diff options
author | VirtualTam <virtualtam+github@flibidi.net> | 2018-06-03 18:26:32 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-06-03 18:26:32 +0200 |
commit | d9cd27322a97e6ed3a8b11a380ef0080e3baf79c (patch) | |
tree | c4299a352b3f4c518f79eb7208f667f68f8e9388 /application/security/LoginManager.php | |
parent | 8f816d8ddfe9219e15580cef6e5c9037d1d4fd28 (diff) | |
parent | 8edd7f15886620b07064aa889aea05c5acbc0e58 (diff) | |
download | Shaarli-d9cd27322a97e6ed3a8b11a380ef0080e3baf79c.tar.gz Shaarli-d9cd27322a97e6ed3a8b11a380ef0080e3baf79c.tar.zst Shaarli-d9cd27322a97e6ed3a8b11a380ef0080e3baf79c.zip |
Merge pull request #1086 from virtualtam/refactor/login
Refactor user login and session management
Diffstat (limited to 'application/security/LoginManager.php')
-rw-r--r-- | application/security/LoginManager.php | 265 |
1 files changed, 265 insertions, 0 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..d6784d6d --- /dev/null +++ b/application/security/LoginManager.php | |||
@@ -0,0 +1,265 @@ | |||
1 | <?php | ||
2 | namespace Shaarli\Security; | ||
3 | |||
4 | use Shaarli\Config\ConfigManager; | ||
5 | |||
6 | /** | ||
7 | * User login management | ||
8 | */ | ||
9 | class LoginManager | ||
10 | { | ||
11 | /** @var string Name of the cookie set after logging in **/ | ||
12 | public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn'; | ||
13 | |||
14 | /** @var array A reference to the $_GLOBALS array */ | ||
15 | protected $globals = []; | ||
16 | |||
17 | /** @var ConfigManager Configuration Manager instance **/ | ||
18 | protected $configManager = null; | ||
19 | |||
20 | /** @var SessionManager Session Manager instance **/ | ||
21 | protected $sessionManager = null; | ||
22 | |||
23 | /** @var string Path to the file containing IP bans */ | ||
24 | protected $banFile = ''; | ||
25 | |||
26 | /** @var bool Whether the user is logged in **/ | ||
27 | protected $isLoggedIn = false; | ||
28 | |||
29 | /** @var bool Whether the Shaarli instance is open to public edition **/ | ||
30 | protected $openShaarli = false; | ||
31 | |||
32 | /** @var string User sign-in token depending on remote IP and credentials */ | ||
33 | protected $staySignedInToken = ''; | ||
34 | |||
35 | /** | ||
36 | * Constructor | ||
37 | * | ||
38 | * @param array $globals The $GLOBALS array (reference) | ||
39 | * @param ConfigManager $configManager Configuration Manager instance | ||
40 | * @param SessionManager $sessionManager SessionManager instance | ||
41 | */ | ||
42 | public function __construct(& $globals, $configManager, $sessionManager) | ||
43 | { | ||
44 | $this->globals = &$globals; | ||
45 | $this->configManager = $configManager; | ||
46 | $this->sessionManager = $sessionManager; | ||
47 | $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); | ||
48 | $this->readBanFile(); | ||
49 | if ($this->configManager->get('security.open_shaarli') === true) { | ||
50 | $this->openShaarli = true; | ||
51 | } | ||
52 | } | ||
53 | |||
54 | /** | ||
55 | * Generate a token depending on deployment salt, user password and client IP | ||
56 | * | ||
57 | * @param string $clientIpAddress The remote client IP address | ||
58 | */ | ||
59 | public function generateStaySignedInToken($clientIpAddress) | ||
60 | { | ||
61 | $this->staySignedInToken = sha1( | ||
62 | $this->configManager->get('credentials.hash') | ||
63 | . $clientIpAddress | ||
64 | . $this->configManager->get('credentials.salt') | ||
65 | ); | ||
66 | } | ||
67 | |||
68 | /** | ||
69 | * Return the user's client stay-signed-in token | ||
70 | * | ||
71 | * @return string User's client stay-signed-in token | ||
72 | */ | ||
73 | public function getStaySignedInToken() | ||
74 | { | ||
75 | return $this->staySignedInToken; | ||
76 | } | ||
77 | |||
78 | /** | ||
79 | * Check user session state and validity (expiration) | ||
80 | * | ||
81 | * @param array $cookie The $_COOKIE array | ||
82 | * @param string $clientIpId Client IP address identifier | ||
83 | */ | ||
84 | public function checkLoginState($cookie, $clientIpId) | ||
85 | { | ||
86 | if (! $this->configManager->exists('credentials.login')) { | ||
87 | // Shaarli is not configured yet | ||
88 | $this->isLoggedIn = false; | ||
89 | return; | ||
90 | } | ||
91 | |||
92 | if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) | ||
93 | && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken | ||
94 | ) { | ||
95 | // The user client has a valid stay-signed-in cookie | ||
96 | // Session information is updated with the current client information | ||
97 | $this->sessionManager->storeLoginInfo($clientIpId); | ||
98 | |||
99 | } elseif ($this->sessionManager->hasSessionExpired() | ||
100 | || $this->sessionManager->hasClientIpChanged($clientIpId) | ||
101 | ) { | ||
102 | $this->sessionManager->logout(); | ||
103 | $this->isLoggedIn = false; | ||
104 | return; | ||
105 | } | ||
106 | |||
107 | $this->isLoggedIn = true; | ||
108 | $this->sessionManager->extendSession(); | ||
109 | } | ||
110 | |||
111 | /** | ||
112 | * Return whether the user is currently logged in | ||
113 | * | ||
114 | * @return true when the user is logged in, false otherwise | ||
115 | */ | ||
116 | public function isLoggedIn() | ||
117 | { | ||
118 | if ($this->openShaarli) { | ||
119 | return true; | ||
120 | } | ||
121 | return $this->isLoggedIn; | ||
122 | } | ||
123 | |||
124 | /** | ||
125 | * Check user credentials are valid | ||
126 | * | ||
127 | * @param string $remoteIp Remote client IP address | ||
128 | * @param string $clientIpId Client IP address identifier | ||
129 | * @param string $login Username | ||
130 | * @param string $password Password | ||
131 | * | ||
132 | * @return bool true if the provided credentials are valid, false otherwise | ||
133 | */ | ||
134 | public function checkCredentials($remoteIp, $clientIpId, $login, $password) | ||
135 | { | ||
136 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | ||
137 | |||
138 | if ($login != $this->configManager->get('credentials.login') | ||
139 | || $hash != $this->configManager->get('credentials.hash') | ||
140 | ) { | ||
141 | logm( | ||
142 | $this->configManager->get('resource.log'), | ||
143 | $remoteIp, | ||
144 | 'Login failed for user ' . $login | ||
145 | ); | ||
146 | return false; | ||
147 | } | ||
148 | |||
149 | $this->sessionManager->storeLoginInfo($clientIpId); | ||
150 | logm( | ||
151 | $this->configManager->get('resource.log'), | ||
152 | $remoteIp, | ||
153 | 'Login successful' | ||
154 | ); | ||
155 | return true; | ||
156 | } | ||
157 | |||
158 | /** | ||
159 | * Read a file containing banned IPs | ||
160 | */ | ||
161 | protected function readBanFile() | ||
162 | { | ||
163 | if (! file_exists($this->banFile)) { | ||
164 | return; | ||
165 | } | ||
166 | include $this->banFile; | ||
167 | } | ||
168 | |||
169 | /** | ||
170 | * Write the banned IPs to a file | ||
171 | */ | ||
172 | protected function writeBanFile() | ||
173 | { | ||
174 | if (! array_key_exists('IPBANS', $this->globals)) { | ||
175 | return; | ||
176 | } | ||
177 | file_put_contents( | ||
178 | $this->banFile, | ||
179 | "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>" | ||
180 | ); | ||
181 | } | ||
182 | |||
183 | /** | ||
184 | * Handle a failed login and ban the IP after too many failed attempts | ||
185 | * | ||
186 | * @param array $server The $_SERVER array | ||
187 | */ | ||
188 | public function handleFailedLogin($server) | ||
189 | { | ||
190 | $ip = $server['REMOTE_ADDR']; | ||
191 | $trusted = $this->configManager->get('security.trusted_proxies', []); | ||
192 | |||
193 | if (in_array($ip, $trusted)) { | ||
194 | $ip = getIpAddressFromProxy($server, $trusted); | ||
195 | if (! $ip) { | ||
196 | // the IP is behind a trusted forward proxy, but is not forwarded | ||
197 | // in the HTTP headers, so we do nothing | ||
198 | return; | ||
199 | } | ||
200 | } | ||
201 | |||
202 | // increment the fail count for this IP | ||
203 | if (isset($this->globals['IPBANS']['FAILURES'][$ip])) { | ||
204 | $this->globals['IPBANS']['FAILURES'][$ip]++; | ||
205 | } else { | ||
206 | $this->globals['IPBANS']['FAILURES'][$ip] = 1; | ||
207 | } | ||
208 | |||
209 | if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) { | ||
210 | $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800); | ||
211 | logm( | ||
212 | $this->configManager->get('resource.log'), | ||
213 | $server['REMOTE_ADDR'], | ||
214 | 'IP address banned from login' | ||
215 | ); | ||
216 | } | ||
217 | $this->writeBanFile(); | ||
218 | } | ||
219 | |||
220 | /** | ||
221 | * Handle a successful login | ||
222 | * | ||
223 | * @param array $server The $_SERVER array | ||
224 | */ | ||
225 | public function handleSuccessfulLogin($server) | ||
226 | { | ||
227 | $ip = $server['REMOTE_ADDR']; | ||
228 | // FIXME unban when behind a trusted proxy? | ||
229 | |||
230 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | ||
231 | unset($this->globals['IPBANS']['BANS'][$ip]); | ||
232 | |||
233 | $this->writeBanFile(); | ||
234 | } | ||
235 | |||
236 | /** | ||
237 | * Check if the user can login from this IP | ||
238 | * | ||
239 | * @param array $server The $_SERVER array | ||
240 | * | ||
241 | * @return bool true if the user is allowed to login | ||
242 | */ | ||
243 | public function canLogin($server) | ||
244 | { | ||
245 | $ip = $server['REMOTE_ADDR']; | ||
246 | |||
247 | if (! isset($this->globals['IPBANS']['BANS'][$ip])) { | ||
248 | // the user is not banned | ||
249 | return true; | ||
250 | } | ||
251 | |||
252 | if ($this->globals['IPBANS']['BANS'][$ip] > time()) { | ||
253 | // the user is still banned | ||
254 | return false; | ||
255 | } | ||
256 | |||
257 | // the ban has expired, the user can attempt to log in again | ||
258 | logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.'); | ||
259 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | ||
260 | unset($this->globals['IPBANS']['BANS'][$ip]); | ||
261 | |||
262 | $this->writeBanFile(); | ||
263 | return true; | ||
264 | } | ||
265 | } | ||