294 lines
8.6 KiB
PHP
Executable File
294 lines
8.6 KiB
PHP
Executable File
<?php
|
|
|
|
namespace api\core;
|
|
|
|
use \database\core\Repo;
|
|
use \error\core\Error;
|
|
use \error\core\Err;
|
|
use \api\core\AuthSystem;
|
|
|
|
|
|
|
|
|
|
class AuthSystemDefault implements AuthSystem{
|
|
|
|
public function __construct(){
|
|
self::check();
|
|
}
|
|
|
|
|
|
|
|
/* INITIALISATION DU SYSTEME ET MISE A JOUR CONSTANTES D'AUTHENTIFICATION
|
|
*
|
|
*
|
|
*/
|
|
public static function check(){
|
|
/* (1) Initialisation
|
|
---------------------------------------------------------*/
|
|
if( !isset($_SESSION['AUTH']) ) $_SESSION['AUTH'] = [];
|
|
if( !isset($_SESSION['PERM']) ) $_SESSION['PERM'] = [];
|
|
if( !isset($_SESSION['WAREHOUSE']) ) $_SESSION['WAREHOUSE'] = [];
|
|
if( !isset($_SESSION['ADMIN']) ) $_SESSION['ADMIN'] = [];
|
|
|
|
|
|
/* (2) Gestion de AUTH (authentification)
|
|
---------------------------------------------------------*/
|
|
/* (1) Si Auth dans HEADER, on le récupère */
|
|
$AUTH = isset($_SERVER['PHP_AUTH_DIGEST']) ? $_SERVER['PHP_AUTH_DIGEST'] : '';
|
|
|
|
/* (2) Si Auth dans SESSION, on le récupère */
|
|
if( $AUTH == '' && isset($_SESSION['AUTH']) )
|
|
$AUTH = implode('', $_SESSION['AUTH']);
|
|
|
|
|
|
/* (3) Gestion de AUTH en fonction des tokens
|
|
---------------------------------------------------------*/
|
|
/* (1) Triple authentification (warehouse+SATS_token+SATS_nexttoken) */
|
|
if( preg_match('/^([a-f0-9]{128})([a-f0-9]{128})([a-f0-9]{128})$/', $AUTH, $match) )
|
|
$_SESSION['AUTH'] = [ $match[1], $match[2], $match[3] ];
|
|
|
|
/* (2) Double authentification (warehouse+admin) */
|
|
else if( preg_match('/^([a-f0-9]{128})([a-f0-9]{128})$/', $AUTH, $match) )
|
|
$_SESSION['AUTH'] = [ $match[1], $match[2] ];
|
|
|
|
/* (3) Authentification unique (warehouse) */
|
|
else if( preg_match('/^[a-f0-9]{128}$/', $AUTH, $match) )
|
|
$_SESSION['AUTH'] = [ $match[0] ];
|
|
|
|
/* (4) Aucune authentification */
|
|
else{
|
|
$_SESSION['AUTH'] = [];
|
|
$_SESSION['PERM'] = [];
|
|
$_SESSION['WAREHOUSE'] = [];
|
|
$_SESSION['ADMIN'] = [];
|
|
}
|
|
|
|
/* (4) On vérifie l'authentification par BDD
|
|
---------------------------------------------------------*/
|
|
if( !self::deepCheck() ){
|
|
$_SESSION['AUTH'] = [];
|
|
$_SESSION['PERM'] = [];
|
|
$_SESSION['WAREHOUSE'] = [];
|
|
$_SESSION['ADMIN'] = [];
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
/* VERIFICATION DE L'AUTHENTIFICATION
|
|
*
|
|
*
|
|
*/
|
|
private static function deepCheck(){
|
|
|
|
/* [1] Si aucune authentification
|
|
=========================================================*/
|
|
if( self::auth() == 0 )
|
|
return false;
|
|
|
|
|
|
/* [2] Si authentification unique -> WAREHOUSE
|
|
=========================================================*/
|
|
if( self::auth() >= 1 ){
|
|
|
|
$checkRoot = new Repo('warehouse/getByToken', [ $_SESSION['AUTH'][0] ]);
|
|
|
|
/* (1) Si le token n'existe pas, on retourne une erreur */
|
|
if( $checkRoot->answer() == false )
|
|
return false;
|
|
|
|
/* (2) On met à jour les informations de l'entrepot */
|
|
$_SESSION['WAREHOUSE'] = [
|
|
'id' => (int) $checkRoot->answer()[0]['id_warehouse'],
|
|
'name' => $checkRoot->answer()[0]['name'],
|
|
'theme' => '#'.$checkRoot->answer()[0]['theme']
|
|
];
|
|
|
|
/* (3) On récupère les modules de l'entrepot */
|
|
$getModules = new Repo('warehouse/getModules', [ $_SESSION['WAREHOUSE']['id'] ]);
|
|
|
|
$_SESSION['WAREHOUSE']['modules'] = $getModules->answer();
|
|
|
|
}
|
|
|
|
|
|
/* [3] Si authentification double -> WAREHOUSE + ADMIN
|
|
=========================================================*/
|
|
if( self::auth() == 2 ){
|
|
|
|
$checkBranch = new Repo('admin/getByToken', [ $_SESSION['WAREHOUSE']['id'], $_SESSION['AUTH'][1] ]);
|
|
|
|
/* (1) Si le token n'existe pas, on retourne une erreur */
|
|
if( $checkBranch->answer() == false )
|
|
return false;
|
|
|
|
/* (2) On met à jour les informations de l'administrateur */
|
|
$_SESSION['ADMIN'] = [
|
|
'id' => (int) $checkBranch->answer()['id_admin'],
|
|
'username' => $checkBranch->answer()['username'],
|
|
'mail' => $checkBranch->answer()['mail']
|
|
];
|
|
|
|
|
|
}
|
|
|
|
|
|
/* [4] Si authentification triple -> WAREHOUSE + SATS_token + SATS_nexttoken
|
|
=========================================================*/
|
|
if( self::auth() == 3 ){
|
|
|
|
|
|
$checkBranch = new Repo('machine/checkToken', [ $_SESSION['WAREHOUSE']['id'], $_SESSION['AUTH'][1], $_SESSION['AUTH'][2] ]);
|
|
|
|
/* (1) Si le token n'est pas valide, on retourne une erreur */
|
|
if( $checkBranch->answer() == false )
|
|
return false;
|
|
|
|
/* (2) On met à jour les informations de l'administrateur */
|
|
$_SESSION['SATS'] = [
|
|
'id' => (int) $checkBranch->answer()['id_machine'],
|
|
'name' => $checkBranch->answer()['name']
|
|
];
|
|
|
|
|
|
}
|
|
|
|
|
|
/* [5] Si pas d'erreur d'authentification, on retourne TRUE
|
|
=========================================================*/
|
|
return true;
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
|
|
*
|
|
* @module<String> Module concerné
|
|
* @expected<array> Liste de listes de combinaisons de permissions attendues
|
|
*
|
|
* @return error<Error> Si FALSE, pas la permission, sinon si
|
|
*
|
|
*/
|
|
public static function permission($module, $expected){
|
|
|
|
/* [1] Check format -> if not array of array(s) -> ERROR
|
|
=========================================================*/
|
|
/* (1) If not array of array(s) -> ERROR*/
|
|
foreach($expected as $permissions)
|
|
if( !is_array($permissions) )
|
|
return new Error(Err::FormatError);
|
|
|
|
|
|
/* [2] Foreach each set of permission
|
|
=========================================================*/
|
|
foreach($expected as $permission_group){
|
|
|
|
/* If granted -> don't go further */
|
|
if( self::check_permission_group($module, $permission_group) == Err::Success )
|
|
return new Error(Err::Success);
|
|
|
|
}
|
|
|
|
|
|
/* [3] By default return `PermissionError`
|
|
=========================================================*/
|
|
return new Error(Err::PermissionError);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
|
|
*
|
|
* @module<String> Module concerné
|
|
* @expected<array> Liste des permissions attendues
|
|
*
|
|
* @return error<int> Err:: error constants
|
|
*
|
|
*/
|
|
private static function check_permission_group($module, $expected){
|
|
|
|
|
|
/* [1] Gestion de l'AUTH (authentification)
|
|
=========================================================*/
|
|
|
|
/* (1) Si entrepot requis, mais manquant
|
|
---------------------------------------------------------*/
|
|
if( in_array('warehouse', $expected) && self::auth() < 1 )
|
|
return Err::PermissionError;
|
|
|
|
/* (2) Si admin requis, mais manquant
|
|
---------------------------------------------------------*/
|
|
if( in_array('admin', $expected) && self::auth() < 2 )
|
|
return Err::PermissionError;
|
|
|
|
/* (3) Si SATS requis, mais manquant
|
|
---------------------------------------------------------*/
|
|
if( in_array('sats', $expected) && self::auth() < 3 )
|
|
return Err::TokenError;
|
|
|
|
/* (4) On retire 'warehouse', 'admin' et 'sats' de @expected
|
|
---------------------------------------------------------*/
|
|
$warehouseIndex = array_search('warehouse', $expected);
|
|
$adminIndex = array_search('admin', $expected);
|
|
$satsIndex = array_search('sats', $expected);
|
|
if( is_int($warehouseIndex) ) unset($expected[$warehouseIndex]);
|
|
if( is_int($adminIndex) ) unset($expected[$adminIndex]);
|
|
if( is_int($satsIndex) ) unset($expected[$satsIndex]);
|
|
|
|
|
|
/* [2] Gestion des permissions
|
|
=========================================================*/
|
|
/* (1) Vérification de toutes les permissions requises */
|
|
foreach($expected as $permission)
|
|
// Si il manque au minimum une permission, on retourne FALSE
|
|
if( !in_array($permission, $_SESSION['PERM']) )
|
|
return Err::PermissionError;
|
|
|
|
|
|
/* [3] Vérification que le module est actif pour l'entrepot
|
|
=========================================================*/
|
|
|
|
/* (1) On vérifie que le module est actif dans l'entrepot */
|
|
$allowedModule = isset($_SESSION['WAREHOUSE']['modules'])
|
|
&& is_array($_SESSION['WAREHOUSE']['modules'])
|
|
&& in_array($module, $_SESSION['WAREHOUSE']['modules']);
|
|
|
|
/* (2) On vérifie si le module est un module "Default" */
|
|
$defaultModule = preg_match('/^(\w+)Default$/', $module);
|
|
|
|
/* (3) Si aucune autorisation et pas module "Default" */
|
|
if( !$allowedModule && !$defaultModule )
|
|
return Err::DisabledModule;
|
|
|
|
|
|
/* [4] Si on a toutes les permissions requises
|
|
=========================================================*/
|
|
return Err::Success;
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* RENVOIE LE NIVEAU D'AUTHENTIFICATION
|
|
*
|
|
* @return auth<int> Niveau d'authentification (0 à 2)
|
|
*
|
|
*/
|
|
public static function auth(){
|
|
return !is_array($_SESSION['AUTH']) ? 0 : count($_SESSION['AUTH']);
|
|
}
|
|
|
|
}
|
|
|
|
?>
|