/** * User attempts to update the given site's certification status. * @param \Site $site * @param \CertificationStatus $newCertStatus * @param \User $user * @param string $reason The reason for this change, max 300 char. * @throws \Exception If access is denied or the change is invalid */ public function editCertificationStatus(\Site $site, \CertificationStatus $newCertStatus, \User $user, $reason) { //$this->editAuthorization($site, $user); require_once __DIR__ . '/Site.php'; $siteService = new \org\gocdb\services\Site(); $siteService->setEntityManager($this->em); if (count($siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site, $user)) == 0) { throw new \Exception('You do not have permission to change site certification status'); } // TODO use validate service if (empty($reason)) { throw new \LogicException('A reason is required'); } if (strlen($reason) > 300) { throw new \LogicException('Invalid reason - 300 char max'); } // Admins can do any cert status change, e.g. to undo mistakes. if (!$user->isAdmin()) { $this->isChangeValid($site, $newCertStatus); } $oldStatusString = $site->getCertificationStatus()->getName(); try { $this->em->beginTransaction(); $now = new \DateTime('now', new \DateTimeZone('UTC')); // create a new CertStatusLog $certLog = new \CertificationStatusLog(); $certLog->setAddedBy($user->getCertificateDn()); $certLog->setNewStatus($newCertStatus->getName()); $certLog->setOldStatus($oldStatusString); $certLog->setAddedDate($now); $certLog->setReason($reason); $this->em->persist($certLog); // update our site $site->addCertificationStatusLog($certLog); $site->setCertificationStatus($newCertStatus); $site->setCertificationStatusChangeDate($now); $this->em->merge($site); $this->em->flush(); $this->em->getConnection()->commit(); } catch (\Exception $ex) { $this->em->getConnection()->rollback(); $this->em->close(); throw $ex; } }
/** * Get an array of Role names granted to the user that permit the requested * action on the given OwnedEntity. If the user has no roles that * permit the requested action, then return an empty array. * <p> * Supported actions: EDIT_OBJECT, NGI_ADD_SITE, GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE * * @param string $action * @param \OwnedEntity $entity * @param \User $callingUser * @return array of RoleName values * @throws LogicException If unsupported enitity type or action is passed */ public function authorizeAction($action, \OwnedEntity $entity, \User $callingUser) { $siteService = new \org\gocdb\services\Site(); $siteService->setEntityManager($this->em); $ngiService = new \org\gocdb\services\NGI(); $ngiService->setEntityManager($this->em); $sgService = new \org\gocdb\services\ServiceGroup(); $sgService->setEntityManager($this->em); $projectService = new \org\gocdb\services\Project(); $projectService->setEntityManager($this->em); if ($entity instanceof \NGI) { $grantingRoles = $ngiService->authorizeAction($action, $entity, $callingUser); } else { if ($entity instanceof \Site) { $grantingRoles = $siteService->authorizeAction($action, $entity, $callingUser); } else { if ($entity instanceof \Project) { $grantingRoles = $projectService->authorizeAction($action, $entity, $callingUser); } else { if ($entity instanceof \ServiceGroup) { $grantingRoles = $sgService->authorizeAction($action, $entity, $callingUser); } else { throw new \LogicException('Unsuppored OwnedEntity type'); } } } } return $grantingRoles; }
/** * Array * ( * [Service_Type] => 21 * [EndpointURL] => Testing://host.com * [Scope] => 2 * [Hosting_Site] => 377 * [SE] => Array * ( * [ENDPOINT] => my.new.host.com21 * [HOSTNAME] => my.new.host.com * [HOST_IP] => 10.0.0.1 * [HOST_DN] => /cn=JCasson * [HOST_IP_V6] => 0000:0000:0000:0000:0000:0000:0000:0000[/int] * [DESCRIPTION] => hithere * [HOST_OS] => * [HOST_ARCH] => * [BETA] => Y * [PRODUCTION_LEVEL] => Y * [IS_MONITORED] => Y * [EMAIL] => * ) * ) * @param Array $values Balues for the new SE (defined above) * @param org\gocdb\services\User $user The user adding the SE */ public function addService($values, \User $user = null) { $this->em->getConnection()->beginTransaction(); // get the parent site $dql = "SELECT s from Site s WHERE s.id = :id"; $site = $this->em->createQuery($dql)->setParameter('id', $values['hostingSite'])->getSingleResult(); // get the service type $st = $this->getServiceType($values['serviceType']); $siteService = new \org\gocdb\services\Site(); $siteService->setEntityManager($this->em); if (count($siteService->authorizeAction(\Action::SITE_ADD_SERVICE, $site, $user)) == 0) { throw new \Exception("You don't hold a role over {$site}."); } $this->validate($values['SE'], 'service'); $this->validateEndpointUrl($values['endpointUrl']); $this->uniqueCheck($values['SE']['HOSTNAME'], $st, $site); //check there are the required number of scopes specified $this->checkNumberOfScopes($values['Scope_ids']); // validate production/monitored combination if ($st != 'VOMS' && $st != 'emi.ARGUS') { if ($values['PRODUCTION_LEVEL'] == "Y" && $values['IS_MONITORED'] != "Y") { throw new \Exception("If Production flat is set to True, Monitored flag must also be True (except for VOMS and emi.ARGUS)"); } } $se = new \Service(); try { $se->setParentSiteDoJoin($site); $se->setServiceType($st); // Set production if ($values['PRODUCTION_LEVEL'] == "Y") { $se->setProduction(true); } else { $se->setProduction(false); } // Set Beta if ($values['BETA'] == "Y") { $se->setBeta(true); } else { $se->setBeta(false); } // Set monitored if ($values['IS_MONITORED'] == "Y") { $se->setMonitored(true); } else { $se->setMonitored(false); } // Set the scopes foreach ($values['Scope_ids'] as $scopeId) { $dql = "SELECT s FROM Scope s WHERE s.id = :id"; $scope = $this->em->createQuery($dql)->setParameter('id', $scopeId)->getSingleResult(); $se->addScope($scope); } $se->setDn($values['SE']['HOST_DN']); $se->setIpAddress($values['SE']['HOST_IP']); $se->setOperatingSystem($values['SE']['HOST_OS']); $se->setArchitecture($values['SE']['HOST_ARCH']); $se->setHostName($values['SE']['HOSTNAME']); $se->setDescription($values['SE']['DESCRIPTION']); $se->setEmail($values['SE']['EMAIL']); $se->setUrl($values['endpointUrl']); /* With version 5.3 a service does not have to have an endpoint. $el = new \EndpointLocation(); $el->setUrl($values['endpointUrl']); $se->addEndpointLocationDoJoin($el); $this->em->persist($el); */ $this->em->persist($se); $this->em->flush(); $this->em->getConnection()->commit(); } catch (\Exception $e) { $this->em->getConnection()->rollback(); $this->em->close(); throw $e; } return $se; }
/** * Persist some seed data - roletypes, user, Project, NGI, sites and SEs and * assert that the user has the expected number of roles that grant specific * actions over the owned objects. For example, assert that the user has 'n' * number of roles that allow a particular site to be edited, or 'n' number * of roles that allow an NGI certification status change. */ public function testAuthorizeAction1() { print __METHOD__ . "\n"; // Create roletypes $siteAdminRT = TestUtil::createSampleRoleType(RoleTypeName::SITE_ADMIN); $ngiManRT = TestUtil::createSampleRoleType(RoleTypeName::NGI_OPS_MAN); $rodRT = TestUtil::createSampleRoleType(RoleTypeName::REG_STAFF_ROD); $codRT = TestUtil::createSampleRoleType(RoleTypeName::COD_ADMIN); $this->em->persist($siteAdminRT); // edit site1 (but not cert status) $this->em->persist($ngiManRT); // edit owned site1/site2 and cert status $this->em->persist($rodRT); // edit owned sites 1and2 (but not cert status) $this->em->persist($codRT); // edit all sites cert status only // Create a user $u = TestUtil::createSampleUser("Test", "Testing", "/c=test"); $this->em->persist($u); // Create a linked object graph // NGI->Site1->SE // |->Site2 $ngi = TestUtil::createSampleNGI("MYNGI"); $this->em->persist($ngi); $site1 = TestUtil::createSampleSite("SITENAME"); //$site1->setNgiDoJoin($ngi); $ngi->addSiteDoJoin($site1); $this->em->persist($site1); $se1 = TestUtil::createSampleService('somelabel'); $site1->addServiceDoJoin($se1); $this->em->persist($se1); $site2_userHasNoDirectRole = TestUtil::createSampleSite("SITENAME_2"); $ngi->addSiteDoJoin($site2_userHasNoDirectRole); //$site2_userHasNoDirectRole->setNgiDoJoin($ngi); $this->em->persist($site2_userHasNoDirectRole); // Create ngiManagerRole, ngiUserRole, siteAdminRole and link user and owned entities $ngiManagerRole = TestUtil::createSampleRole($u, $ngiManRT, $ngi, RoleStatus::GRANTED); $this->em->persist($ngiManagerRole); $rodUserRole = TestUtil::createSampleRole($u, $rodRT, $ngi, RoleStatus::GRANTED); $this->em->persist($rodUserRole); $siteAdminRole = TestUtil::createSampleRole($u, $siteAdminRT, $site1, RoleStatus::GRANTED); $this->em->persist($siteAdminRole); $this->em->flush(); // ********MUST******** start a new connection to test transactional // isolation of RoleService methods. $em = $this->createEntityManager(); $siteService = new org\gocdb\services\Site(); $siteService->setEntityManager($em); // Assert user can edit site using 3 enabling roles $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u); $this->assertEquals(3, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles)); // Assert user can only edit cert status through his NGI_OPS_MAN role $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u); $this->assertEquals(1, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles)); // Add a new project and link ngi and give user COD_ADMIN Project role (use $this->em to isolate) // Project->NGI->Site1->SE // |->Site2 $proj = new Project('EGI project'); $proj->addNgi($ngi); //$ngi->addProject($proj); // not strictly needed $this->em->persist($proj); $codRole = TestUtil::createSampleRole($u, $codRT, $proj, RoleStatus::GRANTED); $this->em->persist($codRole); $this->em->flush(); // Assert user now has 2 roles that enable SITE_EDIT_CERT_STATUS change action $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u); $this->assertEquals(2, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::COD_ADMIN, $enablingRoles)); // Assert user can edit SE using SITE_ADMIN, NGI_OPS_MAN, REG_STAFF_ROD roles (but not COD role) $seService = new org\gocdb\services\ServiceService(); $seService->setEntityManager($em); $enablingRoles = $seService->authorizeAction(\Action::EDIT_OBJECT, $se1, $u); $this->assertEquals(3, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles)); // Assert User can only edit Site2 through his 2 indirect ngi roles // (user don't have any direct site level roles on this site and COD don't give edit perm) $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u); $this->assertEquals(2, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles)); // Delete the user's Project COD role $this->em->remove($codRole); $this->em->flush(); // Assert user can only SITE_EDIT_CERT_STATUS through 1 role for both sites $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u); $this->assertEquals(1, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles)); $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u); $this->assertEquals(1, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles)); // Delete the user's NGI manager role $this->em->remove($ngiManagerRole); $this->em->flush(); // Assert user can't edit site2 cert status $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u); $this->assertEquals(0, count($enablingRoles)); // Assert user can still edit site via his ROD role $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u); $this->assertEquals(1, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles)); // Delete the user's NGI ROD role $this->em->remove($rodUserRole); $this->em->flush(); // User can't edit site2 $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u); $this->assertEquals(0, count($enablingRoles)); // Assert user can still edit SITE1 through his direct site level role (this role has not been deleted) $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u); $this->assertEquals(1, count($enablingRoles)); $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles)); // Delete user's remaining Site role $this->em->remove($siteAdminRole); $this->em->flush(); // User can't edit site1 $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u); $this->assertEquals(0, count($enablingRoles)); }