Move LoginManager and SessionManager to the Security namespace

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2018-04-27 22:12:22 +0200
committer: VirtualTam <virtualtam@flibidi.net> 2018-06-02 16:46:06 +0200
commit: fab87c2696b9d6a26310f1bfc024b018ca5184fe (patch)
tree: 383d361b4ae14b8105fdef339435c83ed3da60b6 /application/LoginManager.php
parent: 68dcaccfa46649addc66674b627a83064798bbc0 (diff)
download: Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.gz
Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.zst
Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.zip
1 files changed, 0 insertions, 238 deletions
diff --git a/application/LoginManager.php b/application/LoginManager.php
deleted file mode 100644
index 27d06705..00000000
--- a/application/LoginManager.php
+++ /dev/null
@@ -1,238 +0,0 @@
-<?php
-namespace Shaarli;
-use Shaarli\Config\ConfigManager;
-/**
- * User login management
- */
-class LoginManager
-{
-    /** @var array A reference to the $_GLOBALS array */
-    protected $globals = [];
-    /** @var ConfigManager Configuration Manager instance **/
-    protected $configManager = null;
-    /** @var SessionManager Session Manager instance **/
-    protected $sessionManager = null;
-    /** @var string Path to the file containing IP bans */
-    protected $banFile = '';
-    /** @var bool Whether the user is logged in **/
-    protected $isLoggedIn = false;
-    /** @var bool Whether the Shaarli instance is open to public edition **/
-    protected $openShaarli = false;
-    /**
-     * Constructor
-     *
-     * @param array          $globals        The $GLOBALS array (reference)
-     * @param ConfigManager  $configManager  Configuration Manager instance
-     * @param SessionManager $sessionManager SessionManager instance
-     */
-    public function __construct(& $globals, $configManager, $sessionManager)
-    {
-        $this->globals = &$globals;
-        $this->configManager = $configManager;
-        $this->sessionManager = $sessionManager;
-        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
-        $this->readBanFile();
-        if ($this->configManager->get('security.open_shaarli')) {
-            $this->openShaarli = true;
-        }
-    }
-    /**
-     * Check user session state and validity (expiration)
-     *
-     * @param array  $cookie     The $_COOKIE array
-     * @param string $webPath    Path on the server in which the cookie will be available on
-     * @param string $clientIpId Client IP address identifier
-     * @param string $token      Session token
-     *
-     * @return bool true if the user session is valid, false otherwise
-     */
-    public function checkLoginState($cookie, $webPath, $clientIpId, $token)
-    {
-        if (! $this->configManager->exists('credentials.login')) {
-            // Shaarli is not configured yet
-            $this->isLoggedIn = false;
-            return;
-        }
-        if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE])
-            && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token
-        ) {
-            $this->sessionManager->storeLoginInfo($clientIpId);
-            $this->isLoggedIn = true;
-        }
-        if ($this->sessionManager->hasSessionExpired()
-            || $this->sessionManager->hasClientIpChanged($clientIpId)
-        ) {
-            $this->sessionManager->logout($webPath);
-            $this->isLoggedIn = false;
-            return;
-        }
-        $this->sessionManager->extendSession();
-    }
-    /**
-     * Return whether the user is currently logged in
-     *
-     * @return true when the user is logged in, false otherwise
-     */
-    public function isLoggedIn()
-    {
-        if ($this->openShaarli) {
-            return true;
-        }
-        return $this->isLoggedIn;
-    }
-    /**
-     * Check user credentials are valid
-     *
-     * @param string $remoteIp   Remote client IP address
-     * @param string $clientIpId Client IP address identifier
-     * @param string $login      Username
-     * @param string $password   Password
-     *
-     * @return bool true if the provided credentials are valid, false otherwise
-     */
-    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
-    {
-        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
-        if ($login != $this->configManager->get('credentials.login')
-            || $hash != $this->configManager->get('credentials.hash')
-        ) {
-            logm(
-                $this->configManager->get('resource.log'),
-                $remoteIp,
-                'Login failed for user ' . $login
-            );
-            return false;
-        }
-        $this->sessionManager->storeLoginInfo($clientIpId);
-        logm(
-            $this->configManager->get('resource.log'),
-            $remoteIp,
-            'Login successful'
-        );
-        return true;
-    }
-    /**
-     * Read a file containing banned IPs
-     */
-    protected function readBanFile()
-    {
-        if (! file_exists($this->banFile)) {
-            return;
-        }
-        include $this->banFile;
-    }
-    /**
-     * Write the banned IPs to a file
-     */
-    protected function writeBanFile()
-    {
-        if (! array_key_exists('IPBANS', $this->globals)) {
-            return;
-        }
-        file_put_contents(
-            $this->banFile,
-            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
-        );
-    }
-    /**
-     * Handle a failed login and ban the IP after too many failed attempts
-     *
-     * @param array $server The $_SERVER array
-     */
-    public function handleFailedLogin($server)
-    {
-        $ip = $server['REMOTE_ADDR'];
-        $trusted = $this->configManager->get('security.trusted_proxies', []);
-        if (in_array($ip, $trusted)) {
-            $ip = getIpAddressFromProxy($server, $trusted);
-            if (! $ip) {
-                // the IP is behind a trusted forward proxy, but is not forwarded
-                // in the HTTP headers, so we do nothing
-                return;
-            }
-        }
-        // increment the fail count for this IP
-        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
-            $this->globals['IPBANS']['FAILURES'][$ip]++;
-        } else {
-            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
-        }
-        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
-            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
-            logm(
-                $this->configManager->get('resource.log'),
-                $server['REMOTE_ADDR'],
-                'IP address banned from login'
-            );
-        }
-        $this->writeBanFile();
-    }
-    /**
-     * Handle a successful login
-     *
-     * @param array $server The $_SERVER array
-     */
-    public function handleSuccessfulLogin($server)
-    {
-        $ip = $server['REMOTE_ADDR'];
-        // FIXME unban when behind a trusted proxy?
-        unset($this->globals['IPBANS']['FAILURES'][$ip]);
-        unset($this->globals['IPBANS']['BANS'][$ip]);
-        $this->writeBanFile();
-    }
-    /**
-     * Check if the user can login from this IP
-     *
-     * @param array $server The $_SERVER array
-     *
-     * @return bool true if the user is allowed to login
-     */
-    public function canLogin($server)
-    {
-        $ip = $server['REMOTE_ADDR'];
-        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
-            // the user is not banned
-            return true;
-        }
-        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
-            // the user is still banned
-            return false;
-        }
-        // the ban has expired, the user can attempt to log in again
-        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
-        unset($this->globals['IPBANS']['FAILURES'][$ip]);
-        unset($this->globals['IPBANS']['BANS'][$ip]);
-        $this->writeBanFile();
-        return true;
-    }
-}
author	VirtualTam <virtualtam@flibidi.net>	2018-04-27 22:12:22 +0200
committer	VirtualTam <virtualtam@flibidi.net>	2018-06-02 16:46:06 +0200
commit	fab87c2696b9d6a26310f1bfc024b018ca5184fe (patch)
tree	383d361b4ae14b8105fdef339435c83ed3da60b6 /application/LoginManager.php
parent	68dcaccfa46649addc66674b627a83064798bbc0 (diff)
download	Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.gz Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.zst Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.zip

diff --git a/application/LoginManager.php b/application/LoginManager.php deleted file mode 100644 index 27d06705..00000000 --- a/application/LoginManager.php +++ /dev/null
@@ -1,238 +0,0 @@
1	<?php
2	namespace Shaarli;
3
4	use Shaarli\Config\ConfigManager;
5
6	/**
7	* User login management
8	*/
9	class LoginManager
10	{
11	/** @var array A reference to the $_GLOBALS array */
12	protected $globals = [];
13
14	/ @var ConfigManager Configuration Manager instance /
15	protected $configManager = null;
16
17	/ @var SessionManager Session Manager instance /
18	protected $sessionManager = null;
19
20	/** @var string Path to the file containing IP bans */
21	protected $banFile = '';
22
23	/ @var bool Whether the user is logged in /
24	protected $isLoggedIn = false;
25
26	/ @var bool Whether the Shaarli instance is open to public edition /
27	protected $openShaarli = false;
28
29	/**
30	* Constructor
31	*
32	* @param array $globals The $GLOBALS array (reference)
33	* @param ConfigManager $configManager Configuration Manager instance
34	* @param SessionManager $sessionManager SessionManager instance
35	*/
36	public function __construct(& $globals, $configManager, $sessionManager)
37	{
38	$this->globals = &$globals;
39	$this->configManager = $configManager;
40	$this->sessionManager = $sessionManager;
41	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
42	$this->readBanFile();
43	if ($this->configManager->get('security.open_shaarli')) {
44	$this->openShaarli = true;
45	}
46	}
47
48	/**
49	* Check user session state and validity (expiration)
50	*
51	* @param array $cookie The $_COOKIE array
52	* @param string $webPath Path on the server in which the cookie will be available on
53	* @param string $clientIpId Client IP address identifier
54	* @param string $token Session token
55	*
56	* @return bool true if the user session is valid, false otherwise
57	*/
58	public function checkLoginState($cookie, $webPath, $clientIpId, $token)
59	{
60	if (! $this->configManager->exists('credentials.login')) {
61	// Shaarli is not configured yet
62	$this->isLoggedIn = false;
63	return;
64	}
65
66	if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE])
67	&& $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token
68	) {
69	$this->sessionManager->storeLoginInfo($clientIpId);
70	$this->isLoggedIn = true;
71	}
72
73	if ($this->sessionManager->hasSessionExpired()
74	\|\| $this->sessionManager->hasClientIpChanged($clientIpId)
75	) {
76	$this->sessionManager->logout($webPath);
77	$this->isLoggedIn = false;
78	return;
79	}
80
81	$this->sessionManager->extendSession();
82	}
83
84	/**
85	* Return whether the user is currently logged in
86	*
87	* @return true when the user is logged in, false otherwise
88	*/
89	public function isLoggedIn()
90	{
91	if ($this->openShaarli) {
92	return true;
93	}
94	return $this->isLoggedIn;
95	}
96
97	/**
98	* Check user credentials are valid
99	*
100	* @param string $remoteIp Remote client IP address
101	* @param string $clientIpId Client IP address identifier
102	* @param string $login Username
103	* @param string $password Password
104	*
105	* @return bool true if the provided credentials are valid, false otherwise
106	*/
107	public function checkCredentials($remoteIp, $clientIpId, $login, $password)
108	{
109	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
110
111	if ($login != $this->configManager->get('credentials.login')
112	\|\| $hash != $this->configManager->get('credentials.hash')
113	) {
114	logm(
115	$this->configManager->get('resource.log'),
116	$remoteIp,
117	'Login failed for user ' . $login
118	);
119	return false;
120	}
121
122	$this->sessionManager->storeLoginInfo($clientIpId);
123	logm(
124	$this->configManager->get('resource.log'),
125	$remoteIp,
126	'Login successful'
127	);
128	return true;
129	}
130
131	/**
132	* Read a file containing banned IPs
133	*/
134	protected function readBanFile()
135	{
136	if (! file_exists($this->banFile)) {
137	return;
138	}
139	include $this->banFile;
140	}
141
142	/**
143	* Write the banned IPs to a file
144	*/
145	protected function writeBanFile()
146	{
147	if (! array_key_exists('IPBANS', $this->globals)) {
148	return;
149	}
150	file_put_contents(
151	$this->banFile,
152	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
153	);
154	}
155
156	/**
157	* Handle a failed login and ban the IP after too many failed attempts
158	*
159	* @param array $server The $_SERVER array
160	*/
161	public function handleFailedLogin($server)
162	{
163	$ip = $server['REMOTE_ADDR'];
164	$trusted = $this->configManager->get('security.trusted_proxies', []);
165
166	if (in_array($ip, $trusted)) {
167	$ip = getIpAddressFromProxy($server, $trusted);
168	if (! $ip) {
169	// the IP is behind a trusted forward proxy, but is not forwarded
170	// in the HTTP headers, so we do nothing
171	return;
172	}
173	}
174
175	// increment the fail count for this IP
176	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
177	$this->globals['IPBANS']['FAILURES'][$ip]++;
178	} else {
179	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
180	}
181
182	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
183	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
184	logm(
185	$this->configManager->get('resource.log'),
186	$server['REMOTE_ADDR'],
187	'IP address banned from login'
188	);
189	}
190	$this->writeBanFile();
191	}
192
193	/**
194	* Handle a successful login
195	*
196	* @param array $server The $_SERVER array
197	*/
198	public function handleSuccessfulLogin($server)
199	{
200	$ip = $server['REMOTE_ADDR'];
201	// FIXME unban when behind a trusted proxy?
202
203	unset($this->globals['IPBANS']['FAILURES'][$ip]);
204	unset($this->globals['IPBANS']['BANS'][$ip]);
205
206	$this->writeBanFile();
207	}
208
209	/**
210	* Check if the user can login from this IP
211	*
212	* @param array $server The $_SERVER array
213	*
214	* @return bool true if the user is allowed to login
215	*/
216	public function canLogin($server)
217	{
218	$ip = $server['REMOTE_ADDR'];
219
220	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
221	// the user is not banned
222	return true;
223	}
224
225	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
226	// the user is still banned
227	return false;
228	}
229
230	// the ban has expired, the user can attempt to log in again
231	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
232	unset($this->globals['IPBANS']['FAILURES'][$ip]);
233	unset($this->globals['IPBANS']['BANS'][$ip]);
234
235	$this->writeBanFile();
236	return true;
237	}
238	}