1 files changed, 134 insertions, 0 deletions
diff --git a/application/LoginManager.php b/application/LoginManager.php
new file mode 100644
index 00000000..397bc6e3
--- /dev/null
+++ b/application/LoginManager.php
@@ -0,0 +1,134 @@
+<?php
+namespace Shaarli;
+/**
+ * User login management
+ */
+class LoginManager
+{
+    protected $globals = [];
+    protected $configManager = null;
+    protected $banFile = '';
+    /**
+     * Constructor
+     *
+     * @param array         $globals       The $GLOBALS array (reference)
+     * @param ConfigManager $configManager Configuration Manager instance.
+     */
+    public function __construct(& $globals, $configManager)
+    {
+        $this->globals = &$globals;
+        $this->configManager = $configManager;
+        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->readBanFile();
+    }
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        if (! file_exists($this->banFile)) {
+            return;
+        }
+        include $this->banFile;
+    }
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        if (! array_key_exists('IPBANS', $this->globals)) {
+            return;
+        }
+        file_put_contents(
+            $this->banFile,
+            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
+        );
+    }
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        $trusted = $this->configManager->get('security.trusted_proxies', []);
+        if (in_array($ip, $trusted)) {
+            $ip = getIpAddressFromProxy($server, $trusted);
+            if (! $ip) {
+                // the IP is behind a trusted forward proxy, but is not forwarded
+                // in the HTTP headers, so we do nothing
+                return;
+            }
+        }
+        // increment the fail count for this IP
+        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
+            $this->globals['IPBANS']['FAILURES'][$ip]++;
+        } else {
+            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
+        }
+        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
+            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
+            logm(
+                $this->configManager->get('resource.log'),
+                $server['REMOTE_ADDR'],
+                'IP address banned from login'
+            );
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Handle a successful login
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleSuccessfulLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        // FIXME unban when behind a trusted proxy?
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+    }
+    /**
+     * Check if the user can login from this IP
+     *
+     * @param array $server The $_SERVER array
+     *
+     * @return bool true if the user is allowed to login
+     */
+    public function canLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
+            // the user is not banned
+            return true;
+        }
+        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
+            // the user is still banned
+            return false;
+        }
+        // the ban has expired, the user can attempt to log in again
+        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+        return true;
+    }
+}

diff --git a/application/LoginManager.php b/application/LoginManager.php new file mode 100644 index 00000000..397bc6e3 --- /dev/null +++ b/application/LoginManager.php
@@ -0,0 +1,134 @@
	1	<?php
	2	namespace Shaarli;
	3
	4	/**
	5	* User login management
	6	*/
	7	class LoginManager
	8	{
	9	protected $globals = [];
	10	protected $configManager = null;
	11	protected $banFile = '';
	12
	13	/**
	14	* Constructor
	15	*
	16	* @param array $globals The $GLOBALS array (reference)
	17	* @param ConfigManager $configManager Configuration Manager instance.
	18	*/
	19	public function __construct(& $globals, $configManager)
	20	{
	21	$this->globals = &$globals;
	22	$this->configManager = $configManager;
	23	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
	24	$this->readBanFile();
	25	}
	26
	27	/**
	28	* Read a file containing banned IPs
	29	*/
	30	protected function readBanFile()
	31	{
	32	if (! file_exists($this->banFile)) {
	33	return;
	34	}
	35	include $this->banFile;
	36	}
	37
	38	/**
	39	* Write the banned IPs to a file
	40	*/
	41	protected function writeBanFile()
	42	{
	43	if (! array_key_exists('IPBANS', $this->globals)) {
	44	return;
	45	}
	46	file_put_contents(
	47	$this->banFile,
	48	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
	49	);
	50	}
	51
	52	/**
	53	* Handle a failed login and ban the IP after too many failed attempts
	54	*
	55	* @param array $server The $_SERVER array
	56	*/
	57	public function handleFailedLogin($server)
	58	{
	59	$ip = $server['REMOTE_ADDR'];
	60	$trusted = $this->configManager->get('security.trusted_proxies', []);
	61
	62	if (in_array($ip, $trusted)) {
	63	$ip = getIpAddressFromProxy($server, $trusted);
	64	if (! $ip) {
	65	// the IP is behind a trusted forward proxy, but is not forwarded
	66	// in the HTTP headers, so we do nothing
	67	return;
	68	}
	69	}
	70
	71	// increment the fail count for this IP
	72	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
	73	$this->globals['IPBANS']['FAILURES'][$ip]++;
	74	} else {
	75	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
	76	}
	77
	78	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
	79	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
	80	logm(
	81	$this->configManager->get('resource.log'),
	82	$server['REMOTE_ADDR'],
	83	'IP address banned from login'
	84	);
	85	}
	86	$this->writeBanFile();
	87	}
	88
	89	/**
	90	* Handle a successful login
	91	*
	92	* @param array $server The $_SERVER array
	93	*/
	94	public function handleSuccessfulLogin($server)
	95	{
	96	$ip = $server['REMOTE_ADDR'];
	97	// FIXME unban when behind a trusted proxy?
	98
	99	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	100	unset($this->globals['IPBANS']['BANS'][$ip]);
	101
	102	$this->writeBanFile();
	103	}
	104
	105	/**
	106	* Check if the user can login from this IP
	107	*
	108	* @param array $server The $_SERVER array
	109	*
	110	* @return bool true if the user is allowed to login
	111	*/
	112	public function canLogin($server)
	113	{
	114	$ip = $server['REMOTE_ADDR'];
	115
	116	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
	117	// the user is not banned
	118	return true;
	119	}
	120
	121	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
	122	// the user is still banned
	123	return false;
	124	}
	125
	126	// the ban has expired, the user can attempt to log in again
	127	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
	128	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	129	unset($this->globals['IPBANS']['BANS'][$ip]);
	130
	131	$this->writeBanFile();
	132	return true;
	133	}
	134	}