]>
Commit | Line | Data |
---|---|---|
44acf706 | 1 | <?php |
fab87c26 | 2 | namespace Shaarli\Security; |
44acf706 | 3 | |
c7721487 V |
4 | use Shaarli\Config\ConfigManager; |
5 | ||
44acf706 V |
6 | /** |
7 | * User login management | |
8 | */ | |
9 | class LoginManager | |
10 | { | |
c689e108 V |
11 | /** @var string Name of the cookie set after logging in **/ |
12 | public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn'; | |
13 | ||
1b28c66c | 14 | /** @var array A reference to the $_GLOBALS array */ |
44acf706 | 15 | protected $globals = []; |
1b28c66c V |
16 | |
17 | /** @var ConfigManager Configuration Manager instance **/ | |
44acf706 | 18 | protected $configManager = null; |
1b28c66c V |
19 | |
20 | /** @var SessionManager Session Manager instance **/ | |
63ea23c2 | 21 | protected $sessionManager = null; |
1b28c66c | 22 | |
b49a04f7 A |
23 | /** @var BanManager Ban Manager instance **/ |
24 | protected $banManager; | |
1b28c66c V |
25 | |
26 | /** @var bool Whether the user is logged in **/ | |
63ea23c2 | 27 | protected $isLoggedIn = false; |
1b28c66c V |
28 | |
29 | /** @var bool Whether the Shaarli instance is open to public edition **/ | |
63ea23c2 | 30 | protected $openShaarli = false; |
44acf706 | 31 | |
c689e108 V |
32 | /** @var string User sign-in token depending on remote IP and credentials */ |
33 | protected $staySignedInToken = ''; | |
34 | ||
44acf706 V |
35 | /** |
36 | * Constructor | |
37 | * | |
63ea23c2 V |
38 | * @param ConfigManager $configManager Configuration Manager instance |
39 | * @param SessionManager $sessionManager SessionManager instance | |
44acf706 | 40 | */ |
b49a04f7 | 41 | public function __construct($configManager, $sessionManager) |
44acf706 | 42 | { |
44acf706 | 43 | $this->configManager = $configManager; |
63ea23c2 | 44 | $this->sessionManager = $sessionManager; |
b49a04f7 A |
45 | $this->banManager = new BanManager( |
46 | $this->configManager->get('security.trusted_proxies', []), | |
47 | $this->configManager->get('security.ban_after'), | |
48 | $this->configManager->get('security.ban_duration'), | |
49 | $this->configManager->get('resource.ban_file', 'data/ipbans.php'), | |
50 | $this->configManager->get('resource.log') | |
51 | ); | |
52 | ||
704637bf | 53 | if ($this->configManager->get('security.open_shaarli') === true) { |
63ea23c2 V |
54 | $this->openShaarli = true; |
55 | } | |
56 | } | |
57 | ||
c689e108 V |
58 | /** |
59 | * Generate a token depending on deployment salt, user password and client IP | |
60 | * | |
61 | * @param string $clientIpAddress The remote client IP address | |
62 | */ | |
63 | public function generateStaySignedInToken($clientIpAddress) | |
64 | { | |
d9ba1cdd A |
65 | if ($this->configManager->get('security.session_protection_disabled') === true) { |
66 | $clientIpAddress = ''; | |
67 | } | |
c689e108 V |
68 | $this->staySignedInToken = sha1( |
69 | $this->configManager->get('credentials.hash') | |
70 | . $clientIpAddress | |
71 | . $this->configManager->get('credentials.salt') | |
72 | ); | |
73 | } | |
74 | ||
75 | /** | |
76 | * Return the user's client stay-signed-in token | |
77 | * | |
78 | * @return string User's client stay-signed-in token | |
79 | */ | |
80 | public function getStaySignedInToken() | |
81 | { | |
82 | return $this->staySignedInToken; | |
83 | } | |
84 | ||
63ea23c2 V |
85 | /** |
86 | * Check user session state and validity (expiration) | |
87 | * | |
84742084 | 88 | * @param array $cookie The $_COOKIE array |
84742084 | 89 | * @param string $clientIpId Client IP address identifier |
63ea23c2 | 90 | */ |
c689e108 | 91 | public function checkLoginState($cookie, $clientIpId) |
63ea23c2 V |
92 | { |
93 | if (! $this->configManager->exists('credentials.login')) { | |
94 | // Shaarli is not configured yet | |
95 | $this->isLoggedIn = false; | |
96 | return; | |
97 | } | |
98 | ||
c689e108 V |
99 | if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) |
100 | && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken | |
63ea23c2 | 101 | ) { |
704637bf V |
102 | // The user client has a valid stay-signed-in cookie |
103 | // Session information is updated with the current client information | |
c7721487 | 104 | $this->sessionManager->storeLoginInfo($clientIpId); |
704637bf | 105 | } elseif ($this->sessionManager->hasSessionExpired() |
c7721487 | 106 | || $this->sessionManager->hasClientIpChanged($clientIpId) |
63ea23c2 | 107 | ) { |
51f0128c | 108 | $this->sessionManager->logout(); |
63ea23c2 V |
109 | $this->isLoggedIn = false; |
110 | return; | |
111 | } | |
112 | ||
8edd7f15 | 113 | $this->isLoggedIn = true; |
c7721487 | 114 | $this->sessionManager->extendSession(); |
63ea23c2 V |
115 | } |
116 | ||
117 | /** | |
118 | * Return whether the user is currently logged in | |
119 | * | |
120 | * @return true when the user is logged in, false otherwise | |
121 | */ | |
122 | public function isLoggedIn() | |
123 | { | |
124 | if ($this->openShaarli) { | |
125 | return true; | |
126 | } | |
127 | return $this->isLoggedIn; | |
128 | } | |
129 | ||
130 | /** | |
131 | * Check user credentials are valid | |
132 | * | |
84742084 V |
133 | * @param string $remoteIp Remote client IP address |
134 | * @param string $clientIpId Client IP address identifier | |
135 | * @param string $login Username | |
136 | * @param string $password Password | |
63ea23c2 V |
137 | * |
138 | * @return bool true if the provided credentials are valid, false otherwise | |
139 | */ | |
84742084 | 140 | public function checkCredentials($remoteIp, $clientIpId, $login, $password) |
63ea23c2 V |
141 | { |
142 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | |
143 | ||
144 | if ($login != $this->configManager->get('credentials.login') | |
145 | || $hash != $this->configManager->get('credentials.hash') | |
146 | ) { | |
147 | logm( | |
148 | $this->configManager->get('resource.log'), | |
84742084 | 149 | $remoteIp, |
63ea23c2 V |
150 | 'Login failed for user ' . $login |
151 | ); | |
152 | return false; | |
153 | } | |
154 | ||
c7721487 | 155 | $this->sessionManager->storeLoginInfo($clientIpId); |
63ea23c2 V |
156 | logm( |
157 | $this->configManager->get('resource.log'), | |
84742084 | 158 | $remoteIp, |
63ea23c2 V |
159 | 'Login successful' |
160 | ); | |
161 | return true; | |
44acf706 V |
162 | } |
163 | ||
44acf706 V |
164 | /** |
165 | * Handle a failed login and ban the IP after too many failed attempts | |
166 | * | |
167 | * @param array $server The $_SERVER array | |
168 | */ | |
169 | public function handleFailedLogin($server) | |
170 | { | |
b49a04f7 | 171 | $this->banManager->handleFailedAttempt($server); |
44acf706 V |
172 | } |
173 | ||
174 | /** | |
175 | * Handle a successful login | |
176 | * | |
177 | * @param array $server The $_SERVER array | |
178 | */ | |
179 | public function handleSuccessfulLogin($server) | |
180 | { | |
b49a04f7 | 181 | $this->banManager->clearFailures($server); |
44acf706 V |
182 | } |
183 | ||
184 | /** | |
185 | * Check if the user can login from this IP | |
186 | * | |
187 | * @param array $server The $_SERVER array | |
188 | * | |
189 | * @return bool true if the user is allowed to login | |
190 | */ | |
191 | public function canLogin($server) | |
192 | { | |
b49a04f7 | 193 | return ! $this->banManager->isBanned($server); |
44acf706 V |
194 | } |
195 | } |