ILIAS  release_4-3 Revision
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilSecuritySettings.php
Go to the documentation of this file.
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
34 class ilSecuritySettings
35 {
36  public static $SECURITY_SETTINGS_ERR_CODE_AUTO_HTTPS = 1;
37  public static $SECURITY_SETTINGS_ERR_CODE_HTTP_NOT_AVAILABLE = 2;
38  public static $SECURITY_SETTINGS_ERR_CODE_HTTPS_NOT_AVAILABLE = 3;
39 
40  const SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MIN_LENGTH = 4;
41  const SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MAX_LENGTH = 5;
42  const SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MAX_AGE = 6;
43  const SECURITY_SETTINGS_ERR_CODE_INVALID_LOGIN_MAX_ATTEMPTS = 7;
44  const SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN2 = 8;
45  const SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN3 = 9;
46  const SECURITY_SETTINGS_ERR_CODE_PASSWORD_MAX_LENGTH_LESS_MIN_LENGTH = 10;
47 
48 
49  const ACCOUNT_SECURITY_MODE_DEFAULT = 1;
50  const ACCOUNT_SECURITY_MODE_CUSTOMIZED = 2;
51 
52 
53  private static $instance = null;
54  private $db;
55  private $settings;
56 
57  private $https_header_enable;
58  private $https_header_name;
59  private $https_header_value;
60  private $https_enable;
61 
62  const DEFAULT_ACCOUNT_SECURITY_MODE = self::ACCOUNT_SECURITY_MODE_DEFAULT;
63  const DEFAULT_PASSWORD_CHARS_AND_NUMBERS_ENABLED = true;
64  const DEFAULT_PASSWORD_SPECIAL_CHARS_ENABLED = false;
65  const DEFAULT_PASSWORD_MIN_LENGTH = 8;
66  const DEFAULT_PASSWORD_MAX_LENGTH = 0;
67  const DEFAULT_PASSWORD_MAX_AGE = 90;
68  const DEFAULT_LOGIN_MAX_ATTEMPTS = 5;
69 
70  const DEFAULT_PASSWORD_CHANGE_ON_FIRST_LOGIN_ENABLED = false;
71  const DEFAULT_PREVENT_SIMULTANEOUS_LOGINS = false;
72 
73  private $account_security_mode = self::DEFAULT_ACCOUNT_SECURITY_MODE;
74  private $password_chars_and_numbers_enabled = self::DEFAULT_PASSWORD_CHARS_AND_NUMBERS_ENABLED;
75  private $password_special_chars_enabled = self::DEFAULT_PASSWORD_SPECIAL_CHARS_ENABLED;
76  private $password_min_length = self::DEFAULT_PASSWORD_MIN_LENGTH;
77  private $password_max_length = self::DEFAULT_PASSWORD_MAX_LENGTH;
78  private $password_max_age = self::DEFAULT_PASSWORD_MAX_AGE;
79  private $login_max_attempts = self::DEFAULT_LOGIN_MAX_ATTEMPTS;
80 
81  private $password_change_on_first_login_enabled = self::DEFAULT_PASSWORD_CHANGE_ON_FIRST_LOGIN_ENABLED;
82  private $prevent_simultaneous_logins = self::DEFAULT_PREVENT_SIMULTANEOUS_LOGINS;
83 
84  private $protect_admin_role = false;
85 
93  private function __construct()
94  {
95 
96  global $ilSetting,$ilDB;
97 
98  $this->db = $ilDB;
99  $this->settings = $ilSetting;
100 
101  $this->read();
102  }
103 
111  public static function _getInstance()
112  {
113  if(is_object(self::$instance))
114  {
115  return self::$instance;
116  }
117  return self::$instance = new ilSecuritySettings();
118  }
119 
120  public function getSecuritySettingsRefId()
121  {
122  return $this->ref_id;
123  }
124 
125 
126 
127 
128 
135  public function setAccountSecurityMode($a_mode)
136  {
137  $this->account_security_mode = $a_mode;
138  }
139 
146  public function getAccountSecurityMode()
147  {
148  return $this->account_security_mode;
149  }
150 
158  public function setPasswordCharsAndNumbersEnabled($a_chars_and_numbers_enabled)
159  {
160  $this->password_chars_and_numbers_enabled = $a_chars_and_numbers_enabled;
161  }
162 
170  public function isPasswordCharsAndNumbersEnabled()
171  {
172  return $this->password_chars_and_numbers_enabled;
173  }
174 
182  public function setPasswordSpecialCharsEnabled($a_password_special_chars_enabled)
183  {
184  $this->password_special_chars_enabled = $a_password_special_chars_enabled;
185  }
186 
194  public function isPasswordSpecialCharsEnabled()
195  {
196  return $this->password_special_chars_enabled;
197  }
198 
204  public function setPasswordMinLength($a_password_min_length)
205  {
206  $this->password_min_length = $a_password_min_length;
207  }
208 
214  public function getPasswordMinLength()
215  {
216  return $this->password_min_length;
217  }
218 
224  public function setPasswordMaxLength($a_password_max_length)
225  {
226  $this->password_max_length = $a_password_max_length;
227  }
228 
234  public function getPasswordMaxLength()
235  {
236  return $this->password_max_length;
237  }
238 
244  public function setPasswordMaxAge($a_password_max_age)
245  {
246  $this->password_max_age = $a_password_max_age;
247  }
248 
254  public function getPasswordMaxAge()
255  {
256  return $this->password_max_age;
257  }
258 
264  public function setLoginMaxAttempts($a_login_max_attempts)
265  {
266  $this->login_max_attempts = $a_login_max_attempts;
267  }
268 
274  public function getLoginMaxAttempts()
275  {
276  return $this->login_max_attempts;
277  }
278 
285  public function setAutomaticHTTPSEnabled($varname)
286  {
287  $this->https_header_enable = $varname;
288  }
289 
295  public function setAutomaticHTTPSHeaderName($varname)
296  {
297  $this->https_header_name = $varname;
298  }
299 
305  public function setAutomaticHTTPSHeaderValue($varname)
306  {
307  $this->https_header_value = $varname;
308  }
309 
315  public function getAutomaticHTTPSHeaderName()
316  {
317  return $this->https_header_name;
318  }
319 
325  public function getAutomaticHTTPSHeaderValue()
326  {
327  return $this->https_header_value;
328  }
329 
335  public function isAutomaticHTTPSEnabled()
336  {
337  return $this->https_header_enable;
338  }
339 
345  public function setHTTPSEnabled ($value)
346  {
347  $this->https_enable = $value;
348  }
349 
355  public function isHTTPSEnabled ()
356  {
357  return $this->https_enable;
358  }
359 
367  public function setPasswordChangeOnFirstLoginEnabled($a_password_change_on_first_login_enabled)
368  {
369  $this->password_change_on_first_login_enabled = $a_password_change_on_first_login_enabled;
370  }
371 
379  public function isPasswordChangeOnFirstLoginEnabled()
380  {
381  return $this->password_change_on_first_login_enabled;
382  }
383 
388  public function isAdminRoleProtected()
389  {
390  return (bool) $this->protect_admin_role;
391  }
392 
397  public function protectedAdminRole($a_stat)
398  {
399  $this->protect_admin_role = $a_stat;
400  }
401 
406  public function checkAdminRoleAccessible($a_usr_id)
407  {
408  global $rbacreview;
409 
410  if(!$this->isAdminRoleProtected())
411  {
412  return true;
413  }
414  if($rbacreview->isAssigned($a_usr_id,SYSTEM_ROLE_ID))
415  {
416  return true;
417  }
418  return false;
419  }
420 
426  public function save()
427  {
428  $this->settings->set('ps_auto_https_enabled',(bool) $this->isAutomaticHTTPSEnabled());
429  $this->settings->set('ps_auto_https_headername',(string) $this->getAutomaticHTTPSHeaderName());
430  $this->settings->set('ps_auto_https_headervalue',(string) $this->getAutomaticHTTPSHeaderValue());
431  $this->settings->set('https',(string) $this->isHTTPSEnabled());
432 
433  $this->settings->set('ps_account_security_mode',(int) $this->getAccountSecurityMode());
434  $this->settings->set('ps_password_chars_and_numbers_enabled',(bool) $this->isPasswordCharsAndNumbersEnabled());
435  $this->settings->set('ps_password_special_chars_enabled',(bool) $this->isPasswordSpecialCharsEnabled());
436  $this->settings->set('ps_password_min_length',(int) $this->getPasswordMinLength());
437  $this->settings->set('ps_password_max_length',(int) $this->getPasswordMaxLength());
438  $this->settings->set('ps_password_max_age',(int) $this->getPasswordMaxAge());
439  $this->settings->set('ps_login_max_attempts',(int) $this->getLoginMaxAttempts());
440 
441  $this->settings->set('ps_password_change_on_first_login_enabled',(bool) $this->isPasswordChangeOnFirstLoginEnabled());
442  $this->settings->set('ps_prevent_simultaneous_logins', (int)$this->isPreventionOfSimultaneousLoginsEnabled());
443  $this->settings->set('ps_protect_admin', (int) $this->isAdminRoleProtected());
444  }
452  private function read()
453  {
454  global $ilDB;
455 
456  $query = "SELECT object_reference.ref_id FROM object_reference,tree,object_data ".
457  "WHERE tree.parent = ".$ilDB->quote(SYSTEM_FOLDER_ID,'integer')." ".
458  "AND object_data.type = 'ps' ".
459  "AND object_reference.ref_id = tree.child ".
460  "AND object_reference.obj_id = object_data.obj_id";
461  $res = $this->db->query($query);
462  $row = $res->fetchRow(DB_FETCHMODE_ASSOC);
463  $this->ref_id = $row["ref_id"];
464 
465  $this->https_header_enable = (bool) $this->settings->get('ps_auto_https_enabled',false);
466  $this->https_header_name = (string) $this->settings->get('ps_auto_https_headername',"ILIAS_HTTPS_ENABLED");
467  $this->https_header_value = (string) $this->settings->get('ps_auto_https_headervalue',"1");
468  $this->https_enable = (boolean) $this->settings->get('https', false);
469 
470  $this->account_security_mode = (int) $this->settings->get('ps_account_security_mode', self::DEFAULT_ACCOUNT_SECURITY_MODE);
471  $this->password_chars_and_numbers_enabled = (bool) $this->settings->get('ps_password_chars_and_numbers_enabled', self::DEFAULT_PASSWORD_CHARS_AND_NUMBERS_ENABLED);
472  $this->password_special_chars_enabled = (bool) $this->settings->get('ps_password_special_chars_enabled', self::DEFAULT_PASSWORD_SPECIAL_CHARS_ENABLED);
473  $this->password_min_length = (int) $this->settings->get('ps_password_min_length', self::DEFAULT_PASSWORD_MIN_LENGTH);
474  $this->password_max_length = (int) $this->settings->get('ps_password_max_length', self::DEFAULT_PASSWORD_MAX_LENGTH);
475  $this->password_max_age = (int) $this->settings->get('ps_password_max_age', self::DEFAULT_PASSWORD_MAX_AGE);
476  $this->login_max_attempts = (int) $this->settings->get('ps_login_max_attempts', self::DEFAULT_LOGIN_MAX_ATTEMPTS);
477 
478  $this->password_change_on_first_login_enabled = (bool) $this->settings->get('ps_password_change_on_first_login_enabled', self::DEFAULT_PASSWORD_CHANGE_ON_FIRST_LOGIN_ENABLED);
479  $this->prevent_simultaneous_logins = (bool) $this->settings->get('ps_prevent_simultaneous_logins', self::DEFAULT_PREVENT_SIMULTANEOUS_LOGINS);
480 
481  $this->protect_admin_role = (bool) $this->settings->get('ps_protect_admin',$this->protect_admin_role);
482  }
483 
489  public function validate()
490  {
491  if ($this->isAutomaticHTTPSEnabled() &&
492  (strlen($this->getAutomaticHTTPSHeaderName()) == 0 ||
493  strlen($this->getAutomaticHTTPSHeaderValue()) == 0)
494  )
495  {
496  return ilSecuritySettings::SECURITY_SETTINGS_ERR_CODE_AUTO_HTTPS;
497  }
498  include_once './Services/Http/classes/class.ilHTTPS.php';
499 
500  if ($this->isHTTPSEnabled())
501  {
502  if(!ilHTTPS::_checkHTTPS())
503  {
504  return ilSecuritySettings::$SECURITY_SETTINGS_ERR_CODE_HTTPS_NOT_AVAILABLE;
505  }
506  }
507  #elseif(!ilHTTPS::_checkHTTP())
508  #{
509  # return ilSecuritySettings::$SECURITY_SETTINGS_ERR_CODE_HTTP_NOT_AVAILABLE;
510  #}
511 
512  if( $this->getAccountSecurityMode() == self::ACCOUNT_SECURITY_MODE_CUSTOMIZED )
513  {
514  if( $this->getPasswordMinLength() < 0 )
515  {
516  return self::SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MIN_LENGTH;
517  }
518 
519  if( $this->getPasswordMaxLength() < 0 )
520  {
521  return self::SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MAX_LENGTH;
522  }
523 
524  $password_min_length = 1;
525  if( $this->isPasswordCharsAndNumbersEnabled() )
526  {
527  $password_min_length++;
528  $password_min_length_error_code = self::SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN2;
529 
530  if( $this->isPasswordSpecialCharsEnabled() )
531  {
532  $password_min_length++;
533  $password_min_length_error_code = self::SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN3;
534  }
535  }
536  if( $this->getPasswordMinLength() > 0 && $this->getPasswordMinLength() < $password_min_length )
537  {
538  return $password_min_length_error_code;
539  }
540  if( $this->getPasswordMaxLength() > 0 && $this->getPasswordMaxLength() < $this->getPasswordMinLength() )
541  {
542  return self::SECURITY_SETTINGS_ERR_CODE_PASSWORD_MAX_LENGTH_LESS_MIN_LENGTH;
543  }
544 
545  if( $this->getPasswordMaxAge() < 0 )
546  {
547  return self::SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MAX_AGE;
548  }
549 
550  if( $this->getLoginMaxAttempts() < 0 )
551  {
552  return self::SECURITY_SETTINGS_ERR_CODE_INVALID_LOGIN_MAX_ATTEMPTS;
553  }
554  }
555 
556  /*
557  * todo: have to check for local auth if first login password change is enabled??
558  * than: add errorcode
559  */
560 
561  return 0;
562  }
563 
569  public function isPreventionOfSimultaneousLoginsEnabled()
570  {
571  return (bool)$this->prevent_simultaneous_logins;
572  }
573 
579  public function setPreventionOfSimultaneousLogins($value)
580  {
581  $this->prevent_simultaneous_logins = (bool)$value;
582  }
583 }
584 ?>