1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
<?php
/**
* UserFrosting (http://www.userfrosting.com)
*
* @link https://github.com/userfrosting/UserFrosting
* @license https://github.com/userfrosting/UserFrosting/blob/master/licenses/UserFrosting.md (MIT License)
*/
namespace UserFrosting\Sprinkle\Account\Authorize;
use Monolog\Logger;
use PhpParser\Lexer\Emulative as EmulativeLexer;
use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\Parser as Parser;
use PhpParser\PrettyPrinter\Standard as StandardPrettyPrinter;
use PhpParser\Error as PhpParserException;
use Psr\Http\Message\ServerRequestInterface as Request;
use UserFrosting\Sprinkle\Account\Database\Models\User;
/**
* AccessConditionExpression class
*
* This class models the evaluation of an authorization condition expression, as associated with permissions.
* A condition is built as a boolean expression composed of AccessCondition method calls.
*
* @author Alex Weissman (https://alexanderweissman.com)
*/
class AccessConditionExpression
{
/**
* @var User A user object, which for convenience can be referenced as 'self' in access conditions.
*/
protected $user;
/**
* @var ParserNodeFunctionEvaluator The node visitor, which evaluates access condition callbacks used in a permission condition.
*/
protected $nodeVisitor;
/**
* @var \PhpParser\Parser The PhpParser object to use (initialized in the ctor)
*/
protected $parser;
/**
* @var NodeTraverser The NodeTraverser object to use (initialized in the ctor)
*/
protected $traverser;
/**
* @var StandardPrettyPrinter The PrettyPrinter object to use (initialized in the ctor)
*/
protected $prettyPrinter;
/**
* @var Logger
*/
protected $logger;
/**
* @var bool Set to true if you want debugging information printed to the auth log.
*/
protected $debug;
/**
* Create a new AccessConditionExpression object.
*
* @param User $user A user object, which for convenience can be referenced as 'self' in access conditions.
* @param Logger $logger A Monolog logger, used to dump debugging info for authorization evaluations.
* @param bool $debug Set to true if you want debugging information printed to the auth log.
*/
public function __construct(ParserNodeFunctionEvaluator $nodeVisitor, User $user, Logger $logger, $debug = FALSE) {
$this->nodeVisitor = $nodeVisitor;
$this->user = $user;
$this->parser = new Parser(new EmulativeLexer);
$this->traverser = new NodeTraverser;
$this->traverser->addVisitor($nodeVisitor);
$this->prettyPrinter = new StandardPrettyPrinter;
$this->logger = $logger;
$this->debug = $debug;
}
/**
* Evaluates a condition expression, based on the given parameters.
*
* The special parameter `self` is an array of the current user's data.
* This get included automatically, and so does not need to be passed in.
* @param string $condition a boolean expression composed of calls to AccessCondition functions.
* @param array[mixed] $params the parameters to be used when evaluating the expression.
* @return bool true if the condition is passed for the given parameters, otherwise returns false.
*/
public function evaluateCondition($condition, $params) {
// Set the reserved `self` parameters.
// This replaces any values of `self` specified in the arguments, thus preventing them from being overridden in malicious user input.
// (For example, from an unfiltered request body).
$params['self'] = $this->user->export();
$this->nodeVisitor->setParams($params);
$code = "<?php $condition;";
if ($this->debug) {
$this->logger->debug("Evaluating access condition '$condition' with parameters:", $params);
}
// Traverse the parse tree, and execute any callbacks found using the supplied parameters.
// Replace the function node with the return value of the callback.
try {
// parse
$stmts = $this->parser->parse($code);
// traverse
$stmts = $this->traverser->traverse($stmts);
// Evaluate boolean statement. It is safe to use eval() here, because our expression has been reduced entirely to a boolean expression.
$expr = $this->prettyPrinter->prettyPrintExpr($stmts[0]);
$expr_eval = "return " . $expr . ";\n";
$result = eval($expr_eval);
if ($this->debug) {
$this->logger->debug("Expression '$expr' evaluates to " . ($result == TRUE ? "true" : "false"));
}
return $result;
} catch (PhpParserException $e) {
if ($this->debug) {
$this->logger->debug("Error parsing access condition '$condition':" . $e->getMessage());
}
return FALSE; // Access fails if the access condition can't be parsed.
} catch (AuthorizationException $e) {
if ($this->debug) {
$this->logger->debug("Error parsing access condition '$condition':" . $e->getMessage());
}
return FALSE;
}
}
}
|
