You are here

public function ContentHubAccess::access in Acquia Content Hub 8

Same name and namespace in other branches
  1. 8.2 src/Access/ContentHubAccess.php \Drupal\acquia_contenthub\Access\ContentHubAccess::access()

Checks access to Entity CDF.

Only grants access to logged in users with 'Administer Acquia Content Hub' permission or if the request verifies its HMAC signature.

Parameters

\Symfony\Component\Routing\Route $route: The route object to process.

\Symfony\Component\HttpFoundation\Request $request: The HTTP request object.

\Drupal\Core\Session\AccountInterface $account: Run access checks for this account.

Return value

bool TRUE if granted access, FALSE otherwise.

File

src/Access/ContentHubAccess.php, line 72

Class

ContentHubAccess
Implements permission to prevent unauthorized access to Entity CDF.

Namespace

Drupal\acquia_contenthub\Access

Code

public function access(Route $route, Request $request, AccountInterface $account) {

  // Check permissions and combine that with any custom access checking
  // needed. Pass forward parameters from the route and/or request as needed.
  if ($account
    ->hasPermission('administer acquia content hub')) {

    // If this is a logged in user with 'Administer Acquia Content Hub'
    // permission then grant access.
    return AccessResult::allowed();
  }
  else {
    if (empty($this->clientManager
      ->isConnected())) {
      $this->loggerFactory
        ->get('acquia_contenthub')
        ->debug('Access denied: Acquia Content Hub Client not connected.');
      return AccessResult::forbidden('Acquia Content Hub Client not connected.');
    }

    // If this user has no permission, then validate Request Signature.
    $headers = array_map('current', $request->headers
      ->all());
    $authorization_header = isset($headers['authorization']) ? $headers['authorization'] : '';
    $shared_secret = $this->contentHubSubscription
      ->getSharedSecret();
    $signature = $this->clientManager
      ->getRequestSignature($request, $shared_secret);
    $authorization = 'Acquia ContentHub:' . $signature;

    // Log debug information if validation fails.
    if ($authorization !== $authorization_header) {
      $this->loggerFactory
        ->get('acquia_contenthub')
        ->debug('HMAC validation failed. [authorization = %authorization]. [authorization_header = %authorization_header]', [
        '%authorization' => $authorization,
        '%authorization_header' => $authorization_header,
      ]);
    }

    // Only allow access if the Signature validates.
    return AccessResult::allowedIf($authorization === $authorization_header);
  }
}