mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-20 17:15:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added system to restrict permissions based on API token level

Browse source
This commit is contained in:
Jan Böhmer 2023-08-28 21:20:59 +02:00
parent 56d120cd08
commit fc6643bd6f
8 changed files with 374 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

63
config/permissions.yaml
View file

@ -25,27 +25,35 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
# If a part can be read by a user, he can also see all the datastructures (except devices)
alsoSet: ['storelocations.read', 'footprints.read', 'categories.read', 'suppliers.read', 'manufacturers.read',
'currencies.read', 'attachment_types.read', 'measurement_units.read']
apiTokenRole: ROLE_API_READ_ONLY
edit:
label: "perm.edit"
alsoSet: ['read', 'parts_stock.withdraw', 'parts_stock.add', 'parts_stock.move']
apiTokenRole: ROLE_API_EDIT
create:
label: "perm.create"
alsoSet: ['read', 'edit']
apiTokenRole: ROLE_API_EDIT
delete:
label: "perm.delete"
alsoSet: ['read', 'edit']
apiTokenRole: ROLE_API_EDIT
change_favorite:
label: "perm.part.change_favorite"
alsoSet: ['edit']
apiTokenRole: ROLE_API_EDIT
show_history:
label: "perm.part.show_history"
alsoSet: ['read']
apiTokenRole: ROLE_API_READ_ONLY
revert_element:
label: "perm.revert_elements"
alsoSet: ["read", "edit", "create", "delete", "show_history"]
apiTokenRole: ROLE_API_EDIT
import:
label: "perm.import"
alsoSet: ["read", "edit", "create"]
apiTokenRole: ROLE_API_EDIT
parts_stock:
group: "data"
@ -53,10 +61,13 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
operations:
withdraw:
label: "perm.parts_stock.withdraw"
apiTokenRole: ROLE_API_EDIT
add:
label: "perm.parts_stock.add"
apiTokenRole: ROLE_API_EDIT
move:
label: "perm.parts_stock.move"
apiTokenRole: ROLE_API_EDIT
storelocations: &PART_CONTAINING
@ -65,23 +76,30 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
operations:
read:
label: "perm.read"
apiTokenRole: ROLE_API_READ_ONLY
edit:
label: "perm.edit"
alsoSet: 'read'
apiTokenRole: ROLE_API_EDIT
create:
label: "perm.create"
alsoSet: ['read', 'edit']
apiTokenRole: ROLE_API_EDIT
delete:
label: "perm.delete"
alsoSet: ['read', 'edit']
apiTokenRole: ROLE_API_EDIT
show_history:
label: "perm.show_history"
apiTokenRole: ROLE_API_READ_ONLY
revert_element:
label: "perm.revert_elements"
alsoSet: ["read", "edit", "create", "delete", "show_history"]
apiTokenRole: ROLE_API_EDIT
import:
label: "perm.import"
alsoSet: [ "read", "edit", "create" ]
apiTokenRole: ROLE_API_EDIT
footprints:
<<: *PART_CONTAINING
@ -145,6 +163,7 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
create_parts:
label: "perm.part.info_providers.create_parts"
alsoSet: ['parts.create']
apiTokenRole: ROLE_API_EDIT
groups:
label: "perm.groups"
@ -152,26 +171,34 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
operations:
read:
label: "perm.read"
apiTokenRole: ROLE_API_ADMIN
edit:
label: "perm.edit"
alsoSet: 'read'
apiTokenRole: ROLE_API_ADMIN
create:
label: "perm.create"
alsoSet: ['read', 'edit']
apiTokenRole: ROLE_API_ADMIN
delete:
label: "perm.delete"
alsoSet: ['read', 'delete']
apiTokenRole: ROLE_API_ADMIN
edit_permissions:
label: "perm.edit_permissions"
alsoSet: ['read', 'edit']
apiTokenRole: ROLE_API_ADMIN
show_history:
label: "perm.show_history"
apiTokenRole: ROLE_API_ADMIN
revert_element:
label: "perm.revert_elements"
alsoSet: ["read", "edit", "create", "delete", "edit_permissions", "show_history"]
apiTokenRole: ROLE_API_ADMIN
import:
label: "perm.import"
alsoSet: [ "read", "edit", "create" ]
apiTokenRole: ROLE_API_ADMIN
users:
label: "perm.users"
@ -179,37 +206,49 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
operations:
read:
label: "perm.read"
apiTokenRole: ROLE_API_ADMIN
create:
label: "perm.create"
alsoSet: ['read', 'edit_username', 'edit_infos']
apiTokenRole: ROLE_API_ADMIN
delete:
label: "perm.delete"
alsoSet: ['read', 'edit_username', 'edit_infos']
apiTokenRole: ROLE_API_ADMIN
edit_username:
label: "perm.users.edit_user_name"
alsoSet: ['read']
apiTokenRole: ROLE_API_ADMIN
edit_infos:
label: "perm.users.edit_infos"
alsoSet: 'read'
apiTokenRole: ROLE_API_ADMIN
edit_permissions:
label: "perm.users.edit_permissions"
alsoSet: 'read'
apiTokenRole: ROLE_API_ADMIN
set_password:
label: "perm.users.set_password"
alsoSet: 'read'
apiTokenRole: ROLE_API_FULL
impersonate:
label: "perm.users.impersonate"
alsoSet: ['set_password']
apiTokenRole: ROLE_API_FULL
change_user_settings:
label: "perm.users.change_user_settings"
apiTokenRole: ROLE_API_ADMIN
show_history:
label: "perm.show_history"
apiTokenRole: ROLE_API_ADMIN
revert_element:
label: "perm.revert_elements"
alsoSet: ["read", "create", "delete", "edit_permissions", "show_history", "edit_infos", "edit_username"]
apiTokenRole: ROLE_API_ADMIN
import:
label: "perm.import"
alsoSet: [ "read", "create" ]
apiTokenRole: ROLE_API_ADMIN
#database:
# label: "perm.database"
@ -244,15 +283,20 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
operations:
show_logs:
label: "perm.show_logs"
apiTokenRole: ROLE_API_ADMIN
delete_logs:
label: "perm.delete_logs"
alsoSet: 'show_logs'
apiTokenRole: ROLE_API_ADMIN
server_infos:
label: "perm.server_infos"
apiTokenRole: ROLE_API_ADMIN
manage_oauth_tokens:
label: "Manage OAuth tokens"
apiTokenRole: ROLE_API_ADMIN
show_updates:
label: "perm.system.show_available_updates"
apiTokenRole: ROLE_API_ADMIN
attachments:
@ -260,56 +304,73 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
operations:
show_private:
label: "perm.attachments.show_private"
apiTokenRole: ROLE_API_READ_ONLY
list_attachments:
label: "perm.attachments.list_attachments"
alsoSet: ['attachment_types.read']
apiTokenRole: ROLE_API_READ_ONLY
self:
label: "perm.self"
operations:
edit_infos:
label: "perm.self.edit_infos"
apiTokenRole: ROLE_API_FULL
edit_username:
label: "perm.self.edit_username"
apiTokenRole: ROLE_API_FULL
show_permissions:
label: "perm.self.show_permissions"
apiTokenRole: ROLE_API_READ_ONLY
show_logs:
label: "perm.self.show_logs"
apiTokenRole: ROLE_API_FULL
labels:
label: "perm.labels"
operations:
create_labels:
label: "perm.self.create_labels"
apiTokenRole: ROLE_API_READ_ONLY
edit_options:
label: "perm.self.edit_options"
alsoSet: ['create_labels']
apiTokenRole: ROLE_API_READ_ONLY
read_profiles:
label: "perm.self.read_profiles"
apiTokenRole: ROLE_API_READ_ONLY
edit_profiles:
label: "perm.self.edit_profiles"
alsoSet: ['read_profiles']
apiTokenRole: ROLE_API_EDIT
create_profiles:
label: "perm.self.create_profiles"
alsoSet: ['read_profiles', 'edit_profiles']
apiTokenRole: ROLE_API_EDIT
delete_profiles:
label: "perm.self.delete_profiles"
alsoSet: ['read_profiles', 'edit_profiles', 'create_profiles']
apiTokenRole: ROLE_API_EDIT
use_twig:
label: "perm.labels.use_twig"
alsoSet: ['create_labels', 'edit_options']
apiTokenRole: ROLE_API_ADMIN
show_history:
label: "perm.show_history"
alsoSet: ['read_profiles']
apiTokenRole: ROLE_API_READ_ONLY
revert_element:
label: "perm.revert_elements"
alsoSet: ['read_profiles', 'edit_profiles', 'create_profiles', 'delete_profiles']
apiTokenRole: ROLE_API_EDIT
api:
label: "perm.api"
operations:
access_api:
label: "perm.api.access_api"
apiTokenRole: ROLE_API_READ_ONLY
manage_tokens:
label: "perm.api.manage_tokens"
alsoSet: ['access_api']
alsoSet: ['access_api']
apiTokenRole: ROLE_API_FULL

1
src/Configuration/PermissionsConfiguration.php
View file

@ -55,6 +55,7 @@ final class PermissionsConfiguration implements ConfigurationInterface
->scalarNode('name')->end()
->scalarNode('label')->end()
->scalarNode('bit')->end()
->scalarNode('apiTokenRole')->defaultNull()->end()
->arrayNode('alsoSet')
->beforeNormalization()->castToArray()->end()->scalarPrototype()->end();

4
src/Entity/UserSystem/ApiTokenLevel.php
View file

@ -27,6 +27,7 @@ enum ApiTokenLevel: int
{
private const ROLE_READ_ONLY = 'ROLE_API_READ_ONLY';
private const ROLE_EDIT = 'ROLE_API_EDIT';
private const ROLE_ADMIN = 'ROLE_API_ADMIN';
private const ROLE_FULL = 'ROLE_API_FULL';
/**
@ -56,7 +57,8 @@ enum ApiTokenLevel: int
return match ($this) {
self::READ_ONLY => [self::ROLE_READ_ONLY],
self::EDIT => [self::ROLE_READ_ONLY, self::ROLE_EDIT],
self::FULL => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_FULL],
self::ADMIN => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_ADMIN],
self::FULL => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_ADMIN, self::ROLE_FULL],
};
}

20
src/Security/Voter/PermissionVoter.php
View file

@ -23,26 +23,28 @@ declare(strict_types=1);
namespace App\Security\Voter;
use App\Entity\UserSystem\User;
use App\Services\UserSystem\VoterHelper;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
/**
* This voter allows you to directly check permissions from the permission structure, without passing an object.
* This use the syntax like "@permission.op"
* However you should use the "normal" object based voters if possible, because they are needed for a future ACL system.
*/
class PermissionVoter extends ExtendedVoter
class PermissionVoter extends Voter
{
/**
* Similar to voteOnAttribute, but checking for the anonymous user is already done.
* The current user (or the anonymous user) is passed by $user.
*
* @param string $attribute
*/
protected function voteOnUser(string $attribute, $subject, User $user): bool
public function __construct(private readonly VoterHelper $helper)
{
}
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
{
$attribute = ltrim($attribute, '@');
[$perm, $op] = explode('.', $attribute);
return $this->resolver->inherit($user, $perm, $op) ?? false;
return $this->helper->isGranted($token, $perm, $op);
}
/**

37
src/Services/UserSystem/PermissionManager.php
View file

@ -28,6 +28,7 @@ use App\Entity\UserSystem\Group;
use App\Entity\UserSystem\User;
use App\Security\Interfaces\HasPermissionsInterface;
use InvalidArgumentException;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\Config\ConfigCache;
use Symfony\Component\Config\Definition\Processor;
use Symfony\Component\Config\Resource\FileResource;
@ -41,7 +42,7 @@ use Symfony\Component\Yaml\Yaml;
*/
class PermissionManager
{
protected $permission_structure;
protected array $permission_structure;
protected string $cache_file;
/**
@ -125,6 +126,40 @@ class PermissionManager
return null; //The inherited value is never resolved. Should be treated as false, in Voters.
}
/**
* Same as inherit(), but it checks if the access token has the required role.
* @param User $user the user for which the operation should be checked
* @param array $roles The roles associated with the authentication token
* @param string $permission the name of the permission for which should be checked
* @param string $operation the name of the operation for which should be checked
*
* @return bool|null true, if the user is allowed to do the operation (ALLOW), false if not (DISALLOW), and null,
* if the value is set to inherit
*/
public function inheritWithAPILevel(User $user, array $roles, string $permission, string $operation): ?bool
{
//Check that the permission/operation combination is valid
if (! $this->isValidOperation($permission, $operation)) {
throw new InvalidArgumentException('The permission/operation combination "'.$permission.'/'.$operation.'" is not valid!');
}
//Get what API level we require for the permission/operation
$level_role = $this->permission_structure['perms'][$permission]['operations'][$operation]['apiTokenRole'];
//When no role was set (or it is null), then the operation is blocked for API access
if (null === $level_role) {
return false;
}
//Otherwise check if the token has the required role, if not, then the operation is blocked for API access
if (!in_array($level_role, $roles, true)) {
return false;
}
//If we have the required role, then we can check the permission
return $this->inherit($user, $permission, $operation);
}
/**
* Sets the new value for the operation.
*

110
src/Services/UserSystem/VoterHelper.php Normal file
View file

@ -0,0 +1,110 @@
<?php
/*
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
declare(strict_types=1);
namespace App\Services\UserSystem;
use App\Entity\UserSystem\User;
use App\Repository\UserRepository;
use App\Security\ApiTokenAuthenticatedToken;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
final class VoterHelper
{
private readonly UserRepository $userRepository;
public function __construct(private readonly PermissionManager $permissionManager, private readonly EntityManagerInterface $entityManager)
{
$this->userRepository = $this->entityManager->getRepository(User::class);
}
/**
* Checks if the operation on the given permission is granted for the given token.
* Similar to isGrantedTrinary, but returns false if the permission is not granted.
* @param TokenInterface $token The token to check
* @param string $permission The permission to check
* @param string $operation The operation to check
* @return bool
*/
public function isGranted(TokenInterface $token, string $permission, string $operation): bool
{
return $this->isGrantedTrinary($token, $permission, $operation) ?? false;
}
/**
* Checks if the operation on the given permission is granted for the given token.
* The result is returned in trinary value, where null means inherted from the parent.
* @param TokenInterface $token The token to check
* @param string $permission The permission to check
* @param string $operation The operation to check
* @return bool|null The result of the check. Null means inherted from the parent.
*/
public function isGrantedTrinary(TokenInterface $token, string $permission, string $operation): ?bool
{
$user = $token->getUser();
if ($user instanceof User) {
//A disallowed user is not allowed to do anything...
if ($user->isDisabled()) {
return false;
}
} else {
//Try to resolve the user from the token
$user = $this->resolveUser($token);
}
//If the token is a APITokenAuthenticated
if ($token instanceof ApiTokenAuthenticatedToken) {
//Use the special API token checker
return $this->permissionManager->inheritWithAPILevel($user, $token->getRoleNames(), $permission, $operation);
}
//Otherwise use the normal permission checker
return $this->permissionManager->inherit($user, $permission, $operation);
}
/**
* Resolves the user from the given token. If the token is anonymous, the anonymous user is returned.
* @return User
*/
public function resolveUser(TokenInterface $token): User
{
$user = $token->getUser();
//If the user is a User entity, just return it
if ($user instanceof User) {
return $user;
}
//If the user is null, return the anonymous user
if ($user === null) {
$user = $this->userRepository->getAnonymousUser();
if (!$user instanceof User) {
throw new \RuntimeException('The anonymous user could not be resolved.');
}
return $user;
}
//Otherwise throw an exception
throw new \RuntimeException('The user could not be resolved.');
}
}

19
tests/Services/UserSystem/PermissionManagerTest.php
View file

@ -52,7 +52,11 @@ class PermissionManagerTest extends WebTestCase
->setPermissionValue('parts', 'edit', false) //edit
->setPermissionValue('parts', 'create', null) //create
->setPermissionValue('parts', 'move', null) //move
->setPermissionValue('parts', 'delete', null); //delete
->setPermissionValue('parts', 'delete', null) //delete
->setPermissionValue('footprints', 'edit', true)
->setPermissionValue('footprints', 'create', false)
;
$this->user = $this->createMock(User::class);
$this->user->method('getPermissions')->willReturn($user_perms);
@ -170,6 +174,19 @@ class PermissionManagerTest extends WebTestCase
$this->assertNull($this->service->inherit($this->user_withoutGroup, 'parts', 'delete'));
}
public function testInheritWithAPILevel(): void
{
//If no API roles are given, access should be prevented
$this->assertFalse($this->service->inheritWithAPILevel($this->user, [], 'parts', 'read'));
//Allow access with roles
$this->assertTrue($this->service->inheritWithAPILevel($this->user, ['ROLE_API_READ_ONLY', 'ROLE_API_FULL'], 'parts', 'read'));
//Block access if the token has not the sufficient level
$this->assertFalse($this->service->inheritWithAPILevel($this->user, ['ROLE_API_READ_ONLY'], 'footprints', 'edit'));
//And allow with role
$this->assertTrue($this->service->inheritWithAPILevel($this->user, ['ROLE_API_READ_ONLY', 'ROLE_API_EDIT'], 'footprints', 'edit'));
}
public function testSetPermission(): void
{
$user = new User();

133
tests/Services/UserSystem/VoterHelperTest.php Normal file
View file

@ -0,0 +1,133 @@
<?php
/*
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
namespace App\Tests\Services\UserSystem;
use App\Entity\UserSystem\ApiToken;
use App\Entity\UserSystem\ApiTokenLevel;
use App\Entity\UserSystem\PermissionData;
use App\Entity\UserSystem\User;
use App\Security\ApiTokenAuthenticatedToken;
use App\Services\UserSystem\VoterHelper;
use PHPUnit\Framework\TestCase;
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
use Symfony\Component\Security\Core\Authentication\Token\NullToken;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken;
class VoterHelperTest extends KernelTestCase
{
protected ?VoterHelper $service = null;
protected ?User $user = null;
protected function setUp(): void
{
//Get a service instance.
self::bootKernel();
$this->service = self::getContainer()->get(VoterHelper::class);
//Set up a mocked user
$user_perms = new PermissionData();
$user_perms->setPermissionValue('parts', 'read', true) //read
->setPermissionValue('parts', 'edit', false) //edit
->setPermissionValue('parts', 'create', null) //create
->setPermissionValue('parts', 'move', null) //move
->setPermissionValue('parts', 'delete', null) //delete
->setPermissionValue('footprints', 'edit', true)
->setPermissionValue('footprints', 'create', false)
;
$this->user = $this->createMock(User::class);
$this->user->method('getPermissions')->willReturn($user_perms);
}
public function testResolveUserAnonUser(): void
{
//If the user is null, the anonymous user should be returned.
$anonymousToken = new NullToken();
$this->assertNull($anonymousToken->getUser());
$user = $this->service->resolveUser($anonymousToken);
//Ensure that this is the anonymous user.
$this->assertNotNull($user);
$this->assertTrue($user->isAnonymousUser());
}
public function testResolveUser(): void
{
//For a token with a user, the user should be returned.
$token = new PostAuthenticationToken($this->user, 'main', ['ROLE_USER']);
$this->assertSame($this->user, $token->getUser());
$user = $this->service->resolveUser($token);
$this->assertSame($this->user, $user);
}
public function testIsGrantedTrinaryNonAPI(): void
{
//For a UserNamePasswordToken everything should work as expected.
$token = new UsernamePasswordToken($this->user, 'main');
$this->assertTrue($this->service->isGrantedTrinary($token, 'parts', 'read'));
$this->assertFalse($this->service->isGrantedTrinary($token, 'parts', 'edit'));
$this->assertNull($this->service->isGrantedTrinary($token, 'parts', 'create'));
}
public function testIsGrantedTrinaryReadOnlyAPI(): void
{
//Create a API token
$api_token = new ApiToken();
$api_token->setLevel(ApiTokenLevel::READ_ONLY)->setName('Test Token');
//Create an auth token
$token = new ApiTokenAuthenticatedToken($this->user, 'main', ['ROLE_USER'], $api_token);
//The permissions should be readonly
$this->assertTrue($this->service->isGrantedTrinary($token, 'parts', 'read'));
$this->assertFalse($this->service->isGrantedTrinary($token, 'parts', 'edit'));
$this->assertFalse($this->service->isGrantedTrinary($token, 'parts', 'create'));
$this->assertFalse($this->service->isGrantedTrinary($token, 'footprints', 'edit'));
}
public function testIsGrantedTrinaryAdminAPI(): void
{
//Create a API token
$api_token = new ApiToken();
$api_token->setLevel(ApiTokenLevel::FULL)->setName('Test Token');
//Create an auth token
$token = new ApiTokenAuthenticatedToken($this->user, 'main', ['ROLE_USER'], $api_token);
//The permissions should be readonly
$this->assertTrue($this->service->isGrantedTrinary($token, 'parts', 'read'));
$this->assertFalse($this->service->isGrantedTrinary($token, 'parts', 'edit'));
$this->assertNull($this->service->isGrantedTrinary($token, 'parts', 'create'));
$this->assertTrue($this->service->isGrantedTrinary($token, 'footprints', 'edit'));
}
public function testIsGrantedNonAPI(): void
{
//Same as testIsGrantedTrinaryNonAPI, but every non-true value should return false.
$token = new UsernamePasswordToken($this->user, 'main');
$this->assertTrue($this->service->isGranted($token, 'parts', 'read'));
$this->assertFalse($this->service->isGranted($token, 'parts', 'edit'));
$this->assertFalse($this->service->isGranted($token, 'parts', 'create'));
}
}