X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2Fsecurity%2FLoginManager.php;h=426e785e1a5431328d0818d49ec6d00d037eb0cd;hb=1e49a65a2a930390cf00114cc30d8516626331c2;hp=d6784d6da6424e266a21702b7f0686746e91fe20;hpb=d9cd27322a97e6ed3a8b11a380ef0080e3baf79c;p=github%2Fshaarli%2FShaarli.git diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index d6784d6d..426e785e 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -1,6 +1,8 @@ globals = &$globals; + public function __construct( + ConfigManager $configManager, + SessionManager $sessionManager, + CookieManager $cookieManager, + BanManager $banManager, + LoggerInterface $logger + ) { $this->configManager = $configManager; $this->sessionManager = $sessionManager; - $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); - $this->readBanFile(); + $this->cookieManager = $cookieManager; + $this->banManager = $banManager; + $this->logger = $logger; + if ($this->configManager->get('security.open_shaarli') === true) { $this->openShaarli = true; } @@ -58,6 +69,9 @@ class LoginManager */ public function generateStaySignedInToken($clientIpAddress) { + if ($this->configManager->get('security.session_protection_disabled') === true) { + $clientIpAddress = ''; + } $this->staySignedInToken = sha1( $this->configManager->get('credentials.hash') . $clientIpAddress @@ -78,10 +92,9 @@ class LoginManager /** * Check user session state and validity (expiration) * - * @param array $cookie The $_COOKIE array * @param string $clientIpId Client IP address identifier */ - public function checkLoginState($cookie, $clientIpId) + public function checkLoginState($clientIpId) { if (! $this->configManager->exists('credentials.login')) { // Shaarli is not configured yet @@ -89,13 +102,10 @@ class LoginManager return; } - if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) - && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken - ) { + if ($this->staySignedInToken === $this->cookieManager->getCookieParameter(CookieManager::STAY_SIGNED_IN)) { // The user client has a valid stay-signed-in cookie // Session information is updated with the current client information $this->sessionManager->storeLoginInfo($clientIpId); - } elseif ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) ) { @@ -113,7 +123,7 @@ class LoginManager * * @return true when the user is logged in, false otherwise */ - public function isLoggedIn() + public function isLoggedIn(): bool { if ($this->openShaarli) { return true; @@ -124,59 +134,80 @@ class LoginManager /** * Check user credentials are valid * - * @param string $remoteIp Remote client IP address * @param string $clientIpId Client IP address identifier * @param string $login Username * @param string $password Password * * @return bool true if the provided credentials are valid, false otherwise */ - public function checkCredentials($remoteIp, $clientIpId, $login, $password) + public function checkCredentials($clientIpId, $login, $password) { - $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); - - if ($login != $this->configManager->get('credentials.login') - || $hash != $this->configManager->get('credentials.hash') - ) { - logm( - $this->configManager->get('resource.log'), - $remoteIp, - 'Login failed for user ' . $login - ); - return false; + // Check credentials + try { + $useLdapLogin = !empty($this->configManager->get('ldap.host')); + if ($login === $this->configManager->get('credentials.login') + && ( + (false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password)) + || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password)) + ) + ) { + $this->sessionManager->storeLoginInfo($clientIpId); + $this->logger->info(format_log('Login successful', $clientIpId)); + + return true; + } + } catch(Exception $exception) { + $this->logger->info(format_log('Exception while checking credentials: ' . $exception, $clientIpId)); } - $this->sessionManager->storeLoginInfo($clientIpId); - logm( - $this->configManager->get('resource.log'), - $remoteIp, - 'Login successful' - ); - return true; + $this->logger->info(format_log('Login failed for user ' . $login, $clientIpId)); + + return false; } + /** - * Read a file containing banned IPs + * Check user credentials from local config + * + * @param string $login Username + * @param string $password Password + * + * @return bool true if the provided credentials are valid, false otherwise */ - protected function readBanFile() - { - if (! file_exists($this->banFile)) { - return; - } - include $this->banFile; + public function checkCredentialsFromLocalConfig($login, $password) { + $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); + + return $login == $this->configManager->get('credentials.login') + && $hash == $this->configManager->get('credentials.hash'); } /** - * Write the banned IPs to a file + * Check user credentials are valid through LDAP bind + * + * @param string $remoteIp Remote client IP address + * @param string $clientIpId Client IP address identifier + * @param string $login Username + * @param string $password Password + * + * @return bool true if the provided credentials are valid, false otherwise */ - protected function writeBanFile() + public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null) { - if (! array_key_exists('IPBANS', $this->globals)) { - return; - } - file_put_contents( - $this->banFile, - "globals['IPBANS'], true) . ";\n?>" + $connect = $connect ?? function($host) { + $resource = ldap_connect($host); + + ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); + + return $resource; + }; + $bind = $bind ?? function($handle, $dn, $password) { + return ldap_bind($handle, $dn, $password); + }; + + return $bind( + $connect($this->configManager->get('ldap.host')), + sprintf($this->configManager->get('ldap.dn'), $login), + $password ); } @@ -187,34 +218,7 @@ class LoginManager */ public function handleFailedLogin($server) { - $ip = $server['REMOTE_ADDR']; - $trusted = $this->configManager->get('security.trusted_proxies', []); - - if (in_array($ip, $trusted)) { - $ip = getIpAddressFromProxy($server, $trusted); - if (! $ip) { - // the IP is behind a trusted forward proxy, but is not forwarded - // in the HTTP headers, so we do nothing - return; - } - } - - // increment the fail count for this IP - if (isset($this->globals['IPBANS']['FAILURES'][$ip])) { - $this->globals['IPBANS']['FAILURES'][$ip]++; - } else { - $this->globals['IPBANS']['FAILURES'][$ip] = 1; - } - - if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) { - $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800); - logm( - $this->configManager->get('resource.log'), - $server['REMOTE_ADDR'], - 'IP address banned from login' - ); - } - $this->writeBanFile(); + $this->banManager->handleFailedAttempt($server); } /** @@ -224,13 +228,7 @@ class LoginManager */ public function handleSuccessfulLogin($server) { - $ip = $server['REMOTE_ADDR']; - // FIXME unban when behind a trusted proxy? - - unset($this->globals['IPBANS']['FAILURES'][$ip]); - unset($this->globals['IPBANS']['BANS'][$ip]); - - $this->writeBanFile(); + $this->banManager->clearFailures($server); } /** @@ -242,24 +240,6 @@ class LoginManager */ public function canLogin($server) { - $ip = $server['REMOTE_ADDR']; - - if (! isset($this->globals['IPBANS']['BANS'][$ip])) { - // the user is not banned - return true; - } - - if ($this->globals['IPBANS']['BANS'][$ip] > time()) { - // the user is still banned - return false; - } - - // the ban has expired, the user can attempt to log in again - logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.'); - unset($this->globals['IPBANS']['FAILURES'][$ip]); - unset($this->globals['IPBANS']['BANS'][$ip]); - - $this->writeBanFile(); - return true; + return ! $this->banManager->isBanned($server); } }