/** * Returns the roles of all authenticated accounts, including inherited roles. * * If no authenticated roles could be found the "Anonymous" role is returned. * * The "Everybody" roles is always returned. * * @return array<\TYPO3\Flow\Security\Policy\Role> */ public function getRoles() { if ($this->initialized === FALSE) { $this->initialize(); } if ($this->roles === NULL) { $this->roles = array('Everybody' => $this->policyService->getRole('Everybody')); if ($this->authenticationManager->isAuthenticated() === FALSE) { $this->roles['Anonymous'] = $this->policyService->getRole('Anonymous'); } else { $this->roles['AuthenticatedUser'] = $this->policyService->getRole('AuthenticatedUser'); /** @var $token \TYPO3\Flow\Security\Authentication\TokenInterface */ foreach ($this->getAuthenticationTokens() as $token) { if ($token->isAuthenticated() === TRUE) { $account = $token->getAccount(); if ($account !== NULL) { $accountRoles = $account->getRoles(); /** @var $currentRole Role */ foreach ($accountRoles as $currentRole) { if (!in_array($currentRole, $this->roles)) { $this->roles[$currentRole->getIdentifier()] = $currentRole; } /** @var $currentParentRole Role */ foreach ($this->policyService->getAllParentRoles($currentRole) as $currentParentRole) { if (!in_array($currentParentRole, $this->roles)) { $this->roles[$currentParentRole->getIdentifier()] = $currentParentRole; } } } } } } } } return $this->roles; }
/** * Shows the effective policy rules currently active in the system * * @param boolean $grantsOnly Only list methods effectively granted to the given roles * @return void */ public function showEffectivePolicyCommand($grantsOnly = FALSE) { $roles = array(); $roleIdentifiers = $this->request->getExceedingArguments(); if (empty($roleIdentifiers) === TRUE) { $this->outputLine('Please specify at leas one role, to calculate the effective privileges for!'); $this->quit(1); } foreach ($roleIdentifiers as $roleIdentifier) { if ($this->policyService->hasRole($roleIdentifier)) { $currentRole = $this->policyService->getRole($roleIdentifier); $roles[$roleIdentifier] = $currentRole; foreach ($this->policyService->getAllParentRoles($currentRole) as $parentRoleIdentifier => $parentRole) { if (!isset($roles[$parentRoleIdentifier])) { $roles[$parentRoleIdentifier] = $parentRole; } } } } if (count($roles) === 0) { $this->outputLine('The specified role(s) do not exist.'); $this->quit(1); } $this->outputLine(PHP_EOL . 'The following roles will be used for calculating the effective privileges (retrieved from the configured roles hierarchy):' . PHP_EOL); foreach ($roles as $roleIdentifier => $role) { $this->outputLine($roleIdentifier); } $dummySecurityContext = new DummyContext(); $dummySecurityContext->setRoles($roles); $accessDecisionManager = new AccessDecisionVoterManager($this->objectManager, $dummySecurityContext); if ($this->policyCache->has('acls')) { $classes = array(); $acls = $this->policyCache->get('acls'); foreach ($acls as $classAndMethodName => $aclEntry) { if (strpos($classAndMethodName, '->') === FALSE) { continue; } list($className, $methodName) = explode('->', $classAndMethodName); $className = $this->objectManager->getCaseSensitiveObjectName($className); $reflectionClass = new \ReflectionClass($className); foreach ($reflectionClass->getMethods() as $casSensitiveMethodName) { if ($methodName === strtolower($casSensitiveMethodName->getName())) { $methodName = $casSensitiveMethodName->getName(); break; } } $runtimeEvaluationsInPlace = FALSE; foreach ($aclEntry as $role => $resources) { if (in_array($role, $roles) === FALSE) { continue; } if (!isset($classes[$className])) { $classes[$className] = array(); } if (!isset($classes[$className][$methodName])) { $classes[$className][$methodName] = array(); $classes[$className][$methodName]['resources'] = array(); } foreach ($resources as $resourceName => $privilege) { $classes[$className][$methodName]['resources'][$resourceName] = $privilege; if ($privilege['runtimeEvaluationsClosureCode'] !== FALSE) { $runtimeEvaluationsInPlace = TRUE; } } } if ($runtimeEvaluationsInPlace === FALSE) { try { $accessDecisionManager->decideOnJoinPoint(new JoinPoint(NULL, $className, $methodName, array())); } catch (AccessDeniedException $e) { $classes[$className][$methodName]['effectivePrivilege'] = $e->getMessage(); } if (!isset($classes[$className][$methodName]['effectivePrivilege'])) { $classes[$className][$methodName]['effectivePrivilege'] = 'Access granted'; } } else { $classes[$className][$methodName]['effectivePrivilege'] = 'Could not be calculated. Runtime evaluations in place!'; } } foreach ($classes as $className => $methods) { $classNamePrinted = FALSE; foreach ($methods as $methodName => $resources) { if ($grantsOnly === TRUE && $resources['effectivePrivilege'] !== 'Access granted') { continue; } if ($classNamePrinted === FALSE) { $this->outputLine(PHP_EOL . PHP_EOL . ' <b>' . $className . '</b>'); $classNamePrinted = TRUE; } $this->outputLine(PHP_EOL . ' ' . $methodName); if (isset($resources['resources']) === TRUE && is_array($resources['resources']) === TRUE) { foreach ($resources['resources'] as $resourceName => $privilege) { switch ($privilege['privilege']) { case PolicyService::PRIVILEGE_GRANT: $this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access granted'); break; case PolicyService::PRIVILEGE_DENY: $this->outputLine(' Resource "<i>' . $resourceName . '</i>": Access denied'); break; case PolicyService::PRIVILEGE_ABSTAIN: $this->outputLine(' Resource "<i>' . $resourceName . '</i>": Vote abstained (no acl entry for given roles)'); break; } } } $this->outputLine(' <b>Effective privilege for given roles: ' . $resources['effectivePrivilege'] . '</b>'); } } } else { $this->outputLine('Could not find any policy entries, please warmup caches...'); } }