ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
ACL.php
Go to the documentation of this file.
1<?php
2
8class sspmod_core_ACL {
9
15 private $acl;
16
17
23 public function __construct($acl) {
24 assert('is_string($acl) || is_array($acl)');
25
26 if (is_string($acl)) {
27 $acl = self::getById($acl);
28 }
29
30 foreach ($acl as $rule) {
31 if (!is_array($rule)) {
32 throw new SimpleSAML_Error_Exception('Invalid rule in access control list: ' . var_export($rule, TRUE));
33 }
34 if (count($rule) === 0) {
35 throw new SimpleSAML_Error_Exception('Empty rule in access control list.');
36 }
37
38 $action = array_shift($rule);
39 if ($action !== 'allow' && $action !== 'deny') {
40 throw new SimpleSAML_Error_Exception('Invalid action in rule in access control list: ' . var_export($action, TRUE));
41 }
42
43 }
44
45 $this->acl = $acl;
46 }
47
48
55 private static function getById($id) {
56 assert('is_string($id)');
57
58 $config = SimpleSAML_Configuration::getOptionalConfig('acl.php');
59 if (!$config->hasValue($id)) {
60 throw new SimpleSAML_Error_Exception('No ACL with id ' . var_export($id, TRUE) . ' in config/acl.php.');
61 }
62
63 return $config->getArray($id);
64 }
65
66
73 public function allows(array $attributes) {
74
75 foreach ($this->acl as $rule) {
76 $action = array_shift($rule);
77
78 if (!self::match($attributes, $rule)) {
79 continue;
80 }
81
82 if ($action === 'allow') {
83 return TRUE;
84 } else {
85 return FALSE;
86 }
87 }
88 }
89
90
98 private static function match(array $attributes, array $rule) {
99
100 $op = array_shift($rule);
101 if ($op === NULL) {
102 // An empty rule always matches
103 return TRUE;
104 }
105
106 switch($op) {
107 case 'and':
108 return self::opAnd($attributes, $rule);
109 case 'equals':
110 return self::opEquals($attributes, $rule);
111 case 'equals-preg':
112 return self::opEqualsPreg($attributes, $rule);
113 case 'has':
114 return self::opHas($attributes, $rule);
115 case 'has-preg':
116 return self::opHasPreg($attributes, $rule);
117 case 'not':
118 return !self::match($attributes, $rule);
119 case 'or':
120 return self::opOr($attributes, $rule);
121 default:
122 throw new SimpleSAML_Error_Exception('Invalid ACL operation: ' . var_export($op, TRUE));
123 }
124 }
125
126
134 private static function opAnd($attributes, $rule) {
135
136 foreach ($rule as $subRule) {
137 if (!self::match($attributes, $subRule)) {
138 return FALSE;
139 }
140 }
141
142 // All matches
143 return TRUE;
144 }
145
146
154 private static function opEquals($attributes, $rule) {
155
156 $attributeName = array_shift($rule);
157
158 if (!array_key_exists($attributeName, $attributes)) {
159 $attributeValues = array();
160 } else {
161 $attributeValues = $attributes[$attributeName];
162 }
163
164 foreach ($rule as $value) {
165 $found = FALSE;
166 foreach ($attributeValues as $i => $v) {
167 if ($value !== $v) {
168 continue;
169 }
170 unset($attributeValues[$i]);
171 $found = TRUE;
172 break;
173 }
174 if (!$found) {
175 return FALSE;
176 }
177 }
178 if (!empty($attributeValues)) {
179 /* One of the attribute values didn't match. */
180 return FALSE;
181 }
182
183 /* All the values in the attribute matched one in the rule. */
184 return TRUE;
185 }
186
187
195 private static function opEqualsPreg($attributes, $rule) {
196
197 $attributeName = array_shift($rule);
198
199 if (!array_key_exists($attributeName, $attributes)) {
200 $attributeValues = array();
201 } else {
202 $attributeValues = $attributes[$attributeName];
203 }
204
205 foreach ($rule as $pattern) {
206 $found = FALSE;
207 foreach ($attributeValues as $i => $v) {
208 if (!preg_match($pattern, $v)) {
209 continue;
210 }
211 unset($attributeValues[$i]);
212 $found = TRUE;
213 break;
214 }
215 if (!$found) {
216 return FALSE;
217 }
218 }
219
220 if (!empty($attributeValues)) {
221 /* One of the attribute values didn't match. */
222 return FALSE;
223 }
224
225 /* All the values in the attribute matched one in the rule. */
226 return TRUE;
227 }
228
229
237 private static function opHas($attributes, $rule) {
238
239 $attributeName = array_shift($rule);
240
241 if (!array_key_exists($attributeName, $attributes)) {
242 $attributeValues = array();
243 } else {
244 $attributeValues = $attributes[$attributeName];
245 }
246
247 foreach ($rule as $value) {
248 if (!in_array($value, $attributeValues, TRUE)) {
249 return FALSE;
250 }
251 }
252
253 /* Found all values in the rule in the attribute. */
254 return TRUE;
255 }
256
257
265 private static function opHasPreg($attributes, $rule) {
266
267 $attributeName = array_shift($rule);
268
269 if (!array_key_exists($attributeName, $attributes)) {
270 $attributeValues = array();
271 } else {
272 $attributeValues = $attributes[$attributeName];
273 }
274
275 foreach ($rule as $pattern) {
276 $matches = preg_grep($pattern, $attributeValues);
277 if (count($matches) === 0) {
278 return FALSE;
279 }
280 }
281
282 /* Found all values in the rule in the attribute. */
283 return TRUE;
284 }
285
286
294 private static function opOr($attributes, $rule) {
295
296 foreach ($rule as $subRule) {
297 if (self::match($attributes, $subRule)) {
298 return TRUE;
299 }
300 }
301
302 /* None matches. */
303 return FALSE;
304 }
305
306}
php
An exception for terminatinating execution or to throw for unit testing.
SimpleSAML_Configuration\getOptionalConfig
static getOptionalConfig($filename='config.php', $configSet='simplesaml')
Load a configuration file from a configuration set.
Definition: Configuration.php:239
SimpleSAML_Error_Exception
Definition: Exception.php:13
sspmod_core_ACL
Definition: ACL.php:8
sspmod_core_ACL\opEqualsPreg
static opEqualsPreg($attributes, $rule)
'equals-preg' match operator.
Definition: ACL.php:195
sspmod_core_ACL\$acl
$acl
Definition: ACL.php:15
sspmod_core_ACL\getById
static getById($id)
Retrieve an access control list with the given id.
Definition: ACL.php:55
sspmod_core_ACL\opHas
static opHas($attributes, $rule)
'has' match operator.
Definition: ACL.php:237
sspmod_core_ACL\__construct
__construct($acl)
Initializer for this access control list.
Definition: ACL.php:23
sspmod_core_ACL\allows
allows(array $attributes)
Match the attributes against the access control list.
Definition: ACL.php:73
sspmod_core_ACL\match
static match(array $attributes, array $rule)
Match the attributes against the given rule.
Definition: ACL.php:98
sspmod_core_ACL\opEquals
static opEquals($attributes, $rule)
'equals' match operator.
Definition: ACL.php:154
sspmod_core_ACL\opAnd
static opAnd($attributes, $rule)
'and' match operator.
Definition: ACL.php:134
sspmod_core_ACL\opHasPreg
static opHasPreg($attributes, $rule)
'has-preg' match operator.
Definition: ACL.php:265
sspmod_core_ACL\opOr
static opOr($attributes, $rule)
'or' match operator.
Definition: ACL.php:294
$action
$action
Definition: consentAdmin.php:126
$i
$i
Definition: disco.tpl.php:19
$id
if(!array_key_exists('StateId', $_REQUEST)) $id
Definition: expirywarning.php:14
$attributes
$attributes
Definition: serviceValidate.php:33
$rule
$rule
Definition: showstats.php:43