<?php
namespace SimpleSAML\Module\statistics;
use SimpleSAML\Configuration;
use SimpleSAML\Logger;
use SimpleSAML\Utils\Auth;
/**
* Class implementing the access checker function for the statistics module.
*
* @package SimpleSAMLphp
*/
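class AccessCheck
{
    /**
     * Check that the user has access to the statistics.
     * If the user doesn't have access, send the user to the login page.
     *
     * Access is granted, in order, when the module is not 'protected', when the
     * current user is a SimpleSAMLphp admin, when the user's ID attribute value
     * is listed in 'allowedUsers', or when the configured 'acl' allows the
     * user's attributes. Otherwise an exception is thrown.
     *
     * @param \SimpleSAML\Configuration $statconfig The statistics module configuration.
     * @return void
     * @throws \Exception If the user ID attribute is missing from the authenticated user's attributes.
     * @throws \SimpleSAML\Error\Exception If the 'acl' option is malformed, or access is denied.
     */
    public static function checkAccess(Configuration $statconfig)
    {
        $protected = $statconfig->getBoolean('protected', false);
        $authsource = $statconfig->getString('auth', null);
        $allowedusers = $statconfig->getValue('allowedUsers', null);
        $useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
        $acl = $statconfig->getValue('acl', null);

        // Validate the 'acl' option even when the module is unprotected, so a
        // configuration mistake surfaces immediately rather than only once
        // protection is switched on.
        if ($acl !== null && !is_string($acl) && !is_array($acl)) {
            throw new \SimpleSAML\Error\Exception('Invalid value for \'acl\'-option. Should be an array or a string.');
        }

        if (!$protected) {
            return;
        }

        if (Auth::isAdmin()) {
            // User logged in as admin. OK.
            Logger::debug('Statistics auth - logged in as admin, access granted');
            return;
        }

        if (!isset($authsource)) {
            // If authsource is not defined, init admin login.
            Auth::requireAdmin();
            // If requireAdmin() returns, treat the user as admin and stop here;
            // falling through would construct an auth source from a null name.
            return;
        }

        // We are using an authsource for login.
        $as = new \SimpleSAML\Auth\Simple($authsource);
        $as->requireAuth();

        // User logged in with auth source.
        Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');

        // Retrieving attributes
        $attributes = $as->getAttributes();

        if (!empty($allowedusers)) {
            // Check if userid exists
            if (!isset($attributes[$useridattr][0])) {
                throw new \Exception('User ID is missing');
            }

            // Check if userid is allowed access. Strict comparison so a numeric
            // ID cannot loosely match an unrelated entry in the list.
            $userid = $attributes[$useridattr][0];
            if (in_array($userid, $allowedusers, true)) {
                Logger::debug(
                    'Statistics auth - User granted access by user ID [' . $userid . ']'
                );
                return;
            }
            Logger::debug(
                'Statistics auth - User denied access by user ID [' . $userid . ']'
            );
        } else {
            Logger::debug('Statistics auth - no allowedUsers list.');
        }

        if (!is_null($acl)) {
            $acl = new \SimpleSAML\Module\core\ACL($acl);
            if ($acl->allows($attributes)) {
                Logger::debug('Statistics auth - allowed access by ACL.');
                return;
            }
            Logger::debug('Statistics auth - denied access by ACL.');
        } else {
            Logger::debug('Statistics auth - no ACL configured.');
        }

        // Neither the allowedUsers list nor the ACL granted access.
        throw new \SimpleSAML\Error\Exception('Access denied to the current user.');
    }
}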