2 files changed, 227 insertions, 86 deletions
diff --git a/application/security/BanManager.php b/application/security/BanManager.php
new file mode 100644
index 00000000..68190c54
--- /dev/null
+++ b/application/security/BanManager.php
@@ -0,0 +1,213 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\FileUtils;
+/**
+ * Class BanManager
+ *
+ * Failed login attempts will store the associated IP address.
+ * After N failed attempts, the IP will be prevented from log in for duration D.
+ * Both N and D can be set in the configuration file.
+ *
+ * @package Shaarli\Security
+ */
+class BanManager
+{
+    /** @var array List of allowed proxies IP */
+    protected $trustedProxies;
+    /** @var int Number of allowed failed attempt before the ban */
+    protected $nbAttempts;
+    /** @var  int Ban duration in seconds */
+    protected $banDuration;
+    /** @var string Path to the file containing IP bans and failures */
+    protected $banFile;
+    /** @var string Path to the log file, used to log bans */
+    protected $logFile;
+    /** @var array List of IP with their associated number of failed attempts */
+    protected $failures = [];
+    /** @var array List of banned IP with their associated unban timestamp */
+    protected $bans = [];
+    /**
+     * BanManager constructor.
+     *
+     * @param array  $trustedProxies List of allowed proxies IP
+     * @param int    $nbAttempts     Number of allowed failed attempt before the ban
+     * @param int    $banDuration    Ban duration in seconds
+     * @param string $banFile        Path to the file containing IP bans and failures
+     * @param string $logFile        Path to the log file, used to log bans
+     */
+    public function __construct($trustedProxies, $nbAttempts, $banDuration, $banFile, $logFile) {
+        $this->trustedProxies = $trustedProxies;
+        $this->nbAttempts = $nbAttempts;
+        $this->banDuration = $banDuration;
+        $this->banFile = $banFile;
+        $this->logFile = $logFile;
+        $this->readBanFile();
+    }
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedAttempt($server)
+    {
+        $ip = $this->getIp($server);
+        // the IP is behind a trusted forward proxy, but is not forwarded
+        // in the HTTP headers, so we do nothing
+        if (empty($ip)) {
+            return;
+        }
+        // increment the fail count for this IP
+        if (isset($this->failures[$ip])) {
+            $this->failures[$ip]++;
+        } else {
+            $this->failures[$ip] = 1;
+        }
+        if ($this->failures[$ip] >= $this->nbAttempts) {
+            $this->bans[$ip] = time() + $this->banDuration;
+            logm(
+                $this->logFile,
+                $server['REMOTE_ADDR'],
+                'IP address banned from login: '. $ip
+            );
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Remove failed attempts for the provided client.
+     *
+     * @param array $server $_SERVER
+     */
+    public function clearFailures($server)
+    {
+        $ip = $this->getIp($server);
+        // the IP is behind a trusted forward proxy, but is not forwarded
+        // in the HTTP headers, so we do nothing
+        if (empty($ip)) {
+            return;
+        }
+        if (isset($this->failures[$ip])) {
+            unset($this->failures[$ip]);
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Check whether the client IP is banned or not.
+     *
+     * @param array $server $_SERVER
+     *
+     * @return bool True if the IP is banned, false otherwise
+     */
+    public function isBanned($server)
+    {
+        $ip = $this->getIp($server);
+        // the IP is behind a trusted forward proxy, but is not forwarded
+        // in the HTTP headers, so we allow the authentication attempt.
+        if (empty($ip)) {
+            return false;
+        }
+        // the user is not banned
+        if (! isset($this->bans[$ip])) {
+            return false;
+        }
+        // the user is still banned
+        if ($this->bans[$ip] > time()) {
+            return true;
+        }
+        // the ban has expired, the user can attempt to log in again
+        if (isset($this->failures[$ip])) {
+            unset($this->failures[$ip]);
+        }
+        unset($this->bans[$ip]);
+        logm($this->logFile, $server['REMOTE_ADDR'], 'Ban lifted for: '. $ip);
+        $this->writeBanFile();
+        return false;
+    }
+    /**
+     * Retrieve the IP from $_SERVER.
+     * If the actual IP is behind an allowed reverse proxy,
+     * we try to extract the forwarded IP from HTTP headers.
+     *
+     * @param array $server $_SERVER
+     *
+     * @return string|bool The IP or false if none could be extracted
+     */
+    protected function getIp($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        if (! in_array($ip, $this->trustedProxies)) {
+            return $ip;
+        }
+        return getIpAddressFromProxy($server, $this->trustedProxies);
+    }
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        $data = FileUtils::readFlatDB($this->banFile);
+        if (isset($data['failures']) && is_array($data['failures'])) {
+            $this->failures = $data['failures'];
+        }
+        if (isset($data['bans']) && is_array($data['bans'])) {
+            $this->bans = $data['bans'];
+        }
+    }
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        return FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'failures' => $this->failures,
+                'bans' => $this->bans,
+            ]
+        );
+    }
+    /**
+     * Get the Failures (for UT purpose).
+     *
+     * @return array
+     */
+    public function getFailures()
+    {
+        return $this->failures;
+    }
+    /**
+     * Get the Bans (for UT purpose).
+     *
+     * @return array
+     */
+    public function getBans()
+    {
+        return $this->bans;
+    }
+}
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 1ff3d0be..0b0ce0b1 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -20,8 +20,8 @@ class LoginManager
    /** @var SessionManager Session Manager instance **/
    protected $sessionManager = null;
-    /** @var string Path to the file containing IP bans */
+    /** @var BanManager Ban Manager instance **/
-    protected $banFile = '';
+    protected $banManager;
    /** @var bool Whether the user is logged in **/
    protected $isLoggedIn = false;
@@ -35,17 +35,21 @@ class LoginManager
    /**
     * Constructor
     *
-     * @param array          $globals        The $GLOBALS array (reference)
     * @param ConfigManager  $configManager  Configuration Manager instance
     * @param SessionManager $sessionManager SessionManager instance
     */
-    public function __construct(& $globals, $configManager, $sessionManager)
+    public function __construct($configManager, $sessionManager)
    {
-        $this->globals = &$globals;
        $this->configManager = $configManager;
        $this->sessionManager = $sessionManager;
-        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->banManager = new BanManager(
-        $this->readBanFile();
+            $this->configManager->get('security.trusted_proxies', []),
+            $this->configManager->get('security.ban_after'),
+            $this->configManager->get('security.ban_duration'),
+            $this->configManager->get('resource.ban_file', 'data/ipbans.php'),
+            $this->configManager->get('resource.log')
+        );
        if ($this->configManager->get('security.open_shaarli') === true) {
            $this->openShaarli = true;
        }
@@ -158,65 +162,13 @@ class LoginManager
    }
    /**
-     * Read a file containing banned IPs
-     */
-    protected function readBanFile()
-    {
-        if (! file_exists($this->banFile)) {
-            return;
-        }
-        include $this->banFile;
-    }
-    /**
-     * Write the banned IPs to a file
-     */
-    protected function writeBanFile()
-    {
-        if (! array_key_exists('IPBANS', $this->globals)) {
-            return;
-        }
-        file_put_contents(
-            $this->banFile,
-            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
-        );
-    }
-    /**
     * Handle a failed login and ban the IP after too many failed attempts
     *
     * @param array $server The $_SERVER array
     */
    public function handleFailedLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        $this->banManager->handleFailedAttempt($server);
-        $trusted = $this->configManager->get('security.trusted_proxies', []);
-        if (in_array($ip, $trusted)) {
-            $ip = getIpAddressFromProxy($server, $trusted);
-            if (! $ip) {
-                // the IP is behind a trusted forward proxy, but is not forwarded
-                // in the HTTP headers, so we do nothing
-                return;
-            }
-        }
-        // increment the fail count for this IP
-        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
-            $this->globals['IPBANS']['FAILURES'][$ip]++;
-        } else {
-            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
-        }
-        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
-            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
-            logm(
-                $this->configManager->get('resource.log'),
-                $server['REMOTE_ADDR'],
-                'IP address banned from login'
-            );
-        }
-        $this->writeBanFile();
    }
    /**
@@ -226,13 +178,7 @@ class LoginManager
     */
    public function handleSuccessfulLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        $this->banManager->clearFailures($server);
-        // FIXME unban when behind a trusted proxy?
-        unset($this->globals['IPBANS']['FAILURES'][$ip]);
-        unset($this->globals['IPBANS']['BANS'][$ip]);
-        $this->writeBanFile();
    }
    /**
@@ -244,24 +190,6 @@ class LoginManager
     */
    public function canLogin($server)
    {
-        $ip = $server['REMOTE_ADDR'];
+        return ! $this->banManager->isBanned($server);
-        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
-            // the user is not banned
-            return true;
-        }
-        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
-            // the user is still banned
-            return false;
-        }
-        // the ban has expired, the user can attempt to log in again
-        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
-        unset($this->globals['IPBANS']['FAILURES'][$ip]);
-        unset($this->globals['IPBANS']['BANS'][$ip]);
-        $this->writeBanFile();
-        return true;
    }
 }

diff --git a/application/security/BanManager.php b/application/security/BanManager.php new file mode 100644 index 00000000..68190c54 --- /dev/null +++ b/application/security/BanManager.php
@@ -0,0 +1,213 @@
		1	<?php
		2
		3
		4	namespace Shaarli\Security;
		5
		6	use Shaarli\FileUtils;
		7
		8	/**
		9	* Class BanManager
		10	*
		11	* Failed login attempts will store the associated IP address.
		12	* After N failed attempts, the IP will be prevented from log in for duration D.
		13	* Both N and D can be set in the configuration file.
		14	*
		15	* @package Shaarli\Security
		16	*/
		17	class BanManager
		18	{
		19	/** @var array List of allowed proxies IP */
		20	protected $trustedProxies;
		21
		22	/** @var int Number of allowed failed attempt before the ban */
		23	protected $nbAttempts;
		24
		25	/** @var int Ban duration in seconds */
		26	protected $banDuration;
		27
		28	/** @var string Path to the file containing IP bans and failures */
		29	protected $banFile;
		30
		31	/** @var string Path to the log file, used to log bans */
		32	protected $logFile;
		33
		34	/** @var array List of IP with their associated number of failed attempts */
		35	protected $failures = [];
		36
		37	/** @var array List of banned IP with their associated unban timestamp */
		38	protected $bans = [];
		39
		40	/**
		41	* BanManager constructor.
		42	*
		43	* @param array $trustedProxies List of allowed proxies IP
		44	* @param int $nbAttempts Number of allowed failed attempt before the ban
		45	* @param int $banDuration Ban duration in seconds
		46	* @param string $banFile Path to the file containing IP bans and failures
		47	* @param string $logFile Path to the log file, used to log bans
		48	*/
		49	public function __construct($trustedProxies, $nbAttempts, $banDuration, $banFile, $logFile) {
		50	$this->trustedProxies = $trustedProxies;
		51	$this->nbAttempts = $nbAttempts;
		52	$this->banDuration = $banDuration;
		53	$this->banFile = $banFile;
		54	$this->logFile = $logFile;
		55	$this->readBanFile();
		56	}
		57
		58	/**
		59	* Handle a failed login and ban the IP after too many failed attempts
		60	*
		61	* @param array $server The $_SERVER array
		62	*/
		63	public function handleFailedAttempt($server)
		64	{
		65	$ip = $this->getIp($server);
		66	// the IP is behind a trusted forward proxy, but is not forwarded
		67	// in the HTTP headers, so we do nothing
		68	if (empty($ip)) {
		69	return;
		70	}
		71
		72	// increment the fail count for this IP
		73	if (isset($this->failures[$ip])) {
		74	$this->failures[$ip]++;
		75	} else {
		76	$this->failures[$ip] = 1;
		77	}
		78
		79	if ($this->failures[$ip] >= $this->nbAttempts) {
		80	$this->bans[$ip] = time() + $this->banDuration;
		81	logm(
		82	$this->logFile,
		83	$server['REMOTE_ADDR'],
		84	'IP address banned from login: '. $ip
		85	);
		86	}
		87	$this->writeBanFile();
		88	}
		89
		90	/**
		91	* Remove failed attempts for the provided client.
		92	*
		93	* @param array $server $_SERVER
		94	*/
		95	public function clearFailures($server)
		96	{
		97	$ip = $this->getIp($server);
		98	// the IP is behind a trusted forward proxy, but is not forwarded
		99	// in the HTTP headers, so we do nothing
		100	if (empty($ip)) {
		101	return;
		102	}
		103
		104	if (isset($this->failures[$ip])) {
		105	unset($this->failures[$ip]);
		106	}
		107	$this->writeBanFile();
		108	}
		109
		110	/**
		111	* Check whether the client IP is banned or not.
		112	*
		113	* @param array $server $_SERVER
		114	*
		115	* @return bool True if the IP is banned, false otherwise
		116	*/
		117	public function isBanned($server)
		118	{
		119	$ip = $this->getIp($server);
		120	// the IP is behind a trusted forward proxy, but is not forwarded
		121	// in the HTTP headers, so we allow the authentication attempt.
		122	if (empty($ip)) {
		123	return false;
		124	}
		125
		126	// the user is not banned
		127	if (! isset($this->bans[$ip])) {
		128	return false;
		129	}
		130
		131	// the user is still banned
		132	if ($this->bans[$ip] > time()) {
		133	return true;
		134	}
		135
		136	// the ban has expired, the user can attempt to log in again
		137	if (isset($this->failures[$ip])) {
		138	unset($this->failures[$ip]);
		139	}
		140	unset($this->bans[$ip]);
		141	logm($this->logFile, $server['REMOTE_ADDR'], 'Ban lifted for: '. $ip);
		142
		143	$this->writeBanFile();
		144	return false;
		145	}
		146
		147	/**
		148	* Retrieve the IP from $_SERVER.
		149	* If the actual IP is behind an allowed reverse proxy,
		150	* we try to extract the forwarded IP from HTTP headers.
		151	*
		152	* @param array $server $_SERVER
		153	*
		154	* @return string\|bool The IP or false if none could be extracted
		155	*/
		156	protected function getIp($server)
		157	{
		158	$ip = $server['REMOTE_ADDR'];
		159	if (! in_array($ip, $this->trustedProxies)) {
		160	return $ip;
		161	}
		162	return getIpAddressFromProxy($server, $this->trustedProxies);
		163	}
		164
		165	/**
		166	* Read a file containing banned IPs
		167	*/
		168	protected function readBanFile()
		169	{
		170	$data = FileUtils::readFlatDB($this->banFile);
		171	if (isset($data['failures']) && is_array($data['failures'])) {
		172	$this->failures = $data['failures'];
		173	}
		174
		175	if (isset($data['bans']) && is_array($data['bans'])) {
		176	$this->bans = $data['bans'];
		177	}
		178	}
		179
		180	/**
		181	* Write the banned IPs to a file
		182	*/
		183	protected function writeBanFile()
		184	{
		185	return FileUtils::writeFlatDB(
		186	$this->banFile,
		187	[
		188	'failures' => $this->failures,
		189	'bans' => $this->bans,
		190	]
		191	);
		192	}
		193
		194	/**
		195	* Get the Failures (for UT purpose).
		196	*
		197	* @return array
		198	*/
		199	public function getFailures()
		200	{
		201	return $this->failures;
		202	}
		203
		204	/**
		205	* Get the Bans (for UT purpose).
		206	*
		207	* @return array
		208	*/
		209	public function getBans()
		210	{
		211	return $this->bans;
		212	}
		213	}


diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 1ff3d0be..0b0ce0b1 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php
@@ -20,8 +20,8 @@ class LoginManager
20	/ @var SessionManager Session Manager instance /	20	/ @var SessionManager Session Manager instance /
21	protected $sessionManager = null;	21	protected $sessionManager = null;
22		22
23	/** @var string Path to the file containing IP bans */	23	/ @var BanManager Ban Manager instance /
24	protected $banFile = '';	24	protected $banManager;
25		25
26	/ @var bool Whether the user is logged in /	26	/ @var bool Whether the user is logged in /
27	protected $isLoggedIn = false;	27	protected $isLoggedIn = false;
@@ -35,17 +35,21 @@ class LoginManager
35	/**	35	/**
36	* Constructor	36	* Constructor
37	*	37	*
38	* @param array $globals The $GLOBALS array (reference)
39	* @param ConfigManager $configManager Configuration Manager instance	38	* @param ConfigManager $configManager Configuration Manager instance
40	* @param SessionManager $sessionManager SessionManager instance	39	* @param SessionManager $sessionManager SessionManager instance
41	*/	40	*/
42	public function __construct(& $globals, $configManager, $sessionManager)	41	public function __construct($configManager, $sessionManager)
43	{	42	{
44	$this->globals = &$globals;
45	$this->configManager = $configManager;	43	$this->configManager = $configManager;
46	$this->sessionManager = $sessionManager;	44	$this->sessionManager = $sessionManager;
47	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');	45	$this->banManager = new BanManager(
48	$this->readBanFile();	46	$this->configManager->get('security.trusted_proxies', []),
		47	$this->configManager->get('security.ban_after'),
		48	$this->configManager->get('security.ban_duration'),
		49	$this->configManager->get('resource.ban_file', 'data/ipbans.php'),
		50	$this->configManager->get('resource.log')
		51	);
		52
49	if ($this->configManager->get('security.open_shaarli') === true) {	53	if ($this->configManager->get('security.open_shaarli') === true) {
50	$this->openShaarli = true;	54	$this->openShaarli = true;
51	}	55	}
@@ -158,65 +162,13 @@ class LoginManager
158	}	162	}
159		163
160	/**	164	/**
161	* Read a file containing banned IPs
162	*/
163	protected function readBanFile()
164	{
165	if (! file_exists($this->banFile)) {
166	return;
167	}
168	include $this->banFile;
169	}
170
171	/**
172	* Write the banned IPs to a file
173	*/
174	protected function writeBanFile()
175	{
176	if (! array_key_exists('IPBANS', $this->globals)) {
177	return;
178	}
179	file_put_contents(
180	$this->banFile,
181	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
182	);
183	}
184
185	/**
186	* Handle a failed login and ban the IP after too many failed attempts	165	* Handle a failed login and ban the IP after too many failed attempts
187	*	166	*
188	* @param array $server The $_SERVER array	167	* @param array $server The $_SERVER array
189	*/	168	*/
190	public function handleFailedLogin($server)	169	public function handleFailedLogin($server)
191	{	170	{
192	$ip = $server['REMOTE_ADDR'];	171	$this->banManager->handleFailedAttempt($server);
193	$trusted = $this->configManager->get('security.trusted_proxies', []);
194
195	if (in_array($ip, $trusted)) {
196	$ip = getIpAddressFromProxy($server, $trusted);
197	if (! $ip) {
198	// the IP is behind a trusted forward proxy, but is not forwarded
199	// in the HTTP headers, so we do nothing
200	return;
201	}
202	}
203
204	// increment the fail count for this IP
205	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
206	$this->globals['IPBANS']['FAILURES'][$ip]++;
207	} else {
208	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
209	}
210
211	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
212	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
213	logm(
214	$this->configManager->get('resource.log'),
215	$server['REMOTE_ADDR'],
216	'IP address banned from login'
217	);
218	}
219	$this->writeBanFile();
220	}	172	}
221		173
222	/**	174	/**
@@ -226,13 +178,7 @@ class LoginManager
226	*/	178	*/
227	public function handleSuccessfulLogin($server)	179	public function handleSuccessfulLogin($server)
228	{	180	{
229	$ip = $server['REMOTE_ADDR'];	181	$this->banManager->clearFailures($server);
230	// FIXME unban when behind a trusted proxy?
231
232	unset($this->globals['IPBANS']['FAILURES'][$ip]);
233	unset($this->globals['IPBANS']['BANS'][$ip]);
234
235	$this->writeBanFile();
236	}	182	}
237		183
238	/**	184	/**
@@ -244,24 +190,6 @@ class LoginManager
244	*/	190	*/
245	public function canLogin($server)	191	public function canLogin($server)
246	{	192	{
247	$ip = $server['REMOTE_ADDR'];	193	return ! $this->banManager->isBanned($server);
248
249	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
250	// the user is not banned
251	return true;
252	}
253
254	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
255	// the user is still banned
256	return false;
257	}
258
259	// the ban has expired, the user can attempt to log in again
260	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
261	unset($this->globals['IPBANS']['FAILURES'][$ip]);
262	unset($this->globals['IPBANS']['BANS'][$ip]);
263
264	$this->writeBanFile();
265	return true;
266	}	194	}
267	}	195	}