%PDF- %PDF-
Direktori : /var/www/projetos/admin.iigd.com.br/libraries/classes/Plugins/ |
Current File : /var/www/projetos/admin.iigd.com.br/libraries/classes/Plugins/AuthenticationPlugin.php |
<?php /** * Abstract class for the authentication plugins */ declare(strict_types=1); namespace PhpMyAdmin\Plugins; use PhpMyAdmin\Config; use PhpMyAdmin\Core; use PhpMyAdmin\IpAllowDeny; use PhpMyAdmin\Logging; use PhpMyAdmin\Message; use PhpMyAdmin\ResponseRenderer; use PhpMyAdmin\Session; use PhpMyAdmin\Template; use PhpMyAdmin\TwoFactor; use PhpMyAdmin\Url; use PhpMyAdmin\Util; use function __; use function array_keys; use function defined; use function htmlspecialchars; use function intval; use function max; use function min; use function session_destroy; use function session_unset; use function sprintf; use function time; /** * Provides a common interface that will have to be implemented by all of the * authentication plugins. */ abstract class AuthenticationPlugin { /** * Username * * @var string */ public $user = ''; /** * Password * * @var string */ public $password = ''; /** @var IpAllowDeny */ protected $ipAllowDeny; /** @var Template */ public $template; public function __construct() { $this->ipAllowDeny = new IpAllowDeny(); $this->template = new Template(); } /** * Displays authentication form */ abstract public function showLoginForm(): bool; /** * Gets authentication credentials */ abstract public function readCredentials(): bool; /** * Set the user and password after last checkings if required */ public function storeCredentials(): bool { global $cfg; $this->setSessionAccessTime(); $cfg['Server']['user'] = $this->user; $cfg['Server']['password'] = $this->password; return true; } /** * Stores user credentials after successful login. */ public function rememberCredentials(): void { } /** * User is not allowed to login to MySQL -> authentication failed * * @param string $failure String describing why authentication has failed */ public function showFailure($failure): void { Logging::logUser($this->user, $failure); } /** * Perform logout */ public function logOut(): void { global $config; /* Obtain redirect URL (before doing logout) */ if (! empty($GLOBALS['cfg']['Server']['LogoutURL'])) { $redirect_url = $GLOBALS['cfg']['Server']['LogoutURL']; } else { $redirect_url = $this->getLoginFormURL(); } /* Clear credentials */ $this->user = ''; $this->password = ''; /* * Get a logged-in server count in case of LoginCookieDeleteAll is disabled. */ $server = 0; if ($GLOBALS['cfg']['LoginCookieDeleteAll'] === false && $GLOBALS['cfg']['Server']['auth_type'] === 'cookie') { foreach (array_keys($GLOBALS['cfg']['Servers']) as $key) { if (! $config->issetCookie('pmaAuth-' . $key)) { continue; } $server = $key; } } if ($server === 0) { /* delete user's choices that were stored in session */ if (! defined('TESTSUITE')) { session_unset(); session_destroy(); } /* Redirect to login form (or configured URL) */ Core::sendHeaderLocation($redirect_url); } else { /* Redirect to other authenticated server */ $_SESSION['partial_logout'] = true; Core::sendHeaderLocation( './index.php?route=/' . Url::getCommonRaw(['server' => $server], '&') ); } } /** * Returns URL for login form. * * @return string */ public function getLoginFormURL() { return './index.php?route=/'; } /** * Returns error message for failed authentication. * * @param string $failure String describing why authentication has failed * * @return string */ public function getErrorMessage($failure) { global $dbi; if ($failure === 'empty-denied') { return __('Login without a password is forbidden by configuration (see AllowNoPassword)'); } if ($failure === 'root-denied' || $failure === 'allow-denied') { return __('Access denied!'); } if ($failure === 'no-activity') { return sprintf( __('You have been automatically logged out due to inactivity of %s seconds.' . ' Once you log in again, you should be able to resume the work where you left off.'), intval($GLOBALS['cfg']['LoginCookieValidity']) ); } $dbi_error = $dbi->getError(); if (! empty($dbi_error)) { return htmlspecialchars($dbi_error); } if (isset($GLOBALS['errno'])) { return '#' . $GLOBALS['errno'] . ' ' . __('Cannot log in to the MySQL server'); } return __('Cannot log in to the MySQL server'); } /** * Callback when user changes password. * * @param string $password New password to set */ public function handlePasswordChange($password): void { } /** * Store session access time in session. * * Tries to workaround PHP 5 session garbage collection which * looks at the session file's last modified time */ public function setSessionAccessTime(): void { if (isset($_REQUEST['guid'])) { $guid = (string) $_REQUEST['guid']; } else { $guid = 'default'; } if (isset($_REQUEST['access_time'])) { // Ensure access_time is in range <0, LoginCookieValidity + 1> // to avoid excessive extension of validity. // // Negative values can cause session expiry extension // Too big values can cause overflow and lead to same $time = time() - min(max(0, intval($_REQUEST['access_time'])), $GLOBALS['cfg']['LoginCookieValidity'] + 1); } else { $time = time(); } $_SESSION['browser_access_time'][$guid] = $time; } /** * High level authentication interface * * Gets the credentials or shows login form if necessary */ public function authenticate(): void { $success = $this->readCredentials(); /* Show login form (this exits) */ if (! $success) { /* Force generating of new session */ Session::secure(); $this->showLoginForm(); } /* Store credentials (eg. in cookies) */ $this->storeCredentials(); /* Check allow/deny rules */ $this->checkRules(); /* clear user cache */ Util::clearUserCache(); } /** * Check configuration defined restrictions for authentication */ public function checkRules(): void { global $cfg; // Check IP-based Allow/Deny rules as soon as possible to reject the // user based on mod_access in Apache if (isset($cfg['Server']['AllowDeny']['order'])) { $allowDeny_forbidden = false; // default if ($cfg['Server']['AllowDeny']['order'] === 'allow,deny') { $allowDeny_forbidden = true; if ($this->ipAllowDeny->allow()) { $allowDeny_forbidden = false; } if ($this->ipAllowDeny->deny()) { $allowDeny_forbidden = true; } } elseif ($cfg['Server']['AllowDeny']['order'] === 'deny,allow') { if ($this->ipAllowDeny->deny()) { $allowDeny_forbidden = true; } if ($this->ipAllowDeny->allow()) { $allowDeny_forbidden = false; } } elseif ($cfg['Server']['AllowDeny']['order'] === 'explicit') { if ($this->ipAllowDeny->allow() && ! $this->ipAllowDeny->deny()) { $allowDeny_forbidden = false; } else { $allowDeny_forbidden = true; } } // Ejects the user if banished if ($allowDeny_forbidden) { $this->showFailure('allow-denied'); } } // is root allowed? if (! $cfg['Server']['AllowRoot'] && $cfg['Server']['user'] === 'root') { $this->showFailure('root-denied'); } // is a login without password allowed? if ($cfg['Server']['AllowNoPassword'] || $cfg['Server']['password'] !== '') { return; } $this->showFailure('empty-denied'); } /** * Checks whether two factor authentication is active * for given user and performs it. */ public function checkTwoFactor(): void { $twofactor = new TwoFactor($this->user); /* Do we need to show the form? */ if ($twofactor->check()) { return; } $response = ResponseRenderer::getInstance(); if ($response->loginPage()) { if (defined('TESTSUITE')) { return; } exit; } echo $this->template->render('login/header'); echo Message::rawNotice( __('You have enabled two factor authentication, please confirm your login.') )->getDisplay(); echo $this->template->render('login/twofactor', [ 'form' => $twofactor->render(), 'show_submit' => $twofactor->showSubmit(), ]); echo $this->template->render('login/footer'); echo Config::renderFooter(); if (! defined('TESTSUITE')) { exit; } } }