X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2Fsecurity%2FLoginManager.php;h=bdfaca7b29f05e4c46a8f79e848990bd18d3d33f;hb=refs%2Fheads%2Fgitolite_local%2Fldap;hp=e7b9b21ef5c80d63919cfa304cd75d00daa0b2d7;hpb=fab87c2696b9d6a26310f1bfc024b018ca5184fe;p=github%2Fshaarli%2FShaarli.git diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index e7b9b21e..bdfaca7b 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -8,6 +8,9 @@ use Shaarli\Config\ConfigManager; */ class LoginManager { + /** @var string Name of the cookie set after logging in **/ + public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn'; + /** @var array A reference to the $_GLOBALS array */ protected $globals = []; @@ -26,6 +29,12 @@ class LoginManager /** @var bool Whether the Shaarli instance is open to public edition **/ protected $openShaarli = false; + /** @var string User sign-in token depending on remote IP and credentials */ + protected $staySignedInToken = ''; + + protected $lastErrorReason = ''; + protected $lastErrorIsBanishable = false; + /** * Constructor * @@ -40,44 +49,65 @@ class LoginManager $this->sessionManager = $sessionManager; $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); $this->readBanFile(); - if ($this->configManager->get('security.open_shaarli')) { + if ($this->configManager->get('security.open_shaarli') === true) { $this->openShaarli = true; } } + /** + * Generate a token depending on deployment salt, user password and client IP + * + * @param string $clientIpAddress The remote client IP address + */ + public function generateStaySignedInToken($clientIpAddress) + { + $this->staySignedInToken = sha1( + $this->configManager->get('credentials.hash') + . $clientIpAddress + . $this->configManager->get('credentials.salt') + ); + } + + /** + * Return the user's client stay-signed-in token + * + * @return string User's client stay-signed-in token + */ + public function getStaySignedInToken() + { + return $this->staySignedInToken; + } + /** * Check user session state and validity (expiration) * * @param array $cookie The $_COOKIE array - * @param string $webPath Path on the server in which the cookie will be available on * @param string $clientIpId Client IP address identifier - * @param string $token Session token - * - * @return bool true if the user session is valid, false otherwise */ - public function checkLoginState($cookie, $webPath, $clientIpId, $token) + public function checkLoginState($cookie, $clientIpId) { - if (! $this->configManager->exists('credentials.login')) { + if (! $this->configManager->exists('credentials.login') || (isset($_SESSION['username']) && $_SESSION['username'] && $this->configManager->get('credentials.login') !== $_SESSION['username'])) { // Shaarli is not configured yet $this->isLoggedIn = false; return; } - if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) - && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token + if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) + && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken ) { + // The user client has a valid stay-signed-in cookie + // Session information is updated with the current client information $this->sessionManager->storeLoginInfo($clientIpId); - $this->isLoggedIn = true; - } - if ($this->sessionManager->hasSessionExpired() + } elseif ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) ) { - $this->sessionManager->logout($webPath); + $this->sessionManager->logout(); $this->isLoggedIn = false; return; } + $this->isLoggedIn = true; $this->sessionManager->extendSession(); } @@ -106,20 +136,40 @@ class LoginManager */ public function checkCredentials($remoteIp, $clientIpId, $login, $password) { - $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); + $this->lastErrorIsBanishable = false; - if ($login != $this->configManager->get('credentials.login') - || $hash != $this->configManager->get('credentials.hash') - ) { + if ($this->configManager->getUserSpace() !== null && $this->configManager->getUserSpace() !== $login) { + logm($this->configManager->get('resource.log'), + $remoteIp, + 'Trying to login to wrong user space'); + $this->lastErrorReason = 'You’re trying to access the wrong account.'; + return false; + } + + logm($this->configManager->get('resource.log'), + $remoteIp, + 'Trying LDAP connection'); + $result = $this->configManager->findLDAPUser($login, $password); + if ($result === false) { logm( $this->configManager->get('resource.log'), $remoteIp, - 'Login failed for user ' . $login + 'Impossible to connect to LDAP' + ); + $this->lastErrorReason = 'Server error.'; + return false; + } else if (is_null($result)) { + logm( + $this->configManager->get('resource.log'), + $remoteIp, + 'Login failed for user ' . $login ); + $this->lastErrorIsBanishable = true; + $this->lastErrorReason = 'Wrong login/password.'; return false; } - $this->sessionManager->storeLoginInfo($clientIpId); + $this->sessionManager->storeLoginInfo($clientIpId, $login); logm( $this->configManager->get('resource.log'), $remoteIp, @@ -160,6 +210,10 @@ class LoginManager */ public function handleFailedLogin($server) { + if (!$this->lastErrorIsBanishable) { + return $this->lastErrorReason ?: 'Error during login.'; + }; + $ip = $server['REMOTE_ADDR']; $trusted = $this->configManager->get('security.trusted_proxies', []); @@ -188,6 +242,7 @@ class LoginManager ); } $this->writeBanFile(); + return $this->lastErrorReason ?: 'Error during login.'; } /**