From c846dfe95277976e84ec52117f41359a0f325ce0 Mon Sep 17 00:00:00 2001 
From: Martin Haase <martin.haase@daasi.de> Date: Thu, 8 May 2008 11:32:58 +0000 Subject: [PATCH] initial, now complete, import of Markus Widmer's RBAC AuthN Code git-svn-id: https://textgridlab.org/svn/textgrid/trunk/middleware/tgauth@1227 7c539038-3410-0410-b1ec-0f2a7bf1c452 --- .../conf/rbac.conf | 119 + .../conf/rbacSoap.conf | 60 + .../conf/system.conf | 45 + .../documentation/install.tex | 35 + .../lib/Crypto.class.php | 134 + .../lib/DataBase.class.php | 818 +++++++ .../lib/Helper.class.php | 468 ++++ .../lib/LDAP.class.php | 670 +++++ .../lib/Node.class.php | 315 +++ .../lib/Number.class.php | 68 + .../lib/XML.class.php | 291 +++ .../lib/iCrypto.interface.php | 12 + .../lib/iDataBase.interface.php | 22 + .../lib/iHelper.interface.php | 15 + .../lib/iLDAP.interface.php | 18 + .../lib/iNode.interface.php | 26 + .../lib/iNumber.interface.php | 8 + .../lib/iXML.interface.php | 8 + .../rbac/Context.class.php | 151 ++ .../rbac/LGPL.txt | 166 ++ .../rbac/RBAC.class.php | 312 +++ .../rbac/RBACException.class.php | 36 + .../rbac/RBACExtension.class.php | 44 + .../rbac/RBACcore.class.php | 2181 +++++++++++++++++ .../rbac/RBAClimitedHirarchical.class.php | 648 +++++ .../rbac/SOAP/XACML.class.php | 114 + .../rbac/SOAP/clients/xacmlCheckAccess.php | 98 + .../rbac/SOAP/wsdl/xacml.wsdl | 92 + .../rbac/SOAP/xacml.php | 30 + ...rol-xacml-2.0-saml-assertion-schema-os.xsd | 51 + ...trol-xacml-2.0-saml-protocol-schema-os.xsd | 60 + .../SOAP/xsd/saml-schema-assertion-2.0.xsd | 284 +++ .../SOAP/xsd/saml-schema-protocol-2.0.xsd | 303 +++ .../rbac/SimpleConfig.class.php | 108 + .../rbac/conf/rbac.conf.dist | 125 + .../rbac/conf/system.conf.dist | 47 + .../rbac/extensions/DSD.class.php | 677 +++++ .../rbac/extensions/Logger.class.php | 50 + .../rbac/extensions/SSD.class.php | 845 +++++++ .../rbac/extensions/UserEntry.class.php | 56 + .../rbac/iContext.interface.php | 15 + .../rbac/iRBACcore.interface.php | 31 + .../iRBAClimitedHirarchical.interface.php | 25 + 
.../rbac/schema/rbac.schema | 141 ++ .../rbacSoap/TgAdministration.class.php | 735 ++++++ .../rbacSoap/TgExtra.class.php | 1638 +++++++++++++ .../rbacSoap/TgReview.class.php | 606 +++++ .../rbacSoap/TgSystem.class.php | 268 ++ .../rbacSoap/XACML.class.php | 122 + .../rbacSoap/examples/addAscendant.php | 119 + .../rbacSoap/examples/addDescendant.php | 119 + .../rbacSoap/examples/addInheritance.php | 119 + .../rbacSoap/examples/addMember.php | 75 + .../rbacSoap/examples/addRole.php | 118 + .../rbacSoap/examples/addUser.php | 120 + .../rbacSoap/examples/assignUser.php | 119 + .../rbacSoap/examples/assignedRoles.php | 128 + .../rbacSoap/examples/assignedUsers.php | 128 + .../rbacSoap/examples/authorizedRoles.php | 133 + .../rbacSoap/examples/authorizedUsers.php | 128 + .../rbacSoap/examples/checkAccess.php | 75 + .../rbacSoap/examples/createProject.php | 73 + .../rbacSoap/examples/createSession.php | 120 + .../rbacSoap/examples/deactivateProject.php | 73 + .../rbacSoap/examples/deassignUser.php | 119 + .../rbacSoap/examples/deleteInheritance.php | 119 + .../rbacSoap/examples/deleteMember.php | 75 + .../rbacSoap/examples/deleteRole.php | 117 + .../rbacSoap/examples/deleteSession.php | 119 + .../rbacSoap/examples/deleteUser.php | 119 + .../rbacSoap/examples/dropActiveRole.php | 116 + .../rbacSoap/examples/filterBySid.php | 128 + .../rbacSoap/examples/getAllProjects.php | 65 + .../rbacSoap/examples/getLeader.php | 82 + .../rbacSoap/examples/getMembers.php | 82 + .../rbacSoap/examples/getObjects.php | 82 + .../rbacSoap/examples/getOwner.php | 73 + .../examples/getProjectDescription.php | 75 + .../rbacSoap/examples/getRights.php | 84 + .../rbacSoap/examples/getSid.php | 52 + .../rbacSoap/examples/grantPermission.php | 120 + .../rbacSoap/examples/isPublic.php | 73 + .../rbacSoap/examples/publish.php | 73 + .../rbacSoap/examples/registerResource.php | 75 + .../rbacSoap/examples/revokePermission.php | 120 + .../examples/roleOperationsOnObject.php | 128 + 
.../rbacSoap/examples/rolePermissions.php | 129 + .../rbacSoap/examples/sessionPermissions.php | 120 + .../rbacSoap/examples/sessionRoles.php | 128 + .../rbacSoap/examples/tgAddActiveRole.php | 73 + .../rbacSoap/examples/tgAssignedProjects.php | 80 + .../rbacSoap/examples/tgAssignedRoles.php | 82 + .../rbacSoap/examples/tgCheckAccess.php | 76 + .../rbacSoap/examples/tgGrantPermission.php | 77 + .../rbacSoap/examples/tgRevokePermission.php | 77 + .../rbacSoap/examples/unregisterResource.php | 73 + .../rbacSoap/examples/userExists.php | 120 + .../examples/userOperationsOnObject.php | 128 + .../rbacSoap/examples/userPermissions.php | 132 + .../rbacSoap/examples/xacmlCheckAccess.php | 103 + .../rbacSoap/soapTypes.inc.php | 524 ++++ .../rbacSoap/tgadministration.php | 26 + .../rbacSoap/tgextra.php | 32 + .../rbacSoap/tgreview.php | 26 + .../rbacSoap/tgsystem.php | 26 + .../rbacSoap/wsdl/tgadministration.wsdl | 555 +++++ .../rbacSoap/wsdl/tgextra.wsdl | 1090 ++++++++ .../rbacSoap/wsdl/tgreview.wsdl | 497 ++++ .../rbacSoap/wsdl/tgsystem.wsdl | 284 +++ .../rbacSoap/wsdl/xacml.wsdl | 93 + .../rbacSoap/wsdl/xacml.wsdl.readme.txt | 1 + .../rbacSoap/xacml.php | 27 + .../rbacSoap/xacmlTypes.inc.php | 22 + ...rol-xacml-2.0-saml-assertion-schema-os.xsd | 51 + ...trol-xacml-2.0-saml-protocol-schema-os.xsd | 60 + ...xacml-2.0-saml-protocol-schema-os.xsd.save | 61 + .../xsd/saml-schema-assertion-2.0.xsd | 284 +++ .../rbacSoap/xsd/saml-schema-protocol-2.0.xsd | 303 +++ .../tgExtensions/Logger.class.php | 223 ++ .../tgExtensions/PublicResource.class.php | 78 + 120 files changed, 22595 insertions(+) create mode 100644 info.textgrid.middleware.tgauth.rbac/conf/rbac.conf create mode 100644 info.textgrid.middleware.tgauth.rbac/conf/rbacSoap.conf create mode 100644 info.textgrid.middleware.tgauth.rbac/conf/system.conf create mode 100644 info.textgrid.middleware.tgauth.rbac/documentation/install.tex create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/Crypto.class.php create mode 
100755 info.textgrid.middleware.tgauth.rbac/lib/DataBase.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/Helper.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/LDAP.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/Node.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/Number.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/XML.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/iCrypto.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/iDataBase.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/iHelper.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/iLDAP.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/iNode.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/iNumber.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/lib/iXML.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/Context.class.php create mode 100644 info.textgrid.middleware.tgauth.rbac/rbac/LGPL.txt create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/RBAC.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/RBACException.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/RBACExtension.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/RBACcore.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/RBAClimitedHirarchical.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/SOAP/XACML.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/SOAP/clients/xacmlCheckAccess.php create mode 100644 info.textgrid.middleware.tgauth.rbac/rbac/SOAP/wsdl/xacml.wsdl create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xacml.php create mode 100644 
info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/access_control-xacml-2.0-saml-assertion-schema-os.xsd create mode 100644 info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd create mode 100644 info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/saml-schema-assertion-2.0.xsd create mode 100644 info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/saml-schema-protocol-2.0.xsd create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/SimpleConfig.class.php create mode 100644 info.textgrid.middleware.tgauth.rbac/rbac/conf/rbac.conf.dist create mode 100644 info.textgrid.middleware.tgauth.rbac/rbac/conf/system.conf.dist create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/extensions/DSD.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/extensions/Logger.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/extensions/SSD.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/extensions/UserEntry.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/iContext.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/iRBACcore.interface.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbac/iRBAClimitedHirarchical.interface.php create mode 100644 info.textgrid.middleware.tgauth.rbac/rbac/schema/rbac.schema create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/TgAdministration.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/TgReview.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/TgSystem.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/XACML.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addAscendant.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addDescendant.php create mode 
100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addInheritance.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addMember.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addRole.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addUser.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignUser.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignedRoles.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignedUsers.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/authorizedRoles.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/authorizedUsers.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/checkAccess.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/createProject.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/createSession.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deactivateProject.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deassignUser.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteInheritance.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteMember.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteRole.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteSession.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteUser.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/dropActiveRole.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/filterBySid.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getAllProjects.php 
create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getLeader.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getMembers.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getObjects.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getOwner.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getProjectDescription.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getRights.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getSid.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/grantPermission.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/isPublic.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/publish.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/registerResource.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/revokePermission.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/roleOperationsOnObject.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/rolePermissions.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/sessionPermissions.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/sessionRoles.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAddActiveRole.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAssignedProjects.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAssignedRoles.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgCheckAccess.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgGrantPermission.php create mode 100755 
info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgRevokePermission.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/unregisterResource.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userExists.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userOperationsOnObject.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userPermissions.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/xacmlCheckAccess.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/soapTypes.inc.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/tgadministration.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/tgextra.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/tgreview.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/tgsystem.php create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgadministration.wsdl create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgextra.wsdl create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgreview.wsdl create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgsystem.wsdl create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/xacml.wsdl create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/xacml.wsdl.readme.txt create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/xacml.php create mode 100755 info.textgrid.middleware.tgauth.rbac/rbacSoap/xacmlTypes.inc.php create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-assertion-schema-os.xsd create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd create mode 100644 
info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd.save create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/saml-schema-assertion-2.0.xsd create mode 100644 info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/saml-schema-protocol-2.0.xsd create mode 100755 info.textgrid.middleware.tgauth.rbac/tgExtensions/Logger.class.php create mode 100755 info.textgrid.middleware.tgauth.rbac/tgExtensions/PublicResource.class.php diff --git a/info.textgrid.middleware.tgauth.rbac/conf/rbac.conf b/info.textgrid.middleware.tgauth.rbac/conf/rbac.conf new file mode 100644 index 0000000..68338f3 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/conf/rbac.conf 
@@ -0,0 +1,119 @@
+<?xml version="1.1" ?>
+<configuration>
+
+ <section name="user">
+ <var name="host">ingrid.daasi.de</var>
+ <var name="port">4389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=people,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="binddn">cn=manager,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="password">secret</var>
+ <var name="filter">(objectClass=inetorgperson)</var>
+ <var name="userEntryDefinitionClass">InetOrgDefinition</var>
+ <var name="userEntryDefinitionFile">/srv/vhosts/textgrid.regengedanken.de/www/htdocs/rbac/InetOrgDefinition.class.php</var>
+
+ <!-- Possile values are "uid", "cn", "sn" or any other used in the
+ objectClass "inetOrgPerson". If you want to use another attribute, you
+ will have to write an Extension for the addUser-function. This is
+ only possible if you use the RBAC-Framework instead of the plain
+ libraries RBACcore or RBAClimitedHirarchical. -->
+ <var name="namingattribute">uid</var>
+ </section>
+
+ <section name="role">
+ <var name="host">ingrid.daasi.de</var>
+ <var name="port">4389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=roles,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="binddn">cn=manager,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="password">secret</var>
+ <var name="namingattribute">rbacname</var>
+ <var name="filter">(objectClass=rbacrole)</var>
+
+ <!-- May also be member to have greater compatibility, for example -->
+ <var name="assignedattribute">rbacperformer</var>
+ </section>
+
+ <section name="session">
+ <var name="host">ingrid.daasi.de</var>
+ <var name="port">4389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=sessions,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="binddn">cn=manager,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="password">secret</var>
+ <var name="namingattribute">rbacname</var>
+ <var name="filter">(objectClass=rbacsession)</var>
+ </section>
+
+ <section 
name="resource">
+ <var name="host">ingrid.daasi.de</var>
+ <var name="port">4389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">dc=rbac,dc=textgrid,dc=de</var>
+ <var name="binddn">cn=manager,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="password">secret</var>
+ <var name="namingattribute">rbacname</var>
+ <var name="aliasattribute">tgresourceuri</var>
+ <var name="filter">(objectClass=rbacresource)</var>
+ </section>
+
+
+ <!-- This is the configuration section for the project-extension
+ defined in the extensions/Project.class.php file.
+ Notice: This part is independant from the configuration in
+ the rbacSoap.conf.xml file. If you change this, you
+ might also have to change the parameters given there. -->
+ <section name="project">
+ <var name="base">rbacname=Projekt-Teilnehmer,ou=roles,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="leaderRoleName">Projektleiter</var>
+ <var name="administratorRoleName">Administrator</var>
+ <var name="editorRoleName">Bearbeiter</var>
+ <var name="observerRoleName">Beobachter</var>
+ </section>
+
+
+ <section name="errorCode">
+ <var name="OK">1</var>
+ <var name="RESOURCE_OPERATION_ERROR">2</var>
+ <var name="RESOURCE_UNKNOWN">4</var>
+ <var name="USER_SESSION_ERROR">8</var>
+ <var name="SESSION_ALLREADY_EXISTS">16</var>
+ <var name="SESSION_DOES_NOT_EXISTS">32</var>
+ <var name="USER_UNKNOWN">64</var>
+ <var name="USER_ROLE_ERROR">128</var>
+ <var name="USER_ALLREADY_EXISTS">256</var>
+ <var name="INVALID_USER_FORMAT">512</var>
+ <var name="ROLE_ALLREADY_EXISTS">1024</var>
+ <var name="ROLE_UNKNOWN">2048</var>
+ <var name="LDAP_ERROR">4096</var>
+ <var name="UNKNOWN_ERROR">8192</var>
+ <var name="SD_ALLREADY_EXISTS">16384</var>
+ <var name="SD_CARDINALITY">32768</var>
+ <var name="SD_UNKNOWN">65536</var>
+ </section>
+
+ <section name="errorDescription">
+ <var name="OK">Ok</var>
+ <var name="RESOURCE_OPERATION_ERROR">This resource-operation-combination is invalid .</var>
+ <var 
name="RESOURCE_UNKNOWN">The resource is not known or not uniqueue.</var>
+ <var name="USER_SESSION_ERROR">The user you gave is not the owner of this session.</var>
+ <var name="SESSION_ALLREADY_EXISTS">The session allready exists so you can not create it.</var>
+ <var name="SESSION_DOES_NOT_EXISTS">The session does not exist.</var>
+ <var name="USER_UNKNOWN">The user is not known.</var>
+ <var name="USER_ROLE_ERROR">This user-role-combination is invalid.</var>
+ <var name="USER_ALLREADY_EXISTS">The user allready exists.</var>
+ <var name="INVALID_USER_FORMAT">The user has to have the the format: <username>@<domain> (foo@example.org)</var>
+ <var name="ROLE_ALLREADY_EXISTS">The role allready exists.</var>
+ <var name="ROLE_UNKNOWN">The role is unknown.</var>
+ <var name="LDAP_ERROR">An LDAP-Error occured, see description: </var>
+ <var name="UNKNOWN_ERROR">An error occured.</var>
+ <var name="SD_ALLREADY_EXISTS">The Separation of Duty Set allready exists.</var>
+ <var name="SD_CARDINALITY">The given cardinality is invalid! Make sure it is >= 2</var>
+ <var name="SD_UNKNOWN">The Separation of Duty set is unknown</var>
+ </section>
+
+</configuration>
diff --git a/info.textgrid.middleware.tgauth.rbac/conf/rbacSoap.conf b/info.textgrid.middleware.tgauth.rbac/conf/rbacSoap.conf
new file mode 100644
index 0000000..f717380
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/conf/rbacSoap.conf
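Review bot: The `INVALID_USER_FORMAT` description carries raw `<username>@<domain>` in element content, which an XML parser reads as two unclosed elements and rejects, so the whole rbac.conf fails to load unless SimpleConfig parses it with something other than a real XML parser; write it as `&lt;username&gt;@&lt;domain&gt;`. This hunk and the rbacSoap.conf hunk also commit the directory manager bind DN with a literal password (`<var name="password">secret</var>`) in every section, alongside `<var name="tls">no</var>`, so the credential travels in the repository and over the wire in clear; a committed config should hold a placeholder and the real bind password should be read from a file outside version control, preferably for a per-service account rather than `cn=manager`. The connection settings are repeated verbatim across the user, role, session and resource sections, which makes a host or password rotation a four-place edit; a short comment above the first section stating that they must be kept in sync would help until the loader supports a shared block.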
@@ -0,0 +1,60 @@
+<configuration>
+
+ <section name="errorCode">
+ <var name="OK">1</var>
+ <var name="INSUFFICIENT_ACCESS">2</var>
+ <var name="AUTHENTICATION_ERROR">4</var>
+ </section>
+
+ <section name="errorDescription">
+ <var name="OK">Ok</var>
+ <var name="INSUFFICIENT_ACCESS">This function requires an authentication and authorization.</var>
+ <var name="AUTHENTICATION_ERROR">Authentication was not successfull. Username or password are incorrect.</var>
+ </section>
+
+ <section name="authentication">
+ <var name="host">ingrid.daasi.de</var>
+ <var name="port">4389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=people,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="binddn">cn=manager,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="password">secret</var>
+ <var name="namingattribute">uid</var>
+ </section>
+
+ <section name="counter">
+ <var name="host">ingrid.daasi.de</var>
+ <var name="port">4389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=counter,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="binddn">cn=manager,dc=rbac,dc=textgrid,dc=de</var>
+ <var name="password">secret</var>
+ <var name="namingattribute">cn</var>
+ </section>
+
+
+ <!-- All trees under which users are created
+ have this naming-attribute -->
+ <section name="user">
+ <var name="userTreeAttribute">ou</var>
+ </section>
+
+
+ <!-- The name of the project-role under which
+ all projects are stored. Remember that the
+ value given here is relative to the role-base
+ configured for the rbac-system! -->
+ <section name="project">
+ <var name="base">Projekt-Teilnehmer</var>
+ </section>
+
+
+ <!-- This base is used to create new
+ TextGrid-Resources. -->
+ <section name="textGridResource">
+ <var name="base">ou=resources,dc=rbac,dc=textgrid,dc=de</var>
+ </section>
+
+</configuration>
diff --git a/info.textgrid.middleware.tgauth.rbac/conf/system.conf b/info.textgrid.middleware.tgauth.rbac/conf/system.conf new file mode 100644 index 0000000..602ef13 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/conf/system.conf 
@@ -0,0 +1,45 @@
+<system>
+
+ <!-- This is the system-configuration for the RBAC-Framework.
+ The RBAC libraries need an additional configuration-file
+ where you have to define all LDAP-specific settings. Tell
+ the RBAC-Framework where it can find this configuration.
+ Specify a full path or a path relative to your main
+ application. -->
+ <configuration file="../conf/rbac.conf" />
+
+
+ <!-- Here you can specify if you want to use Core RBAC or the
+ Limited Hierarchical RBAC. In order to work properly both
+ libraries need a couple of classes specified through
+ the "require" statements. Again you have to specify a full
+ path or a path relative to your main application. -->
+ <rbac class="RBAClimitedHirarchical">
+ <require file="../rbac/iContext.interface.php" />
+ <require file="../lib/iCrypto.interface.php" />
+ <require file="../lib/iHelper.interface.php" />
+ <require file="../lib/iLDAP.interface.php" />
+ <require file="../rbac/iRBACcore.interface.php" />
+ <require file="../rbac/iRBAClimitedHirarchical.interface.php" />
+
+ <require file="../rbac/RBACException.class.php" />
+ <require file="../rbac/RBACExtension.class.php" />
+ <require file="../rbac/Context.class.php" />
+ <require file="../lib/Helper.class.php" />
+ <require file="../lib/LDAP.class.php" />
+ <require file="../lib/Crypto.class.php" />
+ <require file="../rbac/SimpleConfig.class.php" />
+ <require file="../rbac/RBACcore.class.php" />
+ <require file="../rbac/RBAClimitedHirarchical.class.php" />
+ </rbac>
+
+
+ <!-- Specify the extensions you want to use through the
+ RBAC-Framework. Give a full path or a path relative
+ to your main application. -->
+ <extension class="PublicResource" file="../tgExtensions/PublicResource.class.php" />
+<!-- <extension class="SSD" file="../rbac/extensions/SSD.class.php" /> -->
+<!-- <extension class="DSD" file="../rbac/extensions/DSD.class.php" /> -->
+ <extension class="Logger" file="../tgExtensions/Logger.class.php" />
+
+</system>
diff --git a/info.textgrid.middleware.tgauth.rbac/documentation/install.tex b/info.textgrid.middleware.tgauth.rbac/documentation/install.tex new file mode 100644 index 0000000..0c763bc --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/documentation/install.tex @@ -0,0 +1,35 @@ +\documentclass[a4paper,12pt,twoside]{article} +\usepackage[ngerman]{babel} +\usepackage[OT1]{fontenc} +\usepackage[latin1]{inputenc} +\usepackage[top=2.5cm,bottom=2.5cm,left=3cm,right=2.5cm]{geometry} +\usepackage{amssymb} +\usepackage{amsmath} +\usepackage{graphicx} +\usepackage{bibgerm} +\usepackage{setspace} +\usepackage{ifthen} +\graphicspath{{graphics/}} +% +% +\onehalfspacing +% +% +\author{Markus Widmer} +\title{Role Based Access Control mit OpenLDAP\\ (Anwendung im TextGrid-Projekt)} +\date{SS 2007} +% +% +\pagenumbering{roman} +\parindent=0mm +% +% +\begin{document} +% +\begin{abstract} +In this document you will find a quick installation and configuration guide for the openRBAC software. This software is implemented in PHP5 and is available under the LGPL (Limited Gnu Public License). +\end{abstract} +% +\tableofcontents +% +\end{document} \ No newline at end of file diff --git a/info.textgrid.middleware.tgauth.rbac/lib/Crypto.class.php b/info.textgrid.middleware.tgauth.rbac/lib/Crypto.class.php new file mode 100755 index 0000000..24752ff --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/lib/Crypto.class.php 
@@ -0,0 +1,134 @@
+<?php
+// ####################################################################
+// Version: 0.1.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 13.12.2006
+// Letzte Aenderung: 13.12.2006
+
+
+
+
+class Crypto implements iCrypto {
+
+ // ## Klassenvariablen ##############################################
+
+
+
+
+ // ## Konstruktor ###################################################
+ function __construct() {
+ }
+
+
+
+
+ // ## Destruktor ####################################################
+ function __destruct() {
+ }
+
+
+
+
+ // ## ssha ##########################################################
+ function ssha( $inPassword ) {
+
+ $hash = ""; // Der Hash des Passworts
+ $salt = ""; // Das Salt
+
+
+ // Zufallszahl erzeugen
+ mt_srand( (double)microtime()*1000000 );
+
+
+ // "Salz" erzeugen
+ $salt = mhash_keygen_s2k( MHASH_SHA1, $inPassword, substr( pack( 'h*', md5( mt_rand() ) ), 0, 8), 4);
+
+
+ // Den "Hash" erzeugen
+ $hash = "{SSHA}" . base64_encode( mhash( MHASH_SHA1, $inPassword . $salt ) . $salt);
+
+
+ return $hash;
+
+ }
+
+
+
+
+ // ## md5 ###########################################################
+ function md5( $inPassword ) {
+
+ return "{MD5}" . 
md5( $inPassword );
+ }
+
+
+
+
+ // ## ntPassword ####################################################
+ function ntPassword( $inPassword ) {
+
+ return strtoupper( hash( "md4", mb_convert_encoding( $inPassword, "UCS-2LE" ) ) );
+
+ }
+
+
+
+
+ // ## validatePassword ##############################################
+ function validatePassword( $inPassword, $inHash ) {
+
+ $hash = ""; // Der Hash ohne "{Was bin ich}"
+ $newHash = ""; // Das verschluesselte Referenzpasswort
+ $originalHash = ""; // Der SSHA-Hash ohne Salt
+ $salt = ""; // Das Salt bei SSHA
+
+
+ if( preg_match( "/^\{ssha\}/i", $inHash ) ) {
+
+ // "{SSHA}" am Anfang abschneiden
+ $hash = preg_replace( "/^\{ssha\}/i", "", $inHash );
+
+
+ $hash = base64_decode( $hash );
+
+
+ // Hash und Salt voneinander trennen
+ $originalHash = substr( $hash, 0, 20 );
+ $salt = substr( $hash, 20 );
+
+
+ // Neuen Hash erzeugen um ihn mit dem alten zu vergleichen
+ $newHash = "{SSHA}" . base64_encode( mhash( MHASH_SHA1, $inPassword . $salt ) . $salt);
+
+
+ if( strcmp( $inHash, $newHash ) == 0 ) {
+
+ return true;
+
+ }
+ else {
+
+ return false;
+
+ }
+
+ }
+ elseif( preg_match( "/^\{md5\}/i", $inHash ) ) {
+
+ $hash = preg_replace( "/^\{md5\}/i", "", $inHash );
+ $newHash = preg_replace( "/^\{md5\}/i", "", $this->md5( $inPassword ) );
+
+ return preg_match( "/^" . $newHash . "$/", $hash );
+
+ }
+ else {
+
+ return false;
+
+ }
+
+ }
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/lib/DataBase.class.php b/info.textgrid.middleware.tgauth.rbac/lib/DataBase.class.php
new file mode 100755
index 0000000..d2fedf6
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/lib/DataBase.class.php
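Review bot: In `validatePassword` the SSHA branch rebuilds the full `{SSHA}`-prefixed base64 string and compares it to `$inHash` with `strcmp`, so a stored value whose prefix is written `{ssha}` or `{Ssha}` — which the preceding `/^\{ssha\}/i` match deliberately accepts — never validates even for the correct password, and `$originalHash` (the 20 digest bytes split off before the salt) is computed but never used. Comparing the raw digests fixes both and removes the timing side channel of `strcmp`: `return hash_equals( $originalHash, mhash( MHASH_SHA1, $inPassword . $salt ) );`. In `ssha` the salt is derived from `mt_rand()` seeded with `microtime()`, which is not a cryptographic source and makes salts guessable; on PHP 7 or later `$salt = random_bytes( 8 );` should replace the `mt_srand`/`mhash_keygen_s2k` construction. The `md5` method stores `{MD5}` followed by a hex digest, whereas the LDAP `{MD5}` scheme conventionally holds base64 of the raw digest, so hashes written by other directory tools would not validate here; that branch should also compare with `hash_equals` instead of building a regular expression from `$newHash`.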
@@ -0,0 +1,818 @@ +<?php +// #################################################################### +// Version: 0.3.3 +// Author: Markus Widmer +// Created: 09.11.2006 +// Modified: 02.04.2008 + + + + +class DataBase implements iDataBase { + + // ## Class-variables ############################################### + private $host = ""; + private $database = ""; + private $arrData = Array(); + private $arrFieldname = Array(); + private $username = ""; + private $password = ""; + private $hasConnection = false; + private $connection; + + + + + // ## Constructor ################################################### + public function __construct( $inHost, $inDatabase ) { + + $this->host = $inHost; + $this->database = $inDatabase; + + } + + + + + // ## Wakeup ######################################################## + public function __wakeup() { + + if( $this->hasConnection() ) { + + $this->reconnect(); + + } + + } + + + + + // ## connect ####################################################### + public function connect( $inUsername, $inPassword ) { + + $this->username = $inUsername; + $this->password = $inPassword; + + if( $mysqlHandler = mysql_connect( $this->host, $this->username, $this->password ) ) { + + $this->hasConnection = true; + $this->connection = $mysqlHandler; + + + return true; + + } + else { + + $this->hasConnection = false; + + + return false; + + } + + } + + + + + // ## reconnect ##################################################### + public function reconnect() { + + return $this->connect( $this->username, $this->password ); + + } + + + + + // ## hasConnection ################################################# + public function hasConnection() { + + return $this->hasConnection; + + } + + + + + // ## get ########################################################### + public function get( $inTable, $inOrder, $inFilter = "", $inCol = "*" ) { + + $queryString = ""; // Abfragestring, der an die Datenbank gesendet wird + $mysqlQuery = false; // Das Ergebnis der 
Abfrage + $mysqlHandler = false; // Verbindungs-Handler + $strCol = ""; // Angabe zu den Spalten + $result = Array(); // Rueckgabe + $helper = new Helper(); // Konvertierungsklasse + + + if( $helper->isUtf8( $inFilter ) ) { + + $inFilter = utf8_decode( $inFilter ); + + } + + + // Eventuell eine Liste von Spalten zusammenstellen, + // die zurueckgegeben werden sollen + if( is_array( $inCol ) ) { + + for( $i = 0; $i < sizeof( $inCol ); $i++ ) { + + if( $i == 0 ) { + + $strCol = $inCol[0]; + + } + else { + + $strCol .= ", " . $inCol[$i]; + + } + + } + + } + else { + + $strCol = $inCol; + + } + + + // Verbindung mit der Datenbank aufbauen + if( $this->hasConnection ) { + + // Abfrage starten + if( $inFilter != "" ) { + + $queryString = "select " . $strCol . " from " . $this->database . "." . $inTable + . " where " . $inFilter . " order by " . $inOrder . ";"; + + + trigger_error( "Query: " . $queryString . "\n", E_USER_NOTICE ); + + + $mysqlQuery = mysql_query( $queryString ); + + } + else { + + $queryString = "select " . $strCol . " from " . $this->database . "." . $inTable . " order by " . $inOrder . ";"; + + + trigger_error( "Query: " . $queryString . 
"\n", E_USER_NOTICE ); + + + $mysqlQuery = mysql_query( $queryString ); + + } + + + $result = Array(); + while( $mysqlResult = mysql_fetch_array( $mysqlQuery, MYSQL_ASSOC ) ) { + + foreach( $mysqlResult as $key => $value ) { + + if( !$helper->isUtf8( $mysqlResult[$key] ) ) { + + $mysqlResult[$key] = utf8_encode( $value ); + + } + + } + + + array_push( &$result, $mysqlResult ); + + } + + } + else { + + trigger_error( "Not connected to database", E_USER_ERROR ); + + } + + + return $result; + + } + + + + + // ## getColumns #################################################### + public function getColumns( $inTable ) { + + $queryString = ""; // Abfragestring, der an die Datenbank gesendet wird + $mysqlQuery = false; // Das Ergebnis der Abfrage + $mysqlHandler = false; // Verbindungs-Handler + $result = Array(); // Die Rueckgabe + $helper = new Helper(); // Konvertierungsklasse + + + // Verbindung mit der Datenbank aufbauen + if( $this->hasConnection ) { + + $queryString = "show columns from " . $this->database . "." . $inTable . ";"; + $mysqlQuery = mysql_query( $queryString ); + + + trigger_error( "Query: " . $queryString . 
"\n", E_USER_NOTICE ); + + + while( $mysqlResult = mysql_fetch_array( $mysqlQuery, MYSQL_ASSOC ) ) { + + foreach( $mysqlResult as $key => $value ) { + + if( !$helper->isUtf8( $mysqlResult[$key] ) ) { + + $mysqlResult[$key] = utf8_encode( $value ); + + } + + } + + + array_push( &$result, $mysqlResult ); + + } + + } + else { + + trigger_error( "Not connected to database", E_USER_ERROR ); + + } + + + return $result; + + } + + + + // ## store ######################################################### + public function store( $inTable, $inData ) { + + $helper = new Helper(); // Konvertierungsklasse + $keyInData = true; // Flag, ob ein primaerer Schluessel in den Daten vorkommt + $checkIfExists = ""; // Abfragestring, um zu ueberpruefen, ob ein Eintrag bereits existiert + $whereClause = " where "; // Bedingungs-String, an dem noch weiter angebaut werden muss + $allreadyExists = false; // Flag, ob ein Eintrag bereits existiert + $columnAutoincrement = ""; // + $columnPrimaryKey = Array(); // Alle primaeren Schluessel, die in der Tabelle definiert sind + $column = $this->getColumns( $inTable ); // Die vorhandenen Spalten der Tabelle + $checkResult = Array(); // Ergebnis der Abfrage, ob der Datensatz bereits existiert + $returnResult = Array(); // Rueckgabe + $lastInsertResult = Array(); // Ergebnis der Abfrage nach dem zuletzt eingefuegten Datensatz + $mysqlQuery = false; // Antwort der Datenbank auf eine Anfrage + $mysqlResult = Array(); // Ein Datensatz der Antwort der Datenbank + $queryString = ""; // Abfrage, die an die Datenbank geschickt wird + $i = 0; // Schleifenvariable + $useUtf8 = false; // UTF8 zur Uebertragung verwenden + + + + // An diesem String muss noch weiter angebaut werden im Verlauf + // der Funktion + $checkIfExists = "select * from " . $this->database . "." . $inTable . " where"; + + + // Alle Spalten anschauen, ob + // 1. Die Spalte ein primaerer Schluessel ist + // 2. Dieser Schluessel in den Eingabedaten vorkommt + // 3. 
Diese Spalte vielleicht ein "auto_increment" besitzt + for( $i = 0; $i < sizeof( $column ); $i++ ) { + + if( $column[$i]['Key'] == "PRI" ) { + + // Es wird darauf geprueft, ob wirklich alle Felder, die einen + // primaeren Schluessel darstellen, angegeben sind. + $keyInData = $keyInData && isset( $inData[$column[$i]['Field']] ) && preg_match( "/.+/", $inData[$column[$i]['Field']] ); + array_push( &$columnPrimaryKey, $column[$i]['Field'] ); + + + if( $keyInData ) { + + $checkIfExists .= " " . $column[$i]['Field'] . "=\"" . $inData[$column[$i]['Field']] . "\" and"; + $whereClause .= " " . $column[$i]['Field'] . "=\"" . $inData[$column[$i]['Field']] . "\" and"; + + } + + } + + + if( $column[$i]['Extra'] == "auto_increment" ) { + + $columnAutoincrement = $column[$i]['Field']; + + } + + } + + + // Wenn alle Schluesselwerte uebergeben wurden, dann pruefen, ob der + // Datensatz bereits existiert + if( $keyInData ) { + + // Verbindung mit der Datenbank aufbauen + if( $this->hasConnection ) { + + // Abschneiden des letzten "and" + $checkIfExists = substr( $checkIfExists, 0, sizeof( $checkIfExists ) - 4 ) . ";"; + $mysqlQuery = mysql_query( $checkIfExists ); + + + $checkResult = Array(); + while( $mysqlResult = mysql_fetch_array( $mysqlQuery, MYSQL_ASSOC ) ) { + + array_push( &$checkResult, $mysqlResult ); + + } + + + $allreadyExists = sizeof( $checkResult ) > 0; + + } + else { + + trigger_error( "Not connected to database", E_USER_ERROR ); + + } + + } + + + + // Wenn sowohl alle Schluessel angegeben sind in den Daten und der Datensatz schon + // existiert, dann wird ein "update"-Befehl abgesetzt. Sonst ein "insert"-Befehl + if( $keyInData && $allreadyExists ) { + + $queryString = "update " . $this->database . "." . $inTable . " set "; + + foreach( $inData as $key => $value ) { + + $queryString .= " " . $key . "=\"" . $value . 
"\", "; + + + if( $helper->isUtf8( $key ) + || $helper->isUtf8( $value ) ) { + + $useUtf8 = true; + + } + + } + + $queryString = substr( $queryString, 0, strlen( $queryString ) - 2 ) . substr( $whereClause, 0, strlen( $whereClause ) - 3 ) . ";"; + + } + else { + + $queryString = "insert into " . $this->database . "." . $inTable . " ( "; + + foreach( $inData as $key => $value ) { + + $queryString .= " " . $key . ", "; + + + if( $helper->isUtf8( $key ) ) { + + $useUtf8 = true; + + } + + } + + $queryString = substr( $queryString, 0, strlen( $queryString ) - 2 ) . " ) values ( "; + + foreach( $inData as $key => $value ) { + + $queryString .= " \"" . $value . "\", "; + + + if( $helper->isUtf8( $value ) ) { + + $useUtf8 = true; + + } + + } + + $queryString = substr( $queryString, 0, strlen( $queryString ) - 2 ) . " );"; + + } + + + + // Verbindung mit der Datenbank aufbauen + if( $this->hasConnection ) { + + // Es muss gelten (entweder oder) + // 1. In den Daten sind alle notwendigen primaeren Schluessel eingetragen und es + // ist keine Spalte dabei, die ein "auto_increment" enthaelt. + // 2. Es sind alle Schluessel vorhanden und der Datensatz existiert bereits in der + // Tabelle + if( (!$keyInData && ($columnAutoincrement != "")) || ($keyInData && $allreadyExists) ) { + + // Wenn es sich um einen "insert"-Befehl handelt, dann soll die Datenbank + // gesperrt werden, um anschliessend den neu eingefuegten Datensatz wieder + // auslesen zu koennen. + if( !$keyInData ) { + + $mysqlQuery = mysql_query( "lock tables " . $this->database . "." . $inTable . " write;" ); + + } + + + trigger_error( "Query: " . $queryString . 
"\n", E_USER_NOTICE ); + + + // Sollte ein Wert UTF8-codiert sein, so muss dies der Datenbank + // gesagt werden + if( $useUtf8 ) { + + trigger_error( "DataBase::store(): Using UTF8 for submission.\n", E_USER_NOTICE ); + + mysql_query( "SET CHARACTER SET \"utf8\"" ); + + } + + + // Den zusammengesetzten Query-String an die Datenbank senden + $mysqlQuery = mysql_query( $queryString ); + + + // Es war ein insert-Befehl und es muss erausgefunden werden, welcher + // Schluessel dabei erzeugt wurde. Ausserdem werden die eingefuegten Daten + // abgefragt, um als Rueckgabe der Funktion zu dienen. + if( !$keyInData ) { + + // Herausfinden, welcher Schluessel erzeugt wurde + $queryString = "select distinct last_insert_id() from " . $this->database . "." . $inTable . ";"; + $mysqlQuery = mysql_query( $queryString ); + + + $lastInsertResult = Array(); + while( $mysqlResult = mysql_fetch_array( $mysqlQuery, MYSQL_ASSOC ) ) { + + array_push( &$lastInsertResult, $mysqlResult ); + + } + + + $queryString = "select * from " . $this->database . "." . $inTable . " where "; + $queryString .= $columnAutoincrement . "=\"" . $lastInsertResult[0]['last_insert_id()'] . "\";"; + $mysqlQuery = mysql_query( $queryString ); + + } + else { + + $queryString = "select * from " . $this->database . "." . $inTable . " where "; + $queryString .= $columnPrimaryKey[0] . "=\"" . $inData[$columnPrimaryKey[0]] . 
"\";"; + $mysqlQuery = mysql_query( $queryString ); + + } + + + while( $mysqlResult = mysql_fetch_array( $mysqlQuery, MYSQL_ASSOC ) ) { + + $returnResult[] = $mysqlResult; + + } + + + // Datenbank wieder freigeben + if( !$keyInData ) { + + $mysqlQuery = mysql_query( "unlock tables;" ); + + } + + } + else { + + trigger_error( "Cannot insert data into table without having auto_increment or primary key in data", E_USER_ERROR ); + + } + + } + else { + + trigger_error( "Not connected to database", E_USER_ERROR ); + + } + + + if( sizeof( $returnResult ) > 0 ) { + + return $returnResult; + + } + else { + + return false; + + } + + } + + + + + // ## query ######################################################### + public function query( $inQuery ) { + + $queryString = ""; // Abfragestring, der an die Datenbank gesendet wird + $mysqlQuery = false; // Das Ergebnis der Abfrage + $mysqlHandler = false; // Verbindungs-Handler + $helper = new Helper(); // Konvertierungsklasse + $returnResult = true; // Die Rueckgabe + + + if( $helper->isUtf8( $inQuery ) ) { + + mysql_query( "SET CHARACTER SET 'utf8'" ); + //$inQuery = utf8_decode( $inQuery ); + + } + + + if( $this->hasConnection ) { + + trigger_error( "Query: " . $inQuery . 
"\n", E_USER_NOTICE ); + + + $mysqlQuery = mysql_db_query( $this->database, $inQuery ); + + + // Sollte es sich nicht um eine delete-Anweisung handeln, dann das + // Abfrageergebnis uebernehmen + if( !preg_match( "/(^[\s]*delete[\s]*from[\s]*.*)|(^[\s]*update[\s]*.*)/i", $inQuery ) ) { + + $returnResult = Array(); + while( $mysqlResult = mysql_fetch_array( $mysqlQuery, MYSQL_ASSOC ) ) { + + foreach( $mysqlResult as $key => $value ) { + + $mysqlResult[$key] = utf8_decode( $value ); + + } + + + array_push( &$returnResult, $mysqlResult ); + + } + + } + + } + else { + + trigger_error( "Not connected to database", E_USER_ERROR ); + + + $returnResult = false; + + } + + + return $returnResult; + + } + + + + + // ## dateToText #################################################### + public function dateToText( $inDate, $inCountry ) { + + $tmp = Array(); + + + if( $inDate != "" ) { + + // Aufteilen des Datums in seine Bestandteile + $tmp = split( "-", $inDate ); + + + if( preg_match( "/^de$/i", $inCountry ) ) { + + if( sizeof( $tmp ) == 3 ) { + + $datestring = trim( $tmp[2] ) . "." . trim( $tmp[1] ) . "." . trim( $tmp[0] ); + + } + else { + + $datestring = $inDate; + + } + + } + elseif( preg_match( "/^en$/i", $inCountry ) ) { + + if( sizeof( $tmp ) == 3 ) { + + $datestring = trim( $tmp[2] ) . "/" . trim( $tmp[1] ) . "/" . trim( $tmp[0] ); + + } + else { + + $datestring = $inDate; + + } + + } + else { + + $datestring = $inDate; + + } + + } + else { + + $datestring = ""; + + } + + + return $datestring; + + } + + + + + // ## textToDate #################################################### + public function textToDate( $inText, $inCountry ) { + + if( $inText != "" ) { + + if( preg_match( "/de/i", $inCountry ) ) { + + $tmp = split( "\.", $inText ); + + + if( sizeof( $tmp ) == 3 ) { + + $datestring = trim( $tmp[2] ) . "-" . trim( $tmp[1] ) . "-" . 
trim( $tmp[0] ); + + } + else { + + $datestring = $inText; + + } + + } + elseif( preg_match( "/en/i", $inCountry ) ) { + + $tmp = split( "/", $inText ); + + + if( sizeof( $tmp ) == 3 ) { + + $datestring = trim( $tmp[2] ) . "-" . trim( $tmp[1] ) . "-" . trim( $tmp[0] ); + + } + else { + + $datestring = $inText; + + } + + } + else { + + $datestring = $inText; + + } + + } + else { + + $datestring = ""; + + } + + + return $datestring; + + } + + + + + // ## mysqlToFloat ################################################## + public function mysqlToFloat( $inFloat, $inCountry ) { + + if( $inFloat != "" ) { + + if( preg_match( "/de/i", $inCountry ) ) { + + $float = str_replace( ".", ",", $inFloat ); + + } + + } + else { + + $float = 0; + + } + + + return $float; + + } + + + + + // ## floatToMysql ################################################## + public function floatToMysql( $inFloat, $inCountry ) { + + if( $inFloat != "" ) { + + if( preg_match( "/de/i", $inCountry ) ) { + + $float = str_replace( ".", "", $inFloat ); + $float = str_replace( ",", ".", $float ); + + } + + } + else { + + $float = 0; + + } + + + return $float; + + } + + + + + // ## floatrangeToMysql ############################################# + public function floatrangeToMysql( $inFloatrange, $inCountry ) { + + if( $inFloatrange != "" ) { + + if( preg_match( "/de/i", $inCountry ) ) { + + $floatrange = str_replace( ".", "", $inFloatrange ); + $floatrange = str_replace( " ", "", $floatrange ); + $floatrange = str_replace( ",", ".", $floatrange ); + $floatrange = str_replace( "-", " - ", $floatrange ); + + } + + } + else { + + $floatrange = ""; + + } + + + return $floatrange; + + } + + + + + // ## mysqlToFloatrange ############################################# + public function mysqlToFloatrange( $inFloatrange, $inCountry ) { + + if( $inFloatrange != "" ) { + + if( preg_match( "/de/i", $inCountry ) ) { + + $floatrange = str_replace( ".", ",", $inFloatrange ); + + } + + } + else { + + $floatrange = ""; + + } + 
+ + return $floatrange; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/lib/Helper.class.php b/info.textgrid.middleware.tgauth.rbac/lib/Helper.class.php new file mode 100755 index 0000000..8ff17a5 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/lib/Helper.class.php 
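Review bot: DataBase::get() and store() build SQL by string concatenation — `$inFilter`, `$inOrder`, `$inTable`, `$inCol` and every `$inData` key and value are pasted into the statement unescaped (the `"\"" . $value . "\""` quoting in store() is not escaping), so whatever a caller forwards reaches the database verbatim; at minimum pass each value through `mysql_real_escape_string( $value, $this->connection )` and accept only column names that `getColumns()` returned, with `$inOrder` checked the same way. store() also trims the key filter with `substr( $checkIfExists, 0, sizeof( $checkIfExists ) - 4 )`, but `sizeof` on a string is not its length (the later `strlen( $queryString ) - 2` is the form that was meant), so the query only parses by accident of the resulting negative offset. None of the `mysql_query` results are checked for `false` before `mysql_fetch_array`, and every statement including the stored values is written to the error log via `trigger_error( "Query: " …, E_USER_NOTICE )`, which is worth gating or redacting if the data being stored is sensitive. The `array_push( &$result, … )` call-time reference form is unnecessary; `$result[] = $mysqlResult;` as store() itself uses further down does the same. mysqlToFloat(), floatToMysql(), floatrangeToMysql() and mysqlToFloatrange() return `$float`/`$floatrange` unassigned when `$inCountry` is not `de`; initialising them to `$inFloat`/`$inFloatrange` before the branch fixes that.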
@@ -0,0 +1,468 @@ +<?php +// #################################################################### +// Version: 0.6.2 +// Author: Markus Widmer +// Created: 28.11.2006 +// Modified: 09.04.2008 + + + + +class Helper implements iHelper { + + // ## Klassenvariablen ############################################## + + + + + // ## Konstruktor ################################################### + public function __construct() { + } + + + + + // ## extractFilename ############################################### + public function extractFilename( $inPath ) { + + $arrComponent = Array(); // Die einzelnen Komponentn des Pfads + + + $arrComponent = preg_split( "/\//", $inPath ); + + + return $arrComponent[(sizeof( $arrComponent ) - 1)]; + + } + + + + // ## isUtf8 ######################################################## + public function isUtf8( $inString ) { + +/* + return preg_match( "%^(?:" + . "[\x09\x0A\x0D\x20-\x7E]" # ASCII + . " | [\xC2-\xDF][\x80-\xBF]" # non-overlong 2-byte + . " | \xE0[\xA0-\xBF][\x80-\xBF]" # excluding overlongs + . " | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}" # straight 3-byte + . " | \xED[\x80-\x9F][\x80-\xBF]" # excluding surrogates + . " | \xF0[\x90-\xBF][\x80-\xBF]{2}" # planes 1-3 + . " | [\xF1-\xF3][\x80-\xBF]{3}" # planes 4-15 + . " | \xF4[\x80-\x8F][\x80-\xBF]{2}" # plane 16 + . " )*$%xs", $inString ); +*/ + + return (utf8_encode( utf8_decode( $inString ) ) === $inString); + + } + + + + + // ## flatAddressToArray ############################################ + public function flatAddressToArray( $inAddress, $inSplit ) { + + $arrRawAddress = Array(); // Die erste Bearbeitung der Adresse + $arrAddress = Array(); // Endversion + $zipIndex = false; // Stelle im Array, an der die PLZ steht + $i = 0; // Schleifenvariable + + + $arrAddress['raw'] = $inAddress; + $arrRawAddress = preg_split( "/[" . $inSplit . 
"]/", $inAddress ); + + + // Im letzten Eintrag muss der Laendercode stehen + $arrAddress['countrycode'] = trim( strtolower( array_pop( &$arrRawAddress ) ) ); + + + if( preg_match( "/^de$/i", trim( $arrAddress['countrycode'] ) ) ) { + + // Herausfinden, an welcher Stelle die Postleitzahl steht + for( $i = 0; $i < sizeof( $arrRawAddress ); $i++ ) { + + if( preg_match( "/[0-9]{5}/", trim( $arrRawAddress[$i] ) ) ) { + + $zipIndex = $i; + $arrAddress['zip'] = trim( $arrRawAddress[$i] ); + + } + + } + + + if( $zipIndex ) { + + // Alle Eintraege davor gehoeren zur Anschrift + for( $i = 0; $i < $zipIndex; $i++ ) { + + $arrAddress['address'][$i] = trim( $arrRawAddress[$i] ); + + } + + + // Der Eintrag nach nach der PLZ ist die Stadt + if( sizeof( $arrRawAddress ) > $zipIndex + 1 ) { + + $arrAddress['town'] = trim( $arrRawAddress[$zipIndex+1] ); + + } + + + // Land + $arrAddress['country'] = trim( $arrAddress['countrycode'] ); + + } + else { + + // Alle Eintraege gehoeren zur Anschrift + for( $i = 0; $i < sizeof( $arrRawAddress ); $i++ ) { + + $arrAddress['address'][$i] = trim( $arrRawAddress[$i] ); + + } + + } + + } + + + return $arrAddress; + + } + + + + + // ## extractLanguage ############################################### + public function extractLanguage( $inServerString ) { + + $arrCode = Array(); // Alle gefunden moeglichen Codes + $arrCombination = Array(); // Alle Kombinationen aus Sprache-Land + $arrBlacklist = Array(); // Diese Codes nicht verwenden, da sie ein Land bezeichnen + $arrReturn = Array(); // Die gueltigen gefundenen Sprachen + $i = 0; // Schleifenvariable + + + preg_match_all( "/[a-z]{2}/i", $inServerString, &$arrCode ); + preg_match_all( "/[a-z]{2}-[a-z]{2}/i", $inServerString, &$arrCombination ); + + + // Nur der erste Array-Eintrag ist von Interesse in diesem Fall + $arrCode = $arrCode[0]; + $arrCombination = $arrCombination[0]; + + + for( $i = 0; $i < sizeof( $arrCombination ); $i++ ) { + + $arrTmp = split( "-", $arrCombination[$i] ); + + + // 
Der hintere Teil bezieht sich auf das Land. Wenn aber hinterer und vorderer + // Teil gleich sind, darf es trotzdem nicht auf die Blacklist. + !preg_match( "/" . $arrTmp[0] . "/", $arrTmp[1] ) ? array_push( &$arrBlacklist, $arrTmp[1] ) : false; + + } + + + for( $i = 0; $i < sizeof( $arrCode ); $i++ ) { + + if( !in_array( $arrCode[$i], $arrReturn ) + && !in_array( $arrCode[$i], $arrBlacklist ) ) { + + array_push( &$arrReturn, strtolower( $arrCode[$i] ) ); + + } + + } + + + return $arrReturn; + + } + + + + +/* + // ## generalizedtimeToTextDateTime ################################# + public function generalizedtimeToTextDateTime( $inDate, $inCountry ) { + + $datestring = ""; // Formatiertes Datum mit Uhrzeit + + + if( $inDate != "" ) { + + if( preg_match( "/de/i", $inCountry ) ) { + + $datestring .= substr( $inDate, 6, 2 ) . "." . substr( $inDate, 4, 2 ) . "." . substr( $inDate, 0, 4 ) . " / "; + $datestring .= substr( $inDate, 8, 2 ) . ":" . substr( $inDate, 10, 2 ) . ":" . substr( $inDate, 12, 2 ); + + } + elseif( preg_match( "/en/i", $inCountry ) ) { + + $datestring .= substr( $inDate, 6, 2 ) . "/" . substr( $inDate, 4, 2 ) . "/" . substr( $inDate, 0, 4 ) . " - "; + $datestring .= substr( $inDate, 8, 2 ) . ":" . substr( $inDate, 10, 2 ) . ":" . substr( $inDate, 12, 2 ); + + } + else { + + $datestring = $inDate; + + } + + } + + + return $datestring; + + } +*/ + + +/* + // ## generalizedtimeToTextDate ##################################### + public function generalizedtimeToTextDate( $inDate, $inCountry ) { + + $datestring = ""; // Formatiertes Datum + + + if( $inDate != "" ) { + + if( preg_match( "/de/i", $inCountry ) ) { + + $datestring .= substr( $inDate, 6, 2 ) . "." . substr( $inDate, 4, 2 ) . "." . substr( $inDate, 0, 4 ); + + } + elseif( preg_match( "/en/i", $inCountry ) ) { + + $datestring .= substr( $inDate, 6, 2 ) . "/" . substr( $inDate, 4, 2 ) . "/" . 
substr( $inDate, 0, 4 ); + + } + else { + + $datestring = $inDate; + + } + + } + + + return $datestring; + + } +*/ + + +/* + // ## textDateToGeneralizedtime ##################################### + public function textDateToGeneralizedtime( $inText, $inCountry ) { + + $datestring = ""; // Datum im Format generalizedtime + $convert = new Convert(); // Konvertierungsklasse + + + if( $inText != "" ) { + + if( preg_match( "/de/i", $inCountry ) ) { + + $tmp = split( "\.", $inText ); + + + if( sizeof( $tmp ) == 3 ) { + + $datestring .= $convert->expandNumber( trim( $tmp[2] ), 4 ); + $datestring .= $convert->expandNumber( trim( $tmp[1] ), 2 ); + $datestring .= $convert->expandNumber( trim( $tmp[0] ), 2 ) . "000000Z"; + + } + else { + + $datestring = $inText; + + } + + } + elseif( preg_match( "/en/i", $inCountry ) ) { + + $tmp = split( "/", $inText ); + + + if( sizeof( $tmp ) == 3 ) { + + $datestring .= $convert->expandNumber( trim( $tmp[2] ), 4 ); + $datestring .= $convert->expandNumber( trim( $tmp[1] ), 2 ); + $datestring .= $convert->expandNumber( trim( $tmp[0] ), 2 ) . "000000Z"; + + } + else { + + $datestring = $inText; + + } + + } + else { + + $datestring = $inText; + + } + + } + + + return $datestring; + + } +*/ + + +/* + // ## textToMysqlDatetime ########################################### + public function textToMysqlDatetime( $inText, $inCountry ) { + + $tmp = Array(); + $tmpDate = Array(); + $tmpTime = Array(); + $dateTime = ""; + + + if( preg_match( "/^de$/i", $inCountry ) ) { + + if( preg_match( "/^[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{4}(\s[0-9]{1,2}(:[0-9]{1,2}){1,2})?$/", $inText ) ) { + + $tmp = split( " ", $inText ); + + } + else { + + $tmp = false; + + } + + + if( is_array( $tmp ) ) { + + isset( $tmp[0] ) ? $tmpDate = split( "\.", $tmp[0] ) : $tmpDate = Array(); + isset( $tmp[1] ) ? $tmpTime = split( ":", $tmp[1] ) : $tmpTime = Array(); + + sizeof( $tmpDate ) == 3 ? $dateTime .= $tmpDate[2] . "-" . $tmpDate[1] . "-" . 
$tmpDate[0] : false; + sizeof( $tmpTime ) >= 2 ? $dateTime .= " " . $tmpTime[0] . ":" . $tmpTime[1] : false; + sizeof( $tmpTime ) == 3 ? $dateTime .= ":" . $tmpTime[2] : false; + + + return $dateTime; + + } + else { + + return false; + + } + + } + elseif( preg_match( "/^en$/i", $inCountry ) ) { + + return false; + + } + else { + + return false; + + } + + } +*/ + + +/* + // ## mysqlDatetimeToArray ########################################## + public function mysqlDatetimeToArray( $inDate, $inCountry ) { + + $tmp = Array(); + $tmpDate = Array(); + $tmpTime = Array(); + $arrDateAndTime = Array(); + + + if( $inDate != "" ) { + + // Aufteilen des Datums in seine Bestandteile + $tmp = split( " ", $inDate ); + $tmpDate = split( "-", $tmp[0] ); + $tmpTime = split( ":", $tmp[1] ); + + + if( preg_match( "/^de$/i", $inCountry ) ) { + + // Das Datum zusammensetzen + if( sizeof( $tmpDate ) == 3 ) { + + $arrDateAndTime['date'] = trim( $tmpDate[2] ) . "." . trim( $tmpDate[1] ) . "." . trim( $tmpDate[0] ); + $arrDateAndTime['day'] = $tmpDate[2]; + $arrDateAndTime['month'] = $tmpDate[1]; + $arrDateAndTime['year'] = $tmpDate[0]; + + } + else { + + $arrDateAndTime['date'] = $tmp[0]; + + } + + + // Die Uhrzeit kann einfach uebernommen werden + $arrDateAndTime['time'] = join( ":", $tmpTime ); + isset( $tmpTime[0] ) ? $arrDateAndTime['hour'] = $tmpTime[0] : $arrDateAndTime['hour'] = 0; + isset( $tmpTime[1] ) ? $arrDateAndTime['minute'] = $tmpTime[1] : $arrDateAndTime['minute'] = 0; + isset( $tmpTime[2] ) ? $arrDateAndTime['second'] = $tmpTime[2] : $arrDateAndTime['second'] = 0; + + } + elseif( preg_match( "/^en$/i", $inCountry ) ) { + + // Das Datum zusammensetzen + if( sizeof( $tmpDate ) == 3 ) { + + $arrDateAndTime['date'] = trim( $tmpDate[0] ) . "/" . trim( $tmpDate[1] ) . "/" . 
trim( $tmpDate[2] ); + $arrDateAndTime['day'] = $tmpDate[2]; + $arrDateAndTime['month'] = $tmpDate[1]; + $arrDateAndTime['year'] = $tmpDate[0]; + + } + else { + + $arrDateAndTime['date'] = $tmp[0]; + + } + + + // Die Uhrzeit kann einfach uebernommen werden + $arrDateAndTime['time'] = join( ":", $tmpTime ); + isset( $tmpTime[0] ) ? $arrDateAndTime['hour'] = $tmpTime[0] : $arrDateAndTime['hour'] = 0; + isset( $tmpTime[1] ) ? $arrDateAndTime['minute'] = $tmpTime[1] : $arrDateAndTime['minute'] = 0; + isset( $tmpTime[2] ) ? $arrDateAndTime['second'] = $tmpTime[2] : $arrDateAndTime['second'] = 0; + + } + else { + + $arrDateAndTime['date'] = $tmp[0]; + $arrDateAndTime['time'] = $tmp[1]; + + } + + } + else { + + $datestring = ""; + + } + + + return $arrDateAndTime; + + } +*/ +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/lib/LDAP.class.php b/info.textgrid.middleware.tgauth.rbac/lib/LDAP.class.php new file mode 100755 index 0000000..5522d1e --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/lib/LDAP.class.php 
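Review bot: Helper::isUtf8() decides by round-tripping through `utf8_decode`/`utf8_encode`, which only holds for strings whose characters all exist in ISO-8859-1 — valid UTF-8 containing any other character is reported as not UTF-8, and a caller such as DataBase::get() in this same commit would then `utf8_encode` it a second time; `return mb_check_encoding( $inString, 'UTF-8' );` is the check the commented-out regex above it was approximating. In flatAddressToArray() `$inSplit` is spliced raw into the character class `"/[" . $inSplit . "]/"`, so a delimiter such as `]` or `\` breaks or changes the pattern; wrap it as `preg_quote( $inSplit, '/' )`. The same function tests `if( $zipIndex )`, which is false both for "not found" and for a postcode in position 0, so an address that starts with the postcode loses its town; since the sentinel is `false`, the test should be `if( $zipIndex !== false )`. In extractLanguage() the duplicate check compares the original-case code against the already lower-cased `$arrReturn` (`!in_array( $arrCode[$i], $arrReturn )`), so `EN` and `en` from one header both end up in the result; lower-case before the `in_array` calls, pass `true` as their third argument, and drop the call-time `&$arrCode`/`&$arrReturn` references, which these functions do not need. The commented-out methods at the end of the file are dead code under version control and would be better removed than carried.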
@@ -0,0 +1,670 @@ +<?php +// #################################################################### +// Version: 0.4.1 +// Author: Markus Widmer +// Created: 12.10.2006 +// Modified: 02.04.2008 + + + +class LDAP implements iLDAP { + + // ## Class-variables ############################################### + private $connection; + private $hasConnection; + private $lastConnectHost; + private $lastConnectPort; + private $lastConnectVersion; + private $lastConnectTls; + private $lastBindDn; + private $lastBindPw; + private $cache; + + + + + // ## Constructor ################################################### + public function __construct() { + + $this->hasConnection = false; + + } + + + + + // ## Destructor #################################################### + public function __destruct() { + } + + + + + // ## Wakeup ######################################################## + public function __wakeup() { + + if( $this->hasConnection() ) { + + $this->reconnect(); + + } + + } + + + + + // ## connect ####################################################### + public function connect( $inHost, $inPort, $inVersion, $inTls = false ) { + + $connection = false; // Verbindungstest ueber einen Socket + $socket = false; // Socket-Handler + + + // Verbindungsdaten fuer ein "reconnect" speichern + $this->lastConnectHost = $inHost; + $this->lastConnectPort = $inPort; + $this->lastConnectVersion = $inVersion; + $this->lastConnectTls = $inTls; + + + // Die Verbindung wird als nicht vorhanden eingestuft + $this->connection = false; + $this->hasConnection = false; + + + // Testen, ob eine Verbindung moeglich ist. Dies wird durch + // den Aufbau eines Sockets geleistet, da die Funktion + // "ldap_connect" in jedem Fall den Wert TRUE liefert und + // so nicht festgestellt werden kann ob eine Verbindung + // moeglich ist. Dieser Test gibt jedoch keine Auskunft + // darueber, ob wirklich ein LDAP-Server antwortet! 
+ $socket = socket_create( AF_INET, SOCK_STREAM, SOL_TCP ); + $connection = @socket_connect( $socket, $inHost, $inPort ); + socket_close( $socket ); + + + if( $connection ) { + + // Es wird nun davon ausgegangen, dass auch der + // Verbindungsaufbau klappt und das Skript daher + // eine Verbindung hat. + $this->hasConnection = true; + + + // Verbindungsaufbau + $this->connection = ldap_connect( $inHost, $inPort ) or die( "ERROR!" ); + + + // Optionen setzen + ldap_set_option( $this->connection, LDAP_OPT_PROTOCOL_VERSION, $inVersion ); + + if( $inTls ) { + + ldap_start_tls( $this->connection ); + + } + + } + else { + + trigger_error( "LDAP::connect(): Connection to host " . $inHost . " on port . " . $inPort . " failed.\n", E_USER_ERROR ); + + } + + + return $this->connection; + + } + + + + + // ## reconnect ##################################################### + public function reconnect() { + + $this->hasConnection = false; + return $this->connect( $this->lastConnectHost, $this->lastConnectPort, $this->lastConnectVersion, $this->lastConnectTls ); + + } + + + + + // ## rebind ######################################################## + public function rebind() { + + return $this->bind( $this->lastBindDn, $this->lastBindPw ); + + } + + + + + // ## bind ########################################################## + public function bind( $inDn, $inPassword ) { + + // Verbindungsdaten fuer ein "rebind" speichern + $this->lastBindDn = $inDn; + $this->lastBindPw = $inPassword; + + + // Am LDAP binden funktioniert nur ueber eine + // vorhandene Verbindung. + if( $this->hasConnection() ) { + + if( !ldap_bind( $this->connection, $inDn, $inPassword ) ) { + + trigger_error( "LDAP::bind(): Bind for " . $inDn . 
" not ok\n", E_USER_NOTICE ); + + return false; + + } + else { + + return true; + + } + + } + else { + + return false; + + } + + } + + + + + // ## getEntry ###################################################### + public function getEntry( $inDn ) { + + $ldapSearch = false; // Such-Handler + $ldapEntries = Array(); // Unbearbeitete Ergebnisse + $arrResult = Array(); // Suchergebniss + $i = 0; // Schleifenvariable + + + // Im LDAP suchen funktioniert nur ueber eine + // vorhandene Verbindung. + if( $this->hasConnection ) { + + if( isset( $this->cache[$inDn] ) ) { + + return $this->cache[$inDn]; + + } + else { + + trigger_error( "LDAP::getEntry(): Searching for: " . $inDn . "\n", E_USER_NOTICE ); + + + $ldapSearch = @ldap_read( $this->connection, $inDn, "(objectClass=*)" ); + + + if( $ldapSearch ) { + + $ldapEntries = ldap_get_entries( $this->connection, $ldapSearch ); + + } + + + // Ueberfluessige Eintraege entfernen + $ldapEntries = $this->clean( $ldapEntries ); + + + // Sollte nur ein einziger oder kein Eintrag sein! Dieser + // Eine (oder Keine) wird uebernommen. + for( $i = 0; $i < sizeof( $ldapEntries ); $i++ ) { + + // Das Ergebnis in den Cache schreiben + $this->cache[$ldapEntries[$i]['dn']] = $ldapEntries[$i]; + + + if( preg_match( "/^" . $ldapEntries[$i]['dn'] . "$/i", $inDn ) ) { + + $arrResult = $ldapEntries[$i]; + + } + + } + + } + + } + + + return $arrResult; + + } + + + + + // ## search ######################################################## + public function search( $inBase, $inFilter, $inScope = "sub", $inArrAttribute = null ) { + + $ldapSearch = false; // Such-Handler + $ldapEntries = false; // Unbearbeitete Ergebnisse + $arrResult = Array(); // Suchergebnisse + $i = 0; // Schleifenvariable + + + // Im LDAP suchen funktioniert nur ueber eine + // vorhandene Verbindung. + if( $this->hasConnection() ) { + + trigger_error( "LDAP::search(): Searching for: " . $inFilter . " with scope " . $inScope . 
"\n", E_USER_NOTICE ); + + + // Je nach "scope" muss eine andere Funktion aufgerufen werden. + if( $inScope == "one" ) { + + if( is_array( $inArrAttribute ) ) { + + $ldapSearch = ldap_list( $this->connection, $inBase, $inFilter, $inArrAttribute ); + + } + else { + + $ldapSearch = ldap_list( $this->connection, $inBase, $inFilter ); + + } + + } + else { + + if( is_array( $inArrAttribute ) ) { + + $ldapSearch = ldap_search( $this->connection, $inBase, $inFilter, $inArrAttribute ); + + } + else { + + $ldapSearch = ldap_search( $this->connection, $inBase, $inFilter ); + + } + + } + + + $ldapEntries = ldap_get_entries( $this->connection, $ldapSearch ); + + + // Ueberfluessige Eintraege entfernen + $arrResult = $this->clean( $ldapEntries ); + + + // Die gefundenen Eintraege in den Cache schreiben, + // sofern die Abfrage nicht auf wenige Attribute + // beschraenkt wurde! + if( !$inArrAttribute == null ) { + + for( $i = 0; $i < sizeof( $arrResult ); $i++ ) { + + $this->cache[$arrResult[$i]['dn']] = $arrResult[$i]; + + } + + } + + } + + + return $arrResult; + + } + + + + + // ## clean ######################################################### + private function clean( $inResult, $inDecode = false ) { + + $helper = new Helper(); // Hilfsklasse mit verschiedenen Funktionen + $attributeName = ""; // Temporaerer Attributname + $arrAttribute = Array(); // Temporaerer Speicher fuer Attribute + $arrResAttr = Array(); // Temporaerer Speicher fuer Attribute + + $j = 0; // Schleifenvariable + $m = 0; // Schleifenvariable + $o = 0; // Schleifenvariable + $p = 0; // Schleifenvariable + $arrResult = Array(); // Rueckgabe + + + // Alle Suchergebnisse durchgehen. Dabei ist es wichtig + // das letzte Element nicht zu beachten, da eine + // LDAP-Abfrage immer ein Ergebniss mehr liefert als + // tatsaechlich vorhanden sind. + for( $i = 0; $i < sizeof( $inResult ) - 1; $i++ ) { + + // Nur Eintraege betrachten, die eine DN mit Wert haben. 
+ if( $inResult[$i]['dn'] != "" ) { + + // DN uebernehmen + $arrResult[$j]['dn'] = $inResult[$i]['dn']; + + + // Jedes Attribut ansehen + for( $m = 0; $m < $inResult[$i]['count']; $m++ ) { + + $attributeName = $inResult[$i][$m]; + + + $o = 0; + $arrAttribute = Array(); + $arrResAttr = $inResult[$i][$attributeName]; + for( $p = 0; $p < sizeof( $arrResAttr ) - 1; $p++ ) { + + if( $arrResAttr[$p] != "" ) { + + // Daten decodieren + if( $inDecode ) { + + $arrAttribute[$o] = utf8_decode( $arrResAttr[$p] ); + + } + else { + + if( !$helper->isUtf8( $arrResAttr[$p] ) ) { + + $arrAttribute[$o] = utf8_encode( $arrResAttr[$p] ); + + } + else { + + $arrAttribute[$o] = $arrResAttr[$p]; + + } + + } + + + $o++; + + } + + } + + + // Uebernehmen des bereinigten Attribut-Arrays + $arrResult[$j][$attributeName] = $arrAttribute; + + } + + + $j++; + + } + + } + + + return $arrResult; + + } + + + + + // ## copy ########################################################## + public final function copy( $inDnFrom, $inDnTo, $inRecursiv = false ) { + + $ldapSearch = false; // Such-Handler + $ldapResult = Array(); // Unbehandelte Suchergebnisse + $tmp = ""; // Temporaerer String + $oldDn = ""; // Alte DN zwischenspeichern + $newRdn = ""; // Neues Ziel bei Rekursion + $attrNameOld = ""; // Alter Attributname + $attrNameNew = ""; // Neuer Attributname + $attrValueOld = ""; // Alter Wert des Attributs + $attrValueNew = ""; // Neuer Wert des Attributs + $i = 0; // Schleifenvariable + $treeCopy = false; // Rekursives Kopieren + $baseCopy = false; // Kopieren des aktuellen DN + + + if( $this->hasConnection() ) { + + // Abfragen des Eintrags + $ldapSearch = ldap_search( $this->connection, $inDnFrom, "(objectClass=*)" ); + $ldapResult = ldap_get_entries( $this->connection, $ldapSearch ); + + + // Entfernen von ueberfluessigen Eintragungen im Array + $ldapResult = $this->clean( $ldapResult, false ); + + + // Zunaechst nur das erste Element bearbeiten + $ldapResult = $ldapResult[0]; + + + // Entfernen 
des DN nach Zwischenspeicherung + $oldDn = $ldapResult['dn']; + unset( $ldapResult['dn'] ); + + + // Attribut umbenennen, damit kein Namens-Konflikt entsteht + $tmp = split( ",", $oldDn ); + $tmp = split( "=", $tmp[0] ); + $attrNameOld = $tmp[0]; + $attrValueOld = $tmp[1]; + $tmp = split( ",", $inDnTo ); + $tmp = split( "=", $tmp[0] ); + $attrNameNew = $tmp[0]; + $attrValueNew = $tmp[1]; + + + for( $i = 0; $i < sizeof( $ldapResult[$attrNameOld] ); $i++ ) { + + if( $ldapResult[$attrNameOld][$i] == $attrValueOld ) { + + // Alle Eintraege muessen UTF8 codiert sein + $ldapResult[$attrNameNew][$i] = utf8_encode( $attrValueNew ); + + } + + } + + + // Einfuegen an neuer DN + $baseCopy = ldap_add( $this->connection, utf8_encode( $inDnTo ), $ldapResult ); + + + // Rekursion + if( $inRecursiv ) { + + // Abfragen der darunterliegenden Eintraege + $ldapSearch = ldap_list( $this->connection, $inDnFrom, "(objectClass=*)" ); + $ldapResult = ldap_get_entries( $this->connection, $ldapSearch ); + + + // Entfernen von ueberfluessigen Eintragungen im Array + $ldapResult = $this->clean( $ldapResult ); + + + for( $i = 0; $i < sizeof( $ldapResult ); $i++ ) { + + $oldDn = $ldapResult[$i]['dn']; + unset( $ldapResult[$i]['dn'] ); + + + // Name des Knotens herausfinden + $newRdn = split( ",", $oldDn ); + $newRdn = $newRdn[0]; + + + // Rekursiver Aufruf + $treeCopy = $this->copy( $oldDn, $newRdn . "," . 
$inDnTo, true ); + + } + + } + + + if( $inRecursive ) { + + return ( $baseCopy && $treeCopy ); + + } + else { + + return $baseCopy; + + } + + } + else { + + return false; + + } + + } + + + + + // ## delete ######################################################## + public final function delete( $inDn, $inRecursiv = false ) { + + $treeDelete; // Erfolg des rekursiven Loeschens + + + if( $this->hasConnection() ) { + + // Rekursion + if( $inRecursiv ) { + + $treeDelete = false; + + + // Abfragen der darunterliegenden Eintraege + $ldapSearch = ldap_list( $this->connection, $inDn, "(objectClass=*)", Array( "objectClass" ) ); + $ldapResult = ldap_get_entries( $this->connection, $ldapSearch ); + + + // Entfernen von ueberfluessigen Eintragungen im Array + $ldapResult = $this->clean( $ldapResult ); + + + for( $i = 0; $i < sizeof( $ldapResult ); $i++ ) { + + unset( $this->cache[$ldapResult[$i]['dn']] ); + $treeDelete = $this->delete( $ldapResult[$i]['dn'], true ); + + } + + + if( sizeof( $ldapResult ) == 0 ) { + + $treeDelete = true; + + } + + } + else { + + $treeDelete = true; + + } + + + // Loeschen der aktuellen DN + unset( $this->cache[$inDn] ); + return ( $treeDelete && ldap_delete( $this->connection, $inDn ) ); + + } + else { + + return false; + + } + + } + + + + + // ## modify ######################################################## + public function modify( $inDn, Array $inAttribute ) { + + if( $this->hasConnection() ) { + + unset( $this->cache[$inDn] ); + return ldap_modify( $this->connection, $inDn, $inAttribute ); + + } + else { + + return false; + + } + + } + + + + + // ## removeAttribute ############################################### + public function removeAttribute( $inDn, $inAttribute ) { + + if( $this->hasConnection() ) { + + unset( $this->cache[$inDn] ); + return ldap_mod_del( $this->connection, $inDn, Array( $inAttribute => Array() ) ); + + } + else { + + return false; + + } + + } + + + + + // ## add 
########################################################### + public function add( $inDn, Array $inAttribute ) { + + if( $this->hasConnection() ) { + + unset( $this->cache[$inDn] ); + return ldap_add( $this->connection, $inDn, $inAttribute ); + + } + else { + + return false; + + } + + } + + + + + // ## getConnection ################################################# + public final function getConnection() { + + return $this->connection; + + } + + + + + // ## getConnection ################################################# + public final function hasConnection() { + + return $this->hasConnection; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/lib/Node.class.php b/info.textgrid.middleware.tgauth.rbac/lib/Node.class.php new file mode 100755 index 0000000..ab024c7 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/lib/Node.class.php 
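Review bot: In connect(), the return value of `ldap_start_tls( $this->connection )` is discarded, so when the TLS negotiation fails the object still reports hasConnection() as true and the following bind() sends `$inPassword` to the directory in cleartext; a StartTLS failure should be treated like a failed connection, e.g. `if( $inTls && !ldap_start_tls( $this->connection ) ) { $this->hasConnection = false; trigger_error( "LDAP::connect(): StartTLS failed", E_USER_ERROR ); }`. bind() also hands an empty `$inPassword` straight to ldap_bind, which most directories treat as an anonymous (unauthenticated) bind that succeeds, so if bind() is ever used to check a user's credentials it needs `if( $inPassword === "" ) { return false; }` before the call. The bind DN and password are kept in `$this->lastBindPw`, and the class defines __wakeup(), so a serialized instance (for example one stored in a session) carries the credential with it. getEntry() compares DNs with `preg_match( "/^" . $ldapEntries[$i]['dn'] . "$/i", $inDn )`, using an unescaped DN as a pattern; `strcasecmp( $ldapEntries[$i]['dn'], $inDn ) === 0` avoids metacharacter surprises. Separately, copy() tests `$inRecursive` while the parameter is spelled `$inRecursiv`, so the recursive branch's `$treeCopy` result is never returned.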
@@ -0,0 +1,315 @@ +<?php +// #################################################################### +// Version: 0.3.0 +// Autor: Markus Widmer +// Erstellungsdatum: 11.10.2006 +// Letzte Aenderung: 15.02.2008 + + + +class Node implements iNode { + + // ## Klassenvariablen ############################################## + private $value = false; + private $name = "NODE"; + private $child = Array(); + private $attribute = Array(); + + + + + // ## Konstruktor ################################################### + public function __construct() { + } + + + + + // ## Destruktor #################################################### + public function __destruct() { + } + + + + + // ## setName ####################################################### + public function setName( $inName ) { + + // Der Name darf weder ein Objekt, ein Array oder eine + // ausfuehrbare Funktion sein, um gespeichert zu werden. + if( !is_object( $inName ) + && !is_array( $inName ) ) { + + $this->name = strtolower( $inName ); + + + return true; + + } + else { + + return false; + + } + + } + + + + + // ## getName ####################################################### + public function getName() { + + return $this->name; + + } + + + + + // ## setAttribute ################################################## + public function setAttribute( $inName, $inValue ) { + + // Der Name darf weder ein Objekt, ein Array oder eine + // ausfuehrbare Funktion sein. Ebenso der Wert. 
+ if( !is_object( $inName ) + && !is_array( $inName ) + && !is_object( $inValue ) + && !is_array( $inValue ) ) { + + $this->attribute[$inName] = strval( $inValue ); + + + return true; + + } + else { + + return false; + + } + + } + + + + + // ## getAttribute ################################################## + public function getAttribute( $inName ) { + + // Das Attribut muss einen Wert haben + if( isset( $this->attribute[$inName] ) ) { + + return $this->attribute[$inName]; + + } + + // Sonst wird ein leerer String zurueckgegeben + else { + + return ""; + + } + + } + + + + // ## setValue ###################################################### + public function setValue( $inValue ) { + + // Ein Knoten kann nur dann einen Wert haben, wenn + // er keine Kinderknoten hat. + if( sizeof( $this->child ) == 0 ) { + + // Der Wert darf weder ein Objekt, ein Array oder eine + // ausfuehrbare Funktion sein, um gespeichert zu werden. + if( !is_object( $inValue ) + && !is_array( $inValue ) ) { + + $this->value = strval( $inValue ); + + + return true; + + } + else { + + return false; + + } + + } + else { + + return false; + + } + + } + + + + // ## getValue ###################################################### + public function getValue() { + + return $this->value; + + } + + + + // ## addChild ###################################################### + public function addChild( iNode $inNode ) { + + // Ein Knoten kann nur dann Kinderknoten haben, wenn er + // nicht bereits einen Wert hat. Der uebergebene Wert + // muss zudem auch wirklich ein Knoten sein. 
+ if( ($this->value == false) + && ($inNode instanceof iNode) ) { + + $this->child[] = $inNode; + + + return true; + + } + else { + + return false; + + } + + } + + + + + // ## getChildArray ################################################# + public function getChildArray() { + + if( is_array( $this->child ) ) { + + return $this->child; + + } + else { + + return Array(); + + } + + } + + + + + // ## getChild ###################################################### + public function getChild( $inName, $inNumber ) { + + // Es wird auf jeden Fall ein korrekter Knoten + // zurueckgegeben, auch wenn keiner gefunden + // wurde. + $wantedNode = new Node(); + $wantedNode->setName( $inName ); + + + // Die Suche nach dem Knoten beginnen und alle + // Kinderknoten ansehen. + $i = 0; + $n = 0; + $flagFound = false; + while( ($i < sizeof( $this->child )) + && !$flagFound ) { + + // Einen Knoten holen + $child = $this->child[$i]; + + + // Name ist korrekt... + if( preg_match( "/^" . $child->getName() . "$/i", $inName ) ) { + + // Nummer ist korrekt... + if( $inNumber == $n ) { + + $flagFound = true; + $wantedNode = $child; + + } + + // Nummer ist nicht korrekt... 
+ else { + + $n++; + + } + + } + + + // Schleifenvariable hochzaehlen + $i++; + + } + + + return $wantedNode; + + } + + + + + // ## searchChild ################################################### + public function searchChild( $inName, $inAttribute, $inRegex ) { + + $arrNode = Array(); // Der Rueckgabewert + $child = new Node(); // Temporaerer Knoten + $i = 0; // Schleifenvariable + + + for( $i = 0; $i < $this->countChilds( $inName ); $i++ ) { + + $child = $this->getChild( $inName, $i ); + + if( preg_match( $inRegex, $child->getAttribute( $inAttribute ) ) ) { + + $arrNode[] = $child; + + } + + } + + + return $arrNode; + + } + + + + + // ## countChilds ################################################### + public function countChilds( $inName ) { + + $number = 0; // Anzahl der Knoten + $i = 0; // Schleifenvariable + + + // Alle Knoten durchgehen + for( $i = 0; $i < sizeof( $this->child ); $i++ ) { + + if( preg_match( "/^" . $this->child[$i]->getName() . "$/i", $inName ) ) { + + $number++; + + } + + } + + + return $number; + + } + +} +?> \ No newline at end of file diff --git a/info.textgrid.middleware.tgauth.rbac/lib/Number.class.php b/info.textgrid.middleware.tgauth.rbac/lib/Number.class.php new file mode 100755 index 0000000..a4fe7c3 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/lib/Number.class.php 
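Review bot: getChild() and countChilds() compare names with `preg_match( "/^" . $child->getName() . "$/i", $inName )`, i.e. the stored node name is used as an unescaped regular expression against the requested name; a name containing `.`, `(` or `+` (XML::parse feeds tag names straight into setName()) either matches the wrong node or makes preg_match emit a warning and return false. A plain case-insensitive comparison does the same job safely in both places: `if( strcasecmp( $child->getName(), $inName ) === 0 )`. addChild() also guards with `$this->value == false`, a loose comparison under which a stored value of `""` or `"0"` counts as "no value" and lets children be appended after setValue(); `$this->value === false` matches what the property is initialised to.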
@@ -0,0 +1,68 @@
+<?php
+// ####################################################################
+// Version: 0.1.0
+// Author: Markus Widmer
+// Created: 01.04.2008
+// Modified: 01.04.2008
+
+
+
+
+class Number implements iNumber {
+
+ // ## Klassenvariablen ##############################################
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct() {
+ }
+
+
+
+
+ // ## format ########################################################
+ function format( $inNumber, $inAfterComma, $inLanguage, $inRound = false ) {
+
+ if( $inRound ) {
+
+ $inNumber = round( $inNumber, $inRound + 1 );
+
+ }
+
+
+ switch( $inLanguage ) {
+
+ case "de": return number_format( $inNumber, $inAfterComma, ",", "." );
+ break;
+ case "en": return number_format( $inNumber, $inAfterComma, ".", "," );
+ break;
+ default : return $inNumber;
+
+ }
+
+ }
+
+
+
+
+ // ## expand ########################################################
+ function expand( $inNumber, $inDigit ) {
+
+ settype( &$inNumber, "string" );
+
+
+ while( strlen( $inNumber ) < $inDigit ) {
+
+ $inNumber = "0" . $inNumber;
+
+ }
+
+
+ return $inNumber;
+
+ }
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/lib/XML.class.php b/info.textgrid.middleware.tgauth.rbac/lib/XML.class.php
new file mode 100755
index 0000000..36ece33
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/lib/XML.class.php
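Review bot: `settype( &$inNumber, "string" )` in expand() is a call-time pass-by-reference, which PHP 5.3 deprecates and PHP 5.4 rejects with a fatal error; settype() already takes its first argument by reference, so the line should read `settype( $inNumber, "string" );`. The class also declares `implements iNumber`, but iNumber as added in this same patch requires a method named `number( $inNumber, $inDigit )` rather than `expand()`, so the class cannot be loaded until one of the two names is changed. In format(), `round( $inNumber, $inRound + 1 )` rounds to `true + 1 = 2` decimals whenever `$inRound` is passed as a plain true; if the intent is to round to the requested precision, `round( $inNumber, $inAfterComma )` is more likely what is wanted.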
@@ -0,0 +1,291 @@ +<?php +// #################################################################### +// Version: 0.2.4 +// Author: Markus Widmer +// Created: 12.10.2006 +// Modified: 09.04.2008 + + + + +class XML implements iXML { + + // ## Klassenvariablen ############################################## + private $rootNode = Array(); + + + + + // ## Konstruktor ################################################### + public function __construct() { + } + + + + + // ## getRoot ####################################################### + public function getRoot( $inName = "default" ) { + + if( isset( $this->rootNode[$inName] ) ) { + + return $this->rootNode[$inName]; + + } + else { + + return Array(); + + } + + } + + + + + // ## parseFile ##################################################### + public function parseFile( $inFilename, $inName = "default" ) { + + if( file_exists( $inFilename ) ) { + + $this->parse( file_get_contents( $inFilename ), $inName ); + + } + else { + + throw new Exception( "XML::parseFile() File does not exists: " . $inFilename ); + + } + + } + + + + + // ## parse ######################################################### + public function parse( $inData, $inName = "default" ) { + + $parser = xml_parser_create(); // Der Parser + $arrVal = Array(); // Hier werden die erhaltenen Werte abgelegt + $arrValClean = Array(); // Werte ohne CDATA + $index = Array(); // Ein Index des Inhalts + $node = Array(); // Zum Ablegen der erzeugten Knoten + $tmpNode = new Node(); // Knoten zum Anhaengen der Ergebnisknoten + $i = 0; // Schleifenvariable + + + // Um den XML-Parser benutzen zu koennen wird ein Dummy-Knoten + // um die Daten herum gebaut und hinterher wieder entfernt. Dies + // dient dazu auch nicht korrekte XML-Dateien, bei denen es mehrere + // Root-Knoten gibt, parsen zu koennen. + $inData = "<DDUUMMYY>" . $inData . "</DDUUMMYY>"; + + + // Der XML-Parser versteht den XML-Kopf mit Angaben + // zur Version und zum verwendeten Zeichensatz nicht. 
+ // Dieser muss hier manuell ausgewertet werden. + $arrXmlHeader = Array(); + preg_match( "/<\?\s*xml\s.+\?>/i", $inData, &$arrXmlHeader ); + + + if( sizeof( $arrXmlHeader ) == 1 ) { + + $inData = preg_replace( "/<\?\s*xml\s.+\?>/i", "", $inData ); + + } + + + // The data needs only to encoded if it is not + // already. In any case they are pared into an array. + // To avoid the need of the Helper class at this point, + // the check will be done directly! + if( utf8_encode( utf8_decode( $inData ) ) === $inData ) { + + xml_parse_into_struct( $parser, utf8_encode( $inData ), &$arrVal, &$index ); + + } + else { + + xml_parse_into_struct( $parser, $inData, &$arrVal, &$index ); + + } + + + xml_parser_free( $parser ); + + + // Alle CDATA-Informationen aus dem Array entfernen, um die + // weitere Bearbeitung zu beschleunigen. + for( $i = 0; $i < sizeof( $arrVal ); $i++ ) { + + if( $arrVal[$i]['type'] != "cdata" ) { + + $arrValClean[] = $arrVal[$i]; + + } + + } + + + // Den Array auswerten und Objekte daraus erzeugen + $node = $this->parseArrayToNode( $arrValClean, 1 ); + + + // Etwas Speicher freigeben + unset( $vals ); + unset( $index ); + + + // Entfernen des Dummy-Knotens + $node = $node[0]->getChildArray(); + + + // Besteht der Array "node" nur aus einem Eintrag, so kann + // der Knoten uebernommen werden. Besteht er aus mehreren, + // so wird er unterhalb eines neu erzeugten Knotens + // abgelegt. Ist der Array leer, + // so ist ein Fehler aufgetreten und es wird nichts gespeichert. 
+ if( sizeof( $node ) <= 0 ) { + + return false; + + } + else { + + $this->rootNode[$inName] = $node; + + + return true; + + } + + } + + + + + // ## parseArrayToNode ############################################## + private function parseArrayToNode( Array $inArray, $inLevel ) { + + $node = new Node(); // Zum Anlegen neuer Knoten + $arrNode = Array(); // Array der neu angelegten Knoten + $arrAttribute = Array(); // Zwischenspeicher fuer die Attribute + $flagFound = false; // Flag, das zur Suche nach dem Knotenende verwendet wird + $i = 0; // Schleifenvariable + $j = 0; // Schleifenvariable + $c = 0; // Schleifenvariable + + + $i = 0; + while( $i < sizeof( $inArray ) ) { + + if( ($inArray[$i]['type'] == "complete") + && ($inArray[$i]['level'] == $inLevel) ) { + + $node = new Node(); + $node->setName( $inArray[$i]['tag'] ); + + if( !isset( $inArray[$i]['value'] ) ) { + + $inArray[$i]['value'] = ""; + + } + + + $node->setValue( trim( $inArray[$i]['value'] ) ); + + + // Noch die Attribute auslesen und speichern + if( isset( $inArray[$i]['attributes'] ) ) { + + $arrAttribute = $inArray[$i]['attributes']; + + foreach( $arrAttribute as $key => $value ) { + + $node->setAttribute( strtolower( $key ), $value ); + + } + + } + + + // Neuen Knoten in den Array einfuegen + $arrNode[] = $node; + + } + elseif( preg_match( "/open/i", $inArray[$i]['type'] ) + && ($inArray[$i]['level'] == $inLevel) ) { + + # Ende des Knoten finden + $j = $i; + $flagFound = false; + while( ($j < sizeof( $inArray )) + && !$flagFound ) { + + if( preg_match( "/close/i", $inArray[$j]['type'] ) + && ($inArray[$j]['level'] == $inArray[$i]['level']) + && preg_match( "/" . $inArray[$i]['tag'] . "/i", $inArray[$j]['tag'] ) ) { + + $flagFound = true; + + } + else { + + $j++; + + } + + } + + + # Eine Ebene tiefer bearbeiten. Dazu den Array entsprechend + # "ausschneiden". 
+ $child = $this->parseArrayToNode( array_slice( $inArray, $i + 1, $j - $i - 1 ), $inLevel + 1 ); + + + # Neuen Knoten erstellen und Daten hinzufuegen + $node = new Node(); + $node->setName( $inArray[$i]['tag'] ); + + for( $c = 0; $c < sizeof( $child ); $c++ ) { + + $node->addChild( $child[$c] ); + + } + + + // Noch die Attribute auslesen und speichern + if( isset( $inArray[$i]['attributes'] ) ) { + + $arrAttribute = $inArray[$i]['attributes']; + + foreach( $arrAttribute as $key => $value ) { + + $node->setAttribute( strtolower( $key ), $value ); + + } + + } + + + // Neuen Knoten in den Array einfuegen + $arrNode[] = $node; + + } + elseif( ($inArray[$i]['type'] == "cdata") + && ($inArray[$i]['level'] == $inLevel) ) { + + } + + + // Erhoehen der Schleifenvariable + $i++; + + } + + + return $arrNode; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/lib/iCrypto.interface.php b/info.textgrid.middleware.tgauth.rbac/lib/iCrypto.interface.php new file mode 100755 index 0000000..4e37377 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/lib/iCrypto.interface.php @@ -0,0 +1,12 @@ +<?php +interface iCrypto { + + public function __construct(); + public function __destruct(); + + public function ssha( $inPassword ); + public function md5( $inPassword ); + public function validatePassword( $inPassword, $inHash ); + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/lib/iDataBase.interface.php b/info.textgrid.middleware.tgauth.rbac/lib/iDataBase.interface.php new file mode 100755 index 0000000..da9474f --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/lib/iDataBase.interface.php 
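Review bot: parse() never checks the result of `xml_parse_into_struct()` (nor xml_get_error_code()), so malformed or truncated input is silently turned into whatever partial `$arrVal` the parser produced and stored as a root node; given the SOAP/XACML files listed in this patch, this parser will presumably see request documents, and a parse error should then be reported rather than tolerated, e.g. `if( xml_parse_into_struct( $parser, $data, $arrVal, $index ) !== 1 ) { xml_parser_free( $parser ); return false; }`. The `&$arrXmlHeader`, `&$arrVal` and `&$index` call-time references on the preg_match and xml_parse_into_struct calls are deprecated in PHP 5.3 and a fatal error from 5.4 on; drop the `&`, both functions already take those parameters by reference. The later `unset( $vals )` releases a variable that does not exist; the array is `$arrVal`.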
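Review bot: iCrypto commits every implementation to `md5( $inPassword )` and `ssha( $inPassword )`, and the parameter name suggests these are the password-hashing primitives; unsalted MD5 is not suitable for storing credentials, and SSHA (salted SHA-1) is only defensible where the directory's own password scheme requires it. If md5() exists for compatibility with an existing `{MD5}` scheme in the directory, a comment on the interface saying so would help; otherwise consider dropping it so validatePassword() is never asked to accept an MD5 hash. Crypto.class.php itself is not in this chunk, so this is based on the interface alone.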
@@ -0,0 +1,22 @@
+<?php
+interface iDataBase {
+
+ public function __construct( $inHost, $inDatabase );
+
+
+ public function connect( $inUsername, $inPassword );
+ public function reconnect();
+ public function hasConnection();
+ public function get( $inTable, $inOrder, $inFilter = "", $inColumn = "*" );
+ public function getColumns( $inTable );
+ public function store( $inTable, $inData );
+ public function query( $inQuery );
+ public function dateToText( $inDate, $inCountry );
+ public function textToDate( $inText, $inCountry );
+ public function mysqlToFloatrange( $inFloatrange, $inCountry );
+ public function floatrangeToMysql( $inFloatrange, $inCountry );
+ public function floatToMysql( $inFloat, $inCountry );
+ public function mysqlToFloat( $inFloat, $inCountry );
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/lib/iHelper.interface.php b/info.textgrid.middleware.tgauth.rbac/lib/iHelper.interface.php
new file mode 100755
index 0000000..51fe176
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/lib/iHelper.interface.php
@@ -0,0 +1,15 @@
+<?php
+interface iHelper {
+
+// public function numberFormat( $inNumber, $inAfterComma, $inLanguage, $inRound = false );
+// public function expandNumber( $inNumber, $inDigit );
+ public function isUtf8( $inString );
+ public function flatAddressToArray( $inAddress, $inSplit );
+ public function extractFilename( $inPath );
+// public function generalizedtimeToTextDate( $inDate, $inCountry );
+// public function textDateToGeneralizedtime( $inText, $inCountry );
+// public function generalizedtimeToTextDateTime( $inText, $inCountry );
+// public function mysqlDatetimeToArray( $inDate, $inCountry );
+
+}
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/lib/iLDAP.interface.php b/info.textgrid.middleware.tgauth.rbac/lib/iLDAP.interface.php
new file mode 100755
index 0000000..92c45e1
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/lib/iLDAP.interface.php
@@ -0,0 +1,18 @@
+<?php
+interface iLDAP {
+
+ public function connect( $inHost, $inPort, $inVersion, $inTls = false );
+ public function bind( $inDn, $inPassword );
+ public function reconnect();
+ public function rebind();
+ public function getEntry( $inDn );
+ public function search( $inBase, $inFilter, $inScope = "sub", $inArrAttribute = null );
+ public function copy( $inDnFrom, $inDnTo, $inRecursiv = false );
+ public function delete( $inDn, $inRecursiv = false );
+ public function modify( $inDn, Array $inAttribute );
+ public function add( $inDn, Array $inAttribute );
+ public function getConnection();
+ public function hasConnection();
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/lib/iNode.interface.php b/info.textgrid.middleware.tgauth.rbac/lib/iNode.interface.php
new file mode 100755
index 0000000..75fe029
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/lib/iNode.interface.php
@@ -0,0 +1,26 @@
+<?php
+interface iNode {
+
+ public function __construct();
+ public function __destruct();
+
+
+ public function setName( $inName );
+ public function getName();
+
+ public function setValue( $inValue );
+ public function getValue();
+
+ public function addChild( iNode $inChild );
+ public function getChild( $inName, $inNumber );
+ public function searchChild( $inName, $inAttribute, $inRegex );
+
+ public function setAttribute( $inName, $inValue );
+ public function getAttribute( $inName );
+
+ public function getChildArray();
+
+ public function countChilds( $inName );
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/lib/iNumber.interface.php b/info.textgrid.middleware.tgauth.rbac/lib/iNumber.interface.php
new file mode 100755
index 0000000..7fa3918
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/lib/iNumber.interface.php
@@ -0,0 +1,8 @@
+<?php
+interface iNumber {
+
+ public function format( $inNumber, $inAfterComma, $inLanguage, $inRound = false );
+ public function number( $inNumber, $inDigit );
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/lib/iXML.interface.php b/info.textgrid.middleware.tgauth.rbac/lib/iXML.interface.php
new file mode 100755
index 0000000..da0f18a
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/lib/iXML.interface.php
@@ -0,0 +1,8 @@
+<?php
+interface iXML {
+
+ public function parse( $inData, $inName = "default" );
+ public function getRoot( $inName = "default" );
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/Context.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/Context.class.php
new file mode 100755
index 0000000..2a89cd6
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/Context.class.php
@@ -0,0 +1,151 @@
+<?php
+// ####################################################################
+// Version: 0.1.1
+// Autor: Markus Widmer
+// Erstellungsdatum: 02.11.2007
+// Letzte Aenderung: 03.11.2007
+
+
+
+class Context implements iContext {
+
+ // ## Klassenvariablen ##############################################
+ private $arrParameter = Array();
+ private $arrData = Array();
+ private $type;
+ private $continue = true;
+ private $securityChainReason;
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct() {
+
+ $this->type = "none";
+
+ }
+
+
+
+
+ // ## setParameters #################################################
+ public function setParameters( Array $inArrParameter ) {
+
+ $this->arrParameter = $inArrParameter;
+
+ }
+
+
+
+
+ // ## getParameters #################################################
+ public function getParameters() {
+
+ if( is_array( $this->arrParameter ) ) {
+
+ return $this->arrParameter;
+
+ }
+ else {
+
+ return Array();
+
+ }
+
+ }
+
+
+
+
+ // ## setType #######################################################
+ public function setType( $inType ) {
+
+ $this->type = $inType;
+
+ }
+
+
+
+
+ // ## getType #######################################################
+ public function getType() {
+
+ return $this->type;
+
+ }
+
+
+
+
+ // ## setValue ######################################################
+ public function setValue( $inName, $inValue ) {
+
+ $this->arrData[$inName] = $inValue;
+
+ }
+
+
+
+
+ // ## getValue ######################################################
+ public function getValue( $inName ) {
+
+ if( isset( $this->arrData[$inName] ) ) {
+
+ return $this->arrData[$inName];
+
+ }
+ else {
+
+ return null;
+
+ }
+
+ }
+
+
+
+
+ // ## changeSecurityChain ###########################################
+ public function changeSecurityChain( $inContinue, $inReason = null ) {
+
+ if( is_bool( $inContinue ) ) {
+
+ $this->continue = $inContinue;
+ $inReason != null ?
$this->securityChainReason = $inReason : false;
+
+
+ return true;
+
+ }
+ else {
+
+ return false;
+
+ }
+
+ }
+
+
+
+
+ // ## getSecurityChain ##############################################
+ public function getSecurityChain() {
+
+ return $this->continue;
+
+ }
+
+
+
+
+ // ## getSecurityChainReason ########################################
+ public function getSecurityChainReason() {
+
+ return $this->securityChainReason;
+
+ }
+
+}
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/LGPL.txt b/info.textgrid.middleware.tgauth.rbac/rbac/LGPL.txt
new file mode 100644
index 0000000..3f7b8b1
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/LGPL.txt
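Review bot: `changeSecurityChain` silently drops a reason of `0` or `"0"` because the ternary compares with loose `!=` (`$inReason != null`), and it uses a ternary purely for its side effect; `if( $inReason !== null ) { $this->securityChainReason = $inReason; }` is both correct and readable. `getSecurityChainReason` returns the uninitialised property (`null`) until a reason has been stored, which is worth stating on the method since callers that deny an action will read it, e.g. `// null until changeSecurityChain() was called with a reason`. The `is_array` test in `getParameters` can never be false, because `setParameters` type-hints `Array` and the property is initialised to `Array()`, so the `else` branch is dead code.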
@@ -0,0 +1,166 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. 
+ + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. + + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. 
+ + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. + + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. 
(If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. + + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. 
+ + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. + diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/RBAC.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/RBAC.class.php new file mode 100755 index 0000000..f928ffe --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbac/RBAC.class.php 
@@ -0,0 +1,312 @@
+<?php
+// ####################################################################
+// Version: 0.2.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 31.10.2007
+// Letzte Aenderung: 03.11.2007
+
+
+
+class RBAC {
+
+ // ## Klassenvariablen ##############################################
+ private $conf;
+ private $objSystem = false;
+ private $arrExtension = Array();
+ private $arrEvent = Array();
+ private $arrCallParameter = Array();
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inConfigurationFile, $inBase = "./", $inLib = "../lib/" ) {
+
+ $evalString = ""; // Temporary evaluation-string
+ $rbacClassName = false; // The name of the RBAC-System-class from the configuration file
+ $arrExtension = Array(); // The configured extensions
+ $file; // A file-handle
+ $content = ""; // The content of the configuration file
+ $xmlConf; // The XML-Parser
+ $tmpExtObject = false; // Temporary new extension object
+ $i = 0; // Loop
+
+
+
+ // If this RBAC-Framework is part of another framework
+ // this may allready have loaded these interfaces and
+ // classes. So we shouldn't do this again!
+ if( !interface_exists( "iNode" ) ) {
+
+ // Requiring these interfaces
+ require_once( $inLib . "/iNode.interface.php" );
+ require_once( $inLib . "/iXML.interface.php" );
+
+
+ // Requiring these classes
+ require_once( $inLib . "/XML.class.php" );
+ require_once( $inLib . "/Node.class.php" );
+
+ }
+
+
+ // Read the system-configuration
+ if( file_exists( $inConfigurationFile ) ) {
+
+ $file = fopen( $inConfigurationFile, "r" );
+ $content = fread( $file, filesize( $inConfigurationFile ) + 64 );
+
+ }
+ else {
+
+ throw new Exception( "File not found: " .
$inConfigurationFile );
+
+ }
+
+
+ // Read the configuration-file
+ $xmlConf = new XML();
+ $xmlConf->parse( $content, "conf" );
+ $this->conf = $xmlConf->getRoot( "conf" );
+ $this->conf = $this->conf[0];
+
+
+ // This is the RBAC configuration file
+ $rbacConfFile = $this->conf->getChild( "configuration", 0 )->getAttribute( "file" );
+ if( !preg_match( "/.+/", $rbacConfFile )
+ || !file_exists( $rbacConfFile ) ) {
+
+ throw new Exception( "RBAC::__construct() Given configuration-file " . $rbacConfFile
+ . " and/or default file does not exist: " . $rbacConfFile . "\n" );
+
+ }
+
+
+ // This RBAC-class is to be used.
+ $xmlRbac = $this->conf->getChild( "rbac", 0 );
+ $rbacClassName = $this->conf->getChild( "rbac", 0 )->getAttribute( "class" );
+
+
+ // The class-name has to be set so that we can make an
+ // instance of it later.
+ if( !$rbacClassName
+ || !preg_match( "/.+/", $rbacClassName ) ) {
+
+ throw new Exception( "RBAC::__construct() Missing configuration for RBAC-class\n" );
+
+ }
+
+
+ // Including all nevessarry classes and interfaces
+ for( $i = 0; $i < $xmlRbac->countChilds( "require" ); $i++ ) {
+
+ if( file_exists( $xmlRbac->getChild( "require", $i )->getAttribute( "file" ) ) ) {
+
+ require_once( $xmlRbac->getChild( "require", $i )->getAttribute( "file" ) );
+
+ }
+
+ }
+
+
+ if( class_exists( $rbacClassName ) ) {
+
+ // Create an instance of the RBAC-System-class
+ eval( "\$this->objSystem = new " . $rbacClassName . "( \$rbacConfFile, \$this );" );
+
+ }
+ else {
+
+ throw new Exception( "RBAC::__construct() The configured RBAC-System-class " . $rbacClassName .
" does not exists.\n" );
+
+ }
+
+
+ // These are the names of the extensions that are to be
+ // used, for example "ssd" or "dsd"
+ $arrExtension = $this->conf->searchChild( "extension", "class", "/.+/" );
+
+
+ for( $i = 0; $i < sizeof( $arrExtension ); $i++ ) {
+
+ if( !class_exists( $arrExtension[$i]->getAttribute( "class" ) ) ) {
+
+ // To load the class, the file in which the class
+ // is supposed to be has to exist
+ if( file_exists( $arrExtension[$i]->getAttribute( "file" ) ) ) {
+
+ require_once( $arrExtension[$i]->getAttribute( "file" ) );
+
+ }
+ else {
+
+ throw new Exception( "Unable to load extension: \"" . $arrExtension[$i]->getAttribute( "file" ), 4 );
+
+ }
+
+
+ // Create an instance of the extension
+ $tmpExtObject = false;
+ $evalString = "\$tmpExtObject = new ";
+ $evalString .= $arrExtension[$i]->getAttribute( "class" ) . "( \$this->objSystem, \$this );";
+ eval( $evalString );
+
+
+ // Save the new instance under its name
+ $this->arrExtension[get_class( $tmpExtObject )] = $tmpExtObject;
+ $this->arrExtension[get_class( $tmpExtObject )]->registerEvents( $this );
+
+ }
+
+ }
+
+ }
+
+
+
+
+ // ## __call ########################################################
+ public function __call( $inFunctionName, $inArrParameter ) {
+
+ $evalString = "";
+ $foundInExtension = false;
+ $tmpClass = false;
+ $tmpCall = false;
+ $evalString = "";
+ $i = 0;
+
+
+ // First store the parameters becaus they are
+ // later automatically attached to the context
+ $this->arrCallParameter = $inArrParameter;
+
+
+ // This will call directly functions that are defined
+ // in extensions but not in RBAC. If the function exists
+ // in RBAC, nothing will happen!
+ foreach( $this->arrExtension as $className => $extension ) {
+
+ if( method_exists( $extension, $inFunctionName )
+ && !method_exists( $this->objSystem, $inFunctionName ) ) {
+
+ $result = call_user_func_array( Array( &$this->arrExtension[$className], $inFunctionName ), $inArrParameter );
+ $foundInExtension = true;
+ break;
+
+ }
+
+ }
+
+
+ // If no extension has defined the function, try to
+ // call it in RBAC directly
+ if( !$foundInExtension ) {
+
+ if( method_exists( $this->objSystem, $inFunctionName ) ) {
+
+ $result = call_user_func_array( Array( &$this->objSystem, $inFunctionName ), $inArrParameter );
+
+
+ if( isset( $this->arrEvent[$inFunctionName]['outputfilter'] ) ) {
+
+ // Apply every filter that was registered for
+ // this function.
+ foreach( $this->arrEvent[$inFunctionName]['outputfilter'] as $index => $eventListener ) {
+
+ $evalString = "\$result = " . $eventListener['class'] . "->" . $eventListener['call'] . "( " . $result . " );";
+ eval( $evalString );
+
+ }
+
+ }
+
+ }
+ else {
+
+ throw new Exception( "Unable to locate requested method\": " . $inFunctionName .
"\"", 3 );
+
+ }
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // ## registerEventListener #########################################
+ public function registerEventListener( $inForFunction, $inEvent, $inCallClass, $inCallFunction ) {
+
+ $methodExists = false;
+ $className = get_class( $inCallClass );
+
+
+ // Check if the method that has to be registered for
+ // an event really exists
+// if( method_exists( $this->arrExtension[$inCallClass->getClassName()], $inCallFunction ) ) {
+ if( method_exists( $this->arrExtension[$className], $inCallFunction ) ) {
+
+ $methodExists = true;
+
+ }
+
+
+ // Store the class and it's listening function in the array
+ // of listeners of the according function
+ if( $methodExists ) {
+
+ $this->arrEvent[$inForFunction][$inEvent][] = Array( "class" => get_class( $inCallClass ),
+ "call" => $inCallFunction );
+
+ }
+
+ }
+
+
+
+
+ // ## event #########################################################
+ public function event( $inForFunction, $inEvent, Context $inContext ) {
+
+ $newContext = $inContext;
+
+
+ // Append the parameters the function was
+ // called with
+ is_array( $this->arrCallParameter ) ? $newContext->setParameters( $this->arrCallParameter ) : false;
+ $newContext->setType( $inEvent );
+
+
+ if( isset( $this->arrEvent[$inForFunction][$inEvent] ) ) {
+
+ foreach( $this->arrEvent[$inForFunction][$inEvent] as $index => $eventListener ) {
+
+ $evalString = "\$newContext = \$this->arrExtension[" . $eventListener['class'] . "]->" . $eventListener['call'] . "( \$newContext );";
+ eval( $evalString );
+
+
+ if( !($newContext instanceof Context) ) {
+
+ throw new Exception( "Return value from extension is not a \"Context\"", 6 );
+
+ }
+
+ }
+
+
+ return $newContext;
+
+ }
+ else {
+
+ return $newContext;
+
+ }
+
+ }
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/RBACException.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/RBACException.class.php
new file mode 100755
index 0000000..3d31a27
--- /dev/null
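Review bot: The three `eval()` calls in `__construct`, `__call` and `event` assemble PHP source from configuration and runtime values, and the one in `__call`'s output-filter loop splices the return value itself into the code (`"( " . $result . " );"`), so any non-numeric result — a string or array coming back from the underlying system — is at best a parse error and otherwise executes data as PHP; the generated `Class->method(...)` form is also not valid, since `$eventListener['class']` holds a class name rather than an object. All three sites are expressible with plain dynamic syntax: `$this->objSystem = new $rbacClassName( $rbacConfFile, $this );`, `$tmpExtObject = new $extClassName( $this->objSystem, $this );` (after reading the `class` attribute into `$extClassName`), and `$result = $this->arrExtension[$eventListener['class']]->{$eventListener['call']}( $result );` — the same form, applied to `$newContext`, replaces the `eval` in `event()`. That `event()` eval additionally writes the class name into the array index unquoted (e.g. `arrExtension[SSD]`), which is an undefined-constant notice on PHP 5/7 and an Error on PHP 8. Separately, the handle opened with `fopen` in the constructor is never closed; `$content = file_get_contents( $inConfigurationFile );` does the same job without the `+ 64` guess at the size.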
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/RBACException.class.php
@@ -0,0 +1,36 @@
+<?php
+// ####################################################################
+// Version: 0.1.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 31.07.2007
+// Letzte Aenderung: 31.07.2007
+
+
+
+
+class RBACException extends Exception {
+
+ // ## Klassenvariablen ##############################################
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inMessage, $inCode ) {
+
+ parent::__construct( $inMessage, $inCode );
+
+ }
+
+
+
+
+ // ## __toString ####################################################
+ public function __toString() {
+
+ return get_class() . ": [{$this->code}]: {$this->message}\n";
+
+ }
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/RBACExtension.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/RBACExtension.class.php
new file mode 100755
index 0000000..5f8b755
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/RBACExtension.class.php
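Review bot: `__toString` calls `get_class()` without an argument; that form is deprecated as of PHP 8.3, and `self::class` is the exact replacement (`return self::class . ": [{$this->code}]: {$this->message}\n";`), while `static::class` would additionally let subclasses print their own name. The constructor requires `$inCode` and offers no `$previous` parameter, so a caller that wraps a lower-level exception cannot preserve the chain; `public function __construct( $inMessage, $inCode = 0, Exception $inPrevious = null )` forwarded as `parent::__construct( $inMessage, $inCode, $inPrevious );` keeps every existing call site working.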
@@ -0,0 +1,44 @@
+<?php
+// ####################################################################
+// Version: 0.1.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 02.11.2007
+// Letzte Aenderung: 02.11.2007
+
+
+
+abstract class RBACExtension {
+
+ // ## Klassenvariablen ##############################################
+ protected $rbac;
+ protected $conn;
+ protected $conf;
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inRBAC ) {
+
+ // Save thsi instances of RBAC and grab the configuration
+ // from it.
+ $this->rbac = $inRBAC;
+ $this->conf = $inRBAC->getConfiguration();
+
+
+ // Get the user- and role connections from the
+ // underlying RBAC-system
+ $this->conn['user'] = $inRBAC->getConnection( "user" );
+ $this->conn['role'] = $inRBAC->getConnection( "role" );
+ $this->conn['resource'] = $inRBAC->getConnection( "resource" );
+ $this->conn['session'] = $inRBAC->getConnection( "session" );
+
+ }
+
+
+
+ // ## registerEvents ################################################
+ abstract public function registerEvents( RBAC $inRegistrar );
+
+}
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/RBACcore.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/RBACcore.class.php
new file mode 100755
index 0000000..3be23ea
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/RBACcore.class.php
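Review bot: `__construct` declares a single `$inRBAC` parameter, but `RBAC::__construct` in this commit instantiates every extension with two arguments (`new <class>( $this->objSystem, $this )`), so the registrar passed second is discarded unless each subclass redeclares the constructor — the subclasses are not in this hunk, so that may be the intent, but the base class should say so. Declaring the contract explicitly, `public function __construct( $inRBAC, RBAC $inRegistrar = null )`, or at least documenting on the class that `$inRBAC` is the RBAC-system object held in `RBAC::$objSystem` and not the `RBAC` facade, would remove the ambiguity; the property name `$rbac` currently suggests the facade. The comment `// Save thsi instances of RBAC and grab the configuration` should read `// Save this instance of the RBAC-system and grab the configuration`.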
@@ -0,0 +1,2181 @@
+<?php
+// ####################################################################
+// Version: 0.2.2
+// Author: Markus Widmer
+// Created: 31.07.2007
+// Modified: 01.04.2008
+
+
+// Requiring these interfaces if the RBAC-Framework
+// is not existing. Otherwise the RBAC-Framework
+// takes care of importing all nevessarry classes and
+// interfaces.
+if( !class_exists( "RBAC" ) ) {
+
+ if( defined( "RBAC_LIB_PATH" )
+ && defined( "RBAC_PATH" ) ) {
+
+ !interface_exists( "iHelper" ) ? require_once( RBAC_LIB_PATH . "/iHelper.interface.php" ) : false;
+ !interface_exists( "iNode" ) ? require_once( RBAC_LIB_PATH . "/iNode.interface.php" ) : false;
+ !interface_exists( "iXML" ) ? require_once( RBAC_LIB_PATH . "/iXML.interface.php" ) : false;
+ !interface_exists( "iLDAP" ) ? require_once( RBAC_LIB_PATH . "/iLDAP.interface.php" ) : false;
+ !interface_exists( "iCrypto" ) ? require_once( RBAC_LIB_PATH . "/iCrypto.interface.php" ) : false;
+
+ !interface_exists( "iContext" ) ? require_once( RBAC_PATH . "/iContext.interface.php" ) : false;
+ !interface_exists( "iRBACcore" ) ? require_once( RBAC_PATH . "/iRBACcore.interface.php" ) : false;
+
+
+ !class_exists( "Helper" ) ? require_once( RBAC_LIB_PATH . "/Helper.class.php" ) : false;
+ !class_exists( "Node" ) ? require_once( RBAC_LIB_PATH . "/Node.class.php" ) : false;
+ !class_exists( "XML" ) ? require_once( RBAC_LIB_PATH . "/XML.class.php" ) : false;
+ !class_exists( "LDAP" ) ? require_once( RBAC_LIB_PATH . "/LDAP.class.php" ) : false;
+ !class_exists( "Crypto" ) ? require_once( RBAC_LIB_PATH . "/Crypto.class.php" ) : false;
+
+ !class_exists( "SimpleConfig" ) ? require_once( RBAC_PATH . "/SimpleConfig.class.php" ) : false;
+ !class_exists( "RBACException" ) ? require_once( RBAC_PATH . "/RBACException.class.php" ) : false;
+ !class_exists( "RBACExtension" ) ? require_once( RBAC_PATH . "/RBACExtension.class.php" ) : false;
+ !class_exists( "Context" ) ? require_once( RBAC_PATH .
"/Context.class.php" ) : false;
+
+ }
+ else {
+
+ exit( "\nYou have to define the constants RBAC_LIB_PATH and RBAC_PATH.\n" );
+
+ }
+
+}
+
+
+class RBACcore implements iRBACcore {
+
+ // ## Klassenvariablen ##############################################
+ protected $conf;
+ protected $conn;
+ protected $arrEntryStorage = Array();
+ protected $interceptor = false;
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inConfigurationFile, RBAC $inInterceptor = null ) {
+
+ $file; // File-handler
+ $content = ""; // Content of the XML-file
+
+
+ if( $inInterceptor instanceof RBAC ) {
+
+ $this->interceptor = $inInterceptor;
+
+ }
+
+
+ // Read the configuration
+ $this->conf = new SimpleConfig( $inConfigurationFile );
+
+
+ // Create a user connection
+ $this->conn['user'] = new LDAP();
+ $this->conn['user']->connect( $this->conf->getValue( "user", "host" ),
+ $this->conf->getValue( "user", "port" ),
+ $this->conf->getValue( "user", "version" ),
+ preg_match( "/(^yes$)|(^true$)/i",
+ $this->conf->getValue( "user", "tls" ) ) );
+ $this->doBind( "user" );
+
+
+ // Create a role connection
+ if( $this->sameConnectionParams( "user", "role" ) ) {
+
+ $this->conn['role'] = &$this->conn['user'];
+
+ }
+ else {
+
+ $this->conn['role'] = new LDAP();
+ $this->conn['role']->connect( $this->conf->getValue( "role", "host" ),
+ $this->conf->getValue( "role", "port" ),
+ $this->conf->getValue( "role", "version" ),
+ preg_match( "/(^yes$)|(^true$)/i",
+ $this->conf->getValue( "role", "tls" ) ) );
+ $this->doBind( "role" );
+
+ }
+
+
+ // Create a session connection
+ if( $this->sameConnectionParams( "session", "user" ) ) {
+
+ $this->conn['session'] = &$this->conn['user'];
+
+ }
+ elseif( $this->sameConnectionParams( "session", "role" ) ) {
+
+ $this->conn['session'] = &$this->conn['role'];
+
+ }
+ else {
+
+ $this->conn['session'] = new LDAP();
+ $this->conn['session']->connect( $this->conf->getValue( "session", "host" ),
+
$this->conf->getValue( "session", "port" ),
+ $this->conf->getValue( "session", "version" ),
+ preg_match( "/(^yes$)|(^true$)/i",
+ $this->conf->getValue( "session", "tls" ) ) );
+ $this->doBind( "session" );
+
+ }
+
+
+ // Create a resource connection
+ if( $this->sameConnectionParams( "resource", "user" ) ) {
+
+ $this->conn['resource'] = &$this->conn['user'];
+
+ }
+ elseif( $this->sameConnectionParams( "resource", "role" ) ) {
+
+ $this->conn['resource'] = &$this->conn['role'];
+
+ }
+ elseif( $this->sameConnectionParams( "resource", "session" ) ) {
+
+ $this->conn['resource'] = &$this->conn['session'];
+
+ }
+ else {
+
+ $this->conn['resource'] = new LDAP();
+ $this->conn['resource']->connect( $this->conf->getValue( "resource", "host" ),
+ $this->conf->getValue( "resource", "port" ),
+ $this->conf->getValue( "resource", "version" ),
+ preg_match( "/(^yes$)|(^true$)/i",
+ $this->conf->getValue( "resource", "tls" ) ) );
+ $this->doBind( "resource" );
+
+ }
+
+ }
+
+
+
+
+ // ## __wakeup ######################################################
+ private function __wakeup() {
+
+ $this->doBind( "user" );
+
+
+ if( !$this->sameConnectionParams( "role", "user" ) ) {
+
+ $this->doBind( "role" );
+
+ }
+
+
+ if( !$this->sameConnectionParams( "resource", "user" )
+ && !$this->sameConnectionParams( "resource", "role" ) ) {
+
+ $this->doBind( "resource" );
+
+ }
+
+
+ if( !$this->sameConnectionParams( "session", "user" )
+ && !$this->sameConnectionParams( "session", "role" )
+ && !$this->sameConnectionParams( "session", "resource" ) ) {
+
+ $this->doBind( "session" );
+
+ }
+
+ }
+
+
+
+
+ // ## doBind ########################################################
+ protected function doBind( $inConnectionName ) {
+
+ $this->conn[$inConnectionName]->bind( $this->conf->getValue( $inConnectionName, "binddn" ),
+ $this->conf->getValue( $inConnectionName, "password" ) );
+
+ }
+
+
+
+
+ // ## sameConnectionParams ##########################################
+ protected function
sameConnectionParams( $inNeedle, $inHaystack ) {
+
+ $same = true; // The return value
+
+
+ $same = $same & ( preg_match( "/^" . $this->conf->getValue( $inNeedle, "host" ) . "$/i",
+ $this->conf->getValue( $inHaystack, "host" ) ) );
+
+ $same = $same & ( preg_match( "/^" . $this->conf->getValue( $inNeedle, "port" ) . "$/i",
+ $this->conf->getValue( $inHaystack, "port" ) ) );
+
+ $same = $same & ( preg_match( "/^" . $this->conf->getValue( $inNeedle, "version" ) . "$/i",
+ $this->conf->getValue( $inHaystack, "version" ) ) );
+
+ $same = $same & ( preg_match( "/^" . $this->conf->getValue( $inNeedle, "tls" ) . "$/i",
+ $this->conf->getValue( $inHaystack, "tls" ) ) );
+
+
+ return $same;
+
+ }
+
+
+
+
+ // ## isIntRepresentation ###########################################
+ public function isIntRepresentation( $inRole ) {
+
+ return preg_match( "/^\s*(.+=.+,\s*)+\s*" . $this->conf->getValue( "role", "base" ) . "\s*$/i",
+ $inRole );
+
+ }
+
+
+
+ // ## roleIntToExt ##################################################
+ public function roleIntToExt( $inRole ) {
+
+ $arrTmpSplit; // Temporary var containing role-hirarchy
+ $i = 0; // Loop
+
+
+ if( $this->isIntRepresentation( $inRole ) ) {
+
+ // Cut off the base-DN
+ $inRole = preg_replace( "/,\s*" . $this->conf->getValue( "role", "base" ) . "$/i", "", $inRole );
+
+
+ // Split by comma
+ $arrTmpSplit = preg_split( "/[,]/", $inRole );
+
+
+ // Remove the naming-attribute
+ for( $i = 0; $i < sizeof( $arrTmpSplit ); $i++ ) {
+
+ $arrTmpSplit[$i] = trim( $arrTmpSplit[$i] );
+ $arrTmpSplit[$i] = preg_replace( "/^" . $this->conf->getValue( "role", "namingattribute" )
+ .
"=/i",
+ "", $arrTmpSplit[$i] );
+
+ }
+
+
+ // Reconstruct the role
+ return join( ",", $arrTmpSplit );
+
+ }
+ else {
+
+ return false;
+
+ }
+
+ }
+
+
+
+
+ // ## roleExtToInt ##################################################
+ public function roleExtToInt( $inRole ) {
+
+ $arrTmpSplit; // Temporary var containing role-hirarchy
+ $i = 0; // Loop
+
+
+ if( !$this->isIntRepresentation( $inRole ) ) {
+
+ // Split by comma
+ $arrTmpSplit = preg_split( "/[,]/", $inRole );
+
+
+ // Add the naming-attribute
+ for( $i = 0; $i < sizeof( $arrTmpSplit ); $i++ ) {
+
+ $arrTmpSplit[$i] = $this->conf->getValue( "role", "namingattribute" ) . "=" . $arrTmpSplit[$i];
+
+ }
+
+
+ return join( ",", $arrTmpSplit ) . "," . $this->conf->getValue( "role", "base" );
+
+ }
+ else {
+
+ return false;
+
+ }
+
+ }
+
+
+
+
+ // ## createSession #################################################
+ public function createSession( $inUsername, Array $inRole, $inSession ) {
+
+ $context = false; // Possibly a Context-object
+ $arrUser; // The users entries
+ $arrSession; // The sessions entries
+ $arrRole; // The roles that the user is assigned to
+ $sessionDn = ""; // The DN of the new session
+ $arrSessionEntry; // The sessions entry definition
+ $roleOk = false; // Temporary role-check
+ $roleOkGlob = true; // Are all roles ok
+ $filter = ""; // Filterstring
+ $continue = true; // The session-creation is allowed by default
+ $i = 0; // Loop
+ $j = 0; // Loop
+
+
+ // If an interceptor is defined, we need to
+ // provide a context and events
+ if( $this->interceptor ) {
+
+ $context = new Context();
+
+ }
+
+
+ // Construct a filter to search for the users entry
+ $filter = "(&" . $this->conf->getValue( "user", "filter" );
+ $filter .= "(" . $this->conf->getValue( "user", "namingattribute" ) . "=" . $inUsername .
"))";
+
+
+ // Get the users entry
+ $arrUser = $this->conn['user']->search( $this->conf->getValue( "user", "base" ), $filter, "sub",
+ Array( $this->conf->getValue( "user", "namingattribute" ) ) );
+
+
+ // Construct a filter to search for the session entry
+ $filter = "(&" . $this->conf->getValue( "session", "filter" );
+ $filter .= "(" . $this->conf->getValue( "session", "namingattribute" ) . "=" . $inSession . "))";
+
+
+ // Get the sessions entry
+ $arrSession = $this->conn['session']->search( $this->conf->getValue( "session", "base" ), $filter,
+ "one", Array( $this->conf->getValue( "session", "namingattribute" ) ) );
+
+
+ // The user has to exist, but not the session
+ if( sizeof( $arrUser ) == 1) {
+
+ if( sizeof( $arrSession ) == 0 && preg_match( "/.+/", $inSession ) ) {
+
+ $arrRole = $this->authorizedRoles( $inUsername, false );
+
+
+ // Make sure the given roles are in
+ // internal representation
+ for( $i = 0; $i < sizeof( $inRole ); $i++ ) {
+
+ if( !$this->isIntRepresentation( $inRole[$i] ) ) {
+
+ $inRole[$i] = $this->roleExtToInt( $inRole[$i] );
+
+ }
+
+ }
+
+
+ // Check if the given roleset is ok
+ for( $i = 0; $i < sizeof( $inRole ); $i++ ) {
+
+ $roleOk = false;
+ for( $j = 0; $j < sizeof( $arrRole ); $j++ ) {
+
+ // The input-role has to match with one of the
+ // users roles
+ $roleOk = $roleOk || preg_match( "/^" . $arrRole[$j] . "$/i", $inRole[$i] );
+
+ }
+
+
+ // Every input-role has to have matched
+ // at least once!
+ $roleOkGlob = $roleOkGlob && $roleOk;
+
+ }
+
+
+ // If the roleset is ok
+ if( $roleOkGlob ) {
+
+ $sessionDn = $this->conf->getValue( "session", "namingattribute" ) . "=" . $inSession .
","; + $sessionDn .= $this->conf->getValue( "session", "base" ); + + $arrSessionEntry[$this->conf->getValue( "session", "namingattribute" )][0] = $inSession; + $arrSessionEntry['objectclass'][0] = "rbacSession"; + $arrSessionEntry['rbacSessionUser'][0] = $inUsername; + $arrSessionEntry['rbacSessionCreationTimestamp'][0] = date( "YmdHis", time() ) . "Z"; + sizeof( $inRole ) > 0 ? $arrSessionEntry['rbacSessionRole'] = $inRole : false; + + + // ----------- + // -- EVENT -- + // The session-entry is defined and is going to be + // added to the directory. Maybe someone wants to + // change the entry itself or deny this action. + // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "entry", $arrSessionEntry ); + $context->setValue( "dn", $sessionDn ); + + // Give away the context + $context = $this->interceptor->event( "createSession", "write", $context ); + + // Use the returned context + $sessionDn = $context->getValue( "dn" ); + $arrSessionEntry = $context->getValue( "entry" ); + $continue = $context->getSecurityChain(); + + } + + + if( $continue ) { + + if( $this->conn['session']->add( $sessionDn, $arrSessionEntry ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "USER_ROLE_ERROR" ), + $this->conf->getValue( "errorCode", "USER_ROLE_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SESSION_ALLREADY_EXISTS" ), + $this->conf->getValue( "errorCode", "SESSION_ALLREADY_EXISTS" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "USER_UNKNOWN" ), + $this->conf->getValue( "errorCode", "USER_UNKNOWN" ) ); + + } + + } + + + + + // ## deleteSession 
################################################# + public function deleteSession( $inUsername, $inSession ) { + + $arrSession; // The sessions entries + $filter = ""; // Filterstring + + + // Construct a filter to search for the session entry + $filter = "(&" . $this->conf->getValue( "session", "filter" ); + $filter .= "(" . $this->conf->getValue( "session", "namingattribute" ) . "=" . $inSession . "))"; + + + // Get the sessions entry + $arrSession = $this->conn['session']->search( $this->conf->getValue( "session", "base" ), + $filter, "one" ); + + + // The has has to exist + if( sizeof( $arrSession ) == 1 && preg_match( "/.+/", $inSession ) ) { + + // The user has to be the owner of the session + if( preg_match( "/^" . $arrSession[0]['rbacsessionuser'][0] . "$/i", $inUsername ) ) { + + // Delete the session + if( $this->conn['session']->delete( $arrSession[0]['dn'] ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SESSION_DOES_NOT_EXISTS" ), + $this->conf->getValue( "errorCode", "SESSION_DOES_NOT_EXISTS" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SESSION_DOES_NOT_EXISTS" ), + $this->conf->getValue( "errorCode", "SESSION_DOES_NOT_EXISTS" ) ); + + } + + } + + + + + // ## addActiveRole ################################################# + public function addActiveRole( $inUser, $inSession, $inRole ) { + + $context = false; // Possibly a Context-object + $arrSessionEntry; // The session entry from the directory + $arrRole; // The users roles + $sessionDn = ""; // The session-DN + $roleOk = false; // Is the role assigned to the user? 
+ $continue = true; // It is allowed to add the role by default + $i = 0; // Loop + + + // If an interceptor is defined, we need to + // provide a context and events + if( $this->interceptor ) { + + $context = new Context(); + + } + + + $sessionDn = $this->conf->getValue( "session", "namingattribute" ) . "=" . $inSession . ","; + $sessionDn .= $this->conf->getValue( "session", "base" ); + + + $arrSessionEntry = $this->conn['session']->getEntry( $sessionDn ); + + + if( isset( $arrSessionEntry['dn'] ) ) { + + // The given user has to be equal with the sessions + // user. + if( preg_match( "/^" . $inUser . "$/i", $arrSessionEntry['rbacsessionuser'][0] ) ) { + + $arrRole = $this->authorizedRoles( $inUser, false ); + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Check the role really is assigned to the user + for( $i = 0; $i < sizeof( $arrRole ); $i++ ) { + + $roleOk = $roleOk || preg_match( "/^" . $inRole . "$/i", $arrRole[$i] ); + + } + + + if( $roleOk ) { + + // Add the role to the roleset or create a new roleset. + if( is_array( $arrSessionEntry['rbacsessionrole'] ) ) { + + $arrSessionEntry['rbacsessionrole'][] = $inRole; + + } + else { + + $arrSessionEntry['rbacsessionrole'] = Array( $inRole ); + + } + + + // ----------- + // -- EVENT -- + // The user-entry is defined and is going to be + // added to the directory. Maybe someone wants to + // change the entry itself or deny this action. 
+ // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "arrSessionRole", $arrSessionEntry['rbacsessionrole'] ); + $context->setValue( "dn", $sessionDn ); + + // Give away the context + $context = $this->interceptor->event( "addActiveRole", "write", $context ); + + // Use the returned context + $sessionDn = $context->getValue( "dn" ); + $arrSessionEntry['rbacsessionrole'] = $context->getValue( "arrSessionRole" ); + $continue = $context->getSecurityChain(); + + } + + + if( $continue ) { + + // Commit the new roleset + if( $this->conn['session']->modify( $sessionDn, Array( "rbacsessionrole" => $arrSessionEntry['rbacsessionrole'] ) ) ) { + + return true; + + } + else { + + return false; + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "USER_ROLE_ERROR" ), + $this->conf->getValue( "errorCode", "USER_ROLE_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "USER_SESSION_ERROR" ), + $this->conf->getValue( "errorCode", "USER_SESSION_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SESSION_DOES_NOT_EXISTS" ), + $this->conf->getValue( "errorCode", "SESSION_DOES_NOT_EXISTS" ) ); + + } + + } + + + + + // ## dropActiveRole ################################################ + public function dropActiveRole( $inUser, $inSession, $inRole ) { + + $arrSessionEntry; // The session entry from the directory + $arrActiveRole = Array(); // The users roles + $sessionDn = ""; // The session-DN + $roleOk = false; // Is the role assigned to the user? + $i = 0; // Loop + + + $sessionDn = $this->conf->getValue( "session", "namingattribute" ) . "=" . $inSession . 
","; + $sessionDn .= $this->conf->getValue( "session", "base" ); + + + $arrSessionEntry = $this->conn['session']->getEntry( $sessionDn ); + + + if( isset( $arrSessionEntry['dn'] ) ) { + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Drop the role from the roleset. + for( $i = 0; $i < sizeof( $arrSessionEntry['rbacsessionrole'] ); $i++ ) { + + if( !preg_match( "/^" . $inRole . "$/i", $arrSessionEntry['rbacsessionrole'][$i] ) ) { + + $arrActiveRole[] = $arrSessionEntry['rbacsessionrole']; + + } + + } + + + // Commit the new roleset + if( $this->conn['session']->modify( $sessionDn, Array( "rbacsessionrole" => $arrActiveRole ) ) ) { + + return true; + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SESSION_DOES_NOT_EXISTS" ), + $this->conf->getValue( "errorCode", "SESSION_DOES_NOT_EXISTS" ) ); + + } + + } + + + + + // ## assignedRoles ################################################# + public function assignedRoles( $inUsername, $inExtRepresentation = true ) { + + $filter = ""; // Filterstring + $arrRole; // The roles that the user is assigned to + $arrRoleReturn = Array(); // The roles in the correct format + $i = 0; // Loop + + + $filter = "(&" . $this->conf->getValue( "role", "filter" ); + $filter .= "(" . $this->conf->getValue( "role", "assignedattribute" ) . "=" . $inUsername . 
"))"; + + + // Search only with scope "one" becaue we are in Core-RBAC + $arrRole = $this->conn['role']->search( $this->conf->getValue( "role", "base" ), $filter, + "sub", Array( $this->conf->getValue( "role", "namingattribute" ) ) ); + + + for( $i = 0; $i < sizeof( $arrRole ); $i++ ) { + + $arrRoleReturn[] = $arrRole[$i]['dn']; + + } + + + // Convert the roles to the external representation + if( $inExtRepresentation ) { + + for( $i = 0; $i < sizeof( $arrRoleReturn ); $i++ ) { + + $arrRoleReturn[$i] = $this->roleIntToExt( $arrRoleReturn[$i] ); + + } + + } + + + return $this->removeDuplicates( $arrRoleReturn ); + + } + + + + + // ## assignedUsers ################################################# + public function assignedUsers( $inRole, $inUseStoredRole = false ) { + + $filter = ""; // Filterstring + $arrUser = Array(); // The users that are assigned to the role + $arrRoleEntry; // The roles entry + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? 
$inRole = $this->roleExtToInt( $inRole ) : false; + + + if( $inUseStoredRole && isset( $this->arrEntryStorage['assignedusersrole'][$inRole] ) ) { + + $arrRoleEntry = $this->arrEntryStorage['assignedusersrole'][$inRole]; + + } + else { + + // Get the role-entry + $arrRoleEntry = $this->conn['role']->getEntry( $inRole ); + $this->arrEntryStorage['assignedusersrole'][$inRole] = $arrRoleEntry; + + } + + + + + + if( isset( $arrRoleEntry['dn'] ) ) { + + $arrUser = $arrRoleEntry[$this->conf->getValue( "role", "assignedattribute" )]; + + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + + return $arrUser; + + } + + + + + // ## rolePermissions ############################################### + public function rolePermissions( $inRole ) { + + $arrResource; // The resources the role has a permission on + $arrPermission = Array(); // The permissions found + $arrTmpSplit; // Splitted string + $filter = ""; // Filterstring + $i = 0; // Loop + $j = 0; // Loop + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Get the role-entry + $arrRole = $this->conn['role']->getEntry( $inRole ); + + + if( isset( $arrRole['dn'] ) ) { + + $filter = "(&" . $this->conf->getValue( "resource", "filter" ); + $filter .= "(rbacpermission=" . $inRole . ":-:*))"; + + + $arrResource = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), + $filter, "sub", + Array( $this->conf->getValue( "resource", "aliasattribute" ), + $this->conf->getValue( "resource", "namingattribute" ), + "rbacpermission" ) ); + + + for( $i = 0; $i < sizeof( $arrResource ); $i++ ) { + + for( $j = 0; $j < sizeof( $arrResource[$i]['rbacpermission'] ); $j++ ) { + + $arrTmpSplit = preg_split( "/:-:/", $arrResource[$i]['rbacpermission'][$j] ); + + + if( preg_match( "/^" . $arrTmpSplit[0] . 
"$/i", $inRole ) ) { + + $arrPermission[] = Array( "resource" => $arrResource[$i][$this->conf->getValue( "resource", "namingattribute" )][0], + "alias" => $arrResource[$i][$this->conf->getValue( "resource", "aliasattribute" )], + "operation" => $arrTmpSplit[1] ); + + } + + } + + } + + + return $arrPermission; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + + + + + // ## userPermissions ############################################### + public function userPermissions( $inUsername ) { + + $arrRole; // The roles of the user + $arrTmpPermission; // Temporary permission of a role + $arrUserPermission = Array(); // The permissions of the user + $i = 0; // Loop + + + // Get the users roles + $arrRole = $this->authorizedRoles( $inUsername, false ); + + + for( $i = 0; $i < sizeof( $arrRole ); $i++ ) { + + $arrTmpPermission = $this->rolePermissions( $arrRole[$i] ); + + + $arrUserPermission = array_merge( $arrUserPermission, $arrTmpPermission ); + + } + + + return $arrUserPermission; + + } + + + + + // ## sessionPermissions ############################################ + public function sessionPermissions( $inSession ) { + + $arrRole; // The roles of the session + $arrTmpPermission; // Temporary permission of a role + $arrSessionPermission = Array(); // The permissions of the user + $i = 0; // Loop + + + // Get the users roles + $arrRole = $this->sessionRoles( $inSession, false ); + + + for( $i = 0; $i < sizeof( $arrRole ); $i++ ) { + + $arrTmpPermission = $this->rolePermissions( $arrRole[$i] ); + + + $arrSessionPermission = array_merge( $arrSessionPermission, $arrTmpPermission ); + + } + + + return $arrSessionPermission; + + } + + + + + // ## roleOperationsOnObject ######################################## + public function roleOperationsOnObject( $inRole, $inResource ) { + + return $this->roleOperationsOnObjectInternal( $inRole, $inResource ); + + } 
+ + + + + // ## roleOperationsOnObjectInternal ################################ + protected function roleOperationsOnObjectInternal( $inRole, $inResource, $inUseStoredResource = false ) { + + $arrRole; // The roles of the session + $filter = ""; // Filter to search for the resource + $arrTmpSplit; // Temporary split of the permission-string + $arrOperation = Array(); // The resulting operations + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Get the users roles + $arrRole = $this->conn['role']->getEntry( $inRole ); + + + if( isset( $arrRole['dn'] ) ) { + + // This functionality stores the resource and re-uses it + // if said so. This saves an enourmous number of queries + // to the ldap-directory especially if this method is + // called from "OnObject". + if( $inUseStoredResource && isset( $this->arrEntryStorage['roleoperationsonobjectinternal'] ) ) { + + $arrResource = $this->arrEntryStorage['roleoperationsonobjectinternal']; + + } + else { + + // Create a filter to search for the resource + $filter = "(&" . $this->conf->getValue( "resource", "filter" ); + $filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $inResource . ")"; + $filter .= " (" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $inResource . ")))"; + + + // Ask the directory + $arrResource = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), $filter, Array( "rbacpermission" ) ); + + + // Store the entry + sizeof( $arrResource ) == 1 ? $this->arrEntryStorage['roleoperationsonobjectinternal'] = $arrResource : false; + + } + + + // There must not be more or less than 1 resource. If + // there are more, the resource is unknown because it is + // not uniqueue. + if( sizeof( $arrResource ) == 1 ) { + + // Check all permissions if it is a permission of + // the given role. If so, keep the operation in mind. 
+ for( $i = 0; $i < sizeof( $arrResource[0]['rbacpermission'] ); $i++ ) { + + $arrTmpSplit = preg_split( "/:-:/", $arrResource[0]['rbacpermission'][$i] ); + + + if( preg_match( "/^" . $arrTmpSplit[0] . "$/i", $inRole ) ) { + + $arrOperation[] = $arrTmpSplit[1]; + + } + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "RESOURCE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "RESOURCE_UNKNOWN" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + + return $this->removeDuplicates( $arrOperation ); + + } + + + + + // ## userOperationsOnObject ######################################## + public function userOperationsOnObject( $inUser, $inResource ) { + + $arrAuthRole; // The users authorized roles + $arrOperation = Array(); // The resulting operations + $arrTmpOperation; // Temporary array of operations + $i = 0; // Loop + + + // Get the users authorized roles + $arrAuthRole = $this->authorizedRoles( $inUser, false ); + + + for( $i = 0; $i < sizeof( $arrAuthRole ); $i++ ) { + + // Get the operations the user has because of role i + $arrTmpOperation = $this->roleOperationsOnObjectInternal( $arrAuthRole[$i], $inResource, true ); + + + // Only merge the result of the above call if it really is + // an array. + is_array( $arrTmpOperation ) ? 
$arrOperation = array_merge( $arrOperation, $arrTmpOperation ) : false; + + } + + + return $this->removeDuplicates( $arrOperation ); + + } + + + + + // ## sessionRoles ################################################## + public function sessionRoles( $inSession, $inExtRepresentation = true ) { + + $arrRoleReturn = Array(); // The result + $arrSessionEntry; // The entry of the session + $sessionDn = ""; // The sessions DN + $filter = ""; // Filterstring + $i = 0; // Loop + + + if( preg_match( "/.+/", $inSession ) ) { + + $sessionDn = $this->conf->getValue( "session", "namingattribute" ) . "=" . $inSession . ","; + $sessionDn .= $this->conf->getValue( "session", "base" ); + + + $arrSessionEntry = $this->conn['session']->getEntry( $sessionDn ); + + + // The session has to exist to get its roles + if( isset( $arrSessionEntry['dn'] ) ) { + + is_array( $arrSessionEntry['rbacsessionrole'] ) ? $arrRoleReturn = $arrSessionEntry['rbacsessionrole'] : $arrRoleReturn = Array(); + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SESSION_DOES_NOT_EXISTS" ), + $this->conf->getValue( "errorCode", "SESSION_DOES_NOT_EXISTS" ) ); + + } + + + // Convert the roles to the external representation + if( $inExtRepresentation ) { + + for( $i = 0; $i < sizeof( $arrRoleReturn ); $i++ ) { + + $arrRoleReturn[$i] = $this->roleIntToExt( $arrRoleReturn[$i] ); + + } + + } + + } + + + return $arrRoleReturn; + + } + + + + + // ## checkAccess ################################################### + public function checkAccess( $inSession, $inOperation, $inResource ) { + + $context = false; // Possibly a Context-object + $filter = ""; // Filterstring + $arrSessionRole; // The sessions active roleset + $i = 0; // Loop + + + // If an interceptor is defined, we need to + // provide a context and events + if( $this->interceptor ) { + + $context = new Context(); + + } + + + try { + + // Get all the active roles of the session. 
+ $arrSessionRole = $this->sessionRoles( $inSession, false ); + + + if( sizeof( $arrSessionRole ) > 0 ) { + + // Create a filter that only returns the resource if + // it is allready clear, that access will be granted. + // This filter includes not only the direct granted + // permission, but also the indirectly granted permission + // through role hirarchy. + $filter = "(&" . $this->conf->getValue( "resource", "filter" ); + $filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $inResource . ")"; + $filter .= " (" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $inResource . "))(|"; + + + for( $i = 0; $i < sizeof( $arrSessionRole ); $i++ ) { + + $filter .= "(rbacpermission=" . $arrSessionRole[$i] . ":-:" . $inOperation . ")"; + + } + + + $filter .= "))"; + + + // Ask the directory + $arrResource = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), $filter, "sub", + Array( $this->conf->getValue( "rsource", "namingattribute" ) ) ); + + + // ----------- + // -- EVENT -- + // The decision is known an given away to an other + // function. This may decide if we grant permission + // or not. + // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "decision", sizeof( $arrResource ) == 1 ); + + // Give away the context + $context = $this->interceptor->event( "checkAccess", "finish", $context ); + + // Use the returned context + $continue = $context->getSecurityChain(); + + } + + + // If there is an interceptor, we allow other + // functions to completely decide what to do. + if( $this->interceptor + && $context->getValue( "decision" ) ) { //$continue ) { + + return true; + + } + elseif( !$this->interceptor + && sizeof( $arrResource ) == 1 ) { + + return true; + + } + else { + + return false; + + } + + } + else { + + return false; + + } + + } + catch( Exception $e ) { + + $exceptionResult = false; + + + // ----------- + // -- EVENT -- + // There was an exception. 
Maybe an Extension can handle + // this. At this point we tend to return FALSE. + // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "exception", $e ); + $context->setValue( "decision", $exceptionResult ); + + // Give away the context + $context = $this->interceptor->event( "checkAccess", "exception", $context ); + + // Use the returned context + $exceptionResult = $context->getValue( "decision" ); + + } + + + return $exceptionResult; + + } + + } + + + + + // ## addUser ####################################################### + public function addUser( $inUsername, $inPassword, $inSubtree = "" ) { + + $context = false; // Possibly a Context-object + $crypto = new Crypto(); // The crypto-class to build hashes + $arrUserEntry; // The new user-entry + $namingAttribute = "uid"; // The users naming attribute + $userDn = ""; // The users DN + $continue = true; // The possible change in security chain + + + // If an interceptor is defined, we need to + // provide a context and events + if( $this->interceptor ) { + + $context = new Context(); + + } + + + // If a valid definition is given then use it. + if( preg_match( "/(^uid$)|(^cn$)|(^sn$)/i", $this->conf->getValue( "user", "namingattribute" ) ) ) { + + $namingAttribute = $this->conf->getValue( "user", "namingattribute" ); + + } + + + // Create filter to search for the user. It must not exist in + // the directory. + $filter = "(&" . $this->conf->getValue( "user", "filter" ); + $filter .= "(" . $namingAttribute . "=" . $inUsername . "))"; + + + // Ask the directory + $arrUserEntry = $this->conn['user']->search( $this->conf->getValue( "user", "base" ), $filter, + "sub", Array( $namingAttribute ) ); + + + // The user does not exist + if( sizeof( $arrUserEntry ) == 0 ) { + + // The users DN + $userDn = $namingAttribute . "=" . $inUsername . ","; + $userDn .= preg_match( "/^(.+=.+\s*,\s*)*(.+=.+\s*)$/i", $inSubtree ) ? $inSubtree . 
"," : ""; + $userDn .= $this->conf->getValue( "user", "base" ); + + + // Create the entry + $arrUserEntry['objectclass'][0] = "inetorgperson"; + $arrUserEntry[$namingAttribute][0] = $inUsername; + $arrUserEntry['userpassword'][0] = $crypto->ssha( $inPassword ); + + + // One of these attributes is allready set! + preg_match( "/(^uid$)|(^sn$)/i", $namingAttribute ) ? $arrUserEntry['cn'][0] = $inUsername : false; + preg_match( "/(^uid$)|(^cn$)/i", $namingAttribute ) ? $arrUserEntry['sn'][0] = $inUsername : false; + preg_match( "/(^sn$)|(^cn$)/i", $namingAttribute ) ? $arrUserEntry['uid'][0] = $inUsername : false; + + + // ----------- + // -- EVENT -- + // The user-entry is defined and is going to be + // added to the directory. Maybe someone wants to + // change the entry itself or deny this action. + // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "entry", $arrUserEntry ); + $context->setValue( "dn", $userDn ); + + // Give away the context + $context = $this->interceptor->event( "addUser", "write", $context ); + + // Use the returned context + $userDn = $context->getValue( "dn" ); + $arrUserEntry = $context->getValue( "entry" ); + $continue = $context->getSecurityChain(); + + } + + + if( $continue ) { + + if( $this->conn['user']->add( $userDn, $arrUserEntry ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "USER_ALLREADY_EXISTS" ), + $this->conf->getValue( "errorCode", "USER_ALLREADY_EXISTS" ) ); + + } + + } + + + + + // ## deleteUser #################################################### + public function deleteUser( $inUsername ) { + + $arrUserEntry; // The new user-entry + $namingAttribute = "uid"; // The standard naming-attribute + $filter = ""; // The search filter 
+ + + // If a valid definition is given then use it. + if( preg_match( "/(^uid$)|(^cn$)|(^sn$)/i", $this->conf->getValue( "user", "namingattribute" ) ) ) { + + $namingAttribute = $this->conf->getValue( "user", "namingattribute" ); + + } + + + // Construct the filter to search for the given user + $filter = "(&" . $this->conf->getValue( "user", "filter" ); + $filter .= "(" . $namingAttribute . "=" . $inUsername . "))"; + + + // Ask the directory + $arrUserEntry = $this->conn['user']->search( $this->conf->getValue( "user", "base" ), $filter, "sub", + Array( $namingAttribute ) ); + + + if( sizeof( $arrUserEntry ) == 1 ) { + + if( $this->conn['user']->delete( $arrUserEntry[0]['dn'] ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "USER_UNKNOWN" ), + $this->conf->getValue( "errorCode", "USER_UNKNOWN" ) ); + + } + + } + + + + + // ## addRole ####################################################### + public function addRole( $inRole ) { + + $context = false; // Possibly a Context-object + $arrRoleEntry; // The new role-entry + $roleNamingValue = ""; // The value of the naming-attribute + $continue = true; // Adding the role is permitted by default + + + // If an interceptor is defined, we need to + // provide a context and events + if( $this->interceptor ) { + + $context = new Context(); + + } + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Try to get the role from the directory + $arrRoleEntry = $this->conn['role']->getEntry( $inRole ); + + + // The role must not exist. 
+ if( !isset( $arrRoleEntry['dn'] ) ) { + + // Extract the naming-attribute from the role + $roleNamingValue = preg_split( "/[,]/", $inRole ); + $roleNamingValue = preg_split( "/[=]/", $roleNamingValue[0] ); + $roleNamingValue = $roleNamingValue[1]; + + + // Create the entry + $arrRoleEntry = Array(); + $arrRoleEntry['objectclass'][0] = "rbacrole"; + $arrRoleEntry[$this->conf->getValue( "role", "namingattribute" )][0] = $roleNamingValue; + + + // ----------- + // -- EVENT -- + // The role-entry is defined and ready. But maybe + // someone wants to change it or the creation + // of the role is not permitted + // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "entry", $arrRoleEntry ); + $context->setValue( "dn", $inRole ); + + // Give away the context + $context = $this->interceptor->event( "addRole", "write", $context ); + + // Use the returned context + $inRole = $context->getValue( "dn" ); + $arrRoleEntry = $context->getValue( "entry" ); + $continue = $context->getSecurityChain(); + + } + + + if( $continue ) { + + if( $this->conn['role']->add( $inRole, $arrRoleEntry ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_ALLREADY_EXISTS" ), + $this->conf->getValue( "errorCode", "ROLE_ALLREADY_EXISTS" ) ); + + } + + } + + + + + // ## deleteRole #################################################### + public function deleteRole( $inRole ) { + + $arrRoleEntry; // The new role-entry + $roleNamingValue = ""; // The value of the naming-attribute + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? 
$inRole = $this->roleExtToInt( $inRole ) : false; + + + // Try to get the role from the directory + $arrRoleEntry = $this->conn['user']->getEntry( $inRole ); + + + // The role must not exist. + if( isset( $arrRoleEntry['dn'] ) ) { + + if( $this->conn['role']->delete( $inRole ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + + + + + // ## assignUser #################################################### + public function assignUser( $inUsername, $inRole ) { + + $continue = true; // The possible change in security chain + $context = false; // Possibly a Context-object + $arrUserEntry; // The user-entry that has to exist + $arrRoleEntry; // The role-entry that will be modified + $userIsInEntry = false; // Is the user allready assigned to the role + $roleDn = ""; // The roles DN + $roleAssAttr = ""; // The attribute + $roleNamingValue = ""; // The value of the naming-attribute + $filter = ""; // Filter to search for user / role + $i = 0; // Loop + + + // If an interceptor is defined, we need to + // provide a context and events + if( $this->interceptor ) { + + $context = new Context(); + + } + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Create filter to search for the user. + $filter = "(&" . $this->conf->getValue( "user", "filter" ); + $filter .= "(" . $this->conf->getValue( "user", "namingattribute" ) . "=" . $inUsername . 
"))"; + + + // Ask the directory + $arrUserEntry = $this->conn['user']->search( $this->conf->getValue( "user", "base" ), $filter, + "sub", Array( $namingAttribute ) ); + + + // The user has to exist + if( sizeof( $arrUserEntry ) == 1 ) { + + // Extract the naming-attribute from the role + $roleNamingValue = preg_split( "/[,]/", $inRole ); + $roleNamingValue = preg_split( "/[=]/", $roleNamingValue[0] ); + $roleNamingValue = $roleNamingValue[1]; + + + $arrRoleEntry = $this->conn['role']->getEntry( $inRole ); + + + if( isset( $arrRoleEntry['dn'] ) ) { + + $roleDn = $arrRoleEntry['dn']; + $roleAssAttr = $this->conf->getValue( "role", "assignedattribute" ); + + + // Check if the user is allready assigned to this role + for( $i = 0; $i < sizeof( $arrRoleEntry[$roleAssAttr] ); $i++ ) { + + $userIsInEntry = $userIsInEntry + || preg_match( "/^" . $inUsername . "$/i", $arrRoleEntry[$roleAssAttr][$i] ); + + } + + + // If the role exists, the user exists and the user is + // not allready assigned to the role do the assignement + if( !$userIsInEntry ) { + + if( sizeof( $arrRoleEntry[$roleAssAttr] ) > 0 ) { + + $arrRoleEntry[$roleAssAttr][] = $inUsername; + + } + else { + + $arrRoleEntry[$roleAssAttr][0] = $inUsername; + + } + + + // ----------- + // -- EVENT -- + // The role-entry is defined and ready. 
But maybe + // someone wants to change it or the assignment + // of the user to the role is not permitted + // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "performer", $arrRoleEntry[$roleAssAttr] ); + $context->setValue( "dn", $roleDn ); + + // Give away the context + $context = $this->interceptor->event( "assignUser", "write", $context ); + + // Use the returned context + $roleDn = $context->getValue( "dn" ); + $arrRoleEntry[$roleAssAttr] = $context->getValue( "performer" ); + $continue = $context->getSecurityChain(); + + } + + + if( $continue ) { + + if( $this->conn['role']->modify( $roleDn, Array( $roleAssAttr => $arrRoleEntry[$roleAssAttr] ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "USER_UNKNOWN" ), + $this->conf->getValue( "errorCode", "USER_UNKNOWN" ) ); + + } + + } + + + + + // ## deassignUser ################################################## + public function deassignUser( $inUsername, $inRole ) { + + $arrAssigned; // The users that stay assigned to the role + $arrUserEntry; // The user-entry that has to exist + $arrRoleEntry; // The role-entry that will be modified + $userIsInEntry = false; // Is the user allready assigned to the role + $userDn = ""; // The users DN + $roleAssAttr = ""; // The attribute + $filter = ""; // Filter to search for user / role + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? 
$inRole = $this->roleExtToInt( $inRole ) : false; + + + // Create filter to search for the user. + $filter = "(&" . $this->conf->getValue( "user", "filter" ); + $filter .= "(" . $this->conf->getValue( "user", "namingattribute" ) . "=" . $inUsername . "))"; + + + // Ask the directory + $arrUserEntry = $this->conn['user']->search( $this->conf->getValue( "user", "base" ), $filter, + "sub", Array( $namingAttribute ) ); + + + // The user has to exist + if( sizeof( $arrUserEntry ) == 1 ) { + + // Extract the naming-attribute from the role + $roleNamingValue = preg_split( "/[,]/", $inRole ); + $roleNamingValue = preg_split( "/[=]/", $roleNamingValue[0] ); + $roleNamingValue = $roleNamingValue[1]; + +/* + // Create filter to search for the role. + $filter = "(&" . $this->conf->getValue( "role", "filter" ); + $filter .= "(" . $this->conf->getValue( "role", "namingattribute" ) . "=" . $roleNamingValue . "))"; + + + // Ask the directory + $arrRoleEntry = $this->conn['role']->search( $this->conf->getValue( "role", "base" ), $filter, "sub" ); +*/ + + $arrRoleEntry = $this->conn['role']->getEntry( $inRole ); + + +// if( sizeof( $arrRoleEntry ) == 1 ) { + if( isset( $arrRoleEntry['dn'] ) ) { + +// $arrRoleEntry = $arrRoleEntry[0]; + $roleAssAttr = $this->conf->getValue( "role", "assignedattribute" ); + + + // Check if the user is allready assigned to this role. At the same + // time re-add all the other users assigned to that role. + $arrAssigned = Array(); + for( $i = 0; $i < sizeof( $arrRoleEntry[$roleAssAttr] ); $i++ ) { + + if( !preg_match( "/^" . $inUsername . 
"$/i", $arrRoleEntry[$roleAssAttr][$i] ) ) { + + $arrAssigned[] = $arrRoleEntry[$roleAssAttr][$i]; + + } + else { + + $userIsInEntry = true; + + } + + } + + + // If the role exists, the user exists and the user is + // not allready assigned to the role do the assignement + if( $userIsInEntry ) { + + if( $this->conn['role']->modify( $arrRoleEntry['dn'], Array( $roleAssAttr => $arrAssigned ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "USER_UNKNOWN" ), + $this->conf->getValue( "errorCode", "USER_UNKNOWN" ) ); + + } + + } + + + + + // ## grantPermission ############################################### + public function grantPermission( $inResource, $inOperation, $inRole ) { + + $arrRoleEntry; // The roles entry + $arrResourceEntry; // The resources entry + $arrPermission; // The permissions that have to be set + $filter = ""; // Filter to search for role and resource + $isValidOp = false; // Is the given operation valid + $isInEntry = false; // Is the permission allready granted + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Create a filter to get the resource + $filter = "(&" . $this->conf->getValue( "resource", "filter" ); + $filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $inResource . ")"; + $filter .= " (" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $inResource . 
")))"; + + + // Get the resource + $arrResourceEntry = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), + $filter, "sub" ); + + + // Get the role + $arrRoleEntry = $this->conn['resource']->getEntry( $inRole ); + + + // The resource has to exist and has to be uniqueue + if( sizeof( $arrResourceEntry ) == 1 ) { + + // Check if the operation is valid + for( $i = 0; $i < sizeof( $arrResourceEntry[0]['rbacoperation'] ); $i++ ) { + + $isValidOp = $isValidOp | preg_match( "/^" . $inOperation . "$/i", $arrResourceEntry[0]['rbacoperation'][$i] ); + + } + + + // Check if the permission allready exists + for( $i = 0; $i < sizeof( $arrResourceEntry[0]['rbacpermission'] ); $i++ ) { + + $isInEntry = $isInEntry | preg_match( "/^" . $inRole . ":-:" . $inOperation . "$/i", $arrResourceEntry[0]['rbacpermission'][$i] ); + + } + + + // The role has to exist + if( isset( $arrRoleEntry['dn'] ) ) { + + // The operation has to be valid + if( $isValidOp ) { + + // The permission must not allready be set + if( !$isInEntry ) { + + $arrPermission = $arrResourceEntry[0]['rbacpermission']; + + + $arrPermission[] = $inRole . ":-:" . 
$inOperation; + + + if( $this->conn['resource']->modify( $arrResourceEntry[0]['dn'], Array( "rbacpermission" => $arrPermission ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "RESOURCE_OPERATION_ERROR" ), + $this->conf->getValue( "errorCode", "RESOURCE_OPERATION_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "RESOURCE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "RESOURCE_UNKNOWN" ) ); + + } + + } + + + + + // ## revokePermission ############################################## + public function revokePermission( $inOperation, $inResource, $inRole ) { + + $arrResourceEntry; // The resources entry + $arrPermission; // The permissions that have to be set + $filter = ""; // Filter to search for role and resource + $isValidOp = false; // Is the given operation valid + $isInEntry = false; // Is the permission allready granted + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Create a filter to get the resource + $filter = "(&" . $this->conf->getValue( "resource", "filter" ); + $filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $inResource . ")"; + $filter .= "(" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $inResource . 
")))"; + + + // Get the resource + $arrResourceEntry = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), + $filter, "sub" ); + + + // The resource has to exist and has to be uniqueue + if( sizeof( $arrResourceEntry ) == 1 ) { + + // Check if the permission really exists + for( $i = 0; $i < sizeof( $arrResourceEntry[0]['rbacpermission'] ); $i++ ) { + + $isInEntry = $isInEntry | preg_match( "/^" . $inRole . ":-:" . $inOperation . "$/i", $arrResourceEntry[0]['rbacpermission'][$i] ); + + } + + + // The permission must not allready be set + if( $isInEntry ) { + + for( $i = 0; $i < sizeof( $arrResourceEntry[0]['rbacpermission'] ); $i++ ) { + + if( !preg_match( "/^" . $inRole . ":-:" . $inOperation . "$/i", $arrResourceEntry[0]['rbacpermission'][$i] ) ) { + + $arrPermission[] = $arrResourceEntry[0]['rbacpermission'][$i]; + + } + + } + + + if( $this->conn['resource']->modify( $arrResourceEntry[0]['dn'], Array( "rbacpermission" => $arrPermission ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "RESOURCE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "RESOURCE_UNKNOWN" ) ); + + } + + } + + + + + // ## authorizedRoles ############################################### + public function authorizedRoles( $inUsername, $inExtRepresentation = true ) { + + return $this->assignedRoles( $inUsername, $inExtRepresentation ); + + } + + + + + // ## authorizedUsers ############################################### + public function authorizedUsers( $inRole, $inUseStoredRole = false ) { + + return $this->assignedUsers( $inRole, $inUseStoredRole ); + + } + + + + + // ## sessionUser ################################################### + public function sessionUser( $inSession ) { + + $arrSessionEntry; // 
The entry of the session + $sessionDn = ""; // The sessions DN + $filter = ""; // Filterstring + $username = ""; // The owner of the session + $i = 0; // Loop + + + if( preg_match( "/.+/", $inSession ) ) { + + $sessionDn = $this->conf->getValue( "session", "namingattribute" ) . "=" . $inSession . ","; + $sessionDn .= $this->conf->getValue( "session", "base" ); + + + $arrSessionEntry = $this->conn['session']->getEntry( $sessionDn ); + + + // The session has to exist to get its roles + if( isset( $arrSessionEntry['dn'] ) ) { + + $username = $arrSessionEntry['rbacsessionuser'][0]; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SESSION_DOES_NOT_EXISTS" ), + $this->conf->getValue( "errorCode", "SESSION_DOES_NOT_EXISTS" ) ); + + } + + } + + + return $username; + + } + + + + + // ## removeDuplicates ############################################## + protected final function removeDuplicates( Array $inArray ) { + + $arrOut = Array(); + $element = ""; + + + while( $element = array_pop( &$inArray ) ) { + + if( !in_array( $element, $inArray ) ) { + + $arrOut[] = $element; + + } + + } + + + return $arrOut; + + } + + + + + // ## getConfiguration ############################################## + public function getConfiguration() { + + return $this->conf; + + } + + + + + // ## getConnection ################################################# + public function getConnection( $inName ) { + + if( isset( $this->conn[$inName] ) + && $this->conn[$inName]->hasConnection() ) { + + return $this->conn[$inName]; + + } + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/RBAClimitedHirarchical.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/RBAClimitedHirarchical.class.php new file mode 100755 index 0000000..48e3be9 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbac/RBAClimitedHirarchical.class.php 
@@ -0,0 +1,648 @@ +<?php +// #################################################################### +// Version: 0.2.0 +// Autor: Markus Widmer +// Erstellungsdatum: 15.08.2007 +// Letzte Aenderung: 19.12.2007 + + +// Requiring these interfaces if the RBAC-Framework +// is not existing. Otherwise the RBAC-Framework +// takes care of importing all nevessarry classes and +// interfaces. +if( !class_exists( "RBAC" ) ) { + + require_once( "iNode.interface.php" ); + require_once( "iXML.interface.php" ); + require_once( "iLDAP.interface.php" ); + require_once( "iCrypto.interface.php" ); + require_once( "iConvert.interface.php" ); + require_once( "iContext.interface.php" ); + require_once( "iRBACcore.interface.php" ); + require_once( "iRBAClimitedHirarchical.interface.php" ); + + + require_once( "SimpleConfig.class.php" ); + require_once( "XML.class.php" ); + require_once( "Node.class.php" ); + require_once( "LDAP.class.php" ); + require_once( "Crypto.class.php" ); + require_once( "Convert.class.php" ); + require_once( "RBACException.class.php" ); + require_once( "RBACExtension.class.php" ); + require_once( "Context.class.php" ); + require_once( "RBACcore.class.php" ); + +} + + +class RBAClimitedHirarchical extends RBACcore implements iRBAClimitedHirarchical { + + // ## Klassenvariablen ############################################## + + + + + // ## Konstruktor ################################################### + public function __construct( $inConfigurationFile, RBAC $inInterceptor = null ) { + + parent::__construct( $inConfigurationFile, $inInterceptor ); + + } + + + + + // ## rolePermissions ############################################### + public function rolePermissions( $inRole ) { + + $arrResource; // The resources the role has a permission on + $arrPermission = Array(); // The permissions found + $arrTmpSplit; // Splitted string + $filter = ""; // Filterstring + $i = 0; // Loop + $j = 0; // Loop + + + // Make sure the role has internal representation + 
!$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Get the role-entry + $arrRole = $this->conn['role']->getEntry( $inRole ); + + + if( isset( $arrRole['dn'] ) ) { + + // Create the filter to search for all the roles in the + // role-hirarchy. This is the start. + $filter = "(&" . $this->conf->getValue( "resource", "filter" ) . "(|"; + + + // Split the role-DN to get informations about the hirarchy. But first + // remove the role-base. + $arrTmpSplit = preg_split( "/[,]/", preg_replace( "/\s*,\s*" . $this->conf->getValue( "role", "base" ) . "\s*$/i", "", $inRole ) ); + + + // Add each role in the hirarchy to the filter + while( sizeof( $arrTmpSplit ) > 0 ) { + + $filter .= "(rbacpermission=" . join( ",", $arrTmpSplit ) . "," . $this->conf->getValue( "role", "base" ) . ":-:*)"; + + + // Cut off the first element + array_shift( &$arrTmpSplit ); + + } + + + + $filter .= "))"; + + + $arrResource = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), + $filter, "sub", + Array( $this->conf->getValue( "resource", "namingattribute" ), + $this->conf->getValue( "resource", "aliasattribute" ), + "rbacpermission" ) ); + + + for( $i = 0; $i < sizeof( $arrResource ); $i++ ) { + + for( $j = 0; $j < sizeof( $arrResource[$i]['rbacpermission'] ); $j++ ) { + + $arrTmpSplit = preg_split( "/:-:/", $arrResource[$i]['rbacpermission'][$j] ); + + + if( preg_match( "/" . $arrTmpSplit[0] . 
"$/i", $inRole ) ) { + + $arrPermission[] = Array( "resource" => $arrResource[$i][$this->conf->getValue( "resource", "namingattribute" )][0], + "alias" => $arrResource[$i][$this->conf->getValue( "resource", "aliasattribute" )], + "operation" => $arrTmpSplit[1] ); + + } + + } + + } + + + return $arrPermission; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + + + + + // ## addInheritance ################################################ + public function addInheritance( $inAscendant, $inDescendant ) { + + $context = false; // Possibly a Context-object + $arrAscendant; // Role entry of the ascendant + $arrDescendant; // Role entry of the descendant + $tmpString = ""; // Temporary string + $arrTmpSplit; // The splitted tmpString + $filter = ""; // Filterstring + $continue = true; // The possible change in security chain + + + // If an interceptor is defined, we need to + // provide a context and events + if( $this->interceptor ) { + + $context = new Context(); + + } + + + // Make sure the roles have internal representation + !$this->isIntRepresentation( $inAscendant ) ? $inAscendant = $this->roleExtToInt( $inAscendant ) : false; + !$this->isIntRepresentation( $inDescendant ) ? $inDescendant = $this->roleExtToInt( $inDescendant ) : false; + + + // Get the role-entries + $arrAscendant = $this->conn['role']->getEntry( $inAscendant ); + $arrDescendant = $this->conn['role']->getEntry( $inDescendant ); + + + // Both roles have to exist in the directory + if( isset( $arrAscendant['dn'] ) && isset( $arrDescendant['dn'] ) ) { + + // The ascendant does not have any descendant yet. To find out, cut + // the base-DN. The result should be the role RDN. + $tmpString = $inAscendant; + $tmpString = preg_replace( "/\s*,\s*" . $this->conf->getValue( "role", "base" ) . 
"$/i", "", $tmpString ); + $arrTmpSplit = preg_split( "/[,]/", $tmpString ); + + + // The ascendants new DN will be + $ascendantNewDn = $tmpString . "," . $inDescendant; + + + // If there are not more commas there are no descendants and + // the tmpString is the role RDN. So the preg_split-function + // returns an array containing only one entry, the role RDN + // itself. + if( sizeof( $arrTmpSplit ) <= 1 ) { + + // ----------- + // -- EVENT -- + // The inheritance is going to be added to + // the RBAC-system. But maybe someone wants to + // check for consistency. + // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "ascendantNewDn", $tmpString . "," . $inDescendant ); + + // Give away the context + $context = $this->interceptor->event( "addInheritance", "write", $context ); + + // Use the returned context + $userDn = $context->getValue( "dn" ); + $arrUserEntry = $context->getValue( "entry" ); + $continue = $context->getSecurityChain(); + + } + + + if( $continue ) { + + if( $this->conn['role']->copy( $inAscendant, $tmpString . "," . 
$inDescendant, true ) ) { + + if( $this->conn['role']->delete( $inAscendant, true ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "UNKNOWN_ERROR" ), + $this->conf->getValue( "errorCode", "UNKNOWN_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "UNKNOWN_ERROR" ), + $this->conf->getValue( "errorCode", "UNKNOWN_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + + + + + // ## deleteInheritance ############################################# + public function deleteInheritance( $inAscendant, $inDescendant ) { + + $arrAscendant; // Role entry of the ascendant + $arrDescendant; // Role entry of the descendant + $tmpString = ""; // Temporary string + $arrTmpSplit; // The splitted tmpString + $filter = ""; // Filterstring + + + // Make sure the roles have internal representation + !$this->isIntRepresentation( $inAscendant ) ? $inAscendant = $this->roleExtToInt( $inAscendant ) : false; + !$this->isIntRepresentation( $inDescendant ) ? $inDescendant = $this->roleExtToInt( $inDescendant ) : false; + + + // Get the role-entries + $arrAscendant = $this->conn['role']->getEntry( $inAscendant ); + $arrDescendant = $this->conn['role']->getEntry( $inDescendant ); + + + // Both roles have to exist in the directory + if( isset( $arrAscendant['dn'] ) && isset( $arrDescendant['dn'] ) ) { + + // The ascendant has to be a direct ascendant of the descendant. To + // find out, cut the descendant from the ascendant. This should be the + // same as taking the RDN of the ascendant. + $tmpString = $inAscendant; + $tmpString = preg_replace( "/\s*,\s*" . $inDescendant . 
"/i", "", $tmpString ); + $arrTmpSplit = preg_split( "/[,]/", $inAscendant ); + + + if( preg_match( "/[\s]*" . $tmpString . "[\s]*/i", $arrTmpSplit[0] ) ) { + + // Move the ascendant to the role base + if( $this->conn['role']->copy( $inAscendant, $arrTmpSplit[0] . "," . $this->conf->getValue( "role", "base" ), true ) ) { + + if( $this->conn['role']->delete( $inAscendant, true ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "UNKNOWN_ERROR" ), + $this->conf->getValue( "errorCode", "UNKNOWN_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "UNKNOWN_ERROR" ), + $this->conf->getValue( "errorCode", "UNKNOWN_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + + + + + // ## addAscendant ################################################## + public function addAscendant( $inAscendant, $inDescendant ) { + + $context = false; // Possibly a Context-object + $arrAscEntry; // The new role-entry + $arrDescEntry; // The descendant role-entry + $ascNamingValue = ""; // The value of the naming-attribute + $ascDn = ""; // The DN of the ascendant + $continue = true; // Adding the role is permitted by default + + + // If an interceptor is defined, we need to + // provide a context and events + if( $this->interceptor ) { + + $context = new Context(); + + } + + + // Make sure the roles have internal representation + !$this->isIntRepresentation( $inAscendant ) ? $inAscendant = $this->roleExtToInt( $inAscendant ) : false; + !$this->isIntRepresentation( $inDescendant ) ? 
$inDescendant = $this->roleExtToInt( $inDescendant ) : false; + + + // Extract the naming-attribute from the ascendant + $ascNamingValue = preg_split( "/[,]/", $inAscendant ); + $ascNamingValue = preg_split( "/[=]/", $ascNamingValue[0] ); + $ascNamingValue = $ascNamingValue[1]; + + + // The ascendant-entry will be directly under the descendant-entry + $ascDn = $this->conf->getValue( "role", "namingattribute" ) . "=" . $ascNamingValue . "," . $inDescendant; + + + // Try to get the role from the directory + $arrAscEntry = $this->conn['role']->getEntry( $ascDn ); + $arrDescEntry = $this->conn['role']->getEntry( $inDescendant ); + + + // The descendant has to exist, while ascendant must not. + // The ascendant has to be directly under the descendant! + if( !isset( $arrAscEntry['dn'] ) + && isset( $arrDescEntry['dn'] ) ) { + + // Create the entry + $arrAscEntry = Array(); + $arrAscEntry['objectclass'][0] = "rbacrole"; + $arrAscEntry[$this->conf->getValue( "role", "namingattribute" )][0] = $ascNamingValue; + + + // ----------- + // -- EVENT -- + // The ascendant-entry is defined and ready. But maybe + // someone wants to change it or the creation + // of the ascendant is not permitted + // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "entry", $arrAscEntry ); + $context->setValue( "dn", $ascDn ); + + // Give away the context + $context = $this->interceptor->event( "addAscendant", "write", $context ); + + // Use the returned context + $inAscendant = $context->getValue( "dn" ); + $arrAscEntry = $context->getValue( "entry" ); + $continue = $context->getSecurityChain(); + + } + + + if( $continue ) { + + if( $this->conn['role']->add( $ascDn, $arrAscEntry ) ) { + + // ----------- + // -- EVENT -- + // The ascendant-entry has been added. Is there + // anything else to do by somebody? 
+ // ----------- + if( $this->interceptor ) { + + // Create context + $context->setValue( "entry", $arrAscEntry ); + $context->setValue( "dn", $ascDn ); + + // Give away the context + $context = $this->interceptor->event( "addAscendant", "finished", $context ); + + } + + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_ALLREADY_EXISTS" ), + $this->conf->getValue( "errorCode", "ROLE_ALLREADY_EXISTS" ) ); + + } + + } + + + + + // ## addDescendant ################################################# + public function addDescendant( $inAscendant, $inDescendant ) { + + if( $this->addRole( $inDescendant ) ) { + + return $this->addInheritance( $inAscendant, $inDescendant ); + + } + + } + + + + + // ## authorizedRoles ############################################### + public function authorizedUsers( $inRole, $inUseStoredRole = false ) { + + $arrRole; // The roles ldap-entry + $arrRoleAscendant; // The roles ascendants + $arrUser; // The authorized users + $filter = ""; // Filter-string + + + // Make sure the role has internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + if( $inUseStoredRole && isset( $this->arrEntryStorage['assignedusersrole'][$inRole] ) ) { + + $arrRole = $this->arrEntryStorage['assignedusersrole'][$inRole]; + + } + else { + + // Get the role-entry + $arrRole = $this->conn['role']->getEntry( $inRole ); + $this->arrEntryStorage['assignedusersrole'][$inRole] = $arrRole; + + } + + + if( isset( $arrRole['dn'] ) ) { + + // The filter is only the role-filter because every + // ascendant is wanted. 
+ $filter = $this->conf->getValue( "role", "filter" ); + + + // Get all the ascendants + $arrRoleAscendant = $this->conn['role']->search( $arrRole['dn'], $filter, "sub", + Array( $this->conf->getValue( "role", "namingattribute" ), + $this->conf->getValue( "role", "assignedattribute" ) ) ); + + + for( $i = 0; $i < sizeof( $arrRoleAscendant ); $i++ ) { + + for( $j = 0; $j < sizeof( $arrRoleAscendant[$i][$this->conf->getValue( "role", "assignedattribute" )] ); $j++ ) { + + $arrUser[] = $arrRoleAscendant[$i][$this->conf->getValue( "role", "assignedattribute" )][$j]; + + } + + } + + + return $this->removeDuplicates( $arrUser ); + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + + + + + // ## authorizedRoles ############################################### + public function authorizedRoles( $inUsername, $inExtRepresentation = true ) { + + $arrTmpSplit; // Splitted string + $arrAssignedRole = Array(); // All the assigned roles for the user + $arrAuthorizedRole = Array(); // All the authorized roles for the user + $i = 0; // Loop + + + // Get the directly assigned roles + $arrAssignedRole = $this->assignedRoles( $inUsername, false ); + + + for( $i = 0; $i < sizeof( $arrAssignedRole ); $i++ ) { + + // Split the role-DN to get informations about the hirarchy. But first + // remove the role-base. + $arrTmpSplit = preg_split( "/[,]/", + preg_replace( "/\s*,\s*" . $this->conf->getValue( "role", "base" ) . "\s*$/i", + "", $arrAssignedRole[$i] ) ); + + + // Add each role in the hirarchy to the list + while( sizeof( $arrTmpSplit ) > 0 ) { + + $arrAuthorizedRole[] = join( ",", $arrTmpSplit ) . "," . 
$this->conf->getValue( "role", "base" ); + + + // Cut off the first element + array_shift( &$arrTmpSplit ); + + } + + } + + + $arrAuthorizedRole = $this->removeDuplicates( $arrAuthorizedRole ); + + + // For internal use this can be left out, so the + // internal function that uses this one doesn't have + // to convert every role back to internal representation + if( $inExtRepresentation ) { + + for( $i = 0; $i < sizeof( $arrAuthorizedRole ); $i++ ) { + + $arrAuthorizedRole[$i] = $this->roleIntToExt( $arrAuthorizedRole[$i] ); + + } + + } + + + return $arrAuthorizedRole; + + } + + + + + // ## roleOperationsOnObject ######################################## + public function roleOperationsOnObject( $inRole, $inResource, $inUseStoredResource = false ) { + + $arrOperation = Array(); // All the operations the role is authorized for + $arrRoleSplit = Array(); + $roleWithoutBase = ""; + $roleTmp = ""; + $i = 0; + + + // Make sure the roles have internal representation + !$this->isIntRepresentation( $inRole ) ? $inRole = $this->roleExtToInt( $inRole ) : false; + + + // Remove the role-base + $roleWithoutBase = preg_replace( "/\s*,\s*" . $this->conf->getValue( "role", "base" ) . "\s*$/i", "", $inRole ); + + + // Split the role hirarchy + $arrRoleSplit = preg_split( "/[,]/", $roleWithoutBase ); + + + $roleTmp = $this->conf->getValue( "role", "base" ); + + for( $i = sizeof( $arrRoleSplit ) - 1; $i >= 0; $i-- ) { + + $roleTmp = $arrRoleSplit[$i] . "," . $roleTmp; + + $arrOperation = array_merge( $arrOperation, parent::roleOperationsOnObjectInternal( $roleTmp, $inResource, true ) ); + + } + + + return $this->removeDuplicates( $arrOperation ); + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/XACML.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/XACML.class.php new file mode 100755 index 0000000..1962be2 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/XACML.class.php 
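Review bot: `rolePermissions` and `deleteInheritance` splice DN fragments straight into an LDAP filter (`"(rbacpermission=" . join( ",", $arrTmpSplit ) . ... ":-:*)"`) and into PCRE patterns (`preg_replace( "/\s*,\s*" . $inDescendant . "/i", ... )`, `preg_match( "/" . $arrTmpSplit[0] . "$/i", $inRole )`) without `ldap_escape()` / `preg_quote()`, so a role name containing `*`, `(`, `)` or regex metacharacters widens the search or breaks the match; whether `$inRole` is already validated inside `roleExtToInt()` is not visible in this hunk. In `addInheritance` and `addAscendant` the values read back from the interceptor (`$userDn`, `$arrUserEntry`, `$inAscendant`) are never used afterwards, so a hook that rewrites the DN or entry is silently ignored while `getSecurityChain()` still gates the write; either drop those reads or feed them into the following `copy()` / `add()` call. `authorizedUsers` passes `$arrUser` to `removeDuplicates( Array $inArray )` without initialising it, which fails for a role whose subtree has no assigned users; add `$arrUser = Array();` next to the other locals. The call-time references `array_shift( &$arrTmpSplit )` in `rolePermissions` and `authorizedRoles` are rejected by PHP 5.4 and later; `array_shift( $arrTmpSplit )` already takes its argument by reference.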
@@ -0,0 +1,114 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Created: 07.04.2008 +// Modified: 10.04.2008 +// Version: 0.2.0 +// ####################################################### + + + +class XACML { + + // Global variables + protected $rbac; + + + + // ----------------------------------------------------- + // Constructor + // Input: none + // Output: object RBACcore + // Description: + // Creates initial connections to the LDAP-server and + // sets some configuration parameters. + // ----------------------------------------------------- + public function __construct( $inRbacConfFile, $inRbacBase ) { + + $this->rbac = new RBAC( $inRbacConfFile, $inRbacBase ); + + } + + + + + // ----------------------------------------------------- + // Function: checkXACMLaccess + // Input: inRequest / urn:oasis:xacml:2.0:saml:protocol:schema:os:XACMLAuthzDecisionQuery + // Output: result / urn:oasis:xacml:2.0:saml:assertion:schema:os:XACMLAuthzDecisionStatement + // Description + // Decides if the access to the resource may be + // granted. To do so the function takes the Subject, + // Action and Resource and passes them to the RBAC system. 
+ // ----------------------------------------------------- + function checkXACMLaccess( $inRequest ) { + + $result = new stdClass(); // The response + + + $result->Response = new stdClass(); + $result->Response->Result = new stdClass(); + + + if( preg_match( "/^2\.0$/", $version ) ) { + + try { + + if( $this->rbac->checkAccess( $inRequest->Request->Subject->Attribute->AttributeValue->any, + $inRequest->Request->Action->Attribute->AttributeValue->any, + $inRequest->Request->Resource->Attribute->AttributeValue->any ) ) { + + $result->Response->Result->Decision = "Permit"; + + } + else { + + $result->Response->Result->Decision = "Deny"; + + } + + } + catch( Exception $e ) { + + $result->Response->Result->Decision = "Indeterminate"; + + } + + + + // Return the request if the flag is set to TRUE + if( $inRequest->ReturnContext ) { + + $result->Request = new stdClass(); + + isset( $inRequest->Request->Subject ) ? $result->Request->Subject = $inRequest->Request->Subject + : $result->Request->Subject = new sdtClass(); + + + isset( $inRequest->Request->Resource ) ? $result->Request->Resource = $inRequest->Request->Resource + : $result->Request->Resource = new stdClass(); + + + isset( $inRequest->Request->Action ) ? $result->Request->Action = $inRequest->Request->Action + : $result->Request->Action = new stdClass(); + + + isset( $inRequest->Request->Environment ) ? $result->Request->Environment = $inRequest->Request->Environment + : $result->Request->Environment = new stdClass(); + + } + + } + else { + + $result->Response->Result->Decision = "NotApplicable"; + + } + + + return $result; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/clients/xacmlCheckAccess.php b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/clients/xacmlCheckAccess.php new file mode 100755 index 0000000..523bfc8 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/clients/xacmlCheckAccess.php 
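Review bot: `checkXACMLaccess` tests `$version`, which is never assigned in the method, so `preg_match( "/^2\.0$/", $version )` is always false and every query is answered `NotApplicable` without `checkAccess()` ever being consulted; the version travels in the query itself, so this should read `if( preg_match( "/^2\.0$/", $inRequest->Version ) ) {`. The `ReturnContext` branch also instantiates `new sdtClass()` (typo for `stdClass`), which becomes a fatal error as soon as that branch is reachable. The Subject, Action and Resource values are dereferenced through four nested properties with no `isset()` guard, so a malformed query raises notices and reaches `checkAccess()` with nulls instead of yielding `Indeterminate`; checking those paths before the call keeps the decision logic in one place.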
@@ -0,0 +1,98 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Created: 03.04.2008
+// Modified: 10.08.2008
+// Version: 0.1.0
+// #######################################################
+
+
+
+// -----------------------------------------------------
+// You need this service
+// -----------------------------------------------------
+$soapXACML = new SoapClient( "http://<PATH_TO_WSDL>/xacml.wsdl", Array( "trace" => 1 ) );
+
+
+echo "<BODY><HTML>";
+
+
+if( isset( $_POST['session'] ) ) {
+
+ // -----------------------------------------------------
+ // The XACMLAuthzDecicionQuery consists of a complex
+ // structure that is build up here.
+ // -----------------------------------------------------
+
+ $regReq = new stdClass();
+
+ $regReq->Version = "2.0";
+ $regReq->ID = time();
+ $regReq->ReturnContext = true;
+ $regReq->Request = new stdClass();
+ $regReq->Request->Subject = new stdClass();
+ $regReq->Request->Resource = new stdClass();
+ $regReq->Request->Action = new stdClass();
+ $regReq->Request->Environment = new stdClass();
+
+ $regReq->Request->Subject->Attribute = new stdClass();
+ $regReq->Request->Subject->Attribute->AttributeId = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
+ $regReq->Request->Subject->Attribute->DataType = "http://www.w3.org/2001/XMLSchema#string";
+ $regReq->Request->Subject->Attribute->AttributeValue = new stdClass();
+ $regReq->Request->Subject->Attribute->AttributeValue->any = $_POST['session'];
+
+ $regReq->Request->Resource->Attribute = new stdClass();
+ $regReq->Request->Resource->Attribute->AttributeId = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
+ $regReq->Request->Resource->Attribute->DataType = "http://www.w3.org/2001/XMLSchema#anyURI";
+ $regReq->Request->Resource->Attribute->AttributeValue = new stdClass();
+ $regReq->Request->Resource->Attribute->AttributeValue->any = $_POST['resource'];
+
+ $regReq->Request->Action->Attribute = new stdClass();
+ $regReq->Request->Action->Attribute->AttributeId = "urn:oasis:names:tc:xacml:1.0:action:action-id";
+ $regReq->Request->Action->Attribute->DataType = "http://www.w3.org/2001/XMLSchema#string";
+ $regReq->Request->Action->Attribute->AttributeValue = new stdClass();
+ $regReq->Request->Action->Attribute->AttributeValue->any = $_POST['operation'];
+
+
+ echo "<BR>";
+ echo "Checking for access...<BR/><BR/>";
+ echo "Look at the HTML-code to see what happens, if you are interested in the SOAP documents!<BR/><BR/>";
+
+
+ try {
+
+ $caResponse = $soapXACML->checkXACMLaccess( $regReq );
+
+ echo "\n\n" . $soapXACML->__getLastRequest();
+ echo "\n\n" . $soapXACML->__getLastResponse() . "\n\n";
+
+ if( preg_match( "/^permit$/i", $caResponse->Response->Result->Decision ) ) {
+
+ echo "<BR><HR><BR>Granted: YES.<BR><HR><BR>";
+
+ }
+ else {
+
+ echo "<BR><HR><BR>Granted: NO.<BR><HR><BR>";
+
+ }
+
+ }
+ catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+ }
+
+}
+
+
+echo "<FORM action=\"xacmlCheckAccess.php\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "Session: <INPUT type=\"text\" name=\"session\" value=\"\"><BR>\n";
+echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n";
+echo "Operation: <INPUT type=\"text\" name=\"operation\" value=\"\"><BR>\n";
+echo "<INPUT type=\"submit\" value=\"Commit...\">\n";
+echo "</FORM>\n";
+
+echo "</BODY></HTML>";
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/wsdl/xacml.wsdl b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/wsdl/xacml.wsdl
new file mode 100644
index 0000000..6a03f69
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/wsdl/xacml.wsdl
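Review bot: `echo "\n\n" . $soapXACML->__getLastRequest();`, the `__getLastResponse()` line under it and the `$f->faultstring` echo in the catch block write server- and user-supplied XML straight into the HTML, and with `trace => 1` the request body carries the three `$_POST` values verbatim, so anything submitted through the form is reflected unescaped; pass each through `htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' )` (inside a `<PRE>` if the XML is meant to stay readable). `$_POST['resource']` and `$_POST['operation']` are read without the `isset` check that guards `session`, and `echo "<BODY><HTML>";` has the two tags in the wrong order. Since `session` is the caller's credential, a header comment such as `// Debugging client: echoes the session token back in the SOAP trace; not for production deployment.` would make the intended scope explicit.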
@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<wsdl:definitions name="xacml"
+ xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+ xmlns:tns="http://daasi.de/namespaces/rbac/xacml"
+ xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ targetNamespace="http://daasi.de/namespaces/rbac/xacml"
+ xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
+ xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os">
+
+
+ <!--
+ ####################
+ # Typ-Definitionen #
+ ####################
+ //-->
+ <wsdl:types>
+ <xsd:schema targetNamespace="http://daasi.de/namespaces/rbac/xacml">
+ <xsd:import namespace="urn:oasis:xacml:2.0:saml:assertion:schema:os"
+ schemaLocation="http://www.daasi.de/schema/oasis/access_control-xacml-2.0-saml-assertion-schema-os.xsd" />
+ <xsd:import namespace="urn:oasis:xacml:2.0:saml:protocol:schema:os"
+ schemaLocation="http://www.daasi.de/schema/oasis/access_control-xacml-2.0-saml-protocol-schema-os.xsd"/>
+
+ </xsd:schema>
+
+ </wsdl:types>
+
+
+ <!--
+ #################
+ # WSDL-Messages #
+ #################
+ //-->
+ <!-- #### checkXACMLaccess #### //-->
+ <wsdl:message name="checkXACMLaccessRequest">
+ <wsdl:part element="xacml-samlp:XACMLAuthzDecisionQuery" name="checkXACMLaccessInput" />
+ </wsdl:message>
+ <wsdl:message name="checkXACMLaccessResponse">
+ <wsdl:part element="xacml-saml:XACMLAuthzDecisionStatement" name="checkXACMLaccessOutput" />
+ </wsdl:message>
+
+
+
+ <!--
+ ##########################
+ # Port-Type-Definitionen #
+ ##########################
+ //-->
+ <wsdl:portType name="port_xacml">
+
+ <!-- #### checkXACMLaccess #### //-->
+ <wsdl:operation name="checkXACMLaccess">
+ <wsdl:input message="tns:checkXACMLaccessRequest" />
+ <wsdl:output message="tns:checkXACMLaccessResponse" />
+ </wsdl:operation>
+
+ </wsdl:portType>
+
+
+
+ <!--
+ ###########
+ # Binding #
+ ###########
+ //-->
+ <wsdl:binding name="binding_xacml" type="tns:port_xacml">
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
+
+ <!-- #### checkXACMLaccess #### //-->
+ <wsdl:operation name="checkXACMLaccess">
+ <soap:operation soapAction="http://daasi.de/rbac/xacml/checkXACMLaccess" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ </wsdl:operation>
+
+ </wsdl:binding>
+
+
+
+ <!--
+ #####################
+ # Servicedefinition #
+ #####################
+ //-->
+ <wsdl:service name="xacml">
+ <wsdl:port binding="tns:binding_xacml" name="tns:xacml">
+ <soap:address location="http://<YOUR_LOCATION>/xacml.php" />
+ </wsdl:port>
+ </wsdl:service>
+
+</wsdl:definitions>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xacml.php b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xacml.php
new file mode 100755
index 0000000..c4c2d43
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xacml.php
@@ -0,0 +1,30 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Created: 07.04.2008
+// Modified: 10.04.2008
+// Version: 0.2.0
+// #######################################################
+
+// Set this variable to the appropriate
+// path to RBAC.
+$path_to_rbac = "<PATH_TO_RBAC>";
+
+
+require_once( $path_to_rbac . "/RBAC.class.php" );
+require_once( "XACML.class.php" );
+
+
+// Dont be so verbose with messages and notices.
+error_reporting( E_ERROR | E_USER_ERROR );
+
+
+// #############################################################
+// Starting SOAP-Server
+// #############################################################
+$server = new SoapServer( "http://<PATH_TO_WSDL>/xacml.wsdl" );
+$server->setClass( "XACML", "../conf/system.conf", $path_to_rbac );
+
+
+$server->handle();
+?>
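Review bot: The two `schemaLocation` attributes under `<wsdl:types>` load the XACML-SAML schemas from `http://www.daasi.de/schema/oasis/...` at runtime even though this commit adds the same files under `rbac/SOAP/xsd/`, so the service contract depends on a remote host reached over plain HTTP and changes silently if that content does. Pointing them at the shipped copies (e.g. `schemaLocation="../xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd"`, resolved relative to wherever the WSDL itself is served) removes that dependency; the `xs:import` locations inside those two xsd files, which fetch from daasi.de and docs.oasis-open.org, have the same issue. `<wsdl:port binding="tns:binding_xacml" name="tns:xacml">` gives the port a prefixed name, which I believe WSDL expects to be a plain NCName; `name="xacml"` is the usual form.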
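Review bot: `$server->setClass( "XACML", "../conf/system.conf", $path_to_rbac )` hands the PDP a config path relative to the process working directory rather than to this file, so which `system.conf` is read depends on how the script is invoked; `dirname( __FILE__ ) . "/../conf/system.conf"` pins it. `error_reporting( E_ERROR | E_USER_ERROR )` also drops E_WARNING and E_NOTICE in the authorization path, which is what keeps the undefined `$version` in XACML.class.php silent; leaving notices enabled and sending them to the error log with `display_errors` off loses nothing on the wire. `new SoapServer( "http://<PATH_TO_WSDL>/xacml.wsdl" )` fetches the service's own contract over HTTP; a local path such as `dirname( __FILE__ ) . "/wsdl/xacml.wsdl"` avoids the round trip and the remote dependency.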
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/access_control-xacml-2.0-saml-assertion-schema-os.xsd b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/access_control-xacml-2.0-saml-assertion-schema-os.xsd
new file mode 100644
index 0000000..4fd3fc0
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/access_control-xacml-2.0-saml-assertion-schema-os.xsd
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:xacml:2.0:saml:assertion:schema:os"
+ xmlns:tns="urn:oasis:xacml:2.0:saml:assertion:schema:os"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="http://www.daasi.de/schema/oasis/saml-schema-assertion-2.0.xsd"/>
+ <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/>
+ <xs:annotation>
+ <xs:documentation>
+ Document identifier: access_control-xacml-2.0-saml-assertion-schema-cd-02.xsd
+ Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-assertion-schema-cd-os.xsd
+ </xs:documentation>
+ </xs:annotation>
+ <!-- -->
+ <xs:element name="XACMLAuthzDecisionStatement"
+ type="tns:XACMLAuthzDecisionStatementType"/>
+ <xs:complexType name="XACMLAuthzDecisionStatementType">
+ <xs:complexContent>
+ <xs:extension base="saml:StatementAbstractType">
+ <xs:sequence>
+ <xs:element ref="xacml-context:Response"/>
+ <xs:element ref="xacml-context:Request" minOccurs="0"/>
+ </xs:sequence>
+ </xs:extension>
+ </xs:complexContent>
+ </xs:complexType>
+ <!-- -->
+ <xs:element name="XACMLPolicyStatement"
+ type="tns:XACMLPolicyStatementType"/>
+ <xs:complexType name="XACMLPolicyStatementType">
+ <xs:complexContent>
+ <xs:extension base="saml:StatementAbstractType">
+ <xs:choice minOccurs="0" maxOccurs="unbounded">
+ <xs:element ref="xacml:Policy"/>
+ <xs:element ref="xacml:PolicySet"/>
+ </xs:choice>
+ </xs:extension>
+ </xs:complexContent>
+ </xs:complexType>
+</schema>
+
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd
new file mode 100644
index 0000000..d06e0ba
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:xacml:2.0:saml:protocol:schema:os"
+ xmlns:tns="urn:oasis:xacml:2.0:saml:protocol:schema:os"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
+ schemaLocation="http://www.daasi.de/schema/oasis/saml-schema-protocol-2.0.xsd"/>
+ <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/>
+ <xs:annotation>
+ <xs:documentation>
+ Document identifier: access_control-xacml-2.0-saml-protocol-schema-os.xsd
+ Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-protocol-schema-os.xsd
+ </xs:documentation>
+ </xs:annotation>
+ <!-- -->
+ <xs:element name="XACMLAuthzDecisionQuery"
+ type="tns:XACMLAuthzDecisionQueryType"/>
+ <xs:complexType name="XACMLAuthzDecisionQueryType">
+ <xs:complexContent>
+ <xs:extension base="samlp:RequestAbstractType">
+ <xs:sequence>
+ <xs:element ref="xacml-context:Request"/>
+ </xs:sequence>
+ <xs:attribute name="InputContextOnly"
+ type="boolean"
+ use="optional"
+ default="false"/>
+ <xs:attribute name="ReturnContext"
+ type="boolean"
+ use="optional"
+ default="false"/>
+ </xs:extension>
+ </xs:complexContent>
+ </xs:complexType>
+ <!-- -->
+ <xs:element name="XACMLPolicyQuery"
+ type="tns:XACMLPolicyQueryType"/>
+ <xs:complexType name="XACMLPolicyQueryType">
+ <xs:complexContent>
+ <xs:extension base="samlp:RequestAbstractType">
+ <xs:choice minOccurs="0" maxOccurs="unbounded">
+ <xs:element ref="xacml-context:Request"/>
+ <xs:element ref="xacml:Target"/>
+ <xs:element ref="xacml:PolicySetIdReference"/>
+ <xs:element ref="xacml:PolicyIdReference"/>
+ </xs:choice>
+ </xs:extension>
+ </xs:complexContent>
+ </xs:complexType>
+</schema>
+
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/saml-schema-assertion-2.0.xsd b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/saml-schema-assertion-2.0.xsd
new file mode 100644
index 0000000..122dc3b
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/saml-schema-assertion-2.0.xsd
@@ -0,0 +1,284 @@ +<?xml version="1.0" encoding="US-ASCII"?> +<schema + targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" + elementFormDefault="unqualified" + attributeFormDefault="unqualified" + blockDefault="substitution" + version="2.0"> + <import namespace="http://www.w3.org/2000/09/xmldsig#" + schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> + <import namespace="http://www.w3.org/2001/04/xmlenc#" + schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/> + <annotation> + <documentation> + Document identifier: saml-schema-assertion-2.0 + Location: http://docs.oasis-open.org/security/saml/v2.0/ + Revision history: + V1.0 (November, 2002): + Initial Standard Schema. + V1.1 (September, 2003): + Updates within the same V1.0 namespace. + V2.0 (March, 2005): + New assertion schema for SAML V2.0 namespace. 
+ </documentation> + </annotation> + <attributeGroup name="IDNameQualifiers"> + <attribute name="NameQualifier" type="string" use="optional"/> + <attribute name="SPNameQualifier" type="string" use="optional"/> + </attributeGroup> + <element name="BaseID" type="saml:BaseIDAbstractType"/> + <complexType name="BaseIDAbstractType" abstract="true"> + <attributeGroup ref="saml:IDNameQualifiers"/> + </complexType> + <element name="NameID" type="saml:NameIDType"/> + <complexType name="NameIDType"> + <simpleContent> + <extension base="string"> + <attributeGroup ref="saml:IDNameQualifiers"/> + <attribute name="Format" type="anyURI" use="optional"/> + <attribute name="SPProvidedID" type="string" use="optional"/> + </extension> + </simpleContent> + </complexType> + <complexType name="EncryptedElementType"> + <sequence> + <element ref="xenc:EncryptedData"/> + <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </complexType> + <element name="EncryptedID" type="saml:EncryptedElementType"/> + <element name="Issuer" type="saml:NameIDType"/> + <element name="AssertionIDRef" type="NCName"/> + <element name="AssertionURIRef" type="anyURI"/> + <element name="Assertion" type="saml:AssertionType"/> + <complexType name="AssertionType"> + <sequence> + <element ref="saml:Issuer"/> + <element ref="ds:Signature" minOccurs="0"/> + <element ref="saml:Subject" minOccurs="0"/> + <element ref="saml:Conditions" minOccurs="0"/> + <element ref="saml:Advice" minOccurs="0"/> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="saml:Statement"/> + <element ref="saml:AuthnStatement"/> + <element ref="saml:AuthzDecisionStatement"/> + <element ref="saml:AttributeStatement"/> + </choice> + </sequence> + <attribute name="Version" type="string" use="required"/> + <attribute name="ID" type="ID" use="required"/> + <attribute name="IssueInstant" type="dateTime" use="required"/> + </complexType> + <element name="Subject" type="saml:SubjectType"/> + <complexType 
name="SubjectType"> + <choice> + <sequence> + <choice> + <element ref="saml:BaseID"/> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/> + </choice> + </complexType> + <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/> + <complexType name="SubjectConfirmationType"> + <sequence> + <choice minOccurs="0"> + <element ref="saml:BaseID"/> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <element ref="saml:SubjectConfirmationData" minOccurs="0"/> + </sequence> + <attribute name="Method" type="anyURI" use="required"/> + </complexType> + <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/> + <complexType name="SubjectConfirmationDataType" mixed="true"> + <complexContent> + <restriction base="anyType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="NotBefore" type="dateTime" use="optional"/> + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> + <attribute name="Recipient" type="anyURI" use="optional"/> + <attribute name="InResponseTo" type="NCName" use="optional"/> + <attribute name="Address" type="string" use="optional"/> + <anyAttribute namespace="##other" processContents="lax"/> + </restriction> + </complexContent> + </complexType> + <complexType name="KeyInfoConfirmationDataType" mixed="false"> + <complexContent> + <restriction base="saml:SubjectConfirmationDataType"> + <sequence> + <element ref="ds:KeyInfo" maxOccurs="unbounded"/> + </sequence> + </restriction> + </complexContent> + </complexType> + <element name="Conditions" type="saml:ConditionsType"/> + <complexType name="ConditionsType"> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="saml:Condition"/> + <element 
ref="saml:AudienceRestriction"/> + <element ref="saml:OneTimeUse"/> + <element ref="saml:ProxyRestriction"/> + </choice> + <attribute name="NotBefore" type="dateTime" use="optional"/> + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> + </complexType> + <element name="Condition" type="saml:ConditionAbstractType"/> + <complexType name="ConditionAbstractType" abstract="true"/> + <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/> + <complexType name="AudienceRestrictionType"> + <complexContent> + <extension base="saml:ConditionAbstractType"> + <sequence> + <element ref="saml:Audience" maxOccurs="unbounded"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="Audience" type="anyURI"/> + <element name="OneTimeUse" type="saml:OneTimeUseType" /> + <complexType name="OneTimeUseType"> + <complexContent> + <extension base="saml:ConditionAbstractType"/> + </complexContent> + </complexType> + <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/> + <complexType name="ProxyRestrictionType"> + <complexContent> + <extension base="saml:ConditionAbstractType"> + <sequence> + <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Count" type="nonNegativeInteger" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="Advice" type="saml:AdviceType"/> + <complexType name="AdviceType"> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="saml:AssertionIDRef"/> + <element ref="saml:AssertionURIRef"/> + <element ref="saml:Assertion"/> + <element ref="saml:EncryptedAssertion"/> + <any namespace="##other" processContents="lax"/> + </choice> + </complexType> + <element name="EncryptedAssertion" type="saml:EncryptedElementType"/> + <element name="Statement" type="saml:StatementAbstractType"/> + <complexType name="StatementAbstractType" abstract="true"/> + <element name="AuthnStatement" type="saml:AuthnStatementType"/> + 
<complexType name="AuthnStatementType"> + <complexContent> + <extension base="saml:StatementAbstractType"> + <sequence> + <element ref="saml:SubjectLocality" minOccurs="0"/> + <element ref="saml:AuthnContext"/> + </sequence> + <attribute name="AuthnInstant" type="dateTime" use="required"/> + <attribute name="SessionIndex" type="string" use="optional"/> + <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="SubjectLocality" type="saml:SubjectLocalityType"/> + <complexType name="SubjectLocalityType"> + <attribute name="Address" type="string" use="optional"/> + <attribute name="DNSName" type="string" use="optional"/> + </complexType> + <element name="AuthnContext" type="saml:AuthnContextType"/> + <complexType name="AuthnContextType"> + <sequence> + <choice> + <sequence> + <element ref="saml:AuthnContextClassRef"/> + <choice minOccurs="0"> + <element ref="saml:AuthnContextDecl"/> + <element ref="saml:AuthnContextDeclRef"/> + </choice> + </sequence> + <choice> + <element ref="saml:AuthnContextDecl"/> + <element ref="saml:AuthnContextDeclRef"/> + </choice> + </choice> + <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </complexType> + <element name="AuthnContextClassRef" type="anyURI"/> + <element name="AuthnContextDeclRef" type="anyURI"/> + <element name="AuthnContextDecl" type="anyType"/> + <element name="AuthenticatingAuthority" type="anyURI"/> + <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/> + <complexType name="AuthzDecisionStatementType"> + <complexContent> + <extension base="saml:StatementAbstractType"> + <sequence> + <element ref="saml:Action" maxOccurs="unbounded"/> + <element ref="saml:Evidence" minOccurs="0"/> + </sequence> + <attribute name="Resource" type="anyURI" use="required"/> + <attribute name="Decision" type="saml:DecisionType" use="required"/> + </extension> + </complexContent> + 
</complexType> + <simpleType name="DecisionType"> + <restriction base="string"> + <enumeration value="Permit"/> + <enumeration value="Deny"/> + <enumeration value="Indeterminate"/> + </restriction> + </simpleType> + <element name="Action" type="saml:ActionType"/> + <complexType name="ActionType"> + <simpleContent> + <extension base="string"> + <attribute name="Namespace" type="anyURI" use="required"/> + </extension> + </simpleContent> + </complexType> + <element name="Evidence" type="saml:EvidenceType"/> + <complexType name="EvidenceType"> + <choice maxOccurs="unbounded"> + <element ref="saml:AssertionIDRef"/> + <element ref="saml:AssertionURIRef"/> + <element ref="saml:Assertion"/> + <element ref="saml:EncryptedAssertion"/> + </choice> + </complexType> + <element name="AttributeStatement" type="saml:AttributeStatementType"/> + <complexType name="AttributeStatementType"> + <complexContent> + <extension base="saml:StatementAbstractType"> + <choice maxOccurs="unbounded"> + <element ref="saml:Attribute"/> + <element ref="saml:EncryptedAttribute"/> + </choice> + </extension> + </complexContent> + </complexType> + <element name="Attribute" type="saml:AttributeType"/> + <complexType name="AttributeType"> + <sequence> + <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Name" type="string" use="required"/> + <attribute name="NameFormat" type="anyURI" use="optional"/> + <attribute name="FriendlyName" type="string" use="optional"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + <element name="AttributeValue" type="anyType" nillable="true"/> + <element name="EncryptedAttribute" type="saml:EncryptedElementType"/> +</schema> + diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/saml-schema-protocol-2.0.xsd b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/saml-schema-protocol-2.0.xsd new file mode 100644 index 0000000..6c6502c --- /dev/null 
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/SOAP/xsd/saml-schema-protocol-2.0.xsd 
@@ -0,0 +1,303 @@ +<?xml version="1.0" encoding="UTF-8"?> +<schema + targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + elementFormDefault="unqualified" + attributeFormDefault="unqualified" + blockDefault="substitution" + version="2.0"> + <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" + schemaLocation="saml-schema-assertion-2.0.xsd"/> + <import namespace="http://www.w3.org/2000/09/xmldsig#" + schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> + <annotation> + <documentation> + Document identifier: saml-schema-protocol-2.0 + Location: http://docs.oasis-open.org/security/saml/v2.0/ + Revision history: + V1.0 (November, 2002): + Initial Standard Schema. + V1.1 (September, 2003): + Updates within the same V1.0 namespace. + V2.0 (March, 2005): + New protocol schema based in a SAML V2.0 namespace. 
+ </documentation> + </annotation> + <complexType name="RequestAbstractType" abstract="true"> + <sequence> + <element ref="saml:Issuer" minOccurs="0"/> + <element ref="ds:Signature" minOccurs="0"/> + <element ref="samlp:Extensions" minOccurs="0"/> + </sequence> + <attribute name="ID" type="ID" use="required"/> + <attribute name="Version" type="string" use="required"/> + <attribute name="IssueInstant" type="dateTime" use="required"/> + <attribute name="Destination" type="anyURI" use="optional"/> + <attribute name="Consent" type="anyURI" use="optional"/> + </complexType> + <element name="Extensions" type="samlp:ExtensionsType"/> + <complexType name="ExtensionsType"> + <sequence> + <any namespace="##other" processContents="lax" maxOccurs="unbounded"/> + </sequence> + </complexType> + <complexType name="StatusResponseType"> + <sequence> + <element ref="saml:Issuer" minOccurs="0"/> + <element ref="ds:Signature" minOccurs="0"/> + <element ref="samlp:Extensions" minOccurs="0"/> + <element ref="samlp:Status"/> + </sequence> + <attribute name="ID" type="ID" use="required"/> + <attribute name="InResponseTo" type="NCName" use="optional"/> + <attribute name="Version" type="string" use="required"/> + <attribute name="IssueInstant" type="dateTime" use="required"/> + <attribute name="Destination" type="anyURI" use="optional"/> + <attribute name="Consent" type="anyURI" use="optional"/> + </complexType> + <element name="Status" type="samlp:StatusType"/> + <complexType name="StatusType"> + <sequence> + <element ref="samlp:StatusCode"/> + <element ref="samlp:StatusMessage" minOccurs="0"/> + <element ref="samlp:StatusDetail" minOccurs="0"/> + </sequence> + </complexType> + <element name="StatusCode" type="samlp:StatusCodeType"/> + <complexType name="StatusCodeType"> + <sequence> + <element ref="samlp:StatusCode" minOccurs="0"/> + </sequence> + <attribute name="Value" type="anyURI" use="required"/> + </complexType> + <element name="StatusMessage" type="string"/> + <element 
name="StatusDetail" type="samlp:StatusDetailType"/> + <complexType name="StatusDetailType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </complexType> + <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/> + <complexType name="AssertionIDRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/> + <complexType name="SubjectQueryAbstractType" abstract="true"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <element ref="saml:Subject"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="AuthnQuery" type="samlp:AuthnQueryType"/> + <complexType name="AuthnQueryType"> + <complexContent> + <extension base="samlp:SubjectQueryAbstractType"> + <sequence> + <element ref="samlp:RequestedAuthnContext" minOccurs="0"/> + </sequence> + <attribute name="SessionIndex" type="string" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/> + <complexType name="RequestedAuthnContextType"> + <choice> + <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/> + <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/> + </choice> + <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/> + </complexType> + <simpleType name="AuthnContextComparisonType"> + <restriction base="string"> + <enumeration value="exact"/> + <enumeration value="minimum"/> + <enumeration value="maximum"/> + <enumeration value="better"/> + </restriction> + </simpleType> + <element name="AttributeQuery" type="samlp:AttributeQueryType"/> + <complexType name="AttributeQueryType"> + <complexContent> + 
<extension base="samlp:SubjectQueryAbstractType"> + <sequence> + <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/> + <complexType name="AuthzDecisionQueryType"> + <complexContent> + <extension base="samlp:SubjectQueryAbstractType"> + <sequence> + <element ref="saml:Action" maxOccurs="unbounded"/> + <element ref="saml:Evidence" minOccurs="0"/> + </sequence> + <attribute name="Resource" type="anyURI" use="required"/> + </extension> + </complexContent> + </complexType> + <element name="AuthnRequest" type="samlp:AuthnRequestType"/> + <complexType name="AuthnRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <element ref="saml:Subject" minOccurs="0"/> + <element ref="samlp:NameIDPolicy" minOccurs="0"/> + <element ref="saml:Conditions" minOccurs="0"/> + <element ref="samlp:RequestedAuthnContext" minOccurs="0"/> + <element ref="samlp:Scoping" minOccurs="0"/> + </sequence> + <attribute name="ForceAuthn" type="boolean" use="optional"/> + <attribute name="IsPassive" type="boolean" use="optional"/> + <attribute name="ProtocolBinding" type="anyURI" use="optional"/> + <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/> + <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/> + <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/> + <attribute name="ProviderName" type="string" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/> + <complexType name="NameIDPolicyType"> + <attribute name="Format" type="anyURI" use="optional"/> + <attribute name="SPNameQualifier" type="string" use="optional"/> + <attribute name="AllowCreate" type="boolean" use="optional"/> + </complexType> + <element name="Scoping" 
type="samlp:ScopingType"/> + <complexType name="ScopingType"> + <sequence> + <element ref="samlp:IDPList" minOccurs="0"/> + <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/> + </complexType> + <element name="RequesterID" type="anyURI"/> + <element name="IDPList" type="samlp:IDPListType"/> + <complexType name="IDPListType"> + <sequence> + <element ref="samlp:IDPEntry" maxOccurs="unbounded"/> + <element ref="samlp:GetComplete" minOccurs="0"/> + </sequence> + </complexType> + <element name="IDPEntry" type="samlp:IDPEntryType"/> + <complexType name="IDPEntryType"> + <attribute name="ProviderID" type="anyURI" use="required"/> + <attribute name="Name" type="string" use="optional"/> + <attribute name="Loc" type="anyURI" use="optional"/> + </complexType> + <element name="GetComplete" type="anyURI"/> + <element name="Response" type="samlp:ResponseType"/> + <complexType name="ResponseType"> + <complexContent> + <extension base="samlp:StatusResponseType"> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="saml:Assertion"/> + <element ref="saml:EncryptedAssertion"/> + </choice> + </extension> + </complexContent> + </complexType> + <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/> + <complexType name="ArtifactResolveType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <element ref="samlp:Artifact"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="Artifact" type="string"/> + <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/> + <complexType name="ArtifactResponseType"> + <complexContent> + <extension base="samlp:StatusResponseType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/> + 
<complexType name="ManageNameIDRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <choice> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <choice> + <element ref="samlp:NewID"/> + <element ref="samlp:NewEncryptedID"/> + <element ref="samlp:Terminate"/> + </choice> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="NewID" type="string"/> + <element name="NewEncryptedID" type="saml:EncryptedElementType"/> + <element name="Terminate" type="samlp:TerminateType"/> + <complexType name="TerminateType"/> + <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/> + <element name="LogoutRequest" type="samlp:LogoutRequestType"/> + <complexType name="LogoutRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <choice> + <element ref="saml:BaseID"/> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Reason" type="string" use="optional"/> + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="SessionIndex" type="string"/> + <element name="LogoutResponse" type="samlp:StatusResponseType"/> + <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/> + <complexType name="NameIDMappingRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <choice> + <element ref="saml:BaseID"/> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <element ref="samlp:NameIDPolicy"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/> + <complexType name="NameIDMappingResponseType"> + <complexContent> + <extension base="samlp:StatusResponseType"> + 
<choice> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + </extension> + </complexContent> + </complexType> +</schema> + diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/SimpleConfig.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/SimpleConfig.class.php new file mode 100755 index 0000000..521804a --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbac/SimpleConfig.class.php 
@@ -0,0 +1,108 @@
+<?php
+// ####################################################################
+// Version: 0.1.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 31.07.2007
+// Letzte Aenderung: 31.07.2007
+
+
+
+
+class SimpleConfig {
+
+ // ## Klassenvariablen ##############################################
+ private $config;
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inConfigurationFile ) {
+
+ $file; // File-handler
+ $content = ""; // Content of the XML-file
+ $xmlConf;
+ $xmlSection;
+
+
+ if( file_exists( $inConfigurationFile ) ) {
+
+ $file = fopen( $inConfigurationFile, "r" );
+ $content = fread( $file, filesize( $inConfigurationFile ) + 64 );
+
+ }
+ else {
+
+ throw new Exception( "File not found: " . $inConfigurationFile );
+
+ }
+
+
+ // Read the configuration-file and store all the values
+ $xmlConf = new XML();
+ $xmlConf->parse( $content, "conf" );
+ $xmlConf = $xmlConf->getRoot( "conf" );
+ $xmlConf = $xmlConf[0];
+
+
+ for( $i = 0; $i < $xmlConf->countChilds( "SECTION" ); $i++ ) {
+
+ $xmlSection = $xmlConf->getChild( "SECTION", $i );
+
+
+ for( $j = 0; $j < $xmlSection->countChilds( "VAR" ); $j++ ) {
+
+ if( preg_match( "/^[a-z0-9_-]+$/i", $xmlSection->getChild( "VAR", $j )->getAttribute( "name" ) ) ) {
+
+ $this->config[$xmlSection->getAttribute( "name" )]
+ [$xmlSection->getChild( "VAR", $j )->getAttribute( "name" )] = $xmlSection->getChild( "VAR", $j )->getValue();
+
+ }
+
+ }
+
+ }
+
+ }
+
+
+
+
+ // ## getValue ######################################################
+ public function getValue( $inSection, $inName ) {
+
+ if( isset( $this->config[$inSection][$inName] ) ) {
+
+ return $this->config[$inSection][$inName];
+
+ }
+ else {
+
+ return false;
+
+ }
+
+ }
+
+
+
+
+ // ## getDefined ####################################################
+ public function getDefined( $inSection ) {
+
+ $arrDef = Array();
+
+
+ foreach( $this->config[$inSection] as $key => $value ) {
+
+ $arrDef[] = $key;
+
+ }
+
+
+ return $arrDef;
+
+ }
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/conf/rbac.conf.dist b/info.textgrid.middleware.tgauth.rbac/rbac/conf/rbac.conf.dist
new file mode 100644
index 0000000..5c9945c
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/conf/rbac.conf.dist
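Review bot: In `__construct` the handle returned by `fopen` is never checked for `false` and never closed, and the `fread( ..., filesize(...) + 64 )` pairing is an awkward way to slurp a file; the two lines can become `$content = file_get_contents( $inConfigurationFile );` followed by `if( $content === false ) { throw new Exception( "File not readable: " . $inConfigurationFile ); }`, which also removes the unused `$file`. `getDefined` iterates `$this->config[$inSection]` without checking that the section exists, so an unknown section name produces a foreach-over-null warning instead of the empty array the method otherwise returns; guard it with `if( !isset( $this->config[$inSection] ) ) { return Array(); }`. `getValue` returning `false` for a missing key is indistinguishable from a stored value, and the RBAC extensions feed that `false` straight into exception messages and codes, so a short docblock on `getValue` should state that callers must check for `false` explicitly.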
@@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<configuration>
+
+ <section name="user">
+ <var name="host">ldap.example.org</var>
+ <var name="port">389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=users,ou=rbac,dc=example,dc=org</var>
+ <var name="binddn">cn=application,ou=dsa,dc=example,dc=org</var>
+ <var name="password">secret</var>
+ <var name="filter">(objectClass=inetorgperson)</var>
+ <var name="namingattribute">uid</var>
+ </section>
+
+ <section name="role">
+ <var name="host">ldap.example.org</var>
+ <var name="port">389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=roles,ou=rbac,dc=example,dc=org</var>
+ <var name="binddn">cn=application,ou=dsa,dc=example,dc=org</var>
+ <var name="password">secret</var>
+ <var name="namingattribute">rbacname</var>
+ <var name="filter">(objectClass=rbacrole)</var>
+
+ <!-- May also be member to have greater compatibility with
+ allready existing entries in your LDAP-server //-->
+ <var name="assignedattribute">rbacperformer</var>
+ </section>
+
+ <section name="project">
+ <var name="base">ou=Projekt-Teilnehmer,ou=roles,ou=rbac,dc=example,dc=org</var>
+ </section>
+
+ <section name="session">
+ <var name="host">ldap.example.org</var>
+ <var name="port">389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=sessions,ou=rbac,dc=example,dc=org</var>
+ <var name="binddn">cn=application,ou=dsa,dc=example,dc=org</var>
+ <var name="password">secret</var>
+ <var name="namingattribute">rbacname</var>
+ <var name="filter">(objectClass=rbacsession)</var>
+ </section>
+
+ <section name="resource">
+ <var name="host">ldap.example.org</var>
+ <var name="port">389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=rbac,dc=example,dc=org</var>
+ <var name="binddn">cn=application,ou=dsa,dc=example,dc=org</var>
+ <var name="password">secret</var>
+ <var name="namingattribute">rbacname</var>
+ <var name="aliasattribute">rbacname</var>
+ <var name="filter">(objectClass=rbacresource)</var>
+ </section>
+
+ <section name="ssd">
+ <var name="host">ldap.example.org</var>
+ <var name="port">389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=ssd,ou=rbac,dc=example,dc=org</var>
+ <var name="binddn">cn=application,ou=dsa,dc=example,dc=org</var>
+ <var name="password">secret</var>
+ <var name="filter">(objectClass=rbacssd)</var>
+ </section>
+
+ <section name="dsd">
+ <var name="host">ldap.example.org</var>
+ <var name="port">389</var>
+ <var name="version">3</var>
+ <var name="tls">no</var>
+ <var name="base">ou=dsd,ou=rbac,dc=example,dc=org</var>
+ <var name="binddn">cn=application,ou=dsa,dc=example,dc=org</var>
+ <var name="password">secret</var>
+ <var name="filter">(objectClass=rbacdsd)</var>
+ </section>
+
+
+ <section name="errorCode">
+ <var name="OK">1</var>
+ <var name="RESOURCE_OPERATION_ERROR">2</var>
+ <var name="RESOURCE_UNKNOWN">4</var>
+ <var name="USER_SESSION_ERROR">8</var>
+ <var name="SESSION_ALLREADY_EXISTS">16</var>
+ <var name="SESSION_DOES_NOT_EXISTS">32</var>
+ <var name="USER_UNKNOWN">64</var>
+ <var name="USER_ROLE_ERROR">128</var>
+ <var name="USER_ALLREADY_EXISTS">256</var>
+ <var name="INVALID_USER_FORMAT">512</var>
+ <var name="ROLE_ALLREADY_EXISTS">1024</var>
+ <var name="ROLE_UNKNOWN">2048</var>
+ <var name="LDAP_ERROR">4096</var>
+ <var name="UNKNOWN_ERROR">8192</var>
+ <var name="SD_ALLREADY_EXISTS">16384</var>
+ <var name="SD_CARDINALITY">32768</var>
+ <var name="SD_UNKNOWN">65536</var>
+ </section>
+
+ <section name="errorDescription">
+ <var name="OK">Ok</var>
+ <var name="RESOURCE_OPERATION_ERROR">This resource-operation-combination is invalid.</var>
+ <var name="RESOURCE_UNKNOWN">The resource is not known or not uniqueue.</var>
+ <var name="USER_SESSION_ERROR">The user you gave is not the owner of this session.</var>
+ <var name="SESSION_ALLREADY_EXISTS">The session allready exists so you can not create it.</var>
+ <var name="SESSION_DOES_NOT_EXISTS">The session does not exist.</var>
+ <var name="USER_UNKNOWN">The user is not known.</var>
+ <var name="USER_ROLE_ERROR">This user-role-combination is invalid.</var>
+ <var name="USER_ALLREADY_EXISTS">The user allready exists.</var>
+ <var name="INVALID_USER_FORMAT">The user has to have the the format: <username>@<domain> (foo@example.org)</var>
+ <var name="ROLE_ALLREADY_EXISTS">The role allready exists.</var>
+ <var name="ROLE_UNKNOWN">The role is unknown.</var>
+ <var name="LDAP_ERROR">An LDAP-Error occured, see description: </var>
+ <var name="UNKNOWN_ERROR">An error occured.</var>
+ <var name="SD_ALLREADY_EXISTS">The Separation of Duty Set allready exists.</var>
+ <var name="SD_CARDINALITY">The given cardinality is invalid! Make sure it is >= 2</var>
+ <var name="SD_UNKNOWN">The Separation of Duty set is unknown</var>
+ </section>
+
+</configuration>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/conf/system.conf.dist b/info.textgrid.middleware.tgauth.rbac/rbac/conf/system.conf.dist
new file mode 100644
index 0000000..6d014e4
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/conf/system.conf.dist
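Review bot: All six LDAP sections (`user`, `role`, `session`, `resource`, `ssd`, `dsd`) ship with `<var name="tls">no</var>` next to a `binddn` and a cleartext `password`, so an installation that only replaces `secret` and the hostnames performs a simple bind over plain port 389 and exposes the service credential on the wire. Consider shipping the template as `<var name="tls">yes</var>`, or at least a comment beside the first `tls` entry stating that `no` is only acceptable when the directory is reached over a trusted or already encrypted channel. A header comment should also note that the rendered `rbac.conf` contains directory credentials and must be readable only by the web-server user, since `SimpleConfig` reads it with plain `fopen`. The `INVALID_USER_FORMAT` description contains literal `<username>@<domain>`, which is not well-formed inside an element; the angle brackets should be escaped as `&lt;username&gt;@&lt;domain&gt;` unless the XML class in use tolerates it.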
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<system>
+
+ <!-- This is the system-configuration for the RBAC-Framework.
+ The RBAC libraries need an additional configuration-file
+ where you have to define all LDAP-specific settings. Tell
+ the RBAC-Framework where it can find this configuration.
+ Specify a full path or a path relative to your main
+ application. -->
+ <configuration file="PATH_TO/rbac.conf" />
+
+
+ <!-- Here you can specify if you want to use Core RBAC or the
+ Limited Hierarchical RBAC. In order to work properly both
+ libraries need a couple of classes specified through
+ the "require" statements. Again you have to specify a full
+ path or a path relative to your main application. -->
+ <rbac class="RBAClimitedHirarchical">
+ <require file="PATH_TO/iContext.interface.php" />
+ <require file="PATH_TO/iHelper.interface.php" />
+ <require file="PATH_TO/iCrypto.interface.php" />
+ <require file="PATH_TO/iLDAP.interface.php" />
+ <require file="PATH_TO/iRBACcore.interface.php" />
+ <require file="PATH_TO/iRBAClimitedHirarchical.interface.php" />
+
+ <require file="PATH_TO/RBACException.class.php" />
+ <require file="PATH_TO/RBACExtension.class.php" />
+ <require file="PATH_TO/Context.class.php" />
+ <require file="PATH_TO/Helper.class.php" />
+ <require file="PATH_TO/LDAP.class.php" />
+ <require file="PATH_TO/Crypto.class.php" />
+ <require file="PATH_TO/SimpleConfig.class.php" />
+ <require file="PATH_TO/RBACcore.class.php" />
+ <require file="PATH_TO/RBAClimitedHirarchical.class.php" />
+ </rbac>
+
+
+ <!-- Specify the extensions you want to use through the
+ RBAC-Framework. Give a full path or a path relative
+ to your main application. -->
+ <extension class="SSD" file="PATH_TO/SSD.class.php" />
+ <extension class="DSD" file="PATH_TO/DSD.class.php" />
+ <extension class="UserEntry" file="PATH_TO/UserEntry.class.php" />
+ <extension class="Logger" file="PATH_TO/Logger.class.php" />
+
+</system>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/extensions/DSD.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/extensions/DSD.class.php
new file mode 100755
index 0000000..b4d6d8c
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/extensions/DSD.class.php
@@ -0,0 +1,677 @@ +<?php +// #################################################################### +// Version: 0.1.1 +// Autor: Markus Widmer +// Erstellungsdatum: 07.11.2007 +// Letzte Aenderung: 12.11.2007 + + + +class DSD extends RBACExtension { + + // ## Klassenvariablen ############################################## + + + + + // ## Konstruktor ################################################### + public function __construct( $inRBAC, RBAC $inRegistrar ) { + + // Save thsi instances of RBAC and grab the configuration + // from it. + $this->rbac = $inRBAC; + $this->conf = $inRBAC->getConfiguration(); + + + // Get the user- and role connections from the + // underlying RBAC-system + $this->conn['session'] = $inRBAC->getConnection( "session" ); + $this->conn['role'] = $inRBAC->getConnection( "role" ); + + + // Add an own connection to the SSD + $this->conn['dsd'] = new LDAP(); + $this->conn['dsd']->connect( $this->conf->getValue( "dsd", "host" ), + $this->conf->getValue( "dsd", "port" ), + $this->conf->getValue( "dsd", "version" ), + preg_match( "/(^yes$)|(^true$)/i", + $this->conf->getValue( "dsd", "tls" ) ) ); + $this->conn['dsd']->bind( $this->conf->getValue( "dsd", "binddn" ), + $this->conf->getValue( "dsd", "password" ) ); + + + // Let the extension do all the things + // we dont't want to do + parent::__construct( $inRBAC ); + + } + + + + + // ## registerEvents ################################################ + public function registerEvents( RBAC $inRegistrar ) { + + $inRegistrar->registerEventListener( "addActiveRole", "write", $this, "checkAddActiveRole" ); + $inRegistrar->registerEventListener( "createSession", "write", $this, "checkCreateSession" ); + + } + + + + + // ## createDsdSet ################################################## + public function createDsdSet( $inName, Array $inArrRole, $inCardinality ) { + + $filter = ""; // An LDAP filter + $arrDsd; // The DSD-entry if it allready exists + $arrDsdEntry; // The new DSD-entry + $arrRoleENtry; // 
Temporary role entry + $allRoleExist = true; // Check for existence of the given roles + $ssdConstraintsSatisfied = true; // Are all constraints satisfied + $i = 0; // Loop + + + if( $inCardinality >= 2 ) { + + // Construct a filter to search for the users entry + $filter = "(&" . $this->conf->getValue( "dsd", "filter" ); + $filter .= "(rbacname=" . $inName . "))"; + + + // Get the DSD entry + $arrDsd = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "sub", Array( "rbacname" ) ); + + + if( sizeof( $inArrRole ) > 1 ) { + + // Check if all the given roles exist + for( $i = 0; $i < sizeof( $inArrRole ) && $allRoleExist; $i++ ) { + + // Make sure the role has internal representation + !$this->rbac->isIntRepresentation( $inArrRole[$i] ) ? $inArrRole[$i] = $this->rbac->roleExtToInt( $inArrRole[$i] ) : false; + + + // Get the role + $arrRoleEntry = $this->conn['role']->getEntry( $inArrRole[$i] ); + + + // Keep in mind if still all roles exist + $allRoleExist = $allRoleExist && isset( $arrRoleEntry['dn'] ); + + } + + + if( !isset( $arrDsd[0]['dn'] ) ) { + + if( $allRoleExist ) { + + $arrDsdEntry['objectclass'][] = "rbacdsd"; + $arrDsdEntry['rbacname'][0] = $inName; + $arrDsdEntry['rbaccardinality'] = $inCardinality; + $arrDsdEntry['rbacsdrole'] = $inArrRole; + + + // Add the new DSD-Set to the directory + if( $this->conn['dsd']->add( "rbacname=" . $inName . "," . 
$this->conf->getValue( "dsd", "base" ), $arrDsdEntry ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_ALLREADY_EXISTS" ), + $this->conf->getValue( "errorCode", "SD_ALLREADY_EXISTS" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_CARDINALITY" ), + $this->conf->getValue( "errorCode", "SD_CARDINALITY" ) ); + + } + + } + + + + + // ## addDsdRoleMember ############################################## + public function addDsdRoleMember( $inDsdName, $inRole ) { + + $filter = ""; // LDAP-filter + $arrDsd = Array(); // The Dsd-set entry + $arrTmpRole = Array(); // The temporary roles of the SSD-set + + + // Make sure the role has internal representation + !$this->rbac->isIntRepresentation( $inRole ) ? $inRole = $this->rbac->roleExtToInt( $inRole ) : false; + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "dsd", "filter" ); + $filter .= "(rbacName=" . $inDsdName . "))"; + + + // Ask the directory for the SSD-set + $arrDsd = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "one" ); + + + // Get the role from the directory + $arrRole = $this->conn->getEntry( $inRole ); + + + if( sizeof( $arrDsd == 1 ) + && isset( $arrDsd[0]['dn'] ) ) { + + // The role has to exist + if( isset( $arrRole['dn'] ) ) { + + // Add the given role to the roles in the DSD-set + // to test, if it would still be consistent + isset( $arrDsd[0]['rbacsdrole'] ) ? 
$arrTmpRole = $arrDsd[0]['rbacsdrole'] : $arrTmpRole = Array(); + $arrTmpRole[] = $inRole; + + + // Store the new role into the DSD-set + if( $this->conn['dsd']->modify( $arrDsd[0]['dn'], Array( "rbacsdrole" => $arrTmpRole ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## deleteDsdRoleMember ########################################### + public function deleteDsdRoleMember( $inDsdName, $inRole ) { + + $filter = ""; // LDAP-filter + $arrDsd = Array(); // The Ssd-set entry + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->rbac->isIntRepresentation( $inRole ) ? $inRole = $this->rbac->roleExtToInt( $inRole ) : false; + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "dsd", "filter" ); + $filter .= "(rbacName=" . $inDsdName . "))"; + + + // Ask the directory for the SSD-set + $arrDsd = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "one" ); + + + if( sizeof( $arrDsd ) == 1 + && isset( $arrDsd[0]['dn'] ) ) { + + if( $arrDsd[0]['rbaccardinality'][0] <= (sizeof( $arrDsd[0]['rbacsdrole'] ) - 1) ) { + + for( $i = 0; $i < sizeof( $arrDsd[0]['rbacsdrole'] ); $i++ ) { + + !preg_match( "/^" . $inRole . "$/i", $arrDsd[0]['rbacsdrole'][$i] ) ? 
$arrTmpRole[] = $arrDsd[0]['rbacsdrole'][$i] : false; + + } + + + // Save the modifications to the directory + if( $this->conn['dsd']->modify( $arrDsd[0]['dn'], Array( "rbacsdrole" => $arrTmpRole ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_CARDINALITY" ), + $this->conf->getValue( "errorCode", "SD_CARDINALITY" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## deleteDsdSet ################################################## + public function deleteDsdSet( $inDsdName ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "dsd", "filter" ); + $filter .= "(rbacName=" . $inDsdName . "))"; + + + // Ask the directory for the DSD-set + $arrDsd = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "one" ); + + + if( sizeof( $arrDsd ) == 1 + && isset( $arrDsd[0]['dn'] ) ) { + + if( $this->conn['dsd']->delete( $arrDsd[0]['dn'] ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## setDsdSetCardinality ########################################## + public function setDsdSetCardinality( $inDsdName, $inCardinality ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + + + // Create a filter to get the SSD-set + $filter = "(&" . 
$this->conf->getValue( "dsd", "filter" ); + $filter .= "(rbacName=" . $inDsdName . "))"; + + + // Ask the directory for the DSD-set + $arrDsd = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "one" ); + + + if( sizeof( $arrDsd ) == 1 + && isset( $arrDsd[0]['dn'] ) ) { + + if( ($inCardinality >= 2) + && ($inCardinality <= sizeof( $arrDsd[0]['rbacsdrole'] )) ) { + + // Store the new role into the DSD-set + if( $this->conn['dsd']->modify( $arrDsd[0]['dn'], Array( "rbaccardinality" => Array( $inCardinality ) ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## dsdRoleSets ################################################### + public function dsdRoleSets() { + + $arrDsd = Array(); // The Dsd-set entry + $arrSetName = Array(); // The names of the DSD-sets + $i = 0; // Loop + + + // Ask the directory for the DSD-set + $arrDsd = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $this->conf->getValue( "dsd", "filter" ), + "one", Array( "rbacname" ) ); + + + for( $i = 0; $i < sizeof( $arrDsd ); $i++ ) { + + $arrSetName[] = $arrDsd[$i]['rbacname'][0]; + + } + + + return $arrSetName; + + } + + + + + // ## dsdRoleSetRoles ############################################### + public function dsdRoleSetRoles( $inDsdName, $inExtRepresentation = true ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + $arrRole = Array(); // The roles of the SSD-set + $i = 0; // Loop + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "dsd", "filter" ); + $filter .= "(rbacName=" . $inDsdName . 
"))"; + + + // Ask the directory for the DSD-set + $arrDsd = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "one" ); + + + if( sizeof( $arrDsd ) == 1 + && isset( $arrDsd[0]['dn'] ) ) { + + isset( $arrDsd[0]['rbacsdrole'] ) ? $arrRole = $arrDsd[0]['rbacsdrole'] : $arrRole = Array(); + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + + // For internal use this can be left out, so the + // internal function that uses this one doesn't have + // to convert every role back to internal representation + if( $inExtRepresentation ) { + + for( $i = 0; $i < sizeof( $arrRole ); $i++ ) { + + $arrRole[$i] = $this->rbac->roleIntToExt( $arrRole[$i] ); + + } + + } + + + return $arrRole; + + } + + + + + // ## dsdRoleSetCardinality ######################################### + public function dsdRoleSetCardinality( $inDsdName ) { + + $filter = ""; // LDAP-filter + $arrDsd = Array(); // The Dsd-set entry + $i = 0; // Loop + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "dsd", "filter" ); + $filter .= "(rbacName=" . $inDsdName . 
"))"; + + + // Ask the directory for the DSD-set + $arrDsd = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "one" ); + + + if( sizeof( $arrDsd ) == 1 + && isset( $arrDsd[0]['dn'] ) ) { + + if( isset( $arrDsd[0]['rbaccardinality'][0] ) ) { + + return $arrDsd[0]['rbaccardinality'][0]; + + } + else { + + // The cardinality is a MUST-attribute, so if there is none + // it must be a LDAP-error + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SSD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SSD_UNKNOWN" ) ); + + } + + } + + + + // ## checkCreateSession ############################################ + public function checkCreateSession( Context $inContext ) { + + $arrParameter = $inContext->getParameters(); // The parameters the assignUser-function got + $user = $arrParameter[0]; // Function-parameter + $arrRole = $arrParameter[1]; // Function-parameter + $session = $arrParameter[2]; // Function-parameter + $sessionMembership = 0; // A temporary count-variable + $isAllowed = true; // Is it allowed to create the session + $i = 0; // Loop + $j = 0; // Loop + $k = 0; // Loop + + + // Make sure the roles have internal representation + for( $i = 0; $i < sizeof( $arrRole ); $i++ ) { + + !$this->rbac->isIntRepresentation( $arrRole[$i] ) ? $arrRole[$i] = $this->rbac->roleExtToInt( $arrRole[$i] ) : false; + + } + + + // Create a filter that gets all the DSD-sets + // where the role is present the user wants to activate + $filter = "(&" . $this->conf->getValue( "dsd", "filter" ) . "(|"; + + for( $i = 0; $i < sizeof( $arrRole ); $i++ ) { + + $filter .= "(rbacsdrole=" . $arrRole[$i] . 
")"; + + } + + $filter .= "))"; + + + // Get these DSD-sets + $arrDSD = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "one" ); + + + for( $i = 0; $i < sizeof( $arrDSD ); $i++ ) { + + $sessionMembership = 0; + for( $j = 0; $j < sizeof( $arrRole ); $j++ ) { + + // This counts how many roles of the DSD-set would be active + for( $k = 0; $k < sizeof( $arrDSD[$i]['rbacsdrole'] ); $k++ ) { + + if( preg_match( "/^" . $arrRole[$j] . "$/i", $arrDSD[$i]['rbacsdrole'][$k] ) ) { + + $sessionMembership++; + + } + + } + + } + + + // If one SSD-set disallows the assignment, it's enough + $isAllowed = $isAllowed && ( $sessionMembership < $arrDSD[$i]['rbaccardinality'][0] ); + + } + + + if( !$isAllowed ) { + + // Change the security-context of the calling function + $inContext->changeSecurityChain( false, "Not all DSD-constraints would be satisfied" ); + + } + + + return $inContext; + + } + + + + + // ## checkAddActiveRole ############################################ + public function checkAddActiveRole( Context $inContext ) { + + $arrParameter = $inContext->getParameters(); // The parameters the assignUser-function got + $userMembership = 0; // The number of roles the user is assigned to in DSD-set + $isAllowed = true; // Is it allowed to assign the user to the role + $user = $arrParameter[0]; // Function-parameter + $session = $arrParameter[1]; // Function-parameter + $role = $arrParameter[2]; // Function-parameter + $sessionMembership = 0; // A temporary count-variable + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->rbac->isIntRepresentation( $role ) ? $role = $this->rbac->roleExtToInt( $role ) : false; + + + // The session has these roles in internal + // representation (last parameter false) + $arrSessionRole = $this->rbac->sessionRoles( $session, false ); + + + // Create a filter that gets all the SSD-sets + // where the role is present the user would be assigned to + $filter = "(&" . 
$this->conf->getValue( "dsd", "filter" ); + $filter .= "(rbacsdrole=" . $role . "))"; + + + // Get these SSD-sets + $arrDSD = $this->conn['dsd']->search( $this->conf->getValue( "dsd", "base" ), $filter, "one" ); + + + for( $i = 0; $i < sizeof( $arrDSD ); $i++ ) { + + $sessionMembership = 0; + for( $j = 0; $j < sizeof( $arrSessionRole ); $j++ ) { + + // This counts how many roles of the DSD-set the + // session has active + for( $k = 0; $k < sizeof( $arrDSD[$i]['rbacsdrole'] ); $k++ ) { + + if( preg_match( "/^" . $arrSessionRole[$j] . "$/i", $arrDSD[$i]['rbacsdrole'][$k] ) ) { + + $sessionMembership++; + + } + + } + + } + + + // If one SSD-set disallows the assignment, it's enough + $isAllowed = $isAllowed && ( ($sessionMembership + 1) < $arrDSD[$i]['rbaccardinality'][0] ); + + } + + + if( !$isAllowed ) { + + // Change the security-context of the calling function + $inContext->changeSecurityChain( false, "Not all DSD-constraints would be satisfied" ); + + } + + + return $inContext; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/extensions/Logger.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/extensions/Logger.class.php new file mode 100755 index 0000000..a062c5d --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbac/extensions/Logger.class.php 
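Review bot: `addDsdRoleMember` calls `$arrRole = $this->conn->getEntry( $inRole );`, but `$this->conn` is the array of connections filled in the constructor, so this is a method call on a non-object and the function can never reach its success path; it should read `$arrRole = $this->conn['role']->getEntry( $inRole );` as `createDsdSet` does. Two lines below, `if( sizeof( $arrDsd == 1 ) && ...` parenthesizes the comparison inside `sizeof`, so the count is never tested; every other method in the file uses `sizeof( $arrDsd ) == 1`. `dsdRoleSetCardinality` throws with the keys `"SSD_UNKNOWN"`, which the shipped `rbac.conf.dist` does not define (it has `SD_UNKNOWN`), so `getValue` returns `false` and the `RBACException` carries neither message nor code. Throughout the file the set name and role values are concatenated straight into LDAP filters (`"(rbacname=" . $inName . "))"`, `"(rbacsdrole=" . $role . "))"`) and into regexes (`"/^" . $inRole . "$/i"`), so a name containing filter or regex metacharacters changes what is searched or matched; escape them before interpolating (`ldap_escape( $x, '', LDAP_ESCAPE_FILTER )` on current PHP and `preg_quote( $x, '/' )`), or compare roles with a strict `in_array( $x, $arr, true )` instead of a regex. `checkCreateSession` also builds `(&...(|))` when `$arrRole` is empty, which is not a valid filter; return `$inContext` early in that case.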
@@ -0,0 +1,50 @@
+<?php
+// ####################################################################
+// Version: 0.1.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 02.11.2007
+// Letzte Aenderung: 02.11.2007
+
+
+
+class Logger extends RBACExtension {
+
+ // ## Klassenvariablen ##############################################
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inRBAC, $inRegistrar ) {
+
+ // Let the extension do all the things
+ // we dont't want to do
+ parent::__construct( $inRBAC );
+
+ }
+
+
+
+ // ## registerEvents ################################################
+ public function registerEvents( RBAC $inRegistrar ) {
+
+ $inRegistrar->registerEventListener( "addUser", "write", $this, "logAddUserEvent" );
+
+ }
+
+
+
+
+ // ## createSsdSet ##################################################
+ public function logAddUserEvent( Context $inContext ) {
+
+ $file = fopen( "addUser.log", "a+" );
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/extensions/SSD.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/extensions/SSD.class.php
new file mode 100755
index 0000000..4a79169
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/extensions/SSD.class.php
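Review bot: `logAddUserEvent` opens `addUser.log` in append mode and closes it again without writing anything, so the extension registered for `addUser` records nothing; either write the event (for example `fwrite( $file, date( "c" ) . " addUser " . implode( ",", $inContext->getParameters() ) . "\n" );` between the `fopen` and `fclose`, with `fopen`'s `false` result checked first) or mark the method with a `// TODO: stub, writes nothing yet` comment so nobody relies on this log for audit purposes. The relative path `"addUser.log"` resolves against the web server's current working directory, which makes the log location unpredictable and may place it under the document root; take the path from the configuration or use an absolute path. The section header `// ## createSsdSet ####...` was copied from the SSD extension and should read `// ## logAddUserEvent ####...`. The constructor takes an untyped `$inRegistrar` while `DSD` and `SSD` declare `RBAC $inRegistrar`; aligning the signature keeps the extensions consistent.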
@@ -0,0 +1,845 @@ +<?php +// #################################################################### +// Version: 0.1.1 +// Autor: Markus Widmer +// Erstellungsdatum: 31.10.2007 +// Letzte Aenderung: 18.11.2007 + + + +class SSD extends RBACExtension { + + // ## Klassenvariablen ############################################## + + + + + // ## Konstruktor ################################################### + public function __construct( $inRBAC, RBAC $inRegistrar ) { + + // Save the instances of RBAC and grab the configuration + // from it. + $this->rbac = $inRBAC; + $this->conf = $inRBAC->getConfiguration(); + + + // Get the user- and role connections from the + // underlying RBAC-system + $this->conn['user'] = $inRBAC->getConnection( "user" ); + $this->conn['role'] = $inRBAC->getConnection( "role" ); + + + // Add an own connection to the SSD + $this->conn['ssd'] = new LDAP(); + $this->conn['ssd']->connect( $this->conf->getValue( "ssd", "host" ), + $this->conf->getValue( "ssd", "port" ), + $this->conf->getValue( "ssd", "version" ), + preg_match( "/(^yes$)|(^true$)/i", + $this->conf->getValue( "ssd", "tls" ) ) ); + $this->conn['ssd']->bind( $this->conf->getValue( "ssd", "binddn" ), + $this->conf->getValue( "ssd", "password" ) ); + + + // Let the extension do all the things + // we dont't want to do + parent::__construct( $inRBAC ); + + } + + + + + // ## registerEvents ################################################ + public function registerEvents( RBAC $inRegistrar ) { + + $inRegistrar->registerEventListener( "assignUser", "write", $this, "checkAssignUser" ); + $inRegistrar->registerEventListener( "addInheritance", "write", $this, "checkAddInheritance" ); + + } + + + + + // ## createSsdSet ################################################## + public function createSsdSet( $inName, Array $inArrRole, $inCardinality ) { + + $filter = ""; // An LDAP filter + $arrSsd; // The SSD-entry if it allready exists + $arrSsdEntry; // The new SSD-entry + $arrRoleEntry; // Temporary 
role entry + $allRoleExist = true; // Check for existence of the given roles + $ssdConstraintsSatisfied = true; // Are all constraints satisfied + $i = 0; // Loop + + + if( $inCardinality >= 2 ) { + + // Construct a filter to search for the users entry + $filter = "(&" . $this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacname=" . $inName . "))"; + + + // Get the SSD entry + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "sub", Array( "rbacname" ) ); + + + if( sizeof( $inArrRole ) > 1 ) { + + // Check if all the given roles exist + for( $i = 0; $i < sizeof( $inArrRole ) && $allRoleExist; $i++ ) { + + // Make sure the role has internal representation + !$this->rbac->isIntRepresentation( $inArrRole[$i] ) ? $inArrRole[$i] = $this->rbac->roleExtToInt( $inArrRole[$i] ) : false; + + + // Get the role + $arrRoleEntry = $this->conn['role']->getEntry( $inArrRole[$i] ); + + + // Keep in mind if still all roles exist + $allRoleExist = $allRoleExist && isset( $arrRoleEntry['dn'] ); + + } + + + if( !isset( $arrSsd[0]['dn'] ) ) { + + if( $allRoleExist ) { + + if( $this->checkSSDConsistency( $inArrRole, $inCardinality ) ) { + + $arrSsdEntry['objectclass'][] = "rbacssd"; + $arrSsdEntry['rbacname'][0] = $inName; + $arrSsdEntry['rbaccardinality'] = $inCardinality; + $arrSsdEntry['rbacsdrole'] = $inArrRole; + + + // Add the new SSD-Set to the directory + if( $this->conn['ssd']->add( "rbacname=" . $inName . "," . 
$this->conf->getValue( "ssd", "base" ), $arrSsdEntry ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_ALLREADY_EXISTS" ), + $this->conf->getValue( "errorCode", "SD_ALLREADY_EXISTS" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_CARDINALITY" ), + $this->conf->getValue( "errorCode", "SD_CARDINALITY" ) ); + + } + + } + + + + + // ## addSsdRoleMember ############################################## + public function addSsdRoleMember( $inSsdName, $inRole ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + $arrRole = Array(); // The role-entry + $arrTmpRole = Array(); // The temporary roles of the SSD-set + + + // Make sure the role has internal representation + !$this->rbac->isIntRepresentation( $inRole ) ? $inRole = $this->rbac->roleExtToInt( $inRole ) : false; + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacName=" . $inSsdName . "))"; + + + // Ask the directory for the SSD-set + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + // Get the role from the directory + $arrRole = $this->conn->getEntry( $inRole ); + + + if( sizeof( $arrSsd == 1 ) + && isset( $arrSsd[0]['dn'] ) ) { + + // Add the given role to the roles in the SSD-set + // to test, if it would still be consistent + isset( $arrSsd[0]['rbacsdrole'] ) ? 
$arrTmpRole = $arrSsd[0]['rbacsdrole'] : $arrTmpRole = Array(); + $arrTmpRole[] = $inRole; + + + // The role has to exist + if( isset( $arrRole['dn'] ) ) { + + if( $this->checkSSDConsistency( $arrTmpRole, $arrSsd[0]['rbaccardinality'][0] ) ) { + + // Store the new role into the SSD-set + if( $this->conn['ssd']->modify( $arrSsd[0]['dn'], Array( "rbacsdrole" => $arrTmpRole ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "ROLE_UNKNOWN" ), + $this->conf->getValue( "errorCode", "ROLE_UNKNOWN" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## deleteSsdRoleMember ########################################### + public function deleteSsdRoleMember( $inSsdName, $inRole ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->rbac->isIntRepresentation( $inRole ) ? $inRole = $this->rbac->roleExtToInt( $inRole ) : false; + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacName=" . $inSsdName . "))"; + + + // Ask the directory for the SSD-set + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + if( sizeof( $arrSsd ) == 1 + && isset( $arrSsd[0]['dn'] ) ) { + + if( $arrSsd[0]['rbaccardinality'][0] <= (sizeof( $arrSsd[0]['rbacsdrole'] ) - 1) ) { + + for( $i = 0; $i < sizeof( $arrSsd[0]['rbacsdrole'] ); $i++ ) { + + !preg_match( "/^" . $inRole . "$/i", $arrSsd[0]['rbacsdrole'][$i] ) ? 
$arrTmpRole[] = $arrSsd[0]['rbacsdrole'][$i] : false; + + } + + + // Save the modifications to the directory + if( $this->conn['ssd']->modify( $arrSsd[0]['dn'], Array( "rbacsdrole" => $arrTmpRole ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_CARDINALITY" ), + $this->conf->getValue( "errorCode", "SD_CARDINALITY" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## deleteSsdSet ################################################## + public function deleteSsdSet( $inSsdName ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacName=" . $inSsdName . "))"; + + + // Ask the directory for the SSD-set + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + if( sizeof( $arrSsd ) == 1 + && isset( $arrSsd[0]['dn'] ) ) { + + if( $this->conn['ssd']->delete( $arrSsd[0]['dn'] ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## setSsdSetCardinality ########################################## + public function setSsdSetCardinality( $inSsdName, $inCardinality ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + + + // Create a filter to get the SSD-set + $filter = "(&" . 
$this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacName=" . $inSsdName . "))"; + + + // Ask the directory for the SSD-set + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + if( sizeof( $arrSsd ) == 1 + && isset( $arrSsd[0]['dn'] ) ) { + + if( ($inCardinality >= 2) + && ($inCardinality <= sizeof( $arrSsd[0]['rbacsdrole'] )) ) { + + if( $this->checkSSDConsistency( $arrSsd[0]['rbacsdrole'], $inCardinality ) ) { + + // Store the new role into the SSD-set + if( $this->conn['ssd']->modify( $arrSsd[0]['dn'], Array( "rbaccardinality" => Array( $inCardinality ) ) ) ) { + + return true; + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + + } + else { + + return false; + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## ssdRoleSets ################################################### + public function ssdRoleSets() { + + $arrSsd = Array(); // The Ssd-set entry + $arrSetName = Array(); // The names of the SSD-sets + $i = 0; // Loop + + + // Ask the directory for the SSD-set + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $this->conf->getValue( "ssd", "filter" ), + "one", Array( "rbacname" ) ); + + + for( $i = 0; $i < sizeof( $arrSsd ); $i++ ) { + + $arrSetName[] = $arrSsd[$i]['rbacname'][0]; + + } + + + return $arrSetName; + + } + + + + + // ## ssdRoleSetRoles ############################################### + public function ssdRoleSetRoles( $inSsdName, $inExtRepresentation = true ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + $arrRole = Array(); // The roles of the SSD-set + $i = 0; // Loop + + + // Create a filter to get the SSD-set + $filter = "(&" . 
$this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacName=" . $inSsdName . "))"; + + + // Ask the directory for the SSD-set + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + if( sizeof( $arrSsd ) == 1 + && isset( $arrSsd[0]['dn'] ) ) { + + isset( $arrSsd[0]['rbacsdrole'] ) ? $arrRole = $arrSsd[0]['rbacsdrole'] : $arrRole = Array(); + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + + // For internal use this can be left out, so the + // internal function that uses this one doesn't have + // to convert every role back to internal representation + if( $inExtRepresentation ) { + + for( $i = 0; $i < sizeof( $arrRole ); $i++ ) { + + $arrRole[$i] = $this->rbac->roleIntToExt( $arrRole[$i] ); + + } + + } + + + return $arrRole; + + } + + + + + // ## ssdRoleSetCardinality ######################################### + public function ssdRoleSetCardinality( $inSsdName ) { + + $filter = ""; // LDAP-filter + $arrSsd = Array(); // The Ssd-set entry + $i = 0; // Loop + + + // Create a filter to get the SSD-set + $filter = "(&" . $this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacName=" . $inSsdName . 
"))"; + + + // Ask the directory for the SSD-set + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + if( sizeof( $arrSsd ) == 1 + && isset( $arrSsd[0]['dn'] ) ) { + + if( isset( $arrSsd[0]['rbaccardinality'][0] ) ) { + + return $arrSsd[0]['rbaccardinality'][0]; + + } + else { + + // The cardinality is a MUST-attribute, so if there is none + // it must be a LDAP-error + throw new RBACException( $this->conf->getValue( "errorDescription", "LDAP_ERROR" ), + $this->conf->getValue( "errorCode", "LDAP_ERROR" ) ); + + } + + } + else { + + throw new RBACException( $this->conf->getValue( "errorDescription", "SD_UNKNOWN" ), + $this->conf->getValue( "errorCode", "SD_UNKNOWN" ) ); + + } + + } + + + + + // ## checkAddInheritance ########################################### + public function checkAddInheritance( Context $inContext ) { + + $arrSsd = Array(); + $arrParameter = $inContext->getParameters(); // The parameters the addInheritance-function got + $ascendant = $arrParameter[0]; + $descendant = $arrParameter[1]; + $isAllowed = true; + + + // Make sure the roles has internal representation + !$this->rbac->isIntRepresentation( $ascendant ) ? $ascendant = $this->rbac->roleExtToInt( $ascendant ) : false; + !$this->rbac->isIntRepresentation( $descendant ) ? $descendant = $this->rbac->roleExtToInt( $descendant ) : false; + + + // Create a filter that gets all the SSD-sets + // where the ascendant is present + $filter = "(&" . $this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacsdrole=" . $ascendant . "))"; + + + // Get these SSD-sets + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + // The ascendant must not be in any SSD-set + // because this set would be invalid afterwards + if( sizeof( $arrSsd ) == 0 ) { + + // Create a filter that gets all the SSD-sets + // where the descendant is present + $filter = "(&" . 
$this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacsdrole=" . $descendant . "))"; + + + // Get these SSD-sets + $arrSsd = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + for( $i = 0; $i < sizeof( $arrSsd ) && $isAllowed; $i++ ) { + + $isAllowed = $isAllowed && $this->checkSSDConsistency( $arrSsd[$i]['rbacsdrole'], $arrSsd[0]['rbaccardinality'][0], + $ascendant, $descendant ); + + } + + + if( !$isAllowed ) { + + $inContext->changeSecurityChain( false, "Not all SSD-constraints would be satisfied" ); + + } + + } + else { + + $inContext->changeSecurityChain( false, "The ascendant-role is member of a SSD-set that would be inconsistent afterwards" ); + + } + + + return $inContext; + + } + + + + + // ## checkAssignUser ############################################### + public function checkAssignUser( Context $inContext ) { + + $arrParameter = $inContext->getParameters(); // The parameters the assignUser-function got + $userMembership = 0; // The number of roles the user is assigned to in SSD-set + $isAllowed = true; // Is it allowed to assign the user to the role + $i = 0; // Loop + + + // Make sure the role has internal representation + !$this->rbac->isIntRepresentation( $arrParameter[1] ) ? $arrParameter[1] = $this->rbac->roleExtToInt( $arrParameter[1] ) : false; + + + // The user has these roles in internal + // representation (last parameter false) + $arrUserRole = $this->rbac->authorizedRoles( $arrParameter[0], false ); + + + // Create a filter that gets all the SSD-sets + // where the role is present the user would be assigned to + $filter = "(&" . $this->conf->getValue( "ssd", "filter" ); + $filter .= "(rbacsdrole=" . $arrParameter[1] . 
"))"; + + + // Get these SSD-sets + $arrSSD = $this->conn['ssd']->search( $this->conf->getValue( "ssd", "base" ), $filter, "one" ); + + + for( $i = 0; $i < sizeof( $arrSSD ); $i++ ) { + + $userMembership = 0; + for( $j = 0; $j < sizeof( $arrUserRole ); $j++ ) { + + // This counts how many roles of the SSD-sed the + // user is performer of + for( $k = 0; $k < sizeof( $arrSSD[$i]['rbacsdrole'] ); $k++ ) { + + if( preg_match( "/^" . $arrUserRole[$j] . "$/i", $arrSSD[$i]['rbacsdrole'][$k] ) ) { + + $userMembership++; + + } + + } + + } + + + // If one SSD-set disallows the assignment, it's enough + $isAllowed = $isAllowed && ( ($userMembership + 1) < $arrSSD[$i]['rbaccardinality'][0] ); + + } + + + if( !$isAllowed ) { + + $inContext->changeSecurityChain( false, "Not all SSD-constraints would be satisfied" ); + + } + + + return $inContext; + + } + + + + + // ## arrayIntersection ############################################# + public function arrayIntersection( Array $inArray ) { + + $arrHistogram = Array(); + $arrIntersection = Array(); + $i = 0; + $j = 0; + + + for( $i = 0; $i < sizeof( $inArray ); $i++ ) { + + for( $j = 0; $j < sizeof( $inArray[$i] ); $j++ ) { + + isset( $arrHistogram[$inArray[$i][$j]] ) ? 
$arrHistogram[$inArray[$i][$j]] = $arrHistogram[$inArray[$i][$j]] + 1 + : $arrHistogram[$inArray[$i][$j]] = 1; + + } + + } + + + foreach( $arrHistogram as $key => $value ) { + + if( $value > 1 ) { + + $arrIntersection[$key] = $value; + + } + + } + + + return $arrIntersection; + + } + + + + + // ## checkSSDConsistency ########################################### + private function checkSSDConsistency( Array $inArrRole, $inCardinality, $inRoleAsc = null, $inRoleDesc = nul ) { + + $ssdConstraintsSatisfied = true; // The result of the check + $arrMemberHistogram = Array(); + + + // All these vombinations are possible + $arrRoleCombination = $this->createRoleCombinations( $inArrRole, $inCardinality ); + + + foreach( $arrRoleCombination as $index => $arrCombination ) { + + $arrMemberHistogram = Array(); + for( $i = 0; $i < sizeof( $arrCombination ); $i++ ) { + + // Get all authorized users for the role in the combination-set + $arrAuthorizedUser = $this->rbac->authorizedUsers( $arrCombination[$i], true ); + + + // If an additional ascendant role is given, we have to + // add its authorized users to these roles that match the + // descendant role at any point of the hirarchy. + if( $inRoleAsc != null + && $inRoleDesc != null + && preg_match( "/" . $inRoleDesc . "$/i", $arrCombination[$i] ) ) { + + + $arrAuthorizedUser = array_merge( $arrAuthorizedUser, $this->rbac->authorizedUsers( $inRoleAsc, true ) ); + + } + + + // If the user is performer of this role, than increase + // by one + for( $j = 0; $j < sizeof( $arrAuthorizedUser ); $j++ ) { + + isset( $arrMemberHistogram[$arrAuthorizedUser[$j]] ) ? 
$arrMemberHistogram[$arrAuthorizedUser[$j]]++ + : $arrMemberHistogram[$arrAuthorizedUser[$j]] = 1; + + } + + + // Each user may only perform less than inCardinality roles + foreach( $arrMemberHistogram as $user => $count ) { + + if( $count >= $inCardinality ) { + + $ssdConstraintsSatisfied = false; + break; + + } + + } + + } + + } + + + return $ssdConstraintsSatisfied; + + } + + + + + // ## createRoleCombinations ######################################## + public function createRoleCombinations( Array $inRole, $inCardinality ) { + + $arrTmp = Array(); + $arrResult = Array(); + + + for( $i = 1; $i < pow( 2, sizeof( $inRole ) ); $i++ ) { + + $bin = $i; + $index = 0; + $arrTmp = Array(); + + + if( $bin == 0 ) { + + $arrTmp[] = $inRole[$index]; + + } + else { + + while( $bin != 0 ) { + + if( $bin % 2 == 1 ) { + + $arrTmp[] = $inRole[$index]; + + } + + + $index++; + $bin = floor( $bin / 2 ); + + } + + } + + + if( sizeof( $arrTmp ) == $inCardinality ) { + + $arrResult[] = $arrTmp; + + } + + } + + + return $arrResult; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/extensions/UserEntry.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/extensions/UserEntry.class.php new file mode 100755 index 0000000..0a1868d --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbac/extensions/UserEntry.class.php 
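Review bot: `addSsdRoleMember` calls `$this->conn->getEntry( $inRole )` on the connection array instead of `$this->conn['role']->getEntry( $inRole )`, and its guard `sizeof( $arrSsd == 1 )` counts a boolean rather than comparing the count, so the method cannot run as written; the sibling methods use `sizeof( $arrSsd ) == 1`. In `checkAddInheritance` the loop passes `$arrSsd[0]['rbaccardinality'][0]` for every set where `$arrSsd[$i]['rbaccardinality'][0]` is meant, so sets after the first are checked against the wrong cardinality, and `checkSSDConsistency` declares `$inRoleDesc = nul`, an undefined constant rather than `null`. `deleteSsdRoleMember` never initialises `$arrTmpRole`, so when the given role is the only member the modify call receives an undefined variable instead of an empty list. Throughout the class SSD-set and role names are concatenated into LDAP filters (`"(rbacName=" . $inSsdName . "))"`) and into `preg_match` patterns (`"/^" . $inRole . "$/i"`) without escaping; filter values should go through an LDAP filter escape (`ldap_escape( $v, '', LDAP_ESCAPE_FILTER )` on PHP >= 5.6) and the patterns through `preg_quote( $inRole, '/' )`, or better a plain `strcasecmp`, because a role name containing filter or regex metacharacters changes which entries each separation-of-duty check inspects.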
@@ -0,0 +1,56 @@
+<?php
+// ####################################################################
+// Version: 0.1.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 03.11.2007
+// Letzte Aenderung: 03.11.2007
+
+
+
+class UserEntry extends RBACExtension {
+
+ // ## Klassenvariablen ##############################################
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inRBAC ) {
+
+ // Let the extension do all the things
+ // we dont't want to do
+ parent::__construct( $inRBAC );
+
+ }
+
+
+
+ // ## registerEvents ################################################
+ public function registerEvents( RBAC $inRegistrar ) {
+
+ $inRegistrar->registerEventListener( "addUser", "write", $this, "changeUserEntry" );
+
+ }
+
+
+
+
+ // ## changeUserEntry ###############################################
+ public function changeUserEntry( Context $inContext ) {
+
+ $entry = $inContext->getValue( "entry" );
+
+
+ // Make your own definitions here
+ $entry['givenName'][0] = "Foo";
+
+
+
+ $inContext->setValue( "entry", $entry );
+
+ return $inContext;
+
+ }
+
+}
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/iContext.interface.php b/info.textgrid.middleware.tgauth.rbac/rbac/iContext.interface.php
new file mode 100755
index 0000000..0eb09f9
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/iContext.interface.php
@@ -0,0 +1,15 @@
+<?php
+interface iContext {
+
+ public function setParameters( Array $inArrParameter );
+ public function getParameters();
+ public function setType( $inType );
+ public function getType();
+ public function setValue( $inName, $inValue );
+ public function getValue( $inName );
+ public function changeSecurityChain( $inContinue, $inReason = null );
+ public function getSecurityChain();
+ public function getSecurityChainReason();
+
+}
+?>
\ No newline at end of file
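Review bot: `changeUserEntry` unconditionally overwrites `givenName` with `"Foo"` for every user added while this extension is registered, and nothing in the file marks it as sample code. Either keep the template out of the loaded extension set or make the default body a no-op with a comment such as `// Template: adjust $entry here before it is written; the context is returned unchanged by default`. If `getValue( "entry" )` can return `null` for a missing key, `$entry['givenName'][0] = ...` silently builds a fresh array instead of modifying the pending entry, so a guard on `$entry` being an array is worth adding.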
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/iRBACcore.interface.php b/info.textgrid.middleware.tgauth.rbac/rbac/iRBACcore.interface.php
new file mode 100755
index 0000000..9dc0aef
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/iRBACcore.interface.php
@@ -0,0 +1,31 @@
+<?php
+interface iRBACcore {
+
+ public function createSession( $inUsername, Array $inRole, $inSession );
+ public function deleteSession( $inUsername, $inSession );
+ public function addActiveRole( $inUser, $inSession, $inRole );
+ public function dropActiveRole( $inUser, $inSession, $inRole );
+ public function assignedRoles( $inUsername, $inExtRepresentation = true );
+ public function assignedUsers( $inRole );
+ public function rolePermissions( $inRole );
+ public function userPermissions( $inUsername );
+ public function sessionPermissions( $inSession );
+ public function sessionRoles( $inSession, $inExtRepresentation = true );
+ public function checkAccess( $inSession, $inOperation, $inResource );
+ public function addUser( $inUsername, $inPassword, $inSubtree = "" );
+ public function deleteUser( $inUsername );
+ public function addRole( $inRole );
+ public function deleteRole( $inRole );
+ public function assignUser( $inUsername, $inRole );
+ public function deassignUser( $inUsername, $inRole );
+ public function grantPermission( $inResource, $inOperation, $inRole );
+ public function revokePermission( $inOperation, $inResource, $inRole );
+ public function roleOperationsOnObject( $inRole, $inResource );
+ public function userOperationsOnObject( $inUser, $inResource );
+
+ public function roleIntToExt( $inRole );
+ public function roleExtToInt( $inRole );
+ public function isIntRepresentation( $inRole );
+
+}
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/iRBAClimitedHirarchical.interface.php b/info.textgrid.middleware.tgauth.rbac/rbac/iRBAClimitedHirarchical.interface.php
new file mode 100755
index 0000000..1789b0e
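Review bot: `grantPermission( $inResource, $inOperation, $inRole )` and `revokePermission( $inOperation, $inResource, $inRole )` take the same three values in different orders, and since all three are untyped strings a caller that swaps resource and operation on one of them fails silently, revoking or granting a permission that was never meant. Aligning the two signatures (`public function revokePermission( $inResource, $inOperation, $inRole );`) or at least a docblock on each stating which argument is the resource would remove the trap; the implementing classes would presumably need the same reordering.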
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/iRBAClimitedHirarchical.interface.php
@@ -0,0 +1,25 @@
+<?php
+interface iRBAClimitedHirarchical extends iRBACcore {
+
+/*
+ public function createSession( $inUsername, Array $inRole, $inSession );
+ public function deleteSession( $inUsername, $inSession );
+ public function addActiveRole( $inUser, $inSession, $inRole );
+ public function dropActiveRole( $inUser, $inSession, $inRole );
+ public function assignedRoles( $inUsername, $inExtRepresentation = true );
+ public function assignedUsers( $inRole );
+ public function rolePermissions( $inRole );
+ public function userPermissions( $inUsername );
+ public function sessionPermissions( $inSession );
+ public function sessionRoles( $inSession, $inExtRepresentation = true );
+ public function checkAccess( $inSession, $inOperation, $inResource );
+ public function addUser( $inUsername, $inPassword, $inSubtree = "" );
+ public function deleteUser( $inUsername );
+ public function addRole( $inRole );
+ public function deleteRole( $inRole );
+ public function assignUser( $inUsername, $inRole );
+ public function deassignUser( $inUsername, $inRole );
+ public function grantPermission( $inResource, $inOperation, $inRole );
+*/
+}
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/schema/rbac.schema b/info.textgrid.middleware.tgauth.rbac/rbac/schema/rbac.schema
new file mode 100644
index 0000000..b29c453
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/schema/rbac.schema
@@ -0,0 +1,141 @@ +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.1 + NAME 'rbacName' + DESC 'Eindeutiger Name eines RBAC-Eintrags' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SINGLE-VALUE + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.2 + NAME 'rbacResourceName' + DESC 'Eine Resource, die mit RBAC verwaltet wird' + EQUALITY caseIgnoreMatch + SINGLE-VALUE + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.3 + NAME 'rbacOperation' + DESC 'Eine Operation, die auf eine rbacResource anwendbar ist' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.4 + NAME 'rbacPerformer' + DESC 'Inhaber einer Role' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.5 + NAME 'rbacAllow' + DESC 'Berechtigung einer Role' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.6 + NAME 'rbacSessionRole' + DESC 'Eine aktive Session-Rolle' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.7 + NAME 'rbacSessionUser' + DESC 'Der Besitzer einer Session' + EQUALITY caseIgnoreMatch + SINGLE-VALUE + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.8 + NAME 'rbacDescription' + DESC 'Eine RBAC-spezifische Beschreibung' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.9 + NAME 'rbacPermission' + DESC 'Eine Berechtigung bestehend aus Rolle und Operation' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.10 + NAME 'rbacSDRole' + DESC 'Eine Rolle in einem SSD- oder DSD-Set' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.11 + NAME 'rbacCardinality' + DESC 'Die Kardinalitaet eine SSD- oder DSD-Set' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.12 + NAME 'rbacSessionCreationTimestamp' + DESC 'Der Zeitpunkt, zu dem eine Session angelegt wurde' + EQUALITY generalizedTimeMatch + SINGLE-VALUE + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + + +attributetype ( 1.3.6.1.4.1.10126.1.23.1.3.13 + NAME 'rbacSessionCheckTimestamp' + DESC 'Der Zeitpunkt, zu dem eine Session das letzte mal + verwendet wurde, um eine Entscheidung zu treffen.' + EQUALITY generalizedTimeMatch + SINGLE-VALUE + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + + +objectclass ( 1.3.6.1.4.1.10126.1.23.1.4.2 + NAME 'rbacRole' + DESC 'Eine RBAC-Rolle' + SUP top + STRUCTURAL + MUST ( rbacName ) + MAY ( rbacAllow $ rbacPerformer $ rbacDescription ) ) + + +objectclass ( 1.3.6.1.4.1.10126.1.23.1.4.3 + NAME 'rbacSession' + DESC 'Eine RBAC-Session' + SUP top + STRUCTURAL + MUST ( rbacName $ rbacSessionUser $ rbacSessionCreationTimestamp ) + MAY ( rbacSessionRole $ rbacDescription $ rbacSessionCheckTimestamp ) ) + + +objectClass ( 1.3.6.1.4.1.10126.1.23.1.4.4 + NAME 'rbacResource' + DESC 'Eine RBAC-Resource' + AUXILIARY + MAY ( rbacName $ rbacOperation $ rbacDescription $ rbacPermission ) ) + + +objectclass ( 1.3.6.1.4.1.10126.1.23.1.4.5 + NAME 'rbacSSD' + DESC 'Ein SSD-Set' + SUP top + STRUCTURAL + MUST ( rbacName $ rbacCardinality ) + MAY ( rbacSDRole ) ) + +objectclass ( 1.3.6.1.4.1.10126.1.23.1.4.6 + NAME 'rbacDSD' + DESC 'Ein DSD-Set' + SUP top + STRUCTURAL + MUST ( rbacName $ rbacCardinality ) + MAY ( rbacSDRole ) ) diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgAdministration.class.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgAdministration.class.php new file mode 100755 index 0000000..ffa1044 --- /dev/null 
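Review bot: `rbacCardinality` is declared without `SINGLE-VALUE`, while every reader in the SSD and DSD extensions takes `rbaccardinality[0]` and ignores further values, so a second value stored in the directory would make the separation-of-duty checks depend on attribute value order. Adding `SINGLE-VALUE` to that attributetype, as `rbacName` and `rbacSessionUser` already have, lets the directory enforce the invariant the code assumes. The quoted DESC of `rbacSessionCheckTimestamp` is split across two lines; OpenLDAP accepts whitespace-led continuation lines, but keeping it on one line avoids a parse problem on other servers.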
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgAdministration.class.php 
@@ -0,0 +1,735 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 13.08.2007 +// Version: 0.1.4 +// ####################################################### + + +class TgAdministration { + + // Global variables + protected $rbac; + protected $config; + + + + // ----------------------------------------------------- + // Constructor + // Input: none + // Output: object RBACcore + // Description: + // Sets the configuration and creates an instance of + // the RBAC-class. + // ----------------------------------------------------- + public function __construct( $inConfigurationFilename, $inRbacConfFile, $inRbacBase ) { + + $this->rbac = new RBAC( $inRbacConfFile, $inRbacBase ); + + + $this->config = new SimpleConfig( $inConfigurationFilename ); + + } + + + + + // ----------------------------------------------------- + // Function: addUser + // Input: intSid / xsd:string + // username / xsd:string + // password / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the user is added to the system. + // ----------------------------------------------------- + function addUser( $inRequest ) { + + $userDomain = ""; // The domain-component of the user + $arrTmpDomain = Array(); // Temporary array + $userTreeDn = ""; // The tree of the directory where to add the user + $addUserResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + if( preg_match( "/^.+[@]{1}.+$/", $inRequest->username ) ) { + + $arrTmpDomain = preg_split( "/[@]/", $inRequest->username ); + $userDomain = $arrTmpDomain[1]; + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "user_" . $userDomain ) + || $this->rbac->checkAccess( $inRequest->intSid, "administer", "user_base" ) ) { + + // Construct the sub-dn under which the user will be added. 
The base-DN is + // not given because the RBAC-system uses this allways as base and simply starts + // to act from there. To give a dn to the RBAC-function is optional and not + // documented or supported by the ANSI-standard! It is an implementation-specific + // addition. + $userTreeDn = $this->config->getValue( "user", "userTreeAttribute" ) . "=" . $userDomain; + + try { + + $addUserResult = $this->rbac->addUser( $inRequest->username, $inRequest->password, $userTreeDn ); + + + $result->result = $addUserResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + } + else { + + return new SoapFault( "formatFault", + $this->config->getValue( "errorCode", "INVALID_USER_FORMAT" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INVALID_USER_FORMAT" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: deleteUser + // Input: intSid / xsd:string + // username / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the given user is removed from the system. 
+ // ----------------------------------------------------- + function deleteUser( $inRequest ) { + + $userDomain = ""; // The domain-component of the user + $arrTmpDomain = Array(); // Temporary array + $deleteUserResult = false; // Result of the RBAC-call + $result = new booleanResponse(); // The result + + + if( preg_match( "/^.+[@]{1}.+$/", $inRequest->username ) ) { + + $arrTmpDomain = preg_split( "/[@]/", $inRequest->username ); + $userDomain = $arrTmpDomain[1]; + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "user_" . $userDomain ) + || $this->rbac->checkAccess( $inRequest->intSid, "administer", "user_base" ) ) { + + try { + + $deleteUserResult = $this->rbac->deleteUser( $inRequest->username ); + + + $result->result = $deleteUserResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + } + else { + + return new SoapFault( "formatFault", + $this->config->getValue( "errorCode", "INVALID_USER_FORMAT" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INVALID_USER_FORMAT" ) ); + + } + + + return $result; + + } + + + + // ----------------------------------------------------- + // Function: addRole + // Input: intSid / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the given role is added to the system. + // This function creates roles without a hirarchy, so it + // only has to check if there is access to the "role_base". 
+ // ----------------------------------------------------- + function addRole( $inRequest ) { + + $addRoleResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "role_base" ) ) { + + try { + + $addRoleResult = $this->rbac->addRole( $inRequest->role ); + + + $result->result = $addRoleResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: deleteRole + // Input: intSid / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the given role is removed from the system. + // This function removes roles without a hirarchy, so it + // only has to check if there is access to the "role_base". 
+ // ----------------------------------------------------- + function deleteRole( $inRequest ) { + + $deleteRoleResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "role_base" ) ) { + + try { + + $deleteRoleResult = $this->rbac->deleteRole( $inRequest->role ); + + + $result->result = $deleteRoleResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: assignUser + // Input: intSid / xsd:string + // username / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the given user is assigned to the + // role. + // ----------------------------------------------------- + function assignUser( $inRequest ) { + + $assignUserResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights to assign a user + // to the given role. The user may have directly the right + // to modify the given role or the user may have the right to + // modify the whole role-tree. 
+ if( $this->rbac->checkAccess( $inRequest->intSid, "delegate", $inRequest->role ) + || $this->rbac->checkAccess( $inRequest->intSid, "administer", "role_base" ) ) { + + try { + + $assignUserResult = $this->rbac->assignUser( $inRequest->username, $inRequest->role ); + + + $result->result = $assignUserResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + // ----------------------------------------------------- + // Function: deassignUser + // Input: intSid / xsd:string + // username / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the given user is deassigned from + // the role. + // ----------------------------------------------------- + function deassignUser( $inRequest ) { + + $deassignUserResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights to assign a user + // to the given role. The user may have directly the right + // to modify the given role or the user may have the right to + // modify the whole role-tree. 
+ if( $this->rbac->checkAccess( $inRequest->intSid, "delegate", $inRequest->role ) + || $this-rbac-checkAccess( $inRequest->intSid, "administer", "role_base" ) ) { + + try { + + $deassignUserResult = $this->rbac->deassignUser( $inRequest->username, $inRequest->role ); + + + $result->result = $deassignUserResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: grantPermission + // Input: intSid / xsd:string + // resource / xsd:string + // operation / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the given user is deassigned from + // the role. + // ----------------------------------------------------- + function grantPermission( $inRequest ) { + + $grantPermissionResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights to grant a permission + // to the given role. The user may have directly the right + // to modify the given permission or the user may have the right to + // modify the whole permission (resource)-tree. 
+ if( $this->rbac->checkAccess( $inRequest->intSid, "delegate", $inRequest->resource ) ) { + + try { + + $grantPermissionResult = $this->rbac->grantPermission( $inRequest->resource, $inRequest->operation, $inRequest->role ); + + + $result->result = $grantPermissionResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: revokePermission + // Input: intSid / xsd:string + // operation / xsd:string + // resource / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the role loses + // ----------------------------------------------------- + function revokePermission( $inRequest ) { + + $revokePermissionResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights to grant a permission + // to the given role. The user may have directly the right + // to modify the given permission or the user may have the right to + // modify the whole permission (resource)-tree. 
+ if( $this->rbac->checkAccess( $inRequest->intSid, "delegate", $inRequest->resource ) ) { + + try { + + $revokePermissionResult = $this->rbac->revokePermission( $inRequest->operation, $inRequest->resource, $inRequest->role ); + + + $result->result = $revokePermissionResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: addInheritance + // Input: intSid / xsd:string + // ascendant / xsd:string + // descendant / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the the role inheritance between + // the ascendance and the descendance is established. + // After this, the descendant has all the rights of + // the ascendant. + // ----------------------------------------------------- + function addInheritance( $inRequest ) { + + $addInheritanceResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights to add an inheritance + // between the given roles. The user may have directly the right + // to add an inheritance to the descendant or he is allowed to + // modify all of the roles inheritances. 
+ if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "role_base" ) ) { + + try { + + $addInheritanceResult = $this->rbac->addInheritance( $inRequest->ascendant, $inRequest->descendant ); + + + $result->result = $addInheritanceResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: deleteInheritance + // Input: intSid / xsd:string + // ascendant / xsd:string + // descendant / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the role inheritance between + // the ascendance and the descendance is removed. + // After this, the descendant no longer has the rights of + // the ascendant. + // ----------------------------------------------------- + function deleteInheritance( $inRequest ) { + + $deleteInheritanceResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights to add an inheritance + // between the given roles. The user may have directly the right + // to delete the inheritance or he is allowed to + // modify all of the roles inheritances. 
+ if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "role_base" ) ) { + + try { + + $deleteInheritanceResult = $this->rbac->deleteInheritance( $inRequest->ascendant, $inRequest->descendant ); + + + $result->result = $deleteInheritanceResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: addAscendant + // Input: intSid / xsd:string + // ascendant / xsd:string + // descendant / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the new role "ascendant" is added and + // the inheritance between the ascendance and the + // descendance is established. After this, the descendant + // has all the rights of the ascendant. + // ----------------------------------------------------- + function addAscendant( $inRequest ) { + + $addAscendantResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights to add an ascendant. + // The user may have directly the right to add the ascendant + // or he is allowed to modify all of the roles. 
+ if( $this->rbac->checkAccess( $inRequest->intSid, "delegate", $inRequest->descendant ) + || $this->rbac->checkAccess( $inRequest->intSid, "administer", "role_base" ) ) { + + try { + + $addAscendantResult = $this->rbac->addAscendant( $inRequest->ascendant, $inRequest->descendant ); + + + $result->result = $addAscendantResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: addDescendant + // Input: intSid / xsd:string + // ascendant / xsd:string + // descendant / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the new role "descendant" is added and + // the inheritance between the ascendance and the + // descendance is established. After this, the descendant + // has all the rights of the ascendant. + // ----------------------------------------------------- + function addDescendant( $inRequest ) { + + $addDescendantResult = false; // The result of the RBAC-call + $result = new booleanResponse(); // The result + + + // Test if the user has apropriate rights to add an descendant. + // The user may have directly the right to add the ascendant + // or he is allowed to modify all of the roles. 
+ if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "role_base" ) ) { + + try { + + $addDescendantResult = $this->rbac->addDescendant( $inRequest->ascendant, $inRequest->descendant ); + + + $result->result = $addDescendantResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php new file mode 100755 index 0000000..599c709 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php 
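Review bot: The fallback authorization check in deassignUser is broken: `|| $this-rbac-checkAccess( $inRequest->intSid, "administer", "role_base" )` uses `-` instead of `->`, so PHP parses it as subtraction on `$this` and a call to an undefined global function, and any session without the `delegate` right on the role hits a fatal error instead of the intended `role_base` check; it should read `|| $this->rbac->checkAccess( $inRequest->intSid, "administer", "role_base" )`, exactly as in assignUser. The header comments on grantPermission, revokePermission, addInheritance, deleteInheritance and addDescendant promise a second path ("or the user may have the right to modify the whole ... tree" / "or he is allowed to modify all of the roles"), but each of those bodies enforces only a single `checkAccess`; either add the second check or reword the comment so the documented policy is the enforced one. The descriptions of grantPermission and revokePermission were also copied from deassignUser ("the given user is deassigned from the role") and should describe granting and revoking a permission on a resource.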
@@ -0,0 +1,1638 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 17.07.2007 +// Modification date: 08.04.2008 +// Version: 0.2.0 +// ####################################################### + + + +class TgExtra { + + // Global variables + protected $rbac; + protected $config; + protected $connection; + + + + // ----------------------------------------------------- + // Constructor + // Input: none + // Output: object RBACcore + // Description: + // Creates initial connections to the LDAP-server and + // sets some configuration parameters. + // ----------------------------------------------------- + public function __construct( $inConfigurationFilename, $inRbacConfFile, $inRbacBase ) { + + $this->rbac = new RBAC( $inRbacConfFile, $inRbacBase ); + + + $this->config = new SimpleConfig( $inConfigurationFilename ); + + + // Create connection + $this->connection['user'] = new LDAP(); + $this->connection['user']->connect( $this->config->getValue( "authentication", "host" ), + $this->config->getValue( "authentication", "port" ), + $this->config->getValue( "authentication", "version" ), + preg_match( "/yes/i", $this->config->getValue( "authentication", "tls" ) ) ? true : false ); + $this->connection['user']->bind( $this->config->getValue( "authentication", "binddn" ), + $this->config->getValue( "authentication", "password" ) ); + + + $this->connection['counter'] = new LDAP(); + $this->connection['counter']->connect( $this->config->getValue( "counter", "host" ), + $this->config->getValue( "counter", "port" ), + $this->config->getValue( "counter", "version" ), + preg_match( "/yes/i", $this->config->getValue( "counter", "tls" ) ) ? 
true : false ); + $this->connection['counter']->bind( $this->config->getValue( "counter", "binddn" ), + $this->config->getValue( "counter", "password" ) ); + + + $this->connection['resource'] = $this->rbac->getConnection( "resource" ); + $this->connection['role'] = $this->rbac->getConnection( "role" ); + + } + + + + + // ----------------------------------------------------- + // Function: userExists + // Input: auth / xsd:string + // log / xsd:string + // username / xsd:string + // Output: result / xsd:boolean + // Description + // Checks if a given user exists in the LDAP directory. + // ----------------------------------------------------- + function userExists( $inRequest ) { + + $result = new booleanResponse(); // The result + + + $filter = "(&" . $this->config->getValue( "authentication", "filter" ); + $filter .= "(" . $this->config->getValue( "authentication", "namingattribute" ) . "=" . $inRequest->username . "))"; + + + // Search for the users entry + $arrUserEntry = $this->connection['user']->search( $this->config->getValue( "authentication", "base" ), $filter, "sub", + Array( $this->config->getValue( "authentication", "namingattribute" ) ) ); + + + if( isset( $arrUserEntry[0] ) + && isset( $arrUserEntry[0]['dn'] ) ) { + + $result->result = true; + + } + else { + + $result->result = false; + + } + + + return $result; + + } + + + + // ----------------------------------------------------- + // Function: authenticate + // Input: username / xsd:string + // password / xsd:string + // log / xsd:string + // Output: sid / xsd:string + // Description + // Tries to authenticate the user. If this is + // successful a session-ID is generated and a + // session is startet. 
+ // ----------------------------------------------------- + function authenticate( $inRequest ) { + + $filter = ""; // search-filter + $result = new authenticateResponse(); // service-resonse + $arrUserEntry; // the users entry in the directory + $intSid = ""; // the generated session-ID + $creationResult; // the result of the creation of the session + + + // Construct the search-filter + $filter .= "(&" . $this->config->getValue( "authentication", "filter" ); + $filter .= "(" . $this->config->getValue( "authentication", "namingattribute" ) . "=" . $inRequest->username . "))"; + + + // Search for the users entry + $arrUserEntry = $this->connection['user']->search( $this->config->getValue( "authentication", "base" ), $filter, "sub", + Array( $this->config->getValue( "authentication", "namingattribute" ) ) ); + + + if( isset( $arrUserEntry[0] ) + && isset( $arrUserEntry[0]['dn'] ) ) { + + // Try to bind with the given password + $bindResult = $this->connection['user']->bind( $arrUserEntry[0]['dn'], $inRequest->password ); + + + if( $bindResult ) { + + $intSid = $this->createSessionID(); + + + // Try to create the session in the rbac-system + $creationResult = $this->rbac->createSession( $inRequest->username, Array(), $intSid ); + if( $creationResult == $this->config->getValue( "errorCode", "OK" ) ) { + + $result->auth = $intSid; + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "AUTHENTICATION_ERROR" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "AUTHENTICATION_ERROR" ) ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "AUTHENTICATION_ERROR" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "AUTHENTICATION_ERROR" ) ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "UNKNOWN_USER" ), + get_class( $this ), + $this->config->getValue( 
"errorDescription", "UNKNOWN_USER" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: tgCheckAccess + // Input: log / xsd:string + // session / xsd:string + // operation / xsd:string + // resource / xsd:string + // Output: sid / xsd:string + // Description + // Tries to authenticate the user. If this is + // successful a session-ID is generated and a + // session is startet. + // ----------------------------------------------------- + public function tgCheckAccess( $inRequest ) { + + $result = new booleanResponse(); + + + $result->result = $this->rbac->checkAccess( $inRequest->auth, $inRequest->operation, $inRequest->resource ); + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: createSessionID + // Input: none + // Output: sid / xsd:string + // Description + // Creates a new session-ID. + // ----------------------------------------------------- + public function getSid() { + + $result = new getSidResponse(); + + + $result->sid = $this->createSessionID(); + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: filterBySid + // Input: auth / xsd:string + // log / xsd:string + // sid / xsd:string + // resource / xsd:string + // operation / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to authorize the user. If this is + // successful the function filters all the ressources + // given by checking if the sid has appropriate access. 
+ // ----------------------------------------------------- + function filterBySid( $inRequest ) { + + $filterBySidResult = Array(); // The resources that pass the filter + $result = new filterResponse(); // The result + + + $res = $inRequest->resource; + // Make sure it is an array + if( !is_array( $res ) ) { + + $res = Array( $res ); + + } + + + try { + + for( $i = 0; $i < sizeof( $res ); $i++ ) { + + if( $this->rbac->checkAccess( $inRequest->sid, $inRequest->operation, $res[$i] ) ) { + + $filterBySidResult[] = $res[$i]; + + } + + } + + + $result->resource = $filterBySidResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: addMember + // Input: auth / xsd:string + // log / xsd:string + // username / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Tries to add a user to a project. This is only possible + // if the user exists and the session has the permission + // "delegate" on the project. 
+ // ----------------------------------------------------- + public function addMember( $inRequest ) { + + $arrSplit = Array(); + $project = false; + $result = new booleanResponse(); // The return-result + + + // Extract the project from the role + $arrSplit = preg_split( "/[,]/", $inRequest->role ); + + for( $i = 0; $i < sizeof( $arrSplit ); $i++ ) { + + if( preg_match( "/^tgpr[0-9]+$/i", $arrSplit[$i] ) ) { + + $project = $arrSplit[$i]; + + } + + } + + + if( $project + && $this->rbac->checkAccess( $inRequest->auth, "delegate", $project ) ) { + + try { + + if( $this->rbac->assignUser( $inRequest->username, $inRequest->role ) ) { + + $result->result = true; + + } + else { + + $result->result = false; + + } + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + $result->result = false; + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: tgGrantPermission + // Input: auth / xsd:string + // log / xsd:string + // role / xsd:string + // resource / xsd:string + // operation / xsd:string + // Output: result / xsd:boolean + // Description + // Grants a permission to a resource if the user + // given by the auth parameter has the right to + // do this. 
+ // ----------------------------------------------------- + public function tgGrantPermission( $inRequest ) { + + $result = new booleanResponse(); + + + try { + + if( $this->rbac->checkAccess( $inRequest->auth, "delegate", $inRequest->resource ) ) { + + $result->result = $this->rbac->grantPermission( $inRequest->resource, $inRequest->operation, $inRequest->role ); + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: tgRevokePermission + // Input: auth / xsd:string + // log / xsd:string + // role / xsd:string + // resource / xsd:string + // operation / xsd:string + // Output: result / xsd:boolean + // Description + // Revokes a permission for a resource if the user + // given by the auth parameter has the right to + // do this. 
+ // -----------------------------------------------------
+ public function tgRevokePermission( $inRequest ) {
+
+ $result = new booleanResponse();
+
+
+ try {
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "delegate", $inRequest->resource ) ) {
+
+ $result->result = $this->rbac->revokePermission( $inRequest->operation, $inRequest->resource, $inRequest->role );
+
+ }
+ else {
+
+ return new SoapFault( "authenticationFault",
+ $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ),
+ get_class( $this ),
+ $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) );
+
+ }
+
+ }
+ catch( RBACException $e ) {
+
+ return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: getObjects
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // project / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Returns a list of all resources that the user corresponding
+ // to the session-ID (auth) may read.
+ // -----------------------------------------------------
+ public function getObjects( $inRequest ) {
+
+ $result = new resourcesetResponse(); // The return-result
+ $filter = ""; // RBAC-filter
+ $arrResource = Array(); // Resoult of the RBAC-search
+ $i = 0; // Loop
+
+
+ $filter = "(&" . $this->rbac->getConfiguration()->getValue( "resource", "filter" );
+ $filter .= "(tgprojectid=" . $inRequest->project . "))";
+
+
+ $arrResource = $this->connection['resource']->search( $this->rbac->getConfiguration()->getValue( "resource", "base" ),
+ $filter, "sub",
+ Array( $this->rbac->getConfiguration()->getValue( "resource", "aliasattribute" ),
+ $this->rbac->getConfiguration()->getValue( "resource", "namingattribute" ) ) );
+
+
+ for( $i = 0; $i < sizeof( $arrResource ); $i++ ) {
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "read",
+ $arrResource[$i][$this->rbac->getConfiguration()->getValue( "resource", "aliasattribute" )][0] ) ) {
+
+ $result->resource[] = $arrResource[$i][$this->rbac->getConfiguration()->getValue( "resource", "aliasattribute" )][0];
+
+ }
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: isPublic
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // resource / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Returns true if the resource is public. In every
+ // other case there will be returned false.
+ // -----------------------------------------------------
+ public function isPublic( $inRequest ) {
+
+ $result = new booleanResponse();
+ $filter = "";
+ $arrResource = Array();
+
+
+ // Create a filter that searches for the
+ // given resource.
+ $filter = "(&" . $this->rbac->getConfiguration()->getValue( "resource", "filter" );
+ $filter .= "(|(" . $this->rbac->getConfiguration()->getValue( "resource", "namingattribute" ) . "=" . $inRequest->resource . ")";
+ $filter .= " (" . $this->rbac->getConfiguration()->getValue( "resource", "aliasattribute" ) . "=" . $inRequest->resource . ")))";
+
+
+ $arrResource = $this->connection['resource']->search( $this->rbac->getConfiguration()->getValue( "resource", "base" ),
+ $filter, "sub",
+ Array( "tgispublic" ) );
+
+
+ // If the attribute is not set or there was no
+ // resource found, return false.
+ if( !isset( $arrResource[0]['tgispublic'] ) ) {
+
+ $result->result = false;
+
+ }
+ else {
+
+ preg_match( "/^true$/i", $arrResource[0]['tgispublic'][0] ) ? $result->result = true : $result->result = false;
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: getOwner
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // resource / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Returns the owner of a resource. This owner has nothing
+ // to do with any permissions, it is just the owner.
+ // -----------------------------------------------------
+ public function getOwner( $inRequest ) {
+
+ $result = new getOwnerResponse(); // The return-result
+ $filter = ""; // RBAC-filter
+ $arrResource = Array(); // Resoult of the RBAC-search
+
+
+ // Create a filter that searches for the
+ // given resource.
+ $filter = "(&" . $this->rbac->getConfiguration()->getValue( "resource", "filter" );
+ $filter .= "(|(" . $this->rbac->getConfiguration()->getValue( "resource", "namingattribute" ) . "=" . $inRequest->resource . ")";
+ $filter .= " (" . $this->rbac->getConfiguration()->getValue( "resource", "aliasattribute" ) . "=" . $inRequest->resource . ")))";
+
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "read", $inRequest->resource ) ) {
+
+ $arrResource = $this->connection['resource']->search( $this->rbac->getConfiguration()->getValue( "resource", "base" ),
+ $filter, "sub",
+ Array( "tgresourceowner" ) );
+
+
+ if( sizeof( $arrResource ) == 1 ) {
+
+ $result->owner = $arrResource[0]['tgresourceowner'][0];
+
+ }
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: getMembers
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // project / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Returns a list of members in a project.
+ // -----------------------------------------------------
+ public function getMembers( $inRequest ) {
+
+ $result = new usersetResponse(); // The return-result
+ $arrMember = Array(); // Resoult of the RBAC-search
+
+
+ $arrMember = $this->rbac->authorizedUsers( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=" . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $this->config->getValue( "project", "base" )
+ . "," . $this->rbac->getConfiguration()->getValue( "role", "base" ) );
+
+
+ // The user has to be in the project to be
+ // allowed to display all other users
+ if( in_array( $this->rbac->sessionUser( $inRequest->auth ), $arrMember ) ) {
+
+ $result->username = $arrMember;
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: getRights
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // resource / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Returns a list of operations allowed by the user
+ // on a specific resource.
+ // -----------------------------------------------------
+ public function getRights( $inRequest ) {
+
+ $arrOperation = Array();
+ $result = new operationsetResponse(); // The return-result
+
+
+ if( preg_match( "/.+/", $inRequest->username ) ) {
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "delegate", $inRequest->resource ) ) {
+
+ $arrOperation = $this->rbac->userOperationsOnObject( $inRequest->username, $inRequest->resource );
+
+ }
+ else {
+
+ return new SoapFault( "authenticationFault",
+ $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ),
+ get_class( $this ),
+ $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) );
+
+ }
+
+ }
+ else {
+
+ $arrOperation = $this->rbac->userOperationsOnObject( $this->rbac->sessionUser( $inRequest->auth ), $inRequest->resource );
+
+ }
+
+
+ $result->operation = $arrOperation;
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: publish
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // project / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Returns a list of operations allowed by the user
+ // on a specific resource.
+ // -----------------------------------------------------
+ public function publish( $inRequest ) {
+
+ $arrResource = Array();
+ $arrModify = Array();
+ $filter = "";
+ $result = new booleanResponse(); // The return-result
+
+
+ $filter = "(&" . $this->rbac->getConfiguration()->getValue( "resource", "filter" );
+ $filter .= "(|(" . $this->rbac->getConfiguration()->getValue( "resource", "namingattribute" ) . "=" . $inRequest->resource . ")";
+ $filter .= " (" . $this->rbac->getConfiguration()->getValue( "resource", "aliasattribute" ) . "=" . $inRequest->resource . ")))";
+
+
+ // Get the resource
+ $arrResource = $this->connection['resource']->search( $this->rbac->getConfiguration()->getValue( "resource", "base" ), $filter, "sub",
+ Array( "tgispublic", "tgprojectid" ) );
+
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "publish", $inRequest->resource ) ) {
+
+ $arrModify['tgispublic'][] = "TRUE";
+ $result->result = $this->connection['resource']->modify( $arrResource[0]['dn'], $arrModify );
+
+ }
+ else {
+
+ return new SoapFault( "authenticationFault",
+ $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ),
+ get_class( $this ),
+ $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: getProjectDescription
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // project / xsd:string
+ // Output: result / xsd:string
+ // Description
+ // Returns the description of a project
+ // -----------------------------------------------------
+ public function getProjectDescription( $inRequest ) {
+
+ $result = new getProjectDescriptionResponse();
+ $filter = "";
+
+
+ $filter = "(&" . $this->rbac->getConfiguration()->getValue( "role", "filter" );
+ $filter .= "(" . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=" . $inRequest->project . "))";
+
+
+ $arrProject = $this->connection['role']->getEntry( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $this->config->getValue( "project", "base" )
+ . "," . $this->rbac->getConfiguration()->getValue( "role", "base" ) );
+
+
+ if( isset( $arrProject['dn'] ) ) {
+
+ $result->project = new stdClass();
+ $result->project->description = $arrProject['tgprojectdescription'][0];
+ $result->project->name = $arrProject['tgprojectname'][0];
+ $result->project->id = $arrProject['tgprojectid'][0];
+
+ }
+ else {
+
+ $result->project->description = "Not available";
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: tgAssignedProjects
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Returns a list of all projects of the user corresponding
+ // to the session-ID (auth).
+ // -----------------------------------------------------
+ public function tgAssignedProjects( $inRequest ) {
+
+ $filter = "";
+ $username = "";
+ $arrFound = Array();
+ $result = new rolesetResponse(); // The return-result
+ $i = 0; // Loop
+ $j = 0; // Loop
+
+
+ // By default the result is an empty array
+ $result->role = Array();
+
+
+ // The user corresponding to the session
+ $username = $this->rbac->sessionUser( $inRequest->auth );
+
+
+ // Search all roles in which the user is performer.
+ $filter = "(&" . $this->rbac->getConfiguration()->getValue( "role", "filter" );
+ $filter .= "(rbacPerformer=" . $username . "))";
+
+ $arrRole = $this->connection['role']->search( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $this->config->getValue( "project", "base" ) . ","
+ . $this->rbac->getConfiguration()->getValue( "role", "base" ),
+ $filter, "sub", Array( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) ) );
+
+
+ for( $i = 0; $i < sizeof( $arrRole ); $i++ ) {
+
+ $arrSplit = preg_split( "/[,]/", $arrRole[$i]['dn'] );
+ $projectBelong = "";
+
+
+ for( $j = 0; $j < sizeof( $arrSplit ); $j++ ) {
+
+ if( preg_match( "/^TGPR[0-9]+$/i",
+ preg_replace( "/^" . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=/i", "", $arrSplit[$j] ) ) ) {
+
+ $projectBelong = preg_replace( "/^" . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=/i", "", $arrSplit[$j] );
+
+ }
+
+ }
+
+
+ if( preg_match( "/.+/", $projectBelong )
+ && !isset( $arrFound[strtolower( $projectBelong )] ) ) {
+
+ $arrFound[strtolower( $projectBelong )] = 1;
+
+ }
+
+ }
+
+
+ foreach( $arrFound as $key => $value ) {
+
+ $result->role[] = strtoupper( $key );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: deleteMember
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // username / xsd:string
+ // role / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Tries to remove a user from a role. This is only possible
+ // if the user exists and the session has the permission
+ // "delegate" on the project.
+ // -----------------------------------------------------
+ public function deleteMember( $inRequest ) {
+
+ $arrSplit = Array();
+ $project = false;
+ $result = new booleanResponse(); // The return-result
+
+
+ // Extract the project from the role
+ $arrSplit = preg_split( "/[,]/", $inRequest->role );
+
+ for( $i = 0; $i < sizeof( $arrSplit ); $i++ ) {
+
+ if( preg_match( "/^tgpr[0-9]+$/i", $arrSplit[$i] ) ) {
+
+ $project = $arrSplit[$i];
+
+ }
+
+ }
+
+
+ if( $project
+ && $this->rbac->checkAccess( $inRequest->auth, "delegate", $project ) ) {
+
+ if( $this->rbac->deassignUser( $inRequest->username, $inRequest->role ) ) {
+
+ $result->result = true;
+
+ }
+ else {
+
+ $result->result = false;
+
+ }
+
+ }
+ else {
+
+ $result->result = false;
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: unregisterResource
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // project / xsd:string
+ // uri / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Tries to remove a resource from the directory. There for
+ // a user has to have the permission "delete" on the
+ // resource.
+ // -----------------------------------------------------
+ function unregisterResource( $inRequest ) {
+
+ $resourceNamingAttribute = ""; // The naming-attribute of the resource
+ $resourceAliasAttribute = ""; // The alias-attribute of the resource
+ $filter = ""; // The LDAP-filter to find the resource
+ $result = new booleanResponse(); // The return-result
+
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "delete", $inRequest->uri ) ) {
+
+ // The TextGrid-resource naming-attribute
+ $resourceNamingAttribute = $this->rbac->getConfiguration()->getValue( "resource", "namingattribute" );
+ $resourceAliasAttribute = $this->rbac->getConfiguration()->getValue( "resource", "aliasattribute" );
+
+
+ $filter = "(&" . $this->rbac->getConfiguration()->getValue( "resource", "filter" );
+ $filter .= "(|(" . $resourceNamingAttribute . "=" . $inRequest->uri . ")";
+ $filter .= " (" . $resourceAliasAttribute . "=" . $inRequest->uri . ")))";
+
+ $arrResource = $this->connection['resource']->search( $this->rbac->getConfiguration()->getValue( "resource", "base" ), $filter, "sub" );
+
+
+ if( sizeof( $arrResource ) == 1 ) {
+
+ $result->result = $this->connection['resource']->delete( $arrResource[0]['dn'] );
+
+ }
+ else {
+
+ return new SoapFault( "unknownResourceFault",
+ $this->config->getValue( "errorCode", "RESOURCENOTFOUND_ERROR" ),
+ get_class( $this ),
+ $this->config->getValue( "errorDescription", "RESOURCENOTFOUND_ERROR" ) );
+
+ }
+
+ }
+ else {
+
+ $result->result = false;
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: registerResource
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // project / xsd:string
+ // uri / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Tries to add a resource to the directory. There for
+ // a user has to have the permission "create" on the
+ // resource "project".
+ // -----------------------------------------------------
+ function registerResource( $inRequest ) {
+
+ $connection = false; // The connection for resources
+ $registered = false; // The result of the registration-tries
+ $registerTry = 10; // The number of tries of registering the resource
+ $resourceNamingAttribute = ""; // The naming-attribute of the resource
+ $arrCounter = false; // The counter entry
+ $result = new booleanResponse(); // The return-result
+
+
+ // The TextGrid-resource naming-attribute
+ $resourceNamingAttribute = $this->rbac->getConfiguration()->getValue( "resource", "namingattribute" );
+
+
+ // Look for the counter entry for resources.
+ $arrCounter = $this->connection['counter']->getEntry( "cn=resource," . $this->config->getValue( "counter", "base" ) );
+
+
+ // If there is a counter entry, use it
+ if( isset( $arrCounter['dn'] ) ) {
+
+ $freeNumber = $arrCounter['sn'][0] + 1;
+
+ }
+ else {
+
+ $arrResourceName = $this->connection['resource']->search( $this->config->getValue( "textGridResource", "base" ),
+ "(objectClass=textGridResource)",
+ "one", $resourceNamingAttribute );
+
+
+ // Every returned resource has to be examined for
+ // its number to get the next free one.
+ for( $i = 0; $i < sizeof( $arrResourceName ); $i++ ) {
+
+ $resourceName = preg_replace( "/^TGRS/i", "", $arrResourceName[$i][$resourceNamingAttribute][0] );
+ $maxNumber = max( $maxNumber, intval( $resourceName ) );
+
+ }
+
+
+ $freeNumber = $maxNumber + 1;
+
+ }
+
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "create", $inRequest->project ) ) {
+
+ // As long as the resource is not registered and the number
+ // of tries has not been reached, try to register
+ while( !$registered
+ && ($registerTry > 0) ) {
+
+ // This is the resource-entry that will be
+ // added to the directory
+ $arrEntry = Array();
+ $arrEntry['objectclass'][] = "textgridResource";
+ $arrEntry['objectclass'][] = "rbacResource";
+ $arrEntry['rbacoperation'][] = "read";
+ $arrEntry['rbacoperation'][] = "write";
+ $arrEntry['rbacoperation'][] = "delegate";
+ $arrEntry['rbacoperation'][] = "delete";
+ $arrEntry['rbacoperation'][] = "publish";
+ $arrEntry['tgresourceuri'][] = $inRequest->uri;
+ $arrEntry['tgprojectid'][] = $inRequest->project;
+ $arrEntry['tgispublic'][] = "FALSE";
+ $arrEntry[$resourceNamingAttribute][] = "TGRS" . ($freeNumber);
+ $arrEntry['tgresourceowner'][] = $this->rbac->sessionUser( $inRequest->auth );
+
+
+ // Add the default permissions to the resource
+ $arrEntry['rbacpermission'][] = $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Projektleiter,"
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=" . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "project", "base" ) . ":-:delegate";
+ $arrEntry['rbacpermission'][] = $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Projektleiter,"
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=" . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "project", "base" ) . ":-:publish";
+ $arrEntry['rbacpermission'][] = $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Administrator,"
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=" . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "project", "base" ) . ":-:delete";
+ $arrEntry['rbacpermission'][] = $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Bearbeiter,"
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=" . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "project", "base" ) . ":-:read";
+ $arrEntry['rbacpermission'][] = $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Bearbeiter,"
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=" . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "project", "base" ) . ":-:write";
+ $arrEntry['rbacpermission'][] = $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Beobachter,"
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=" . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "project", "base" ) . ":-:read";
+
+
+ // Try to add the resource with the appropriate number. If
+ // this fails, we will try again (10 times).
+ $registered = $this->connection['resource']->add( $this->rbac->getConfiguration()->getValue( "resource", "namingattribute" ) . "=TGRS"
+ . $freeNumber . "," . $this->config->getValue( "textGridResource", "base" ),
+ $arrEntry );
+
+
+ $registerTry--;
+
+
+ $registered ? false : $freeNumber++;
+
+ }
+
+
+ // This entry will add or modify the directory that way
+ // that there is a counter entry.
+ $arrEntry = Array();
+ $arrEntry['objectclass'][] = "person";
+ $arrEntry['cn'][] = "resource";
+ $arrEntry['sn'][] = $freeNumber;
+
+
+ if( !isset( $arrCounter['dn'] ) ) {
+
+ $this->connection['counter']->add( "cn=resource," . $this->config->getValue( "counter", "base" ), $arrEntry );
+
+ }
+ else {
+
+ $this->connection['counter']->modify( "cn=resource," . $this->config->getValue( "counter", "base" ), $arrEntry );
+
+ }
+
+
+ $result->result = $registered;
+
+ }
+ else {
+
+ $result->result = false;
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: getLeader
+ // Input: log / xsd:string
+ // Output: username[] / tns:xsd:string
+ // Description
+ // Searches for the leader(s) of a project.
+ // -----------------------------------------------------
+ public function getLeader( $inRequest ) {
+
+ $arrUser = Array();
+ $result = new usersetResponse();
+
+
+ $result->username = $this->rbac->assignedUsers( "Projektleiter," . $inRequest->project . ","
+ . $this->config->getValue( "project", "base" ) );
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: getAllProjects
+ // Input: log / xsd:string
+ // Output: project[] / tns:projectInfo
+ // Description
+ // Searches for all projects and returns them as a list.
+ // -----------------------------------------------------
+ public function getAllProjects( $inRequest ) {
+
+ $arrProject = Array(); // All project-entries found
+ $connection = false; // The connection for roles
+ $result = new getAllProjectsResponse(); // Return
+
+
+ // The role-connection is needed because projects
+ // are representated as roles.
+ $connection = $this->rbac->getConnection( "resource" );
+
+
+ // Search the directory
+ $arrProject = $connection->search( $this->rbac->getConfiguration()->getValue( "project", "base" ), "(objectClass=rbacRole)", "one",
+ $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) );
+
+
+ for( $i = 0; $i < sizeof( $arrProject ); $i++ ) {
+
+ $result->project[] = new ProjectInfo( $arrProject[$i][$this->rbac->getConfiguration()->getValue( "role", "namingattribute" )][0],
+ $arrProject[$i]['tgprojectname'][0], $arrProject[$i]['tgprojectdescription'][0] );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: createProject
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // name / xsd:string
+ // description / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Tries to authorize the user. If this is
+ // successful the given role is added to the system.
+ // This function creates roles without a hirarchy, so it
+ // only has to check if there is access to the "role_base".
+ // -----------------------------------------------------
+ function createProject( $inRequest ) {
+
+ $createProjectResult = false; // The result of the process
+ $connection = false; // The connection to the projects
+ $arrProjectName = Array(); // All present projects
+ $projectName = ""; // At last Holds the project-name
+ $maxNumber = 0; // The highest free project-number
+ $result = new createProjectResponse(); // The result
+ $i = 0; // Loop
+
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "registerResource", "resource_base" ) ) {
+
+ // The role-connection is needed because projects
+ // are representated as roles.
+ $connection = $this->rbac->getConnection( "role" );
+
+
+ // Search the directory
+ $arrProjectName = $connection->search( $this->rbac->getConfiguration()->getValue( "project", "base" ), "(objectClass=rbacRole)", "one",
+ $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) );
+
+
+ // Every returned project has to be examined for
+ // its number to get the next free one.
+ for( $i = 0; $i < sizeof( $arrProjectName ); $i++ ) {
+
+ $projectName = preg_replace( "/^TGPR/i", "", $arrProjectName[$i][$this->rbac->getConfiguration()->getValue( "role", "namingattribute" )][0] );
+ $maxNumber = max( $maxNumber, intval( $projectName ) );
+
+ }
+
+
+ try {
+
+ // Create the project-role
+ $createProjectResult = $this->rbac->addAscendant( "TGPR" . ($maxNumber + 1),
+ $this->rbac->getConfiguration()->getValue( "project", "base" ) );
+
+
+ // The user of the session-ID will be the Leader
+ // of this new project.
+ $this->rbac->assignUser( $this->rbac->sessionUser( $inRequest->auth ),
+ $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Projektleiter,"
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=TGPR" . ($maxNumber + 1) . ","
+ . $this->rbac->getConfiguration()->getValue( "project", "base" ) );
+
+
+ // Set the project-description
+ $connection->modify( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=TGPR" . ($maxNumber + 1) . ","
+ . $this->rbac->getConfiguration()->getValue( "project", "base" ),
+ Array( "tgprojectdescription" => Array( $inRequest->description ) ) );
+
+
+ $result->projectId = "TGPR" . ($maxNumber + 1);
+
+ }
+ catch( RBACException $e ) {
+
+ return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() );
+
+ }
+
+ }
+ else {
+
+ return new SoapFault( "authenticationFault",
+ $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ),
+ get_class( $this ),
+ $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: deactivateProject
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // project / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Adds an assigned role to the list of active session
+ // roles.
+ // -----------------------------------------------------
+ public function deactivateProject( $inRequest ) {
+
+ $renameResult = false; // The result of the rename process
+ $flagResult = false; // The result of setting the flag to the project role
+ $result = new booleanResponse(); // Return
+ $arrProject = ""; // The username corresponding to the session-ID
+
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "delegate", $inRequest->project ) ) {
+
+ $arrProject = $this->connection['role']->getEntry( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $this->config->getValue( "project", "base" )
+ . "," . $this->rbac->getConfiguration()->getValue( "role", "base" ) );
+
+
+ // Mark all users as deactivated that are directly
+ // assigned to the project role.
+ for( $i = 0; $i < sizeof( $arrModify['rbacperformer'] ); $i++ ) {
+
+ $arrModify['rbacperformer'][] = $arrProject['rbacperformer'][$i] . "__deactivated";
+
+ }
+
+
+ // Try to rename all users so they cannot
+ // activate any roles from this project
+ // anymore.
+ $renameResult = $this->renameRbacPerformers( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $this->config->getValue( "project", "base" )
+ . "," . $this->rbac->getConfiguration()->getValue( "role", "base" ) );
+
+
+ if( $renameResult ) {
+
+ // Set the flag to "TRUE"
+ $arrModify['tgprojectdeactivated'][] = "TRUE";
+
+
+ $flagResult = $this->connection['role']->modify( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $inRequest->project . ","
+ . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
+ . $this->config->getValue( "project", "base" )
+ . "," . $this->rbac->getConfiguration()->getValue( "role", "base" ),
+ $arrModify );
+ }
+
+
+ $result->result = $renameResult && $flagResult;
+
+ }
+ else {
+
+ return new SoapFault( "authenticationFault",
+ $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ),
+ get_class( $this ),
+ $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: renameRbacPerformers
+ // Input: inBase / string
+ // inRecursive / boolean
+ // Output: result / xsd:boolean
+ // Description
+ // The users stored in the rbacPerformer attribute are
+ // recursively renamed to <username>__deactivated.
+ // -----------------------------------------------------
+ private function renameRbacPerformers( $inBase, $inRecursive = true ) {
+
+ $arrEntry = Array();
+ $arrModify = Array();
+ $i = 0;
+ $result = true;
+
+
+ // Get the entry
+ $arrEntry = $this->connection['role']->getEntry( $inBase );
+
+
+ // Mark all users as deactivated that are directly
+ // assigned to the project role.
+ for( $i = 0; $i < sizeof( $arrEntry['rbacperformer'] ); $i++ ) {
+
+ $arrModify['rbacperformer'][] = $arrEntry['rbacperformer'][$i] . "__deactivated";
+
+ }
+
+
+ // If there are any users present in the entry,
+ // send the modifications.
+ if( sizeof( $arrModify['rbacperformer'] ) > 0 ) {
+
+ $this->connection['role']->modify( $inBase, $arrModify );
+
+ }
+
+
+ // Query all sub entries that still need to be
+ // processed.
+ $arrSub = $this->connection['role']->search( $inBase, $this->rbac->getConfiguration()->getValue( "role", "filter" ), "one" );
+
+
+ for( $i = 0; $i < sizeof( $arrSub ); $i++ ) {
+
+ $result = $result && $this->renameRbacPerformers( $arrSub[$i]['dn'] );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: tgAddActiveRole
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // role / xsd:string
+ // Output: result / xsd:boolean
+ // Description
+ // Adds an assigned role to the list of active session
+ // roles.
+ // -----------------------------------------------------
+ public function tgAddActiveRole( $inRequest ) {
+
+ $result = new booleanResponse(); // Return
+ $username = ""; // The username corresponding to the session-ID
+
+
+ $username = $this->rbac->sessionUser( $inRequest->auth );
+
+
+ if( preg_match( "/.+/", $username ) ) {
+
+ $result->result = $this->rbac->addActiveRole( $username, $inRequest->auth, $inRequest->role );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: tgDropActiveRole
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // role / xsd:string
+ // Output: sid / string
+ // Description
+ // Removes a role from the list of active session roles.
+ // -----------------------------------------------------
+ public function tgDropActiveRole( $inRequest ) {
+
+ $result = new booleanResponse(); // Return
+ $username = ""; // The username corresponding to the session-ID
+
+
+ $username = $this->rbac->sessionUser( $inRequest->auth );
+
+
+ if( preg_match( "/.+/", $username ) ) {
+
+ $result->result = $this->rbac->dropActiveRole( $username, $inRequest->auth, $inRequest->role );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: tgAssignedRoles
+ // Input: auth / xsd:string
+ // log / xsd:string
+ // username / xsd:string
+ // Output: sid / string
+ // Description
+ // Creates a random string containing characters and
+ // numbers.
+ // -----------------------------------------------------
+ public function tgAssignedRoles( $inRequest ) {
+
+ $result = new rolesetResponse();
+ $arrActiveRole = Array();
+ $arrProject = Array();
+ $arrAllreadyChecked = Array();
+ $connection = false;
+ $i = 0; // Loop
+
+
+ if( preg_match( "/.+/", $inRequest->username )
+ && !preg_match( "/^" . $inRequest->username . "$/i", $this->rbac->sessionUser( $inRequest->auth ) ) ) {
+
+ // The roles of the user
+ $arrRole = $this->rbac->assignedRoles( $inRequest->username );
+
+
+ // Extract the different projects the user is
+ // assigned by his roles.
+ for( $i = 0; $i < sizeof( $arrRole ); $i++ ) {
+
+ $arrSplit = preg_split( "/[,]/", $arrRole[$i] );
+
+ for( $j = 0; $j < sizeof( $arrSplit ); $j++ ) {
+
+ if( preg_match( "/TGPR[0-9]+/i", $arrSplit[$j] )
+ && !in_array( trim( $arrSplit[$j] ), $arrProject ) ) {
+
+ $arrProject[] = trim( $arrSplit[$j] );
+ break;
+
+ }
+
+ }
+
+ }
+
+
+ // For each project the username is in, check if the
+ // session-ID has the right to display the assigned roles.
+ for( $i = 0; $i < sizeof( $arrProject ); $i++ ) {
+
+ if( $this->rbac->checkAccess( $inRequest->auth, "delegate", $arrProject[$i] ) ) {
+
+ for( $j = 0; $j < sizeof( $arrRole ); $j++ ) {
+
+ if( preg_match( "/" . $arrProject[$i] . "/i", $arrRole[$j] ) ) {
+
+ $result->role[] = $arrRole[$j];
+
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+ else {
+
+ $result->role = $this->rbac->assignedRoles( $this->rbac->sessionUser( $inRequest->auth ) );
+
+ }
+
+
+ return $result;
+
+ }
+
+
+
+
+ // -----------------------------------------------------
+ // Function: createSessionID
+ // Input: none
+ // Output: sid / string
+ // Description
+ // Creates a random string containing characters and
+ // numbers.
+ // -----------------------------------------------------
+ private function createSessionID() {
+
+ $sid = ""; // Session-ID
+ $tmp = ""; // Temporaere Session-ID
+
+
+ // Setzen eines Startwerts fuer den Zufallsgenerator
+ mt_srand( (double)microtime() * 1000000 );
+
+
+ // Erzeugen eines Zufallsstrings
+ for( $i = 0; $i < 256; $i++ ) {
+
+ $tmp = chr( mt_rand( 0, 255 ) );
+
+
+ if( preg_match( "/[a-zA-Z0-9]/", $tmp ) ) {
+
+ $sid .= $tmp;
+
+ }
+
+ }
+
+
+ return $sid;
+
+ }
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgReview.class.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgReview.class.php
new file mode 100755
index 0000000..ef0c755
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgReview.class.php
@@ -0,0 +1,606 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 13.11.2007 +// Version: 0.1.6 +// ####################################################### + + +class TgReview { + + // Global variables + protected $rbac; + protected $config; + + + + // ----------------------------------------------------- + // Constructor + // Input: none + // Output: object TgReview + // Description: + // Sets the configuration and creates an instance of + // the RBAC-class. + // ----------------------------------------------------- + public function __construct( $inConfigurationFilename, $inRbacConfFile, $inRbacBase ) { + + $this->rbac = new RBAC( $inRbacConfFile, $inRbacBase ); + + + $this->config = new SimpleConfig( $inConfigurationFilename ); + + } + + + + + // ----------------------------------------------------- + // Function: sessionRoles + // Input: intSid / xsd:string + // sid / xsd:string + // Output: result / array of xsd:string + // Description + // If the internal session has appropriate access the + // function returns a list of all roles that are activ + // for the given session. 
+ // ----------------------------------------------------- + public function sessionRoles( $inRequest ) { + + $arrRoleResult = Array(); // The roles of the session + $result = new rolesetResponse(); // The result + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "review", "session_base" ) ) { + + try { + + $arrRoleResult = $this->rbac->sessionRoles( $inRequest->sid ); + + + $result->role = $arrRoleResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: assignedRoles + // Input: intSid / xsd:string + // username / xsd:string + // Output: result / array of xsd:string + // Description + // If the internal session has appropriate access the + // function returns a list of all roles the user is + // assigned to. + // ----------------------------------------------------- + public function assignedRoles( $inRequest ) { + + $userDomain = ""; // The domain-component of the user + $arrTmpDomain = Array(); // Temporary array + $arrRoleResult = Array(); // The roles of the user + $result = new rolesetResponse(); // The result + + + if( preg_match( "/^.+[@]{1}.+$/", $inRequest->username ) ) { + + $arrTmpDomain = preg_split( "/[@]/", $inRequest->username ); + $userDomain = $arrTmpDomain[1]; + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "review", "user_" . 
$userDomain ) + || $this->rbac->checkAccess( $inRequest->intSid, "review", "user_base" ) ) { + + try { + + $arrRoleResult = $this->rbac->assignedRoles( $inRequest->username ); + + + $result->role = $arrRoleResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + } + else { + + return new SoapFault( "formatFault", + $this->config->getValue( "errorCode", "INVALID_USER_FORMAT" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INVALID_USER_FORMAT" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: assignedUsers + // Input: intSid / xsd:string + // role / xsd:string + // Output: result / array of xsd:string + // Description + // If the internal session has appropriate access the + // function returns a list of all users that are + // assigned to the role. 
+ // ----------------------------------------------------- + public function assignedUsers( $inRequest ) { + + $arrUserResult = Array(); // The users assigned to the role + $result = new usersetResponse(); // The result + + + // Test if the user has apropriate rights to list the users + // that are assigned to the role + if( $this->rbac->checkAccess( $inRequest->intSid, "review", $inRequest->role ) + || $this->rbac->checkAccess( $inRequest->intSid, "review", "role_base" ) ) { + + try { + + $arrUserResult = $this->rbac->assignedUsers( $inRequest->role ); + + + $result->username = $arrUserResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: rolePermissions + // Input: intSid / xsd:string + // role / xsd:string + // Output: result / array of tns:permission + // Description + // If the internal session has appropriate access the + // function returns all permissions a role has. 
+ // ----------------------------------------------------- + public function rolePermissions( $inRequest ) { + + $arrPermission = Array(); // The permissions of the role + $result = new permissionsetResponse(); // The result + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "rolePermissions", "resource_top" ) ) { + + try { + + $arrPermission = $this->rbac->rolePermissions( $inRequest->role ); + $result->permissionset = Array(); + + + for( $i = 0; $i < sizeof( $arrPermission ); $i++ ) { + + array_push( &$result->permissionset, new permission( $arrPermission[$i]['operation'], + $arrPermission[$i]['resource'] ) ); + + } + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: roleOperationsOnObject + // Input: intSid / xsd:string + // role / xsd:string + // resource / xsd:string + // Output: result / array of xsd:string + // Description + // If the internal session has appropriate access the + // function returns all operations a role has on a specific + // resource. 
+ // ----------------------------------------------------- + public function roleOperationsOnObject( $inRequest ) { + + $arrOperation = Array(); // The operations of the role on the given resource + $result = new operationsetResponse(); // The result + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "review", "resource_top" ) ) { + + try { + + $arrOperation = $this->rbac->roleOperationsOnObject( $inRequest->role, $inRequest->resource ); + + + $result->operationset = $arrOperation; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: userOperationsOnObject + // Input: intSid / xsd:string + // user / xsd:string + // resource / xsd:string + // Output: result / array of xsd:string + // Description + // If the internal session has appropriate access the + // function returns all operations a user has on a specific + // resource. 
+ // ----------------------------------------------------- + public function userOperationsOnObject( $inRequest ) { + + $arrOperation = Array(); // The operations of the role on the given resource + $result = new operationsetResponse(); // The result + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "top", "resource_top" ) ) { + + try { + + $arrOperation = $this->rbac->userOperationsOnObject( $inRequest->user, $inRequest->resource ); + + + $result->operationset = $arrOperation; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: userPermissions + // Input: intSid / xsd:string + // username / xsd:string + // Output: result / array of tns:permission + // Description + // If the internal session has appropriate access the + // function returns all permissions a user has by + // beeing assigned to roles. 
+ // ----------------------------------------------------- + public function userPermissions( $inRequest ) { + + $arrPermission = Array(); // The permissions of the user + $result = new permissionsetResponse(); // The result + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "review", "resource_top" ) ) { + + try { + + $arrPermission = $this->rbac->userPermissions( $inRequest->username ); + $result->permissionset = Array(); + + + for( $i = 0; $i < sizeof( $arrPermission ); $i++ ) { + + array_push( &$result->permissionset, new permission( $arrPermission[$i]['operation'], + $arrPermission[$i]['resource'] ) ); + + } + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: sessionPermissions + // Input: intSid / xsd:string + // sid / xsd:string + // Output: result / array of tns:permission + // Description + // If the internal session has appropriate access the + // function returns all permissions a session has + // because of the roles that are active. 
+ // ----------------------------------------------------- + public function sessionPermissions( $inRequest ) { + + $arrPermission = Array(); // The permissions of the user + $result = new permissionsetResponse(); // The result + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "review", "resource_top" ) ) { + + try { + + $arrPermission = $this->rbac->sessionPermissions( $inRequest->sid ); + $result->permissionset = Array(); + + + for( $i = 0; $i < sizeof( $arrPermission ); $i++ ) { + + array_push( &$result->permissionset, new permission( $arrPermission[$i]['operation'], + $arrPermission[$i]['resource'] ) ); + + } + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: authorizedRoles + // Input: intSid / xsd:string + // username / xsd:string + // Output: result / array of xsd:string + // Description + // If the internal session has appropriate access the + // function returns a list of all roles the user is + // authorized for. 
+ // ----------------------------------------------------- + public function authorizedRoles( $inRequest ) { + + $userDomain = ""; // The domain-component of the user + $arrTmpDomain = Array(); // Temporary array + $arrRoleResult = Array(); // The roles of the user + $result = new rolesetResponse(); // The result + + + if( preg_match( "/^.+[@]{1}.+$/", $inRequest->username ) ) { + + $arrTmpDomain = preg_split( "/[@]/", $inRequest->username ); + $userDomain = $arrTmpDomain[1]; + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "review", "user_" . $userDomain ) + || $this->rbac->checkAccess( $inRequest->intSid, "review", "user_base" ) ) { + + try { + + $arrRoleResult = $this->rbac->authorizedRoles( $inRequest->username ); + + + $result->role = $arrRoleResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + } + else { + + return new SoapFault( "formatFault", + $this->config->getValue( "errorCode", "INVALID_USER_FORMAT" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INVALID_USER_FORMAT" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: authorizedUsers + // Input: intSid / xsd:string + // role / xsd:string + // Output: result / array of xsd:string + // Description + // If the internal session has appropriate access the + // function returns a list of all users that are + // authorized for this role. 
+ // ----------------------------------------------------- + public function authorizedUsers( $inRequest ) { + + $arrUserResult = Array(); // The users assigned to the role + $result = new usersetResponse(); // The result + + + // Test if the user has apropriate rights to list the users + // that are authorized to that role + if( $this->rbac->checkAccess( $inRequest->intSid, "review", $inRequest->role ) + || $this->rbac->checkAccess( $inRequest->intSid, "review", "role_base" ) ) { + + try { + + $arrUserResult = $this->rbac->authorizedUsers( $inRequest->role ); + + + $result->username = $arrUserResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $this->rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgSystem.class.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgSystem.class.php new file mode 100755 index 0000000..6157e34 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgSystem.class.php 
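Review bot: `array_push( &$result->permissionset, ... )` in rolePermissions, userPermissions and sessionPermissions uses call-time pass-by-reference, which is a fatal error on PHP 5.4 and later, so these three endpoints stop working on any modern runtime; `$result->permissionset[] = new permission( $arrPermission[$i]['operation'], $arrPermission[$i]['resource'] );` does the same without the reference. In assignedRoles and authorizedRoles the resource for the access check is built as `"user_" . $arrTmpDomain[1]` from `preg_split( "/[@]/", $inRequest->username )`, so a username containing more than one `@` is checked against a middle segment that is not its real domain while the unmodified username is still passed to the RBAC lookup; tightening the format check to `"/^[^@]+@[^@]+$/"` (reusing the existing INVALID_USER_FORMAT fault) keeps the check aligned with the name actually queried. userOperationsOnObject checks the operation `"top"` where every sibling method checks `"review"`; if that is intentional it deserves a comment, since it changes who may enumerate a user's operations.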
@@ -0,0 +1,268 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 17.07.2007 +// Modification date: 09.10.2007 +// Version: 0.2.2 +// ####################################################### + + + +class TgSystem { + + // Global variables + protected $rbac; + protected $config; + + + + // ----------------------------------------------------- + // Constructor + // Input: none + // Output: object RBACcore + // Description: + // Creates initial connections to the LDAP-server and + // sets some configuration parameters. + // ----------------------------------------------------- + public function __construct( $inConfigurationFilename, $inRbacConfFile, $inRbacBase ) { + + $this->rbac = new RBAC( $inRbacConfFile, $inRbacBase ); + + + $this->config = new SimpleConfig( $inConfigurationFilename ); + + } + + + + + // ----------------------------------------------------- + // Function: createSession + // Input: intSid / xsd:string + // username / xsd:string + // roleset / xsd:string + // sid / xsd:string + // Output: result / xsd:boolean + // Description + // Creates a session for a user. But first the user who + // wants to create a session for another user has to + // be authenticated and authorised. + // ----------------------------------------------------- + function createSession( $inRequest ) { + + $arrRole = Array(); // The initial roleset for the new session + $result = new booleanResponse(); // The result of the session-creation + $createSessionResult = false; // The result of the rbac-call + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "session_base" ) ) { + + // Only if there is more than one role given, the soap-engine of + // PHP creates an array! + if( isset( $inRequest->roleset ) ) { + + is_array( $inRequest->roleset ) ? 
$arrRole = $inRequest->roleset : array_push( &$arrRole, $inRequest->roleset ); + + } + + + // Try to create the session + try{ + + $createSessionResult = $this->rbac->createSession( $inRequest->username, $arrRole, $inRequest->sid ); + + $result->result = true; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: deleteSession + // Input: intSid / xsd:string + // username / xsd:string + // sid / xsd:string + // Output: result / xsd:boolean + // Description + // Deletes a user's session. But first the user who + // wants to delte the session for another user has to + // be authenticated and authorised. 
+ // ----------------------------------------------------- + function deleteSession( $inRequest ) { + + $result = new booleanResponse(); // The result of the session-creation + $deleteSessionResult = false; // The result of the rbac-call + + + // Test if the user has apropriate rights + if( $this->rbac->checkAccess( $inRequest->intSid, "administer", "session_base" ) ) { + + // Try to create the session + try{ + + $deleteSessionResult = $this->rbac->deleteSession( $inRequest->username, $inRequest->sid ); + + $result->result = true; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $rbac ), $e->getMessage() ); + + } + + } + else { + + return new SoapFault( "authenticationFault", + $this->config->getValue( "errorCode", "INSUFFICIENT_ACCESS" ), + get_class( $this ), + $this->config->getValue( "errorDescription", "INSUFFICIENT_ACCESS" ) ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: addActiveRole + // Input: intSid / xsd:string + // username / xsd:string + // sid / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Adds an active role to the session. This is + // possible without having authenticated. 
+ // ----------------------------------------------------- + function addActiveRole( $inRequest ) { + + $result = new booleanResponse(); // The result of the session-creation + $addActiveRoleResult = false; // The result of the rbac-call + + + // Try to add the role to the session + try{ + + $addActiveRoleResult = $this->rbac->addActiveRole( $inRequest->username, $inRequest->sid, $inRequest->role ); + + $result->result = true; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $rbac ), $e->getMessage() ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: dropActiveRole + // Input: intSid / xsd:string + // username / xsd:string + // sid / xsd:string + // role / xsd:string + // Output: result / xsd:boolean + // Description + // Adds an active role to the session. This is + // possible without having authenticated. + // ----------------------------------------------------- + function dropActiveRole( $inRequest ) { + + $result = new booleanResponse(); // The result of the session-creation + $dropActiveRoleResult = false; // The result of the rbac-call + + + // Try to add the role to the session + try{ + + $dropActiveRoleResult = $this->rbac->dropActiveRole( $inRequest->username, $inRequest->sid, $inRequest->role ); + + $result->result = true; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $rbac ), $e->getMessage() ); + + } + + + return $result; + + } + + + + + // ----------------------------------------------------- + // Function: checkAccess + // Input: intSid / xsd:string + // sid / xsd:string + // operation / xsd:string + // resource / xsd:string + // Output: result / xsd:boolean + // Description + // Makes the "checkAccess"-call and returns the information + // if the access is granted or denied. 
+ // ----------------------------------------------------- + function checkAccess( $inRequest ) { + + $result = new booleanResponse(); // The result of the session-creation + $checkAccessResult = false; // The result of the rbac-call + + + try { + + $checkAccessResult = $this->rbac->checkAccess( $inRequest->sid, $inRequest->operation, $inRequest->resource ); + + $result->result = $checkAccessResult; + + } + catch( RBACException $e ) { + + return new SoapFault( "rbacFault", $e->getCode(), get_class( $rbac ), $e->getMessage() ); + + } + + + return $result; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/XACML.class.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/XACML.class.php new file mode 100755 index 0000000..d638b82 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/XACML.class.php 
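Review bot: The catch blocks in createSession, deleteSession, addActiveRole, dropActiveRole and checkAccess call `get_class( $rbac )` on a variable that is never defined in these methods, so the fault construction itself raises a notice and reports an empty actor; it should read `get_class( $this->rbac )` as in the TgReview class in this commit. `array_push( &$arrRole, $inRequest->roleset )` in createSession uses call-time pass-by-reference, a fatal error since PHP 5.4; `$arrRole[] = $inRequest->roleset;` is the equivalent. createSession and deleteSession capture the RBAC return value in `$createSessionResult` / `$deleteSessionResult` but then set `$result->result = true;` unconditionally, so if the underlying call reports failure by returning false rather than throwing, the caller is told the session was created or deleted; `$result->result = $createSessionResult;` would be safe unless RBAC is guaranteed to throw, which is not visible here. addActiveRole, dropActiveRole and checkAccess list `intSid` in their headers but never read it, which matches the "possible without having authenticated" comment, so it may be deliberate, but the unused input should be documented as such or removed from the WSDL.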
@@ -0,0 +1,122 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 17.07.2007 +// Modification date: 01.11.2007 +// Version: 0.1.3 +// ####################################################### + + + +class XACML { + + // Global variables + protected $rbac; + protected $config; + protected $connection; + + + + // ----------------------------------------------------- + // Constructor + // Input: none + // Output: object RBACcore + // Description: + // Creates initial connections to the LDAP-server and + // sets some configuration parameters. + // ----------------------------------------------------- + public function __construct( $inConfigurationFilename, $inRbacConfFile, $inRbacBase ) { + + $this->rbac = new RBAC( $inRbacConfFile, $inRbacBase ); + + + $this->config = new SimpleConfig( $inConfigurationFilename ); + + } + + + + + // ----------------------------------------------------- + // Function: checkXACMLaccess + // Input: auth / xsd:string + // log / xsd:string + // username / xsd:string + // Output: result / xsd:boolean + // Description + // Checks if a given user exists in the LDAP directory. 
+ // ----------------------------------------------------- + function checkXACMLaccess( $inRequest ) { + + $version = false; // The version of the XACML-SAML-Request + $result = new stdClass(); // The response + + + $version = $inRequest->Version; + $id = $inRequest->ID; + + + if( preg_match( "/^2\.0$/", $version ) ) { + + $result->Version = "2.0"; + $result->ID = $id; + + $result->Response = new stdClass(); + $result->Response->Result = new stdClass(); + + + try { + + if( $this->rbac->checkAccess( $inRequest->Request->Subject->Attribute->AttributeValue->any, + $inRequest->Request->Action->Attribute->AttributeValue->any, + $inRequest->Request->Resource->Attribute->AttributeValue->any ) ) { + + $result->Response->Result->Decision = "Permit"; + + } + else { + + $result->Response->Result->Decision = "Deny"; + + } + + } + catch( Exception $e ) { + + $result->Response->Result->Decision = "NotApplicable"; + + } + + + + // Return the request if the flag is set to TRUE + if( $inRequest->ReturnContext ) { + + $result->Request = new stdClass(); + + isset( $inRequest->Request->Subject ) ? $result->Request->Subject = $inRequest->Request->Subject + : $result->Request->Subject = new sdtClass(); + + + isset( $inRequest->Request->Resource ) ? $result->Request->Resource = $inRequest->Request->Resource + : $result->Request->Resource = new stdClass(); + + + isset( $inRequest->Request->Action ) ? $result->Request->Action = $inRequest->Request->Action + : $result->Request->Action = new stdClass(); + + + isset( $inRequest->Request->Environment ) ? $result->Request->Environment = $inRequest->Request->Environment + : $result->Request->Environment = new stdClass(); + + } + + } + + + return $result; + + } + +} +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addAscendant.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addAscendant.php new file mode 100755 index 0000000..9f71537 --- /dev/null 
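Review bot: `new sdtClass()` in the ReturnContext branch is a typo for `stdClass`, so any request with ReturnContext set and no Subject fails with an undefined-class fatal error instead of returning a decision; the three sibling assignments already spell it `stdClass`. The `catch( Exception $e )` maps every failure — an invalid session, a missing attribute, a directory error — to `"NotApplicable"`, but in XACML 2.0 that value means "no policy applies" while an evaluation error is `"Indeterminate"`; returning `"Indeterminate"` there keeps a relying party from reading an outage as a policy decision. The nested reads `$inRequest->Request->Subject->Attribute->AttributeValue->any` (and the Action and Resource equivalents) are unguarded, so a request missing any of those elements passes null into checkAccess after a notice; checking the three values with `isset()` before the try and returning Indeterminate when absent would make that explicit. When Version is not "2.0" the method returns an empty stdClass with no Decision, which the caller cannot distinguish from a malformed response.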
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addAscendant.php 
@@ -0,0 +1,119 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.10.2007 +// Modification date: 18.10.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can add a user you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can try to add an +// inheritance +// ----------------------------------------------------- +$addAscReq = new addAscendantRequest(); +$addAscReq->intSid = $authResponse->sid; +$addAscReq->ascendant = "Testrolle"; +$addAscReq->descendant = "Anwendung"; + +echo "<HR/>"; +echo "Adding ascendant...<BR/>"; + +try { + + $addAscResponse = $soapAdministration->addAscendant( $addAscReq ); + + if( $addAscResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addDescendant.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addDescendant.php new file mode 100755 index 0000000..ce53a92 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addDescendant.php 
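Review bot: The example continues after a failed authentication: if `$soapExtra->authenticate` throws, `$authResponse` is never assigned, yet `$authResponse->sid` is still read to build the addActiveRole and addAscendant requests, so the later calls run with an empty session ID and the output mixes a fault message with "DONE" lines; an `exit;` at the end of the first catch block makes the example fail early. The same pattern is in addDescendant.php and addInheritance.php. `echo "<BODY><HTML>"` opens the two tags in the wrong order. Because the script echoes `$authResponse->sid` and the server-supplied `$f->detail` straight into HTML, anyone adapting it into a real page should pass those values through `htmlspecialchars`.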
@@ -0,0 +1,119 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.10.2007 +// Modification date: 18.10.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can add a user you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can try to add an +// inheritance +// ----------------------------------------------------- +$addDescReq = new addDescendantRequest(); +$addDescReq->intSid = $authResponse->sid; +$addDescReq->ascendant = "Anwendung"; +$addDescReq->descendant = "Testrolle"; + +echo "<HR/>"; +echo "Adding descendant...<BR/>"; + +try { + + $addDescResponse = $soapAdministration->addDescendant( $addDescReq ); + + if( $addDescResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addInheritance.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addInheritance.php new file mode 100755 index 0000000..1901a91 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addInheritance.php 
@@ -0,0 +1,119 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 04.10.2007
+// Modification date: 04.10.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can add a user you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you can try to add an
+// inheritance
+// -----------------------------------------------------
+$addInhReq = new addInheritanceRequest();
+$addInhReq->intSid = $authResponse->sid;
+$addInhReq->ascendant = "Anwendung";
+$addInhReq->descendant = "Testrolle";
+
+echo "<HR/>";
+echo "Adding inheritance...<BR/>";
+
+try {
+
+ $addInhResponse = $soapAdministration->addInheritance( $addInhReq );
+
+ if( $addInhResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addMember.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addMember.php
new file mode 100755
index 0000000..817cb1e
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addMember.php
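Review bot: The comment block above `$authReq` still reads "Before you can add a user you have to authenticate", copied from the addUser example, although this script adds a role inheritance; `// Before you can add an inheritance you have to` describes the step. `echo "<BODY><HTML>";` opens the two elements in reverse order, so the document never matches the `echo "</BODY></HTML>";` emitted at the end; `echo "<HTML><BODY>";` fixes it, and the same reversed pair appears in every example file of this commit.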
@@ -0,0 +1,75 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.03.2008
+// Modification date: 18.03.2008
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+
+if( isset( $_POST['auth'] ) ) {
+
+ // -----------------------------------------------------
+ // If this was successfull you can add a the user you
+ // wish to create
+ // -----------------------------------------------------
+ $regReq = new addMemberRequest();
+ $regReq->auth = $_POST['auth'];
+ $regReq->log = "";
+ $regReq->role = $_POST['role'];
+ $regReq->username = $_POST['username'];
+
+
+ echo "<HR/>";
+ echo "Adding member...<BR/>";
+
+ try {
+
+ $addMemberResponse = $soapExtra->addMember( $regReq );
+
+ if( $addMemberResponse->result ) {
+
+ echo "DONE.<BR>";
+
+ }
+ else {
+
+ echo "UNABLE to commit!<BR>";
+
+ }
+
+ }
+ catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+ }
+
+}
+
+
+echo "<FORM action=\"addMember.php\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n";
+echo "Rolle: <INPUT type=\"text\" name=\"role\" value=\"\"><BR>\n";
+echo "Benutzer (eppn): <INPUT type=\"text\" name=\"username\" value=\"\"><BR>\n";
+echo "<INPUT type=\"submit\" value=\"Commit...\">\n";
+echo "</FORM>\n";
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addRole.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addRole.php
new file mode 100755
index 0000000..53db207
--- /dev/null
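Review bot: Only `$_POST['auth']` is checked with `isset`, while `$_POST['role']` and `$_POST['username']` are read unconditionally on the `$regReq` lines, so a form post missing either field raises an undefined-index notice and sends an empty value to `addMember`; extend the guard to `if( isset( $_POST['auth'], $_POST['role'], $_POST['username'] ) ) {`. The fault strings returned by the service are written back into the HTML response unescaped on the `echo "SOAP FAULT!..."` line; `htmlspecialchars( $f->faultstring, ENT_QUOTES )` is the usual guard for a page whose output is driven by request data. `enctype="multipart/form-data"` on the `<FORM>` is unnecessary for three text inputs; the default form encoding is sufficient.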
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addRole.php 
@@ -0,0 +1,118 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 06.08.2007
+// Modification date: 06.08.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a role you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you can add a the role you
+// wish to create
+// -----------------------------------------------------
+$addRoleReq = new addRoleRequest();
+$addRoleReq->intSid = $authResponse->sid;
+$addRoleReq->role = "TGPR2,Projekt-Teilnehmer";
+
+echo "<HR/>";
+echo "Adding role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapAdministration->addRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addUser.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addUser.php
new file mode 100755
index 0000000..b3c86ca
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/addUser.php
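Review bot: `$addRoleReq` and `$addRoleResponse` are reused for two different request types: first the `addActiveRoleRequest` sent to `$soapSystem->addActiveRole`, then the `addRoleRequest` sent to `$soapAdministration->addRole`, so the second assignment silently discards the first request and its response before a reader can inspect them. Distinct names such as `$addActiveRoleReq` / `$addActiveRoleResponse` for the session step, leaving `$addRoleReq` for the role creation, make the two `DONE.` outputs traceable. The literal `"TGPR2,Projekt-Teilnehmer"` is the only place the compound role format appears in this example; a one-line comment on how the project part and the role name are separated would help readers, if that format is confirmed by the service's documentation.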
@@ -0,0 +1,120 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.07.2007
+// Modification date: 18.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgsystem.wsdl" );
+$soapAdministration = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgadministration.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can add a user you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you can add a the user you
+// wish to create
+// -----------------------------------------------------
+$addUserReq = new addUserRequest();
+$addUserReq->intSid = $authResponse->sid;
+//$addUserReq->username = "mwidmer@uni-tuebingen.de";
+$addUserReq->username = "ShibConnector@application.int";
+$addUserReq->password = "secret";
+
+echo "<HR/>";
+echo "Adding user...<BR/>";
+
+try {
+
+ $addUserResponse = $soapAdministration->addUser( $addUserReq );
+
+ if( $addUserResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignUser.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignUser.php
new file mode 100755
index 0000000..c4aa257
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignUser.php
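Review bot: The `$addUserReq->password = "secret";` line creates the `ShibConnector@application.int` service account with a literal password that is checked into the repository, and the same literal is reused as the administrator password for `sp00001@textgrid.de` further up; an example should take the value from a clearly marked placeholder or an environment variable so that a copied script does not provision an account with a known credential. The commented-out `//$addUserReq->username = "mwidmer@uni-tuebingen.de";` line is dead code and should be removed. The comment "you can add a the user you wish to create" has a stray "a".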
@@ -0,0 +1,119 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.07.2007
+// Modification date: 18.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can add a user you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you can add a the user you
+// wish to create
+// -----------------------------------------------------
+$assUserReq = new assignUserRequest();
+$assUserReq->intSid = $authResponse->sid;
+$assUserReq->username = "mwidmer@uni-tuebingen.de";
+$assUserReq->role = "Anwendung";
+
+echo "<HR/>";
+echo "Assining user mwidmer@uni-tuebingen.de to role Anwendung...<BR/>";
+
+try {
+
+ $assUserResponse = $soapAdministration->assignUser( $assUserReq );
+
+ if( $assUserResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignedRoles.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignedRoles.php
new file mode 100755
index 0000000..81d5bff
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignedRoles.php
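Review bot: The output line `echo "Assining user mwidmer@uni-tuebingen.de to role Anwendung...<BR/>";` misspells "Assigning" and repeats the user and role literals by hand instead of interpolating `$assUserReq->username` and `$assUserReq->role`, so the message and the request will drift apart when the example is edited; `echo "Assigning user " . $assUserReq->username . " to role " . $assUserReq->role . "...<BR/>";` keeps them in step. The comment block above `$assUserReq` still says "you can add a the user you wish to create", copied from addUser; `// If this was successful you can assign the user to a role` describes this step.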
@@ -0,0 +1,128 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 23.07.2007
+// Modification date: 23.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you have to add a apropriate
+// role to your active session that allows you to create
+// a session for someone else.
+// -----------------------------------------------------
+$arReq = new assignedRolesRequest();
+$arReq->intSid = $authResponse->sid;
+$arReq->username = "mhaase@uni-tuebingen.de";
+
+echo "<HR/>";
+echo "The roles of mhaase@uni-tuebingen.de...<BR/>";
+
+try {
+
+ $rolesetResponse = $soapReview->assignedRoles( $arReq );
+
+ if( is_array( $rolesetResponse->role ) ) {
+
+ for( $i = 0; $i < sizeof( $rolesetResponse->role ); $i++ ) {
+
+ echo "Role " . $i . ": " . $rolesetResponse->role[$i] . "<BR/>";
+
+ }
+
+ }
+ else {
+
+ echo "Role 0: " . $rolesetResponse->role . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignedUsers.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignedUsers.php
new file mode 100755
index 0000000..88907ed
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/assignedUsers.php
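Review bot: The `else` branch after `is_array( $rolesetResponse->role )` prints `Role 0:` followed by `$rolesetResponse->role` even when the property is absent or null, so a user with no assigned roles is reported as having one empty role; `elseif( isset( $rolesetResponse->role ) )` with a final `else { echo "No roles.<BR/>"; }` separates the two cases, and the assignedUsers, authorizedRoles and authorizedUsers hunks have the same branch. The indexed `for` loop over `sizeof( $rolesetResponse->role )` assumes a zero-based list; `foreach( $rolesetResponse->role as $i => $role )` reads the same elements without that assumption. The comment block above `$arReq` about adding a role "that allows you to create a session for someone else" is copied from createSession and does not describe a role query; the same three sibling hunks carry the same stale comment.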
@@ -0,0 +1,128 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 23.07.2007
+// Modification date: 23.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you have to add a apropriate
+// role to your active session that allows you to create
+// a session for someone else.
+// -----------------------------------------------------
+$auReq = new assignedUsersRequest();
+$auReq->intSid = $authResponse->sid;
+$auReq->role = "Projekt-1,Projekt-Teilnehmer";
+
+echo "<HR/>";
+echo "The assigned users for role serviceProvider...<BR/>";
+
+try {
+
+ $usersetResponse = $soapReview->assignedUsers( $auReq );
+
+ if( is_array( $usersetResponse->username ) ) {
+
+ for( $i = 0; $i < sizeof( $usersetResponse->username ); $i++ ) {
+
+ echo "User " . $i . ": " . $usersetResponse->username[$i] . "<BR/>";
+
+ }
+
+ }
+ else {
+
+ echo "User 0: " . $usersetResponse->username . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/authorizedRoles.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/authorizedRoles.php
new file mode 100755
index 0000000..a3efbc2
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/authorizedRoles.php
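Review bot: The heading `echo "The assigned users for role serviceProvider...<BR/>";` names a different role than the one actually queried on the line above it, `$auReq->role = "Projekt-1,Projekt-Teilnehmer";`, so the page reports users for the wrong role; interpolating the request value, `echo "The assigned users for role " . $auReq->role . "...<BR/>";`, keeps the output truthful. The authorizedUsers hunk does interpolate the role literal by hand and would benefit from the same change for consistency.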
@@ -0,0 +1,133 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.10.2007
+// Modification date: 18.10.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgsystem.wsdl" );
+$soapReview = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgreview.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "shibconnector@application.int";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]+/i", $authResponse->auth ) ) {
+
+ echo "DONE: " . $authResponse->auth . "<BR/>";
+
+ }
+ else {
+
+ echo "FAILED!: " . serialize( $authResponse ) . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "shibconnector@application.int";
+$addRoleReq->role = "sessionCreator,Anwendung";
+$addRoleReq->auth = $authResponse->auth;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapExtra->tgAddActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you have to add a apropriate
+// role to your active session that allows you to create
+// a session for someone else.
+// -----------------------------------------------------
+$arReq = new authorizedRolesRequest();
+$arReq->intSid = $authResponse->auth;
+$arReq->username = "testuser@textgrid.de";
+
+echo "<HR/>";
+echo "The roles of testuser@textgrid.de...<BR/>";
+
+try {
+
+ $rolesetResponse = $soapReview->authorizedRoles( $arReq );
+
+ if( is_array( $rolesetResponse->role ) ) {
+
+ for( $i = 0; $i < sizeof( $rolesetResponse->role ); $i++ ) {
+
+ echo "Role " . $i . ": " . $rolesetResponse->role[$i] . "<BR/>";
+
+ }
+
+ }
+ else {
+
+ echo "Role 0: " . $rolesetResponse->role . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/authorizedUsers.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/authorizedUsers.php
new file mode 100755
index 0000000..7b1943f
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/authorizedUsers.php
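Review bot: The failure branch `echo "FAILED!: " . serialize( $authResponse ) . "<BR/>";` dumps the whole authenticate response object into the page; if the service ever returns more than the `auth` field, everything in it is shown to whoever loads the example, so print only what the script checks, e.g. `echo "FAILED!<BR/>";`. `$soapSystem` is constructed from `tgsystem.wsdl` but never used, since the active role is added through `$soapExtra->tgAddActiveRole`; the unused client costs a WSDL fetch on every run and can be dropped. This file switches to `$authResponse->auth` and `$addRoleReq->auth` while the sibling examples use `->sid`; a one-line comment stating which field name the current WSDL exposes would save readers from guessing which variant is live.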
@@ -0,0 +1,128 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.10.2007
+// Modification date: 18.10.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you have to add a apropriate
+// role to your active session that allows you to create
+// a session for someone else.
+// -----------------------------------------------------
+$auReq = new authorizedUsersRequest();
+$auReq->intSid = $authResponse->sid;
+$auReq->role = "Projekt-1,Projekt-Teilnehmer";
+
+echo "<HR/>";
+echo "The authorized users for role Projekt-1,Projekt-Teilnehmer...<BR/>";
+
+try {
+
+ $usersetResponse = $soapReview->authorizedUsers( $auReq );
+
+ if( is_array( $usersetResponse->username ) ) {
+
+ for( $i = 0; $i < sizeof( $usersetResponse->username ); $i++ ) {
+
+ echo "User " . $i . ": " . $usersetResponse->username[$i] . "<BR/>";
+
+ }
+
+ }
+ else {
+
+ echo "User 0: " . $usersetResponse->username . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/checkAccess.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/checkAccess.php
new file mode 100755
index 0000000..861b656
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/checkAccess.php
@@ -0,0 +1,75 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.07.2007
+// Modification date: 18.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgsystem.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+
+if( isset( $_POST['sid'] ) ) {
+
+ // -----------------------------------------------------
+ // If this was successfull you can add a the user you
+ // wish to create
+ // -----------------------------------------------------
+ $regReq = new registerResourceRequest();
+ $regReq->intSid = "";
+ $regReq->sid = $_POST['sid'];
+ $regReq->resource = $_POST['resource'];
+ $regReq->operation = $_POST['operation'];
+
+
+ echo "<HR/>";
+ echo "Checking access...<BR/>";
+
+ try {
+
+ $checkResponse = $soapSystem->checkAccess( $regReq );
+
+ if( $checkResponse->result ) {
+
+ echo "YES.<BR>";
+
+ }
+ else {
+
+ echo "NO<BR>";
+
+ }
+
+ }
+ catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+ }
+
+}
+
+
+echo "<FORM action=\"checkAccess.php\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "SID: <INPUT type=\"text\" name=\"sid\" value=\"\"><BR>\n";
+echo "Operation: <INPUT type=\"text\" name=\"operation\" value=\"\"><BR>\n";
+echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n";
+echo "<INPUT type=\"submit\" value=\"Commit...\">\n";
+echo "</FORM>\n";
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/createProject.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/createProject.php
new file mode 100755
index 0000000..7392c1d
--- /dev/null
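Review bot: The request passed to `$soapSystem->checkAccess` is built as `new registerResourceRequest()`, which by its name is the payload of a different operation, and the `$regReq->intSid = "";` line suggests the fields were copied rather than chosen for this call; unless `soapTypes.inc.php` (outside this diff) provides no dedicated check-access type, the local should be the matching request class — confirm against the WSDL. `$_POST['resource']` and `$_POST['operation']` are read without the `isset` guard applied to `$_POST['sid']`, so a partial form post raises notices and asks the service about an empty resource; extend the guard to `if( isset( $_POST['sid'], $_POST['resource'], $_POST['operation'] ) ) {`. The comment "you can add a the user you wish to create" above `$regReq` is copied from addUser and does not describe an access check.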
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/createProject.php
@@ -0,0 +1,73 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.07.2007
+// Modification date: 18.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+
+if( isset( $_POST['auth'] ) ) {
+
+ // -----------------------------------------------------
+ // If this was successfull you can add a the user you
+ // wish to create
+ // -----------------------------------------------------
+ $creReq = new createProjectRequest();
+ $creReq->auth = $_POST['auth'];
+ $creReq->log = "";
+ $creReq->description = $_POST['description'];
+
+
+ echo "<HR/>";
+ echo "Creating project...<BR/>";
+
+ try {
+
+ $creResponse = $soapExtra->createProject( $creReq );
+
+ if( $creResponse->projectId ) {
+
+ echo "DONE: " . $creResponse->projectId . "<BR>";
+
+ }
+ else {
+
+ echo "UNABLE to create new project!<BR>";
+
+ }
+
+ }
+ catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+ }
+
+}
+
+
+echo "<FORM action=\"createProject.php\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n";
+echo "Project-description: <INPUT type=\"text\" name=\"description\" value=\"\"><BR>\n";
+echo "<INPUT type=\"submit\" value=\"Commit...\">\n";
+echo "</FORM>\n";
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/createSession.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/createSession.php
new file mode 100755
index 0000000..efd6341
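Review bot: `if( $creResponse->projectId )` tests the returned id for truthiness, so an id of `0` or `"0"` — whichever type the service returns — is reported as "UNABLE to create new project!" although creation succeeded; `if( isset( $creResponse->projectId ) && $creResponse->projectId !== "" )` checks for presence instead. `$_POST['description']` is read without the `isset` guard that protects `$_POST['auth']` two lines above, and the returned `projectId` is echoed into the HTML unescaped; `htmlspecialchars()` around it keeps the page safe when the id is not purely numeric.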
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/createSession.php
@@ -0,0 +1,120 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 08.07.2007
+// Modification date: 02.08.2007
+// Version: 0.1.2
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "shibConnector@application.int";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "shibConnector@application.int";
+$addRoleReq->role = "sessionCreator,Anwendung";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you have to add a apropriate
+// role to your active session that allows you to create
+// a session for someone else.
+// -----------------------------------------------------
+$creReq = new createSessionRequest();
+$creReq->intSid = $authResponse->sid;
+$creReq->username = "mhaase@uni-tuebingen.de";
+$creReq->roleset = Array( "Projekt-Teilnehmer" );
+$creReq->sid = "ABcDEFG";
+
+echo "<HR/>";
+echo "Creating the session...<BR/>";
+
+try {
+
+ $creResponse = $soapSystem->createSession( $creReq );
+
+ if( $creResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deactivateProject.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deactivateProject.php
new file mode 100755
index 0000000..3085575
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deactivateProject.php
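Review bot: `$authResponse` is dereferenced on the addActiveRole and createSession request lines even when authenticate() threw or the sid regex did not match, because the catch block only prints and the script runs on with an undefined variable and an empty sid; terminate in those branches, e.g. `catch( SoapFault $f ) { echo "SOAP FAULT!: " . $f->faultstring; exit; }` plus an `else { exit; }` after the preg_match. The same pattern is in deassignUser, deleteInheritance, deleteRole, deleteSession, deleteUser, dropActiveRole and filterBySid. This script also carries a literal password and talks to plain `http://` WSDL endpoints, so credentials and session ids cross the network unprotected; even for an example, load them from a config file outside the web root and point at https endpoints. `$creReq->sid = "ABcDEFG";` hands the new user a fixed, guessable session id, and any caller-supplied sid should instead come from a cryptographic random source.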
@@ -0,0 +1,73 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 08.04.2008
+// Modification date: 08.04.2008
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+
+if( isset( $_POST['auth'] ) ) {
+
+ // -----------------------------------------------------
+ // If this was successfull you can add a the user you
+ // wish to create
+ // -----------------------------------------------------
+ $deaReq = new deactivateProjectRequest();
+ $deaReq->auth = $_POST['auth'];
+ $deaReq->log = "";
+ $deaReq->project = $_POST['project'];
+
+
+ echo "<HR/>";
+ echo "Deactivating project...<BR/>";
+
+ try {
+
+ $response = $soapExtra->deactivateProject( $deaReq );
+
+ if( $response->result ) {
+
+ echo "DONE";
+
+ }
+ else {
+
+ echo "UNABLE TO COMMIT...";
+
+ }
+
+ }
+ catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+ }
+
+}
+
+
+echo "<FORM action=\"deactivateProject.php\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n";
+echo "Project: <INPUT type=\"text\" name=\"project\" value=\"\"><BR>\n";
+echo "<INPUT type=\"submit\" value=\"Commit...\">\n";
+echo "</FORM>\n";
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deassignUser.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deassignUser.php
new file mode 100755
index 0000000..e60f303
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deassignUser.php
@@ -0,0 +1,119 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 08.08.2007
+// Modification date: 08.08.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a role you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you can deassign a user from a
+// role.
+// -----------------------------------------------------
+$deassUserReq = new deassignUserRequest();
+$deassUserReq->intSid = $authResponse->sid;
+$deassUserReq->username = "mwidmer@uni-tuebingen.de";
+$deassUserReq->role = "testRole";
+
+echo "<HR/>";
+echo "Assigning user to role...<BR/>";
+
+try {
+
+ $deassUserResponse = $soapAdministration->deassignUser( $deassUserReq );
+
+ if( $deassUserResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteInheritance.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteInheritance.php
new file mode 100755
index 0000000..52dcd28
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteInheritance.php
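Review bot: The progress line before the deassignUser call reads `echo "Assigning user to role...<BR/>";`, which states the opposite of what the request does; `echo "Deassigning user from role...<BR/>";` matches the operation. The comment above the authentication block ("Before you can create a role you have to") is likewise carried over from another example and should name this script's step.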
@@ -0,0 +1,119 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 04.10.2007
+// Modification date: 04.10.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can add a user you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you can try to delete an
+// inheritance
+// -----------------------------------------------------
+$delInhReq = new deleteInheritanceRequest();
+$delInhReq->intSid = $authResponse->sid;
+$delInhReq->ascendant = "Anwendung,Testrolle";
+$delInhReq->descendant = "Testrolle";
+
+echo "<HR/>";
+echo "Deleting inheritance...<BR/>";
+
+try {
+
+ $delInhResponse = $soapAdministration->deleteInheritance( $delInhReq );
+
+ if( $delInhResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteMember.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteMember.php
new file mode 100755
index 0000000..c346a5a
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteMember.php
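Review bot: The comment above the authentication block says "Before you can add a user you have to", copied from another example; `// Before you can delete an inheritance you have to` fits this script. The ascendant value `"Anwendung,Testrolle"` uses a comma-joined notation that no other example explains, while the descendant is a bare name; a one-line comment stating what that notation denotes (presumably a role path) would spare readers guessing from the example.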
@@ -0,0 +1,75 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.03.2008
+// Modification date: 18.03.2008
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+
+if( isset( $_POST['auth'] ) ) {
+
+ // -----------------------------------------------------
+ // If this was successfull you can add a the user you
+ // wish to create
+ // -----------------------------------------------------
+ $regReq = new deleteMemberRequest();
+ $regReq->auth = $_POST['auth'];
+ $regReq->log = "";
+ $regReq->role = $_POST['role'];
+ $regReq->username = $_POST['username'];
+
+
+ echo "<HR/>";
+ echo "Removing member...<BR/>";
+
+ try {
+
+ $addMemberResponse = $soapExtra->deleteMember( $regReq );
+
+ if( $addMemberResponse->result ) {
+
+ echo "DONE.<BR>";
+
+ }
+ else {
+
+ echo "UNABLE to commit!<BR>";
+
+ }
+
+ }
+ catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+ }
+
+}
+
+
+echo "<FORM action=\"deleteMember.php\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n";
+echo "Rolle: <INPUT type=\"text\" name=\"role\" value=\"\"><BR>\n";
+echo "Benutzer (eppn): <INPUT type=\"text\" name=\"username\" value=\"\"><BR>\n";
+echo "<INPUT type=\"submit\" value=\"Commit...\">\n";
+echo "</FORM>\n";
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteRole.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteRole.php
new file mode 100755
index 0000000..1c38bc1
--- /dev/null
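Review bot: The response of the deleteMember call is stored in `$addMemberResponse` and the request in `$regReq`, names inherited from the add/register examples that now describe the opposite operation; `$delMemberResponse` and `$delReq` would read correctly. The comment above the request block ("you can add a the user you wish to create") is stale for the same reason, and the form labels mix German (`Rolle`, `Benutzer (eppn)`) with the English labels the sibling examples use.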
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteRole.php
@@ -0,0 +1,117 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 06.08.2007
+// Modification date: 06.08.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a role you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you can delete the role
+// -----------------------------------------------------
+$delRoleReq = new deleteRoleRequest();
+$delRoleReq->intSid = $authResponse->sid;
+$delRoleReq->role = "testRole";
+
+echo "<HR/>";
+echo "Deleting role...<BR/>";
+
+try {
+
+ $delRoleResponse = $soapAdministration->deleteRole( $delRoleReq );
+
+ if( $delRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteSession.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteSession.php
new file mode 100755
index 0000000..e21def9
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteSession.php
@@ -0,0 +1,119 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 01.08.2007
+// Modification date: 01.08.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "rbacName=serviceProvider,ou=roles,ou=rbac,dc=rbac,dc=de";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you have to add a apropriate
+// role to your active session that allows you to create
+// a session for someone else.
+// -----------------------------------------------------
+$delReq = new deleteSessionRequest();
+$delReq->intSid = $authResponse->sid;
+$delReq->username = "mhaase@uni-tuebingen.de";
+$delReq->sid = "ABcDEFG";
+
+echo "<HR/>";
+echo "Deleting the session...<BR/>";
+
+try {
+
+ $delResponse = $soapSystem->deleteSession( $delReq );
+
+ if( $delResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteUser.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteUser.php
new file mode 100755
index 0000000..bf350a7
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/deleteUser.php
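Review bot: The comment above the deleteSessionRequest block ("you have to add a apropriate role to your active session that allows you to create a session for someone else") is copied from createSession and describes the wrong step; `// If this was successful you can delete the session you created for someone else.` matches the call below it. The same stale comment sits above the request block in deleteUser. The active role is passed here as a full DN, `rbacName=serviceProvider,ou=roles,ou=rbac,dc=rbac,dc=de`, whereas every other example passes the bare name `serviceProvider`; if both forms are accepted by addActiveRole the example should say so in a comment, otherwise one of the two is wrong.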
@@ -0,0 +1,119 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.07.2007
+// Modification date: 18.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you have to add a apropriate
+// role to your active session that allows you to create
+// a session for someone else.
+// -----------------------------------------------------
+$delUserReq = new deleteUserRequest();
+$delUserReq->intSid = $authResponse->sid;
+$delUserReq->username = "mwidmer@uni-tuebingen.de";
+
+echo "<HR/>";
+echo "Removing user...<BR/>";
+
+try {
+
+ $delUserResponse = $soapAdministration->deleteUser( $delUserReq );
+
+ if( $delUserResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/dropActiveRole.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/dropActiveRole.php
new file mode 100755
index 0000000..b3c1cd0
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/dropActiveRole.php
@@ -0,0 +1,116 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 08.07.2007
+// Modification date: 17.07.2007
+// Version: 0.1.1
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// Now you can try to drop the active role from your session
+// -----------------------------------------------------
+$dropRoleReq = new addActiveRoleRequest();
+$dropRoleReq->username = "sp00001@textgrid.de";
+$dropRoleReq->role = "serviceProvider";
+$dropRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Dropping active role...<BR/>";
+
+try {
+
+ $dropRoleResponse = $soapSystem->dropActiveRole( $dropRoleReq );
+
+ if( $dropRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/filterBySid.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/filterBySid.php
new file mode 100755
index 0000000..6936133
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/filterBySid.php
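Review bot: The request for dropActiveRole is built as `$dropRoleReq = new addActiveRoleRequest();`; soapTypes.inc.php is not in this hunk, but the naming convention of every other example suggests it declares a `dropActiveRoleRequest` type, and the add-request type only works here if the two happen to carry the same fields. Use `$dropRoleReq = new dropActiveRoleRequest();` (or whatever type the WSDL binds to dropActiveRole) so the example does not teach callers to rely on that coincidence.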
@@ -0,0 +1,128 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 23.10.2007
+// Modification date: 23.10.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" );
+$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// Before you can create a session you have to
+// authenticate. If this was successful you get a
+// session-ID that you should keep
+// -----------------------------------------------------
+$authReq = new authenticateRequest();
+$authReq->username = "sp00001@textgrid.de";
+$authReq->password = "secret";
+
+
+echo "<HR/>";
+echo "Doing authentication...<BR/>";
+
+try {
+
+ $authResponse = $soapExtra->authenticate( $authReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) {
+
+ echo "DONE: " . $authResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+
+// -----------------------------------------------------
+// Now you can try to add an active role to your session
+// -----------------------------------------------------
+$addRoleReq = new addActiveRoleRequest();
+$addRoleReq->username = "sp00001@textgrid.de";
+$addRoleReq->role = "serviceProvider";
+$addRoleReq->sid = $authResponse->sid;
+
+echo "<HR/>";
+echo "Adding active role...<BR/>";
+
+try {
+
+ $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+
+ echo "DONE.<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+// -----------------------------------------------------
+// If this was successfull you can ask the RBAC-system
+// form the operations a role may do on a resource.
+// -----------------------------------------------------
+$filterReq = new filterBySidRequest();
+$filterReq->intSid = $authResponse->sid;
+$filterReq->sid = "ABcDEFG";
+$filterReq->resource = Array( "ingrid.daasi.de//demo/tg-demo.xml", "ingrid.daasi.de//demo/inhaltsverzeichnis.doc" );
+$filterReq->operation = "read";
+
+echo "<HR/>";
+echo "Filter on resources ingrid.daasi.de//demo/tg-demo.xml...<BR/>";
+
+try {
+
+ $filterResponse = $soapExtra->filterBySid( $filterReq );
+
+ if( is_array( $filterResponse->resource ) ) {
+
+ for( $i = 0; $i < sizeof( $filterResponse->resource ); $i++ ) {
+
+ echo "Resource " . $i . ": " . $filterResponse->resource[$i] . "<BR/>";
+
+ }
+
+ }
+ else {
+
+ echo "Resource 0: " . $filterResponse->resource . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getAllProjects.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getAllProjects.php
new file mode 100755
index 0000000..a389b87
--- /dev/null
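Review bot: When the service permits none of the requested resources, `$filterResponse->resource` is neither an array nor a non-empty string, yet the else branch still prints `Resource 0: ` followed by nothing, which reads as one granted entry; guard it with `elseif( isset( $filterResponse->resource ) )` and add an else that reports that no resource was permitted. The progress line names only the first of the two resources in the request, which misleads anyone comparing output to input. Resource names echoed from the response should also pass through htmlspecialchars() before being written into the page.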
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getAllProjects.php
@@ -0,0 +1,65 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.07.2007
+// Modification date: 18.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+
+
+echo "<BODY><HTML>";
+
+
+// -----------------------------------------------------
+// If this was successfull you have to add a apropriate
+// role to your active session that allows you to create
+// a session for someone else.
+// -----------------------------------------------------
+echo "<HR/>";
+echo "Listing all projects...<BR/>";
+
+try {
+
+ $getProResponse = $soapExtra->getAllProjects();
+
+ if( is_array( $getProResponse->project ) ) {
+
+ for( $i = 0; $i < sizeof( $getProResponse->project ); $i++ ) {
+
+ echo $getProResponse->project[$i]->id . " / " . $getProResponse->project[$i]->name . " / " . $getProResponse->project[$i]->description . "<BR>";
+
+ }
+
+ }
+ elseif( $getProResponse->project instanceof project ) {
+
+ echo $getProResponse->project->id . " / " . $getProResponse->project->name . " / " . $getProResponse->project->description . "<BR>";
+
+ }
+ else {
+
+ echo "No projects!<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getLeader.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getLeader.php
new file mode 100755
index 0000000..7fbd178
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getLeader.php
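Review bot: The comment above the getAllProjects call ("you have to add a apropriate role to your active session that allows you to create a session for someone else") is pasted from createSession and does not describe this script, which calls getAllProjects() with no session at all; `// No session is needed here: getAllProjects is called without auth` states what the code does. The project id, name and description from the response are concatenated into HTML unescaped; wrap each in htmlspecialchars() as the value comes from the service, not from this script. `elseif( $getProResponse->project instanceof project )` depends on a `project` class from soapTypes.inc.php, which is outside this hunk.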
@@ -0,0 +1,82 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $leaReq = new getLeaderRequest(); + $leaReq->auth = $_POST['auth']; + $leaReq->log = ""; + $leaReq->project = $_POST['project']; + + + echo "<HR/>"; + echo "Searching leader...<BR/>"; + + try { + + $response = $soapExtra->getLeader( $leaReq ); + + if( is_array( $response->username ) ) { + + for( $i = 0; $i < sizeof( $response->username ); $i++ ) { + + echo $response->username[$i] . "<BR>"; + + } + + } + elseif( preg_match( "/.+/", $response->username ) ) { + + echo $response->username; + + } + else { + + echo "No leader found!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"getLeader.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Project-Name: <INPUT type=\"text\" name=\"project\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
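Review bot: Only `$_POST['auth']` is guarded by `isset()`, but `$_POST['project']` is read unconditionally when the request is built, so a submission without that field raises an undefined-index notice; guard both keys, `if( isset( $_POST['auth'] ) && isset( $_POST['project'] ) ) {`. The usernames returned by getLeader() are echoed straight into the HTML response; `echo htmlspecialchars( $response->username[$i], ENT_QUOTES, 'UTF-8' ) . "<BR>";` (and the same on the single-value branch) keeps service data from being rendered as markup — the identical pattern is in getMembers (L279), getObjects (L281), getOwner (L282), getProjectDescription (L284) and getRights (L286). The comment "If this was successfull you can add a the user you wish to create" was copied from a create-user example and does not describe this request; `// Ask the RBAC-system for the leader(s) of the given project` would, and the same stale comment sits in getMembers, getObjects, getOwner, getProjectDescription, getRights, isPublic, publish and registerResource.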
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getMembers.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getMembers.php
new file mode 100755
index 0000000..d89821d
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getMembers.php
@@ -0,0 +1,82 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 07.04.2008 +// Modification date: 07.04.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['project'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $memReq = new getMembersRequest(); + $memReq->auth = $_POST['auth']; + $memReq->log = ""; + $memReq->project = $_POST['project']; + + + echo "<HR/>"; + echo "Searching members for project...<BR/>"; + + try { + + $memResponse = $soapSystem->getMembers( $memReq ); + + if( is_array( $memResponse->username ) ) { + + for( $i = 0; $i < sizeof( $memResponse->username ); $i++ ) { + + echo $memResponse->username[$i] . "<BR>"; + + } + + } + elseif( preg_match( "/.+/", $memResponse->username ) ) { + + echo $memResponse->username; + + } + else { + + echo "No members found!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"getMembers.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "project: <INPUT type=\"text\" name=\"project\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
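Review bot: The guard checks `$_POST['project']` but `$_POST['auth']` is then read unconditionally, the mirror image of the problem in getLeader.php; `if( isset( $_POST['auth'] ) && isset( $_POST['project'] ) ) {` covers both. The client variable is named `$soapSystem` yet it is built from the tgextra WSDL — naming it `$soapExtra` like the sibling examples avoids suggesting that getMembers() lives on the tgsystem service (the same naming slip is in getObjects, getRights and isPublic).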
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getObjects.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getObjects.php
new file mode 100755
index 0000000..2364f9c
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getObjects.php
@@ -0,0 +1,82 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['project'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $regReq = new getObjectsRequest(); + $regReq->auth = $_POST['auth']; + $reqReq->log = ""; + $regReq->project = $_POST['project']; + + + echo "<HR/>"; + echo "Searching resources for project...<BR/>"; + + try { + + $resourceResponse = $soapSystem->getObjects( $regReq ); + + if( is_array( $resourceResponse->resource ) ) { + + for( $i = 0; $i < sizeof( $resourceResponse->resource ); $i++ ) { + + echo $resourceResponse->resource[$i] . "<BR>"; + + } + + } + elseif( preg_match( "/.+/", $resourceResponse->resource ) ) { + + echo $resourceResponse->resource; + + } + else { + + echo "No resources found!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"getObjects.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "project: <INPUT type=\"text\" name=\"project\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
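Review bot: `$reqReq->log = "";` is a typo for `$regReq->log = "";` — it assigns to an undeclared variable, so the request object passed to getObjects() never gets its `log` member (older PHP silently creates a default object from the empty value, PHP 8 throws an Error at this line). The same typo is in isPublic (L290). As in the other form examples, `$_POST['auth']` is read here without an `isset()` check while only `project` is guarded.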
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getOwner.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getOwner.php new file mode 100755 index 0000000..cc42db6 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getOwner.php @@ -0,0 +1,73 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 07.04.2008 +// Modification date: 07.04.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $geoReq = new getOwnerRequest(); + $geoReq->auth = $_POST['auth']; + $geoReq->log = ""; + $geoReq->resource = $_POST['resource']; + + + echo "<HR/>"; + echo "Looking for owner...<BR/>"; + + try { + + $response = $soapExtra->getOwner( $geoReq ); + + if( $response->owner ) { + + echo "Owner: " . $response->owner; + + } + else { + + echo "UNABLE TO COMMIT..."; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"getOwner.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getProjectDescription.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getProjectDescription.php
new file mode 100755
index 0000000..35a8ad1
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getProjectDescription.php
@@ -0,0 +1,75 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 07.04.2008 +// Modification date: 07.04.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['project'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $proReg = new getProjectDescriptionRequest(); + $proReg->auth = $_POST['auth']; + $proReg->log = ""; + $proReg->project = $_POST['project']; + + + echo "<HR/>"; + echo "Looking for description...<BR/>"; + + try { + + $response = $soapExtra->getProjectDescription( $proReg ); + + if( $response->project ) { + + echo "ID: " . $response->project->id . "<br>"; + echo "Name: " . $response->project->name . "<br>"; + echo "Description: " . $response->project->description; + + } + else { + + echo "UNABLE TO COMMIT..."; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"getProjectDescription.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Project: <INPUT type=\"text\" name=\"project\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getRights.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getRights.php
new file mode 100755
index 0000000..7a7e62c
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getRights.php
@@ -0,0 +1,84 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 07.04.2008 +// Modification date: 07.04.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $opReq = new getMembersRequest(); + $opReq->auth = $_POST['auth']; + $opReq->username = $_POST['username']; + $opReq->log = ""; + $opReq->resource = $_POST['resource']; + + + echo "<HR/>"; + echo "Searching allowed operations...<BR/>"; + + try { + + $opResponse = $soapSystem->getRights( $opReq ); + + if( is_array( $opResponse->operation ) ) { + + for( $i = 0; $i < sizeof( $opResponse->operation ); $i++ ) { + + echo $opResponse->operation[$i] . "<BR>"; + + } + + } + elseif( preg_match( "/.+/", $opResponse->operation ) ) { + + echo $opResponse->operation; + + } + else { + + echo "No operations found!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"getRights.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n"; +echo "Username: <INPUT type=\"text\" name=\"username\" value=\"\"><BR/>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
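Review bot: The request handed to getRights() is built as `new getMembersRequest()`, which looks like a copy-paste from getMembers.php; `username` and `resource` are then set on a type that, judging by getMembers.php, carries `auth`, `log` and `project`, so whether the service ever sees those two values depends on how SoapClient serializes members the type does not declare. Every sibling example uses a request class named after its operation, so presumably soapTypes.inc.php defines a matching request type for getRights as well — if it does, instantiate that one here. The form also posts `username` and `resource`, which are read without the `isset()` that guards `auth`.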
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getSid.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getSid.php
new file mode 100755
index 0000000..6c806c9
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getSid.php
@@ -0,0 +1,52 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 05.08.2007
+// Modification date: 05.08.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../soapTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+//$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl",
+// Array( 'proxy_host' => "134.2.217.67", 'proxy_port' => 7777 ) );
+
+
+echo "<BODY><HTML>";
+
+
+
+// -----------------------------------------------------
+// How to get a session-ID from the RBAC-system
+// -----------------------------------------------------
+echo "<HR/>";
+echo "Asking for a session-ID...<BR/>";
+
+try {
+
+ $getSidResponse = $soapExtra->getSid();
+
+ if( $getSidResponse->sid ) {
+
+ echo "DONE: " . $getSidResponse->sid . "<BR/>";
+
+ }
+
+}
+catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+}
+
+
+echo "</BODY></HTML>";
+
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/grantPermission.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/grantPermission.php
new file mode 100755
index 0000000..eeede55
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/grantPermission.php
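Review bot: Two commented-out lines keep an alternative endpoint plus a proxy configuration with a hard-coded address (`134.2.217.67`, port `7777`) inside the example; dead configuration like this tends to get copied along with the example, so drop it or move it to a documented setting. The success branch has no `else`, so a response without a `sid` prints nothing at all — `else { echo "No session-ID received!<BR/>"; }` makes that case visible, as the other examples do for theirs.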
@@ -0,0 +1,120 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 06.08.2007 +// Modification date: 06.08.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can create a role you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can try to grant a permission +// to a role. +// ----------------------------------------------------- +$grantPermReq = new grantPermissionRequest(); +$grantPermReq->intSid = $authResponse->sid; +$grantPermReq->resource = "ingrid.daasi.de//demo/tg-demo.xml"; +$grantPermReq->operation = "read"; +$grantPermReq->role = "Testrolle"; + +echo "<HR/>"; +echo "Assigning user to role...<BR/>"; + +try { + + $grantPermResponse = $soapAdministration->grantPermission( $grantPermReq ); + + if( $grantPermResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/isPublic.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/isPublic.php new file mode 100755 index 0000000..d9eb2ba --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/isPublic.php 
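Review bot: `$authResponse` is assigned only inside the first `try`, but `$addRoleReq->sid = $authResponse->sid;` and `$grantPermReq->intSid = $authResponse->sid;` run regardless of whether authenticate() threw, so after a SOAP fault the role activation and the grant are still attempted with an undefined variable and an empty sid; stop in the fault branch or check before continuing, `if( !isset( $authResponse->sid ) ) { exit; }`. The same flow is in revokePermission (L294-295), roleOperationsOnObject (L296-297), rolePermissions (L299-300) and sessionPermissions (L302-303). The example also commits the service-provider password `"secret"` and fetches all three WSDLs over plain http, so unless the endpoint address inside the WSDL is https the authenticate() call carries the password in cleartext; reading the credentials from a local, uncommitted config file would address both. The progress line `echo "Assigning user to role...<BR/>";` describes a different operation — `echo "Granting permission read on the resource to role Testrolle...<BR/>";`.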
@@ -0,0 +1,73 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 14.04.2008 +// Modification date: 14.04.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['resource'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $regReq = new isPublicRequest(); + $regReq->auth = ""; + $reqReq->log = ""; + $regReq->resource = $_POST['resource']; + + + echo "<HR/>"; + echo "Checking if resource is public...<BR/>"; + + try { + + $checkResponse = $soapSystem->isPublic( $regReq ); + + if( $checkResponse->result ) { + + echo "YES.<BR>"; + + } + else { + + echo "NO<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"isPublic.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/publish.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/publish.php new file mode 100755 index 0000000..5657e4a --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/publish.php 
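Review bot: `$regReq->auth = "";` discards the value the form posts in its `auth` field, so the input on the page has no effect on the isPublic() call; either `$regReq->auth = $_POST['auth'];` if the operation needs it, or drop the field from the form so readers are not misled. The request setup also has the `$reqReq` typo already noted for getObjects.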
@@ -0,0 +1,73 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 07.04.2008 +// Modification date: 07.04.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $pubReq = new publishRequest(); + $pubReq->auth = $_POST['auth']; + $pubReq->log = ""; + $pubReq->resource = $_POST['resource']; + + + echo "<HR/>"; + echo "Publishing resource...<BR/>"; + + try { + + $response = $soapExtra->publish( $pubReq ); + + if( $response->result ) { + + echo "DONE"; + + } + else { + + echo "UNABLE TO COMMIT..."; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"publish.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/registerResource.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/registerResource.php new file mode 100755 index 0000000..11dd88c --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/registerResource.php 
@@ -0,0 +1,75 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $regReq = new registerResourceRequest(); + $regReq->auth = $_POST['auth']; + $regReq->log = ""; + $regReq->project = $_POST['project']; + $regReq->uri = $_POST['uri']; + + + echo "<HR/>"; + echo "Adding resource...<BR/>"; + + try { + + $registerResourceResponse = $soapExtra->registerResource( $regReq ); + + if( $registerResourceResponse->result ) { + + echo "DONE.<BR>"; + + } + else { + + echo "UNABLE to commit!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"registerResource.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Project-Name: <INPUT type=\"text\" name=\"project\" value=\"\"><BR>\n"; +echo "URI: <INPUT type=\"text\" name=\"uri\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/revokePermission.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/revokePermission.php new file mode 100755 index 0000000..3aeef75 
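Review bot: `$_POST['project']` and `$_POST['uri']` are read without the `isset()` that guards `auth`, so a partial form submission produces notices before the registerResource() call; `if( isset( $_POST['auth'], $_POST['project'], $_POST['uri'] ) ) {` guards all three. Since registerResource is a state-changing call driven by a POST form, a one-line comment saying that a real UI built from this example needs its own request-origin protection (the example has none) would help whoever copies it.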
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/revokePermission.php
@@ -0,0 +1,120 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 06.08.2007 +// Modification date: 06.08.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapAdministration = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgadministration.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can create a role you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can try to grant a permission +// to a role. +// ----------------------------------------------------- +$revPermReq = new revokePermissionRequest(); +$revPermReq->intSid = $authResponse->sid; +$revPermReq->resource = "ingrid.daasi.de//demo/tg-demo.xml"; +$revPermReq->operation = "read"; +$revPermReq->role = "Testrolle"; + +echo "<HR/>"; +echo "Revoking permission read for role testRole...<BR/>"; + +try { + + $revPermResponse = $soapAdministration->revokePermission( $revPermReq ); + + if( $revPermResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/roleOperationsOnObject.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/roleOperationsOnObject.php new file mode 100755 index 0000000..d6de59b --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/roleOperationsOnObject.php 
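Review bot: The comment before the request says "you can try to grant a permission to a role" although this example revokes one, and the progress message names `testRole` while the request sets `$revPermReq->role = "Testrolle";` — `// If this was successful you can try to revoke a permission from a role.` and `echo "Revoking permission read for role Testrolle...<BR/>";` bring both in line with the code. The opening comment "Before you can create a role you have to authenticate" is likewise copied from a different example.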
@@ -0,0 +1,128 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 17.08.2007 +// Modification date: 30.08.2007 +// Version: 0.1.1 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can create a session you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can ask the RBAC-system +// form the operations a role may do on a resource. +// ----------------------------------------------------- +$roooReq = new roleOperationsOnObjectRequest(); +$roooReq->intSid = $authResponse->sid; +$roooReq->role = "Projektleiter,Projekt-1,Projekt-Teilnehmer"; +$roooReq->resource = "ingrid.daasi.de//demo/tg-demo.xml"; + +echo "<HR/>"; +echo "The allowed operations of roles Projektleiter,Projekt-1,Projekt-Teilnehmer on resource ingrid.daasi.de//demo/tg-demo.xml...<BR/>"; + +try { + + $operationsetResponse = $soapReview->roleOperationsOnObject( $roooReq ); + + if( is_array( $operationsetResponse->operationset ) ) { + + for( $i = 0; $i < sizeof( $operationsetResponse->operationset ); $i++ ) { + + echo "Operation " . $i . ": " . $operationsetResponse->operationset[$i] . "<BR/>"; + + } + + } + else { + + echo "Operation 0: " . $operationsetResponse->operationset . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> 
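Review bot: The `else` branch prints `"Operation 0: "` followed by whatever `operationset` holds, so a response with no operations at all renders as if one empty operation existed; the form examples separate the two cases, e.g. `elseif( preg_match( "/.+/", $operationsetResponse->operationset ) )` for the single value and a final `else { echo "No operations!<BR/>"; }`. `$roooReq->role` is set to `"Projektleiter,Projekt-1,Projekt-Teilnehmer"`; whether that is one composite role name or a comma-separated list of three is not visible here, and a comment stating which would help readers of the example.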
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/rolePermissions.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/rolePermissions.php
new file mode 100755
index 0000000..647180e
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/rolePermissions.php
@@ -0,0 +1,129 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 25.07.2007 +// Modification date: 17.08.2007 +// Version: 0.1.1 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can create a session you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can ask the RBAC-system +// for a list of permissions a role has. +// ----------------------------------------------------- +$permReq = new rolePermissionsRequest(); +$permReq->intSid = $authResponse->sid; +$permReq->role = "Projektleiter,Projekt-1,Projekt-Teilnehmer"; + +echo "<HR/>"; +echo "Query the permissions of role Projektleiter,Projekt-1,Projekt-Teilnehmer...<BR/>"; + +try { + + $permResponse = $soapReview->rolePermissions( $permReq ); + + if( is_array( $permResponse->permissionset ) ) { + + for( $i = 0; $i < sizeof( $permResponse->permissionset ); $i++ ) { + + echo $permResponse->permissionset[$i]->resource . " / " + . $permResponse->permissionset[$i]->operation . "<BR/>"; + + } + + } + else { + + echo $permResponse->permissionset->resource . " / " + . $permResponse->permissionset->operation . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/sessionPermissions.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/sessionPermissions.php new file mode 100755 index 0000000..151c35b --- /dev/null 
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/sessionPermissions.php 
@@ -0,0 +1,120 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 08.08.2007 +// Modification date: 08.08.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can create a session you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can ask for a session's +// permissions. +// ----------------------------------------------------- +$permReq = new sessionPermissionsRequest(); +$permReq->intSid = $authResponse->sid; +$permReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Query the permissions of my own session...<BR/>"; + +try { + + $permResponse = $soapReview->sessionPermissions( $permReq ); + echo serialize( $permResponse ); + + for( $i = 0; $i < sizeof( $permResponse->permissionset ); $i++ ) { + + echo $permResponse->permissionset[$i]->resource . " / " + . $permResponse->permissionset[$i]->operation . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/sessionRoles.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/sessionRoles.php new file mode 100755 index 0000000..df58bd9 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/sessionRoles.php 
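Review bot: The permissions loop in the final try block calls `sizeof( $permResponse->permissionset )` and indexes `permissionset[$i]` without the `is_array()` branch the sibling rolePermissions.php example uses, so a response carrying a single permission (one object instead of a list) is misreported, and on current PHP the `sizeof` of a non-countable object is a TypeError; add `if( is_array( $permResponse->permissionset ) ) { ... } else { echo $permResponse->permissionset->resource . " / " . $permResponse->permissionset->operation . "<BR/>"; }` as in that example. The `echo serialize( $permResponse );` just before the loop looks like a leftover debug dump of the whole response and should be removed. `echo "<BODY><HTML>";` opens the two tags in the wrong order, and the same line appears in every example in this commit. The authenticate step hard-codes `"secret"` as the password of a named account; this and the other authenticating examples here (sessionRoles.php, userExists.php, userOperationsOnObject.php, userPermissions.php) would better read their credentials from an untracked local config or use an obvious placeholder such as `"<PASSWORD>"`, so a copied account password does not end up committed.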
@@ -0,0 +1,128 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can create a session you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you have to add a apropriate +// role to your active session that allows you to create +// a session for someone else. +// ----------------------------------------------------- +$srReq = new sessionRolesRequest(); +$srReq->intSid = $authResponse->sid; +$srReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Session roles...<BR/>"; + +try { + + $rolesetResponse = $soapReview->sessionRoles( $srReq ); + + if( is_array( $rolesetResponse->role ) ) { + + for( $i = 0; $i < sizeof( $srResponse->role ); $i++ ) { + + echo "Role " . $i . ": " . $rolesetResponse->role[$i] . "<BR/>"; + + } + + } + else { + + echo "Role 0: " . $rolesetResponse->role . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAddActiveRole.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAddActiveRole.php new file mode 100755 index 0000000..de8e33a --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAddActiveRole.php 
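Review bot: The role loop in the last try block reads `sizeof( $srResponse->role )`, but the response was stored in `$rolesetResponse`; `$srResponse` is never assigned, so the loop never iterates as written (and on PHP 8 `sizeof` of the unset value is a TypeError) — change it to `for( $i = 0; $i < sizeof( $rolesetResponse->role ); $i++ ) {`. The comment above that block ("you have to add a apropriate role ... create a session for someone else") is copied from another example and does not describe querying the session's roles; `// If this was successful you can ask for the roles of your own session.` fits. Separately, when `authenticate` throws, the catch only echoes the fault and execution continues into `$addRoleReq->sid = $authResponse->sid;` with `$authResponse` unset; ending that catch with `exit;` (or guarding the following blocks on `isset( $authResponse )`) keeps the later calls from running with an empty session id. The same continuation-after-failure applies to sessionPermissions.php, userExists.php, userOperationsOnObject.php and userPermissions.php in this commit.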
@@ -0,0 +1,73 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $regReq = new tgAddActiveRoleRequest(); + $regReq->auth = $_POST['auth']; + $regReq->log = ""; + $regReq->role = $_POST['role']; + + + echo "<HR/>"; + echo "Adding role...<BR/>"; + + try { + + $addActiveRoleResponse = $soapExtra->tgAddActiveRole( $regReq ); + + if( $addActiveRoleResponse->result ) { + + echo "DONE.<BR>"; + + } + else { + + echo "UNABLE to commit!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"tgAddActiveRole.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Role: <INPUT type=\"text\" name=\"role\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAssignedProjects.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAssignedProjects.php new file mode 100755 index 0000000..1b77845 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAssignedProjects.php 
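Review bot: Inside the `isset( $_POST['auth'] )` branch the request also reads `$_POST['role']` with no check, so a POST carrying only `auth` sends a null role after an undefined-index warning; check every field the form posts, e.g. `if( isset( $_POST['auth'], $_POST['role'] ) ) {`. Everything received from the service — here `$f->faultcode`, `$f->faultstring` and `$f->detail` in the catch — is echoed straight into the HTML page; wrap such values in `htmlspecialchars( ..., ENT_QUOTES, 'UTF-8' )` so service-controlled text cannot inject markup into the example page. The block comment ("you can add a the user you wish to create") is pasted from an addUser example and does not describe adding an active role. The same three points apply to the other form-driven examples in this commit (tgAssignedProjects.php, tgAssignedRoles.php, tgCheckAccess.php, tgGrantPermission.php, tgRevokePermission.php, unregisterResource.php, xacmlCheckAccess.php).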
@@ -0,0 +1,80 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $regReq = new tgAssignedProjectsRequest(); + $regReq->auth = $_POST['auth']; + $regReq->log = ""; + + + echo "<HR/>"; + echo "Searching...<BR/>"; + + try { + + $assignedProjectsResponse = $soapExtra->tgAssignedProjects( $regReq ); + + if( is_array( $assignedProjectsResponse->role ) ) { + + for( $i = 0; $i < sizeof( $assignedProjectsResponse->role ); $i++ ) { + + echo $assignedProjectsResponse->role[$i] . "<BR>"; + + } + + } + elseif( preg_match( "/.+/", $assignedProjectsResponse->role ) ) { + + echo $assignedProjectsResponse->role; + + } + else { + + echo "No assigned roles!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"tgAssignedProjects.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
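Review bot: `elseif( preg_match( "/.+/", $assignedProjectsResponse->role ) )` is a roundabout way of testing for a non-empty string; a direct comparison says what is meant, `elseif( is_string( $assignedProjectsResponse->role ) && $assignedProjectsResponse->role !== "" ) {`. The fallback message `"No assigned roles!<BR>"` in an example that queries assigned projects should read `No assigned projects!`, and the single-value branch omits the `<BR>` the array branch appends. The same `preg_match` test appears in tgAssignedRoles.php.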
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAssignedRoles.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAssignedRoles.php new file mode 100755 index 0000000..e5d55c9 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgAssignedRoles.php 
@@ -0,0 +1,82 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $regReq = new tgAssignedRolesRequest(); + $regReq->auth = $_POST['auth']; + $regReq->log = ""; + $regReq->username = $_POST['username']; + + + echo "<HR/>"; + echo "Searching...<BR/>"; + + try { + + $assignedRolesResponse = $soapExtra->tgAssignedRoles( $regReq ); + + if( is_array( $assignedRolesResponse->role ) ) { + + for( $i = 0; $i < sizeof( $assignedRolesResponse->role ); $i++ ) { + + echo $assignedRolesResponse->role[$i] . "<BR>"; + + } + + } + elseif( preg_match( "/.+/", $assignedRolesResponse->role ) ) { + + echo $assignedRolesResponse->role; + + } + else { + + echo "No assigned roles!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"tgAssignedRoles.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Username (may be empty): <INPUT type=\"text\" name=\"username\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgCheckAccess.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgCheckAccess.php new file mode 100755 index 0000000..347e4ec --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgCheckAccess.php 
@@ -0,0 +1,76 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $regReq = new tgCheckAccessRequest(); + $regReq->auth = $_POST['auth']; + $reqReq->log = ""; +// $regReq->sid = $_POST['sid']; + $regReq->resource = $_POST['resource']; + $regReq->operation = $_POST['operation']; + + + echo "<HR/>"; + echo "Checking access...<BR/>"; + + try { + + $checkResponse = $soapSystem->tgCheckAccess( $regReq ); + + if( $checkResponse->result ) { + + echo "YES.<BR>"; + + } + else { + + echo "NO<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"tgCheckAccess.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Operation: <INPUT type=\"text\" name=\"operation\" value=\"\"><BR>\n"; +echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
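Review bot: `$reqReq->log = "";` is a typo for `$regReq->log = "";` — it creates an unrelated `$reqReq` object (an Error on PHP 8, which no longer allows assigning a property on an undefined variable) and leaves `log` unset on the request that is actually sent. The client is stored in `$soapSystem` although it is built from `tgextra.wsdl` and calls `tgCheckAccess` on it; naming it `$soapExtra` as in the sibling examples avoids a misleading read. The commented-out `// $regReq->sid = $_POST['sid'];` should be removed or explained, and `resource` and `operation` are read from `$_POST` without the isset check that `auth` gets.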
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgGrantPermission.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgGrantPermission.php new file mode 100755 index 0000000..1dc79c3 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgGrantPermission.php 
@@ -0,0 +1,77 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 04.04.2008 +// Modification date: 04.04.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $graReq = new tgGrantPermissionRequest(); + $graReq->auth = $_POST['auth']; + $graReq->log = ""; + $graReq->role = $_POST['role']; + $graReq->resource = $_POST['resource']; + $graReq->operation = $_POST['operation']; + + + echo "<HR/>"; + echo "Trying to grant permission...<BR/>"; + + try { + + $response = $soapExtra->tgGrantPermission( $graReq ); + + if( $response->result ) { + + echo "DONE"; + + } + else { + + echo "UNABLE TO COMMIT..."; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"tgGrantPermission.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Role: <INPUT type=\"text\" name=\"role\" value=\"\"><BR>\n"; +echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n"; +echo "Operation: <INPUT type=\"text\" name=\"operation\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgRevokePermission.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgRevokePermission.php new file mode 100755 index 0000000..e6d3a28 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/tgRevokePermission.php 
@@ -0,0 +1,77 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 07.04.2008 +// Modification date: 07.04.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $revReg = new tgRevokePermissionRequest(); + $revReg->auth = $_POST['auth']; + $revReg->log = ""; + $revReg->role = $_POST['role']; + $revReg->resource = $_POST['resource']; + $revReg->operation = $_POST['operation']; + + + echo "<HR/>"; + echo "Trying to revoke permission...<BR/>"; + + try { + + $response = $soapExtra->tgRevokePermission( $revReg ); + + if( $response->result ) { + + echo "DONE"; + + } + else { + + echo "UNABLE TO COMMIT..."; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"tgRevokePermission.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "Role: <INPUT type=\"text\" name=\"role\" value=\"\"><BR>\n"; +echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n"; +echo "Operation: <INPUT type=\"text\" name=\"operation\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
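Review bot: The request variable is spelled `$revReg` throughout this hunk, which reads as a typo for `$revReq` next to `$graReq` in tgGrantPermission.php and `$regReq` in the other examples; renaming it keeps the examples consistent. The "you can add a the user you wish to create" comment above it is copied from an addUser example and should describe revoking a permission instead.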
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/unregisterResource.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/unregisterResource.php new file mode 100755 index 0000000..59d8cf6 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/unregisterResource.php @@ -0,0 +1,73 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 17.03.2008 +// Modification date: 17.03.2008 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); + + +echo "<BODY><HTML>"; + + + + +if( isset( $_POST['auth'] ) ) { + + // ----------------------------------------------------- + // If this was successfull you can add a the user you + // wish to create + // ----------------------------------------------------- + $regReq = new unregisterResourceRequest(); + $regReq->auth = $_POST['auth']; + $regReq->log = ""; + $regReq->uri = $_POST['uri']; + + + echo "<HR/>"; + echo "Unregistering resource...<BR/>"; + + try { + + $registerResourceResponse = $soapExtra->unregisterResource( $regReq ); + + if( $registerResourceResponse->result ) { + + echo "DONE.<BR>"; + + } + else { + + echo "UNABLE to commit!<BR>"; + + } + + } + catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + + } + +} + + +echo "<FORM action=\"unregisterResource.php\" method=\"post\" enctype=\"multipart/form-data\">\n"; +echo "Auth: <INPUT type=\"text\" name=\"auth\" value=\"\"><BR>\n"; +echo "URI: <INPUT type=\"text\" name=\"uri\" value=\"\"><BR>\n"; +echo "<INPUT type=\"submit\" value=\"Commit...\">\n"; +echo "</FORM>\n"; + +echo "</BODY></HTML>"; + +?> 
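Review bot: The result of `$soapExtra->unregisterResource( $regReq )` is stored in `$registerResourceResponse`, which names the opposite operation; `$unregisterResourceResponse = $soapExtra->unregisterResource( $regReq );` (and the matching `if( $unregisterResourceResponse->result )`) avoids the misread. The block comment above the request is again the pasted "add a the user you wish to create" text rather than a description of unregistering a resource.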
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userExists.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userExists.php new file mode 100755 index 0000000..845e529 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userExists.php 
@@ -0,0 +1,120 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 18.07.2007 +// Modification date: 18.07.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgsystem.wsdl" ); +$soapAdministration = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/tgadministration.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can add a user you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "ShibConnector@application.int"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "ShibConnector@application.int"; +$addRoleReq->role = "Anwendung"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can add a the user you +// wish to create +// ----------------------------------------------------- +$addUserReq = new addUserRequest(); +$addUserReq->intSid = $authResponse->sid; +//$addUserReq->username = "mwidmer@uni-tuebingen.de"; +$addUserReq->username = "ShibConnector@application.int"; +$addUserReq->password = "secret"; + +echo "<HR/>"; +echo "Adding user...<BR/>"; + +try { + + $addUserResponse = $soapAdministration->addUser( $addUserReq ); + + if( $addUserResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userOperationsOnObject.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userOperationsOnObject.php new file mode 100755 index 0000000..33c712d --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userOperationsOnObject.php 
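Review bot: The file is named userExists.php but its last block issues `$soapAdministration->addUser( $addUserReq )`, i.e. it creates an account rather than checking for one, and the header comment ("Before you can add a user...") confirms it is a copy of the addUser example. Either rename the file or replace the final block with the intended existence query, if the administration or review WSDL offers one (not visible here). As written the account being created, `ShibConnector@application.int` with password `secret`, is the same account that just authenticated, so the call presumably fails or is a no-op; a placeholder such as `$addUserReq->username = "<NEW-USER>";` would make the example's intent clear. This example also points at `rbac.textgrid.daasi.de` while the other authenticating examples use `textgrid.regengedanken.de`; the shipped examples should agree on one host.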
@@ -0,0 +1,128 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 30.08.2007 +// Modification date: 30.08.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can create a session you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "sp00001@textgrid.de"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "sp00001@textgrid.de"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can ask the RBAC-system +// form the operations a user may do on a resource. +// ----------------------------------------------------- +$roooReq = new userOperationsOnObjectRequest(); +$roooReq->intSid = $authResponse->sid; +$roooReq->user = "mhaase@uni-tuebingen.de"; +$roooReq->resource = "ingrid.daasi.de//demo/tg-demo.xml"; + +echo "<HR/>"; +echo "The allowed operations of user mhaase@uni-tuebingen.de on resource ingrid.daasi.de//demo/tg-demo.xml...<BR/>"; + +try { + + $operationsetResponse = $soapReview->userOperationsOnObject( $roooReq ); + + if( is_array( $operationsetResponse->operationset ) ) { + + for( $i = 0; $i < sizeof( $operationsetResponse->operationset ); $i++ ) { + + echo "Operation " . $i . ": " . $operationsetResponse->operationset[$i] . "<BR/>"; + + } + + } + else { + + echo "Operations 0: " . $operationsetResponse->operationset . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> 
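Review bot: The single-value branch prints `"Operations 0: "` while the loop prints `"Operation " . $i . ": "`; use `echo "Operation 0: " . $operationsetResponse->operationset . "<BR/>";` so both branches read alike. The block comment says "ask the RBAC-system form the operations" — "for the operations". The status line repeats the user and resource literals by hand; building it from `$roooReq->user` and `$roooReq->resource` keeps the message from drifting when the request values change, as has already happened in userPermissions.php.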
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userPermissions.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userPermissions.php new file mode 100755 index 0000000..03be0c8 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/userPermissions.php 
@@ -0,0 +1,132 @@ +<?php +// ####################################################### +// Author: Markus Widmer +// Creation date: 08.08.2007 +// Modification date: 08.08.2007 +// Version: 0.1.0 +// ####################################################### + + +require_once( "../soapTypes.inc.php" ); + + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgextra.wsdl" ); +$soapSystem = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgsystem.wsdl" ); +$soapReview = new SoapClient( "http://textgrid.regengedanken.de/rbacSoap/wsdl/tgreview.wsdl" ); + + +echo "<BODY><HTML>"; + + + +// ----------------------------------------------------- +// Before you can create a session you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = "shibConnector@application.int"; +$authReq->password = "secret"; + + +echo "<HR/>"; +echo "Doing authentication...<BR/>"; + +try { + + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->sid ) ) { + + echo "DONE: " . $authResponse->sid . "<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail; + +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = "shibConnector@application.int"; +$addRoleReq->role = "serviceProvider"; +$addRoleReq->sid = $authResponse->sid; + +echo "<HR/>"; +echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapSystem->addActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + echo "DONE.<BR/>"; + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +// ----------------------------------------------------- +// If this was successfull you can ask for the users +// permissions. +// ----------------------------------------------------- +$permReq = new userPermissionsRequest(); +$permReq->intSid = $authResponse->sid; +//$permReq->username = "shibConnector@application.int"; +$permReq->username = "mhaase@uni-tuebingen.de"; + + +echo "<HR/>"; +echo "Query the permissions of user sp00001@textgrid.de...<BR/>"; + +try { + + $permResponse = $soapReview->userPermissions( $permReq ); + + if( is_array( $permResponse->permissionset ) ) { + + for( $i = 0; $i < sizeof( $permResponse->permissionset ); $i++ ) { + + echo $permResponse->permissionset[$i]->resource . " / " + . $permResponse->permissionset[$i]->operation . "<BR/>"; + + } + + } + else { + + echo $permResponse->permissionset->resource . " / " + . $permResponse->permissionset->operation . "<BR/>"; + + + } + +} +catch( SoapFault $f ) { + + echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail; + +} + + +echo "</BODY></HTML>"; + +?> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/xacmlCheckAccess.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/xacmlCheckAccess.php new file mode 100755 index 0000000..f10dd6f --- /dev/null 
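Review bot: The status line `echo "Query the permissions of user sp00001@textgrid.de...<BR/>";` names the wrong account: the request is built with `$permReq->username = "mhaase@uni-tuebingen.de";`. Build the message from the variable, `echo "Query the permissions of user " . $permReq->username . "...<BR/>";`, so it cannot drift again. The authenticating account is spelled `shibConnector@application.int` here but `ShibConnector@application.int` in userExists.php; if the backend compares usernames case-sensitively (not visible here) one of the two examples will fail, so the two should agree. The commented-out `//$permReq->username = "shibConnector@application.int";` is a leftover and should go.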
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/xacmlCheckAccess.php 
@@ -0,0 +1,103 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.07.2007
+// Modification date: 18.07.2007
+// Version: 0.1.0
+// #######################################################
+
+
+require_once( "../xacmlTypes.inc.php" );
+
+
+
+// -----------------------------------------------------
+// You'll need these services
+// -----------------------------------------------------
+$soapXACML = new SoapClient( "http://rbac.textgrid.daasi.de/wsdl/xacml.wsdl.local", Array( "trace" => 1 ) );
+
+
+echo "<BODY><HTML>";
+
+
+
+
+if( isset( $_POST['session'] ) ) {
+
+ // -----------------------------------------------------
+ // If this was successfull you can add a the user you
+ // wish to create
+ // -----------------------------------------------------
+
+ $regReq = new stdClass();
+
+ $regReq->Version = "2.0";
+ $regReq->ID = "abcde1234";
+ $regReq->ReturnContext = true;
+ $regReq->Request = new stdClass();
+ $regReq->Request->Subject = new stdClass();
+ $regReq->Request->Resource = new stdClass();
+ $regReq->Request->Action = new stdClass();
+ $regReq->Request->Environment = new stdClass();
+
+ $regReq->Request->Subject->Attribute = new stdClass();
+ $regReq->Request->Subject->Attribute->AttributeId = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
+ $regReq->Request->Subject->Attribute->DataType = "http://www.w3.org/2001/XMLSchema#string";
+ $regReq->Request->Subject->Attribute->AttributeValue = new stdClass();
+ $regReq->Request->Subject->Attribute->AttributeValue->any = $_POST['session'];
+
+ $regReq->Request->Resource->Attribute = new stdClass();
+ $regReq->Request->Resource->Attribute->AttributeId = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
+ $regReq->Request->Resource->Attribute->DataType = "http://www.w3.org/2001/XMLSchema#anyURI";
+ $regReq->Request->Resource->Attribute->AttributeValue = new stdClass();
+ $regReq->Request->Resource->Attribute->AttributeValue->any = $_POST['resource'];
+
+ $regReq->Request->Action->Attribute = new stdClass();
+ $regReq->Request->Action->Attribute->AttributeId = "urn:oasis:names:tc:xacml:1.0:action:action-id";
+ $regReq->Request->Action->Attribute->DataType = "http://www.w3.org/2001/XMLSchema#string";
+ $regReq->Request->Action->Attribute->AttributeValue = new stdClass();
+ $regReq->Request->Action->Attribute->AttributeValue->any = $_POST['operation'];
+
+
+ echo "<HR/>";
+ echo "checking access...<BR/>";
+ echo "Look at the code to see what happens!<BR/>";
+
+
+ try {
+
+ $caResponse = $soapXACML->checkXACMLaccess( $regReq );
+
+ echo "\n\n" . $soapXACML->__getLastRequest();
+ echo "\n\n" . $soapXACML->__getLastResponse() . "\n\n";
+
+ if( preg_match( "/^permit$/i", $caResponse->Response->Result->Decision ) ) {
+
+ echo "<BR><HR><BR>Granted: YES.<BR><HR><BR>";
+
+ }
+ else {
+
+ echo "<BR><HR><BR>Granted: NO.<BR><HR><BR>";
+
+ }
+
+ }
+ catch( SoapFault $f ) {
+
+ echo "SOAP FAULT!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail;
+
+ }
+
+}
+
+
+echo "<FORM action=\"xacmlCheckAccess.php\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "Session: <INPUT type=\"text\" name=\"session\" value=\"\"><BR>\n";
+echo "Resource: <INPUT type=\"text\" name=\"resource\" value=\"\"><BR>\n";
+echo "Operation: <INPUT type=\"text\" name=\"operation\" value=\"\"><BR>\n";
+echo "<INPUT type=\"submit\" value=\"Commit...\">\n";
+echo "</FORM>\n";
+
+echo "</BODY></HTML>";
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/soapTypes.inc.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/soapTypes.inc.php
new file mode 100755
index 0000000..d61c50f
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/soapTypes.inc.php
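Review bot: The `echo "\n\n" . $soapXACML->__getLastRequest();` and `__getLastResponse()` lines in the `try` block, and the `$f->faultstring . " / " . $f->detail` line in the `catch` block, write server- and user-supplied text straight into the HTML page; the request envelope contains the unescaped `$_POST['session']`, `$_POST['resource']` and `$_POST['operation']` values, so any markup in the form fields is rendered by the browser (reflected XSS) and the submitted session id is echoed back in clear. Pass each of those strings through `htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' )` before echoing, and wrap the two envelopes in `<PRE>` so they are readable at all. Separately, only `session` is guarded by `isset()`; `$_POST['resource']` and `$_POST['operation']` are read unconditionally, so a partly filled form sends an empty attribute value after an undefined-index notice — guard all three the same way, e.g. `if( isset( $_POST['session'], $_POST['resource'], $_POST['operation'] ) ) {`.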
@@ -0,0 +1,524 @@
+<?php
+class authenticateRequest {
+
+ public $username;
+ public $password;
+ public $log;
+
+}
+
+class authenticateResponse {
+
+ public $sid;
+
+}
+
+class getSidResponse {
+
+ public $sid;
+
+}
+
+class checkAccessRequest {
+
+ public $intSid;
+ public $operation;
+ public $resource;
+ public $sid;
+
+}
+
+class tgCheckAccessRequest {
+
+ public $auth;
+ public $log;
+ public $operation;
+ public $resource;
+ public $sid;
+
+}
+
+class tgGrantPermissionRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+ public $resource;
+ public $operation;
+
+}
+
+class tgRevokePermissionRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+ public $resource;
+ public $operation;
+
+}
+
+class getOwnerRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+
+}
+
+class getOwnerResponse {
+
+ public $owner;
+
+}
+
+class getMembersRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class deactivateProjectRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class getRightsRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+ public $username;
+
+}
+
+class publishRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+
+}
+
+class isPublicRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+
+}
+
+class getProjectDescriptionRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class getProjectDescriptionResponse {
+
+ public $project;
+
+}
+
+class createSessionRequest {
+
+ public $intSid;
+ public $username;
+ public $roleset;
+ public $sid;
+
+}
+
+class tgAddActiveRoleRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+
+}
+
+class tgAssignedRolesRequest {
+
+ public $auth;
+ public $log;
+ public $username;
+
+}
+
+class tgAssignedProjectsRequest {
+
+ public $auth;
+ public $log;
+
+}
+
+class deleteSessionRequest {
+
+ public $intSid;
+ public $username;
+ public $sid;
+
+}
+
+class addActiveRoleRequest {
+
+ public $intSid;
+ public $username;
+ public $role;
+ public $sid;
+
+}
+
+class addUserRequest {
+
+ public $intSid;
+ public $username;
+ public $password;
+
+}
+
+class deleteUserRequest {
+
+ public $intSid;
+ public $username;
+
+}
+
+class addInheritanceRequest {
+
+ public $intSid;
+ public $ascendant;
+ public $descendant;
+
+}
+
+class deleteInheritanceRequest {
+
+ public $intSid;
+ public $ascendant;
+ public $descendant;
+
+}
+
+class addAscendantRequest {
+
+ public $intSid;
+ public $ascendant;
+ public $descendant;
+
+}
+
+class addDescendantRequest {
+
+ public $intSid;
+ public $ascendant;
+ public $descendant;
+
+}
+
+class addRoleRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class deleteRoleRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class grantPermissionRequest {
+
+ public $intSid;
+ public $resource;
+ public $operation;
+ public $role;
+
+}
+
+class revokePermissionRequest {
+
+ public $intSid;
+ public $resource;
+ public $operation;
+ public $role;
+
+}
+
+class assignUserRequest {
+
+ public $intSid;
+ public $username;
+ public $role;
+
+}
+
+class deassignUserRequest {
+
+ public $intSid;
+ public $username;
+ public $role;
+
+}
+
+class sessionRolesRequest {
+
+ public $intSid;
+ public $sid;
+
+}
+
+class assignedRolesRequest {
+
+ public $intSid;
+ public $username;
+
+}
+
+class authorizedRolesRequest {
+
+ public $intSid;
+ public $username;
+
+}
+
+class roleOperationsOnObjectRequest {
+
+ public $intSid;
+ public $role;
+ public $resource;
+
+}
+
+class userOperationsOnObjectRequest {
+
+ public $intSid;
+ public $user;
+ public $resource;
+
+}
+
+class operationsetResponse {
+
+ public $operationset;
+
+}
+
+class assignedUsersRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class authorizedUsersRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class usersetResponse {
+
+ public $username;
+
+}
+
+class rolePermissionsRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class userPermissionsRequest {
+
+ public $intSid;
+ public $username;
+
+}
+
+class getLeaderRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class getObjectsRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class sessionPermissionsRequest {
+
+ public $intSid;
+ public $sid;
+
+}
+
+class rolesetResponse {
+
+ public $role;
+
+}
+
+class permissionsetResponse {
+
+ public $permissionset;
+
+}
+
+class resourcesetResponse {
+
+ public $resource;
+
+}
+
+class createProjectRequest {
+
+ public $auth;
+ public $log;
+ public $name;
+ public $description;
+
+}
+
+class registerResourceRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+ public $uri;
+
+}
+
+class unregisterResourceRequest {
+
+ public $auth;
+ public $log;
+ public $uri;
+
+}
+
+class addMemberRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+ public $username;
+
+}
+
+class deleteMemberRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+ public $username;
+
+}
+
+class createProjectResponse {
+
+ public $projectId;
+
+}
+
+class getAllProjectsResponse {
+
+ public $project;
+
+}
+
+class getAllProjectsRequest {
+
+ public $log;
+
+}
+
+class userExistsRequest {
+
+ public $auth;
+ public $log;
+ public $username;
+
+}
+
+
+class booleanResponse {
+
+ public $result;
+ public $errorCode;
+ public $errorDescription;
+
+}
+
+class filterBySidRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+ public $operation;
+
+}
+
+class filterResponse {
+
+ public $resource;
+
+}
+
+
+class permission {
+
+ public $resource;
+ public $operation;
+
+
+ public function __construct( $inOperation, $inResource ) {
+
+ $this->operation = $inOperation;
+ $this->resource = $inResource;
+
+ }
+
+}
+
+class projectInfo {
+
+ public $id;
+ public $description;
+ public $name;
+
+
+ public function __construct( $inId, $inName, $inDescription ) {
+
+ $this->id = $inId;
+ $this->description = $inDescription;
+ $this->name = $inName;
+
+ }
+
+}
+
+class checkXACMLaccessRequest {
+
+ public $request;
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgadministration.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgadministration.php
new file mode 100755
index 0000000..a127ca6
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgadministration.php
@@ -0,0 +1,26 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 17.07.2007
+// Modification date: 13.11.2007
+// Version: 1.0.0
+// #######################################################
+
+
+require_once( "soapTypes.inc.php" );
+require_once( "../rbac/RBAC.class.php" );
+require_once( "TgAdministration.class.php" );
+
+
+// Dont be so verbose with messages and notices.
+error_reporting( E_ERROR | E_USER_ERROR );
+
+
+// #############################################################
+// Starting SOAP-Server
+// #############################################################
+$server = new SoapServer( "http://rbac.textgrid.daasi.de/wsdl/tgadministration.wsdl" );
+$server->setClass( "TgAdministration", "../conf/rbacSoap.conf", "../conf/system.conf", "../rbac/" );
+
+$server->handle();
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgextra.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgextra.php
new file mode 100755
index 0000000..0679357
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgextra.php
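Review bot: `permission::__construct( $inOperation, $inResource )` takes its two arguments in the reverse of the order in which the class declares them (`$resource`, then `$operation`) and of the `resource`/`operation` order used by `grantPermissionRequest`, `revokePermissionRequest` and `filterBySidRequest` above; both are untyped strings, so a swapped call site fails silently, and either the parameter order should follow the declarations or a docblock should spell it out, e.g. `/** @param string $inOperation  @param string $inResource  (note: operation comes first) */`. None of the roughly sixty request/response classes says which SOAP operation it belongs to or how `intSid` differs from `sid` and `auth` from `log`, so a one-line class docblock per type would save the next reader a trip to the WSDL. `authenticateRequest::$password` holds a clear-text credential in a plain public property; a `// clear-text credential: never log or var_dump this object` comment on that class is cheap and worth adding.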
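Review bot: `new SoapServer( "http://rbac.textgrid.daasi.de/wsdl/tgadministration.wsdl" )` makes the server load its own service definition over plain HTTP from a remote host (at least whenever the WSDL cache is cold), so both availability and the integrity of the advertised interface depend on that host and the network path; this commit adds the same file under `rbacSoap/wsdl/tgadministration.wsdl`, so point the server at the local copy, e.g. `$server = new SoapServer( dirname( __FILE__ ) . "/wsdl/tgadministration.wsdl" );`. The `"../conf/rbacSoap.conf"`, `"../conf/system.conf"` and `"../rbac/"` arguments to `setClass()` are resolved against the process working directory rather than this file, which varies between SAPIs; anchor them with `dirname( __FILE__ )` as well. `error_reporting( E_ERROR | E_USER_ERROR )` silences every warning and notice raised while handling a request — they are neither shown nor logged — so consider keeping `error_reporting( E_ALL )` with `ini_set( 'display_errors', '0' )` and `log_errors` on, which keeps them out of the SOAP response but in the log. The same three points apply to tgextra.php, tgreview.php and tgsystem.php in this commit.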
@@ -0,0 +1,32 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 07.07.2007
+// Modification date: 13.11.2007
+// Version: 1.0.0
+// #######################################################
+
+
+require_once( "soapTypes.inc.php" );
+require_once( "../rbac/RBAC.class.php" );
+require_once( "TgExtra.class.php" );
+
+
+// Dont be so verbose with messages and notices.
+error_reporting( E_ERROR | E_USER_ERROR );
+
+
+// #############################################################
+// Starting SOAP-Server
+// #############################################################
+$server = new SoapServer( "http://rbac.textgrid.daasi.de/wsdl/tgextra.wsdl" );
+$server->setClass( "TgExtra", "../conf/rbacSoap.conf", "../conf/system.conf", "../rbac/" );
+
+
+$server->handle();
+/*
+$tge = new TgExtra( "../conf/rbacSoap.conf.xml", "../conf/system.conf.xml", "../rbac/" );
+$createProjectRequest = new CreateProjectRequest();
+$tge->createProject( $createProjectRequest );
+*/
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgreview.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgreview.php
new file mode 100755
index 0000000..efe360d
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgreview.php
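Review bot: The commented-out block after `$server->handle();` (`$tge = new TgExtra( "../conf/rbacSoap.conf.xml", ... )`) is dead code and names configuration files (`rbacSoap.conf.xml`, `system.conf.xml`) that differ from the `rbacSoap.conf`/`system.conf` the live `setClass()` call uses, so it will mislead whoever next touches the file; remove it, or move it into a separate script if a local smoke test of `createProject` is still wanted.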
@@ -0,0 +1,26 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 18.07.2007
+// Modification date: 13.11.2007
+// Version: 1.1.0
+// #######################################################
+
+
+require_once( "soapTypes.inc.php" );
+require_once( "../rbac/RBAC.class.php" );
+require_once( "TgReview.class.php" );
+
+
+// Dont be so verbose with messages and notices.
+error_reporting( E_ERROR | E_USER_ERROR );
+
+
+// #############################################################
+// Starting SOAP-Server
+// #############################################################
+$server = new SoapServer( "http://rbac.textgrid.daasi.de/wsdl/tgreview.wsdl" );
+$server->setClass( "TgReview", "../conf/rbacSoap.conf", "../conf/system.conf", "../rbac/" );
+
+$server->handle();
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgsystem.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgsystem.php
new file mode 100755
index 0000000..00873c1
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgsystem.php
@@ -0,0 +1,26 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 07.07.2007
+// Modification date: 13.11.2007
+// Version: 1.0.0
+// #######################################################
+
+
+require_once( "soapTypes.inc.php" );
+require_once( "../rbac/RBAC.class.php" );
+require_once( "TgSystem.class.php" );
+
+
+// Dont be so verbose with messages and notices.
+error_reporting( E_ERROR | E_USER_ERROR );
+
+
+// #############################################################
+// Starting SOAP-Server
+// #############################################################
+$server = new SoapServer( "http://rbac.textgrid.daasi.de/wsdl/tgsystem.wsdl" );
+$server->setClass( "TgSystem", "../conf/rbacSoap.conf", "../conf/system.conf", "../rbac/" );
+
+$server->handle();
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgadministration.wsdl b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgadministration.wsdl new file mode 100644 index 0000000..f5691c2 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgadministration.wsdl 
@@ -0,0 +1,555 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<wsdl:definitions name="tgadministration" + xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" + xmlns:tns="http://textgrid.info/namespaces/middleware/tgauth" + xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" + xmlns:xsd="http://www.w3.org/2001/XMLSchema" + targetNamespace="http://textgrid.info/namespaces/middleware/tgauth"> + + + <!-- + #################### + # Typ-Definitionen # + #################### + //--> + <wsdl:types> + <xsd:schema targetNamespace="http://textgrid.info/namespaces/middleware/tgauth"> + + <!-- #### addUser #### //--> + <xsd:element name="addUserRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="password" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### deleteUser #### //--> + <xsd:element name="deleteUserRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### addRole #### //--> + <xsd:element name="addRoleRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### deleteRole #### //--> + <xsd:element name="deleteRoleRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### assignUser #### //--> + <xsd:element 
name="assignUserRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### assignUser #### //--> + <xsd:element name="deassignUserRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### grantPermission #### //--> + <xsd:element name="grantPermissionRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="operation" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### revokePermission #### //--> + <xsd:element name="revokePermissionRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="operation" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### addInheritance #### //--> + <xsd:element name="addInheritanceRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="ascendant" 
type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="descendant" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### deleteInheritance #### //--> + <xsd:element name="deleteInheritanceRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="ascendant" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="descendant" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### addAscendant #### //--> + <xsd:element name="addAscendantRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="ascendant" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="descendant" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### addDescendant #### //--> + <xsd:element name="addDescendantRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="ascendant" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="descendant" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + + <xsd:element name="booleanResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="result" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + + <!-- #### rbacFault #### //--> + <xsd:element name="rbacFaultResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### authenticationFault #### //--> + <xsd:element 
name="authenticationFaultResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### formatFault #### //--> + <xsd:element name="formatFaultResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + </xsd:schema> + </wsdl:types> + + + <!-- + ################# + # WSDL-Messages # + ################# + //--> + + <!-- #### addUser #### //--> + <wsdl:message name="addUserRequest"> + <wsdl:part element="tns:addUserRequest" name="addUserInput" /> + </wsdl:message> + <wsdl:message name="addUserResponse"> + <wsdl:part element="tns:booleanResponse" name="addUserOutput" /> + </wsdl:message> + + <!-- #### deleteUser #### //--> + <wsdl:message name="deleteUserRequest"> + <wsdl:part element="tns:deleteUserRequest" name="deleteUserInput" /> + </wsdl:message> + <wsdl:message name="deleteUserResponse"> + <wsdl:part element="tns:booleanResponse" name="deleteUserOutput" /> + </wsdl:message> + + <!-- #### addRole #### //--> + <wsdl:message name="addRoleRequest"> + <wsdl:part element="tns:addRoleRequest" name="addRoleInput" /> + </wsdl:message> + <wsdl:message name="addRoleResponse"> + <wsdl:part element="tns:booleanResponse" name="addRoleOutput" /> + </wsdl:message> + + <!-- #### deleteRole #### //--> + <wsdl:message name="deleteRoleRequest"> + <wsdl:part element="tns:deleteRoleRequest" name="deleteRoleInput" /> + </wsdl:message> + <wsdl:message name="deleteRoleResponse"> + <wsdl:part element="tns:booleanResponse" name="deleteRoleOutput" /> + </wsdl:message> + + <!-- #### assignUser #### //--> + <wsdl:message name="assignUserRequest"> + <wsdl:part element="tns:assignUserRequest" name="assignUserInput" /> + </wsdl:message> + <wsdl:message name="assignUserResponse"> + <wsdl:part element="tns:booleanResponse" 
name="assignUserOutput" /> + </wsdl:message> + + <!-- #### deassignUser #### //--> + <wsdl:message name="deassignUserRequest"> + <wsdl:part element="tns:deassignUserRequest" name="deassignUserInput" /> + </wsdl:message> + <wsdl:message name="deassignUserResponse"> + <wsdl:part element="tns:booleanResponse" name="deassignUserOutput" /> + </wsdl:message> + + <!-- #### grantPermission #### //--> + <wsdl:message name="grantPermissionRequest"> + <wsdl:part element="tns:grantPermissionRequest" name="grantPermissionInput" /> + </wsdl:message> + <wsdl:message name="grantPermissionResponse"> + <wsdl:part element="tns:booleanResponse" name="grantPermissionOutput" /> + </wsdl:message> + + <!-- #### grantPermission #### //--> + <wsdl:message name="revokePermissionRequest"> + <wsdl:part element="tns:revokePermissionRequest" name="revokePermissionInput" /> + </wsdl:message> + <wsdl:message name="revokePermissionResponse"> + <wsdl:part element="tns:booleanResponse" name="revokePermissionOutput" /> + </wsdl:message> + + <!-- #### addInheritance #### //--> + <wsdl:message name="addInheritanceRequest"> + <wsdl:part element="tns:addInheritanceRequest" name="addInheritanceInput" /> + </wsdl:message> + <wsdl:message name="addInheritanceResponse"> + <wsdl:part element="tns:booleanResponse" name="addInheritanceOutput" /> + </wsdl:message> + + <!-- #### deleteInheritance #### //--> + <wsdl:message name="deleteInheritanceRequest"> + <wsdl:part element="tns:deleteInheritanceRequest" name="deleteInheritanceInput" /> + </wsdl:message> + <wsdl:message name="deleteInheritanceResponse"> + <wsdl:part element="tns:booleanResponse" name="deleteInheritanceOutput" /> + </wsdl:message> + + <!-- #### addAscendant #### //--> + <wsdl:message name="addAscendantRequest"> + <wsdl:part element="tns:addAscendantRequest" name="addAscendantInput" /> + </wsdl:message> + <wsdl:message name="addAscendantResponse"> + <wsdl:part element="tns:booleanResponse" name="addAscendantOutput" /> + </wsdl:message> + + <!-- 
#### addAscendant #### //--> + <wsdl:message name="addDescendantRequest"> + <wsdl:part element="tns:addDescendantRequest" name="addDescendantInput" /> + </wsdl:message> + <wsdl:message name="addDescendantResponse"> + <wsdl:part element="tns:booleanResponse" name="addDescendantOutput" /> + </wsdl:message> + + <!-- #### rbacFault #### //--> + <wsdl:message name="rbacFault"> + <wsdl:part element="tns:rbacFaultResponse" name="rbacFault" /> + </wsdl:message> + + <!-- #### authenticationFault #### //--> + <wsdl:message name="authenticationFault"> + <wsdl:part element="tns:authenticationFaultResponse" name="authenticationFault" /> + </wsdl:message> + + <!-- #### formatFault #### //--> + <wsdl:message name="formatFault"> + <wsdl:part element="tns:formatFaultResponse" name="formatFault" /> + </wsdl:message> + + + <!-- + ########################## + # Port-Type-Definitionen # + ########################## + //--> + <wsdl:portType name="port_tgadministration"> + + <!-- #### addUser #### //--> + <wsdl:operation name="addUser"> + <wsdl:input message="tns:addUserRequest" /> + <wsdl:output message="tns:addUserResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + <wsdl:fault name="formatFault" message="tns:formatFault" /> + </wsdl:operation> + + <!-- #### deleteUser #### //--> + <wsdl:operation name="deleteUser"> + <wsdl:input message="tns:deleteUserRequest" /> + <wsdl:output message="tns:deleteUserResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + <wsdl:fault name="formatFault" message="tns:formatFault" /> + </wsdl:operation> + + <!-- #### addRole #### //--> + <wsdl:operation name="addRole"> + <wsdl:input message="tns:addRoleRequest" /> + <wsdl:output message="tns:addRoleResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" 
message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### deleteRole #### //--> + <wsdl:operation name="deleteRole"> + <wsdl:input message="tns:deleteRoleRequest" /> + <wsdl:output message="tns:deleteRoleResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### assignUser #### //--> + <wsdl:operation name="assignUser"> + <wsdl:input message="tns:assignUserRequest" /> + <wsdl:output message="tns:assignUserResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + <wsdl:fault name="formatFault" message="tns:formatFault" /> + </wsdl:operation> + + <!-- #### deassignUser #### //--> + <wsdl:operation name="deassignUser"> + <wsdl:input message="tns:deassignUserRequest" /> + <wsdl:output message="tns:deassignUserResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + <wsdl:fault name="formatFault" message="tns:formatFault" /> + </wsdl:operation> + + <!-- #### grantPermission #### //--> + <wsdl:operation name="grantPermission"> + <wsdl:input message="tns:grantPermissionRequest" /> + <wsdl:output message="tns:grantPermissionResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### revokePermission #### //--> + <wsdl:operation name="revokePermission"> + <wsdl:input message="tns:revokePermissionRequest" /> + <wsdl:output message="tns:revokePermissionResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### addInheritance #### //--> + <wsdl:operation name="addInheritance"> + <wsdl:input 
message="tns:addInheritanceRequest" /> + <wsdl:output message="tns:addInheritanceResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### deleteInheritance #### //--> + <wsdl:operation name="deleteInheritance"> + <wsdl:input message="tns:deleteInheritanceRequest" /> + <wsdl:output message="tns:deleteInheritanceResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### addAscendant #### //--> + <wsdl:operation name="addAscendant"> + <wsdl:input message="tns:addAscendantRequest" /> + <wsdl:output message="tns:addAscendantResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### addDescendant #### //--> + <wsdl:operation name="addDescendant"> + <wsdl:input message="tns:addDescendantRequest" /> + <wsdl:output message="tns:addDescendantResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + </wsdl:portType> + + + + <!-- + ########### + # Binding # + ########### + //--> + <wsdl:binding name="binding_tgadministration" type="tns:port_tgadministration"> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" /> + + <!-- #### addUser #### //--> + <wsdl:operation name="addUser"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/addUser" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="formatFault"><soap:fault name="formatFault" use="literal"/></wsdl:fault> + 
<wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### deleteUser #### //-->
+ <wsdl:operation name="deleteUser">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/deleteUser" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="formatFault"><soap:fault name="formatFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### addRole #### //-->
+ <wsdl:operation name="addRole">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/addRole" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### deleteRole #### //-->
+ <wsdl:operation name="deleteRole">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/deleteRole" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### assignUser #### //-->
+ <wsdl:operation name="assignUser">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/assignUser" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="formatFault"><soap:fault name="formatFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### deassignUser #### //-->
+ <wsdl:operation name="deassignUser">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/deassignUser" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="formatFault"><soap:fault name="formatFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### grantPermission #### //-->
+ <wsdl:operation name="grantPermission">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/grantPermission" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### revokePermission #### //-->
+ <wsdl:operation name="revokePermission">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/revokePermission" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### addInheritance #### //-->
+ <wsdl:operation name="addInheritance">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/addInheritance" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### deleteInheritance #### //-->
+ <wsdl:operation name="deleteInheritance">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/deleteInheritance" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### addAscendant #### //-->
+ <wsdl:operation name="addAscendant">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/addAscendant" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### addDescendant #### //-->
+ <wsdl:operation name="addDescendant">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/addDescendant" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ </wsdl:binding>
+
+
+
+ <!--
+ #####################
+ # Servicedefinition #
+ #####################
+ //-->
+ <wsdl:service name="tgadministration">
+ <wsdl:port binding="tns:binding_tgadministration" name="tgadministration">
+ <soap:address location="http://rbac.textgrid.daasi.de/tgadministration.php" />
+ </wsdl:port>
+ </wsdl:service>
+
+</wsdl:definitions>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgextra.wsdl b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgextra.wsdl
new file mode 100644
index 0000000..6d024f7
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgextra.wsdl
@@ -0,0 +1,1090 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<wsdl:definitions name="tgextra"
+ xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+ xmlns:tns="http://textgrid.info/namespaces/middleware/tgauth"
+ xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ targetNamespace="http://textgrid.info/namespaces/middleware/tgauth">
+
+
+ <!--
+ ####################
+ # Typ-Definitionen #
+ ####################
+ //-->
+ <wsdl:types>
+ <xsd:schema targetNamespace="http://textgrid.info/namespaces/middleware/tgauth">
+
+ <!-- #### authenticate #### //-->
+ <xsd:element name="authenticateRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="password" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <xsd:element name="authenticateResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### userExists #### //-->
+ <xsd:element name="userExistsRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### createProject #### //-->
+ <xsd:element name="createProjectRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="name" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <xsd:element name="createProjectResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="projectId" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### filterBySid #### //-->
+ <xsd:element name="filterBySidRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="resource" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+ <xsd:element name="operation" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### addMember #### //-->
+ <xsd:element name="addMemberRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### deleteMember #### //-->
+ <xsd:element name="deleteMemberRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### getSid #### //-->
+ <xsd:element name="getSidResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="sid" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### registerResource #### //-->
+ <xsd:element name="registerResourceRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="project" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="uri" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### unregisterResource #### //-->
+ <xsd:element name="unregisterResourceRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="uri" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### getObjects #### //-->
+ <xsd:element name="getObjectsRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="project" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### getAllProjects #### //-->
+ <xsd:element name="getAllProjectsRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <xsd:element name="getAllProjectsResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="project" type="tns:projectInfo" minOccurs="0" maxOccurs="unbounded" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### tgCheckAccess #### //-->
+ <xsd:element name="tgCheckAccessRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="sid" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="operation" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### tgAddActiveRole #### //-->
+ <xsd:element name="tgAddActiveRoleRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### tgDropActiveRole #### //-->
+ <xsd:element name="tgDropActiveRoleRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### tgAssignedRoles #### //-->
+ <xsd:element name="tgAssignedRolesRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="username" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### tgAssignedProjects #### //-->
+ <xsd:element name="tgAssignedProjectsRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### getLeader #### //-->
+ <xsd:element name="getLeaderRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="project" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### tgGrantPermission #### //-->
+ <xsd:element name="tgGrantPermissionRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="operation" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### tgRevokePermission #### //-->
+ <xsd:element name="tgRevokePermissionRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="operation" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### getOwner #### //-->
+ <xsd:element name="getOwnerRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <xsd:element name="getOwnerResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="owner" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### getMembers #### //-->
+ <xsd:element name="getMembersRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="project" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### getRights #### //-->
+ <xsd:element name="getRightsRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="username" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### publish #### //-->
+ <xsd:element name="publishRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### isPublic #### //-->
+ <xsd:element name="isPublicRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### getProjectDescription #### //-->
+ <xsd:element name="getProjectDescriptionRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="project" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <xsd:element name="getProjectDescriptionResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="project" type="tns:projectInfo" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <!-- #### deactivateProject #### //-->
+ <xsd:element name="deactivateProjectRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="auth" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="log" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="project" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <xsd:element name="filterResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="resource" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <xsd:element name="booleanResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="result" type="xsd:boolean" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <xsd:element name="rolesetResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="role" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <xsd:element name="usersetResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="username" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <xsd:element name="resourcesetResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="resource" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <xsd:element name="operationsetResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="operation" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+
+ <xsd:complexType name="projectInfo">
+ <xsd:sequence>
+ <xsd:element name="id" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="name" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+
+
+ <!-- #### authenticationFault #### //-->
+ <xsd:element name="authenticationFaultResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### unknownResourceFault #### //-->
+ <xsd:element name="unknownResourceFaultResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### rbacFault #### //-->
+ <xsd:element name="rbacFaultResponse">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ </xsd:schema>
+ </wsdl:types>
+
+
+ <!--
+ #################
+ # WSDL-Messages #
+ #################
+ //-->
+
+ <!-- #### authenticate #### //-->
+ <wsdl:message name="authenticateRequest">
+ <wsdl:part element="tns:authenticateRequest" name="authenticateInput" />
+ </wsdl:message>
+ <wsdl:message name="authenticateResponse">
+ <wsdl:part element="tns:authenticateResponse" name="authenticateOutput" />
+ </wsdl:message>
+
+ <!-- #### userExists #### //-->
+ <wsdl:message name="userExistsRequest">
+ <wsdl:part element="tns:userExistsRequest" name="userExistsInput" />
+ </wsdl:message>
+ <wsdl:message name="userExistsResponse">
+ <wsdl:part element="tns:booleanResponse" name="userExistsOutput" />
+ </wsdl:message>
+
+ <!-- #### createProject #### //-->
+ <wsdl:message name="createProjectRequest">
+ <wsdl:part element="tns:createProjectRequest" name="createProjectInput" />
+ </wsdl:message>
+ <wsdl:message name="createProjectResponse">
+ <wsdl:part element="tns:createProjectResponse" name="createProjectOutput" />
+ </wsdl:message>
+
+ <!-- #### getObjects #### //-->
+ <wsdl:message name="getObjectsRequest">
+ <wsdl:part element="tns:getObjectsRequest" name="getObjectsInput" />
+ </wsdl:message>
+ <wsdl:message name="getObjectsResponse">
+ <wsdl:part element="tns:resourcesetResponse" name="getObjectsOutput" />
+ </wsdl:message>
+
+ <!-- #### addMember #### //-->
+ <wsdl:message name="addMemberRequest">
+ <wsdl:part element="tns:addMemberRequest" name="addMemberInput" />
+ </wsdl:message>
+ <wsdl:message name="addMemberResponse">
+ <wsdl:part element="tns:booleanResponse" name="addMemberOutput" />
+ </wsdl:message>
+
+ <!-- #### deleteMember #### //-->
+ <wsdl:message name="deleteMemberRequest">
+ <wsdl:part element="tns:deleteMemberRequest" name="deleteMemberInput" />
+ </wsdl:message>
+ <wsdl:message name="deleteMemberResponse">
+ <wsdl:part element="tns:booleanResponse" name="deleteMemberOutput" />
+ </wsdl:message>
+
+ <!-- #### tgCheckAccess #### //-->
+ <wsdl:message name="tgCheckAccessRequest">
+ <wsdl:part element="tns:tgCheckAccessRequest" name="tgCheckAccessInput" />
+ </wsdl:message>
+ <wsdl:message name="tgCheckAccessResponse">
+ <wsdl:part element="tns:booleanResponse" name="tgCheckAccessOutput" />
+ </wsdl:message>
+
+ <!-- #### tgAddActiveRole #### //-->
+ <wsdl:message name="tgAddActiveRoleRequest">
+ <wsdl:part element="tns:tgAddActiveRoleRequest" name="tgAddActiveRoleInput" />
+ </wsdl:message>
+ <wsdl:message name="tgAddActiveRoleResponse">
+ <wsdl:part element="tns:booleanResponse" name="tgAddActiveRoleOutput" />
+ </wsdl:message>
+
+ <!-- #### tgDropActiveRole #### //-->
+ <wsdl:message name="tgDropActiveRoleRequest">
+ <wsdl:part element="tns:tgDropActiveRoleRequest" name="tgDropActiveRoleInput" />
+ </wsdl:message>
+ <wsdl:message name="tgDropActiveRoleResponse">
+ <wsdl:part element="tns:booleanResponse" name="tgDropActiveRoleOutput" />
+ </wsdl:message>
+
+ <!-- #### tgAssignedRoles #### //-->
+ <wsdl:message name="tgAssignedRolesRequest">
+ <wsdl:part element="tns:tgAssignedRolesRequest" name="tgAssignedRolesInput" />
+ </wsdl:message>
+ <wsdl:message name="tgAssignedRolesResponse">
+ <wsdl:part element="tns:rolesetResponse" name="tgAssignedRolesOutput" />
+ </wsdl:message>
+
+ <!-- #### tgAssignedProjects #### //-->
+ <wsdl:message name="tgAssignedProjectsRequest">
+ <wsdl:part element="tns:tgAssignedProjectsRequest" name="tgAssignedProjectsInput" />
+ </wsdl:message>
+ <wsdl:message name="tgAssignedProjectsResponse">
+ <wsdl:part element="tns:rolesetResponse" name="tgAssignedProjectsOutput" />
+ </wsdl:message>
+
+ <!-- #### getAllProjects #### //-->
+ <wsdl:message name="getAllProjectsRequest">
+ <wsdl:part element="tns:getAllProjectsRequest" name="getAllProjectsInput" />
+ </wsdl:message>
+ <wsdl:message name="getAllProjectsResponse">
+ <wsdl:part element="tns:getAllProjectsResponse" name="getAllProjectsOutput" />
+ </wsdl:message>
+
+ <!-- #### getLeader #### //-->
+ <wsdl:message name="getLeaderRequest">
+ <wsdl:part element="tns:getLeaderRequest" name="getLeaderInput" />
+ </wsdl:message>
+ <wsdl:message name="getLeaderResponse">
+ <wsdl:part element="tns:usersetResponse" name="getLeaderOutput" />
+ </wsdl:message>
+
+ <!-- #### registerResource #### //-->
+ <wsdl:message name="registerResourceRequest">
+ <wsdl:part element="tns:registerResourceRequest" name="registerResourceInput" />
+ </wsdl:message>
+ <wsdl:message name="registerResourceResponse">
+ <wsdl:part element="tns:booleanResponse" name="registerResourceOutput" />
+ </wsdl:message>
+
+ <!-- #### unregisterResource #### //-->
+ <wsdl:message name="unregisterResourceRequest">
+ <wsdl:part element="tns:unregisterResourceRequest" name="unregisterResourceInput" />
+ </wsdl:message>
+ <wsdl:message name="unregisterResourceResponse">
+ <wsdl:part element="tns:booleanResponse" name="unregisterResourceOutput" />
+ </wsdl:message>
+
+ <!-- #### filterBySid #### //-->
+ <wsdl:message name="filterBySidRequest">
+ <wsdl:part element="tns:filterBySidRequest" name="filterBySidInput" />
+ </wsdl:message>
+ <wsdl:message name="filterBySidResponse">
+ <wsdl:part element="tns:filterResponse" name="filterBySidOutput" />
+ </wsdl:message>
+
+ <!-- #### tgGrantPermission #### //-->
+ <wsdl:message name="tgGrantPermissionRequest">
+ <wsdl:part element="tns:tgGrantPermissionRequest" name="tgGrantPermissionInput" />
+ </wsdl:message>
+ <wsdl:message name="tgGrantPermissionResponse">
+ <wsdl:part element="tns:booleanResponse" name="tgGrantPermissionOutput" />
+ </wsdl:message>
+
+ <!-- #### tgRevokePermission #### //-->
+ <wsdl:message name="tgRevokePermissionRequest">
+ <wsdl:part element="tns:tgRevokePermissionRequest" name="tgRevokePermissionInput" />
+ </wsdl:message>
+ <wsdl:message name="tgRevokePermissionResponse">
+ <wsdl:part element="tns:booleanResponse" name="tgRevokePermissionOutput" />
+ </wsdl:message>
+
+ <!-- #### getOwner #### //-->
+ <wsdl:message name="getOwnerRequest">
+ <wsdl:part element="tns:getOwnerRequest" name="getOwnerInput" />
+ </wsdl:message>
+ <wsdl:message name="getOwnerResponse">
+ <wsdl:part element="tns:getOwnerResponse" name="getOwnerOutput" />
+ </wsdl:message>
+
+ <!-- #### getMembers #### //-->
+ <wsdl:message name="getMembersRequest">
+ <wsdl:part element="tns:getMembersRequest" name="getMembersInput" />
+ </wsdl:message>
+ <wsdl:message name="getMembersResponse">
+ <wsdl:part element="tns:usersetResponse" name="getMembersOutput" />
+ </wsdl:message>
+
+ <!-- #### getRights #### //-->
+ <wsdl:message name="getRightsRequest">
+ <wsdl:part element="tns:getRightsRequest" name="getRightsInput" />
+ </wsdl:message>
+ <wsdl:message name="getRightsResponse">
+ <wsdl:part element="tns:operationsetResponse" name="getRightsOutput" />
+ </wsdl:message>
+
+ <!-- #### publish #### //-->
+ <wsdl:message name="publishRequest">
+ <wsdl:part element="tns:publishRequest" name="publishInput" />
+ </wsdl:message>
+ <wsdl:message name="publishResponse">
+ <wsdl:part element="tns:booleanResponse" name="publishOutput" />
+ </wsdl:message>
+
+ <!-- #### isPublic #### //-->
+ <wsdl:message name="isPublicRequest">
+ <wsdl:part element="tns:isPublicRequest" name="isPublicInput" />
+ </wsdl:message>
+ <wsdl:message name="isPublicResponse">
+ <wsdl:part element="tns:booleanResponse" name="isPublicOutput" />
+ </wsdl:message>
+
+ <!-- #### getProjectDescription #### //-->
+ <wsdl:message name="getProjectDescriptionRequest">
+ <wsdl:part element="tns:getProjectDescriptionRequest" name="getProjectDescriptionInput" />
+ </wsdl:message>
+ <wsdl:message name="getProjectDescriptionResponse">
+ <wsdl:part element="tns:getProjectDescriptionResponse" name="getProjectDescriptionOutput" />
+ </wsdl:message>
+
+ <!-- #### deactivateProject #### //-->
+ <wsdl:message name="deactivateProjectRequest">
+ <wsdl:part element="tns:deactivateProjectRequest" name="deactivateProjectInput" />
+ </wsdl:message>
+ <wsdl:message name="deactivateProjectResponse">
+ <wsdl:part element="tns:booleanResponse" name="deactivateProjectOutput" />
+ </wsdl:message>
+
+ <!-- #### getSid #### //-->
+ <wsdl:message name="getSidResponse">
+ <wsdl:part element="tns:getSidResponse" name="getSidOutput" />
+ </wsdl:message>
+
+ <!-- #### authenticationFault #### //-->
+ <wsdl:message name="authenticationFault">
+ <wsdl:part element="tns:authenticationFaultResponse" name="authenticationFault" />
+ </wsdl:message>
+
+ <!-- #### unknownResourceFault #### //-->
+ <wsdl:message name="unknownResourceFault">
+ <wsdl:part element="tns:unknownResourceFaultResponse" name="unknownResourceFault" />
+ </wsdl:message>
+
+ <!-- #### rbacFault #### //-->
+ <wsdl:message name="rbacFault">
+ <wsdl:part element="tns:rbacFaultResponse" name="rbacFault" />
+ </wsdl:message>
+
+
+
+ <!--
+ ##########################
+ # Port-Type-Definitionen #
+ ##########################
+ //-->
+ <wsdl:portType name="port_tgextra">
+
+ <!-- #### authenticate #### //-->
+ <wsdl:operation name="authenticate">
+ <wsdl:input message="tns:authenticateRequest" />
+ <wsdl:output message="tns:authenticateResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### userExists #### //-->
+ <wsdl:operation name="userExists">
+ <wsdl:input message="tns:userExistsRequest" />
+ <wsdl:output message="tns:userExistsResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### createProject #### //-->
+ <wsdl:operation name="createProject">
+ <wsdl:input message="tns:createProjectRequest" />
+ <wsdl:output message="tns:createProjectResponse" />
+ </wsdl:operation>
+
+ <!-- #### getObjects #### //-->
+ <wsdl:operation name="getObjects">
+ <wsdl:input message="tns:getObjectsRequest" />
+ <wsdl:output message="tns:getObjectsResponse" />
+ </wsdl:operation>
+
+ <!-- #### addMember #### //-->
+ <wsdl:operation name="addMember">
+ <wsdl:input message="tns:addMemberRequest" />
+ <wsdl:output message="tns:addMemberResponse" />
+ <wsdl:fault name="rbacFault" message="tns:rbacFault" />
+ </wsdl:operation>
+
+ <!-- #### deleteMember #### //-->
+ <wsdl:operation name="deleteMember">
+ <wsdl:input message="tns:deleteMemberRequest" />
+ <wsdl:output message="tns:deleteMemberResponse" />
+ </wsdl:operation>
+
+ <!-- #### tgAddActiveRole #### //-->
+ <wsdl:operation name="tgAddActiveRole">
+ <wsdl:input message="tns:tgAddActiveRoleRequest" />
+ <wsdl:output message="tns:tgAddActiveRoleResponse" />
+ </wsdl:operation>
+
+ <!-- #### tgDropActiveRole #### //-->
+ <wsdl:operation name="tgDropActiveRole">
+ <wsdl:input message="tns:tgDropActiveRoleRequest" />
+ <wsdl:output message="tns:tgDropActiveRoleResponse" />
+ </wsdl:operation>
+
+ <!-- #### tgCheckAccess #### //-->
+ <wsdl:operation name="tgCheckAccess">
+ <wsdl:input message="tns:tgCheckAccessRequest" />
+ <wsdl:output message="tns:tgCheckAccessResponse" />
+ </wsdl:operation>
+
+ <!-- #### tgAssignedRoles #### //-->
+ <wsdl:operation name="tgAssignedRoles">
+ <wsdl:input message="tns:tgAssignedRolesRequest" />
+ <wsdl:output message="tns:tgAssignedRolesResponse" />
+ </wsdl:operation>
+
+ <!-- #### tgAssignedProjects #### //-->
+ <wsdl:operation name="tgAssignedProjects">
+ <wsdl:input message="tns:tgAssignedProjectsRequest" />
+ <wsdl:output message="tns:tgAssignedProjectsResponse" />
+ </wsdl:operation>
+
+ <!-- #### getAllProjects #### //-->
+ <wsdl:operation name="getAllProjects">
+ <wsdl:input message="tns:getAllProjectsRequest" />
+ <wsdl:output message="tns:getAllProjectsResponse" />
+ </wsdl:operation>
+
+ <!-- #### getLeader #### //-->
+ <wsdl:operation name="getLeader">
+ <wsdl:input message="tns:getLeaderRequest" />
+ <wsdl:output message="tns:getLeaderResponse" />
+ </wsdl:operation>
+
+ <!-- #### registerResource #### //-->
+ <wsdl:operation name="registerResource">
+ <wsdl:input message="tns:registerResourceRequest" />
+ <wsdl:output message="tns:registerResourceResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### unregisterResource #### //-->
+ <wsdl:operation name="unregisterResource">
+ <wsdl:input message="tns:unregisterResourceRequest" />
+ <wsdl:output message="tns:unregisterResourceResponse" />
+ <wsdl:fault name="unknownResourceFault" message="tns:unknownResourceFault" />
+ </wsdl:operation>
+
+ <!-- #### filterBySid #### //-->
+ <wsdl:operation name="filterBySid">
+ <wsdl:input message="tns:filterBySidRequest" />
+ <wsdl:output message="tns:filterBySidResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### tgGrantPermission #### //-->
+ <wsdl:operation name="tgGrantPermission">
+ <wsdl:input message="tns:tgGrantPermissionRequest" />
+ <wsdl:output message="tns:tgGrantPermissionResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### tgRevokePermission #### //-->
+ <wsdl:operation name="tgRevokePermission">
+ <wsdl:input message="tns:tgRevokePermissionRequest" />
+ <wsdl:output message="tns:tgRevokePermissionResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### getOwner #### //-->
+ <wsdl:operation name="getOwner">
+ <wsdl:input message="tns:getOwnerRequest" />
+ <wsdl:output message="tns:getOwnerResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### getMembers #### //-->
+ <wsdl:operation name="getMembers">
+ <wsdl:input message="tns:getMembersRequest" />
+ <wsdl:output message="tns:getMembersResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### getRights #### //-->
+ <wsdl:operation name="getRights">
+ <wsdl:input message="tns:getRightsRequest" />
+ <wsdl:output message="tns:getRightsResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### publish #### //-->
+ <wsdl:operation name="publish">
+ <wsdl:input message="tns:publishRequest" />
+ <wsdl:output message="tns:publishResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### isPublic #### //-->
+ <wsdl:operation name="isPublic">
+ <wsdl:input message="tns:isPublicRequest" />
+ <wsdl:output message="tns:isPublicResponse" />
+ </wsdl:operation>
+
+ <!-- #### deactivateProject #### //-->
+ <wsdl:operation name="deactivateProject">
+ <wsdl:input message="tns:deactivateProjectRequest" />
+ <wsdl:output message="tns:deactivateProjectResponse" />
+ <wsdl:fault name="authenticationFault" message="tns:authenticationFault" />
+ </wsdl:operation>
+
+ <!-- #### getProjectDescription #### //-->
+ <wsdl:operation name="getProjectDescription">
+ <wsdl:input message="tns:getProjectDescriptionRequest" />
+ <wsdl:output message="tns:getProjectDescriptionResponse" />
+ </wsdl:operation>
+
+ <!-- #### getSid #### //-->
+ <wsdl:operation name="getSid">
+ <wsdl:output message="tns:getSidResponse" />
+ </wsdl:operation>
+
+ </wsdl:portType>
+
+
+
+ <!--
+ ###########
+ # Binding #
+ ###########
+ //-->
+ <wsdl:binding name="binding_tgextra" type="tns:port_tgextra">
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
+
+ <!-- #### authenticate #### //-->
+ <wsdl:operation name="authenticate">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/authenticate" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### userExists #### //-->
+ <wsdl:operation name="userExists">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/userExists" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### createProject #### //-->
+ <wsdl:operation name="createProject">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/createProject" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ </wsdl:operation>
+
+ <!-- #### getObjects
#### //--> + <wsdl:operation name="getObjects"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/getObjects" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### addMember #### //--> + <wsdl:operation name="addMember"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/addMember" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### deleteMember #### //--> + <wsdl:operation name="deleteMember"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/deleteMember" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### tgAddActiveRole #### //--> + <wsdl:operation name="tgAddActiveRole"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/tgAddActiveRole" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### tgDropActiveRole #### //--> + <wsdl:operation name="tgDropActiveRole"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/tgDropActiveRole" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### tgCheckAccess #### //--> + <wsdl:operation name="tgCheckAccess"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/tgCheckAccess" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### tgAssignedRoles #### //--> + <wsdl:operation name="tgAssignedRoles"> + 
<soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/tgAssignedRoles" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### tgAssignedProjects #### //--> + <wsdl:operation name="tgAssignedProjects"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/tgAssignedProjects" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### getAllProjects #### //--> + <wsdl:operation name="getAllProjects"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/getAllProjects" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### getLeader #### //--> + <wsdl:operation name="getLeader"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/getLeader" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### registerResource #### //--> + <wsdl:operation name="registerResource"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/registerResource" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### unregisterResource #### //--> + <wsdl:operation name="unregisterResource"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/unregisterResource" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="unknownResourceFault"><soap:fault name="unknownResourceFault" 
use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### filterBySid #### //--> + <wsdl:operation name="filterBySid"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/filterBySid" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### tgGrantPermission #### //--> + <wsdl:operation name="tgGrantPermission"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/tgGrantPermission" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### tgRevokePermission #### //--> + <wsdl:operation name="tgRevokePermission"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/tgRevokePermission" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### getOwner #### //--> + <wsdl:operation name="getOwner"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/getOwner" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### getMembers #### //--> + <wsdl:operation name="getMembers"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/getMembers" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" 
/></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### getRights #### //--> + <wsdl:operation name="getRights"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/getRights" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### publish #### //--> + <wsdl:operation name="publish"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/publish" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### isPublic #### //--> + <wsdl:operation name="isPublic"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/isPublic" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### getProjectDescription #### //--> + <wsdl:operation name="getProjectDescription"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/getProjectDescription" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + </wsdl:operation> + + <!-- #### deactivateProject #### //--> + <wsdl:operation name="deactivateProject"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/deactivateProject" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault> + 
</wsdl:operation>
+
+ <!-- #### getSid #### //-->
+ <wsdl:operation name="getSid">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/getSid" />
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ </wsdl:operation>
+
+ </wsdl:binding>
+
+
+
+ <!--
+ #####################
+ # Servicedefinition #
+ #####################
+ //-->
+ <wsdl:service name="tgextra">
+ <wsdl:port binding="tns:binding_tgextra" name="tgextra">
+ <soap:address location="http://rbac.textgrid.daasi.de/tgextra.php" />
+ </wsdl:port>
+ </wsdl:service>
+
+</wsdl:definitions>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgreview.wsdl b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgreview.wsdl
new file mode 100644
index 0000000..0e67483
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgreview.wsdl
@@ -0,0 +1,497 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<wsdl:definitions name="tgreview"
+ xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+ xmlns:tns="http://textgrid.info/namespaces/middleware/tgauth"
+ xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ targetNamespace="http://textgrid.info/namespaces/middleware/tgauth">
+
+
+ <!--
+ ####################
+ # Typ-Definitionen #
+ ####################
+ //-->
+ <wsdl:types>
+ <xsd:schema targetNamespace="http://textgrid.info/namespaces/middleware/tgauth">
+
+ <!-- #### sessionRoles #### //-->
+ <xsd:element name="sessionRolesRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="sid" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### assignedRoles #### //-->
+ <xsd:element name="assignedRolesRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### authorizedRoles #### //-->
+ <xsd:element name="authorizedRolesRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### authorizedUsers #### //-->
+ <xsd:element name="authorizedUsersRequest">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+
+ <!-- #### rolePermissions #### //-->
+ <xsd:element name="rolePermissionsRequest">
+
<xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### userPermissions #### //--> + <xsd:element name="userPermissionsRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### sessionPermissions #### //--> + <xsd:element name="sessionPermissionsRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="sid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### assignedUsers #### //--> + <xsd:element name="assignedUsersRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### roleOperationsOnObject #### //--> + <xsd:element name="roleOperationsOnObjectRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### userOperationsOnObject #### //--> + <xsd:element name="userOperationsOnObjectRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="user" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element 
name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + + <xsd:element name="operationsetResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="operationset" type="xsd:string" minOccurs="0" maxOccurs="unbounded" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <xsd:element name="permissionsetResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="permissionset" type="tns:permission" minOccurs="0" maxOccurs="unbounded" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <xsd:element name="rolesetResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="role" type="xsd:string" minOccurs="0" maxOccurs="unbounded" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <xsd:element name="usersetResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="username" type="xsd:string" minOccurs="0" maxOccurs="unbounded" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <xsd:element name="booleanResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="result" type="xsd:boolean" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + + <xsd:element name="permission"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="operation" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + + <!-- #### rbacFault #### //--> + <xsd:element name="rbacFaultResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### authenticationFault #### //--> + <xsd:element name="authenticationFaultResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" /> + 
</xsd:sequence> + </xsd:complexType> + </xsd:element> + + </xsd:schema> + + </wsdl:types> + + + <!-- + ################# + # WSDL-Messages # + ################# + //--> + + <!-- #### sessionRoles #### //--> + <wsdl:message name="sessionRolesRequest"> + <wsdl:part element="tns:sessionRolesRequest" name="sessionRolesInput" /> + </wsdl:message> + <wsdl:message name="sessionRolesResponse"> + <wsdl:part element="tns:rolesetResponse" name="sessionRolesOutput" /> + </wsdl:message> + + <!-- #### assignedRoles #### //--> + <wsdl:message name="assignedRolesRequest"> + <wsdl:part element="tns:assignedRolesRequest" name="assignedRolesInput" /> + </wsdl:message> + <wsdl:message name="assignedRolesResponse"> + <wsdl:part element="tns:rolesetResponse" name="assignedRolesOutput" /> + </wsdl:message> + + <!-- #### authorizedRoles #### //--> + <wsdl:message name="authorizedRolesRequest"> + <wsdl:part element="tns:authorizedRolesRequest" name="authorizedRolesInput" /> + </wsdl:message> + <wsdl:message name="authorizedRolesResponse"> + <wsdl:part element="tns:rolesetResponse" name="authorizedRolesOutput" /> + </wsdl:message> + + <!-- #### authorizedUsers #### //--> + <wsdl:message name="authorizedUsersRequest"> + <wsdl:part element="tns:authorizedUsersRequest" name="authorizedUsersInput" /> + </wsdl:message> + <wsdl:message name="authorizedUsersResponse"> + <wsdl:part element="tns:usersetResponse" name="authorizedUsersOutput" /> + </wsdl:message> + + <!-- #### rolePermissions #### //--> + <wsdl:message name="rolePermissionsRequest"> + <wsdl:part element="tns:rolePermissionsRequest" name="rolePermissionsInput" /> + </wsdl:message> + <wsdl:message name="rolePermissionsResponse"> + <wsdl:part element="tns:permissionsetResponse" name="rolePermissionsOutput" /> + </wsdl:message> + + <!-- #### userPermissions #### //--> + <wsdl:message name="userPermissionsRequest"> + <wsdl:part element="tns:userPermissionsRequest" name="userPermissionsInput" /> + </wsdl:message> + <wsdl:message 
name="userPermissionsResponse"> + <wsdl:part element="tns:permissionsetResponse" name="userPermissionsOutput" /> + </wsdl:message> + + <!-- #### sessionPermissions #### //--> + <wsdl:message name="sessionPermissionsRequest"> + <wsdl:part element="tns:sessionPermissionsRequest" name="sessionPermissionsInput" /> + </wsdl:message> + <wsdl:message name="sessionPermissionsResponse"> + <wsdl:part element="tns:permissionsetResponse" name="sessionPermissionsOutput" /> + </wsdl:message> + + <!-- #### assignedUsers #### //--> + <wsdl:message name="assignedUsersRequest"> + <wsdl:part element="tns:assignedUsersRequest" name="assignedUsersInput" /> + </wsdl:message> + <wsdl:message name="assignedUsersResponse"> + <wsdl:part element="tns:usersetResponse" name="assignedUsersOutput" /> + </wsdl:message> + + <!-- #### roleOperationsOnObject #### //--> + <wsdl:message name="roleOperationsOnObjectRequest"> + <wsdl:part element="tns:roleOperationsOnObjectRequest" name="roleOperationsOnObjectInput" /> + </wsdl:message> + <wsdl:message name="roleOperationsOnObjectResponse"> + <wsdl:part element="tns:operationsetResponse" name="roleOperationsOnObjectOutput" /> + </wsdl:message> + + <!-- #### userOperationsOnObject #### //--> + <wsdl:message name="userOperationsOnObjectRequest"> + <wsdl:part element="tns:userOperationsOnObjectRequest" name="userOperationsOnObjectInput" /> + </wsdl:message> + <wsdl:message name="userOperationsOnObjectResponse"> + <wsdl:part element="tns:operationsetResponse" name="userOperationsOnObjectOutput" /> + </wsdl:message> + + <!-- #### rbacFault #### //--> + <wsdl:message name="rbacFault"> + <wsdl:part element="tns:rbacFaultResponse" name="rbacFault" /> + </wsdl:message> + + <!-- #### authenticationFault #### //--> + <wsdl:message name="authenticationFault"> + <wsdl:part element="tns:authenticationFaultResponse" name="authenticationFault" /> + </wsdl:message> + + + <!-- + ########################## + # Port-Type-Definitionen # + ########################## + //--> 
+ <wsdl:portType name="port_tgreview"> + + <!-- #### sessionRoles #### //--> + <wsdl:operation name="sessionRoles"> + <wsdl:input message="tns:sessionRolesRequest" /> + <wsdl:output message="tns:sessionRolesResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### assignedRoles #### //--> + <wsdl:operation name="assignedRoles"> + <wsdl:input message="tns:assignedRolesRequest" /> + <wsdl:output message="tns:assignedRolesResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### authorizedRoles #### //--> + <wsdl:operation name="authorizedRoles"> + <wsdl:input message="tns:authorizedRolesRequest" /> + <wsdl:output message="tns:authorizedRolesResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### authorizedUsers #### //--> + <wsdl:operation name="authorizedUsers"> + <wsdl:input message="tns:authorizedUsersRequest" /> + <wsdl:output message="tns:authorizedUsersResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### rolePermissions #### //--> + <wsdl:operation name="rolePermissions"> + <wsdl:input message="tns:rolePermissionsRequest" /> + <wsdl:output message="tns:rolePermissionsResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### userPermissions #### //--> + <wsdl:operation name="userPermissions"> + <wsdl:input message="tns:userPermissionsRequest" /> + <wsdl:output message="tns:userPermissionsResponse" /> + <wsdl:fault name="rbacFault" 
message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### sessionPermissions #### //--> + <wsdl:operation name="sessionPermissions"> + <wsdl:input message="tns:sessionPermissionsRequest" /> + <wsdl:output message="tns:sessionPermissionsResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### assignedUsers #### //--> + <wsdl:operation name="assignedUsers"> + <wsdl:input message="tns:assignedUsersRequest" /> + <wsdl:output message="tns:assignedUsersResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### roleOperationsOnOBject #### //--> + <wsdl:operation name="roleOperationsOnObject"> + <wsdl:input message="tns:roleOperationsOnObjectRequest" /> + <wsdl:output message="tns:roleOperationsOnObjectResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### userOperationsOnOBject #### //--> + <wsdl:operation name="userOperationsOnObject"> + <wsdl:input message="tns:userOperationsOnObjectRequest" /> + <wsdl:output message="tns:userOperationsOnObjectResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + </wsdl:portType> + + + + <!-- + ########### + # Binding # + ########### + //--> + <wsdl:binding name="binding_tgreview" type="tns:port_tgreview"> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" /> + + <!-- #### sessionRoles #### //--> + <wsdl:operation name="sessionRoles"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/sessionRoles" /> + 
<wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### assignedRoles #### //--> + <wsdl:operation name="assignedRoles"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/assignedRoles" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### authorizedRoles #### //--> + <wsdl:operation name="authorizedRoles"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/authorizedRoles" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### authorizedUsers #### //--> + <wsdl:operation name="authorizedUsers"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/authorizedUsers" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### rolePermissions #### //--> + <wsdl:operation name="rolePermissions"> + <soap:operation 
soapAction="http://textgrid.info/namespaces/middleware/tgauth/rolePermissions" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### userPermissions #### //--> + <wsdl:operation name="userPermissions"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/userPermissions" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### sessionPermissions #### //--> + <wsdl:operation name="sessionPermissions"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/sessionPermissions" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### assignedUsers #### //--> + <wsdl:operation name="assignedUsers"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/assignedUsers" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### roleOperationsOnObject #### //--> + <wsdl:operation 
name="roleOperationsOnObject">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/roleOperationsOnObject" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ <!-- #### userOperationsOnObject #### //-->
+ <wsdl:operation name="userOperationsOnObject">
+ <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/userOperationsOnObject" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault>
+ </wsdl:operation>
+
+ </wsdl:binding>
+
+
+
+ <!--
+ #####################
+ # Servicedefinition #
+ #####################
+ //-->
+ <wsdl:service name="tgreview">
+ <wsdl:port binding="tns:binding_tgreview" name="tns:tgreview">
+ <soap:address location="http://rbac.textgrid.daasi.de/tgreview.php" />
+ </wsdl:port>
+ </wsdl:service>
+
+</wsdl:definitions>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgsystem.wsdl b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgsystem.wsdl
new file mode 100644
index 0000000..fe4f886
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/tgsystem.wsdl
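Review bot: In the binding section of tgreview.wsdl every `authenticationFault` entry wraps `<soap:fault name="rbacFault" use="literal"/>`; the soap:fault name must equal the enclosing wsdl:fault name, so each of the ten operations should read `<wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>`, as tgextra.wsdl already does. In the schema, `permissionsetResponse` references `type="tns:permission"`, but `permission` is only declared as an element with an anonymous complexType, so that type reference resolves to nothing; either declare `<xsd:complexType name="permission">` and keep the type reference, or change the sequence entry to `<xsd:element ref="tns:permission" minOccurs="0" maxOccurs="unbounded" />`. The service port is declared `name="tns:tgreview"`, which is not an NCName (the sibling file uses `name="tgextra"`) and should be `name="tgreview"`. Every request in this file carries `intSid`/`sid`, yet `soap:address` advertises a plain `http://` location; unless clients override the address or the endpoint is reachable only over a trusted network, those session identifiers travel unencrypted, so an `https://` location is worth pinning here. The portType comments also spell `OnOBject` for the two OperationsOnObject operations.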
@@ -0,0 +1,284 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<wsdl:definitions name="tgsystem" + xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" + xmlns:tns="http://textgrid.info/namespaces/middleware/tgauth" + xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" + xmlns:xsd="http://www.w3.org/2001/XMLSchema" + targetNamespace="http://textgrid.info/namespaces/middleware/tgauth"> + + + <!-- + #################### + # Typ-Definitionen # + #################### + //--> + <wsdl:types> + <xsd:schema targetNamespace="http://textgrid.info/namespaces/middleware/tgauth"> + + <!-- #### createSession #### //--> + <xsd:element name="createSessionRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="roleset" type="xsd:string" minOccurs="0" maxOccurs="unbounded" /> + <xsd:element name="sid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### deleteSession #### //--> + <xsd:element name="deleteSessionRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="sid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### addActiveRole #### //--> + <xsd:element name="addActiveRoleRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="sid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### dropActiveRole #### //--> + 
<xsd:element name="dropActiveRoleRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="username" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="sid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="role" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### checkAccess #### //--> + <xsd:element name="checkAccessRequest"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="intSid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="sid" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="operation" type="xsd:string" minOccurs="1" maxOccurs="1" /> + <xsd:element name="resource" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <xsd:element name="booleanResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="result" type="xsd:boolean" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + + <!-- #### rbacFault #### //--> + <xsd:element name="rbacFaultResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + <!-- #### authenticationFault #### //--> + <xsd:element name="authenticationFaultResponse"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="fault" type="xsd:string" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + + </xsd:schema> + + </wsdl:types> + + + <!-- + ################# + # WSDL-Messages # + ################# + //--> + + <!-- #### createSession #### //--> + <wsdl:message name="createSessionRequest"> + <wsdl:part element="tns:createSessionRequest" name="createSessionInput" /> + </wsdl:message> + <wsdl:message name="createSessionResponse"> + 
<wsdl:part element="tns:booleanResponse" name="createSessionOutput" /> + </wsdl:message> + + <!-- #### deleteSession #### //--> + <wsdl:message name="deleteSessionRequest"> + <wsdl:part element="tns:deleteSessionRequest" name="deleteSessionInput" /> + </wsdl:message> + <wsdl:message name="deleteSessionResponse"> + <wsdl:part element="tns:booleanResponse" name="deleteSessionOutput" /> + </wsdl:message> + + <!-- #### addActiveRole #### //--> + <wsdl:message name="addActiveRoleRequest"> + <wsdl:part element="tns:addActiveRoleRequest" name="addActiveRoleInput" /> + </wsdl:message> + <wsdl:message name="addActiveRoleResponse"> + <wsdl:part element="tns:booleanResponse" name="addActiveRoleOutput" /> + </wsdl:message> + + <!-- #### dropActiveRole #### //--> + <wsdl:message name="dropActiveRoleRequest"> + <wsdl:part element="tns:dropActiveRoleRequest" name="dropActiveRoleInput" /> + </wsdl:message> + <wsdl:message name="dropActiveRoleResponse"> + <wsdl:part element="tns:booleanResponse" name="dropActiveRoleOutput" /> + </wsdl:message> + + <!-- #### checkAccess #### //--> + <wsdl:message name="checkAccessRequest"> + <wsdl:part element="tns:checkAccessRequest" name="checkAccessInput" /> + </wsdl:message> + <wsdl:message name="checkAccessResponse"> + <wsdl:part element="tns:booleanResponse" name="checkAccessOutput" /> + </wsdl:message> + + <!-- #### rbacFault #### //--> + <wsdl:message name="rbacFault"> + <wsdl:part element="tns:rbacFaultResponse" name="rbacFault" /> + </wsdl:message> + + <!-- #### authenticationFault #### //--> + <wsdl:message name="authenticationFault"> + <wsdl:part element="tns:authenticationFaultResponse" name="authenticationFault" /> + </wsdl:message> + + + <!-- + ########################## + # Port-Type-Definitionen # + ########################## + //--> + <wsdl:portType name="port_tgsystem"> + + <!-- #### createSession #### //--> + <wsdl:operation name="createSession"> + <wsdl:input message="tns:createSessionRequest" /> + <wsdl:output 
message="tns:createSessionResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### deleteSession #### //--> + <wsdl:operation name="deleteSession"> + <wsdl:input message="tns:deleteSessionRequest" /> + <wsdl:output message="tns:deleteSessionResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### addActiveRole #### //--> + <wsdl:operation name="addActiveRole"> + <wsdl:input message="tns:addActiveRoleRequest" /> + <wsdl:output message="tns:addActiveRoleResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + </wsdl:operation> + + <!-- #### addActiveRole #### //--> + <wsdl:operation name="dropActiveRole"> + <wsdl:input message="tns:dropActiveRoleRequest" /> + <wsdl:output message="tns:dropActiveRoleResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + <!-- #### checkAccess #### //--> + <wsdl:operation name="checkAccess"> + <wsdl:input message="tns:checkAccessRequest" /> + <wsdl:output message="tns:checkAccessResponse" /> + <wsdl:fault name="rbacFault" message="tns:rbacFault" /> + <wsdl:fault name="authenticationFault" message="tns:authenticationFault" /> + </wsdl:operation> + + </wsdl:portType> + + + + <!-- + ########### + # Binding # + ########### + //--> + <wsdl:binding name="binding_tgsystem" type="tns:port_tgsystem"> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" /> + + <!-- #### createSession #### //--> + <wsdl:operation name="createSession"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/createSession" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> 
+ <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### deleteSession #### //--> + <wsdl:operation name="deleteSession"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/deleteSession" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### addActiveRole #### //--> + <wsdl:operation name="addActiveRole"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/addActiveRole" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### dropActiveRole #### //--> + <wsdl:operation name="dropActiveRole"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/dropActiveRole" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + <!-- #### checkAccess #### //--> + <wsdl:operation name="checkAccess"> + <soap:operation soapAction="http://textgrid.info/namespaces/middleware/tgauth/checkAccess" /> + <wsdl:input><soap:body use="literal" /></wsdl:input> + <wsdl:output><soap:body use="literal" /></wsdl:output> + <wsdl:fault name="rbacFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + <wsdl:fault 
name="authenticationFault"><soap:fault name="rbacFault" use="literal"/></wsdl:fault> + </wsdl:operation> + + </wsdl:binding> + + + + <!-- + ##################### + # Servicedefinition # + ##################### + //--> + <wsdl:service name="tgsystem"> + <wsdl:port binding="tns:binding_tgsystem" name="tgsystem"> + <soap:address location="http://rbac.textgrid.daasi.de/tgsystem.php" /> + </wsdl:port> + </wsdl:service> + +</wsdl:definitions> diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/xacml.wsdl b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/xacml.wsdl new file mode 100644 index 0000000..27c3828 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/xacml.wsdl 
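Review bot: Every `authenticationFault` in the binding section is bound as `<soap:fault name="rbacFault" use="literal"/>` (first at createSession, then deleteSession, dropActiveRole and checkAccess); WSDL 1.1 requires the soap:fault name to match the enclosing wsdl:fault name, so each should read `<wsdl:fault name="authenticationFault"><soap:fault name="authenticationFault" use="literal"/></wsdl:fault>`, and the tgreview.wsdl binding above has the same pattern. The portType and binding entries for addActiveRole declare only rbacFault while every sibling operation also declares authenticationFault, and the comment above the dropActiveRole portType operation still says `addActiveRole`; both look like copy-paste slips rather than intent. The service address is plain `http://rbac.textgrid.daasi.de/tgsystem.php` although every request message carries `intSid`/`sid` and `username`, so those session identifiers travel unencrypted unless transport security is enforced elsewhere; an `https://` address, or a comment stating where TLS terminates, would make the contract match the data it carries.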
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<wsdl:definitions name="xacml"
+ xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+ xmlns:tns="http://daasi.de/namespaces/rbac/xacml"
+ xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ targetNamespace="http://daasi.de/namespaces/rbac/xacml"
+ xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
+ xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os">
+
+
+ <!--
+ ####################
+ # Typ-Definitionen #
+ ####################
+ //-->
+ <wsdl:types>
+ <xsd:schema targetNamespace="http://daasi.de/namespaces/rbac/xacml">
+ <xsd:import namespace="urn:oasis:xacml:2.0:saml:assertion:schema:os"
+ schemaLocation="http://www.daasi.de/schema/oasis/access_control-xacml-2.0-saml-assertion-schema-os.xsd" />
+ <xsd:import namespace="urn:oasis:xacml:2.0:saml:protocol:schema:os"
+ schemaLocation="http://www.daasi.de/schema/oasis/access_control-xacml-2.0-saml-protocol-schema-os.xsd"/>
+
+ </xsd:schema>
+
+ </wsdl:types>
+
+
+ <!--
+ #################
+ # WSDL-Messages #
+ #################
+ //-->
+
+ <!-- #### checkXACMLaccess #### //-->
+ <wsdl:message name="checkXACMLaccessRequest">
+ <wsdl:part element="xacml-samlp:XACMLAuthzDecisionQuery" name="checkXACMLaccessInput" />
+ </wsdl:message>
+ <wsdl:message name="checkXACMLaccessResponse">
+ <wsdl:part element="xacml-saml:XACMLAuthzDecisionStatement" name="checkXACMLaccessOutput" />
+ </wsdl:message>
+
+
+
+ <!--
+ ##########################
+ # Port-Type-Definitionen #
+ ##########################
+ //-->
+ <wsdl:portType name="port_xacml">
+
+ <!-- #### checkXACMLaccess #### //-->
+ <wsdl:operation name="checkXACMLaccess">
+ <wsdl:input message="tns:checkXACMLaccessRequest" />
+ <wsdl:output message="tns:checkXACMLaccessResponse" />
+ </wsdl:operation>
+
+ </wsdl:portType>
+
+
+
+ <!--
+ ###########
+ # Binding #
+ ###########
+ //-->
+ <wsdl:binding name="binding_xacml" type="tns:port_xacml">
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
+
+ <!-- #### checkXACMLaccess #### //-->
+ <wsdl:operation name="checkXACMLaccess">
+ <soap:operation soapAction="http://daasi.de/rbac/xacml/checkXACMLaccess" />
+ <wsdl:input><soap:body use="literal" /></wsdl:input>
+ <wsdl:output><soap:body use="literal" /></wsdl:output>
+ </wsdl:operation>
+
+ </wsdl:binding>
+
+
+
+ <!--
+ #####################
+ # Servicedefinition #
+ #####################
+ //-->
+ <wsdl:service name="xacml">
+ <wsdl:port binding="tns:binding_xacml" name="tns:xacml">
+ <soap:address location="http://rbac.textgrid.daasi.de/xacml.php" />
+ </wsdl:port>
+ </wsdl:service>
+
+</wsdl:definitions>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/xacml.wsdl.readme.txt b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/xacml.wsdl.readme.txt
new file mode 100644
index 0000000..305325a
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/wsdl/xacml.wsdl.readme.txt
@@ -0,0 +1 @@
+xacml.wsdl imports corrected OASIS XML schemas beacause these were found to be incorrect
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/xacml.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xacml.php
new file mode 100755
index 0000000..95daeb0
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xacml.php
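Review bot: `<wsdl:port binding="tns:binding_xacml" name="tns:xacml">` gives the port a prefixed name although WSDL 1.1 defines `name` as an NCName; `name="xacml"`, as tgsystem.wsdl writes its port, avoids tooling rejecting the contract, and the tgreview.wsdl port above carries the same `tns:` prefix. The two `xsd:import` elements fetch the corrected OASIS schemas from `http://www.daasi.de/schema/oasis/...` over plain HTTP each time the WSDL is parsed, so the structure used to validate every XACMLAuthzDecisionQuery depends on an unauthenticated remote download; relative schemaLocations pointing at the copies committed under `rbacSoap/xsd/` (the form saml-schema-protocol-2.0.xsd already uses for its assertion import) would keep validation self-contained. `checkXACMLaccess` declares no `wsdl:fault`, unlike the other services, so a caller has no typed error for a rejected or malformed query.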
@@ -0,0 +1,27 @@
+<?php
+// #######################################################
+// Author: Markus Widmer
+// Creation date: 07.07.2007
+// Modification date: 13.11.2007
+// Version: 1.0.0
+// #######################################################
+
+
+require_once( "xacmlTypes.inc.php" );
+require_once( "../rbac/RBAC.class.php" );
+require_once( "XACML.class.php" );
+
+
+// Dont be so verbose with messages and notices.
+error_reporting( E_ERROR | E_USER_ERROR );
+
+
+// #############################################################
+// Starting SOAP-Server
+// #############################################################
+$server = new SoapServer( "http://rbac.textgrid.daasi.de/wsdl/xacml.wsdl.local" );
+$server->setClass( "XACML", "../conf/rbacSoap.conf", "../conf/system.conf", "../rbac/" );
+
+
+$server->handle();
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/xacmlTypes.inc.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xacmlTypes.inc.php
new file mode 100755
index 0000000..972cee8
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xacmlTypes.inc.php
@@ -0,0 +1,22 @@
+<?php
+class dumpResponse {
+ public $dump;
+}
+
+
+class XACMLAuthzDecisionQuery {
+ public $id;
+ public $Version;
+ public $issueInstant;
+ public $inputContextOnly;
+ public $returnContext;
+ public $request;
+}
+
+
+class Request {
+ public $subject;
+ public $resource;
+ public $action;
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-assertion-schema-os.xsd b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-assertion-schema-os.xsd
new file mode 100644
index 0000000..1dc54db
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-assertion-schema-os.xsd
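Review bot: `new SoapServer( "http://rbac.textgrid.daasi.de/wsdl/xacml.wsdl.local" )` loads the service contract from a remote http URL, so a plaintext fetch decides which operations and types this endpoint accepts; a filesystem path such as `dirname(__FILE__) . "/wsdl/xacml.wsdl"` removes both the network round-trip and the integrity question. The `setClass` arguments `"../conf/rbacSoap.conf"`, `"../conf/system.conf"` and `"../rbac/"` (and the `require_once` of `../rbac/RBAC.class.php`) are resolved against the process working directory rather than this file, so which configuration the RBAC code reads depends on how the web server launches the script — anchoring them with `dirname(__FILE__)` makes the lookup deterministic. `error_reporting( E_ERROR | E_USER_ERROR )` hides warnings instead of routing them to a log, which makes failed config reads or backend errors invisible, and the trailing `?>` can push stray whitespace into the SOAP response if anything follows it.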
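Review bot: The three classes in xacmlTypes.inc.php declare untyped, undocumented public properties and `XACMLAuthzDecisionQuery` mixes `$id`/`$issueInstant` with a capitalised `$Version`; if they are meant to mirror the SAML `XACMLAuthzDecisionQuery` attributes (`ID`, `Version`, `IssueInstant` in saml-schema-protocol-2.0.xsd) the names should follow one convention, and a header comment should say which SOAP classmap or handler consumes them, since nothing on the page shows who instantiates them. `Request` and `dumpResponse` are unprefixed global class names that will collide with any other class of that name loaded alongside; a prefix such as `XACMLRequest` avoids that. `dumpResponse` also needs a comment stating its purpose, as no element named `dump` appears in xacml.wsdl.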
@@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<schema + targetNamespace="urn:oasis:xacml:2.0:saml:assertion:schema:os" + xmlns:tns="urn:oasis:xacml:2.0:saml:assertion:schema:os" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:xs="http://www.w3.org/2001/XMLSchema" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" + xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" + elementFormDefault="unqualified" + attributeFormDefault="unqualified" + blockDefault="substitution" + version="2.0"> + <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion" + schemaLocation="http://rbac.textgrid.daasi.de/xsd/saml-schema-assertion-2.0.xsd"/> + <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" + schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/> + <xs:annotation> + <xs:documentation> + Document identifier: access_control-xacml-2.0-saml-assertion-schema-cd-02.xsd + Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-assertion-schema-cd-os.xsd + </xs:documentation> + </xs:annotation> + <!-- --> + <xs:element name="XACMLAuthzDecisionStatement" + type="tns:XACMLAuthzDecisionStatementType"/> + <xs:complexType name="XACMLAuthzDecisionStatementType"> + <xs:complexContent> + <xs:extension base="saml:StatementAbstractType"> + <xs:sequence> + <xs:element ref="xacml-context:Response"/> + <xs:element ref="xacml-context:Request" minOccurs="0"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <!-- --> + <xs:element name="XACMLPolicyStatement" + type="tns:XACMLPolicyStatementType"/> + <xs:complexType name="XACMLPolicyStatementType"> + <xs:complexContent> + <xs:extension base="saml:StatementAbstractType"> + <xs:choice minOccurs="0" maxOccurs="unbounded"> + <xs:element ref="xacml:Policy"/> + <xs:element ref="xacml:PolicySet"/> + </xs:choice> + </xs:extension> + 
</xs:complexContent> + </xs:complexType> +</schema> + diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd new file mode 100644 index 0000000..a80290f --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd 
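Review bot: `XACMLPolicyStatementType` refers to `xacml:Policy` and `xacml:PolicySet`, but this schema imports only the SAML assertion and xacml-context namespaces, so a validating parser cannot resolve those references without `<xs:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" schemaLocation="..."/>`. The protocol schema in the next hunk has the same gap for `xacml:Target`, `xacml:PolicySetIdReference` and `xacml:PolicyIdReference`, while the `.save` copy further down still carries that import — if dropping it was deliberate (for instance because the remote policy schema failed to load), a comment saying so would stop the next reader from re-adding it. The SAML assertion schema is imported from `http://rbac.textgrid.daasi.de/xsd/...` at validation time; a relative `schemaLocation="saml-schema-assertion-2.0.xsd"`, the form saml-schema-protocol-2.0.xsd already uses, would keep the committed copies authoritative. The `<xs:documentation>` still names `access_control-xacml-2.0-saml-assertion-schema-cd-02.xsd` although the file is the `-os` version.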
@@ -0,0 +1,60 @@ +<?xml version="1.0" encoding="UTF-8"?> +<schema + targetNamespace="urn:oasis:xacml:2.0:saml:protocol:schema:os" + xmlns:tns="urn:oasis:xacml:2.0:saml:protocol:schema:os" + xmlns:xs="http://www.w3.org/2001/XMLSchema" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" + xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" + elementFormDefault="unqualified" + attributeFormDefault="unqualified" + blockDefault="substitution" + version="2.0"> + <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol" + schemaLocation="http://rbac.textgrid.daasi.de/xsd/saml-schema-protocol-2.0.xsd"/> + <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" + schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/> + <xs:annotation> + <xs:documentation> + Document identifier: access_control-xacml-2.0-saml-protocol-schema-os.xsd + Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-protocol-schema-os.xsd + </xs:documentation> + </xs:annotation> + <!-- --> + <xs:element name="XACMLAuthzDecisionQuery" + type="tns:XACMLAuthzDecisionQueryType"/> + <xs:complexType name="XACMLAuthzDecisionQueryType"> + <xs:complexContent> + <xs:extension base="samlp:RequestAbstractType"> + <xs:sequence> + <xs:element ref="xacml-context:Request"/> + </xs:sequence> + <xs:attribute name="InputContextOnly" + type="boolean" + use="optional" + default="false"/> + <xs:attribute name="ReturnContext" + type="boolean" + use="optional" + default="false"/> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <!-- --> + <xs:element name="XACMLPolicyQuery" + type="tns:XACMLPolicyQueryType"/> + <xs:complexType name="XACMLPolicyQueryType"> + <xs:complexContent> + <xs:extension base="samlp:RequestAbstractType"> + <xs:choice minOccurs="0" maxOccurs="unbounded"> + <xs:element 
ref="xacml-context:Request"/> + <xs:element ref="xacml:Target"/> + <xs:element ref="xacml:PolicySetIdReference"/> + <xs:element ref="xacml:PolicyIdReference"/> + </xs:choice> + </xs:extension> + </xs:complexContent> + </xs:complexType> +</schema> + diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd.save b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd.save new file mode 100644 index 0000000..bc9cba7 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/access_control-xacml-2.0-saml-protocol-schema-os.xsd.save 
@@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<schema + targetNamespace="urn:oasis:xacml:2.0:saml:protocol:schema:os" + xmlns:xs="http://www.23.org/2001/XMLSchema" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" + xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" + elementFormDefault="unqualified" + attributeFormDefault="unqualified" + blockDefault="substitution" + version="2.0"> + <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol" + schemaLocation="http://rbac.textgrid.daasi.de/xsd/saml-schema-protocol-2.0.xsd"/> + <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" + schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/> + <xs:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" + schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"/> + <xs:annotation> + <xs:documentation> + Document identifier: access_control-xacml-2.0-saml-protocol-schema-os.xsd + Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-protocol-schema-os.xsd + </xs:documentation> + </xs:annotation> + <!-- --> + <xs:element name="XACMLAuthzDecisionQuery" + type="XACMLAuthzDecisionQueryType"/> + <xs:complexType name="XACMLAuthzDecisionQueryType"> + <xs:complexContent> + <xs:extension base="samlp:RequestAbstractType"> + <xs:sequence> + <xs:element ref="xacml-context:Request"/> + </xs:sequence> + <xs:attribute name="InputContextOnly" + type="boolean" + use="optional" + default="false"/> + <xs:attribute name="ReturnContext" + type="boolean" + use="optional" + default="false"/> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <!-- --> + <xs:element name="XACMLPolicyQuery" + type="XACMLPolicyQueryType"/> + <xs:complexType name="XACMLPolicyQueryType"> + <xs:complexContent> + <xs:extension 
base="samlp:RequestAbstractType"> + <xs:choice minOccurs="0" maxOccurs="unbounded">> + <xs:element ref="xacml-context:Request"/> + <xs:element ref="xacml:Target"/> + <xs:element ref="xacml:PolicySetIdReference"/> + <xs:element ref="xacml:PolicyIdReference"/> + </xs:choice> + </xs:extension> + </xs:complexContent> + </xs:complexType> +</schema> + diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/saml-schema-assertion-2.0.xsd b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/saml-schema-assertion-2.0.xsd new file mode 100644 index 0000000..122dc3b --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/saml-schema-assertion-2.0.xsd 
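Review bot: This `.save` file is an editor backup of the protocol schema rather than a source file, and it is not well-formed XML: `<xs:choice minOccurs="0" maxOccurs="unbounded">>` has a stray `>` and `xmlns:xs="http://www.23.org/2001/XMLSchema"` is a mistyped XMLSchema namespace, so any tool that globs `xsd/*` will choke on it. It should be dropped from the commit; the policy-schema `xs:import` it still carries belongs in the live access_control-xacml-2.0-saml-protocol-schema-os.xsd if that import is needed there.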
@@ -0,0 +1,284 @@ +<?xml version="1.0" encoding="US-ASCII"?> +<schema + targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" + elementFormDefault="unqualified" + attributeFormDefault="unqualified" + blockDefault="substitution" + version="2.0"> + <import namespace="http://www.w3.org/2000/09/xmldsig#" + schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> + <import namespace="http://www.w3.org/2001/04/xmlenc#" + schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/> + <annotation> + <documentation> + Document identifier: saml-schema-assertion-2.0 + Location: http://docs.oasis-open.org/security/saml/v2.0/ + Revision history: + V1.0 (November, 2002): + Initial Standard Schema. + V1.1 (September, 2003): + Updates within the same V1.0 namespace. + V2.0 (March, 2005): + New assertion schema for SAML V2.0 namespace. 
+ </documentation> + </annotation> + <attributeGroup name="IDNameQualifiers"> + <attribute name="NameQualifier" type="string" use="optional"/> + <attribute name="SPNameQualifier" type="string" use="optional"/> + </attributeGroup> + <element name="BaseID" type="saml:BaseIDAbstractType"/> + <complexType name="BaseIDAbstractType" abstract="true"> + <attributeGroup ref="saml:IDNameQualifiers"/> + </complexType> + <element name="NameID" type="saml:NameIDType"/> + <complexType name="NameIDType"> + <simpleContent> + <extension base="string"> + <attributeGroup ref="saml:IDNameQualifiers"/> + <attribute name="Format" type="anyURI" use="optional"/> + <attribute name="SPProvidedID" type="string" use="optional"/> + </extension> + </simpleContent> + </complexType> + <complexType name="EncryptedElementType"> + <sequence> + <element ref="xenc:EncryptedData"/> + <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </complexType> + <element name="EncryptedID" type="saml:EncryptedElementType"/> + <element name="Issuer" type="saml:NameIDType"/> + <element name="AssertionIDRef" type="NCName"/> + <element name="AssertionURIRef" type="anyURI"/> + <element name="Assertion" type="saml:AssertionType"/> + <complexType name="AssertionType"> + <sequence> + <element ref="saml:Issuer"/> + <element ref="ds:Signature" minOccurs="0"/> + <element ref="saml:Subject" minOccurs="0"/> + <element ref="saml:Conditions" minOccurs="0"/> + <element ref="saml:Advice" minOccurs="0"/> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="saml:Statement"/> + <element ref="saml:AuthnStatement"/> + <element ref="saml:AuthzDecisionStatement"/> + <element ref="saml:AttributeStatement"/> + </choice> + </sequence> + <attribute name="Version" type="string" use="required"/> + <attribute name="ID" type="ID" use="required"/> + <attribute name="IssueInstant" type="dateTime" use="required"/> + </complexType> + <element name="Subject" type="saml:SubjectType"/> + <complexType 
name="SubjectType"> + <choice> + <sequence> + <choice> + <element ref="saml:BaseID"/> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/> + </choice> + </complexType> + <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/> + <complexType name="SubjectConfirmationType"> + <sequence> + <choice minOccurs="0"> + <element ref="saml:BaseID"/> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <element ref="saml:SubjectConfirmationData" minOccurs="0"/> + </sequence> + <attribute name="Method" type="anyURI" use="required"/> + </complexType> + <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/> + <complexType name="SubjectConfirmationDataType" mixed="true"> + <complexContent> + <restriction base="anyType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="NotBefore" type="dateTime" use="optional"/> + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> + <attribute name="Recipient" type="anyURI" use="optional"/> + <attribute name="InResponseTo" type="NCName" use="optional"/> + <attribute name="Address" type="string" use="optional"/> + <anyAttribute namespace="##other" processContents="lax"/> + </restriction> + </complexContent> + </complexType> + <complexType name="KeyInfoConfirmationDataType" mixed="false"> + <complexContent> + <restriction base="saml:SubjectConfirmationDataType"> + <sequence> + <element ref="ds:KeyInfo" maxOccurs="unbounded"/> + </sequence> + </restriction> + </complexContent> + </complexType> + <element name="Conditions" type="saml:ConditionsType"/> + <complexType name="ConditionsType"> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="saml:Condition"/> + <element 
ref="saml:AudienceRestriction"/> + <element ref="saml:OneTimeUse"/> + <element ref="saml:ProxyRestriction"/> + </choice> + <attribute name="NotBefore" type="dateTime" use="optional"/> + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> + </complexType> + <element name="Condition" type="saml:ConditionAbstractType"/> + <complexType name="ConditionAbstractType" abstract="true"/> + <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/> + <complexType name="AudienceRestrictionType"> + <complexContent> + <extension base="saml:ConditionAbstractType"> + <sequence> + <element ref="saml:Audience" maxOccurs="unbounded"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="Audience" type="anyURI"/> + <element name="OneTimeUse" type="saml:OneTimeUseType" /> + <complexType name="OneTimeUseType"> + <complexContent> + <extension base="saml:ConditionAbstractType"/> + </complexContent> + </complexType> + <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/> + <complexType name="ProxyRestrictionType"> + <complexContent> + <extension base="saml:ConditionAbstractType"> + <sequence> + <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Count" type="nonNegativeInteger" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="Advice" type="saml:AdviceType"/> + <complexType name="AdviceType"> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="saml:AssertionIDRef"/> + <element ref="saml:AssertionURIRef"/> + <element ref="saml:Assertion"/> + <element ref="saml:EncryptedAssertion"/> + <any namespace="##other" processContents="lax"/> + </choice> + </complexType> + <element name="EncryptedAssertion" type="saml:EncryptedElementType"/> + <element name="Statement" type="saml:StatementAbstractType"/> + <complexType name="StatementAbstractType" abstract="true"/> + <element name="AuthnStatement" type="saml:AuthnStatementType"/> + 
<complexType name="AuthnStatementType"> + <complexContent> + <extension base="saml:StatementAbstractType"> + <sequence> + <element ref="saml:SubjectLocality" minOccurs="0"/> + <element ref="saml:AuthnContext"/> + </sequence> + <attribute name="AuthnInstant" type="dateTime" use="required"/> + <attribute name="SessionIndex" type="string" use="optional"/> + <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="SubjectLocality" type="saml:SubjectLocalityType"/> + <complexType name="SubjectLocalityType"> + <attribute name="Address" type="string" use="optional"/> + <attribute name="DNSName" type="string" use="optional"/> + </complexType> + <element name="AuthnContext" type="saml:AuthnContextType"/> + <complexType name="AuthnContextType"> + <sequence> + <choice> + <sequence> + <element ref="saml:AuthnContextClassRef"/> + <choice minOccurs="0"> + <element ref="saml:AuthnContextDecl"/> + <element ref="saml:AuthnContextDeclRef"/> + </choice> + </sequence> + <choice> + <element ref="saml:AuthnContextDecl"/> + <element ref="saml:AuthnContextDeclRef"/> + </choice> + </choice> + <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </complexType> + <element name="AuthnContextClassRef" type="anyURI"/> + <element name="AuthnContextDeclRef" type="anyURI"/> + <element name="AuthnContextDecl" type="anyType"/> + <element name="AuthenticatingAuthority" type="anyURI"/> + <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/> + <complexType name="AuthzDecisionStatementType"> + <complexContent> + <extension base="saml:StatementAbstractType"> + <sequence> + <element ref="saml:Action" maxOccurs="unbounded"/> + <element ref="saml:Evidence" minOccurs="0"/> + </sequence> + <attribute name="Resource" type="anyURI" use="required"/> + <attribute name="Decision" type="saml:DecisionType" use="required"/> + </extension> + </complexContent> + 
</complexType> + <simpleType name="DecisionType"> + <restriction base="string"> + <enumeration value="Permit"/> + <enumeration value="Deny"/> + <enumeration value="Indeterminate"/> + </restriction> + </simpleType> + <element name="Action" type="saml:ActionType"/> + <complexType name="ActionType"> + <simpleContent> + <extension base="string"> + <attribute name="Namespace" type="anyURI" use="required"/> + </extension> + </simpleContent> + </complexType> + <element name="Evidence" type="saml:EvidenceType"/> + <complexType name="EvidenceType"> + <choice maxOccurs="unbounded"> + <element ref="saml:AssertionIDRef"/> + <element ref="saml:AssertionURIRef"/> + <element ref="saml:Assertion"/> + <element ref="saml:EncryptedAssertion"/> + </choice> + </complexType> + <element name="AttributeStatement" type="saml:AttributeStatementType"/> + <complexType name="AttributeStatementType"> + <complexContent> + <extension base="saml:StatementAbstractType"> + <choice maxOccurs="unbounded"> + <element ref="saml:Attribute"/> + <element ref="saml:EncryptedAttribute"/> + </choice> + </extension> + </complexContent> + </complexType> + <element name="Attribute" type="saml:AttributeType"/> + <complexType name="AttributeType"> + <sequence> + <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Name" type="string" use="required"/> + <attribute name="NameFormat" type="anyURI" use="optional"/> + <attribute name="FriendlyName" type="string" use="optional"/> + <anyAttribute namespace="##other" processContents="lax"/> + </complexType> + <element name="AttributeValue" type="anyType" nillable="true"/> + <element name="EncryptedAttribute" type="saml:EncryptedElementType"/> +</schema> + diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/saml-schema-protocol-2.0.xsd b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/saml-schema-protocol-2.0.xsd new file mode 100644 index 0000000..6c6502c --- /dev/null 
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/xsd/saml-schema-protocol-2.0.xsd 
@@ -0,0 +1,303 @@ +<?xml version="1.0" encoding="UTF-8"?> +<schema + targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + elementFormDefault="unqualified" + attributeFormDefault="unqualified" + blockDefault="substitution" + version="2.0"> + <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" + schemaLocation="saml-schema-assertion-2.0.xsd"/> + <import namespace="http://www.w3.org/2000/09/xmldsig#" + schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> + <annotation> + <documentation> + Document identifier: saml-schema-protocol-2.0 + Location: http://docs.oasis-open.org/security/saml/v2.0/ + Revision history: + V1.0 (November, 2002): + Initial Standard Schema. + V1.1 (September, 2003): + Updates within the same V1.0 namespace. + V2.0 (March, 2005): + New protocol schema based in a SAML V2.0 namespace. 
+ </documentation> + </annotation> + <complexType name="RequestAbstractType" abstract="true"> + <sequence> + <element ref="saml:Issuer" minOccurs="0"/> + <element ref="ds:Signature" minOccurs="0"/> + <element ref="samlp:Extensions" minOccurs="0"/> + </sequence> + <attribute name="ID" type="ID" use="required"/> + <attribute name="Version" type="string" use="required"/> + <attribute name="IssueInstant" type="dateTime" use="required"/> + <attribute name="Destination" type="anyURI" use="optional"/> + <attribute name="Consent" type="anyURI" use="optional"/> + </complexType> + <element name="Extensions" type="samlp:ExtensionsType"/> + <complexType name="ExtensionsType"> + <sequence> + <any namespace="##other" processContents="lax" maxOccurs="unbounded"/> + </sequence> + </complexType> + <complexType name="StatusResponseType"> + <sequence> + <element ref="saml:Issuer" minOccurs="0"/> + <element ref="ds:Signature" minOccurs="0"/> + <element ref="samlp:Extensions" minOccurs="0"/> + <element ref="samlp:Status"/> + </sequence> + <attribute name="ID" type="ID" use="required"/> + <attribute name="InResponseTo" type="NCName" use="optional"/> + <attribute name="Version" type="string" use="required"/> + <attribute name="IssueInstant" type="dateTime" use="required"/> + <attribute name="Destination" type="anyURI" use="optional"/> + <attribute name="Consent" type="anyURI" use="optional"/> + </complexType> + <element name="Status" type="samlp:StatusType"/> + <complexType name="StatusType"> + <sequence> + <element ref="samlp:StatusCode"/> + <element ref="samlp:StatusMessage" minOccurs="0"/> + <element ref="samlp:StatusDetail" minOccurs="0"/> + </sequence> + </complexType> + <element name="StatusCode" type="samlp:StatusCodeType"/> + <complexType name="StatusCodeType"> + <sequence> + <element ref="samlp:StatusCode" minOccurs="0"/> + </sequence> + <attribute name="Value" type="anyURI" use="required"/> + </complexType> + <element name="StatusMessage" type="string"/> + <element 
name="StatusDetail" type="samlp:StatusDetailType"/> + <complexType name="StatusDetailType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </complexType> + <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/> + <complexType name="AssertionIDRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/> + <complexType name="SubjectQueryAbstractType" abstract="true"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <element ref="saml:Subject"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="AuthnQuery" type="samlp:AuthnQueryType"/> + <complexType name="AuthnQueryType"> + <complexContent> + <extension base="samlp:SubjectQueryAbstractType"> + <sequence> + <element ref="samlp:RequestedAuthnContext" minOccurs="0"/> + </sequence> + <attribute name="SessionIndex" type="string" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/> + <complexType name="RequestedAuthnContextType"> + <choice> + <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/> + <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/> + </choice> + <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/> + </complexType> + <simpleType name="AuthnContextComparisonType"> + <restriction base="string"> + <enumeration value="exact"/> + <enumeration value="minimum"/> + <enumeration value="maximum"/> + <enumeration value="better"/> + </restriction> + </simpleType> + <element name="AttributeQuery" type="samlp:AttributeQueryType"/> + <complexType name="AttributeQueryType"> + <complexContent> + 
<extension base="samlp:SubjectQueryAbstractType"> + <sequence> + <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/> + <complexType name="AuthzDecisionQueryType"> + <complexContent> + <extension base="samlp:SubjectQueryAbstractType"> + <sequence> + <element ref="saml:Action" maxOccurs="unbounded"/> + <element ref="saml:Evidence" minOccurs="0"/> + </sequence> + <attribute name="Resource" type="anyURI" use="required"/> + </extension> + </complexContent> + </complexType> + <element name="AuthnRequest" type="samlp:AuthnRequestType"/> + <complexType name="AuthnRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <element ref="saml:Subject" minOccurs="0"/> + <element ref="samlp:NameIDPolicy" minOccurs="0"/> + <element ref="saml:Conditions" minOccurs="0"/> + <element ref="samlp:RequestedAuthnContext" minOccurs="0"/> + <element ref="samlp:Scoping" minOccurs="0"/> + </sequence> + <attribute name="ForceAuthn" type="boolean" use="optional"/> + <attribute name="IsPassive" type="boolean" use="optional"/> + <attribute name="ProtocolBinding" type="anyURI" use="optional"/> + <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/> + <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/> + <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/> + <attribute name="ProviderName" type="string" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/> + <complexType name="NameIDPolicyType"> + <attribute name="Format" type="anyURI" use="optional"/> + <attribute name="SPNameQualifier" type="string" use="optional"/> + <attribute name="AllowCreate" type="boolean" use="optional"/> + </complexType> + <element name="Scoping" 
type="samlp:ScopingType"/> + <complexType name="ScopingType"> + <sequence> + <element ref="samlp:IDPList" minOccurs="0"/> + <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/> + </complexType> + <element name="RequesterID" type="anyURI"/> + <element name="IDPList" type="samlp:IDPListType"/> + <complexType name="IDPListType"> + <sequence> + <element ref="samlp:IDPEntry" maxOccurs="unbounded"/> + <element ref="samlp:GetComplete" minOccurs="0"/> + </sequence> + </complexType> + <element name="IDPEntry" type="samlp:IDPEntryType"/> + <complexType name="IDPEntryType"> + <attribute name="ProviderID" type="anyURI" use="required"/> + <attribute name="Name" type="string" use="optional"/> + <attribute name="Loc" type="anyURI" use="optional"/> + </complexType> + <element name="GetComplete" type="anyURI"/> + <element name="Response" type="samlp:ResponseType"/> + <complexType name="ResponseType"> + <complexContent> + <extension base="samlp:StatusResponseType"> + <choice minOccurs="0" maxOccurs="unbounded"> + <element ref="saml:Assertion"/> + <element ref="saml:EncryptedAssertion"/> + </choice> + </extension> + </complexContent> + </complexType> + <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/> + <complexType name="ArtifactResolveType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <element ref="samlp:Artifact"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="Artifact" type="string"/> + <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/> + <complexType name="ArtifactResponseType"> + <complexContent> + <extension base="samlp:StatusResponseType"> + <sequence> + <any namespace="##any" processContents="lax" minOccurs="0"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/> + 
<complexType name="ManageNameIDRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <choice> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <choice> + <element ref="samlp:NewID"/> + <element ref="samlp:NewEncryptedID"/> + <element ref="samlp:Terminate"/> + </choice> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="NewID" type="string"/> + <element name="NewEncryptedID" type="saml:EncryptedElementType"/> + <element name="Terminate" type="samlp:TerminateType"/> + <complexType name="TerminateType"/> + <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/> + <element name="LogoutRequest" type="samlp:LogoutRequestType"/> + <complexType name="LogoutRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <choice> + <element ref="saml:BaseID"/> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Reason" type="string" use="optional"/> + <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> + </extension> + </complexContent> + </complexType> + <element name="SessionIndex" type="string"/> + <element name="LogoutResponse" type="samlp:StatusResponseType"/> + <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/> + <complexType name="NameIDMappingRequestType"> + <complexContent> + <extension base="samlp:RequestAbstractType"> + <sequence> + <choice> + <element ref="saml:BaseID"/> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + <element ref="samlp:NameIDPolicy"/> + </sequence> + </extension> + </complexContent> + </complexType> + <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/> + <complexType name="NameIDMappingResponseType"> + <complexContent> + <extension base="samlp:StatusResponseType"> + 
<choice> + <element ref="saml:NameID"/> + <element ref="saml:EncryptedID"/> + </choice> + </extension> + </complexContent> + </complexType> +</schema> + diff --git a/info.textgrid.middleware.tgauth.rbac/tgExtensions/Logger.class.php b/info.textgrid.middleware.tgauth.rbac/tgExtensions/Logger.class.php new file mode 100755 index 0000000..819d1e9 --- /dev/null +++ b/info.textgrid.middleware.tgauth.rbac/tgExtensions/Logger.class.php 
@@ -0,0 +1,223 @@
+<?php
+// ####################################################################
+// Version: 0.2.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 02.11.2007
+// Letzte Aenderung: 14.02.2008
+
+
+
+class Logger extends RBACExtension {
+
+ // ## Klassenvariablen ##############################################
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inRBAC ) {
+
+ // Let the extension do all the things
+ // we dont't want to do
+ parent::__construct( $inRBAC );
+
+ }
+
+
+
+ // ## registerEvents ################################################
+ public function registerEvents( RBAC $inRegistrar ) {
+
+ $inRegistrar->registerEventListener( "addUser", "write", $this, "logAddUserEvent" );
+ $inRegistrar->registerEventListener( "checkAccess", "startup", $this, "logCheckAccessEvent" );
+ $inRegistrar->registerEventListener( "assignUser", "write", $this, "logAssignUserEvent" );
+ $inRegistrar->registerEventListener( "addAscendant", "finished", $this, "logAddAscendantEvent" );
+
+
+ // These functions for debugging-informations
+ $inRegistrar->registerEventListener( "checkAccess", "filter", $this, "debugCheckAccessEvent" );
+ $inRegistrar->registerEventListener( "checkAccess", "finish", $this, "debugCheckAccessResultEvent" );
+ $inRegistrar->registerEventListener( "grantPermission", "filter", $this, "debugGrantPermissionEvent" );
+ $inRegistrar->registerEventListener( "addAscendant", "write", $this, "debugAddAscendantEvent" );
+
+ }
+
+
+
+
+ // ## logAddUserEvent ###############################################
+ public function logAddUserEvent( Context $inContext ) {
+
+ $file = fopen( "LOG/addUser.log", "a+" );
+
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) . " Adding user: " . $inContext->getValue( "dn" ) . "\n" );
+
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+
+
+
+ // ## logCheckAccessEvent ###########################################
+ public function logCheckAccessEvent( Context $inContext ) {
+
+ $arrParameter = $inContext->getParameters(); // The parameters of the checkAccess-function
+ $arrSessionRole = Array(); // The active roles of the session
+ $file = false; // File-handler
+
+
+ // The active roles of the session
+ $arrSessionRole = $this->rbac->sessionRoles( $inContext->getValue( "sid" ), false );
+
+
+ $file = fopen( "LOG/checkAccess.log", "a+" );
+
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) . " " );
+ fwrite( "Operation: \"" . $inContext->getValue( "operation" ) . "\", Resource: " . $inContext->getValue( "resource" ) . "\"" );
+ fwrite( $file, ", SID: \"" . $inContext->getValue( "sid" ) . "\", Roles: \"" . join( "|", $arrSessionRole ) . "\"\n---------------\n" );
+
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+
+
+
+ // ## logAddUserEvent ###############################################
+ public function logAssignUserEvent( Context $inContext ) {
+
+ $arrParameter = $inContext->getParameters(); // The parameters of the checkAccess-function
+ $entry = $inContext->getValue( "entry" );
+
+
+ $file = fopen( "LOG/assignUser.log", "a+" );
+
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) );
+ fwrite( $file, " Assigning user \"" . $arrParameter[0] . "\"" );
+ fwrite( $file, " to role \"" . $arrParameter[1] . "\"\n" );
+
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+
+
+
+ // ## logAddAscendantEvent ##########################################
+ public function logAddAscendantEvent( Context $inContext ) {
+
+ $arrParameter = $inContext->getParameters(); // The parameters of the checkAccess-function
+ $file = false; // File-handler
+
+
+ $file = fopen( "LOG/addAscendant.log", "a+" );
+
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) );
+ fwrite( $file, " Added ascendant: " . $arrParameter[0] . " to descendant: " . $arrParameter[1] . "\n---------------\n" );
+
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+
+
+
+ // ## debugCheckAccessEvent #########################################
+ public function debugCheckAccessEvent( Context $inContext ) {
+
+ $arrParameter = $inContext->getParameters(); // The parameters of the checkAccess-function
+ $file = false; // File-handler
+
+
+ $file = fopen( "LOG/checkAccess.debug", "a+" );
+
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) . " Filter-string: " . $inContext->getValue( "filter" ) . "\n---------------\n" );
+
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+
+
+
+ // ## debugCheckAccessResultEvent ###################################
+ public function debugCheckAccessResultEvent( Context $inContext ) {
+
+ $arrParameter = $inContext->getParameters(); // The parameters of the checkAccess-function
+ $file = false; // File-handler
+
+
+ $file = fopen( "LOG/checkAccess.debug", "a+" );
+
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) . " Unmodified Result: " . serialize( $inContext->getValue( "decision" ) ) . "\n---------------\n" );
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) . " Resource-Entry: " . serialize( $inContext->getValue( "resource" ) ) . "\n---------------\n" );
+
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+
+
+
+ // ## debugGrantPermissionEvent #####################################
+ public function debugGrantPermissionEvent( Context $inContext ) {
+
+ $arrParameter = $inContext->getParameters(); // The parameters of the checkAccess-function
+ $file = false; // File-handler
+
+
+ $file = fopen( "LOG/grantPermission.debug", "a+" );
+
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) . " Filter-string: " . $inContext->getValue( "filter" ) . "\n---------------\n" );
+
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+
+
+
+ // ## debugAddAscendantEvent ########################################
+ public function debugAddAscendantEvent( Context $inContext ) {
+
+ $arrParameter = $inContext->getParameters(); // The parameters of the checkAccess-function
+ $file = false; // File-handler
+
+
+ $file = fopen( "LOG/addAscendant.debug", "a+" );
+
+ fwrite( $file, date( "Y-m-d h:i:s", time() ) . "Trying to add ascendant: " . $arrParameter[0] . " to descendant: " . $arrParameter[1] );
+ fwrite( $file, " / DN: " . $inContext->getValue( "dn" ) );
+ fwrite( $file, "\n---------------\n" );
+
+ fclose( $file );
+
+
+ return $inContext;
+
+ }
+
+}
+?>
diff --git a/info.textgrid.middleware.tgauth.rbac/tgExtensions/PublicResource.class.php b/info.textgrid.middleware.tgauth.rbac/tgExtensions/PublicResource.class.php
new file mode 100755
index 0000000..eebcf2e
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.rbac/tgExtensions/PublicResource.class.php
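Review bot: In logCheckAccessEvent the second fwrite omits the stream argument — `fwrite( "Operation: \"" ...` passes the message where `$file` belongs — so the operation and resource never reach checkAccess.log (and on PHP 8 this is a TypeError that aborts the startup listener); the line should read `fwrite( $file, "Operation: \"" . $inContext->getValue( "operation" ) . "\", Resource: \"" . $inContext->getValue( "resource" ) . "\"" );`, which also restores the missing opening quote before the resource value. Every listener stamps records with `date( "Y-m-d h:i:s", time() )`, a 12-hour `h` with no AM/PM marker, so authorization-log timestamps are ambiguous; `H` gives the 24-hour form. None of the `fopen( "LOG/..." )` results is checked and the path is relative to the process working directory, so a missing or unwritable directory silently yields no audit record at all. The `dn`, `operation`, `resource` and role values are written verbatim into a newline-delimited log, so a value containing a line break can produce an extra, forged-looking record; encode them (e.g. `json_encode` or `addcslashes` for control characters) before writing to keep the files parseable.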
@@ -0,0 +1,78 @@
+<?php
+// ####################################################################
+// Version: 0.1.0
+// Autor: Markus Widmer
+// Erstellungsdatum: 12.03.2008
+// Letzte Aenderung: 12.03.2008
+
+
+
+class PublicResource extends RBACExtension {
+
+ // ## Klassenvariablen ##############################################
+
+
+
+
+ // ## Konstruktor ###################################################
+ public function __construct( $inRBAC ) {
+
+ // Let the extension do all the things
+ // we dont't want to do
+ parent::__construct( $inRBAC );
+
+ }
+
+
+
+ // ## registerEvents ################################################
+ public function registerEvents( RBAC $inRegistrar ) {
+
+ $inRegistrar->registerEventListener( "checkAccess", "finish", $this, "publicCheckAccess" );
+
+ }
+
+
+
+
+ // ## publicCheckAccess #############################################
+ public function publicCheckAccess( Context $inContext ) {
+
+ $arrParameter = $inContext->getParameters(); // The parameters of the checkAccess-function
+ $arrEntry = $inContext->getValue( "resource" ); // The resource-entry
+ $operation = $arrParameter[1]; // Die der Funktion checkAccess uebergebene Operatio
+ $filter = "";
+
+
+ // Filter to search for the resource
+ $filter = "(&" . $this->conf->getValue( "resource", "filter" );
+ $filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $arrParameter[2] . ")";
+ $filter .= " (" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $arrParameter[2] . ")))";
+
+
+ $arrResource = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), $filter, "sub", Array( "tgispublic" ) );
+
+
+ // Only if the flag "tgIsPublic" is true and the operation
+ // is "read", we grant access to the resource even if
+ // the read-operation would not be granted. Otherwise we
+ // keep the decision of the checkAccess-function.
+ if( preg_match( "/^true$/i", $arrResource[0]['tgispublic'][0] )
+ && preg_match( "/^read$/", $operation ) ) {
+
+ $inContext->changeSecurityChain( true );
+
+ }
+ else {
+
+ $inContext->changeSecurityChain( $inContext->getValue( "decision" ) );
+
+ }
+
+
+ return $inContext;
+
+ }
+
+}
+?>
-- GitLab
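Review bot: publicCheckAccess builds the LDAP filter by concatenating `$arrParameter[2]`, the resource identifier handed to checkAccess, without escaping, so any `*`, `(`, `)`, `\` or NUL byte in that value changes the filter's structure and the entry whose `tgispublic` flag is consulted need not be the resource under evaluation; because this listener can turn a Deny into a Permit, the value has to be escaped per RFC 4515 (`ldap_escape( $arrParameter[2], "", LDAP_ESCAPE_FILTER )` on PHP 5.6 and later, or an equivalent helper on older interpreters). The result is then read as `$arrResource[0]['tgispublic'][0]` without checking that the search returned an entry, which is an undefined index when nothing matched. The alias branch also has a stray space before its `(`, which is not valid filter syntax and some servers reject. The rewritten filter construction and guard are below; the changeSecurityChain branches are unchanged, and I am assuming the wrapper's search result has the ldap_get_entries-style shape the existing index expression implies.
```php
// … unchanged: parameter extraction …
// Escape the caller-supplied identifier so it cannot alter the filter structure (RFC 4515)
$resourceId = ldap_escape( $arrParameter[2], "", LDAP_ESCAPE_FILTER );

// Filter to search for the resource
$filter = "(&" . $this->conf->getValue( "resource", "filter" );
$filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $resourceId . ")";
$filter .= "(" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $resourceId . ")))";

$arrResource = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), $filter, "sub", Array( "tgispublic" ) );

// Only override the decision when an entry was actually found and it is flagged public
$isPublic = isset( $arrResource[0]['tgispublic'][0] )
    && strcasecmp( $arrResource[0]['tgispublic'][0], "true" ) == 0;

if( $isPublic && preg_match( "/^read$/", $operation ) ) {
// … unchanged: changeSecurityChain branches …
```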