Added system to restrict permissions based on API token level

src/Configuration/PermissionsConfiguration.php

@@ -55,6 +55,7 @@ final class PermissionsConfiguration implements ConfigurationInterface
             ->scalarNode('name')->end()
             ->scalarNode('label')->end()
             ->scalarNode('bit')->end()
+            ->scalarNode('apiTokenRole')->defaultNull()->end()
             ->arrayNode('alsoSet')
             ->beforeNormalization()->castToArray()->end()->scalarPrototype()->end();
 

src/Entity/UserSystem/ApiTokenLevel.php

@@ -27,6 +27,7 @@ enum ApiTokenLevel: int
 {
     private const ROLE_READ_ONLY = 'ROLE_API_READ_ONLY';
     private const ROLE_EDIT = 'ROLE_API_EDIT';
+    private const ROLE_ADMIN = 'ROLE_API_ADMIN';
     private const ROLE_FULL = 'ROLE_API_FULL';
 
     /**
@@ -56,7 +57,8 @@ enum ApiTokenLevel: int
         return match ($this) {
             self::READ_ONLY => [self::ROLE_READ_ONLY],
             self::EDIT => [self::ROLE_READ_ONLY, self::ROLE_EDIT],
-            self::FULL => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_FULL],
+            self::ADMIN => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_ADMIN],
+            self::FULL => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_ADMIN, self::ROLE_FULL],
         };
     }
 

src/Security/Voter/PermissionVoter.php

@@ -23,26 +23,28 @@ declare(strict_types=1);
 namespace App\Security\Voter;
 
 use App\Entity\UserSystem\User;
+use App\Services\UserSystem\VoterHelper;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 
 /**
  * This voter allows you to directly check permissions from the permission structure, without passing an object.
  * This use the syntax like "@permission.op"
  * However you should use the "normal" object based voters if possible, because they are needed for a future ACL system.
  */
-class PermissionVoter extends ExtendedVoter
+class PermissionVoter extends Voter
 {
-    /**
-     * Similar to voteOnAttribute, but checking for the anonymous user is already done.
-     * The current user (or the anonymous user) is passed by $user.
-     *
-     * @param  string  $attribute
-     */
-    protected function voteOnUser(string $attribute, $subject, User $user): bool
+    public function __construct(private readonly VoterHelper $helper)
+    {
+
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
     {
         $attribute = ltrim($attribute, '@');
         [$perm, $op] = explode('.', $attribute);
 
-        return $this->resolver->inherit($user, $perm, $op) ?? false;
+        return $this->helper->isGranted($token, $perm, $op);
     }
 
     /**

src/Services/UserSystem/PermissionManager.php

@@ -28,6 +28,7 @@ use App\Entity\UserSystem\Group;
 use App\Entity\UserSystem\User;
 use App\Security\Interfaces\HasPermissionsInterface;
 use InvalidArgumentException;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Config\ConfigCache;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Config\Resource\FileResource;
@@ -41,7 +42,7 @@ use Symfony\Component\Yaml\Yaml;
  */
 class PermissionManager
 {
-    protected $permission_structure;
+    protected array $permission_structure;
     protected string $cache_file;
 
     /**
@@ -125,6 +126,40 @@ class PermissionManager
         return null; //The inherited value is never resolved. Should be treated as false, in Voters.
     }
 
+    /**
+     * Same as inherit(), but it checks if the access token has the required role.
+     * @param  User  $user  the user for which the operation should be checked
+     * @param array  $roles  The roles associated with the authentication token
+     * @param  string  $permission  the name of the permission for which should be checked
+     * @param  string  $operation  the name of the operation for which should be checked
+     *
+     * @return bool|null true, if the user is allowed to do the operation (ALLOW), false if not (DISALLOW), and null,
+     *                    if the value is set to inherit
+     */
+    public function inheritWithAPILevel(User $user, array $roles, string $permission, string $operation): ?bool
+    {
+        //Check that the permission/operation combination is valid
+        if (! $this->isValidOperation($permission, $operation)) {
+            throw new InvalidArgumentException('The permission/operation combination "'.$permission.'/'.$operation.'" is not valid!');
+        }
+
+        //Get what API level we require for the permission/operation
+        $level_role = $this->permission_structure['perms'][$permission]['operations'][$operation]['apiTokenRole'];
+
+        //When no role was set (or it is null), then the operation is blocked for API access
+        if (null === $level_role) {
+            return false;
+        }
+
+        //Otherwise check if the token has the required role, if not, then the operation is blocked for API access
+        if (!in_array($level_role, $roles, true)) {
+            return false;
+        }
+
+        //If we have the required role, then we can check the permission
+        return $this->inherit($user, $permission, $operation);
+    }
+
     /**
      * Sets the new value for the operation.
      *

src/Services/UserSystem/VoterHelper.php

@@ -0,0 +1,110 @@
+<?php
+/*
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ *  Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published
+ *  by the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+declare(strict_types=1);
+
+
+namespace App\Services\UserSystem;
+
+use App\Entity\UserSystem\User;
+use App\Repository\UserRepository;
+use App\Security\ApiTokenAuthenticatedToken;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+final class VoterHelper
+{
+    private readonly UserRepository $userRepository;
+
+    public function __construct(private readonly PermissionManager $permissionManager, private readonly EntityManagerInterface $entityManager)
+    {
+        $this->userRepository = $this->entityManager->getRepository(User::class);
+    }
+
+    /**
+     * Checks if the operation on the given permission is granted for the given token.
+     * Similar to isGrantedTrinary, but returns false if the permission is not granted.
+     * @param  TokenInterface  $token  The token to check
+     * @param  string  $permission  The permission to check
+     * @param  string  $operation  The operation to check
+     * @return bool
+     */
+    public function isGranted(TokenInterface $token, string $permission, string $operation): bool
+    {
+        return $this->isGrantedTrinary($token, $permission, $operation) ?? false;
+    }
+
+    /**
+     * Checks if the operation on the given permission is granted for the given token.
+     * The result is returned in trinary value, where null means inherted from the parent.
+     * @param  TokenInterface  $token The token to check
+     * @param  string  $permission The permission to check
+     * @param  string  $operation The operation to check
+     * @return bool|null The result of the check. Null means inherted from the parent.
+     */
+    public function isGrantedTrinary(TokenInterface $token, string $permission, string $operation): ?bool
+    {
+        $user = $token->getUser();
+
+        if ($user instanceof User) {
+            //A disallowed user is not allowed to do anything...
+            if ($user->isDisabled()) {
+                return false;
+            }
+        } else {
+            //Try to resolve the user from the token
+            $user = $this->resolveUser($token);
+        }
+
+        //If the token is a APITokenAuthenticated
+        if ($token instanceof ApiTokenAuthenticatedToken) {
+            //Use the special API token checker
+            return $this->permissionManager->inheritWithAPILevel($user, $token->getRoleNames(), $permission, $operation);
+        }
+
+        //Otherwise use the normal permission checker
+        return $this->permissionManager->inherit($user, $permission, $operation);
+    }
+
+    /**
+     * Resolves the user from the given token. If the token is anonymous, the anonymous user is returned.
+     * @return User
+     */
+    public function resolveUser(TokenInterface $token): User
+    {
+        $user = $token->getUser();
+        //If the user is a User entity, just return it
+        if ($user instanceof User) {
+            return $user;
+        }
+
+        //If the user is null, return the anonymous user
+        if ($user === null) {
+            $user = $this->userRepository->getAnonymousUser();
+            if (!$user instanceof User) {
+                throw new \RuntimeException('The anonymous user could not be resolved.');
+            }
+            return $user;
+        }
+
+        //Otherwise throw an exception
+        throw new \RuntimeException('The user could not be resolved.');
+    }
+}