author | Sébastien NOBILI <code@pipoprods.org> | 2020-03-02 17:08:19 +0100 |
---|---|---|
committer | Sébastien NOBILI <code@pipoprods.org> | 2020-03-02 17:13:18 +0100 |
commit | cc2ded54e12e3f3140b895067af086cd71cc5dc6 (patch) | |
tree | 5e95c4b5b6d7eadef25cbb503167e8f89608162d /application/security | |
parent | 810f0f6c96b6d26e22164027185c5996b425816c (diff) | |
download | Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.tar.gz Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.tar.zst Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.zip |
ldap authentication, fixes shaarli/Shaarli#1343
Diffstat (limited to 'application/security')
-rw-r--r-- | application/security/LoginManager.php | 64 |
1 files changed, 55 insertions, 9 deletions
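--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -1,6 +1,7 @@
 <?php
 namespace Shaarli\Security;
 
+use Exception;
 use Shaarli\Config\ConfigManager;
 
 /**
@@ -139,26 +140,71 @@ class LoginManager
 */
 public function checkCredentials($remoteIp, $clientIpId, $login, $password)
 {
-$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+// Check login matches config
+if ($login != $this->configManager->get('credentials.login')) {
+return false;
+}
 
-if ($login != $this->configManager->get('credentials.login')
-|| $hash != $this->configManager->get('credentials.hash')
-) {
+// Check credentials
+try {
+if (($this->configManager->get('ldap.host') != "" && $this->checkCredentialsFromLdap($login, $password))
+|| ($this->configManager->get('ldap.host') == "" && $this->checkCredentialsFromLocalConfig($login, $password))) {
+$this->sessionManager->storeLoginInfo($clientIpId);
+logm(
+$this->configManager->get('resource.log'),
+$remoteIp,
+'Login successful'
+);
+return true;
+}
+}
+catch(Exception $exception) {
 logm(
 $this->configManager->get('resource.log'),
 $remoteIp,
-'Login failed for user ' . $login
+'Exception while checking credentials: ' . $exception
 );
-return false;
 }
 
-$this->sessionManager->storeLoginInfo($clientIpId);
 logm(
 $this->configManager->get('resource.log'),
 $remoteIp,
-'Login successful'
+'Login failed for user ' . $login
 );
-return true;
+return false;
+}
+
+
+/**
+* Check user credentials from local config
+*
+* @param string $login Username
+* @param string $password Password
+*
+* @return bool true if the provided credentials are valid, false otherwise
+*/
+public function checkCredentialsFromLocalConfig($login, $password) {
+$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+
+return $login == $this->configManager->get('credentials.login')
+&& $hash == $this->configManager->get('credentials.hash');
+}
+
+/**
+* Check user credentials are valid through LDAP bind
+*
+* @param string $remoteIp Remote client IP address
+* @param string $clientIpId Client IP address identifier
+* @param string $login Username
+* @param string $password Password
+*
+* @return bool true if the provided credentials are valid, false otherwise
+*/
+public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
+{
+$connect = $connect ?? function($host) { return ldap_connect($host); };
+$bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
+return $bind($connect($this->configManager->get('ldap.host')), sprintf($this->configManager->get('ldap.dn'), $login), $password);
 }
 
 /**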
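Review bot: In `checkCredentialsFromLdap` at the end of the second hunk, the submitted password is handed straight to `ldap_bind()`, and an empty password turns that call into an anonymous bind that most directories accept, so a known login with a blank password would be authenticated; the method should reject `$password === ''` before connecting and treat a `false` return from `$connect` as a failure instead of passing it to `$bind`, as in the rewrite below. The login is also interpolated into the bind DN by `sprintf` unescaped; wrap it as `ldap_escape($login, '', LDAP_ESCAPE_DN)`. In `checkCredentialsFromLocalConfig`, `$hash == $this->configManager->get('credentials.hash')` should be `hash_equals((string) $this->configManager->get('credentials.hash'), $hash)`, because `==` compares two numeric-looking hex strings numerically and is not constant-time. The `catch` block in `checkCredentials` logs `$exception` cast to a string, whose trace may include call arguments (and so the password) depending on `zend.exception_ignore_args`; logging `$exception->getMessage()` avoids that. The `checkCredentialsFromLdap` docblock lists `$remoteIp` and `$clientIpId`, which are not parameters, and omits `$connect` and `$bind`.
```php
    public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
    {
        // An empty password makes ldap_bind() perform an anonymous bind, which most
        // directories accept: refuse it before contacting the server.
        if ($password === '') {
            return false;
        }
        $connect = $connect ?? function($host) { return ldap_connect($host); };
        $bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
        $handle = $connect($this->configManager->get('ldap.host'));
        if ($handle === false) {
            return false;
        }
        // Escape the login so a crafted username cannot alter the bind DN.
        $dn = sprintf($this->configManager->get('ldap.dn'), ldap_escape($login, '', LDAP_ESCAPE_DN));
        return (bool) $bind($handle, $dn, $password);
    }
```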