diff options
Diffstat (limited to 'application/security')
| -rw-r--r-- | application/security/BanManager.php | 8 | ||||
| -rw-r--r-- | application/security/LoginManager.php | 16 | ||||
| -rw-r--r-- | application/security/SessionManager.php | 3 |
3 files changed, 16 insertions, 11 deletions
diff --git a/application/security/BanManager.php b/application/security/BanManager.php index 288cbde0..7077af5b 100644 --- a/application/security/BanManager.php +++ b/application/security/BanManager.php | |||
| @@ -1,6 +1,5 @@ | |||
| 1 | <?php | 1 | <?php |
| 2 | 2 | ||
| 3 | |||
| 4 | namespace Shaarli\Security; | 3 | namespace Shaarli\Security; |
| 5 | 4 | ||
| 6 | use Psr\Log\LoggerInterface; | 5 | use Psr\Log\LoggerInterface; |
| @@ -47,7 +46,8 @@ class BanManager | |||
| 47 | * @param string $banFile Path to the file containing IP bans and failures | 46 | * @param string $banFile Path to the file containing IP bans and failures |
| 48 | * @param LoggerInterface $logger PSR-3 logger to save login attempts in log directory | 47 | * @param LoggerInterface $logger PSR-3 logger to save login attempts in log directory |
| 49 | */ | 48 | */ |
| 50 | public function __construct($trustedProxies, $nbAttempts, $banDuration, $banFile, LoggerInterface $logger) { | 49 | public function __construct($trustedProxies, $nbAttempts, $banDuration, $banFile, LoggerInterface $logger) |
| 50 | { | ||
| 51 | $this->trustedProxies = $trustedProxies; | 51 | $this->trustedProxies = $trustedProxies; |
| 52 | $this->nbAttempts = $nbAttempts; | 52 | $this->nbAttempts = $nbAttempts; |
| 53 | $this->banDuration = $banDuration; | 53 | $this->banDuration = $banDuration; |
| @@ -80,7 +80,7 @@ class BanManager | |||
| 80 | 80 | ||
| 81 | if ($this->failures[$ip] >= $this->nbAttempts) { | 81 | if ($this->failures[$ip] >= $this->nbAttempts) { |
| 82 | $this->bans[$ip] = time() + $this->banDuration; | 82 | $this->bans[$ip] = time() + $this->banDuration; |
| 83 | $this->logger->info(format_log('IP address banned from login: '. $ip, $ip)); | 83 | $this->logger->info(format_log('IP address banned from login: ' . $ip, $ip)); |
| 84 | } | 84 | } |
| 85 | $this->writeBanFile(); | 85 | $this->writeBanFile(); |
| 86 | } | 86 | } |
| @@ -136,7 +136,7 @@ class BanManager | |||
| 136 | unset($this->failures[$ip]); | 136 | unset($this->failures[$ip]); |
| 137 | } | 137 | } |
| 138 | unset($this->bans[$ip]); | 138 | unset($this->bans[$ip]); |
| 139 | $this->logger->info(format_log('Ban lifted for: '. $ip, $ip)); | 139 | $this->logger->info(format_log('Ban lifted for: ' . $ip, $ip)); |
| 140 | 140 | ||
| 141 | $this->writeBanFile(); | 141 | $this->writeBanFile(); |
| 142 | return false; | 142 | return false; |
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 426e785e..b795b80e 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php | |||
| @@ -1,4 +1,5 @@ | |||
| 1 | <?php | 1 | <?php |
| 2 | |||
| 2 | namespace Shaarli\Security; | 3 | namespace Shaarli\Security; |
| 3 | 4 | ||
| 4 | use Exception; | 5 | use Exception; |
| @@ -106,7 +107,8 @@ class LoginManager | |||
| 106 | // The user client has a valid stay-signed-in cookie | 107 | // The user client has a valid stay-signed-in cookie |
| 107 | // Session information is updated with the current client information | 108 | // Session information is updated with the current client information |
| 108 | $this->sessionManager->storeLoginInfo($clientIpId); | 109 | $this->sessionManager->storeLoginInfo($clientIpId); |
| 109 | } elseif ($this->sessionManager->hasSessionExpired() | 110 | } elseif ( |
| 111 | $this->sessionManager->hasSessionExpired() | ||
| 110 | || $this->sessionManager->hasClientIpChanged($clientIpId) | 112 | || $this->sessionManager->hasClientIpChanged($clientIpId) |
| 111 | ) { | 113 | ) { |
| 112 | $this->sessionManager->logout(); | 114 | $this->sessionManager->logout(); |
| @@ -145,7 +147,8 @@ class LoginManager | |||
| 145 | // Check credentials | 147 | // Check credentials |
| 146 | try { | 148 | try { |
| 147 | $useLdapLogin = !empty($this->configManager->get('ldap.host')); | 149 | $useLdapLogin = !empty($this->configManager->get('ldap.host')); |
| 148 | if ($login === $this->configManager->get('credentials.login') | 150 | if ( |
| 151 | $login === $this->configManager->get('credentials.login') | ||
| 149 | && ( | 152 | && ( |
| 150 | (false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password)) | 153 | (false === $useLdapLogin && $this->checkCredentialsFromLocalConfig($login, $password)) |
| 151 | || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password)) | 154 | || (true === $useLdapLogin && $this->checkCredentialsFromLdap($login, $password)) |
| @@ -156,7 +159,7 @@ class LoginManager | |||
| 156 | 159 | ||
| 157 | return true; | 160 | return true; |
| 158 | } | 161 | } |
| 159 | } catch(Exception $exception) { | 162 | } catch (Exception $exception) { |
| 160 | $this->logger->info(format_log('Exception while checking credentials: ' . $exception, $clientIpId)); | 163 | $this->logger->info(format_log('Exception while checking credentials: ' . $exception, $clientIpId)); |
| 161 | } | 164 | } |
| 162 | 165 | ||
| @@ -174,7 +177,8 @@ class LoginManager | |||
| 174 | * | 177 | * |
| 175 | * @return bool true if the provided credentials are valid, false otherwise | 178 | * @return bool true if the provided credentials are valid, false otherwise |
| 176 | */ | 179 | */ |
| 177 | public function checkCredentialsFromLocalConfig($login, $password) { | 180 | public function checkCredentialsFromLocalConfig($login, $password) |
| 181 | { | ||
| 178 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); | 182 | $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); |
| 179 | 183 | ||
| 180 | return $login == $this->configManager->get('credentials.login') | 184 | return $login == $this->configManager->get('credentials.login') |
| @@ -193,14 +197,14 @@ class LoginManager | |||
| 193 | */ | 197 | */ |
| 194 | public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null) | 198 | public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null) |
| 195 | { | 199 | { |
| 196 | $connect = $connect ?? function($host) { | 200 | $connect = $connect ?? function ($host) { |
| 197 | $resource = ldap_connect($host); | 201 | $resource = ldap_connect($host); |
| 198 | 202 | ||
| 199 | ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); | 203 | ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); |
| 200 | 204 | ||
| 201 | return $resource; | 205 | return $resource; |
| 202 | }; | 206 | }; |
| 203 | $bind = $bind ?? function($handle, $dn, $password) { | 207 | $bind = $bind ?? function ($handle, $dn, $password) { |
| 204 | return ldap_bind($handle, $dn, $password); | 208 | return ldap_bind($handle, $dn, $password); |
| 205 | }; | 209 | }; |
| 206 | 210 | ||
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 96bf193c..f957b91a 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php | |||
| @@ -1,4 +1,5 @@ | |||
| 1 | <?php | 1 | <?php |
| 2 | |||
| 2 | namespace Shaarli\Security; | 3 | namespace Shaarli\Security; |
| 3 | 4 | ||
| 4 | use Shaarli\Config\ConfigManager; | 5 | use Shaarli\Config\ConfigManager; |
| @@ -79,7 +80,7 @@ class SessionManager | |||
| 79 | */ | 80 | */ |
| 80 | public function generateToken() | 81 | public function generateToken() |
| 81 | { | 82 | { |
| 82 | $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt')); | 83 | $token = sha1(uniqid('', true) . '_' . mt_rand() . $this->conf->get('credentials.salt')); |
| 83 | $this->session['tokens'][$token] = 1; | 84 | $this->session['tokens'][$token] = 1; |
| 84 | return $token; | 85 | return $token; |
| 85 | } | 86 | } |