Harden module runtime: audited listener failures and DI-first resolver
This commit is contained in:
@@ -15,12 +15,17 @@ class AccessPolicyFactory
|
||||
private ?TenantAuthorizationPolicy $tenantAuthorizationPolicy = null;
|
||||
private ?DepartmentAuthorizationPolicy $departmentAuthorizationPolicy = null;
|
||||
private ?AuthorizationService $authorizationService = null;
|
||||
private \Closure $moduleClassResolver;
|
||||
|
||||
public function __construct(
|
||||
private readonly PermissionService $permissionService,
|
||||
private readonly TenantScopeService $tenantScopeService,
|
||||
private readonly ?ModuleRegistry $moduleRegistry = null
|
||||
private readonly ?ModuleRegistry $moduleRegistry = null,
|
||||
?callable $moduleClassResolver = null
|
||||
) {
|
||||
$this->moduleClassResolver = $moduleClassResolver !== null
|
||||
? \Closure::fromCallable($moduleClassResolver)
|
||||
: static fn (string $class): ?object => null;
|
||||
}
|
||||
|
||||
public function createUserAuthorizationPolicy(): UserAuthorizationPolicy
|
||||
@@ -108,26 +113,11 @@ class AccessPolicyFactory
|
||||
|
||||
private function instantiateModulePolicy(string $policyClass): ?AuthorizationPolicyInterface
|
||||
{
|
||||
if (!class_exists($policyClass)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
try {
|
||||
$reflection = new \ReflectionClass($policyClass);
|
||||
$constructor = $reflection->getConstructor();
|
||||
if ($constructor === null || $constructor->getNumberOfRequiredParameters() === 0) {
|
||||
$instance = $reflection->newInstance();
|
||||
return $instance instanceof AuthorizationPolicyInterface ? $instance : null;
|
||||
}
|
||||
|
||||
if ($constructor->getNumberOfRequiredParameters() === 1) {
|
||||
$instance = $reflection->newInstance($this->permissionService);
|
||||
return $instance instanceof AuthorizationPolicyInterface ? $instance : null;
|
||||
}
|
||||
$instance = ($this->moduleClassResolver)($policyClass);
|
||||
return $instance instanceof AuthorizationPolicyInterface ? $instance : null;
|
||||
} catch (\Throwable) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,6 +4,7 @@ namespace MintyPHP\Service\Auth;
|
||||
|
||||
use MintyPHP\App\AppContainer;
|
||||
use MintyPHP\App\Module\Contracts\SessionProvider;
|
||||
use MintyPHP\App\Module\ModuleClassResolver;
|
||||
use MintyPHP\App\Module\ModuleRegistry;
|
||||
use MintyPHP\Http\SessionStoreInterface;
|
||||
use MintyPHP\Service\User\UserTenantContextService;
|
||||
@@ -70,10 +71,7 @@ class AuthSessionTenantContextService
|
||||
return [];
|
||||
}
|
||||
foreach ($registry->getSessionProviders() as $providerClass) {
|
||||
if (!class_exists($providerClass)) {
|
||||
continue;
|
||||
}
|
||||
$provider = new $providerClass();
|
||||
$provider = ModuleClassResolver::resolve($this->container, $providerClass);
|
||||
if ($provider instanceof SessionProvider) {
|
||||
$providers[] = $provider;
|
||||
}
|
||||
|
||||
@@ -31,8 +31,10 @@ class LdapConnectionGateway
|
||||
return @ldap_bind($conn, $dn, $password);
|
||||
}
|
||||
|
||||
/** @return \LDAP\Result|false */
|
||||
public function search(\LDAP\Connection $conn, string $baseDn, string $filter, array $attributes = [], int $scope = 0): \LDAP\Result|false
|
||||
/**
|
||||
* @return mixed LDAP\Result on success, false on failure.
|
||||
*/
|
||||
public function search(\LDAP\Connection $conn, string $baseDn, string $filter, array $attributes = [], int $scope = 0): mixed
|
||||
{
|
||||
if ($scope === 1) {
|
||||
return @ldap_list($conn, $baseDn, $filter, $attributes);
|
||||
@@ -40,8 +42,12 @@ class LdapConnectionGateway
|
||||
return @ldap_search($conn, $baseDn, $filter, $attributes);
|
||||
}
|
||||
|
||||
public function getEntries(\LDAP\Connection $conn, \LDAP\Result $result): array|false
|
||||
public function getEntries(\LDAP\Connection $conn, mixed $result): array|false
|
||||
{
|
||||
if (!$result instanceof \LDAP\Result) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return ldap_get_entries($conn, $result);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user