263 lines
7.0 KiB
PHP
Executable File
263 lines
7.0 KiB
PHP
Executable File
<?php
|
|
|
|
namespace api\core;
|
|
|
|
use \error\core\Error;
|
|
use \error\core\Err;
|
|
use \api\core\AuthSystem;
|
|
use \database\core\Repo;
|
|
|
|
|
|
|
|
|
|
class AuthSystemDefault implements AuthSystem{
|
|
|
|
public function __construct(){
|
|
self::check();
|
|
}
|
|
|
|
|
|
|
|
/* INITIALISATION DU SYSTEME ET MISE A JOUR CONSTANTES D'AUTHENTIFICATION
|
|
*
|
|
*
|
|
*/
|
|
public static function check(){
|
|
/* (1) Initialisation
|
|
---------------------------------------------------------*/
|
|
if( !isset($_SESSION['TOKEN']) ) $_SESSION['TOKEN'] = [];
|
|
if( !isset($_SESSION['AUTH']) ) $_SESSION['AUTH'] = [];
|
|
if( !isset($_SESSION['PERM']) ) $_SESSION['PERM'] = [];
|
|
if( !isset($_SESSION['ADMIN']) ) $_SESSION['ADMIN'] = [];
|
|
|
|
|
|
/* (2) Gestion de AUTH (authentification)
|
|
---------------------------------------------------------*/
|
|
$AUTH = '';
|
|
|
|
/* (1) Si Auth dans HEADER, on le récupère */
|
|
if( isset($_SERVER['PHP_AUTH_DIGEST']) && is_string($_SERVER['PHP_AUTH_DIGEST']) )
|
|
$AUTH = $_SERVER['PHP_AUTH_DIGEST'];
|
|
|
|
/* (2) Si SESSION déja connectée -> no récupère le token */
|
|
elseif( isset($_SESSION['TOKEN']) && is_string($_SESSION['TOKEN']) )
|
|
$AUTH = $_SESSION['TOKEN'];
|
|
|
|
|
|
/* (3) Gestion de AUTH en fonction des tokens
|
|
---------------------------------------------------------*/
|
|
/* (1) Token Authentication: ADMIN */
|
|
if( preg_match('/^a([a-f0-9]{128})$/', $AUTH, $match) )
|
|
$_SESSION['AUTH'] = [ 'token' => $match[1], 'type' => 'admin' ];
|
|
|
|
/* (2) Token Authentication: USER */
|
|
elseif( preg_match('/^u([a-f0-9]{128})$/', $AUTH, $match) )
|
|
$_SESSION['AUTH'] = [ 'token' => $match[1], 'type' => 'user' ];
|
|
|
|
/* (2) Aucune authentification */
|
|
else{
|
|
$_SESSION['TOKEN'] = [];
|
|
$_SESSION['AUTH'] = [];
|
|
$_SESSION['USER'] = [];
|
|
$_SESSION['ADMIN'] = [];
|
|
}
|
|
|
|
/* (4) On vérifie l'authentification par BDD
|
|
---------------------------------------------------------*/
|
|
if( !self::deepCheck() ){
|
|
$_SESSION['TOKEN'] = [];
|
|
$_SESSION['AUTH'] = [];
|
|
$_SESSION['USER'] = [];
|
|
$_SESSION['ADMIN'] = [];
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
/* VERIFICATION DE L'AUTHENTIFICATION
|
|
*
|
|
*
|
|
*/
|
|
private static function deepCheck(){
|
|
|
|
/* [1] Si aucune authentification
|
|
=========================================================*/
|
|
if( self::auth_level() == 0 )
|
|
return false;
|
|
|
|
|
|
/* [2] Si authentification token -> ADMIN
|
|
=========================================================*/
|
|
if( self::auth_level() == 2 ){
|
|
|
|
/* (1) Fetch admin by token */
|
|
$fetched_admin = Repo::request('admin', 'getByToken', $_SESSION['AUTH']['token']);
|
|
|
|
/* (2) If does not exist -> no auth */
|
|
if( !is_array($fetched_admin) )
|
|
return false;
|
|
|
|
/* (3) Update global admin informations */
|
|
$_SESSION['ADMIN'] = [
|
|
'id' => $fetched_admin['id_admin'],
|
|
'username' => $fetched_admin['username'],
|
|
'mail' => $fetched_admin['mail']
|
|
];
|
|
|
|
}
|
|
|
|
|
|
/* [3] Si authentification token -> USER
|
|
=========================================================*/
|
|
if( self::auth_level() == 1 ){
|
|
|
|
/* (1) Fetch user by token */
|
|
$fetched_user = Repo::request('user', 'getByToken', $_SESSION['AUTH']['token']);
|
|
|
|
/* (2) If does not exist -> no auth */
|
|
if( !is_array($fetched_user) )
|
|
return false;
|
|
|
|
/* (3) Update global user informations */
|
|
$_SESSION['USER'] = [
|
|
'id' => $fetched_user['id_user'],
|
|
'username' => $fetched_user['username'],
|
|
'mail' => $fetched_user['mail']
|
|
];
|
|
|
|
}
|
|
|
|
|
|
/* [5] Si pas d'erreur d'authentification, on retourne TRUE
|
|
=========================================================*/
|
|
return true;
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
|
|
*
|
|
* @expected<array> Liste de listes de combinaisons de permissions attendues
|
|
*
|
|
* @return error<Error> Si FALSE, pas la permission, sinon si
|
|
*
|
|
*/
|
|
public static function permission($expected){
|
|
|
|
$error_propag = [];
|
|
|
|
/* [1] Check format -> if not array of array(s) -> ERROR
|
|
=========================================================*/
|
|
/* (1) If not array -> ERROR */
|
|
if( !is_array($expected) )
|
|
return new Error(Err::FormatError);
|
|
|
|
/* (2) If not array of array(s) -> ERROR */
|
|
foreach($expected as $permissions)
|
|
if( !is_array($permissions) )
|
|
return new Error(Err::FormatError);
|
|
|
|
|
|
/* [2] Foreach each set of permission
|
|
=========================================================*/
|
|
foreach($expected as $permission_group){
|
|
|
|
/* If granted -> don't go further */
|
|
$error_propag[] = self::check_permission_group($permission_group);
|
|
|
|
if( $error_propag[count($error_propag)-1]->get() == Err::Success )
|
|
return new Error(Err::Success);
|
|
|
|
}
|
|
|
|
|
|
/* [3] By default return `PermissionError`
|
|
=========================================================*/
|
|
if( count($error_propag) > 0 )
|
|
return $error_propag[count($error_propag)-1];
|
|
|
|
return new Error(Err::PermissionError);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
|
|
*
|
|
* @expected<array> Liste des permissions attendues
|
|
*
|
|
* @return error<int> Err:: error constants
|
|
*
|
|
*/
|
|
private static function check_permission_group($expected){
|
|
|
|
|
|
/* [1] Gestion de l'AUTH (authentification)
|
|
=========================================================*/
|
|
|
|
/* (1) Si entrepot requis, mais manquant
|
|
---------------------------------------------------------*/
|
|
if( in_array('admin', $expected) && ( self::auth_level() < 2 || !isset($_SESSION['ADMIN']['id']) ) )
|
|
return new Error(Err::PermissionError);
|
|
|
|
/* (2) Si admin requis, mais manquant
|
|
---------------------------------------------------------*/
|
|
if( in_array('user', $expected) && ( self::auth_level() < 1 || !isset($_SESSION['USER']['id']) ) )
|
|
return new Error(Err::PermissionError);
|
|
|
|
/* (3) On retire 'admin', et 'user' de @expected
|
|
---------------------------------------------------------*/
|
|
$adminIndex = array_search('admin', $expected);
|
|
$userIndex = array_search('user', $expected);
|
|
if( is_int($adminIndex) ) unset($expected[$adminIndex]);
|
|
if( is_int($userIndex) ) unset($expected[$userIndex]);
|
|
|
|
|
|
/* [2] Gestion des permissions CUSTOM
|
|
=========================================================*/
|
|
|
|
/* (1) Vérification de toutes les permissions requises */
|
|
foreach($expected as $permission)
|
|
|
|
// Si il manque au minimum une permission, on retourne FALSE
|
|
if( !in_array($permission, $_SESSION['PERM']) )
|
|
return new Error(Err::PermissionError, $permission);
|
|
|
|
|
|
/* [4] Si on a toutes les permissions requises
|
|
=========================================================*/
|
|
return new Error(Err::Success);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* RENVOIE LE NIVEAU D'AUTHENTIFICATION
|
|
*
|
|
* @return auth<int> Niveau d'authentification (0 à 2)
|
|
*
|
|
*/
|
|
public static function auth_level(){
|
|
|
|
/* (1) Not set */
|
|
if( !is_array($_SESSION['AUTH']) || !isset($_SESSION['AUTH']['token']) || !isset($_SESSION['AUTH']['type']) )
|
|
return 0;
|
|
|
|
/* (2) Admin / User */
|
|
return ($_SESSION['AUTH']['type'] == 'admin') ? 2 : 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
?>
|