icingaweb2/library/Icinga/Authentication/Role.php

<?php
/* Icinga Web 2 | (c) 2016 Icinga Development Team | GPLv2+ */

namespace Icinga\Authentication;

class Role
{
    /**
     * Name of the role
     *
     * @var string
     */
    protected $name;

    /**
     * Permissions of the role
     *
     * @var string[]
     */
    protected $permissions = [];

    /**
     * Refusals of the role
     *
     * @var string[]
     */
    protected $refusals = [];

    /**
     * Restrictions of the role
     *
     * @var string[]
     */
    protected $restrictions = [];

    /**
     * Get the name of the role
     *
     * @return  string
     */
    public function getName()
    {
        return $this->name;
    }

    /**
     * Set the name of the role
     *
     * @param   string  $name
     *
     * @return  $this
     */
    public function setName($name)
    {
        $this->name = $name;

        return $this;
    }

    /**
     * Get the permissions of the role
     *
     * @return  string[]
     */
    public function getPermissions()
    {
        return $this->permissions;
    }

    /**
     * Set the permissions of the role
     *
     * @param   string[]    $permissions
     *
     * @return  $this
     */
    public function setPermissions(array $permissions)
    {
        $this->permissions = $permissions;

        return $this;
    }

    /**
     * Get the refusals of the role
     *
     * @return string[]
     */
    public function getRefusals()
    {
        return $this->refusals;
    }

    /**
     * Set the refusals of the role
     *
     * @param array $refusals
     *
     * @return $this
     */
    public function setRefusals(array $refusals)
    {
        $this->refusals = $refusals;

        return $this;
    }

    /**
     * Get the restrictions of the role
     *
     * @param   string  $name   Optional name of the restriction
     *
     * @return  string[]|null
     */
    public function getRestrictions($name = null)
    {
        $restrictions = $this->restrictions;

        if ($name === null) {
            return $restrictions;
        }

        if (isset($restrictions[$name])) {
            return $restrictions[$name];
        }

        return null;
    }

    /**
     * Set the restrictions of the role
     *
     * @param   string[]    $restrictions
     *
     * @return  $this
     */
    public function setRestrictions(array $restrictions)
    {
        $this->restrictions = $restrictions;

        return $this;
    }

    /**
     * Whether this role grants the given permission
     *
     * @param string $permission
     *
     * @return bool
     */
    public function grants($permission)
    {
        foreach ($this->permissions as $grantedPermission) {
            if ($this->match($grantedPermission, $permission)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Whether this role denies the given permission
     *
     * @param string $permission
     *
     * @return bool
     */
    public function denies($permission)
    {
        foreach ($this->refusals as $refusedPermission) {
            if ($this->match($refusedPermission, $permission, false)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Get whether the role expression matches the required permission
     *
     * @param string $roleExpression
     * @param string $requiredPermission
     * @param bool $cascadeUpwards `false` if `foo/bar/*` and `foo/bar/raboof` should not match `foo/*`
     *
     * @return bool
     */
    protected function match($roleExpression, $requiredPermission, $cascadeUpwards = true)
    {
        if ($roleExpression === '*' || $roleExpression === $requiredPermission) {
            return true;
        }

        $requiredWildcard = strpos($requiredPermission, '*');
        if ($requiredWildcard !== false) {
            if (($grantedWildcard = strpos($roleExpression, '*')) !== false) {
                $wildcard = $cascadeUpwards ? min($requiredWildcard, $grantedWildcard) : $grantedWildcard;
            } else {
                $wildcard = $cascadeUpwards ? $requiredWildcard : false;
            }
        } else {
            $wildcard = strpos($roleExpression, '*');
        }

        if ($wildcard !== false && $wildcard > 0) {
            if (substr($requiredPermission, 0, $wildcard) === substr($roleExpression, 0, $wildcard)) {
                return true;
            }
        } elseif ($requiredPermission === $roleExpression) {
            return true;
        }

        return false;
    }
}
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00			`<?php`
			`/* Icinga Web 2 \| (c) 2016 Icinga Development Team \| GPLv2+ */`

			`namespace Icinga\Authentication;`

			`class Role`
			`{`
			`/**`
			`* Name of the role`
			`*`
			`* @var string`
			`*/`
			`protected $name;`

			`/**`
			`* Permissions of the role`
			`*`
			`* @var string[]`
			`*/`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`protected $permissions = [];`

			`/**`
			`* Refusals of the role`
			`*`
			`* @var string[]`
			`*/`
			`protected $refusals = [];`
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00
			`/**`
			`* Restrictions of the role`
			`*`
			`* @var string[]`
			`*/`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`protected $restrictions = [];`
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00
			`/**`
			`* Get the name of the role`
			`*`
			`* @return string`
			`*/`
			`public function getName()`
			`{`
			`return $this->name;`
			`}`

			`/**`
			`* Set the name of the role`
			`*`
			`* @param string $name`
			`*`
			`* @return $this`
			`*/`
			`public function setName($name)`
			`{`
			`$this->name = $name;`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00			`return $this;`
			`}`

Role: implement setPermissions() and setRestrictions() refs #10887 2016-03-24 16:11:31 +01:00			`/**`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`* Get the permissions of the role`
Role: implement setPermissions() and setRestrictions() refs #10887 2016-03-24 16:11:31 +01:00			`*`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`* @return string[]`
Role: implement setPermissions() and setRestrictions() refs #10887 2016-03-24 16:11:31 +01:00			`*/`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`public function getPermissions()`
Role: implement setPermissions() and setRestrictions() refs #10887 2016-03-24 16:11:31 +01:00			`{`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`return $this->permissions;`
Role: implement setPermissions() and setRestrictions() refs #10887 2016-03-24 16:11:31 +01:00			`}`

lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00			`/**`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`* Set the permissions of the role`
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00			`*`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`* @param string[] $permissions`
			`*`
			`* @return $this`
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00			`*/`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`public function setPermissions(array $permissions)`
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00			`{`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`$this->permissions = $permissions;`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00
			`return $this;`
			`}`

			`/**`
			`* Get the refusals of the role`
			`*`
			`* @return string[]`
			`*/`
			`public function getRefusals()`
			`{`
			`return $this->refusals;`
			`}`

			`/**`
			`* Set the refusals of the role`
			`*`
			`* @param array $refusals`
			`*`
			`* @return $this`
			`*/`
			`public function setRefusals(array $refusals)`
			`{`
			`$this->refusals = $refusals;`

Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`return $this;`
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00			`}`

			`/**`
			`* Get the restrictions of the role`
			`*`
			`* @param string $name Optional name of the restriction`
			`*`
			`* @return string[]\|null`
			`*/`
			`public function getRestrictions($name = null)`
			`{`
			`$restrictions = $this->restrictions;`

			`if ($name === null) {`
			`return $restrictions;`
			`}`

			`if (isset($restrictions[$name])) {`
			`return $restrictions[$name];`
			`}`

			`return null;`
			`}`
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00
			`/**`
			`* Set the restrictions of the role`
			`*`
			`* @param string[] $restrictions`
			`*`
			`* @return $this`
			`*/`
			`public function setRestrictions(array $restrictions)`
			`{`
			`$this->restrictions = $restrictions;`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00
Move setters after getter in Role.php refs #10887 2016-03-29 11:19:03 +02:00			`return $this;`
			`}`
Move permission match code from class `User` to `Role` 2021-01-22 15:47:36 +01:00
			`/**`
			`* Whether this role grants the given permission`
			`*`
			`* @param string $permission`
			`*`
			`* @return bool`
			`*/`
			`public function grants($permission)`
			`{`
			`foreach ($this->permissions as $grantedPermission) {`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`if ($this->match($grantedPermission, $permission)) {`
			`return true;`
			`}`
			`}`

			`return false;`
			`}`

			`/**`
			`* Whether this role denies the given permission`
			`*`
			`* @param string $permission`
			`*`
			`* @return bool`
			`*/`
			`public function denies($permission)`
			`{`
			`foreach ($this->refusals as $refusedPermission) {`
			`if ($this->match($refusedPermission, $permission, false)) {`
Move permission match code from class `User` to `Role` 2021-01-22 15:47:36 +01:00			`return true;`
			`}`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`}`
Move permission match code from class `User` to `Role` 2021-01-22 15:47:36 +01:00
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`return false;`
			`}`

			`/**`
			`* Get whether the role expression matches the required permission`
			`*`
			`* @param string $roleExpression`
			`* @param string $requiredPermission`
			* @param bool $cascadeUpwards `false` if `foo/bar/` and `foo/bar/raboof` should not match `foo/`
			`*`
			`* @return bool`
			`*/`
			`protected function match($roleExpression, $requiredPermission, $cascadeUpwards = true)`
			`{`
			`if ($roleExpression === '*' \|\| $roleExpression === $requiredPermission) {`
			`return true;`
			`}`

			`$requiredWildcard = strpos($requiredPermission, '*');`
			`if ($requiredWildcard !== false) {`
			`if (($grantedWildcard = strpos($roleExpression, '*')) !== false) {`
			`$wildcard = $cascadeUpwards ? min($requiredWildcard, $grantedWildcard) : $grantedWildcard;`
Move permission match code from class `User` to `Role` 2021-01-22 15:47:36 +01:00			`} else {`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`$wildcard = $cascadeUpwards ? $requiredWildcard : false;`
Move permission match code from class `User` to `Role` 2021-01-22 15:47:36 +01:00			`}`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`} else {`
			`$wildcard = strpos($roleExpression, '*');`
			`}`
Move permission match code from class `User` to `Role` 2021-01-22 15:47:36 +01:00
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`if ($wildcard !== false && $wildcard > 0) {`
			`if (substr($requiredPermission, 0, $wildcard) === substr($roleExpression, 0, $wildcard)) {`
Move permission match code from class `User` to `Role` 2021-01-22 15:47:36 +01:00			`return true;`
			`}`
Auth: Add support for denied permissions 2021-01-29 15:48:48 +01:00			`} elseif ($requiredPermission === $roleExpression) {`
			`return true;`
Move permission match code from class `User` to `Role` 2021-01-22 15:47:36 +01:00			`}`

			`return false;`
			`}`
lib: Add Authentication/Role refs #10887 2016-03-24 15:29:39 +01:00			`}`