chg: [ACL] rework

- moved the menu into the ACL function
- tied ACL function into menubuilding process to remove items the user has no access to - thanks to @JakubOnderka for the inspiration
- tied missing endpoints into the ACL system
- fixed the queryACL function to work with Cerebrate
pull/32/head
iglocska 2020-09-29 13:18:28 +02:00
parent 410caf544f
commit 5f30a8b674
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
3 changed files with 381 additions and 298 deletions

View File

@ -108,7 +108,7 @@ class AppController extends Controller
throw new MethodNotAllowedException(__('Invalid user credentials.'));
}
$this->ACL->checkAccess();
$this->set('menu', $this->{$this->modelClass}->getMenu());
$this->set('menu', $this->ACL->getMenu());
$this->set('ajax', $this->request->is('ajax'));
$this->request->getParam('prefix');
$this->set('darkMode', !empty(Configure::read('Cerebrate.dark')));
@ -135,13 +135,8 @@ class AppController extends Controller
return $this->RestResponse->viewData(['uuid' => $uuid], 'json');
}
public function checkPermission($perm_flag)
{
return true;
}
public function queryACL()
{
$this->ACL->findMissingFunctionNames();
return $this->RestResponse->viewData($this->ACL->findMissingFunctionNames());
}
}

View File

@ -10,6 +10,7 @@ use Cake\Http\Exception\ForbiddenException;
use Cake\ORM\TableRegistry;
use Cake\Core\Configure;
use Cake\Core\Configure\Engine\PhpConfig;
use Cake\Utility\Inflector;
class ACLComponent extends Component
{
@ -31,6 +32,22 @@ class ACLComponent extends Component
// $action == array('AND' => []) - roles with all permissions in the array have access
// If we add any new functionality to MISP and we don't add it to this list, it will only be visible to site admins.
private $aclList = array(
'*' => [
'checkPermission' => ['*'],
'generateUUID' => ['*'],
'queryACL' => ['perm_admin']
],
'Alignments' => [
'add' => ['perm_admin'],
'delete' => ['perm_admin'],
'index' => ['*'],
'view' => ['*']
],
'AuthKeys' => [
'add' => ['*'],
'delete' => ['*'],
'index' => ['*']
],
'Broods' => [
'add' => ['perm_admin'],
'delete' => ['perm_admin'],
@ -38,19 +55,10 @@ class ACLComponent extends Component
'index' => ['perm_admin'],
'view' => ['perm_admin']
],
'Instance' => [
'home' => ['*'],
'status' => ['*']
],
'Pages' => [
'display' => ['*']
],
'Organisations' => [
'add' => ['perm_admin'],
'delete' => ['perm_admin'],
'edit' => ['perm_admin'],
'index' => ['*'],
'view' => ['*']
'EncryptionKeys' => [
'add' => ['*'],
'delete' => ['*'],
'index' => ['*']
],
'Individuals' => [
'add' => ['perm_admin'],
@ -59,13 +67,47 @@ class ACLComponent extends Component
'index' => ['*'],
'view' => ['*']
],
'SharingGroups' => [
'Instance' => [
'home' => ['*'],
'status' => ['*']
],
'MetaTemplateFields' => [
'index' => ['perm_admin']
],
'MetaTemplates' => [
'disable' => ['perm_admin'],
'enable' => ['perm_admin'],
'index' => ['perm_admin'],
'update' => ['perm_admin'],
'view' => ['perm_admin']
],
'Organisations' => [
'add' => ['perm_admin'],
'delete' => ['perm_admin'],
'edit' => ['perm_admin'],
'index' => ['*'],
'view' => ['*']
],
'Pages' => [
'display' => ['*']
],
'Roles' => [
'add' => ['perm_admin'],
'delete' => ['perm_admin'],
'edit' => ['perm_admin'],
'index' => ['*'],
'view' => ['*']
],
'SharingGroups' => [
'add' => ['perm_admin'],
'addOrg' => ['perm_admin'],
'delete' => ['perm_admin'],
'edit' => ['perm_admin'],
'index' => ['*'],
'listOrgs' => ['*'],
'removeOrg' => ['perm_admin'],
'view' => ['*']
],
'Users' => [
'add' => ['perm_admin'],
'delete' => ['perm_admin'],
@ -74,13 +116,7 @@ class ACLComponent extends Component
'login' => ['*'],
'logout' => ['*'],
'view' => ['*']
],
'MetaTemplates' => [
'view' => ['perm_admin'],
'enable' => ['perm_admin'],
'disable' => ['perm_admin'],
'update' => ['perm_admin'],
]
]
);
private function __checkLoggedActions($user, $controller, $action)
@ -173,16 +209,8 @@ class ACLComponent extends Component
$this->Authentication->allowUnauthenticated(['login']);
}
// The check works like this:
// If the user is a site admin, return true
// If the requested action has an OR-d list, iterate through the list. If any of the permissions are set for the user, return true
// If the requested action has an AND-ed list, iterate through the list. If any of the permissions for the user are not set, turn the check to false. Otherwise return true.
// If the requested action has a permission, check if the user's role has it flagged. If yes, return true
// If we fall through all of the checks, return an exception.
public function checkAccess(bool $soft = false): bool
private function checkAccessInternal($controller, $action, $soft): bool
{
$controller = $this->request->getParam('controller');
$action = $this->request->getParam('action');
if (empty($this->user)) {
// we have to be in a publically allowed scope otherwise the Auth component will kick us out anyway.
return true;
@ -216,13 +244,41 @@ class ACLComponent extends Component
}
}
}
return false;
}
public function checkAccessUrl($url, $soft = false): bool
{
$urlParts = explode('/', $url);
if ($urlParts[1] === 'open') {
return in_array($urlParts[2], Configure::read('Cerebrate.open'));
} else {
return $this->checkAccessInternal(Inflector::camelize($urlParts[1]), $urlParts[2], $soft);
}
}
// The check works like this:
// If the user is a site admin, return true
// If the requested action has an OR-d list, iterate through the list. If any of the permissions are set for the user, return true
// If the requested action has an AND-ed list, iterate through the list. If any of the permissions for the user are not set, turn the check to false. Otherwise return true.
// If the requested action has a permission, check if the user's role has it flagged. If yes, return true
// If we fall through all of the checks, return an exception.
public function checkAccess(bool $soft = false): bool
{
$controller = $this->request->getParam('controller');
$action = $this->request->getParam('action');
if ($this->checkAccessInternal($controller, $action, $soft) === true) {
return true;
}
return $this->__error(403, 'You do not have permission to use this functionality.', $soft);
}
private function __error($code, $message, $soft = false)
{
if ($soft) {
return $code;
return false;
}
switch ($code) {
case 404:
@ -237,9 +293,13 @@ class ACLComponent extends Component
private function __findAllFunctions()
{
$functionFinder = '/function[\s\n]+(\S+)[\s\n]*\(/';
$dir = new Folder(APP . 'Controller');
$files = $dir->find('.*\.php');
$functionFinder = '/public.function[\s\n]+(\S+)[\s\n]*\(/';
$files = scandir(ROOT . '/src/Controller/');
foreach ($files as $k => $file) {
if (substr($file, -14) !== 'Controller.php') {
unset($files[$k]);
}
}
$results = [];
foreach ($files as $file) {
$controllerName = lcfirst(str_replace('Controller.php', "", $file));
@ -271,9 +331,13 @@ class ACLComponent extends Component
$results = $this->__findAllFunctions();
$missing = [];
foreach ($results as $controller => $functions) {
$controller = Inflector::camelize($controller);
foreach ($functions as $function) {
if (!isset($this->__aclList[$controller])
|| !in_array($function, array_keys($this->__aclList[$controller]))) {
if (in_array($function, ['beforeFilter', 'beforeRender', 'initialize', 'afterFilter'])) {
continue;
}
if (!isset($this->aclList[$controller])
|| !in_array($function, array_keys($this->aclList[$controller]))) {
$missing[$controller][] = $function;
}
}
@ -342,4 +406,283 @@ class ACLComponent extends Component
}
return $result;
}
public function getMenu()
{
$open = Configure::read('Cerebrate.open');
$menu = [
'ContactDB' => [
'Individuals' => [
'label' => __('Individuals'),
'url' => '/individuals/index',
'children' => [
'index' => [
'url' => '/individuals/index',
'label' => __('List individuals')
],
'add' => [
'url' => '/individuals/add',
'label' => __('Add individual')
],
'view' => [
'url' => '/individuals/view/{{id}}',
'label' => __('View individual'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'edit' => [
'url' => '/individuals/edit/{{id}}',
'label' => __('Edit individual'),
'actions' => ['edit', 'delete', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/individuals/delete/{{id}}',
'label' => __('Delete individual'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'Organisations' => [
'label' => __('Organisations'),
'url' => '/organisations/index',
'children' => [
'index' => [
'url' => '/organisations/index',
'label' => __('List organisations')
],
'add' => [
'url' => '/organisations/add',
'label' => __('Add organisation')
],
'view' => [
'url' => '/organisations/view/{{id}}',
'label' => __('View organisation'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'edit' => [
'url' => '/organisations/edit/{{id}}',
'label' => __('Edit organisation'),
'actions' => ['edit', 'delete', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/organisations/delete/{{id}}',
'label' => __('Delete organisation'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'EncryptionKeys' => [
'label' => __('Encryption keys'),
'url' => '/encryptionKeys/index',
'children' => [
'index' => [
'url' => '/encryptionKeys/index',
'label' => __('List encryption keys')
],
'add' => [
'url' => '/encryptionKeys/add',
'label' => __('Add encryption key')
],
'edit' => [
'url' => '/encryptionKeys/edit/{{id}}',
'label' => __('Edit organisation'),
'actions' => ['edit'],
'skipTopMenu' => 1
]
]
]
],
'Trust Circles' => [
'SharingGroups' => [
'label' => __('Sharing Groups'),
'url' => '/sharingGroups/index',
'children' => [
'index' => [
'url' => '/sharingGroups/index',
'label' => __('List sharing groups')
],
'add' => [
'url' => '/SharingGroups/add',
'label' => __('Add sharing group')
],
'edit' => [
'url' => '/SharingGroups/edit/{{id}}',
'label' => __('Edit sharing group'),
'actions' => ['edit'],
'skipTopMenu' => 1
]
]
]
],
'Administration' => [
'Roles' => [
'label' => __('Roles'),
'url' => '/roles/index',
'children' => [
'index' => [
'url' => '/roles/index',
'label' => __('List roles')
],
'add' => [
'url' => '/roles/add',
'label' => __('Add role')
],
'view' => [
'url' => '/roles/view/{{id}}',
'label' => __('View role'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'edit' => [
'url' => '/roles/edit/{{id}}',
'label' => __('Edit role'),
'actions' => ['edit', 'delete', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/roles/delete/{{id}}',
'label' => __('Delete role'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'Users' => [
'label' => __('Users'),
'url' => '/users/index',
'children' => [
'index' => [
'url' => '/users/index',
'label' => __('List users')
],
'add' => [
'url' => '/users/add',
'label' => __('Add user')
],
'view' => [
'url' => '/users/view/{{id}}',
'label' => __('View user'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'edit' => [
'url' => '/users/edit/{{id}}',
'label' => __('Edit user'),
'actions' => ['edit', 'delete', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/users/delete/{{id}}',
'label' => __('Delete user'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'MetaTemplates' => [
'label' => __('Meta Field Templates'),
'url' => '/metaTemplates/index',
'children' => [
'index' => [
'url' => '/metaTemplates/index',
'label' => __('List Meta Templates')
],
'view' => [
'url' => '/metaTemplates/view/{{id}}',
'label' => __('View Meta Template'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/metaTemplates/delete/{{id}}',
'label' => __('Delete Meta Template'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
]
],
'Cerebrate' => [
'Roles' => [
'label' => __('Roles'),
'url' => '/roles/index',
'children' => [
'index' => [
'url' => '/roles/index',
'label' => __('List roles')
],
'view' => [
'url' => '/roles/view/{{id}}',
'label' => __('View role'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'Instance' => [
__('Instance'),
'url' => '/instance/home',
'children' => [
'home' => [
'url' => '/instance/home',
'label' => __('Home')
]
]
]
],
'Open' => [
'Organisations' => [
'label' => __('Organisations'),
'url' => '/open/organisations/index',
'children' => [
'index' => [
'url' => '/open/organisations/index',
'label' => __('List organisations')
],
],
'open' => in_array('organisations', Configure::read('Cerebrate.open'))
],
'Individuals' => [
'label' => __('Individuals'),
'url' => '/open/individuals/index',
'children' => [
'index' => [
'url' => '/open/individuals/index',
'label' => __('List individuals')
],
],
'open' => in_array('individuals', Configure::read('Cerebrate.open'))
]
]
];
foreach ($menu as $group => $subMenu) {
foreach ($subMenu as $subMenuElementName => $subMenuElement) {
if (!empty($subMenuElement['url']) && !$this->checkAccessUrl($subMenuElement['url'], true) === true) {
unset($menu[$group][$subMenuElementName]);
continue;
}
if (!empty($subMenuElement['children'])) {
foreach ($subMenuElement['children'] as $menuItem => $menuItemData) {
if (!empty($menuItemData['url']) && !$this->checkAccessUrl($menuItemData['url'], true) === true) {
unset($menu[$group][$subMenuElementName]['children'][$menuItem]);
continue;
}
}
$menu[$group][$subMenuElementName]['children'] = array_values($menu[$group][$subMenuElementName]['children']);
if (empty($menu[$group][$subMenuElementName]['children'])) {
unset($subMenu[$subMenuElementName]);
}
}
}
if (empty($menu[$group])) {
unset($menu[$group]);
}
}
return $menu;
}
}

View File

@ -12,259 +12,4 @@ class AppTable extends Table
public function initialize(array $config): void
{
}
public function getMenu()
{
$open = Configure::read('Cerebrate.open');
return [
'ContactDB' => [
'Individuals' => [
'label' => __('Individuals'),
'url' => '/individuals/index',
'children' => [
'index' => [
'url' => '/individuals/index',
'label' => __('List individuals')
],
'add' => [
'url' => '/individuals/add',
'label' => __('Add individual')
],
'view' => [
'url' => '/individuals/view/{{id}}',
'label' => __('View individual'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'edit' => [
'url' => '/individuals/edit/{{id}}',
'label' => __('Edit individual'),
'actions' => ['edit', 'delete', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/individuals/delete/{{id}}',
'label' => __('Delete individual'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'Organisations' => [
'label' => __('Organisations'),
'url' => '/organisations/index',
'children' => [
'index' => [
'url' => '/organisations/index',
'label' => __('List organisations')
],
'add' => [
'url' => '/organisations/add',
'label' => __('Add organisation')
],
'view' => [
'url' => '/organisations/view/{{id}}',
'label' => __('View organisation'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'edit' => [
'url' => '/organisations/edit/{{id}}',
'label' => __('Edit organisation'),
'actions' => ['edit', 'delete', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/organisations/delete/{{id}}',
'label' => __('Delete organisation'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'EncryptionKeys' => [
'label' => __('Encryption keys'),
'url' => '/encryptionKeys/index',
'children' => [
'index' => [
'url' => '/encryptionKeys/index',
'label' => __('List encryption keys')
],
'add' => [
'url' => '/encryptionKeys/add',
'label' => __('Add encryption key')
],
'edit' => [
'url' => '/encryptionKeys/edit/{{id}}',
'label' => __('Edit organisation'),
'actions' => ['edit'],
'skipTopMenu' => 1
]
]
]
],
'Trust Circles' => [
'SharingGroups' => [
'label' => __('Sharing Groups'),
'url' => '/sharingGroups/index',
'children' => [
'index' => [
'url' => '/sharingGroups/index',
'label' => __('List sharing groups')
],
'add' => [
'url' => '/SharingGroups/add',
'label' => __('Add sharing group')
],
'edit' => [
'url' => '/SharingGroups/edit/{{id}}',
'label' => __('Edit sharing group'),
'actions' => ['edit'],
'skipTopMenu' => 1
]
]
]
],
'Administration' => [
'Roles' => [
'label' => __('Roles'),
'url' => '/roles/index',
'children' => [
'index' => [
'url' => '/roles/index',
'label' => __('List roles')
],
'add' => [
'url' => '/roles/add',
'label' => __('Add role')
],
'view' => [
'url' => '/roles/view/{{id}}',
'label' => __('View role'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'edit' => [
'url' => '/roles/edit/{{id}}',
'label' => __('Edit role'),
'actions' => ['edit', 'delete', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/roles/delete/{{id}}',
'label' => __('Delete role'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'Users' => [
'label' => __('Users'),
'url' => '/users/index',
'children' => [
'index' => [
'url' => '/users/index',
'label' => __('List users')
],
'add' => [
'url' => '/users/add',
'label' => __('Add user')
],
'view' => [
'url' => '/users/view/{{id}}',
'label' => __('View user'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'edit' => [
'url' => '/users/edit/{{id}}',
'label' => __('Edit user'),
'actions' => ['edit', 'delete', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/users/delete/{{id}}',
'label' => __('Delete user'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'MetaTemplates' => [
'label' => __('Meta Field Templates'),
'url' => '/metaTemplates/index',
'children' => [
'index' => [
'url' => '/metaTemplates/index',
'label' => __('List Meta Templates')
],
'view' => [
'url' => '/metaTemplates/view/{{id}}',
'label' => __('View Meta Template'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
],
'delete' => [
'url' => '/metaTemplates/delete/{{id}}',
'label' => __('Delete Meta Template'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
]
],
'Cerebrate' => [
'Roles' => [
'label' => __('Roles'),
'url' => '/roles/index',
'children' => [
'index' => [
'url' => '/roles/index',
'label' => __('List roles')
],
'view' => [
'url' => '/roles/view/{{id}}',
'label' => __('View role'),
'actions' => ['delete', 'edit', 'view'],
'skipTopMenu' => 1
]
]
],
'Instance' => [
__('Instance'),
'url' => '/instance/home',
'children' => [
'home' => [
'url' => '/instance/home',
'label' => __('Home')
]
]
]
],
'Open' => [
'Organisations' => [
'label' => __('Organisations'),
'url' => '/open/organisations/index',
'children' => [
'index' => [
'url' => '/open/organisations/index',
'label' => __('List organisations')
],
],
'open' => in_array('organisations', Configure::read('Cerebrate.open'))
],
'Individuals' => [
'label' => __('Individuals'),
'url' => '/open/individuals/index',
'children' => [
'index' => [
'url' => '/open/individuals/index',
'label' => __('List individuals')
],
],
'open' => in_array('individuals', Configure::read('Cerebrate.open'))
]
]
];
}
}