ElyBy-Mirror/accounts
1
0
Fork 0
mirror of https://github.com/elyby/accounts.git synced 2024-12-27 23:50:19 +05:30
Code Issues Packages Projects Releases Wiki Activity

Добавлено право на избегание удостоверения личности для внутренних приложений

Browse Source
This commit is contained in:
ErickSkrauch 2017-09-30 00:44:05 +03:00
parent 22ed0942e8
commit 8e79d1dd1c
7 changed files with 47 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
api/components/OAuth2/Storage/ScopeStorage.php
View File

@ -32,6 +32,7 @@ class ScopeStorage extends AbstractStorage implements ScopeInterface {
private const CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL = [ private const CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL = [
P::BLOCK_ACCOUNT, P::BLOCK_ACCOUNT,
P::OBTAIN_EXTENDED_ACCOUNT_INFO, P::OBTAIN_EXTENDED_ACCOUNT_INFO,
P::ESCAPE_IDENTITY_VERIFICATION,
]; ];
/** /**
@ -55,6 +56,7 @@ class ScopeStorage extends AbstractStorage implements ScopeInterface {
$client = $this->server->getClientStorage()->get($clientId); $client = $this->server->getClientStorage()->get($clientId);
Assert::that($client)->isInstanceOf(ClientEntity::class); Assert::that($client)->isInstanceOf(ClientEntity::class);
/** @noinspection NullPointerExceptionInspection */
$isTrusted = $client->isTrusted(); $isTrusted = $client->isTrusted();
} }

6
api/components/User/Component.php
View File

@ -58,7 +58,11 @@ class Component extends YiiUserComponent {
} }
} }
public function findIdentityByAccessToken(string $accessToken): ?IdentityInterface { public function findIdentityByAccessToken($accessToken): ?IdentityInterface {
if ($accessToken === null) {
return null;
}
/** @var \api\components\User\IdentityInterface|string $identityClass */ /** @var \api\components\User\IdentityInterface|string $identityClass */
$identityClass = $this->identityClass; $identityClass = $this->identityClass;
try { try {

14
api/validators/PasswordRequiredValidator.php
View File

@ -3,8 +3,11 @@ namespace api\validators;
use common\helpers\Error as E; use common\helpers\Error as E;
use common\models\Account; use common\models\Account;
use common\rbac\Permissions as P;
use yii\base\InvalidConfigException; use yii\base\InvalidConfigException;
use yii\di\Instance;
use yii\validators\Validator; use yii\validators\Validator;
use yii\web\User;
class PasswordRequiredValidator extends Validator { class PasswordRequiredValidator extends Validator {
@ -18,14 +21,25 @@ class PasswordRequiredValidator extends Validator {
*/ */
public $skipOnEmpty = false; public $skipOnEmpty = false;
/**
* @var User|string
*/
public $user = 'user';
public function init() { public function init() {
parent::init(); parent::init();
if (!$this->account instanceof Account) { if (!$this->account instanceof Account) {
throw new InvalidConfigException('account should be instance of ' . Account::class); throw new InvalidConfigException('account should be instance of ' . Account::class);
} }
$this->user = Instance::ensure($this->user, User::class);
} }
protected function validateValue($value) { protected function validateValue($value) {
if ($this->user->can(P::ESCAPE_IDENTITY_VERIFICATION)) {
return null;
}
if (empty($value)) { if (empty($value)) {
return [E::PASSWORD_REQUIRED, []]; return [E::PASSWORD_REQUIRED, []];
} }

4
common/rbac/Manager.php
View File

@ -19,6 +19,10 @@ class Manager extends PhpManager {
*/ */
public function getAssignments($accessToken): array { public function getAssignments($accessToken): array {
$identity = Yii::$app->user->findIdentityByAccessToken($accessToken); $identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
if ($identity === null) {
return [];
}
/** @noinspection NullPointerExceptionInspection */ /** @noinspection NullPointerExceptionInspection */
$permissions = $identity->getAssignedPermissions(); $permissions = $identity->getAssignedPermissions();
if (empty($permissions)) { if (empty($permissions)) {

3
common/rbac/Permissions.php
View File

@ -28,4 +28,7 @@ final class Permissions {
public const OBTAIN_ACCOUNT_EMAIL = 'obtain_account_email'; public const OBTAIN_ACCOUNT_EMAIL = 'obtain_account_email';
public const OBTAIN_EXTENDED_ACCOUNT_INFO = 'obtain_account_extended_info'; public const OBTAIN_EXTENDED_ACCOUNT_INFO = 'obtain_account_extended_info';
// Service permissions
public const ESCAPE_IDENTITY_VERIFICATION = 'escape_identity_verification';
} }

2
console/controllers/RbacController.php
View File

@ -45,6 +45,8 @@ class RbacController extends Controller {
$permManageOwnTwoFactorAuth = $this->createPermission(P::MANAGE_OWN_TWO_FACTOR_AUTH, AccountOwner::class); $permManageOwnTwoFactorAuth = $this->createPermission(P::MANAGE_OWN_TWO_FACTOR_AUTH, AccountOwner::class);
$permMinecraftServerSession = $this->createPermission(P::MINECRAFT_SERVER_SESSION); $permMinecraftServerSession = $this->createPermission(P::MINECRAFT_SERVER_SESSION);
$permEscapeIdentityVerification = $this->createPermission(P::ESCAPE_IDENTITY_VERIFICATION);
$roleAccountsWebUser = $this->createRole(R::ACCOUNTS_WEB_USER); $roleAccountsWebUser = $this->createRole(R::ACCOUNTS_WEB_USER);
$authManager->addChild($permObtainOwnAccountInfo, $permObtainAccountInfo); $authManager->addChild($permObtainOwnAccountInfo, $permObtainAccountInfo);

31
tests/codeception/api/unit/validators/PasswordRequiredValidatorTest.php
View File

@ -2,32 +2,35 @@
namespace codeception\api\unit\validators; namespace codeception\api\unit\validators;
use api\validators\PasswordRequiredValidator; use api\validators\PasswordRequiredValidator;
use Codeception\Specify;
use common\models\Account; use common\models\Account;
use common\rbac\Permissions as P;
use tests\codeception\api\unit\TestCase; use tests\codeception\api\unit\TestCase;
use tests\codeception\common\_support\ProtectedCaller; use tests\codeception\common\_support\ProtectedCaller;
use common\helpers\Error as E; use common\helpers\Error as E;
use yii\web\User;
class PasswordRequiredValidatorTest extends TestCase { class PasswordRequiredValidatorTest extends TestCase {
use Specify;
use ProtectedCaller; use ProtectedCaller;
public function testValidateValue() { public function testValidateValue() {
$account = new Account(['password' => '12345678']); $account = new Account(['password' => '12345678']);
$this->specify('get error.password_required if password is empty', function () use ($account) { $model = new PasswordRequiredValidator(['account' => $account]);
$model = new PasswordRequiredValidator(['account' => $account]);
expect($this->callProtected($model, 'validateValue', ''))->equals([E::PASSWORD_REQUIRED, []]);
});
$this->specify('get error.password_incorrect if password is incorrect', function () use ($account) { // Get error.password_required if password is empty
$model = new PasswordRequiredValidator(['account' => $account]); $this->assertEquals([E::PASSWORD_REQUIRED, []], $this->callProtected($model, 'validateValue', ''));
expect($this->callProtected($model, 'validateValue', '87654321'))->equals([E::PASSWORD_INCORRECT, []]);
});
$this->specify('no errors, if password is correct for provided account', function () use ($account) { // Get error.password_incorrect if password is incorrect
$model = new PasswordRequiredValidator(['account' => $account]); $this->assertEquals([E::PASSWORD_INCORRECT, []], $this->callProtected($model, 'validateValue', '87654321'));
expect($this->callProtected($model, 'validateValue', '12345678'))->null();
}); // No errors, if password is correct for provided account
$this->assertNull($this->callProtected($model, 'validateValue', '12345678'));
// Skip validation if user can skip identity verification
/** @var User|\Mockery\MockInterface $component */
$component = mock(User::class . '[can]', [['identityClass' => '']]);
$component->shouldReceive('can')->withArgs([P::ESCAPE_IDENTITY_VERIFICATION])->andReturn(true);
$model->user = $component;
$this->assertNull($this->callProtected($model, 'validateValue', ''));
} }
} }