public function doCheck($object, IPermission $perm, LoginContext $context = null) { if (SecurityManager::$Logger->isDebugEnabled()) { SecurityManager::$Logger->debug('Preparing to check permission with login context:'); SecurityManager::$Logger->debug(print_r($context, true)); } // A little "hack" here to avoid any lock to the root user due to configuration problem // in the next steps (= even without any configuration or with a broken configuration file, // the root will always have all the permissions on everything) $eyeosUser = null; try { $eyeosUser = $context->getEyeosUser(); if ($eyeosUser->getName() === 'root') { if (SecurityManager::$Logger->isInfoEnabled()) { SecurityManager::$Logger->info('Root user found in login context: bypassing any further security check for requested permission ' . $perm . '.'); } return; } } catch (EyeNullPointerException $e) { } $configuration = PolicyConfiguration::getConfiguration(); // Browse policy entries until we find one that matches the class of our object foreach ($configuration->getPolicyEntries() as $policyEntry) { $objectClass = $policyEntry->getObjectClass(); if ($object instanceof $objectClass) { // Check permission using each handler defined for this entry foreach ($policyEntry->getHandlerEntries() as $handlerEntry) { try { $handler = SecurityManager::getNewHandlerInstance($handlerEntry->getHandlerClass(), $handlerEntry->getParams()); try { $status = $handler->checkPermission($object, $perm, $context); // SUCCESS (access granted byt the current handler) if ($status === true) { if ($handlerEntry->getFlag() == PolicyHandlerEntry::FLAG_SUFFICIENT) { if ($this->firstRequiredError === null) { return; } } $this->success = true; } else { if (SecurityManager::$Logger->isInfoEnabled()) { $failureExceptionMessage = '(none available)'; if ($handler->getFailureException() !== null) { $failureExceptionMessage = $handler->getFailureException()->getMessage(); } SecurityManager::$Logger->debug($handlerEntry->getHandlerClass() . ' failure message: ' . $failureExceptionMessage); } } } catch (EyeSecurityException $e) { if ($handlerEntry->getFlag() == PolicyHandlerEntry::FLAG_REQUISITE) { if (SecurityManager::$Logger->isInfoEnabled()) { SecurityManager::$Logger->info('Requested permission ' . $perm . ' denied object of class ' . get_class($object) . ' (REQUISITE handler ' . $handlerEntry->getHandlerClass() . ' failed).'); SecurityManager::$Logger->info($e->getMessage()); } $this->throwException($this->firstRequiredError, $e); } else { if ($handlerEntry->getFlag() == PolicyHandlerEntry::FLAG_REQUIRED) { if ($this->firstRequiredError === null) { $this->firstRequiredError = $e; } } else { if ($this->firstError === null) { $this->firstError = $e; } } } } } catch (EyeException $e) { $this->throwException(null, $e); } } if ($this->firstRequiredError !== null) { // A required handler failed if (SecurityManager::$Logger->isInfoEnabled()) { SecurityManager::$Logger->info('Requested permission ' . $perm . ' denied on object of class ' . get_class($object) . ' (a REQUIRED handler failed).'); SecurityManager::$Logger->info($this->firstRequiredError->getMessage()); } $this->throwException($this->firstRequiredError, null); } else { if (!$this->success && $this->firstError !== null) { // No handler succeeded: return the first error if (SecurityManager::$Logger->isInfoEnabled()) { SecurityManager::$Logger->info('Requested permission ' . $perm . ' denied on object of class ' . get_class($object) . '.'); SecurityManager::$Logger->info($this->firstError->getMessage()); } $this->throwException($this->firstError, null); } else { if (!$this->success) { // All handlers returned FALSE (= they could not perform permission checks for any reason) SecurityManager::$Logger->warn('All SecurityHandlers have been ignored for object of class ' . get_class($object) . '.'); $this->throwException(new EyeSecurityException('Permission check failure: all handlers ignored on object of class "' . $objectClass . '".'), null); } else { if (SecurityManager::$Logger->isDebugEnabled()) { SecurityManager::$Logger->debug('Permission ' . $perm . ' granted on object of class ' . get_class($object) . '.'); } return; } } } } } // No matching policy entry has been found for given $object: report it in the log and allow access if (!$this->success) { SecurityManager::$Logger->warn('No matching policy entry for object of class ' . get_class($object) . ' has been found.'); } }