]>
Commit | Line | Data |
---|---|---|
44acf706 | 1 | <?php |
fab87c26 | 2 | namespace Shaarli\Security; |
44acf706 | 3 | |
cc2ded54 | 4 | use Exception; |
c7721487 V |
5 | use Shaarli\Config\ConfigManager; |
6 | ||
44acf706 V |
7 | /** |
8 | * User login management | |
9 | */ | |
10 | class LoginManager | |
11 | { | |
c689e108 V |
12 | /** @var string Name of the cookie set after logging in **/ |
13 | public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn'; | |
14 | ||
1b28c66c | 15 | /** @var array A reference to the $_GLOBALS array */ |
44acf706 | 16 | protected $globals = []; |
1b28c66c V |
17 | |
18 | /** @var ConfigManager Configuration Manager instance **/ | |
44acf706 | 19 | protected $configManager = null; |
1b28c66c V |
20 | |
21 | /** @var SessionManager Session Manager instance **/ | |
63ea23c2 | 22 | protected $sessionManager = null; |
1b28c66c | 23 | |
b49a04f7 A |
24 | /** @var BanManager Ban Manager instance **/ |
25 | protected $banManager; | |
1b28c66c V |
26 | |
27 | /** @var bool Whether the user is logged in **/ | |
63ea23c2 | 28 | protected $isLoggedIn = false; |
1b28c66c V |
29 | |
30 | /** @var bool Whether the Shaarli instance is open to public edition **/ | |
63ea23c2 | 31 | protected $openShaarli = false; |
44acf706 | 32 | |
c689e108 V |
33 | /** @var string User sign-in token depending on remote IP and credentials */ |
34 | protected $staySignedInToken = ''; | |
35 | ||
44acf706 V |
36 | /** |
37 | * Constructor | |
38 | * | |
63ea23c2 V |
39 | * @param ConfigManager $configManager Configuration Manager instance |
40 | * @param SessionManager $sessionManager SessionManager instance | |
44acf706 | 41 | */ |
b49a04f7 | 42 | public function __construct($configManager, $sessionManager) |
44acf706 | 43 | { |
44acf706 | 44 | $this->configManager = $configManager; |
63ea23c2 | 45 | $this->sessionManager = $sessionManager; |
b49a04f7 A |
46 | $this->banManager = new BanManager( |
47 | $this->configManager->get('security.trusted_proxies', []), | |
48 | $this->configManager->get('security.ban_after'), | |
49 | $this->configManager->get('security.ban_duration'), | |
50 | $this->configManager->get('resource.ban_file', 'data/ipbans.php'), | |
51 | $this->configManager->get('resource.log') | |
52 | ); | |
53 | ||
704637bf | 54 | if ($this->configManager->get('security.open_shaarli') === true) { |
63ea23c2 V |
55 | $this->openShaarli = true; |
56 | } | |
57 | } | |
58 | ||
c689e108 V |
59 | /** |
60 | * Generate a token depending on deployment salt, user password and client IP | |
61 | * | |
62 | * @param string $clientIpAddress The remote client IP address | |
63 | */ | |
64 | public function generateStaySignedInToken($clientIpAddress) | |
65 | { | |
d9ba1cdd A |
66 | if ($this->configManager->get('security.session_protection_disabled') === true) { |
67 | $clientIpAddress = ''; | |
68 | } | |
c689e108 V |
69 | $this->staySignedInToken = sha1( |
70 | $this->configManager->get('credentials.hash') | |
71 | . $clientIpAddress | |
72 | . $this->configManager->get('credentials.salt') | |
73 | ); | |
74 | } | |
75 | ||
76 | /** | |
77 | * Return the user's client stay-signed-in token | |
78 | * | |
79 | * @return string User's client stay-signed-in token | |
80 | */ | |
81 | public function getStaySignedInToken() | |
82 | { | |
83 | return $this->staySignedInToken; | |
84 | } | |
85 | ||
63ea23c2 V |
86 | /** |
87 | * Check user session state and validity (expiration) | |
88 | * | |
84742084 | 89 | * @param array $cookie The $_COOKIE array |
84742084 | 90 | * @param string $clientIpId Client IP address identifier |
63ea23c2 | 91 | */ |
c689e108 | 92 | public function checkLoginState($cookie, $clientIpId) |
63ea23c2 V |
93 | { |
94 | if (! $this->configManager->exists('credentials.login')) { | |
95 | // Shaarli is not configured yet | |
96 | $this->isLoggedIn = false; | |
97 | return; | |
98 | } | |
99 | ||
c689e108 V |
100 | if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) |
101 | && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken | |
63ea23c2 | 102 | ) { |
704637bf V |
103 | // The user client has a valid stay-signed-in cookie |
104 | // Session information is updated with the current client information | |
c7721487 | 105 | $this->sessionManager->storeLoginInfo($clientIpId); |
704637bf | 106 | } elseif ($this->sessionManager->hasSessionExpired() |
c7721487 | 107 | || $this->sessionManager->hasClientIpChanged($clientIpId) |
63ea23c2 | 108 | ) { |
51f0128c | 109 | $this->sessionManager->logout(); |
63ea23c2 V |
110 | $this->isLoggedIn = false; |
111 | return; | |
112 | } | |
113 | ||
8edd7f15 | 114 | $this->isLoggedIn = true; |
c7721487 | 115 | $this->sessionManager->extendSession(); |
63ea23c2 V |
116 | } |
117 | ||
118 | /** | |
119 | * Return whether the user is currently logged in | |
120 | * | |
121 | * @return true when the user is logged in, false otherwise | |
122 | */ | |
123 | public function isLoggedIn() | |
124 | { | |
125 | if ($this->openShaarli) { | |
126 | return true; | |
127 | } | |
128 | return $this->isLoggedIn; | |
129 | } | |
130 | ||
131 | /** | |
132 | * Check user credentials are valid | |
133 | * | |
84742084 V |
134 | * @param string $remoteIp Remote client IP address |
135 | * @param string $clientIpId Client IP address identifier | |
136 | * @param string $login Username | |
137 | * @param string $password Password | |
63ea23c2 V |
138 | * |
139 | * @return bool true if the provided credentials are valid, false otherwise | |
140 | */ | |
84742084 | 141 | public function checkCredentials($remoteIp, $clientIpId, $login, $password) |
63ea23c2 | 142 | { |
cc2ded54 | 143 | // Check login matches config |
9ba6982e | 144 | if ($login !== $this->configManager->get('credentials.login')) { |
cc2ded54 SN |
145 | return false; |
146 | } | |
63ea23c2 | 147 | |
cc2ded54 SN |
148 | // Check credentials |
149 | try { | |
21e5df5e SN |
150 | $useLdapLogin = !empty($this->configManager->get('ldap.host')); |
151 | if ((false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password)) | |
152 | || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password)) | |
153 | ) { | |
cc2ded54 SN |
154 | $this->sessionManager->storeLoginInfo($clientIpId); |
155 | logm( | |
156 | $this->configManager->get('resource.log'), | |
157 | $remoteIp, | |
158 | 'Login successful' | |
159 | ); | |
160 | return true; | |
161 | } | |
162 | } | |
163 | catch(Exception $exception) { | |
63ea23c2 V |
164 | logm( |
165 | $this->configManager->get('resource.log'), | |
84742084 | 166 | $remoteIp, |
cc2ded54 | 167 | 'Exception while checking credentials: ' . $exception |
63ea23c2 | 168 | ); |
63ea23c2 V |
169 | } |
170 | ||
63ea23c2 V |
171 | logm( |
172 | $this->configManager->get('resource.log'), | |
84742084 | 173 | $remoteIp, |
cc2ded54 | 174 | 'Login failed for user ' . $login |
63ea23c2 | 175 | ); |
cc2ded54 SN |
176 | return false; |
177 | } | |
178 | ||
179 | ||
180 | /** | |
181 | * Check user credentials from local config | |
182 | * | |
183 | * @param string $login Username | |
184 | * @param string $password Password | |
185 | * | |
186 | * @return bool true if the provided credentials are valid, false otherwise | |
187 | */ | |
188 | public function checkCredentialsFromLocalConfig($login, $password) { | |
189 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | |
190 | ||
191 | return $login == $this->configManager->get('credentials.login') | |
192 | && $hash == $this->configManager->get('credentials.hash'); | |
193 | } | |
194 | ||
195 | /** | |
196 | * Check user credentials are valid through LDAP bind | |
197 | * | |
198 | * @param string $remoteIp Remote client IP address | |
199 | * @param string $clientIpId Client IP address identifier | |
200 | * @param string $login Username | |
201 | * @param string $password Password | |
202 | * | |
203 | * @return bool true if the provided credentials are valid, false otherwise | |
204 | */ | |
205 | public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null) | |
206 | { | |
8694e841 A |
207 | $connect = $connect ?? function($host) { |
208 | $resource = ldap_connect($host); | |
209 | ||
210 | ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); | |
211 | ||
212 | return $resource; | |
213 | }; | |
214 | $bind = $bind ?? function($handle, $dn, $password) { | |
215 | return ldap_bind($handle, $dn, $password); | |
216 | }; | |
a69cfe0d SN |
217 | |
218 | return $bind( | |
219 | $connect($this->configManager->get('ldap.host')), | |
8694e841 | 220 | sprintf($this->configManager->get('ldap.dn'), $login), |
a69cfe0d SN |
221 | $password |
222 | ); | |
44acf706 V |
223 | } |
224 | ||
44acf706 V |
225 | /** |
226 | * Handle a failed login and ban the IP after too many failed attempts | |
227 | * | |
228 | * @param array $server The $_SERVER array | |
229 | */ | |
230 | public function handleFailedLogin($server) | |
231 | { | |
b49a04f7 | 232 | $this->banManager->handleFailedAttempt($server); |
44acf706 V |
233 | } |
234 | ||
235 | /** | |
236 | * Handle a successful login | |
237 | * | |
238 | * @param array $server The $_SERVER array | |
239 | */ | |
240 | public function handleSuccessfulLogin($server) | |
241 | { | |
b49a04f7 | 242 | $this->banManager->clearFailures($server); |
44acf706 V |
243 | } |
244 | ||
245 | /** | |
246 | * Check if the user can login from this IP | |
247 | * | |
248 | * @param array $server The $_SERVER array | |
249 | * | |
250 | * @return bool true if the user is allowed to login | |
251 | */ | |
252 | public function canLogin($server) | |
253 | { | |
b49a04f7 | 254 | return ! $this->banManager->isBanned($server); |
44acf706 V |
255 | } |
256 | } |