mirror of
https://github.com/elyby/accounts.git
synced 2024-11-10 07:22:00 +05:30
dd2c4bc413
Все действия, связанные с аккаунтами, теперь вызываются через url `/api/v1/accounts/<id>/<action>`. Добавлена вменяемая система разграничения прав на основе RBAC. Теперь oAuth2 токены генерируются как случайная строка в 40 символов длинной, а не UUID. Исправлен баг с неправильным временем жизни токена в ответе успешного запроса аутентификации. Теперь все unit тесты можно успешно прогнать без наличия интернета.
87 lines
3.0 KiB
PHP
87 lines
3.0 KiB
PHP
<?php
|
||
namespace api\components\OAuth2\Storage;
|
||
|
||
use api\components\OAuth2\Entities\ClientEntity;
|
||
use api\components\OAuth2\Entities\ScopeEntity;
|
||
use Assert\Assert;
|
||
use common\rbac\Permissions as P;
|
||
use League\OAuth2\Server\Storage\AbstractStorage;
|
||
use League\OAuth2\Server\Storage\ScopeInterface;
|
||
|
||
class ScopeStorage extends AbstractStorage implements ScopeInterface {
|
||
|
||
public const OFFLINE_ACCESS = 'offline_access';
|
||
|
||
private const PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS = [
|
||
'account_info' => P::OBTAIN_OWN_ACCOUNT_INFO,
|
||
'account_email' => P::OBTAIN_ACCOUNT_EMAIL,
|
||
'account_block' => P::BLOCK_ACCOUNT,
|
||
'internal_account_info' => P::OBTAIN_EXTENDED_ACCOUNT_INFO,
|
||
];
|
||
|
||
private const AUTHORIZATION_CODE_PERMISSIONS = [
|
||
P::OBTAIN_OWN_ACCOUNT_INFO,
|
||
P::OBTAIN_ACCOUNT_EMAIL,
|
||
P::MINECRAFT_SERVER_SESSION,
|
||
self::OFFLINE_ACCESS,
|
||
];
|
||
|
||
private const CLIENT_CREDENTIALS_PERMISSIONS = [
|
||
];
|
||
|
||
private const CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL = [
|
||
P::BLOCK_ACCOUNT,
|
||
P::OBTAIN_EXTENDED_ACCOUNT_INFO,
|
||
];
|
||
|
||
/**
|
||
* @param string $scope
|
||
* @param string $grantType передаётся, если запрос поступает из grant. В этом случае нужно отфильтровать
|
||
* только те права, которые можно получить на этом grant.
|
||
* @param string $clientId
|
||
*
|
||
* @return ScopeEntity|null
|
||
*/
|
||
public function get($scope, $grantType = null, $clientId = null): ?ScopeEntity {
|
||
$permission = $this->convertToInternalPermission($scope);
|
||
|
||
if ($grantType === 'authorization_code') {
|
||
$permissions = self::AUTHORIZATION_CODE_PERMISSIONS;
|
||
} elseif ($grantType === 'client_credentials') {
|
||
$permissions = self::CLIENT_CREDENTIALS_PERMISSIONS;
|
||
$isTrusted = false;
|
||
if ($clientId !== null) {
|
||
/** @var ClientEntity $client */
|
||
$client = $this->server->getClientStorage()->get($clientId);
|
||
Assert::that($client)->isInstanceOf(ClientEntity::class);
|
||
|
||
$isTrusted = $client->isTrusted();
|
||
}
|
||
|
||
if ($isTrusted) {
|
||
$permissions = array_merge($permissions, self::CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL);
|
||
}
|
||
} else {
|
||
$permissions = array_merge(
|
||
self::AUTHORIZATION_CODE_PERMISSIONS,
|
||
self::CLIENT_CREDENTIALS_PERMISSIONS,
|
||
self::CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL
|
||
);
|
||
}
|
||
|
||
if (!in_array($permission, $permissions, true)) {
|
||
return null;
|
||
}
|
||
|
||
$entity = new ScopeEntity($this->server);
|
||
$entity->setId($permission);
|
||
|
||
return $entity;
|
||
}
|
||
|
||
private function convertToInternalPermission(string $publicScope): string {
|
||
return self::PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS[$publicScope] ?? $publicScope;
|
||
}
|
||
|
||
}
|