From cee261bf7ef286368febb03c78a344924e607266 Mon Sep 17 00:00:00 2001 From: Eric Lippmann Date: Mon, 20 Oct 2014 13:36:37 +0200 Subject: [PATCH] Use lowercase username and user groups for loading user permissions and restrictions --- .../Icinga/Authentication/AdmissionLoader.php | 79 ++++++++++++------- 1 file changed, 52 insertions(+), 27 deletions(-) diff --git a/library/Icinga/Authentication/AdmissionLoader.php b/library/Icinga/Authentication/AdmissionLoader.php index 098afda81..50624003c 100644 --- a/library/Icinga/Authentication/AdmissionLoader.php +++ b/library/Icinga/Authentication/AdmissionLoader.php @@ -6,6 +6,7 @@ namespace Icinga\Authentication; use Icinga\Application\Config; use Icinga\Exception\NotReadableError; +use Icinga\User; use Icinga\Util\String; /** 
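Review bot: `Logger` is not imported in this use block, yet the new catch blocks in getPermissions() and getRestrictions() call `Logger::error(...)`. Inside `namespace Icinga\Authentication` the unqualified name resolves to `Icinga\Authentication\Logger`. Unless a class of that name exists there, an unreadable permissions or restrictions config ends in a fatal class-not-found error instead of the logged message and the empty-array return. Add a `use` line for the project's logger class next to `use Icinga\User;`.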
@@ -14,73 +15,97 @@ use Icinga\Util\String; class AdmissionLoader { /** - * Match against groups - * - * @param string $section * @param string $username - * @param array $groups + * @param array $userGroups + * @param mixed $section * * @return bool */ - private function match($section, $username, array $groups) + protected function match($username, $userGroups, $section) { - if ($section->users && in_array($username, String::trimSplit($section->users)) === true) { - return true; + $username = strtolower($username); + if (! empty($section->users)) { + $users = array_map('strtolower', String::trimSplit($section->users)); + if (in_array($username, $users)) { + return true; + } } - - if ($section->groups && count(array_intersect(String::trimSplit($section->groups), $groups)) > 0) { - return true; + if (! empty($section->groups)) { + $groups = array_map('strtolower', String::trimSplit($section->groups)); + foreach ($userGroups as $userGroup) { + if (in_array(strtolower($userGroup), $groups)) { + return true; + } + } } - return false; } /** - * Retrieve permissions + * Get user permissions * - * @param string $username - * @param array $groups + * @param User $user * * @return array */ - public function getPermissions($username, array $groups) + public function getPermissions(User $user) { $permissions = array(); try { $config = Config::app('permissions'); } catch (NotReadableError $e) { + Logger::error( + 'Can\'t get permissions for user \'%s\'. An exception was thrown:', + $user->getUsername(), + $e + ); return $permissions; } + $username = $user->getUsername(); + $userGroups = $user->getGroups(); foreach ($config as $section) { - if ($this->match($section, $username, $groups) && isset($section->permissions)) { - $permissions += String::trimSplit($section->permissions); + if (! 
empty($section->permissions) + && $this->match($username, $userGroups, $section) + ) { + $permissions = array_merge( + $permissions, + array_diff(String::trimSplit($section->permissions), $permissions) + ); } } return $permissions; } /** - * Retrieve restrictions + * Get user restrictions * - * @param $username - * @param array $groups + * @param User $user * * @return array */ - public function getRestrictions($username, array $groups) + public function getRestrictions(User $user) { $restrictions = array(); try { $config = Config::app('restrictions'); } catch (NotReadableError $e) { + Logger::error( + 'Can\'t get restrictions for user \'%s\'. An exception was thrown:', + $user->getUsername(), + $e + ); return $restrictions; } - foreach ($config as $name => $section) { - if ($this->match($section, $username, $groups)) { - if (!array_key_exists($section->name, $restrictions)) { - $restrictions[$section->name] = array(); - } - $restrictions[$section->name][$name] = $section->restriction; + $username = $user->getUsername(); + $userGroups = $user->getGroups(); + foreach ($config as $section) { + if (! empty($section->restriction) + && $this->match($username, $userGroups, $section) + ) { + $restrictions = array_merge( + $restrictions, + array_diff(String::trimSplit($section->restriction), $restrictions) + ); } } return $restrictions;
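Review bot: Both `in_array()` calls in match() compare loosely, so numeric-looking names match by value rather than by spelling: under PHP's `==`, `'007'` equals `'7'` and `'1e1'` equals `'10'`, and an account or group with one spelling picks up the permissions and restrictions configured for the other. Pass the strict flag in both places: `in_array($username, $users, true)` and `in_array(strtolower($userGroup), $groups, true)`. Separately, getRestrictions() now returns one flat merged list and no longer keys entries by `$section->name`, so a caller can no longer tell which restriction a filter belongs to. That goes beyond the lowercase change named in the subject and should be confirmed against the callers, which are not visible here. The closing brace of getRestrictions() lies outside the hunk.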