private/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update
All checks were successful
Deploy / deploy-staging (push) Successful in 5s
Details
Deploy / deploy-production (push) Has been skipped
Details

Browse Source
This commit is contained in:
Lars Gebhardt-Kusche
2026-04-14 22:48:35 +02:00
parent 3e9fa3d4a1
commit 93c867040e
4 changed files with 281 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
partials/landingpages/modules/access.php
View File

@@ -12,16 +12,50 @@ if (!$module) {
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$selectedUsers = is_array($_POST['auth_user_values'] ?? null) ? $_POST['auth_user_values'] : [];
$selectedGroups = is_array($_POST['auth_group_values'] ?? null) ? $_POST['auth_group_values'] : [];
$manualUsers = (string)($_POST['auth_users'] ?? '');
$manualGroups = (string)($_POST['auth_groups'] ?? '');
modules()->saveAuth($moduleName, [
'required' => isset($_POST['auth_required']),
'users' => (string)($_POST['auth_users'] ?? ''),
'groups' => (string)($_POST['auth_groups'] ?? ''),
'users' => array_merge($selectedUsers, preg_split('/[,\\n]+/', $manualUsers) ?: []),
'groups' => array_merge($selectedGroups, preg_split('/[,\\n]+/', $manualGroups) ?: []),
]);
$notice = 'Zugriff gespeichert.';
$module = modules()->get($moduleName) ?: $module;
}
$authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required' => false, 'users' => [], 'groups' => []];
$allowedUsers = is_array($authConfig['users'] ?? null) ? array_values(array_filter(array_map('strval', $authConfig['users']))) : [];
$allowedGroups = is_array($authConfig['groups'] ?? null) ? array_values(array_filter(array_map('strval', $authConfig['groups']))) : [];
$knownUsers = modules()->knownAuthUsers();
$knownGroups = modules()->knownAuthGroups();
$currentUser = auth_user();
if (is_array($currentUser) && trim((string)($currentUser['sub'] ?? '')) !== '') {
$currentSub = (string)$currentUser['sub'];
$hasCurrentUser = false;
foreach ($knownUsers as $knownUser) {
if ((string)($knownUser['sub'] ?? '') === $currentSub) {
$hasCurrentUser = true;
break;
}
}
if (!$hasCurrentUser) {
$knownUsers[] = [
'sub' => $currentSub,
'username' => (string)($currentUser['username'] ?? ''),
'email' => (string)($currentUser['email'] ?? ''),
'name' => (string)($currentUser['name'] ?? ''),
'groups' => is_array($currentUser['groups'] ?? null) ? $currentUser['groups'] : [],
];
}
}
$knownGroups = array_values(array_unique(array_merge($knownGroups, auth_groups())));
sort($knownGroups, SORT_NATURAL | SORT_FLAG_CASE);
$knownUserValues = array_column($knownUsers, 'sub');
$manualUsers = array_values(array_filter($allowedUsers, fn (string $value): bool => !in_array($value, $knownUserValues, true)));
$manualGroups = array_values(array_filter($allowedGroups, fn (string $value): bool => !in_array($value, $knownGroups, true)));
?>
<div class="card">
<div class="pill">Zugriff</div>
@@ -40,15 +74,48 @@ $authConfig = is_array($module['auth'] ?? null) ? $module['auth'] : ['required'
<span>Login fuer dieses Modul erforderlich</span>
</label>
<label class="muted" style="display:grid; gap:6px;">
<div class="muted" style="display:grid; gap:8px;">
<span>Erlaubte Benutzer</span>
<textarea name="auth_users" rows="3" placeholder="Keycloak-Sub, Benutzername oder E-Mail, je Zeile oder Komma"><?= e(implode("\n", is_array($authConfig['users'] ?? null) ? $authConfig['users'] : [])) ?></textarea>
</label>
<?php if ($knownUsers === []): ?>
<small class="muted">Noch keine Keycloak-User bekannt. User erscheinen hier, nachdem sie sich einmal angemeldet haben.</small>
<?php else: ?>
<div style="display:grid; gap:6px;">
<?php foreach ($knownUsers as $knownUser): ?>
<?php
$sub = (string)($knownUser['sub'] ?? '');
$label = trim((string)($knownUser['name'] ?? ''));
if ($label === '') {
$label = trim((string)($knownUser['username'] ?? ''));
}
$email = trim((string)($knownUser['email'] ?? ''));
$suffix = $email !== '' && $email !== $label ? ' (' . $email . ')' : '';
?>
<label style="display:flex; align-items:center; gap:10px;">
<input type="checkbox" name="auth_user_values[]" value="<?= e($sub) ?>" <?= in_array($sub, $allowedUsers, true) ? 'checked' : '' ?>>
<span><?= e(($label !== '' ? $label : $sub) . $suffix) ?></span>
</label>
<?php endforeach; ?>
</div>
<?php endif; ?>
<textarea name="auth_users" rows="3" placeholder="Weitere Keycloak-Sub, Benutzername oder E-Mail, je Zeile oder Komma"><?= e(implode("\n", $manualUsers)) ?></textarea>
</div>
<label class="muted" style="display:grid; gap:6px;">
<div class="muted" style="display:grid; gap:8px;">
<span>Erlaubte Gruppen</span>
<textarea name="auth_groups" rows="3" placeholder="/admin oder mining-users, je Zeile oder Komma"><?= e(implode("\n", is_array($authConfig['groups'] ?? null) ? $authConfig['groups'] : [])) ?></textarea>
</label>
<?php if ($knownGroups === []): ?>
<small class="muted">Noch keine Keycloak-Gruppen bekannt. Gruppen werden aus angemeldeten Usern und gespeicherten Modulrechten gesammelt.</small>
<?php else: ?>
<div style="display:grid; gap:6px;">
<?php foreach ($knownGroups as $knownGroup): ?>
<label style="display:flex; align-items:center; gap:10px;">
<input type="checkbox" name="auth_group_values[]" value="<?= e($knownGroup) ?>" <?= in_array($knownGroup, $allowedGroups, true) ? 'checked' : '' ?>>
<span><?= e($knownGroup) ?></span>
</label>
<?php endforeach; ?>
</div>
<?php endif; ?>
<textarea name="auth_groups" rows="3" placeholder="Weitere Gruppen, je Zeile oder Komma"><?= e(implode("\n", $manualGroups)) ?></textarea>
</div>
<small class="muted">Wenn Login aktiv ist und Benutzer/Gruppen leer bleiben, darf jeder eingeloggte Benutzer das Modul oeffnen.</small>

34
src/App/AuthService.php
View File

@@ -77,6 +77,8 @@ final class AuthService
];
$_SESSION['auth_id_token'] = $idToken;
$_SESSION['auth_expires_at'] = time() + self::SESSION_TTL;
$this->rememberKeycloakUser($claims, $groups);
}
public function canAccessModule(array $module): bool
@@ -111,6 +113,38 @@ final class AuthService
return array_intersect($allowedGroups, $userGroups) !== [];
}
private function rememberKeycloakUser(array $claims, array $groups): void
{
$pdo = $this->app->basePdo();
$sub = trim((string)($claims['sub'] ?? ''));
if (!$pdo || $sub === '') {
return;
}
$groupsJson = json_encode(array_values(array_unique(array_map('strval', $groups))), JSON_UNESCAPED_UNICODE);
if (!is_string($groupsJson)) {
$groupsJson = '[]';
}
$stmt = $pdo->prepare(
"INSERT INTO nexus_auth_users (sub, username, email, name, groups, last_login_at)
VALUES (:sub, :username, :email, :name, :groups, CURRENT_TIMESTAMP)
ON CONFLICT(sub) DO UPDATE SET
username = excluded.username,
email = excluded.email,
name = excluded.name,
groups = excluded.groups,
last_login_at = CURRENT_TIMESTAMP"
);
$stmt->execute([
'sub' => $sub,
'username' => (string)($claims['preferred_username'] ?? ''),
'email' => (string)($claims['email'] ?? ''),
'name' => (string)($claims['name'] ?? ''),
'groups' => $groupsJson,
]);
}
public function requireModuleAccess(array $module): void
{
if ($this->canAccessModule($module)) {

63
src/App/BaseSchema.php
View File

@@ -40,6 +40,27 @@ final class BaseSchema
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_module_auth (
name TEXT PRIMARY KEY,
required BOOLEAN NOT NULL DEFAULT false,
users TEXT NOT NULL DEFAULT '[]',
groups TEXT NOT NULL DEFAULT '[]',
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_auth_users (
sub TEXT PRIMARY KEY,
username TEXT,
email TEXT,
name TEXT,
groups TEXT NOT NULL DEFAULT '[]',
last_login_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_settings (
key TEXT PRIMARY KEY,
@@ -96,6 +117,27 @@ final class BaseSchema
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_module_auth (
name TEXT PRIMARY KEY,
required INTEGER NOT NULL DEFAULT 0,
users TEXT NOT NULL DEFAULT '[]',
groups TEXT NOT NULL DEFAULT '[]',
updated_at TEXT NOT NULL DEFAULT (datetime('now'))
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_auth_users (
sub TEXT PRIMARY KEY,
username TEXT,
email TEXT,
name TEXT,
groups TEXT NOT NULL DEFAULT '[]',
last_login_at TEXT NOT NULL DEFAULT (datetime('now'))
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_settings (
key TEXT PRIMARY KEY,
@@ -152,6 +194,27 @@ final class BaseSchema
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_module_auth (
name VARCHAR(190) PRIMARY KEY,
required TINYINT NOT NULL DEFAULT 0,
users TEXT NOT NULL,
groups TEXT NOT NULL,
updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_auth_users (
sub VARCHAR(190) PRIMARY KEY,
username VARCHAR(190),
email VARCHAR(190),
name VARCHAR(190),
groups TEXT NOT NULL,
last_login_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_settings (
`key` VARCHAR(190) PRIMARY KEY,

124
src/App/ModuleManager.php
View File

@@ -248,6 +248,7 @@ final class ModuleManager
continue;
}
$manifestAuth = is_array($data['auth'] ?? null) ? $data['auth'] : ['required' => false, 'users' => [], 'groups' => []];
$module = [
'name' => $name,
'slug' => $name,
@@ -261,7 +262,7 @@ final class ModuleManager
'metadata_db_defaults' => $data['metadata_db_defaults'] ?? [],
'path' => $dir,
'entry' => '/module/' . rawurlencode($name),
'auth' => is_array($data['auth'] ?? null) ? $data['auth'] : ['required' => false, 'users' => [], 'groups' => []],
'auth' => $this->loadAuth($name, $manifestAuth),
'enabled_by_default' => (bool)($data['enabled_by_default'] ?? false),
'enabled' => false,
];
@@ -314,28 +315,121 @@ final class ModuleManager
throw new \RuntimeException('Module not found.');
}
$manifest = $module['path'] . '/module.json';
$raw = is_file($manifest) ? file_get_contents($manifest) : '';
$data = $raw ? json_decode($raw, true) : [];
if (!is_array($data)) {
$data = [];
}
$data['auth'] = [
$authConfig = [
'required' => (bool) ($auth['required'] ?? false),
'users' => $this->normalizeList($auth['users'] ?? []),
'groups' => $this->normalizeList($auth['groups'] ?? []),
];
$json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
if (!is_string($json)) {
throw new \RuntimeException('Could not encode module metadata.');
if ($this->basePdo) {
$usersJson = json_encode($authConfig['users'], JSON_UNESCAPED_UNICODE);
$groupsJson = json_encode($authConfig['groups'], JSON_UNESCAPED_UNICODE);
if (!is_string($usersJson) || !is_string($groupsJson)) {
throw new \RuntimeException('Could not encode module auth.');
}
$stmt = $this->basePdo->prepare(
"INSERT INTO nexus_module_auth (name, required, users, groups, updated_at)
VALUES (:name, :required, :users, :groups, CURRENT_TIMESTAMP)
ON CONFLICT(name) DO UPDATE SET
required = excluded.required,
users = excluded.users,
groups = excluded.groups,
updated_at = CURRENT_TIMESTAMP"
);
$stmt->execute([
'name' => $name,
'required' => $authConfig['required'] ? 1 : 0,
'users' => $usersJson,
'groups' => $groupsJson,
]);
$this->modules[$name]['auth'] = $authConfig;
return $authConfig;
}
file_put_contents($manifest, $json . PHP_EOL, LOCK_EX);
$this->scanModules();
$this->modules[$name]['auth'] = $authConfig;
return $authConfig;
}
return $data['auth'];
public function knownAuthUsers(): array
{
if (!$this->basePdo) {
return [];
}
$stmt = $this->basePdo->query(
"SELECT sub, username, email, name, groups, last_login_at
FROM nexus_auth_users
ORDER BY COALESCE(NULLIF(name, ''), NULLIF(username, ''), email, sub)"
);
$users = [];
foreach ($stmt->fetchAll(\PDO::FETCH_ASSOC) as $row) {
$groups = json_decode((string)($row['groups'] ?? '[]'), true);
$row['groups'] = is_array($groups) ? array_values(array_filter(array_map('strval', $groups))) : [];
$users[] = $row;
}
return $users;
}
public function knownAuthGroups(): array
{
$groups = [];
foreach ($this->knownAuthUsers() as $user) {
foreach (($user['groups'] ?? []) as $group) {
$group = trim((string)$group);
if ($group !== '') {
$groups[] = $group;
}
}
}
foreach ($this->modules as $module) {
$auth = is_array($module['auth'] ?? null) ? $module['auth'] : [];
foreach (($auth['groups'] ?? []) as $group) {
$group = trim((string)$group);
if ($group !== '') {
$groups[] = $group;
}
}
}
sort($groups, SORT_NATURAL | SORT_FLAG_CASE);
return array_values(array_unique($groups));
}
private function loadAuth(string $name, array $fallback): array
{
$auth = [
'required' => (bool)($fallback['required'] ?? false),
'users' => $this->normalizeList($fallback['users'] ?? []),
'groups' => $this->normalizeList($fallback['groups'] ?? []),
];
if (!$this->basePdo) {
return $auth;
}
$stmt = $this->basePdo->prepare(
"SELECT required, users, groups
FROM nexus_module_auth
WHERE name = :name
LIMIT 1"
);
$stmt->execute(['name' => $name]);
$row = $stmt->fetch(\PDO::FETCH_ASSOC);
if ($row === false) {
return $auth;
}
$users = json_decode((string)($row['users'] ?? '[]'), true);
$groups = json_decode((string)($row['groups'] ?? '[]'), true);
return [
'required' => (bool)($row['required'] ?? false),
'users' => $this->normalizeList(is_array($users) ? $users : []),
'groups' => $this->normalizeList(is_array($groups) ? $groups : []),
];
}
private function normalizeList(mixed $values): array