/**
* User attempts to update the given site's certification status.
* @param \Site $site
* @param \CertificationStatus $newCertStatus
* @param \User $user
* @param string $reason The reason for this change, max 300 char.
* @throws \Exception If access is denied or the change is invalid
*/
public function editCertificationStatus(\Site $site, \CertificationStatus $newCertStatus, \User $user, $reason)
{
//$this->editAuthorization($site, $user);
require_once __DIR__ . '/Site.php';
$siteService = new \org\gocdb\services\Site();
$siteService->setEntityManager($this->em);
if (count($siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site, $user)) == 0) {
throw new \Exception('You do not have permission to change site certification status');
}
// TODO use validate service
if (empty($reason)) {
throw new \LogicException('A reason is required');
}
if (strlen($reason) > 300) {
throw new \LogicException('Invalid reason - 300 char max');
}
// Admins can do any cert status change, e.g. to undo mistakes.
if (!$user->isAdmin()) {
$this->isChangeValid($site, $newCertStatus);
}
$oldStatusString = $site->getCertificationStatus()->getName();
try {
$this->em->beginTransaction();
$now = new \DateTime('now', new \DateTimeZone('UTC'));
// create a new CertStatusLog
$certLog = new \CertificationStatusLog();
$certLog->setAddedBy($user->getCertificateDn());
$certLog->setNewStatus($newCertStatus->getName());
$certLog->setOldStatus($oldStatusString);
$certLog->setAddedDate($now);
$certLog->setReason($reason);
$this->em->persist($certLog);
// update our site
$site->addCertificationStatusLog($certLog);
$site->setCertificationStatus($newCertStatus);
$site->setCertificationStatusChangeDate($now);
$this->em->merge($site);
$this->em->flush();
$this->em->getConnection()->commit();
} catch (\Exception $ex) {
$this->em->getConnection()->rollback();
$this->em->close();
throw $ex;
}
}
/**
* Get an array of Role names granted to the user that permit the requested
* action on the given OwnedEntity. If the user has no roles that
* permit the requested action, then return an empty array.
* <p>
* Supported actions: EDIT_OBJECT, NGI_ADD_SITE, GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE
*
* @param string $action
* @param \OwnedEntity $entity
* @param \User $callingUser
* @return array of RoleName values
* @throws LogicException If unsupported enitity type or action is passed
*/
public function authorizeAction($action, \OwnedEntity $entity, \User $callingUser)
{
$siteService = new \org\gocdb\services\Site();
$siteService->setEntityManager($this->em);
$ngiService = new \org\gocdb\services\NGI();
$ngiService->setEntityManager($this->em);
$sgService = new \org\gocdb\services\ServiceGroup();
$sgService->setEntityManager($this->em);
$projectService = new \org\gocdb\services\Project();
$projectService->setEntityManager($this->em);
if ($entity instanceof \NGI) {
$grantingRoles = $ngiService->authorizeAction($action, $entity, $callingUser);
} else {
if ($entity instanceof \Site) {
$grantingRoles = $siteService->authorizeAction($action, $entity, $callingUser);
} else {
if ($entity instanceof \Project) {
$grantingRoles = $projectService->authorizeAction($action, $entity, $callingUser);
} else {
if ($entity instanceof \ServiceGroup) {
$grantingRoles = $sgService->authorizeAction($action, $entity, $callingUser);
} else {
throw new \LogicException('Unsuppored OwnedEntity type');
}
}
}
}
return $grantingRoles;
}
/**
* Array
* (
* [Service_Type] => 21
* [EndpointURL] => Testing://host.com
* [Scope] => 2
* [Hosting_Site] => 377
* [SE] => Array
* (
* [ENDPOINT] => my.new.host.com21
* [HOSTNAME] => my.new.host.com
* [HOST_IP] => 10.0.0.1
* [HOST_DN] => /cn=JCasson
* [HOST_IP_V6] => 0000:0000:0000:0000:0000:0000:0000:0000[/int]
* [DESCRIPTION] => hithere
* [HOST_OS] =>
* [HOST_ARCH] =>
* [BETA] => Y
* [PRODUCTION_LEVEL] => Y
* [IS_MONITORED] => Y
* [EMAIL] =>
* )
* )
* @param Array $values Balues for the new SE (defined above)
* @param org\gocdb\services\User $user The user adding the SE
*/
public function addService($values, \User $user = null)
{
$this->em->getConnection()->beginTransaction();
// get the parent site
$dql = "SELECT s from Site s WHERE s.id = :id";
$site = $this->em->createQuery($dql)->setParameter('id', $values['hostingSite'])->getSingleResult();
// get the service type
$st = $this->getServiceType($values['serviceType']);
$siteService = new \org\gocdb\services\Site();
$siteService->setEntityManager($this->em);
if (count($siteService->authorizeAction(\Action::SITE_ADD_SERVICE, $site, $user)) == 0) {
throw new \Exception("You don't hold a role over {$site}.");
}
$this->validate($values['SE'], 'service');
$this->validateEndpointUrl($values['endpointUrl']);
$this->uniqueCheck($values['SE']['HOSTNAME'], $st, $site);
//check there are the required number of scopes specified
$this->checkNumberOfScopes($values['Scope_ids']);
// validate production/monitored combination
if ($st != 'VOMS' && $st != 'emi.ARGUS') {
if ($values['PRODUCTION_LEVEL'] == "Y" && $values['IS_MONITORED'] != "Y") {
throw new \Exception("If Production flat is set to True, Monitored flag must also be True (except for VOMS and emi.ARGUS)");
}
}
$se = new \Service();
try {
$se->setParentSiteDoJoin($site);
$se->setServiceType($st);
// Set production
if ($values['PRODUCTION_LEVEL'] == "Y") {
$se->setProduction(true);
} else {
$se->setProduction(false);
}
// Set Beta
if ($values['BETA'] == "Y") {
$se->setBeta(true);
} else {
$se->setBeta(false);
}
// Set monitored
if ($values['IS_MONITORED'] == "Y") {
$se->setMonitored(true);
} else {
$se->setMonitored(false);
}
// Set the scopes
foreach ($values['Scope_ids'] as $scopeId) {
$dql = "SELECT s FROM Scope s WHERE s.id = :id";
$scope = $this->em->createQuery($dql)->setParameter('id', $scopeId)->getSingleResult();
$se->addScope($scope);
}
$se->setDn($values['SE']['HOST_DN']);
$se->setIpAddress($values['SE']['HOST_IP']);
$se->setOperatingSystem($values['SE']['HOST_OS']);
$se->setArchitecture($values['SE']['HOST_ARCH']);
$se->setHostName($values['SE']['HOSTNAME']);
$se->setDescription($values['SE']['DESCRIPTION']);
$se->setEmail($values['SE']['EMAIL']);
$se->setUrl($values['endpointUrl']);
/* With version 5.3 a service does not have to have an endpoint.
$el = new \EndpointLocation();
$el->setUrl($values['endpointUrl']);
$se->addEndpointLocationDoJoin($el);
$this->em->persist($el);
*/
$this->em->persist($se);
$this->em->flush();
$this->em->getConnection()->commit();
} catch (\Exception $e) {
$this->em->getConnection()->rollback();
$this->em->close();
throw $e;
}
return $se;
}
/**
* Persist some seed data - roletypes, user, Project, NGI, sites and SEs and
* assert that the user has the expected number of roles that grant specific
* actions over the owned objects. For example, assert that the user has 'n'
* number of roles that allow a particular site to be edited, or 'n' number
* of roles that allow an NGI certification status change.
*/
public function testAuthorizeAction1()
{
print __METHOD__ . "\n";
// Create roletypes
$siteAdminRT = TestUtil::createSampleRoleType(RoleTypeName::SITE_ADMIN);
$ngiManRT = TestUtil::createSampleRoleType(RoleTypeName::NGI_OPS_MAN);
$rodRT = TestUtil::createSampleRoleType(RoleTypeName::REG_STAFF_ROD);
$codRT = TestUtil::createSampleRoleType(RoleTypeName::COD_ADMIN);
$this->em->persist($siteAdminRT);
// edit site1 (but not cert status)
$this->em->persist($ngiManRT);
// edit owned site1/site2 and cert status
$this->em->persist($rodRT);
// edit owned sites 1and2 (but not cert status)
$this->em->persist($codRT);
// edit all sites cert status only
// Create a user
$u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
$this->em->persist($u);
// Create a linked object graph
// NGI->Site1->SE
// |->Site2
$ngi = TestUtil::createSampleNGI("MYNGI");
$this->em->persist($ngi);
$site1 = TestUtil::createSampleSite("SITENAME");
//$site1->setNgiDoJoin($ngi);
$ngi->addSiteDoJoin($site1);
$this->em->persist($site1);
$se1 = TestUtil::createSampleService('somelabel');
$site1->addServiceDoJoin($se1);
$this->em->persist($se1);
$site2_userHasNoDirectRole = TestUtil::createSampleSite("SITENAME_2");
$ngi->addSiteDoJoin($site2_userHasNoDirectRole);
//$site2_userHasNoDirectRole->setNgiDoJoin($ngi);
$this->em->persist($site2_userHasNoDirectRole);
// Create ngiManagerRole, ngiUserRole, siteAdminRole and link user and owned entities
$ngiManagerRole = TestUtil::createSampleRole($u, $ngiManRT, $ngi, RoleStatus::GRANTED);
$this->em->persist($ngiManagerRole);
$rodUserRole = TestUtil::createSampleRole($u, $rodRT, $ngi, RoleStatus::GRANTED);
$this->em->persist($rodUserRole);
$siteAdminRole = TestUtil::createSampleRole($u, $siteAdminRT, $site1, RoleStatus::GRANTED);
$this->em->persist($siteAdminRole);
$this->em->flush();
// ********MUST******** start a new connection to test transactional
// isolation of RoleService methods.
$em = $this->createEntityManager();
$siteService = new org\gocdb\services\Site();
$siteService->setEntityManager($em);
// Assert user can edit site using 3 enabling roles
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(3, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Assert user can only edit cert status through his NGI_OPS_MAN role
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
// Add a new project and link ngi and give user COD_ADMIN Project role (use $this->em to isolate)
// Project->NGI->Site1->SE
// |->Site2
$proj = new Project('EGI project');
$proj->addNgi($ngi);
//$ngi->addProject($proj); // not strictly needed
$this->em->persist($proj);
$codRole = TestUtil::createSampleRole($u, $codRT, $proj, RoleStatus::GRANTED);
$this->em->persist($codRole);
$this->em->flush();
// Assert user now has 2 roles that enable SITE_EDIT_CERT_STATUS change action
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(2, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::COD_ADMIN, $enablingRoles));
// Assert user can edit SE using SITE_ADMIN, NGI_OPS_MAN, REG_STAFF_ROD roles (but not COD role)
$seService = new org\gocdb\services\ServiceService();
$seService->setEntityManager($em);
$enablingRoles = $seService->authorizeAction(\Action::EDIT_OBJECT, $se1, $u);
$this->assertEquals(3, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Assert User can only edit Site2 through his 2 indirect ngi roles
// (user don't have any direct site level roles on this site and COD don't give edit perm)
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(2, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Delete the user's Project COD role
$this->em->remove($codRole);
$this->em->flush();
// Assert user can only SITE_EDIT_CERT_STATUS through 1 role for both sites
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
// Delete the user's NGI manager role
$this->em->remove($ngiManagerRole);
$this->em->flush();
// Assert user can't edit site2 cert status
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
$this->assertEquals(0, count($enablingRoles));
// Assert user can still edit site via his ROD role
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Delete the user's NGI ROD role
$this->em->remove($rodUserRole);
$this->em->flush();
// User can't edit site2
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(0, count($enablingRoles));
// Assert user can still edit SITE1 through his direct site level role (this role has not been deleted)
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
// Delete user's remaining Site role
$this->em->remove($siteAdminRole);
$this->em->flush();
// User can't edit site1
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(0, count($enablingRoles));
}
