/**
* Convert an object from $source to an object.
*
* @param mixed $source
* @param string $targetType
* @param array $convertedChildProperties
* @param PropertyMappingConfigurationInterface $configuration
* @return object the target type
*/
public function convertFrom($source, $targetType, array $convertedChildProperties = [], PropertyMappingConfigurationInterface $configuration = null)
{
try {
$role = $this->policyService->getRole($source);
} catch (NoSuchRoleException $exception) {
return new Error('Could not find a role with the identifier "%s".', 1397212327, [$source]);
}
return $role;
}
/**
* Creates a new account and sets the given password and roles
*
* @param string $identifier Identifier of the account, must be unique
* @param string $password The clear text password
* @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account
* @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with
* @param string $passwordHashingStrategy Optional password hashing strategy to use for the password
* @return Account A new account, not yet added to the account repository
*/
public function createAccountWithPassword($identifier, $password, $roleIdentifiers = [], $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default')
{
$account = new Account();
$account->setAccountIdentifier($identifier);
$account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy));
$account->setAuthenticationProviderName($authenticationProviderName);
$roles = [];
foreach ($roleIdentifiers as $roleIdentifier) {
$roles[] = $this->policyService->getRole($roleIdentifier);
}
$account->setRoles($roles);
return $account;
}
/**
* @test
*/
public function everybodyRoleCanHaveExplicitDenies()
{
$mockPrivilegeClassName = get_class($this->mockPrivilege);
$this->mockPolicyConfiguration = ['privilegeTargets' => [$mockPrivilegeClassName => ['Some.PrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()'], 'Some.OtherPrivilegeTarget:Identifier' => ['matcher' => 'someMatcher()']]], 'roles' => ['Neos.Flow:Everybody' => ['privileges' => [['privilegeTarget' => 'Some.PrivilegeTarget:Identifier', 'permission' => 'DENY']]], 'Some.Other:Role' => ['privileges' => [['privilegeTarget' => 'Some.PrivilegeTarget:Identifier', 'permission' => 'GRANT']]]]];
$everybodyRole = $this->policyService->getRole('Neos.Flow:Everybody');
$this->assertTrue($everybodyRole->getPrivilegeForTarget('Some.PrivilegeTarget:Identifier')->isDenied());
}
/**
* Initializes the roles field by fetching the role objects referenced by the roleIdentifiers
*
* @return void
*/
protected function initializeRoles()
{
if ($this->roles !== null) {
return;
}
$this->roles = [];
foreach ($this->roleIdentifiers as $key => $roleIdentifier) {
// check for and clean up roles no longer available
if ($this->policyService->hasRole($roleIdentifier)) {
$this->roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier);
} else {
unset($this->roleIdentifiers[$key]);
}
}
}
/**
* Update a given account
*
* @param Account $account The account to update
* @param array $roleIdentifiers A possibly updated list of roles for the user's primary account
* @param array $password Expects an array in the format array('<password>', '<password confirmation>')
* @Flow\Validate(argumentName="password", type="\Neos\Neos\Validation\Validator\PasswordValidator", options={ "allowEmpty"=1, "minimum"=1, "maximum"=255 })
* @return void
*/
public function updateAccountAction(Account $account, array $roleIdentifiers, array $password = array())
{
$user = $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName());
if ($user === $this->currentUser) {
$roles = array();
foreach ($roleIdentifiers as $roleIdentifier) {
$roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier);
}
if (!$this->privilegeManager->isPrivilegeTargetGrantedForRoles($roles, 'Neos.Neos:Backend.Module.Administration.Users')) {
$this->addFlashMessage('With the selected roles the currently logged in user wouldn\'t have access to this module any longer. Please adjust the assigned roles!', 'Don\'t lock yourself out', Message::SEVERITY_WARNING, array(), 1416501197);
$this->forward('edit', null, null, array('user' => $this->currentUser));
}
}
$password = array_shift($password);
if (strlen(trim(strval($password))) > 0) {
$this->userService->setUserPassword($user, $password);
}
$this->userService->setRolesForAccount($account, $roleIdentifiers);
$this->addFlashMessage('The account has been updated.', 'Account updated', Message::SEVERITY_OK);
$this->redirect('edit', null, null, array('user' => $user));
}
/**
* Sets isAuthenticated to TRUE for all tokens.
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof PasswordToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['password'])) {
if ($this->hashService->validatePassword($credentials['password'], $this->fileBasedSimpleKeyService->getKey($this->options['keyName']))) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$account = new Account();
$roles = [];
foreach ($this->options['authenticateRoles'] as $roleIdentifier) {
$roles[] = $this->policyService->getRole($roleIdentifier);
}
$account->setRoles($roles);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* Returns the roles of all authenticated accounts, including inherited roles.
*
* If no authenticated roles could be found the "Anonymous" role is returned.
*
* The "Neos.Flow:Everybody" roles is always returned.
*
* @return Role[]
*/
public function getRoles()
{
if ($this->initialized === false) {
$this->initialize();
}
if ($this->roles === null) {
$this->roles = ['Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody')];
if ($this->authenticationManager->isAuthenticated() === false) {
$this->roles['Neos.Flow:Anonymous'] = $this->policyService->getRole('Neos.Flow:Anonymous');
} else {
$this->roles['Neos.Flow:AuthenticatedUser'] = $this->policyService->getRole('Neos.Flow:AuthenticatedUser');
/** @var $token TokenInterface */
foreach ($this->getAuthenticationTokens() as $token) {
if ($token->isAuthenticated() !== true) {
continue;
}
$account = $token->getAccount();
if ($account === null) {
continue;
}
if ($account !== null) {
$accountRoles = $account->getRoles();
/** @var $currentRole Role */
foreach ($accountRoles as $currentRole) {
if (!in_array($currentRole, $this->roles)) {
$this->roles[$currentRole->getIdentifier()] = $currentRole;
}
/** @var $currentParentRole Role */
foreach ($currentRole->getAllParentRoles() as $currentParentRole) {
if (!in_array($currentParentRole, $this->roles)) {
$this->roles[$currentParentRole->getIdentifier()] = $currentParentRole;
}
}
}
}
}
}
}
return $this->roles;
}
/**
* Returns an array with all roles of a user's accounts, including parent roles, the "Everybody" role and the
* "AuthenticatedUser" role, assuming that the user is logged in.
*
* @param User $user The user
* @return array
*/
protected function getAllRoles(User $user)
{
$roles = array('Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody'), 'Neos.Flow:AuthenticatedUser' => $this->policyService->getRole('Neos.Flow:AuthenticatedUser'));
/** @var Account $account */
foreach ($user->getAccounts() as $account) {
$accountRoles = $account->getRoles();
/** @var $currentRole Role */
foreach ($accountRoles as $currentRole) {
if (!in_array($currentRole, $roles)) {
$roles[$currentRole->getIdentifier()] = $currentRole;
}
/** @var $currentParentRole Role */
foreach ($currentRole->getAllParentRoles() as $currentParentRole) {
if (!in_array($currentParentRole, $roles)) {
$roles[$currentParentRole->getIdentifier()] = $currentParentRole;
}
}
}
}
return $roles;
}
/**
* Creates a new account, assigns it the given roles and authenticates it.
* The created account is returned for further modification, for example for attaching a Party object to it.
*
* @param array $roleNames A list of roles the new account should have
* @return \Neos\Flow\Security\Account The created account
* @api
*/
protected function authenticateRoles(array $roleNames)
{
$account = new \Neos\Flow\Security\Account();
$roles = array();
foreach ($roleNames as $roleName) {
$roles[] = $this->policyService->getRole($roleName);
}
$account->setRoles($roles);
$this->authenticateAccount($account);
return $account;
}
/**
* Shows a list of all defined privilege targets and the effective permissions
*
* @param string $privilegeType The privilege type ("entity", "method" or the FQN of a class implementing PrivilegeInterface)
* @param string $roles A comma separated list of role identifiers. Shows policy for an unauthenticated user when left empty.
*/
public function showEffectivePolicyCommand($privilegeType, $roles = '')
{
$systemRoleIdentifiers = ['Neos.Flow:Everybody', 'Neos.Flow:Anonymous', 'Neos.Flow:AuthenticatedUser'];
if (strpos($privilegeType, '\\') === false) {
$privilegeType = sprintf('\\Neos\\Flow\\Security\\Authorization\\Privilege\\%s\\%sPrivilegeInterface', ucfirst($privilegeType), ucfirst($privilegeType));
}
if (!class_exists($privilegeType) && !interface_exists($privilegeType)) {
$this->outputLine('The privilege type "%s" was not defined.', [$privilegeType]);
$this->quit(1);
}
if (!is_subclass_of($privilegeType, PrivilegeInterface::class)) {
$this->outputLine('"%s" does not refer to a valid Privilege', [$privilegeType]);
$this->quit(1);
}
$requestedRoles = [];
foreach (Arrays::trimExplode(',', $roles) as $roleIdentifier) {
try {
if (in_array($roleIdentifier, $systemRoleIdentifiers)) {
continue;
}
$currentRole = $this->policyService->getRole($roleIdentifier);
$requestedRoles[$roleIdentifier] = $currentRole;
foreach ($currentRole->getAllParentRoles() as $currentParentRole) {
if (!in_array($currentParentRole, $requestedRoles)) {
$requestedRoles[$currentParentRole->getIdentifier()] = $currentParentRole;
}
}
} catch (NoSuchRoleException $exception) {
$this->outputLine('The role %s was not defined.', [$roleIdentifier]);
$this->quit(1);
}
}
if (count($requestedRoles) > 0) {
$requestedRoles['Neos.Flow:AuthenticatedUser'] = $this->policyService->getRole('Neos.Flow:AuthenticatedUser');
} else {
$requestedRoles['Neos.Flow:Anonymous'] = $this->policyService->getRole('Neos.Flow:Anonymous');
}
$requestedRoles['Neos.Flow:Everybody'] = $this->policyService->getRole('Neos.Flow:Everybody');
$this->outputLine('Effective Permissions for the roles <b>%s</b> ', [implode(', ', $requestedRoles)]);
$this->outputLine(str_repeat('-', $this->output->getMaximumLineLength()));
$definedPrivileges = $this->policyService->getAllPrivilegesByType($privilegeType);
$permissions = [];
/** @var PrivilegeInterface $definedPrivilege */
foreach ($definedPrivileges as $definedPrivilege) {
$accessGrants = 0;
$accessDenies = 0;
$permission = 'ABSTAIN';
/** @var Role $requestedRole */
foreach ($requestedRoles as $requestedRole) {
$privilegeType = $requestedRole->getPrivilegeForTarget($definedPrivilege->getPrivilegeTarget()->getIdentifier());
if ($privilegeType === null) {
continue;
}
if ($privilegeType->isGranted()) {
$accessGrants++;
} elseif ($privilegeType->isDenied()) {
$accessDenies++;
}
}
if ($accessDenies > 0) {
$permission = '<error>DENY</error>';
}
if ($accessGrants > 0 && $accessDenies === 0) {
$permission = '<success>GRANT</success>';
}
$permissions[$definedPrivilege->getPrivilegeTarget()->getIdentifier()] = $permission;
}
ksort($permissions);
foreach ($permissions as $privilegeTargetIdentifier => $permission) {
$formattedPrivilegeTargetIdentifier = wordwrap($privilegeTargetIdentifier, $this->output->getMaximumLineLength() - 10, PHP_EOL . str_repeat(' ', 10), true);
$this->outputLine('%-70s %s', [$formattedPrivilegeTargetIdentifier, $permission]);
}
}
/**
* @test
*/
public function createAccountWithPasswordCreatesANewAccountWithTheGivenIdentifierPasswordRolesAndProviderName()
{
$factory = new AccountFactory();
$actualAccount = $factory->createAccountWithPassword('username', 'password', ['Neos.Flow:Administrator', 'Neos.Flow:Customer'], 'OtherProvider');
$this->assertEquals('username', $actualAccount->getAccountIdentifier());
$this->assertEquals('OtherProvider', $actualAccount->getAuthenticationProviderName());
$this->assertTrue($actualAccount->hasRole($this->policyService->getRole('Neos.Flow:Administrator')));
$this->assertTrue($actualAccount->hasRole($this->policyService->getRole('Neos.Flow:Customer')));
}
