]>
Commit | Line | Data |
---|---|---|
44acf706 V |
1 | <?php |
2 | namespace Shaarli; | |
3 | ||
4 | /** | |
5 | * User login management | |
6 | */ | |
7 | class LoginManager | |
8 | { | |
1b28c66c | 9 | /** @var array A reference to the $_GLOBALS array */ |
44acf706 | 10 | protected $globals = []; |
1b28c66c V |
11 | |
12 | /** @var ConfigManager Configuration Manager instance **/ | |
44acf706 | 13 | protected $configManager = null; |
1b28c66c V |
14 | |
15 | /** @var SessionManager Session Manager instance **/ | |
63ea23c2 | 16 | protected $sessionManager = null; |
1b28c66c V |
17 | |
18 | /** @var string Path to the file containing IP bans */ | |
44acf706 | 19 | protected $banFile = ''; |
1b28c66c V |
20 | |
21 | /** @var bool Whether the user is logged in **/ | |
63ea23c2 | 22 | protected $isLoggedIn = false; |
1b28c66c V |
23 | |
24 | /** @var bool Whether the Shaarli instance is open to public edition **/ | |
63ea23c2 | 25 | protected $openShaarli = false; |
44acf706 V |
26 | |
27 | /** | |
28 | * Constructor | |
29 | * | |
63ea23c2 V |
30 | * @param array $globals The $GLOBALS array (reference) |
31 | * @param ConfigManager $configManager Configuration Manager instance | |
32 | * @param SessionManager $sessionManager SessionManager instance | |
44acf706 | 33 | */ |
63ea23c2 | 34 | public function __construct(& $globals, $configManager, $sessionManager) |
44acf706 V |
35 | { |
36 | $this->globals = &$globals; | |
37 | $this->configManager = $configManager; | |
63ea23c2 | 38 | $this->sessionManager = $sessionManager; |
44acf706 V |
39 | $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); |
40 | $this->readBanFile(); | |
63ea23c2 V |
41 | if ($this->configManager->get('security.open_shaarli')) { |
42 | $this->openShaarli = true; | |
43 | } | |
44 | } | |
45 | ||
46 | /** | |
47 | * Check user session state and validity (expiration) | |
48 | * | |
49 | * @param array $server The $_SERVER array | |
50 | * @param array $session The $_SESSION array (reference) | |
51 | * @param array $cookie The $_COOKIE array | |
52 | * @param string $webPath Path on the server in which the cookie will be available on | |
53 | * @param string $token Session token | |
54 | * | |
55 | * @return bool true if the user session is valid, false otherwise | |
56 | */ | |
57 | public function checkLoginState($server, & $session, $cookie, $webPath, $token) | |
58 | { | |
59 | if (! $this->configManager->exists('credentials.login')) { | |
60 | // Shaarli is not configured yet | |
61 | $this->isLoggedIn = false; | |
62 | return; | |
63 | } | |
64 | ||
65 | if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) | |
66 | && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token | |
67 | ) { | |
68 | $this->sessionManager->storeLoginInfo($server); | |
69 | $this->isLoggedIn = true; | |
70 | } | |
71 | ||
72 | // Logout when: | |
73 | // - the session does not exist on the server side | |
74 | // - the session has expired | |
75 | // - the client IP address has changed | |
76 | if (empty($session['uid']) | |
77 | || ($this->configManager->get('security.session_protection_disabled') === false | |
78 | && $session['ip'] != client_ip_id($server)) | |
79 | || time() >= $session['expires_on'] | |
80 | ) { | |
81 | $this->sessionManager->logout($webPath); | |
82 | $this->isLoggedIn = false; | |
83 | return; | |
84 | } | |
85 | ||
86 | // Extend session validity | |
87 | if (! empty($session['longlastingsession'])) { | |
88 | // "Stay signed in" is enabled | |
89 | $session['expires_on'] = time() + $session['longlastingsession']; | |
90 | } else { | |
91 | $session['expires_on'] = time() + SessionManager::$INACTIVITY_TIMEOUT; | |
92 | } | |
93 | } | |
94 | ||
95 | /** | |
96 | * Return whether the user is currently logged in | |
97 | * | |
98 | * @return true when the user is logged in, false otherwise | |
99 | */ | |
100 | public function isLoggedIn() | |
101 | { | |
102 | if ($this->openShaarli) { | |
103 | return true; | |
104 | } | |
105 | return $this->isLoggedIn; | |
106 | } | |
107 | ||
108 | /** | |
109 | * Check user credentials are valid | |
110 | * | |
111 | * @param array $server The $_SERVER array | |
112 | * @param string $login Username | |
113 | * @param string $password Password | |
114 | * | |
115 | * @return bool true if the provided credentials are valid, false otherwise | |
116 | */ | |
117 | public function checkCredentials($server, $login, $password) | |
118 | { | |
119 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | |
120 | ||
121 | if ($login != $this->configManager->get('credentials.login') | |
122 | || $hash != $this->configManager->get('credentials.hash') | |
123 | ) { | |
124 | logm( | |
125 | $this->configManager->get('resource.log'), | |
126 | $server['REMOTE_ADDR'], | |
127 | 'Login failed for user ' . $login | |
128 | ); | |
129 | return false; | |
130 | } | |
131 | ||
132 | $this->sessionManager->storeLoginInfo($server); | |
133 | logm( | |
134 | $this->configManager->get('resource.log'), | |
135 | $server['REMOTE_ADDR'], | |
136 | 'Login successful' | |
137 | ); | |
138 | return true; | |
44acf706 V |
139 | } |
140 | ||
141 | /** | |
142 | * Read a file containing banned IPs | |
143 | */ | |
144 | protected function readBanFile() | |
145 | { | |
146 | if (! file_exists($this->banFile)) { | |
147 | return; | |
148 | } | |
149 | include $this->banFile; | |
150 | } | |
151 | ||
152 | /** | |
153 | * Write the banned IPs to a file | |
154 | */ | |
155 | protected function writeBanFile() | |
156 | { | |
157 | if (! array_key_exists('IPBANS', $this->globals)) { | |
158 | return; | |
159 | } | |
160 | file_put_contents( | |
161 | $this->banFile, | |
162 | "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>" | |
163 | ); | |
164 | } | |
165 | ||
166 | /** | |
167 | * Handle a failed login and ban the IP after too many failed attempts | |
168 | * | |
169 | * @param array $server The $_SERVER array | |
170 | */ | |
171 | public function handleFailedLogin($server) | |
172 | { | |
173 | $ip = $server['REMOTE_ADDR']; | |
174 | $trusted = $this->configManager->get('security.trusted_proxies', []); | |
175 | ||
176 | if (in_array($ip, $trusted)) { | |
177 | $ip = getIpAddressFromProxy($server, $trusted); | |
178 | if (! $ip) { | |
179 | // the IP is behind a trusted forward proxy, but is not forwarded | |
180 | // in the HTTP headers, so we do nothing | |
181 | return; | |
182 | } | |
183 | } | |
184 | ||
185 | // increment the fail count for this IP | |
186 | if (isset($this->globals['IPBANS']['FAILURES'][$ip])) { | |
187 | $this->globals['IPBANS']['FAILURES'][$ip]++; | |
188 | } else { | |
189 | $this->globals['IPBANS']['FAILURES'][$ip] = 1; | |
190 | } | |
191 | ||
192 | if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) { | |
193 | $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800); | |
194 | logm( | |
195 | $this->configManager->get('resource.log'), | |
196 | $server['REMOTE_ADDR'], | |
197 | 'IP address banned from login' | |
198 | ); | |
199 | } | |
200 | $this->writeBanFile(); | |
201 | } | |
202 | ||
203 | /** | |
204 | * Handle a successful login | |
205 | * | |
206 | * @param array $server The $_SERVER array | |
207 | */ | |
208 | public function handleSuccessfulLogin($server) | |
209 | { | |
210 | $ip = $server['REMOTE_ADDR']; | |
211 | // FIXME unban when behind a trusted proxy? | |
212 | ||
213 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | |
214 | unset($this->globals['IPBANS']['BANS'][$ip]); | |
215 | ||
216 | $this->writeBanFile(); | |
217 | } | |
218 | ||
219 | /** | |
220 | * Check if the user can login from this IP | |
221 | * | |
222 | * @param array $server The $_SERVER array | |
223 | * | |
224 | * @return bool true if the user is allowed to login | |
225 | */ | |
226 | public function canLogin($server) | |
227 | { | |
228 | $ip = $server['REMOTE_ADDR']; | |
229 | ||
230 | if (! isset($this->globals['IPBANS']['BANS'][$ip])) { | |
231 | // the user is not banned | |
232 | return true; | |
233 | } | |
234 | ||
235 | if ($this->globals['IPBANS']['BANS'][$ip] > time()) { | |
236 | // the user is still banned | |
237 | return false; | |
238 | } | |
239 | ||
240 | // the ban has expired, the user can attempt to log in again | |
241 | logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.'); | |
242 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | |
243 | unset($this->globals['IPBANS']['BANS'][$ip]); | |
244 | ||
245 | $this->writeBanFile(); | |
246 | return true; | |
247 | } | |
248 | } |