diff --git a/config/permissions.yaml b/config/permissions.yaml index f0f1af32..b8970556 100644 --- a/config/permissions.yaml +++ b/config/permissions.yaml @@ -25,27 +25,35 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co # If a part can be read by a user, he can also see all the datastructures (except devices) alsoSet: ['storelocations.read', 'footprints.read', 'categories.read', 'suppliers.read', 'manufacturers.read', 'currencies.read', 'attachment_types.read', 'measurement_units.read'] + apiTokenRole: ROLE_API_READ_ONLY edit: label: "perm.edit" alsoSet: ['read', 'parts_stock.withdraw', 'parts_stock.add', 'parts_stock.move'] + apiTokenRole: ROLE_API_EDIT create: label: "perm.create" alsoSet: ['read', 'edit'] + apiTokenRole: ROLE_API_EDIT delete: label: "perm.delete" alsoSet: ['read', 'edit'] + apiTokenRole: ROLE_API_EDIT change_favorite: label: "perm.part.change_favorite" alsoSet: ['edit'] + apiTokenRole: ROLE_API_EDIT show_history: label: "perm.part.show_history" alsoSet: ['read'] + apiTokenRole: ROLE_API_READ_ONLY revert_element: label: "perm.revert_elements" alsoSet: ["read", "edit", "create", "delete", "show_history"] + apiTokenRole: ROLE_API_EDIT import: label: "perm.import" alsoSet: ["read", "edit", "create"] + apiTokenRole: ROLE_API_EDIT parts_stock: group: "data" @@ -53,10 +61,13 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co operations: withdraw: label: "perm.parts_stock.withdraw" + apiTokenRole: ROLE_API_EDIT add: label: "perm.parts_stock.add" + apiTokenRole: ROLE_API_EDIT move: label: "perm.parts_stock.move" + apiTokenRole: ROLE_API_EDIT storelocations: &PART_CONTAINING @@ -65,23 +76,30 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co operations: read: label: "perm.read" + apiTokenRole: ROLE_API_READ_ONLY edit: label: "perm.edit" alsoSet: 'read' + apiTokenRole: ROLE_API_EDIT create: label: "perm.create" alsoSet: ['read', 'edit'] + apiTokenRole: ROLE_API_EDIT delete: label: "perm.delete" alsoSet: ['read', 'edit'] + apiTokenRole: ROLE_API_EDIT show_history: label: "perm.show_history" + apiTokenRole: ROLE_API_READ_ONLY revert_element: label: "perm.revert_elements" alsoSet: ["read", "edit", "create", "delete", "show_history"] + apiTokenRole: ROLE_API_EDIT import: label: "perm.import" alsoSet: [ "read", "edit", "create" ] + apiTokenRole: ROLE_API_EDIT footprints: <<: *PART_CONTAINING @@ -145,6 +163,7 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co create_parts: label: "perm.part.info_providers.create_parts" alsoSet: ['parts.create'] + apiTokenRole: ROLE_API_EDIT groups: label: "perm.groups" @@ -152,26 +171,34 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co operations: read: label: "perm.read" + apiTokenRole: ROLE_API_ADMIN edit: label: "perm.edit" alsoSet: 'read' + apiTokenRole: ROLE_API_ADMIN create: label: "perm.create" alsoSet: ['read', 'edit'] + apiTokenRole: ROLE_API_ADMIN delete: label: "perm.delete" alsoSet: ['read', 'delete'] + apiTokenRole: ROLE_API_ADMIN edit_permissions: label: "perm.edit_permissions" alsoSet: ['read', 'edit'] + apiTokenRole: ROLE_API_ADMIN show_history: label: "perm.show_history" + apiTokenRole: ROLE_API_ADMIN revert_element: label: "perm.revert_elements" alsoSet: ["read", "edit", "create", "delete", "edit_permissions", "show_history"] + apiTokenRole: ROLE_API_ADMIN import: label: "perm.import" alsoSet: [ "read", "edit", "create" ] + apiTokenRole: ROLE_API_ADMIN users: label: "perm.users" @@ -179,37 +206,49 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co operations: read: label: "perm.read" + apiTokenRole: ROLE_API_ADMIN create: label: "perm.create" alsoSet: ['read', 'edit_username', 'edit_infos'] + apiTokenRole: ROLE_API_ADMIN delete: label: "perm.delete" alsoSet: ['read', 'edit_username', 'edit_infos'] + apiTokenRole: ROLE_API_ADMIN edit_username: label: "perm.users.edit_user_name" alsoSet: ['read'] + apiTokenRole: ROLE_API_ADMIN edit_infos: label: "perm.users.edit_infos" alsoSet: 'read' + apiTokenRole: ROLE_API_ADMIN edit_permissions: label: "perm.users.edit_permissions" alsoSet: 'read' + apiTokenRole: ROLE_API_ADMIN set_password: label: "perm.users.set_password" alsoSet: 'read' + apiTokenRole: ROLE_API_FULL impersonate: label: "perm.users.impersonate" alsoSet: ['set_password'] + apiTokenRole: ROLE_API_FULL change_user_settings: label: "perm.users.change_user_settings" + apiTokenRole: ROLE_API_ADMIN show_history: label: "perm.show_history" + apiTokenRole: ROLE_API_ADMIN revert_element: label: "perm.revert_elements" alsoSet: ["read", "create", "delete", "edit_permissions", "show_history", "edit_infos", "edit_username"] + apiTokenRole: ROLE_API_ADMIN import: label: "perm.import" alsoSet: [ "read", "create" ] + apiTokenRole: ROLE_API_ADMIN #database: # label: "perm.database" @@ -244,15 +283,20 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co operations: show_logs: label: "perm.show_logs" + apiTokenRole: ROLE_API_ADMIN delete_logs: label: "perm.delete_logs" alsoSet: 'show_logs' + apiTokenRole: ROLE_API_ADMIN server_infos: label: "perm.server_infos" + apiTokenRole: ROLE_API_ADMIN manage_oauth_tokens: label: "Manage OAuth tokens" + apiTokenRole: ROLE_API_ADMIN show_updates: label: "perm.system.show_available_updates" + apiTokenRole: ROLE_API_ADMIN attachments: @@ -260,56 +304,73 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co operations: show_private: label: "perm.attachments.show_private" + apiTokenRole: ROLE_API_READ_ONLY list_attachments: label: "perm.attachments.list_attachments" alsoSet: ['attachment_types.read'] + apiTokenRole: ROLE_API_READ_ONLY self: label: "perm.self" operations: edit_infos: label: "perm.self.edit_infos" + apiTokenRole: ROLE_API_FULL edit_username: label: "perm.self.edit_username" + apiTokenRole: ROLE_API_FULL show_permissions: label: "perm.self.show_permissions" + apiTokenRole: ROLE_API_READ_ONLY show_logs: label: "perm.self.show_logs" + apiTokenRole: ROLE_API_FULL labels: label: "perm.labels" operations: create_labels: label: "perm.self.create_labels" + apiTokenRole: ROLE_API_READ_ONLY edit_options: label: "perm.self.edit_options" alsoSet: ['create_labels'] + apiTokenRole: ROLE_API_READ_ONLY read_profiles: label: "perm.self.read_profiles" + apiTokenRole: ROLE_API_READ_ONLY edit_profiles: label: "perm.self.edit_profiles" alsoSet: ['read_profiles'] + apiTokenRole: ROLE_API_EDIT create_profiles: label: "perm.self.create_profiles" alsoSet: ['read_profiles', 'edit_profiles'] + apiTokenRole: ROLE_API_EDIT delete_profiles: label: "perm.self.delete_profiles" alsoSet: ['read_profiles', 'edit_profiles', 'create_profiles'] + apiTokenRole: ROLE_API_EDIT use_twig: label: "perm.labels.use_twig" alsoSet: ['create_labels', 'edit_options'] + apiTokenRole: ROLE_API_ADMIN show_history: label: "perm.show_history" alsoSet: ['read_profiles'] + apiTokenRole: ROLE_API_READ_ONLY revert_element: label: "perm.revert_elements" alsoSet: ['read_profiles', 'edit_profiles', 'create_profiles', 'delete_profiles'] + apiTokenRole: ROLE_API_EDIT api: label: "perm.api" operations: access_api: label: "perm.api.access_api" + apiTokenRole: ROLE_API_READ_ONLY manage_tokens: label: "perm.api.manage_tokens" - alsoSet: ['access_api'] \ No newline at end of file + alsoSet: ['access_api'] + apiTokenRole: ROLE_API_FULL \ No newline at end of file diff --git a/src/Configuration/PermissionsConfiguration.php b/src/Configuration/PermissionsConfiguration.php index 307e3794..c069ab24 100644 --- a/src/Configuration/PermissionsConfiguration.php +++ b/src/Configuration/PermissionsConfiguration.php @@ -55,6 +55,7 @@ final class PermissionsConfiguration implements ConfigurationInterface ->scalarNode('name')->end() ->scalarNode('label')->end() ->scalarNode('bit')->end() + ->scalarNode('apiTokenRole')->defaultNull()->end() ->arrayNode('alsoSet') ->beforeNormalization()->castToArray()->end()->scalarPrototype()->end(); diff --git a/src/Entity/UserSystem/ApiTokenLevel.php b/src/Entity/UserSystem/ApiTokenLevel.php index 8289e57c..3f997300 100644 --- a/src/Entity/UserSystem/ApiTokenLevel.php +++ b/src/Entity/UserSystem/ApiTokenLevel.php @@ -27,6 +27,7 @@ enum ApiTokenLevel: int { private const ROLE_READ_ONLY = 'ROLE_API_READ_ONLY'; private const ROLE_EDIT = 'ROLE_API_EDIT'; + private const ROLE_ADMIN = 'ROLE_API_ADMIN'; private const ROLE_FULL = 'ROLE_API_FULL'; /** @@ -56,7 +57,8 @@ enum ApiTokenLevel: int return match ($this) { self::READ_ONLY => [self::ROLE_READ_ONLY], self::EDIT => [self::ROLE_READ_ONLY, self::ROLE_EDIT], - self::FULL => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_FULL], + self::ADMIN => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_ADMIN], + self::FULL => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_ADMIN, self::ROLE_FULL], }; } diff --git a/src/Security/Voter/PermissionVoter.php b/src/Security/Voter/PermissionVoter.php index 018c4f92..f7d84bf7 100644 --- a/src/Security/Voter/PermissionVoter.php +++ b/src/Security/Voter/PermissionVoter.php @@ -23,26 +23,28 @@ declare(strict_types=1); namespace App\Security\Voter; use App\Entity\UserSystem\User; +use App\Services\UserSystem\VoterHelper; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; /** * This voter allows you to directly check permissions from the permission structure, without passing an object. * This use the syntax like "@permission.op" * However you should use the "normal" object based voters if possible, because they are needed for a future ACL system. */ -class PermissionVoter extends ExtendedVoter +class PermissionVoter extends Voter { - /** - * Similar to voteOnAttribute, but checking for the anonymous user is already done. - * The current user (or the anonymous user) is passed by $user. - * - * @param string $attribute - */ - protected function voteOnUser(string $attribute, $subject, User $user): bool + public function __construct(private readonly VoterHelper $helper) + { + + } + + protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool { $attribute = ltrim($attribute, '@'); [$perm, $op] = explode('.', $attribute); - return $this->resolver->inherit($user, $perm, $op) ?? false; + return $this->helper->isGranted($token, $perm, $op); } /** diff --git a/src/Services/UserSystem/PermissionManager.php b/src/Services/UserSystem/PermissionManager.php index a995dad7..83c806b6 100644 --- a/src/Services/UserSystem/PermissionManager.php +++ b/src/Services/UserSystem/PermissionManager.php @@ -28,6 +28,7 @@ use App\Entity\UserSystem\Group; use App\Entity\UserSystem\User; use App\Security\Interfaces\HasPermissionsInterface; use InvalidArgumentException; +use Symfony\Bundle\SecurityBundle\Security; use Symfony\Component\Config\ConfigCache; use Symfony\Component\Config\Definition\Processor; use Symfony\Component\Config\Resource\FileResource; @@ -41,7 +42,7 @@ use Symfony\Component\Yaml\Yaml; */ class PermissionManager { - protected $permission_structure; + protected array $permission_structure; protected string $cache_file; /** @@ -125,6 +126,40 @@ class PermissionManager return null; //The inherited value is never resolved. Should be treated as false, in Voters. } + /** + * Same as inherit(), but it checks if the access token has the required role. + * @param User $user the user for which the operation should be checked + * @param array $roles The roles associated with the authentication token + * @param string $permission the name of the permission for which should be checked + * @param string $operation the name of the operation for which should be checked + * + * @return bool|null true, if the user is allowed to do the operation (ALLOW), false if not (DISALLOW), and null, + * if the value is set to inherit + */ + public function inheritWithAPILevel(User $user, array $roles, string $permission, string $operation): ?bool + { + //Check that the permission/operation combination is valid + if (! $this->isValidOperation($permission, $operation)) { + throw new InvalidArgumentException('The permission/operation combination "'.$permission.'/'.$operation.'" is not valid!'); + } + + //Get what API level we require for the permission/operation + $level_role = $this->permission_structure['perms'][$permission]['operations'][$operation]['apiTokenRole']; + + //When no role was set (or it is null), then the operation is blocked for API access + if (null === $level_role) { + return false; + } + + //Otherwise check if the token has the required role, if not, then the operation is blocked for API access + if (!in_array($level_role, $roles, true)) { + return false; + } + + //If we have the required role, then we can check the permission + return $this->inherit($user, $permission, $operation); + } + /** * Sets the new value for the operation. * diff --git a/src/Services/UserSystem/VoterHelper.php b/src/Services/UserSystem/VoterHelper.php new file mode 100644 index 00000000..3f78a1aa --- /dev/null +++ b/src/Services/UserSystem/VoterHelper.php @@ -0,0 +1,110 @@ +. + */ + +declare(strict_types=1); + + +namespace App\Services\UserSystem; + +use App\Entity\UserSystem\User; +use App\Repository\UserRepository; +use App\Security\ApiTokenAuthenticatedToken; +use Doctrine\ORM\EntityManagerInterface; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; + +final class VoterHelper +{ + private readonly UserRepository $userRepository; + + public function __construct(private readonly PermissionManager $permissionManager, private readonly EntityManagerInterface $entityManager) + { + $this->userRepository = $this->entityManager->getRepository(User::class); + } + + /** + * Checks if the operation on the given permission is granted for the given token. + * Similar to isGrantedTrinary, but returns false if the permission is not granted. + * @param TokenInterface $token The token to check + * @param string $permission The permission to check + * @param string $operation The operation to check + * @return bool + */ + public function isGranted(TokenInterface $token, string $permission, string $operation): bool + { + return $this->isGrantedTrinary($token, $permission, $operation) ?? false; + } + + /** + * Checks if the operation on the given permission is granted for the given token. + * The result is returned in trinary value, where null means inherted from the parent. + * @param TokenInterface $token The token to check + * @param string $permission The permission to check + * @param string $operation The operation to check + * @return bool|null The result of the check. Null means inherted from the parent. + */ + public function isGrantedTrinary(TokenInterface $token, string $permission, string $operation): ?bool + { + $user = $token->getUser(); + + if ($user instanceof User) { + //A disallowed user is not allowed to do anything... + if ($user->isDisabled()) { + return false; + } + } else { + //Try to resolve the user from the token + $user = $this->resolveUser($token); + } + + //If the token is a APITokenAuthenticated + if ($token instanceof ApiTokenAuthenticatedToken) { + //Use the special API token checker + return $this->permissionManager->inheritWithAPILevel($user, $token->getRoleNames(), $permission, $operation); + } + + //Otherwise use the normal permission checker + return $this->permissionManager->inherit($user, $permission, $operation); + } + + /** + * Resolves the user from the given token. If the token is anonymous, the anonymous user is returned. + * @return User + */ + public function resolveUser(TokenInterface $token): User + { + $user = $token->getUser(); + //If the user is a User entity, just return it + if ($user instanceof User) { + return $user; + } + + //If the user is null, return the anonymous user + if ($user === null) { + $user = $this->userRepository->getAnonymousUser(); + if (!$user instanceof User) { + throw new \RuntimeException('The anonymous user could not be resolved.'); + } + return $user; + } + + //Otherwise throw an exception + throw new \RuntimeException('The user could not be resolved.'); + } +} \ No newline at end of file diff --git a/tests/Services/UserSystem/PermissionManagerTest.php b/tests/Services/UserSystem/PermissionManagerTest.php index b24801df..9d4aa11b 100644 --- a/tests/Services/UserSystem/PermissionManagerTest.php +++ b/tests/Services/UserSystem/PermissionManagerTest.php @@ -52,7 +52,11 @@ class PermissionManagerTest extends WebTestCase ->setPermissionValue('parts', 'edit', false) //edit ->setPermissionValue('parts', 'create', null) //create ->setPermissionValue('parts', 'move', null) //move - ->setPermissionValue('parts', 'delete', null); //delete + ->setPermissionValue('parts', 'delete', null) //delete + + ->setPermissionValue('footprints', 'edit', true) + ->setPermissionValue('footprints', 'create', false) + ; $this->user = $this->createMock(User::class); $this->user->method('getPermissions')->willReturn($user_perms); @@ -170,6 +174,19 @@ class PermissionManagerTest extends WebTestCase $this->assertNull($this->service->inherit($this->user_withoutGroup, 'parts', 'delete')); } + public function testInheritWithAPILevel(): void + { + //If no API roles are given, access should be prevented + $this->assertFalse($this->service->inheritWithAPILevel($this->user, [], 'parts', 'read')); + //Allow access with roles + $this->assertTrue($this->service->inheritWithAPILevel($this->user, ['ROLE_API_READ_ONLY', 'ROLE_API_FULL'], 'parts', 'read')); + + //Block access if the token has not the sufficient level + $this->assertFalse($this->service->inheritWithAPILevel($this->user, ['ROLE_API_READ_ONLY'], 'footprints', 'edit')); + //And allow with role + $this->assertTrue($this->service->inheritWithAPILevel($this->user, ['ROLE_API_READ_ONLY', 'ROLE_API_EDIT'], 'footprints', 'edit')); + } + public function testSetPermission(): void { $user = new User(); diff --git a/tests/Services/UserSystem/VoterHelperTest.php b/tests/Services/UserSystem/VoterHelperTest.php new file mode 100644 index 00000000..28bb9ba8 --- /dev/null +++ b/tests/Services/UserSystem/VoterHelperTest.php @@ -0,0 +1,133 @@ +. + */ + +namespace App\Tests\Services\UserSystem; + +use App\Entity\UserSystem\ApiToken; +use App\Entity\UserSystem\ApiTokenLevel; +use App\Entity\UserSystem\PermissionData; +use App\Entity\UserSystem\User; +use App\Security\ApiTokenAuthenticatedToken; +use App\Services\UserSystem\VoterHelper; +use PHPUnit\Framework\TestCase; +use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase; +use Symfony\Component\Security\Core\Authentication\Token\NullToken; +use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; +use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken; + +class VoterHelperTest extends KernelTestCase +{ + + protected ?VoterHelper $service = null; + + protected ?User $user = null; + + protected function setUp(): void + { + //Get a service instance. + self::bootKernel(); + $this->service = self::getContainer()->get(VoterHelper::class); + + //Set up a mocked user + $user_perms = new PermissionData(); + $user_perms->setPermissionValue('parts', 'read', true) //read + ->setPermissionValue('parts', 'edit', false) //edit + ->setPermissionValue('parts', 'create', null) //create + ->setPermissionValue('parts', 'move', null) //move + ->setPermissionValue('parts', 'delete', null) //delete + + ->setPermissionValue('footprints', 'edit', true) + ->setPermissionValue('footprints', 'create', false) + ; + + $this->user = $this->createMock(User::class); + $this->user->method('getPermissions')->willReturn($user_perms); + } + + public function testResolveUserAnonUser(): void + { + //If the user is null, the anonymous user should be returned. + + $anonymousToken = new NullToken(); + $this->assertNull($anonymousToken->getUser()); + $user = $this->service->resolveUser($anonymousToken); + //Ensure that this is the anonymous user. + $this->assertNotNull($user); + $this->assertTrue($user->isAnonymousUser()); + } + + public function testResolveUser(): void + { + //For a token with a user, the user should be returned. + $token = new PostAuthenticationToken($this->user, 'main', ['ROLE_USER']); + $this->assertSame($this->user, $token->getUser()); + $user = $this->service->resolveUser($token); + $this->assertSame($this->user, $user); + } + + public function testIsGrantedTrinaryNonAPI(): void + { + //For a UserNamePasswordToken everything should work as expected. + $token = new UsernamePasswordToken($this->user, 'main'); + $this->assertTrue($this->service->isGrantedTrinary($token, 'parts', 'read')); + $this->assertFalse($this->service->isGrantedTrinary($token, 'parts', 'edit')); + $this->assertNull($this->service->isGrantedTrinary($token, 'parts', 'create')); + } + + public function testIsGrantedTrinaryReadOnlyAPI(): void + { + //Create a API token + $api_token = new ApiToken(); + $api_token->setLevel(ApiTokenLevel::READ_ONLY)->setName('Test Token'); + //Create an auth token + $token = new ApiTokenAuthenticatedToken($this->user, 'main', ['ROLE_USER'], $api_token); + + //The permissions should be readonly + $this->assertTrue($this->service->isGrantedTrinary($token, 'parts', 'read')); + $this->assertFalse($this->service->isGrantedTrinary($token, 'parts', 'edit')); + $this->assertFalse($this->service->isGrantedTrinary($token, 'parts', 'create')); + $this->assertFalse($this->service->isGrantedTrinary($token, 'footprints', 'edit')); + } + + public function testIsGrantedTrinaryAdminAPI(): void + { + //Create a API token + $api_token = new ApiToken(); + $api_token->setLevel(ApiTokenLevel::FULL)->setName('Test Token'); + //Create an auth token + $token = new ApiTokenAuthenticatedToken($this->user, 'main', ['ROLE_USER'], $api_token); + + //The permissions should be readonly + $this->assertTrue($this->service->isGrantedTrinary($token, 'parts', 'read')); + $this->assertFalse($this->service->isGrantedTrinary($token, 'parts', 'edit')); + $this->assertNull($this->service->isGrantedTrinary($token, 'parts', 'create')); + $this->assertTrue($this->service->isGrantedTrinary($token, 'footprints', 'edit')); + } + + + public function testIsGrantedNonAPI(): void + { + //Same as testIsGrantedTrinaryNonAPI, but every non-true value should return false. + $token = new UsernamePasswordToken($this->user, 'main'); + $this->assertTrue($this->service->isGranted($token, 'parts', 'read')); + $this->assertFalse($this->service->isGranted($token, 'parts', 'edit')); + $this->assertFalse($this->service->isGranted($token, 'parts', 'create')); + } +}