diff options
author | ArthurHoaro <arthur@hoa.ro> | 2020-06-25 16:53:18 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-06-25 16:53:18 +0200 |
commit | 78c2f122e067f8bab62deb7ef758708721f4a9ba (patch) | |
tree | 521baacd42ca547c13bf22549cd0a9025af0c371 /application | |
parent | e1231265bc46b070a4edd573c417aa030fe83426 (diff) | |
parent | 8694e8411b19d499ff58d8168fba448c63a5e443 (diff) | |
download | Shaarli-78c2f122e067f8bab62deb7ef758708721f4a9ba.tar.gz Shaarli-78c2f122e067f8bab62deb7ef758708721f4a9ba.tar.zst Shaarli-78c2f122e067f8bab62deb7ef758708721f4a9ba.zip |
Merge pull request #1428 from pipoprods/feat/ldap-auth
Diffstat (limited to 'application')
-rw-r--r-- | application/security/LoginManager.php | 79 |
1 files changed, 70 insertions, 9 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 0b0ce0b1..39ec9b2e 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php | |||
@@ -1,6 +1,7 @@ | |||
1 | <?php | 1 | <?php |
2 | namespace Shaarli\Security; | 2 | namespace Shaarli\Security; |
3 | 3 | ||
4 | use Exception; | ||
4 | use Shaarli\Config\ConfigManager; | 5 | use Shaarli\Config\ConfigManager; |
5 | 6 | ||
6 | /** | 7 | /** |
@@ -139,26 +140,86 @@ class LoginManager | |||
139 | */ | 140 | */ |
140 | public function checkCredentials($remoteIp, $clientIpId, $login, $password) | 141 | public function checkCredentials($remoteIp, $clientIpId, $login, $password) |
141 | { | 142 | { |
142 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | 143 | // Check login matches config |
144 | if ($login !== $this->configManager->get('credentials.login')) { | ||
145 | return false; | ||
146 | } | ||
143 | 147 | ||
144 | if ($login != $this->configManager->get('credentials.login') | 148 | // Check credentials |
145 | || $hash != $this->configManager->get('credentials.hash') | 149 | try { |
146 | ) { | 150 | $useLdapLogin = !empty($this->configManager->get('ldap.host')); |
151 | if ((false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password)) | ||
152 | || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password)) | ||
153 | ) { | ||
154 | $this->sessionManager->storeLoginInfo($clientIpId); | ||
155 | logm( | ||
156 | $this->configManager->get('resource.log'), | ||
157 | $remoteIp, | ||
158 | 'Login successful' | ||
159 | ); | ||
160 | return true; | ||
161 | } | ||
162 | } | ||
163 | catch(Exception $exception) { | ||
147 | logm( | 164 | logm( |
148 | $this->configManager->get('resource.log'), | 165 | $this->configManager->get('resource.log'), |
149 | $remoteIp, | 166 | $remoteIp, |
150 | 'Login failed for user ' . $login | 167 | 'Exception while checking credentials: ' . $exception |
151 | ); | 168 | ); |
152 | return false; | ||
153 | } | 169 | } |
154 | 170 | ||
155 | $this->sessionManager->storeLoginInfo($clientIpId); | ||
156 | logm( | 171 | logm( |
157 | $this->configManager->get('resource.log'), | 172 | $this->configManager->get('resource.log'), |
158 | $remoteIp, | 173 | $remoteIp, |
159 | 'Login successful' | 174 | 'Login failed for user ' . $login |
175 | ); | ||
176 | return false; | ||
177 | } | ||
178 | |||
179 | |||
180 | /** | ||
181 | * Check user credentials from local config | ||
182 | * | ||
183 | * @param string $login Username | ||
184 | * @param string $password Password | ||
185 | * | ||
186 | * @return bool true if the provided credentials are valid, false otherwise | ||
187 | */ | ||
188 | public function checkCredentialsFromLocalConfig($login, $password) { | ||
189 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | ||
190 | |||
191 | return $login == $this->configManager->get('credentials.login') | ||
192 | && $hash == $this->configManager->get('credentials.hash'); | ||
193 | } | ||
194 | |||
195 | /** | ||
196 | * Check user credentials are valid through LDAP bind | ||
197 | * | ||
198 | * @param string $remoteIp Remote client IP address | ||
199 | * @param string $clientIpId Client IP address identifier | ||
200 | * @param string $login Username | ||
201 | * @param string $password Password | ||
202 | * | ||
203 | * @return bool true if the provided credentials are valid, false otherwise | ||
204 | */ | ||
205 | public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null) | ||
206 | { | ||
207 | $connect = $connect ?? function($host) { | ||
208 | $resource = ldap_connect($host); | ||
209 | |||
210 | ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); | ||
211 | |||
212 | return $resource; | ||
213 | }; | ||
214 | $bind = $bind ?? function($handle, $dn, $password) { | ||
215 | return ldap_bind($handle, $dn, $password); | ||
216 | }; | ||
217 | |||
218 | return $bind( | ||
219 | $connect($this->configManager->get('ldap.host')), | ||
220 | sprintf($this->configManager->get('ldap.dn'), $login), | ||
221 | $password | ||
160 | ); | 222 | ); |
161 | return true; | ||
162 | } | 223 | } |
163 | 224 | ||
164 | /** | 225 | /** |