/**
* Returns the roles of all authenticated accounts, including inherited roles.
*
* If no authenticated roles could be found the "Anonymous" role is returned.
*
* The "Everybody" roles is always returned.
*
* @return array<\TYPO3\Flow\Security\Policy\Role>
*/
public function getRoles()
{
if ($this->initialized === FALSE) {
$this->initialize();
}
if ($this->roles === NULL) {
$this->roles = array('Everybody' => $this->policyService->getRole('Everybody'));
if ($this->authenticationManager->isAuthenticated() === FALSE) {
$this->roles['Anonymous'] = $this->policyService->getRole('Anonymous');
} else {
$this->roles['AuthenticatedUser'] = $this->policyService->getRole('AuthenticatedUser');
/** @var $token \TYPO3\Flow\Security\Authentication\TokenInterface */
foreach ($this->getAuthenticationTokens() as $token) {
if ($token->isAuthenticated() === TRUE) {
$account = $token->getAccount();
if ($account !== NULL) {
$accountRoles = $account->getRoles();
/** @var $currentRole Role */
foreach ($accountRoles as $currentRole) {
if (!in_array($currentRole, $this->roles)) {
$this->roles[$currentRole->getIdentifier()] = $currentRole;
}
/** @var $currentParentRole Role */
foreach ($this->policyService->getAllParentRoles($currentRole) as $currentParentRole) {
if (!in_array($currentParentRole, $this->roles)) {
$this->roles[$currentParentRole->getIdentifier()] = $currentParentRole;
}
}
}
}
}
}
}
}
return $this->roles;
}
/**
* Shows the effective policy rules currently active in the system
*
* @param boolean $grantsOnly Only list methods effectively granted to the given roles
* @return void
*/
public function showEffectivePolicyCommand($grantsOnly = FALSE)
{
$roles = array();
$roleIdentifiers = $this->request->getExceedingArguments();
if (empty($roleIdentifiers) === TRUE) {
$this->outputLine('Please specify at leas one role, to calculate the effective privileges for!');
$this->quit(1);
}
foreach ($roleIdentifiers as $roleIdentifier) {
if ($this->policyService->hasRole($roleIdentifier)) {
$currentRole = $this->policyService->getRole($roleIdentifier);
$roles[$roleIdentifier] = $currentRole;
foreach ($this->policyService->getAllParentRoles($currentRole) as $parentRoleIdentifier => $parentRole) {
if (!isset($roles[$parentRoleIdentifier])) {
$roles[$parentRoleIdentifier] = $parentRole;
}
}
}
}
if (count($roles) === 0) {
$this->outputLine('The specified role(s) do not exist.');
$this->quit(1);
}
$this->outputLine(PHP_EOL . 'The following roles will be used for calculating the effective privileges (retrieved from the configured roles hierarchy):' . PHP_EOL);
foreach ($roles as $roleIdentifier => $role) {
$this->outputLine($roleIdentifier);
}
$dummySecurityContext = new DummyContext();
$dummySecurityContext->setRoles($roles);
$accessDecisionManager = new AccessDecisionVoterManager($this->objectManager, $dummySecurityContext);
if ($this->policyCache->has('acls')) {
$classes = array();
$acls = $this->policyCache->get('acls');
foreach ($acls as $classAndMethodName => $aclEntry) {
if (strpos($classAndMethodName, '->') === FALSE) {
continue;
}
list($className, $methodName) = explode('->', $classAndMethodName);
$className = $this->objectManager->getCaseSensitiveObjectName($className);
$reflectionClass = new \ReflectionClass($className);
foreach ($reflectionClass->getMethods() as $casSensitiveMethodName) {
if ($methodName === strtolower($casSensitiveMethodName->getName())) {
$methodName = $casSensitiveMethodName->getName();
break;
}
}
$runtimeEvaluationsInPlace = FALSE;
foreach ($aclEntry as $role => $resources) {
if (in_array($role, $roles) === FALSE) {
continue;
}
if (!isset($classes[$className])) {
$classes[$className] = array();
}
if (!isset($classes[$className][$methodName])) {
$classes[$className][$methodName] = array();
$classes[$className][$methodName]['resources'] = array();
}
foreach ($resources as $resourceName => $privilege) {
$classes[$className][$methodName]['resources'][$resourceName] = $privilege;
if ($privilege['runtimeEvaluationsClosureCode'] !== FALSE) {
$runtimeEvaluationsInPlace = TRUE;
}
}
}
if ($runtimeEvaluationsInPlace === FALSE) {
try {
$accessDecisionManager->decideOnJoinPoint(new JoinPoint(NULL, $className, $methodName, array()));
} catch (AccessDeniedException $e) {
$classes[$className][$methodName]['effectivePrivilege'] = $e->getMessage();
}
if (!isset($classes[$className][$methodName]['effectivePrivilege'])) {
$classes[$className][$methodName]['effectivePrivilege'] = 'Access granted';
}
} else {
$classes[$className][$methodName]['effectivePrivilege'] = 'Could not be calculated. Runtime evaluations in place!';
}
}
foreach ($classes as $className => $methods) {
$classNamePrinted = FALSE;
foreach ($methods as $methodName => $resources) {
if ($grantsOnly === TRUE && $resources['effectivePrivilege'] !== 'Access granted') {
continue;
}
if ($classNamePrinted === FALSE) {
$this->outputLine(PHP_EOL . PHP_EOL . ' <b>' . $className . '</b>');
$classNamePrinted = TRUE;
}
$this->outputLine(PHP_EOL . ' ' . $methodName);
if (isset($resources['resources']) === TRUE && is_array($resources['resources']) === TRUE) {
foreach ($resources['resources'] as $resourceName => $privilege) {
switch ($privilege['privilege']) {
case PolicyService::PRIVILEGE_GRANT:
$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access granted');
break;
case PolicyService::PRIVILEGE_DENY:
$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access denied');
break;
case PolicyService::PRIVILEGE_ABSTAIN:
$this->outputLine(' Resource "<i>' . $resourceName . '</i>": Vote abstained (no acl entry for given roles)');
break;
}
}
}
$this->outputLine(' <b>Effective privilege for given roles: ' . $resources['effectivePrivilege'] . '</b>');
}
}
} else {
$this->outputLine('Could not find any policy entries, please warmup caches...');
}
}
