File: AccessCheck.php

package info (click to toggle)
simplesamlphp 1.16.3-1%2Bdeb10u2
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 21,036 kB
  • sloc: php: 73,175; ansic: 875; sh: 83; perl: 82; xml: 52; makefile: 46
file content (81 lines) | stat: -rw-r--r-- 2,987 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 
<?php

/**
 * Class implementing the access checker function for the statistics module.
 *
 * @package SimpleSAMLphp
 */
class sspmod_statistics_AccessCheck
{
    /**
     * Check that the user has access to the statistics.
     *
     * If the user doesn't have access, send the user to the login page.
     */
    public static function checkAccess(SimpleSAML_Configuration $statconfig)
    {
        $protected = $statconfig->getBoolean('protected', false);
        $authsource = $statconfig->getString('auth', null);
        $allowedusers = $statconfig->getValue('allowedUsers', null);
        $useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');

        $acl = $statconfig->getValue('acl', null);
        if ($acl !== null && !is_string($acl) && !is_array($acl)) {
            throw new SimpleSAML_Error_Exception('Invalid value for \'acl\'-option. Should be an array or a string.');
        }

        if (!$protected) {
            return;
        }

        if (SimpleSAML\Utils\Auth::isAdmin()) {
            // User logged in as admin. OK.
            SimpleSAML\Logger::debug('Statistics auth - logged in as admin, access granted');
            return;
        }

        if (!isset($authsource)) {
            // If authsource is not defined, init admin login.
            SimpleSAML\Utils\Auth::requireAdmin();
        }

        // We are using an authsource for login.

        $as = new \SimpleSAML\Auth\Simple($authsource);
        $as->requireAuth();

        // User logged in with auth source.
        SimpleSAML\Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');

        // Retrieving attributes
        $attributes = $as->getAttributes();

        if (!empty($allowedusers)) {
            // Check if userid exists
            if (!isset($attributes[$useridattr][0])) {
                throw new Exception('User ID is missing');
            }

            // Check if userid is allowed access..
            if (in_array($attributes[$useridattr][0], $allowedusers, true)) {
                SimpleSAML\Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
                return;
            }
            SimpleSAML\Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
        } else {
            SimpleSAML\Logger::debug('Statistics auth - no allowedUsers list.');
        }

        if (!is_null($acl)) {
            $acl = new sspmod_core_ACL($acl);
            if ($acl->allows($attributes)) {
                SimpleSAML\Logger::debug('Statistics auth - allowed access by ACL.');
                return;
            }
            SimpleSAML\Logger::debug('Statistics auth - denied access by ACL.');
        } else {
            SimpleSAML\Logger::debug('Statistics auth - no ACL configured.');
        }
        throw new SimpleSAML_Error_Exception('Access denied to the current user.');
    }
}