diff options
author | VirtualTam <virtualtam@flibidi.net> | 2017-10-25 23:03:31 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2018-02-05 18:12:09 +0100 |
commit | 44acf706812bc77812e6648c2cc28af36e172a14 (patch) | |
tree | 2c211d422b9d6c27ab341644531913361b6f1024 /application | |
parent | a381c373b30ed04001ea31ff5c38e077edacaf18 (diff) | |
download | Shaarli-44acf706812bc77812e6648c2cc28af36e172a14.tar.gz Shaarli-44acf706812bc77812e6648c2cc28af36e172a14.tar.zst Shaarli-44acf706812bc77812e6648c2cc28af36e172a14.zip |
Refactor login / ban authentication steps
Relates to https://github.com/shaarli/Shaarli/issues/324
Added:
- Add the `LoginManager` class to manage logins and bans
Changed:
- Refactor IP ban management
- Simplify logic
- Avoid using globals, inject dependencies
Fixed:
- Use `ban_duration` instead of `ban_after` when setting a new ban
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application')
-rw-r--r-- | application/LoginManager.php | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/application/LoginManager.php b/application/LoginManager.php new file mode 100644 index 00000000..397bc6e3 --- /dev/null +++ b/application/LoginManager.php | |||
@@ -0,0 +1,134 @@ | |||
1 | <?php | ||
2 | namespace Shaarli; | ||
3 | |||
4 | /** | ||
5 | * User login management | ||
6 | */ | ||
7 | class LoginManager | ||
8 | { | ||
9 | protected $globals = []; | ||
10 | protected $configManager = null; | ||
11 | protected $banFile = ''; | ||
12 | |||
13 | /** | ||
14 | * Constructor | ||
15 | * | ||
16 | * @param array $globals The $GLOBALS array (reference) | ||
17 | * @param ConfigManager $configManager Configuration Manager instance. | ||
18 | */ | ||
19 | public function __construct(& $globals, $configManager) | ||
20 | { | ||
21 | $this->globals = &$globals; | ||
22 | $this->configManager = $configManager; | ||
23 | $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); | ||
24 | $this->readBanFile(); | ||
25 | } | ||
26 | |||
27 | /** | ||
28 | * Read a file containing banned IPs | ||
29 | */ | ||
30 | protected function readBanFile() | ||
31 | { | ||
32 | if (! file_exists($this->banFile)) { | ||
33 | return; | ||
34 | } | ||
35 | include $this->banFile; | ||
36 | } | ||
37 | |||
38 | /** | ||
39 | * Write the banned IPs to a file | ||
40 | */ | ||
41 | protected function writeBanFile() | ||
42 | { | ||
43 | if (! array_key_exists('IPBANS', $this->globals)) { | ||
44 | return; | ||
45 | } | ||
46 | file_put_contents( | ||
47 | $this->banFile, | ||
48 | "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>" | ||
49 | ); | ||
50 | } | ||
51 | |||
52 | /** | ||
53 | * Handle a failed login and ban the IP after too many failed attempts | ||
54 | * | ||
55 | * @param array $server The $_SERVER array | ||
56 | */ | ||
57 | public function handleFailedLogin($server) | ||
58 | { | ||
59 | $ip = $server['REMOTE_ADDR']; | ||
60 | $trusted = $this->configManager->get('security.trusted_proxies', []); | ||
61 | |||
62 | if (in_array($ip, $trusted)) { | ||
63 | $ip = getIpAddressFromProxy($server, $trusted); | ||
64 | if (! $ip) { | ||
65 | // the IP is behind a trusted forward proxy, but is not forwarded | ||
66 | // in the HTTP headers, so we do nothing | ||
67 | return; | ||
68 | } | ||
69 | } | ||
70 | |||
71 | // increment the fail count for this IP | ||
72 | if (isset($this->globals['IPBANS']['FAILURES'][$ip])) { | ||
73 | $this->globals['IPBANS']['FAILURES'][$ip]++; | ||
74 | } else { | ||
75 | $this->globals['IPBANS']['FAILURES'][$ip] = 1; | ||
76 | } | ||
77 | |||
78 | if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) { | ||
79 | $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800); | ||
80 | logm( | ||
81 | $this->configManager->get('resource.log'), | ||
82 | $server['REMOTE_ADDR'], | ||
83 | 'IP address banned from login' | ||
84 | ); | ||
85 | } | ||
86 | $this->writeBanFile(); | ||
87 | } | ||
88 | |||
89 | /** | ||
90 | * Handle a successful login | ||
91 | * | ||
92 | * @param array $server The $_SERVER array | ||
93 | */ | ||
94 | public function handleSuccessfulLogin($server) | ||
95 | { | ||
96 | $ip = $server['REMOTE_ADDR']; | ||
97 | // FIXME unban when behind a trusted proxy? | ||
98 | |||
99 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | ||
100 | unset($this->globals['IPBANS']['BANS'][$ip]); | ||
101 | |||
102 | $this->writeBanFile(); | ||
103 | } | ||
104 | |||
105 | /** | ||
106 | * Check if the user can login from this IP | ||
107 | * | ||
108 | * @param array $server The $_SERVER array | ||
109 | * | ||
110 | * @return bool true if the user is allowed to login | ||
111 | */ | ||
112 | public function canLogin($server) | ||
113 | { | ||
114 | $ip = $server['REMOTE_ADDR']; | ||
115 | |||
116 | if (! isset($this->globals['IPBANS']['BANS'][$ip])) { | ||
117 | // the user is not banned | ||
118 | return true; | ||
119 | } | ||
120 | |||
121 | if ($this->globals['IPBANS']['BANS'][$ip] > time()) { | ||
122 | // the user is still banned | ||
123 | return false; | ||
124 | } | ||
125 | |||
126 | // the ban has expired, the user can attempt to log in again | ||
127 | logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.'); | ||
128 | unset($this->globals['IPBANS']['FAILURES'][$ip]); | ||
129 | unset($this->globals['IPBANS']['BANS'][$ip]); | ||
130 | |||
131 | $this->writeBanFile(); | ||
132 | return true; | ||
133 | } | ||
134 | } | ||