main/build/api/core/AuthSystemDefault.php

237 lines
6.2 KiB
PHP
Raw Normal View History

<?php
namespace api\core;
use \error\core\Error;
use \error\core\Err;
use \api\core\AuthSystem;
class AuthSystemDefault implements AuthSystem{
public function __construct(){
self::check();
}
/* INITIALISATION DU SYSTEME ET MISE A JOUR CONSTANTES D'AUTHENTIFICATION
*
*
*/
public static function check(){
/* (1) Initialisation
---------------------------------------------------------*/
if( !isset($_SESSION['AUTH']) ) $_SESSION['AUTH'] = [];
if( !isset($_SESSION['PERM']) ) $_SESSION['PERM'] = [];
if( !isset($_SESSION['USER']) ) $_SESSION['USER'] = [];
if( !isset($_SESSION['ADMIN']) ) $_SESSION['ADMIN'] = [];
/* (2) Gestion de AUTH (authentification)
---------------------------------------------------------*/
/* (1) Si Auth dans HEADER, on le récupère */
$AUTH = isset($_SERVER['PHP_AUTH_DIGEST']) ? $_SERVER['PHP_AUTH_DIGEST'] : '';
/* (2) Si Auth dans SESSION, on le récupère */
if( $AUTH == '' && isset($_SESSION['AUTH']) )
$AUTH = implode('', $_SESSION['AUTH']);
/* (3) Gestion de AUTH en fonction des tokens
---------------------------------------------------------*/
/* (1) Token Authentication: ADMIN */
if( preg_match('/^(u[a-f0-9]{128})$/', $AUTH, $match) )
$_SESSION['AUTH'] = [ 'token' => $match[1], 'type' => 'user' ];
/* (2) Token Authentication: USER */
elseif( preg_match('/^(a[a-f0-9]{128})$/', $AUTH, $match) )
$_SESSION['AUTH'] = [ 'token' => $match[1], 'type' => 'admin' ];
/* (2) Aucune authentification */
else{
$_SESSION['AUTH'] = [];
$_SESSION['USER'] = [];
$_SESSION['ADMIN'] = [];
}
/* (4) On vérifie l'authentification par BDD
---------------------------------------------------------*/
if( !self::deepCheck() ){
$_SESSION['AUTH'] = [];
$_SESSION['USER'] = [];
$_SESSION['ADMIN'] = [];
}
}
/* VERIFICATION DE L'AUTHENTIFICATION
*
*
*/
private static function deepCheck(){
/* [1] Si aucune authentification
=========================================================*/
if( self::auth_level() == 0 )
return false;
/* [2] Si authentification token -> ADMIN
=========================================================*/
if( self::auth_level() == 2 ){
// TODO: implement ADMIN database auth. check
// + set $_SESSION['ADMIN']
// + return FALSE on error
}
/* [3] Si authentification token -> USER
=========================================================*/
if( self::auth_level() == 1 ){
// TODO: implement USER database auth. check
// + set $_SESSION['USER']
// + return FALSE on error
}
/* [5] Si pas d'erreur d'authentification, on retourne TRUE
=========================================================*/
return true;
}
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
*
* @expected<array> Liste de listes de combinaisons de permissions attendues
*
* @return error<Error> Si FALSE, pas la permission, sinon si
*
*/
public static function permission($expected){
$error_propag = [];
/* [1] Check format -> if not array of array(s) -> ERROR
=========================================================*/
/* (1) If not array -> ERROR */
if( !is_array($expected) )
return new Error(Err::FormatError);
/* (2) If not array of array(s) -> ERROR */
foreach($expected as $permissions)
if( !is_array($permissions) )
return new Error(Err::FormatError);
/* [2] Foreach each set of permission
=========================================================*/
foreach($expected as $permission_group){
/* If granted -> don't go further */
$error_propag[] = self::check_permission_group($permission_group);
if( $error_propag[count($error_propag)-1]->get() == Err::Success )
return new Error(Err::Success);
}
/* [3] By default return `PermissionError`
=========================================================*/
if( count($error_propag) > 0 )
return $error_propag[count($error_propag)-1];
return new Error(Err::PermissionError);
}
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
*
* @expected<array> Liste des permissions attendues
*
* @return error<int> Err:: error constants
*
*/
private static function check_permission_group($expected){
/* [1] Gestion de l'AUTH (authentification)
=========================================================*/
/* (1) Si entrepot requis, mais manquant
---------------------------------------------------------*/
if( in_array('admin', $expected) && ( self::auth_level() < 2 || !isset($_SESSION['ADMIN']['id']) ) )
return new Error(Err::PermissionError);
/* (2) Si admin requis, mais manquant
---------------------------------------------------------*/
if( in_array('user', $expected) && ( self::auth_level() < 1 || !isset($_SESSION['USER']['id']) ) )
return new Error(Err::PermissionError);
/* (3) On retire 'admin', et 'user' de @expected
---------------------------------------------------------*/
$adminIndex = array_search('admin', $expected);
$userIndex = array_search('user', $expected);
if( is_int($adminIndex) ) unset($expected[$adminIndex]);
if( is_int($userIndex) ) unset($expected[$userIndex]);
/* [2] Gestion des permissions CUSTOM
=========================================================*/
/* (1) Vérification de toutes les permissions requises */
foreach($expected as $permission)
// Si il manque au minimum une permission, on retourne FALSE
if( !in_array($permission, $_SESSION['PERM']) )
return new Error(Err::PermissionError, $permission);
/* [4] Si on a toutes les permissions requises
=========================================================*/
return new Error(Err::Success);
}
/* RENVOIE LE NIVEAU D'AUTHENTIFICATION
*
* @return auth<int> Niveau d'authentification (0 à 2)
*
*/
public static function auth_level(){
/* (1) Not set */
if( !is_array($_SESSION['AUTH']) || !isset($_SESSION['AUTH']['type']) )
return 0;
/* (2) Admin / User */
return ($_SESSION['AUTH']['type'] == 'admin') ? 2 : 1;
}
}
?>