WebSVN – oidplus – Blame – /trunk/includes/classes/OIDplusAuthUtils.class.php

Rev	Author	Line No.	Line
2	daniel-mar	1	<?php
		2
		3	/*
		4	* OIDplus 2.0
		5	* Copyright 2019 Daniel Marschall, ViaThinkSoft
		6	*
		7	* Licensed under the Apache License, Version 2.0 (the "License");
		8	* you may not use this file except in compliance with the License.
		9	* You may obtain a copy of the License at
		10	*
		11	* http://www.apache.org/licenses/LICENSE-2.0
		12	*
		13	* Unless required by applicable law or agreed to in writing, software
		14	* distributed under the License is distributed on an "AS IS" BASIS,
		15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		16	* See the License for the specific language governing permissions and
		17	* limitations under the License.
		18	*/
		19
		20	class OIDplusAuthUtils {
		21
14	daniel-mar	22	// RA authentication functions
2	daniel-mar	23
		24	public static function raLogin($email) {
		25	if (strpos($email, '\|') !== false) return;
		26
42	daniel-mar	27	$ses = OIDplus::sesHandler();
2	daniel-mar	28	$list = $ses->getValue('oidplus_logged_in');
		29	if (is_null($list)) $list = '';
		30
		31	$ary = ($list == '') ? array() : explode('\|', $list);
		32	if (!in_array($email, $ary)) $ary[] = $email;
		33	$list = implode('\|', $ary);
		34
		35	$ses->setValue('oidplus_logged_in', $list);
		36	}
		37
		38	public static function raLogout($email) {
42	daniel-mar	39	$ses = OIDplus::sesHandler();
2	daniel-mar	40	$list = $ses->getValue('oidplus_logged_in');
		41	if (is_null($list)) $list = '';
		42
		43	$ary = ($list == '') ? array() : explode('\|', $list);
		44	$key = array_search($email, $ary);
		45	if ($key !== false) unset($ary[$key]);
		46	$list = implode('\|', $ary);
		47
		48	$ses->setValue('oidplus_logged_in', $list);
85	daniel-mar	49
179	daniel-mar	50	if (($list == '') && (!self::isAdminLoggedIn())) {
85	daniel-mar	51	// Nobody logged in anymore. Destroy session cookie to make GDPR people happy
		52	$ses->destroySession();
		53	}
2	daniel-mar	54	}
		55
329	daniel-mar	56	public static function raCheckPassword($ra_email, $password) {
		57	$ra = new OIDplusRA($ra_email);
		58	return $ra->checkPassword($password);
		59	}
		60
85	daniel-mar	61	public static function raNumLoggedIn() {
329	daniel-mar	62	return count(self::loggedInRaList());
85	daniel-mar	63	}
		64
2	daniel-mar	65	public static function raLogoutAll() {
42	daniel-mar	66	$ses = OIDplus::sesHandler();
2	daniel-mar	67	$ses->setValue('oidplus_logged_in', '');
		68	}
		69
		70	public static function loggedInRaList() {
329	daniel-mar	71	if (self::forceAllLoggedOut()) {
282	daniel-mar	72	return array();
		73	}
329	daniel-mar	74
42	daniel-mar	75	$ses = OIDplus::sesHandler();
2	daniel-mar	76	$list = $ses->getValue('oidplus_logged_in');
		77	if (is_null($list)) $list = '';
115	daniel-mar	78
		79	$res = array();
329	daniel-mar	80	foreach (array_unique(explode('\|',$list)) as $ra_email) {
115	daniel-mar	81	if ($ra_email == '') continue;
		82	$res[] = new OIDplusRA($ra_email);
		83	}
		84	return $res;
2	daniel-mar	85	}
		86
		87	public static function isRaLoggedIn($email) {
115	daniel-mar	88	foreach (self::loggedInRaList() as $ra) {
		89	if ($email == $ra->raEmail()) return true;
		90	}
		91	return false;
2	daniel-mar	92	}
		93
14	daniel-mar	94	// Admin authentication functions
2	daniel-mar	95
		96	public static function adminLogin() {
42	daniel-mar	97	$ses = OIDplus::sesHandler();
2	daniel-mar	98	$ses->setValue('oidplus_admin_logged_in', '1');
		99	}
		100
		101	public static function adminLogout() {
42	daniel-mar	102	$ses = OIDplus::sesHandler();
85	daniel-mar	103	$ses->setValue('oidplus_admin_logged_in', '0');
		104
		105	if (self::raNumLoggedIn() == 0) {
		106	// Nobody logged in anymore. Destroy session cookie to make GDPR people happy
		107	$ses->destroySession();
		108	}
2	daniel-mar	109	}
		110
		111	public static function adminCheckPassword($password) {
421	daniel-mar	112	$passwordData = OIDplus::baseConfig()->getValue('ADMIN_PASSWORD', '');
		113	if (empty($passwordData)) {
360	daniel-mar	114	throw new OIDplusException(_L('No admin password set in %1','userdata/baseconfig/config.inc.php'));
261	daniel-mar	115	}
421	daniel-mar	116	if (strpos($passwordData, '$') !== false) {
		117	list($s_salt, $hash) = explode('$', $passwordData, 2);
		118	} else {
		119	$s_salt = '';
		120	$hash = $passwordData;
		121	}
		122	return strcmp(sha3_512($s_salt.$password, true), base64_decode($hash)) === 0;
2	daniel-mar	123	}
		124
		125	public static function isAdminLoggedIn() {
329	daniel-mar	126	if (self::forceAllLoggedOut()) {
282	daniel-mar	127	return false;
		128	}
42	daniel-mar	129	$ses = OIDplus::sesHandler();
2	daniel-mar	130	return $ses->getValue('oidplus_admin_logged_in') == '1';
		131	}
		132
310	daniel-mar	133	// Authentication keys for validating arguments (e.g. sent by mail)
2	daniel-mar	134
		135	public static function makeAuthKey($data) {
424	daniel-mar	136	$data = OIDplus::baseConfig()->getValue('SERVER_SECRET') . '/AUTHKEY/' . $data;
421	daniel-mar	137	$calc_authkey = sha3_512($data, false);
2	daniel-mar	138	return $calc_authkey;
		139	}
		140
		141	public static function validateAuthKey($data, $auth_key) {
421	daniel-mar	142	return strcmp(self::makeAuthKey($data), $auth_key) === 0;
2	daniel-mar	143	}
		144
329	daniel-mar	145	// "Veto" functions to force logout state
		146
		147	public static function forceAllLoggedOut() {
		148	if (isset($_SERVER['SCRIPT_FILENAME']) && (basename($_SERVER['SCRIPT_FILENAME']) == 'sitemap.php')) {
		149	// The sitemap may not contain any confidential information,
		150	// even if the user is logged in, because the admin could
		151	// accidentally copy-paste the sitemap to a
		152	// search engine control panel while they are logged in
		153	return true;
		154	} else {
		155	return false;
		156	}
		157	}
427	daniel-mar	158
424	daniel-mar	159	// CSRF functions
427	daniel-mar	160
424	daniel-mar	161	private $enable_csrf = true;
427	daniel-mar	162
424	daniel-mar	163	public function enableCSRF() {
		164	$this->enable_csrf = true;
		165	}
427	daniel-mar	166
424	daniel-mar	167	public function disableCSRF() {
		168	$this->enable_csrf = false;
		169	}
427	daniel-mar	170
424	daniel-mar	171	public function genCSRFToken() {
		172	return uniqid(mt_rand(), true);
		173	}
427	daniel-mar	174
424	daniel-mar	175	public function checkCSRF() {
427	daniel-mar	176	if (!$this->enable_csrf) return;
424	daniel-mar	177	if (!isset($_REQUEST['csrf_token']) \|\| !isset($_COOKIE['csrf_token']) \|\| ($_REQUEST['csrf_token'] != $_COOKIE['csrf_token'])) {
		178	throw new Exception(_L('Wrong CSRF Token'));
		179	}
		180	}
329	daniel-mar	181
421	daniel-mar	182	// Generate RA passwords
		183
		184	public static function raGeneratePassword($password) {
		185	$s_salt = uniqid(mt_rand(), true);
		186	$calc_authkey = 'A2#'.base64_encode(sha3_512($s_salt.$password, true));
		187	return array($s_salt, $calc_authkey);
		188	}
		189
		190	// Generate admin password
		191
		192	/* Nothing here; the admin password will be generated in setup_base.js */
		193
		194	}

Subversion Repositories oidplus

oidplus/trunk/includes/classes/OIDplusAuthUtils.class.php @ 1301 – Rev 427