Implementation of the backend for the OAuth2 clients management
@@ -4,12 +4,15 @@ namespace console\controllers;
|
||||
use common\models\AccountSession;
|
||||
use common\models\EmailActivation;
|
||||
use common\models\MinecraftAccessKey;
|
||||
use common\models\OauthClient;
|
||||
use common\tasks\ClearOauthSessions;
|
||||
use Yii;
|
||||
use yii\console\Controller;
|
||||
use yii\console\ExitCode;
|
||||
|
||||
class CleanupController extends Controller {
|
||||
|
||||
public function actionEmailKeys() {
|
||||
public function actionEmailKeys(): int {
|
||||
$query = EmailActivation::find();
|
||||
foreach ($this->getEmailActivationsDurationsMap() as $typeId => $expiration) {
|
||||
$query->orWhere([
|
||||
@@ -24,10 +27,10 @@ class CleanupController extends Controller {
|
||||
$email->delete();
|
||||
}
|
||||
|
||||
return self::EXIT_CODE_NORMAL;
|
||||
return ExitCode::OK;
|
||||
}
|
||||
|
||||
public function actionMinecraftSessions() {
|
||||
public function actionMinecraftSessions(): int {
|
||||
$expiredMinecraftSessionsQuery = MinecraftAccessKey::find()
|
||||
->andWhere(['<', 'updated_at', time() - 1209600]); // 2 weeks
|
||||
|
||||
@@ -36,7 +39,7 @@ class CleanupController extends Controller {
|
||||
$minecraftSession->delete();
|
||||
}
|
||||
|
||||
return self::EXIT_CODE_NORMAL;
|
||||
return ExitCode::OK;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -47,7 +50,7 @@ class CleanupController extends Controller {
|
||||
* У модели AccountSession нет внешних связей, так что целевые записи
|
||||
* могут быть удалены без использования циклов.
|
||||
*/
|
||||
public function actionWebSessions() {
|
||||
public function actionWebSessions(): int {
|
||||
AccountSession::deleteAll([
|
||||
'OR',
|
||||
['<', 'last_refreshed_at', time() - 7776000], // 90 days
|
||||
@@ -58,7 +61,24 @@ class CleanupController extends Controller {
|
||||
],
|
||||
]);
|
||||
|
||||
return self::EXIT_CODE_NORMAL;
|
||||
return ExitCode::OK;
|
||||
}
|
||||
|
||||
public function actionOauthClients(): int {
|
||||
/** @var OauthClient[] $clients */
|
||||
$clients = OauthClient::find()
|
||||
->onlyDeleted()
|
||||
->all();
|
||||
foreach ($clients as $client) {
|
||||
if ($client->getSessions()->exists()) {
|
||||
Yii::$app->queue->push(ClearOauthSessions::createFromOauthClient($client));
|
||||
continue;
|
||||
}
|
||||
|
||||
$client->delete();
|
||||
}
|
||||
|
||||
return ExitCode::OK;
|
||||
}
|
||||
|
||||
private function getEmailActivationsDurationsMap(): array {
|
||||
|
||||
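Review bot: `$client->delete();` at the end of actionOauthClients discards the return value, so a client whose deletion is refused (Yii's ActiveRecord::delete() returns false when a beforeDelete() handler vetoes it) is silently skipped and silently retried on every run; `if ($client->delete() === false) { Yii::warning('Failed to delete oauth client', __METHOD__); }` would at least make that visible in the logs. The `continue` branch pushes a new ClearOauthSessions job each time the action runs while sessions still exist, so if this cleanup is scheduled more often than the queue drains, duplicate jobs for the same client will accumulate — presumably the task is idempotent, but a comment saying so (or a guard) would save the next reader the question. Loading every deleted client with `->all()` before the loop is fine at current scale but `->each()` would keep memory flat as the soft-deleted set grows. actionOauthClients lies entirely within this hunk; getEmailActivationsDurationsMap continues outside it.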
@@ -4,6 +4,7 @@ namespace console\controllers;
|
||||
use common\rbac\Permissions as P;
|
||||
use common\rbac\Roles as R;
|
||||
use common\rbac\rules\AccountOwner;
|
||||
use common\rbac\rules\OauthClientOwner;
|
||||
use InvalidArgumentException;
|
||||
use Yii;
|
||||
use yii\base\ErrorException;
|
||||
@@ -30,6 +31,9 @@ class RbacController extends Controller {
|
||||
$permChangeAccountEmail = $this->createPermission(P::CHANGE_ACCOUNT_EMAIL);
|
||||
$permManageTwoFactorAuth = $this->createPermission(P::MANAGE_TWO_FACTOR_AUTH);
|
||||
$permBlockAccount = $this->createPermission(P::BLOCK_ACCOUNT);
|
||||
$permCreateOauthClients = $this->createPermission(P::CREATE_OAUTH_CLIENTS);
|
||||
$permViewOauthClients = $this->createPermission(P::VIEW_OAUTH_CLIENTS);
|
||||
$permManageOauthClients = $this->createPermission(P::MANAGE_OAUTH_CLIENTS);
|
||||
$permCompleteOauthFlow = $this->createPermission(P::COMPLETE_OAUTH_FLOW, AccountOwner::class);
|
||||
|
||||
$permObtainAccountEmail = $this->createPermission(P::OBTAIN_ACCOUNT_EMAIL);
|
||||
@@ -44,6 +48,8 @@ class RbacController extends Controller {
|
||||
$permChangeOwnAccountEmail = $this->createPermission(P::CHANGE_OWN_ACCOUNT_EMAIL, AccountOwner::class);
|
||||
$permManageOwnTwoFactorAuth = $this->createPermission(P::MANAGE_OWN_TWO_FACTOR_AUTH, AccountOwner::class);
|
||||
$permMinecraftServerSession = $this->createPermission(P::MINECRAFT_SERVER_SESSION);
|
||||
$permViewOwnOauthClients = $this->createPermission(P::VIEW_OWN_OAUTH_CLIENTS, OauthClientOwner::class);
|
||||
$permManageOwnOauthClients = $this->createPermission(P::MANAGE_OWN_OAUTH_CLIENTS, OauthClientOwner::class);
|
||||
|
||||
$permEscapeIdentityVerification = $this->createPermission(P::ESCAPE_IDENTITY_VERIFICATION);
|
||||
|
||||
@@ -56,6 +62,8 @@ class RbacController extends Controller {
|
||||
$authManager->addChild($permChangeOwnAccountPassword, $permChangeAccountPassword);
|
||||
$authManager->addChild($permChangeOwnAccountEmail, $permChangeAccountEmail);
|
||||
$authManager->addChild($permManageOwnTwoFactorAuth, $permManageTwoFactorAuth);
|
||||
$authManager->addChild($permViewOwnOauthClients, $permViewOauthClients);
|
||||
$authManager->addChild($permManageOwnOauthClients, $permManageOauthClients);
|
||||
|
||||
$authManager->addChild($permObtainExtendedAccountInfo, $permObtainAccountInfo);
|
||||
$authManager->addChild($permObtainExtendedAccountInfo, $permObtainAccountEmail);
|
||||
@@ -68,6 +76,9 @@ class RbacController extends Controller {
|
||||
$authManager->addChild($roleAccountsWebUser, $permChangeOwnAccountEmail);
|
||||
$authManager->addChild($roleAccountsWebUser, $permManageOwnTwoFactorAuth);
|
||||
$authManager->addChild($roleAccountsWebUser, $permCompleteOauthFlow);
|
||||
$authManager->addChild($roleAccountsWebUser, $permCreateOauthClients);
|
||||
$authManager->addChild($roleAccountsWebUser, $permViewOwnOauthClients);
|
||||
$authManager->addChild($roleAccountsWebUser, $permManageOwnOauthClients);
|
||||
}
|
||||
|
||||
private function createRole(string $name): Role {
|
||||
|
||||
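Review bot: `$authManager->addChild($roleAccountsWebUser, $permCreateOauthClients);` grants the unrestricted CREATE_OAUTH_CLIENTS permission to every web user, while the two sibling grants on the next lines are gated by the OauthClientOwner rule; if that asymmetry is intentional (any account may register clients, ownership only matters afterwards), a one-line comment above the grant, `// every web user may register clients; ownership rules apply only to view/manage`, would stop it being read as an omission. The rule class itself and any limit on how many clients one account may create are outside this hunk, so I cannot tell whether registration is bounded. The enclosing init method starts outside the hunk and closes at the `}` shown here.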
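--- /dev/null
+++ b/[migrations-dir-not-shown-on-page]/m180224_132027_extend_oauth_clients_attributes.php
@@ -0,0 +1,29 @@
+<?php
+
+use console\db\Migration;
+
+class m180224_132027_extend_oauth_clients_attributes extends Migration {
+
+public function safeUp() {
+$this->addColumn('{{%oauth_clients}}', 'type', $this->string()->notNull()->after('secret'));
+$this->addColumn('{{%oauth_clients}}', 'website_url', $this->string()->null()->after('redirect_uri'));
+$this->addColumn('{{%oauth_clients}}', 'minecraft_server_ip', $this->string()->null()->after('website_url'));
+$this->addColumn('{{%oauth_clients}}', 'is_deleted', $this->boolean()->notNull()->defaultValue(false)->after('is_trusted'));
+$this->update('{{%oauth_clients}}', [
+'type' => 'application',
+]);
+$this->addColumn('{{%oauth_sessions}}', 'created_at', $this->integer()->unsigned()->notNull());
+$this->update('{{%oauth_sessions}}', [
+'created_at' => time(),
+]);
+}
+
+public function safeDown() {
+$this->dropColumn('{{%oauth_clients}}', 'type');
+$this->dropColumn('{{%oauth_clients}}', 'website_url');
+$this->dropColumn('{{%oauth_clients}}', 'minecraft_server_ip');
+$this->dropColumn('{{%oauth_clients}}', 'is_deleted');
+$this->dropColumn('{{%oauth_sessions}}', 'created_at');
+}
+
+}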
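Review bot: The backfill `'created_at' => time(),` in safeUp() stamps every pre-existing oauth_sessions row with the moment the migration ran rather than its real creation time, so if created_at is later used to age out or audit sessions (nothing here shows that yet), every old session will look freshly created and any age-based expiry will be postponed by the full window. That is probably unavoidable without historical data, but it deserves a comment on that line, `// existing sessions have no recorded creation time; the migration time is the best available approximation`, so the discontinuity is discoverable later. The same applies to the blanket `'type' => 'application'` update of every existing client, which is a guess rather than a recorded fact. safeDown() drops created_at outright, so a rollback loses even the approximate values; acceptable, but worth stating in the same comment.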