vendor/pimcore/pimcore/lib/Tool/Authentication.php line 63

Open in your IDE?
  1. <?php
  3. /**
  4. * Pimcore
  5. *
  6. * This source file is available under two different licenses:
  7. * - GNU General Public License version 3 (GPLv3)
  8. * - Pimcore Commercial License (PCL)
  9. * Full copyright and license information is available in
  10. * LICENSE.md which is distributed with this source code.
  11. *
  12. * @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13. * @license http://www.pimcore.org/license GPLv3 and PCL
  14. */
  16. namespace Pimcore\Tool;
  18. use Defuse\Crypto\Crypto;
  19. use Defuse\Crypto\Exception\CryptoException;
  20. use Pimcore\Logger;
  21. use Pimcore\Model\User;
  22. use Pimcore\Tool;
  23. use Symfony\Component\HttpFoundation\Request;
  25. class Authentication
  26. {
  27. /**
  28. * @deprecated
  29. *
  30. * @param string $username
  31. * @param string $password
  32. *
  33. * @return null|User
  34. */
  35. public static function authenticatePlaintext($username, $password)
  36. {
  37. trigger_deprecation(
  38. 'pimcore/pimcore',
  39. '10.6',
  40. sprintf('%s is deprecated and will be removed in Pimcore 11', __METHOD__),
  41. );
  43. /** @var User $user */
  44. $user = User::getByName($username);
  46. // user needs to be active, needs a password and an ID (do not allow system user to login, ...)
  47. if (self::isValidUser($user)) {
  48. if (self::verifyPassword($user, $password)) {
  49. $user->setLastLoginDate(); //set user current login date
  51. return $user;
  52. }
  53. }
  55. return null;
  56. }
  58. /**
  59. * @param Request|null $request
  60. *
  61. * @return User|null
  62. */
  63. public static function authenticateSession(Request $request = null)
  64. {
  65. if (null === $request) {
  66. $request = \Pimcore::getContainer()->get('request_stack')->getCurrentRequest();
  68. if (null === $request) {
  69. return null;
  70. }
  71. }
  73. if (!Session::requestHasSessionId($request, true)) {
  74. // if no session cookie / ID no authentication possible, we don't need to start a session
  75. return null;
  76. }
  78. $session = Session::getReadOnly();
  79. $user = $session->get('user');
  81. if ($user instanceof User) {
  82. // renew user
  83. $user = User::getById($user->getId());
  85. if (self::isValidUser($user)) {
  86. return $user;
  87. }
  88. }
  90. return null;
  91. }
  93. /**
  94. * @deprecated
  95. *
  96. * @throws \Exception
  97. *
  98. * @return User
  99. */
  100. public static function authenticateHttpBasic()
  101. {
  102. trigger_deprecation(
  103. 'pimcore/pimcore',
  104. '10.6',
  105. sprintf('%s is deprecated and will be removed in Pimcore 11', __METHOD__),
  106. );
  108. // we're using Sabre\HTTP for basic auth
  109. $request = \Sabre\HTTP\Sapi::getRequest();
  110. $response = new \Sabre\HTTP\Response();
  111. $auth = new \Sabre\HTTP\Auth\Basic(Tool::getHostname(), $request, $response);
  112. $result = $auth->getCredentials();
  114. if (is_array($result)) {
  115. list($username, $password) = $result;
  116. $user = self::authenticatePlaintext($username, $password);
  117. if ($user) {
  118. return $user;
  119. }
  120. }
  122. $auth->requireLogin();
  123. $response->setBody('Authentication required');
  124. Logger::error('Authentication Basic (WebDAV) required');
  125. \Sabre\HTTP\Sapi::sendResponse($response);
  126. die();
  127. }
  129. /**
  130. * @param string $token
  131. * @param bool $adminRequired
  132. *
  133. * @return null|User
  134. */
  135. public static function authenticateToken($token, $adminRequired = false)
  136. {
  137. $username = null;
  138. $timestamp = null;
  140. try {
  141. $decrypted = self::tokenDecrypt($token);
  142. list($timestamp, $username) = $decrypted;
  143. } catch (CryptoException $e) {
  144. return null;
  145. }
  147. $user = User::getByName($username);
  148. if (self::isValidUser($user)) {
  149. if ($adminRequired && !$user->isAdmin()) {
  150. return null;
  151. }
  153. try {
  154. $timeZone = date_default_timezone_get();
  155. date_default_timezone_set('UTC');
  157. if ($timestamp > time() || $timestamp < (time() - (60 * 60 * 24))) {
  158. return null;
  159. }
  160. } finally {
  161. date_default_timezone_set($timeZone);
  162. }
  164. return $user;
  165. }
  167. return null;
  168. }
  170. /**
  171. * @param User $user
  172. * @param string $password
  173. *
  174. * @return bool
  175. */
  176. public static function verifyPassword($user, $password)
  177. {
  178. if (!$user->getPassword()) {
  179. // do not allow logins for users without a password
  180. return false;
  181. }
  183. $password = self::preparePlainTextPassword($user->getName(), $password);
  185. if (!password_verify($password, $user->getPassword())) {
  186. return false;
  187. }
  189. $config = \Pimcore::getContainer()->getParameter('pimcore.config')['security']['password'];
  191. if (password_needs_rehash($user->getPassword(), $config['algorithm'], $config['options'])) {
  192. $user->setPassword(self::getPasswordHash($user->getName(), $password));
  193. $user->save();
  194. }
  196. return true;
  197. }
  199. /**
  200. * @param User|null $user
  201. *
  202. * @return bool
  203. */
  204. public static function isValidUser($user)
  205. {
  206. if ($user instanceof User && $user->isActive() && $user->getId() && $user->getPassword()) {
  207. return true;
  208. }
  210. return false;
  211. }
  213. /**
  214. * @internal
  215. *
  216. * @param string $username
  217. * @param string $plainTextPassword
  218. *
  219. * @return string
  220. *
  221. * @throws \Exception
  222. */
  223. public static function getPasswordHash($username, $plainTextPassword)
  224. {
  225. $password = self::preparePlainTextPassword($username, $plainTextPassword);
  226. $config = \Pimcore::getContainer()->getParameter('pimcore.config')['security']['password'];
  228. if ($hash = password_hash($password, $config['algorithm'], $config['options'])) {
  229. return $hash;
  230. }
  232. throw new \Exception('Unable to create password hash for user: ' . $username);
  233. }
  235. /**
  236. * @param string $username
  237. * @param string $plainTextPassword
  238. *
  239. * @return string
  240. */
  241. private static function preparePlainTextPassword($username, $plainTextPassword)
  242. {
  243. // plaintext password is prepared as digest A1 hash, this is to be backward compatible because this was
  244. // the former hashing algorithm in pimcore (< version 2.1.1)
  245. return md5($username . ':pimcore:' . $plainTextPassword);
  246. }
  248. /**
  249. * @internal
  250. *
  251. * @param string $username
  252. *
  253. * @return string
  254. */
  255. public static function generateToken($username)
  256. {
  257. $secret = \Pimcore::getContainer()->getParameter('secret');
  259. $data = time() - 1 . '|' . $username;
  260. $token = Crypto::encryptWithPassword($data, $secret);
  262. return $token;
  263. }
  265. /**
  266. * @param string $token
  267. *
  268. * @return array
  269. */
  270. private static function tokenDecrypt($token)
  271. {
  272. $secret = \Pimcore::getContainer()->getParameter('secret');
  273. $decrypted = Crypto::decryptWithPassword($token, $secret);
  275. return explode('|', $decrypted);
  276. }
  277. }