path: root/application/security/LoginManager.php
<?php
namespace Shaarli\Security;

use Exception;
use Shaarli\Config\ConfigManager;

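/**
 * User login management
 *
 * A request is considered authenticated when one of the following holds:
 *  - the instance is configured as open (`security.open_shaarli` === true), in which
 *    case isLoggedIn() is always true;
 *  - the client presents a "stay signed in" cookie equal to the token derived by
 *    generateStaySignedInToken();
 *  - the SessionManager reports a session that is neither expired nor bound to a
 *    different client IP.
 *
 * Password verification is delegated to the local config (salted SHA-1 digest) or,
 * when `ldap.host` is set, to an LDAP bind. Repeated failures are throttled by the
 * BanManager (see handleFailedLogin() / canLogin()).
 */
class LoginManager
{
    /** @var string Name of the cookie set after logging in **/
    public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';

    /** @var array A reference to the $_GLOBALS array */
    protected $globals = [];

    /** @var ConfigManager Configuration Manager instance **/
    protected $configManager = null;

    /** @var SessionManager Session Manager instance **/
    protected $sessionManager = null;

    /** @var BanManager Ban Manager instance **/
    protected $banManager;

    /** @var bool Whether the user is logged in **/
    protected $isLoggedIn = false;

    /** @var bool Whether the Shaarli instance is open to public edition **/
    protected $openShaarli = false;

    /** @var string User sign-in token depending on remote IP and credentials */
    protected $staySignedInToken = '';

    /**
     * Constructor
     *
     * Builds the BanManager from the `security.*` / `resource.*` settings and records
     * whether the instance is open to the public.
     *
     * @param ConfigManager  $configManager  Configuration Manager instance
     * @param SessionManager $sessionManager SessionManager instance
     */
    public function __construct($configManager, $sessionManager)
    {
        $this->configManager = $configManager;
        $this->sessionManager = $sessionManager;
        $this->banManager = new BanManager(
            $this->configManager->get('security.trusted_proxies', []),
            $this->configManager->get('security.ban_after'),
            $this->configManager->get('security.ban_duration'),
            $this->configManager->get('resource.ban_file', 'data/ipbans.php'),
            $this->configManager->get('resource.log')
        );

        // Strict comparison on purpose: only a boolean true opens the instance,
        // not a truthy string such as "1" or "true".
        $this->openShaarli = $this->configManager->get('security.open_shaarli') === true;
    }

    /**
     * Generate a token depending on deployment salt, user password and client IP
     *
     * The token is sha1(credentials.hash . clientIp . credentials.salt). It is a
     * deterministic, long-lived bearer credential: it cannot be revoked on its own and
     * only changes when the password (hence credentials.hash) or the salt changes.
     * When `security.session_protection_disabled` is true the IP is left out, so the
     * resulting cookie is accepted from any client address.
     *
     * @param string $clientIpAddress The remote client IP address
     */
    public function generateStaySignedInToken($clientIpAddress)
    {
        if ($this->configManager->get('security.session_protection_disabled') === true) {
            $clientIpAddress = '';
        }
        $this->staySignedInToken = sha1(
            $this->configManager->get('credentials.hash')
            . $clientIpAddress
            . $this->configManager->get('credentials.salt')
        );
    }

    /**
     * Return the user's client stay-signed-in token
     *
     * @return string User's client stay-signed-in token ('' until
     *                generateStaySignedInToken() has been called)
     */
    public function getStaySignedInToken()
    {
        return $this->staySignedInToken;
    }

    /**
     * Check user session state and validity (expiration)
     *
     * Sets $this->isLoggedIn. A valid stay-signed-in cookie re-binds the session to the
     * current client; otherwise an expired session or a client IP change logs the user out.
     *
     * @param array  $cookie     The $_COOKIE array
     * @param string $clientIpId Client IP address identifier
     */
    public function checkLoginState($cookie, $clientIpId)
    {
        if (! $this->configManager->exists('credentials.login')) {
            // Shaarli is not configured yet
            $this->isLoggedIn = false;
            return;
        }

        if ($this->hasValidStaySignedInCookie($cookie)) {
            // The user client has a valid stay-signed-in cookie
            // Session information is updated with the current client information
            $this->sessionManager->storeLoginInfo($clientIpId);
        } elseif ($this->sessionManager->hasSessionExpired()
            || $this->sessionManager->hasClientIpChanged($clientIpId)
        ) {
            $this->sessionManager->logout();
            $this->isLoggedIn = false;
            return;
        }

        $this->isLoggedIn = true;
        $this->sessionManager->extendSession();
    }

    /**
     * Whether the request carries a stay-signed-in cookie matching the server-side token
     *
     * @param array $cookie The $_COOKIE array
     *
     * @return bool true if the cookie value equals the token generated for this request
     */
    protected function hasValidStaySignedInCookie($cookie)
    {
        if (! is_string($this->staySignedInToken) || $this->staySignedInToken === '') {
            // No token has been generated for this request: there is nothing a client
            // could legitimately match, and an empty token must never validate an
            // empty cookie value (the previous `===` check did exactly that).
            return false;
        }

        if (! is_array($cookie) || ! isset($cookie[self::$STAY_SIGNED_IN_COOKIE])) {
            return false;
        }

        $presented = $cookie[self::$STAY_SIGNED_IN_COOKIE];
        // PHP parses `name[]=value` cookies as arrays; only a string can be a token.
        if (! is_string($presented)) {
            return false;
        }

        // The token is a bearer credential: compare in constant time.
        return hash_equals($this->staySignedInToken, $presented);
    }

    /**
     * Return whether the user is currently logged in
     *
     * @return bool true when the user is logged in (always true on an open instance),
     *              false otherwise
     */
    public function isLoggedIn()
    {
        if ($this->openShaarli) {
            return true;
        }
        return $this->isLoggedIn;
    }

    /**
     * Check user credentials are valid
     *
     * On success the session is bound to the client and the event is logged; every
     * failure (including a backend exception) is logged and yields false.
     *
     * @param string $remoteIp   Remote client IP address
     * @param string $clientIpId Client IP address identifier
     * @param string $login      Username
     * @param string $password   Password
     *
     * @return bool true if the provided credentials are valid, false otherwise
     */
    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
    {
        // Check login matches config
        if ($login !== $this->configManager->get('credentials.login')) {
            return false;
        }

        $logFile = $this->configManager->get('resource.log');

        // Check credentials
        try {
            $useLdapLogin = ! empty($this->configManager->get('ldap.host'));
            $valid = $useLdapLogin
                ? $this->checkCredentialsFromLdap($login, $password)
                : $this->checkCredentialsFromLocalConfig($login, $password);

            // Strict check: an authentication backend must answer with a real boolean,
            // not merely a truthy value.
            if ($valid === true) {
                $this->sessionManager->storeLoginInfo($clientIpId);
                logm($logFile, $remoteIp, 'Login successful');
                return true;
            }
        } catch (Exception $exception) {
            // Log class and message only. Casting the exception to string appends the
            // stack trace, whose frame arguments contain the submitted password unless
            // zend.exception_ignore_args is enabled.
            logm(
                $logFile,
                $remoteIp,
                'Exception while checking credentials: '
                . get_class($exception) . ': ' . $exception->getMessage()
            );
        }

        logm($logFile, $remoteIp, 'Login failed for user ' . $login);
        return false;
    }

    /**
     * Check user credentials from local config
     *
     * The stored credential is sha1(password . login . credentials.salt); the digest
     * format is fixed by the config file, so it is kept here (migrating to
     * password_hash() would require a config migration).
     *
     * @param string $login      Username
     * @param string $password   Password
     *
     * @return bool true if the provided credentials are valid, false otherwise
     */
    public function checkCredentialsFromLocalConfig($login, $password)
    {
        $expectedLogin = $this->configManager->get('credentials.login');
        $expectedHash = $this->configManager->get('credentials.hash');

        if (! is_string($expectedLogin) || ! is_string($expectedHash) || $expectedHash === '') {
            // Credentials not (fully) configured: fail closed.
            return false;
        }

        // Strict login comparison: `==` would compare numeric-looking logins
        // ("123" vs "0123") as numbers.
        if (! is_string($login) || ! is_string($password) || $login !== $expectedLogin) {
            return false;
        }

        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));

        // hash_equals(): strict, constant-time. A loose `==` treats two hex digests that
        // look like floats (e.g. "0e12345...") as equal ("magic hash" bypass).
        return hash_equals($expectedHash, $hash);
    }

    /**
     * Check user credentials are valid through LDAP bind
     *
     * The login is substituted into the `ldap.dn` template and a simple bind is
     * attempted with the given password. Empty passwords are rejected up front:
     * ldap_bind() with an empty password performs an anonymous bind, which most
     * directories accept and which would otherwise log the user in without a password.
     *
     * @param string        $login    Username
     * @param string        $password Password
     * @param callable|null $connect  Optional connect function (host) -> handle, for tests
     * @param callable|null $bind     Optional bind function (handle, dn, password) -> bool, for tests
     *
     * @return bool true if the provided credentials are valid, false otherwise
     */
    public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
    {
        $connect = $connect ?? function ($host) {
            $resource = ldap_connect($host);

            if ($resource === false) {
                return false;
            }
            ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);

            return $resource;
        };
        $bind = $bind ?? function ($handle, $dn, $password) {
            return ldap_bind($handle, $dn, $password);
        };

        if (! is_string($login) || $login === '' || ! is_string($password) || $password === '') {
            return false;
        }

        $handle = $connect($this->configManager->get('ldap.host'));
        if ($handle === false || $handle === null) {
            // Connection setup failed: never attempt a bind on an invalid handle.
            return false;
        }

        // Escape the login before substituting it into the DN template so that DN
        // metacharacters (',', '=', '+', ...) in the login cannot rewrite the bind DN.
        $dn = sprintf(
            $this->configManager->get('ldap.dn'),
            self::escapeDnValue($login)
        );

        return $bind($handle, $dn, $password) === true;
    }

    /**
     * Escape a value for use inside an LDAP distinguished name (RFC 4514)
     *
     * Uses ldap_escape($value, '', LDAP_ESCAPE_DN) when ext/ldap is loaded. Otherwise
     * (e.g. when $connect/$bind are injected in tests) the same "\XX" hex escaping is
     * applied to the DN metacharacters \ , = + < > ; " #, to NUL and to leading or
     * trailing spaces.
     *
     * @param string $value Raw attribute value
     *
     * @return string Escaped value
     */
    protected static function escapeDnValue($value)
    {
        if (function_exists('ldap_escape')) {
            return ldap_escape($value, '', LDAP_ESCAPE_DN);
        }

        $escaped = '';
        $length = strlen($value);
        for ($i = 0; $i < $length; $i++) {
            $char = $value[$i];
            $isMeta = strpos("\\,=+<>;\"#", $char) !== false;
            $isEdgeSpace = $char === ' ' && ($i === 0 || $i === $length - 1);
            if ($isMeta || $isEdgeSpace || $char === "\0") {
                $escaped .= '\\' . str_pad(dechex(ord($char)), 2, '0', STR_PAD_LEFT);
            } else {
                $escaped .= $char;
            }
        }

        return $escaped;
    }

    /**
     * Handle a failed login and ban the IP after too many failed attempts
     *
     * @param array $server The $_SERVER array
     */
    public function handleFailedLogin($server)
    {
        $this->banManager->handleFailedAttempt($server);
    }

    /**
     * Handle a successful login
     *
     * Clears the failure counter for the client IP.
     *
     * @param array $server The $_SERVER array
     */
    public function handleSuccessfulLogin($server)
    {
        $this->banManager->clearFailures($server);
    }

    /**
     * Check if the user can login from this IP
     *
     * @param array $server The $_SERVER array
     *
     * @return bool true if the user is allowed to login (IP not currently banned)
     */
    public function canLogin($server)
    {
        return ! $this->banManager->isBanned($server);
    }
}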