/** * Removes a role from this repository. * * @param \TYPO3\Flow\Security\Policy\Role $role The role to remove * @return void */ public function remove($role) { if (isset($this->newRoles[$role->getIdentifier()])) { unset($this->newRoles[$role->getIdentifier()]); } parent::remove($role); }
/** * @test */ public function setRolesWorks() { $roles = array($this->administratorRole, $this->customerRole); $expectedRoles = array($this->administratorRole->getIdentifier() => $this->administratorRole, $this->customerRole->getIdentifier() => $this->customerRole); $this->account->setRoles($roles); $this->assertSame($expectedRoles, $this->account->getRoles()); }
public function setUp() { $this->mockRole = $this->getMockBuilder('TYPO3\\Flow\\Security\\Policy\\Role')->disableOriginalConstructor()->getMock(); $this->mockRole->expects($this->any())->method('getIdentifier')->will($this->returnValue('TYPO3.Flow:TestRoleIdentifier')); $this->mockPolicyService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Policy\\PolicyService')->disableOriginalConstructor()->getMock(); $this->mockPolicyService->expects($this->any())->method('getRole')->with('TYPO3.Flow:TestRoleIdentifier')->will($this->returnValue($this->mockRole)); $this->mockHashService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Cryptography\\HashService')->disableOriginalConstructor()->getMock(); $expectedPassword = $this->testKeyClearText; $expectedHashedPasswordAndSalt = $this->testKeyHashed; $this->mockHashService->expects($this->any())->method('validatePassword')->will($this->returnCallback(function ($password, $hashedPasswordAndSalt) use($expectedPassword, $expectedHashedPasswordAndSalt) { return $hashedPasswordAndSalt === $expectedHashedPasswordAndSalt && $password === $expectedPassword; })); $this->mockFileBasedSimpleKeyService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Cryptography\\FileBasedSimpleKeyService')->disableOriginalConstructor()->getMock(); $this->mockFileBasedSimpleKeyService->expects($this->any())->method('getKey')->with('testKey')->will($this->returnValue($this->testKeyHashed)); $this->mockToken = $this->getMockBuilder('TYPO3\\Flow\\Security\\Authentication\\Token\\PasswordToken')->disableOriginalConstructor()->getMock(); }
/** * @test */ public function setParentRolesMakesSureThatParentRolesDontContainDuplicates() { $role = new Role('Acme.Demo:Test'); $role->initializeObject(); $parentRole1 = new Role('Acme.Demo:Parent1'); $parentRole2 = new Role('Acme.Demo:Parent2'); $parentRole2->addParentRole($parentRole1); $role->setParentRoles(array($parentRole1, $parentRole2, $parentRole2, $parentRole1)); $expectedParentRoles = array('Acme.Demo:Parent1' => $parentRole1, 'Acme.Demo:Parent2' => $parentRole2); // Internally, parentRoles might contain duplicates which Doctrine will try // to persist - even though getParentRoles() will return an array which // does not contain duplicates: $internalParentRolesCollection = ObjectAccess::getProperty($role, 'parentRoles', TRUE); $this->assertEquals(2, count($internalParentRolesCollection->toArray())); $this->assertEquals($expectedParentRoles, $role->getParentRoles()); }
/** * Adds a role to this account * * @param Role $role * @return void * @throws \InvalidArgumentException * @api */ public function addRole(Role $role) { if ($role->isAbstract()) { throw new \InvalidArgumentException(sprintf('Abstract roles can\'t be assigned to accounts directly, but the role "%s" is marked abstract', $role->getIdentifier()), 1399900657); } $this->initializeRoles(); if (!$this->hasRole($role)) { $roleIdentifier = $role->getIdentifier(); $this->roleIdentifiers[] = $roleIdentifier; $this->roles[$roleIdentifier] = $role; } }
/** * Returns TRUE if the given role is a directly assigned parent of this role. * * @param Role $role * @return boolean */ public function hasParentRole(Role $role) { return isset($this->parentRoles[$role->getIdentifier()]); }
/** * Parses the global policy configuration and initializes roles and privileges accordingly * * @return void * @throws SecurityException */ protected function initialize() { if ($this->initialized) { return; } $this->policyConfiguration = $this->configurationManager->getConfiguration(ConfigurationManager::CONFIGURATION_TYPE_POLICY); $this->emitConfigurationLoaded($this->policyConfiguration); $this->initializePrivilegeTargets(); $privilegeTargetsForEverybody = $this->privilegeTargets; $this->roles = array(); $everybodyRole = new Role('TYPO3.Flow:Everybody'); $everybodyRole->setAbstract(true); if (isset($this->policyConfiguration['roles'])) { foreach ($this->policyConfiguration['roles'] as $roleIdentifier => $roleConfiguration) { if ($roleIdentifier === 'TYPO3.Flow:Everybody') { $role = $everybodyRole; } else { $role = new Role($roleIdentifier); if (isset($roleConfiguration['abstract'])) { $role->setAbstract((bool) $roleConfiguration['abstract']); } } if (isset($roleConfiguration['privileges'])) { foreach ($roleConfiguration['privileges'] as $privilegeConfiguration) { $privilegeTargetIdentifier = $privilegeConfiguration['privilegeTarget']; if (!isset($this->privilegeTargets[$privilegeTargetIdentifier])) { throw new SecurityException(sprintf('privilege target "%s", referenced in role configuration "%s" is not defined!', $privilegeTargetIdentifier, $roleIdentifier), 1395869320); } $privilegeTarget = $this->privilegeTargets[$privilegeTargetIdentifier]; if (!isset($privilegeConfiguration['permission'])) { throw new SecurityException(sprintf('No permission set for privilegeTarget "%s" in Role "%s"', $privilegeTargetIdentifier, $roleIdentifier), 1395869331); } $privilegeParameters = isset($privilegeConfiguration['parameters']) ? $privilegeConfiguration['parameters'] : array(); try { $privilege = $privilegeTarget->createPrivilege($privilegeConfiguration['permission'], $privilegeParameters); } catch (\Exception $exception) { throw new SecurityException(sprintf('Error for privilegeTarget "%s" in Role "%s": %s', $privilegeTargetIdentifier, $roleIdentifier, $exception->getMessage()), 1401886654, $exception); } $role->addPrivilege($privilege); if ($roleIdentifier === 'TYPO3.Flow:Everybody') { unset($privilegeTargetsForEverybody[$privilegeTargetIdentifier]); } } } $this->roles[$roleIdentifier] = $role; } } // create ABSTAIN privilege for all uncovered privilegeTargets /** @var PrivilegeTarget $privilegeTarget */ foreach ($privilegeTargetsForEverybody as $privilegeTarget) { if ($privilegeTarget->hasParameters()) { continue; } $everybodyRole->addPrivilege($privilegeTarget->createPrivilege(PrivilegeInterface::ABSTAIN)); } $this->roles['TYPO3.Flow:Everybody'] = $everybodyRole; // Set parent roles /** @var Role $role */ foreach ($this->roles as $role) { if (isset($this->policyConfiguration['roles'][$role->getIdentifier()]['parentRoles'])) { foreach ($this->policyConfiguration['roles'][$role->getIdentifier()]['parentRoles'] as $parentRoleIdentifier) { $role->addParentRole($this->roles[$parentRoleIdentifier]); } } } $this->emitRolesInitialized($this->roles); $this->initialized = true; }
/** * @dataProvider roleIdentifiersAndPackageKeysAndNames * @test */ public function setNameAndPackageKeyWorks($roleIdentifier, $name, $packageKey) { $role = new Role($roleIdentifier); $this->assertEquals($name, $role->getName()); $this->assertEquals($packageKey, $role->getPackageKey()); }
/** * @test */ public function hasRoleWorksWithRecursiveRoles() { $everybodyRole = new Role('Everybody', Role::SOURCE_SYSTEM); $testRole1 = new Role('Acme.Demo:TestRole1'); $testRole2 = new Role('Acme.Demo:TestRole2'); // Set parents $testRole1->setParentRoles(array($testRole2)); $account = new \TYPO3\Flow\Security\Account(); $account->setRoles(array($testRole1)); $mockAuthenticationManager = $this->getMock('TYPO3\\Flow\\Security\\Authentication\\AuthenticationManagerInterface'); $mockAuthenticationManager->expects($this->atLeastOnce())->method('isAuthenticated')->will($this->returnValue(TRUE)); $mockToken = $this->getMock('TYPO3\\Flow\\Security\\Authentication\\TokenInterface'); $mockToken->expects($this->atLeastOnce())->method('isAuthenticated')->will($this->returnValue(TRUE)); $mockToken->expects($this->atLeastOnce())->method('getAccount')->will($this->returnValue($account)); $mockPolicyService = $this->getAccessibleMock('TYPO3\\Flow\\Security\\Policy\\PolicyService', array('getRole', 'initializeRolesFromPolicy')); $mockPolicyService->expects($this->atLeastOnce())->method('getRole')->will($this->returnCallback(function ($roleIdentifier) use($everybodyRole) { switch ($roleIdentifier) { case 'Everybody': return $everybodyRole; } })); $securityContext = $this->getAccessibleMock('TYPO3\\Flow\\Security\\Context', array('initialize', 'getAccount')); $securityContext->expects($this->any())->method('getAccount')->will($this->returnValue($account)); $securityContext->_set('activeTokens', array($mockToken)); $securityContext->_set('policyService', $mockPolicyService); $securityContext->_set('authenticationManager', $mockAuthenticationManager); $this->assertTrue($securityContext->hasRole('Acme.Demo:TestRole2')); }
/** * @param \TYPO3\Flow\Security\Policy\Role $role * @throws \InvalidArgumentException * @return \Ag\Login\Domain\Model\Role $role */ protected function flowRoleToRole($role) { if (strpos($role->__toString(), '|') === FALSE) { return new Role($role->__toString()); } else { $role = explode('|', $role->__toString()); if (count($role) === 2) { return new Role($role[0], $role[1]); } else { throw new \InvalidArgumentException('Could not succesfully parse the Flow role for account ' . $this->login->getAccountIdentifier()); } } }
/** * Returns the privilege a specific role has for the given resource. * Note: Resources with runtime evaluations return always a PRIVILEGE_DENY! * @see getPrivilegesForJoinPoint() instead, if you need privileges for them. * * @param \TYPO3\Flow\Security\Policy\Role $role The role for which the privileges should be returned * @param string $resource The resource for which the privileges should be returned * @return integer One of: PRIVILEGE_GRANT, PRIVILEGE_DENY * @throws \TYPO3\Flow\Security\Exception\NoEntryInPolicyException */ public function getPrivilegeForResource(\TYPO3\Flow\Security\Policy\Role $role, $resource) { if (!isset($this->acls[$resource])) { if (isset($this->resources[$resource])) { return self::PRIVILEGE_DENY; } else { throw new \TYPO3\Flow\Security\Exception\NoEntryInPolicyException('The given resource ("' . $resource . '") was not found in the policy cache. Most likely you have to recreate the AOP proxy classes.', 1248348214); } } $roleIdentifier = $role->getIdentifier(); if (!array_key_exists($roleIdentifier, $this->acls[$resource])) { return NULL; } if ($this->acls[$resource][$roleIdentifier]['runtimeEvaluationsClosureCode'] !== FALSE) { return self::PRIVILEGE_DENY; } return $this->acls[$resource][$roleIdentifier]['privilege']; }