/**
  * Constructs an unauthorized exception.
  *
  * When no code is supplied (null), the code defaults to 202.
  * NOTE(review): 202 looks like an application-internal error code. If exception codes are ever mapped
  * onto HTTP statuses, 202 means "Accepted" and would mask the authorization failure - confirm.
  *
  * @param string|null $message The message of the exception
  * @param int|null $code Code of the exception; null selects the default 202
  * @param Exception|null $previous Previous exception which caused this exception
  */
 public function __construct($message = null, $code = null, Exception $previous = null)
 {
     $effectiveCode = ($code === null) ? 202 : $code;

     parent::__construct($message, $effectiveCode, $previous);
 }
Example #2
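 /**
  * Returns a securely generated key of variable length in hexadecimal representation.
  *
  * The key material comes from random_bytes(), and the result holds two hex characters per byte,
  * i.e. $bits / 4 characters. random_bytes() itself throws when no suitable randomness source is available.
  *
  * @param int $bits Key size in bits; must be a positive multiple of 8
  * @return string Lowercase hexadecimal key
  * @throws SecurityException If $bits is not a positive multiple of 8
  */
 public static function randomKey(int $bits = 256) : string
 {
     // Zero and negative multiples of 8 pass a plain divisibility test, but random_bytes() rejects a
     // length below 1 with an Error/ValueError; report them through the documented SecurityException instead.
     if ($bits < 8 || $bits % 8 !== 0) {
         throw SecurityException::incorrectRandomBits(__METHOD__);
     }

     // NOTE(review): no minimum strength is enforced here - callers choose $bits, so an 8-bit "key" is accepted.
     return bin2hex(random_bytes(intdiv($bits, 8)));
 }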
Example #3
 /**
  * Builds the exception for a username that violates the uniqueness requirement (code 1001).
  *
  * The message is a fixed string; the username is kept on the exception but not copied into the message.
  *
  * @param mixed $username The username concerned, stored on the exception
  */
 public function __construct($username)
 {
     $message = 'a username has to be unique!';
     $code = 1001;

     parent::__construct($message, $code);
     $this->username = $username;
 }
Example #4
 /**
  * Builds the exception for a request that requires an admin user.
  *
  * The exception code is Http::STATUS_FORBIDDEN and the message is a fixed string.
  */
 public function __construct()
 {
     $reason = 'Logged in user must be an admin';

     parent::__construct($reason, Http::STATUS_FORBIDDEN);
 }
Example #5
 /**
  * Builds the exception for a token that does not exist (code 1005).
  *
  * NOTE(review): the supplied token is copied verbatim into the exception message. If messages are
  * logged or rendered to a client, treat that text as untrusted input (escape it on output) and
  * decide whether token values belong in logs at all.
  *
  * @param mixed $token The token concerned; also stored on the exception
  */
 public function __construct($token)
 {
     $this->token = $token;

     $template = 'The token "%s" does not exist!';
     parent::__construct(sprintf($template, $token), 1005);
 }
Example #6
 /**
  * Checks permission $perm on $object for the given login context against the configured policy.
  *
  * Returns normally (no value) when access is granted. Denials are reported through
  * $this->throwException(), which is defined outside this excerpt and presumably throws.
  *
  * Evaluation order, as implemented below:
  *  1. A context whose user is named 'root' is granted access before any policy is read.
  *  2. Policy entries are scanned in order; for an entry whose object class matches $object (instanceof),
  *     every handler entry is run and the outcomes are combined according to the handler flag
  *     (SUFFICIENT, REQUISITE, REQUIRED, or anything else).
  *  3. If no policy entry matches, the method logs a warning and returns, i.e. access is allowed.
  *
  * NOTE(review): step 3 is a fail-open default - an object class missing from the policy configuration
  * is not protected at all. Confirm this is intended and that the warning is monitored.
  * NOTE(review): $this->success, $this->firstError and $this->firstRequiredError are read here but not
  * reset in this method; verify they are initialised per check, otherwise an earlier outcome could
  * carry over into this one.
  *
  * @param mixed $object The object the permission is requested on
  * @param IPermission $perm The requested permission
  * @param LoginContext $context The login context of the requester. NOTE(review): defaults to null but is
  *        dereferenced unconditionally below - confirm callers always pass one
  * @return void
  */
 public function doCheck($object, IPermission $perm, LoginContext $context = null)
 {
     // NOTE(review): this dumps the whole login context into the debug log. If the context carries
     // credentials or session data they end up in the log file - confirm what LoginContext exposes
     // before enabling debug logging in production.
     if (SecurityManager::$Logger->isDebugEnabled()) {
         SecurityManager::$Logger->debug('Preparing to check permission with login context:');
         SecurityManager::$Logger->debug(print_r($context, true));
     }
     // A little "hack" here to avoid any lock to the root user due to configuration problem
     // in the next steps (= even without any configuration or with a broken configuration file,
     // the root will always have all the permissions on everything)
     // NOTE(review): the bypass keys on the user name string alone, so it is only as trustworthy as
     // the code that populated the login context.
     $eyeosUser = null;
     try {
         $eyeosUser = $context->getEyeosUser();
         if ($eyeosUser->getName() === 'root') {
             if (SecurityManager::$Logger->isInfoEnabled()) {
                 SecurityManager::$Logger->info('Root user found in login context: bypassing any further security check for requested permission ' . $perm . '.');
             }
             return;
         }
     } catch (EyeNullPointerException $e) {
         // Deliberately ignored: the regular policy evaluation below applies
         // (presumably raised when the context holds no user - confirm).
     }
     $configuration = PolicyConfiguration::getConfiguration();
     // Browse policy entries until we find one that matches the class of our object
     foreach ($configuration->getPolicyEntries() as $policyEntry) {
         $objectClass = $policyEntry->getObjectClass();
         if ($object instanceof $objectClass) {
             // Check permission using each handler defined for this entry
             foreach ($policyEntry->getHandlerEntries() as $handlerEntry) {
                 try {
                     $handler = SecurityManager::getNewHandlerInstance($handlerEntry->getHandlerClass(), $handlerEntry->getParams());
                     try {
                         $status = $handler->checkPermission($object, $perm, $context);
                         // SUCCESS (access granted by the current handler)
                         if ($status === true) {
                             // A SUFFICIENT handler ends the check at once, unless a REQUIRED handler
                             // has already failed.
                             if ($handlerEntry->getFlag() == PolicyHandlerEntry::FLAG_SUFFICIENT) {
                                 if ($this->firstRequiredError === null) {
                                     return;
                                 }
                             }
                             $this->success = true;
                         } else {
                             // Any other return value counts as "handler abstained": nothing is recorded,
                             // the outcome is only logged.
                             // NOTE(review): guarded by isInfoEnabled() but written with debug() - the two
                             // levels do not match.
                             if (SecurityManager::$Logger->isInfoEnabled()) {
                                 $failureExceptionMessage = '(none available)';
                                 if ($handler->getFailureException() !== null) {
                                     $failureExceptionMessage = $handler->getFailureException()->getMessage();
                                 }
                                 SecurityManager::$Logger->debug($handlerEntry->getHandlerClass() . ' failure message: ' . $failureExceptionMessage);
                             }
                         }
                     } catch (EyeSecurityException $e) {
                         // The handler denied access; what happens next depends on its flag.
                         if ($handlerEntry->getFlag() == PolicyHandlerEntry::FLAG_REQUISITE) {
                             // REQUISITE: report the denial immediately, remaining handlers are not run.
                             if (SecurityManager::$Logger->isInfoEnabled()) {
                                 SecurityManager::$Logger->info('Requested permission ' . $perm . ' denied object of class ' . get_class($object) . ' (REQUISITE handler ' . $handlerEntry->getHandlerClass() . ' failed).');
                                 SecurityManager::$Logger->info($e->getMessage());
                             }
                             $this->throwException($this->firstRequiredError, $e);
                         } else {
                             // REQUIRED: remember the first failure and keep running the other handlers.
                             if ($handlerEntry->getFlag() == PolicyHandlerEntry::FLAG_REQUIRED) {
                                 if ($this->firstRequiredError === null) {
                                     $this->firstRequiredError = $e;
                                 }
                             } else {
                                 // Any other flag: remember the first failure; it only matters if no
                                 // handler succeeds.
                                 if ($this->firstError === null) {
                                     $this->firstError = $e;
                                 }
                             }
                         }
                     }
                 } catch (EyeException $e) {
                     // Any EyeException not handled above, including one raised while instantiating
                     // the handler, is passed to throwException().
                     $this->throwException(null, $e);
                 }
             }
             if ($this->firstRequiredError !== null) {
                 // A required handler failed
                 if (SecurityManager::$Logger->isInfoEnabled()) {
                     SecurityManager::$Logger->info('Requested permission ' . $perm . ' denied on object of class ' . get_class($object) . ' (a REQUIRED handler failed).');
                     SecurityManager::$Logger->info($this->firstRequiredError->getMessage());
                 }
                 $this->throwException($this->firstRequiredError, null);
             } else {
                 if (!$this->success && $this->firstError !== null) {
                     // No handler succeeded: return the first error
                     if (SecurityManager::$Logger->isInfoEnabled()) {
                         SecurityManager::$Logger->info('Requested permission ' . $perm . ' denied on object of class ' . get_class($object) . '.');
                         SecurityManager::$Logger->info($this->firstError->getMessage());
                     }
                     $this->throwException($this->firstError, null);
                 } else {
                     if (!$this->success) {
                         // All handlers returned FALSE (= they could not perform permission checks for any reason)
                         SecurityManager::$Logger->warn('All SecurityHandlers have been ignored for object of class ' . get_class($object) . '.');
                         $this->throwException(new EyeSecurityException('Permission check failure: all handlers ignored on object of class "' . $objectClass . '".'), null);
                     } else {
                         if (SecurityManager::$Logger->isDebugEnabled()) {
                             SecurityManager::$Logger->debug('Permission ' . $perm . ' granted on object of class ' . get_class($object) . '.');
                         }
                         return;
                     }
                 }
             }
         }
     }
     // No matching policy entry has been found for given $object: report it in the log and allow access
     // NOTE(review): fail-open - the method returns normally here, so the caller treats the check as passed.
     if (!$this->success) {
         SecurityManager::$Logger->warn('No matching policy entry for object of class ' . get_class($object) . ' has been found.');
     }
 }
Example #7
 /**
  * Builds the exception for a request made without a logged-in user.
  *
  * The exception code is Http::STATUS_UNAUTHORIZED and the message is a fixed string.
  */
 public function __construct()
 {
     $reason = 'Current user is not logged in';

     parent::__construct($reason, Http::STATUS_UNAUTHORIZED);
 }
Example #8
 /**
  * Builds the exception for an email address that is not unique (code 1004).
  *
  * NOTE(review): the address is copied verbatim into the exception message. If messages are logged,
  * that puts personal data in the log; if they are shown to an unauthenticated client, the text
  * confirms that the address is already registered. Escape the value wherever the message is rendered.
  *
  * @param mixed $email The email address concerned; also stored on the exception
  */
 public function __construct($email)
 {
     $this->email = $email;

     $template = 'The email "%s" is not unique!';
     parent::__construct(sprintf($template, $email), 1004);
 }
 /**
  * Builds the exception for a failed CSRF check.
  *
  * The exception code is Http::STATUS_PRECONDITION_FAILED and the message is a fixed string.
  */
 public function __construct()
 {
     $reason = 'CSRF check failed';

     parent::__construct($reason, Http::STATUS_PRECONDITION_FAILED);
 }
 /**
  * Builds the exception raised when a token has already been generated (code 1003).
  *
  * @param mixed $interval Stored on the exception; presumably the interval that applies before
  *        another token may be generated - confirm against the caller
  */
 public function __construct($interval)
 {
     $message = 'a token has already been generated';
     $code = 1003;

     parent::__construct($message, $code);
     $this->interval = $interval;
 }
 /**
  * Constructs this exception with the fixed code 201.
  *
  * The translation key and the field name are stored through the class's own setters.
  *
  * @param string $error Error message
  * @param string $translationKey Translation key of the error message
  * @param string|null $field Name of the field which caused this exception (optional)
  */
 public function __construct($error, $translationKey, $field = null)
 {
     $code = 201;
     parent::__construct($error, $code);

     $this->setTranslationKey($translationKey);
     $this->setField($field);
 }
 /**
  * Builds the exception for a request to an app that is not enabled.
  *
  * The exception code is Http::STATUS_PRECONDITION_FAILED and the message is a fixed string.
  */
 public function __construct()
 {
     $reason = 'App is not enabled';

     parent::__construct($reason, Http::STATUS_PRECONDITION_FAILED);
 }
Example #13
 /**
  * Builds the exception for an unknown user.
  *
  * NOTE(review): if the default message reaches an unauthenticated client (for example on a login
  * form), it reveals which account names do not exist - confirm the caller returns a generic
  * failure message instead.
  *
  * @param string $message Exception message; defaults to 'Unknown user'
  * @param int $code Exception code; defaults to SecurityException::UNKNOWN_USER
  */
 public function __construct($message = 'Unknown user', $code = SecurityException::UNKNOWN_USER)
 {
     parent::__construct(
         $message,
         $code
     );
 }
Example #14
 /**
  * Builds the exception for a missing password (code 1002).
  *
  * The message is a fixed string; no user-supplied value is included.
  */
 public function __construct()
 {
     $message = 'The password is missing!';
     $code = 1002;

     parent::__construct($message, $code);
 }
Example #15
 /**
  * Builds the exception from a caller-supplied message.
  *
  * @param string $message Exception message
  * @param int $code Exception code; defaults to 503
  */
 public function __construct($message, $code = 503)
 {
     parent::__construct(
         $message,
         $code
     );
 }