/** * @test */ public function getAllPrivilegesByTypeReturnsAllConfiguredPrivilegesOfThatType() { $mockPrivilegeClassName = get_class($this->mockPrivilege); $this->mockPolicyConfiguration = ['privilegeTargets' => [$mockPrivilegeClassName => ['Some.PrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()']]]]; $this->assertCount(1, $this->policyService->getAllPrivilegesByType($mockPrivilegeClassName)); $this->assertInstanceOf($mockPrivilegeClassName, $this->mockPrivilege, $this->policyService->getAllPrivilegesByType($mockPrivilegeClassName)); }
/** * @param string $className * @param string $methodName * @return boolean */ protected function hasPolicyEntryForMethod($className, $methodName) { $methodPrivileges = $this->policyService->getAllPrivilegesByType(\TYPO3\Flow\Security\Authorization\Privilege\Method\MethodPrivilegeInterface::class); /** @var MethodPrivilegeInterface $privilege */ foreach ($methodPrivileges as $privilege) { if ($privilege->matchesMethod($className, $methodName)) { return true; } } return false; }
/** * @param string $className * @param string $methodName * @return boolean */ protected function hasPolicyEntryForMethod($className, $methodName) { $methodPrivileges = $this->policyService->getAllPrivilegesByType('TYPO3\\Flow\\Security\\Authorization\\Privilege\\Method\\MethodPrivilegeInterface'); /** @var MethodPrivilegeInterface $privilege */ foreach ($methodPrivileges as $privilege) { if ($privilege->matchesMethod($className, $methodName)) { return TRUE; } } return FALSE; }
/** * Shows a list of all defined privilege targets and the effective permissions * * @param string $privilegeType The privilege type ("entity", "method" or the FQN of a class implementing PrivilegeInterface) * @param string $roles A comma separated list of role identifiers. Shows policy for an unauthenticated user when left empty. */ public function showEffectivePolicyCommand($privilegeType, $roles = '') { $systemRoleIdentifiers = array('TYPO3.Flow:Everybody', 'TYPO3.Flow:Anonymous', 'TYPO3.Flow:AuthenticatedUser'); if (strpos($privilegeType, '\\') === false) { $privilegeType = sprintf('\\TYPO3\\Flow\\Security\\Authorization\\Privilege\\%s\\%sPrivilegeInterface', ucfirst($privilegeType), ucfirst($privilegeType)); } if (!class_exists($privilegeType) && !interface_exists($privilegeType)) { $this->outputLine('The privilege type "%s" was not defined.', array($privilegeType)); $this->quit(1); } if (!is_subclass_of($privilegeType, PrivilegeInterface::class)) { $this->outputLine('"%s" does not refer to a valid Privilege', array($privilegeType)); $this->quit(1); } $requestedRoles = array(); foreach (Arrays::trimExplode(',', $roles) as $roleIdentifier) { try { if (in_array($roleIdentifier, $systemRoleIdentifiers)) { continue; } $currentRole = $this->policyService->getRole($roleIdentifier); $requestedRoles[$roleIdentifier] = $currentRole; foreach ($currentRole->getAllParentRoles() as $currentParentRole) { if (!in_array($currentParentRole, $requestedRoles)) { $requestedRoles[$currentParentRole->getIdentifier()] = $currentParentRole; } } } catch (NoSuchRoleException $exception) { $this->outputLine('The role %s was not defined.', array($roleIdentifier)); $this->quit(1); } } if (count($requestedRoles) > 0) { $requestedRoles['TYPO3.Flow:AuthenticatedUser'] = $this->policyService->getRole('TYPO3.Flow:AuthenticatedUser'); } else { $requestedRoles['TYPO3.Flow:Anonymous'] = $this->policyService->getRole('TYPO3.Flow:Anonymous'); } $requestedRoles['TYPO3.Flow:Everybody'] = $this->policyService->getRole('TYPO3.Flow:Everybody'); $this->outputLine('Effective Permissions for the roles <b>%s</b> ', array(implode(', ', $requestedRoles))); $this->outputLine(str_repeat('-', $this->output->getMaximumLineLength())); $definedPrivileges = $this->policyService->getAllPrivilegesByType($privilegeType); $permissions = array(); /** @var PrivilegeInterface $definedPrivilege */ foreach ($definedPrivileges as $definedPrivilege) { $accessGrants = 0; $accessDenies = 0; $permission = 'ABSTAIN'; /** @var Role $requestedRole */ foreach ($requestedRoles as $requestedRole) { $privilegeType = $requestedRole->getPrivilegeForTarget($definedPrivilege->getPrivilegeTarget()->getIdentifier()); if ($privilegeType === null) { continue; } if ($privilegeType->isGranted()) { $accessGrants++; } elseif ($privilegeType->isDenied()) { $accessDenies++; } } if ($accessDenies > 0) { $permission = '<error>DENY</error>'; } if ($accessGrants > 0 && $accessDenies === 0) { $permission = '<success>GRANT</success>'; } $permissions[$definedPrivilege->getPrivilegeTarget()->getIdentifier()] = $permission; } ksort($permissions); foreach ($permissions as $privilegeTargetIdentifier => $permission) { $formattedPrivilegeTargetIdentifier = wordwrap($privilegeTargetIdentifier, $this->output->getMaximumLineLength() - 10, PHP_EOL . str_repeat(' ', 10), true); $this->outputLine('%-70s %s', array($formattedPrivilegeTargetIdentifier, $permission)); } }