Merge tag 'v0.10.4' into stable

Release v0.10.4
author: ArthurHoaro <arthur@hoa.ro> 2019-07-27 12:34:30 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2019-07-27 12:34:30 +0200
commit: 38672ba0d1c722e5d6d33a58255ceb55e9410e46 (patch)
tree: dae4c7c47532380eac3ae641db99122fc77c93dc /application/security/LoginManager.php
parent: 83faedadff76c5bdca036f39f13943f63b27e164 (diff)
parent: 1e77e0448bbd25675d8c0fe4a73206ad9048904b (diff)
download: Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.tar.gz
Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.tar.zst
Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.zip
1 files changed, 264 insertions, 0 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
new file mode 100644
index 00000000..0f315483
--- /dev/null
+++ b/application/security/LoginManager.php
@@ -0,0 +1,264 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\Config\ConfigManager;
+/**
+ * User login management
+ */
+class LoginManager
+{
+    /** @var string Name of the cookie set after logging in **/
+    public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
+    /** @var array A reference to the $_GLOBALS array */
+    protected $globals = [];
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $configManager = null;
+    /** @var SessionManager Session Manager instance **/
+    protected $sessionManager = null;
+    /** @var string Path to the file containing IP bans */
+    protected $banFile = '';
+    /** @var bool Whether the user is logged in **/
+    protected $isLoggedIn = false;
+    /** @var bool Whether the Shaarli instance is open to public edition **/
+    protected $openShaarli = false;
+    /** @var string User sign-in token depending on remote IP and credentials */
+    protected $staySignedInToken = '';
+    /**
+     * Constructor
+     *
+     * @param array          $globals        The $GLOBALS array (reference)
+     * @param ConfigManager  $configManager  Configuration Manager instance
+     * @param SessionManager $sessionManager SessionManager instance
+     */
+    public function __construct(& $globals, $configManager, $sessionManager)
+    {
+        $this->globals = &$globals;
+        $this->configManager = $configManager;
+        $this->sessionManager = $sessionManager;
+        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->readBanFile();
+        if ($this->configManager->get('security.open_shaarli') === true) {
+            $this->openShaarli = true;
+        }
+    }
+    /**
+     * Generate a token depending on deployment salt, user password and client IP
+     *
+     * @param string $clientIpAddress The remote client IP address
+     */
+    public function generateStaySignedInToken($clientIpAddress)
+    {
+        $this->staySignedInToken = sha1(
+            $this->configManager->get('credentials.hash')
+            . $clientIpAddress
+            . $this->configManager->get('credentials.salt')
+        );
+    }
+    /**
+     * Return the user's client stay-signed-in token
+     *
+     * @return string User's client stay-signed-in token
+     */
+    public function getStaySignedInToken()
+    {
+        return $this->staySignedInToken;
+    }
+    /**
+     * Check user session state and validity (expiration)
+     *
+     * @param array  $cookie     The $_COOKIE array
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function checkLoginState($cookie, $clientIpId)
+    {
+        if (! $this->configManager->exists('credentials.login')) {
+            // Shaarli is not configured yet
+            $this->isLoggedIn = false;
+            return;
+        }
+        if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
+            && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
+        ) {
+            // The user client has a valid stay-signed-in cookie
+            // Session information is updated with the current client information
+            $this->sessionManager->storeLoginInfo($clientIpId);
+        } elseif ($this->sessionManager->hasSessionExpired()
+            || $this->sessionManager->hasClientIpChanged($clientIpId)
+        ) {
+            $this->sessionManager->logout();
+            $this->isLoggedIn = false;
+            return;
+        }
+        $this->isLoggedIn = true;
+        $this->sessionManager->extendSession();
+    }
+    /**
+     * Return whether the user is currently logged in
+     *
+     * @return true when the user is logged in, false otherwise
+     */
+    public function isLoggedIn()
+    {
+        if ($this->openShaarli) {
+            return true;
+        }
+        return $this->isLoggedIn;
+    }
+    /**
+     * Check user credentials are valid
+     *
+     * @param string $remoteIp   Remote client IP address
+     * @param string $clientIpId Client IP address identifier
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
+    {
+        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        if ($login != $this->configManager->get('credentials.login')
+            || $hash != $this->configManager->get('credentials.hash')
+        ) {
+            logm(
+                $this->configManager->get('resource.log'),
+                $remoteIp,
+                'Login failed for user ' . $login
+            );
+            return false;
+        }
+        $this->sessionManager->storeLoginInfo($clientIpId);
+        logm(
+            $this->configManager->get('resource.log'),
+            $remoteIp,
+            'Login successful'
+        );
+        return true;
+    }
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        if (! file_exists($this->banFile)) {
+            return;
+        }
+        include $this->banFile;
+    }
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        if (! array_key_exists('IPBANS', $this->globals)) {
+            return;
+        }
+        file_put_contents(
+            $this->banFile,
+            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
+        );
+    }
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        $trusted = $this->configManager->get('security.trusted_proxies', []);
+        if (in_array($ip, $trusted)) {
+            $ip = getIpAddressFromProxy($server, $trusted);
+            if (! $ip) {
+                // the IP is behind a trusted forward proxy, but is not forwarded
+                // in the HTTP headers, so we do nothing
+                return;
+            }
+        }
+        // increment the fail count for this IP
+        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
+            $this->globals['IPBANS']['FAILURES'][$ip]++;
+        } else {
+            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
+        }
+        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
+            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
+            logm(
+                $this->configManager->get('resource.log'),
+                $server['REMOTE_ADDR'],
+                'IP address banned from login'
+            );
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Handle a successful login
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleSuccessfulLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        // FIXME unban when behind a trusted proxy?
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+    }
+    /**
+     * Check if the user can login from this IP
+     *
+     * @param array $server The $_SERVER array
+     *
+     * @return bool true if the user is allowed to login
+     */
+    public function canLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
+            // the user is not banned
+            return true;
+        }
+        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
+            // the user is still banned
+            return false;
+        }
+        // the ban has expired, the user can attempt to log in again
+        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+        return true;
+    }
+}
author	ArthurHoaro <arthur@hoa.ro>	2019-07-27 12:34:30 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2019-07-27 12:34:30 +0200
commit	38672ba0d1c722e5d6d33a58255ceb55e9410e46 (patch)
tree	dae4c7c47532380eac3ae641db99122fc77c93dc /application/security/LoginManager.php
parent	83faedadff76c5bdca036f39f13943f63b27e164 (diff)
parent	1e77e0448bbd25675d8c0fe4a73206ad9048904b (diff)
download	Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.tar.gz Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.tar.zst Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.zip

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..0f315483 --- /dev/null +++ b/application/security/LoginManager.php
@@ -0,0 +1,264 @@
	1	<?php
	2	namespace Shaarli\Security;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	/**
	7	* User login management
	8	*/
	9	class LoginManager
	10	{
	11	/ @var string Name of the cookie set after logging in /
	12	public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
	13
	14	/** @var array A reference to the $_GLOBALS array */
	15	protected $globals = [];
	16
	17	/ @var ConfigManager Configuration Manager instance /
	18	protected $configManager = null;
	19
	20	/ @var SessionManager Session Manager instance /
	21	protected $sessionManager = null;
	22
	23	/** @var string Path to the file containing IP bans */
	24	protected $banFile = '';
	25
	26	/ @var bool Whether the user is logged in /
	27	protected $isLoggedIn = false;
	28
	29	/ @var bool Whether the Shaarli instance is open to public edition /
	30	protected $openShaarli = false;
	31
	32	/** @var string User sign-in token depending on remote IP and credentials */
	33	protected $staySignedInToken = '';
	34
	35	/**
	36	* Constructor
	37	*
	38	* @param array $globals The $GLOBALS array (reference)
	39	* @param ConfigManager $configManager Configuration Manager instance
	40	* @param SessionManager $sessionManager SessionManager instance
	41	*/
	42	public function __construct(& $globals, $configManager, $sessionManager)
	43	{
	44	$this->globals = &$globals;
	45	$this->configManager = $configManager;
	46	$this->sessionManager = $sessionManager;
	47	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
	48	$this->readBanFile();
	49	if ($this->configManager->get('security.open_shaarli') === true) {
	50	$this->openShaarli = true;
	51	}
	52	}
	53
	54	/**
	55	* Generate a token depending on deployment salt, user password and client IP
	56	*
	57	* @param string $clientIpAddress The remote client IP address
	58	*/
	59	public function generateStaySignedInToken($clientIpAddress)
	60	{
	61	$this->staySignedInToken = sha1(
	62	$this->configManager->get('credentials.hash')
	63	. $clientIpAddress
	64	. $this->configManager->get('credentials.salt')
	65	);
	66	}
	67
	68	/**
	69	* Return the user's client stay-signed-in token
	70	*
	71	* @return string User's client stay-signed-in token
	72	*/
	73	public function getStaySignedInToken()
	74	{
	75	return $this->staySignedInToken;
	76	}
	77
	78	/**
	79	* Check user session state and validity (expiration)
	80	*
	81	* @param array $cookie The $_COOKIE array
	82	* @param string $clientIpId Client IP address identifier
	83	*/
	84	public function checkLoginState($cookie, $clientIpId)
	85	{
	86	if (! $this->configManager->exists('credentials.login')) {
	87	// Shaarli is not configured yet
	88	$this->isLoggedIn = false;
	89	return;
	90	}
	91
	92	if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
	93	&& $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
	94	) {
	95	// The user client has a valid stay-signed-in cookie
	96	// Session information is updated with the current client information
	97	$this->sessionManager->storeLoginInfo($clientIpId);
	98	} elseif ($this->sessionManager->hasSessionExpired()
	99	\|\| $this->sessionManager->hasClientIpChanged($clientIpId)
	100	) {
	101	$this->sessionManager->logout();
	102	$this->isLoggedIn = false;
	103	return;
	104	}
	105
	106	$this->isLoggedIn = true;
	107	$this->sessionManager->extendSession();
	108	}
	109
	110	/**
	111	* Return whether the user is currently logged in
	112	*
	113	* @return true when the user is logged in, false otherwise
	114	*/
	115	public function isLoggedIn()
	116	{
	117	if ($this->openShaarli) {
	118	return true;
	119	}
	120	return $this->isLoggedIn;
	121	}
	122
	123	/**
	124	* Check user credentials are valid
	125	*
	126	* @param string $remoteIp Remote client IP address
	127	* @param string $clientIpId Client IP address identifier
	128	* @param string $login Username
	129	* @param string $password Password
	130	*
	131	* @return bool true if the provided credentials are valid, false otherwise
	132	*/
	133	public function checkCredentials($remoteIp, $clientIpId, $login, $password)
	134	{
	135	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
	136
	137	if ($login != $this->configManager->get('credentials.login')
	138	\|\| $hash != $this->configManager->get('credentials.hash')
	139	) {
	140	logm(
	141	$this->configManager->get('resource.log'),
	142	$remoteIp,
	143	'Login failed for user ' . $login
	144	);
	145	return false;
	146	}
	147
	148	$this->sessionManager->storeLoginInfo($clientIpId);
	149	logm(
	150	$this->configManager->get('resource.log'),
	151	$remoteIp,
	152	'Login successful'
	153	);
	154	return true;
	155	}
	156
	157	/**
	158	* Read a file containing banned IPs
	159	*/
	160	protected function readBanFile()
	161	{
	162	if (! file_exists($this->banFile)) {
	163	return;
	164	}
	165	include $this->banFile;
	166	}
	167
	168	/**
	169	* Write the banned IPs to a file
	170	*/
	171	protected function writeBanFile()
	172	{
	173	if (! array_key_exists('IPBANS', $this->globals)) {
	174	return;
	175	}
	176	file_put_contents(
	177	$this->banFile,
	178	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
	179	);
	180	}
	181
	182	/**
	183	* Handle a failed login and ban the IP after too many failed attempts
	184	*
	185	* @param array $server The $_SERVER array
	186	*/
	187	public function handleFailedLogin($server)
	188	{
	189	$ip = $server['REMOTE_ADDR'];
	190	$trusted = $this->configManager->get('security.trusted_proxies', []);
	191
	192	if (in_array($ip, $trusted)) {
	193	$ip = getIpAddressFromProxy($server, $trusted);
	194	if (! $ip) {
	195	// the IP is behind a trusted forward proxy, but is not forwarded
	196	// in the HTTP headers, so we do nothing
	197	return;
	198	}
	199	}
	200
	201	// increment the fail count for this IP
	202	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
	203	$this->globals['IPBANS']['FAILURES'][$ip]++;
	204	} else {
	205	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
	206	}
	207
	208	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
	209	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
	210	logm(
	211	$this->configManager->get('resource.log'),
	212	$server['REMOTE_ADDR'],
	213	'IP address banned from login'
	214	);
	215	}
	216	$this->writeBanFile();
	217	}
	218
	219	/**
	220	* Handle a successful login
	221	*
	222	* @param array $server The $_SERVER array
	223	*/
	224	public function handleSuccessfulLogin($server)
	225	{
	226	$ip = $server['REMOTE_ADDR'];
	227	// FIXME unban when behind a trusted proxy?
	228
	229	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	230	unset($this->globals['IPBANS']['BANS'][$ip]);
	231
	232	$this->writeBanFile();
	233	}
	234
	235	/**
	236	* Check if the user can login from this IP
	237	*
	238	* @param array $server The $_SERVER array
	239	*
	240	* @return bool true if the user is allowed to login
	241	*/
	242	public function canLogin($server)
	243	{
	244	$ip = $server['REMOTE_ADDR'];
	245
	246	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
	247	// the user is not banned
	248	return true;
	249	}
	250
	251	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
	252	// the user is still banned
	253	return false;
	254	}
	255
	256	// the ban has expired, the user can attempt to log in again
	257	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
	258	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	259	unset($this->globals['IPBANS']['BANS'][$ip]);
	260
	261	$this->writeBanFile();
	262	return true;
	263	}
	264	}