aboutsummaryrefslogtreecommitdiffhomepage
path: root/application/security
diff options
context:
space:
mode:
Diffstat (limited to 'application/security')
-rw-r--r--application/security/BanManager.php8
-rw-r--r--application/security/LoginManager.php16
-rw-r--r--application/security/SessionManager.php3
3 files changed, 16 insertions, 11 deletions
diff --git a/application/security/BanManager.php b/application/security/BanManager.php
index 288cbde0..7077af5b 100644
--- a/application/security/BanManager.php
+++ b/application/security/BanManager.php
@@ -1,6 +1,5 @@
1<?php 1<?php
2 2
3
4namespace Shaarli\Security; 3namespace Shaarli\Security;
5 4
6use Psr\Log\LoggerInterface; 5use Psr\Log\LoggerInterface;
@@ -47,7 +46,8 @@ class BanManager
47 * @param string $banFile Path to the file containing IP bans and failures 46 * @param string $banFile Path to the file containing IP bans and failures
48 * @param LoggerInterface $logger PSR-3 logger to save login attempts in log directory 47 * @param LoggerInterface $logger PSR-3 logger to save login attempts in log directory
49 */ 48 */
50 public function __construct($trustedProxies, $nbAttempts, $banDuration, $banFile, LoggerInterface $logger) { 49 public function __construct($trustedProxies, $nbAttempts, $banDuration, $banFile, LoggerInterface $logger)
50 {
51 $this->trustedProxies = $trustedProxies; 51 $this->trustedProxies = $trustedProxies;
52 $this->nbAttempts = $nbAttempts; 52 $this->nbAttempts = $nbAttempts;
53 $this->banDuration = $banDuration; 53 $this->banDuration = $banDuration;
@@ -80,7 +80,7 @@ class BanManager
80 80
81 if ($this->failures[$ip] >= $this->nbAttempts) { 81 if ($this->failures[$ip] >= $this->nbAttempts) {
82 $this->bans[$ip] = time() + $this->banDuration; 82 $this->bans[$ip] = time() + $this->banDuration;
83 $this->logger->info(format_log('IP address banned from login: '. $ip, $ip)); 83 $this->logger->info(format_log('IP address banned from login: ' . $ip, $ip));
84 } 84 }
85 $this->writeBanFile(); 85 $this->writeBanFile();
86 } 86 }
@@ -136,7 +136,7 @@ class BanManager
136 unset($this->failures[$ip]); 136 unset($this->failures[$ip]);
137 } 137 }
138 unset($this->bans[$ip]); 138 unset($this->bans[$ip]);
139 $this->logger->info(format_log('Ban lifted for: '. $ip, $ip)); 139 $this->logger->info(format_log('Ban lifted for: ' . $ip, $ip));
140 140
141 $this->writeBanFile(); 141 $this->writeBanFile();
142 return false; 142 return false;
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 426e785e..b795b80e 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -1,4 +1,5 @@
1<?php 1<?php
2
2namespace Shaarli\Security; 3namespace Shaarli\Security;
3 4
4use Exception; 5use Exception;
@@ -106,7 +107,8 @@ class LoginManager
106 // The user client has a valid stay-signed-in cookie 107 // The user client has a valid stay-signed-in cookie
107 // Session information is updated with the current client information 108 // Session information is updated with the current client information
108 $this->sessionManager->storeLoginInfo($clientIpId); 109 $this->sessionManager->storeLoginInfo($clientIpId);
109 } elseif ($this->sessionManager->hasSessionExpired() 110 } elseif (
111 $this->sessionManager->hasSessionExpired()
110 || $this->sessionManager->hasClientIpChanged($clientIpId) 112 || $this->sessionManager->hasClientIpChanged($clientIpId)
111 ) { 113 ) {
112 $this->sessionManager->logout(); 114 $this->sessionManager->logout();
@@ -145,7 +147,8 @@ class LoginManager
145 // Check credentials 147 // Check credentials
146 try { 148 try {
147 $useLdapLogin = !empty($this->configManager->get('ldap.host')); 149 $useLdapLogin = !empty($this->configManager->get('ldap.host'));
148 if ($login === $this->configManager->get('credentials.login') 150 if (
151 $login === $this->configManager->get('credentials.login')
149 && ( 152 && (
150 (false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password)) 153 (false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password))
151 || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password)) 154 || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password))
@@ -156,7 +159,7 @@ class LoginManager
156 159
157 return true; 160 return true;
158 } 161 }
159 } catch(Exception $exception) { 162 } catch (Exception $exception) {
160 $this->logger->info(format_log('Exception while checking credentials: ' . $exception, $clientIpId)); 163 $this->logger->info(format_log('Exception while checking credentials: ' . $exception, $clientIpId));
161 } 164 }
162 165
@@ -174,7 +177,8 @@ class LoginManager
174 * 177 *
175 * @return bool true if the provided credentials are valid, false otherwise 178 * @return bool true if the provided credentials are valid, false otherwise
176 */ 179 */
177 public function checkCredentialsFromLocalConfig($login, $password) { 180 public function checkCredentialsFromLocalConfig($login, $password)
181 {
178 $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); 182 $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
179 183
180 return $login == $this->configManager->get('credentials.login') 184 return $login == $this->configManager->get('credentials.login')
@@ -193,14 +197,14 @@ class LoginManager
193 */ 197 */
194 public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null) 198 public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
195 { 199 {
196 $connect = $connect ?? function($host) { 200 $connect = $connect ?? function ($host) {
197 $resource = ldap_connect($host); 201 $resource = ldap_connect($host);
198 202
199 ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); 203 ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);
200 204
201 return $resource; 205 return $resource;
202 }; 206 };
203 $bind = $bind ?? function($handle, $dn, $password) { 207 $bind = $bind ?? function ($handle, $dn, $password) {
204 return ldap_bind($handle, $dn, $password); 208 return ldap_bind($handle, $dn, $password);
205 }; 209 };
206 210
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
index 96bf193c..f957b91a 100644
--- a/application/security/SessionManager.php
+++ b/application/security/SessionManager.php
@@ -1,4 +1,5 @@
1<?php 1<?php
2
2namespace Shaarli\Security; 3namespace Shaarli\Security;
3 4
4use Shaarli\Config\ConfigManager; 5use Shaarli\Config\ConfigManager;
@@ -79,7 +80,7 @@ class SessionManager
79 */ 80 */
80 public function generateToken() 81 public function generateToken()
81 { 82 {
82 $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt')); 83 $token = sha1(uniqid('', true) . '_' . mt_rand() . $this->conf->get('credentials.salt'));
83 $this->session['tokens'][$token] = 1; 84 $this->session['tokens'][$token] = 1;
84 return $token; 85 return $token;
85 } 86 }