/**
* Get an array of Role names granted to the user that permit the requested
* action on the given Service. If the user has no roles that
* permit the requested action, then return an empty array.
* <p>
* Supported actions: EDIT_OBJECT
* @see \Action
*
* @param string $action @see \Action
* @param \Service $se
* @param \User $user
* @return array of RoleName string values that grant the requested action
* @throws \LogicException if action is not supported or is unknown
*/
public function authorizeAction($action, \Service $se, \User $user = null)
{
if (!in_array($action, \Action::getAsArray())) {
throw new \LogicException('Coding Error - Invalid action not known');
}
if (is_null($user)) {
return array();
}
if (is_null($user->getId())) {
return array();
}
if ($action == \Action::EDIT_OBJECT) {
$usersActualRoleNames = array();
$site = $se->getParentSite();
if (is_null($site)) {
//TODO: Service Group authentication - see if the current user holds a role over the creating service group
}
$roleService = new \org\gocdb\services\Role();
// to inject
$roleService->setEntityManager($this->em);
if ($site != null) {
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($site, $user));
}
$ngi = $site->getNgi();
if ($ngi != null) {
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($ngi, $user));
}
$requiredRoles = array(\RoleTypeName::SITE_ADMIN, \RoleTypeName::SITE_SECOFFICER, \RoleTypeName::SITE_OPS_DEP_MAN, \RoleTypeName::SITE_OPS_MAN, \RoleTypeName::REG_FIRST_LINE_SUPPORT, \RoleTypeName::REG_STAFF_ROD, \RoleTypeName::NGI_SEC_OFFICER, \RoleTypeName::NGI_OPS_DEP_MAN, \RoleTypeName::NGI_OPS_MAN);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
throw new \LogicException('Unsupported Action');
}
if ($user->isAdmin()) {
$enablingRoles[] = \RoleTypeName::GOCDB_ADMIN;
}
return array_unique($enablingRoles);
}
/**
* Get an array of Role names granted to the user that permit the requested
* action on the given Project. If the user has no roles that
* permit the requested action, then return an empty array.
*
* Suppored actions: EDIT_OBJECT, GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE
*
* @param string $action @see \Action
* @param \ServiceGroup $sg
* @param \User $user
* @return array of RoleName string values that grant the requested action
* @throws \LogicException if action is not supported or is unknown
*/
public function authorizeAction($action, \Project $project, \User $user = null)
{
require_once __DIR__ . '/Role.php';
if (!in_array($action, \Action::getAsArray())) {
throw new \LogicException('Coding Error - Invalid action not known');
}
if (is_null($user)) {
return array();
}
if (is_null($user->getId())) {
return array();
}
$roleService = new \org\gocdb\services\Role();
// to inject
$roleService->setEntityManager($this->em);
if ($action == \Action::EDIT_OBJECT) {
// Only Project (E) level roles can edit project
$requiredRoles = array(\RoleTypeName::COD_ADMIN, \RoleTypeName::COD_STAFF, \RoleTypeName::EGI_CSIRT_OFFICER, \RoleTypeName::COO);
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($project, $user);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
if ($action == \Action::GRANT_ROLE || $action == \Action::REJECT_ROLE || $action == \Action::REVOKE_ROLE) {
$requiredRoles = array(\RoleTypeName::COD_ADMIN, \RoleTypeName::COD_STAFF, \RoleTypeName::EGI_CSIRT_OFFICER, \RoleTypeName::COO);
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($project, $user);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
throw new \LogicException('Unsupported Action');
}
}
if ($user->isAdmin()) {
$enablingRoles[] = \RoleTypeName::GOCDB_ADMIN;
}
return array_unique($enablingRoles);
}
/**
* Get an array of Role names granted to the user that permit the requested
* action on the given ServiceGroup. If the user has no roles that
* permit the requested action, then return an empty array.
* <p>
* Suppored actions: EDIT_OBJECT
* GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE
*
* @param string $action @see \Action
* @param \ServiceGroup $sg
* @param \User $user
* @return array of RoleName string values that grant the requested action
* @throws \LogicException if action is not supported or is unknown
*/
public function authorizeAction($action, \ServiceGroup $sg, \User $user = null)
{
if (!in_array($action, \Action::getAsArray())) {
throw new \LogicException('Coding Error - Invalid action not known');
}
if (is_null($user)) {
return array();
}
if (is_null($user->getId())) {
return array();
}
$roleService = new \org\gocdb\services\Role();
// to inject
$roleService->setEntityManager($this->em);
if ($action == \Action::EDIT_OBJECT) {
$requiredRoles = array(\RoleTypeName::SERVICEGROUP_ADMIN);
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($sg, $user);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
if ($action == \Action::GRANT_ROLE || $action == \Action::REJECT_ROLE || $action == \Action::REVOKE_ROLE) {
$requiredRoles = array(\RoleTypeName::SERVICEGROUP_ADMIN);
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($sg, $user);
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
throw new \LogicException('Unsupported Action');
}
}
if ($user->isAdmin()) {
$enablingRoles[] = \RoleTypeName::GOCDB_ADMIN;
}
return array_unique($enablingRoles);
}
/**
* @expectedException \LogicException
*/
public function testInvalidRoleStatus()
{
print __METHOD__ . "\n";
$roleService = new org\gocdb\services\Role();
$this->assertFalse($roleService->isValidRoleStatus("some invalid role"));
$u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
$roleService->getUserRoles($u, "some invalid role");
}
/**
* Get an array of Role names granted to the user that permit the requested
* action on the given Site. If the user has no roles that
* permit the requested action, then return an empty array.
* <p>
* Suppored actions: EDIT_OBJECT, SITE_EDIT_CERT_STATUS,
* SITE_ADD_SERVICE, SITE_DELETE_SERVICE,
* GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE
*
* @param string $action @see \Action
* @param \Site $site
* @param \User $user
* @return array of RoleName strings that grant the requested action
* @throws \LogicException if action is not supported or is unknown
*/
public function authorizeAction($action, \Site $site, \User $user = null)
{
if (is_null($user)) {
return array();
// empty array if null user
}
if (!in_array($action, \Action::getAsArray())) {
throw new \LogicException('Coding Error - Invalid action');
}
$roleService = new \org\gocdb\services\Role();
// to inject
$roleService->setEntityManager($this->em);
if ($action == \Action::EDIT_OBJECT || $action == \Action::SITE_ADD_SERVICE || $action == \Action::SITE_DELETE_SERVICE) {
// Site leve roles and parent NGI level roles can edit the site
$requiredRoles = array(\RoleTypeName::SITE_ADMIN, \RoleTypeName::SITE_SECOFFICER, \RoleTypeName::SITE_OPS_DEP_MAN, \RoleTypeName::SITE_OPS_MAN, \RoleTypeName::REG_FIRST_LINE_SUPPORT, \RoleTypeName::REG_STAFF_ROD, \RoleTypeName::NGI_SEC_OFFICER, \RoleTypeName::NGI_OPS_DEP_MAN, \RoleTypeName::NGI_OPS_MAN);
// get the user's actual roles
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($site, $user);
if ($site->getNgi() != null) {
// A Site should always have a parent NGI, but this is not enforced
// by the DB constraints as this may? be needed in future - also
// unit tests use orphan sites. Thus this method is defensive.
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($site->getNgi(), $user));
}
// return intersection between between required roles and user's actual roles
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
if ($action == \Action::GRANT_ROLE || $action == \Action::REJECT_ROLE || $action == \Action::REVOKE_ROLE) {
// Site managers and NGI managers can manage roles
$requiredRoles = array(\RoleTypeName::SITE_SECOFFICER, \RoleTypeName::SITE_OPS_DEP_MAN, \RoleTypeName::SITE_OPS_MAN, \RoleTypeName::NGI_SEC_OFFICER, \RoleTypeName::NGI_OPS_DEP_MAN, \RoleTypeName::NGI_OPS_MAN);
// get the user's actual roles
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($site, $user);
if ($site->getNgi() != null) {
// A Site should always have a parent NGI, but this is not enforced
// by the DB constraints as this may? be needed in future - also
// unit tests use orphan sites. Thus this method is defensive.
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($site->getNgi(), $user));
}
// return intersection between between required roles and user's actual roles
$enablingRoles = array_intersect($requiredRoles, $usersActualRoleNames);
} else {
if ($action == \Action::SITE_EDIT_CERT_STATUS) {
// only NGI manager and Project level roles can edit cert status
$requiredRoles = array(\RoleTypeName::NGI_SEC_OFFICER, \RoleTypeName::NGI_OPS_DEP_MAN, \RoleTypeName::NGI_OPS_MAN, \RoleTypeName::COD_STAFF, \RoleTypeName::COD_ADMIN, \RoleTypeName::EGI_CSIRT_OFFICER, \RoleTypeName::COO);
$usersActualRoleNames = array();
if ($site->getNgi() != null) {
// A Site should always have a parent NGI, but this is not enforced
// by the DB constraints as this may? be needed in future - also
// unit tests use orphan sites. Thus this method is defensive.
$usersActualRoleNames = $roleService->getUserRoleNamesOverEntity($site->getNgi(), $user);
// Get all project level roles for all the projects that group the site's ngi
if (count($site->getNgi()->getProjects()) > 0) {
foreach ($site->getNgi()->getProjects() as $parentProject) {
$usersActualRoleNames = array_merge($usersActualRoleNames, $roleService->getUserRoleNamesOverEntity($parentProject, $user));
}
}
}
// return intersection between required roles and user's actual roles
$enablingRoles = array_intersect($requiredRoles, array_unique($usersActualRoleNames));
} else {
throw new \LogicException('Unsupported Action');
}
}
}
if ($user->isAdmin()) {
$enablingRoles[] = \RoleTypeName::GOCDB_ADMIN;
}
return array_unique($enablingRoles);
}
