2021-05-21 15:43:06 +02:00
|
|
|
<?php
|
|
|
|
/* Icinga Web 2 | (c) 2021 Icinga GmbH | GPLv2+ */
|
|
|
|
|
|
|
|
namespace Icinga\Web;
|
|
|
|
|
|
|
|
use Icinga\Application\Config;
|
|
|
|
use Icinga\Authentication\Auth;
|
|
|
|
use Icinga\Crypt\AesCrypt;
|
|
|
|
use Icinga\Common\Database;
|
|
|
|
use Icinga\User;
|
|
|
|
use ipl\Sql\Expression;
|
|
|
|
use ipl\Sql\Select;
|
|
|
|
use RuntimeException;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Remember me component
|
|
|
|
*
|
|
|
|
* Retains credentials for 30 days by default in order to stay signed in even after the session is closed.
|
|
|
|
*/
|
|
|
|
class RememberMe
|
|
|
|
{
|
|
|
|
use Database;
|
|
|
|
|
|
|
|
/** @var string Cookie name */
|
|
|
|
const COOKIE = 'icingaweb2-remember-me';
|
|
|
|
|
|
|
|
/** @var string Database table name */
|
|
|
|
const TABLE = 'icingaweb_rememberme';
|
|
|
|
|
|
|
|
/** @var string Encrypted password of the user */
|
|
|
|
protected $encryptedPassword;
|
|
|
|
|
|
|
|
/** @var string */
|
|
|
|
protected $username;
|
|
|
|
|
|
|
|
/** @var AesCrypt Instance for encrypting/decrypting the credentials */
|
|
|
|
protected $aesCrypt;
|
|
|
|
|
|
|
|
/** @var int Timestamp when the remember me cookie expires */
|
|
|
|
protected $expiresAt;
|
|
|
|
|
2021-08-10 10:09:15 +02:00
|
|
|
/**
|
|
|
|
* Get whether staying logged in is possible
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
public static function isSupported()
|
|
|
|
{
|
|
|
|
$self = new self();
|
|
|
|
|
|
|
|
if (! $self->hasDb()) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
try {
|
|
|
|
(new AesCrypt())->getMethod();
|
|
|
|
} catch (RuntimeException $_) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2021-05-21 15:43:06 +02:00
|
|
|
/**
|
|
|
|
* Get whether the remember cookie is set
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
public static function hasCookie()
|
|
|
|
{
|
|
|
|
return isset($_COOKIE[static::COOKIE]);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2021-08-09 16:39:46 +02:00
|
|
|
* Remove the database entry if exists and unset the remember me cookie from PHP's `$_COOKIE` superglobal
|
2021-05-21 15:43:06 +02:00
|
|
|
*
|
2021-08-09 16:39:46 +02:00
|
|
|
* @return Cookie The invalidation cookie which has to be sent to client in oder to remove the remember me cookie
|
2021-05-21 15:43:06 +02:00
|
|
|
*/
|
|
|
|
public static function forget()
|
|
|
|
{
|
2021-08-09 16:39:46 +02:00
|
|
|
if (self::hasCookie()) {
|
|
|
|
$data = explode('|', $_COOKIE[static::COOKIE]);
|
|
|
|
$iv = base64_decode(array_pop($data));
|
|
|
|
(new self())->remove(bin2hex($iv));
|
|
|
|
}
|
|
|
|
|
2021-05-21 15:43:06 +02:00
|
|
|
unset($_COOKIE[static::COOKIE]);
|
|
|
|
|
|
|
|
return (new Cookie(static::COOKIE))
|
|
|
|
->setHttpOnly(true)
|
|
|
|
->forgetMe();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create the remember me component from the remember me cookie
|
|
|
|
*
|
|
|
|
* @return static
|
|
|
|
*/
|
|
|
|
public static function fromCookie()
|
|
|
|
{
|
|
|
|
$data = explode('|', $_COOKIE[static::COOKIE]);
|
|
|
|
$iv = base64_decode(array_pop($data));
|
|
|
|
|
|
|
|
$select = (new Select())
|
|
|
|
->from(static::TABLE)
|
|
|
|
->columns('*')
|
|
|
|
->where(['random_iv = ?' => bin2hex($iv)]);
|
|
|
|
|
|
|
|
$rememberMe = new static();
|
|
|
|
$rs = $rememberMe->getDb()->select($select)->fetch();
|
|
|
|
|
|
|
|
if (! $rs) {
|
|
|
|
throw new RuntimeException(sprintf(
|
|
|
|
"No database entry found for IV '%s'",
|
|
|
|
bin2hex($iv)
|
|
|
|
));
|
|
|
|
}
|
|
|
|
|
|
|
|
$rememberMe->aesCrypt = (new AesCrypt())
|
|
|
|
->setKey(hex2bin($rs->passphrase))
|
|
|
|
->setIV($iv);
|
2021-07-26 17:37:38 +02:00
|
|
|
|
2021-08-09 16:39:46 +02:00
|
|
|
if (count($data) > 1) {
|
|
|
|
$rememberMe->aesCrypt->setTag(
|
|
|
|
base64_decode(array_pop($data))
|
|
|
|
);
|
|
|
|
} elseif ($rememberMe->aesCrypt->isAuthenticatedEncryptionRequired()) {
|
|
|
|
throw new RuntimeException(
|
|
|
|
"The given decryption method needs a tag, but is not specified. "
|
|
|
|
. "You have probably updated the PHP version."
|
|
|
|
);
|
2021-07-26 17:37:38 +02:00
|
|
|
}
|
|
|
|
|
2021-05-21 15:43:06 +02:00
|
|
|
$rememberMe->username = $rs->username;
|
|
|
|
$rememberMe->encryptedPassword = $data[0];
|
|
|
|
|
|
|
|
return $rememberMe;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create the remember me component from the given username and password
|
|
|
|
*
|
|
|
|
* @param string $username
|
|
|
|
* @param string $password
|
|
|
|
*
|
|
|
|
* @return static
|
|
|
|
*/
|
|
|
|
public static function fromCredentials($username, $password)
|
|
|
|
{
|
|
|
|
$aesCrypt = new AesCrypt();
|
|
|
|
$rememberMe = new static();
|
2021-08-09 16:39:46 +02:00
|
|
|
$rememberMe->encryptedPassword = $aesCrypt->encrypt($password);
|
2021-05-21 15:43:06 +02:00
|
|
|
$rememberMe->username = $username;
|
|
|
|
$rememberMe->aesCrypt = $aesCrypt;
|
|
|
|
|
|
|
|
return $rememberMe;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Remove expired remember me information from the database
|
|
|
|
*/
|
|
|
|
public static function removeExpired()
|
|
|
|
{
|
|
|
|
$rememberMe = new static();
|
|
|
|
if (! $rememberMe->hasDb()) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
$rememberMe->getDb()->delete(static::TABLE, [
|
|
|
|
'expires_at < NOW()'
|
|
|
|
]);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the remember me cookie
|
|
|
|
*
|
|
|
|
* @return Cookie
|
|
|
|
*/
|
|
|
|
public function getCookie()
|
|
|
|
{
|
2021-07-26 17:37:38 +02:00
|
|
|
$values = [
|
|
|
|
$this->encryptedPassword,
|
|
|
|
base64_encode($this->aesCrypt->getIV()),
|
|
|
|
];
|
|
|
|
|
2021-08-09 16:39:46 +02:00
|
|
|
if ($this->aesCrypt->isAuthenticatedEncryptionRequired()) {
|
2021-07-26 17:37:38 +02:00
|
|
|
array_splice($values, 1, 0, base64_encode($this->aesCrypt->getTag()));
|
|
|
|
}
|
|
|
|
|
2021-05-21 15:43:06 +02:00
|
|
|
return (new Cookie(static::COOKIE))
|
|
|
|
->setExpire($this->getExpiresAt())
|
|
|
|
->setHttpOnly(true)
|
2021-07-26 17:37:38 +02:00
|
|
|
->setValue(implode('|', $values));
|
2021-05-21 15:43:06 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the timestamp when the cookie expires
|
|
|
|
*
|
|
|
|
* Defaults to now plus 30 days, if not set via {@link setExpiresAt()}.
|
|
|
|
*
|
|
|
|
* @return int
|
|
|
|
*/
|
|
|
|
public function getExpiresAt()
|
|
|
|
{
|
|
|
|
if ($this->expiresAt === null) {
|
|
|
|
$this->expiresAt = time() + 60 * 60 * 24 * 30;
|
|
|
|
}
|
|
|
|
|
|
|
|
return $this->expiresAt;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Set the timestamp when the cookie expires
|
|
|
|
*
|
|
|
|
* @param int $expiresAt
|
|
|
|
*
|
|
|
|
* @return $this
|
|
|
|
*/
|
|
|
|
public function setExpiresAt($expiresAt)
|
|
|
|
{
|
|
|
|
$this->expiresAt = $expiresAt;
|
|
|
|
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Authenticate via the remember me cookie
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*
|
|
|
|
* @throws \Icinga\Exception\AuthenticationException
|
|
|
|
*/
|
|
|
|
public function authenticate()
|
|
|
|
{
|
|
|
|
$auth = Auth::getInstance();
|
|
|
|
$authChain = $auth->getAuthChain();
|
|
|
|
$authChain->setSkipExternalBackends(true);
|
|
|
|
$user = new User($this->username);
|
|
|
|
if (! $user->hasDomain()) {
|
|
|
|
$user->setDomain(Config::app()->get('authentication', 'default_domain'));
|
|
|
|
}
|
|
|
|
|
2021-08-09 16:39:46 +02:00
|
|
|
$authenticated = $authChain->authenticate(
|
|
|
|
$user,
|
|
|
|
$this->aesCrypt->decrypt($this->encryptedPassword)
|
|
|
|
);
|
|
|
|
|
2021-05-21 15:43:06 +02:00
|
|
|
if ($authenticated) {
|
|
|
|
$auth->setAuthenticated($user);
|
|
|
|
}
|
|
|
|
|
|
|
|
return $authenticated;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Persist the remember me information into the database
|
|
|
|
*
|
2021-08-09 16:39:46 +02:00
|
|
|
* To remove any previous stored information, set the iv
|
2021-05-21 15:43:06 +02:00
|
|
|
*
|
2021-08-09 16:39:46 +02:00
|
|
|
* @param string|null $iv To remove a specific iv record from the database
|
2021-05-21 15:43:06 +02:00
|
|
|
*
|
|
|
|
* @return $this
|
|
|
|
*/
|
|
|
|
public function persist($iv = null)
|
|
|
|
{
|
|
|
|
if ($iv) {
|
2021-07-26 17:37:38 +02:00
|
|
|
$this->remove(bin2hex($iv));
|
2021-05-21 15:43:06 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$this->getDb()->insert(static::TABLE, [
|
|
|
|
'username' => $this->username,
|
|
|
|
'passphrase' => bin2hex($this->aesCrypt->getKey()),
|
|
|
|
'random_iv' => bin2hex($this->aesCrypt->getIV()),
|
|
|
|
'http_user_agent' => (new UserAgent)->getAgent(),
|
|
|
|
'expires_at' => date('Y-m-d H:i:s', $this->getExpiresAt()),
|
|
|
|
'ctime' => new Expression('NOW()'),
|
|
|
|
'mtime' => new Expression('NOW()')
|
|
|
|
]);
|
|
|
|
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2021-08-09 16:39:46 +02:00
|
|
|
* Remove remember me information from the database on the basis of iv
|
2021-05-21 15:43:06 +02:00
|
|
|
*
|
|
|
|
* @param string $iv
|
|
|
|
*
|
|
|
|
* @return $this
|
|
|
|
*/
|
|
|
|
public function remove($iv)
|
|
|
|
{
|
|
|
|
$this->getDb()->delete(static::TABLE, [
|
2021-07-26 17:37:38 +02:00
|
|
|
'random_iv = ?' => $iv
|
2021-05-21 15:43:06 +02:00
|
|
|
]);
|
|
|
|
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create renewed remember me cookie
|
|
|
|
*
|
|
|
|
* @return static New remember me cookie which has to be sent to the client
|
|
|
|
*/
|
|
|
|
public function renew()
|
|
|
|
{
|
|
|
|
return static::fromCredentials(
|
|
|
|
$this->username,
|
2021-08-09 16:39:46 +02:00
|
|
|
$this->aesCrypt->decrypt($this->encryptedPassword)
|
2021-05-21 15:43:06 +02:00
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2021-08-09 16:39:46 +02:00
|
|
|
* Get all users using remember me cookie
|
2021-05-21 15:43:06 +02:00
|
|
|
*
|
2021-08-09 16:39:46 +02:00
|
|
|
* @return array Array of users
|
2021-05-21 15:43:06 +02:00
|
|
|
*/
|
|
|
|
public static function getAllUser()
|
|
|
|
{
|
|
|
|
$rememberMe = new static();
|
|
|
|
if (! $rememberMe->hasDb()) {
|
|
|
|
return [];
|
|
|
|
}
|
|
|
|
|
|
|
|
$select = (new Select())
|
|
|
|
->from(static::TABLE)
|
|
|
|
->columns('username')
|
|
|
|
->groupBy('username');
|
|
|
|
|
|
|
|
return $rememberMe->getDb()->select($select)->fetchAll();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2021-08-09 16:39:46 +02:00
|
|
|
* Get all remember me entries from the database of the given user.
|
2021-05-21 15:43:06 +02:00
|
|
|
*
|
|
|
|
* @param $username
|
|
|
|
*
|
2021-08-09 16:39:46 +02:00
|
|
|
* @return array Array of database entries
|
2021-05-21 15:43:06 +02:00
|
|
|
*/
|
|
|
|
public static function getAllByUsername($username)
|
|
|
|
{
|
|
|
|
$rememberMe = new static();
|
|
|
|
if (! $rememberMe->hasDb()) {
|
|
|
|
return [];
|
|
|
|
}
|
|
|
|
|
|
|
|
$select = (new Select())
|
|
|
|
->from(static::TABLE)
|
|
|
|
->columns(['http_user_agent', 'random_iv'])
|
|
|
|
->where(['username = ?' => $username]);
|
|
|
|
|
|
|
|
return $rememberMe->getDb()->select($select)->fetchAll();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2021-08-09 16:39:46 +02:00
|
|
|
* Get the AesCrypt instance
|
2021-05-21 15:43:06 +02:00
|
|
|
*
|
|
|
|
* @return AesCrypt
|
|
|
|
*/
|
|
|
|
public function getAesCrypt()
|
|
|
|
{
|
|
|
|
return $this->aesCrypt;
|
|
|
|
}
|
|
|
|
}
|