統計
| ブランチ: | リビジョン:

pictcode / lib / Cake / Controller / Component / Acl / PhpAcl.php @ 635eef61

履歴 | 表示 | アノテート | ダウンロード (13.458 KB)

1 635eef61 spyder1211
<?php
2
/**
3
 * PHP configuration based AclInterface implementation
4
 *
5
 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
6
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
7
 *
8
 * Licensed under The MIT License
9
 * For full copyright and license information, please see the LICENSE.txt
10
 * Redistributions of files must retain the above copyright notice.
11
 *
12
 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
13
 * @link          http://cakephp.org CakePHP(tm) Project
14
 * @package       Cake.Controller.Component.Acl
15
 * @since         CakePHP(tm) v 2.1
16
 * @license       http://www.opensource.org/licenses/mit-license.php MIT License
17
 */
18
19
/**
20
 * PhpAcl implements an access control system using a plain PHP configuration file.
21
 * An example file can be found in app/Config/acl.php
22
 *
23
 * @package Cake.Controller.Component.Acl
24
 */
25
class PhpAcl extends Object implements AclInterface {
26
27
/**
28
 * Constant for deny
29
 *
30
 * @var bool
31
 */
32
        const DENY = false;
33
34
/**
35
 * Constant for allow
36
 *
37
 * @var bool
38
 */
39
        const ALLOW = true;
40
41
/**
42
 * Options:
43
 *  - policy: determines behavior of the check method. Deny policy needs explicit allow rules, allow policy needs explicit deny rules
44
 *  - config: absolute path to config file that contains the acl rules (@see app/Config/acl.php)
45
 *
46
 * @var array
47
 */
48
        public $options = array();
49
50
/**
51
 * Aro Object
52
 *
53
 * @var PhpAro
54
 */
55
        public $Aro = null;
56
57
/**
58
 * Aco Object
59
 *
60
 * @var PhpAco
61
 */
62
        public $Aco = null;
63
64
/**
65
 * Constructor
66
 *
67
 * Sets a few default settings up.
68
 */
69
        public function __construct() {
70
                $this->options = array(
71
                        'policy' => static::DENY,
72
                        'config' => APP . 'Config' . DS . 'acl.php',
73
                );
74
        }
75
76
/**
77
 * Initialize method
78
 *
79
 * @param AclComponent $Component Component instance
80
 * @return void
81
 */
82
        public function initialize(Component $Component) {
83
                if (!empty($Component->settings['adapter'])) {
84
                        $this->options = $Component->settings['adapter'] + $this->options;
85
                }
86
87
                App::uses('PhpReader', 'Configure');
88
                $Reader = new PhpReader(dirname($this->options['config']) . DS);
89
                $config = $Reader->read(basename($this->options['config']));
90
                $this->build($config);
91
                $Component->Aco = $this->Aco;
92
                $Component->Aro = $this->Aro;
93
        }
94
95
/**
96
 * build and setup internal ACL representation
97
 *
98
 * @param array $config configuration array, see docs
99
 * @return void
100
 * @throws AclException When required keys are missing.
101
 */
102
        public function build(array $config) {
103
                if (empty($config['roles'])) {
104
                        throw new AclException(__d('cake_dev', '"roles" section not found in configuration.'));
105
                }
106
107
                if (empty($config['rules']['allow']) && empty($config['rules']['deny'])) {
108
                        throw new AclException(__d('cake_dev', 'Neither "allow" nor "deny" rules were provided in configuration.'));
109
                }
110
111
                $rules['allow'] = !empty($config['rules']['allow']) ? $config['rules']['allow'] : array();
112
                $rules['deny'] = !empty($config['rules']['deny']) ? $config['rules']['deny'] : array();
113
                $roles = !empty($config['roles']) ? $config['roles'] : array();
114
                $map = !empty($config['map']) ? $config['map'] : array();
115
                $alias = !empty($config['alias']) ? $config['alias'] : array();
116
117
                $this->Aro = new PhpAro($roles, $map, $alias);
118
                $this->Aco = new PhpAco($rules);
119
        }
120
121
/**
122
 * No op method, allow cannot be done with PhpAcl
123
 *
124
 * @param string $aro ARO The requesting object identifier.
125
 * @param string $aco ACO The controlled object identifier.
126
 * @param string $action Action (defaults to *)
127
 * @return bool Success
128
 */
129
        public function allow($aro, $aco, $action = "*") {
130
                return $this->Aco->access($this->Aro->resolve($aro), $aco, $action, 'allow');
131
        }
132
133
/**
134
 * deny ARO access to ACO
135
 *
136
 * @param string $aro ARO The requesting object identifier.
137
 * @param string $aco ACO The controlled object identifier.
138
 * @param string $action Action (defaults to *)
139
 * @return bool Success
140
 */
141
        public function deny($aro, $aco, $action = "*") {
142
                return $this->Aco->access($this->Aro->resolve($aro), $aco, $action, 'deny');
143
        }
144
145
/**
146
 * No op method
147
 *
148
 * @param string $aro ARO The requesting object identifier.
149
 * @param string $aco ACO The controlled object identifier.
150
 * @param string $action Action (defaults to *)
151
 * @return bool Success
152
 */
153
        public function inherit($aro, $aco, $action = "*") {
154
                return false;
155
        }
156
157
/**
158
 * Main ACL check function. Checks to see if the ARO (access request object) has access to the
159
 * ACO (access control object).
160
 *
161
 * @param string $aro ARO
162
 * @param string $aco ACO
163
 * @param string $action Action
164
 * @return bool true if access is granted, false otherwise
165
 */
166
        public function check($aro, $aco, $action = "*") {
167
                $allow = $this->options['policy'];
168
                $prioritizedAros = $this->Aro->roles($aro);
169
170
                if ($action && $action !== "*") {
171
                        $aco .= '/' . $action;
172
                }
173
174
                $path = $this->Aco->path($aco);
175
176
                if (empty($path)) {
177
                        return $allow;
178
                }
179
180
                foreach ($path as $node) {
181
                        foreach ($prioritizedAros as $aros) {
182
                                if (!empty($node['allow'])) {
183
                                        $allow = $allow || count(array_intersect($node['allow'], $aros));
184
                                }
185
186
                                if (!empty($node['deny'])) {
187
                                        $allow = $allow && !count(array_intersect($node['deny'], $aros));
188
                                }
189
                        }
190
                }
191
192
                return $allow;
193
        }
194
195
}
196
197
/**
198
 * Access Control Object
199
 */
200
class PhpAco {
201
202
/**
203
 * holds internal ACO representation
204
 *
205
 * @var array
206
 */
207
        protected $_tree = array();
208
209
/**
210
 * map modifiers for ACO paths to their respective PCRE pattern
211
 *
212
 * @var array
213
 */
214
        public static $modifiers = array(
215
                '*' => '.*',
216
        );
217
218
/**
219
 * Constructor
220
 *
221
 * @param array $rules Rules array
222
 */
223
        public function __construct(array $rules = array()) {
224
                foreach (array('allow', 'deny') as $type) {
225
                        if (empty($rules[$type])) {
226
                                $rules[$type] = array();
227
                        }
228
                }
229
230
                $this->build($rules['allow'], $rules['deny']);
231
        }
232
233
/**
234
 * return path to the requested ACO with allow and deny rules attached on each level
235
 *
236
 * @param string $aco ACO string
237
 * @return array
238
 */
239
        public function path($aco) {
240
                $aco = $this->resolve($aco);
241
                $path = array();
242
                $level = 0;
243
                $root = $this->_tree;
244
                $stack = array(array($root, 0));
245
246
                while (!empty($stack)) {
247
                        list($root, $level) = array_pop($stack);
248
249
                        if (empty($path[$level])) {
250
                                $path[$level] = array();
251
                        }
252
253
                        foreach ($root as $node => $elements) {
254
                                $pattern = '/^' . str_replace(array_keys(static::$modifiers), array_values(static::$modifiers), $node) . '$/';
255
256
                                if ($node == $aco[$level] || preg_match($pattern, $aco[$level])) {
257
                                        // merge allow/denies with $path of current level
258
                                        foreach (array('allow', 'deny') as $policy) {
259
                                                if (!empty($elements[$policy])) {
260
                                                        if (empty($path[$level][$policy])) {
261
                                                                $path[$level][$policy] = array();
262
                                                        }
263
                                                        $path[$level][$policy] = array_merge($path[$level][$policy], $elements[$policy]);
264
                                                }
265
                                        }
266
267
                                        // traverse
268
                                        if (!empty($elements['children']) && isset($aco[$level + 1])) {
269
                                                array_push($stack, array($elements['children'], $level + 1));
270
                                        }
271
                                }
272
                        }
273
                }
274
275
                return $path;
276
        }
277
278
/**
279
 * allow/deny ARO access to ARO
280
 *
281
 * @param string $aro ARO string
282
 * @param string $aco ACO string
283
 * @param string $action Action string
284
 * @param string $type access type
285
 * @return void
286
 */
287
        public function access($aro, $aco, $action, $type = 'deny') {
288
                $aco = $this->resolve($aco);
289
                $depth = count($aco);
290
                $root = $this->_tree;
291
                $tree = &$root;
292
293
                foreach ($aco as $i => $node) {
294
                        if (!isset($tree[$node])) {
295
                                $tree[$node] = array(
296
                                        'children' => array(),
297
                                );
298
                        }
299
300
                        if ($i < $depth - 1) {
301
                                $tree = &$tree[$node]['children'];
302
                        } else {
303
                                if (empty($tree[$node][$type])) {
304
                                        $tree[$node][$type] = array();
305
                                }
306
307
                                $tree[$node][$type] = array_merge(is_array($aro) ? $aro : array($aro), $tree[$node][$type]);
308
                        }
309
                }
310
311
                $this->_tree = &$root;
312
        }
313
314
/**
315
 * resolve given ACO string to a path
316
 *
317
 * @param string $aco ACO string
318
 * @return array path
319
 */
320
        public function resolve($aco) {
321
                if (is_array($aco)) {
322
                        return array_map('strtolower', $aco);
323
                }
324
325
                // strip multiple occurrences of '/'
326
                $aco = preg_replace('#/+#', '/', $aco);
327
                // make case insensitive
328
                $aco = ltrim(strtolower($aco), '/');
329
                return array_filter(array_map('trim', explode('/', $aco)));
330
        }
331
332
/**
333
 * build a tree representation from the given allow/deny informations for ACO paths
334
 *
335
 * @param array $allow ACO allow rules
336
 * @param array $deny ACO deny rules
337
 * @return void
338
 */
339
        public function build(array $allow, array $deny = array()) {
340
                $this->_tree = array();
341
342
                foreach ($allow as $dotPath => $aros) {
343
                        if (is_string($aros)) {
344
                                $aros = array_map('trim', explode(',', $aros));
345
                        }
346
347
                        $this->access($aros, $dotPath, null, 'allow');
348
                }
349
350
                foreach ($deny as $dotPath => $aros) {
351
                        if (is_string($aros)) {
352
                                $aros = array_map('trim', explode(',', $aros));
353
                        }
354
355
                        $this->access($aros, $dotPath, null, 'deny');
356
                }
357
        }
358
359
}
360
361
/**
362
 * Access Request Object
363
 */
364
class PhpAro {
365
366
/**
367
 * role to resolve to when a provided ARO is not listed in
368
 * the internal tree
369
 *
370
 * @var string
371
 */
372
        const DEFAULT_ROLE = 'Role/default';
373
374
/**
375
 * map external identifiers. E.g. if
376
 *
377
 * array('User' => array('username' => 'jeff', 'role' => 'editor'))
378
 *
379
 * is passed as an ARO to one of the methods of AclComponent, PhpAcl
380
 * will check if it can be resolved to an User or a Role defined in the
381
 * configuration file.
382
 *
383
 * @var array
384
 * @see app/Config/acl.php
385
 */
386
        public $map = array(
387
                'User' => 'User/username',
388
                'Role' => 'User/role',
389
        );
390
391
/**
392
 * aliases to map
393
 *
394
 * @var array
395
 */
396
        public $aliases = array();
397
398
/**
399
 * internal ARO representation
400
 *
401
 * @var array
402
 */
403
        protected $_tree = array();
404
405
/**
406
 * Constructor
407
 *
408
 * @param array $aro The aro data
409
 * @param array $map The identifier mappings
410
 * @param array $aliases The aliases to map.
411
 */
412
        public function __construct(array $aro = array(), array $map = array(), array $aliases = array()) {
413
                if (!empty($map)) {
414
                        $this->map = $map;
415
                }
416
417
                $this->aliases = $aliases;
418
                $this->build($aro);
419
        }
420
421
/**
422
 * From the perspective of the given ARO, walk down the tree and
423
 * collect all inherited AROs levelwise such that AROs from different
424
 * branches with equal distance to the requested ARO will be collected at the same
425
 * index. The resulting array will contain a prioritized list of (list of) roles ordered from
426
 * the most distant AROs to the requested one itself.
427
 *
428
 * @param string|array $aro An ARO identifier
429
 * @return array prioritized AROs
430
 */
431
        public function roles($aro) {
432
                $aros = array();
433
                $aro = $this->resolve($aro);
434
                $stack = array(array($aro, 0));
435
436
                while (!empty($stack)) {
437
                        list($element, $depth) = array_pop($stack);
438
                        $aros[$depth][] = $element;
439
440
                        foreach ($this->_tree as $node => $children) {
441
                                if (in_array($element, $children)) {
442
                                        array_push($stack, array($node, $depth + 1));
443
                                }
444
                        }
445
                }
446
447
                return array_reverse($aros);
448
        }
449
450
/**
451
 * resolve an ARO identifier to an internal ARO string using
452
 * the internal mapping information.
453
 *
454
 * @param string|array $aro ARO identifier (User.jeff, array('User' => ...), etc)
455
 * @return string internal aro string (e.g. User/jeff, Role/default)
456
 */
457
        public function resolve($aro) {
458
                foreach ($this->map as $aroGroup => $map) {
459
                        list ($model, $field) = explode('/', $map, 2);
460
                        $mapped = '';
461
462
                        if (is_array($aro)) {
463
                                if (isset($aro['model']) && isset($aro['foreign_key']) && $aro['model'] === $aroGroup) {
464
                                        $mapped = $aroGroup . '/' . $aro['foreign_key'];
465
                                } elseif (isset($aro[$model][$field])) {
466
                                        $mapped = $aroGroup . '/' . $aro[$model][$field];
467
                                } elseif (isset($aro[$field])) {
468
                                        $mapped = $aroGroup . '/' . $aro[$field];
469
                                }
470
                        } elseif (is_string($aro)) {
471
                                $aro = ltrim($aro, '/');
472
473
                                if (strpos($aro, '/') === false) {
474
                                        $mapped = $aroGroup . '/' . $aro;
475
                                } else {
476
                                        list($aroModel, $aroValue) = explode('/', $aro, 2);
477
478
                                        $aroModel = Inflector::camelize($aroModel);
479
480
                                        if ($aroModel === $model || $aroModel === $aroGroup) {
481
                                                $mapped = $aroGroup . '/' . $aroValue;
482
                                        }
483
                                }
484
                        }
485
486
                        if (isset($this->_tree[$mapped])) {
487
                                return $mapped;
488
                        }
489
490
                        // is there a matching alias defined (e.g. Role/1 => Role/admin)?
491
                        if (!empty($this->aliases[$mapped])) {
492
                                return $this->aliases[$mapped];
493
                        }
494
                }
495
                return static::DEFAULT_ROLE;
496
        }
497
498
/**
499
 * adds a new ARO to the tree
500
 *
501
 * @param array $aro one or more ARO records
502
 * @return void
503
 */
504
        public function addRole(array $aro) {
505
                foreach ($aro as $role => $inheritedRoles) {
506
                        if (!isset($this->_tree[$role])) {
507
                                $this->_tree[$role] = array();
508
                        }
509
510
                        if (!empty($inheritedRoles)) {
511
                                if (is_string($inheritedRoles)) {
512
                                        $inheritedRoles = array_map('trim', explode(',', $inheritedRoles));
513
                                }
514
515
                                foreach ($inheritedRoles as $dependency) {
516
                                        // detect cycles
517
                                        $roles = $this->roles($dependency);
518
519
                                        if (in_array($role, Hash::flatten($roles))) {
520
                                                $path = '';
521
522
                                                foreach ($roles as $roleDependencies) {
523
                                                        $path .= implode('|', (array)$roleDependencies) . ' -> ';
524
                                                }
525
526
                                                trigger_error(__d('cake_dev', 'cycle detected when inheriting %s from %s. Path: %s', $role, $dependency, $path . $role));
527
                                                continue;
528
                                        }
529
530
                                        if (!isset($this->_tree[$dependency])) {
531
                                                $this->_tree[$dependency] = array();
532
                                        }
533
534
                                        $this->_tree[$dependency][] = $role;
535
                                }
536
                        }
537
                }
538
        }
539
540
/**
541
 * adds one or more aliases to the internal map. Overwrites existing entries.
542
 *
543
 * @param array $alias alias from => to (e.g. Role/13 -> Role/editor)
544
 * @return void
545
 */
546
        public function addAlias(array $alias) {
547
                $this->aliases = $alias + $this->aliases;
548
        }
549
550
/**
551
 * build an ARO tree structure for internal processing
552
 *
553
 * @param array $aros array of AROs as key and their inherited AROs as values
554
 * @return void
555
 */
556
        public function build(array $aros) {
557
                $this->_tree = array();
558
                $this->addRole($aros);
559
        }
560
561
}