X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2Fsecurity%2FLoginManager.php;h=bdfaca7b29f05e4c46a8f79e848990bd18d3d33f;hb=refs%2Fheads%2Fgitolite_local%2Fldap;hp=27247f3f1fd9ac97581e220be54091400dfe91fb;hpb=51f0128cdba52099c40693379e72f094b42a6f80;p=github%2Fshaarli%2FShaarli.git diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 27247f3f..bdfaca7b 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -8,6 +8,9 @@ use Shaarli\Config\ConfigManager; */ class LoginManager { + /** @var string Name of the cookie set after logging in **/ + public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn'; + /** @var array A reference to the $_GLOBALS array */ protected $globals = []; @@ -26,6 +29,12 @@ class LoginManager /** @var bool Whether the Shaarli instance is open to public edition **/ protected $openShaarli = false; + /** @var string User sign-in token depending on remote IP and credentials */ + protected $staySignedInToken = ''; + + protected $lastErrorReason = ''; + protected $lastErrorIsBanishable = false; + /** * Constructor * @@ -40,36 +49,57 @@ class LoginManager $this->sessionManager = $sessionManager; $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); $this->readBanFile(); - if ($this->configManager->get('security.open_shaarli')) { + if ($this->configManager->get('security.open_shaarli') === true) { $this->openShaarli = true; } } + /** + * Generate a token depending on deployment salt, user password and client IP + * + * @param string $clientIpAddress The remote client IP address + */ + public function generateStaySignedInToken($clientIpAddress) + { + $this->staySignedInToken = sha1( + $this->configManager->get('credentials.hash') + . $clientIpAddress + . $this->configManager->get('credentials.salt') + ); + } + + /** + * Return the user's client stay-signed-in token + * + * @return string User's client stay-signed-in token + */ + public function getStaySignedInToken() + { + return $this->staySignedInToken; + } + /** * Check user session state and validity (expiration) * * @param array $cookie The $_COOKIE array * @param string $clientIpId Client IP address identifier - * @param string $token Session token - * - * @return bool true if the user session is valid, false otherwise */ - public function checkLoginState($cookie, $clientIpId, $token) + public function checkLoginState($cookie, $clientIpId) { - if (! $this->configManager->exists('credentials.login')) { + if (! $this->configManager->exists('credentials.login') || (isset($_SESSION['username']) && $_SESSION['username'] && $this->configManager->get('credentials.login') !== $_SESSION['username'])) { // Shaarli is not configured yet $this->isLoggedIn = false; return; } - if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) - && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token + if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) + && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken ) { + // The user client has a valid stay-signed-in cookie + // Session information is updated with the current client information $this->sessionManager->storeLoginInfo($clientIpId); - $this->isLoggedIn = true; - } - if ($this->sessionManager->hasSessionExpired() + } elseif ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) ) { $this->sessionManager->logout(); @@ -77,6 +107,7 @@ class LoginManager return; } + $this->isLoggedIn = true; $this->sessionManager->extendSession(); } @@ -105,20 +136,40 @@ class LoginManager */ public function checkCredentials($remoteIp, $clientIpId, $login, $password) { - $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); + $this->lastErrorIsBanishable = false; - if ($login != $this->configManager->get('credentials.login') - || $hash != $this->configManager->get('credentials.hash') - ) { + if ($this->configManager->getUserSpace() !== null && $this->configManager->getUserSpace() !== $login) { + logm($this->configManager->get('resource.log'), + $remoteIp, + 'Trying to login to wrong user space'); + $this->lastErrorReason = 'You’re trying to access the wrong account.'; + return false; + } + + logm($this->configManager->get('resource.log'), + $remoteIp, + 'Trying LDAP connection'); + $result = $this->configManager->findLDAPUser($login, $password); + if ($result === false) { logm( $this->configManager->get('resource.log'), $remoteIp, - 'Login failed for user ' . $login + 'Impossible to connect to LDAP' + ); + $this->lastErrorReason = 'Server error.'; + return false; + } else if (is_null($result)) { + logm( + $this->configManager->get('resource.log'), + $remoteIp, + 'Login failed for user ' . $login ); + $this->lastErrorIsBanishable = true; + $this->lastErrorReason = 'Wrong login/password.'; return false; } - $this->sessionManager->storeLoginInfo($clientIpId); + $this->sessionManager->storeLoginInfo($clientIpId, $login); logm( $this->configManager->get('resource.log'), $remoteIp, @@ -159,6 +210,10 @@ class LoginManager */ public function handleFailedLogin($server) { + if (!$this->lastErrorIsBanishable) { + return $this->lastErrorReason ?: 'Error during login.'; + }; + $ip = $server['REMOTE_ADDR']; $trusted = $this->configManager->get('security.trusted_proxies', []); @@ -187,6 +242,7 @@ class LoginManager ); } $this->writeBanFile(); + return $this->lastErrorReason ?: 'Error during login.'; } /**