/**
* {@inheritDoc}
*/
public function equals(SecurityIdentityInterface $sid)
{
if (!$sid instanceof UserSecurityIdentity) {
return false;
}
return $this->username === $sid->getUsername() && $this->class === $sid->getClass();
}
/**
* {@inheritdoc}
*/
public function equals(SecurityIdentityInterface $sid)
{
if (!$sid instanceof JournalRoleSecurityIdentity) {
return false;
}
return $this->role === $sid->getRole() && (int) $this->journal === (int) $sid->getJournal();
}
/**
* {@inheritDoc}
*/
public function equals(SecurityIdentityInterface $sid)
{
if (!$sid instanceof RoleSecurityIdentity) {
return false;
}
return $this->role === $sid->getRole();
}
/**
* {@inheritdoc}
*/
public function equals(SecurityIdentityInterface $sid)
{
if (!$sid instanceof self) {
return false;
}
return $this->id === $sid->getId() && $this->class === $sid->getClass();
}
/**
* @param $entity
* @param $mask
* @param SecurityIdentityInterface $securityIdentity
* @return $this
*/
public function revokeMask($entity, $mask, SecurityIdentityInterface $securityIdentity)
{
$acl = $this->getAcl($entity);
$aces = $acl->getObjectAces();
foreach ($aces as $index => $ace) {
if ($securityIdentity->equals($ace->getSecurityIdentity())) {
$this->removeMask($index, $acl, $ace, $mask);
}
}
$this->aclProvider->updateAcl($acl);
return $this;
}
/**
* Deletes the given security identity.
*
* @param SID $sid
*/
public function deleteSid(SID $sid)
{
if ($this->isAclEnabled()) {
if ($sid instanceof RoleSecurityIdentity) {
/**
* Marking removed Role as Disabled instead of delete, because straight deleting role identity breaks
* ace indexes
* TODO: Create a job to remove marked role identities and rebuild ace indexes
*/
$disabledSid = new RoleSecurityIdentity($sid->getRole() . uniqid(self::ROLE_DISABLED_FLAG));
$this->aclProvider->updateSecurityIdentity($disabledSid, $sid->getRole());
} else {
$this->aclProvider->deleteSecurityIdentity($sid);
}
}
}
/**
* Transform a given ACL security identity into a SecurityIdentity model.
*
* If there is no model entry given, a new one will be created and saved to the database.
*
* @throws \InvalidArgumentException
*
* @param \Symfony\Component\Security\Acl\Model\SecurityIdentityInterface $aclIdentity
* @param \PropelPDO $con
*
* @return \Propel\PropelBundle\Model\Acl\SecurityIdentity
*/
public static function fromAclIdentity(SecurityIdentityInterface $aclIdentity, \PropelPDO $con = null)
{
if ($aclIdentity instanceof UserSecurityIdentity) {
$identifier = $aclIdentity->getClass() . '-' . $aclIdentity->getUsername();
$username = true;
} elseif ($aclIdentity instanceof RoleSecurityIdentity) {
$identifier = $aclIdentity->getRole();
$username = false;
} else {
throw new \InvalidArgumentException('The ACL identity must either be an instance of UserSecurityIdentity or RoleSecurityIdentity.');
}
$obj = SecurityIdentityQuery::create()->filterByIdentifier($identifier)->filterByUsername($username)->findOneOrCreate($con);
if ($obj->isNew()) {
$obj->save($con);
}
return $obj;
}
/**
* Constructs the SQL for updating a security identity.
*
* @param SecurityIdentityInterface $sid
* @param string $oldName
* @throws \InvalidArgumentException
* @return string
*/
protected function getUpdateSecurityIdentitySql(SecurityIdentityInterface $sid, $oldName)
{
if ($sid instanceof UserSecurityIdentity) {
if ($sid->getUsername() == $oldName) {
throw new \InvalidArgumentException('There are no changes.');
}
$oldIdentifier = $sid->getClass() . '-' . $oldName;
$newIdentifier = $sid->getClass() . '-' . $sid->getUsername();
$username = true;
} elseif ($sid instanceof RoleSecurityIdentity) {
if ($sid->getRole() == $oldName) {
throw new \InvalidArgumentException('There are no changes.');
}
$oldIdentifier = $oldName;
$newIdentifier = $sid->getRole();
$username = false;
} else {
throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
}
return sprintf('UPDATE %s SET identifier = %s WHERE identifier = %s AND username = %s', $this->options['sid_table_name'], $this->connection->quote($newIdentifier), $this->connection->quote($oldIdentifier), $this->connection->getDatabasePlatform()->convertBooleans($username));
}
/**
* Deletes all ACEs for the given security identity from the given ACL
*
* @param ACL $acl
* @param string $type The ACE type. Can be one of AclManager::*_ACE constants
* @param string|null $field The name of a field.
* Set to null for class-based or object-based ACE
* Set to not null class-field-based or object-field-based ACE
* @param SID $sid
* @return bool True if at least one permission was deleted
*/
public function deleteAllPermissions(ACL $acl, $type, $field, SID $sid)
{
$hasChanges = false;
$aces = $this->getAces($acl, $type, $field);
foreach ($aces as $index => $ace) {
if ($sid->equals($ace->getSecurityIdentity())) {
$this->deleteAce($acl, $type, $field, $index);
$hasChanges = true;
}
}
return $hasChanges;
}
/**
* @param SecurityIdentityInterface $sid
*
* @return string
*/
protected function getFormattedName(SecurityIdentityInterface $sid)
{
if ($sid instanceof UserSecurityIdentity && $sid->getUsername()) {
$user = $this->manager->getRepository('OroUserBundle:User')->findOneBy(['username' => $sid->getUsername()]);
if ($user) {
return $this->nameFormatter->format($user);
}
} elseif ($sid instanceof BusinessUnitSecurityIdentity) {
$businessUnit = $this->manager->getRepository('OroOrganizationBundle:BusinessUnit')->find($sid->getId());
if ($businessUnit) {
return $businessUnit->getName();
}
}
return '';
}
/**
* Constructs the SQL for inserting a security identity.
*
* @param SecurityIdentityInterface $sid
*
* @throws \InvalidArgumentException
*
* @return string
*/
protected function getInsertSecurityIdentitySql(SecurityIdentityInterface $sid)
{
if ($sid instanceof UserSecurityIdentity) {
$identifier = $sid->getClass() . '-' . $sid->getUsername();
$username = true;
} elseif ($sid instanceof RoleSecurityIdentity) {
$identifier = $sid->getRole();
$username = false;
} elseif ($sid instanceof JournalRoleSecurityIdentity) {
$identifier = $sid->getIdentifier();
$username = false;
} else {
throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, JournalRoleSecurityIdentity or RoleSecurityIdentity.');
}
return sprintf('INSERT INTO %s (identifier, username) VALUES (%s, %s)', $this->options['sid_table_name'], $this->connection->quote($identifier), $this->connection->getDatabasePlatform()->convertBooleans($username));
}
/**
* Create an array of the security identity for inserting in the document
*
* @param SecurityIdentityInterface $sid
* @throws \InvalidArgumentException
* @return array
*/
protected function getSecurityIdentityQuery(SecurityIdentityInterface $sid)
{
if ($sid instanceof UserSecurityIdentity) {
return array('username' => $sid->getUsername(), 'class' => $sid->getClass());
} else {
if ($sid instanceof RoleSecurityIdentity) {
return array('role' => $sid->getRole());
} else {
throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
}
}
}
/**
* Gets all ACEs associated with given ACL and the given security identity
*
* @param SID $sid
* @param OID $oid
* @param string $type The ACE type. Can be one of self::*_ACE constants
* @param string|null $field The name of a field.
* Set to null for class-based or object-based ACE
* Set to not null class-field-based or object-field-based ACE
* @return EntryInterface[]
*/
protected function doGetAces(SID $sid, OID $oid, $type, $field)
{
$acl = $this->getAcl($oid);
if (!$acl) {
return array();
}
return array_filter($this->aceProvider->getAces($acl, $type, $field), function ($ace) use(&$sid) {
/** @var EntryInterface $ace */
return $sid->equals($ace->getSecurityIdentity());
});
}
/**
* Deletes all ACEs the given type and security identity from the list of ACEs associated with this item
*
* @param string $type The ACE type. Can be one of AclManager::*_ACE constants
* @param string|null $field The name of a field.
* Set to null for class-based or object-based ACE
* Set to not null class-field-based or object-field-based ACE
* @param SID $sid
*/
public function removeAces($type, $field, SID $sid)
{
if ($this->aces !== null) {
$toRemoveKeys = [];
foreach ($this->aces as $key => $val) {
if ($sid->equals($val->getSecurityIdentity()) && $type === $val->getType() && $field === $val->getField()) {
$toRemoveKeys[] = $key;
break;
}
}
if (!empty($toRemoveKeys)) {
foreach ($toRemoveKeys as $key) {
$this->aces->remove($key);
}
}
}
}
/**
* Get Security Identifier and Username flag to create SQL queries
*
* @param SecurityIdentityInterface $sid
*
* @throws \InvalidArgumentException
*
* @return array
*/
protected function getSecurityIdentifier(SecurityIdentityInterface $sid)
{
if ($sid instanceof UserSecurityIdentity) {
return [$sid->getClass() . '-' . $sid->getUsername(), true];
} elseif ($sid instanceof RoleSecurityIdentity) {
return [$sid->getRole(), false];
} elseif ($sid instanceof BusinessUnitSecurityIdentity) {
return [$sid->getClass() . '-' . $sid->getId(), false];
} else {
throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity or RoleSecurityIdentity' . ' or BusinessUnitSecurityIdentity.');
}
}
/**
* Gets all ACEs associated with given ACL and the given security identity
*
* @param SID $sid
* @param AclInterface $acl
* @param string $type The ACE type. Can be one of AclManager::*_ACE constants
* @param string|null $field The name of a field.
* Set to null for class-based or object-based ACE
* Set to not null class-field-based or object-field-based ACE
* @return EntryInterface[]
*/
protected function getAces(SID $sid, AclInterface $acl, $type, $field)
{
return array_filter($this->manager->getAceProvider()->getAces($acl, $type, $field), function ($ace) use(&$sid) {
/** @var EntryInterface $ace */
return $sid->equals($ace->getSecurityIdentity());
});
}
/**
* Constructs sql restriction based on sid specified as array and fills list
* of used sql params to be bind in prepared statement
*
* @param SecurityIdentityInterface $sid sid
* @param array &$valuesForBind list of params to be bind
*
* @return string
*/
private function getSidSqlRestriction(SecurityIdentityInterface $sid, &$valuesForBind)
{
if ($sid instanceof UserSecurityIdentity) {
$identifier = $sid->getClass() . '-' . $sid->getUsername();
$isUsername = true;
} elseif ($sid instanceof RoleSecurityIdentity) {
$identifier = $sid->getRole();
$isUsername = false;
} else {
throw new InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
}
$sidSqlRestriction = sprintf("INNER JOIN %s s ON e.security_identity_id = s.id AND s.identifier = :identifier AND s.username = :username", $this->options['sid_table_name']);
$valuesForBind['identifier'] = ['value' => $identifier, 'type' => PDO::PARAM_STR];
$valuesForBind['username'] = ['value' => $isUsername, 'type' => PDO::PARAM_BOOL];
return $sidSqlRestriction;
}
/**
* @param SecurityIdentityInterface $sid
*
* @return mixed
*/
protected function getSecurityIdentityId(SecurityIdentityInterface $sid)
{
if ($sid instanceof UserSecurityIdentity) {
$identifier = $sid->getClass() . '-' . $sid->getUsername();
$username = true;
} elseif ($sid instanceof RoleSecurityIdentity) {
//skip Role SID because we didn't share records for Role
return null;
} elseif ($sid instanceof BusinessUnitSecurityIdentity) {
$identifier = $sid->getClass() . '-' . $sid->getId();
$username = false;
} else {
throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity or RoleSecurityIdentity ' . 'or BusinessUnitSecurityIdentity.');
}
return $this->getObjectManager()->getRepository('OroSecurityBundle:AclSecurityIdentity')->findOneBy(['identifier' => $identifier, 'username' => $username]);
}
/**
* Constructs the SQL for selecting the primary key of a security identity.
*
* @param SecurityIdentityInterface $sid
* @throws \InvalidArgumentException
* @return string
*/
protected function getSelectSecurityIdentityIdSql(SecurityIdentityInterface $sid)
{
if ($sid instanceof UserSecurityIdentity) {
$identifier = $sid->getClass() . '-' . $sid->getUsername();
$username = true;
} elseif ($sid instanceof RoleSecurityIdentity) {
$identifier = $sid->getRole();
$username = false;
} else {
throw new \InvalidArgumentException('$sid must either be an instance of UserSecurityIdentity, or RoleSecurityIdentity.');
}
return sprintf('SELECT id FROM %s WHERE identifier = %s AND username = %s', $this->options['sid_table_name'], $this->connection->quote($identifier), $this->connection->getDatabasePlatform()->convertBooleans($username));
}
/**
* @param ObjectIdentityInterface $objectIdentity
* @param SecurityIdentityInterface $securityIdentity
* @param string|string[] $permissions
* @param string $type
* @param null|string $field
*/
protected function revoke(ObjectIdentityInterface $objectIdentity, SecurityIdentityInterface $securityIdentity, $permissions, $type, $field = null)
{
if (null === ($acl = $this->findAcl($objectIdentity))) {
return;
}
$index = false;
$oldMask = 0;
/** @var Entry $ace */
foreach ($acl->{$this->resolveAceMethod('get', $type, $field)}($field) as $k => $ace) {
if ($securityIdentity->equals($ace->getSecurityIdentity())) {
$index = $k;
$oldMask = $ace->getMask();
continue;
}
}
if (false !== $index) {
$maskBuilder = $this->permissionMap->getMaskBuilder();
$maskBuilder->set($oldMask);
foreach ((array) $permissions as $permission) {
$maskBuilder->remove($permission);
}
if (null === $field) {
$acl->{$this->resolveAceMethod('update', $type)}($index, $maskBuilder->get());
} else {
$acl->{$this->resolveAceMethod('update', $type, $field)}($index, $field, $maskBuilder->get());
}
}
$this->aclProvider->updateAcl($acl);
}
