Добавлено право на избегание удостоверения личности для внутренних приложений
parent
22ed0942e8
commit
8e79d1dd1c
@ -32,6 +32,7 @@ class ScopeStorage extends AbstractStorage implements ScopeInterface {
|
|||||||
private const CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL = [
|
private const CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL = [
|
||||||
P::BLOCK_ACCOUNT,
|
P::BLOCK_ACCOUNT,
|
||||||
P::OBTAIN_EXTENDED_ACCOUNT_INFO,
|
P::OBTAIN_EXTENDED_ACCOUNT_INFO,
|
||||||
|
P::ESCAPE_IDENTITY_VERIFICATION,
|
||||||
];
|
];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -55,6 +56,7 @@ class ScopeStorage extends AbstractStorage implements ScopeInterface {
|
|||||||
$client = $this->server->getClientStorage()->get($clientId);
|
$client = $this->server->getClientStorage()->get($clientId);
|
||||||
Assert::that($client)->isInstanceOf(ClientEntity::class);
|
Assert::that($client)->isInstanceOf(ClientEntity::class);
|
||||||
|
|
||||||
|
/** @noinspection NullPointerExceptionInspection */
|
||||||
$isTrusted = $client->isTrusted();
|
$isTrusted = $client->isTrusted();
|
||||||
}
|
}
|
||||||
|
|
||||||
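Review bot: `P::ESCAPE_IDENTITY_VERIFICATION` joins `CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL` with no comment on what holding it allows. Going by the rest of this commit, a token with this permission skips the password confirmation in `PasswordRequiredValidator`, which is a much stronger capability than the neighbouring entries. A comment on the entry, for example `// lets the client skip the account-password confirmation; grant only to trusted first-party clients`, would make that visible where scopes are handed out. The code that limits this list to trusted clients is outside the visible hunks (only `$isTrusted = $client->isTrusted();` is shown), so that gating should be confirmed as part of this review.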
|
@ -58,7 +58,11 @@ class Component extends YiiUserComponent {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function findIdentityByAccessToken(string $accessToken): ?IdentityInterface {
|
public function findIdentityByAccessToken($accessToken): ?IdentityInterface {
|
||||||
|
if ($accessToken === null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
/** @var \api\components\User\IdentityInterface|string $identityClass */
|
/** @var \api\components\User\IdentityInterface|string $identityClass */
|
||||||
$identityClass = $this->identityClass;
|
$identityClass = $this->identityClass;
|
||||||
try {
|
try {
|
||||||
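Review bot: Dropping the `string` type from `$accessToken` to admit null also admits arrays and other non-string values, which then pass the `=== null` guard and reach the identity lookup. A nullable type keeps both the null case and the type check: `public function findIdentityByAccessToken(?string $accessToken): ?IdentityInterface {`. If a parent signature rules that out, a `!is_string($accessToken)` guard returning null would have the same effect. The method body continues past the end of the hunk, so how the `try` block treats a malformed token is not visible here.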
|
@ -3,8 +3,11 @@ namespace api\validators;
|
|||||||
|
|
||||||
use common\helpers\Error as E;
|
use common\helpers\Error as E;
|
||||||
use common\models\Account;
|
use common\models\Account;
|
||||||
|
use common\rbac\Permissions as P;
|
||||||
use yii\base\InvalidConfigException;
|
use yii\base\InvalidConfigException;
|
||||||
|
use yii\di\Instance;
|
||||||
use yii\validators\Validator;
|
use yii\validators\Validator;
|
||||||
|
use yii\web\User;
|
||||||
|
|
||||||
class PasswordRequiredValidator extends Validator {
|
class PasswordRequiredValidator extends Validator {
|
||||||
|
|
||||||
@ -18,14 +21,25 @@ class PasswordRequiredValidator extends Validator {
|
|||||||
*/
|
*/
|
||||||
public $skipOnEmpty = false;
|
public $skipOnEmpty = false;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var User|string
|
||||||
|
*/
|
||||||
|
public $user = 'user';
|
||||||
|
|
||||||
public function init() {
|
public function init() {
|
||||||
parent::init();
|
parent::init();
|
||||||
if (!$this->account instanceof Account) {
|
if (!$this->account instanceof Account) {
|
||||||
throw new InvalidConfigException('account should be instance of ' . Account::class);
|
throw new InvalidConfigException('account should be instance of ' . Account::class);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$this->user = Instance::ensure($this->user, User::class);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function validateValue($value) {
|
protected function validateValue($value) {
|
||||||
|
if ($this->user->can(P::ESCAPE_IDENTITY_VERIFICATION)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
if (empty($value)) {
|
if (empty($value)) {
|
||||||
return [E::PASSWORD_REQUIRED, []];
|
return [E::PASSWORD_REQUIRED, []];
|
||||||
}
|
}
|
||||||
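Review bot: The early return at the top of `validateValue()` skips both the empty check and the password comparison for any caller holding `P::ESCAPE_IDENTITY_VERIFICATION`, and nothing records that the check was skipped. A log line at that point, for example `Yii::info('password check skipped: escape_identity_verification', __METHOD__);` (which needs `Yii` imported in this file), would give operators an audit trail for each use of the permission. The `$user` docblock should also say what the property is for, for example `@var User|string user component, or its application component ID, whose permissions decide whether the password check is skipped`. `validateValue()` continues past the end of the hunk.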
|
@ -19,6 +19,10 @@ class Manager extends PhpManager {
|
|||||||
*/
|
*/
|
||||||
public function getAssignments($accessToken): array {
|
public function getAssignments($accessToken): array {
|
||||||
$identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
|
$identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
|
||||||
|
if ($identity === null) {
|
||||||
|
return [];
|
||||||
|
}
|
||||||
|
|
||||||
/** @noinspection NullPointerExceptionInspection */
|
/** @noinspection NullPointerExceptionInspection */
|
||||||
$permissions = $identity->getAssignedPermissions();
|
$permissions = $identity->getAssignedPermissions();
|
||||||
if (empty($permissions)) {
|
if (empty($permissions)) {
|
||||||
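Review bot: The new `$identity === null` guard makes an unresolvable token yield no assignments, which is the deny-by-default behaviour the permission check for `P::ESCAPE_IDENTITY_VERIFICATION` now relies on, but nothing in the code states it. A comment above the guard, `// no identity for this token: return no assignments so every permission check is denied`, would keep a later refactor from replacing it with a default role. The `@noinspection NullPointerExceptionInspection` line just below looks redundant now that null is handled explicitly. The function continues past the hunk, and whether `findIdentityByAccessToken()` can throw for an invalid token is not visible here.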
|
@ -28,4 +28,7 @@ final class Permissions {
|
|||||||
public const OBTAIN_ACCOUNT_EMAIL = 'obtain_account_email';
|
public const OBTAIN_ACCOUNT_EMAIL = 'obtain_account_email';
|
||||||
public const OBTAIN_EXTENDED_ACCOUNT_INFO = 'obtain_account_extended_info';
|
public const OBTAIN_EXTENDED_ACCOUNT_INFO = 'obtain_account_extended_info';
|
||||||
|
|
||||||
|
// Service permissions
|
||||||
|
public const ESCAPE_IDENTITY_VERIFICATION = 'escape_identity_verification';
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -45,6 +45,8 @@ class RbacController extends Controller {
|
|||||||
$permManageOwnTwoFactorAuth = $this->createPermission(P::MANAGE_OWN_TWO_FACTOR_AUTH, AccountOwner::class);
|
$permManageOwnTwoFactorAuth = $this->createPermission(P::MANAGE_OWN_TWO_FACTOR_AUTH, AccountOwner::class);
|
||||||
$permMinecraftServerSession = $this->createPermission(P::MINECRAFT_SERVER_SESSION);
|
$permMinecraftServerSession = $this->createPermission(P::MINECRAFT_SERVER_SESSION);
|
||||||
|
|
||||||
|
$permEscapeIdentityVerification = $this->createPermission(P::ESCAPE_IDENTITY_VERIFICATION);
|
||||||
|
|
||||||
$roleAccountsWebUser = $this->createRole(R::ACCOUNTS_WEB_USER);
|
$roleAccountsWebUser = $this->createRole(R::ACCOUNTS_WEB_USER);
|
||||||
|
|
||||||
$authManager->addChild($permObtainOwnAccountInfo, $permObtainAccountInfo);
|
$authManager->addChild($permObtainOwnAccountInfo, $permObtainAccountInfo);
|
||||||
|
@ -2,32 +2,35 @@
|
|||||||
namespace codeception\api\unit\validators;
|
namespace codeception\api\unit\validators;
|
||||||
|
|
||||||
use api\validators\PasswordRequiredValidator;
|
use api\validators\PasswordRequiredValidator;
|
||||||
use Codeception\Specify;
|
|
||||||
use common\models\Account;
|
use common\models\Account;
|
||||||
|
use common\rbac\Permissions as P;
|
||||||
use tests\codeception\api\unit\TestCase;
|
use tests\codeception\api\unit\TestCase;
|
||||||
use tests\codeception\common\_support\ProtectedCaller;
|
use tests\codeception\common\_support\ProtectedCaller;
|
||||||
use common\helpers\Error as E;
|
use common\helpers\Error as E;
|
||||||
|
use yii\web\User;
|
||||||
|
|
||||||
class PasswordRequiredValidatorTest extends TestCase {
|
class PasswordRequiredValidatorTest extends TestCase {
|
||||||
use Specify;
|
|
||||||
use ProtectedCaller;
|
use ProtectedCaller;
|
||||||
|
|
||||||
public function testValidateValue() {
|
public function testValidateValue() {
|
||||||
$account = new Account(['password' => '12345678']);
|
$account = new Account(['password' => '12345678']);
|
||||||
$this->specify('get error.password_required if password is empty', function () use ($account) {
|
|
||||||
$model = new PasswordRequiredValidator(['account' => $account]);
|
$model = new PasswordRequiredValidator(['account' => $account]);
|
||||||
expect($this->callProtected($model, 'validateValue', ''))->equals([E::PASSWORD_REQUIRED, []]);
|
|
||||||
});
|
|
||||||
|
|
||||||
$this->specify('get error.password_incorrect if password is incorrect', function () use ($account) {
|
// Get error.password_required if password is empty
|
||||||
$model = new PasswordRequiredValidator(['account' => $account]);
|
$this->assertEquals([E::PASSWORD_REQUIRED, []], $this->callProtected($model, 'validateValue', ''));
|
||||||
expect($this->callProtected($model, 'validateValue', '87654321'))->equals([E::PASSWORD_INCORRECT, []]);
|
|
||||||
});
|
|
||||||
|
|
||||||
$this->specify('no errors, if password is correct for provided account', function () use ($account) {
|
// Get error.password_incorrect if password is incorrect
|
||||||
$model = new PasswordRequiredValidator(['account' => $account]);
|
$this->assertEquals([E::PASSWORD_INCORRECT, []], $this->callProtected($model, 'validateValue', '87654321'));
|
||||||
expect($this->callProtected($model, 'validateValue', '12345678'))->null();
|
|
||||||
});
|
// No errors, if password is correct for provided account
|
||||||
|
$this->assertNull($this->callProtected($model, 'validateValue', '12345678'));
|
||||||
|
|
||||||
|
// Skip validation if user can skip identity verification
|
||||||
|
/** @var User|\Mockery\MockInterface $component */
|
||||||
|
$component = mock(User::class . '[can]', [['identityClass' => '']]);
|
||||||
|
$component->shouldReceive('can')->withArgs([P::ESCAPE_IDENTITY_VERIFICATION])->andReturn(true);
|
||||||
|
$model->user = $component;
|
||||||
|
$this->assertNull($this->callProtected($model, 'validateValue', ''));
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
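Review bot: The first three assertions in `testValidateValue()` build the validator with the default `'user'` component, so they pass only if the test application's real component happens to deny `P::ESCAPE_IDENTITY_VERIFICATION`. The deny path is therefore never pinned explicitly. Giving those assertions a mock as well, with `$component->shouldReceive('can')->withArgs([P::ESCAPE_IDENTITY_VERIFICATION])->andReturn(false);`, would make the test fail if the bypass ever fired for a caller without the permission. The bypass case is also exercised only with an empty value; one more assertion with a wrong password such as `'87654321'` would document that the permission skips the comparison too.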
|