public function setUp()
{
$this->mockSecurityContext = $this->getMockBuilder(Context::class)->disableOriginalConstructor()->getMock();
$this->mockSecurityContext->expects($this->any())->method('withoutAuthorizationChecks')->will($this->returnCallback(function ($callback) {
return $callback->__invoke();
}));
}
/**
* @param \SKL\Post\Domain\Model\Author $author
* @return void
*/
public function editAction(Author $author)
{
$account = $this->securityContext->getAccount();
$this->view->assign('usrname', $account->getAccountIdentifier());
$this->view->assign('listCategories', $this->categoryRepository->findAll());
$this->view->assign('author', $author);
}
/**
* Log a message if a post is deleted
*
* @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint
* @Flow\Around("method(TYPO3\Neos\View\TypoScriptView->render())")
* @return void
*/
public function replacePlaceholdersIfNecessary(\TYPO3\Flow\Aop\JoinPointInterface $joinPoint)
{
$result = $joinPoint->getAdviceChain()->proceed($joinPoint);
/* @var $typoScriptView TypoScriptView */
$typoScriptView = $joinPoint->getProxy();
$viewVariables = ObjectAccess::getProperty($typoScriptView, 'variables', TRUE);
if (!isset($viewVariables['value']) || !$viewVariables['value']->getNodeType()->isOfType('Sandstorm.Newsletter:Newsletter')) {
// No newsletter, so logic does not apply
return $result;
}
/* @var $httpRequest Request */
$httpRequest = $this->controllerContext->getRequest()->getHttpRequest();
$arguments = $httpRequest->getUri()->getArguments();
if (!isset($arguments['hmac'])) {
if ($this->securityContext->isInitialized() && $this->securityContext->hasRole('TYPO3.Neos:Editor')) {
// Logged into backend, so we don't need to do anything.
return $result;
} else {
// No HMAC sent -- so we return the email INCLUDING placeholders (as per customer's request)
return $result;
//return '<h1>Error: HMAC not included in the link.</h1>';
}
}
$actualHmac = $arguments['hmac'];
$uriWithoutHmac = str_replace('&hmac=' . $actualHmac, '', (string) $httpRequest->getUri());
$expectedHmac = hash_hmac('sha1', urldecode($uriWithoutHmac), $this->hmacUrlSecret);
if ($expectedHmac !== $actualHmac) {
return '<h1>Error: Wrong link clicked.</h1>Please contact your administrator for help';
}
$result = preg_replace_callback(ReplacePlaceholdersInLiveImplementation::PLACEHOLDER_REGEX, function ($element) use($arguments) {
return ObjectAccess::getPropertyPath($arguments, $element[1]);
}, $result);
return $result;
}
/**
* Add the current node and all parent identifiers to be used for cache entry tagging
*
* @Flow\Before("method(TYPO3\Flow\Mvc\Routing\RouterCachingService->extractUuids())")
* @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current join point
* @return void
*/
public function addCurrentNodeIdentifier(JoinPointInterface $joinPoint)
{
$values = $joinPoint->getMethodArgument('values');
if (!isset($values['node']) || strpos($values['node'], '@') === false) {
return;
}
// Build context explicitly without authorization checks because the security context isn't available yet
// anyway and any Entity Privilege targeted on Workspace would fail at this point:
$this->securityContext->withoutAuthorizationChecks(function () use($joinPoint, $values) {
$contextPathPieces = NodePaths::explodeContextPath($values['node']);
$context = $this->contextFactory->create(['workspaceName' => $contextPathPieces['workspaceName'], 'dimensions' => $contextPathPieces['dimensions'], 'invisibleContentShown' => true]);
$node = $context->getNode($contextPathPieces['nodePath']);
if (!$node instanceof NodeInterface) {
return;
}
$values['node-identifier'] = $node->getIdentifier();
$node = $node->getParent();
$values['node-parent-identifier'] = array();
while ($node !== null) {
$values['node-parent-identifier'][] = $node->getIdentifier();
$node = $node->getParent();
}
$joinPoint->setMethodArgument('values', $values);
});
}
/**
* Get the account of the first authenticated token.
*
* @return \TYPO3\Flow\Security\Account|NULL
*/
public function getAccount()
{
if ($this->securityContext->canBeInitialized()) {
return $this->securityContext->getAccount();
}
return NULL;
}
/**
* This is the default Policy voter, it votes for the access privilege for the given resource
*
* @param \TYPO3\Flow\Security\Context $securityContext The current security context
* @param string $resource The resource to vote for
* @return integer One of: VOTE_GRANT, VOTE_ABSTAIN, VOTE_DENY
*/
public function voteForResource(\TYPO3\Flow\Security\Context $securityContext, $resource)
{
$accessGrants = 0;
$accessDenies = 0;
foreach ($securityContext->getRoles() as $role) {
try {
$privilege = $this->policyService->getPrivilegeForResource($role, $resource);
} catch (\TYPO3\Flow\Security\Exception\NoEntryInPolicyException $e) {
return self::VOTE_ABSTAIN;
}
if ($privilege === NULL) {
continue;
}
if ($privilege === \TYPO3\Flow\Security\Policy\PolicyService::PRIVILEGE_GRANT) {
$accessGrants++;
} elseif ($privilege === \TYPO3\Flow\Security\Policy\PolicyService::PRIVILEGE_DENY) {
$accessDenies++;
}
}
if ($accessDenies > 0) {
return self::VOTE_DENY;
}
if ($accessGrants > 0) {
return self::VOTE_GRANT;
}
return self::VOTE_ABSTAIN;
}
/**
* Checks the given token for validity and sets the token authentication status
* accordingly (success, wrong credentials or no credentials given).
*
* @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof UsernamePassword) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
/** @var $account \TYPO3\Flow\Security\Account */
$account = NULL;
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['username'])) {
$providerName = $this->name;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
}
if (is_object($account)) {
if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* @return void
*/
public function indexAction()
{
$account = $this->securityContext->getAccount();
$this->view->assign('usrname', $account->getAccountIdentifier());
$this->view->assign('setups', $this->setupRepository->findAll());
$this->view->assign('listCategories', $this->categoryRepository->findAll());
}
/**
* Sets isAuthenticated to TRUE for all tokens.
*
* @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof Typo3OrgSsoToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
/** @var $account \TYPO3\Flow\Security\Account */
$account = null;
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['username'])) {
$providerName = $this->name;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, &$account) {
$account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
}
if (is_object($account)) {
$authenticationData = 'version=' . $credentials['version'] . '&user='******'username'] . '&tpa_id=' . $credentials['tpaId'] . '&expires=' . $credentials['expires'] . '&action=' . $credentials['action'] . '&flags=' . $credentials['flags'] . '&userdata=' . $credentials['userdata'];
if ($this->rsaWalletService->verifySignature($authenticationData, $credentials['signature'], $this->options['rsaKeyUuid']) && $credentials['expires'] > time()) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* The policy enforcement advice. This advices applies the security enforcement interceptor to all methods configured in the policy.
* Note: If we have some kind of "run as" functionality in the future, we would have to manipulate the security context
* before calling the policy enforcement interceptor
*
* @Flow\Around("filter(TYPO3\Flow\Security\Authorization\Privilege\Method\MethodPrivilegePointcutFilter)")
* @param JoinPointInterface $joinPoint The current joinpoint
* @return mixed The result of the target method if it has not been intercepted
*/
public function enforcePolicy(JoinPointInterface $joinPoint)
{
if ($this->securityContext->areAuthorizationChecksDisabled() !== true) {
$this->policyEnforcementInterceptor->setJoinPoint($joinPoint);
$this->policyEnforcementInterceptor->invoke();
}
return $joinPoint->getAdviceChain()->proceed($joinPoint);
}
/**
* Returns the currently logged in user, if any
*
* @return User The currently logged in user, or NULL
*/
public function getCurrentUser()
{
$account = $this->securityContext->getAccount();
if ($account === NULL) {
return NULL;
}
return $this->userRepository->findOneHavingAccount($account);
}
/**
* Returns the name of the currently logged in user's personal workspace (even if that might not exist at that time).
* If no user is logged in this method returns "live".
*
* @return string
*/
public function getUserWorkspaceName()
{
$account = $this->securityContext->getAccount();
if ($account === NULL) {
return 'live';
}
return 'user-' . preg_replace('/[^a-z0-9]/i', '', $account->getAccountIdentifier());
}
/**
* Initializes the controller before invoking an action method.
*
*/
public function initializeAction()
{
if ($this->securityContext->canBeInitialized()) {
$account = $this->securityContext->getAccount();
$this->bearbeiterObj = $this->bearbeiterRepository->findOneByAccount($account);
}
$this->cacheInterface = $this->cacheManager->getCache('GermaniaSacra_GermaniaCache');
}
/**
* @param string $title
* @param string $uri
* @param string $identifier
*/
public function disqusAction($title, $uri, $identifier)
{
$this->view->assign('title', $title);
$this->view->assign('uri', $uri);
$this->view->assign('identifier', $identifier);
if ($account = $this->securityContext->getAccount()) {
$this->view->assign('remoteAuth', $this->disqusRemoteAuthService->generateDisqusRemoteAuth($account));
}
}
/**
* Try to set the current account identifier emitting the events, if possible
*
* @return void
*/
protected function initializeAccountIdentifier()
{
if ($this->securityContext->canBeInitialized()) {
$account = $this->securityContext->getAccount();
if ($account !== NULL) {
$this->eventEmittingService->setCurrentAccountIdentifier($account->getAccountIdentifier());
}
}
}
/**
* Initializes some basic stuff that will basically be needed for each and
* every action that is executed later on.
*/
public function initializeAction()
{
// get the account of the authenticated user
$this->account = $this->securityContext->getAccount();
// set the locale
$this->locale = $this->localeDetector->detectLocaleFromLocaleTag($this->settings['defaultLanguage']);
if ($this->l18nService->getConfiguration()->getCurrentLocale() !== $this->locale) {
$this->l18nService->getConfiguration()->setCurrentLocale($this->locale);
}
}
/**
* This returns the (first) *authenticated* OAuth token which doesn't have a party attached.
*
*@return AbstractClientToken
*/
public function getChargedAuthenticatedTokenHavingNoPartyAttached()
{
/** @var $token AbstractClientToken */
foreach ((array) $this->securityContext->getAuthenticationTokensOfType($this->getTokenClassName()) as $token) {
if ($token->getAuthenticationStatus() === TokenInterface::AUTHENTICATION_SUCCESSFUL && ($token->getAccount() === NULL || $token->getAccount()->getParty() === NULL)) {
return $token;
}
}
return NULL;
}
/**
* The policy enforcement advice. This advices applies the security enforcement interceptor to all methods configured in the policy.
* Note: If we have some kind of "run as" functionality in the future, we would have to manipulate the security context
* before calling the policy enforcement interceptor
*
* @Flow\Around("setting(TYPO3.Flow.security.enable) && filter(TYPO3\Flow\Security\Policy\PolicyService)")
* @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current joinpoint
* @return mixed The result of the target method if it has not been intercepted
*/
public function enforcePolicy(\TYPO3\Flow\Aop\JoinPointInterface $joinPoint)
{
if ($this->securityContext->areAuthorizationChecksDisabled() !== TRUE) {
$this->policyEnforcementInterceptor->setJoinPoint($joinPoint);
$this->policyEnforcementInterceptor->invoke();
}
$result = $joinPoint->getAdviceChain()->proceed($joinPoint);
// @TODO Once we use the AfterInvocation again, it needs to be invoked here and its result returned instead.
return $result;
}
/**
* @param string $propertyPath
* @return string
*/
public function render($propertyPath = 'party.name')
{
$tokens = $this->securityContext->getAuthenticationTokens();
foreach ($tokens as $token) {
if ($token->isAuthenticated()) {
return (string) \TYPO3\Flow\Reflection\ObjectAccess::getPropertyPath($token->getAccount(), $propertyPath);
}
}
return '';
}
/**
* Returns TRUE, if at least one of the currently authenticated accounts holds
* a role with the given identifier, also recursively.
*
* @param string $roleIdentifier The string representation of the role to search for
* @return boolean TRUE, if a role with the given string representation was found
*/
public function hasRole($roleIdentifier)
{
if ($roleIdentifier === 'TYPO3.Flow:Everybody') {
return true;
}
if ($this->securityContext->canBeInitialized()) {
return $this->securityContext->hasRole($roleIdentifier);
}
return false;
}
/**
* Renders <f:then> child if any account is currently authenticated, otherwise renders <f:else> child.
*
* @return string the rendered string
* @api
*/
public function render()
{
$activeTokens = $this->securityContext->getAuthenticationTokens();
/** @var $token TokenInterface */
foreach ($activeTokens as $token) {
if ($token->isAuthenticated()) {
return $this->renderThenChild();
}
}
return $this->renderElseChild();
}
/**
* @param string $session
*/
public function deleteAction($session)
{
$account = $this->securityContext->getAccount();
/** @var \T3DD\Backend\Domain\Model\Vote $vote */
$vote = $this->voteRepository->getVoteForAccountAndSession($session, $account);
if (!$vote) {
$this->response->setStatus(404);
return;
}
$this->voteRepository->remove($vote);
}
/**
* Renders <f:then> child if any account is currently authenticated, otherwise renders <f:else> child.
*
* @param string $authenticationProviderName
* @return string the rendered string
* @api
*/
public function render($authenticationProviderName = 'Sandstorm.UserManagement:Login')
{
$activeTokens = $this->securityContext->getAuthenticationTokens();
/** @var $token TokenInterface */
foreach ($activeTokens as $token) {
if ($token->getAuthenticationProviderName() === $authenticationProviderName && $token->isAuthenticated()) {
return $this->renderThenChild();
}
}
return $this->renderElseChild();
}
/**
* @throws \TYPO3\Flow\Security\Exception\AuthenticationRequiredException
* @throws \TYPO3\Flow\Security\Exception\AccessDeniedException
* @return void
*/
public function authenticateAction()
{
try {
$this->authenticationManager->authenticate();
$account = $this->securityContext->getAccount();
$this->redirect('index', 'Dashboard', NULL, array('user' => $account));
} catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) {
$this->flashMessageContainer->addMessage(new \TYPO3\Flow\Error\Error('Bitte die korrekten Benutzerdaten eingeben.'));
//$this->flashMessageContainer->addMessage(new \TYPO3\Flow\Error\Error($exception->getMessage()));
throw $exception;
}
}
/**
* Create an action request from stored route match values and dispatch to that
*
* @param ComponentContext $componentContext
* @return void
*/
public function handle(ComponentContext $componentContext)
{
$httpRequest = $componentContext->getHttpRequest();
/** @var $actionRequest ActionRequest */
$actionRequest = $this->objectManager->get(ActionRequest::class, $httpRequest);
$this->securityContext->setRequest($actionRequest);
$routingMatchResults = $componentContext->getParameter(Routing\RoutingComponent::class, 'matchResults');
$actionRequest->setArguments($this->mergeArguments($httpRequest, $routingMatchResults));
$this->setDefaultControllerAndActionNameIfNoneSpecified($actionRequest);
$componentContext->setParameter(self::class, 'actionRequest', $actionRequest);
$this->dispatcher->dispatch($actionRequest, $componentContext->getHttpResponse());
}
/**
* @param Participant $participant
*/
public function updateAction(Participant $participant)
{
$participantEntity = $participant->getPayload();
if ($participantEntity->getAccount() !== NULL && $participantEntity->getAccount() !== $this->securityContext->getAccount() && !$this->securityContext->hasRole('T3DD.Backend:Administrator')) {
$this->response->setStatus(403);
return;
}
if (!$participantEntity->isCompleted()) {
$participantEntity->setCompleted(TRUE);
$participantEntity->setAccount($this->securityContext->getAccount());
}
$this->participantRepository->update($participantEntity);
$this->view->assign('value', $participant);
}
/**
* Update/adds a user preference
*
* @param string $key The key of the preference to update/add
* @param string $value The value of the preference
* @return void
*/
public function updateAction($key, $value)
{
/** @var $user User */
$user = $this->securityContext->getPartyByType('TYPO3\\Neos\\Domain\\Model\\User');
// TODO: This should be done in an earlier stage (TypeConverter ?)
if (strtolower($value) === 'false') {
$value = FALSE;
} elseif (strtolower($value) === 'true') {
$value = TRUE;
}
$user->getPreferences()->set($key, $value);
$this->partyRepository->update($user);
$this->throwStatus(204, 'User preferences have been updated');
}
/**
* Notify SSO servers about the logged out client
*
* All active authentication tokens of type SingleSignOnToken will be
* used to get the registered global session id and send a request
* to the session service on the SSO server.
*
* @return void
*/
public function logout()
{
$allConfiguration = $this->configurationManager->getConfiguration(\TYPO3\Flow\Configuration\ConfigurationManager::CONFIGURATION_TYPE_SETTINGS, 'TYPO3.Flow');
$tokens = $this->securityContext->getAuthenticationTokensOfType('Flowpack\\SingleSignOn\\Client\\Security\\SingleSignOnToken');
foreach ($tokens as $token) {
$providerName = $token->getAuthenticationProviderName();
$serverIdentifier = \TYPO3\Flow\Utility\Arrays::getValueByPath($allConfiguration, 'security.authentication.providers.' . $providerName . '.providerOptions.server');
if ($serverIdentifier !== NULL) {
$ssoClient = $this->ssoClientFactory->create();
$ssoServer = $this->ssoServerFactory->create($serverIdentifier);
$ssoServer->destroySession($ssoClient, $token->getGlobalSessionId());
}
}
}
/**
* @param NodeInterface $node
* @return string
* @throws NeosException
*/
public function render(NodeInterface $node)
{
if ($this->privilegeManager->isPrivilegeTargetGranted('TYPO3.Neos:Backend.GeneralAccess') === false) {
return '';
}
/** @var $actionRequest ActionRequest */
$actionRequest = $this->controllerContext->getRequest();
$innerView = new StandaloneView($actionRequest);
$innerView->setTemplatePathAndFilename('resource://TYPO3.Neos/Private/Templates/Backend/Content/Container.html');
$innerView->setFormat('html');
$innerView->setPartialRootPath('resource://TYPO3.Neos/Private/Partials');
$user = $this->securityContext->getPartyByType('TYPO3\\Neos\\Domain\\Model\\User');
$innerView->assignMultiple(array('node' => $node, 'modules' => $this->menuHelper->buildModuleList($this->controllerContext), 'sites' => $this->menuHelper->buildSiteList($this->controllerContext), 'user' => $user));
return $innerView->render();
}
/**
* Initialize view action
*
* @param \TYPO3\Flow\Mvc\View\ViewInterface $view
* @return void
*/
protected function initializeView(\TYPO3\Flow\Mvc\View\ViewInterface $view)
{
$loggedUser = $this->securityContext->getAccount();
$currentUrl = $this->request->getHttpRequest()->getUri();
$view->assign('currentpage', $currentUrl);
$view->assign('state', $this->base64UrlEncode($currentUrl));
if ($loggedUser != NULL) {
$view->assign('loggedInUser', $this->securityContext->getAccount()->getAccountIdentifier());
$view->assign('currentUser', $this->securityContext->getAccount()->getParty());
}
$facebook_appid = $this->facebookService->getAppId();
$facebook_redirecturi = $this->facebookService->getRedirectUri();
$vkLoginUrl = $this->vkService->getAuthorizationUri();
$this->view->assignMultiple(array('vk_url' => $vkLoginUrl, 'google_url' => $this->googlePlusService->getAuthorizationUri(), 'facebook_appid' => $facebook_appid, 'facebook_redirecturi' => $facebook_redirecturi));
}
