From e9fedf3e5cd63aea4da7a71f6647ee427c62fa49 Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Sat, 5 Dec 2015 20:31:27 -0500 Subject: Rewrite of the authentication and authorization system --- app/ServiceProvider/AuthenticationProvider.php | 149 ++++++++++++++++++++++++ app/ServiceProvider/ClassProvider.php | 40 +++---- app/ServiceProvider/GroupProvider.php | 37 ++++++ app/ServiceProvider/NotificationProvider.php | 45 ++++++++ app/ServiceProvider/PluginProvider.php | 31 +++++ app/ServiceProvider/RouteProvider.php | 151 +++++++++++++++++++++++++ app/ServiceProvider/SessionProvider.php | 13 +++ 7 files changed, 441 insertions(+), 25 deletions(-) create mode 100644 app/ServiceProvider/AuthenticationProvider.php create mode 100644 app/ServiceProvider/GroupProvider.php create mode 100644 app/ServiceProvider/NotificationProvider.php create mode 100644 app/ServiceProvider/PluginProvider.php create mode 100644 app/ServiceProvider/RouteProvider.php (limited to 'app/ServiceProvider') diff --git a/app/ServiceProvider/AuthenticationProvider.php b/app/ServiceProvider/AuthenticationProvider.php new file mode 100644 index 00000000..8600d96e --- /dev/null +++ b/app/ServiceProvider/AuthenticationProvider.php @@ -0,0 +1,149 @@ +register(new TotpAuth($container)); + $container['authenticationManager']->register(new RememberMeAuth($container)); + $container['authenticationManager']->register(new DatabaseAuth($container)); + + if (REVERSE_PROXY_AUTH) { + $container['authenticationManager']->register(new ReverseProxyAuth($container)); + } + + if (LDAP_AUTH) { + $container['authenticationManager']->register(new LdapAuth($container)); + } + + if (GITLAB_AUTH) { + $container['authenticationManager']->register(new GitlabAuth($container)); + } + + if (GITHUB_AUTH) { + $container['authenticationManager']->register(new GithubAuth($container)); + } + + if (GOOGLE_AUTH) { + $container['authenticationManager']->register(new GoogleAuth($container)); + } + + $container['projectAccessMap'] = $this->getProjectAccessMap(); + $container['applicationAccessMap'] = $this->getApplicationAccessMap(); + + $container['projectAuthorization'] = new Authorization($container['projectAccessMap']); + $container['applicationAuthorization'] = new Authorization($container['applicationAccessMap']); + + return $container; + } + + /** + * Get ACL for projects + * + * @access public + * @return AccessMap + */ + public function getProjectAccessMap() + { + $acl = new AccessMap; + $acl->setDefaultRole(Role::PROJECT_VIEWER); + $acl->setRoleHierarchy(Role::PROJECT_MANAGER, array(Role::PROJECT_MEMBER, Role::PROJECT_VIEWER)); + $acl->setRoleHierarchy(Role::PROJECT_MEMBER, array(Role::PROJECT_VIEWER)); + + $acl->add('Action', '*', Role::PROJECT_MANAGER); + $acl->add('Analytic', '*', Role::PROJECT_MANAGER); + $acl->add('Board', 'save', Role::PROJECT_MEMBER); + $acl->add('BoardPopover', '*', Role::PROJECT_MEMBER); + $acl->add('Calendar', 'save', Role::PROJECT_MEMBER); + $acl->add('Category', '*', Role::PROJECT_MANAGER); + $acl->add('Column', '*', Role::PROJECT_MANAGER); + $acl->add('Comment', '*', Role::PROJECT_MEMBER); + $acl->add('Customfilter', '*', Role::PROJECT_MEMBER); + $acl->add('Export', '*', Role::PROJECT_MANAGER); + $acl->add('File', array('screenshot', 'create', 'save', 'remove', 'confirm'), Role::PROJECT_MEMBER); + $acl->add('Gantt', '*', Role::PROJECT_MANAGER); + $acl->add('Project', array('share', 'integrations', 'notifications', 'edit', 'update', 'duplicate', 'disable', 'enable', 'remove'), Role::PROJECT_MANAGER); + $acl->add('ProjectPermission', '*', Role::PROJECT_MANAGER); + $acl->add('Projectuser', '*', Role::PROJECT_MANAGER); + $acl->add('Subtask', '*', Role::PROJECT_MEMBER); + $acl->add('Swimlane', '*', Role::PROJECT_MANAGER); + $acl->add('Task', 'remove', Role::PROJECT_MEMBER); + $acl->add('Taskcreation', '*', Role::PROJECT_MEMBER); + $acl->add('Taskduplication', '*', Role::PROJECT_MEMBER); + $acl->add('TaskImport', '*', Role::PROJECT_MANAGER); + $acl->add('Tasklink', '*', Role::PROJECT_MEMBER); + $acl->add('Taskmodification', '*', Role::PROJECT_MEMBER); + $acl->add('Taskstatus', '*', Role::PROJECT_MEMBER); + $acl->add('Timer', '*', Role::PROJECT_MEMBER); + + return $acl; + } + + /** + * Get ACL for the application + * + * @access public + * @return AccessMap + */ + public function getApplicationAccessMap() + { + $acl = new AccessMap; + $acl->setDefaultRole(Role::APP_USER); + $acl->setRoleHierarchy(Role::APP_ADMIN, array(Role::APP_MANAGER, Role::APP_USER, Role::APP_PUBLIC)); + $acl->setRoleHierarchy(Role::APP_MANAGER, array(Role::APP_USER, Role::APP_PUBLIC)); + $acl->setRoleHierarchy(Role::APP_USER, array(Role::APP_PUBLIC)); + + $acl->add('Oauth', array('google', 'github', 'gitlab'), Role::APP_PUBLIC); + $acl->add('Auth', array('login', 'check', 'captcha'), Role::APP_PUBLIC); + $acl->add('Webhook', '*', Role::APP_PUBLIC); + $acl->add('Task', 'readonly', Role::APP_PUBLIC); + $acl->add('Board', 'readonly', Role::APP_PUBLIC); + $acl->add('Ical', '*', Role::APP_PUBLIC); + $acl->add('Feed', '*', Role::APP_PUBLIC); + + $acl->add('Config', '*', Role::APP_ADMIN); + $acl->add('Currency', '*', Role::APP_ADMIN); + $acl->add('Gantt', '*', Role::APP_MANAGER); + $acl->add('Group', '*', Role::APP_ADMIN); + $acl->add('Link', '*', Role::APP_ADMIN); + $acl->add('Project', array('users', 'allowEverybody', 'allow', 'role', 'revoke', 'create'), Role::APP_MANAGER); + $acl->add('ProjectPermission', '*', Role::APP_MANAGER); + $acl->add('Projectuser', '*', Role::APP_MANAGER); + $acl->add('Twofactor', 'disable', Role::APP_ADMIN); + $acl->add('UserImport', '*', Role::APP_ADMIN); + $acl->add('User', array('index', 'create', 'save', 'authentication', 'remove'), Role::APP_ADMIN); + + return $acl; + } +} diff --git a/app/ServiceProvider/ClassProvider.php b/app/ServiceProvider/ClassProvider.php index 9ec81116..76fe70f6 100644 --- a/app/ServiceProvider/ClassProvider.php +++ b/app/ServiceProvider/ClassProvider.php @@ -5,23 +5,17 @@ namespace Kanboard\ServiceProvider; use Pimple\Container; use Pimple\ServiceProviderInterface; use League\HTMLToMarkdown\HtmlConverter; -use Kanboard\Core\Plugin\Loader; use Kanboard\Core\Mail\Client as EmailClient; use Kanboard\Core\ObjectStorage\FileStorage; use Kanboard\Core\Paginator; -use Kanboard\Core\OAuth2; +use Kanboard\Core\Http\OAuth2; use Kanboard\Core\Tool; use Kanboard\Core\Http\Client as HttpClient; -use Kanboard\Model\UserNotificationType; -use Kanboard\Model\ProjectNotificationType; -use Kanboard\Notification\Mail as MailNotification; -use Kanboard\Notification\Web as WebNotification; class ClassProvider implements ServiceProviderInterface { private $classes = array( 'Model' => array( - 'Acl', 'Action', 'Authentication', 'Board', @@ -47,6 +41,9 @@ class ClassProvider implements ServiceProviderInterface 'ProjectPermission', 'ProjectNotification', 'ProjectMetadata', + 'ProjectGroupRole', + 'ProjectUserRole', + 'RememberMeSession', 'Subtask', 'SubtaskExport', 'SubtaskTimeTracking', @@ -69,7 +66,7 @@ class ClassProvider implements ServiceProviderInterface 'Transition', 'User', 'UserImport', - 'UserSession', + 'UserLocking', 'UserNotification', 'UserNotificationType', 'UserNotificationFilter', @@ -82,6 +79,8 @@ class ClassProvider implements ServiceProviderInterface 'TaskFilterCalendarFormatter', 'TaskFilterICalendarFormatter', 'ProjectGanttFormatter', + 'UserFilterAutoCompleteFormatter', + 'GroupAutoCompleteFormatter', ), 'Core' => array( 'DateParser', @@ -92,7 +91,7 @@ class ClassProvider implements ServiceProviderInterface 'Core\Http' => array( 'Request', 'Response', - 'Router', + 'RememberMeCookie', ), 'Core\Cache' => array( 'MemoryCache', @@ -102,6 +101,13 @@ class ClassProvider implements ServiceProviderInterface ), 'Core\Security' => array( 'Token', + 'Role', + ), + 'Core\User' => array( + 'GroupSync', + 'UserSync', + 'UserSession', + 'UserProfile', ), 'Integration' => array( 'BitbucketWebhook', @@ -142,22 +148,6 @@ class ClassProvider implements ServiceProviderInterface return $mailer; }; - $container['userNotificationType'] = function ($container) { - $type = new UserNotificationType($container); - $type->setType(MailNotification::TYPE, t('Email'), '\Kanboard\Notification\Mail'); - $type->setType(WebNotification::TYPE, t('Web'), '\Kanboard\Notification\Web'); - return $type; - }; - - $container['projectNotificationType'] = function ($container) { - $type = new ProjectNotificationType($container); - $type->setType('webhook', 'Webhook', '\Kanboard\Notification\Webhook', true); - $type->setType('activity_stream', 'ActivityStream', '\Kanboard\Notification\ActivityStream', true); - return $type; - }; - - $container['pluginLoader'] = new Loader($container); - $container['cspRules'] = array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:'); return $container; diff --git a/app/ServiceProvider/GroupProvider.php b/app/ServiceProvider/GroupProvider.php new file mode 100644 index 00000000..dff4b23a --- /dev/null +++ b/app/ServiceProvider/GroupProvider.php @@ -0,0 +1,37 @@ +register(new DatabaseBackendGroupProvider($container)); + + if (LDAP_AUTH && LDAP_GROUP_PROVIDER) { + $container['groupManager']->register(new LdapBackendGroupProvider($container)); + } + + return $container; + } +} diff --git a/app/ServiceProvider/NotificationProvider.php b/app/ServiceProvider/NotificationProvider.php new file mode 100644 index 00000000..83daf65d --- /dev/null +++ b/app/ServiceProvider/NotificationProvider.php @@ -0,0 +1,45 @@ +setType(MailNotification::TYPE, t('Email'), '\Kanboard\Notification\Mail'); + $type->setType(WebNotification::TYPE, t('Web'), '\Kanboard\Notification\Web'); + return $type; + }; + + $container['projectNotificationType'] = function ($container) { + $type = new ProjectNotificationType($container); + $type->setType('webhook', 'Webhook', '\Kanboard\Notification\Webhook', true); + $type->setType('activity_stream', 'ActivityStream', '\Kanboard\Notification\ActivityStream', true); + return $type; + }; + + return $container; + } +} diff --git a/app/ServiceProvider/PluginProvider.php b/app/ServiceProvider/PluginProvider.php new file mode 100644 index 00000000..d2f1666b --- /dev/null +++ b/app/ServiceProvider/PluginProvider.php @@ -0,0 +1,31 @@ +scan(); + + return $container; + } +} diff --git a/app/ServiceProvider/RouteProvider.php b/app/ServiceProvider/RouteProvider.php new file mode 100644 index 00000000..60ed161c --- /dev/null +++ b/app/ServiceProvider/RouteProvider.php @@ -0,0 +1,151 @@ +addRoute('dashboard', 'app', 'index'); + $container['router']->addRoute('dashboard/:user_id', 'app', 'index', array('user_id')); + $container['router']->addRoute('dashboard/:user_id/projects', 'app', 'projects', array('user_id')); + $container['router']->addRoute('dashboard/:user_id/tasks', 'app', 'tasks', array('user_id')); + $container['router']->addRoute('dashboard/:user_id/subtasks', 'app', 'subtasks', array('user_id')); + $container['router']->addRoute('dashboard/:user_id/calendar', 'app', 'calendar', array('user_id')); + $container['router']->addRoute('dashboard/:user_id/activity', 'app', 'activity', array('user_id')); + + // Search routes + $container['router']->addRoute('search', 'search', 'index'); + $container['router']->addRoute('search/:search', 'search', 'index', array('search')); + + // Project routes + $container['router']->addRoute('projects', 'project', 'index'); + $container['router']->addRoute('project/create', 'project', 'create'); + $container['router']->addRoute('project/create/:private', 'project', 'create', array('private')); + $container['router']->addRoute('project/:project_id', 'project', 'show', array('project_id')); + $container['router']->addRoute('p/:project_id', 'project', 'show', array('project_id')); + $container['router']->addRoute('project/:project_id/customer-filter', 'customfilter', 'index', array('project_id')); + $container['router']->addRoute('project/:project_id/share', 'project', 'share', array('project_id')); + $container['router']->addRoute('project/:project_id/notifications', 'project', 'notifications', array('project_id')); + $container['router']->addRoute('project/:project_id/edit', 'project', 'edit', array('project_id')); + $container['router']->addRoute('project/:project_id/integrations', 'project', 'integrations', array('project_id')); + $container['router']->addRoute('project/:project_id/duplicate', 'project', 'duplicate', array('project_id')); + $container['router']->addRoute('project/:project_id/remove', 'project', 'remove', array('project_id')); + $container['router']->addRoute('project/:project_id/disable', 'project', 'disable', array('project_id')); + $container['router']->addRoute('project/:project_id/enable', 'project', 'enable', array('project_id')); + $container['router']->addRoute('project/:project_id/permissions', 'ProjectPermission', 'index', array('project_id')); + $container['router']->addRoute('project/:project_id/import', 'taskImport', 'step1', array('project_id')); + + // Action routes + $container['router']->addRoute('project/:project_id/actions', 'action', 'index', array('project_id')); + $container['router']->addRoute('project/:project_id/action/:action_id/confirm', 'action', 'confirm', array('project_id', 'action_id')); + + // Column routes + $container['router']->addRoute('project/:project_id/columns', 'column', 'index', array('project_id')); + $container['router']->addRoute('project/:project_id/column/:column_id/edit', 'column', 'edit', array('project_id', 'column_id')); + $container['router']->addRoute('project/:project_id/column/:column_id/confirm', 'column', 'confirm', array('project_id', 'column_id')); + $container['router']->addRoute('project/:project_id/column/:column_id/move/:direction', 'column', 'move', array('project_id', 'column_id', 'direction')); + + // Swimlane routes + $container['router']->addRoute('project/:project_id/swimlanes', 'swimlane', 'index', array('project_id')); + $container['router']->addRoute('project/:project_id/swimlane/:swimlane_id/edit', 'swimlane', 'edit', array('project_id', 'swimlane_id')); + $container['router']->addRoute('project/:project_id/swimlane/:swimlane_id/confirm', 'swimlane', 'confirm', array('project_id', 'swimlane_id')); + $container['router']->addRoute('project/:project_id/swimlane/:swimlane_id/disable', 'swimlane', 'disable', array('project_id', 'swimlane_id')); + $container['router']->addRoute('project/:project_id/swimlane/:swimlane_id/enable', 'swimlane', 'enable', array('project_id', 'swimlane_id')); + $container['router']->addRoute('project/:project_id/swimlane/:swimlane_id/up', 'swimlane', 'moveup', array('project_id', 'swimlane_id')); + $container['router']->addRoute('project/:project_id/swimlane/:swimlane_id/down', 'swimlane', 'movedown', array('project_id', 'swimlane_id')); + + // Category routes + $container['router']->addRoute('project/:project_id/categories', 'category', 'index', array('project_id')); + $container['router']->addRoute('project/:project_id/category/:category_id/edit', 'category', 'edit', array('project_id', 'category_id')); + $container['router']->addRoute('project/:project_id/category/:category_id/confirm', 'category', 'confirm', array('project_id', 'category_id')); + + // Task routes + $container['router']->addRoute('project/:project_id/task/:task_id', 'task', 'show', array('project_id', 'task_id')); + $container['router']->addRoute('t/:task_id', 'task', 'show', array('task_id')); + $container['router']->addRoute('public/task/:task_id/:token', 'task', 'readonly', array('task_id', 'token')); + + $container['router']->addRoute('project/:project_id/task/:task_id/activity', 'activity', 'task', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/screenshot', 'file', 'screenshot', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/upload', 'file', 'create', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/comment', 'comment', 'create', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/link', 'tasklink', 'create', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/transitions', 'task', 'transitions', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/analytics', 'task', 'analytics', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/remove', 'task', 'remove', array('project_id', 'task_id')); + + $container['router']->addRoute('project/:project_id/task/:task_id/edit', 'taskmodification', 'edit', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/description', 'taskmodification', 'description', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/recurrence', 'taskmodification', 'recurrence', array('project_id', 'task_id')); + + $container['router']->addRoute('project/:project_id/task/:task_id/close', 'taskstatus', 'close', array('task_id', 'project_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/open', 'taskstatus', 'open', array('task_id', 'project_id')); + + $container['router']->addRoute('project/:project_id/task/:task_id/duplicate', 'taskduplication', 'duplicate', array('task_id', 'project_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/copy', 'taskduplication', 'copy', array('task_id', 'project_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/copy/:dst_project_id', 'taskduplication', 'copy', array('task_id', 'project_id', 'dst_project_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/move', 'taskduplication', 'move', array('task_id', 'project_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/move/:dst_project_id', 'taskduplication', 'move', array('task_id', 'project_id', 'dst_project_id')); + + // Board routes + $container['router']->addRoute('board/:project_id', 'board', 'show', array('project_id')); + $container['router']->addRoute('b/:project_id', 'board', 'show', array('project_id')); + $container['router']->addRoute('public/board/:token', 'board', 'readonly', array('token')); + + // Calendar routes + $container['router']->addRoute('calendar/:project_id', 'calendar', 'show', array('project_id')); + $container['router']->addRoute('c/:project_id', 'calendar', 'show', array('project_id')); + + // Listing routes + $container['router']->addRoute('list/:project_id', 'listing', 'show', array('project_id')); + $container['router']->addRoute('l/:project_id', 'listing', 'show', array('project_id')); + + // Gantt routes + $container['router']->addRoute('gantt/:project_id', 'gantt', 'project', array('project_id')); + $container['router']->addRoute('gantt/:project_id/sort/:sorting', 'gantt', 'project', array('project_id', 'sorting')); + + // Subtask routes + $container['router']->addRoute('project/:project_id/task/:task_id/subtask/create', 'subtask', 'create', array('project_id', 'task_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/subtask/:subtask_id/remove', 'subtask', 'confirm', array('project_id', 'task_id', 'subtask_id')); + $container['router']->addRoute('project/:project_id/task/:task_id/subtask/:subtask_id/edit', 'subtask', 'edit', array('project_id', 'task_id', 'subtask_id')); + + // Feed routes + $container['router']->addRoute('feed/project/:token', 'feed', 'project', array('token')); + $container['router']->addRoute('feed/user/:token', 'feed', 'user', array('token')); + + // Ical routes + $container['router']->addRoute('ical/project/:token', 'ical', 'project', array('token')); + $container['router']->addRoute('ical/user/:token', 'ical', 'user', array('token')); + + // Auth routes + $container['router']->addRoute('oauth/google', 'oauth', 'google'); + $container['router']->addRoute('oauth/github', 'oauth', 'github'); + $container['router']->addRoute('oauth/gitlab', 'oauth', 'gitlab'); + $container['router']->addRoute('login', 'auth', 'login'); + $container['router']->addRoute('logout', 'auth', 'logout'); + } + + return $container; + } +} diff --git a/app/ServiceProvider/SessionProvider.php b/app/ServiceProvider/SessionProvider.php index 414d9578..0999d531 100644 --- a/app/ServiceProvider/SessionProvider.php +++ b/app/ServiceProvider/SessionProvider.php @@ -8,8 +8,21 @@ use Kanboard\Core\Session\SessionManager; use Kanboard\Core\Session\SessionStorage; use Kanboard\Core\Session\FlashMessage; +/** + * Session Provider + * + * @package serviceProvider + * @author Frederic Guillot + */ class SessionProvider implements ServiceProviderInterface { + /** + * Register providers + * + * @access public + * @param \Pimple\Container $container + * @return \Pimple\Container + */ public function register(Container $container) { $container['sessionStorage'] = function() { -- cgit v1.2.3