Implementation of the backend for the OAuth2 clients management

common/rbac/Permissions.php

@@ -12,6 +12,9 @@ final class Permissions {
     public const MANAGE_TWO_FACTOR_AUTH = 'manage_two_factor_auth';
     public const BLOCK_ACCOUNT = 'block_account';
     public const COMPLETE_OAUTH_FLOW = 'complete_oauth_flow';
+    public const CREATE_OAUTH_CLIENTS = 'create_oauth_clients';
+    public const VIEW_OAUTH_CLIENTS = 'view_oauth_clients';
+    public const MANAGE_OAUTH_CLIENTS = 'manage_oauth_clients';
 
     // Personal level controller permissions
     public const OBTAIN_OWN_ACCOUNT_INFO = 'obtain_own_account_info';
@@ -23,6 +26,8 @@ final class Permissions {
     public const CHANGE_OWN_ACCOUNT_EMAIL = 'change_own_account_email';
     public const MANAGE_OWN_TWO_FACTOR_AUTH = 'manage_own_two_factor_auth';
     public const MINECRAFT_SERVER_SESSION = 'minecraft_server_session';
+    public const VIEW_OWN_OAUTH_CLIENTS = 'view_own_oauth_clients';
+    public const MANAGE_OWN_OAUTH_CLIENTS = 'manage_own_oauth_clients';
 
     // Data permissions
     public const OBTAIN_ACCOUNT_EMAIL = 'obtain_account_email';

common/rbac/rules/AccountOwner.php

@@ -3,7 +3,6 @@ namespace common\rbac\rules;
 
 use common\models\Account;
 use Yii;
-use yii\base\InvalidParamException;
 use yii\rbac\Rule;
 
 class AccountOwner extends Rule {
@@ -26,7 +25,7 @@ class AccountOwner extends Rule {
     public function execute($accessToken, $item, $params): bool {
         $accountId = $params['accountId'] ?? null;
         if ($accountId === null) {
-            throw new InvalidParamException('params don\'t contain required key: accountId');
+            return false;
         }
 
         $identity = Yii::$app->user->findIdentityByAccessToken($accessToken);

common/rbac/rules/OauthClientOwner.php

@@ -0,0 +1,61 @@
+<?php
+declare(strict_types=1);
+
+namespace common\rbac\rules;
+
+use common\models\OauthClient;
+use common\rbac\Permissions as P;
+use Yii;
+use yii\rbac\Rule;
+
+class OauthClientOwner extends Rule {
+
+    public $name = 'oauth_client_owner';
+
+    /**
+     * Accepts 2 params:
+     * - clientId - it's the client id, that user want access to.
+     * - accountId - if it is passed to check the VIEW_OAUTH_CLIENTS permission, then it will
+     *               check, that current user have access to the provided account.
+     *
+     * @param string|int     $accessToken
+     * @param \yii\rbac\Item $item
+     * @param array          $params
+     *
+     * @return bool a value indicating whether the rule permits the auth item it is associated with.
+     */
+    public function execute($accessToken, $item, $params): bool {
+        $accountId = $params['accountId'] ?? null;
+        if ($accountId !== null && $item->name === P::VIEW_OWN_OAUTH_CLIENTS) {
+            return (new AccountOwner())->execute($accessToken, $item, ['accountId' => $accountId]);
+        }
+
+        $clientId = $params['clientId'] ?? null;
+        if ($clientId === null) {
+            return false;
+        }
+
+        /** @var OauthClient|null $client */
+        $client = OauthClient::findOne($clientId);
+        if ($client === null) {
+            return false;
+        }
+
+        $identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
+        if ($identity === null) {
+            return false;
+        }
+
+        $account = $identity->getAccount();
+        if ($account === null) {
+            return false;
+        }
+
+        if ($account->id !== $client->account_id) {
+            return false;
+        }
+
+        return true;
+    }
+
+}