This class describes all known resources.
Since: 30.07.2013
Author: Vitaliy Demidov (vitaliy@scalr.com)
Beispiel #1
 /**
  * Prints the structure of the ACL resources, one section per group.
  *
  * Every constant of Scalr\Acl\Acl whose name starts with "GROUP_" is used as a
  * group key. For each group the method prints the group value, then each
  * resource's name and description, then each permission id (first letter
  * upper-cased) with its description.
  *
  * @ not a test
  */
 public function printDefinition()
 {
     $aclClass = new \ReflectionClass('Scalr\\Acl\\Acl');
     foreach ($aclClass->getConstants() as $constName => $group) {
         // Only constants whose name begins with GROUP_ are treated as groups.
         if (strpos($constName, 'GROUP_') !== 0) {
             continue;
         }
         printf("\n%s:\n--\n", $group);
         /* @var $resource \Scalr\Acl\Resource\ResourceObject */
         foreach (Definition::getByGroup($group) as $resource) {
             printf("  %s - %s\n", $resource->getName(), $resource->getDescription());
             foreach ($resource->getPermissions() as $permissionId => $description) {
                 printf("  * %s - %s\n", ucfirst($permissionId), $description);
             }
         }
     }
 }
Beispiel #2
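 /**
  * Verifies that a predefined role is defined properly.
  *
  * When the role is expected to be allowed, all existing resources and all existing
  * resource unique permissions must be defined and granted for it. When the role is
  * expected to be forbidden, a missing record already counts as forbidden, and any
  * record that does exist must not be granted.
  *
  * @param  mixed $roleId  Identifier of the predefined role under test
  * @param  mixed $allowed Truthy when the role is expected to grant everything
  *
  * @test
  * @dataProvider providerPredefinedRoles
  */
 public function testPredefinedRoles($roleId, $allowed)
 {
     if (\Scalr::config('scalr.phpunit.skip_functional_tests')) {
         $this->markTestSkipped();
     }
     $acl = \Scalr::getContainer()->acl;
     $role = $acl->getRole($roleId);
     $this->assertInstanceOf('Scalr\\Acl\\Role\\RoleObject', $role);
     $this->assertNotEmpty($role->getName(), 'Role name must be defined');
     $this->assertEquals($roleId, $role->getRoleId());
     $roleResources = $role->getResources();
     $this->assertInstanceOf('ArrayObject', $roleResources);
     /* @var $resourceDefinition Resource\ResourceObject */
     foreach (Resource\Definition::getAll() as $resourceId => $resourceDefinition) {
         // Absence of the record is considered as forbidden
         if (!$allowed && !isset($roleResources[$resourceId])) {
             continue;
         }
         // The remediation hint names the role under test. A hard-coded role id here
         // would point whoever fixes the data at the wrong role's records whenever
         // the data provider supplies a different role.
         $this->assertTrue(
             isset($roleResources[$resourceId]),
             sprintf(
                 'All resources must be defined for the %s role. '
                 . 'You should add records to the acl_role_resources table with role_id(%d)',
                 $role->getName(),
                 $role->getRoleId()
             )
         );
         /* @var $resource Role\RoleResourceObject */
         $resource = $roleResources[$resourceId];
         $this->assertTrue(
             $resource->isGranted() == $allowed,
             sprintf(
                 '%s resource must be %s for the %s role',
                 $resourceDefinition->getName(),
                 $allowed ? 'allowed' : 'forbidden',
                 $role->getName()
             )
         );
         $permissions = $resource->getPermissions();
         $this->assertInstanceOf('ArrayObject', $permissions);
         foreach ($resourceDefinition->getPermissions() as $permissionId => $description) {
             // Absence of the record is considered as forbidden
             if (!$allowed && !isset($permissions[$permissionId])) {
                 continue;
             }
             $this->assertTrue(
                 isset($permissions[$permissionId]),
                 sprintf(
                     'Permission [%s - %s] must be defined for the %s role. '
                     . 'You should add record to the acl_role_resource_permission table with '
                     . 'key (role_id[%d], resource_id[0x%x], perm_id[%s]).',
                     $resourceDefinition->getName(),
                     $permissionId,
                     $role->getName(),
                     $role->getRoleId(),
                     $resource->getResourceId(),
                     $permissionId
                 )
             );
             /* @var $permission Role\RoleResourcePermissionObject */
             $permission = $permissions[$permissionId];
             $this->assertInstanceOf('Scalr\\Acl\\Role\\RoleResourcePermissionObject', $permission);
             $this->assertTrue(
                 $permission->isGranted() == $allowed,
                 sprintf(
                     'Permission [%s - %s] must be %s for the %s role.',
                     $resourceDefinition->getName(),
                     $permissionId,
                     $allowed ? 'allowed' : 'forbidden',
                     $role->getName()
                 )
             );
         }
     }
 }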
Beispiel #3
 /**
  * Checks that the cloud-credentials (account) ACL resource is available.
  *
  * True only when Acl::RESOURCE_CLOUD_CREDENTIALS_ACCOUNT is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore4($stage)
 {
     // Test the constant by name first so an absent constant is never dereferenced.
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_CLOUD_CREDENTIALS_ACCOUNT')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_CLOUD_CREDENTIALS_ACCOUNT);
 }
Beispiel #4
 /**
  * Checks that the orphaned-servers ACL resource is available.
  *
  * True only when Acl::RESOURCE_ORPHANED_SERVERS is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_ORPHANED_SERVERS')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_ORPHANED_SERVERS);
 }
 /**
  * Checks that the administration-orchestration ACL resource is available.
  *
  * True only when Acl::RESOURCE_ADMINISTRATION_ORCHESTRATION is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore2($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_ADMINISTRATION_ORCHESTRATION')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_ADMINISTRATION_ORCHESTRATION);
 }
Beispiel #6
 /**
  * Check if stage is applied for the specified resource and permission
  *
  * The answer is true only when both names resolve to constants of Scalr\Acl\Acl,
  * the resource is known to Definition, and the Full Access role's row in
  * acl_role_resource_permissions for that resource and permission has `granted`
  * equal to 1. The lookup values are passed as bound parameters, not concatenated
  * into the SQL text.
  *
  * @param    string    $resourceName   The name of the ACL resource (Example:"RESOURCE_FARMS")
  * @param    string    $permissionName The name of the ACL permission (Example:"PERM_FARMS_SERVERS")
  * @return   boolean
  */
 private function checkAppliedForPermission($resourceName, $permissionName)
 {
     $resourceConst = 'Scalr\\Acl\\Acl::' . $resourceName;
     $permissionConst = 'Scalr\\Acl\\Acl::' . $permissionName;

     // Both names must resolve before constant() is called on either of them.
     if (!defined($resourceConst) || !defined($permissionConst)) {
         return false;
     }
     if (!Definition::has(constant($resourceConst))) {
         return false;
     }

     $granted = $this->db->GetOne(
         "\n                    SELECT `granted` FROM `acl_role_resource_permissions`\n                    WHERE `resource_id` = ? AND `role_id` = ? AND `perm_id` = ?\n                    LIMIT 1\n                ",
         [constant($resourceConst), Acl::ROLE_ID_FULL_ACCESS, constant($permissionConst)]
     );

     return $granted == 1;
 }
 /**
  * Checks the preconditions around the analytics "allocate budget" permission.
  *
  * True only when Acl::RESOURCE_ADMINISTRATION_ANALYTICS and
  * Acl::PERM_ADMINISTRATION_ANALYTICS_ALLOCATE_BUDGET are declared, Definition::has()
  * knows the resource, and the Full Access role's row in acl_role_resources for that
  * resource has `granted` equal to 1. Note that the query reads the resource row;
  * the permission constant is only tested for existence.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore2($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_ADMINISTRATION_ANALYTICS')
         || !defined('Scalr\\Acl\\Acl::PERM_ADMINISTRATION_ANALYTICS_ALLOCATE_BUDGET')
     ) {
         return false;
     }
     if (!Definition::has(Acl::RESOURCE_ADMINISTRATION_ANALYTICS)) {
         return false;
     }

     $granted = $this->db->GetOne(
         "\n                    SELECT `granted` FROM `acl_role_resources`\n                    WHERE `resource_id` = ? AND `role_id` = ?\n                    LIMIT 1\n                ",
         array(Acl::RESOURCE_ADMINISTRATION_ANALYTICS, Acl::ROLE_ID_FULL_ACCESS)
     );

     return $granted == 1;
 }
 /**
  * Checks that the services-administration Chef ACL resource is available.
  *
  * True only when Acl::RESOURCE_SERVICES_ADMINISTRATION_CHEF is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore4($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_SERVICES_ADMINISTRATION_CHEF')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_SERVICES_ADMINISTRATION_CHEF);
 }
 /**
  * Checks that the Route53 and analytics-projects ACL resources are available.
  *
  * True only when Acl::RESOURCE_AWS_ROUTE53 and Acl::RESOURCE_ANALYTICS_PROJECTS are
  * both declared and Definition::has() knows both resources.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     // Both constants are tested by name before either one is dereferenced.
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_AWS_ROUTE53')
         || !defined('Scalr\\Acl\\Acl::RESOURCE_ANALYTICS_PROJECTS')
     ) {
         return false;
     }
     if (!Definition::has(Acl::RESOURCE_AWS_ROUTE53)) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_ANALYTICS_PROJECTS);
 }
 /**
  * Checks that the administration global-variables ACL resource is available.
  *
  * True only when Acl::RESOURCE_ADMINISTRATION_GLOBAL_VARIABLES is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_ADMINISTRATION_GLOBAL_VARIABLES')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_ADMINISTRATION_GLOBAL_VARIABLES);
 }
Beispiel #11
 /**
  * Checks that the three farm ACL resources and the farm-projects permission exist.
  *
  * True only when Acl::RESOURCE_FARMS, Acl::RESOURCE_TEAM_FARMS and
  * Acl::RESOURCE_OWN_FARMS are each declared and known to Definition::has(), and
  * Acl::PERM_FARMS_PROJECTS is declared. The checks run in that order and stop at
  * the first failure.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore6($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_FARMS') || !Definition::has(Acl::RESOURCE_FARMS)) {
         return false;
     }
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_TEAM_FARMS') || !Definition::has(Acl::RESOURCE_TEAM_FARMS)) {
         return false;
     }
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_OWN_FARMS') || !Definition::has(Acl::RESOURCE_OWN_FARMS)) {
         return false;
     }

     return defined('Scalr\\Acl\\Acl::PERM_FARMS_PROJECTS');
 }
 /**
  * Checks that the environment-administration analytics ACL resource is available.
  *
  * True only when Acl::RESOURCE_ENVADMINISTRATION_ANALYTICS is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore2($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_ENVADMINISTRATION_ANALYTICS')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_ENVADMINISTRATION_ANALYTICS);
 }
 /**
  * Checks the preconditions around the farm-servers SSH console permission.
  *
  * True only when Acl::RESOURCE_FARMS_SERVERS and Acl::PERM_FARMS_SERVERS_SSH_CONSOLE
  * are declared, Definition::has() knows the resource, and the Full Access role's
  * row in acl_role_resources for that resource has `granted` equal to 1. The query
  * reads the resource row; the permission constant is only tested for existence.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_FARMS_SERVERS')
         || !defined('Scalr\\Acl\\Acl::PERM_FARMS_SERVERS_SSH_CONSOLE')
     ) {
         return false;
     }
     if (!Definition::has(Acl::RESOURCE_FARMS_SERVERS)) {
         return false;
     }

     $granted = $this->db->GetOne(
         "\n                    SELECT `granted` FROM `acl_role_resources`\n                    WHERE `resource_id` = ? AND `role_id` = ?\n                    LIMIT 1\n                ",
         array(Acl::RESOURCE_FARMS_SERVERS, Acl::ROLE_ID_FULL_ACCESS)
     );

     return $granted == 1;
 }
Beispiel #14
 /**
  * Checks the preconditions around the custom-events "fire" permission.
  *
  * True only when Acl::RESOURCE_GENERAL_CUSTOM_EVENTS and
  * Acl::PERM_GENERAL_CUSTOM_EVENTS_FIRE are declared, Definition::has() knows the
  * resource, and the Full Access role's row in acl_role_resources for that resource
  * has `granted` equal to 1. The query reads the resource row; the permission
  * constant is only tested for existence.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_GENERAL_CUSTOM_EVENTS')
         || !defined('Scalr\\Acl\\Acl::PERM_GENERAL_CUSTOM_EVENTS_FIRE')
     ) {
         return false;
     }
     if (!Definition::has(Acl::RESOURCE_GENERAL_CUSTOM_EVENTS)) {
         return false;
     }

     $granted = $this->db->GetOne(
         "\n                    SELECT `granted` FROM `acl_role_resources`\n                    WHERE `resource_id` = ? AND `role_id` = ?\n                    LIMIT 1\n                ",
         array(Acl::RESOURCE_GENERAL_CUSTOM_EVENTS, Acl::ROLE_ID_FULL_ACCESS)
     );

     return $granted == 1;
 }
Beispiel #15
 /**
  * Checks that the environment webhooks ACL resource is available.
  *
  * True only when Acl::RESOURCE_WEBHOOKS_ENVIRONMENT is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_WEBHOOKS_ENVIRONMENT')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_WEBHOOKS_ENVIRONMENT);
 }
 /**
  * Checks that the farm-images ACL resource and its create permission exist.
  *
  * True only when Acl::RESOURCE_FARMS_IMAGES and Acl::PERM_FARMS_IMAGES_CREATE are
  * declared and Definition::has() knows the resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore4($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_FARMS_IMAGES')
         || !defined('Scalr\\Acl\\Acl::PERM_FARMS_IMAGES_CREATE')
     ) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_FARMS_IMAGES);
 }
 /**
  * Checks that the administration webhooks ACL resource is available.
  *
  * True only when Acl::RESOURCE_ADMINISTRATION_WEBHOOKS is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_ADMINISTRATION_WEBHOOKS')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_ADMINISTRATION_WEBHOOKS);
 }
 /**
  * Gets all resources
  *
  * Builds one record per predefined resource from Resource\Definition::getAll().
  * The `granted` flags come from this object's isAllowed(), so they describe what
  * this object actually allows rather than what the definition lists.
  *
  * @return  array   Returns array looks like
  *                 array(array(
  *                     'id'          => resource_id,
  *                     'name'        => resource_name,
  *                     'group'       => associative_group,
  *                     'groupOrder'  => value from Acl::getGroups() for the group, or 0 when absent,
  *                     'granted'     => [1|0] is resource allowed,
  *                     'permissions' => array(
  *                         permissionId => [1|0] is permission allowed
  *                     ),
  *                 ))
  *                 The 'permissions' key is set only when the resource's permission
  *                 list passes the !empty() check.
  */
 public function getArray()
 {
     $orderByGroup = Acl::getGroups();
     $rows = array();
     /* @var $resource Resource\ResourceObject */
     foreach (Resource\Definition::getAll() as $resource) {
         $resourceId = $resource->getResourceId();
         $group = $resource->getGroup();

         $row = array(
             'id'         => $resourceId,
             'name'       => $resource->getName(),
             'group'      => $group,
             'groupOrder' => isset($orderByGroup[$group]) ? $orderByGroup[$group] : 0,
             'granted'    => $this->isAllowed($resourceId) ? 1 : 0,
         );

         $permissions = $resource->getPermissions();
         if (!empty($permissions)) {
             $row['permissions'] = array();
             foreach ($permissions as $permissionId => $description) {
                 // Each permission is checked on its own against the same resource.
                 $row['permissions'][$permissionId] = $this->isAllowed($resourceId, $permissionId) ? 1 : 0;
             }
         }

         $rows[] = $row;
     }

     return $rows;
 }
Beispiel #19
 /**
  * Checks that the account global-variables ACL resource is available.
  *
  * True only when Acl::RESOURCE_GLOBAL_VARIABLES_ACCOUNT is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_GLOBAL_VARIABLES_ACCOUNT')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_GLOBAL_VARIABLES_ACCOUNT);
 }
Beispiel #20
 /**
  * Checks that the GCE snapshots ACL resource is available.
  *
  * True only when Acl::RESOURCE_GCE_SNAPSHOTS is declared and Definition::has()
  * knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore3($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_GCE_SNAPSHOTS')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_GCE_SNAPSHOTS);
 }
 /**
  * Checks that the event-logs ACL resource is available.
  *
  * True only when Acl::RESOURCE_LOGS_EVENT_LOGS is declared and Definition::has()
  * knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_LOGS_EVENT_LOGS')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_LOGS_EVENT_LOGS);
 }
Beispiel #22
 /**
  * Gets iterator of all predefined resources with unique permissions
  *
  * The iterator is obtained from whatever Resource\Definition::getAll() returns.
  *
  * @return  \ArrayIterator
  */
 public function getIteratorResources()
 {
     $definitions = Resource\Definition::getAll();

     return $definitions->getIterator();
 }
Beispiel #23
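 /**
  * Gets missing records for predefined global ACL roles: Full Access and Everything forbidden.
  *
  * Every resource and permission from Resource\Definition::getAll() is compared with
  * what each of the two predefined roles currently holds, and one SQL statement is
  * emitted per discrepancy. For the forbidden role a missing record already means
  * "forbidden", so nothing is emitted for it. The script is only returned, never
  * executed here; it rewrites `granted` flags, so review it before running it.
  *
  * @return string Returns sql script output that adds missing records
  *                (an empty string when nothing is missing)
  */
 public function getMissingRecords()
 {
     // Start from a string: appending to an array with .= would prefix the script
     // with the text "Array" and return an array when nothing is missing.
     $output = '';
     $predefinedRoles = array(
         array(self::ROLE_ID_FULL_ACCESS, true),
         array(self::ROLE_ID_EVERYTHING_FORBIDDEN, false),
     );
     foreach ($predefinedRoles as $v) {
         $roleId = $v[0];
         $allowed = $v[1];
         $role = $this->getRole($roleId);
         $roleResources = $role->getResources();
         foreach (Resource\Definition::getAll() as $resourceId => $resourceDefinition) {
             // Absence of the record is considered as forbidden
             if (!$allowed && !isset($roleResources[$resourceId])) {
                 continue;
             }
             if (!isset($roleResources[$resourceId])) {
                 $output .= sprintf(
                     "INSERT `acl_role_resources` "
                     . "SET `role_id` = %d, `resource_id` = 0x%x, `granted` = %d;\n",
                     $roleId,
                     $resourceId,
                     (int) $allowed
                 );
                 $roleResources[$resourceId] = new Role\RoleResourceObject($roleId, $resourceId, $allowed);
             }
             $resource = $roleResources[$resourceId];
             if ($resource->isGranted() != $allowed) {
                 // No statement terminator before WHERE: with one, the UPDATE would end
                 // there and apply to every row of the table, for every role.
                 $output .= sprintf(
                     "UPDATE `acl_role_resources` "
                     . "SET `granted` = %d WHERE `role_id` = %d AND `resource_id` = 0x%x;\n",
                     (int) $allowed,
                     $roleId,
                     $resourceId
                 );
             }
             $permissions = $resource->getPermissions();
             foreach ($resourceDefinition->getPermissions() as $permissionId => $description) {
                 // Absence of the record is considered as forbidden
                 if (!$allowed && !isset($permissions[$permissionId])) {
                     continue;
                 }
                 // NOTE(review): $permissionId is written into the script unescaped. It comes
                 // from Resource\Definition here; confirm those ids can never contain a quote.
                 if (!isset($permissions[$permissionId])) {
                     $output .= sprintf(
                         "INSERT `acl_role_resource_permissions` "
                         . "SET `role_id` = %d, `resource_id` = 0x%x, `perm_id` = '%s', `granted` = %d;\n",
                         $roleId,
                         $resourceId,
                         $permissionId,
                         (int) $allowed
                     );
                     $permissions[$permissionId] = new Role\RoleResourcePermissionObject(
                         $roleId,
                         $resourceId,
                         $permissionId,
                         $allowed
                     );
                 }
                 $permission = $permissions[$permissionId];
                 if ($permission->isGranted() != $allowed) {
                     // Same rule as above: the WHERE clause must stay inside the statement.
                     $output .= sprintf(
                         "UPDATE `acl_role_resource_permissions` SET `granted` = %d "
                         . "WHERE `role_id` = %d AND `resource_id` = 0x%x AND `perm_id` = '%s';\n",
                         (int) $allowed,
                         $roleId,
                         $resourceId,
                         $permissionId
                     );
                 }
             }
             unset($permissions);
         }
         unset($role);
         unset($roleResources);
     }

     return $output;
 }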
Beispiel #24
 /**
  * Checks that the discovery-servers ACL resource and its import permission exist.
  *
  * True only when Acl::RESOURCE_DISCOVERY_SERVERS is declared and known to
  * Definition::has(), and Acl::PERM_DISCOVERY_SERVERS_IMPORT is declared.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore1($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_DISCOVERY_SERVERS')) {
         return false;
     }
     if (!Definition::has(Acl::RESOURCE_DISCOVERY_SERVERS)) {
         return false;
     }

     return defined('Scalr\\Acl\\Acl::PERM_DISCOVERY_SERVERS_IMPORT');
 }
Beispiel #25
 /**
  * Checks that the AWS S3 ACL resource is available.
  *
  * True only when Acl::RESOURCE_AWS_S3 is declared and Definition::has() knows
  * that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore2($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_AWS_S3')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_AWS_S3);
 }
Beispiel #26
 /**
  * Checks that the account-level Chef services ACL resource is available.
  *
  * True only when Acl::RESOURCE_SERVICES_CHEF_ACCOUNT is declared and
  * Definition::has() knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore4($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_SERVICES_CHEF_ACCOUNT')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_SERVICES_CHEF_ACCOUNT);
 }
 /**
  * Gets associative group which the resource belongs to.
  *
  * The group is read from the definition that Definition::get() returns for this
  * object's resourceId.
  *
  * @return string
  */
 public function getGroup()
 {
     $definition = Definition::get($this->resourceId);

     return $definition->getGroup();
 }
Beispiel #28
 /**
  * Checks that the announcements ACL resource is available.
  *
  * True only when Acl::RESOURCE_ANNOUNCEMENTS is declared and Definition::has()
  * knows that resource.
  *
  * @param  mixed $stage Supplied by the caller; not read by this check
  * @return bool
  */
 protected function validateBefore2($stage)
 {
     if (!defined('Scalr\\Acl\\Acl::RESOURCE_ANNOUNCEMENTS')) {
         return false;
     }

     return (bool) Definition::has(Acl::RESOURCE_ANNOUNCEMENTS);
 }