AclMiddleware::checkPolicies() - Code Metrics - Inspection of "Code quality improvements" - Gixx/WebHemi - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 5c9096...cd0441 )

by Gabor

created 2016-11-25 14:10 UTC

AclMiddleware::checkPolicies() A

↳ Parent: AclMiddleware

Complexity

Conditions	3
Paths	3

Size

Total Lines	15
Code Lines	8

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
c	0
b	0
f	0
dl	0
loc	15
rs	9.4285
cc	3
eloc	8
nc	3
nop	3

<?php
/**
 * WebHemi.
 *
 * PHP version 5.6
 *
 * @copyright 2012 - 2016 Gixx-web (http://www.gixx-web.com)
 * @license   https://opensource.org/licenses/MIT The MIT License (MIT)
 *
 * @link      http://www.gixx-web.com
 */

namespace WebHemi\Middleware\Security;

use Exception;
use WebHemi\Adapter\Auth\AuthAdapterInterface;
use WebHemi\Adapter\Http\ResponseInterface;
use WebHemi\Adapter\Http\ServerRequestInterface;
use WebHemi\Application\EnvironmentManager;
use WebHemi\Auth\Result;
use WebHemi\Data\Coupler\UserToGroupCoupler;
use WebHemi\Data\Coupler\UserToPolicyCoupler;
use WebHemi\Data\Coupler\UserGroupToPolicyCoupler;
use WebHemi\Data\Entity\ApplicationEntity;
use WebHemi\Data\Entity\AccessManagement\PolicyEntity;
use WebHemi\Data\Entity\AccessManagement\ResourceEntity;
use WebHemi\Data\Entity\User\UserEntity;
use WebHemi\Data\Storage\AccessManagement\ResourceStorage;
use WebHemi\Data\Storage\ApplicationStorage;
use WebHemi\Middleware\MiddlewareInterface;
use WebHemi\Middleware\Action;

/**
 * Class AclMiddleware.
 */
class AclMiddleware implements MiddlewareInterface
{
    /** @var EnvironmentManager */
    private $environmentManager;
    /** @var AuthAdapterInterface */
    private $authAdapter;
    /** @var UserToPolicyCoupler */
    private $userToPolicyCoupler;
    /** @var UserToGroupCoupler */
    private $userToGroupCoupler;
    /** @var UserGroupToPolicyCoupler */
    private $userGroupToPolicyCoupler;
    private $applicationStorage;
    private $resourceStorage;
    /** @var array */
    private $middlewareWhiteList = [
        Action\Auth\LoginAction::class,
        Action\Auth\LogoutAction::class,
    ];

    /**
     * AclMiddleware constructor.
     * @param AuthAdapterInterface     $authAdapter
     * @param EnvironmentManager       $environmentManager
     * @param UserToPolicyCoupler      $userToPolicyCoupler
     * @param UserToGroupCoupler       $userToGroupCoupler
     * @param UserGroupToPolicyCoupler $userGroupToPolicyCoupler
     * @param ApplicationStorage       $applicationStorage
     * @param ResourceStorage          $resourceStorage
     */
    public function __construct(
        AuthAdapterInterface $authAdapter,
        EnvironmentManager $environmentManager,
        UserToPolicyCoupler $userToPolicyCoupler,
        UserToGroupCoupler $userToGroupCoupler,
        UserGroupToPolicyCoupler $userGroupToPolicyCoupler,
        ApplicationStorage $applicationStorage,
        ResourceStorage $resourceStorage
    ) {
        $this->authAdapter = $authAdapter;
        $this->environmentManager = $environmentManager;
        $this->userToPolicyCoupler = $userToPolicyCoupler;
        $this->userToGroupCoupler = $userToGroupCoupler;
        $this->userGroupToPolicyCoupler = $userGroupToPolicyCoupler;
        $this->applicationStorage = $applicationStorage;
        $this->resourceStorage = $resourceStorage;
    }

    /**
     * A middleware is a callable. It can do whatever is appropriate with the Request and Response objects.
     * The only hard requirement is that a middleware MUST return an instance of \Psr\Http\Message\ResponseInterface.
     * Each middleware SHOULD invoke the next middleware and pass it Request and Response objects as arguments.
     *
     * @param ServerRequestInterface $request
     * @param ResponseInterface      $response
     * @throws Exception
     * @return ResponseInterface
     */
    public function __invoke(ServerRequestInterface &$request, ResponseInterface $response)
    {
        $actionMiddleware = $request->getAttribute(ServerRequestInterface::REQUEST_ATTR_RESOLVED_ACTION_CLASS);
        $identity = false;

        if (in_array($actionMiddleware, $this->middlewareWhiteList)) {
            return $response;
        }

        if ($this->authAdapter->hasIdentity()) {
            $identity = $this->authAdapter->getIdentity();
        }

        if ($identity instanceof UserEntity) {
            $selectedApplication = $this->environmentManager->getSelectedApplication();
            /** @var ApplicationEntity $applicationEntity */
            $applicationEntity = $this->applicationStorage->getApplicationByName($selectedApplication);
            /** @var ResourceEntity $resourceEntity */
            $resourceEntity = $this->resourceStorage->getResourceByName($actionMiddleware);

            // First we check the group policies
            /** @var array<UserGroupEntity> $userGroups */
            $userGroups = $this->userToGroupCoupler->getEntityDependencies($identity);
            /** @var array<PolicyEntity> $userGroupPolicies */
            $userGroupPolicies = [];
            foreach ($userGroups as $userGroupEntity) {
                $groupPolicies = $this->userGroupToPolicyCoupler->getEntityDependencies($userGroupEntity);
                $userGroupPolicies = array_merge($userGroupPolicies, $groupPolicies);
            }
            $hasAccess = $this->checkPolicies($userGroupPolicies, $applicationEntity, $resourceEntity);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);

            // Then we check the personal policies
            /** @var array<PolicyEntity> $userPolicies */
            $userPolicies = $this->userToPolicyCoupler->getEntityDependencies($identity);
            $hasAccess = $hasAccess && $this->checkPolicies($userPolicies, $applicationEntity, $resourceEntity);

            if (!$hasAccess) {
                $response = $response->withStatus(ResponseInterface::STATUS_FORBIDDEN, 'Forbidden');
            }
        } else {
            $appUri = rtrim($this->environmentManager->getSelectedApplicationUri(), '/');
            $response = $response->withStatus(ResponseInterface::STATUS_REDIRECT, 'Found')
                ->withHeader('Location', $appUri.'/auth/login');
        }

        return $response;
    }

    /**
     * Checks policies for application and resource
     *
     * @param array<PolicyEntity>      $policies
     * @param ApplicationEntity|null   $applicationEntity
     * @param ResourceEntity|null      $resourceEntity
     * @return bool
     */
    private function checkPolicies(
        array $policies,
        ApplicationEntity $applicationEntity = null,
        ResourceEntity $resourceEntity = null
    ) {
        // We assume the best case: the user has access
        $hasAccess = true;

        /** @var PolicyEntity $policyEntity */
        foreach ($policies as $policyEntity) {
            $hasAccess = $hasAccess && $this->checkPolicy($policyEntity, $applicationEntity, $resourceEntity);
        }

        return $hasAccess;
    }

    /**
     * @param PolicyEntity           $policyEntity
     * @param ApplicationEntity|null $applicationEntity
     * @param ResourceEntity|null    $resourceEntity
     * @return bool
     */
    private function checkPolicy(
        PolicyEntity $policyEntity,
        ApplicationEntity $applicationEntity = null,
        ResourceEntity $resourceEntity = null
    ) {
        $applicationId = $applicationEntity ? $applicationEntity->getApplicationId() : null;
        $resourceId = $resourceEntity ? $resourceEntity->getResourceId() : null;
        $policyApplicationId = $policyEntity->getApplicationId();
        $policyResourceId = $policyEntity->getResourceId();

        // The user has access when:
        // - user has a policy that connected to the current application OR any application AND
        // - user has a policy that connected to the current resource OR any resource
        if (($policyApplicationId == null || $policyApplicationId == $applicationId)
            && ($policyResourceId == null || $policyResourceId == $resourceId)
        ) {
            return $policyEntity->getAllowed();
        }

        // At this point we know that the current policy doesn't belong to this application or resource, so no need
        // to block the user.
        return true;
    }
}


1			<?php
2			/**
3			* WebHemi.
4			*
5			* PHP version 5.6
6			*
7			* @copyright 2012 - 2016 Gixx-web (http://www.gixx-web.com)
8			* @license https://opensource.org/licenses/MIT The MIT License (MIT)
9			*
10			* @link http://www.gixx-web.com
11			*/
12
13			namespace WebHemi\Middleware\Security;
14
15			use Exception;
16			use WebHemi\Adapter\Auth\AuthAdapterInterface;
17			use WebHemi\Adapter\Http\ResponseInterface;
18			use WebHemi\Adapter\Http\ServerRequestInterface;
19			use WebHemi\Application\EnvironmentManager;
20			use WebHemi\Auth\Result;
21			use WebHemi\Data\Coupler\UserToGroupCoupler;
22			use WebHemi\Data\Coupler\UserToPolicyCoupler;
23			use WebHemi\Data\Coupler\UserGroupToPolicyCoupler;
24			use WebHemi\Data\Entity\ApplicationEntity;
25			use WebHemi\Data\Entity\AccessManagement\PolicyEntity;
26			use WebHemi\Data\Entity\AccessManagement\ResourceEntity;
27			use WebHemi\Data\Entity\User\UserEntity;
28			use WebHemi\Data\Storage\AccessManagement\ResourceStorage;
29			use WebHemi\Data\Storage\ApplicationStorage;
30			use WebHemi\Middleware\MiddlewareInterface;
31			use WebHemi\Middleware\Action;
32
33			/**
34			* Class AclMiddleware.
35			*/
36			class AclMiddleware implements MiddlewareInterface
37			{
38			/** @var EnvironmentManager */
39			private $environmentManager;
40			/** @var AuthAdapterInterface */
41			private $authAdapter;
42			/** @var UserToPolicyCoupler */
43			private $userToPolicyCoupler;
44			/** @var UserToGroupCoupler */
45			private $userToGroupCoupler;
46			/** @var UserGroupToPolicyCoupler */
47			private $userGroupToPolicyCoupler;
48			private $applicationStorage;
49			private $resourceStorage;
50			/** @var array */
51			private $middlewareWhiteList = [
52			Action\Auth\LoginAction::class,
53			Action\Auth\LogoutAction::class,
54			];
55
56			/**
57			* AclMiddleware constructor.
58			* @param AuthAdapterInterface $authAdapter
59			* @param EnvironmentManager $environmentManager
60			* @param UserToPolicyCoupler $userToPolicyCoupler
61			* @param UserToGroupCoupler $userToGroupCoupler
62			* @param UserGroupToPolicyCoupler $userGroupToPolicyCoupler
63			* @param ApplicationStorage $applicationStorage
64			* @param ResourceStorage $resourceStorage
65			*/
66			public function __construct(
67			AuthAdapterInterface $authAdapter,
68			EnvironmentManager $environmentManager,
69			UserToPolicyCoupler $userToPolicyCoupler,
70			UserToGroupCoupler $userToGroupCoupler,
71			UserGroupToPolicyCoupler $userGroupToPolicyCoupler,
72			ApplicationStorage $applicationStorage,
73			ResourceStorage $resourceStorage
74			) {
75			$this->authAdapter = $authAdapter;
76			$this->environmentManager = $environmentManager;
77			$this->userToPolicyCoupler = $userToPolicyCoupler;
78			$this->userToGroupCoupler = $userToGroupCoupler;
79			$this->userGroupToPolicyCoupler = $userGroupToPolicyCoupler;
80			$this->applicationStorage = $applicationStorage;
81			$this->resourceStorage = $resourceStorage;
82			}
83
84			/**
85			* A middleware is a callable. It can do whatever is appropriate with the Request and Response objects.
86			* The only hard requirement is that a middleware MUST return an instance of \Psr\Http\Message\ResponseInterface.
87			* Each middleware SHOULD invoke the next middleware and pass it Request and Response objects as arguments.
88			*
89			* @param ServerRequestInterface $request
90			* @param ResponseInterface $response
91			* @throws Exception
92			* @return ResponseInterface
93			*/
94			public function __invoke(ServerRequestInterface &$request, ResponseInterface $response)
95			{
96			$actionMiddleware = $request->getAttribute(ServerRequestInterface::REQUEST_ATTR_RESOLVED_ACTION_CLASS);
97			$identity = false;
98
99			if (in_array($actionMiddleware, $this->middlewareWhiteList)) {
100			return $response;
101			}
102
103			if ($this->authAdapter->hasIdentity()) {
104			$identity = $this->authAdapter->getIdentity();
105			}
106
107			if ($identity instanceof UserEntity) {
108			$selectedApplication = $this->environmentManager->getSelectedApplication();
109			/** @var ApplicationEntity $applicationEntity */
110			$applicationEntity = $this->applicationStorage->getApplicationByName($selectedApplication);
111			/** @var ResourceEntity $resourceEntity */
112			$resourceEntity = $this->resourceStorage->getResourceByName($actionMiddleware);
113
114			// First we check the group policies
115			/** @var array<UserGroupEntity> $userGroups */
116			$userGroups = $this->userToGroupCoupler->getEntityDependencies($identity);
117			/** @var array<PolicyEntity> $userGroupPolicies */
118			$userGroupPolicies = [];
119			foreach ($userGroups as $userGroupEntity) {
120			$groupPolicies = $this->userGroupToPolicyCoupler->getEntityDependencies($userGroupEntity);
121			$userGroupPolicies = array_merge($userGroupPolicies, $groupPolicies);
122			}
123			$hasAccess = $this->checkPolicies($userGroupPolicies, $applicationEntity, $resourceEntity);
			0 ignored issues – show Documentation introduced 2016-11-25 14:13 UTC by Report Bug Copy Issue Report `$userGroupPolicies` is of type `array<integer,object<Web...y\DataEntityInterface>>`, but the function expects a `array<integer,object<Web...nagement\PolicyEntity>>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
124
125			// Then we check the personal policies
126			/** @var array<PolicyEntity> $userPolicies */
127			$userPolicies = $this->userToPolicyCoupler->getEntityDependencies($identity);
128			$hasAccess = $hasAccess && $this->checkPolicies($userPolicies, $applicationEntity, $resourceEntity);
129
130			if (!$hasAccess) {
131			$response = $response->withStatus(ResponseInterface::STATUS_FORBIDDEN, 'Forbidden');
132			}
133			} else {
134			$appUri = rtrim($this->environmentManager->getSelectedApplicationUri(), '/');
135			$response = $response->withStatus(ResponseInterface::STATUS_REDIRECT, 'Found')
136			->withHeader('Location', $appUri.'/auth/login');
137			}
138
139			return $response;
140			}
141
142			/**
143			* Checks policies for application and resource
144			*
145			* @param array<PolicyEntity> $policies
146			* @param ApplicationEntity\|null $applicationEntity
147			* @param ResourceEntity\|null $resourceEntity
148			* @return bool
149			*/
150			private function checkPolicies(
151			array $policies,
152			ApplicationEntity $applicationEntity = null,
153			ResourceEntity $resourceEntity = null
154			) {
155			// We assume the best case: the user has access
156			$hasAccess = true;
157
158			/** @var PolicyEntity $policyEntity */
159			foreach ($policies as $policyEntity) {
160			$hasAccess = $hasAccess && $this->checkPolicy($policyEntity, $applicationEntity, $resourceEntity);
161			}
162
163			return $hasAccess;
164			}
165
166			/**
167			* @param PolicyEntity $policyEntity
168			* @param ApplicationEntity\|null $applicationEntity
169			* @param ResourceEntity\|null $resourceEntity
170			* @return bool
171			*/
172			private function checkPolicy(
173			PolicyEntity $policyEntity,
174			ApplicationEntity $applicationEntity = null,
175			ResourceEntity $resourceEntity = null
176			) {
177			$applicationId = $applicationEntity ? $applicationEntity->getApplicationId() : null;
178			$resourceId = $resourceEntity ? $resourceEntity->getResourceId() : null;
179			$policyApplicationId = $policyEntity->getApplicationId();
180			$policyResourceId = $policyEntity->getResourceId();
181
182			// The user has access when:
183			// - user has a policy that connected to the current application OR any application AND
184			// - user has a policy that connected to the current resource OR any resource
185			if (($policyApplicationId == null \|\| $policyApplicationId == $applicationId)
186			&& ($policyResourceId == null \|\| $policyResourceId == $resourceId)
187			) {
188			return $policyEntity->getAllowed();
189			}
190
191			// At this point we know that the current policy doesn't belong to this application or resource, so no need
192			// to block the user.
193			return true;
194			}
195			}
196

Gixx / WebHemi

Push — master ( 5c9096...cd0441 )

AclMiddleware::checkPolicies() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like