Files
breadcrumb-the-shire/modules/security/lib/Module/Security/Service/SecurityBcSettingsGateway.php

276 lines
8.5 KiB
PHP

<?php
namespace MintyPHP\Module\Security\Service;
use MintyPHP\Service\Settings\SettingsCryptoGatewayInterface;
use MintyPHP\Service\Settings\SettingsMetadataGateway;
/**
* Global Business Central connection settings for the Security module.
*
* Standalone, intentionally thin: a single global connection stored in the core
* `settings` table (GR-CORE-011). Secrets are encrypted via SettingsCryptoGateway
* (GR-SEC-005). Setting keys are prefixed with 'security.' to avoid collisions
* with the helpdesk module's own BC settings.
*
* Per-tenant connection overrides are deliberately out of scope for v1.
*
* @api Consumed by the Security settings page and SecurityBcGateway.
*/
class SecurityBcSettingsGateway
{
public const KEY_AUTH_MODE = 'security.bc_auth_mode';
public const KEY_ODATA_BASE_URL = 'security.bc_odata_base_url';
public const KEY_COMPANY_NAME = 'security.bc_company_name';
public const KEY_BASIC_USER = 'security.bc_basic_user';
public const KEY_BASIC_PASSWORD_ENC = 'security.bc_basic_password_enc';
public const KEY_OAUTH_TENANT_ID = 'security.bc_oauth_tenant_id';
public const KEY_OAUTH_CLIENT_ID = 'security.bc_oauth_client_id';
public const KEY_OAUTH_CLIENT_SECRET_ENC = 'security.bc_oauth_client_secret_enc';
public const KEY_OAUTH_TOKEN_ENDPOINT = 'security.bc_oauth_token_endpoint';
public const AUTH_MODE_BASIC = 'basic';
public const AUTH_MODE_OAUTH2 = 'oauth2';
public function __construct(
private readonly SettingsMetadataGateway $settingsMetadataGateway,
private readonly SettingsCryptoGatewayInterface $settingsCryptoGateway
) {
}
public function getAuthMode(): string
{
$value = trim((string) ($this->settingsMetadataGateway->getValue(self::KEY_AUTH_MODE) ?? ''));
return $value === self::AUTH_MODE_OAUTH2 ? self::AUTH_MODE_OAUTH2 : self::AUTH_MODE_BASIC;
}
public function setAuthMode(string $mode): bool
{
$mode = trim($mode);
if (!in_array($mode, [self::AUTH_MODE_BASIC, self::AUTH_MODE_OAUTH2], true)) {
return false;
}
return $this->settingsMetadataGateway->set(self::KEY_AUTH_MODE, $mode, self::KEY_AUTH_MODE);
}
public function getODataBaseUrl(): string
{
$value = trim((string) ($this->settingsMetadataGateway->getValue(self::KEY_ODATA_BASE_URL) ?? ''));
return $value !== '' ? rtrim($value, '/') : '';
}
public function setODataBaseUrl(?string $url): bool
{
$url = trim((string) ($url ?? ''));
if ($url !== '' && !preg_match('#^https://#i', $url)) {
return false;
}
return $this->settingsMetadataGateway->set(
self::KEY_ODATA_BASE_URL,
$url !== '' ? rtrim($url, '/') : null,
self::KEY_ODATA_BASE_URL
);
}
public function getCompanyName(): string
{
return trim((string) ($this->settingsMetadataGateway->getValue(self::KEY_COMPANY_NAME) ?? ''));
}
public function setCompanyName(?string $name): bool
{
$name = trim((string) ($name ?? ''));
return $this->settingsMetadataGateway->set(
self::KEY_COMPANY_NAME,
$name !== '' ? $name : null,
self::KEY_COMPANY_NAME
);
}
public function getBasicUser(): ?string
{
$value = trim((string) ($this->settingsMetadataGateway->getValue(self::KEY_BASIC_USER) ?? ''));
return $value !== '' ? $value : null;
}
public function setBasicUser(?string $user): bool
{
$user = trim((string) ($user ?? ''));
return $this->settingsMetadataGateway->set(
self::KEY_BASIC_USER,
$user !== '' ? $user : null,
self::KEY_BASIC_USER
);
}
public function getBasicPassword(): ?string
{
return $this->decryptSetting(self::KEY_BASIC_PASSWORD_ENC);
}
public function setBasicPassword(?string $password): bool
{
return $this->encryptSetting(self::KEY_BASIC_PASSWORD_ENC, $password);
}
public function getOAuthTenantId(): ?string
{
$value = trim((string) ($this->settingsMetadataGateway->getValue(self::KEY_OAUTH_TENANT_ID) ?? ''));
return $value !== '' ? $value : null;
}
public function setOAuthTenantId(?string $tenantId): bool
{
$tenantId = trim((string) ($tenantId ?? ''));
return $this->settingsMetadataGateway->set(
self::KEY_OAUTH_TENANT_ID,
$tenantId !== '' ? $tenantId : null,
self::KEY_OAUTH_TENANT_ID
);
}
public function getOAuthClientId(): ?string
{
$value = trim((string) ($this->settingsMetadataGateway->getValue(self::KEY_OAUTH_CLIENT_ID) ?? ''));
return $value !== '' ? $value : null;
}
public function setOAuthClientId(?string $clientId): bool
{
$clientId = trim((string) ($clientId ?? ''));
return $this->settingsMetadataGateway->set(
self::KEY_OAUTH_CLIENT_ID,
$clientId !== '' ? $clientId : null,
self::KEY_OAUTH_CLIENT_ID
);
}
public function getOAuthClientSecret(): ?string
{
return $this->decryptSetting(self::KEY_OAUTH_CLIENT_SECRET_ENC);
}
public function setOAuthClientSecret(?string $secret): bool
{
return $this->encryptSetting(self::KEY_OAUTH_CLIENT_SECRET_ENC, $secret);
}
public function getOAuthTokenEndpoint(): ?string
{
$value = trim((string) ($this->settingsMetadataGateway->getValue(self::KEY_OAUTH_TOKEN_ENDPOINT) ?? ''));
return $value !== '' ? $value : null;
}
public function setOAuthTokenEndpoint(?string $endpoint): bool
{
$endpoint = trim((string) ($endpoint ?? ''));
if ($endpoint !== '' && !preg_match('#^https://#i', $endpoint)) {
return false;
}
return $this->settingsMetadataGateway->set(
self::KEY_OAUTH_TOKEN_ENDPOINT,
$endpoint !== '' ? $endpoint : null,
self::KEY_OAUTH_TOKEN_ENDPOINT
);
}
/**
* Build the full OData entity URL for a given entity set.
*/
public function buildEntityUrl(string $entitySet): string
{
$baseUrl = $this->getODataBaseUrl();
$company = rawurlencode($this->getCompanyName());
return $baseUrl . "/Company('" . $company . "')/" . $entitySet;
}
/**
* Validate that required settings for the current auth mode are present.
*
* @return array<int, string> List of missing setting descriptions (empty = valid)
*/
public function validateConfiguration(): array
{
$missing = [];
if ($this->getODataBaseUrl() === '') {
$missing[] = 'BC OData Base URL';
}
if ($this->getCompanyName() === '') {
$missing[] = 'BC Company Name';
}
if ($this->getAuthMode() === self::AUTH_MODE_BASIC) {
if ($this->getBasicUser() === null) {
$missing[] = 'BC Basic Auth User';
}
if ($this->getBasicPassword() === null) {
$missing[] = 'BC Basic Auth Password';
}
} else {
if ($this->getOAuthClientId() === null) {
$missing[] = 'BC OAuth2 Client ID';
}
if ($this->getOAuthClientSecret() === null) {
$missing[] = 'BC OAuth2 Client Secret';
}
if ($this->getOAuthTokenEndpoint() === null) {
$missing[] = 'BC OAuth2 Token Endpoint';
}
}
return $missing;
}
public function isConfigured(): bool
{
return $this->validateConfiguration() === [];
}
private function decryptSetting(string $key): ?string
{
$encrypted = trim((string) ($this->settingsMetadataGateway->getValue($key) ?? ''));
if ($encrypted === '') {
return null;
}
try {
$decrypted = trim($this->settingsCryptoGateway->decryptString($encrypted));
} catch (\Throwable) {
return null;
}
return $decrypted !== '' ? $decrypted : null;
}
private function encryptSetting(string $key, ?string $value): bool
{
$value = trim((string) ($value ?? ''));
if ($value === '') {
return $this->settingsMetadataGateway->set($key, null, $key);
}
try {
$encrypted = $this->settingsCryptoGateway->encryptString($value);
} catch (\Throwable) {
return false;
}
return $this->settingsMetadataGateway->set($key, $encrypted, $key);
}
}