]>
Commit | Line | Data |
---|---|---|
1 | <?php | |
2 | namespace Shaarli; | |
3 | ||
4 | /** | |
5 | * User login management | |
6 | */ | |
7 | class LoginManager | |
8 | { | |
9 | protected $globals = []; | |
10 | protected $configManager = null; | |
11 | protected $banFile = ''; | |
12 | ||
13 | /** | |
14 | * Constructor | |
15 | * | |
16 | * @param array $globals The $GLOBALS array (reference) | |
17 | * @param ConfigManager $configManager Configuration Manager instance. | |
18 | */ | |
19 | public function __construct(& $globals, $configManager) | |
20 | { | |
21 | $this->globals = &$globals; | |
22 | $this->configManager = $configManager; | |
23 | $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); | |
24 | $this->readBanFile(); | |
25 | } | |
26 | ||
27 | /** | |
28 | * Read a file containing banned IPs | |
29 | */ | |
30 | protected function readBanFile() | |
31 | { | |
32 | if (! file_exists($this->banFile)) { | |
33 | return; | |
34 | } | |
35 | include $this->banFile; | |
36 | } | |
37 | ||
38 | /** | |
39 | * Write the banned IPs to a file | |
40 | */ | |
41 | protected function writeBanFile() | |
42 | { | |
43 | if (! array_key_exists('IPBANS', $this->globals)) { | |
44 | return; | |
45 | } | |
46 | file_put_contents( | |
47 | $this->banFile, | |
48 | "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>" | |
49 | ); | |
50 | } | |
51 | ||
52 | /** | |
53 | * Handle a failed login and ban the IP after too many failed attempts | |
54 | * | |
55 | * @param array $server The $_SERVER array | |
56 | */ | |
57 | public function handleFailedLogin($server) | |
58 | { | |
59 | $ip = $server['REMOTE_ADDR']; | |
60 | $trusted = $this->configManager->get('security.trusted_proxies', []); | |
61 | ||
62 | if (in_array($ip, $trusted)) { | |
63 | $ip = getIpAddressFromProxy($server, $trusted); | |
64 | if (! $ip) { | |
65 | // the IP is behind a trusted forward proxy, but is not forwarded | |
66 | // in the HTTP headers, so we do nothing | |
67 | return; | |
68 | } | |
69 | } | |
70 | ||
71 | // increment the fail count for this IP | |
72 | if (isset($this->globals['IPBANS']['FAILURES'][$ip])) { | |
73 | $this->globals['IPBANS']['FAILURES'][$ip]++; | |
74 | } else { | |
75 | $this->globals['IPBANS']['FAILURES'][$ip] = 1; | |
76 | } | |
77 | ||
78 | if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) { | |
79 | $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800); | |
80 | logm( | |
81 | $this->configManager->get('resource.log'), | |
82 | $server['REMOTE_ADDR'], | |
83 | 'IP address banned from login' | |
84 | ); | |
85 | } | |
86 | $this->writeBanFile(); | |
87 | } | |
88 | ||
89 | /** | |
90 | * Handle a successful login | |
91 | * | |
92 | * @param array $server The $_SERVER array | |
93 | */ | |
94 | public function handleSuccessfulLogin($server) | |
95 | { | |
96 | $ip = $server['REMOTE_ADDR']; | |
97 | // FIXME unban when behind a trusted proxy? | |
98 | ||
99 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | |
100 | unset($this->globals['IPBANS']['BANS'][$ip]); | |
101 | ||
102 | $this->writeBanFile(); | |
103 | } | |
104 | ||
105 | /** | |
106 | * Check if the user can login from this IP | |
107 | * | |
108 | * @param array $server The $_SERVER array | |
109 | * | |
110 | * @return bool true if the user is allowed to login | |
111 | */ | |
112 | public function canLogin($server) | |
113 | { | |
114 | $ip = $server['REMOTE_ADDR']; | |
115 | ||
116 | if (! isset($this->globals['IPBANS']['BANS'][$ip])) { | |
117 | // the user is not banned | |
118 | return true; | |
119 | } | |
120 | ||
121 | if ($this->globals['IPBANS']['BANS'][$ip] > time()) { | |
122 | // the user is still banned | |
123 | return false; | |
124 | } | |
125 | ||
126 | // the ban has expired, the user can attempt to log in again | |
127 | logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.'); | |
128 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | |
129 | unset($this->globals['IPBANS']['BANS'][$ip]); | |
130 | ||
131 | $this->writeBanFile(); | |
132 | return true; | |
133 | } | |
134 | } |