361 lines
9.7 KiB
PHP
361 lines
9.7 KiB
PHP
|
<?php
|
||
|
/**
|
||
|
* Abstract class for the authentication plugins
|
||
|
*/
|
||
|
|
||
|
declare(strict_types=1);
|
||
|
|
||
|
namespace PhpMyAdmin\Plugins;
|
||
|
|
||
|
use PhpMyAdmin\Config;
|
||
|
use PhpMyAdmin\Core;
|
||
|
use PhpMyAdmin\IpAllowDeny;
|
||
|
use PhpMyAdmin\Logging;
|
||
|
use PhpMyAdmin\Message;
|
||
|
use PhpMyAdmin\ResponseRenderer;
|
||
|
use PhpMyAdmin\Session;
|
||
|
use PhpMyAdmin\Template;
|
||
|
use PhpMyAdmin\TwoFactor;
|
||
|
use PhpMyAdmin\Url;
|
||
|
use PhpMyAdmin\Util;
|
||
|
|
||
|
use function __;
|
||
|
use function array_keys;
|
||
|
use function defined;
|
||
|
use function htmlspecialchars;
|
||
|
use function intval;
|
||
|
use function max;
|
||
|
use function min;
|
||
|
use function session_destroy;
|
||
|
use function session_unset;
|
||
|
use function sprintf;
|
||
|
use function time;
|
||
|
|
||
|
/**
|
||
|
* Provides a common interface that will have to be implemented by all of the
|
||
|
* authentication plugins.
|
||
|
*/
|
||
|
abstract class AuthenticationPlugin
|
||
|
{
|
||
|
/**
|
||
|
* Username
|
||
|
*
|
||
|
* @var string
|
||
|
*/
|
||
|
public $user = '';
|
||
|
|
||
|
/**
|
||
|
* Password
|
||
|
*
|
||
|
* @var string
|
||
|
*/
|
||
|
public $password = '';
|
||
|
|
||
|
/** @var IpAllowDeny */
|
||
|
protected $ipAllowDeny;
|
||
|
|
||
|
/** @var Template */
|
||
|
public $template;
|
||
|
|
||
|
public function __construct()
|
||
|
{
|
||
|
$this->ipAllowDeny = new IpAllowDeny();
|
||
|
$this->template = new Template();
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Displays authentication form
|
||
|
*/
|
||
|
abstract public function showLoginForm(): bool;
|
||
|
|
||
|
/**
|
||
|
* Gets authentication credentials
|
||
|
*/
|
||
|
abstract public function readCredentials(): bool;
|
||
|
|
||
|
/**
|
||
|
* Set the user and password after last checkings if required
|
||
|
*/
|
||
|
public function storeCredentials(): bool
|
||
|
{
|
||
|
global $cfg;
|
||
|
|
||
|
$this->setSessionAccessTime();
|
||
|
|
||
|
$cfg['Server']['user'] = $this->user;
|
||
|
$cfg['Server']['password'] = $this->password;
|
||
|
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Stores user credentials after successful login.
|
||
|
*/
|
||
|
public function rememberCredentials(): void
|
||
|
{
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* User is not allowed to login to MySQL -> authentication failed
|
||
|
*
|
||
|
* @param string $failure String describing why authentication has failed
|
||
|
*/
|
||
|
public function showFailure($failure): void
|
||
|
{
|
||
|
Logging::logUser($this->user, $failure);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Perform logout
|
||
|
*/
|
||
|
public function logOut(): void
|
||
|
{
|
||
|
global $config;
|
||
|
|
||
|
/* Obtain redirect URL (before doing logout) */
|
||
|
if (! empty($GLOBALS['cfg']['Server']['LogoutURL'])) {
|
||
|
$redirect_url = $GLOBALS['cfg']['Server']['LogoutURL'];
|
||
|
} else {
|
||
|
$redirect_url = $this->getLoginFormURL();
|
||
|
}
|
||
|
|
||
|
/* Clear credentials */
|
||
|
$this->user = '';
|
||
|
$this->password = '';
|
||
|
|
||
|
/*
|
||
|
* Get a logged-in server count in case of LoginCookieDeleteAll is disabled.
|
||
|
*/
|
||
|
$server = 0;
|
||
|
if ($GLOBALS['cfg']['LoginCookieDeleteAll'] === false && $GLOBALS['cfg']['Server']['auth_type'] === 'cookie') {
|
||
|
foreach (array_keys($GLOBALS['cfg']['Servers']) as $key) {
|
||
|
if (! $config->issetCookie('pmaAuth-' . $key)) {
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
$server = $key;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if ($server === 0) {
|
||
|
/* delete user's choices that were stored in session */
|
||
|
if (! defined('TESTSUITE')) {
|
||
|
session_unset();
|
||
|
session_destroy();
|
||
|
}
|
||
|
|
||
|
/* Redirect to login form (or configured URL) */
|
||
|
Core::sendHeaderLocation($redirect_url);
|
||
|
} else {
|
||
|
/* Redirect to other authenticated server */
|
||
|
$_SESSION['partial_logout'] = true;
|
||
|
Core::sendHeaderLocation(
|
||
|
'./index.php?route=/' . Url::getCommonRaw(['server' => $server], '&')
|
||
|
);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Returns URL for login form.
|
||
|
*
|
||
|
* @return string
|
||
|
*/
|
||
|
public function getLoginFormURL()
|
||
|
{
|
||
|
return './index.php?route=/';
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Returns error message for failed authentication.
|
||
|
*
|
||
|
* @param string $failure String describing why authentication has failed
|
||
|
*
|
||
|
* @return string
|
||
|
*/
|
||
|
public function getErrorMessage($failure)
|
||
|
{
|
||
|
global $dbi;
|
||
|
|
||
|
if ($failure === 'empty-denied') {
|
||
|
return __('Login without a password is forbidden by configuration (see AllowNoPassword)');
|
||
|
}
|
||
|
|
||
|
if ($failure === 'root-denied' || $failure === 'allow-denied') {
|
||
|
return __('Access denied!');
|
||
|
}
|
||
|
|
||
|
if ($failure === 'no-activity') {
|
||
|
return sprintf(
|
||
|
__('You have been automatically logged out due to inactivity of %s seconds.'
|
||
|
. ' Once you log in again, you should be able to resume the work where you left off.'),
|
||
|
intval($GLOBALS['cfg']['LoginCookieValidity'])
|
||
|
);
|
||
|
}
|
||
|
|
||
|
$dbi_error = $dbi->getError();
|
||
|
if (! empty($dbi_error)) {
|
||
|
return htmlspecialchars($dbi_error);
|
||
|
}
|
||
|
|
||
|
if (isset($GLOBALS['errno'])) {
|
||
|
return '#' . $GLOBALS['errno'] . ' '
|
||
|
. __('Cannot log in to the MySQL server');
|
||
|
}
|
||
|
|
||
|
return __('Cannot log in to the MySQL server');
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Callback when user changes password.
|
||
|
*
|
||
|
* @param string $password New password to set
|
||
|
*/
|
||
|
public function handlePasswordChange($password): void
|
||
|
{
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Store session access time in session.
|
||
|
*
|
||
|
* Tries to workaround PHP 5 session garbage collection which
|
||
|
* looks at the session file's last modified time
|
||
|
*/
|
||
|
public function setSessionAccessTime(): void
|
||
|
{
|
||
|
if (isset($_REQUEST['guid'])) {
|
||
|
$guid = (string) $_REQUEST['guid'];
|
||
|
} else {
|
||
|
$guid = 'default';
|
||
|
}
|
||
|
|
||
|
if (isset($_REQUEST['access_time'])) {
|
||
|
// Ensure access_time is in range <0, LoginCookieValidity + 1>
|
||
|
// to avoid excessive extension of validity.
|
||
|
//
|
||
|
// Negative values can cause session expiry extension
|
||
|
// Too big values can cause overflow and lead to same
|
||
|
$time = time() - min(max(0, intval($_REQUEST['access_time'])), $GLOBALS['cfg']['LoginCookieValidity'] + 1);
|
||
|
} else {
|
||
|
$time = time();
|
||
|
}
|
||
|
|
||
|
$_SESSION['browser_access_time'][$guid] = $time;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* High level authentication interface
|
||
|
*
|
||
|
* Gets the credentials or shows login form if necessary
|
||
|
*/
|
||
|
public function authenticate(): void
|
||
|
{
|
||
|
$success = $this->readCredentials();
|
||
|
|
||
|
/* Show login form (this exits) */
|
||
|
if (! $success) {
|
||
|
/* Force generating of new session */
|
||
|
Session::secure();
|
||
|
$this->showLoginForm();
|
||
|
}
|
||
|
|
||
|
/* Store credentials (eg. in cookies) */
|
||
|
$this->storeCredentials();
|
||
|
/* Check allow/deny rules */
|
||
|
$this->checkRules();
|
||
|
/* clear user cache */
|
||
|
Util::clearUserCache();
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Check configuration defined restrictions for authentication
|
||
|
*/
|
||
|
public function checkRules(): void
|
||
|
{
|
||
|
global $cfg;
|
||
|
|
||
|
// Check IP-based Allow/Deny rules as soon as possible to reject the
|
||
|
// user based on mod_access in Apache
|
||
|
if (isset($cfg['Server']['AllowDeny']['order'])) {
|
||
|
$allowDeny_forbidden = false; // default
|
||
|
if ($cfg['Server']['AllowDeny']['order'] === 'allow,deny') {
|
||
|
$allowDeny_forbidden = true;
|
||
|
if ($this->ipAllowDeny->allow()) {
|
||
|
$allowDeny_forbidden = false;
|
||
|
}
|
||
|
|
||
|
if ($this->ipAllowDeny->deny()) {
|
||
|
$allowDeny_forbidden = true;
|
||
|
}
|
||
|
} elseif ($cfg['Server']['AllowDeny']['order'] === 'deny,allow') {
|
||
|
if ($this->ipAllowDeny->deny()) {
|
||
|
$allowDeny_forbidden = true;
|
||
|
}
|
||
|
|
||
|
if ($this->ipAllowDeny->allow()) {
|
||
|
$allowDeny_forbidden = false;
|
||
|
}
|
||
|
} elseif ($cfg['Server']['AllowDeny']['order'] === 'explicit') {
|
||
|
if ($this->ipAllowDeny->allow() && ! $this->ipAllowDeny->deny()) {
|
||
|
$allowDeny_forbidden = false;
|
||
|
} else {
|
||
|
$allowDeny_forbidden = true;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// Ejects the user if banished
|
||
|
if ($allowDeny_forbidden) {
|
||
|
$this->showFailure('allow-denied');
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// is root allowed?
|
||
|
if (! $cfg['Server']['AllowRoot'] && $cfg['Server']['user'] === 'root') {
|
||
|
$this->showFailure('root-denied');
|
||
|
}
|
||
|
|
||
|
// is a login without password allowed?
|
||
|
if ($cfg['Server']['AllowNoPassword'] || $cfg['Server']['password'] !== '') {
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
$this->showFailure('empty-denied');
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Checks whether two factor authentication is active
|
||
|
* for given user and performs it.
|
||
|
*/
|
||
|
public function checkTwoFactor(): void
|
||
|
{
|
||
|
$twofactor = new TwoFactor($this->user);
|
||
|
|
||
|
/* Do we need to show the form? */
|
||
|
if ($twofactor->check()) {
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
$response = ResponseRenderer::getInstance();
|
||
|
if ($response->loginPage()) {
|
||
|
if (defined('TESTSUITE')) {
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
exit;
|
||
|
}
|
||
|
|
||
|
echo $this->template->render('login/header');
|
||
|
echo Message::rawNotice(
|
||
|
__('You have enabled two factor authentication, please confirm your login.')
|
||
|
)->getDisplay();
|
||
|
echo $this->template->render('login/twofactor', [
|
||
|
'form' => $twofactor->render(),
|
||
|
'show_submit' => $twofactor->showSubmit(),
|
||
|
]);
|
||
|
echo $this->template->render('login/footer');
|
||
|
echo Config::renderFooter();
|
||
|
if (! defined('TESTSUITE')) {
|
||
|
exit;
|
||
|
}
|
||
|
}
|
||
|
}
|