diff options
author | VirtualTam <virtualtam@flibidi.net> | 2018-04-27 22:12:22 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2018-06-02 16:46:06 +0200 |
commit | fab87c2696b9d6a26310f1bfc024b018ca5184fe (patch) | |
tree | 383d361b4ae14b8105fdef339435c83ed3da60b6 /application/security | |
parent | 68dcaccfa46649addc66674b627a83064798bbc0 (diff) | |
download | Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.gz Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.zst Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.zip |
Move LoginManager and SessionManager to the Security namespace
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application/security')
-rw-r--r-- | application/security/LoginManager.php | 238 | ||||
-rw-r--r-- | application/security/SessionManager.php | 179 |
2 files changed, 417 insertions, 0 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..e7b9b21e --- /dev/null +++ b/application/security/LoginManager.php | |||
@@ -0,0 +1,238 @@ | |||
1 | <?php | ||
2 | namespace Shaarli\Security; | ||
3 | |||
4 | use Shaarli\Config\ConfigManager; | ||
5 | |||
6 | /** | ||
7 | * User login management | ||
8 | */ | ||
9 | class LoginManager | ||
10 | { | ||
11 | /** @var array A reference to the $_GLOBALS array */ | ||
12 | protected $globals = []; | ||
13 | |||
14 | /** @var ConfigManager Configuration Manager instance **/ | ||
15 | protected $configManager = null; | ||
16 | |||
17 | /** @var SessionManager Session Manager instance **/ | ||
18 | protected $sessionManager = null; | ||
19 | |||
20 | /** @var string Path to the file containing IP bans */ | ||
21 | protected $banFile = ''; | ||
22 | |||
23 | /** @var bool Whether the user is logged in **/ | ||
24 | protected $isLoggedIn = false; | ||
25 | |||
26 | /** @var bool Whether the Shaarli instance is open to public edition **/ | ||
27 | protected $openShaarli = false; | ||
28 | |||
29 | /** | ||
30 | * Constructor | ||
31 | * | ||
32 | * @param array $globals The $GLOBALS array (reference) | ||
33 | * @param ConfigManager $configManager Configuration Manager instance | ||
34 | * @param SessionManager $sessionManager SessionManager instance | ||
35 | */ | ||
36 | public function __construct(& $globals, $configManager, $sessionManager) | ||
37 | { | ||
38 | $this->globals = &$globals; | ||
39 | $this->configManager = $configManager; | ||
40 | $this->sessionManager = $sessionManager; | ||
41 | $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); | ||
42 | $this->readBanFile(); | ||
43 | if ($this->configManager->get('security.open_shaarli')) { | ||
44 | $this->openShaarli = true; | ||
45 | } | ||
46 | } | ||
47 | |||
48 | /** | ||
49 | * Check user session state and validity (expiration) | ||
50 | * | ||
51 | * @param array $cookie The $_COOKIE array | ||
52 | * @param string $webPath Path on the server in which the cookie will be available on | ||
53 | * @param string $clientIpId Client IP address identifier | ||
54 | * @param string $token Session token | ||
55 | * | ||
56 | * @return bool true if the user session is valid, false otherwise | ||
57 | */ | ||
58 | public function checkLoginState($cookie, $webPath, $clientIpId, $token) | ||
59 | { | ||
60 | if (! $this->configManager->exists('credentials.login')) { | ||
61 | // Shaarli is not configured yet | ||
62 | $this->isLoggedIn = false; | ||
63 | return; | ||
64 | } | ||
65 | |||
66 | if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) | ||
67 | && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token | ||
68 | ) { | ||
69 | $this->sessionManager->storeLoginInfo($clientIpId); | ||
70 | $this->isLoggedIn = true; | ||
71 | } | ||
72 | |||
73 | if ($this->sessionManager->hasSessionExpired() | ||
74 | || $this->sessionManager->hasClientIpChanged($clientIpId) | ||
75 | ) { | ||
76 | $this->sessionManager->logout($webPath); | ||
77 | $this->isLoggedIn = false; | ||
78 | return; | ||
79 | } | ||
80 | |||
81 | $this->sessionManager->extendSession(); | ||
82 | } | ||
83 | |||
84 | /** | ||
85 | * Return whether the user is currently logged in | ||
86 | * | ||
87 | * @return true when the user is logged in, false otherwise | ||
88 | */ | ||
89 | public function isLoggedIn() | ||
90 | { | ||
91 | if ($this->openShaarli) { | ||
92 | return true; | ||
93 | } | ||
94 | return $this->isLoggedIn; | ||
95 | } | ||
96 | |||
97 | /** | ||
98 | * Check user credentials are valid | ||
99 | * | ||
100 | * @param string $remoteIp Remote client IP address | ||
101 | * @param string $clientIpId Client IP address identifier | ||
102 | * @param string $login Username | ||
103 | * @param string $password Password | ||
104 | * | ||
105 | * @return bool true if the provided credentials are valid, false otherwise | ||
106 | */ | ||
107 | public function checkCredentials($remoteIp, $clientIpId, $login, $password) | ||
108 | { | ||
109 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | ||
110 | |||
111 | if ($login != $this->configManager->get('credentials.login') | ||
112 | || $hash != $this->configManager->get('credentials.hash') | ||
113 | ) { | ||
114 | logm( | ||
115 | $this->configManager->get('resource.log'), | ||
116 | $remoteIp, | ||
117 | 'Login failed for user ' . $login | ||
118 | ); | ||
119 | return false; | ||
120 | } | ||
121 | |||
122 | $this->sessionManager->storeLoginInfo($clientIpId); | ||
123 | logm( | ||
124 | $this->configManager->get('resource.log'), | ||
125 | $remoteIp, | ||
126 | 'Login successful' | ||
127 | ); | ||
128 | return true; | ||
129 | } | ||
130 | |||
131 | /** | ||
132 | * Read a file containing banned IPs | ||
133 | */ | ||
134 | protected function readBanFile() | ||
135 | { | ||
136 | if (! file_exists($this->banFile)) { | ||
137 | return; | ||
138 | } | ||
139 | include $this->banFile; | ||
140 | } | ||
141 | |||
142 | /** | ||
143 | * Write the banned IPs to a file | ||
144 | */ | ||
145 | protected function writeBanFile() | ||
146 | { | ||
147 | if (! array_key_exists('IPBANS', $this->globals)) { | ||
148 | return; | ||
149 | } | ||
150 | file_put_contents( | ||
151 | $this->banFile, | ||
152 | "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>" | ||
153 | ); | ||
154 | } | ||
155 | |||
156 | /** | ||
157 | * Handle a failed login and ban the IP after too many failed attempts | ||
158 | * | ||
159 | * @param array $server The $_SERVER array | ||
160 | */ | ||
161 | public function handleFailedLogin($server) | ||
162 | { | ||
163 | $ip = $server['REMOTE_ADDR']; | ||
164 | $trusted = $this->configManager->get('security.trusted_proxies', []); | ||
165 | |||
166 | if (in_array($ip, $trusted)) { | ||
167 | $ip = getIpAddressFromProxy($server, $trusted); | ||
168 | if (! $ip) { | ||
169 | // the IP is behind a trusted forward proxy, but is not forwarded | ||
170 | // in the HTTP headers, so we do nothing | ||
171 | return; | ||
172 | } | ||
173 | } | ||
174 | |||
175 | // increment the fail count for this IP | ||
176 | if (isset($this->globals['IPBANS']['FAILURES'][$ip])) { | ||
177 | $this->globals['IPBANS']['FAILURES'][$ip]++; | ||
178 | } else { | ||
179 | $this->globals['IPBANS']['FAILURES'][$ip] = 1; | ||
180 | } | ||
181 | |||
182 | if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) { | ||
183 | $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800); | ||
184 | logm( | ||
185 | $this->configManager->get('resource.log'), | ||
186 | $server['REMOTE_ADDR'], | ||
187 | 'IP address banned from login' | ||
188 | ); | ||
189 | } | ||
190 | $this->writeBanFile(); | ||
191 | } | ||
192 | |||
193 | /** | ||
194 | * Handle a successful login | ||
195 | * | ||
196 | * @param array $server The $_SERVER array | ||
197 | */ | ||
198 | public function handleSuccessfulLogin($server) | ||
199 | { | ||
200 | $ip = $server['REMOTE_ADDR']; | ||
201 | // FIXME unban when behind a trusted proxy? | ||
202 | |||
203 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | ||
204 | unset($this->globals['IPBANS']['BANS'][$ip]); | ||
205 | |||
206 | $this->writeBanFile(); | ||
207 | } | ||
208 | |||
209 | /** | ||
210 | * Check if the user can login from this IP | ||
211 | * | ||
212 | * @param array $server The $_SERVER array | ||
213 | * | ||
214 | * @return bool true if the user is allowed to login | ||
215 | */ | ||
216 | public function canLogin($server) | ||
217 | { | ||
218 | $ip = $server['REMOTE_ADDR']; | ||
219 | |||
220 | if (! isset($this->globals['IPBANS']['BANS'][$ip])) { | ||
221 | // the user is not banned | ||
222 | return true; | ||
223 | } | ||
224 | |||
225 | if ($this->globals['IPBANS']['BANS'][$ip] > time()) { | ||
226 | // the user is still banned | ||
227 | return false; | ||
228 | } | ||
229 | |||
230 | // the ban has expired, the user can attempt to log in again | ||
231 | logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.'); | ||
232 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | ||
233 | unset($this->globals['IPBANS']['BANS'][$ip]); | ||
234 | |||
235 | $this->writeBanFile(); | ||
236 | return true; | ||
237 | } | ||
238 | } | ||
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php new file mode 100644 index 00000000..6f004b24 --- /dev/null +++ b/application/security/SessionManager.php | |||
@@ -0,0 +1,179 @@ | |||
1 | <?php | ||
2 | namespace Shaarli\Security; | ||
3 | |||
4 | use Shaarli\Config\ConfigManager; | ||
5 | |||
6 | /** | ||
7 | * Manages the server-side session | ||
8 | */ | ||
9 | class SessionManager | ||
10 | { | ||
11 | /** @var int Session expiration timeout, in seconds */ | ||
12 | public static $INACTIVITY_TIMEOUT = 3600; | ||
13 | |||
14 | /** @var string Name of the cookie set after logging in **/ | ||
15 | public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn'; | ||
16 | |||
17 | /** @var array Local reference to the global $_SESSION array */ | ||
18 | protected $session = []; | ||
19 | |||
20 | /** @var ConfigManager Configuration Manager instance **/ | ||
21 | protected $conf = null; | ||
22 | |||
23 | /** | ||
24 | * Constructor | ||
25 | * | ||
26 | * @param array $session The $_SESSION array (reference) | ||
27 | * @param ConfigManager $conf ConfigManager instance | ||
28 | */ | ||
29 | public function __construct(& $session, $conf) | ||
30 | { | ||
31 | $this->session = &$session; | ||
32 | $this->conf = $conf; | ||
33 | } | ||
34 | |||
35 | /** | ||
36 | * Generates a session token | ||
37 | * | ||
38 | * @return string token | ||
39 | */ | ||
40 | public function generateToken() | ||
41 | { | ||
42 | $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt')); | ||
43 | $this->session['tokens'][$token] = 1; | ||
44 | return $token; | ||
45 | } | ||
46 | |||
47 | /** | ||
48 | * Checks the validity of a session token, and destroys it afterwards | ||
49 | * | ||
50 | * @param string $token The token to check | ||
51 | * | ||
52 | * @return bool true if the token is valid, else false | ||
53 | */ | ||
54 | public function checkToken($token) | ||
55 | { | ||
56 | if (! isset($this->session['tokens'][$token])) { | ||
57 | // the token is wrong, or has already been used | ||
58 | return false; | ||
59 | } | ||
60 | |||
61 | // destroy the token to prevent future use | ||
62 | unset($this->session['tokens'][$token]); | ||
63 | return true; | ||
64 | } | ||
65 | |||
66 | /** | ||
67 | * Validate session ID to prevent Full Path Disclosure. | ||
68 | * | ||
69 | * See #298. | ||
70 | * The session ID's format depends on the hash algorithm set in PHP settings | ||
71 | * | ||
72 | * @param string $sessionId Session ID | ||
73 | * | ||
74 | * @return true if valid, false otherwise. | ||
75 | * | ||
76 | * @see http://php.net/manual/en/function.hash-algos.php | ||
77 | * @see http://php.net/manual/en/session.configuration.php | ||
78 | */ | ||
79 | public static function checkId($sessionId) | ||
80 | { | ||
81 | if (empty($sessionId)) { | ||
82 | return false; | ||
83 | } | ||
84 | |||
85 | if (!$sessionId) { | ||
86 | return false; | ||
87 | } | ||
88 | |||
89 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | ||
90 | return false; | ||
91 | } | ||
92 | |||
93 | return true; | ||
94 | } | ||
95 | |||
96 | /** | ||
97 | * Store user login information after a successful login | ||
98 | * | ||
99 | * @param string $clientIpId Client IP address identifier | ||
100 | */ | ||
101 | public function storeLoginInfo($clientIpId) | ||
102 | { | ||
103 | // Generate unique random number (different than phpsessionid) | ||
104 | $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); | ||
105 | $this->session['ip'] = $clientIpId; | ||
106 | $this->session['username'] = $this->conf->get('credentials.login'); | ||
107 | $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; | ||
108 | } | ||
109 | |||
110 | /** | ||
111 | * Extend session validity | ||
112 | */ | ||
113 | public function extendSession() | ||
114 | { | ||
115 | if (! empty($this->session['longlastingsession'])) { | ||
116 | // "Stay signed in" is enabled | ||
117 | $this->session['expires_on'] = time() + $this->session['longlastingsession']; | ||
118 | return; | ||
119 | } | ||
120 | $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; | ||
121 | } | ||
122 | |||
123 | /** | ||
124 | * Logout a user by unsetting all login information | ||
125 | * | ||
126 | * See: | ||
127 | * - https://secure.php.net/manual/en/function.setcookie.php | ||
128 | * | ||
129 | * @param string $webPath path on the server in which the cookie will be available on | ||
130 | */ | ||
131 | public function logout($webPath) | ||
132 | { | ||
133 | if (isset($this->session)) { | ||
134 | unset($this->session['uid']); | ||
135 | unset($this->session['ip']); | ||
136 | unset($this->session['username']); | ||
137 | unset($this->session['visibility']); | ||
138 | unset($this->session['untaggedonly']); | ||
139 | } | ||
140 | setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath); | ||
141 | } | ||
142 | |||
143 | /** | ||
144 | * Check whether the session has expired | ||
145 | * | ||
146 | * @param string $clientIpId Client IP address identifier | ||
147 | * | ||
148 | * @return bool true if the session has expired, false otherwise | ||
149 | */ | ||
150 | public function hasSessionExpired() | ||
151 | { | ||
152 | if (empty($this->session['uid'])) { | ||
153 | return true; | ||
154 | } | ||
155 | if (time() >= $this->session['expires_on']) { | ||
156 | return true; | ||
157 | } | ||
158 | return false; | ||
159 | } | ||
160 | |||
161 | /** | ||
162 | * Check whether the client IP address has changed | ||
163 | * | ||
164 | * @param string $clientIpId Client IP address identifier | ||
165 | * | ||
166 | * @return bool true if the IP has changed, false if it has not, or | ||
167 | * if session protection has been disabled | ||
168 | */ | ||
169 | public function hasClientIpChanged($clientIpId) | ||
170 | { | ||
171 | if ($this->conf->get('security.session_protection_disabled') === true) { | ||
172 | return false; | ||
173 | } | ||
174 | if ($this->session['ip'] == $clientIpId) { | ||
175 | return false; | ||
176 | } | ||
177 | return true; | ||
178 | } | ||
179 | } | ||