/**
* Return true if the current request's ip matches the saved ips list
* @return bool
*/
protected function matchIpAddress()
{
$accessControlScope = $this->getAccessControlScope();
$requestIp = $accessControlScope->getIp();
foreach ($this->ipAddressList as $checkIp) {
if (kIpAddressUtils::isIpInRange($requestIp, $checkIp)) {
return true;
}
}
return false;
}
protected function matches($field, $value)
{
return kIpAddressUtils::isIpInRange($field, $value);
}
protected function applyCondition($fieldValue, $condition, $refValue, $strippedFieldValue)
{
switch ($condition) {
case self::COND_MATCH:
if (!count($refValue)) {
return null;
}
return in_array($fieldValue, $refValue);
case self::COND_REGEX:
if (!count($refValue)) {
return null;
}
foreach ($refValue as $curRefValue) {
if ($fieldValue === $curRefValue || preg_match("/{$curRefValue}/i", $fieldValue)) {
return true;
}
}
return false;
case self::COND_SITE_MATCH:
$result = strpos($fieldValue, "kwidget") === false ? '0' : '1';
if (!count($refValue)) {
return $result;
}
foreach ($refValue as $curRefValue) {
if ($strippedFieldValue === $curRefValue || strpos($strippedFieldValue, "." . $curRefValue) !== false) {
return $result . '1';
}
}
return $result . '0';
case self::COND_IP_RANGE:
if (!count($refValue)) {
return null;
}
foreach ($refValue as $curRefValue) {
if (kIpAddressUtils::isIpInRange($fieldValue, $curRefValue)) {
return true;
}
}
return false;
case self::COND_GEO_DISTANCE:
if (!count($refValue)) {
return null;
}
foreach ($refValue as $curRefValue) {
if (kGeoUtils::isInGeoDistance($fieldValue, $curRefValue)) {
return true;
}
}
return false;
}
return $strippedFieldValue;
}
protected function applyCondition($fieldValue, $condition, $refValue)
{
switch ($condition) {
case self::COND_MATCH:
if (!count($refValue)) {
return null;
}
return in_array($fieldValue, $refValue);
case self::COND_REGEX:
if (!count($refValue)) {
return null;
}
foreach ($refValue as $curRefValue) {
if ($fieldValue === $curRefValue || preg_match("/{$curRefValue}/i", $fieldValue)) {
return true;
}
}
return false;
case self::COND_SITE_MATCH:
if (!count($refValue)) {
return null;
}
foreach ($refValue as $curRefValue) {
if ($fieldValue === $curRefValue || strpos($fieldValue, "." . $curRefValue) !== false) {
return true;
}
}
return false;
case self::COND_IP_RANGE:
if (!count($refValue)) {
return null;
}
require_once dirname(__FILE__) . '/../../infra/utils/kIpAddressUtils.php';
foreach ($refValue as $curRefValue) {
if (kIpAddressUtils::isIpInRange($fieldValue, $curRefValue)) {
return true;
}
}
return false;
}
return $fieldValue;
}
/**
* Init with allowed permissions for the user in the given KS or kCurrentContext if not KS given
* kCurrentContext::init should have been executed before!
* @param string $ks KS to extract user and partner IDs from instead of kCurrentContext
* @param boolean $useCache use cache or not
* @throws TODO: add all exceptions
*/
public static function init($useCache = null)
{
$securityContext = array(kCurrentContext::$partner_id, kCurrentContext::$ks);
if ($securityContext === self::$lastInitializedContext) {
KalturaLog::log('Already initalized for this security context');
self::$cacheWatcher->apply();
return;
}
// verify that kCurrentContext::init has been executed since it must be used to init current context permissions
if (!kCurrentContext::$ksPartnerUserInitialized) {
KalturaLog::crit('kCurrentContext::initKsPartnerUser must be executed before initializing kPermissionManager');
throw new Exception('kCurrentContext has not been initialized!', null);
}
// can be initialized more than once to support multirequest with different kCurrentContext parameters
self::$lastInitializedContext = null;
self::$cacheWatcher = new kApiCacheWatcher();
self::$useCache = $useCache ? true : false;
// copy kCurrentContext parameters (kCurrentContext::init should have been executed before)
self::$requestedPartnerId = !self::isEmpty(kCurrentContext::$partner_id) ? kCurrentContext::$partner_id : null;
self::$ksPartnerId = !self::isEmpty(kCurrentContext::$ks_partner_id) ? kCurrentContext::$ks_partner_id : null;
if (self::$ksPartnerId == Partner::ADMIN_CONSOLE_PARTNER_ID && kConf::hasParam('admin_console_partner_allowed_ips')) {
$ipAllowed = false;
$ipRanges = explode(',', kConf::get('admin_console_partner_allowed_ips'));
foreach ($ipRanges as $curRange) {
if (kIpAddressUtils::isIpInRange($_SERVER['REMOTE_ADDR'], $curRange)) {
$ipAllowed = true;
break;
}
}
if (!$ipAllowed) {
throw new kCoreException("Admin console partner used from an unallowed address", kCoreException::PARTNER_BLOCKED);
}
}
self::$ksUserId = !self::isEmpty(kCurrentContext::$ks_uid) ? kCurrentContext::$ks_uid : null;
if (self::$ksPartnerId != Partner::BATCH_PARTNER_ID) {
self::$kuser = !self::isEmpty(kCurrentContext::getCurrentKsKuser()) ? kCurrentContext::getCurrentKsKuser() : null;
}
self::$ksString = kCurrentContext::$ks ? kCurrentContext::$ks : null;
self::$adminSession = !self::isEmpty(kCurrentContext::$is_admin_session) ? kCurrentContext::$is_admin_session : false;
// if ks defined - check that it is valid
self::errorIfKsNotValid();
// init partner, user, and role objects
self::initPartnerUserObjects();
// throw an error if KS partner (operating partner) is blocked
self::errorIfPartnerBlocked();
//throw an error if KS user is blocked
self::errorIfUserBlocked();
// init role ids
self::initRoleIds();
// init permissions map
self::initPermissionsMap();
// initialization done
self::$lastInitializedContext = $securityContext;
self::$cacheWatcher->stop();
return true;
}
