2014-02-12 17:01:11 +01:00
|
|
|
<?php
|
|
|
|
// {{{ICINGA_LICENSE_HEADER}}}
|
|
|
|
// {{{ICINGA_LICENSE_HEADER}}}}
|
|
|
|
|
|
|
|
namespace Icinga\Authentication;
|
|
|
|
|
|
|
|
use Icinga\Application\Config;
|
2014-11-19 15:10:09 +01:00
|
|
|
use Icinga\Application\Logger;
|
2014-03-03 17:21:17 +01:00
|
|
|
use Icinga\Exception\NotReadableError;
|
2014-11-18 13:11:52 +01:00
|
|
|
use Icinga\Data\ConfigObject;
|
2014-10-20 13:36:37 +02:00
|
|
|
use Icinga\User;
|
2014-02-12 17:01:11 +01:00
|
|
|
use Icinga\Util\String;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Retrieve restrictions and permissions for users
|
|
|
|
*/
|
|
|
|
class AdmissionLoader
|
|
|
|
{
|
|
|
|
/**
|
2014-11-18 13:11:52 +01:00
|
|
|
* @param string $username
|
|
|
|
* @param array $userGroups
|
|
|
|
* @param ConfigObject $section
|
2014-02-12 17:01:11 +01:00
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*/
|
2014-11-18 13:11:52 +01:00
|
|
|
protected function match($username, $userGroups, ConfigObject $section)
|
2014-02-12 17:01:11 +01:00
|
|
|
{
|
2014-10-20 13:36:37 +02:00
|
|
|
$username = strtolower($username);
|
|
|
|
if (! empty($section->users)) {
|
|
|
|
$users = array_map('strtolower', String::trimSplit($section->users));
|
|
|
|
if (in_array($username, $users)) {
|
|
|
|
return true;
|
|
|
|
}
|
2014-02-12 17:01:11 +01:00
|
|
|
}
|
2014-10-20 13:36:37 +02:00
|
|
|
if (! empty($section->groups)) {
|
|
|
|
$groups = array_map('strtolower', String::trimSplit($section->groups));
|
|
|
|
foreach ($userGroups as $userGroup) {
|
|
|
|
if (in_array(strtolower($userGroup), $groups)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
2014-02-12 17:01:11 +01:00
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2014-11-19 15:10:09 +01:00
|
|
|
* Get user permissions and restrictions
|
|
|
|
*
|
|
|
|
* @param User $user
|
|
|
|
*
|
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
public function getPermissionsAndRestrictions(User $user)
|
|
|
|
{
|
|
|
|
$permissions = array();
|
|
|
|
$restrictions = array();
|
|
|
|
$username = $user->getUsername();
|
|
|
|
try {
|
|
|
|
$roles = Config::app('roles');
|
|
|
|
} catch (NotReadableError $e) {
|
|
|
|
Logger::error(
|
|
|
|
'Can\'t get permissions and restrictions for user \'%s\'. An exception was thrown:',
|
|
|
|
$username,
|
|
|
|
$e
|
|
|
|
);
|
|
|
|
return array($permissions, $restrictions);
|
|
|
|
}
|
|
|
|
$userGroups = $user->getGroups();
|
|
|
|
foreach ($roles as $role) {
|
|
|
|
if ($this->match($username, $userGroups, $role)) {
|
|
|
|
$permissions = array_merge(
|
|
|
|
$permissions,
|
|
|
|
array_diff(String::trimSplit($role->permissions), $permissions)
|
|
|
|
);
|
|
|
|
$restrictionsFromRole = $role->toArray();
|
|
|
|
unset($restrictionsFromRole['users']);
|
|
|
|
unset($restrictionsFromRole['groups']);
|
|
|
|
unset($restrictionsFromRole['permissions']);
|
|
|
|
foreach ($restrictionsFromRole as $name => $restriction) {
|
|
|
|
if (! isset($restrictions[$name])) {
|
|
|
|
$restrictions[$name] = array();
|
|
|
|
}
|
|
|
|
$restrictions[$name][] = $restriction;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return array($permissions, $restrictions);
|
|
|
|
}
|
2014-02-12 17:01:11 +01:00
|
|
|
}
|