]>
Commit | Line | Data |
---|---|---|
1 | <?php | |
2 | namespace Shaarli\Security; | |
3 | ||
4 | use Exception; | |
5 | use Shaarli\Config\ConfigManager; | |
6 | ||
7 | /** | |
8 | * User login management | |
9 | */ | |
10 | class LoginManager | |
11 | { | |
12 | /** @var array A reference to the $_GLOBALS array */ | |
13 | protected $globals = []; | |
14 | ||
15 | /** @var ConfigManager Configuration Manager instance **/ | |
16 | protected $configManager = null; | |
17 | ||
18 | /** @var SessionManager Session Manager instance **/ | |
19 | protected $sessionManager = null; | |
20 | ||
21 | /** @var BanManager Ban Manager instance **/ | |
22 | protected $banManager; | |
23 | ||
24 | /** @var bool Whether the user is logged in **/ | |
25 | protected $isLoggedIn = false; | |
26 | ||
27 | /** @var bool Whether the Shaarli instance is open to public edition **/ | |
28 | protected $openShaarli = false; | |
29 | ||
30 | /** @var string User sign-in token depending on remote IP and credentials */ | |
31 | protected $staySignedInToken = ''; | |
32 | /** @var CookieManager */ | |
33 | protected $cookieManager; | |
34 | ||
35 | /** | |
36 | * Constructor | |
37 | * | |
38 | * @param ConfigManager $configManager Configuration Manager instance | |
39 | * @param SessionManager $sessionManager SessionManager instance | |
40 | * @param CookieManager $cookieManager CookieManager instance | |
41 | */ | |
42 | public function __construct($configManager, $sessionManager, $cookieManager) | |
43 | { | |
44 | $this->configManager = $configManager; | |
45 | $this->sessionManager = $sessionManager; | |
46 | $this->cookieManager = $cookieManager; | |
47 | $this->banManager = new BanManager( | |
48 | $this->configManager->get('security.trusted_proxies', []), | |
49 | $this->configManager->get('security.ban_after'), | |
50 | $this->configManager->get('security.ban_duration'), | |
51 | $this->configManager->get('resource.ban_file', 'data/ipbans.php'), | |
52 | $this->configManager->get('resource.log') | |
53 | ); | |
54 | ||
55 | if ($this->configManager->get('security.open_shaarli') === true) { | |
56 | $this->openShaarli = true; | |
57 | } | |
58 | } | |
59 | ||
60 | /** | |
61 | * Generate a token depending on deployment salt, user password and client IP | |
62 | * | |
63 | * @param string $clientIpAddress The remote client IP address | |
64 | */ | |
65 | public function generateStaySignedInToken($clientIpAddress) | |
66 | { | |
67 | if ($this->configManager->get('security.session_protection_disabled') === true) { | |
68 | $clientIpAddress = ''; | |
69 | } | |
70 | $this->staySignedInToken = sha1( | |
71 | $this->configManager->get('credentials.hash') | |
72 | . $clientIpAddress | |
73 | . $this->configManager->get('credentials.salt') | |
74 | ); | |
75 | } | |
76 | ||
77 | /** | |
78 | * Return the user's client stay-signed-in token | |
79 | * | |
80 | * @return string User's client stay-signed-in token | |
81 | */ | |
82 | public function getStaySignedInToken() | |
83 | { | |
84 | return $this->staySignedInToken; | |
85 | } | |
86 | ||
87 | /** | |
88 | * Check user session state and validity (expiration) | |
89 | * | |
90 | * @param string $clientIpId Client IP address identifier | |
91 | */ | |
92 | public function checkLoginState($clientIpId) | |
93 | { | |
94 | if (! $this->configManager->exists('credentials.login')) { | |
95 | // Shaarli is not configured yet | |
96 | $this->isLoggedIn = false; | |
97 | return; | |
98 | } | |
99 | ||
100 | if ($this->staySignedInToken === $this->cookieManager->getCookieParameter(CookieManager::STAY_SIGNED_IN)) { | |
101 | // The user client has a valid stay-signed-in cookie | |
102 | // Session information is updated with the current client information | |
103 | $this->sessionManager->storeLoginInfo($clientIpId); | |
104 | } elseif ($this->sessionManager->hasSessionExpired() | |
105 | || $this->sessionManager->hasClientIpChanged($clientIpId) | |
106 | ) { | |
107 | $this->sessionManager->logout(); | |
108 | $this->isLoggedIn = false; | |
109 | return; | |
110 | } | |
111 | ||
112 | $this->isLoggedIn = true; | |
113 | $this->sessionManager->extendSession(); | |
114 | } | |
115 | ||
116 | /** | |
117 | * Return whether the user is currently logged in | |
118 | * | |
119 | * @return true when the user is logged in, false otherwise | |
120 | */ | |
121 | public function isLoggedIn() | |
122 | { | |
123 | if ($this->openShaarli) { | |
124 | return true; | |
125 | } | |
126 | return $this->isLoggedIn; | |
127 | } | |
128 | ||
129 | /** | |
130 | * Check user credentials are valid | |
131 | * | |
132 | * @param string $remoteIp Remote client IP address | |
133 | * @param string $clientIpId Client IP address identifier | |
134 | * @param string $login Username | |
135 | * @param string $password Password | |
136 | * | |
137 | * @return bool true if the provided credentials are valid, false otherwise | |
138 | */ | |
139 | public function checkCredentials($remoteIp, $clientIpId, $login, $password) | |
140 | { | |
141 | // Check login matches config | |
142 | if ($login !== $this->configManager->get('credentials.login')) { | |
143 | return false; | |
144 | } | |
145 | ||
146 | // Check credentials | |
147 | try { | |
148 | $useLdapLogin = !empty($this->configManager->get('ldap.host')); | |
149 | if ((false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password)) | |
150 | || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password)) | |
151 | ) { | |
152 | $this->sessionManager->storeLoginInfo($clientIpId); | |
153 | logm( | |
154 | $this->configManager->get('resource.log'), | |
155 | $remoteIp, | |
156 | 'Login successful' | |
157 | ); | |
158 | return true; | |
159 | } | |
160 | } | |
161 | catch(Exception $exception) { | |
162 | logm( | |
163 | $this->configManager->get('resource.log'), | |
164 | $remoteIp, | |
165 | 'Exception while checking credentials: ' . $exception | |
166 | ); | |
167 | } | |
168 | ||
169 | logm( | |
170 | $this->configManager->get('resource.log'), | |
171 | $remoteIp, | |
172 | 'Login failed for user ' . $login | |
173 | ); | |
174 | return false; | |
175 | } | |
176 | ||
177 | ||
178 | /** | |
179 | * Check user credentials from local config | |
180 | * | |
181 | * @param string $login Username | |
182 | * @param string $password Password | |
183 | * | |
184 | * @return bool true if the provided credentials are valid, false otherwise | |
185 | */ | |
186 | public function checkCredentialsFromLocalConfig($login, $password) { | |
187 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | |
188 | ||
189 | return $login == $this->configManager->get('credentials.login') | |
190 | && $hash == $this->configManager->get('credentials.hash'); | |
191 | } | |
192 | ||
193 | /** | |
194 | * Check user credentials are valid through LDAP bind | |
195 | * | |
196 | * @param string $remoteIp Remote client IP address | |
197 | * @param string $clientIpId Client IP address identifier | |
198 | * @param string $login Username | |
199 | * @param string $password Password | |
200 | * | |
201 | * @return bool true if the provided credentials are valid, false otherwise | |
202 | */ | |
203 | public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null) | |
204 | { | |
205 | $connect = $connect ?? function($host) { | |
206 | $resource = ldap_connect($host); | |
207 | ||
208 | ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); | |
209 | ||
210 | return $resource; | |
211 | }; | |
212 | $bind = $bind ?? function($handle, $dn, $password) { | |
213 | return ldap_bind($handle, $dn, $password); | |
214 | }; | |
215 | ||
216 | return $bind( | |
217 | $connect($this->configManager->get('ldap.host')), | |
218 | sprintf($this->configManager->get('ldap.dn'), $login), | |
219 | $password | |
220 | ); | |
221 | } | |
222 | ||
223 | /** | |
224 | * Handle a failed login and ban the IP after too many failed attempts | |
225 | * | |
226 | * @param array $server The $_SERVER array | |
227 | */ | |
228 | public function handleFailedLogin($server) | |
229 | { | |
230 | $this->banManager->handleFailedAttempt($server); | |
231 | } | |
232 | ||
233 | /** | |
234 | * Handle a successful login | |
235 | * | |
236 | * @param array $server The $_SERVER array | |
237 | */ | |
238 | public function handleSuccessfulLogin($server) | |
239 | { | |
240 | $this->banManager->clearFailures($server); | |
241 | } | |
242 | ||
243 | /** | |
244 | * Check if the user can login from this IP | |
245 | * | |
246 | * @param array $server The $_SERVER array | |
247 | * | |
248 | * @return bool true if the user is allowed to login | |
249 | */ | |
250 | public function canLogin($server) | |
251 | { | |
252 | return ! $this->banManager->isBanned($server); | |
253 | } | |
254 | } |