From b01a9a65e06e2e1e510dd5fbec622fb26817db4b Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Wed, 19 Nov 2014 15:10:09 +0100
Subject: [PATCH] Security: Introduce AdmissionLoader::getPermissionsAndRestrictions() for loading permissins and restrictions from roles.ini

When loading from roles.ini there's currently an empty permission added which is of course a bug and will be fixed asap.

refs #5647
---
 .../Icinga/Authentication/AdmissionLoader.php | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/library/Icinga/Authentication/AdmissionLoader.php b/library/Icinga/Authentication/AdmissionLoader.php
index 65d99f427..4a65d1595 100644
--- a/library/Icinga/Authentication/AdmissionLoader.php
+++ b/library/Icinga/Authentication/AdmissionLoader.php
@@ -5,6 +5,7 @@ namespace Icinga\Authentication;
 use Icinga\Application\Config;
+use Icinga\Application\Logger;
 use Icinga\Exception\NotReadableError;
 use Icinga\Data\ConfigObject;
 use Icinga\User;
@@ -42,6 +43,50 @@ class AdmissionLoader
 return false;
 }
+ /**
+ * Get user permissions and restrictions
+ *
+ * @param User $user
+ *
+ * @return array
+ */
+ public function getPermissionsAndRestrictions(User $user)
+ {
+ $permissions = array();
+ $restrictions = array();
+ $username = $user->getUsername();
+ try {
+ $roles = Config::app('roles');
+ } catch (NotReadableError $e) {
+ Logger::error(
+ 'Can\'t get permissions and restrictions for user \'%s\'. An exception was thrown:',
+ $username,
+ $e
+ );
+ return array($permissions, $restrictions);
+ }
+ $userGroups = $user->getGroups();
+ foreach ($roles as $role) {
+ if ($this->match($username, $userGroups, $role)) {
+ $permissions = array_merge(
+ $permissions,
+ array_diff(String::trimSplit($role->permissions), $permissions)
+ );
+ $restrictionsFromRole = $role->toArray();
+ unset($restrictionsFromRole['users']);
+ unset($restrictionsFromRole['groups']);
+ unset($restrictionsFromRole['permissions']);
+ foreach ($restrictionsFromRole as $name => $restriction) {
+ if (! isset($restrictions[$name])) {
+ $restrictions[$name] = array();
+ }
+ $restrictions[$name][] = $restriction;
+ }
+ }
+ }
+ return array($permissions, $restrictions);
+ }
+
 /**
 * Get user permissions
 *
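Review bot: `String::trimSplit($role->permissions)` in the new method depends on a `String` class that the visible `use` block of the first hunk (Config, Logger, NotReadableError, ConfigObject, User) does not import, so unless a `use Icinga\Util\String;` line exists outside that hunk the name resolves to `Icinga\Authentication\String` and the first matching role fails with a fatal error. That same call is presumably also the source of the empty permission the commit message mentions, since a role section without a `permissions` key hands trimSplit an empty value; wrapping the merge in `if ($role->permissions) { ... }` would keep the empty entry out of the list. The `@return array` docblock should further state that the result is `array($permissions, $restrictions)` and that an unreadable roles.ini returns two empty arrays, i.e. no permissions are granted but no restrictions are applied either, so callers can decide whether that failure mode is acceptable for them.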