The access decision voters get the roles and privileges configured (in the
security policy) for a specific method invocation from this service.
/**
* Convert an object from $source to an object.
*
* @param mixed $source
* @param string $targetType
* @param array $convertedChildProperties
* @param PropertyMappingConfigurationInterface $configuration
* @return object the target type
*/
public function convertFrom($source, $targetType, array $convertedChildProperties = [], PropertyMappingConfigurationInterface $configuration = null)
{
try {
$role = $this->policyService->getRole($source);
} catch (NoSuchRoleException $exception) {
return new Error('Could not find a role with the identifier "%s".', 1397212327, [$source]);
}
return $role;
}
/**
* @test
*/
public function viewHelperRendersThenPartIfHasRoleReturnsTrue()
{
$role = new Role('Acme.Demo:SomeRole');
$this->mockSecurityContext->expects($this->once())->method('hasRole')->with('Acme.Demo:SomeRole')->will($this->returnValue(true));
$this->mockPolicyService->expects($this->once())->method('getRole')->with('Acme.Demo:SomeRole')->will($this->returnValue($role));
$this->mockViewHelper->expects($this->once())->method('renderThenChild')->will($this->returnValue('then-child'));
$arguments = ['role' => 'SomeRole', 'account' => null];
$this->mockViewHelper->setArguments($arguments);
$actualResult = $this->mockViewHelper->render();
$this->assertEquals('then-child', $actualResult);
}
/**
* Creates a new account and sets the given password and roles
*
* @param string $identifier Identifier of the account, must be unique
* @param string $password The clear text password
* @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account
* @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with
* @param string $passwordHashingStrategy Optional password hashing strategy to use for the password
* @return Account A new account, not yet added to the account repository
*/
public function createAccountWithPassword($identifier, $password, $roleIdentifiers = [], $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default')
{
$account = new Account();
$account->setAccountIdentifier($identifier);
$account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy));
$account->setAuthenticationProviderName($authenticationProviderName);
$roles = [];
foreach ($roleIdentifiers as $roleIdentifier) {
$roles[] = $this->policyService->getRole($roleIdentifier);
}
$account->setRoles($roles);
return $account;
}
/**
* @test
*/
public function everybodyRoleCanHaveExplicitDenies()
{
$mockPrivilegeClassName = get_class($this->mockPrivilege);
$this->mockPolicyConfiguration = ['privilegeTargets' => [$mockPrivilegeClassName => ['Some.PrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()'], 'Some.OtherPrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()']]], 'roles' => ['Neos.Flow:Everybody' => ['privileges' => [['privilegeTarget' => 'Some.PrivilegeTarget:Identifier', 'permission' => 'DENY']]], 'Some.Other:Role' => ['privileges' => [['privilegeTarget' => 'Some.PrivilegeTarget:Identifier', 'permission' => 'GRANT']]]]];
$everybodyRole = $this->policyService->getRole('Neos.Flow:Everybody');
$this->assertTrue($everybodyRole->getPrivilegeForTarget('Some.PrivilegeTarget:Identifier')->isDenied());
}
public function setUp()
{
$this->mockRole = $this->getMockBuilder(Role::class)->disableOriginalConstructor()->getMock();
$this->mockRole->expects($this->any())->method('getIdentifier')->will($this->returnValue('Neos.Flow:TestRoleIdentifier'));
$this->mockPolicyService = $this->getMockBuilder(PolicyService::class)->disableOriginalConstructor()->getMock();
$this->mockPolicyService->expects($this->any())->method('getRole')->with('Neos.Flow:TestRoleIdentifier')->will($this->returnValue($this->mockRole));
$this->mockHashService = $this->getMockBuilder(HashService::class)->disableOriginalConstructor()->getMock();
$expectedPassword = $this->testKeyClearText;
$expectedHashedPasswordAndSalt = $this->testKeyHashed;
$this->mockHashService->expects($this->any())->method('validatePassword')->will($this->returnCallback(function ($password, $hashedPasswordAndSalt) use($expectedPassword, $expectedHashedPasswordAndSalt) {
return $hashedPasswordAndSalt === $expectedHashedPasswordAndSalt && $password === $expectedPassword;
}));
$this->mockFileBasedSimpleKeyService = $this->getMockBuilder(FileBasedSimpleKeyService::class)->disableOriginalConstructor()->getMock();
$this->mockFileBasedSimpleKeyService->expects($this->any())->method('getKey')->with('testKey')->will($this->returnValue($this->testKeyHashed));
$this->mockToken = $this->getMockBuilder(PasswordToken::class)->disableOriginalConstructor()->getMock();
}
/**
* @param string $className
* @param string $methodName
* @return boolean
*/
protected function hasPolicyEntryForMethod($className, $methodName)
{
$methodPrivileges = $this->policyService->getAllPrivilegesByType(MethodPrivilegeInterface::class);
/** @var MethodPrivilegeInterface $privilege */
foreach ($methodPrivileges as $privilege) {
if ($privilege->matchesMethod($className, $methodName)) {
return true;
}
}
return false;
}
/**
* Initializes the roles field by fetching the role objects referenced by the roleIdentifiers
*
* @return void
*/
protected function initializeRoles()
{
if ($this->roles !== null) {
return;
}
$this->roles = [];
foreach ($this->roleIdentifiers as $key => $roleIdentifier) {
// check for and clean up roles no longer available
if ($this->policyService->hasRole($roleIdentifier)) {
$this->roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier);
} else {
unset($this->roleIdentifiers[$key]);
}
}
}
/**
* Shows the methods represented by the given security privilege target
*
* If the privilege target has parameters those can be specified separated by a colon
* for example "parameter1:value1" "parameter2:value2".
* But be aware that this only works for parameters that have been specified in the policy
*
* @param string $privilegeTarget The name of the privilegeTarget as stated in the policy
* @return void
*/
public function showMethodsForPrivilegeTargetCommand($privilegeTarget)
{
$privilegeTargetInstance = $this->policyService->getPrivilegeTargetByIdentifier($privilegeTarget);
if ($privilegeTargetInstance === null) {
$this->outputLine('The privilegeTarget "%s" is not defined', [$privilegeTarget]);
$this->quit(1);
}
$privilegeParameters = [];
foreach ($this->request->getExceedingArguments() as $argument) {
list($argumentName, $argumentValue) = explode(':', $argument, 2);
$privilegeParameters[$argumentName] = $argumentValue;
}
$privilege = $privilegeTargetInstance->createPrivilege(PrivilegeInterface::GRANT, $privilegeParameters);
if (!$privilege instanceof MethodPrivilegeInterface) {
$this->outputLine('The privilegeTarget "%s" does not refer to a MethodPrivilege but to a privilege of type "%s"', [$privilegeTarget, $privilege->getPrivilegeTarget()->getPrivilegeClassName()]);
$this->quit(1);
}
$matchedClassesAndMethods = [];
foreach ($this->reflectionService->getAllClassNames() as $className) {
try {
$reflectionClass = new \ReflectionClass($className);
} catch (\ReflectionException $exception) {
continue;
}
foreach ($reflectionClass->getMethods() as $reflectionMethod) {
$methodName = $reflectionMethod->getName();
if ($privilege->matchesMethod($className, $methodName)) {
$matchedClassesAndMethods[$className][$methodName] = $methodName;
}
}
}
if (count($matchedClassesAndMethods) === 0) {
$this->outputLine('The given privilegeTarget did not match any method.');
$this->quit(1);
}
foreach ($matchedClassesAndMethods as $className => $methods) {
$this->outputLine($className);
foreach ($methods as $methodName) {
$this->outputLine(' ' . $methodName);
}
$this->outputLine();
}
}
/**
* Update a given account
*
* @param Account $account The account to update
* @param array $roleIdentifiers A possibly updated list of roles for the user's primary account
* @param array $password Expects an array in the format array('<password>', '<password confirmation>')
* @Flow\Validate(argumentName="password", type="\Neos\Neos\Validation\Validator\PasswordValidator", options={ "allowEmpty"=1, "minimum"=1, "maximum"=255 })
* @return void
*/
public function updateAccountAction(Account $account, array $roleIdentifiers, array $password = array())
{
$user = $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName());
if ($user === $this->currentUser) {
$roles = array();
foreach ($roleIdentifiers as $roleIdentifier) {
$roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier);
}
if (!$this->privilegeManager->isPrivilegeTargetGrantedForRoles($roles, 'Neos.Neos:Backend.Module.Administration.Users')) {
$this->addFlashMessage('With the selected roles the currently logged in user wouldn\'t have access to this module any longer. Please adjust the assigned roles!', 'Don\'t lock yourself out', Message::SEVERITY_WARNING, array(), 1416501197);
$this->forward('edit', null, null, array('user' => $this->currentUser));
}
}
$password = array_shift($password);
if (strlen(trim(strval($password))) > 0) {
$this->userService->setUserPassword($user, $password);
}
$this->userService->setRolesForAccount($account, $roleIdentifiers);
$this->addFlashMessage('The account has been updated.', 'Account updated', Message::SEVERITY_OK);
$this->redirect('edit', null, null, array('user' => $user));
}
/**
* Sets isAuthenticated to TRUE for all tokens.
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof PasswordToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['password'])) {
if ($this->hashService->validatePassword($credentials['password'], $this->fileBasedSimpleKeyService->getKey($this->options['keyName']))) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$account = new Account();
$roles = [];
foreach ($this->options['authenticateRoles'] as $roleIdentifier) {
$roles[] = $this->policyService->getRole($roleIdentifier);
}
$account->setRoles($roles);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* Returns the roles of all authenticated accounts, including inherited roles.
*
* If no authenticated roles could be found the "Anonymous" role is returned.
*
* The "Neos.Flow:Everybody" roles is always returned.
*
* @return Role[]
*/
public function getRoles()
{
if ($this->initialized === false) {
$this->initialize();
}
if ($this->roles === null) {
$this->roles = ['Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody')];
if ($this->authenticationManager->isAuthenticated() === false) {
$this->roles['Neos.Flow:Anonymous'] = $this->policyService->getRole('Neos.Flow:Anonymous');
} else {
$this->roles['Neos.Flow:AuthenticatedUser'] = $this->policyService->getRole('Neos.Flow:AuthenticatedUser');
/** @var $token TokenInterface */
foreach ($this->getAuthenticationTokens() as $token) {
if ($token->isAuthenticated() !== true) {
continue;
}
$account = $token->getAccount();
if ($account === null) {
continue;
}
if ($account !== null) {
$accountRoles = $account->getRoles();
/** @var $currentRole Role */
foreach ($accountRoles as $currentRole) {
if (!in_array($currentRole, $this->roles)) {
$this->roles[$currentRole->getIdentifier()] = $currentRole;
}
/** @var $currentParentRole Role */
foreach ($currentRole->getAllParentRoles() as $currentParentRole) {
if (!in_array($currentParentRole, $this->roles)) {
$this->roles[$currentParentRole->getIdentifier()] = $currentParentRole;
}
}
}
}
}
}
}
return $this->roles;
}
/**
* Returns an array with all roles of a user's accounts, including parent roles, the "Everybody" role and the
* "AuthenticatedUser" role, assuming that the user is logged in.
*
* @param User $user The user
* @return array
*/
protected function getAllRoles(User $user)
{
$roles = array('Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody'), 'Neos.Flow:AuthenticatedUser' => $this->policyService->getRole('Neos.Flow:AuthenticatedUser'));
/** @var Account $account */
foreach ($user->getAccounts() as $account) {
$accountRoles = $account->getRoles();
/** @var $currentRole Role */
foreach ($accountRoles as $currentRole) {
if (!in_array($currentRole, $roles)) {
$roles[$currentRole->getIdentifier()] = $currentRole;
}
/** @var $currentParentRole Role */
foreach ($currentRole->getAllParentRoles() as $currentParentRole) {
if (!in_array($currentParentRole, $roles)) {
$roles[$currentParentRole->getIdentifier()] = $currentParentRole;
}
}
}
}
return $roles;
}
/**
* Creates a new account, assigns it the given roles and authenticates it.
* The created account is returned for further modification, for example for attaching a Party object to it.
*
* @param array $roleNames A list of roles the new account should have
* @return \Neos\Flow\Security\Account The created account
* @api
*/
protected function authenticateRoles(array $roleNames)
{
$account = new \Neos\Flow\Security\Account();
$roles = array();
foreach ($roleNames as $roleName) {
$roles[] = $this->policyService->getRole($roleName);
}
$account->setRoles($roles);
$this->authenticateAccount($account);
return $account;
}
/**
* A changed database needs to resynchronize the roles
*
* @return void
*/
public function resetPolicyRolesCacheAfterDatabaseChanges()
{
$this->policyService->reset();
}
/**
* @test
*/
public function createAccountWithPasswordCreatesANewAccountWithTheGivenIdentifierPasswordRolesAndProviderName()
{
$factory = new AccountFactory();
$actualAccount = $factory->createAccountWithPassword('username', 'password', ['Neos.Flow:Administrator', 'Neos.Flow:Customer'], 'OtherProvider');
$this->assertEquals('username', $actualAccount->getAccountIdentifier());
$this->assertEquals('OtherProvider', $actualAccount->getAuthenticationProviderName());
$this->assertTrue($actualAccount->hasRole($this->policyService->getRole('Neos.Flow:Administrator')));
$this->assertTrue($actualAccount->hasRole($this->policyService->getRole('Neos.Flow:Customer')));
}
