/**
* @test
*/
public function authenticateTagsSessionWithAccountIdentifier()
{
$account = new Account();
$account->setAccountIdentifier('admin');
$securityContext = $this->getMockBuilder(Context::class)->setMethods(['getAuthenticationStrategy', 'getAuthenticationTokens', 'refreshTokens', 'refreshRoles'])->getMock();
$token = $this->createMock(TokenInterface::class);
$token->expects($this->any())->method('getAccount')->will($this->returnValue($account));
$token->expects($this->atLeastOnce())->method('isAuthenticated')->will($this->returnValue(true));
$securityContext->expects($this->atLeastOnce())->method('getAuthenticationTokens')->will($this->returnValue([$token]));
$this->mockSession->expects($this->once())->method('addTag')->with('TYPO3-Flow-Security-Account-21232f297a57a5a743894a0e4a801fc3');
$this->authenticationProviderManager->_set('providers', []);
$this->authenticationProviderManager->_set('securityContext', $securityContext);
$this->authenticationProviderManager->authenticate();
}
/**
* @test
*/
public function authenticationFailsWithWrongCredentialsInAnUsernamePasswordToken()
{
$this->mockHashService->expects($this->once())->method('validatePassword')->with('wrong password', '8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086')->will($this->returnValue(false));
$this->mockAccount->expects($this->once())->method('getCredentialsSource')->will($this->returnValue('8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086'));
$this->mockAccountRepository->expects($this->once())->method('findActiveByAccountIdentifierAndAuthenticationProviderName')->with('admin', 'myProvider')->will($this->returnValue($this->mockAccount));
$this->mockToken->expects($this->once())->method('getCredentials')->will($this->returnValue(['username' => 'admin', 'password' => 'wrong password']));
$this->mockToken->expects($this->at(2))->method('setAuthenticationStatus')->with(\Neos\Flow\Security\Authentication\TokenInterface::NO_CREDENTIALS_GIVEN);
$this->mockToken->expects($this->at(3))->method('setAuthenticationStatus')->with(\Neos\Flow\Security\Authentication\TokenInterface::WRONG_CREDENTIALS);
$this->persistedUsernamePasswordProvider->authenticate($this->mockToken);
}
/**
* Creates a new account and sets the given password and roles
*
* @param string $identifier Identifier of the account, must be unique
* @param string $password The clear text password
* @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account
* @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with
* @param string $passwordHashingStrategy Optional password hashing strategy to use for the password
* @return Account A new account, not yet added to the account repository
*/
public function createAccountWithPassword($identifier, $password, $roleIdentifiers = [], $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default')
{
$account = new Account();
$account->setAccountIdentifier($identifier);
$account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy));
$account->setAuthenticationProviderName($authenticationProviderName);
$roles = [];
foreach ($roleIdentifiers as $roleIdentifier) {
$roles[] = $this->policyService->getRole($roleIdentifier);
}
$account->setRoles($roles);
return $account;
}
/**
* Sets isAuthenticated to TRUE for all tokens.
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof PasswordToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['password'])) {
if ($this->hashService->validatePassword($credentials['password'], $this->fileBasedSimpleKeyService->getKey($this->options['keyName']))) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$account = new Account();
$roles = [];
foreach ($this->options['authenticateRoles'] as $roleIdentifier) {
$roles[] = $this->policyService->getRole($roleIdentifier);
}
$account->setRoles($roles);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* Creates a new account, assigns it the given roles and authenticates it.
* The created account is returned for further modification, for example for attaching a Party object to it.
*
* @param array $roleNames A list of roles the new account should have
* @return Security\Accountt The created account
*/
protected function authenticateRoles(array $roleNames)
{
$account = new Security\Account();
$account->setAccountIdentifier('TestAccount');
$roles = [];
foreach ($roleNames as $roleName) {
$roles[] = $this->policyService->getRole($roleName);
}
$account->setRoles($roles);
$this->authenticateAccount($account);
return $account;
}
/**
* @test
*/
public function shutdownCreatesSpecialDataEntryForSessionWithAuthenticatedAccounts()
{
$session = new Session();
$this->inject($session, 'bootstrap', $this->mockBootstrap);
$this->inject($session, 'objectManager', $this->mockObjectManager);
$this->inject($session, 'settings', $this->settings);
$this->inject($session, 'metaDataCache', $this->createCache('Meta'));
$this->inject($session, 'storageCache', $this->createCache('Storage'));
$session->initializeObject();
$session->start();
$account = new Account();
$account->setAccountIdentifier('admin');
$account->setAuthenticationProviderName('MyProvider');
$token = new UsernamePassword();
$token->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$token->setAccount($account);
$this->mockSecurityContext->expects($this->any())->method('isInitialized')->will($this->returnValue(true));
$this->mockSecurityContext->expects($this->any())->method('getAuthenticationTokens')->will($this->returnValue([$token]));
$session->close();
$this->httpRequest->setCookie($this->httpResponse->getCookie('TYPO3_Flow_Session'));
$session->resume();
$this->assertEquals(['MyProvider:admin'], $session->getData('TYPO3_Flow_Security_Accounts'));
}
/**
* @test
*/
public function isActiveReturnsFalseIfTheAccountHasAnExpirationDateInThePast()
{
$this->inject($this->account, 'now', new \DateTime());
$this->account->setExpirationDate(new \DateTime('yesterday'));
$this->assertFalse($this->account->isActive());
}
/**
* @test
*/
public function administratorsCanSeeTestEntityAAssociatedToATestEntityBSomeoneElsesAccount()
{
$myAccount = $this->authenticateRoles(['Neos.Flow:Administrator']);
$myAccount->setAccountIdentifier('MyAccount');
$myAccount->setAuthenticationProviderName('SomeProvider');
$andisAccount = new Security\Account();
$andisAccount->setAccountIdentifier('Andi');
$andisAccount->setAuthenticationProviderName('SomeProvider');
$this->persistenceManager->add($myAccount);
$this->persistenceManager->add($andisAccount);
$testEntityB = new Fixtures\TestEntityB('testEntityB');
$testEntityB->setOwnerAccount($myAccount);
$testEntityA = new Fixtures\TestEntityA($testEntityB);
$testEntityB2 = new Fixtures\TestEntityB('testEntityB2');
$testEntityB2->setOwnerAccount($andisAccount);
$testEntityA2 = new Fixtures\TestEntityA($testEntityB2);
$this->testEntityADoctrineRepository->add($testEntityA);
$this->testEntityADoctrineRepository->add($testEntityA2);
$testEntityAIdentifier = $this->persistenceManager->getIdentifierByObject($testEntityA);
$testEntityA2Identifier = $this->persistenceManager->getIdentifierByObject($testEntityA2);
$this->persistenceManager->persistAll();
$this->persistenceManager->clearState();
$result = $this->testEntityADoctrineRepository->findAllWithDql();
$this->assertTrue(count($result) === 2);
$this->assertNotNull($this->persistenceManager->getObjectByIdentifier($testEntityAIdentifier, Fixtures\TestEntityA::class));
$this->assertNotNull($this->persistenceManager->getObjectByIdentifier($testEntityA2Identifier, Fixtures\TestEntityA::class));
$this->restrictableEntityDoctrineRepository->removeAll();
$this->persistenceManager->persistAll();
$this->persistenceManager->clearState();
}
/**
* Edit the given account
*
* @param Account $account
* @return void
*/
public function editAccountAction(Account $account)
{
$this->view->assignMultiple(array('account' => $account, 'user' => $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName())));
}
/**
* Creates a personal workspace for the given user's account if it does not exist already.
*
* @param User $user The new user to create a workspace for
* @param Account $account The user's backend account
* @throws IllegalObjectTypeException
*/
protected function createPersonalWorkspace(User $user, Account $account)
{
$userWorkspaceName = UserUtility::getPersonalWorkspaceNameForUsername($account->getAccountIdentifier());
$userWorkspace = $this->workspaceRepository->findByIdentifier($userWorkspaceName);
if ($userWorkspace === null) {
$liveWorkspace = $this->workspaceRepository->findByIdentifier('live');
if (!$liveWorkspace instanceof Workspace) {
$liveWorkspace = new Workspace('live');
$liveWorkspace->setTitle('Live');
$this->workspaceRepository->add($liveWorkspace);
}
$userWorkspace = new Workspace($userWorkspaceName, $liveWorkspace, $user);
$userWorkspace->setTitle((string) $user->getName());
$this->workspaceRepository->add($userWorkspace);
}
}
/**
* Update a given account
*
* @param Account $account The account to update
* @param array $roleIdentifiers A possibly updated list of roles for the user's primary account
* @param array $password Expects an array in the format array('<password>', '<password confirmation>')
* @Flow\Validate(argumentName="password", type="\Neos\Neos\Validation\Validator\PasswordValidator", options={ "allowEmpty"=1, "minimum"=1, "maximum"=255 })
* @return void
*/
public function updateAccountAction(Account $account, array $roleIdentifiers, array $password = array())
{
$user = $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName());
if ($user === $this->currentUser) {
$roles = array();
foreach ($roleIdentifiers as $roleIdentifier) {
$roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier);
}
if (!$this->privilegeManager->isPrivilegeTargetGrantedForRoles($roles, 'Neos.Neos:Backend.Module.Administration.Users')) {
$this->addFlashMessage('With the selected roles the currently logged in user wouldn\'t have access to this module any longer. Please adjust the assigned roles!', 'Don\'t lock yourself out', Message::SEVERITY_WARNING, array(), 1416501197);
$this->forward('edit', null, null, array('user' => $this->currentUser));
}
}
$password = array_shift($password);
if (strlen(trim(strval($password))) > 0) {
$this->userService->setUserPassword($user, $password);
}
$this->userService->setRolesForAccount($account, $roleIdentifiers);
$this->addFlashMessage('The account has been updated.', 'Account updated', Message::SEVERITY_OK);
$this->redirect('edit', null, null, array('user' => $user));
}
