pictcode / lib / Cake / Controller / Component / Acl / PhpAcl.php @ 635eef61
履歴 | 表示 | アノテート | ダウンロード (13.458 KB)
1 | 635eef61 | spyder1211 | <?php
|
---|---|---|---|
2 | /**
|
||
3 | * PHP configuration based AclInterface implementation
|
||
4 | *
|
||
5 | * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
|
||
6 | * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
||
7 | *
|
||
8 | * Licensed under The MIT License
|
||
9 | * For full copyright and license information, please see the LICENSE.txt
|
||
10 | * Redistributions of files must retain the above copyright notice.
|
||
11 | *
|
||
12 | * @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
||
13 | * @link http://cakephp.org CakePHP(tm) Project
|
||
14 | * @package Cake.Controller.Component.Acl
|
||
15 | * @since CakePHP(tm) v 2.1
|
||
16 | * @license http://www.opensource.org/licenses/mit-license.php MIT License
|
||
17 | */
|
||
18 | |||
19 | /**
|
||
20 | * PhpAcl implements an access control system using a plain PHP configuration file.
|
||
21 | * An example file can be found in app/Config/acl.php
|
||
22 | *
|
||
23 | * @package Cake.Controller.Component.Acl
|
||
24 | */
|
||
25 | class PhpAcl extends Object implements AclInterface { |
||
26 | |||
27 | /**
|
||
28 | * Constant for deny
|
||
29 | *
|
||
30 | * @var bool
|
||
31 | */
|
||
32 | const DENY = false; |
||
33 | |||
34 | /**
|
||
35 | * Constant for allow
|
||
36 | *
|
||
37 | * @var bool
|
||
38 | */
|
||
39 | const ALLOW = true; |
||
40 | |||
41 | /**
|
||
42 | * Options:
|
||
43 | * - policy: determines behavior of the check method. Deny policy needs explicit allow rules, allow policy needs explicit deny rules
|
||
44 | * - config: absolute path to config file that contains the acl rules (@see app/Config/acl.php)
|
||
45 | *
|
||
46 | * @var array
|
||
47 | */
|
||
48 | public $options = array(); |
||
49 | |||
50 | /**
|
||
51 | * Aro Object
|
||
52 | *
|
||
53 | * @var PhpAro
|
||
54 | */
|
||
55 | public $Aro = null; |
||
56 | |||
57 | /**
|
||
58 | * Aco Object
|
||
59 | *
|
||
60 | * @var PhpAco
|
||
61 | */
|
||
62 | public $Aco = null; |
||
63 | |||
64 | /**
|
||
65 | * Constructor
|
||
66 | *
|
||
67 | * Sets a few default settings up.
|
||
68 | */
|
||
69 | public function __construct() { |
||
70 | $this->options = array( |
||
71 | 'policy' => static::DENY, |
||
72 | 'config' => APP . 'Config' . DS . 'acl.php', |
||
73 | ); |
||
74 | } |
||
75 | |||
76 | /**
|
||
77 | * Initialize method
|
||
78 | *
|
||
79 | * @param AclComponent $Component Component instance
|
||
80 | * @return void
|
||
81 | */
|
||
82 | public function initialize(Component $Component) { |
||
83 | if (!empty($Component->settings['adapter'])) { |
||
84 | $this->options = $Component->settings['adapter'] + $this->options; |
||
85 | } |
||
86 | |||
87 | App::uses('PhpReader', 'Configure'); |
||
88 | $Reader = new PhpReader(dirname($this->options['config']) . DS); |
||
89 | $config = $Reader->read(basename($this->options['config'])); |
||
90 | $this->build($config); |
||
91 | $Component->Aco = $this->Aco; |
||
92 | $Component->Aro = $this->Aro; |
||
93 | } |
||
94 | |||
95 | /**
|
||
96 | * build and setup internal ACL representation
|
||
97 | *
|
||
98 | * @param array $config configuration array, see docs
|
||
99 | * @return void
|
||
100 | * @throws AclException When required keys are missing.
|
||
101 | */
|
||
102 | public function build(array $config) { |
||
103 | if (empty($config['roles'])) { |
||
104 | throw new AclException(__d('cake_dev', '"roles" section not found in configuration.')); |
||
105 | } |
||
106 | |||
107 | if (empty($config['rules']['allow']) && empty($config['rules']['deny'])) { |
||
108 | throw new AclException(__d('cake_dev', 'Neither "allow" nor "deny" rules were provided in configuration.')); |
||
109 | } |
||
110 | |||
111 | $rules['allow'] = !empty($config['rules']['allow']) ? $config['rules']['allow'] : array(); |
||
112 | $rules['deny'] = !empty($config['rules']['deny']) ? $config['rules']['deny'] : array(); |
||
113 | $roles = !empty($config['roles']) ? $config['roles'] : array(); |
||
114 | $map = !empty($config['map']) ? $config['map'] : array(); |
||
115 | $alias = !empty($config['alias']) ? $config['alias'] : array(); |
||
116 | |||
117 | $this->Aro = new PhpAro($roles, $map, $alias); |
||
118 | $this->Aco = new PhpAco($rules); |
||
119 | } |
||
120 | |||
121 | /**
|
||
122 | * No op method, allow cannot be done with PhpAcl
|
||
123 | *
|
||
124 | * @param string $aro ARO The requesting object identifier.
|
||
125 | * @param string $aco ACO The controlled object identifier.
|
||
126 | * @param string $action Action (defaults to *)
|
||
127 | * @return bool Success
|
||
128 | */
|
||
129 | public function allow($aro, $aco, $action = "*") { |
||
130 | return $this->Aco->access($this->Aro->resolve($aro), $aco, $action, 'allow'); |
||
131 | } |
||
132 | |||
133 | /**
|
||
134 | * deny ARO access to ACO
|
||
135 | *
|
||
136 | * @param string $aro ARO The requesting object identifier.
|
||
137 | * @param string $aco ACO The controlled object identifier.
|
||
138 | * @param string $action Action (defaults to *)
|
||
139 | * @return bool Success
|
||
140 | */
|
||
141 | public function deny($aro, $aco, $action = "*") { |
||
142 | return $this->Aco->access($this->Aro->resolve($aro), $aco, $action, 'deny'); |
||
143 | } |
||
144 | |||
145 | /**
|
||
146 | * No op method
|
||
147 | *
|
||
148 | * @param string $aro ARO The requesting object identifier.
|
||
149 | * @param string $aco ACO The controlled object identifier.
|
||
150 | * @param string $action Action (defaults to *)
|
||
151 | * @return bool Success
|
||
152 | */
|
||
153 | public function inherit($aro, $aco, $action = "*") { |
||
154 | return false; |
||
155 | } |
||
156 | |||
157 | /**
|
||
158 | * Main ACL check function. Checks to see if the ARO (access request object) has access to the
|
||
159 | * ACO (access control object).
|
||
160 | *
|
||
161 | * @param string $aro ARO
|
||
162 | * @param string $aco ACO
|
||
163 | * @param string $action Action
|
||
164 | * @return bool true if access is granted, false otherwise
|
||
165 | */
|
||
166 | public function check($aro, $aco, $action = "*") { |
||
167 | $allow = $this->options['policy']; |
||
168 | $prioritizedAros = $this->Aro->roles($aro); |
||
169 | |||
170 | if ($action && $action !== "*") { |
||
171 | $aco .= '/' . $action; |
||
172 | } |
||
173 | |||
174 | $path = $this->Aco->path($aco); |
||
175 | |||
176 | if (empty($path)) { |
||
177 | return $allow; |
||
178 | } |
||
179 | |||
180 | foreach ($path as $node) { |
||
181 | foreach ($prioritizedAros as $aros) { |
||
182 | if (!empty($node['allow'])) { |
||
183 | $allow = $allow || count(array_intersect($node['allow'], $aros)); |
||
184 | } |
||
185 | |||
186 | if (!empty($node['deny'])) { |
||
187 | $allow = $allow && !count(array_intersect($node['deny'], $aros)); |
||
188 | } |
||
189 | } |
||
190 | } |
||
191 | |||
192 | return $allow; |
||
193 | } |
||
194 | |||
195 | } |
||
196 | |||
197 | /**
|
||
198 | * Access Control Object
|
||
199 | */
|
||
200 | class PhpAco { |
||
201 | |||
202 | /**
|
||
203 | * holds internal ACO representation
|
||
204 | *
|
||
205 | * @var array
|
||
206 | */
|
||
207 | protected $_tree = array(); |
||
208 | |||
209 | /**
|
||
210 | * map modifiers for ACO paths to their respective PCRE pattern
|
||
211 | *
|
||
212 | * @var array
|
||
213 | */
|
||
214 | public static $modifiers = array( |
||
215 | '*' => '.*', |
||
216 | ); |
||
217 | |||
218 | /**
|
||
219 | * Constructor
|
||
220 | *
|
||
221 | * @param array $rules Rules array
|
||
222 | */
|
||
223 | public function __construct(array $rules = array()) { |
||
224 | foreach (array('allow', 'deny') as $type) { |
||
225 | if (empty($rules[$type])) { |
||
226 | $rules[$type] = array(); |
||
227 | } |
||
228 | } |
||
229 | |||
230 | $this->build($rules['allow'], $rules['deny']); |
||
231 | } |
||
232 | |||
233 | /**
|
||
234 | * return path to the requested ACO with allow and deny rules attached on each level
|
||
235 | *
|
||
236 | * @param string $aco ACO string
|
||
237 | * @return array
|
||
238 | */
|
||
239 | public function path($aco) { |
||
240 | $aco = $this->resolve($aco); |
||
241 | $path = array(); |
||
242 | $level = 0; |
||
243 | $root = $this->_tree; |
||
244 | $stack = array(array($root, 0)); |
||
245 | |||
246 | while (!empty($stack)) { |
||
247 | list($root, $level) = array_pop($stack); |
||
248 | |||
249 | if (empty($path[$level])) { |
||
250 | $path[$level] = array(); |
||
251 | } |
||
252 | |||
253 | foreach ($root as $node => $elements) { |
||
254 | $pattern = '/^' . str_replace(array_keys(static::$modifiers), array_values(static::$modifiers), $node) . '$/'; |
||
255 | |||
256 | if ($node == $aco[$level] || preg_match($pattern, $aco[$level])) { |
||
257 | // merge allow/denies with $path of current level
|
||
258 | foreach (array('allow', 'deny') as $policy) { |
||
259 | if (!empty($elements[$policy])) { |
||
260 | if (empty($path[$level][$policy])) { |
||
261 | $path[$level][$policy] = array(); |
||
262 | } |
||
263 | $path[$level][$policy] = array_merge($path[$level][$policy], $elements[$policy]); |
||
264 | } |
||
265 | } |
||
266 | |||
267 | // traverse
|
||
268 | if (!empty($elements['children']) && isset($aco[$level + 1])) { |
||
269 | array_push($stack, array($elements['children'], $level + 1)); |
||
270 | } |
||
271 | } |
||
272 | } |
||
273 | } |
||
274 | |||
275 | return $path; |
||
276 | } |
||
277 | |||
278 | /**
|
||
279 | * allow/deny ARO access to ARO
|
||
280 | *
|
||
281 | * @param string $aro ARO string
|
||
282 | * @param string $aco ACO string
|
||
283 | * @param string $action Action string
|
||
284 | * @param string $type access type
|
||
285 | * @return void
|
||
286 | */
|
||
287 | public function access($aro, $aco, $action, $type = 'deny') { |
||
288 | $aco = $this->resolve($aco); |
||
289 | $depth = count($aco); |
||
290 | $root = $this->_tree; |
||
291 | $tree = &$root; |
||
292 | |||
293 | foreach ($aco as $i => $node) { |
||
294 | if (!isset($tree[$node])) { |
||
295 | $tree[$node] = array( |
||
296 | 'children' => array(), |
||
297 | ); |
||
298 | } |
||
299 | |||
300 | if ($i < $depth - 1) { |
||
301 | $tree = &$tree[$node]['children']; |
||
302 | } else {
|
||
303 | if (empty($tree[$node][$type])) { |
||
304 | $tree[$node][$type] = array(); |
||
305 | } |
||
306 | |||
307 | $tree[$node][$type] = array_merge(is_array($aro) ? $aro : array($aro), $tree[$node][$type]); |
||
308 | } |
||
309 | } |
||
310 | |||
311 | $this->_tree = &$root; |
||
312 | } |
||
313 | |||
314 | /**
|
||
315 | * resolve given ACO string to a path
|
||
316 | *
|
||
317 | * @param string $aco ACO string
|
||
318 | * @return array path
|
||
319 | */
|
||
320 | public function resolve($aco) { |
||
321 | if (is_array($aco)) { |
||
322 | return array_map('strtolower', $aco); |
||
323 | } |
||
324 | |||
325 | // strip multiple occurrences of '/'
|
||
326 | $aco = preg_replace('#/+#', '/', $aco); |
||
327 | // make case insensitive
|
||
328 | $aco = ltrim(strtolower($aco), '/'); |
||
329 | return array_filter(array_map('trim', explode('/', $aco))); |
||
330 | } |
||
331 | |||
332 | /**
|
||
333 | * build a tree representation from the given allow/deny informations for ACO paths
|
||
334 | *
|
||
335 | * @param array $allow ACO allow rules
|
||
336 | * @param array $deny ACO deny rules
|
||
337 | * @return void
|
||
338 | */
|
||
339 | public function build(array $allow, array $deny = array()) { |
||
340 | $this->_tree = array(); |
||
341 | |||
342 | foreach ($allow as $dotPath => $aros) { |
||
343 | if (is_string($aros)) { |
||
344 | $aros = array_map('trim', explode(',', $aros)); |
||
345 | } |
||
346 | |||
347 | $this->access($aros, $dotPath, null, 'allow'); |
||
348 | } |
||
349 | |||
350 | foreach ($deny as $dotPath => $aros) { |
||
351 | if (is_string($aros)) { |
||
352 | $aros = array_map('trim', explode(',', $aros)); |
||
353 | } |
||
354 | |||
355 | $this->access($aros, $dotPath, null, 'deny'); |
||
356 | } |
||
357 | } |
||
358 | |||
359 | } |
||
360 | |||
361 | /**
|
||
362 | * Access Request Object
|
||
363 | */
|
||
364 | class PhpAro { |
||
365 | |||
366 | /**
|
||
367 | * role to resolve to when a provided ARO is not listed in
|
||
368 | * the internal tree
|
||
369 | *
|
||
370 | * @var string
|
||
371 | */
|
||
372 | const DEFAULT_ROLE = 'Role/default'; |
||
373 | |||
374 | /**
|
||
375 | * map external identifiers. E.g. if
|
||
376 | *
|
||
377 | * array('User' => array('username' => 'jeff', 'role' => 'editor'))
|
||
378 | *
|
||
379 | * is passed as an ARO to one of the methods of AclComponent, PhpAcl
|
||
380 | * will check if it can be resolved to an User or a Role defined in the
|
||
381 | * configuration file.
|
||
382 | *
|
||
383 | * @var array
|
||
384 | * @see app/Config/acl.php
|
||
385 | */
|
||
386 | public $map = array( |
||
387 | 'User' => 'User/username', |
||
388 | 'Role' => 'User/role', |
||
389 | ); |
||
390 | |||
391 | /**
|
||
392 | * aliases to map
|
||
393 | *
|
||
394 | * @var array
|
||
395 | */
|
||
396 | public $aliases = array(); |
||
397 | |||
398 | /**
|
||
399 | * internal ARO representation
|
||
400 | *
|
||
401 | * @var array
|
||
402 | */
|
||
403 | protected $_tree = array(); |
||
404 | |||
405 | /**
|
||
406 | * Constructor
|
||
407 | *
|
||
408 | * @param array $aro The aro data
|
||
409 | * @param array $map The identifier mappings
|
||
410 | * @param array $aliases The aliases to map.
|
||
411 | */
|
||
412 | public function __construct(array $aro = array(), array $map = array(), array $aliases = array()) { |
||
413 | if (!empty($map)) { |
||
414 | $this->map = $map; |
||
415 | } |
||
416 | |||
417 | $this->aliases = $aliases; |
||
418 | $this->build($aro); |
||
419 | } |
||
420 | |||
421 | /**
|
||
422 | * From the perspective of the given ARO, walk down the tree and
|
||
423 | * collect all inherited AROs levelwise such that AROs from different
|
||
424 | * branches with equal distance to the requested ARO will be collected at the same
|
||
425 | * index. The resulting array will contain a prioritized list of (list of) roles ordered from
|
||
426 | * the most distant AROs to the requested one itself.
|
||
427 | *
|
||
428 | * @param string|array $aro An ARO identifier
|
||
429 | * @return array prioritized AROs
|
||
430 | */
|
||
431 | public function roles($aro) { |
||
432 | $aros = array(); |
||
433 | $aro = $this->resolve($aro); |
||
434 | $stack = array(array($aro, 0)); |
||
435 | |||
436 | while (!empty($stack)) { |
||
437 | list($element, $depth) = array_pop($stack); |
||
438 | $aros[$depth][] = $element; |
||
439 | |||
440 | foreach ($this->_tree as $node => $children) { |
||
441 | if (in_array($element, $children)) { |
||
442 | array_push($stack, array($node, $depth + 1)); |
||
443 | } |
||
444 | } |
||
445 | } |
||
446 | |||
447 | return array_reverse($aros); |
||
448 | } |
||
449 | |||
450 | /**
|
||
451 | * resolve an ARO identifier to an internal ARO string using
|
||
452 | * the internal mapping information.
|
||
453 | *
|
||
454 | * @param string|array $aro ARO identifier (User.jeff, array('User' => ...), etc)
|
||
455 | * @return string internal aro string (e.g. User/jeff, Role/default)
|
||
456 | */
|
||
457 | public function resolve($aro) { |
||
458 | foreach ($this->map as $aroGroup => $map) { |
||
459 | list ($model, $field) = explode('/', $map, 2); |
||
460 | $mapped = ''; |
||
461 | |||
462 | if (is_array($aro)) { |
||
463 | if (isset($aro['model']) && isset($aro['foreign_key']) && $aro['model'] === $aroGroup) { |
||
464 | $mapped = $aroGroup . '/' . $aro['foreign_key']; |
||
465 | } elseif (isset($aro[$model][$field])) { |
||
466 | $mapped = $aroGroup . '/' . $aro[$model][$field]; |
||
467 | } elseif (isset($aro[$field])) { |
||
468 | $mapped = $aroGroup . '/' . $aro[$field]; |
||
469 | } |
||
470 | } elseif (is_string($aro)) { |
||
471 | $aro = ltrim($aro, '/'); |
||
472 | |||
473 | if (strpos($aro, '/') === false) { |
||
474 | $mapped = $aroGroup . '/' . $aro; |
||
475 | } else {
|
||
476 | list($aroModel, $aroValue) = explode('/', $aro, 2); |
||
477 | |||
478 | $aroModel = Inflector::camelize($aroModel); |
||
479 | |||
480 | if ($aroModel === $model || $aroModel === $aroGroup) { |
||
481 | $mapped = $aroGroup . '/' . $aroValue; |
||
482 | } |
||
483 | } |
||
484 | } |
||
485 | |||
486 | if (isset($this->_tree[$mapped])) { |
||
487 | return $mapped; |
||
488 | } |
||
489 | |||
490 | // is there a matching alias defined (e.g. Role/1 => Role/admin)?
|
||
491 | if (!empty($this->aliases[$mapped])) { |
||
492 | return $this->aliases[$mapped]; |
||
493 | } |
||
494 | } |
||
495 | return static::DEFAULT_ROLE; |
||
496 | } |
||
497 | |||
498 | /**
|
||
499 | * adds a new ARO to the tree
|
||
500 | *
|
||
501 | * @param array $aro one or more ARO records
|
||
502 | * @return void
|
||
503 | */
|
||
504 | public function addRole(array $aro) { |
||
505 | foreach ($aro as $role => $inheritedRoles) { |
||
506 | if (!isset($this->_tree[$role])) { |
||
507 | $this->_tree[$role] = array(); |
||
508 | } |
||
509 | |||
510 | if (!empty($inheritedRoles)) { |
||
511 | if (is_string($inheritedRoles)) { |
||
512 | $inheritedRoles = array_map('trim', explode(',', $inheritedRoles)); |
||
513 | } |
||
514 | |||
515 | foreach ($inheritedRoles as $dependency) { |
||
516 | // detect cycles
|
||
517 | $roles = $this->roles($dependency); |
||
518 | |||
519 | if (in_array($role, Hash::flatten($roles))) { |
||
520 | $path = ''; |
||
521 | |||
522 | foreach ($roles as $roleDependencies) { |
||
523 | $path .= implode('|', (array)$roleDependencies) . ' -> '; |
||
524 | } |
||
525 | |||
526 | trigger_error(__d('cake_dev', 'cycle detected when inheriting %s from %s. Path: %s', $role, $dependency, $path . $role)); |
||
527 | continue;
|
||
528 | } |
||
529 | |||
530 | if (!isset($this->_tree[$dependency])) { |
||
531 | $this->_tree[$dependency] = array(); |
||
532 | } |
||
533 | |||
534 | $this->_tree[$dependency][] = $role; |
||
535 | } |
||
536 | } |
||
537 | } |
||
538 | } |
||
539 | |||
540 | /**
|
||
541 | * adds one or more aliases to the internal map. Overwrites existing entries.
|
||
542 | *
|
||
543 | * @param array $alias alias from => to (e.g. Role/13 -> Role/editor)
|
||
544 | * @return void
|
||
545 | */
|
||
546 | public function addAlias(array $alias) { |
||
547 | $this->aliases = $alias + $this->aliases; |
||
548 | } |
||
549 | |||
550 | /**
|
||
551 | * build an ARO tree structure for internal processing
|
||
552 | *
|
||
553 | * @param array $aros array of AROs as key and their inherited AROs as values
|
||
554 | * @return void
|
||
555 | */
|
||
556 | public function build(array $aros) { |
||
557 | $this->_tree = array(); |
||
558 | $this->addRole($aros); |
||
559 | } |
||
560 | |||
561 | } |