1 files changed, 17 insertions, 86 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 0f315483..0b0ce0b1 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -20,8 +20,8 @@ class LoginManager
    /** @var SessionManager Session Manager instance **/
    protected $sessionManager = null;
-    /** @var string Path to the file containing IP bans */
+    /** @var BanManager Ban Manager instance **/
-    protected $banFile = '';
+    protected $banManager;
    /** @var bool Whether the user is logged in **/
    protected $isLoggedIn = false;
@@ -35,17 +35,21 @@ class LoginManager
    /**
     * Constructor
     *
-     * @param array          $globals        The $GLOBALS array (reference)
     * @param ConfigManager  $configManager  Configuration Manager instance
     * @param SessionManager $sessionManager SessionManager instance
     */
-    public function __construct(& $globals, $configManager, $sessionManager)
+    public function __construct($configManager, $sessionManager)
    {
-        $this->globals = &$globals;
        $this->configManager = $configManager;
        $this->sessionManager = $sessionManager;
-        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->banManager = new BanManager(
-        $this->readBanFile();
+            $this->configManager->get('security.trusted_proxies', []),
+            $this->configManager->get('security.ban_after'),
+            $this->configManager->get('security.ban_duration'),
+            $this->configManager->get('resource.ban_file', 'data/ipbans.php'),
+            $this->configManager->get('resource.log')
+        );
        if ($this->configManager->get('security.open_shaarli') === true) {
            $this->openShaarli = true;
        }
@@ -58,6 +62,9 @@ class LoginManager
     */
    public function generateStaySignedInToken($clientIpAddress)
    {
+        if ($this->configManager->get('security.session_protection_disabled') === true) {
+            $clientIpAddress = '';
+        }
        $this->staySignedInToken = sha1(
            $this->configManager->get('credentials.hash')
            . $clientIpAddress
@@ -155,65 +162,13 @@ class LoginManager
    }
    /**
-     * Read a file containing banned IPs
-     */
-    protected function readBanFile()
-    {
-        if (! file_exists($this->banFile)) {
-            return;
-        }
-        include $this->banFile;
-    }
-    /**
-     * Write the banned IPs to a file
-     */
-    protected function writeBanFile()
-    {
-        if (! array_key_exists('IPBANS', $this->globals)) {
-            return;
-        }
-        file_put_contents(
-            $this->banFile,
-            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
-        );
-    }
-    /**
     * Handle a failed login and ban the IP after too many failed attempts
     *
     * @param array $server The $_SERVER array
     */
    public function handleFailedLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        $this->banManager->handleFailedAttempt($server);
-        $trusted = $this->configManager->get('security.trusted_proxies', []);
-        if (in_array($ip, $trusted)) {
-            $ip = getIpAddressFromProxy($server, $trusted);
-            if (! $ip) {
-                // the IP is behind a trusted forward proxy, but is not forwarded
-                // in the HTTP headers, so we do nothing
-                return;
-            }
-        }
-        // increment the fail count for this IP
-        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
-            $this->globals['IPBANS']['FAILURES'][$ip]++;
-        } else {
-            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
-        }
-        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
-            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
-            logm(
-                $this->configManager->get('resource.log'),
-                $server['REMOTE_ADDR'],
-                'IP address banned from login'
-            );
-        }
-        $this->writeBanFile();
    }
    /**
@@ -223,13 +178,7 @@ class LoginManager
     */
    public function handleSuccessfulLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        $this->banManager->clearFailures($server);
-        // FIXME unban when behind a trusted proxy?
-        unset($this->globals['IPBANS']['FAILURES'][$ip]);
-        unset($this->globals['IPBANS']['BANS'][$ip]);
-        $this->writeBanFile();
    }
    /**
@@ -241,24 +190,6 @@ class LoginManager
     */
    public function canLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        return ! $this->banManager->isBanned($server);
-        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
-            // the user is not banned
-            return true;
-        }
-        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
-            // the user is still banned
-            return false;
-        }
-        // the ban has expired, the user can attempt to log in again
-        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
-        unset($this->globals['IPBANS']['FAILURES'][$ip]);
-        unset($this->globals['IPBANS']['BANS'][$ip]);
-        $this->writeBanFile();
-        return true;
    }
 }

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 0f315483..0b0ce0b1 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php
@@ -20,8 +20,8 @@ class LoginManager
20	/ @var SessionManager Session Manager instance /	20	/ @var SessionManager Session Manager instance /
21	protected $sessionManager = null;	21	protected $sessionManager = null;
22		22
23	/** @var string Path to the file containing IP bans */	23	/ @var BanManager Ban Manager instance /
24	protected $banFile = '';	24	protected $banManager;
25		25
26	/ @var bool Whether the user is logged in /	26	/ @var bool Whether the user is logged in /
27	protected $isLoggedIn = false;	27	protected $isLoggedIn = false;
@@ -35,17 +35,21 @@ class LoginManager
35	/**	35	/**
36	* Constructor	36	* Constructor
37	*	37	*
38	* @param array $globals The $GLOBALS array (reference)
39	* @param ConfigManager $configManager Configuration Manager instance	38	* @param ConfigManager $configManager Configuration Manager instance
40	* @param SessionManager $sessionManager SessionManager instance	39	* @param SessionManager $sessionManager SessionManager instance
41	*/	40	*/
42	public function __construct(& $globals, $configManager, $sessionManager)	41	public function __construct($configManager, $sessionManager)
43	{	42	{
44	$this->globals = &$globals;
45	$this->configManager = $configManager;	43	$this->configManager = $configManager;
46	$this->sessionManager = $sessionManager;	44	$this->sessionManager = $sessionManager;
47	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');	45	$this->banManager = new BanManager(
48	$this->readBanFile();	46	$this->configManager->get('security.trusted_proxies', []),
		47	$this->configManager->get('security.ban_after'),
		48	$this->configManager->get('security.ban_duration'),
		49	$this->configManager->get('resource.ban_file', 'data/ipbans.php'),
		50	$this->configManager->get('resource.log')
		51	);
		52
49	if ($this->configManager->get('security.open_shaarli') === true) {	53	if ($this->configManager->get('security.open_shaarli') === true) {
50	$this->openShaarli = true;	54	$this->openShaarli = true;
51	}	55	}
@@ -58,6 +62,9 @@ class LoginManager
58	*/	62	*/
59	public function generateStaySignedInToken($clientIpAddress)	63	public function generateStaySignedInToken($clientIpAddress)
60	{	64	{
		65	if ($this->configManager->get('security.session_protection_disabled') === true) {
		66	$clientIpAddress = '';
		67	}
61	$this->staySignedInToken = sha1(	68	$this->staySignedInToken = sha1(
62	$this->configManager->get('credentials.hash')	69	$this->configManager->get('credentials.hash')
63	. $clientIpAddress	70	. $clientIpAddress
@@ -155,65 +162,13 @@ class LoginManager
155	}	162	}
156		163
157	/**	164	/**
158	* Read a file containing banned IPs
159	*/
160	protected function readBanFile()
161	{
162	if (! file_exists($this->banFile)) {
163	return;
164	}
165	include $this->banFile;
166	}
167
168	/**
169	* Write the banned IPs to a file
170	*/
171	protected function writeBanFile()
172	{
173	if (! array_key_exists('IPBANS', $this->globals)) {
174	return;
175	}
176	file_put_contents(
177	$this->banFile,
178	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
179	);
180	}
181
182	/**
183	* Handle a failed login and ban the IP after too many failed attempts	165	* Handle a failed login and ban the IP after too many failed attempts
184	*	166	*
185	* @param array $server The $_SERVER array	167	* @param array $server The $_SERVER array
186	*/	168	*/
187	public function handleFailedLogin($server)	169	public function handleFailedLogin($server)
188	{	170	{
189	$ip = $server['REMOTE_ADDR'];	171	$this->banManager->handleFailedAttempt($server);
190	$trusted = $this->configManager->get('security.trusted_proxies', []);
191
192	if (in_array($ip, $trusted)) {
193	$ip = getIpAddressFromProxy($server, $trusted);
194	if (! $ip) {
195	// the IP is behind a trusted forward proxy, but is not forwarded
196	// in the HTTP headers, so we do nothing
197	return;
198	}
199	}
200
201	// increment the fail count for this IP
202	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
203	$this->globals['IPBANS']['FAILURES'][$ip]++;
204	} else {
205	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
206	}
207
208	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
209	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
210	logm(
211	$this->configManager->get('resource.log'),
212	$server['REMOTE_ADDR'],
213	'IP address banned from login'
214	);
215	}
216	$this->writeBanFile();
217	}	172	}
218		173
219	/**	174	/**
@@ -223,13 +178,7 @@ class LoginManager
223	*/	178	*/
224	public function handleSuccessfulLogin($server)	179	public function handleSuccessfulLogin($server)
225	{	180	{
226	$ip = $server['REMOTE_ADDR'];	181	$this->banManager->clearFailures($server);
227	// FIXME unban when behind a trusted proxy?
228
229	unset($this->globals['IPBANS']['FAILURES'][$ip]);
230	unset($this->globals['IPBANS']['BANS'][$ip]);
231
232	$this->writeBanFile();
233	}	182	}
234		183
235	/**	184	/**
@@ -241,24 +190,6 @@ class LoginManager
241	*/	190	*/
242	public function canLogin($server)	191	public function canLogin($server)
243	{	192	{
244	$ip = $server['REMOTE_ADDR'];	193	return ! $this->banManager->isBanned($server);
245
246	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
247	// the user is not banned
248	return true;
249	}
250
251	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
252	// the user is still banned
253	return false;
254	}
255
256	// the ban has expired, the user can attempt to log in again
257	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
258	unset($this->globals['IPBANS']['FAILURES'][$ip]);
259	unset($this->globals['IPBANS']['BANS'][$ip]);
260
261	$this->writeBanFile();
262	return true;
263	}	194	}
264	}	195	}