From c9d7e88cc70b6ad124c28be479a6e64c4b174ea6 Mon Sep 17 00:00:00 2001
From: Igor Scheller <igor.scheller@igorshp.de>
Date: Wed, 14 Nov 2018 02:17:27 +0100
Subject: Implemented controller permissions

---
 src/Controllers/BaseController.php                 | 11 ++++
 src/Helpers/AuthenticatorServiceProvider.php       |  1 +
 src/Http/Exceptions/HttpForbidden.php              | 23 +++++++
 src/Http/Request.php                               |  2 +-
 src/Middleware/CallableHandler.php                 |  8 +++
 src/Middleware/RequestHandler.php                  | 45 +++++++++++++
 tests/Unit/Controllers/BaseControllerTest.php      | 25 +++++++
 .../Controllers/Stub/ControllerImplementation.php  | 25 +++++++
 .../Helpers/AuthenticatorServiceProviderTest.php   |  1 +
 tests/Unit/Http/Exceptions/HttpForbiddenTest.php   | 22 +++++++
 tests/Unit/Middleware/CallableHandlerTest.php      |  8 +--
 tests/Unit/Middleware/RequestHandlerTest.php       | 77 ++++++++++++++++++++++
 .../Middleware/Stub/ControllerImplementation.php   | 24 +++++++
 13 files changed, 265 insertions(+), 7 deletions(-)
 create mode 100644 src/Http/Exceptions/HttpForbidden.php
 create mode 100644 tests/Unit/Controllers/BaseControllerTest.php
 create mode 100644 tests/Unit/Controllers/Stub/ControllerImplementation.php
 create mode 100644 tests/Unit/Http/Exceptions/HttpForbiddenTest.php
 create mode 100644 tests/Unit/Middleware/Stub/ControllerImplementation.php

diff --git a/src/Controllers/BaseController.php b/src/Controllers/BaseController.php
index 6a27a066..cbc00931 100644
--- a/src/Controllers/BaseController.php
+++ b/src/Controllers/BaseController.php
@@ -4,5 +4,16 @@ namespace Engelsystem\Controllers;
 
 abstract class BaseController
 {
+    /** @var string[]|string[][] A list of Permissions required to access the controller or certain pages */
+    protected $permissions = [];
 
+    /**
+     * Returns the list of permissions
+     *
+     * @return string[]|string[][]
+     */
+    public function getPermissions()
+    {
+        return $this->permissions;
+    }
 }
diff --git a/src/Helpers/AuthenticatorServiceProvider.php b/src/Helpers/AuthenticatorServiceProvider.php
index b7508b01..715a592f 100644
--- a/src/Helpers/AuthenticatorServiceProvider.php
+++ b/src/Helpers/AuthenticatorServiceProvider.php
@@ -13,5 +13,6 @@ class AuthenticatorServiceProvider extends ServiceProvider
 
         $this->app->instance(Authenticator::class, $authenticator);
         $this->app->instance('authenticator', $authenticator);
+        $this->app->instance('auth', $authenticator);
     }
 }
diff --git a/src/Http/Exceptions/HttpForbidden.php b/src/Http/Exceptions/HttpForbidden.php
new file mode 100644
index 00000000..01c0a5ec
--- /dev/null
+++ b/src/Http/Exceptions/HttpForbidden.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Engelsystem\Http\Exceptions;
+
+use Throwable;
+
+class HttpForbidden extends HttpException
+{
+    /**
+     * @param string         $message
+     * @param array          $headers
+     * @param int            $code
+     * @param Throwable|null $previous
+     */
+    public function __construct(
+        string $message = '',
+        array $headers = [],
+        int $code = 0,
+        Throwable $previous = null
+    ) {
+        parent::__construct(403, $message, $headers, $code, $previous);
+    }
+}
diff --git a/src/Http/Request.php b/src/Http/Request.php
index 0d8d28b4..06900a18 100644
--- a/src/Http/Request.php
+++ b/src/Http/Request.php
@@ -363,7 +363,7 @@ class Request extends SymfonyRequest implements ServerRequestInterface
         foreach ($uploadedFiles as $file) {
             /** @var UploadedFileInterface $file */
             $filename = tempnam(sys_get_temp_dir(), 'upload');
-            $handle = fopen($filename, "w");
+            $handle = fopen($filename, 'w');
             fwrite($handle, $file->getStream()->getContents());
             fclose($handle);
 
diff --git a/src/Middleware/CallableHandler.php b/src/Middleware/CallableHandler.php
index eb493bf1..0bb666a3 100644
--- a/src/Middleware/CallableHandler.php
+++ b/src/Middleware/CallableHandler.php
@@ -74,4 +74,12 @@ class CallableHandler implements MiddlewareInterface, RequestHandlerInterface
         $response = $this->container->get('response');
         return $response->withContent($return);
     }
+
+    /**
+     * @return callable
+     */
+    public function getCallable()
+    {
+        return $this->callable;
+    }
 }
diff --git a/src/Middleware/RequestHandler.php b/src/Middleware/RequestHandler.php
index ebe1ff9e..b0fc664f 100644
--- a/src/Middleware/RequestHandler.php
+++ b/src/Middleware/RequestHandler.php
@@ -3,6 +3,9 @@
 namespace Engelsystem\Middleware;
 
 use Engelsystem\Application;
+use Engelsystem\Controllers\BaseController;
+use Engelsystem\Helpers\Authenticator;
+use Engelsystem\Http\Exceptions\HttpForbidden;
 use InvalidArgumentException;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -37,6 +40,14 @@ class RequestHandler implements MiddlewareInterface
         $requestHandler = $request->getAttribute('route-request-handler');
         $requestHandler = $this->resolveRequestHandler($requestHandler);
 
+        if ($requestHandler instanceof CallableHandler) {
+            $callable = $requestHandler->getCallable();
+
+            if (is_array($callable) && $callable[0] instanceof BaseController) {
+                $this->checkPermissions($callable[0], $callable[1]);
+            }
+        }
+
         if ($requestHandler instanceof MiddlewareInterface) {
             return $requestHandler->process($request, $handler);
         }
@@ -49,6 +60,8 @@ class RequestHandler implements MiddlewareInterface
     }
 
     /**
+     * Resolve the given class
+     *
      * @param string|callable|MiddlewareInterface|RequestHandlerInterface $handler
      * @return MiddlewareInterface|RequestHandlerInterface
      */
@@ -76,4 +89,36 @@ class RequestHandler implements MiddlewareInterface
 
         return $this->resolveMiddleware($handler);
     }
+
+    /**
+     * Check required page permissions
+     *
+     * @param BaseController $controller
+     * @param string         $method
+     * @return bool
+     */
+    protected function checkPermissions(BaseController $controller, string $method): bool
+    {
+        /** @var Authenticator $auth */
+        $auth = $this->container->get('auth');
+        $permissions = $controller->getPermissions();
+
+        // Merge action permissions
+        if (isset($permissions[$method])) {
+            $permissions = array_merge($permissions, (array)$permissions[$method]);
+        }
+
+        foreach ($permissions as $key => $permission) {
+            // Skip all action permission entries
+            if (!is_int($key)) {
+                continue;
+            }
+
+            if (!$auth->can($permission)) {
+                throw new HttpForbidden();
+            }
+        }
+
+        return true;
+    }
 }
diff --git a/tests/Unit/Controllers/BaseControllerTest.php b/tests/Unit/Controllers/BaseControllerTest.php
new file mode 100644
index 00000000..738b538f
--- /dev/null
+++ b/tests/Unit/Controllers/BaseControllerTest.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace Engelsystem\Test\Unit\Controllers;
+
+use Engelsystem\Test\Unit\Controllers\Stub\ControllerImplementation;
+use PHPUnit\Framework\TestCase;
+
+class BaseControllerTest extends TestCase
+{
+    /**
+     * @covers \Engelsystem\Controllers\BaseController::getPermissions
+     */
+    public function testGetPermissions()
+    {
+        $controller = new ControllerImplementation();
+
+        $this->assertEquals([
+            'foo',
+            'lorem' => [
+                'ipsum',
+                'dolor',
+            ],
+        ], $controller->getPermissions());
+    }
+}
diff --git a/tests/Unit/Controllers/Stub/ControllerImplementation.php b/tests/Unit/Controllers/Stub/ControllerImplementation.php
new file mode 100644
index 00000000..01d9f250
--- /dev/null
+++ b/tests/Unit/Controllers/Stub/ControllerImplementation.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace Engelsystem\Test\Unit\Controllers\Stub;
+
+use Engelsystem\Controllers\BaseController;
+
+class ControllerImplementation extends BaseController
+{
+    /** @var array */
+    protected $permissions = [
+        'foo',
+        'lorem' => [
+            'ipsum',
+            'dolor',
+        ],
+    ];
+
+    /**
+     * @param array $permissions
+     */
+    public function setPermissions(array $permissions)
+    {
+        $this->permissions = $permissions;
+    }
+}
diff --git a/tests/Unit/Helpers/AuthenticatorServiceProviderTest.php b/tests/Unit/Helpers/AuthenticatorServiceProviderTest.php
index f42e9dff..b1767ebc 100644
--- a/tests/Unit/Helpers/AuthenticatorServiceProviderTest.php
+++ b/tests/Unit/Helpers/AuthenticatorServiceProviderTest.php
@@ -24,5 +24,6 @@ class AuthenticatorServiceProviderTest extends ServiceProviderTest
 
         $this->assertInstanceOf(Authenticator::class, $app->get(Authenticator::class));
         $this->assertInstanceOf(Authenticator::class, $app->get('authenticator'));
+        $this->assertInstanceOf(Authenticator::class, $app->get('auth'));
     }
 }
diff --git a/tests/Unit/Http/Exceptions/HttpForbiddenTest.php b/tests/Unit/Http/Exceptions/HttpForbiddenTest.php
new file mode 100644
index 00000000..765a20d2
--- /dev/null
+++ b/tests/Unit/Http/Exceptions/HttpForbiddenTest.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace Engelsystem\Test\Unit\Http\Exceptions;
+
+use Engelsystem\Http\Exceptions\HttpForbidden;
+use PHPUnit\Framework\TestCase;
+
+class HttpForbiddenTest extends TestCase
+{
+    /**
+     * @covers \Engelsystem\Http\Exceptions\HttpForbidden::__construct
+     */
+    public function testConstruct()
+    {
+        $exception = new HttpForbidden();
+        $this->assertEquals(403, $exception->getStatusCode());
+        $this->assertEquals('', $exception->getMessage());
+
+        $exception = new HttpForbidden('Go away!');
+        $this->assertEquals('Go away!', $exception->getMessage());
+    }
+}
diff --git a/tests/Unit/Middleware/CallableHandlerTest.php b/tests/Unit/Middleware/CallableHandlerTest.php
index 29424480..a0dbfce8 100644
--- a/tests/Unit/Middleware/CallableHandlerTest.php
+++ b/tests/Unit/Middleware/CallableHandlerTest.php
@@ -11,7 +11,6 @@ use PHPUnit\Framework\TestCase;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\RequestHandlerInterface;
-use ReflectionClass as Reflection;
 use stdClass;
 
 class CallableHandlerTest extends TestCase
@@ -28,17 +27,14 @@ class CallableHandlerTest extends TestCase
     /**
      * @dataProvider provideCallable
      * @covers       \Engelsystem\Middleware\CallableHandler::__construct
+     * @covers       \Engelsystem\Middleware\CallableHandler::getCallable
      * @param callable $callable
      */
     public function testInit($callable)
     {
         $handler = new CallableHandler($callable);
 
-        $reflection = new Reflection(get_class($handler));
-        $property = $reflection->getProperty('callable');
-        $property->setAccessible(true);
-
-        $this->assertEquals($callable, $property->getValue($handler));
+        $this->assertEquals($callable, $handler->getCallable());
     }
 
     /**
diff --git a/tests/Unit/Middleware/RequestHandlerTest.php b/tests/Unit/Middleware/RequestHandlerTest.php
index cb5fc4a6..7ff803d0 100644
--- a/tests/Unit/Middleware/RequestHandlerTest.php
+++ b/tests/Unit/Middleware/RequestHandlerTest.php
@@ -3,7 +3,11 @@
 namespace Engelsystem\Test\Unit\Middleware;
 
 use Engelsystem\Application;
+use Engelsystem\Helpers\Authenticator;
+use Engelsystem\Http\Exceptions\HttpForbidden;
+use Engelsystem\Middleware\CallableHandler;
 use Engelsystem\Middleware\RequestHandler;
+use Engelsystem\Test\Unit\Middleware\Stub\ControllerImplementation;
 use InvalidArgumentException;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
@@ -131,6 +135,79 @@ class RequestHandlerTest extends TestCase
         $this->assertEquals($return, $response);
     }
 
+    /**
+     * @covers \Engelsystem\Middleware\RequestHandler::process
+     * @covers \Engelsystem\Middleware\RequestHandler::checkPermissions
+     */
+    public function testCheckPermissions()
+    {
+        /** @var Application|MockObject $container */
+        /** @var ServerRequestInterface|MockObject $request */
+        /** @var RequestHandlerInterface|MockObject $handler */
+        /** @var ResponseInterface|MockObject $response */
+        list($container, $request, $handler, $response) = $this->getMocks();
+
+        /** @var Authenticator|MockObject $auth */
+        $auth = $this->createMock(Authenticator::class);
+
+        $class = new ControllerImplementation();
+        /** @var CallableHandler|MockObject $callable */
+        $callable = $this->getMockBuilder(CallableHandler::class)
+            ->setConstructorArgs([[$class, 'actionStub']])
+            ->getMock();
+
+        $callable->expects($this->exactly(2))
+            ->method('getCallable')
+            ->willReturn([$class, 'actionStub']);
+
+        $callable->expects($this->exactly(1))
+            ->method('process')
+            ->with($request, $handler)
+            ->willReturn($response);
+
+        $request->expects($this->exactly(2))
+            ->method('getAttribute')
+            ->with('route-request-handler')
+            ->willReturn($callable);
+
+
+        /** @var RequestHandler|MockObject $middleware */
+        $middleware = $this->getMockBuilder(RequestHandler::class)
+            ->setConstructorArgs([$container])
+            ->setMethods(['resolveRequestHandler'])
+            ->getMock();
+
+        $middleware->expects($this->exactly(2))
+            ->method('resolveRequestHandler')
+            ->with($callable)
+            ->willReturn($callable);
+
+        $container->expects($this->exactly(2))
+            ->method('get')
+            ->with('auth')
+            ->willReturn($auth);
+
+        $hasPermissions = [];
+        $auth->expects($this->atLeastOnce())
+            ->method('can')
+            ->willReturnCallback(function ($permission) use (&$hasPermissions) {
+                return in_array($permission, $hasPermissions);
+            });
+
+        $hasPermissions = ['foo', 'test', 'user'];
+        $class->setPermissions([
+            'foo',
+            'loremIpsumAction' => ['dolor', 'sit'],
+            'actionStub'       => ['test'],
+            'user',
+        ]);
+        $middleware->process($request, $handler);
+
+        $class->setPermissions(array_merge(['not.existing.permission'], $hasPermissions));
+        $this->expectException(HttpForbidden::class);
+        $middleware->process($request, $handler);
+    }
+
     /**
      * @return array
      */
diff --git a/tests/Unit/Middleware/Stub/ControllerImplementation.php b/tests/Unit/Middleware/Stub/ControllerImplementation.php
new file mode 100644
index 00000000..939dde5b
--- /dev/null
+++ b/tests/Unit/Middleware/Stub/ControllerImplementation.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Engelsystem\Test\Unit\Middleware\Stub;
+
+use Engelsystem\Controllers\BaseController;
+
+class ControllerImplementation extends BaseController
+{
+    /**
+     * @param array $permissions
+     */
+    public function setPermissions(array $permissions)
+    {
+        $this->permissions = $permissions;
+    }
+
+    /**
+     * @return string
+     */
+    public function actionStub()
+    {
+        return '';
+    }
+}
-- 
cgit v1.2.3-54-g00ecf