Subversion Repositories oidplus

Rev

Rev 329 | Rev 392 | Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | RSS feed

  1. <?php
  2.  
  3. /*
  4.  * OIDplus 2.0
  5.  * Copyright 2019 Daniel Marschall, ViaThinkSoft
  6.  *
  7.  * Licensed under the Apache License, Version 2.0 (the "License");
  8.  * you may not use this file except in compliance with the License.
  9.  * You may obtain a copy of the License at
  10.  *
  11.  *     http://www.apache.org/licenses/LICENSE-2.0
  12.  *
  13.  * Unless required by applicable law or agreed to in writing, software
  14.  * distributed under the License is distributed on an "AS IS" BASIS,
  15.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16.  * See the License for the specific language governing permissions and
  17.  * limitations under the License.
  18.  */
  19.  
  20. class OIDplusAuthUtils {
  21.  
  22.         // RA authentication functions
  23.  
  24.         public static function raLogin($email) {
  25.                 if (strpos($email, '|') !== false) return;
  26.  
  27.                 $ses = OIDplus::sesHandler();
  28.                 $list = $ses->getValue('oidplus_logged_in');
  29.                 if (is_null($list)) $list = '';
  30.  
  31.                 $ary = ($list == '') ? array() : explode('|', $list);
  32.                 if (!in_array($email, $ary)) $ary[] = $email;
  33.                 $list = implode('|', $ary);
  34.  
  35.                 $ses->setValue('oidplus_logged_in', $list);
  36.         }
  37.  
  38.         public static function raLogout($email) {
  39.                 $ses = OIDplus::sesHandler();
  40.                 $list = $ses->getValue('oidplus_logged_in');
  41.                 if (is_null($list)) $list = '';
  42.  
  43.                 $ary = ($list == '') ? array() : explode('|', $list);
  44.                 $key = array_search($email, $ary);
  45.                 if ($key !== false) unset($ary[$key]);
  46.                 $list = implode('|', $ary);
  47.  
  48.                 $ses->setValue('oidplus_logged_in', $list);
  49.  
  50.                 if (($list == '') && (!self::isAdminLoggedIn())) {
  51.                         // Nobody logged in anymore. Destroy session cookie to make GDPR people happy
  52.                         $ses->destroySession();
  53.                 }
  54.         }
  55.  
  56.         public static function raCheckPassword($ra_email, $password) {
  57.                 $ra = new OIDplusRA($ra_email);
  58.                 return $ra->checkPassword($password);
  59.         }
  60.  
  61.         public static function raNumLoggedIn() {
  62.                 return count(self::loggedInRaList());
  63.         }
  64.  
  65.         public static function raLogoutAll() {
  66.                 $ses = OIDplus::sesHandler();
  67.                 $ses->setValue('oidplus_logged_in', '');
  68.         }
  69.  
  70.         public static function loggedInRaList() {
  71.                 if (self::forceAllLoggedOut()) {
  72.                         return array();
  73.                 }
  74.  
  75.                 $ses = OIDplus::sesHandler();
  76.                 $list = $ses->getValue('oidplus_logged_in');
  77.                 if (is_null($list)) $list = '';
  78.  
  79.                 $res = array();
  80.                 foreach (array_unique(explode('|',$list)) as $ra_email) {
  81.                         if ($ra_email == '') continue;
  82.                         $res[] = new OIDplusRA($ra_email);
  83.                 }
  84.                 return $res;
  85.         }
  86.  
  87.         public static function isRaLoggedIn($email) {
  88.                 foreach (self::loggedInRaList() as $ra) {
  89.                         if ($email == $ra->raEmail()) return true;
  90.                 }
  91.                 return false;
  92.         }
  93.  
  94.         // Admin authentication functions
  95.  
  96.         public static function adminLogin() {
  97.                 $ses = OIDplus::sesHandler();
  98.                 $ses->setValue('oidplus_admin_logged_in', '1');
  99.         }
  100.  
  101.         public static function adminLogout() {
  102.                 $ses = OIDplus::sesHandler();
  103.                 $ses->setValue('oidplus_admin_logged_in', '0');
  104.  
  105.                 if (self::raNumLoggedIn() == 0) {
  106.                         // Nobody logged in anymore. Destroy session cookie to make GDPR people happy
  107.                         $ses->destroySession();
  108.                 }
  109.         }
  110.  
  111.         public static function adminCheckPassword($password) {
  112.                 $hashed = OIDplus::baseConfig()->getValue('ADMIN_PASSWORD', '');
  113.                 if (empty($hashed)) {
  114.                         throw new OIDplusException(_L('No admin password set in %1','userdata/baseconfig/config.inc.php'));
  115.                 }
  116.                 $calc_authkey = bin2hex(version_compare(PHP_VERSION, '7.1.0') >= 0 ? hash('sha3-512', $password, true) : bb\Sha3\Sha3::hash($password, 512, true));
  117.                 return $calc_authkey == bin2hex(base64_decode($hashed));
  118.         }
  119.  
  120.         public static function isAdminLoggedIn() {
  121.                 if (self::forceAllLoggedOut()) {
  122.                         return false;
  123.                 }
  124.                 $ses = OIDplus::sesHandler();
  125.                 return $ses->getValue('oidplus_admin_logged_in') == '1';
  126.         }
  127.  
  128.         // Authentication keys for validating arguments (e.g. sent by mail)
  129.  
  130.         public static function makeAuthKey($data) {
  131.                 $data = OIDplus::baseConfig()->getValue('SERVER_SECRET') . $data;
  132.                 $calc_authkey = bin2hex(version_compare(PHP_VERSION, '7.1.0') >= 0 ? hash('sha3-512', $data, true) : bb\Sha3\Sha3::hash($data, 512, true));
  133.                 return $calc_authkey;
  134.         }
  135.  
  136.         public static function validateAuthKey($data, $auth_key) {
  137.                 return self::makeAuthKey($data) == $auth_key;
  138.         }
  139.  
  140.         // "Veto" functions to force logout state
  141.  
  142.         public static function forceAllLoggedOut() {
  143.                 if (isset($_SERVER['SCRIPT_FILENAME']) && (basename($_SERVER['SCRIPT_FILENAME']) == 'sitemap.php')) {
  144.                         // The sitemap may not contain any confidential information,
  145.                         // even if the user is logged in, because the admin could
  146.                         // accidentally copy-paste the sitemap to a
  147.                         // search engine control panel while they are logged in
  148.                         return true;
  149.                 } else {
  150.                         return false;
  151.                 }
  152.         }
  153.  
  154. }