2016-02-14 23:20:10 +05:30
|
|
|
|
<?php
|
2016-11-27 03:13:42 +05:30
|
|
|
|
namespace api\components\OAuth2\Storage;
|
2016-02-14 23:20:10 +05:30
|
|
|
|
|
2016-12-18 04:50:53 +05:30
|
|
|
|
use api\components\OAuth2\Entities\ClientEntity;
|
2016-11-27 03:13:42 +05:30
|
|
|
|
use api\components\OAuth2\Entities\ScopeEntity;
|
2017-09-19 22:36:16 +05:30
|
|
|
|
use Assert\Assert;
|
|
|
|
|
use common\rbac\Permissions as P;
|
2016-02-14 23:20:10 +05:30
|
|
|
|
use League\OAuth2\Server\Storage\AbstractStorage;
|
|
|
|
|
use League\OAuth2\Server\Storage\ScopeInterface;
|
|
|
|
|
|
|
|
|
|
class ScopeStorage extends AbstractStorage implements ScopeInterface {
|
|
|
|
|
|
2017-09-19 22:36:16 +05:30
|
|
|
|
public const OFFLINE_ACCESS = 'offline_access';
|
|
|
|
|
|
|
|
|
|
private const PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS = [
|
|
|
|
|
'account_info' => P::OBTAIN_OWN_ACCOUNT_INFO,
|
|
|
|
|
'account_email' => P::OBTAIN_ACCOUNT_EMAIL,
|
|
|
|
|
'account_block' => P::BLOCK_ACCOUNT,
|
|
|
|
|
'internal_account_info' => P::OBTAIN_EXTENDED_ACCOUNT_INFO,
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
private const AUTHORIZATION_CODE_PERMISSIONS = [
|
|
|
|
|
P::OBTAIN_OWN_ACCOUNT_INFO,
|
|
|
|
|
P::OBTAIN_ACCOUNT_EMAIL,
|
|
|
|
|
P::MINECRAFT_SERVER_SESSION,
|
|
|
|
|
self::OFFLINE_ACCESS,
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
private const CLIENT_CREDENTIALS_PERMISSIONS = [
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
private const CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL = [
|
|
|
|
|
P::BLOCK_ACCOUNT,
|
|
|
|
|
P::OBTAIN_EXTENDED_ACCOUNT_INFO,
|
|
|
|
|
];
|
|
|
|
|
|
2016-02-14 23:20:10 +05:30
|
|
|
|
/**
|
2017-09-19 22:36:16 +05:30
|
|
|
|
* @param string $scope
|
|
|
|
|
* @param string $grantType передаётся, если запрос поступает из grant. В этом случае нужно отфильтровать
|
|
|
|
|
* только те права, которые можно получить на этом grant.
|
|
|
|
|
* @param string $clientId
|
|
|
|
|
*
|
|
|
|
|
* @return ScopeEntity|null
|
2016-02-14 23:20:10 +05:30
|
|
|
|
*/
|
2017-09-19 22:36:16 +05:30
|
|
|
|
public function get($scope, $grantType = null, $clientId = null): ?ScopeEntity {
|
|
|
|
|
$permission = $this->convertToInternalPermission($scope);
|
|
|
|
|
|
2016-12-18 04:50:53 +05:30
|
|
|
|
if ($grantType === 'authorization_code') {
|
2017-09-19 22:36:16 +05:30
|
|
|
|
$permissions = self::AUTHORIZATION_CODE_PERMISSIONS;
|
2016-12-18 04:50:53 +05:30
|
|
|
|
} elseif ($grantType === 'client_credentials') {
|
2017-09-19 22:36:16 +05:30
|
|
|
|
$permissions = self::CLIENT_CREDENTIALS_PERMISSIONS;
|
2016-12-18 04:50:53 +05:30
|
|
|
|
$isTrusted = false;
|
|
|
|
|
if ($clientId !== null) {
|
2017-09-19 22:36:16 +05:30
|
|
|
|
/** @var ClientEntity $client */
|
2016-12-18 04:50:53 +05:30
|
|
|
|
$client = $this->server->getClientStorage()->get($clientId);
|
2017-09-19 22:36:16 +05:30
|
|
|
|
Assert::that($client)->isInstanceOf(ClientEntity::class);
|
2016-12-18 04:50:53 +05:30
|
|
|
|
|
|
|
|
|
$isTrusted = $client->isTrusted();
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-19 22:36:16 +05:30
|
|
|
|
if ($isTrusted) {
|
|
|
|
|
$permissions = array_merge($permissions, self::CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL);
|
2016-12-18 04:50:53 +05:30
|
|
|
|
}
|
2017-09-19 22:36:16 +05:30
|
|
|
|
} else {
|
|
|
|
|
$permissions = array_merge(
|
|
|
|
|
self::AUTHORIZATION_CODE_PERMISSIONS,
|
|
|
|
|
self::CLIENT_CREDENTIALS_PERMISSIONS,
|
|
|
|
|
self::CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL
|
|
|
|
|
);
|
2016-12-18 04:50:53 +05:30
|
|
|
|
}
|
|
|
|
|
|
2017-09-19 22:36:16 +05:30
|
|
|
|
if (!in_array($permission, $permissions, true)) {
|
2016-02-14 23:20:10 +05:30
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$entity = new ScopeEntity($this->server);
|
2017-09-19 22:36:16 +05:30
|
|
|
|
$entity->setId($permission);
|
2016-02-14 23:20:10 +05:30
|
|
|
|
|
|
|
|
|
return $entity;
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-19 22:36:16 +05:30
|
|
|
|
private function convertToInternalPermission(string $publicScope): string {
|
|
|
|
|
return self::PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS[$publicScope] ?? $publicScope;
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-14 23:20:10 +05:30
|
|
|
|
}
|