/**
* All defined constants for resources in Scalr\Acl\Acl class must be also
* defined in the Scalr\Acl\Resource\Definition class
*
* @test
* @dataProvider providerGet
*/
public function testGet($resourceId)
{
$resourceDefinition = new Definition();
$resource = $resourceDefinition->get($resourceId);
$this->assertInstanceOf('Scalr\\Acl\\Resource\\ResourceObject', $resource, sprintf("Resource (0x%x) must be defined in the Scalr\\Acl\\Resource\\Definition class", $resourceId));
$this->assertEquals($resourceId, $resource->getResourceId());
$this->assertNotEmpty($resource->getName(), sprintf("Name of the resource (0x%x) must be defined", $resourceId));
$this->assertNotEmpty($resource->getDescription(), sprintf("Description of the resource (0x%x) must be defined", $resourceId));
$resource->getPermissions();
}
/**
* Gets associative group which the resource belongs to.
*
* @return string
*/
public function getGroup()
{
return Definition::get($this->resourceId)->getGroup();
}
/**
* Loads permissions into role object
*
* @param Role\RoleObject $role A role object
*/
protected function loadRolePermissions(Role\RoleObject $role)
{
$sAcc = $role instanceof Role\AccountRoleObject ? 'account_' : '';
$res = $this->db->Execute("\n SELECT\n rr.`" . $sAcc . "role_id` as `role_id`,\n rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n rp.`granted` AS `perm_granted`\n FROM `acl_" . $sAcc . "role_resources` rr\n LEFT JOIN `acl_" . $sAcc . "role_resource_permissions` rp\n ON rp.`" . $sAcc . "role_id` = rr.`" . $sAcc . "role_id`\n AND rp.`resource_id` = rr.`resource_id`\n WHERE rr.`" . $sAcc . "role_id` = ?\n ", array($role->getRoleId()));
if ($res) {
$resources = $role->getResources();
while ($rec = $res->FetchRow()) {
if (!isset($resources[$rec['resource_id']])) {
//Adds resource to role object
$resource = new Role\RoleResourceObject($rec['role_id'], $rec['resource_id'], $rec['granted']);
$role->appendResource($resource);
} else {
$resource = $resources[$rec['resource_id']];
}
if ($rec['perm_id'] !== null) {
$permission = new Role\RoleResourcePermissionObject($rec['role_id'], $rec['resource_id'], $rec['perm_id'], $rec['perm_granted']);
//We should append permission only if it's been declared in the definition.
$resourceDefinition = Resource\Definition::get($resource->getResourceId());
if ($resourceDefinition->hasPermission($permission->getPermissionId())) {
$resource->appendPermission($permission);
}
unset($permission);
}
unset($resource);
}
}
}
/**
* Loads permissions into role object
*
* @param Role\RoleObject $role A role object
*/
protected function loadRolePermissions(Role\RoleObject $role)
{
if ($role instanceof Role\AccountRoleObject) {
$sAcc = 'account_';
$rmJoin = "LEFT JOIN acl_account_role_resource_modes rm ON rr.`account_role_id` = rm.account_role_id " . " AND rr.`resource_id` = rm.`resource_id`";
} else {
$sAcc = '';
$rmJoin = '';
}
$disabledResources = Acl::getDisabledResources();
$disabledSql = !empty($disabledResources) ? "AND rr.resource_id NOT IN (" . implode(',', array_fill(0, count($disabledResources), '?')) . ")" : "";
$res = $this->db->Execute("\n SELECT\n rr.`" . $sAcc . "role_id` AS `role_id`,\n rr.`resource_id`, rr.`granted`, rp.`perm_id`,\n rp.`granted` AS `perm_granted`,\n " . (!empty($rmJoin) ? "rm.`mode`" : "NULL AS `mode`") . "\n FROM `acl_" . $sAcc . "role_resources` rr\n " . $rmJoin . "\n LEFT JOIN `acl_" . $sAcc . "role_resource_permissions` rp\n ON rp.`" . $sAcc . "role_id` = rr.`" . $sAcc . "role_id`\n AND rp.`resource_id` = rr.`resource_id`\n WHERE rr.`" . $sAcc . "role_id` = ?\n {$disabledSql}\n ", array_merge((array) $role->getRoleId(), $disabledResources));
if ($res) {
$resources = $role->getResources();
while ($rec = $res->FetchRow()) {
if (!isset($resources[$rec['resource_id']])) {
//Adds resource to role object
$resource = new Role\RoleResourceObject($rec['role_id'], $rec['resource_id'], $rec['granted'], $rec['mode']);
$role->appendResource($resource);
} else {
$resource = $resources[$rec['resource_id']];
}
if ($rec['perm_id'] !== null) {
$permission = new Role\RoleResourcePermissionObject($rec['role_id'], $rec['resource_id'], $rec['perm_id'], $rec['perm_granted']);
//We should append permission only if it's been declared in the definition.
$resourceDefinition = Resource\Definition::get($resource->getResourceId());
if ($resourceDefinition->hasPermission($permission->getPermissionId())) {
$resource->appendPermission($permission);
}
unset($permission);
}
unset($resource);
}
}
}
/**
* Checks if specified resource is allowed
*
* @param int $resourceId The ID of the resource.
* @param string $permissionId optional The ID of the permission associated with resource.
* @return bool|null Returns true if access is allowed.
* If resource or permission isn't overridden it returns null.
* @throws Exception\RoleObjectException
*/
public function isAllowed($resourceId, $permissionId = null)
{
$allowed = null;
$resourceDefinition = Resource\Definition::get($resourceId);
if ($resourceDefinition === null) {
throw new Exception\RoleObjectException(sprintf("%s ACL resource (0x%x).", in_array($resourceId, Acl::getDisabledResources()) ? 'Disabled' : 'Unknown', intval($resourceId)));
}
if (!empty($permissionId) && !$resourceDefinition->hasPermission($permissionId)) {
throw new Exception\RoleObjectException(sprintf("Unknown permission (%s) for resource '%s' (0x%x).", $permissionId, $resourceDefinition->getName(), intval($resourceId)));
}
//Checks if resource is defined for the role
$resource = $this->getResource($resourceId);
if ($permissionId !== null && $resource !== null) {
//If resource is defined we can check unique permission.
//Checks if permission is defined
$permission = $resource->getPermission($permissionId);
//Checks access to unuque permission of the specified resource for the role.
//If resource isn't allowed it automatically forbids all related permissions.
$allowed = $permission !== null && $resource->isGranted() !== null ? $resource->isGranted() && $permission->isGranted() : null;
} else {
//Checks access to the resource for the role
$allowed = $resource !== null ? $resource->isGranted() : null;
}
return $allowed;
}
/**
* Gets the Mode for the specified ACL Resource
*
* @param int $resouceId Identifier of the ACL Resource
* @return int|null Returns the Mode for the specified ACL Resource
*/
public function getResourceMode($resouceId)
{
$mode = null;
foreach ($this->getIterator() as $role) {
/* @var $role AccountRoleObject */
$resource = $role->getResource($resouceId);
//If ACL Resource is turned off we should disregard its mode because it can be set to the default value.
if ($role->isAllowed($resouceId)) {
//If there are no resource than default mode is applied
$m = $resource ? $resource->getMode() : null;
//NULL is considered to be the most priority value
if ($m === null) {
break;
}
//Lesser value has more priority
$mode = $mode === null ? $m : min($mode, $m);
}
}
if ($mode === null) {
//Check if default value is defined for the specified ACL Resource
$modeDefinition = Definition::get($resouceId)->getMode();
if ($modeDefinition instanceof ModeInterface) {
$mode = $modeDefinition->getDefault();
}
}
return $mode;
}
