/**
* Get an array of Role names granted to the user that permit the requested
* action on the given Service. If the user has no roles that
* permit the requested action, then return an empty array.
* <p>
* Supported actions: EDIT_OBJECT
* @see \Action
*
* @param string $action @see \Action
* @param \Service $se
* @param \User $user
* @return array of RoleName string values that grant the requested action
* @throws \LogicException if action is not supported or is unknown
*/
public function authorizeAction($action, \Service $se, \User $user = null)
{
if (!in_array($action, \Action::getAsArray())) {
throw new \LogicException('Coding Error - Invalid action not known');
}
if (is_null($user)) {
return array();
}
if (is_null($user->getId())) {
return array();
}
if ($action == \Action::EDIT_OBJECT) {
$usersActualRoleNames = array();
$site = $se->getParentSite();
if (is_null($site)) {
//TODO: Service Group authentication - see if the current user holds a role over the creating service group
}
$roleService = new \org\gocdb\services\Role();
// to inject
$roleService->setEntityManager($this->em);
if ($site != null) {
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($site, $user));
}
$ngi = $site->getNgi();
if ($ngi != null) {
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($ngi, $user));
}
$requiredRoles = array(\RoleTypeName::SITE_ADMIN, \RoleTypeName::SITE_SECOFFICER, \RoleTypeName::SITE_OPS_DEP_MAN, \RoleTypeName::SITE_OPS_MAN, \RoleTypeName::REG_FIRST_LINE_SUPPORT, \RoleTypeName::REG_STAFF_ROD, \RoleTypeName::NGI_SEC_OFFICER, \RoleTypeName::NGI_OPS_DEP_MAN, \RoleTypeName::NGI_OPS_MAN);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
throw new \LogicException('Unsupported Action');
}
if ($user->isAdmin()) {
$enablingRoles[] = \RoleTypeName::GOCDB_ADMIN;
}
return array_unique($enablingRoles);
}
/**
* Get an array of Role names granted to the user that permit the requested
* action on the given Project. If the user has no roles that
* permit the requested action, then return an empty array.
*
* Suppored actions: EDIT_OBJECT, GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE
*
* @param string $action @see \Action
* @param \ServiceGroup $sg
* @param \User $user
* @return array of RoleName string values that grant the requested action
* @throws \LogicException if action is not supported or is unknown
*/
public function authorizeAction($action, \Project $project, \User $user = null)
{
require_once __DIR__ . '/Role.php';
if (!in_array($action, \Action::getAsArray())) {
throw new \LogicException('Coding Error - Invalid action not known');
}
if (is_null($user)) {
return array();
}
if (is_null($user->getId())) {
return array();
}
$roleService = new \org\gocdb\services\Role();
// to inject
$roleService->setEntityManager($this->em);
if ($action == \Action::EDIT_OBJECT) {
// Only Project (E) level roles can edit project
$requiredRoles = array(\RoleTypeName::COD_ADMIN, \RoleTypeName::COD_STAFF, \RoleTypeName::EGI_CSIRT_OFFICER, \RoleTypeName::COO);
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($project, $user);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
if ($action == \Action::GRANT_ROLE || $action == \Action::REJECT_ROLE || $action == \Action::REVOKE_ROLE) {
$requiredRoles = array(\RoleTypeName::COD_ADMIN, \RoleTypeName::COD_STAFF, \RoleTypeName::EGI_CSIRT_OFFICER, \RoleTypeName::COO);
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($project, $user);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
throw new \LogicException('Unsupported Action');
}
}
if ($user->isAdmin()) {
$enablingRoles[] = \RoleTypeName::GOCDB_ADMIN;
}
return array_unique($enablingRoles);
}
/**
* Get an array of Role names granted to the user that permit the requested
* action on the given ServiceGroup. If the user has no roles that
* permit the requested action, then return an empty array.
* <p>
* Suppored actions: EDIT_OBJECT
* GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE
*
* @param string $action @see \Action
* @param \ServiceGroup $sg
* @param \User $user
* @return array of RoleName string values that grant the requested action
* @throws \LogicException if action is not supported or is unknown
*/
public function authorizeAction($action, \ServiceGroup $sg, \User $user = null)
{
if (!in_array($action, \Action::getAsArray())) {
throw new \LogicException('Coding Error - Invalid action not known');
}
if (is_null($user)) {
return array();
}
if (is_null($user->getId())) {
return array();
}
$roleService = new \org\gocdb\services\Role();
// to inject
$roleService->setEntityManager($this->em);
if ($action == \Action::EDIT_OBJECT) {
$requiredRoles = array(\RoleTypeName::SERVICEGROUP_ADMIN);
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($sg, $user);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
if ($action == \Action::GRANT_ROLE || $action == \Action::REJECT_ROLE || $action == \Action::REVOKE_ROLE) {
$requiredRoles = array(\RoleTypeName::SERVICEGROUP_ADMIN);
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($sg, $user);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
throw new \LogicException('Unsupported Action');
}
}
if ($user->isAdmin()) {
$enablingRoles[] = \RoleTypeName::GOCDB_ADMIN;
}
return array_unique($enablingRoles);
}
public function testGetUserRoles()
{
print __METHOD__ . "\n";
// Create two roletypes
$ngiRoleType = TestUtil::createSampleRoleType("RT1_NAME");
$siteRoleType = TestUtil::createSampleRoleType("RT2_NAME");
$this->em->persist($ngiRoleType);
$this->em->persist($siteRoleType);
// Create a user
$u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
$this->em->persist($u);
// Create an NGI
$ngi = TestUtil::createSampleNGI("MYNGI");
$this->em->persist($ngi);
// Create a Role and link to the User, ngiRoleType and ngi
$roleNgi = TestUtil::createSampleRole($u, $ngiRoleType, $ngi, RoleStatus::GRANTED);
$this->em->persist($roleNgi);
// Create a site
$site1 = TestUtil::createSampleSite("SITENAME");
$this->em->persist($site1);
// Create another role and link to the User, siteRoleType and site
$roleSite = TestUtil::createSampleRole($u, $siteRoleType, $site1, RoleStatus::GRANTED);
$this->em->persist($roleSite);
// Create a second and third sites and add to the NGI, but DO NOT add direct
// roles over those sites for the user. The user will still have role
// over the sites because they have a role over the NGI !
$site2 = TestUtil::createSampleSite("SITENAME2");
$site3 = TestUtil::createSampleSite("SITENAME3");
$this->em->persist($site2);
$this->em->persist($site3);
$ngi->addSiteDoJoin($site2);
$ngi->addSiteDoJoin($site3);
$this->em->flush();
// ********MUST******** start a new connection to test transactional
// isolation of RoleService methods.
$em = $this->createEntityManager();
$roleService = new org\gocdb\services\Role();
$roleService->setEntityManager($em);
// assert that user has expected roles
$roles = $roleService->getUserRoles($u, RoleStatus::GRANTED);
$this->assertEquals(2, sizeof($roles));
$this->assertTrue(count($roleService->getUserRoleNamesOverEntity($ngi, $u)) == 1);
$this->assertTrue(count($roleService->getUserRoleNamesOverEntity($site1, $u)) == 1);
$this->assertTrue(count($roleService->getUserRoleNamesOverEntity($site2, $u)) == 0);
$this->assertTrue(count($roleService->getUserRoleNamesOverEntity($site3, $u)) == 0);
// assert that the user has an expected site count with roles over those sites
$mySites = $roleService->getReachableSitesFromOwnedObjectRoles($u);
$this->assertEquals(3, sizeof($mySites));
// assert user don't have these pending/revoked roles
$roles = $roleService->getUserRoles($u, RoleStatus::PENDING);
$this->assertEmpty($roles);
}
/**
* Get an array of Role names granted to the user that permit the requested
* action on the given Site. If the user has no roles that
* permit the requested action, then return an empty array.
* <p>
* Suppored actions: EDIT_OBJECT, SITE_EDIT_CERT_STATUS,
* SITE_ADD_SERVICE, SITE_DELETE_SERVICE,
* GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE
*
* @param string $action @see \Action
* @param \Site $site
* @param \User $user
* @return array of RoleName strings that grant the requested action
* @throws \LogicException if action is not supported or is unknown
*/
public function authorizeAction($action, \Site $site, \User $user = null)
{
if (is_null($user)) {
return array();
// empty array if null user
}
if (!in_array($action, \Action::getAsArray())) {
throw new \LogicException('Coding Error - Invalid action');
}
$roleService = new \org\gocdb\services\Role();
// to inject
$roleService->setEntityManager($this->em);
if ($action == \Action::EDIT_OBJECT || $action == \Action::SITE_ADD_SERVICE || $action == \Action::SITE_DELETE_SERVICE) {
// Site leve roles and parent NGI level roles can edit the site
$requiredRoles = array(\RoleTypeName::SITE_ADMIN, \RoleTypeName::SITE_SECOFFICER, \RoleTypeName::SITE_OPS_DEP_MAN, \RoleTypeName::SITE_OPS_MAN, \RoleTypeName::REG_FIRST_LINE_SUPPORT, \RoleTypeName::REG_STAFF_ROD, \RoleTypeName::NGI_SEC_OFFICER, \RoleTypeName::NGI_OPS_DEP_MAN, \RoleTypeName::NGI_OPS_MAN);
// get the user's actual roles
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($site, $user);
if ($site->getNgi() != null) {
// A Site should always have a parent NGI, but this is not enforced
// by the DB constraints as this may? be needed in future - also
// unit tests use orphan sites. Thus this method is defensive.
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($site->getNgi(), $user));
}
// return intersection between between required roles and user's actual roles
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
if ($action == \Action::GRANT_ROLE || $action == \Action::REJECT_ROLE || $action == \Action::REVOKE_ROLE) {
// Site managers and NGI managers can manage roles
$requiredRoles = array(\RoleTypeName::SITE_SECOFFICER, \RoleTypeName::SITE_OPS_DEP_MAN, \RoleTypeName::SITE_OPS_MAN, \RoleTypeName::NGI_SEC_OFFICER, \RoleTypeName::NGI_OPS_DEP_MAN, \RoleTypeName::NGI_OPS_MAN);
// get the user's actual roles
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($site, $user);
if ($site->getNgi() != null) {
// A Site should always have a parent NGI, but this is not enforced
// by the DB constraints as this may? be needed in future - also
// unit tests use orphan sites. Thus this method is defensive.
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($site->getNgi(), $user));
}
// return intersection between between required roles and user's actual roles
$enablingRoles = array_intersect($requiredRoles, $usersActualRoleNames);
} else {
if ($action == \Action::SITE_EDIT_CERT_STATUS) {
// only NGI manager and Project level roles can edit cert status
$requiredRoles = array(\RoleTypeName::NGI_SEC_OFFICER, \RoleTypeName::NGI_OPS_DEP_MAN, \RoleTypeName::NGI_OPS_MAN, \RoleTypeName::COD_STAFF, \RoleTypeName::COD_ADMIN, \RoleTypeName::EGI_CSIRT_OFFICER, \RoleTypeName::COO);
$usersActualRoleNames = array();
if ($site->getNgi() != null) {
// A Site should always have a parent NGI, but this is not enforced
// by the DB constraints as this may? be needed in future - also
// unit tests use orphan sites. Thus this method is defensive.
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($site->getNgi(), $user);
// Get all project level roles for all the projects that group the site's ngi
if (count($site->getNgi()->getProjects()) > 0) {
foreach ($site->getNgi()->getProjects() as $parentProject) {
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($parentProject, $user));
}
}
}
// return intersection between required roles and user's actual roles
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
throw new \LogicException('Unsupported Action');
}
}
}
if ($user->isAdmin()) {
$enablingRoles[] = \RoleTypeName::GOCDB_ADMIN;
}
return array_unique($enablingRoles);
}
