/** * Convert an object from $source to an object. * * @param mixed $source * @param string $targetType * @param array $convertedChildProperties * @param PropertyMappingConfigurationInterface $configuration * @return object the target type */ public function convertFrom($source, $targetType, array $convertedChildProperties = [], PropertyMappingConfigurationInterface $configuration = null) { try { $role = $this->policyService->getRole($source); } catch (NoSuchRoleException $exception) { return new Error('Could not find a role with the identifier "%s".', 1397212327, [$source]); } return $role; }
/** * @test */ public function viewHelperRendersThenPartIfHasRoleReturnsTrue() { $role = new Role('Acme.Demo:SomeRole'); $this->mockSecurityContext->expects($this->once())->method('hasRole')->with('Acme.Demo:SomeRole')->will($this->returnValue(true)); $this->mockPolicyService->expects($this->once())->method('getRole')->with('Acme.Demo:SomeRole')->will($this->returnValue($role)); $this->mockViewHelper->expects($this->once())->method('renderThenChild')->will($this->returnValue('then-child')); $arguments = ['role' => 'SomeRole', 'account' => null]; $this->mockViewHelper->setArguments($arguments); $actualResult = $this->mockViewHelper->render(); $this->assertEquals('then-child', $actualResult); }
/** * Creates a new account and sets the given password and roles * * @param string $identifier Identifier of the account, must be unique * @param string $password The clear text password * @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account * @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with * @param string $passwordHashingStrategy Optional password hashing strategy to use for the password * @return Account A new account, not yet added to the account repository */ public function createAccountWithPassword($identifier, $password, $roleIdentifiers = [], $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default') { $account = new Account(); $account->setAccountIdentifier($identifier); $account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy)); $account->setAuthenticationProviderName($authenticationProviderName); $roles = []; foreach ($roleIdentifiers as $roleIdentifier) { $roles[] = $this->policyService->getRole($roleIdentifier); } $account->setRoles($roles); return $account; }
/** * @test */ public function everybodyRoleCanHaveExplicitDenies() { $mockPrivilegeClassName = get_class($this->mockPrivilege); $this->mockPolicyConfiguration = ['privilegeTargets' => [$mockPrivilegeClassName => ['Some.PrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()'], 'Some.OtherPrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()']]], 'roles' => ['Neos.Flow:Everybody' => ['privileges' => [['privilegeTarget' => 'Some.PrivilegeTarget:Identifier', 'permission' => 'DENY']]], 'Some.Other:Role' => ['privileges' => [['privilegeTarget' => 'Some.PrivilegeTarget:Identifier', 'permission' => 'GRANT']]]]]; $everybodyRole = $this->policyService->getRole('Neos.Flow:Everybody'); $this->assertTrue($everybodyRole->getPrivilegeForTarget('Some.PrivilegeTarget:Identifier')->isDenied()); }
public function setUp() { $this->mockRole = $this->getMockBuilder(Role::class)->disableOriginalConstructor()->getMock(); $this->mockRole->expects($this->any())->method('getIdentifier')->will($this->returnValue('Neos.Flow:TestRoleIdentifier')); $this->mockPolicyService = $this->getMockBuilder(PolicyService::class)->disableOriginalConstructor()->getMock(); $this->mockPolicyService->expects($this->any())->method('getRole')->with('Neos.Flow:TestRoleIdentifier')->will($this->returnValue($this->mockRole)); $this->mockHashService = $this->getMockBuilder(HashService::class)->disableOriginalConstructor()->getMock(); $expectedPassword = $this->testKeyClearText; $expectedHashedPasswordAndSalt = $this->testKeyHashed; $this->mockHashService->expects($this->any())->method('validatePassword')->will($this->returnCallback(function ($password, $hashedPasswordAndSalt) use($expectedPassword, $expectedHashedPasswordAndSalt) { return $hashedPasswordAndSalt === $expectedHashedPasswordAndSalt && $password === $expectedPassword; })); $this->mockFileBasedSimpleKeyService = $this->getMockBuilder(FileBasedSimpleKeyService::class)->disableOriginalConstructor()->getMock(); $this->mockFileBasedSimpleKeyService->expects($this->any())->method('getKey')->with('testKey')->will($this->returnValue($this->testKeyHashed)); $this->mockToken = $this->getMockBuilder(PasswordToken::class)->disableOriginalConstructor()->getMock(); }
/** * @param string $className * @param string $methodName * @return boolean */ protected function hasPolicyEntryForMethod($className, $methodName) { $methodPrivileges = $this->policyService->getAllPrivilegesByType(MethodPrivilegeInterface::class); /** @var MethodPrivilegeInterface $privilege */ foreach ($methodPrivileges as $privilege) { if ($privilege->matchesMethod($className, $methodName)) { return true; } } return false; }
/** * Initializes the roles field by fetching the role objects referenced by the roleIdentifiers * * @return void */ protected function initializeRoles() { if ($this->roles !== null) { return; } $this->roles = []; foreach ($this->roleIdentifiers as $key => $roleIdentifier) { // check for and clean up roles no longer available if ($this->policyService->hasRole($roleIdentifier)) { $this->roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier); } else { unset($this->roleIdentifiers[$key]); } } }
/** * Shows the methods represented by the given security privilege target * * If the privilege target has parameters those can be specified separated by a colon * for example "parameter1:value1" "parameter2:value2". * But be aware that this only works for parameters that have been specified in the policy * * @param string $privilegeTarget The name of the privilegeTarget as stated in the policy * @return void */ public function showMethodsForPrivilegeTargetCommand($privilegeTarget) { $privilegeTargetInstance = $this->policyService->getPrivilegeTargetByIdentifier($privilegeTarget); if ($privilegeTargetInstance === null) { $this->outputLine('The privilegeTarget "%s" is not defined', [$privilegeTarget]); $this->quit(1); } $privilegeParameters = []; foreach ($this->request->getExceedingArguments() as $argument) { list($argumentName, $argumentValue) = explode(':', $argument, 2); $privilegeParameters[$argumentName] = $argumentValue; } $privilege = $privilegeTargetInstance->createPrivilege(PrivilegeInterface::GRANT, $privilegeParameters); if (!$privilege instanceof MethodPrivilegeInterface) { $this->outputLine('The privilegeTarget "%s" does not refer to a MethodPrivilege but to a privilege of type "%s"', [$privilegeTarget, $privilege->getPrivilegeTarget()->getPrivilegeClassName()]); $this->quit(1); } $matchedClassesAndMethods = []; foreach ($this->reflectionService->getAllClassNames() as $className) { try { $reflectionClass = new \ReflectionClass($className); } catch (\ReflectionException $exception) { continue; } foreach ($reflectionClass->getMethods() as $reflectionMethod) { $methodName = $reflectionMethod->getName(); if ($privilege->matchesMethod($className, $methodName)) { $matchedClassesAndMethods[$className][$methodName] = $methodName; } } } if (count($matchedClassesAndMethods) === 0) { $this->outputLine('The given privilegeTarget did not match any method.'); $this->quit(1); } foreach ($matchedClassesAndMethods as $className => $methods) { $this->outputLine($className); foreach ($methods as $methodName) { $this->outputLine(' ' . $methodName); } $this->outputLine(); } }
/** * Update a given account * * @param Account $account The account to update * @param array $roleIdentifiers A possibly updated list of roles for the user's primary account * @param array $password Expects an array in the format array('<password>', '<password confirmation>') * @Flow\Validate(argumentName="password", type="\Neos\Neos\Validation\Validator\PasswordValidator", options={ "allowEmpty"=1, "minimum"=1, "maximum"=255 }) * @return void */ public function updateAccountAction(Account $account, array $roleIdentifiers, array $password = array()) { $user = $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName()); if ($user === $this->currentUser) { $roles = array(); foreach ($roleIdentifiers as $roleIdentifier) { $roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier); } if (!$this->privilegeManager->isPrivilegeTargetGrantedForRoles($roles, 'Neos.Neos:Backend.Module.Administration.Users')) { $this->addFlashMessage('With the selected roles the currently logged in user wouldn\'t have access to this module any longer. Please adjust the assigned roles!', 'Don\'t lock yourself out', Message::SEVERITY_WARNING, array(), 1416501197); $this->forward('edit', null, null, array('user' => $this->currentUser)); } } $password = array_shift($password); if (strlen(trim(strval($password))) > 0) { $this->userService->setUserPassword($user, $password); } $this->userService->setRolesForAccount($account, $roleIdentifiers); $this->addFlashMessage('The account has been updated.', 'Account updated', Message::SEVERITY_OK); $this->redirect('edit', null, null, array('user' => $user)); }
/** * Sets isAuthenticated to TRUE for all tokens. * * @param TokenInterface $authenticationToken The token to be authenticated * @return void * @throws UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof PasswordToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['password'])) { if ($this->hashService->validatePassword($credentials['password'], $this->fileBasedSimpleKeyService->getKey($this->options['keyName']))) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $account = new Account(); $roles = []; foreach ($this->options['authenticateRoles'] as $roleIdentifier) { $roles[] = $this->policyService->getRole($roleIdentifier); } $account->setRoles($roles); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * Returns the roles of all authenticated accounts, including inherited roles. * * If no authenticated roles could be found the "Anonymous" role is returned. * * The "Neos.Flow:Everybody" roles is always returned. * * @return Role[] */ public function getRoles() { if ($this->initialized === false) { $this->initialize(); } if ($this->roles === null) { $this->roles = ['Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody')]; if ($this->authenticationManager->isAuthenticated() === false) { $this->roles['Neos.Flow:Anonymous'] = $this->policyService->getRole('Neos.Flow:Anonymous'); } else { $this->roles['Neos.Flow:AuthenticatedUser'] = $this->policyService->getRole('Neos.Flow:AuthenticatedUser'); /** @var $token TokenInterface */ foreach ($this->getAuthenticationTokens() as $token) { if ($token->isAuthenticated() !== true) { continue; } $account = $token->getAccount(); if ($account === null) { continue; } if ($account !== null) { $accountRoles = $account->getRoles(); /** @var $currentRole Role */ foreach ($accountRoles as $currentRole) { if (!in_array($currentRole, $this->roles)) { $this->roles[$currentRole->getIdentifier()] = $currentRole; } /** @var $currentParentRole Role */ foreach ($currentRole->getAllParentRoles() as $currentParentRole) { if (!in_array($currentParentRole, $this->roles)) { $this->roles[$currentParentRole->getIdentifier()] = $currentParentRole; } } } } } } } return $this->roles; }
/** * Returns an array with all roles of a user's accounts, including parent roles, the "Everybody" role and the * "AuthenticatedUser" role, assuming that the user is logged in. * * @param User $user The user * @return array */ protected function getAllRoles(User $user) { $roles = array('Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody'), 'Neos.Flow:AuthenticatedUser' => $this->policyService->getRole('Neos.Flow:AuthenticatedUser')); /** @var Account $account */ foreach ($user->getAccounts() as $account) { $accountRoles = $account->getRoles(); /** @var $currentRole Role */ foreach ($accountRoles as $currentRole) { if (!in_array($currentRole, $roles)) { $roles[$currentRole->getIdentifier()] = $currentRole; } /** @var $currentParentRole Role */ foreach ($currentRole->getAllParentRoles() as $currentParentRole) { if (!in_array($currentParentRole, $roles)) { $roles[$currentParentRole->getIdentifier()] = $currentParentRole; } } } } return $roles; }
/** * Creates a new account, assigns it the given roles and authenticates it. * The created account is returned for further modification, for example for attaching a Party object to it. * * @param array $roleNames A list of roles the new account should have * @return \Neos\Flow\Security\Account The created account * @api */ protected function authenticateRoles(array $roleNames) { $account = new \Neos\Flow\Security\Account(); $roles = array(); foreach ($roleNames as $roleName) { $roles[] = $this->policyService->getRole($roleName); } $account->setRoles($roles); $this->authenticateAccount($account); return $account; }
/** * A changed database needs to resynchronize the roles * * @return void */ public function resetPolicyRolesCacheAfterDatabaseChanges() { $this->policyService->reset(); }
/** * @test */ public function createAccountWithPasswordCreatesANewAccountWithTheGivenIdentifierPasswordRolesAndProviderName() { $factory = new AccountFactory(); $actualAccount = $factory->createAccountWithPassword('username', 'password', ['Neos.Flow:Administrator', 'Neos.Flow:Customer'], 'OtherProvider'); $this->assertEquals('username', $actualAccount->getAccountIdentifier()); $this->assertEquals('OtherProvider', $actualAccount->getAuthenticationProviderName()); $this->assertTrue($actualAccount->hasRole($this->policyService->getRole('Neos.Flow:Administrator'))); $this->assertTrue($actualAccount->hasRole($this->policyService->getRole('Neos.Flow:Customer'))); }