Commit a356bf95 authored by Cyril Vazquez's avatar Cyril Vazquez

Merge branch 'develop' into 'Support/2.6.X'

Develop

See merge request !25
parents 2cbf8c22 9c82c09e
# CHANGELOG
## Version 2.6.2
**Nécessite Maarch RM 2.6.8**
- `Changed` Suppression de la modification des vérification de droit dans la fonction de création d'un compte de service, incluse au socle
- `Changed` Suppression de la modification de la fonction vérifiant les droits, incluse au socle
## Version 2.6.1
- `Changed` Modification des vérification de droit dans la fonction de création d'un compte de service pour gain de performance
- `Changed` Modification de la fonction vérifiant les droits pour gain de performance
......@@ -16,4 +23,3 @@
- `Fixed` Modification du securityLevel.ini pour autoriser les administrateurs généraux à accéder au planificateur de tâches
- `Fixed` Correction d'un cast d'objet d'archive lors de l'import
- `Fixed` Correction de la sélection de l'algorithme de hash lorsque celui-ci n'est pas défini dans la configuration
\ No newline at end of file
2.6.1
\ No newline at end of file
2.6.2
\ No newline at end of file
<?php
/*
* Copyright (C) 2015 Maarch
*
* This file is part of bundle auth.
*
* Bundle auth is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Bundle auth is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with bundle auth. If not, see <http://www.gnu.org/licenses/>.
*/
namespace ext\digitalSafe\bundle\auth\Controller;
/**
* serviceAccount controller
*
* @package Auth
* @author Alexandre Morin <alexandre.morin@maarch.org>
*/
class serviceAccount extends \bundle\auth\Controller\serviceAccount
{
/**
* Record a new service
* @param auth/account $serviceAccount The service object
* @param string $orgId The organization identifier
* @param array $servicesURI Array of service URI
*
* @return auth/account The service object
*/
public function addService($serviceAccount, $orgId, $servicesURI = [])
{
$this->userAccountController->isAuthorized(['gen_admin', 'func_admin']);
$organizationController = \laabs::newController("organization/organization");
$accountToken = \laabs::getToken('AUTH');
$account = $this->read($accountToken->accountId);
if (isset($orgId) && !empty($orgId)) {
try {
$organization = $organizationController->read($orgId);
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Organization unit identified by " . $orgId . " does not exist.");
}
}
if ($this->hasSecurityLevel) {
if ($account->getSecurityLevel() == $account::SECLEVEL_FUNCADMIN && array_search($account->ownerOrgId, array_column($this->organizationController->readParentOrg($orgId), 'orgId')) === false){
throw new \core\Exception\ForbiddenException("You are not allowed to add user in this organization");
}
$this->checkPrivilegesAccess($account, $serviceAccount);
}
if (!$serviceAccount->ownerOrgId && !empty($orgId)) {
if(!empty($serviceAccount->ownerOrgId) && $serviceAccount->ownerOrgId != $organization->ownerOrgId) {
throw new \core\Exception\NotFoundException("Organization identified by " . $serviceAccount->ownerOrgId . " is not the owner organization of the organization identified by " . $orgId);
}
$serviceAccount->ownerOrgId = $organization->ownerOrgId;
}
if ($serviceAccount->ownerOrgId) {
try {
$organizationController->read($serviceAccount->ownerOrgId);
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Organization identified by " . $serviceAccount->ownerOrgId . " does not exist.");
}
}
$serviceAccount = \laabs::cast($serviceAccount, 'auth/account');
$serviceAccount->accountId = \laabs::newId();
if ($this->sdoFactory->exists('auth/account', array('accountName' => $serviceAccount->accountName))) {
throw \laabs::newException("auth/serviceAlreadyExistException");
}
$transactionControl = !$this->sdoFactory->inTransaction();
if ($transactionControl) {
$this->sdoFactory->beginTransaction();
}
try {
$this->sdoFactory->create($serviceAccount, 'auth/account');
$this->createServicePrivilege($servicesURI, $serviceAccount->accountId);
if (!$serviceAccount->isAdmin) {
$this->organizationController->addServicePosition($orgId, $serviceAccount->accountId);
}
} catch (\Exception $exception) {
if ($transactionControl) {
$this->sdoFactory->rollback();
}
throw $exception;
}
if ($transactionControl) {
$this->sdoFactory->commit();
}
return $serviceAccount;
}
/**
* Generate a service account token
* @param string $serviceAccountId The service account identifier
*
* @return object The credential
*/
public function generateToken($serviceAccountId)
{
// Check userAccount exists
$currentDate = \laabs::newTimestamp();
try {
$serviceAccount = $this->sdoFactory->read('auth/account', array('accountId' => $serviceAccountId));
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Account identified by " . $serviceAccountId . " does not exist.");
}
$accountToken = \laabs::getToken('AUTH');
$ownAccount = $this->read($accountToken->accountId);
if ($accountToken->accountId != $serviceAccountId && $this->hasSecurityLevel) {
$organization = $this->sdoFactory->read('organization/organization', $serviceAccount->ownerOrgId);
$organizations = $this->organizationController->readDescendantOrg($organization->orgId);
$organizations[] = $organization;
if (array_search($serviceAccount->ownerOrgId, array_column($organizations, 'orgId')) === false){
throw new \core\Exception\ForbiddenException("You are not allowed to modify this service account");
}
$this->checkPrivilegesAccess($ownAccount, $serviceAccount);
}
$serviceAccount->salt = md5(microtime());
$serviceAccount->tokenDate = $currentDate;
$dataToken = new \StdClass();
$dataToken->accountId = $serviceAccount->accountId;
$dataToken->salt = $serviceAccount->salt;
$token = new \core\token($dataToken, 0);
$jsonToken = \json_encode($token);
$cryptedToken = \laabs::encrypt($jsonToken, \laabs::getCryptKey());
$cookieToken = base64_encode($cryptedToken);
$serviceAccount->password = $cookieToken;
$this->sdoFactory->update($serviceAccount, 'auth/account');
return $cookieToken;
}
}
......@@ -87,29 +87,6 @@ class digitalSafe
$account = $this->accountController->get($accountToken->accountId);
$replyMessage->accountName = $account->accountName;
foreach ($archive->digitalResources as $resource) {
if ((isset($resource->hash) && !is_null($resource->hash))
&& (isset($resource->hashAlgorithm)
&& !is_null($resource->hashAlgorithm))
) {
try {
$this->checkHash($resource->handler, $resource->hash, $resource->hashAlgorithm);
} catch (\Exception $e) {
throw $this->getThrowable($e->getMessage(), 400, $replyMessage);
}
$this->getHash($resource);
continue;
}
if (!isset($resource->hash) && !isset($resource->hashAlgorithm)) {
$this->getHash($resource);
continue;
}
throw $this->getThrowable("Hash or hash algorithm missing", 401, $replyMessage);
}
try {
$archive = \laabs::castMessage($archive, 'recordsManagement/archive');
$archiveId = $this->archiveController->receive($archive, false);
......@@ -676,32 +653,6 @@ class digitalSafe
}
}
/**
* Calculate hash if necessary
*
* @param object $resource
*/
protected function getHash($resource)
{
$hashAlgorithm = \laabs::configuration('recordsManagement')['hashAlgorithm'];
if ($resource->hashAlgorithm == $hashAlgorithm) {
return;
}
$resource->hashAlgorithm = $hashAlgorithm;
if (is_string($resource->handler)) {
$resource->hash = strtolower(hash($hashAlgorithm, base64_decode($resource->handler)));
} else {
$tmpfile = \laabs::getTmpDir().DIRECTORY_SEPARATOR.rand();
file_put_contents($tmpfile, base64_decode(stream_get_contents($resource->handler)));
rewind($resource->handler);
$resource->hash = strtolower(hash_file($hashAlgorithm, $tmpfile));
unlink($tmpfile);
}
}
/**
* log event in lifecycle journal
*
......@@ -724,9 +675,9 @@ class digitalSafe
/**
* Prepare a throwable
* @param string The message
* @param int The code
* @param int The code
* @param mixed The contextual data
*
*
* @return \Exception
*/
protected function getThrowable($message, $code, $context = [])
......@@ -737,7 +688,7 @@ class digitalSafe
$exception->{$name} = $value;
}
$exception->operationResult = false;
return $exception;
}
}
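Review bot: An incoming resource whose declared `hash`/`hashAlgorithm` does not match its content is no longer rejected on this receive path, and no hash is computed when none is supplied, because the per-resource loop that sat between `$replyMessage->accountName = …` and the `castMessage` try block is gone along with the `getHash()` helper in the second hunk. Unless `archiveController->receive()` in the base bundle now performs that verification, a tampered or corrupted resource would be ingested silently, so please confirm where the integrity check now lives and say so at the call site, e.g. `// Resource hash verification is performed by archiveController->receive()`. The CHANGELOG entries in this merge do not mention the removal, so an entry would help operators upgrading. The enclosing method starts and ends outside the hunk.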
<?php
/*
* Copyright (C) 2015 Maarch
*
* This file is part of bundle recordsManagement.
*
* Bundle recordsManagement is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Bundle recordsManagement is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with bundle recordsManagement. If not, see <http://www.gnu.org/licenses/>.
*/
namespace ext\digitalSafe\bundle\recordsManagement\Controller;
/**
* Class for Records Management archives
*/
class archive extends \bundle\recordsManagement\Controller\archive
{
/**
* Check if the current user have the rights on an archive
*
* @param recordsManagement/archive $archive The archive object
* @throws
* @return boolean THe result of the operation
*/
public function checkRights($archive, $isCommunication = false)
{
$currentUserService = \laabs::getToken("ORGANIZATION");
$currentDate = \laabs::newDate();
if (!$currentUserService) {
return false;
}
$userPositionController = \laabs::newController('organization/userPosition');
$org = $this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber);
$positionAncestors = $this->organizationController->readParentOrg($this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber)->orgId);
$positionAncestors[] = $org;
$userServices[] = $currentUserService->registrationNumber;
// OWNER access
if (!is_null($currentUserService->orgRoleCodes)
&& \laabs\in_array('owner', $currentUserService->orgRoleCodes)) {
return true;
}
// ARCHIVER access
if (!is_null($currentUserService->orgRoleCodes)
&& \laabs\in_array('archiver', $currentUserService->orgRoleCodes)
&& $archive->archiverOrgRegNumber === $currentUserService->registrationNumber) {
return true;
}
// ORIGINATOR ACCESS
foreach ($positionAncestors as $orgUnit) {
if ($orgUnit->registrationNumber == $currentUserService->registrationNumber) {
return true;
}
}
// COMMUNICATION ACCESS
if (!is_null($archive->accessRuleComDate)
&& ($isCommunication)
&& ($archive->accessRuleComDate <= $currentDate)) {
return true;
}
// USER ACCESS
if (!empty($archive->userOrgRegNumbers)) {
foreach ($archive->userOrgRegNumbers as $userOrgRegNumber) {
if (\laabs\in_array($userOrgRegNumber, $userServices)) {
return true;
}
}
}
throw \laabs::newException('recordsManagement/accessDeniedException', "Permission denied");
}
}
......@@ -5,7 +5,7 @@
@include menu.ini
; Default max result in search screens
maxResults = 200
maxResults = 500
; Public archive mode
publicArchives = false
......@@ -183,9 +183,9 @@ blacklistUserStories = "[
; 'cookieName' Name of the cookie whose value is the csrf token
; 'tokenLenght' Token size
; 'lifeTime' Token validity in seconds (defaults 3600)
csrfWhiteList = "['user/login', 'user/password', 'user/prompt', 'user/logout']"
csrfWhiteList = "['user/login', 'user/password', 'user/prompt', 'user/logout', 'user/generateResetToken']"
csrfConfig = '{
"cookieName" : "CSRF",
"cookieName" : "Csrf",
"tokenLength" : 32
}'
......@@ -341,6 +341,33 @@ Password = %password%
signatureFile = "%laabsDirectory%/data/maarchRM/droidSignatureFiles/DROID_SignatureFile_V94.xml"
containerSignatureFile = "%laabsDirectory%/data/maarchRM/droidSignatureFiles/container-signature-20180920.xml"
; Path to libreOffice executable
;libreOfficeExecutable = "c:\Program Files (x86)\LibreOffice 5\program\soffice"
libreOfficeExecutable = "/usr/bin/libreoffice"
; Conversion paths
conversionServices = "[
{
'serviceName' : 'dependency/fileSystem/plugins/libreOffice',
'softwareName' : 'LibreOffice',
'softwareVersion' : '5.4.2.0',
'inputFormats' : ['fmt/412', 'fmt/291', 'fmt/293'],
'outputFormats' : {
'fmt/95' : {
'extension' : 'pdf',
'filter' : 'writer_pdf_Export',
'options': 'SelectPdfVersion=1'
},
'fmt/18' : {
'extension' : 'pdf'
}
}
}
]"
; Path of zip executable (only for Windows)
;zipExecutable = "C:\Program Files\7-Zip\7z.exe"
[dependency.html]
headers = "['dashboard/head.html']"
layout = "dashboard/layout.html"
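Review bot: Adding `user/generateResetToken` to `csrfWhiteList` means a forged cross-site request can trigger reset-token generation for an arbitrary account, since the token check is what distinguishes a deliberate submission from one sent by a third-party page; this exemption is presumably needed because the reset form is reached before login, but it should then be paired with a per-account and per-IP rate limit on that route and a response that does not reveal whether the account exists. Please record the reason next to the setting, e.g. `; user/generateResetToken is exempt because the reset form is used before login; the route is rate-limited`. In the same hunk, renaming `cookieName` from `CSRF` to `Csrf` will make forms loaded under the old cookie name fail the check until they are reloaded, which looks intended but deserves a CHANGELOG line.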
......