1 files changed, 213 insertions, 0 deletions
diff --git a/application/security/BanManager.php b/application/security/BanManager.php
new file mode 100644
index 00000000..68190c54
--- /dev/null
+++ b/application/security/BanManager.php
@@ -0,0 +1,213 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\FileUtils;
+/**
+ * Class BanManager
+ *
+ * Failed login attempts will store the associated IP address.
+ * After N failed attempts, the IP will be prevented from log in for duration D.
+ * Both N and D can be set in the configuration file.
+ *
+ * @package Shaarli\Security
+ */
+class BanManager
+{
+    /** @var array List of allowed proxies IP */
+    protected $trustedProxies;
+    /** @var int Number of allowed failed attempt before the ban */
+    protected $nbAttempts;
+    /** @var  int Ban duration in seconds */
+    protected $banDuration;
+    /** @var string Path to the file containing IP bans and failures */
+    protected $banFile;
+    /** @var string Path to the log file, used to log bans */
+    protected $logFile;
+    /** @var array List of IP with their associated number of failed attempts */
+    protected $failures = [];
+    /** @var array List of banned IP with their associated unban timestamp */
+    protected $bans = [];
+    /**
+     * BanManager constructor.
+     *
+     * @param array  $trustedProxies List of allowed proxies IP
+     * @param int    $nbAttempts     Number of allowed failed attempt before the ban
+     * @param int    $banDuration    Ban duration in seconds
+     * @param string $banFile        Path to the file containing IP bans and failures
+     * @param string $logFile        Path to the log file, used to log bans
+     */
+    public function __construct($trustedProxies, $nbAttempts, $banDuration, $banFile, $logFile) {
+        $this->trustedProxies = $trustedProxies;
+        $this->nbAttempts = $nbAttempts;
+        $this->banDuration = $banDuration;
+        $this->banFile = $banFile;
+        $this->logFile = $logFile;
+        $this->readBanFile();
+    }
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedAttempt($server)
+    {
+        $ip = $this->getIp($server);
+        // the IP is behind a trusted forward proxy, but is not forwarded
+        // in the HTTP headers, so we do nothing
+        if (empty($ip)) {
+            return;
+        }
+        // increment the fail count for this IP
+        if (isset($this->failures[$ip])) {
+            $this->failures[$ip]++;
+        } else {
+            $this->failures[$ip] = 1;
+        }
+        if ($this->failures[$ip] >= $this->nbAttempts) {
+            $this->bans[$ip] = time() + $this->banDuration;
+            logm(
+                $this->logFile,
+                $server['REMOTE_ADDR'],
+                'IP address banned from login: '. $ip
+            );
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Remove failed attempts for the provided client.
+     *
+     * @param array $server $_SERVER
+     */
+    public function clearFailures($server)
+    {
+        $ip = $this->getIp($server);
+        // the IP is behind a trusted forward proxy, but is not forwarded
+        // in the HTTP headers, so we do nothing
+        if (empty($ip)) {
+            return;
+        }
+        if (isset($this->failures[$ip])) {
+            unset($this->failures[$ip]);
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Check whether the client IP is banned or not.
+     *
+     * @param array $server $_SERVER
+     *
+     * @return bool True if the IP is banned, false otherwise
+     */
+    public function isBanned($server)
+    {
+        $ip = $this->getIp($server);
+        // the IP is behind a trusted forward proxy, but is not forwarded
+        // in the HTTP headers, so we allow the authentication attempt.
+        if (empty($ip)) {
+            return false;
+        }
+        // the user is not banned
+        if (! isset($this->bans[$ip])) {
+            return false;
+        }
+        // the user is still banned
+        if ($this->bans[$ip] > time()) {
+            return true;
+        }
+        // the ban has expired, the user can attempt to log in again
+        if (isset($this->failures[$ip])) {
+            unset($this->failures[$ip]);
+        }
+        unset($this->bans[$ip]);
+        logm($this->logFile, $server['REMOTE_ADDR'], 'Ban lifted for: '. $ip);
+        $this->writeBanFile();
+        return false;
+    }
+    /**
+     * Retrieve the IP from $_SERVER.
+     * If the actual IP is behind an allowed reverse proxy,
+     * we try to extract the forwarded IP from HTTP headers.
+     *
+     * @param array $server $_SERVER
+     *
+     * @return string|bool The IP or false if none could be extracted
+     */
+    protected function getIp($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        if (! in_array($ip, $this->trustedProxies)) {
+            return $ip;
+        }
+        return getIpAddressFromProxy($server, $this->trustedProxies);
+    }
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        $data = FileUtils::readFlatDB($this->banFile);
+        if (isset($data['failures']) && is_array($data['failures'])) {
+            $this->failures = $data['failures'];
+        }
+        if (isset($data['bans']) && is_array($data['bans'])) {
+            $this->bans = $data['bans'];
+        }
+    }
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        return FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'failures' => $this->failures,
+                'bans' => $this->bans,
+            ]
+        );
+    }
+    /**
+     * Get the Failures (for UT purpose).
+     *
+     * @return array
+     */
+    public function getFailures()
+    {
+        return $this->failures;
+    }
+    /**
+     * Get the Bans (for UT purpose).
+     *
+     * @return array
+     */
+    public function getBans()
+    {
+        return $this->bans;
+    }
+}

diff --git a/application/security/BanManager.php b/application/security/BanManager.php new file mode 100644 index 00000000..68190c54 --- /dev/null +++ b/application/security/BanManager.php
@@ -0,0 +1,213 @@
	1	<?php
	2
	3
	4	namespace Shaarli\Security;
	5
	6	use Shaarli\FileUtils;
	7
	8	/**
	9	* Class BanManager
	10	*
	11	* Failed login attempts will store the associated IP address.
	12	* After N failed attempts, the IP will be prevented from log in for duration D.
	13	* Both N and D can be set in the configuration file.
	14	*
	15	* @package Shaarli\Security
	16	*/
	17	class BanManager
	18	{
	19	/** @var array List of allowed proxies IP */
	20	protected $trustedProxies;
	21
	22	/** @var int Number of allowed failed attempt before the ban */
	23	protected $nbAttempts;
	24
	25	/** @var int Ban duration in seconds */
	26	protected $banDuration;
	27
	28	/** @var string Path to the file containing IP bans and failures */
	29	protected $banFile;
	30
	31	/** @var string Path to the log file, used to log bans */
	32	protected $logFile;
	33
	34	/** @var array List of IP with their associated number of failed attempts */
	35	protected $failures = [];
	36
	37	/** @var array List of banned IP with their associated unban timestamp */
	38	protected $bans = [];
	39
	40	/**
	41	* BanManager constructor.
	42	*
	43	* @param array $trustedProxies List of allowed proxies IP
	44	* @param int $nbAttempts Number of allowed failed attempt before the ban
	45	* @param int $banDuration Ban duration in seconds
	46	* @param string $banFile Path to the file containing IP bans and failures
	47	* @param string $logFile Path to the log file, used to log bans
	48	*/
	49	public function __construct($trustedProxies, $nbAttempts, $banDuration, $banFile, $logFile) {
	50	$this->trustedProxies = $trustedProxies;
	51	$this->nbAttempts = $nbAttempts;
	52	$this->banDuration = $banDuration;
	53	$this->banFile = $banFile;
	54	$this->logFile = $logFile;
	55	$this->readBanFile();
	56	}
	57
	58	/**
	59	* Handle a failed login and ban the IP after too many failed attempts
	60	*
	61	* @param array $server The $_SERVER array
	62	*/
	63	public function handleFailedAttempt($server)
	64	{
	65	$ip = $this->getIp($server);
	66	// the IP is behind a trusted forward proxy, but is not forwarded
	67	// in the HTTP headers, so we do nothing
	68	if (empty($ip)) {
	69	return;
	70	}
	71
	72	// increment the fail count for this IP
	73	if (isset($this->failures[$ip])) {
	74	$this->failures[$ip]++;
	75	} else {
	76	$this->failures[$ip] = 1;
	77	}
	78
	79	if ($this->failures[$ip] >= $this->nbAttempts) {
	80	$this->bans[$ip] = time() + $this->banDuration;
	81	logm(
	82	$this->logFile,
	83	$server['REMOTE_ADDR'],
	84	'IP address banned from login: '. $ip
	85	);
	86	}
	87	$this->writeBanFile();
	88	}
	89
	90	/**
	91	* Remove failed attempts for the provided client.
	92	*
	93	* @param array $server $_SERVER
	94	*/
	95	public function clearFailures($server)
	96	{
	97	$ip = $this->getIp($server);
	98	// the IP is behind a trusted forward proxy, but is not forwarded
	99	// in the HTTP headers, so we do nothing
	100	if (empty($ip)) {
	101	return;
	102	}
	103
	104	if (isset($this->failures[$ip])) {
	105	unset($this->failures[$ip]);
	106	}
	107	$this->writeBanFile();
	108	}
	109
	110	/**
	111	* Check whether the client IP is banned or not.
	112	*
	113	* @param array $server $_SERVER
	114	*
	115	* @return bool True if the IP is banned, false otherwise
	116	*/
	117	public function isBanned($server)
	118	{
	119	$ip = $this->getIp($server);
	120	// the IP is behind a trusted forward proxy, but is not forwarded
	121	// in the HTTP headers, so we allow the authentication attempt.
	122	if (empty($ip)) {
	123	return false;
	124	}
	125
	126	// the user is not banned
	127	if (! isset($this->bans[$ip])) {
	128	return false;
	129	}
	130
	131	// the user is still banned
	132	if ($this->bans[$ip] > time()) {
	133	return true;
	134	}
	135
	136	// the ban has expired, the user can attempt to log in again
	137	if (isset($this->failures[$ip])) {
	138	unset($this->failures[$ip]);
	139	}
	140	unset($this->bans[$ip]);
	141	logm($this->logFile, $server['REMOTE_ADDR'], 'Ban lifted for: '. $ip);
	142
	143	$this->writeBanFile();
	144	return false;
	145	}
	146
	147	/**
	148	* Retrieve the IP from $_SERVER.
	149	* If the actual IP is behind an allowed reverse proxy,
	150	* we try to extract the forwarded IP from HTTP headers.
	151	*
	152	* @param array $server $_SERVER
	153	*
	154	* @return string\|bool The IP or false if none could be extracted
	155	*/
	156	protected function getIp($server)
	157	{
	158	$ip = $server['REMOTE_ADDR'];
	159	if (! in_array($ip, $this->trustedProxies)) {
	160	return $ip;
	161	}
	162	return getIpAddressFromProxy($server, $this->trustedProxies);
	163	}
	164
	165	/**
	166	* Read a file containing banned IPs
	167	*/
	168	protected function readBanFile()
	169	{
	170	$data = FileUtils::readFlatDB($this->banFile);
	171	if (isset($data['failures']) && is_array($data['failures'])) {
	172	$this->failures = $data['failures'];
	173	}
	174
	175	if (isset($data['bans']) && is_array($data['bans'])) {
	176	$this->bans = $data['bans'];
	177	}
	178	}
	179
	180	/**
	181	* Write the banned IPs to a file
	182	*/
	183	protected function writeBanFile()
	184	{
	185	return FileUtils::writeFlatDB(
	186	$this->banFile,
	187	[
	188	'failures' => $this->failures,
	189	'bans' => $this->bans,
	190	]
	191	);
	192	}
	193
	194	/**
	195	* Get the Failures (for UT purpose).
	196	*
	197	* @return array
	198	*/
	199	public function getFailures()
	200	{
	201	return $this->failures;
	202	}
	203
	204	/**
	205	* Get the Bans (for UT purpose).
	206	*
	207	* @return array
	208	*/
	209	public function getBans()
	210	{
	211	return $this->bans;
	212	}
	213	}