1: <?php
  2: /**
  3:  * PHP configuration based AclInterface implementation
  4:  *
  5:  * PHP 5
  6:  *
  7:  * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
  8:  * Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
  9:  *
 10:  * Licensed under The MIT License
 11:  * Redistributions of files must retain the above copyright notice.
 12:  *
 13:  * @copyright     Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
 14:  * @link          http://cakephp.org CakePHP(tm) Project
 15:  * @package       Cake.Controller.Component.Acl
 16:  * @since         CakePHP(tm) v 2.1
 17:  * @license       MIT License (http://www.opensource.org/licenses/mit-license.php)
 18:  */
 19: 
 20: /**
 21:  * PhpAcl implements an access control system using a plain PHP configuration file. 
 22:  * An example file can be found in app/Config/acl.php
 23:  *
 24:  * @package Cake.Controller.Component.Acl
 25:  */
 26: class PhpAcl extends Object implements AclInterface {
 27: 
 28:     const DENY = false;
 29:     const ALLOW = true;
 30: 
 31: /**
 32:  * Options:
 33:  *  - policy: determines behavior of the check method. Deny policy needs explicit allow rules, allow policy needs explicit deny rules
 34:  *  - config: absolute path to config file that contains the acl rules (@see app/Config/acl.php)
 35:  *
 36:  * @var array
 37:  */
 38:     public $options = array();
 39: 
 40: /**
 41:  * Aro Object
 42:  *
 43:  * @var PhpAro
 44:  */
 45:     public $Aro = null;
 46: 
 47: /**
 48:  * Aco Object
 49:  * 
 50:  * @var PhpAco
 51:  */
 52:     public $Aco = null;
 53: 
 54: /**
 55:  * Constructor
 56:  *
 57:  * Sets a few default settings up.
 58:  */
 59:     public function __construct() {
 60:         $this->options = array(
 61:             'policy' => self::DENY,
 62:             'config' => APP . 'Config' . DS . 'acl.php',
 63:         );
 64:     }
 65: 
 66: /**
 67:  * Initialize method
 68:  * 
 69:  * @param AclComponent $Component Component instance 
 70:  * @return void
 71:  */
 72:     public function initialize(Component $Component) {
 73:         if (!empty($Component->settings['adapter'])) {
 74:             $this->options = array_merge($this->options, $Component->settings['adapter']);
 75:         }
 76: 
 77:         App::uses('PhpReader', 'Configure');
 78:         $Reader = new PhpReader(dirname($this->options['config']) . DS);
 79:         $config = $Reader->read(basename($this->options['config']));
 80:         $this->build($config);
 81:         $Component->Aco = $this->Aco;
 82:         $Component->Aro = $this->Aro;
 83:     }
 84: 
 85: /**
 86:  * build and setup internal ACL representation
 87:  *
 88:  * @param array $config configuration array, see docs
 89:  * @return void
 90:  * @throws AclException When required keys are missing.
 91:  */
 92:     public function build(array $config) {
 93:         if (empty($config['roles'])) {
 94:             throw new AclException(__d('cake_dev','"roles" section not found in configuration.'));
 95:         }
 96: 
 97:         if (empty($config['rules']['allow']) && empty($config['rules']['deny'])) {
 98:             throw new AclException(__d('cake_dev','Neither "allow" nor "deny" rules were provided in configuration.'));
 99:         }
100: 
101:         $rules['allow'] = !empty($config['rules']['allow']) ? $config['rules']['allow'] : array();
102:         $rules['deny'] = !empty($config['rules']['deny']) ? $config['rules']['deny'] : array();
103:         $roles = !empty($config['roles']) ? $config['roles'] : array();
104:         $map = !empty($config['map']) ? $config['map'] : array();
105:         $alias = !empty($config['alias']) ? $config['alias'] : array();
106: 
107:         $this->Aro = new PhpAro($roles, $map, $alias);
108:         $this->Aco = new PhpAco($rules);
109:     }
110: 
111: /**
112:  * No op method, allow cannot be done with PhpAcl
113:  *
114:  * @param string $aro ARO The requesting object identifier.
115:  * @param string $aco ACO The controlled object identifier.
116:  * @param string $action Action (defaults to *)
117:  * @return boolean Success
118:  */
119:     public function allow($aro, $aco, $action = "*") {
120:         return $this->Aco->access($this->Aro->resolve($aro), $aco, $action, 'allow');
121:     }
122: 
123: /**
124:  * deny ARO access to ACO
125:  *
126:  * @param string $aro ARO The requesting object identifier.
127:  * @param string $aco ACO The controlled object identifier.
128:  * @param string $action Action (defaults to *)
129:  * @return boolean Success
130:  */
131:     public function deny($aro, $aco, $action = "*") {
132:         return $this->Aco->access($this->Aro->resolve($aro), $aco, $action, 'deny');
133:     }
134: 
135: /**
136:  * No op method
137:  *
138:  * @param string $aro ARO The requesting object identifier.
139:  * @param string $aco ACO The controlled object identifier.
140:  * @param string $action Action (defaults to *)
141:  * @return boolean Success
142:  */
143:     public function inherit($aro, $aco, $action = "*") {
144:         return false;
145:     }
146: 
147: /**
148:  * Main ACL check function. Checks to see if the ARO (access request object) has access to the
149:  * ACO (access control object).
150:  *
151:  * @param string $aro ARO
152:  * @param string $aco ACO
153:  * @param string $action Action
154:  * @return boolean true if access is granted, false otherwise
155:  */
156:     public function check($aro, $aco, $action = "*") {
157:         $allow = $this->options['policy'];
158:         $prioritizedAros = $this->Aro->roles($aro);
159: 
160:         if ($action && $action != "*") {
161:             $aco .= '/' . $action;
162:         }
163: 
164:         $path = $this->Aco->path($aco);
165: 
166:         if (empty($path)) {
167:             return $allow;
168:         }
169: 
170:         foreach ($path as $depth => $node) {
171:             foreach ($prioritizedAros as $aros) {
172:                 if (!empty($node['allow'])) {
173:                     $allow = $allow || count(array_intersect($node['allow'], $aros)) > 0;
174:                 }
175: 
176:                 if (!empty($node['deny'])) {
177:                     $allow = $allow && count(array_intersect($node['deny'], $aros)) == 0;
178:                 }
179:             }
180:         }
181: 
182:         return $allow;
183:     }
184: 
185: }
186: 
187: /**
188:  * Access Control Object
189:  *
190:  */
191: class PhpAco {
192: 
193: /**
194:  * holds internal ACO representation
195:  *
196:  * @var array
197:  */
198:     protected $_tree = array();
199: 
200: /**
201:  * map modifiers for ACO paths to their respective PCRE pattern
202:  * 
203:  * @var array
204:  */
205:     public static $modifiers = array(
206:         '*' => '.*',
207:     );
208: 
209:     public function __construct(array $rules = array()) {
210:         foreach (array('allow', 'deny') as $type) {
211:             if (empty($rules[$type])) {
212:                 $rules[$type] = array();
213:             }
214:         }
215: 
216:         $this->build($rules['allow'], $rules['deny']);
217:     }
218: 
219: /**
220:  * return path to the requested ACO with allow and deny rules attached on each level
221:  *
222:  * @return array
223:  */
224:     public function path($aco) {
225:         $aco = $this->resolve($aco);
226:         $path = array();
227:         $level = 0;
228:         $root = $this->_tree;
229:         $stack = array(array($root, 0));
230: 
231:         while (!empty($stack)) {
232:             list($root, $level) = array_pop($stack);
233: 
234:             if (empty($path[$level])) {
235:                 $path[$level] = array();
236:             }
237: 
238:             foreach ($root as $node => $elements) {
239:                 $pattern = '/^' . str_replace(array_keys(self::$modifiers), array_values(self::$modifiers), $node) . '$/';
240: 
241:                 if ($node == $aco[$level] || preg_match($pattern, $aco[$level])) {
242:                     // merge allow/denies with $path of current level
243:                     foreach (array('allow', 'deny') as $policy) {
244:                         if (!empty($elements[$policy])) {
245:                             if (empty($path[$level][$policy])) {
246:                                 $path[$level][$policy] = array();
247:                             }
248:                             $path[$level][$policy] = array_merge($path[$level][$policy], $elements[$policy]);
249:                         }
250:                     }
251: 
252:                     // traverse
253:                     if (!empty($elements['children']) && isset($aco[$level + 1])) {
254:                         array_push($stack, array($elements['children'], $level + 1));
255:                     }
256:                 }
257:             }
258:         }
259: 
260:         return $path;
261:     }
262: 
263: /**
264:  * allow/deny ARO access to ARO
265:  *
266:  * @return void 
267:  */
268:     public function access($aro, $aco, $action, $type = 'deny') {
269:         $aco = $this->resolve($aco);
270:         $depth = count($aco);
271:         $root = $this->_tree;
272:         $tree = &$root;
273: 
274:         foreach ($aco as $i => $node) {
275:             if (!isset($tree[$node])) {
276:                 $tree[$node]  = array(
277:                     'children' => array(),
278:                 );
279:             }
280: 
281:             if ($i < $depth - 1) {
282:                 $tree = &$tree[$node]['children'];
283:             } else {
284:                 if (empty($tree[$node][$type])) {
285:                     $tree[$node][$type] = array();
286:                 }
287: 
288:                 $tree[$node][$type] = array_merge(is_array($aro) ? $aro : array($aro), $tree[$node][$type]);
289:             }
290:         }
291: 
292:         $this->_tree = &$root;
293:     }
294: 
295: /**
296:  * resolve given ACO string to a path
297:  *
298:  * @param string $aco ACO string
299:  * @return array path
300:  */
301:     public function resolve($aco) {
302:         if (is_array($aco)) {
303:             return array_map('strtolower', $aco);
304:         }
305: 
306:         // strip multiple occurences of '/'
307:         $aco = preg_replace('#/+#', '/', $aco);
308:         // make case insensitive
309:         $aco = ltrim(strtolower($aco), '/');
310:         return array_filter(array_map('trim', explode('/', $aco)));
311:     }
312: 
313: /**
314:  * build a tree representation from the given allow/deny informations for ACO paths
315:  *
316:  * @param array $allow ACO allow rules
317:  * @param array $deny ACO deny rules
318:  * @return void 
319:  */
320:     public function build(array $allow, array $deny = array()) {
321:         $stack = array();
322:         $this->_tree = array();
323:         $tree = array();
324:         $root = &$tree;
325: 
326:         foreach ($allow as $dotPath => $aros) {
327:             if (is_string($aros)) {
328:                 $aros = array_map('trim', explode(',', $aros));
329:             }
330: 
331:             $this->access($aros, $dotPath, null, 'allow');
332:         }
333: 
334:         foreach ($deny as $dotPath => $aros) {
335:             if (is_string($aros)) {
336:                 $aros = array_map('trim', explode(',', $aros));
337:             }
338: 
339:             $this->access($aros, $dotPath, null, 'deny');
340:         }
341:     }
342: 
343: }
344: 
345: /**
346:  * Access Request Object
347:  *
348:  */
349: class PhpAro {
350: 
351: /**
352:  * role to resolve to when a provided ARO is not listed in 
353:  * the internal tree
354:  *
355:  * @var string
356:  */
357:     const DEFAULT_ROLE = 'Role/default';
358: 
359: /**
360:  * map external identifiers. E.g. if
361:  *
362:  * array('User' => array('username' => 'jeff', 'role' => 'editor')) 
363:  *
364:  * is passed as an ARO to one of the methods of AclComponent, PhpAcl 
365:  * will check if it can be resolved to an User or a Role defined in the
366:  * configuration file. 
367:  * 
368:  * @var array
369:  * @see app/Config/acl.php
370:  */
371:     public $map = array(
372:         'User' => 'User/username',
373:         'Role' => 'User/role',
374:     );
375: 
376: /**
377:  * aliases to map
378:  * 
379:  * @var array
380:  */
381:     public $aliases = array();
382: 
383: /**
384:  * internal ARO representation
385:  *
386:  * @var array
387:  */
388:     protected $_tree = array();
389: 
390:     public function __construct(array $aro = array(), array $map = array(), array $aliases = array()) {
391:         if (!empty($map)) {
392:             $this->map = $map;
393:         }
394: 
395:         $this->aliases = $aliases;
396:         $this->build($aro);
397:     }
398: 
399: /**
400:  * From the perspective of the given ARO, walk down the tree and
401:  * collect all inherited AROs levelwise such that AROs from different
402:  * branches with equal distance to the requested ARO will be collected at the same
403:  * index. The resulting array will contain a prioritized list of (list of) roles ordered from 
404:  * the most distant AROs to the requested one itself.
405:  * 
406:  * @param mixed $aro An ARO identifier
407:  * @return array prioritized AROs
408:  */
409:     public function roles($aro) {
410:         $aros = array();
411:         $aro = $this->resolve($aro);
412:         $stack = array(array($aro, 0));
413: 
414:         while (!empty($stack)) {
415:             list($element, $depth) = array_pop($stack);
416:             $aros[$depth][] = $element;
417: 
418:             foreach ($this->_tree as $node => $children) {
419:                 if (in_array($element, $children)) {
420:                     array_push($stack, array($node, $depth + 1));
421:                 }
422:             }
423:         }
424: 
425:         return array_reverse($aros);
426:     }
427: 
428: /**
429:  * resolve an ARO identifier to an internal ARO string using
430:  * the internal mapping information. 
431:  *
432:  * @param mixed $aro ARO identifier (User.jeff, array('User' => ...), etc)
433:  * @return string internal aro string (e.g. User/jeff, Role/default)
434:  */
435:     public function resolve($aro) {
436:         foreach ($this->map as $aroGroup => $map) {
437:             list ($model, $field) = explode('/', $map, 2);
438:             $mapped = '';
439: 
440:             if (is_array($aro)) {
441:                 if (isset($aro['model']) && isset($aro['foreign_key']) && $aro['model'] == $aroGroup) {
442:                     $mapped = $aroGroup . '/' . $aro['foreign_key'];
443:                 } elseif (isset($aro[$model][$field])) {
444:                     $mapped = $aroGroup . '/' . $aro[$model][$field];
445:                 } elseif (isset($aro[$field])) {
446:                     $mapped = $aroGroup . '/' . $aro[$field];
447:                 }
448:             } elseif (is_string($aro)) {
449:                 $aro = ltrim($aro, '/');
450: 
451:                 if (strpos($aro, '/') === false) {
452:                     $mapped = $aroGroup . '/' . $aro;
453:                 } else {
454:                     list($aroModel, $aroValue) = explode('/', $aro, 2);
455: 
456:                     $aroModel = Inflector::camelize($aroModel);
457: 
458:                     if ($aroModel == $model || $aroModel == $aroGroup) {
459:                         $mapped = $aroGroup . '/' . $aroValue;
460:                     }
461:                 }
462:             }
463: 
464:             if (isset($this->_tree[$mapped])) {
465:                 return $mapped;
466:             }
467: 
468:             // is there a matching alias defined (e.g. Role/1 => Role/admin)?
469:             if (!empty($this->aliases[$mapped])) {
470:                 return $this->aliases[$mapped];
471:             }
472:         }
473:         return self::DEFAULT_ROLE;
474:     }
475: 
476: /**
477:  * adds a new ARO to the tree
478:  *
479:  * @param array $aro one or more ARO records
480:  * @return void
481:  */
482:     public function addRole(array $aro) {
483:         foreach ($aro as $role => $inheritedRoles) {
484:             if (!isset($this->_tree[$role])) {
485:                 $this->_tree[$role] = array();
486:             }
487: 
488:             if (!empty($inheritedRoles)) {
489:                 if (is_string($inheritedRoles)) {
490:                     $inheritedRoles = array_map('trim', explode(',', $inheritedRoles));
491:                 }
492: 
493:                 foreach ($inheritedRoles as $dependency) {
494:                     // detect cycles
495:                     $roles = $this->roles($dependency);
496: 
497:                     if (in_array($role, Set::flatten($roles))) {
498:                         $path = '';
499: 
500:                         foreach ($roles as $roleDependencies) {
501:                             $path .= implode('|', (array)$roleDependencies) . ' -> ';
502:                         }
503: 
504:                         trigger_error(__d('cake_dev', 'cycle detected when inheriting %s from %s. Path: %s', $role, $dependency, $path . $role));
505:                         continue;
506:                     }
507: 
508:                     if (!isset($this->_tree[$dependency])) {
509:                         $this->_tree[$dependency] = array();
510:                     }
511: 
512:                     $this->_tree[$dependency][] = $role;
513:                 }
514:             }
515:         }
516:     }
517: 
518: /**
519:  * adds one or more aliases to the internal map. Overwrites existing entries.
520:  *
521:  * @param array $alias alias from => to (e.g. Role/13 -> Role/editor)
522:  * @return void
523:  */
524:     public  function addAlias(array $alias) {
525:         $this->aliases = array_merge($this->aliases, $alias);
526:     }
527: 
528: /**
529:  * build an ARO tree structure for internal processing
530:  *
531:  * @param array $aros array of AROs as key and their inherited AROs as values
532:  * @return void 
533:  */
534:     public function build(array $aros) {
535:         $this->_tree = array();
536:         $this->addRole($aros);
537:     }
538: 
539: }
540: