/**
* Checks the given token for validity and sets the token authentication status
* accordingly (success, wrong credentials or no credentials given).
*
* @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof UsernamePassword) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
/** @var $account \TYPO3\Flow\Security\Account */
$account = NULL;
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['username'])) {
$providerName = $this->name;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
}
if (is_object($account)) {
if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* Add the current node and all parent identifiers to be used for cache entry tagging
*
* @Flow\Before("method(TYPO3\Flow\Mvc\Routing\RouterCachingService->extractUuids())")
* @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current join point
* @return void
*/
public function addCurrentNodeIdentifier(JoinPointInterface $joinPoint)
{
$values = $joinPoint->getMethodArgument('values');
if (!isset($values['node']) || strpos($values['node'], '@') === false) {
return;
}
// Build context explicitly without authorization checks because the security context isn't available yet
// anyway and any Entity Privilege targeted on Workspace would fail at this point:
$this->securityContext->withoutAuthorizationChecks(function () use($joinPoint, $values) {
$contextPathPieces = NodePaths::explodeContextPath($values['node']);
$context = $this->contextFactory->create(['workspaceName' => $contextPathPieces['workspaceName'], 'dimensions' => $contextPathPieces['dimensions'], 'invisibleContentShown' => true]);
$node = $context->getNode($contextPathPieces['nodePath']);
if (!$node instanceof NodeInterface) {
return;
}
$values['node-identifier'] = $node->getIdentifier();
$node = $node->getParent();
$values['node-parent-identifier'] = array();
while ($node !== null) {
$values['node-parent-identifier'][] = $node->getIdentifier();
$node = $node->getParent();
}
$joinPoint->setMethodArgument('values', $values);
});
}
/**
* Sets isAuthenticated to TRUE for all tokens.
*
* @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof Typo3OrgSsoToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
/** @var $account \TYPO3\Flow\Security\Account */
$account = null;
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['username'])) {
$providerName = $this->name;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, &$account) {
$account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
}
if (is_object($account)) {
$authenticationData = 'version=' . $credentials['version'] . '&user='******'username'] . '&tpa_id=' . $credentials['tpaId'] . '&expires=' . $credentials['expires'] . '&action=' . $credentials['action'] . '&flags=' . $credentials['flags'] . '&userdata=' . $credentials['userdata'];
if ($this->rsaWalletService->verifySignature($authenticationData, $credentials['signature'], $this->options['rsaKeyUuid']) && $credentials['expires'] > time()) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* Exports the node data of all nodes in the given sub-tree
* by writing them to the given XMLWriter.
*
* @param string $startingPointNodePath path to the root node of the sub-tree to export. The specified node will not be included, only its sub nodes.
* @param string $workspaceName
* @param \XMLWriter $xmlWriter
* @param boolean $tidy
* @param boolean $endDocument
* @param string $resourceSavePath
* @param string $nodeTypeFilter Filter the node type of the nodes, allows complex expressions (e.g. "TYPO3.Neos:Page", "!TYPO3.Neos:Page,TYPO3.Neos:Text")
* @return \XMLWriter
*/
public function export($startingPointNodePath = '/', $workspaceName = 'live', \XMLWriter $xmlWriter = null, $tidy = true, $endDocument = true, $resourceSavePath = null, $nodeTypeFilter = null)
{
$this->propertyMappingConfiguration = new ImportExportPropertyMappingConfiguration($resourceSavePath);
$this->exceptionsDuringExport = array();
$this->exportedNodePaths = array();
if ($startingPointNodePath !== '/') {
$startingPointParentPath = substr($startingPointNodePath, 0, strrpos($startingPointNodePath, '/'));
$this->exportedNodePaths[$startingPointParentPath] = true;
}
$this->xmlWriter = $xmlWriter;
if ($this->xmlWriter === null) {
$this->xmlWriter = new \XMLWriter();
$this->xmlWriter->openMemory();
$this->xmlWriter->setIndent($tidy);
$this->xmlWriter->startDocument('1.0', 'UTF-8');
}
$this->securityContext->withoutAuthorizationChecks(function () use($startingPointNodePath, $workspaceName, $nodeTypeFilter) {
$nodeDataList = $this->findNodeDataListToExport($startingPointNodePath, $workspaceName, $nodeTypeFilter);
$this->exportNodeDataList($nodeDataList);
});
if ($endDocument) {
$this->xmlWriter->endDocument();
}
$this->handleExceptionsDuringExport();
return $this->xmlWriter;
}
/**
* Returns the static value of the given operand, this might be also a global object
*
* @param mixed $expression The expression string representing the operand
* @return mixed The calculated value
*/
public function getValueForOperand($expression)
{
if (is_array($expression)) {
$result = array();
foreach ($expression as $expressionEntry) {
$result[] = $this->getValueForOperand($expressionEntry);
}
return $result;
} elseif (is_numeric($expression)) {
return $expression;
} elseif ($expression === true) {
return true;
} elseif ($expression === false) {
return false;
} elseif ($expression === null) {
return null;
} elseif (strpos($expression, 'context.') === 0) {
$objectAccess = explode('.', $expression, 3);
$globalObjectsRegisteredClassName = $this->globalObjects[$objectAccess[1]];
$globalObject = $this->objectManager->get($globalObjectsRegisteredClassName);
$this->securityContext->withoutAuthorizationChecks(function () use($globalObject, $objectAccess, &$globalObjectValue) {
$globalObjectValue = $this->getObjectValueByPath($globalObject, $objectAccess[2]);
});
return $globalObjectValue;
} else {
return trim($expression, '"\'');
}
}
/**
* @test
*/
public function getContextHashReturnsStaticStringIfAuthorizationChecksAreDisabled()
{
$self = $this;
$this->securityContext->withoutAuthorizationChecks(function () use($self) {
$self->assertSame(Context::CONTEXT_HASH_UNINITIALIZED, $self->securityContext->getContextHash());
});
}
/**
* Checks the given token for validity and sets the token authentication status
* accordingly (success, wrong credentials or no credentials given).
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof JwtToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1417040168);
}
/** @var $account Account */
$account = NULL;
$credentials = $authenticationToken->getCredentials();
if (!is_array($credentials) || !isset($credentials['token'])) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
return;
}
$hmac = $this->hashService->generateHmac($this->signature);
$payload = NULL;
try {
$payload = (array) JWT::decode($credentials['token'], $hmac, array('HS256'));
} catch (\Exception $exception) {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
if (isset($credentials['username'])) {
$providerName = $this->name;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
return;
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
return;
}
}
if ($credentials['user_agent'] === $payload['user_agent'] && $credentials['ip_address'] === $payload['ip_address']) {
$this->securityContext->withoutAuthorizationChecks(function () use($payload, &$account) {
$account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($payload['identifier'], $this->name);
});
}
if (is_object($account)) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
return;
}
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
return;
}
/**
* Authenticates against a crowd instance.
*
* @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof UsernamePassword) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339845);
}
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['username']) && isset($credentials['password'])) {
$crowdAuthenticationResponse = $this->crowdClient->authenticate($credentials['username'], $credentials['password']);
if ($crowdAuthenticationResponse !== NULL) {
/** @var $account \TYPO3\Flow\Security\Account */
$account = NULL;
$providerName = $this->name;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
if ($account === NULL) {
$account = new Account();
$account->setAuthenticationProviderName($providerName);
$account->setAccountIdentifier($credentials['username']);
$this->accountRepository->add($account);
}
$authenticateRole = $this->policyService->getRole($this->options['authenticateRole']);
if ($account->hasRole($authenticateRole) === FALSE) {
$account->addRole($authenticateRole);
}
$crowdUser = $this->partyService->getAssignedPartyOfAccount($account);
if ($crowdUser instanceof Person) {
if ($crowdUser->getName()->getFirstName() !== $crowdAuthenticationResponse['first-name']) {
$crowdUser->getName()->setFirstName($crowdAuthenticationResponse['first-name']);
$this->partyRepository->update($crowdUser);
}
if ($crowdUser->getName()->getLastName() !== $crowdAuthenticationResponse['last-name']) {
$crowdUser->getName()->setLastName($crowdAuthenticationResponse['last-name']);
$this->partyRepository->update($crowdUser);
}
if ($crowdUser->getPrimaryElectronicAddress()->getIdentifier() !== $crowdAuthenticationResponse['email']) {
$crowdUser->getPrimaryElectronicAddress()->setIdentifier($crowdAuthenticationResponse['email']);
$this->partyRepository->update($crowdUser);
}
} else {
$crowdUser = new Person();
$crowdUser->setName(new PersonName('', $crowdAuthenticationResponse['first-name'], '', $crowdAuthenticationResponse['last-name']));
$email = new ElectronicAddress();
$email->setIdentifier($crowdAuthenticationResponse['email']);
$email->setType(ElectronicAddress::TYPE_EMAIL);
$crowdUser->setPrimaryElectronicAddress($email);
$this->partyRepository->add($crowdUser);
$this->partyService->assignAccountToParty($account, $crowdUser);
}
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* @param string $nodeIdentifier
* @return NodeInterface
*/
protected function getNodeByIdentifier($nodeIdentifier)
{
$context = $this->contextFactory->create();
$node = null;
$this->securityContext->withoutAuthorizationChecks(function () use($nodeIdentifier, $context, &$node) {
$node = $context->getNodeByIdentifier($nodeIdentifier);
});
$context->getFirstLevelNodeCache()->setByIdentifier($nodeIdentifier, null);
return $node;
}
/**
* Tries to authenticate the given token. Sets isAuthenticated to TRUE if authentication succeeded.
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
* @return void
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof AbstractClientToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1383754993);
}
$credentials = $authenticationToken->getCredentials();
// Inspect the received access token as documented in https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/
$tokenInformation = $this->facebookTokenEndpoint->requestValidatedTokenInformation($credentials['accessToken']);
if ($tokenInformation === FALSE) {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
return;
}
// Check if the permitted scopes suffice:
$necessaryScopes = $this->options['scopes'];
$scopesHavingPermissionFor = $tokenInformation['scopes'];
$requiredButNotPermittedScopes = array_diff($necessaryScopes, $scopesHavingPermissionFor);
if (count($requiredButNotPermittedScopes) > 0) {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
$this->securityLogger->log('The permitted scopes do not satisfy the required once.', LOG_NOTICE, array('necessaryScopes' => $necessaryScopes, 'allowedScopes' => $scopesHavingPermissionFor));
return;
}
// From here, we surely know the user is considered authenticated against the remote service,
// yet to check if there is an immanent account present.
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
/** @var $account \TYPO3\Flow\Security\Account */
$account = NULL;
$providerName = $this->name;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($tokenInformation, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findByAccountIdentifierAndAuthenticationProviderName($tokenInformation['user_id'], $providerName);
});
if ($account === NULL) {
$account = new Account();
$account->setAccountIdentifier($tokenInformation['user_id']);
$account->setAuthenticationProviderName($providerName);
$this->accountRepository->add($account);
}
$authenticationToken->setAccount($account);
// request long-live token and attach that to the account
$longLivedToken = $this->facebookTokenEndpoint->requestLongLivedToken($credentials['accessToken']);
$account->setCredentialsSource($longLivedToken);
$this->accountRepository->update($account);
}
/**
* Tries to authenticate the given token. Sets isAuthenticated to TRUE if authentication succeeded.
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
* @return void
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof AbstractClientToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1383754993);
}
$credentials = $authenticationToken->getCredentials();
// There is no way to validate the Token or check the scopes at the moment apart from "trying" (and possibly receiving an access denied)
// we could check the validity of the Token and the scopes here in the future when Instagram provides that
// Only check if an access Token is present at this time and do a single test call
if (isset($credentials['accessToken']) && $credentials['accessToken'] !== NULL) {
// check if a secure request is possible (https://www.instagram.com/developer/secure-api-requests/)
$userInfo = $this->instagramTokenEndpoint->validateSecureRequestCapability($credentials['accessToken']);
if ($userInfo === FALSE) {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
$this->securityLogger->log('A secure call to the API with the provided accessToken and clientSecret was not possible', LOG_NOTICE);
return FALSE;
}
} else {
}
// From here, we surely know the user is considered authenticated against the remote service,
// yet to check if there is an immanent account present.
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
/** @var $account \TYPO3\Flow\Security\Account */
$account = NULL;
$providerName = $this->name;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($userInfo, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findByAccountIdentifierAndAuthenticationProviderName($userInfo['id'], $providerName);
});
if ($account === NULL) {
$account = new Account();
$account->setAccountIdentifier($userInfo['id']);
$account->setAuthenticationProviderName($providerName);
$this->accountRepository->add($account);
}
$authenticationToken->setAccount($account);
// the access token is valid for an "undefined time" according to instagram (so we cannot know when the user needs to log in again)
$account->setCredentialsSource($credentials['accessToken']);
$this->accountRepository->update($account);
// check if a user is already attached to this account
if ($this->partyService->getAssignedPartyOfAccount($account) === null || count($this->partyService->getAssignedPartyOfAccount($account)) < 1) {
$user = $this->userService->getCurrentUser();
if ($user !== null) {
$user->addAccount($account);
$this->userService->updateUser($user);
$this->persistenceManager->whitelistObject($user);
} else {
$this->securityLogger->logException(new Exception("The InstagramProvider was unable to determine the backend user, make sure the configuration Typo3BackendProvider requestPattern matches the Instagram Controller and the authentication strategy is set to 'atLeastOne' Token"));
}
}
// persistAll is called automatically at the end of this function, account gets whitelisted to allow
// persisting for an object thats tinkered with via a GET request
$this->persistenceManager->whitelistObject($account);
}
/**
* Find out if the given path exists anywhere in the CR. (internal)
* If you need this functionality use \TYPO3\TYPO3CR\Domain\Service\NodeService::nodePathExistsInAnyContext()
*
* @param string $nodePath
* @return boolean
*/
public function pathExists($nodePath)
{
$nodePath = strtolower($nodePath);
$result = null;
/** @var QueryBuilder $queryBuilder */
$queryBuilder = $this->entityManager->createQueryBuilder();
$this->securityContext->withoutAuthorizationChecks(function () use($nodePath, $queryBuilder, &$result) {
$queryBuilder->select('n.identifier')->from('TYPO3\\TYPO3CR\\Domain\\Model\\NodeData', 'n')->where('n.pathHash = :pathHash')->setParameter('pathHash', md5($nodePath));
$result = count($queryBuilder->getQuery()->getResult()) > 0 ? true : false;
});
return $result;
}
/**
* Tries to authenticate the tokens in the security context (in the given order)
* with the available authentication providers, if needed.
* If the authentication strategy is set to "allTokens", all tokens have to be authenticated.
* If the strategy is set to "oneToken", only one token needs to be authenticated, but the
* authentication will stop after the first authenticated token. The strategy
* "atLeastOne" will try to authenticate at least one and as many tokens as possible.
*
* @return void
* @throws \TYPO3\Flow\Security\Exception
* @throws \TYPO3\Flow\Security\Exception\AuthenticationRequiredException
*/
public function authenticate()
{
$this->isAuthenticated = false;
$anyTokenAuthenticated = false;
if ($this->securityContext === null) {
throw new Exception('Cannot authenticate because no security context has been set.', 1232978667);
}
$tokens = $this->securityContext->getAuthenticationTokens();
if (count($tokens) === 0) {
throw new NoTokensAuthenticatedException('The security context contained no tokens which could be authenticated.', 1258721059);
}
/** @var $token TokenInterface */
foreach ($tokens as $token) {
/** @var $provider AuthenticationProviderInterface */
foreach ($this->providers as $provider) {
if ($provider->canAuthenticate($token) && $token->getAuthenticationStatus() === TokenInterface::AUTHENTICATION_NEEDED) {
$provider->authenticate($token);
if ($token->isAuthenticated()) {
$this->emitAuthenticatedToken($token);
}
break;
}
}
if ($token->isAuthenticated()) {
if (!$token instanceof SessionlessTokenInterface) {
if (!$this->session->isStarted()) {
$this->session->start();
}
$account = $token->getAccount();
if ($account !== null) {
$this->securityContext->withoutAuthorizationChecks(function () use($account) {
$this->session->addTag('TYPO3-Flow-Security-Account-' . md5($account->getAccountIdentifier()));
});
}
}
if ($this->securityContext->getAuthenticationStrategy() === Context::AUTHENTICATE_ONE_TOKEN) {
$this->isAuthenticated = true;
$this->securityContext->refreshRoles();
return;
}
$anyTokenAuthenticated = true;
} else {
if ($this->securityContext->getAuthenticationStrategy() === Context::AUTHENTICATE_ALL_TOKENS) {
throw new AuthenticationRequiredException('Could not authenticate all tokens, but authenticationStrategy was set to "all".', 1222203912);
}
}
}
if (!$anyTokenAuthenticated && $this->securityContext->getAuthenticationStrategy() !== Context::AUTHENTICATE_ANY_TOKEN) {
throw new NoTokensAuthenticatedException('Could not authenticate any token. Might be missing or wrong credentials or no authentication provider matched.', 1222204027);
}
$this->isAuthenticated = $anyTokenAuthenticated;
$this->securityContext->refreshRoles();
}
/**
* Calls a behat step method
*
* @Flow\Internal
* @param string $testHelperObjectName
* @param string $methodName
* @param boolean $withoutSecurityChecks
*/
public function callBehatStepCommand($testHelperObjectName, $methodName, $withoutSecurityChecks = FALSE)
{
$testHelper = $this->objectManager->get($testHelperObjectName);
$rawMethodArguments = $this->request->getExceedingArguments();
$mappedArguments = array();
for ($i = 0; $i < count($rawMethodArguments); $i += 2) {
$mappedArguments[] = $this->propertyMapper->convert($rawMethodArguments[$i + 1], $rawMethodArguments[$i]);
}
$result = NULL;
try {
if ($withoutSecurityChecks === TRUE) {
$this->securityContext->withoutAuthorizationChecks(function () use($testHelper, $methodName, $mappedArguments, &$result) {
$result = call_user_func_array(array($testHelper, $methodName), $mappedArguments);
});
} else {
$result = call_user_func_array(array($testHelper, $methodName), $mappedArguments);
}
} catch (\Exception $exception) {
$this->outputLine('EXCEPTION: %s %d %s in %s:%s %s', array(get_class($exception), $exception->getCode(), $exception->getMessage(), $exception->getFile(), $exception->getLine(), $exception->getTraceAsString()));
return;
}
$this->output('SUCCESS: %s', array($result));
}
/**
* Filter a node by the current context.
* Will either return the node or NULL if it is not permitted in current context.
*
* @param NodeInterface $node
* @param Context $context
* @return \TYPO3\TYPO3CR\Domain\Model\NodeInterface|NULL
*/
protected function filterNodeByContext(NodeInterface $node, Context $context)
{
$this->securityContext->withoutAuthorizationChecks(function () use(&$node, $context) {
if (!$context->isRemovedContentShown() && $node->isRemoved()) {
$node = null;
return;
}
if (!$context->isInvisibleContentShown() && !$node->isVisible()) {
$node = null;
return;
}
if (!$context->isInaccessibleContentShown() && !$node->isAccessible()) {
$node = null;
}
});
return $node;
}
/**
* Imports the sub-tree from the xml reader into the given target path.
*
* The root node of the imported tree becomes a child of the node specified as the target path,
* as the following example illustrates:
*
* 1. Existing Nodes Before Import:
*
* path
* - to
* - - my
* - - - targetNode
* - - - - A
* - other
* - - nodes
*
* 2. Sub-tree in xml to import to 'path/to/my/targetNode':
*
* <B>
* - <B1/>
* </B>
*
* 3. existing nodes after the import:
*
* path
* - to
* - - my
* - - - targetNode
* - - - - A
* - - - - B
* - - - - - B1
* - another
* - - sub-tree
*
* @param \XMLReader $xmlReader The XML input to import - must be either XML as a string or a prepared \XMLReader instance containing XML data
* @param string $targetPath path to the node which becomes parent of the root of the imported sub-tree
* @param string $resourceLoadPath
* @throws ImportException
* @return void
*/
public function import(\XMLReader $xmlReader, $targetPath, $resourceLoadPath = null)
{
$this->propertyMappingConfiguration = new ImportExportPropertyMappingConfiguration($resourceLoadPath);
$this->nodeNameStack = $targetPath === '/' ? array() : array_map(function ($pathSegment) {
return Utility::renderValidNodeName($pathSegment);
}, explode('/', $targetPath));
$formatVersion = $this->determineFormatVersion($xmlReader);
switch ($formatVersion) {
case self::SUPPORTED_FORMAT_VERSION:
$this->securityContext->withoutAuthorizationChecks(function () use($xmlReader) {
$this->importSubtree($xmlReader);
});
break;
case null:
throw new ImportException('Failed to recognize format of the Node Data XML to import. Please make sure that you use a valid Node Data XML structure.', 1409059346);
default:
throw new ImportException('Failed to import Node Data XML: The format with version ' . $formatVersion . ' is not supported, only version ' . self::SUPPORTED_FORMAT_VERSION . ' is supported.', 1409059352);
}
}
/**
* @param Token $token
* @return void
*/
public function onetimeLoginAction(Token $token)
{
$username = $token->getMeta()['name'];
/** @var $account \TYPO3\Flow\Security\Account */
$account = NULL;
$providerName = $this->authenticationProviderName;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($username, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName);
});
foreach ($this->securityContext->getAuthenticationTokens() as $authenticationToken) {
if ($authenticationToken->getAuthenticationProviderName() === $providerName) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
break;
}
}
$this->redirect('resetForm');
}
/**
* @param string $username Crowd Username
* @param string $providerName Name of the authentication provider, this account should be used with
* @return Account
*/
public function getLocalAccountForCrowdUser($username, $providerName)
{
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($username, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName);
});
if ($account === NULL) {
if ($this->getUser($username) === NULL) {
return NULL;
}
$account = new Account();
$account->setAuthenticationProviderName($providerName);
$account->setAccountIdentifier($username);
$roleIdentifier = $this->configurationManager->getConfiguration(ConfigurationManager::CONFIGURATION_TYPE_SETTINGS, 'TYPO3.Flow.security.authentication.providers.' . $providerName . '.providerOptions.authenticateRole');
$account->addRole($this->policyService->getRole($roleIdentifier));
$this->accountRepository->add($account);
$this->persistenceManager->persistAll();
}
return $account;
}
/**
* Matches a frontend URI pointing to a node (for example a page).
*
* This function tries to find a matching node by the given request path. If one was found, its
* absolute context node path is set in $this->value and TRUE is returned.
*
* Note that this matcher does not check if access to the resolved workspace or node is allowed because at the point
* in time the route part handler is invoked, the security framework is not yet fully initialized.
*
* @param string $requestPath The request path (without leading "/", relative to the current Site Node)
* @return boolean TRUE if the $requestPath could be matched, otherwise FALSE
* @throws \Exception
* @throws Exception\NoHomepageException if no node could be found on the homepage (empty $requestPath)
*/
protected function matchValue($requestPath)
{
try {
/** @var NodeInterface $node */
$node = null;
// Build context explicitly without authorization checks because the security context isn't available yet
// anyway and any Entity Privilege targeted on Workspace would fail at this point:
$this->securityContext->withoutAuthorizationChecks(function () use(&$node, $requestPath) {
$node = $this->convertRequestPathToNode($requestPath);
});
} catch (Exception $exception) {
$this->systemLogger->log('FrontendNodeRoutePartHandler matchValue(): ' . $exception->getMessage(), LOG_DEBUG);
if ($requestPath === '') {
throw new Exception\NoHomepageException('Homepage could not be loaded. Probably you haven\'t imported a site yet', 1346950755, $exception);
}
return false;
}
if ($this->onlyMatchSiteNodes() && $node !== $node->getContext()->getCurrentSiteNode()) {
return false;
}
$this->value = $node->getContextPath();
return true;
}
