oat-sa · jbout · Apr 21, 2020 · Apr 21, 2020 · Apr 29, 2020 · May 12, 2020
diff --git a/scripts/install/setSimpleAccess.php → config/default/FuncAccessControl.conf.php b/scripts/install/setSimpleAccess.php → config/default/FuncAccessControl.conf.php
@@ -15,22 +15,9 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  *
- * Copyright (c) 2013 (original work) Open Assessment Technologies SA (under the project TAO-PRODUCT);
- *
- *
+ * Copyright (c) 2020 (original work) Open Assessment Technologies SA;
  */
 
-use oat\tao\model\accessControl\func\AccessRule;
-use oat\tao\model\accessControl\func\AclProxy as FuncProxy;
-use oat\tao\model\accessControl\data\implementation\FreeAccess;
-
-$impl = new oat\tao\model\accessControl\func\implementation\SimpleAccess();
+use oat\tao\model\accessControl\func\implementation\CacheOnly;
 
-$exts = common_ext_ExtensionsManager::singleton()->getInstalledExtensions();
-foreach ($exts as $extension) {
-    foreach ($extension->getManifest()->getAclTable() as $tableEntry) {
-        $rule = new AccessRule($tableEntry[0], $tableEntry[1], $tableEntry[2]);
-        $impl->applyRule($rule);
-    }
-}
-FuncProxy::setImplementation($impl);
+return new CacheOnly();
diff --git a/manifest.php b/manifest.php
@@ -56,10 +56,10 @@
     'label' => 'TAO Base',
     'description' => 'TAO meta-extension',
     'license' => 'GPL-2.0',
-    'version' => '42.8.0',
+    'version' => '42.9.0',
     'author' => 'Open Assessment Technologies, CRP Henri Tudor',
     'requires' => [
-        'generis' => '>=12.21.0',
+        'generis' => '>=12.22.0',
     ],
     'models' => [
         'http://www.tao.lu/Ontologies/TAO.rdf',
@@ -104,7 +104,6 @@
         ],
         'php' => [
             __DIR__ . '/scripts/install/addFileUploadSource.php',
-            __DIR__ . '/scripts/install/setSimpleAccess.php',
             SetServiceFileStorage::class,
             SetServiceState::class,
             __DIR__ . '/scripts/install/setJsConfig.php',

diff --git a/models/classes/accessControl/func/AccessRule.php b/models/classes/accessControl/func/AccessRule.php
@@ -35,18 +35,34 @@ class AccessRule
     const GRANT = 'grant';
     const DENY = 'deny';
 
+    const SCOPE_EXTENSION = 'ext';
+    const SCOPE_CONTROLLER = 'mod';
+    const SCOPE_ACTION = 'act';
+
+    /** @var string */
     private $grantDeny;
 
+    /** @var string */
     private $role;
 
+    /** @var string */
     private $mask;
 
+    /** @var string */
+    private $scope;
+    /** @var string */
+    private $extension;
+    /** @var string */
+    private $controller;
+    /** @var string */
+    private $action;
 
     public function __construct($mode, $roleUri, $mask)
     {
         $this->grantDeny = $mode;
-        $this->role = new core_kernel_classes_Resource($roleUri);
+        $this->role = $roleUri;
         $this->mask = $mask;
+        $this->parseMask();
     }
 
     /**
@@ -63,16 +79,101 @@ public function isGrant()
      * @return core_kernel_classes_Resource
      */
     public function getRole()
+    {
+        return new core_kernel_classes_Resource($this->role);
+    }
+
+    public function getRoleId()
     {
         return $this->role;
     }
-    
+
     /**
-     * Returns the filter of the rule
-     * @return array
+     * @deprecated please used the preparsed extension, controller, action
      */
     public function getMask()
     {
         return $this->mask;
     }
+
+    public function getScope()
+    {
+        return $this->scope;
+    }
+
+    public function getAction(): ?string
+    {
+        return $this->action;
+    }
+
+    public function getController(): ?string
+    {
+        return $this->controller;
+    }
+
+    public function getExtensionId(): ?string
+    {
+        return $this->extension;
+    }
+
+    private function parseMask(): void
+    {
+        if (is_string($this->mask)) {
+            $this->parseStringMask($this->mask);
+        } elseif (is_array($this->mask)) { /// array masks
+            $this->parseArrayMask($this->mask);
+        } else {
+            throw new \common_exception_InconsistentData('Invalid AccessRule mask ' . gettype($this->mask));
+        }
+    }
+
+    private function parseStringMask(string $mask): void
+    {
+        $controller = $mask;
+        $action = null;
+        if (strpos($mask, '@') !== false) {
+            [$controller, $action] = explode('@', $mask, 2);
+        }
+        if (class_exists($controller)) {
+            $this->scope = is_null($action) ? self::SCOPE_CONTROLLER : self::SCOPE_ACTION;
+            $this->controller = $controller;
+            $this->action = $action;
+        } else {
+            throw new \common_exception_InconsistentData('Invalid AccessRule mask ' . $mask);
+        }
+    }
+
+    private function parseArrayMask(array $mask): void
+    {
+        $legacy = $this->checkLegacyMask($mask);
+        if (!is_null($legacy)) {
+            $this->parseStringMask($legacy);
+        } elseif (isset($mask['act'], $mask['mod'], $mask['ext'])) {
+            $this->scope = self::SCOPE_ACTION;
+            $this->controller = FuncHelper::getClassName($mask['ext'], $mask['mod']);
+            $this->action = $mask['act'];
+        } elseif (isset($mask['mod'], $mask['ext'])) {
+            $this->scope = self::SCOPE_CONTROLLER;
+            $this->controller = FuncHelper::getClassName($mask['ext'], $mask['mod']);
+        } elseif (isset($mask['ext'])) {
+            $this->scope = self::SCOPE_EXTENSION;
+            $this->extension = $mask['ext'];
+        } else {
+            throw new \common_exception_InconsistentData('Invalid AccessRule mask ' . implode(',', array_keys($mask)));
+        }
+    }
+
+    /**
+     * Legacy notation, should not be used, but we still need to support it
+     */
+    private function checkLegacyMask(array $mask): ?string
+    {
+        if (isset($mask['controller'])) {
+            return $mask['controller'];
+        } elseif (isset($mask['act']) && !isset($mask['controller']) && strpos($mask['act'], '@') !== false) {
+            return $mask['act'];
+        } else {
+            return null;
+        }
+    }
 }
diff --git a/models/classes/accessControl/func/AclProxy.php b/models/classes/accessControl/func/AclProxy.php
@@ -22,8 +22,6 @@
 namespace oat\tao\model\accessControl\func;
 
 use oat\tao\model\accessControl\AccessControl;
-use common_ext_ExtensionsManager;
-use common_Logger;
 use oat\oatbox\user\User;
 use oat\oatbox\service\ServiceManager;
 

diff --git a/models/classes/accessControl/func/FuncAccessControl.php b/models/classes/accessControl/func/FuncAccessControl.php
@@ -28,7 +28,8 @@
  */
 interface FuncAccessControl
 {
-
+    public const SERVICE_ID = 'tao/FuncAccessControl';
+
     /**
      * Returns whenever or not a user has access to a specified call
      *

diff --git a/models/classes/accessControl/func/implementation/AclModel.php b/models/classes/accessControl/func/implementation/AclModel.php
@@ -0,0 +1,126 @@
+<?php
+
+/**
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; under version 2
+ * of the License (non-upgradable).
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * Copyright (c) 2013 (original work) Open Assessment Technologies SA (under the project TAO-PRODUCT);
+ *
+ */
+
+namespace oat\tao\model\accessControl\func\implementation;
+
+use oat\tao\model\accessControl\func\AccessRule;
+use oat\tao\model\accessControl\func\FuncHelper;
+
+/**
+ * Simple ACL Implementation deciding whenever or not to allow access
+ * strictly by the BASEUSER role and a whitelist
+ *
+ * Not to be used in production, since testtakers cann access the backoffice
+ *
+ * @access public
+ * @author Joel Bout, <[email protected]>
+ * @package tao
+
+ */
+class AclModel
+{
+    private $actionRules = [];
+    private $controllerRules = [];
+    private $extensionRules = [];
+
+    public function applyRule(AccessRule $rule): void
+    {
+        switch ($rule->getScope()) {
+            case AccessRule::SCOPE_ACTION :
+                $this->addAction($rule);
+                break;
+            case AccessRule::SCOPE_CONTROLLER :
+                $this->addController($rule);
+                break;
+            case AccessRule::SCOPE_EXTENSION :
+                $this->addExtension($rule);
+                break;
+        }
+    }
+
+    public function getControllerAcl(string $controllerName, string $extensionId): ControllerAccessRight
+    {
+        $controller = new ControllerAccessRight($controllerName, $extensionId);
+        $this->applyExtensionRules($controller);
+        $this->applyControllerRules($controller);
+        $this->applyActionRules($controller);
+        return $controller;
+    }
+
+    private function addAction(AccessRule $rule): void
+    {
+        $action = $rule->getAction();
+        $controller = $rule->getController();
+        if (!isset($this->actionRules[$controller])) {
+            $this->actionRules[$controller] = [];
+        }
+        $this->actionRules[$controller][] = [$rule->getRoleId(), $action];
+    }
+
+    private function addController(AccessRule $rule): void
+    {
+        $controller = $rule->getController();
+        if (!isset($this->controllerRules[$controller])) {
+            $this->controllerRules[$controller] = [];
+        }
+        $this->controllerRules[$controller][] = $rule->getRoleId();
+    }
+
+    private function addExtension(AccessRule $rule): void
+    {
+        $extensionName = $rule->getExtensionId();
+        if (!isset($this->extensionRules[$extensionName])) {
+            $this->extensionRules[$extensionName] = [];
+        }
+        $this->extensionRules[$extensionName][] = $rule->getRoleId();
+    }
+
+    private function applyActionRules(ControllerAccessRight $controller): ControllerAccessRight
+    {
+        if (isset($this->actionRules[$controller->getClassName()])) {
+            foreach ($this->actionRules[$controller->getClassName()] as $pair) {
+                $controller->addActionAccess($pair[0], $pair[1]);
+            }
+        }
+        return $controller;
+    }
+
+    private function applyControllerRules(ControllerAccessRight $controller): ControllerAccessRight
+    {
+        if (isset($this->controllerRules[$controller->getClassName()])) {
+            foreach ($this->controllerRules[$controller->getClassName()] as $roleId) {
+                $controller->addFullAccess($roleId);
+            }
+        }
+        return $controller;
+    }
+
+    private function applyExtensionRules(ControllerAccessRight $controller): ControllerAccessRight
+    {
+        $extensionId = $controller->getExtensionId();
+        if (isset($this->extensionRules[$extensionId])) {
+            foreach ($this->extensionRules[$extensionId] as $roleId) {
+                $controller->addFullAccess($roleId);
+            }
+        }
+        return $controller;
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -28,7 +28,8 @@ @@
      */
     interface FuncAccessControl
     {
+        public const SERVICE_ID = 'tao/FuncAccessControl';
         /**
          * Returns whenever or not a user has access to a specified call
          *
@@ Expand Down @@