/** * Convert an object from $source to an object. * * @param mixed $source * @param string $targetType * @param array $convertedChildProperties * @param PropertyMappingConfigurationInterface $configuration * @return object the target type */ public function convertFrom($source, $targetType, array $convertedChildProperties = [], PropertyMappingConfigurationInterface $configuration = null) { try { $role = $this->policyService->getRole($source); } catch (NoSuchRoleException $exception) { return new Error('Could not find a role with the identifier "%s".', 1397212327, [$source]); } return $role; }
/** * Creates a new account and sets the given password and roles * * @param string $identifier Identifier of the account, must be unique * @param string $password The clear text password * @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account * @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with * @param string $passwordHashingStrategy Optional password hashing strategy to use for the password * @return Account A new account, not yet added to the account repository */ public function createAccountWithPassword($identifier, $password, $roleIdentifiers = [], $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default') { $account = new Account(); $account->setAccountIdentifier($identifier); $account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy)); $account->setAuthenticationProviderName($authenticationProviderName); $roles = []; foreach ($roleIdentifiers as $roleIdentifier) { $roles[] = $this->policyService->getRole($roleIdentifier); } $account->setRoles($roles); return $account; }
/** * @test */ public function everybodyRoleCanHaveExplicitDenies() { $mockPrivilegeClassName = get_class($this->mockPrivilege); $this->mockPolicyConfiguration = ['privilegeTargets' => [$mockPrivilegeClassName => ['Some.PrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()'], 'Some.OtherPrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()']]], 'roles' => ['Neos.Flow:Everybody' => ['privileges' => [['privilegeTarget' => 'Some.PrivilegeTarget:Identifier', 'permission' => 'DENY']]], 'Some.Other:Role' => ['privileges' => [['privilegeTarget' => 'Some.PrivilegeTarget:Identifier', 'permission' => 'GRANT']]]]]; $everybodyRole = $this->policyService->getRole('Neos.Flow:Everybody'); $this->assertTrue($everybodyRole->getPrivilegeForTarget('Some.PrivilegeTarget:Identifier')->isDenied()); }
/** * Initializes the roles field by fetching the role objects referenced by the roleIdentifiers * * @return void */ protected function initializeRoles() { if ($this->roles !== null) { return; } $this->roles = []; foreach ($this->roleIdentifiers as $key => $roleIdentifier) { // check for and clean up roles no longer available if ($this->policyService->hasRole($roleIdentifier)) { $this->roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier); } else { unset($this->roleIdentifiers[$key]); } } }
/** * Update a given account * * @param Account $account The account to update * @param array $roleIdentifiers A possibly updated list of roles for the user's primary account * @param array $password Expects an array in the format array('<password>', '<password confirmation>') * @Flow\Validate(argumentName="password", type="\Neos\Neos\Validation\Validator\PasswordValidator", options={ "allowEmpty"=1, "minimum"=1, "maximum"=255 }) * @return void */ public function updateAccountAction(Account $account, array $roleIdentifiers, array $password = array()) { $user = $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName()); if ($user === $this->currentUser) { $roles = array(); foreach ($roleIdentifiers as $roleIdentifier) { $roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier); } if (!$this->privilegeManager->isPrivilegeTargetGrantedForRoles($roles, 'Neos.Neos:Backend.Module.Administration.Users')) { $this->addFlashMessage('With the selected roles the currently logged in user wouldn\'t have access to this module any longer. Please adjust the assigned roles!', 'Don\'t lock yourself out', Message::SEVERITY_WARNING, array(), 1416501197); $this->forward('edit', null, null, array('user' => $this->currentUser)); } } $password = array_shift($password); if (strlen(trim(strval($password))) > 0) { $this->userService->setUserPassword($user, $password); } $this->userService->setRolesForAccount($account, $roleIdentifiers); $this->addFlashMessage('The account has been updated.', 'Account updated', Message::SEVERITY_OK); $this->redirect('edit', null, null, array('user' => $user)); }
/** * Sets isAuthenticated to TRUE for all tokens. * * @param TokenInterface $authenticationToken The token to be authenticated * @return void * @throws UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof PasswordToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['password'])) { if ($this->hashService->validatePassword($credentials['password'], $this->fileBasedSimpleKeyService->getKey($this->options['keyName']))) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $account = new Account(); $roles = []; foreach ($this->options['authenticateRoles'] as $roleIdentifier) { $roles[] = $this->policyService->getRole($roleIdentifier); } $account->setRoles($roles); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * Returns the roles of all authenticated accounts, including inherited roles. * * If no authenticated roles could be found the "Anonymous" role is returned. * * The "Neos.Flow:Everybody" roles is always returned. * * @return Role[] */ public function getRoles() { if ($this->initialized === false) { $this->initialize(); } if ($this->roles === null) { $this->roles = ['Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody')]; if ($this->authenticationManager->isAuthenticated() === false) { $this->roles['Neos.Flow:Anonymous'] = $this->policyService->getRole('Neos.Flow:Anonymous'); } else { $this->roles['Neos.Flow:AuthenticatedUser'] = $this->policyService->getRole('Neos.Flow:AuthenticatedUser'); /** @var $token TokenInterface */ foreach ($this->getAuthenticationTokens() as $token) { if ($token->isAuthenticated() !== true) { continue; } $account = $token->getAccount(); if ($account === null) { continue; } if ($account !== null) { $accountRoles = $account->getRoles(); /** @var $currentRole Role */ foreach ($accountRoles as $currentRole) { if (!in_array($currentRole, $this->roles)) { $this->roles[$currentRole->getIdentifier()] = $currentRole; } /** @var $currentParentRole Role */ foreach ($currentRole->getAllParentRoles() as $currentParentRole) { if (!in_array($currentParentRole, $this->roles)) { $this->roles[$currentParentRole->getIdentifier()] = $currentParentRole; } } } } } } } return $this->roles; }
/** * Returns an array with all roles of a user's accounts, including parent roles, the "Everybody" role and the * "AuthenticatedUser" role, assuming that the user is logged in. * * @param User $user The user * @return array */ protected function getAllRoles(User $user) { $roles = array('Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody'), 'Neos.Flow:AuthenticatedUser' => $this->policyService->getRole('Neos.Flow:AuthenticatedUser')); /** @var Account $account */ foreach ($user->getAccounts() as $account) { $accountRoles = $account->getRoles(); /** @var $currentRole Role */ foreach ($accountRoles as $currentRole) { if (!in_array($currentRole, $roles)) { $roles[$currentRole->getIdentifier()] = $currentRole; } /** @var $currentParentRole Role */ foreach ($currentRole->getAllParentRoles() as $currentParentRole) { if (!in_array($currentParentRole, $roles)) { $roles[$currentParentRole->getIdentifier()] = $currentParentRole; } } } } return $roles; }
/** * Creates a new account, assigns it the given roles and authenticates it. * The created account is returned for further modification, for example for attaching a Party object to it. * * @param array $roleNames A list of roles the new account should have * @return \Neos\Flow\Security\Account The created account * @api */ protected function authenticateRoles(array $roleNames) { $account = new \Neos\Flow\Security\Account(); $roles = array(); foreach ($roleNames as $roleName) { $roles[] = $this->policyService->getRole($roleName); } $account->setRoles($roles); $this->authenticateAccount($account); return $account; }
/** * Shows a list of all defined privilege targets and the effective permissions * * @param string $privilegeType The privilege type ("entity", "method" or the FQN of a class implementing PrivilegeInterface) * @param string $roles A comma separated list of role identifiers. Shows policy for an unauthenticated user when left empty. */ public function showEffectivePolicyCommand($privilegeType, $roles = '') { $systemRoleIdentifiers = ['Neos.Flow:Everybody', 'Neos.Flow:Anonymous', 'Neos.Flow:AuthenticatedUser']; if (strpos($privilegeType, '\\') === false) { $privilegeType = sprintf('\\Neos\\Flow\\Security\\Authorization\\Privilege\\%s\\%sPrivilegeInterface', ucfirst($privilegeType), ucfirst($privilegeType)); } if (!class_exists($privilegeType) && !interface_exists($privilegeType)) { $this->outputLine('The privilege type "%s" was not defined.', [$privilegeType]); $this->quit(1); } if (!is_subclass_of($privilegeType, PrivilegeInterface::class)) { $this->outputLine('"%s" does not refer to a valid Privilege', [$privilegeType]); $this->quit(1); } $requestedRoles = []; foreach (Arrays::trimExplode(',', $roles) as $roleIdentifier) { try { if (in_array($roleIdentifier, $systemRoleIdentifiers)) { continue; } $currentRole = $this->policyService->getRole($roleIdentifier); $requestedRoles[$roleIdentifier] = $currentRole; foreach ($currentRole->getAllParentRoles() as $currentParentRole) { if (!in_array($currentParentRole, $requestedRoles)) { $requestedRoles[$currentParentRole->getIdentifier()] = $currentParentRole; } } } catch (NoSuchRoleException $exception) { $this->outputLine('The role %s was not defined.', [$roleIdentifier]); $this->quit(1); } } if (count($requestedRoles) > 0) { $requestedRoles['Neos.Flow:AuthenticatedUser'] = $this->policyService->getRole('Neos.Flow:AuthenticatedUser'); } else { $requestedRoles['Neos.Flow:Anonymous'] = $this->policyService->getRole('Neos.Flow:Anonymous'); } $requestedRoles['Neos.Flow:Everybody'] = $this->policyService->getRole('Neos.Flow:Everybody'); $this->outputLine('Effective Permissions for the roles <b>%s</b> ', [implode(', ', $requestedRoles)]); $this->outputLine(str_repeat('-', $this->output->getMaximumLineLength())); $definedPrivileges = $this->policyService->getAllPrivilegesByType($privilegeType); $permissions = []; /** @var PrivilegeInterface $definedPrivilege */ foreach ($definedPrivileges as $definedPrivilege) { $accessGrants = 0; $accessDenies = 0; $permission = 'ABSTAIN'; /** @var Role $requestedRole */ foreach ($requestedRoles as $requestedRole) { $privilegeType = $requestedRole->getPrivilegeForTarget($definedPrivilege->getPrivilegeTarget()->getIdentifier()); if ($privilegeType === null) { continue; } if ($privilegeType->isGranted()) { $accessGrants++; } elseif ($privilegeType->isDenied()) { $accessDenies++; } } if ($accessDenies > 0) { $permission = '<error>DENY</error>'; } if ($accessGrants > 0 && $accessDenies === 0) { $permission = '<success>GRANT</success>'; } $permissions[$definedPrivilege->getPrivilegeTarget()->getIdentifier()] = $permission; } ksort($permissions); foreach ($permissions as $privilegeTargetIdentifier => $permission) { $formattedPrivilegeTargetIdentifier = wordwrap($privilegeTargetIdentifier, $this->output->getMaximumLineLength() - 10, PHP_EOL . str_repeat(' ', 10), true); $this->outputLine('%-70s %s', [$formattedPrivilegeTargetIdentifier, $permission]); } }
/** * @test */ public function createAccountWithPasswordCreatesANewAccountWithTheGivenIdentifierPasswordRolesAndProviderName() { $factory = new AccountFactory(); $actualAccount = $factory->createAccountWithPassword('username', 'password', ['Neos.Flow:Administrator', 'Neos.Flow:Customer'], 'OtherProvider'); $this->assertEquals('username', $actualAccount->getAccountIdentifier()); $this->assertEquals('OtherProvider', $actualAccount->getAuthenticationProviderName()); $this->assertTrue($actualAccount->hasRole($this->policyService->getRole('Neos.Flow:Administrator'))); $this->assertTrue($actualAccount->hasRole($this->policyService->getRole('Neos.Flow:Customer'))); }