[TASK] General code cleanup in ext:sv
[Packages/TYPO3.CMS.git] / typo3 / sysext / sv / Classes / AuthenticationService.php
1 <?php
2 namespace TYPO3\CMS\Sv;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Utility\GeneralUtility;
18
19 /**
20 * Authentication services class
21 *
22 * @author René Fritz <r.fritz@colorcube.de>
23 */
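class AuthenticationService extends AbstractAuthenticationService {

	/**
	 * Process the submitted credentials.
	 *
	 * Normalises $loginData so that 'uident_text', 'uident_challenged' and
	 * 'uident_superchallenged' are filled according to how the password was
	 * transmitted. Whenever a clear text password is available, both digests
	 * are derived from it.
	 *
	 * NOTE(review): the digests are plain MD5 over "uname:password:chalvalue".
	 * MD5 is a fast, unsalted hash; presumably it is kept only for
	 * compatibility with the challenge/response login forms - confirm before
	 * relying on these values for anything else.
	 *
	 * @param array $loginData Credentials that are submitted and potentially modified by other services
	 * @param string $passwordTransmissionStrategy Keyword of how the password has been hashed or encrypted before submission
	 * @return bool TRUE if the strategy was recognised or a clear text password was present
	 */
	public function processLoginData(array &$loginData, $passwordTransmissionStrategy) {
		$isProcessed = TRUE;
		// Processing data according to the state it was submitted in.
		switch ($passwordTransmissionStrategy) {
			case 'normal':
				$loginData['uident_text'] = $loginData['uident'];
				break;
			case 'challenged':
				$loginData['uident_text'] = '';
				$loginData['uident_challenged'] = $loginData['uident'];
				$loginData['uident_superchallenged'] = '';
				break;
			case 'superchallenged':
				$loginData['uident_text'] = '';
				$loginData['uident_challenged'] = '';
				$loginData['uident_superchallenged'] = $loginData['uident'];
				break;
			default:
				$isProcessed = FALSE;
		}
		// An unknown strategy still counts as processed when another service
		// already put a clear text password into 'uident_text'.
		if (!empty($loginData['uident_text'])) {
			$loginData['uident_challenged'] = md5($loginData['uname'] . ':' . $loginData['uident_text'] . ':' . $loginData['chalvalue']);
			$loginData['uident_superchallenged'] = md5($loginData['uname'] . ':' . md5($loginData['uident_text']) . ':' . $loginData['chalvalue']);
			$isProcessed = TRUE;
		}
		return $isProcessed;
	}

	/**
	 * Find a user (eg. look up the user record in database when a login is sent)
	 *
	 * Only acts when the login status is 'login'. A missing user record and an
	 * empty password are both written to the system log and the syslog.
	 *
	 * NOTE(review): the submitted username is written to the logs verbatim;
	 * whether writelog()/sysLog() neutralise control characters is not visible
	 * here - confirm.
	 *
	 * @return mixed User array or FALSE
	 */
	public function getUser() {
		$user = FALSE;
		if ($this->login['status'] === 'login') {
			if ($this->login['uident']) {
				$user = $this->fetchUserRecord($this->login['uname']);
				if (!is_array($user)) {
					// Failed login attempt (no username found)
					$this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s), username \'%s\' not found!!', array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
					// The failed attempt is also reported to the syslog
					GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\' not found!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'Core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
				} else {
					if ($this->writeDevLog) {
						// Only the user id and username columns are passed to the log string
						GeneralUtility::devLog('User found: ' . GeneralUtility::arrayToLogString($user, array($this->db_user['userid_column'], $this->db_user['username_column'])), AuthenticationService::class);
					}
				}
			} else {
				// Failed Login attempt (no password given)
				$this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s) for username \'%s\' with an empty password!', array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
				GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), for username \'%s\' with an empty password!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'Core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
			}
		}
		return $user;
	}

	/**
	 * Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
	 *
	 * @param array $user Data of user.
	 * @return int >= 200: User authenticated successfully.
	 *                     No more checking is needed by other auth services.
	 *             >= 100: User not authenticated; this service is not responsible.
	 *                     Other auth services will be asked.
	 *             > 0:    User authenticated successfully.
	 *                     Other auth services will still be asked.
	 *             <= 0:   Authentication failed, no more checking needed
	 *                     by other auth services.
	 */
	public function authUser(array $user) {
		// 100 = "not responsible"; kept when no username/password was submitted
		$OK = 100;
		if ($this->login['uident'] && $this->login['uname']) {
			// Checking password match for user:
			$OK = $this->compareUident($user, $this->login);
			if (!$OK) {
				// Failed login attempt (wrong password) - write that to the log!
				if ($this->writeAttemptLog) {
					$this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', password not accepted!', array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
					GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\', password not accepted!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'Core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
				}
				if ($this->writeDevLog) {
					// The submitted 'uident' (password or its digest) must never reach a
					// log: a mistyped password is usually close to the real one. Log the
					// username instead.
					GeneralUtility::devLog('Password not accepted for username: ' . $this->login['uname'], AuthenticationService::class, 2);
				}
			}
			// Checking the domain (lockToDomain)
			if ($OK && $user['lockToDomain'] && $user['lockToDomain'] !== $this->authInfo['HTTP_HOST']) {
				// Lock domain didn't match, so error:
				if ($this->writeAttemptLog) {
					$this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']));
					GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']), 'Core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
				}
				$OK = 0;
			}
		}
		return $OK;
	}

	/**
	 * Find usergroup records, currently only for frontend
	 *
	 * Collects the user's groups (including subgroups) plus any groups mounted
	 * through FE/IPmaskMountGroups for the client address, then loads the
	 * matching group records.
	 *
	 * @param array $user Data of user.
	 * @param array $knownGroups Group data array of already known groups. This is handy if you want select other related groups. Keys in this array are unique IDs of those groups.
	 * @return mixed Groups array, keys = uid which must be unique
	 */
	public function getGroups($user, $knownGroups) {
		$groupDataArr = array();
		if ($this->mode === 'getGroupsFE') {
			$groups = array();
			if (is_array($user) && $user[$this->db_user['usergroup_column']]) {
				$groupList = $user[$this->db_user['usergroup_column']];
				$this->getSubGroups($groupList, '', $groups);
			}
			// ADD group-numbers if the IPmask matches.
			if (is_array($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'])) {
				foreach ($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'] as $IPel) {
					if ($this->authInfo['REMOTE_ADDR'] && $IPel[0] && GeneralUtility::cmpIP($this->authInfo['REMOTE_ADDR'], $IPel[0])) {
						$groups[] = (int)$IPel[1];
					}
				}
			}
			// Force every uid to an integer before it is placed into the IN() list
			$groups = array_unique(array_map('intval', $groups));
			if (!empty($groups)) {
				$list = implode(',', $groups);
				if ($this->writeDevLog) {
					GeneralUtility::devLog('Get usergroups with id: ' . $list, __CLASS__);
				}
				$database = $this->getDatabaseConnection();
				$hiddenP = !$this->authInfo['showHiddenRecords'] ? 'AND hidden=0 ' : '';
				$res = $database->exec_SELECTquery(
					'*',
					$this->db_groups['table'],
					'deleted=0 ' . $hiddenP . ' AND uid IN (' . $list . ')' . $this->getLockToDomainClause($this->db_groups['table'])
				);
				if ($res) {
					while ($row = $database->sql_fetch_assoc($res)) {
						$groupDataArr[$row['uid']] = $row;
					}
					$database->sql_free_result($res);
				}
			} else {
				if ($this->writeDevLog) {
					GeneralUtility::devLog('No usergroups found.', AuthenticationService::class, 2);
				}
			}
		}
		return $groupDataArr;
	}

	/**
	 * Fetches subgroups of groups. Function is called recursively for each subgroup.
	 * Function was previously copied from
	 * \TYPO3\CMS\Core\Authentication\BackendUserAuthentication->fetchGroups and has been slightly modified.
	 *
	 * The uids found are appended to $groups; nothing is returned.
	 * The parameter order (optional $idList before the required $groups) is
	 * kept for existing callers even though PHP 8 deprecates it.
	 *
	 * @param string $grList Commalist of fe_groups uid numbers
	 * @param string $idList List of already processed fe_groups-uids so the function will not fall into a eternal recursion.
	 * @param array $groups Collected group uids, filled by reference
	 * @return void
	 * @access private
	 */
	public function getSubGroups($grList, $idList = '', &$groups) {
		$database = $this->getDatabaseConnection();
		// $grList comes straight from a record field on the first call; reduce it to
		// integers so nothing but numbers can end up inside the IN() list.
		$groupUids = GeneralUtility::intExplode(',', $grList);
		// Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
		$hiddenP = !$this->authInfo['showHiddenRecords'] ? 'AND hidden=0 ' : '';
		$res = $database->exec_SELECTquery(
			'uid,subgroup',
			'fe_groups',
			'deleted=0 ' . $hiddenP . ' AND uid IN (' . implode(',', $groupUids) . ')' . $this->getLockToDomainClause('fe_groups')
		);
		// Internal group record storage
		$groupRows = array();
		if ($res) {
			// The groups array is filled
			while ($row = $database->sql_fetch_assoc($res)) {
				if (!in_array($row['uid'], $groups)) {
					$groups[] = $row['uid'];
				}
				$groupRows[$row['uid']] = $row;
			}
			$database->sql_free_result($res);
		}
		// Traversing records in the order given by $grList
		foreach ($groupUids as $uid) {
			// Skip uids without a record and uids already on the current recursion path
			if (!isset($groupRows[$uid]) || GeneralUtility::inList($idList, $uid)) {
				continue;
			}
			$row = $groupRows[$uid];
			// Include sub groups
			if (trim($row['subgroup'])) {
				// Make integer list
				$theList = implode(',', GeneralUtility::intExplode(',', $row['subgroup']));
				// Call recursively, pass along list of already processed groups so they are not processed again.
				$this->getSubGroups($theList, $idList . ',' . $uid, $groups);
			}
		}
	}

	/**
	 * Builds the lockToDomain restriction that is appended to group queries.
	 *
	 * The host name is passed through the connection's quoting method instead
	 * of being concatenated raw: authInfo['HTTP_HOST'] is presumably derived
	 * from the request's Host header (confirm against the caller) and must be
	 * treated as untrusted input in SQL.
	 *
	 * @param string $table Table name handed to the quoting method
	 * @return string SQL fragment beginning with " AND"
	 */
	private function getLockToDomainClause($table) {
		$quotedHost = $this->getDatabaseConnection()->fullQuoteStr($this->authInfo['HTTP_HOST'], $table);
		return ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=' . $quotedHost . ')';
	}

	/**
	 * Returns the database connection
	 *
	 * @return \TYPO3\CMS\Core\Database\DatabaseConnection
	 */
	protected function getDatabaseConnection() {
		return $GLOBALS['TYPO3_DB'];
	}

}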