[TASK] Remove ext:dbal from installation steps
[Packages/TYPO3.CMS.git] / typo3 / sysext / sv / Classes / AuthenticationService.php
1 <?php
2 namespace TYPO3\CMS\Sv;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Database\ConnectionPool;
18 use TYPO3\CMS\Core\Database\Query\Restriction\HiddenRestriction;
19 use TYPO3\CMS\Core\Utility\GeneralUtility;
20
21 /**
22 * Authentication services class
23 */
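class AuthenticationService extends AbstractAuthenticationService
{
    /**
     * Process the submitted credentials.
     *
     * For the 'normal' transmission strategy the submitted value in 'uident' is copied
     * unchanged into 'uident_text'. No hashing or decryption happens in this method, so
     * after this call 'uident_text' holds whatever the client sent as the password.
     *
     * @param array $loginData Credentials that are submitted and potentially modified by other services
     * @param string $passwordTransmissionStrategy Keyword of how the password has been hashed or encrypted before submission
     * @return bool TRUE if this service handled the login data (strategy 'normal'), FALSE otherwise
     */
    public function processLoginData(array &$loginData, $passwordTransmissionStrategy)
    {
        if ($passwordTransmissionStrategy !== 'normal') {
            // Any other strategy is left to a different service.
            return false;
        }
        $loginData['uident_text'] = $loginData['uident'];
        return true;
    }

    /**
     * Find a user (eg. look up the user record in database when a login is sent)
     *
     * Returns FALSE without a lookup when no login is in progress or when the submitted
     * password is empty. Otherwise the result of fetchUserRecord() is returned as is.
     *
     * NOTE(review): the username written to the logs below is client-supplied. Whether
     * writelog()/sysLog() neutralise control characters is not visible in this file -
     * confirm before relying on these lines in log parsers.
     *
     * @return mixed User array or FALSE
     */
    public function getUser()
    {
        if ($this->login['status'] !== 'login') {
            return false;
        }
        if ((string)$this->login['uident_text'] === '') {
            // Failed login attempt (no password given)
            $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s) for username \'%s\' with an empty password!', [
                $this->authInfo['REMOTE_ADDR'],
                $this->authInfo['REMOTE_HOST'],
                $this->login['uname']
            ]);
            GeneralUtility::sysLog(
                sprintf(
                    'Login-attempt from %s (%s), for username \'%s\' with an empty password!',
                    $this->authInfo['REMOTE_ADDR'],
                    $this->authInfo['REMOTE_HOST'],
                    $this->login['uname']
                ),
                'Core',
                GeneralUtility::SYSLOG_SEVERITY_WARNING
            );
            return false;
        }

        $user = $this->fetchUserRecord($this->login['uname']);
        if (is_array($user)) {
            if ($this->writeDevLog) {
                // Only the id and username columns are passed to the log string helper.
                GeneralUtility::devLog(
                    'User found: ' . GeneralUtility::arrayToLogString(
                        $user,
                        [$this->db_user['userid_column'], $this->db_user['username_column']]
                    ),
                    AuthenticationService::class
                );
            }
            return $user;
        }

        // Failed login attempt (no username found)
        $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s), username \'%s\' not found!!', [
            $this->authInfo['REMOTE_ADDR'],
            $this->authInfo['REMOTE_HOST'],
            $this->login['uname']
        ]);
        GeneralUtility::sysLog(
            sprintf(
                'Login-attempt from %s (%s), username \'%s\' not found!',
                $this->authInfo['REMOTE_ADDR'],
                $this->authInfo['REMOTE_HOST'],
                $this->login['uname']
            ),
            'core',
            GeneralUtility::SYSLOG_SEVERITY_WARNING
        );
        return $user;
    }

    /**
     * Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
     *
     * The password check is delegated to compareUident(). If it succeeds and the user
     * record carries a non-empty 'lockToDomain', that value must be identical to
     * $this->authInfo['HTTP_HOST'], otherwise the result is forced to 0.
     *
     * NOTE(review): HTTP_HOST is presumably derived from the request's Host header;
     * confirm it is validated upstream, since the domain lock depends on it.
     *
     * @param array $user Data of user.
     * @return int >= 200: User authenticated successfully.
     *                     No more checking is needed by other auth services.
     *             >= 100: User not authenticated; this service is not responsible.
     *                     Other auth services will be asked.
     *             > 0:    User authenticated successfully.
     *                     Other auth services will still be asked.
     *             <= 0:   Authentication failed, no more checking needed
     *                     by other auth services.
     */
    public function authUser(array $user)
    {
        // This authentication service can only work correctly, if a non empty username along with a non empty
        // password is provided. Otherwise a different service is allowed to check for other login credentials.
        if ((string)$this->login['uident_text'] === '' || (string)$this->login['uname'] === '') {
            return 100;
        }

        // Checking password match for user:
        $OK = $this->compareUident($user, $this->login);
        if (!$OK) {
            // Failed login attempt (wrong password) - write that to the log!
            if ($this->writeAttemptLog) {
                $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', password not accepted!', [
                    $this->authInfo['REMOTE_ADDR'],
                    $this->authInfo['REMOTE_HOST'],
                    $this->login['uname']
                ]);
                GeneralUtility::sysLog(
                    sprintf(
                        'Login-attempt from %s (%s), username \'%s\', password not accepted!',
                        $this->authInfo['REMOTE_ADDR'],
                        $this->authInfo['REMOTE_HOST'],
                        $this->login['uname']
                    ),
                    'core',
                    GeneralUtility::SYSLOG_SEVERITY_WARNING
                );
            }
            if ($this->writeDevLog) {
                // The submitted secret ('uident') is deliberately NOT written to the log:
                // a rejected value is frequently a mistyped real password, and log storage
                // is normally readable by more people than the credential store.
                GeneralUtility::devLog(
                    'Password not accepted for username: ' . $this->login['uname'],
                    AuthenticationService::class,
                    2
                );
            }
        }

        // Checking the domain (lockToDomain)
        if ($OK && $user['lockToDomain'] && $user['lockToDomain'] !== $this->authInfo['HTTP_HOST']) {
            // Lock domain didn't match, so error:
            if ($this->writeAttemptLog) {
                $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', [
                    $this->authInfo['REMOTE_ADDR'],
                    $this->authInfo['REMOTE_HOST'],
                    $user[$this->db_user['username_column']],
                    $user['lockToDomain'],
                    $this->authInfo['HTTP_HOST']
                ]);
                GeneralUtility::sysLog(
                    sprintf(
                        'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!',
                        $this->authInfo['REMOTE_ADDR'],
                        $this->authInfo['REMOTE_HOST'],
                        $user[$this->db_user['username_column']],
                        $user['lockToDomain'],
                        $this->authInfo['HTTP_HOST']
                    ),
                    'core',
                    GeneralUtility::SYSLOG_SEVERITY_WARNING
                );
            }
            $OK = 0;
        }

        return $OK;
    }

    /**
     * Find usergroup records, currently only for frontend
     *
     * Group uids come from the user's usergroup column (expanded through getSubGroups())
     * and from $GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'] entries whose IP mask
     * matches $this->authInfo['REMOTE_ADDR']. The uids are cast to integers before they
     * are placed in the IN() expression, and HTTP_HOST is bound as a named parameter.
     *
     * NOTE(review): IP-mask groups are granted purely on REMOTE_ADDR as found in authInfo.
     * How that value is derived (e.g. behind a reverse proxy) is not visible here - confirm.
     *
     * @param array $user Data of user.
     * @param array $knownGroups Group data array of already known groups. This is handy if you want select other related groups. Keys in this array are unique IDs of those groups.
     * @return mixed Groups array, keys = uid which must be unique
     */
    public function getGroups($user, $knownGroups)
    {
        /*
         * Attention: $knownGroups is not used within this method, but other services can use it.
         * This parameter should not be removed!
         * The FrontendUserAuthentication calls getGroups and hands over the previously detected groups.
         */
        $groupDataArr = [];
        if ($this->mode !== 'getGroupsFE') {
            return $groupDataArr;
        }

        $groups = [];
        if (is_array($user) && $user[$this->db_user['usergroup_column']]) {
            $groupList = $user[$this->db_user['usergroup_column']];
            $this->getSubGroups($groupList, '', $groups);
        }

        // ADD group-numbers if the IPmask matches.
        if (is_array($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'])) {
            foreach ($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'] as $IPel) {
                if ($this->authInfo['REMOTE_ADDR'] && $IPel[0] && GeneralUtility::cmpIP($this->authInfo['REMOTE_ADDR'], $IPel[0])) {
                    $groups[] = (int)$IPel[1];
                }
            }
        }

        $groups = array_unique($groups);
        if (empty($groups)) {
            if ($this->writeDevLog) {
                GeneralUtility::devLog('No usergroups found.', AuthenticationService::class, 2);
            }
            return $groupDataArr;
        }

        if ($this->writeDevLog) {
            GeneralUtility::devLog('Get usergroups with id: ' . implode(',', $groups), AuthenticationService::class);
        }

        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getQueryBuilderForTable($this->db_groups['table']);
        if (!empty($this->authInfo['showHiddenRecords'])) {
            $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
        }

        // Only groups that are not locked to a domain, or locked to the current host, are returned.
        $res = $queryBuilder->select('*')
            ->from($this->db_groups['table'])
            ->where(
                $queryBuilder->expr()->in('uid', array_map('intval', $groups)),
                $queryBuilder->expr()->orX(
                    $queryBuilder->expr()->eq('lockToDomain', $queryBuilder->quote('')),
                    $queryBuilder->expr()->isNull('lockToDomain'),
                    $queryBuilder->expr()->eq(
                        'lockToDomain',
                        $queryBuilder->createNamedParameter($this->authInfo['HTTP_HOST'])
                    )
                )
            )
            ->execute();

        while ($row = $res->fetch()) {
            $groupDataArr[$row['uid']] = $row;
        }

        return $groupDataArr;
    }

    /**
     * Fetches subgroups of groups. Function is called recursively for each subgroup.
     * Function was previously copied from
     * \TYPO3\CMS\Core\Authentication\BackendUserAuthentication->fetchGroups and has been slightly modified.
     *
     * The result is delivered through the by-reference $groups argument; the method itself
     * returns nothing. The parameter order (optional $idList before the required $groups)
     * is kept as is so existing callers keep working; all three arguments must be passed.
     *
     * @param string $grList Commalist of fe_groups uid numbers
     * @param string $idList List of already processed fe_groups-uids so the function will not fall into an eternal recursion.
     * @param array $groups Collected group uids, extended in place
     * @return void
     * @access private
     */
    public function getSubGroups($grList, $idList = '', &$groups)
    {
        // Fetching records of the groups in $grList (which are not blocked by lockToDomain either):
        // NOTE(review): the builder is requested for the literal table 'fe_groups' while the FROM clause
        // uses $this->db_groups['table']; presumably both name the same table - confirm.
        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('fe_groups');
        if (!empty($this->authInfo['showHiddenRecords'])) {
            $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
        }

        $res = $queryBuilder
            ->select('uid', 'subgroup')
            ->from($this->db_groups['table'])
            ->where(
                // The comma list is reduced to integers before it reaches the IN() expression.
                $queryBuilder->expr()->in('uid', GeneralUtility::intExplode(',', $grList, true)),
                $queryBuilder->expr()->orX(
                    $queryBuilder->expr()->eq('lockToDomain', $queryBuilder->quote('')),
                    $queryBuilder->expr()->isNull('lockToDomain'),
                    $queryBuilder->expr()->eq(
                        'lockToDomain',
                        $queryBuilder->createNamedParameter($this->authInfo['HTTP_HOST'])
                    )
                )
            )
            ->execute();

        // Internal group record storage
        $groupRows = [];
        // The groups array is filled
        while ($row = $res->fetch()) {
            if (!in_array($row['uid'], $groups)) {
                $groups[] = $row['uid'];
            }
            $groupRows[$row['uid']] = $row;
        }

        // Traversing records in the order given by $grList
        foreach (GeneralUtility::intExplode(',', $grList) as $uid) {
            // A requested uid may be missing from the result (hidden, or locked to another domain);
            // skip it instead of reading an undefined index.
            if (!isset($groupRows[$uid])) {
                continue;
            }
            $row = $groupRows[$uid];
            // Must be an array and $uid should not be in the idList, because then it is somewhere previously in the grouplist
            if (!is_array($row) || GeneralUtility::inList($idList, $uid)) {
                continue;
            }
            // Include sub groups
            if (trim($row['subgroup'])) {
                // Make integer list
                $theList = implode(',', GeneralUtility::intExplode(',', $row['subgroup']));
                // Call recursively, pass along list of already processed groups so they are not processed again.
                $this->getSubGroups($theList, $idList . ',' . $uid, $groups);
            }
        }
    }
}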