icingaweb2/library/Icinga/Web/Form/Validator/TokenValidator.php

<?php
// {{{ICINGA_LICENSE_HEADER}}}
// {{{ICINGA_LICENSE_HEADER}}}

namespace Icinga\Web\Form\Validator;

use Exception;
use Zend_Validate_Abstract;
use Icinga\Util\File;

/**
 * Validator that checks if a token matches with the contents of a corresponding token-file
 */
class TokenValidator extends Zend_Validate_Abstract
{
    /**
     * The path to the token file
     *
     * @var string
     */
    protected $tokenPath;

    /**
     * Create a new TokenValidator
     *
     * @param   string      $tokenPath      The path to the token-file
     */
    public function __construct($tokenPath)
    {
        $this->tokenPath = $tokenPath;
        $this->_messageTemplates = array(
            'TOKEN_FILE_ERROR'  => sprintf(
                t('Cannot validate token: %s (%s)'),
                $tokenPath,
                '%value%'
            ),
            'TOKEN_FILE_EMPTY'  => sprintf(
                t('Cannot validate token, file "%s" is empty. Please define a token.'),
                $tokenPath
            ),
            'TOKEN_FILE_PUBLIC' => sprintf(
                t('Cannot validate token, file "%s" must only be accessible by the webserver\'s user.'),
                $tokenPath
            ),
            'TOKEN_INVALID'     => t('Invalid token supplied.')
        );
    }

    /**
     * Validate the given token with the one in the token-file
     *
     * @param   string  $value      The token to validate
     * @param   null    $context    The form context (ignored)
     *
     * @return  bool
     */
    public function isValid($value, $context = null)
    {
        $tokenStats = @stat($this->tokenPath);
        if (($tokenStats['mode'] & 4) === 4) {
            $this->_error('TOKEN_FILE_PUBLIC');
            return false;
        }

        try {
            $file = new File($this->tokenPath);
            $expectedToken = trim($file->fgets());
        } catch (Exception $e) {
            $msg = $e->getMessage();
            $this->_error('TOKEN_FILE_ERROR', substr($msg, strpos($msg, ']: ') + 3));
            return false;
        }

        if (empty($expectedToken)) {
            $this->_error('TOKEN_FILE_EMPTY');
            return false;
        } elseif ($value !== $expectedToken) {
            $this->_error('TOKEN_INVALID');
            return false;
        }

        return true;
    }
}