1 files changed, 14 insertions, 86 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 1ff3d0be..0b0ce0b1 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -20,8 +20,8 @@ class LoginManager
    /** @var SessionManager Session Manager instance **/
    protected $sessionManager = null;
-    /** @var string Path to the file containing IP bans */
+    /** @var BanManager Ban Manager instance **/
-    protected $banFile = '';
+    protected $banManager;
    /** @var bool Whether the user is logged in **/
    protected $isLoggedIn = false;
@@ -35,17 +35,21 @@ class LoginManager
    /**
     * Constructor
     *
-     * @param array          $globals        The $GLOBALS array (reference)
     * @param ConfigManager  $configManager  Configuration Manager instance
     * @param SessionManager $sessionManager SessionManager instance
     */
-    public function __construct(& $globals, $configManager, $sessionManager)
+    public function __construct($configManager, $sessionManager)
    {
-        $this->globals = &$globals;
        $this->configManager = $configManager;
        $this->sessionManager = $sessionManager;
-        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->banManager = new BanManager(
-        $this->readBanFile();
+            $this->configManager->get('security.trusted_proxies', []),
+            $this->configManager->get('security.ban_after'),
+            $this->configManager->get('security.ban_duration'),
+            $this->configManager->get('resource.ban_file', 'data/ipbans.php'),
+            $this->configManager->get('resource.log')
+        );
        if ($this->configManager->get('security.open_shaarli') === true) {
            $this->openShaarli = true;
        }
@@ -158,65 +162,13 @@ class LoginManager
    }
    /**
-     * Read a file containing banned IPs
-     */
-    protected function readBanFile()
-    {
-        if (! file_exists($this->banFile)) {
-            return;
-        }
-        include $this->banFile;
-    }
-    /**
-     * Write the banned IPs to a file
-     */
-    protected function writeBanFile()
-    {
-        if (! array_key_exists('IPBANS', $this->globals)) {
-            return;
-        }
-        file_put_contents(
-            $this->banFile,
-            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
-        );
-    }
-    /**
     * Handle a failed login and ban the IP after too many failed attempts
     *
     * @param array $server The $_SERVER array
     */
    public function handleFailedLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        $this->banManager->handleFailedAttempt($server);
-        $trusted = $this->configManager->get('security.trusted_proxies', []);
-        if (in_array($ip, $trusted)) {
-            $ip = getIpAddressFromProxy($server, $trusted);
-            if (! $ip) {
-                // the IP is behind a trusted forward proxy, but is not forwarded
-                // in the HTTP headers, so we do nothing
-                return;
-            }
-        }
-        // increment the fail count for this IP
-        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
-            $this->globals['IPBANS']['FAILURES'][$ip]++;
-        } else {
-            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
-        }
-        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
-            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
-            logm(
-                $this->configManager->get('resource.log'),
-                $server['REMOTE_ADDR'],
-                'IP address banned from login'
-            );
-        }
-        $this->writeBanFile();
    }
    /**
@@ -226,13 +178,7 @@ class LoginManager
     */
    public function handleSuccessfulLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        $this->banManager->clearFailures($server);
-        // FIXME unban when behind a trusted proxy?
-        unset($this->globals['IPBANS']['FAILURES'][$ip]);
-        unset($this->globals['IPBANS']['BANS'][$ip]);
-        $this->writeBanFile();
    }
    /**
@@ -244,24 +190,6 @@ class LoginManager
     */
    public function canLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        return ! $this->banManager->isBanned($server);
-        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
-            // the user is not banned
-            return true;
-        }
-        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
-            // the user is still banned
-            return false;
-        }
-        // the ban has expired, the user can attempt to log in again
-        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
-        unset($this->globals['IPBANS']['FAILURES'][$ip]);
-        unset($this->globals['IPBANS']['BANS'][$ip]);
-        $this->writeBanFile();
-        return true;
    }
 }

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 1ff3d0be..0b0ce0b1 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php
@@ -20,8 +20,8 @@ class LoginManager
20	/ @var SessionManager Session Manager instance /	20	/ @var SessionManager Session Manager instance /
21	protected $sessionManager = null;	21	protected $sessionManager = null;
22		22
23	/** @var string Path to the file containing IP bans */	23	/ @var BanManager Ban Manager instance /
24	protected $banFile = '';	24	protected $banManager;
25		25
26	/ @var bool Whether the user is logged in /	26	/ @var bool Whether the user is logged in /
27	protected $isLoggedIn = false;	27	protected $isLoggedIn = false;
@@ -35,17 +35,21 @@ class LoginManager
35	/**	35	/**
36	* Constructor	36	* Constructor
37	*	37	*
38	* @param array $globals The $GLOBALS array (reference)
39	* @param ConfigManager $configManager Configuration Manager instance	38	* @param ConfigManager $configManager Configuration Manager instance
40	* @param SessionManager $sessionManager SessionManager instance	39	* @param SessionManager $sessionManager SessionManager instance
41	*/	40	*/
42	public function __construct(& $globals, $configManager, $sessionManager)	41	public function __construct($configManager, $sessionManager)
43	{	42	{
44	$this->globals = &$globals;
45	$this->configManager = $configManager;	43	$this->configManager = $configManager;
46	$this->sessionManager = $sessionManager;	44	$this->sessionManager = $sessionManager;
47	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');	45	$this->banManager = new BanManager(
48	$this->readBanFile();	46	$this->configManager->get('security.trusted_proxies', []),
		47	$this->configManager->get('security.ban_after'),
		48	$this->configManager->get('security.ban_duration'),
		49	$this->configManager->get('resource.ban_file', 'data/ipbans.php'),
		50	$this->configManager->get('resource.log')
		51	);
		52
49	if ($this->configManager->get('security.open_shaarli') === true) {	53	if ($this->configManager->get('security.open_shaarli') === true) {
50	$this->openShaarli = true;	54	$this->openShaarli = true;
51	}	55	}
@@ -158,65 +162,13 @@ class LoginManager
158	}	162	}
159		163
160	/**	164	/**
161	* Read a file containing banned IPs
162	*/
163	protected function readBanFile()
164	{
165	if (! file_exists($this->banFile)) {
166	return;
167	}
168	include $this->banFile;
169	}
170
171	/**
172	* Write the banned IPs to a file
173	*/
174	protected function writeBanFile()
175	{
176	if (! array_key_exists('IPBANS', $this->globals)) {
177	return;
178	}
179	file_put_contents(
180	$this->banFile,
181	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
182	);
183	}
184
185	/**
186	* Handle a failed login and ban the IP after too many failed attempts	165	* Handle a failed login and ban the IP after too many failed attempts
187	*	166	*
188	* @param array $server The $_SERVER array	167	* @param array $server The $_SERVER array
189	*/	168	*/
190	public function handleFailedLogin($server)	169	public function handleFailedLogin($server)
191	{	170	{
192	$ip = $server['REMOTE_ADDR'];	171	$this->banManager->handleFailedAttempt($server);
193	$trusted = $this->configManager->get('security.trusted_proxies', []);
194
195	if (in_array($ip, $trusted)) {
196	$ip = getIpAddressFromProxy($server, $trusted);
197	if (! $ip) {
198	// the IP is behind a trusted forward proxy, but is not forwarded
199	// in the HTTP headers, so we do nothing
200	return;
201	}
202	}
203
204	// increment the fail count for this IP
205	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
206	$this->globals['IPBANS']['FAILURES'][$ip]++;
207	} else {
208	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
209	}
210
211	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
212	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
213	logm(
214	$this->configManager->get('resource.log'),
215	$server['REMOTE_ADDR'],
216	'IP address banned from login'
217	);
218	}
219	$this->writeBanFile();
220	}	172	}
221		173
222	/**	174	/**
@@ -226,13 +178,7 @@ class LoginManager
226	*/	178	*/
227	public function handleSuccessfulLogin($server)	179	public function handleSuccessfulLogin($server)
228	{	180	{
229	$ip = $server['REMOTE_ADDR'];	181	$this->banManager->clearFailures($server);
230	// FIXME unban when behind a trusted proxy?
231
232	unset($this->globals['IPBANS']['FAILURES'][$ip]);
233	unset($this->globals['IPBANS']['BANS'][$ip]);
234
235	$this->writeBanFile();
236	}	182	}
237		183
238	/**	184	/**
@@ -244,24 +190,6 @@ class LoginManager
244	*/	190	*/
245	public function canLogin($server)	191	public function canLogin($server)
246	{	192	{
247	$ip = $server['REMOTE_ADDR'];	193	return ! $this->banManager->isBanned($server);
248
249	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
250	// the user is not banned
251	return true;
252	}
253
254	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
255	// the user is still banned
256	return false;
257	}
258
259	// the ban has expired, the user can attempt to log in again
260	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
261	unset($this->globals['IPBANS']['FAILURES'][$ip]);
262	unset($this->globals['IPBANS']['BANS'][$ip]);
263
264	$this->writeBanFile();
265	return true;
266	}	194	}
267	}	195	}