Newer
Older
* Copyright Maarch since 2008 under license.
* See LICENSE.txt file at the root folder for more details.
* This file is part of Maarch software.
*/
/**
* @brief Authentication Controller
*
* @author dev@maarch.org
*/
namespace SrcCore\controllers;
use Configuration\models\ConfigurationModel;
use Email\controllers\EmailController;
use Respect\Validation\Validator;
use Slim\Http\Request;
use Slim\Http\Response;
use SrcCore\models\PasswordModel;
use SrcCore\models\ValidatorModel;
const ROUTES_WITHOUT_AUTHENTICATION = [
'GET/authenticationInformations', 'POST/authenticate', 'GET/authenticate/token',
'POST/password', 'PUT/password', 'GET/passwordRules', 'GET/languages/{lang}', 'GET/commitInformation',
'GET/documents/{id}/workflows/{workflowId}/files/{fileId}'
public function getInformations(Request $request, Response $response)
{
$connection = ConfigurationModel::getConnection();
$encryptKey = CoreConfigModel::getEncryptKey();
$coreUrl = UrlController::getCoreUrl();
Guillaume Heurtier
committed
$emailConfiguration = ConfigurationModel::getByIdentifier(['identifier' => 'emailServer', 'select' => ['value']]);
$emailConfiguration = !empty($emailConfiguration[0]['value']) ? json_decode($emailConfiguration[0]['value'], true) : null;
$mailServerOnline = !empty($emailConfiguration['online']);
$customization = ConfigurationModel::getByIdentifier(['identifier' => 'customization', 'select' => ['value']]);
$customization = !empty($customization[0]['value']) ? json_decode($customization[0]['value'], true) : null;
return $response->withJson([
Guillaume Heurtier
committed
'connection' => $connection,
'changeKey' => $encryptKey == 'Security Key Maarch Parapheur #2008',
'instanceId' => $hashedPath,
'coreUrl' => $coreUrl,
'mailServerOnline' => $mailServerOnline,
'loginMessage' => $customization['loginMessage'],
'applicationUrl' => $customization['applicationUrl']
]);
public static function authentication($authorizationHeaders = [])
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
$login = strtolower($_SERVER['PHP_AUTH_USER']);
if (AuthenticationModel::authentication(['login' => $login, 'password' => $_SERVER['PHP_AUTH_PW']])) {
$user = UserModel::getByLogin(['select' => ['id'], 'login' => $login]);
if (!empty($authorizationHeaders)) {
$token = null;
foreach ($authorizationHeaders as $authorizationHeader) {
if (strpos($authorizationHeader, 'Bearer') === 0) {
$token = str_replace('Bearer ', '', $authorizationHeader);
}
}
if (!empty($token)) {
try {
$jwt = (array)JWT::decode($token, CoreConfigModel::getEncryptKey(), ['HS256']);
} catch (\Exception $e) {
return null;
}
if (!empty($jwt) && !empty($jwt['user']['id'])) {
public function authenticate(Request $request, Response $response)
$connection = ConfigurationModel::getConnection();
if (in_array($connection, ['default', 'ldap'])) {
if (!array_key_exists('login', $body) || !array_key_exists('password', $body) || !Validator::stringType()->notEmpty()->validate($body['login']) || !Validator::stringType()->notEmpty()->validate($body['password'])) {
return $response->withStatus(400)->withJson(['errors' => 'Bad Request']);
}
$login = strtolower($body['login']);
if ($connection == 'ldap') {
$ldapConfigurations = ConfigurationModel::getByIdentifier(['identifier' => 'ldapServer', 'select' => ['value']]);
if (empty($ldapConfigurations)) {
return $response->withStatus(400)->withJson(['errors' => 'Ldap configuration is missing']);
}
foreach ($ldapConfigurations as $ldapConfiguration) {
$ldapConfiguration = json_decode($ldapConfiguration['value'], true);
$uri = ($ldapConfiguration['ssl'] === true ? "LDAPS://{$ldapConfiguration['uri']}" : $ldapConfiguration['uri']);
$ldap = @ldap_connect($uri);
if ($ldap === false) {
$error = 'Ldap connect failed : uri is maybe wrong';
continue;
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 10);
$ldapLogin = (!empty($ldapConfiguration['prefix']) ? $ldapConfiguration['prefix'] . '\\' . $body['login'] : $body['login']);
$ldapLogin = (!empty($ldapConfiguration['suffix']) ? $ldapLogin . $ldapConfiguration['suffix'] : $ldapLogin);
if (!empty($ldapConfiguration['baseDN'])) { //OpenLDAP
$search = @ldap_search($ldap, $ldapConfiguration['baseDN'], "(uid={$ldapLogin})", ['dn']);
$error = 'Ldap search failed : baseDN is maybe wrong => ' . ldap_error($ldap);
$entries = @ldap_get_entries($ldap, $search);
if ($entries === false) {
$error = 'Ldap fetching failed : ' . ldap_error($ldap);
continue;
}
if ($entries['count'] < 1) {
$error = 'No entries found in ldap search : invalid user DN or ldap configuration';
continue;
}
$ldapLogin = $entries[0]['dn'];
$authenticated = @ldap_bind($ldap, $ldapLogin, $body['password']);
if (!$authenticated) {
$error = ldap_error($ldap);
if (empty($authenticated) && !empty($error) && $error != 'Invalid credentials') {
return $response->withStatus(400)->withJson(['errors' => $error]);
} elseif ($connection == 'x509') {
if (!empty($_SERVER['SSL_CLIENT_CERT'])) {
$x509Fingerprint = openssl_x509_fingerprint($_SERVER["SSL_CLIENT_CERT"]);
$user = UserModel::get(['select' => ['login'], 'where' => ['x509_fingerprint = ?'], 'data' => [strtoupper(wordwrap($x509Fingerprint, 2, " ", true))]]);
if (empty($user)) {
return $response->withStatus(401)->withJson(['errors' => 'Authentication unauthorized']);
}
$login = $user[0]['login'];
} else {
return $response->withStatus(401)->withJson(['errors' => 'No certificate detected']);
}
$authenticated = true;
} elseif ($connection == 'kerberos') {
if (!empty($_SERVER['REMOTE_USER']) && $_SERVER['AUTH_TYPE'] == 'Negotiate') {
$login = strtolower($_SERVER['REMOTE_USER']);
} else {
return $response->withStatus(401)->withJson(['errors' => 'No identifier detected for kerberos']);
}
$authenticated = true;
} else if ($connection == 'azure_saml') {
$authenticated = AuthenticationController::azureSamlConnection();
if (!empty($authenticated['errors'])) {
return $response->withStatus(401)->withJson(['errors' => $authenticated['errors']]);
}
$login = strtolower($authenticated['login']);
$authenticated = true;
$authenticated = AuthenticationModel::authentication(['login' => $login, 'password' => $body['password']]);
if (empty($authenticated)) {
$user = UserModel::getByLogin(['login' => $login, 'select' => ['id']]);
if (!empty($user)) {
$handle = AuthenticationController::handleFailedAuthentication(['userId' => $user['id']]);
if (!empty($handle['accountLocked'])) {
return $response->withStatus(401)->withJson(['errors' => 'Account Locked', 'date' => $handle['lockedDate']]);
}
}
return $response->withStatus(401)->withJson(['errors' => 'Authentication Failed']);
}
$user = UserModel::getByLogin(['login' => $login, 'select' => ['id', '"isRest"', 'refresh_token']]);
return $response->withStatus(403)->withJson(['errors' => 'Authentication unauthorized']);
$user['refresh_token'] = json_decode($user['refresh_token'], true);
foreach ($user['refresh_token'] as $key => $refreshToken) {
try {
JWT::decode($refreshToken, CoreConfigModel::getEncryptKey(), ['HS256']);
} catch (\Exception $e) {
unset($user['refresh_token'][$key]);
}
}
$user['refresh_token'] = array_values($user['refresh_token']);
if (count($user['refresh_token']) > 10) {
array_shift($user['refresh_token']);
}
$refreshToken = AuthenticationController::getRefreshJWT();
$user['refresh_token'][] = $refreshToken;
UserModel::update([
'set' => ['reset_token' => null, 'refresh_token' => json_encode($user['refresh_token'])],
'where' => ['id = ?'],
'data' => [$user['id']]
]);
$response = $response->withHeader('Token', AuthenticationController::getJWT());
$response = $response->withHeader('Refresh-Token', $refreshToken);
'code' => 'OK',
'objectType' => 'users',
'objectId' => $user['id'],
'type' => 'LOGIN',
private static function azureSamlConnection()
{
$libDir = CoreConfigModel::getLibrariesDirectory();
if (!is_file($libDir . 'simplesamlphp/lib/_autoload.php')) {
return ['errors' => 'Library simplesamlphp not present'];
}
require_once($libDir . 'simplesamlphp/lib/_autoload.php');
$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth([
'ReturnTo' => UrlController::getCoreUrl(),
'skipRedirection' => true
]);
$attributes = $as->getAttributes();
$login = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0];
if (empty($login)) {
return ['errors' => 'Authentication Failed : login not present in attributes'];
}
return ['login' => $login];
}
public function getRefreshedToken(Request $request, Response $response)
$queryParams = $request->getQueryParams();
if (!Validator::stringType()->notEmpty()->validate($queryParams['refreshToken'])) {
return $response->withStatus(400)->withJson(['errors' => 'Refresh Token is empty']);
}
try {
$jwt = JWT::decode($queryParams['refreshToken'], CoreConfigModel::getEncryptKey(), ['HS256']);
} catch (\Exception $e) {
return $response->withStatus(401)->withJson(['errors' => 'Authentication Failed']);
}
$user = UserModel::getById(['select' => ['id', 'refresh_token'], 'id' => $jwt->user->id]);
if (empty($user['refresh_token'])) {
return $response->withStatus(401)->withJson(['errors' => 'Authentication Failed']);
}
$user['refresh_token'] = json_decode($user['refresh_token'], true);
if (!in_array($queryParams['refreshToken'], $user['refresh_token'])) {
return $response->withStatus(401)->withJson(['errors' => 'Authentication Failed']);
}
$GLOBALS['id'] = $user['id'];
return $response->withJson(['token' => AuthenticationController::getJWT()]);
public function logout(Request $request, Response $response)
{
HistoryController::add([
'code' => 'OK',
'objectType' => 'users',
'objectId' => $GLOBALS['id'],
'type' => 'LOGOUT',
'message' => '{userLogOut}'
]);
$response->withStatus(204);
}
{
$sessionTime = AuthenticationController::MAX_DURATION_TOKEN;
$loadedXml = CoreConfigModel::getConfig();
if ($loadedXml) {
if (!empty($loadedXml->config->sessionTime)) {
if ($sessionTime > (int)$loadedXml->config->sessionTime) {
$sessionTime = (int)$loadedXml->config->sessionTime;
}
}
}
$user = UserController::getUserInformationsById(['id' => $GLOBALS['id']]);
unset($user['picture']);
$token = [
'exp' => time() + 60 * $sessionTime,
'user' => $user,
'connection' => ConfigurationModel::getConnection()
];
$jwt = JWT::encode($token, CoreConfigModel::getEncryptKey());
return $jwt;
}
public static function getRefreshJWT()
$sessionTime = AuthenticationController::MAX_DURATION_TOKEN;
$loadedXml = CoreConfigModel::getConfig();
if ($loadedXml) {
if (!empty($loadedXml->config->sessionTime)) {
$sessionTime = (int)$loadedXml->config->sessionTime;
}
'exp' => time() + 60 * $sessionTime,
'user' => [
'id' => $GLOBALS['id']
]
];
$jwt = JWT::encode($token, CoreConfigModel::getEncryptKey());
return $jwt;
public static function getResetJWT($args = [])
'exp' => time() + $args['expirationTime'],
],
'connection' => ConfigurationModel::getConnection()
];
$jwt = JWT::encode($token, CoreConfigModel::getEncryptKey());
return $jwt;
}
public static function sendAccountActivationNotification(array $args)
{
$connection = ConfigurationModel::getConnection();
if ($connection == 'default') {
$resetToken = AuthenticationController::getResetJWT(['id' => $args['userId'], 'expirationTime' => 1209600]); // 14 days
UserModel::update(['set' => ['reset_token' => $resetToken], 'where' => ['id = ?'], 'data' => [$args['userId']]]);
$user = UserModel::getById(['select' => ['login'], 'id' => $args['userId']]);
$lang = LanguageController::get(['lang' => 'fr']);
$url = ConfigurationModel::getApplicationUrl() . 'dist/#/update-password?token=' . $resetToken;
EmailController::createEmail([
'userId' => $args['userId'],
'data' => [
'sender' => 'Notification',
'recipients' => [$args['userEmail']],
'subject' => $lang['notificationNewAccountSubject'],
'body' => $lang['notificationNewAccountBody'] . '<a href="' . $url . '">'.$url.'</a>' . $lang['notificationNewAccountId'] . ' ' . $user['login'] . $lang['notificationNewAccountFooter'],
'isHtml' => true
]
]);
}
return true;
}
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
public static function isRouteAvailable(array $args)
{
ValidatorModel::notEmpty($args, ['userId', 'currentRoute']);
ValidatorModel::intVal($args, ['userId']);
ValidatorModel::stringType($args, ['currentRoute']);
$user = UserModel::getById(['select' => ['password_modification_date', '"isRest"'], 'id' => $args['userId']]);
if (!in_array($args['currentRoute'], ['/passwordRules', '/users/{id}/password']) && empty($user['isRest'])) {
$connectionConfiguration = ConfigurationModel::getByIdentifier(['identifier' => 'connection', 'select' => ['value']]);
if ($connectionConfiguration[0]['value'] == '"default"') {
$passwordRules = PasswordModel::getEnabledRules();
if (!empty($passwordRules['renewal'])) {
$currentDate = new \DateTime();
$lastModificationDate = new \DateTime($user['password_modification_date']);
$lastModificationDate->add(new \DateInterval("P{$passwordRules['renewal']}D"));
if ($currentDate > $lastModificationDate) {
return ['isRouteAvailable' => false, 'errors' => 'Password expired : User must change his password'];
}
}
}
}
return ['isRouteAvailable' => true];
}
public static function handleFailedAuthentication(array $args)
{
ValidatorModel::notEmpty($args, ['userId']);
ValidatorModel::intVal($args, ['userId']);
$passwordRules = PasswordModel::getEnabledRules();
if (!empty($passwordRules['lockAttempts'])) {
$user = UserModel::getById(['select' => ['failed_authentication', 'locked_until'], 'id' => $args['userId']]);
$set = [];
if (!empty($user['locked_until'])) {
$currentDate = new \DateTime();
$lockedUntil = new \DateTime($user['locked_until']);
if ($lockedUntil < $currentDate) {
$set['locked_until'] = null;
$user['failed_authentication'] = 0;
} else {
return ['accountLocked' => true, 'lockedDate' => $user['locked_until']];
}
}
$set['failed_authentication'] = $user['failed_authentication'] + 1;
UserModel::update([
'set' => $set,
'where' => ['id = ?'],
'data' => [$args['userId']]
]);
if (!empty($user['failed_authentication']) && ($user['failed_authentication'] + 1) >= $passwordRules['lockAttempts'] && !empty($passwordRules['lockTime'])) {
$lockedUntil = time() + 60 * $passwordRules['lockTime'];
UserModel::update([
'set' => ['locked_until' => date('Y-m-d H:i:s', $lockedUntil)],
'where' => ['id = ?'],
'data' => [$args['userId']]
]);
return ['accountLocked' => true, 'lockedDate' => date('Y-m-d H:i:s', $lockedUntil)];
}
}
return true;
}
public function getGitCommitInformation(Request $request, Response $response)
{
if (!file_exists('.git/HEAD')) {
return $response->withJson(['hash' => null]);
}
$head = file_get_contents('.git/HEAD');
if ($head === false) {
return $response->withJson(['hash' => null]);
}
preg_match('#^ref:(.+)$#', $head, $matches);
$currentHead = trim($matches[1]);
if (empty($currentHead)) {
return $response->withJson(['hash' => null]);
}
$hash = file_get_contents('.git/' . $currentHead);
if ($hash === false) {
return $response->withJson(['hash' => null]);
}
$hash = explode("\n", $hash)[0];
return $response->withJson(['hash' => $hash]);
}