From fab87c2696b9d6a26310f1bfc024b018ca5184fe Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Fri, 27 Apr 2018 22:12:22 +0200 Subject: Move LoginManager and SessionManager to the Security namespace Signed-off-by: VirtualTam --- application/security/LoginManager.php | 238 ++++++++++++++++++++++++++++++++++ 1 file changed, 238 insertions(+) create mode 100644 application/security/LoginManager.php (limited to 'application/security/LoginManager.php') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..e7b9b21e --- /dev/null +++ b/application/security/LoginManager.php @@ -0,0 +1,238 @@ +globals = &$globals; + $this->configManager = $configManager; + $this->sessionManager = $sessionManager; + $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); + $this->readBanFile(); + if ($this->configManager->get('security.open_shaarli')) { + $this->openShaarli = true; + } + } + + /** + * Check user session state and validity (expiration) + * + * @param array $cookie The $_COOKIE array + * @param string $webPath Path on the server in which the cookie will be available on + * @param string $clientIpId Client IP address identifier + * @param string $token Session token + * + * @return bool true if the user session is valid, false otherwise + */ + public function checkLoginState($cookie, $webPath, $clientIpId, $token) + { + if (! $this->configManager->exists('credentials.login')) { + // Shaarli is not configured yet + $this->isLoggedIn = false; + return; + } + + if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) + && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token + ) { + $this->sessionManager->storeLoginInfo($clientIpId); + $this->isLoggedIn = true; + } + + if ($this->sessionManager->hasSessionExpired() + || $this->sessionManager->hasClientIpChanged($clientIpId) + ) { + $this->sessionManager->logout($webPath); + $this->isLoggedIn = false; + return; + } + + $this->sessionManager->extendSession(); + } + + /** + * Return whether the user is currently logged in + * + * @return true when the user is logged in, false otherwise + */ + public function isLoggedIn() + { + if ($this->openShaarli) { + return true; + } + return $this->isLoggedIn; + } + + /** + * Check user credentials are valid + * + * @param string $remoteIp Remote client IP address + * @param string $clientIpId Client IP address identifier + * @param string $login Username + * @param string $password Password + * + * @return bool true if the provided credentials are valid, false otherwise + */ + public function checkCredentials($remoteIp, $clientIpId, $login, $password) + { + $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); + + if ($login != $this->configManager->get('credentials.login') + || $hash != $this->configManager->get('credentials.hash') + ) { + logm( + $this->configManager->get('resource.log'), + $remoteIp, + 'Login failed for user ' . $login + ); + return false; + } + + $this->sessionManager->storeLoginInfo($clientIpId); + logm( + $this->configManager->get('resource.log'), + $remoteIp, + 'Login successful' + ); + return true; + } + + /** + * Read a file containing banned IPs + */ + protected function readBanFile() + { + if (! file_exists($this->banFile)) { + return; + } + include $this->banFile; + } + + /** + * Write the banned IPs to a file + */ + protected function writeBanFile() + { + if (! array_key_exists('IPBANS', $this->globals)) { + return; + } + file_put_contents( + $this->banFile, + "globals['IPBANS'], true) . ";\n?>" + ); + } + + /** + * Handle a failed login and ban the IP after too many failed attempts + * + * @param array $server The $_SERVER array + */ + public function handleFailedLogin($server) + { + $ip = $server['REMOTE_ADDR']; + $trusted = $this->configManager->get('security.trusted_proxies', []); + + if (in_array($ip, $trusted)) { + $ip = getIpAddressFromProxy($server, $trusted); + if (! $ip) { + // the IP is behind a trusted forward proxy, but is not forwarded + // in the HTTP headers, so we do nothing + return; + } + } + + // increment the fail count for this IP + if (isset($this->globals['IPBANS']['FAILURES'][$ip])) { + $this->globals['IPBANS']['FAILURES'][$ip]++; + } else { + $this->globals['IPBANS']['FAILURES'][$ip] = 1; + } + + if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) { + $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800); + logm( + $this->configManager->get('resource.log'), + $server['REMOTE_ADDR'], + 'IP address banned from login' + ); + } + $this->writeBanFile(); + } + + /** + * Handle a successful login + * + * @param array $server The $_SERVER array + */ + public function handleSuccessfulLogin($server) + { + $ip = $server['REMOTE_ADDR']; + // FIXME unban when behind a trusted proxy? + + unset($this->globals['IPBANS']['FAILURES'][$ip]); + unset($this->globals['IPBANS']['BANS'][$ip]); + + $this->writeBanFile(); + } + + /** + * Check if the user can login from this IP + * + * @param array $server The $_SERVER array + * + * @return bool true if the user is allowed to login + */ + public function canLogin($server) + { + $ip = $server['REMOTE_ADDR']; + + if (! isset($this->globals['IPBANS']['BANS'][$ip])) { + // the user is not banned + return true; + } + + if ($this->globals['IPBANS']['BANS'][$ip] > time()) { + // the user is still banned + return false; + } + + // the ban has expired, the user can attempt to log in again + logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.'); + unset($this->globals['IPBANS']['FAILURES'][$ip]); + unset($this->globals['IPBANS']['BANS'][$ip]); + + $this->writeBanFile(); + return true; + } +} -- cgit v1.2.3 From 51f0128cdba52099c40693379e72f094b42a6f80 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Fri, 27 Apr 2018 23:17:38 +0200 Subject: Refactor session and cookie timeout control Signed-off-by: VirtualTam --- application/security/LoginManager.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'application/security/LoginManager.php') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index e7b9b21e..27247f3f 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -49,13 +49,12 @@ class LoginManager * Check user session state and validity (expiration) * * @param array $cookie The $_COOKIE array - * @param string $webPath Path on the server in which the cookie will be available on * @param string $clientIpId Client IP address identifier * @param string $token Session token * * @return bool true if the user session is valid, false otherwise */ - public function checkLoginState($cookie, $webPath, $clientIpId, $token) + public function checkLoginState($cookie, $clientIpId, $token) { if (! $this->configManager->exists('credentials.login')) { // Shaarli is not configured yet @@ -73,7 +72,7 @@ class LoginManager if ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) ) { - $this->sessionManager->logout($webPath); + $this->sessionManager->logout(); $this->isLoggedIn = false; return; } -- cgit v1.2.3 From c689e108639a4f6aa9e15928422e14db7cbe30ca Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sun, 6 May 2018 17:06:36 +0200 Subject: Refactor LoginManager stay-signed-in token management Signed-off-by: VirtualTam --- application/security/LoginManager.php | 37 +++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) (limited to 'application/security/LoginManager.php') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 27247f3f..41fa9a20 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -8,6 +8,9 @@ use Shaarli\Config\ConfigManager; */ class LoginManager { + /** @var string Name of the cookie set after logging in **/ + public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn'; + /** @var array A reference to the $_GLOBALS array */ protected $globals = []; @@ -26,6 +29,9 @@ class LoginManager /** @var bool Whether the Shaarli instance is open to public edition **/ protected $openShaarli = false; + /** @var string User sign-in token depending on remote IP and credentials */ + protected $staySignedInToken = ''; + /** * Constructor * @@ -45,16 +51,39 @@ class LoginManager } } + /** + * Generate a token depending on deployment salt, user password and client IP + * + * @param string $clientIpAddress The remote client IP address + */ + public function generateStaySignedInToken($clientIpAddress) + { + $this->staySignedInToken = sha1( + $this->configManager->get('credentials.hash') + . $clientIpAddress + . $this->configManager->get('credentials.salt') + ); + } + + /** + * Return the user's client stay-signed-in token + * + * @return string User's client stay-signed-in token + */ + public function getStaySignedInToken() + { + return $this->staySignedInToken; + } + /** * Check user session state and validity (expiration) * * @param array $cookie The $_COOKIE array * @param string $clientIpId Client IP address identifier - * @param string $token Session token * * @return bool true if the user session is valid, false otherwise */ - public function checkLoginState($cookie, $clientIpId, $token) + public function checkLoginState($cookie, $clientIpId) { if (! $this->configManager->exists('credentials.login')) { // Shaarli is not configured yet @@ -62,8 +91,8 @@ class LoginManager return; } - if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) - && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token + if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) + && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken ) { $this->sessionManager->storeLoginInfo($clientIpId); $this->isLoggedIn = true; -- cgit v1.2.3 From 704637bfebc73ada4b800b35c457e9fe56ad3567 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sun, 6 May 2018 17:12:48 +0200 Subject: Add test coverage for LoginManager methods Signed-off-by: VirtualTam --- application/security/LoginManager.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'application/security/LoginManager.php') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 41fa9a20..4946850b 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -46,7 +46,7 @@ class LoginManager $this->sessionManager = $sessionManager; $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); $this->readBanFile(); - if ($this->configManager->get('security.open_shaarli')) { + if ($this->configManager->get('security.open_shaarli') === true) { $this->openShaarli = true; } } @@ -80,8 +80,6 @@ class LoginManager * * @param array $cookie The $_COOKIE array * @param string $clientIpId Client IP address identifier - * - * @return bool true if the user session is valid, false otherwise */ public function checkLoginState($cookie, $clientIpId) { @@ -94,11 +92,12 @@ class LoginManager if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken ) { + // The user client has a valid stay-signed-in cookie + // Session information is updated with the current client information $this->sessionManager->storeLoginInfo($clientIpId); $this->isLoggedIn = true; - } - if ($this->sessionManager->hasSessionExpired() + } elseif ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) ) { $this->sessionManager->logout(); -- cgit v1.2.3 From 8edd7f15886620b07064aa889aea05c5acbc0e58 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Wed, 30 May 2018 02:09:09 +0200 Subject: SessionManager+LoginManager: fix checkLoginState logic Signed-off-by: VirtualTam --- application/security/LoginManager.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'application/security/LoginManager.php') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 4946850b..d6784d6d 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -95,7 +95,6 @@ class LoginManager // The user client has a valid stay-signed-in cookie // Session information is updated with the current client information $this->sessionManager->storeLoginInfo($clientIpId); - $this->isLoggedIn = true; } elseif ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) @@ -105,6 +104,7 @@ class LoginManager return; } + $this->isLoggedIn = true; $this->sessionManager->extendSession(); } -- cgit v1.2.3