This class describes all known resources.
Since: 30.07.2013
Author: Vitaliy Demidov (vitaliy@scalr.com)
Ejemplo n.º 1
0
 /**
  * Outputs the stucture of the resources.
  * @ not a test
  */
 public function printDefinition()
 {
     $reflection = new \ReflectionClass('Scalr\\Acl\\Acl');
     foreach ($reflection->getConstants() as $name => $value) {
         if (strpos($name, 'GROUP_') === 0) {
             printf("\n%s:\n--\n", $value);
             $list = Definition::getByGroup($value);
             /* @var $resource \Scalr\Acl\Resource\ResourceObject */
             foreach ($list as $resource) {
                 printf("  %s - %s\n", $resource->getName(), $resource->getDescription());
                 foreach ($resource->getPermissions() as $permissionId => $description) {
                     printf("  * %s - %s\n", ucfirst($permissionId), $description);
                 }
             }
         }
     }
 }
Ejemplo n.º 2
0
 /**
  * Verifies that Full access role is defined properly.
  *
  * All existing resources must be defined and allowed for this role.
  * All existing resource unique permissions must be defined and allowed for this role.
  *
  * @test
  * @dataProvider providerPredefinedRoles
  */
 public function testPredefinedRoles($roleId, $allowed)
 {
     if (\Scalr::config('scalr.phpunit.skip_functional_tests')) {
         $this->markTestSkipped();
     }
     $acl = \Scalr::getContainer()->acl;
     $role = $acl->getRole($roleId);
     $this->assertInstanceOf('Scalr\\Acl\\Role\\RoleObject', $role);
     $this->assertNotEmpty($role->getName(), 'Role name must be defined');
     $this->assertEquals($roleId, $role->getRoleId());
     $roleResources = $role->getResources();
     $this->assertInstanceOf('ArrayObject', $roleResources);
     /* @var $resourceDefinition Resource\ResourceObject */
     foreach (Resource\Definition::getAll() as $resourceId => $resourceDefinition) {
         // Absence of the record is considered as forbidden
         if (!$allowed && !isset($roleResources[$resourceId])) {
             continue;
         }
         $this->assertTrue(isset($roleResources[$resourceId]), sprintf('All resources must be defined for the %s role. ' . 'You should add records to the acl_role_resources table with role_id(%d)', $role->getName(), self::ROLE_FULL_ACCESS));
         /* @var $resource Role\RoleResourceObject */
         $resource = $roleResources[$resourceId];
         $this->assertTrue($resource->isGranted() == $allowed, sprintf('%s resource must be %s for the %s role', $resourceDefinition->getName(), $allowed ? 'allowed' : 'forbidden', $role->getName()));
         $permissions = $resource->getPermissions();
         $this->assertInstanceOf('ArrayObject', $permissions);
         foreach ($resourceDefinition->getPermissions() as $permissionId => $description) {
             // Absence of the record is considered as forbidden
             if (!$allowed && !isset($permissions[$permissionId])) {
                 continue;
             }
             $this->assertTrue(isset($permissions[$permissionId]), sprintf('Permission [%s - %s] must be defined for the %s role. ' . 'You should add record to the acl_role_resource_permission table with ' . 'key (role_id[%d], resource_id[0x%x], perm_id[%s]).', $resourceDefinition->getName(), $permissionId, $role->getName(), $role->getRoleId(), $resource->getResourceId(), $permissionId));
             /* @var $permission Role\RoleResourcePermissionObject */
             $permission = $permissions[$permissionId];
             $this->assertInstanceOf('Scalr\\Acl\\Role\\RoleResourcePermissionObject', $permission);
             $this->assertTrue($permission->isGranted() == $allowed, sprintf('Permission [%s - %s] must be %s for the %s role.', $resourceDefinition->getName(), $permissionId, $allowed ? 'allowed' : 'forbidden', $role->getName()));
         }
     }
 }
Ejemplo n.º 3
0
 protected function validateBefore4($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_CLOUD_CREDENTIALS_ACCOUNT') && Definition::has(Acl::RESOURCE_CLOUD_CREDENTIALS_ACCOUNT);
 }
Ejemplo n.º 4
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_ORPHANED_SERVERS') && Definition::has(Acl::RESOURCE_ORPHANED_SERVERS);
 }
Ejemplo n.º 5
0
 protected function validateBefore2($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_ADMINISTRATION_ORCHESTRATION') && Definition::has(Acl::RESOURCE_ADMINISTRATION_ORCHESTRATION);
 }
Ejemplo n.º 6
0
 /**
  * Check if stage is applied for the specified resource and permission
  *
  * @param    string    $resourceName   The name of the ACL resource (Example:"RESOURCE_FARMS")
  * @param    string    $permissionName The name of the ACL permission (Example:"PERM_FARMS_SERVERS")
  * @return   boolean
  */
 private function checkAppliedForPermission($resourceName, $permissionName)
 {
     return defined('Scalr\\Acl\\Acl::' . $resourceName) && defined('Scalr\\Acl\\Acl::' . $permissionName) && Definition::has(constant('Scalr\\Acl\\Acl::' . $resourceName)) && $this->db->GetOne("\n                    SELECT `granted` FROM `acl_role_resource_permissions`\n                    WHERE `resource_id` = ? AND `role_id` = ? AND `perm_id` = ?\n                    LIMIT 1\n                ", [constant('Scalr\\Acl\\Acl::' . $resourceName), Acl::ROLE_ID_FULL_ACCESS, constant('Scalr\\Acl\\Acl::' . $permissionName)]) == 1;
 }
Ejemplo n.º 7
0
 protected function validateBefore2($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_ADMINISTRATION_ANALYTICS') && defined('Scalr\\Acl\\Acl::PERM_ADMINISTRATION_ANALYTICS_ALLOCATE_BUDGET') && Definition::has(Acl::RESOURCE_ADMINISTRATION_ANALYTICS) && $this->db->GetOne("\n                    SELECT `granted` FROM `acl_role_resources`\n                    WHERE `resource_id` = ? AND `role_id` = ?\n                    LIMIT 1\n                ", array(Acl::RESOURCE_ADMINISTRATION_ANALYTICS, Acl::ROLE_ID_FULL_ACCESS)) == 1;
 }
Ejemplo n.º 8
0
 protected function validateBefore4($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_SERVICES_ADMINISTRATION_CHEF') && Definition::has(Acl::RESOURCE_SERVICES_ADMINISTRATION_CHEF);
 }
Ejemplo n.º 9
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_AWS_ROUTE53') && defined('Scalr\\Acl\\Acl::RESOURCE_ANALYTICS_PROJECTS') && Definition::has(Acl::RESOURCE_AWS_ROUTE53) && Definition::has(Acl::RESOURCE_ANALYTICS_PROJECTS);
 }
Ejemplo n.º 10
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_ADMINISTRATION_GLOBAL_VARIABLES') && Definition::has(Acl::RESOURCE_ADMINISTRATION_GLOBAL_VARIABLES);
 }
Ejemplo n.º 11
0
 protected function validateBefore6($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_FARMS') && Definition::has(Acl::RESOURCE_FARMS) && defined('Scalr\\Acl\\Acl::RESOURCE_TEAM_FARMS') && Definition::has(Acl::RESOURCE_TEAM_FARMS) && defined('Scalr\\Acl\\Acl::RESOURCE_OWN_FARMS') && Definition::has(Acl::RESOURCE_OWN_FARMS) && defined('Scalr\\Acl\\Acl::PERM_FARMS_PROJECTS');
 }
Ejemplo n.º 12
0
 protected function validateBefore2($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_ENVADMINISTRATION_ANALYTICS') && Definition::has(Acl::RESOURCE_ENVADMINISTRATION_ANALYTICS);
 }
Ejemplo n.º 13
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_FARMS_SERVERS') && defined('Scalr\\Acl\\Acl::PERM_FARMS_SERVERS_SSH_CONSOLE') && Definition::has(Acl::RESOURCE_FARMS_SERVERS) && $this->db->GetOne("\n                    SELECT `granted` FROM `acl_role_resources`\n                    WHERE `resource_id` = ? AND `role_id` = ?\n                    LIMIT 1\n                ", array(Acl::RESOURCE_FARMS_SERVERS, Acl::ROLE_ID_FULL_ACCESS)) == 1;
 }
Ejemplo n.º 14
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_GENERAL_CUSTOM_EVENTS') && defined('Scalr\\Acl\\Acl::PERM_GENERAL_CUSTOM_EVENTS_FIRE') && Definition::has(Acl::RESOURCE_GENERAL_CUSTOM_EVENTS) && $this->db->GetOne("\n                    SELECT `granted` FROM `acl_role_resources`\n                    WHERE `resource_id` = ? AND `role_id` = ?\n                    LIMIT 1\n                ", array(Acl::RESOURCE_GENERAL_CUSTOM_EVENTS, Acl::ROLE_ID_FULL_ACCESS)) == 1;
 }
Ejemplo n.º 15
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_WEBHOOKS_ENVIRONMENT') && Definition::has(Acl::RESOURCE_WEBHOOKS_ENVIRONMENT);
 }
Ejemplo n.º 16
0
 protected function validateBefore4($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_FARMS_IMAGES') && defined('Scalr\\Acl\\Acl::PERM_FARMS_IMAGES_CREATE') && Definition::has(Acl::RESOURCE_FARMS_IMAGES);
 }
Ejemplo n.º 17
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_ADMINISTRATION_WEBHOOKS') && Definition::has(Acl::RESOURCE_ADMINISTRATION_WEBHOOKS);
 }
 /**
  * Gets all resources
  *
  * Current exclude filters will be applied.
  * This method will return all predefined resources with its names
  *
  * @return  array   Returns array looks like
  *                 array(array(
  *                     'id'         => resource_id,
  *                     'name'       => resource_name,
  *                     'group'      => associative_group,
  *                     'granted'    => [1|0] is resource allowed,
  *                     'permissions' => array(
  *                         permissionId => [1|0] is permission allowed
  *                     ),
  *                 ))
  */
 public function getArray()
 {
     $groupOrder = Acl::getGroups();
     $ret = array();
     foreach (Resource\Definition::getAll() as $resource) {
         /* @var $resource Resource\ResourceObject */
         $rec = array('id' => $resource->getResourceId(), 'name' => $resource->getName(), 'group' => $resource->getGroup(), 'groupOrder' => isset($groupOrder[$resource->getGroup()]) ? $groupOrder[$resource->getGroup()] : 0, 'granted' => $this->isAllowed($resource->getResourceId()) ? 1 : 0);
         $permissions = $resource->getPermissions();
         if (!empty($permissions)) {
             $rec['permissions'] = array();
             foreach ($permissions as $permissionId => $description) {
                 $rec['permissions'][$permissionId] = $this->isAllowed($resource->getResourceId(), $permissionId) ? 1 : 0;
             }
         }
         $ret[] = $rec;
     }
     return $ret;
 }
Ejemplo n.º 19
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_GLOBAL_VARIABLES_ACCOUNT') && Definition::has(Acl::RESOURCE_GLOBAL_VARIABLES_ACCOUNT);
 }
Ejemplo n.º 20
0
 protected function validateBefore3($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_GCE_SNAPSHOTS') && Definition::has(Acl::RESOURCE_GCE_SNAPSHOTS);
 }
Ejemplo n.º 21
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_LOGS_EVENT_LOGS') && Definition::has(Acl::RESOURCE_LOGS_EVENT_LOGS);
 }
Ejemplo n.º 22
0
 /**
  * Gets iterator of all predefined resources with unique permissions
  *
  * @return  \ArrayIterator
  */
 public function getIteratorResources()
 {
     return Resource\Definition::getAll()->getIterator();
 }
Ejemplo n.º 23
0
Archivo: Acl.php Proyecto: recipe/scalr
 /**
  * Gets missing records for predefined global ACL roles: Full Access and Everything forbidden.
  *
  * @return string Returns sql script output that adds missing records
  */
 public function getMissingRecords()
 {
     $output = array();
     foreach (array(array(self::ROLE_ID_FULL_ACCESS, true), array(self::ROLE_ID_EVERYTHING_FORBIDDEN, false)) as $v) {
         $roleId = $v[0];
         $allowed = $v[1];
         $role = $this->getRole($roleId);
         $roleResources = $role->getResources();
         foreach (Resource\Definition::getAll() as $resourceId => $resourceDefinition) {
             // Absence of the record is considered as forbidden
             if (!$allowed && !isset($roleResources[$resourceId])) {
                 continue;
             }
             if (!isset($roleResources[$resourceId])) {
                 $output .= sprintf("INSERT `acl_role_resources` " . "SET `role_id` = %d, `resource_id` = 0x%x, `granted` = %d;\n", $roleId, $resourceId, (int) $allowed);
                 $roleResources[$resourceId] = new Role\RoleResourceObject($roleId, $resourceId, $allowed);
             }
             $resource = $roleResources[$resourceId];
             if ($resource->isGranted() != $allowed) {
                 $output .= sprintf("UPDATE `acl_role_resources` " . "SET `granted` = %d; WHERE `role_id` = %d AND `resource_id` = 0x%x;\n", (int) $allowed, $roleId, $resourceId);
             }
             $permissions = $resource->getPermissions();
             foreach ($resourceDefinition->getPermissions() as $permissionId => $description) {
                 // Absence of the record is considered as forbidden
                 if (!$allowed && !isset($permissions[$permissionId])) {
                     continue;
                 }
                 if (!isset($permissions[$permissionId])) {
                     $output .= sprintf("INSERT `acl_role_resource_permissions` " . "SET `role_id` = %d, `resource_id` = 0x%x, `perm_id` = '%s', `granted` = %d;\n", $roleId, $resourceId, $permissionId, (int) $allowed);
                     $permissions[$permissionId] = new Role\RoleResourcePermissionObject($roleId, $resourceId, $permissionId, $allowed);
                 }
                 $permission = $permissions[$permissionId];
                 if ($permission->isGranted() != $allowed) {
                     $output .= sprintf("UPDATE `acl_role_resource_permissions` SET `granted` = %d; " . "WHERE `role_id` = %d AND `resource_id` = 0x%x AND `perm_id` = '%s';\n", (int) $allowed, $roleId, $resourceId, $permissionId);
                 }
             }
             unset($permissions);
         }
         unset($role);
         unset($roleResources);
     }
     return $output;
 }
Ejemplo n.º 24
0
 protected function validateBefore1($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_DISCOVERY_SERVERS') && Definition::has(Acl::RESOURCE_DISCOVERY_SERVERS) && defined('Scalr\\Acl\\Acl::PERM_DISCOVERY_SERVERS_IMPORT');
 }
Ejemplo n.º 25
0
 protected function validateBefore2($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_AWS_S3') && Definition::has(Acl::RESOURCE_AWS_S3);
 }
Ejemplo n.º 26
0
 protected function validateBefore4($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_SERVICES_CHEF_ACCOUNT') && Definition::has(Acl::RESOURCE_SERVICES_CHEF_ACCOUNT);
 }
 /**
  * Gets associative group which the resource belongs to.
  *
  * @return string
  */
 public function getGroup()
 {
     return Definition::get($this->resourceId)->getGroup();
 }
Ejemplo n.º 28
0
 protected function validateBefore2($stage)
 {
     return defined('Scalr\\Acl\\Acl::RESOURCE_ANNOUNCEMENTS') && Definition::has(Acl::RESOURCE_ANNOUNCEMENTS);
 }