ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
ACL.php
Go to the documentation of this file.
1 <?php
2 
8 class sspmod_core_ACL {
9 
15  private $acl;
16 
17 
23  public function __construct($acl) {
24  assert(is_string($acl) || is_array($acl));
25 
26  if (is_string($acl)) {
27  $acl = self::getById($acl);
28  }
29 
30  foreach ($acl as $rule) {
31  if (!is_array($rule)) {
32  throw new SimpleSAML_Error_Exception('Invalid rule in access control list: ' . var_export($rule, TRUE));
33  }
34  if (count($rule) === 0) {
35  throw new SimpleSAML_Error_Exception('Empty rule in access control list.');
36  }
37 
38  $action = array_shift($rule);
39  if ($action !== 'allow' && $action !== 'deny') {
40  throw new SimpleSAML_Error_Exception('Invalid action in rule in access control list: ' . var_export($action, TRUE));
41  }
42 
43  }
44 
45  $this->acl = $acl;
46  }
47 
48 
55  private static function getById($id) {
56  assert(is_string($id));
57 
58  $config = SimpleSAML_Configuration::getOptionalConfig('acl.php');
59  if (!$config->hasValue($id)) {
60  throw new SimpleSAML_Error_Exception('No ACL with id ' . var_export($id, TRUE) . ' in config/acl.php.');
61  }
62 
63  return $config->getArray($id);
64  }
65 
66 
73  public function allows(array $attributes) {
74 
75  foreach ($this->acl as $rule) {
76  $action = array_shift($rule);
77 
78  if (!self::match($attributes, $rule)) {
79  continue;
80  }
81 
82  if ($action === 'allow') {
83  return TRUE;
84  } else {
85  return FALSE;
86  }
87  }
88  }
89 
90 
98  private static function match(array $attributes, array $rule) {
99 
100  $op = array_shift($rule);
101  if ($op === NULL) {
102  // An empty rule always matches
103  return TRUE;
104  }
105 
106  switch($op) {
107  case 'and':
108  return self::opAnd($attributes, $rule);
109  case 'equals':
110  return self::opEquals($attributes, $rule);
111  case 'equals-preg':
112  return self::opEqualsPreg($attributes, $rule);
113  case 'has':
114  return self::opHas($attributes, $rule);
115  case 'has-preg':
116  return self::opHasPreg($attributes, $rule);
117  case 'not':
118  return !self::match($attributes, $rule);
119  case 'or':
120  return self::opOr($attributes, $rule);
121  default:
122  throw new SimpleSAML_Error_Exception('Invalid ACL operation: ' . var_export($op, TRUE));
123  }
124  }
125 
126 
134  private static function opAnd($attributes, $rule) {
135 
136  foreach ($rule as $subRule) {
137  if (!self::match($attributes, $subRule)) {
138  return FALSE;
139  }
140  }
141 
142  // All matches
143  return TRUE;
144  }
145 
146 
154  private static function opEquals($attributes, $rule) {
155 
156  $attributeName = array_shift($rule);
157 
158  if (!array_key_exists($attributeName, $attributes)) {
159  $attributeValues = array();
160  } else {
161  $attributeValues = $attributes[$attributeName];
162  }
163 
164  foreach ($rule as $value) {
165  $found = FALSE;
166  foreach ($attributeValues as $i => $v) {
167  if ($value !== $v) {
168  continue;
169  }
170  unset($attributeValues[$i]);
171  $found = TRUE;
172  break;
173  }
174  if (!$found) {
175  return FALSE;
176  }
177  }
178  if (!empty($attributeValues)) {
179  /* One of the attribute values didn't match. */
180  return FALSE;
181  }
182 
183  /* All the values in the attribute matched one in the rule. */
184  return TRUE;
185  }
186 
187 
195  private static function opEqualsPreg($attributes, $rule) {
196 
197  $attributeName = array_shift($rule);
198 
199  if (!array_key_exists($attributeName, $attributes)) {
200  $attributeValues = array();
201  } else {
202  $attributeValues = $attributes[$attributeName];
203  }
204 
205  foreach ($rule as $pattern) {
206  $found = FALSE;
207  foreach ($attributeValues as $i => $v) {
208  if (!preg_match($pattern, $v)) {
209  continue;
210  }
211  unset($attributeValues[$i]);
212  $found = TRUE;
213  break;
214  }
215  if (!$found) {
216  return FALSE;
217  }
218  }
219 
220  if (!empty($attributeValues)) {
221  /* One of the attribute values didn't match. */
222  return FALSE;
223  }
224 
225  /* All the values in the attribute matched one in the rule. */
226  return TRUE;
227  }
228 
229 
237  private static function opHas($attributes, $rule) {
238 
239  $attributeName = array_shift($rule);
240 
241  if (!array_key_exists($attributeName, $attributes)) {
242  $attributeValues = array();
243  } else {
244  $attributeValues = $attributes[$attributeName];
245  }
246 
247  foreach ($rule as $value) {
248  if (!in_array($value, $attributeValues, TRUE)) {
249  return FALSE;
250  }
251  }
252 
253  /* Found all values in the rule in the attribute. */
254  return TRUE;
255  }
256 
257 
265  private static function opHasPreg($attributes, $rule) {
266 
267  $attributeName = array_shift($rule);
268 
269  if (!array_key_exists($attributeName, $attributes)) {
270  $attributeValues = array();
271  } else {
272  $attributeValues = $attributes[$attributeName];
273  }
274 
275  foreach ($rule as $pattern) {
276  $matches = preg_grep($pattern, $attributeValues);
277  if (count($matches) === 0) {
278  return FALSE;
279  }
280  }
281 
282  /* Found all values in the rule in the attribute. */
283  return TRUE;
284  }
285 
286 
294  private static function opOr($attributes, $rule) {
295 
296  foreach ($rule as $subRule) {
297  if (self::match($attributes, $subRule)) {
298  return TRUE;
299  }
300  }
301 
302  /* None matches. */
303  return FALSE;
304  }
305 
306 }
$config
$config
Definition: bootstrap.php:15
$action
$action
Definition: consentAdmin.php:140
sspmod_core_ACL\opEqualsPreg
static opEqualsPreg($attributes, $rule)
&#39;equals-preg&#39; match operator.
Definition: ACL.php:195
SimpleSAML_Error_Exception
Definition: Exception.php:12
$id
if(!array_key_exists('StateId', $_REQUEST)) $id
Definition: expirywarning.php:14
sspmod_core_ACL\opOr
static opOr($attributes, $rule)
&#39;or&#39; match operator.
Definition: ACL.php:294
sspmod_core_ACL\allows
allows(array $attributes)
Match the attributes against the access control list.
Definition: ACL.php:73
sspmod_core_ACL
Definition: ACL.php:8
sspmod_core_ACL\opHasPreg
static opHasPreg($attributes, $rule)
&#39;has-preg&#39; match operator.
Definition: ACL.php:265
sspmod_core_ACL\opAnd
static opAnd($attributes, $rule)
&#39;and&#39; match operator.
Definition: ACL.php:134
$rule
$rule
Definition: showstats.php:43
sspmod_core_ACL\$acl
$acl
Definition: ACL.php:15
sspmod_core_ACL\__construct
__construct($acl)
Initializer for this access control list.
Definition: ACL.php:23
$attributes
if(array_key_exists('yes', $_REQUEST)) $attributes
Definition: getconsent.php:85
sspmod_core_ACL\opHas
static opHas($attributes, $rule)
&#39;has&#39; match operator.
Definition: ACL.php:237
sspmod_core_ACL\opEquals
static opEquals($attributes, $rule)
&#39;equals&#39; match operator.
Definition: ACL.php:154
sspmod_core_ACL\match
static match(array $attributes, array $rule)
Match the attributes against the given rule.
Definition: ACL.php:98
$i
$i
Definition: disco.tpl.php:19
SimpleSAML_Configuration\getOptionalConfig
static getOptionalConfig($filename='config.php', $configSet='simplesaml')
Load a configuration file from a configuration set.
Definition: Configuration.php:267
sspmod_core_ACL\getById
static getById($id)
Retrieve an access control list with the given id.
Definition: ACL.php:55