2 namespace TYPO3\CMS\Sv
;
5 * This file is part of the TYPO3 CMS project.
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
14 * The TYPO3 project - inspiring people to share!
18 * Authentication services class
20 * @author René Fritz <r.fritz@colorcube.de>
22 class AuthenticationService
extends \TYPO3\CMS\Sv\AbstractAuthenticationService
{
25 * Process the submitted credentials.
26 * In this case hash the clear text password if it has been submitted.
28 * @param array $loginData Credentials that are submitted and potentially modified by other services
29 * @param string $passwordTransmissionStrategy Keyword of how the password has been hashed or encrypted before submission
32 public function processLoginData(array &$loginData, $passwordTransmissionStrategy) {
34 // Processing data according to the state it was submitted in.
35 switch ($passwordTransmissionStrategy) {
37 $loginData['uident_text'] = $loginData['uident'];
40 $loginData['uident_text'] = '';
41 $loginData['uident_challenged'] = $loginData['uident'];
42 $loginData['uident_superchallenged'] = '';
44 case 'superchallenged':
45 $loginData['uident_text'] = '';
46 $loginData['uident_challenged'] = '';
47 $loginData['uident_superchallenged'] = $loginData['uident'];
52 if (!empty($loginData['uident_text'])) {
53 $loginData['uident_challenged'] = (string)md5(($loginData['uname'] . ':' . $loginData['uident_text'] . ':' . $loginData['chalvalue']));
54 $loginData['uident_superchallenged'] = (string)md5(($loginData['uname'] . ':' . md5($loginData['uident_text']) . ':' . $loginData['chalvalue']));
61 * Find a user (eg. look up the user record in database when a login is sent)
63 * @return mixed User array or FALSE
65 public function getUser() {
67 if ($this->login
['status'] == 'login') {
68 if ($this->login
['uident']) {
69 $user = $this->fetchUserRecord($this->login
['uname']);
70 if (!is_array($user)) {
71 // Failed login attempt (no username found)
72 $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s), username \'%s\' not found!!', array($this->authInfo
['REMOTE_ADDR'], $this->authInfo
['REMOTE_HOST'], $this->login
['uname']));
73 // Logout written to log
74 \TYPO3\CMS\Core\Utility\GeneralUtility
::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\' not found!', $this->authInfo
['REMOTE_ADDR'], $this->authInfo
['REMOTE_HOST'], $this->login
['uname']), 'Core', \TYPO3\CMS\Core\Utility\GeneralUtility
::SYSLOG_SEVERITY_WARNING
);
76 if ($this->writeDevLog
) {
77 \TYPO3\CMS\Core\Utility\GeneralUtility
::devLog('User found: ' . \TYPO3\CMS\Core\Utility\GeneralUtility
::arrayToLogString($user, array($this->db_user
['userid_column'], $this->db_user
['username_column'])), \TYPO3\CMS\Sv\AuthenticationService
::class);
81 // Failed Login attempt (no password given)
82 $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s) for username \'%s\' with an empty password!', array($this->authInfo
['REMOTE_ADDR'], $this->authInfo
['REMOTE_HOST'], $this->login
['uname']));
83 \TYPO3\CMS\Core\Utility\GeneralUtility
::sysLog(sprintf('Login-attempt from %s (%s), for username \'%s\' with an empty password!', $this->authInfo
['REMOTE_ADDR'], $this->authInfo
['REMOTE_HOST'], $this->login
['uname']), 'Core', \TYPO3\CMS\Core\Utility\GeneralUtility
::SYSLOG_SEVERITY_WARNING
);
90 * Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
92 * @param array $user Data of user.
93 * @return int >= 200: User authenticated successfully.
94 * No more checking is needed by other auth services.
95 * >= 100: User not authenticated; this service is not responsible.
96 * Other auth services will be asked.
97 * > 0: User authenticated successfully.
98 * Other auth services will still be asked.
99 * <= 0: Authentication failed, no more checking needed
100 * by other auth services.
102 public function authUser(array $user) {
104 if ($this->login
['uident'] && $this->login
['uname']) {
105 // Checking password match for user:
106 $OK = $this->compareUident($user, $this->login
);
108 // Failed login attempt (wrong password) - write that to the log!
109 if ($this->writeAttemptLog
) {
110 $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', password not accepted!', array($this->authInfo
['REMOTE_ADDR'], $this->authInfo
['REMOTE_HOST'], $this->login
['uname']));
111 \TYPO3\CMS\Core\Utility\GeneralUtility
::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\', password not accepted!', $this->authInfo
['REMOTE_ADDR'], $this->authInfo
['REMOTE_HOST'], $this->login
['uname']), 'Core', \TYPO3\CMS\Core\Utility\GeneralUtility
::SYSLOG_SEVERITY_WARNING
);
113 if ($this->writeDevLog
) {
114 \TYPO3\CMS\Core\Utility\GeneralUtility
::devLog('Password not accepted: ' . $this->login
['uident'], \TYPO3\CMS\Sv\AuthenticationService
::class, 2);
117 // Checking the domain (lockToDomain)
118 if ($OK && $user['lockToDomain'] && $user['lockToDomain'] != $this->authInfo
['HTTP_HOST']) {
119 // Lock domain didn't match, so error:
120 if ($this->writeAttemptLog
) {
121 $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', array($this->authInfo
['REMOTE_ADDR'], $this->authInfo
['REMOTE_HOST'], $user[$this->db_user
['username_column']], $user['lockToDomain'], $this->authInfo
['HTTP_HOST']));
122 \TYPO3\CMS\Core\Utility\GeneralUtility
::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', $this->authInfo
['REMOTE_ADDR'], $this->authInfo
['REMOTE_HOST'], $user[$this->db_user
['username_column']], $user['lockToDomain'], $this->authInfo
['HTTP_HOST']), 'Core', \TYPO3\CMS\Core\Utility\GeneralUtility
::SYSLOG_SEVERITY_WARNING
);
131 * Find usergroup records, currently only for frontend
133 * @param array $user Data of user.
134 * @param array $knownGroups Group data array of already known groups. This is handy if you want select other related groups. Keys in this array are unique IDs of those groups.
135 * @return mixed Groups array, keys = uid which must be unique
137 public function getGroups($user, $knownGroups) {
138 $groupDataArr = array();
139 if ($this->mode
== 'getGroupsFE') {
141 if (is_array($user) && $user[$this->db_user
['usergroup_column']]) {
142 $groupList = $user[$this->db_user
['usergroup_column']];
144 $this->getSubGroups($groupList, '', $groups);
146 // ADD group-numbers if the IPmask matches.
147 if (is_array($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'])) {
148 foreach ($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'] as $IPel) {
149 if ($this->authInfo
['REMOTE_ADDR'] && $IPel[0] && \TYPO3\CMS\Core\Utility\GeneralUtility
::cmpIP($this->authInfo
['REMOTE_ADDR'], $IPel[0])) {
150 $groups[] = (int)$IPel[1];
154 $groups = array_unique($groups);
155 if (count($groups)) {
156 $list = implode(',', $groups);
157 if ($this->writeDevLog
) {
158 \TYPO3\CMS\Core\Utility\GeneralUtility
::devLog('Get usergroups with id: ' . $list, \TYPO3\CMS\Sv\AuthenticationService
::class);
160 $lockToDomain_SQL = ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=\'' . $this->authInfo
['HTTP_HOST'] . '\')';
161 if (!$this->authInfo
['showHiddenRecords']) {
162 $hiddenP = 'AND hidden=0 ';
164 $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', $this->db_groups
['table'], 'deleted=0 ' . $hiddenP . ' AND uid IN (' . $list . ')' . $lockToDomain_SQL);
165 while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
166 $groupDataArr[$row['uid']] = $row;
169 $GLOBALS['TYPO3_DB']->sql_free_result($res);
172 if ($this->writeDevLog
) {
173 \TYPO3\CMS\Core\Utility\GeneralUtility
::devLog('No usergroups found.', \TYPO3\CMS\Sv\AuthenticationService
::class, 2);
176 } elseif ($this->mode
== 'getGroupsBE') {
179 return $groupDataArr;
183 * Fetches subgroups of groups. Function is called recursively for each subgroup.
184 * Function was previously copied from
185 * \TYPO3\CMS\Core\Authentication\BackendUserAuthentication->fetchGroups and has been slightly modified.
187 * @param string $grList Commalist of fe_groups uid numbers
188 * @param string $idList List of already processed fe_groups-uids so the function will not fall into a eternal recursion.
189 * @param array $groups
193 public function getSubGroups($grList, $idList = '', &$groups) {
194 // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
195 $lockToDomain_SQL = ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=\'' . $this->authInfo
['HTTP_HOST'] . '\')';
196 if (!$this->authInfo
['showHiddenRecords']) {
197 $hiddenP = 'AND hidden=0 ';
199 $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid,subgroup', 'fe_groups', 'deleted=0 ' . $hiddenP . ' AND uid IN (' . $grList . ')' . $lockToDomain_SQL);
200 // Internal group record storage
201 $groupRows = array();
202 // The groups array is filled
203 while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
204 if (!in_array($row['uid'], $groups)) {
205 $groups[] = $row['uid'];
207 $groupRows[$row['uid']] = $row;
209 // Traversing records in the correct order
210 $include_staticArr = \TYPO3\CMS\Core\Utility\GeneralUtility
::intExplode(',', $grList);
212 foreach ($include_staticArr as $uid) {
214 $row = $groupRows[$uid];
215 // Must be an array and $uid should not be in the idList, because then it is somewhere previously in the grouplist
216 if (is_array($row) && !\TYPO3\CMS\Core\Utility\GeneralUtility
::inList($idList, $uid)) {
217 // Include sub groups
218 if (trim($row['subgroup'])) {
220 $theList = implode(',', \TYPO3\CMS\Core\Utility\GeneralUtility
::intExplode(',', $row['subgroup']));
221 // Call recursively, pass along list of already processed groups so they are not recursed again.
222 $this->getSubGroups($theList, $idList . ',' . $uid, $groups);