/**
* Removes a role from this repository.
*
* @param \TYPO3\Flow\Security\Policy\Role $role The role to remove
* @return void
*/
public function remove($role)
{
if (isset($this->newRoles[$role->getIdentifier()])) {
unset($this->newRoles[$role->getIdentifier()]);
}
parent::remove($role);
}
/**
* @test
*/
public function setRolesWorks()
{
$roles = array($this->administratorRole, $this->customerRole);
$expectedRoles = array($this->administratorRole->getIdentifier() => $this->administratorRole, $this->customerRole->getIdentifier() => $this->customerRole);
$this->account->setRoles($roles);
$this->assertSame($expectedRoles, $this->account->getRoles());
}
public function setUp()
{
$this->mockRole = $this->getMockBuilder('TYPO3\\Flow\\Security\\Policy\\Role')->disableOriginalConstructor()->getMock();
$this->mockRole->expects($this->any())->method('getIdentifier')->will($this->returnValue('TYPO3.Flow:TestRoleIdentifier'));
$this->mockPolicyService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Policy\\PolicyService')->disableOriginalConstructor()->getMock();
$this->mockPolicyService->expects($this->any())->method('getRole')->with('TYPO3.Flow:TestRoleIdentifier')->will($this->returnValue($this->mockRole));
$this->mockHashService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Cryptography\\HashService')->disableOriginalConstructor()->getMock();
$expectedPassword = $this->testKeyClearText;
$expectedHashedPasswordAndSalt = $this->testKeyHashed;
$this->mockHashService->expects($this->any())->method('validatePassword')->will($this->returnCallback(function ($password, $hashedPasswordAndSalt) use($expectedPassword, $expectedHashedPasswordAndSalt) {
return $hashedPasswordAndSalt === $expectedHashedPasswordAndSalt && $password === $expectedPassword;
}));
$this->mockFileBasedSimpleKeyService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Cryptography\\FileBasedSimpleKeyService')->disableOriginalConstructor()->getMock();
$this->mockFileBasedSimpleKeyService->expects($this->any())->method('getKey')->with('testKey')->will($this->returnValue($this->testKeyHashed));
$this->mockToken = $this->getMockBuilder('TYPO3\\Flow\\Security\\Authentication\\Token\\PasswordToken')->disableOriginalConstructor()->getMock();
}
/**
* @test
*/
public function setParentRolesMakesSureThatParentRolesDontContainDuplicates()
{
$role = new Role('Acme.Demo:Test');
$role->initializeObject();
$parentRole1 = new Role('Acme.Demo:Parent1');
$parentRole2 = new Role('Acme.Demo:Parent2');
$parentRole2->addParentRole($parentRole1);
$role->setParentRoles(array($parentRole1, $parentRole2, $parentRole2, $parentRole1));
$expectedParentRoles = array('Acme.Demo:Parent1' => $parentRole1, 'Acme.Demo:Parent2' => $parentRole2);
// Internally, parentRoles might contain duplicates which Doctrine will try
// to persist - even though getParentRoles() will return an array which
// does not contain duplicates:
$internalParentRolesCollection = ObjectAccess::getProperty($role, 'parentRoles', TRUE);
$this->assertEquals(2, count($internalParentRolesCollection->toArray()));
$this->assertEquals($expectedParentRoles, $role->getParentRoles());
}
/**
* Adds a role to this account
*
* @param Role $role
* @return void
* @throws \InvalidArgumentException
* @api
*/
public function addRole(Role $role)
{
if ($role->isAbstract()) {
throw new \InvalidArgumentException(sprintf('Abstract roles can\'t be assigned to accounts directly, but the role "%s" is marked abstract', $role->getIdentifier()), 1399900657);
}
$this->initializeRoles();
if (!$this->hasRole($role)) {
$roleIdentifier = $role->getIdentifier();
$this->roleIdentifiers[] = $roleIdentifier;
$this->roles[$roleIdentifier] = $role;
}
}
/**
* Returns TRUE if the given role is a directly assigned parent of this role.
*
* @param Role $role
* @return boolean
*/
public function hasParentRole(Role $role)
{
return isset($this->parentRoles[$role->getIdentifier()]);
}
/**
* Parses the global policy configuration and initializes roles and privileges accordingly
*
* @return void
* @throws SecurityException
*/
protected function initialize()
{
if ($this->initialized) {
return;
}
$this->policyConfiguration = $this->configurationManager->getConfiguration(ConfigurationManager::CONFIGURATION_TYPE_POLICY);
$this->emitConfigurationLoaded($this->policyConfiguration);
$this->initializePrivilegeTargets();
$privilegeTargetsForEverybody = $this->privilegeTargets;
$this->roles = array();
$everybodyRole = new Role('TYPO3.Flow:Everybody');
$everybodyRole->setAbstract(true);
if (isset($this->policyConfiguration['roles'])) {
foreach ($this->policyConfiguration['roles'] as $roleIdentifier => $roleConfiguration) {
if ($roleIdentifier === 'TYPO3.Flow:Everybody') {
$role = $everybodyRole;
} else {
$role = new Role($roleIdentifier);
if (isset($roleConfiguration['abstract'])) {
$role->setAbstract((bool) $roleConfiguration['abstract']);
}
}
if (isset($roleConfiguration['privileges'])) {
foreach ($roleConfiguration['privileges'] as $privilegeConfiguration) {
$privilegeTargetIdentifier = $privilegeConfiguration['privilegeTarget'];
if (!isset($this->privilegeTargets[$privilegeTargetIdentifier])) {
throw new SecurityException(sprintf('privilege target "%s", referenced in role configuration "%s" is not defined!', $privilegeTargetIdentifier, $roleIdentifier), 1395869320);
}
$privilegeTarget = $this->privilegeTargets[$privilegeTargetIdentifier];
if (!isset($privilegeConfiguration['permission'])) {
throw new SecurityException(sprintf('No permission set for privilegeTarget "%s" in Role "%s"', $privilegeTargetIdentifier, $roleIdentifier), 1395869331);
}
$privilegeParameters = isset($privilegeConfiguration['parameters']) ? $privilegeConfiguration['parameters'] : array();
try {
$privilege = $privilegeTarget->createPrivilege($privilegeConfiguration['permission'], $privilegeParameters);
} catch (\Exception $exception) {
throw new SecurityException(sprintf('Error for privilegeTarget "%s" in Role "%s": %s', $privilegeTargetIdentifier, $roleIdentifier, $exception->getMessage()), 1401886654, $exception);
}
$role->addPrivilege($privilege);
if ($roleIdentifier === 'TYPO3.Flow:Everybody') {
unset($privilegeTargetsForEverybody[$privilegeTargetIdentifier]);
}
}
}
$this->roles[$roleIdentifier] = $role;
}
}
// create ABSTAIN privilege for all uncovered privilegeTargets
/** @var PrivilegeTarget $privilegeTarget */
foreach ($privilegeTargetsForEverybody as $privilegeTarget) {
if ($privilegeTarget->hasParameters()) {
continue;
}
$everybodyRole->addPrivilege($privilegeTarget->createPrivilege(PrivilegeInterface::ABSTAIN));
}
$this->roles['TYPO3.Flow:Everybody'] = $everybodyRole;
// Set parent roles
/** @var Role $role */
foreach ($this->roles as $role) {
if (isset($this->policyConfiguration['roles'][$role->getIdentifier()]['parentRoles'])) {
foreach ($this->policyConfiguration['roles'][$role->getIdentifier()]['parentRoles'] as $parentRoleIdentifier) {
$role->addParentRole($this->roles[$parentRoleIdentifier]);
}
}
}
$this->emitRolesInitialized($this->roles);
$this->initialized = true;
}
/**
* @dataProvider roleIdentifiersAndPackageKeysAndNames
* @test
*/
public function setNameAndPackageKeyWorks($roleIdentifier, $name, $packageKey)
{
$role = new Role($roleIdentifier);
$this->assertEquals($name, $role->getName());
$this->assertEquals($packageKey, $role->getPackageKey());
}
/**
* @test
*/
public function hasRoleWorksWithRecursiveRoles()
{
$everybodyRole = new Role('Everybody', Role::SOURCE_SYSTEM);
$testRole1 = new Role('Acme.Demo:TestRole1');
$testRole2 = new Role('Acme.Demo:TestRole2');
// Set parents
$testRole1->setParentRoles(array($testRole2));
$account = new \TYPO3\Flow\Security\Account();
$account->setRoles(array($testRole1));
$mockAuthenticationManager = $this->getMock('TYPO3\\Flow\\Security\\Authentication\\AuthenticationManagerInterface');
$mockAuthenticationManager->expects($this->atLeastOnce())->method('isAuthenticated')->will($this->returnValue(TRUE));
$mockToken = $this->getMock('TYPO3\\Flow\\Security\\Authentication\\TokenInterface');
$mockToken->expects($this->atLeastOnce())->method('isAuthenticated')->will($this->returnValue(TRUE));
$mockToken->expects($this->atLeastOnce())->method('getAccount')->will($this->returnValue($account));
$mockPolicyService = $this->getAccessibleMock('TYPO3\\Flow\\Security\\Policy\\PolicyService', array('getRole', 'initializeRolesFromPolicy'));
$mockPolicyService->expects($this->atLeastOnce())->method('getRole')->will($this->returnCallback(function ($roleIdentifier) use($everybodyRole) {
switch ($roleIdentifier) {
case 'Everybody':
return $everybodyRole;
}
}));
$securityContext = $this->getAccessibleMock('TYPO3\\Flow\\Security\\Context', array('initialize', 'getAccount'));
$securityContext->expects($this->any())->method('getAccount')->will($this->returnValue($account));
$securityContext->_set('activeTokens', array($mockToken));
$securityContext->_set('policyService', $mockPolicyService);
$securityContext->_set('authenticationManager', $mockAuthenticationManager);
$this->assertTrue($securityContext->hasRole('Acme.Demo:TestRole2'));
}
/**
* @param \TYPO3\Flow\Security\Policy\Role $role
* @throws \InvalidArgumentException
* @return \Ag\Login\Domain\Model\Role $role
*/
protected function flowRoleToRole($role)
{
if (strpos($role->__toString(), '|') === FALSE) {
return new Role($role->__toString());
} else {
$role = explode('|', $role->__toString());
if (count($role) === 2) {
return new Role($role[0], $role[1]);
} else {
throw new \InvalidArgumentException('Could not succesfully parse the Flow role for account ' . $this->login->getAccountIdentifier());
}
}
}
/**
* Returns the privilege a specific role has for the given resource.
* Note: Resources with runtime evaluations return always a PRIVILEGE_DENY!
* @see getPrivilegesForJoinPoint() instead, if you need privileges for them.
*
* @param \TYPO3\Flow\Security\Policy\Role $role The role for which the privileges should be returned
* @param string $resource The resource for which the privileges should be returned
* @return integer One of: PRIVILEGE_GRANT, PRIVILEGE_DENY
* @throws \TYPO3\Flow\Security\Exception\NoEntryInPolicyException
*/
public function getPrivilegeForResource(\TYPO3\Flow\Security\Policy\Role $role, $resource)
{
if (!isset($this->acls[$resource])) {
if (isset($this->resources[$resource])) {
return self::PRIVILEGE_DENY;
} else {
throw new \TYPO3\Flow\Security\Exception\NoEntryInPolicyException('The given resource ("' . $resource . '") was not found in the policy cache. Most likely you have to recreate the AOP proxy classes.', 1248348214);
}
}
$roleIdentifier = $role->getIdentifier();
if (!array_key_exists($roleIdentifier, $this->acls[$resource])) {
return NULL;
}
if ($this->acls[$resource][$roleIdentifier]['runtimeEvaluationsClosureCode'] !== FALSE) {
return self::PRIVILEGE_DENY;
}
return $this->acls[$resource][$roleIdentifier]['privilege'];
}
