1 files changed, 265 insertions, 0 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
new file mode 100644
index 00000000..d6784d6d
--- /dev/null
+++ b/application/security/LoginManager.php
@@ -0,0 +1,265 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\Config\ConfigManager;
+/**
+ * User login management
+ */
+class LoginManager
+{
+    /** @var string Name of the cookie set after logging in **/
+    public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
+    /** @var array A reference to the $_GLOBALS array */
+    protected $globals = [];
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $configManager = null;
+    /** @var SessionManager Session Manager instance **/
+    protected $sessionManager = null;
+    /** @var string Path to the file containing IP bans */
+    protected $banFile = '';
+    /** @var bool Whether the user is logged in **/
+    protected $isLoggedIn = false;
+    /** @var bool Whether the Shaarli instance is open to public edition **/
+    protected $openShaarli = false;
+    /** @var string User sign-in token depending on remote IP and credentials */
+    protected $staySignedInToken = '';
+    /**
+     * Constructor
+     *
+     * @param array          $globals        The $GLOBALS array (reference)
+     * @param ConfigManager  $configManager  Configuration Manager instance
+     * @param SessionManager $sessionManager SessionManager instance
+     */
+    public function __construct(& $globals, $configManager, $sessionManager)
+    {
+        $this->globals = &$globals;
+        $this->configManager = $configManager;
+        $this->sessionManager = $sessionManager;
+        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->readBanFile();
+        if ($this->configManager->get('security.open_shaarli') === true) {
+            $this->openShaarli = true;
+        }
+    }
+    /**
+     * Generate a token depending on deployment salt, user password and client IP
+     *
+     * @param string $clientIpAddress The remote client IP address
+     */
+    public function generateStaySignedInToken($clientIpAddress)
+    {
+        $this->staySignedInToken = sha1(
+            $this->configManager->get('credentials.hash')
+            . $clientIpAddress
+            . $this->configManager->get('credentials.salt')
+        );
+    }
+    /**
+     * Return the user's client stay-signed-in token
+     *
+     * @return string User's client stay-signed-in token
+     */
+    public function getStaySignedInToken()
+    {
+        return $this->staySignedInToken;
+    }
+    /**
+     * Check user session state and validity (expiration)
+     *
+     * @param array  $cookie     The $_COOKIE array
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function checkLoginState($cookie, $clientIpId)
+    {
+        if (! $this->configManager->exists('credentials.login')) {
+            // Shaarli is not configured yet
+            $this->isLoggedIn = false;
+            return;
+        }
+        if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
+            && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
+        ) {
+            // The user client has a valid stay-signed-in cookie
+            // Session information is updated with the current client information
+            $this->sessionManager->storeLoginInfo($clientIpId);
+        } elseif ($this->sessionManager->hasSessionExpired()
+            || $this->sessionManager->hasClientIpChanged($clientIpId)
+        ) {
+            $this->sessionManager->logout();
+            $this->isLoggedIn = false;
+            return;
+        }
+        $this->isLoggedIn = true;
+        $this->sessionManager->extendSession();
+    }
+    /**
+     * Return whether the user is currently logged in
+     *
+     * @return true when the user is logged in, false otherwise
+     */
+    public function isLoggedIn()
+    {
+        if ($this->openShaarli) {
+            return true;
+        }
+        return $this->isLoggedIn;
+    }
+    /**
+     * Check user credentials are valid
+     *
+     * @param string $remoteIp   Remote client IP address
+     * @param string $clientIpId Client IP address identifier
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
+    {
+        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        if ($login != $this->configManager->get('credentials.login')
+            || $hash != $this->configManager->get('credentials.hash')
+        ) {
+            logm(
+                $this->configManager->get('resource.log'),
+                $remoteIp,
+                'Login failed for user ' . $login
+            );
+            return false;
+        }
+        $this->sessionManager->storeLoginInfo($clientIpId);
+        logm(
+            $this->configManager->get('resource.log'),
+            $remoteIp,
+            'Login successful'
+        );
+        return true;
+    }
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        if (! file_exists($this->banFile)) {
+            return;
+        }
+        include $this->banFile;
+    }
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        if (! array_key_exists('IPBANS', $this->globals)) {
+            return;
+        }
+        file_put_contents(
+            $this->banFile,
+            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
+        );
+    }
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        $trusted = $this->configManager->get('security.trusted_proxies', []);
+        if (in_array($ip, $trusted)) {
+            $ip = getIpAddressFromProxy($server, $trusted);
+            if (! $ip) {
+                // the IP is behind a trusted forward proxy, but is not forwarded
+                // in the HTTP headers, so we do nothing
+                return;
+            }
+        }
+        // increment the fail count for this IP
+        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
+            $this->globals['IPBANS']['FAILURES'][$ip]++;
+        } else {
+            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
+        }
+        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
+            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
+            logm(
+                $this->configManager->get('resource.log'),
+                $server['REMOTE_ADDR'],
+                'IP address banned from login'
+            );
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Handle a successful login
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleSuccessfulLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        // FIXME unban when behind a trusted proxy?
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+    }
+    /**
+     * Check if the user can login from this IP
+     *
+     * @param array $server The $_SERVER array
+     *
+     * @return bool true if the user is allowed to login
+     */
+    public function canLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
+            // the user is not banned
+            return true;
+        }
+        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
+            // the user is still banned
+            return false;
+        }
+        // the ban has expired, the user can attempt to log in again
+        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+        return true;
+    }
+}

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..d6784d6d --- /dev/null +++ b/application/security/LoginManager.php
@@ -0,0 +1,265 @@
	1	<?php
	2	namespace Shaarli\Security;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	/**
	7	* User login management
	8	*/
	9	class LoginManager
	10	{
	11	/ @var string Name of the cookie set after logging in /
	12	public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
	13
	14	/** @var array A reference to the $_GLOBALS array */
	15	protected $globals = [];
	16
	17	/ @var ConfigManager Configuration Manager instance /
	18	protected $configManager = null;
	19
	20	/ @var SessionManager Session Manager instance /
	21	protected $sessionManager = null;
	22
	23	/** @var string Path to the file containing IP bans */
	24	protected $banFile = '';
	25
	26	/ @var bool Whether the user is logged in /
	27	protected $isLoggedIn = false;
	28
	29	/ @var bool Whether the Shaarli instance is open to public edition /
	30	protected $openShaarli = false;
	31
	32	/** @var string User sign-in token depending on remote IP and credentials */
	33	protected $staySignedInToken = '';
	34
	35	/**
	36	* Constructor
	37	*
	38	* @param array $globals The $GLOBALS array (reference)
	39	* @param ConfigManager $configManager Configuration Manager instance
	40	* @param SessionManager $sessionManager SessionManager instance
	41	*/
	42	public function __construct(& $globals, $configManager, $sessionManager)
	43	{
	44	$this->globals = &$globals;
	45	$this->configManager = $configManager;
	46	$this->sessionManager = $sessionManager;
	47	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
	48	$this->readBanFile();
	49	if ($this->configManager->get('security.open_shaarli') === true) {
	50	$this->openShaarli = true;
	51	}
	52	}
	53
	54	/**
	55	* Generate a token depending on deployment salt, user password and client IP
	56	*
	57	* @param string $clientIpAddress The remote client IP address
	58	*/
	59	public function generateStaySignedInToken($clientIpAddress)
	60	{
	61	$this->staySignedInToken = sha1(
	62	$this->configManager->get('credentials.hash')
	63	. $clientIpAddress
	64	. $this->configManager->get('credentials.salt')
	65	);
	66	}
	67
	68	/**
	69	* Return the user's client stay-signed-in token
	70	*
	71	* @return string User's client stay-signed-in token
	72	*/
	73	public function getStaySignedInToken()
	74	{
	75	return $this->staySignedInToken;
	76	}
	77
	78	/**
	79	* Check user session state and validity (expiration)
	80	*
	81	* @param array $cookie The $_COOKIE array
	82	* @param string $clientIpId Client IP address identifier
	83	*/
	84	public function checkLoginState($cookie, $clientIpId)
	85	{
	86	if (! $this->configManager->exists('credentials.login')) {
	87	// Shaarli is not configured yet
	88	$this->isLoggedIn = false;
	89	return;
	90	}
	91
	92	if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
	93	&& $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
	94	) {
	95	// The user client has a valid stay-signed-in cookie
	96	// Session information is updated with the current client information
	97	$this->sessionManager->storeLoginInfo($clientIpId);
	98
	99	} elseif ($this->sessionManager->hasSessionExpired()
	100	\|\| $this->sessionManager->hasClientIpChanged($clientIpId)
	101	) {
	102	$this->sessionManager->logout();
	103	$this->isLoggedIn = false;
	104	return;
	105	}
	106
	107	$this->isLoggedIn = true;
	108	$this->sessionManager->extendSession();
	109	}
	110
	111	/**
	112	* Return whether the user is currently logged in
	113	*
	114	* @return true when the user is logged in, false otherwise
	115	*/
	116	public function isLoggedIn()
	117	{
	118	if ($this->openShaarli) {
	119	return true;
	120	}
	121	return $this->isLoggedIn;
	122	}
	123
	124	/**
	125	* Check user credentials are valid
	126	*
	127	* @param string $remoteIp Remote client IP address
	128	* @param string $clientIpId Client IP address identifier
	129	* @param string $login Username
	130	* @param string $password Password
	131	*
	132	* @return bool true if the provided credentials are valid, false otherwise
	133	*/
	134	public function checkCredentials($remoteIp, $clientIpId, $login, $password)
	135	{
	136	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
	137
	138	if ($login != $this->configManager->get('credentials.login')
	139	\|\| $hash != $this->configManager->get('credentials.hash')
	140	) {
	141	logm(
	142	$this->configManager->get('resource.log'),
	143	$remoteIp,
	144	'Login failed for user ' . $login
	145	);
	146	return false;
	147	}
	148
	149	$this->sessionManager->storeLoginInfo($clientIpId);
	150	logm(
	151	$this->configManager->get('resource.log'),
	152	$remoteIp,
	153	'Login successful'
	154	);
	155	return true;
	156	}
	157
	158	/**
	159	* Read a file containing banned IPs
	160	*/
	161	protected function readBanFile()
	162	{
	163	if (! file_exists($this->banFile)) {
	164	return;
	165	}
	166	include $this->banFile;
	167	}
	168
	169	/**
	170	* Write the banned IPs to a file
	171	*/
	172	protected function writeBanFile()
	173	{
	174	if (! array_key_exists('IPBANS', $this->globals)) {
	175	return;
	176	}
	177	file_put_contents(
	178	$this->banFile,
	179	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
	180	);
	181	}
	182
	183	/**
	184	* Handle a failed login and ban the IP after too many failed attempts
	185	*
	186	* @param array $server The $_SERVER array
	187	*/
	188	public function handleFailedLogin($server)
	189	{
	190	$ip = $server['REMOTE_ADDR'];
	191	$trusted = $this->configManager->get('security.trusted_proxies', []);
	192
	193	if (in_array($ip, $trusted)) {
	194	$ip = getIpAddressFromProxy($server, $trusted);
	195	if (! $ip) {
	196	// the IP is behind a trusted forward proxy, but is not forwarded
	197	// in the HTTP headers, so we do nothing
	198	return;
	199	}
	200	}
	201
	202	// increment the fail count for this IP
	203	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
	204	$this->globals['IPBANS']['FAILURES'][$ip]++;
	205	} else {
	206	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
	207	}
	208
	209	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
	210	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
	211	logm(
	212	$this->configManager->get('resource.log'),
	213	$server['REMOTE_ADDR'],
	214	'IP address banned from login'
	215	);
	216	}
	217	$this->writeBanFile();
	218	}
	219
	220	/**
	221	* Handle a successful login
	222	*
	223	* @param array $server The $_SERVER array
	224	*/
	225	public function handleSuccessfulLogin($server)
	226	{
	227	$ip = $server['REMOTE_ADDR'];
	228	// FIXME unban when behind a trusted proxy?
	229
	230	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	231	unset($this->globals['IPBANS']['BANS'][$ip]);
	232
	233	$this->writeBanFile();
	234	}
	235
	236	/**
	237	* Check if the user can login from this IP
	238	*
	239	* @param array $server The $_SERVER array
	240	*
	241	* @return bool true if the user is allowed to login
	242	*/
	243	public function canLogin($server)
	244	{
	245	$ip = $server['REMOTE_ADDR'];
	246
	247	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
	248	// the user is not banned
	249	return true;
	250	}
	251
	252	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
	253	// the user is still banned
	254	return false;
	255	}
	256
	257	// the ban has expired, the user can attempt to log in again
	258	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
	259	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	260	unset($this->globals['IPBANS']['BANS'][$ip]);
	261
	262	$this->writeBanFile();
	263	return true;
	264	}
	265	}