[github/shaarli/Shaarli.git] / application / security / LoginManager.php

<?php
namespace Shaarli\Security;

use Exception;
use Shaarli\Config\ConfigManager;

/**
 * User login management
 */
class LoginManager
{
    /** @var string Name of the cookie set after logging in **/
    public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';

    /** @var array A reference to the $_GLOBALS array */
    protected $globals = [];

    /** @var ConfigManager Configuration Manager instance **/
    protected $configManager = null;

    /** @var SessionManager Session Manager instance **/
    protected $sessionManager = null;

    /** @var BanManager Ban Manager instance **/
    protected $banManager;

    /** @var bool Whether the user is logged in **/
    protected $isLoggedIn = false;

    /** @var bool Whether the Shaarli instance is open to public edition **/
    protected $openShaarli = false;

    /** @var string User sign-in token depending on remote IP and credentials */
    protected $staySignedInToken = '';

    /**
     * Constructor
     *
     * @param ConfigManager  $configManager  Configuration Manager instance
     * @param SessionManager $sessionManager SessionManager instance
     */
    public function __construct($configManager, $sessionManager)
    {
        $this->configManager = $configManager;
        $this->sessionManager = $sessionManager;
        $this->banManager = new BanManager(
            $this->configManager->get('security.trusted_proxies', []),
            $this->configManager->get('security.ban_after'),
            $this->configManager->get('security.ban_duration'),
            $this->configManager->get('resource.ban_file', 'data/ipbans.php'),
            $this->configManager->get('resource.log')
        );

        if ($this->configManager->get('security.open_shaarli') === true) {
            $this->openShaarli = true;
        }
    }

    /**
     * Generate a token depending on deployment salt, user password and client IP
     *
     * @param string $clientIpAddress The remote client IP address
     */
    public function generateStaySignedInToken($clientIpAddress)
    {
        if ($this->configManager->get('security.session_protection_disabled') === true) {
            $clientIpAddress = '';
        }
        $this->staySignedInToken = sha1(
            $this->configManager->get('credentials.hash')
            . $clientIpAddress
            . $this->configManager->get('credentials.salt')
        );
    }

    /**
     * Return the user's client stay-signed-in token
     *
     * @return string User's client stay-signed-in token
     */
    public function getStaySignedInToken()
    {
        return $this->staySignedInToken;
    }

    /**
     * Check user session state and validity (expiration)
     *
     * @param array  $cookie     The $_COOKIE array
     * @param string $clientIpId Client IP address identifier
     */
    public function checkLoginState($cookie, $clientIpId)
    {
        if (! $this->configManager->exists('credentials.login')) {
            // Shaarli is not configured yet
            $this->isLoggedIn = false;
            return;
        }

        if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
            && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
        ) {
            // The user client has a valid stay-signed-in cookie
            // Session information is updated with the current client information
            $this->sessionManager->storeLoginInfo($clientIpId);
        } elseif ($this->sessionManager->hasSessionExpired()
            || $this->sessionManager->hasClientIpChanged($clientIpId)
        ) {
            $this->sessionManager->logout();
            $this->isLoggedIn = false;
            return;
        }

        $this->isLoggedIn = true;
        $this->sessionManager->extendSession();
    }

    /**
     * Return whether the user is currently logged in
     *
     * @return true when the user is logged in, false otherwise
     */
    public function isLoggedIn()
    {
        if ($this->openShaarli) {
            return true;
        }
        return $this->isLoggedIn;
    }

    /**
     * Check user credentials are valid
     *
     * @param string $remoteIp   Remote client IP address
     * @param string $clientIpId Client IP address identifier
     * @param string $login      Username
     * @param string $password   Password
     *
     * @return bool true if the provided credentials are valid, false otherwise
     */
    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
    {
        // Check login matches config
        if ($login != $this->configManager->get('credentials.login')) {
            return false;
        }

        // Check credentials
        try {
            $useLdapLogin = !empty($this->configManager->get('ldap.host'));
            if ((false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password))
                || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password))
            ) {
                    $this->sessionManager->storeLoginInfo($clientIpId);
                    logm(
                        $this->configManager->get('resource.log'),
                        $remoteIp,
                        'Login successful'
                    );
                    return true;
            }
        }
        catch(Exception $exception) {
            logm(
                $this->configManager->get('resource.log'),
                $remoteIp,
                'Exception while checking credentials: ' . $exception
            );
        }

        logm(
            $this->configManager->get('resource.log'),
            $remoteIp,
            'Login failed for user ' . $login
        );
        return false;
    }


    /**
     * Check user credentials from local config
     *
     * @param string $login      Username
     * @param string $password   Password
     *
     * @return bool true if the provided credentials are valid, false otherwise
     */
    public function checkCredentialsFromLocalConfig($login, $password) {
        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));

        return $login == $this->configManager->get('credentials.login')
             && $hash == $this->configManager->get('credentials.hash');
    }

    /**
     * Check user credentials are valid through LDAP bind
     *
     * @param string $remoteIp   Remote client IP address
     * @param string $clientIpId Client IP address identifier
     * @param string $login      Username
     * @param string $password   Password
     *
     * @return bool true if the provided credentials are valid, false otherwise
     */
    public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
    {
        $connect = $connect ?? function($host) { return ldap_connect($host); };
        $bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
        return $bind($connect($this->configManager->get('ldap.host')), sprintf($this->configManager->get('ldap.dn'), $login), $password);
    }

    /**
     * Handle a failed login and ban the IP after too many failed attempts
     *
     * @param array $server The $_SERVER array
     */
    public function handleFailedLogin($server)
    {
        $this->banManager->handleFailedAttempt($server);
    }

    /**
     * Handle a successful login
     *
     * @param array $server The $_SERVER array
     */
    public function handleSuccessfulLogin($server)
    {
        $this->banManager->clearFailures($server);
    }

    /**
     * Check if the user can login from this IP
     *
     * @param array $server The $_SERVER array
     *
     * @return bool true if the user is allowed to login
     */
    public function canLogin($server)
    {
        return ! $this->banManager->isBanned($server);
    }
}
Commit	Line	Data
44acf706	1	<?php
fab87c26	2	namespace Shaarli\Security;
44acf706	3
cc2ded54	4	use Exception;
c7721487 V	5	use Shaarli\Config\ConfigManager;
c7721487 V	6
44acf706 V	7	/**
	8	* User login management
	9	*/
	10	class LoginManager
	11	{
c689e108 V	12	/ @var string Name of the cookie set after logging in /
	13	public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
	14
1b28c66c	15	/** @var array A reference to the $_GLOBALS array */
44acf706	16	protected $globals = [];
1b28c66c V	17
1b28c66c V	18	/ @var ConfigManager Configuration Manager instance /
44acf706	19	protected $configManager = null;
1b28c66c V	20
1b28c66c V	21	/ @var SessionManager Session Manager instance /
63ea23c2	22	protected $sessionManager = null;
1b28c66c	23
b49a04f7 A	24	/ @var BanManager Ban Manager instance /
b49a04f7 A	25	protected $banManager;
1b28c66c V	26
1b28c66c V	27	/ @var bool Whether the user is logged in /
63ea23c2	28	protected $isLoggedIn = false;
1b28c66c V	29
1b28c66c V	30	/ @var bool Whether the Shaarli instance is open to public edition /
63ea23c2	31	protected $openShaarli = false;
44acf706	32
c689e108 V	33	/** @var string User sign-in token depending on remote IP and credentials */
	34	protected $staySignedInToken = '';
	35
44acf706 V	36	/**
	37	* Constructor
	38	*
63ea23c2 V	39	* @param ConfigManager $configManager Configuration Manager instance
63ea23c2 V	40	* @param SessionManager $sessionManager SessionManager instance
44acf706	41	*/
b49a04f7	42	public function __construct($configManager, $sessionManager)
44acf706	43	{
44acf706	44	$this->configManager = $configManager;
63ea23c2	45	$this->sessionManager = $sessionManager;
b49a04f7 A	46	$this->banManager = new BanManager(
	47	$this->configManager->get('security.trusted_proxies', []),
	48	$this->configManager->get('security.ban_after'),
	49	$this->configManager->get('security.ban_duration'),
	50	$this->configManager->get('resource.ban_file', 'data/ipbans.php'),
	51	$this->configManager->get('resource.log')
	52	);
	53
704637bf	54	if ($this->configManager->get('security.open_shaarli') === true) {
63ea23c2 V	55	$this->openShaarli = true;
	56	}
	57	}
	58
c689e108 V	59	/**
	60	* Generate a token depending on deployment salt, user password and client IP
	61	*
	62	* @param string $clientIpAddress The remote client IP address
	63	*/
	64	public function generateStaySignedInToken($clientIpAddress)
	65	{
d9ba1cdd A	66	if ($this->configManager->get('security.session_protection_disabled') === true) {
	67	$clientIpAddress = '';
	68	}
c689e108 V	69	$this->staySignedInToken = sha1(
	70	$this->configManager->get('credentials.hash')
	71	. $clientIpAddress
	72	. $this->configManager->get('credentials.salt')
	73	);
	74	}
	75
	76	/**
	77	* Return the user's client stay-signed-in token
	78	*
	79	* @return string User's client stay-signed-in token
	80	*/
	81	public function getStaySignedInToken()
	82	{
	83	return $this->staySignedInToken;
	84	}
	85
63ea23c2 V	86	/**
	87	* Check user session state and validity (expiration)
	88	*
84742084	89	* @param array $cookie The $_COOKIE array
84742084	90	* @param string $clientIpId Client IP address identifier
63ea23c2	91	*/
c689e108	92	public function checkLoginState($cookie, $clientIpId)
63ea23c2 V	93	{
	94	if (! $this->configManager->exists('credentials.login')) {
	95	// Shaarli is not configured yet
	96	$this->isLoggedIn = false;
	97	return;
	98	}
	99
c689e108 V	100	if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
c689e108 V	101	&& $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
63ea23c2	102	) {
704637bf V	103	// The user client has a valid stay-signed-in cookie
704637bf V	104	// Session information is updated with the current client information
c7721487	105	$this->sessionManager->storeLoginInfo($clientIpId);
704637bf	106	} elseif ($this->sessionManager->hasSessionExpired()
c7721487	107	\|\| $this->sessionManager->hasClientIpChanged($clientIpId)
63ea23c2	108	) {
51f0128c	109	$this->sessionManager->logout();
63ea23c2 V	110	$this->isLoggedIn = false;
	111	return;
	112	}
	113
8edd7f15	114	$this->isLoggedIn = true;
c7721487	115	$this->sessionManager->extendSession();
63ea23c2 V	116	}
	117
	118	/**
	119	* Return whether the user is currently logged in
	120	*
	121	* @return true when the user is logged in, false otherwise
	122	*/
	123	public function isLoggedIn()
	124	{
	125	if ($this->openShaarli) {
	126	return true;
	127	}
	128	return $this->isLoggedIn;
	129	}
	130
	131	/**
	132	* Check user credentials are valid
	133	*
84742084 V	134	* @param string $remoteIp Remote client IP address
	135	* @param string $clientIpId Client IP address identifier
	136	* @param string $login Username
	137	* @param string $password Password
63ea23c2 V	138	*
	139	* @return bool true if the provided credentials are valid, false otherwise
	140	*/
84742084	141	public function checkCredentials($remoteIp, $clientIpId, $login, $password)
63ea23c2	142	{
cc2ded54 SN	143	// Check login matches config
	144	if ($login != $this->configManager->get('credentials.login')) {
	145	return false;
	146	}
63ea23c2	147
cc2ded54 SN	148	// Check credentials
cc2ded54 SN	149	try {
21e5df5e SN	150	$useLdapLogin = !empty($this->configManager->get('ldap.host'));
	151	if ((false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password))
	152	\|\| (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password))
	153	) {
cc2ded54 SN	154	$this->sessionManager->storeLoginInfo($clientIpId);
	155	logm(
	156	$this->configManager->get('resource.log'),
	157	$remoteIp,
	158	'Login successful'
	159	);
	160	return true;
	161	}
	162	}
	163	catch(Exception $exception) {
63ea23c2 V	164	logm(
63ea23c2 V	165	$this->configManager->get('resource.log'),
84742084	166	$remoteIp,
cc2ded54	167	'Exception while checking credentials: ' . $exception
63ea23c2	168	);
63ea23c2 V	169	}
63ea23c2 V	170
63ea23c2 V	171	logm(
63ea23c2 V	172	$this->configManager->get('resource.log'),
84742084	173	$remoteIp,
cc2ded54	174	'Login failed for user ' . $login
63ea23c2	175	);
cc2ded54 SN	176	return false;
	177	}
	178
	179
	180	/**
	181	* Check user credentials from local config
	182	*
	183	* @param string $login Username
	184	* @param string $password Password
	185	*
	186	* @return bool true if the provided credentials are valid, false otherwise
	187	*/
	188	public function checkCredentialsFromLocalConfig($login, $password) {
	189	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
	190
	191	return $login == $this->configManager->get('credentials.login')
	192	&& $hash == $this->configManager->get('credentials.hash');
	193	}
	194
	195	/**
	196	* Check user credentials are valid through LDAP bind
	197	*
	198	* @param string $remoteIp Remote client IP address
	199	* @param string $clientIpId Client IP address identifier
	200	* @param string $login Username
	201	* @param string $password Password
	202	*
	203	* @return bool true if the provided credentials are valid, false otherwise
	204	*/
	205	public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
	206	{
	207	$connect = $connect ?? function($host) { return ldap_connect($host); };
	208	$bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
	209	return $bind($connect($this->configManager->get('ldap.host')), sprintf($this->configManager->get('ldap.dn'), $login), $password);
44acf706 V	210	}
44acf706 V	211
44acf706 V	212	/**
	213	* Handle a failed login and ban the IP after too many failed attempts
	214	*
	215	* @param array $server The $_SERVER array
	216	*/
	217	public function handleFailedLogin($server)
	218	{
b49a04f7	219	$this->banManager->handleFailedAttempt($server);
44acf706 V	220	}
	221
	222	/**
	223	* Handle a successful login
	224	*
	225	* @param array $server The $_SERVER array
	226	*/
	227	public function handleSuccessfulLogin($server)
	228	{
b49a04f7	229	$this->banManager->clearFailures($server);
44acf706 V	230	}
	231
	232	/**
	233	* Check if the user can login from this IP
	234	*
	235	* @param array $server The $_SERVER array
	236	*
	237	* @return bool true if the user is allowed to login
	238	*/
	239	public function canLogin($server)
	240	{
b49a04f7	241	return ! $this->banManager->isBanned($server);
44acf706 V	242	}
44acf706 V	243	}