[!!!][TASK] Remove sysext:sv, move files to sysext:core
1 <?php
2 namespace TYPO3\CMS\Core\Authentication;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Database\Connection;
18 use TYPO3\CMS\Core\Database\ConnectionPool;
19 use TYPO3\CMS\Core\Database\Query\Restriction\HiddenRestriction;
20 use TYPO3\CMS\Core\Utility\GeneralUtility;
21
22 /**
23 * Authentication services class
24 */
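class AuthenticationService extends AbstractAuthenticationService
{
    /**
     * Process the submitted credentials.
     *
     * Only the 'normal' transmission strategy is handled here: the submitted
     * password is copied unchanged into $loginData['uident_text'] so that
     * authUser() can compare it later. Any other strategy is left untouched
     * for other services to handle.
     *
     * @param array $loginData Credentials that are submitted and potentially modified by other services
     * @param string $passwordTransmissionStrategy Keyword of how the password has been hashed or encrypted before submission
     * @return bool TRUE if this service processed the login data, FALSE otherwise
     */
    public function processLoginData(array &$loginData, $passwordTransmissionStrategy)
    {
        if ($passwordTransmissionStrategy !== 'normal') {
            return false;
        }
        // "?? null" yields the same value as before but avoids an "undefined index"
        // notice when no password field was submitted at all.
        $loginData['uident_text'] = $loginData['uident'] ?? null;
        return true;
    }

    /**
     * Find a user (eg. look up the user record in database when a login is sent)
     *
     * Returns FALSE when no login was submitted, when the submitted password is
     * empty (rejected before any database lookup and logged as a failed attempt),
     * or when fetchUserRecord() does not return a record for the username.
     *
     * @return mixed User array or FALSE
     */
    public function getUser()
    {
        if ($this->login['status'] !== 'login') {
            return false;
        }
        $remoteAddress = $this->authInfo['REMOTE_ADDR'];
        $remoteHost = $this->authInfo['REMOTE_HOST'];
        $username = $this->login['uname'];

        if ((string)$this->login['uident_text'] === '') {
            // Failed login attempt (no password given)
            $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s) for username \'%s\' with an empty password!', [
                $remoteAddress, $remoteHost, $username
            ]);
            GeneralUtility::sysLog(
                sprintf('Login-attempt from %s (%s), for username \'%s\' with an empty password!', $remoteAddress, $remoteHost, $username),
                'Core',
                GeneralUtility::SYSLOG_SEVERITY_WARNING
            );
            return false;
        }

        $user = $this->fetchUserRecord($username);
        if (!is_array($user)) {
            // Failed login attempt (no username found)
            $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s), username \'%s\' not found!!', [$remoteAddress, $remoteHost, $username]);
            // Logout written to log
            GeneralUtility::sysLog(
                sprintf('Login-attempt from %s (%s), username \'%s\' not found!', $remoteAddress, $remoteHost, $username),
                'core',
                GeneralUtility::SYSLOG_SEVERITY_WARNING
            );
        } elseif ($this->writeDevLog) {
            // Only the id and username columns of the record are written to the dev log
            GeneralUtility::devLog(
                'User found: ' . GeneralUtility::arrayToLogString($user, [$this->db_user['userid_column'], $this->db_user['username_column']]),
                self::class
            );
        }
        return $user;
    }

    /**
     * Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
     *
     * The password comparison itself is delegated to compareUident(); afterwards
     * the record's lockToDomain (if set) must equal the current HTTP_HOST.
     * Failed attempts are written to the system log when $writeAttemptLog is set;
     * the submitted password is never written to any log.
     *
     * @param array $user Data of user.
     * @return int >= 200: User authenticated successfully.
     *             No more checking is needed by other auth services.
     *             >= 100: User not authenticated; this service is not responsible.
     *             Other auth services will be asked.
     *             > 0: User authenticated successfully.
     *             Other auth services will still be asked.
     *             <= 0: Authentication failed, no more checking needed
     *             by other auth services.
     */
    public function authUser(array $user)
    {
        $OK = 100;
        // This authentication service can only work correctly, if a non empty username along with a non empty password is provided.
        // Otherwise a different service is allowed to check for other login credentials
        if ((string)$this->login['uident_text'] === '' || (string)$this->login['uname'] === '') {
            return $OK;
        }
        $remoteAddress = $this->authInfo['REMOTE_ADDR'];
        $remoteHost = $this->authInfo['REMOTE_HOST'];
        $username = $this->login['uname'];

        // Checking password match for user:
        $OK = $this->compareUident($user, $this->login);
        if (!$OK) {
            // Failed login attempt (wrong password) - write that to the log!
            if ($this->writeAttemptLog) {
                $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', password not accepted!', [$remoteAddress, $remoteHost, $username]);
                GeneralUtility::sysLog(
                    sprintf('Login-attempt from %s (%s), username \'%s\', password not accepted!', $remoteAddress, $remoteHost, $username),
                    'core',
                    GeneralUtility::SYSLOG_SEVERITY_WARNING
                );
            }
            if ($this->writeDevLog) {
                // The rejected clear-text password must not end up in the dev log; the username is enough to trace the attempt.
                GeneralUtility::devLog('Password not accepted for username: ' . $username, self::class, 2);
            }
        }

        // Checking the domain (lockToDomain)
        $httpHost = $this->authInfo['HTTP_HOST'];
        if ($OK && !empty($user['lockToDomain']) && $user['lockToDomain'] !== $httpHost) {
            // Lock domain didn't match, so error:
            if ($this->writeAttemptLog) {
                $recordUsername = $user[$this->db_user['username_column']];
                $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', [$remoteAddress, $remoteHost, $recordUsername, $user['lockToDomain'], $httpHost]);
                GeneralUtility::sysLog(
                    sprintf('Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', $remoteAddress, $remoteHost, $recordUsername, $user['lockToDomain'], $httpHost),
                    'core',
                    GeneralUtility::SYSLOG_SEVERITY_WARNING
                );
            }
            $OK = 0;
        }
        return $OK;
    }

    /**
     * Find usergroup records, currently only for frontend
     *
     * Collects the group uids of the user record (including sub groups via
     * getSubGroups()), adds the groups configured in
     * $GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'] whose IP mask matches
     * the current REMOTE_ADDR, and loads the matching rows from the group table.
     * Rows are only returned when their lockToDomain is empty/NULL or equals the
     * current HTTP_HOST.
     *
     * @param array $user Data of user.
     * @param array $knownGroups Group data array of already known groups. This is handy if you want select other related groups. Keys in this array are unique IDs of those groups.
     * @return mixed Groups array, keys = uid which must be unique
     */
    public function getGroups($user, $knownGroups)
    {
        /*
         * Attention: $knownGroups is not used within this method, but other services can use it.
         * This parameter should not be removed!
         * The FrontendUserAuthentication call getGroups and handover the previous detected groups.
         */
        $groupDataArr = [];
        if ($this->mode !== 'getGroupsFE') {
            return $groupDataArr;
        }

        $groups = [];
        $usergroupColumn = $this->db_user['usergroup_column'];
        if (is_array($user) && !empty($user[$usergroupColumn])) {
            // getSubGroups() fills $groups by reference with the listed groups and their sub groups
            $this->getSubGroups($user[$usergroupColumn], '', $groups);
        }

        // ADD group-numbers if the IPmask matches.
        $ipMaskMountGroups = $GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'] ?? null;
        $remoteAddress = $this->authInfo['REMOTE_ADDR'];
        if (is_array($ipMaskMountGroups)) {
            foreach ($ipMaskMountGroups as $ipMaskEntry) {
                // $ipMaskEntry[0] is the IP mask, $ipMaskEntry[1] the group uid to add on a match
                if ($remoteAddress && $ipMaskEntry[0] && GeneralUtility::cmpIP($remoteAddress, $ipMaskEntry[0])) {
                    $groups[] = (int)$ipMaskEntry[1];
                }
            }
        }

        $groups = array_unique($groups);
        if (empty($groups)) {
            if ($this->writeDevLog) {
                GeneralUtility::devLog('No usergroups found.', self::class, 2);
            }
            return $groupDataArr;
        }

        if ($this->writeDevLog) {
            GeneralUtility::devLog('Get usergroups with id: ' . implode(',', $groups), self::class);
        }
        $groupTable = $this->db_groups['table'];
        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getQueryBuilderForTable($groupTable);
        if (!empty($this->authInfo['showHiddenRecords'])) {
            $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
        }

        // All values are bound as named parameters; the uid list is an integer array parameter
        $res = $queryBuilder->select('*')
            ->from($groupTable)
            ->where(
                $queryBuilder->expr()->in(
                    'uid',
                    $queryBuilder->createNamedParameter($groups, Connection::PARAM_INT_ARRAY)
                ),
                $queryBuilder->expr()->orX(
                    $queryBuilder->expr()->eq(
                        'lockToDomain',
                        $queryBuilder->createNamedParameter('', \PDO::PARAM_STR)
                    ),
                    $queryBuilder->expr()->isNull('lockToDomain'),
                    $queryBuilder->expr()->eq(
                        'lockToDomain',
                        $queryBuilder->createNamedParameter($this->authInfo['HTTP_HOST'], \PDO::PARAM_STR)
                    )
                )
            )
            ->execute();

        while ($row = $res->fetch()) {
            $groupDataArr[$row['uid']] = $row;
        }
        return $groupDataArr;
    }

    /**
     * Fetches subgroups of groups. Function is called recursively for each subgroup.
     * Function was previously copied from
     * \TYPO3\CMS\Core\Authentication\BackendUserAuthentication->fetchGroups and has been slightly modified.
     *
     * Only groups whose lockToDomain is empty/NULL or equals the current HTTP_HOST
     * are fetched. $idList carries the chain of groups already visited on the
     * current recursion path and stops cyclic subgroup references.
     *
     * @param string $grList Commalist of fe_groups uid numbers
     * @param string $idList List of already processed fe_groups-uids so the function will not fall into an eternal recursion.
     * @param array $groups Filled by reference with the (integer) uids of all groups found, without duplicates
     * @return void
     * @access private
     */
    public function getSubGroups($grList, $idList = '', &$groups)
    {
        // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
        // NOTE(review): the query builder is created for 'fe_groups' while the FROM clause uses
        // $this->db_groups['table'] - confirm these always refer to the same table.
        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('fe_groups');
        if (!empty($this->authInfo['showHiddenRecords'])) {
            $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
        }

        $res = $queryBuilder
            ->select('uid', 'subgroup')
            ->from($this->db_groups['table'])
            ->where(
                $queryBuilder->expr()->in(
                    'uid',
                    $queryBuilder->createNamedParameter(
                        GeneralUtility::intExplode(',', $grList, true),
                        Connection::PARAM_INT_ARRAY
                    )
                ),
                $queryBuilder->expr()->orX(
                    $queryBuilder->expr()->eq(
                        'lockToDomain',
                        $queryBuilder->createNamedParameter('', \PDO::PARAM_STR)
                    ),
                    $queryBuilder->expr()->isNull('lockToDomain'),
                    $queryBuilder->expr()->eq(
                        'lockToDomain',
                        $queryBuilder->createNamedParameter($this->authInfo['HTTP_HOST'], \PDO::PARAM_STR)
                    )
                )
            )
            ->execute();

        // Internal group record storage, keyed by uid
        $groupRows = [];
        while ($row = $res->fetch()) {
            // Cast once so the membership test can be strict regardless of whether the driver returns ints or strings
            $uid = (int)$row['uid'];
            if (!in_array($uid, $groups, true)) {
                $groups[] = $uid;
            }
            $groupRows[$uid] = $row;
        }

        // Traversing records in the order given by $grList
        foreach (GeneralUtility::intExplode(',', $grList) as $uid) {
            // A uid may be absent from $groupRows (not found, hidden or locked to another domain)
            $row = $groupRows[$uid] ?? null;
            // Must be an array and $uid should not be in the idList, because then it is somewhere previously in the grouplist
            if (!is_array($row) || GeneralUtility::inList($idList, $uid)) {
                continue;
            }
            if (trim((string)$row['subgroup']) === '') {
                continue;
            }
            // Include sub groups: normalise to an integer list first
            $subgroupList = implode(',', GeneralUtility::intExplode(',', $row['subgroup']));
            // Call recursively, pass along list of already processed groups so they are not processed again.
            $this->getSubGroups($subgroupList, $idList . ',' . $uid, $groups);
        }
    }
}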