Added system to restrict permissions based on API token level

2025-07-09 18:04:33 +02:00 · 2023-08-28 21:20:59 +02:00 · 2023-08-28 21:20:59 +02:00 · fc6643bd6f
commit fc6643bd6f
parent 56d120cd08
8 changed files with 374 additions and 13 deletions
--- a/src/Services/UserSystem/PermissionManager.php
+++ b/src/Services/UserSystem/PermissionManager.php
@ -28,6 +28,7 @@ use App\Entity\UserSystem\Group;
 use App\Entity\UserSystem\User;
 use App\Security\Interfaces\HasPermissionsInterface;
 use InvalidArgumentException;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Config\ConfigCache;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Config\Resource\FileResource;
@ -41,7 +42,7 @@ use Symfony\Component\Yaml\Yaml;
 */
 class PermissionManager
 {
-    protected $permission_structure;
+    protected array $permission_structure;
    protected string $cache_file;

    /**
@ -125,6 +126,40 @@ class PermissionManager
        return null; //The inherited value is never resolved. Should be treated as false, in Voters.
    }

+    /**
+     * Same as inherit(), but it checks if the access token has the required role.
+     * @param  User  $user  the user for which the operation should be checked
+     * @param array  $roles  The roles associated with the authentication token
+     * @param  string  $permission  the name of the permission for which should be checked
+     * @param  string  $operation  the name of the operation for which should be checked
+     *
+     * @return bool|null true, if the user is allowed to do the operation (ALLOW), false if not (DISALLOW), and null,
+     *                    if the value is set to inherit
+     */
+    public function inheritWithAPILevel(User $user, array $roles, string $permission, string $operation): ?bool
+    {
+        //Check that the permission/operation combination is valid
+        if (! $this->isValidOperation($permission, $operation)) {
+            throw new InvalidArgumentException('The permission/operation combination "'.$permission.'/'.$operation.'" is not valid!');
+        }
+
+        //Get what API level we require for the permission/operation
+        $level_role = $this->permission_structure['perms'][$permission]['operations'][$operation]['apiTokenRole'];
+
+        //When no role was set (or it is null), then the operation is blocked for API access
+        if (null === $level_role) {
+            return false;
+        }
+
+        //Otherwise check if the token has the required role, if not, then the operation is blocked for API access
+        if (!in_array($level_role, $roles, true)) {
+            return false;
+        }
+
+        //If we have the required role, then we can check the permission
+        return $this->inherit($user, $permission, $operation);
+    }
+
    /**
     * Sets the new value for the operation.
     *
--- a/src/Services/UserSystem/VoterHelper.php
+++ b/src/Services/UserSystem/VoterHelper.php
@ -0,0 +1,110 @@
+<?php
+/*
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ *  Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published
+ *  by the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+declare(strict_types=1);
+
+
+namespace App\Services\UserSystem;
+
+use App\Entity\UserSystem\User;
+use App\Repository\UserRepository;
+use App\Security\ApiTokenAuthenticatedToken;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+final class VoterHelper
+{
+    private readonly UserRepository $userRepository;
+
+    public function __construct(private readonly PermissionManager $permissionManager, private readonly EntityManagerInterface $entityManager)
+    {
+        $this->userRepository = $this->entityManager->getRepository(User::class);
+    }
+
+    /**
+     * Checks if the operation on the given permission is granted for the given token.
+     * Similar to isGrantedTrinary, but returns false if the permission is not granted.
+     * @param  TokenInterface  $token  The token to check
+     * @param  string  $permission  The permission to check
+     * @param  string  $operation  The operation to check
+     * @return bool
+     */
+    public function isGranted(TokenInterface $token, string $permission, string $operation): bool
+    {
+        return $this->isGrantedTrinary($token, $permission, $operation) ?? false;
+    }
+
+    /**
+     * Checks if the operation on the given permission is granted for the given token.
+     * The result is returned in trinary value, where null means inherted from the parent.
+     * @param  TokenInterface  $token The token to check
+     * @param  string  $permission The permission to check
+     * @param  string  $operation The operation to check
+     * @return bool|null The result of the check. Null means inherted from the parent.
+     */
+    public function isGrantedTrinary(TokenInterface $token, string $permission, string $operation): ?bool
+    {
+        $user = $token->getUser();
+
+        if ($user instanceof User) {
+            //A disallowed user is not allowed to do anything...
+            if ($user->isDisabled()) {
+                return false;
+            }
+        } else {
+            //Try to resolve the user from the token
+            $user = $this->resolveUser($token);
+        }
+
+        //If the token is a APITokenAuthenticated
+        if ($token instanceof ApiTokenAuthenticatedToken) {
+            //Use the special API token checker
+            return $this->permissionManager->inheritWithAPILevel($user, $token->getRoleNames(), $permission, $operation);
+        }
+
+        //Otherwise use the normal permission checker
+        return $this->permissionManager->inherit($user, $permission, $operation);
+    }
+
+    /**
+     * Resolves the user from the given token. If the token is anonymous, the anonymous user is returned.
+     * @return User
+     */
+    public function resolveUser(TokenInterface $token): User
+    {
+        $user = $token->getUser();
+        //If the user is a User entity, just return it
+        if ($user instanceof User) {
+            return $user;
+        }
+
+        //If the user is null, return the anonymous user
+        if ($user === null) {
+            $user = $this->userRepository->getAnonymousUser();
+            if (!$user instanceof User) {
+                throw new \RuntimeException('The anonymous user could not be resolved.');
+            }
+            return $user;
+        }
+
+        //Otherwise throw an exception
+        throw new \RuntimeException('The user could not be resolved.');
+    }
+}