/**
* Transform a given mode security identity into an ACL related SecurityIdentity.
*
* @param \Propel\Bundle\PropelAclBundle\Model\Acl\SecurityIdentity $securityIdentity
*
* @return \Symfony\Component\Security\Acl\Model\SecurityIdentityInterface
*/
public static function toAclIdentity(SecurityIdentity $securityIdentity)
{
$identifier = $securityIdentity->getIdentifier();
if ($securityIdentity->getUsername()) {
if (false === strpos($identifier, '-')) {
throw new \InvalidArgumentException('The given identifier does not resolve to a UserSecurityIdentity.');
}
list($class, $username) = explode('-', $identifier, 2);
return new UserSecurityIdentity($username, $class);
}
if (0 === strpos($identifier, 'ROLE_') or 0 === strpos($identifier, 'IS_AUTHENTICATED_')) {
return new RoleSecurityIdentity($identifier);
}
throw new \InvalidArgumentException('The security identity does not resolve to either UserSecurityIdentity or RoleSecurityIdentity.');
}
public function testFindByAclIdentityFilterSecurityIdentity()
{
// Another Entry, should not be found (different SecurityIdentity).
$entry = $this->createEntry();
$entry->setObjectIdentityId(1)->setSecurityIdentity(SecurityIdentity::fromAclIdentity($this->getRoleSecurityIdentity('ROLE_ADMIN')))->setAclClass($this->getAclClass())->setMask(64)->save($this->con);
$this->assertEquals(2, EntryQuery::create()->count($this->con));
$entries = EntryQuery::create()->findByAclIdentity($this->getAclObjectIdentity(1), array($this->getRoleSecurityIdentity('ROLE_USER')), $this->con);
$this->assertCount(1, $entries);
$this->assertEquals(SecurityIdentity::fromAclIdentity($this->getRoleSecurityIdentity('ROLE_USER'))->getId(), $entries[0]->getSecurityIdentityId());
}
/**
* Transform a given ACL entry into a Entry model.
*
* The entry will not be persisted!
*
* @param \Symfony\Component\Security\Acl\Model\EntryInterface $aclEntry
*
* @return \Propel\Bundle\PropelAclBundle\Model\Acl\Entry
*/
public static function fromAclEntry(EntryInterface $aclEntry)
{
$entry = new self();
// Already persisted before?
if ($aclEntry->getId()) {
$entry->setId($aclEntry->getId());
}
$entry->setMask($aclEntry->getMask())->setGranting($aclEntry->isGranting())->setGrantingStrategy($aclEntry->getStrategy())->setSecurityIdentity(SecurityIdentity::fromAclIdentity($aclEntry->getSecurityIdentity()));
if ($aclEntry instanceof FieldEntryInterface) {
$entry->setFieldName($aclEntry->getField());
}
if ($aclEntry instanceof AuditableEntryInterface) {
$entry->setAuditFailure($aclEntry->isAuditFailure())->setAuditSuccess($aclEntry->isAuditSuccess());
}
return $entry;
}
/**
* Constructor.
*
* @param \Propel\Bundle\PropelAclBundle\Model\Acl\Entry $entry
* @param \Symfony\Component\Security\Acl\Model\AclInterface $acl
*/
public function __construct(ModelEntry $entry, AclInterface $acl)
{
$this->acl = $acl;
$this->securityIdentity = SecurityIdentity::toAclIdentity($entry->getSecurityIdentity());
/*
* A new ACE (from a MutableAcl) does not have an ID,
* but will be persisted by the MutableAclProvider afterwards, if issued.
*/
if ($entry->getId()) {
$this->id = $entry->getId();
}
$this->mask = $entry->getMask();
$this->isGranting = $entry->getGranting();
$this->strategy = $entry->getGrantingStrategy();
$this->auditFailure = $entry->getAuditFailure();
$this->auditSuccess = $entry->getAuditSuccess();
}
public function testConstruct()
{
$collection = new \PropelObjectCollection();
$collection->setModel('Propel\\Bundle\\PropelAclBundle\\Model\\Acl\\Entry');
$acl = new Acl($collection, $this->getAclObjectIdentity(), new PermissionGrantingStrategy());
$model = $this->createEntry();
$model->setAuditFailure(true);
$model->setSecurityIdentity(SecurityIdentity::fromAclIdentity($this->getRoleSecurityIdentity()));
$entry = new Entry($model, $acl);
$this->assertEquals($model->getMask(), $entry->getMask());
$this->assertEquals($model->getGranting(), $entry->isGranting());
$this->assertEquals($model->getGrantingStrategy(), $entry->getStrategy());
$this->assertEquals($model->getAuditFailure(), $entry->isAuditFailure());
$this->assertEquals($model->getAuditSuccess(), $entry->isAuditSuccess());
$this->assertEquals($this->getRoleSecurityIdentity(), $entry->getSecurityIdentity());
return $entry;
}
/**
* Return Entry objects filtered by an ACL related ObjectIdentity.
*
* @see find()
*
* @param \Symfony\Component\Security\Acl\Model\ObjectIdentityInterface $objectIdentity An ACL related ObjectIdentity.
* @param array $securityIdentities A list of SecurityIdentity to filter by.
* @param \PropelPDO $con
*
* @return \PropelObjectCollection
*/
public function findByAclIdentity(ObjectIdentityInterface $objectIdentity, array $securityIdentities = array(), \PropelPDO $con = null)
{
$securityIds = array();
foreach ($securityIdentities as $eachIdentity) {
if (!$eachIdentity instanceof SecurityIdentityInterface) {
if (is_object($eachIdentity)) {
$errorMessage = sprintf('The list of security identities contains at least one invalid entry of class "%s". Please provide objects of classes implementing "Symfony\\Component\\Security\\Acl\\Model\\SecurityIdentityInterface" only.', get_class($eachIdentity));
} else {
$errorMessage = sprintf('The list of security identities contains at least one invalid entry "%s". Please provide objects of classes implementing "Symfony\\Component\\Security\\Acl\\Model\\SecurityIdentityInterface" only.', $eachIdentity);
}
throw new \InvalidArgumentException($errorMessage);
}
if ($securityIdentity = SecurityIdentity::fromAclIdentity($eachIdentity)) {
$securityIds[$securityIdentity->getId()] = $securityIdentity->getId();
}
}
$this->useAclClassQuery(null, \Criteria::INNER_JOIN)->filterByType((string) $objectIdentity->getType())->endUse()->leftJoinObjectIdentity()->add(ObjectIdentityPeer::OBJECT_IDENTIFIER, (string) $objectIdentity->getIdentifier(), \Criteria::EQUAL)->addOr(EntryPeer::OBJECT_IDENTITY_ID, null, \Criteria::ISNULL);
if (!empty($securityIdentities)) {
$this->filterBySecurityIdentityId($securityIds);
}
return $this->find($con);
}
/**
* @depends testUpdateObjectAuditing
*/
public function testUpdateClassFieldAuditing()
{
$collection = new \PropelObjectCollection();
$collection->setModel('Propel\\Bundle\\PropelAclBundle\\Model\\Acl\\Entry');
$entry = $this->createEntry();
$entry->setFieldName('name')->setSecurityIdentity(SecurityIdentity::fromAclIdentity($this->getRoleSecurityIdentity()))->setAclClass($this->getAclClass());
$collection->append($entry);
$acl = new AuditableAcl($collection, $this->getAclObjectIdentity(), new PermissionGrantingStrategy());
$aces = $acl->getClassFieldAces('name');
$this->assertCount(1, $aces);
$acl->updateClassFieldAuditing(0, 'name', true, true);
$aces = $acl->getClassFieldAces('name');
$this->assertTrue($aces[0]->isAuditSuccess());
$this->assertTrue($aces[0]->isAuditFailure());
$acl->updateClassFieldAuditing(0, 'name', false, false);
$aces = $acl->getClassFieldAces('name');
$this->assertFalse($aces[0]->isAuditSuccess());
$this->assertFalse($aces[0]->isAuditFailure());
}
/**
* Retrieve the persisted model for the given ACE.
*
* If none is given, null is returned.
*
* @param \Symfony\Component\Security\Acl\Model\EntryInterface $ace
*
* @return \Propel\Bundle\PropelAclBundle\Model\Acl\Entry|null
*/
protected function getPersistedAce(EntryInterface $ace, ObjectIdentity $objectIdentity, $object = false)
{
if (null !== $ace->getId() and null !== ($entry = EntryQuery::create()->findPk($ace->getId(), $this->connection))) {
$entry->reload(true, $this->connection);
return $entry;
}
/*
* The id is not set, but there may be an ACE in the database.
*
* This happens if the ACL has created new ACEs, but was not reloaded.
* We try to retrieve one by the unique key.
*/
$ukQuery = EntryQuery::create()->filterByAclClass($objectIdentity->getAclClass($this->connection))->filterBySecurityIdentity(SecurityIdentity::fromAclIdentity($ace->getSecurityIdentity(), $this->connection));
if (true === $object) {
$ukQuery->filterByObjectIdentity($objectIdentity);
} else {
$ukQuery->filterByObjectIdentityId(null, \Criteria::ISNULL);
}
if ($ace instanceof FieldEntryInterface) {
$ukQuery->filterByFieldName($ace->getField());
} else {
$ukQuery->filterByFieldName(null, \Criteria::ISNULL);
}
return $ukQuery->findOne($this->connection);
}
/**
* Returns the ACL that belongs to the given object identity.
*
* @throws \Symfony\Component\Security\Acl\Exception\AclNotFoundException
*
* @param \Symfony\Component\Security\Acl\Model\ObjectIdentityInterface $objectIdentity
* @param array $securityIdentities
*
* @return \Symfony\Component\Security\Acl\Model\AclInterface
*/
public function findAcl(ObjectIdentityInterface $objectIdentity, array $securityIdentities = array())
{
$modelObj = ObjectIdentityQuery::create()->findOneByAclObjectIdentity($objectIdentity, $this->connection);
if (null !== $this->cache and null !== $modelObj) {
$cachedAcl = $this->cache->getFromCacheById($modelObj->getId());
if ($cachedAcl instanceof AclInterface) {
return $cachedAcl;
}
}
$collection = EntryQuery::create()->findByAclIdentity($objectIdentity, $securityIdentities, $this->connection);
if (0 === count($collection)) {
if (empty($securityIdentities)) {
$errorMessage = 'There is no ACL available for this object identity. Please create one using the MutableAclProvider.';
} else {
$errorMessage = 'There is at least no ACL for this object identity and the given security identities. Try retrieving the ACL without security identity filter and add ACEs for the security identities.';
}
throw new AclNotFoundException($errorMessage);
}
$loadedSecurityIdentities = array();
foreach ($collection as $eachEntry) {
if (!isset($loadedSecurityIdentities[$eachEntry->getSecurityIdentity()->getId()])) {
$loadedSecurityIdentities[$eachEntry->getSecurityIdentity()->getId()] = SecurityIdentity::toAclIdentity($eachEntry->getSecurityIdentity());
}
}
$parentAcl = null;
$entriesInherited = true;
if (null !== $modelObj) {
$entriesInherited = $modelObj->getEntriesInheriting();
if (null !== $modelObj->getParentObjectIdentityId()) {
$parentObj = $modelObj->getObjectIdentityRelatedByParentObjectIdentityId($this->connection);
try {
$parentAcl = $this->findAcl(new ObjectIdentity($parentObj->getIdentifier(), $parentObj->getAclClass($this->connection)->getType()));
} catch (AclNotFoundException $e) {
/*
* This happens e.g. if the parent ACL is created, but does not contain any ACE by now.
* The ACEs may be applied later on.
*/
}
}
}
return $this->getAcl($collection, $objectIdentity, $loadedSecurityIdentities, $parentAcl, $entriesInherited);
}
/**
* Create a new ACL Entry.
*
* @param int $mask
* @param int $index
* @param \Symfony\Component\Security\Acl\Model\SecurityIdentityInterface $securityIdentity
* @param string $strategy
* @param bool $granting
* @param string $field
*
* @return \Propel\Bundle\PropelAclBundle\Security\Acl\Domain\Entry|\Propel\Bundle\PropelAclBundle\Security\Acl\Domain\FieldEntry
*/
protected function createAce($mask, $index, SecurityIdentityInterface $securityIdentity, $strategy = null, $granting = true, $field = null)
{
if (!is_int($mask)) {
throw new \InvalidArgumentException('The given mask is not valid. Please provide an integer.');
}
// Compatibility with default implementation
if (null === $strategy) {
if (true === $granting) {
$strategy = PermissionGrantingStrategy::ALL;
} else {
$strategy = PermissionGrantingStrategy::ANY;
}
}
$model = new ModelEntry();
$model->setAceOrder($index)->setMask($mask)->setGrantingStrategy($strategy)->setGranting($granting)->setSecurityIdentity(SecurityIdentity::fromAclIdentity($securityIdentity));
if (null !== $field) {
$model->setFieldName($field);
return new FieldEntry($model, $this);
}
return new Entry($model, $this);
}
protected function createModelEntry()
{
$entry = new ModelEntry();
$entry->setId(42)->setAclClass($this->getAclClass())->setSecurityIdentity(SecurityIdentity::fromAclIdentity($this->getRoleSecurityIdentity()))->setAuditFailure(true)->setAuditSuccess(false)->setGrantingStrategy('all')->setGranting(true)->setMask(64);
return $entry;
}
public function testSerializeUnserialize()
{
$collection = new \PropelObjectCollection();
$collection->setModel('Propel\\Bundle\\PropelAclBundle\\Model\\Acl\\Entry');
$entry = $this->createEntry();
$entry->setSecurityIdentity(SecurityIdentity::fromAclIdentity($this->getRoleSecurityIdentity('ROLE_ADMIN')))->setAclClass($this->getAclClass());
$collection->append($entry);
$acl = new Acl($collection, $this->getAclObjectIdentity(), new PermissionGrantingStrategy());
$serialized = serialize($acl);
$unserialized = unserialize($serialized);
$this->assertNotEmpty($serialized);
$this->assertNotEmpty($unserialized);
$this->assertInstanceOf('Propel\\Bundle\\PropelAclBundle\\Security\\Acl\\Domain\\Acl', $unserialized);
$this->assertEquals($serialized, serialize($unserialized));
}
public function testFromAclIdentityWithRole()
{
$secIdentity = new RoleSecurityIdentity(new Role('ROLE_USER'));
$identity = SecurityIdentity::fromAclIdentity($secIdentity, $this->con);
$this->assertInstanceOf('Propel\\Bundle\\PropelAclBundle\\Model\\Acl\\SecurityIdentity', $identity);
$this->assertEquals(false, $identity->getUsername());
$this->assertEquals('ROLE_USER', $identity->getIdentifier());
$this->assertGreaterThan(0, $identity->getId());
$dbEntry = SecurityIdentityQuery::create()->findPk($identity->getId());
$this->assertInstanceOf('Propel\\Bundle\\PropelAclBundle\\Model\\Acl\\SecurityIdentity', $dbEntry);
}
/**
* @depends testFindAclWithEntries
*/
public function testFindAclReadsFromCache()
{
$this->cache = new AclCache();
$obj = $this->createModelObjectIdentity(1);
$entry = $this->createEntry();
$entry->setSecurityIdentity(SecurityIdentity::fromAclIdentity($this->getRoleSecurityIdentity('ROLE_USER')))->setAclClass($obj->getAclClass())->setMask(64);
$obj->addEntry($entry)->save($this->con);
// Read and put into cache
$acl = $this->getAclProvider()->findAcl($this->getAclObjectIdentity(1), array($this->getRoleSecurityIdentity('ROLE_USER')));
$this->cache->content[1] = $acl;
// Change database
EntryQuery::create()->update(array(EntryPeer::translateFieldName(EntryPeer::MASK, \BasePeer::TYPE_COLNAME, \BasePeer::TYPE_PHPNAME) => 128), $this->con);
$this->assertEquals(0, EntryQuery::create()->filterByMask(64)->count($this->con));
// Verify cache has been read
$cachedAcl = $this->getAclProvider()->findAcl($this->getAclObjectIdentity(1), array($this->getRoleSecurityIdentity('ROLE_USER')));
$cachedObjectAces = $cachedAcl->getObjectAces();
$this->assertSame($acl, $cachedAcl);
$this->assertEquals(64, $cachedObjectAces[0]->getMask());
}