27,6 → 27,11 |
|
// Useful functions |
|
/** |
* @param string $password |
* @return string |
* @throws OIDplusException |
*/ |
private static function raPepperProcessing(string $password): string { |
// Additional feature: Pepper |
// The pepper is stored inside the base configuration file |
43,7 → 48,7 |
} else { |
$hmac = hash_hmac($algo, $password, $pepper); |
} |
if ($hmac === false) throw new OIDplusException(_L('HMAC failed')); |
if ($hmac === "") throw new OIDplusException(_L('HMAC failed')); |
return $hmac; |
} else { |
return $password; |
52,6 → 57,10 |
|
// Content provider |
|
/** |
* @return string |
* @throws OIDplusException |
*/ |
public function getAuthMethod() { |
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return 'null'; |
58,7 → 67,11 |
return get_class($acs); |
} |
|
protected function getAuthContentStore() { |
/** |
* @return OIDplusAuthContentStore|null |
* @throws OIDplusException |
*/ |
protected function getAuthContentStore()/*: ?OIDplusAuthContentStore*/ { |
// Logged in via JWT |
$tmp = OIDplusAuthContentStoreJWT::getActiveProvider(); |
if ($tmp) return $tmp; |
72,7 → 85,13 |
return null; |
} |
|
public function getExtendedAttribute($name, $default=NULL) { |
/** |
* @param string $name |
* @param mixed|null $default |
* @return mixed |
* @throws OIDplusException |
*/ |
public function getExtendedAttribute(string $name, $default=NULL) { |
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return $default; |
return $acs->getValue($name, $default); |
80,19 → 99,35 |
|
// RA authentication functions |
|
public function raLogin($email) { |
/** |
* @param string $email |
* @return void |
* @throws OIDplusException |
*/ |
public function raLogin(string $email) { |
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return; |
return $acs->raLogin($email); |
$acs->raLogin($email); |
} |
|
public function raLogout($email) { |
/** |
* @param string $email |
* @return void |
* @throws OIDplusException |
*/ |
public function raLogout(string $email) { |
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return; |
return $acs->raLogout($email); |
$acs->raLogout($email); |
} |
|
public function raCheckPassword($ra_email, $password) { |
/** |
* @param string $ra_email |
* @param string $password |
* @return bool |
* @throws OIDplusException |
*/ |
public function raCheckPassword(string $ra_email, string $password): bool { |
$ra = new OIDplusRA($ra_email); |
|
// Get RA info from RA |
111,13 → 146,21 |
return false; |
} |
|
public function raNumLoggedIn() { |
/** |
* @return int |
* @throws OIDplusException |
*/ |
public function raNumLoggedIn(): int { |
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return 0; |
return $acs->raNumLoggedIn(); |
} |
|
public function loggedInRaList() { |
/** |
* @return OIDplusRA[] |
* @throws OIDplusException |
*/ |
public function loggedInRaList(): array { |
if ($this->forceAllLoggedOut()) { |
return array(); |
} else { |
127,7 → 170,12 |
} |
} |
|
public function isRaLoggedIn($email) { |
/** |
* @param string $email |
* @return bool |
* @throws OIDplusException |
*/ |
public function isRaLoggedIn(string $email): bool { |
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return false; |
return $acs->isRaLoggedIn($email); |
134,7 → 182,15 |
} |
|
// "High level" function including logging and checking for valid JWT alternations |
public function raLoginEx($email, $remember_me, $origin='') { |
|
/** |
* @param string $email |
* @param bool $remember_me |
* @param string $origin |
* @return void |
* @throws OIDplusException |
*/ |
public function raLoginEx(string $email, bool $remember_me, string $origin='') { |
$loginfo = ''; |
$acs = $this->getAuthContentStore(); |
if (!is_null($acs)) { |
163,12 → 219,17 |
OIDplus::logger()->log("[OK]RA($email)!", $logmsg); |
} |
|
public function raLogoutEx($email) { |
/** |
* @param string $email |
* @return void |
* @throws OIDplusException |
*/ |
public function raLogoutEx(string $email) { |
$loginfo = ''; |
|
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return; |
$res = $acs->raLogoutEx($email, $loginfo); |
$acs->raLogoutEx($email, $loginfo); |
|
OIDplus::logger()->log("[OK]RA($email)!", "RA '$email' logged out ($loginfo)"); |
|
179,25 → 240,36 |
// Get a new token for the remaining users |
$acs->activate(); |
} |
|
return $res; |
} |
|
// Admin authentication functions |
|
/** |
* @return void |
* @throws OIDplusException |
*/ |
public function adminLogin() { |
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return; |
return $acs->adminLogin(); |
$acs->adminLogin(); |
} |
|
/** |
* @return void |
* @throws OIDplusException |
*/ |
public function adminLogout() { |
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return; |
return $acs->adminLogout(); |
$acs->adminLogout(); |
} |
|
public function adminCheckPassword($password) { |
/** |
* @param string $password |
* @return bool |
* @throws OIDplusException |
*/ |
public function adminCheckPassword(string $password): bool { |
$cfgData = OIDplus::baseConfig()->getValue('ADMIN_PASSWORD', ''); |
if (empty($cfgData)) { |
throw new OIDplusException(_L('No admin password set in %1','userdata/baseconfig/config.inc.php')); |
227,7 → 299,11 |
return false; |
} |
|
public function isAdminLoggedIn() { |
/** |
* @return bool |
* @throws OIDplusException |
*/ |
public function isAdminLoggedIn(): bool { |
if ($this->forceAllLoggedOut()) { |
return false; |
} else { |
237,8 → 313,14 |
} |
} |
|
// "High level" function including logging and checking for valid JWT alternations |
public function adminLoginEx($remember_me, $origin='') { |
/** |
* "High level" function including logging and checking for valid JWT alternations |
* @param bool $remember_me |
* @param string $origin |
* @return void |
* @throws OIDplusException |
*/ |
public function adminLoginEx(bool $remember_me, string $origin='') { |
$loginfo = ''; |
$acs = $this->getAuthContentStore(); |
if (!is_null($acs)) { |
267,12 → 349,16 |
OIDplus::logger()->log("[OK]A!", $logmsg); |
} |
|
/** |
* @return void |
* @throws OIDplusException |
*/ |
public function adminLogoutEx() { |
$loginfo = ''; |
|
$acs = $this->getAuthContentStore(); |
if (is_null($acs)) return; |
$res = $acs->adminLogoutEx($loginfo); |
$acs->adminLogoutEx($loginfo); |
|
if ($this->raNumLoggedIn() == 0) { |
// Nobody here anymore. Destroy the cookie to make GDPR people happy |
283,22 → 369,35 |
} |
|
OIDplus::logger()->log("[OK]A!", "Admin logged out ($loginfo)"); |
return $res; |
} |
|
// Authentication keys for validating arguments (e.g. sent by mail) |
|
public static function makeAuthKey($data) { |
/** |
* @param string $data |
* @return string |
* @throws OIDplusException |
*/ |
public static function makeAuthKey(string $data): string { |
return sha3_512_hmac($data, 'authkey:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false); |
} |
|
public static function validateAuthKey($data, $auth_key) { |
/** |
* @param string $data |
* @param string $auth_key |
* @return bool |
* @throws OIDplusException |
*/ |
public static function validateAuthKey(string $data, string $auth_key): bool { |
return hash_equals(self::makeAuthKey($data), $auth_key); |
} |
|
// "Veto" functions to force logout state |
|
protected function forceAllLoggedOut() { |
/** |
* @return bool |
*/ |
protected function forceAllLoggedOut(): bool { |
if (isset($_SERVER['SCRIPT_FILENAME']) && (basename($_SERVER['SCRIPT_FILENAME']) == 'sitemap.php')) { |
// The sitemap may not contain any confidential information, |
// even if the user is logged in, because the admin could |
314,18 → 413,32 |
|
private $enable_csrf = true; |
|
/** |
* @return void |
*/ |
public function enableCSRF() { |
$this->enable_csrf = true; |
} |
|
/** |
* @return void |
*/ |
public function disableCSRF() { |
$this->enable_csrf = false; |
} |
|
public function genCSRFToken() { |
/** |
* @return string |
* @throws \Random\RandomException |
*/ |
public function genCSRFToken(): string { |
return random_bytes_ex(64, false, false); |
} |
|
/** |
* @return void |
* @throws OIDplusException |
*/ |
public function checkCSRF() { |
if (!$this->enable_csrf) return; |
|
346,7 → 459,12 |
|
// Generate RA passwords |
|
public static function raGeneratePassword($password): OIDplusRAAuthInfo { |
/** |
* @param string $password |
* @return OIDplusRAAuthInfo |
* @throws OIDplusException |
*/ |
public static function raGeneratePassword(string $password): OIDplusRAAuthInfo { |
$plugin = OIDplus::getDefaultRaAuthPlugin(true); |
return $plugin->generate(self::raPepperProcessing($password)); |
} |