ILIAS  release_5-2 Revision v5.2.25-18-g3f80b828510
class.ilAuthFrontend.php
Go to the documentation of this file.
1<?php
2
3/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4
11class ilAuthFrontend
12{
13 const MIG_EXTERNAL_ACCOUNT = 'mig_ext_account';
14 const MIG_TRIGGER_AUTHMODE = 'mig_trigger_auth_mode';
15 const MIG_DESIRED_AUTHMODE = 'mig_desired_auth_mode';
16
17 private $logger = null;
18 private $credentials = null;
19 private $status = null;
20 private $providers = array();
21 private $auth_session = null;
22
23 private $authenticated = false;
24
30 public function __construct(ilAuthSession $session, ilAuthStatus $status, ilAuthCredentials $credentials, array $providers)
31 {
32 $this->logger = ilLoggerFactory::getLogger('auth');
33
34 $this->auth_session = $session;
35 $this->credentials = $credentials;
36 $this->status = $status;
37 $this->providers = $providers;
38 }
39
44 public function getAuthSession()
45 {
46 return $this->auth_session;
47 }
48
53 public function getCredentials()
54 {
55 return $this->credentials;
56 }
57
62 public function getProviders()
63 {
64 return $this->providers;
65 }
66
70 public function getStatus()
71 {
72 return $this->status;
73 }
74
78 public function resetStatus()
79 {
80 $this->getStatus()->setStatus(ilAuthStatus::STATUS_UNDEFINED);
81 $this->getStatus()->setReason('');
82 $this->getStatus()->setAuthenticatedUserId(0);
83 }
84
89 public function getLogger()
90 {
91 return $this->logger;
92 }
93
102 public function migrateAccount(ilAuthSession $session)
103 {
104 if(!$session->isAuthenticated())
105 {
106 $this->getLogger()->warning('Desired user account is not authenticated');
107 return false;
108 }
109 include_once './Services/Object/classes/class.ilObjectFactory.php';
110 $user_factory = new ilObjectFactory();
111 $user = $user_factory->getInstanceByObjId($session->getUserId(), false);
112
113 if(!$user instanceof ilObjUser)
114 {
115 $this->getLogger()->info('Cannot instanitate user account for account migration: ' . $session->getUserId());
116 return false;
117 }
118
119 $user->setAuthMode(ilSession::get(static::MIG_DESIRED_AUTHMODE));
120
121 $this->getLogger()->debug('new auth mode is: ' . ilSession::get(self::MIG_DESIRED_AUTHMODE));
122
123 $user->setExternalAccount(ilSession::get(static::MIG_EXTERNAL_ACCOUNT));
124 $user->update();
125
126 foreach($this->getProviders() as $provider)
127 {
128 if(!$provider instanceof ilAuthProviderAccountMigrationInterface)
129 {
130 $this->logger->warning('Provider: ' . get_class($provider) .' does not support account migration.');
131 throw new InvalidArgumentException('Invalid auth provider given.');
132 }
133 $this->getCredentials()->setUsername(ilSession::get(static::MIG_EXTERNAL_ACCOUNT));
134 $provider->migrateAccount($this->getStatus());
135 switch($this->getStatus()->getStatus())
136 {
137 case ilAuthStatus::STATUS_AUTHENTICATED:
138 return $this->handleAuthenticationSuccess($provider);
139
140 }
141 }
142 return $this->handleAuthenticationFail();
143 }
144
148 public function migrateAccountNew()
149 {
150 foreach($this->providers as $provider)
151 {
152 if(!$provider instanceof ilAuthProviderAccountMigrationInterface)
153 {
154 $this->logger->warning('Provider: ' . get_class($provider) .' does not support account migration.');
155 throw new InvalidArgumentException('Invalid auth provider given.');
156 }
157 $provider->createNewAccount($this->getStatus());
158
159 switch($this->getStatus()->getStatus())
160 {
161 case ilAuthStatus::STATUS_AUTHENTICATED:
162 return $this->handleAuthenticationSuccess($provider);
163
164 }
165 }
166 return $this->handleAuthenticationFail();
167 }
168
169
170
174 public function authenticate()
175 {
176 foreach($this->getProviders() as $provider)
177 {
178 $this->resetStatus();
179
180 $this->getLogger()->debug('Trying authentication against: ' . get_class($provider));
181
182 $provider->doAuthentication($this->getStatus());
183
184 $this->getLogger()->debug('Authentication user id: ' . $this->getStatus()->getAuthenticatedUserId());
185
186 switch($this->getStatus()->getStatus())
187 {
188 case ilAuthStatus::STATUS_AUTHENTICATED:
189 return $this->handleAuthenticationSuccess($provider);
190
191 case ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED:
192 $this->getLogger()->notice("Account migration required.");
193 return $this->handleAccountMigration($provider);
194
195 case ilAuthStatus::STATUS_AUTHENTICATION_FAILED:
196 default:
197 $this->getLogger()->debug('Authentication failed against: ' . get_class($provider));
198 break;
199 }
200 }
201 return $this->handleAuthenticationFail();
202 }
203
208 protected function handleAccountMigration(ilAuthProviderAccountMigrationInterface $provider)
209 {
210 $this->getLogger()->debug('Trigger auth mode: ' . $provider->getTriggerAuthMode());
211 $this->getLogger()->debug('Desired auth mode: ' . $provider->getUserAuthModeName());
212 $this->getLogger()->debug('External account: ' . $provider->getExternalAccountName());
213
214 $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
215 #$this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
216
217 ilSession::set(static::MIG_TRIGGER_AUTHMODE, $provider->getTriggerAuthMode());
218 ilSession::set(static::MIG_DESIRED_AUTHMODE, $provider->getUserAuthModeName());
219 ilSession::set(static::MIG_EXTERNAL_ACCOUNT, $provider->getExternalAccountName());
220
221 $this->getLogger()->dump($_SESSION, ilLogLevel::DEBUG);
222
223 return true;
224 }
225
230 protected function handleAuthenticationSuccess(ilAuthProviderInterface $provider)
231 {
232 include_once './Services/Object/classes/class.ilObjectFactory.php';
233 $factory = new ilObjectFactory();
234 $user = $factory->getInstanceByObjId($this->getStatus()->getAuthenticatedUserId(),false);
235
236 // reset expired status
237 $this->getAuthSession()->setExpired(false);
238
239 if(!$user instanceof ilObjUser)
240 {
241 $this->getLogger()->error('Cannot instatiate user account with id: ' . $this->getStatus()->getAuthenticatedUserId());
242 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
243 $this->getStatus()->setAuthenticatedUserId(0);
244 $this->getStatus()->setReason('auth_err_invalid_user_account');
245 return false;
246 }
247
248 if(!$this->checkExceededLoginAttempts($user))
249 {
250 $this->getLogger()->info('Authentication failed for inactive user with id and too may login attempts: ' . $this->getStatus()->getAuthenticatedUserId());
251 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
252 $this->getStatus()->setAuthenticatedUserId(0);
253 $this->getStatus()->setReason('err_inactive_login_attempts');
254 return false;
255 }
256
257 if(!$this->checkActivation($user))
258 {
259 $this->getLogger()->info('Authentication failed for inactive user with id: ' . $this->getStatus()->getAuthenticatedUserId());
260 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
261 $this->getStatus()->setAuthenticatedUserId(0);
262 $this->getStatus()->setReason('err_inactive');
263 return false;
264 }
265
266 // time limit
267 if(!$this->checkTimeLimit($user))
268 {
269 $this->getLogger()->info('Authentication failed (time limit restriction) for user with id: ' . $this->getStatus()->getAuthenticatedUserId());
270
271 if($GLOBALS['ilSetting']->get('user_reactivate_code'))
272 {
273 $this->getLogger()->debug('Accout reactivation codes are active');
274 $this->getStatus()->setStatus(ilAuthStatus::STATUS_CODE_ACTIVATION_REQUIRED);
275 }
276 else
277 {
278 $this->getLogger()->debug('Accout reactivation codes are inactive');
279 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
280 $this->getStatus()->setAuthenticatedUserId(0);
281 }
282 $this->getStatus()->setReason('time_limit_reached');
283 return false;
284 }
285
286 // ip check
287 if(!$this->checkIp($user))
288 {
289 $this->getLogger()->info('Authentication failed (wrong ip) for user with id: ' . $this->getStatus()->getAuthenticatedUserId());
290 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
291 $this->getStatus()->setAuthenticatedUserId(0);
292
293 $this->getStatus()->setTranslatedReason(
294 sprintf(
295 $GLOBALS['DIC']->language()->txt('wrong_ip_detected'),
296 $_SERVER['REMOTE_ADDR']
297 )
298 );
299 return false;
300 }
301
302 // check simultaneos logins
303 $this->getLogger()->debug('Check simutaneous login');
304 if(!$this->checkSimultaneousLogins($user))
305 {
306 $this->getLogger()->info('Authentication failed: simultaneous logins forbidden for user: ' . $this->getStatus()->getAuthenticatedUserId());
307 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
308 $this->getStatus()->setAuthenticatedUserId(0);
309 $this->getStatus()->setReason('simultaneous_login_detected');
310 return false;
311 }
312
313 // check if profile is complete
314 include_once "Services/User/classes/class.ilUserProfile.php";
315 if(ilUserProfile::isProfileIncomplete($user) && ilAuthFactory::getContext() != ilAuthFactory::CONTEXT_ECS)
316 {
317 ilLoggerFactory::getLogger('auth')->info('User profile is incomplete.');
318 $user->setProfileIncomplete(true);
319 $user->update();
320 }
321
322 // redirects in case of error (session pool limit reached)
323 ilSessionControl::handleLoginEvent($user->getLogin(), $this->getAuthSession());
324
325
326 // @todo move to event handling
327 include_once 'Services/Tracking/classes/class.ilOnlineTracking.php';
328 ilOnlineTracking::addUser($user->getId());
329
330 // @todo move to event handling
331 include_once 'Modules/Forum/classes/class.ilObjForum.php';
332 ilObjForum::_updateOldAccess($user->getId());
333
334 require_once 'Services/PrivacySecurity/classes/class.ilSecuritySettings.php';
335 $security_settings = ilSecuritySettings::_getInstance();
336
337 // determine first login of user for setting an indicator
338 // which still is available in PersonalDesktop, Repository, ...
339 // (last login date is set to current date in next step)
340 if(
341 $security_settings->isPasswordChangeOnFirstLoginEnabled() &&
342 $user->getLastLogin() == null
343 )
344 {
345 $user->resetLastPasswordChange();
346 }
347 $user->refreshLogin();
348
349 // reset counter for failed logins
350 ilObjUser::_resetLoginAttempts($user->getId());
351
352
353 $this->getLogger()->info('Successfully authenticated: ' . ilObjUser::_lookupLogin($this->getStatus()->getAuthenticatedUserId()));
354 $this->getAuthSession()->setAuthenticated(true, $this->getStatus()->getAuthenticatedUserId());
355
356 include_once './Services/Init/classes/class.ilInitialisation.php';
357 ilInitialisation::initUserAccount();
358
359 ilSession::set('orig_request_target', '');
360 $user->hasToAcceptTermsOfServiceInSession(true);
361
362
363 // --- anonymous/registered user
364 $this->getLogger()->info(
365 'logged in as '. $user->getLogin() .
366 ', remote:' . $_SERVER['REMOTE_ADDR'] . ':' . $_SERVER['REMOTE_PORT'] .
367 ', server:' . $_SERVER['SERVER_ADDR'] . ':' . $_SERVER['SERVER_PORT']
368 );
369
370 // finally raise event
371 global $ilAppEventHandler;
372 $ilAppEventHandler->raise(
373 'Services/Authentication',
374 'afterLogin',
375 array(
376 'username' => $user->getLogin())
377 );
378
379 return true;
380
381 }
382
387 protected function checkActivation(ilObjUser $user)
388 {
389 return $user->getActive();
390 }
391
396 protected function checkExceededLoginAttempts(\ilObjUser $user)
397 {
398 if(in_array($user->getId(), array(ANONYMOUS_USER_ID)))
399 {
400 return true;
401 }
402
403 $isInactive = !$user->getActive();
404 if(!$isInactive)
405 {
406 return true;
407 }
408
409 require_once 'Services/PrivacySecurity/classes/class.ilSecuritySettings.php';
410 $security = ilSecuritySettings::_getInstance();
411 $maxLoginAttempts = $security->getLoginMaxAttempts();
412
413 if(!(int)$maxLoginAttempts)
414 {
415 return true;
416 }
417
418 $numLoginAttempts = \ilObjUser::_getLoginAttempts($user->getId());
419
420 return $numLoginAttempts < $maxLoginAttempts;
421 }
422
428 protected function checkTimeLimit(ilObjUser $user)
429 {
430 return $user->checkTimeLimit();
431 }
432
436 protected function checkIp(ilObjUser $user)
437 {
438 $clientip = $user->getClientIP();
439 if (trim($clientip) != "")
440 {
441 $clientip = preg_replace("/[^0-9.?*,:]+/","",$clientip);
442 $clientip = str_replace(".","\\.",$clientip);
443 $clientip = str_replace(Array("?","*",","), Array("[0-9]","[0-9]*","|"), $clientip);
444
445 ilLoggerFactory::getLogger('auth')->debug('Check ip ' . $clientip . ' against ' . $_SERVER['REMOTE_ADDR']);
446
447 if (!preg_match("/^".$clientip."$/", $_SERVER["REMOTE_ADDR"]))
448 {
449 return false;
450 }
451 }
452 return true;
453 }
454
459 protected function checkSimultaneousLogins(ilObjUser $user)
460 {
461 $this->getLogger()->debug('Setting prevent simultaneous session is: ' . (string) $GLOBALS['ilSetting']->get('ps_prevent_simultaneous_logins'));
462 if(
463 $GLOBALS['ilSetting']->get('ps_prevent_simultaneous_logins') &&
464 ilObjUser::hasActiveSession($user->getId(), $this->getAuthSession()->getId())
465 )
466 {
467 return false;
468 }
469 return true;
470 }
471
475 protected function handleAuthenticationFail()
476 {
477 $this->getLogger()->debug('Authentication failed for all authentication methods.');
478
479 $user_id = ilObjUser::_lookupId($this->getCredentials()->getUsername());
480 if(!in_array($user_id, array(ANONYMOUS_USER_ID)))
481 {
482 ilObjUser::_incrementLoginAttempts($user_id);
483 $login_attempts = ilObjUser::_getLoginAttempts($user_id);
484
485 $this->getLogger()->notice('Increased login attempts for user: ' . $this->getCredentials()->getUsername());
486
487 include_once './Services/PrivacySecurity/classes/class.ilSecuritySettings.php';
488 $security = ilSecuritySettings::_getInstance();
489 $max_attempts = $security->getLoginMaxAttempts();
490
491 if((int) $max_attempts && $login_attempts >= $max_attempts)
492 {
493 $this->getStatus()->setReason('auth_err_login_attempts_deactivation');
494 $this->getLogger()->warning('User account set to inactive due to exceeded login attempts.');
495 ilObjUser::_setUserInactive($user_id);
496 }
497 }
498 }
499
500}
501?>
sprintf
sprintf('%.4f', $callTime)
Definition: 01pharSimple.php:87
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
php
An exception for terminatinating execution or to throw for unit testing.
ilAuthFrontend
Description of class class.
Definition: class.ilAuthFrontend.php:12
ilAuthFrontend\resetStatus
resetStatus()
Reset status.
Definition: class.ilAuthFrontend.php:78
ilAuthFrontend\getLogger
getLogger()
Get logger.
Definition: class.ilAuthFrontend.php:89
ilAuthFrontend\checkActivation
checkActivation(ilObjUser $user)
Check activation.
Definition: class.ilAuthFrontend.php:387
ilAuthFrontend\checkIp
checkIp(ilObjUser $user)
Check ip.
Definition: class.ilAuthFrontend.php:436
ilAuthFrontend\handleAuthenticationFail
handleAuthenticationFail()
Handle failed authenication.
Definition: class.ilAuthFrontend.php:475
ilAuthFrontend\authenticate
authenticate()
Try to authenticate user.
Definition: class.ilAuthFrontend.php:174
ilAuthFrontend\checkExceededLoginAttempts
checkExceededLoginAttempts(\ilObjUser $user)
Definition: class.ilAuthFrontend.php:396
ilAuthFrontend\checkTimeLimit
checkTimeLimit(ilObjUser $user)
Check time limit.
Definition: class.ilAuthFrontend.php:428
ilAuthFrontend\handleAccountMigration
handleAccountMigration(ilAuthProviderAccountMigrationInterface $provider)
Handle account migration.
Definition: class.ilAuthFrontend.php:208
ilAuthFrontend\migrateAccountNew
migrateAccountNew()
Create new user account.
Definition: class.ilAuthFrontend.php:148
ilAuthFrontend\__construct
__construct(ilAuthSession $session, ilAuthStatus $status, ilAuthCredentials $credentials, array $providers)
Constructor.
Definition: class.ilAuthFrontend.php:30
ilAuthFrontend\checkSimultaneousLogins
checkSimultaneousLogins(ilObjUser $user)
Check simultaneous logins.
Definition: class.ilAuthFrontend.php:459
ilAuthFrontend\migrateAccount
migrateAccount(ilAuthSession $session)
Migrate Account to existing user account.
Definition: class.ilAuthFrontend.php:102
ilAuthFrontend\getAuthSession
getAuthSession()
Get auth session.
Definition: class.ilAuthFrontend.php:44
ilAuthFrontend\getCredentials
getCredentials()
Get auth credentials.
Definition: class.ilAuthFrontend.php:53
ilAuthFrontend\getProviders
getProviders()
Get providers.
Definition: class.ilAuthFrontend.php:62
ilAuthFrontend\handleAuthenticationSuccess
handleAuthenticationSuccess(ilAuthProviderInterface $provider)
Handle successful authentication.
Definition: class.ilAuthFrontend.php:230
ilAuthSession\getUserId
getUserId()
Get authenticated user id.
Definition: class.ilAuthSession.php:177
ilAuthSession\isAuthenticated
isAuthenticated()
Check if session is authenticated.
Definition: class.ilAuthSession.php:122
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:12
ilAuthStatus\STATUS_CODE_ACTIVATION_REQUIRED
const STATUS_CODE_ACTIVATION_REQUIRED
Definition: class.ilAuthStatus.php:21
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:19
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:20
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:82
ilObjUser\_resetLoginAttempts
static _resetLoginAttempts($a_usr_id)
Definition: class.ilObjUser.php:4670
ilObjUser\getActive
getActive()
get user active state @access public
Definition: class.ilObjUser.php:2137
ilObjUser\_lookupLogin
static _lookupLogin($a_user_id)
lookup login
Definition: class.ilObjUser.php:771
ilObjUser\_incrementLoginAttempts
static _incrementLoginAttempts($a_usr_id)
Definition: class.ilObjUser.php:4693
ilObjUser\_lookupId
static _lookupId($a_user_str)
Lookup id by login.
Definition: class.ilObjUser.php:787
ilObjUser\_setUserInactive
static _setUserInactive($a_usr_id)
Definition: class.ilObjUser.php:4704
ilObjUser\_getLoginAttempts
static _getLoginAttempts($a_usr_id)
Definition: class.ilObjUser.php:4681
ilObjUser\hasActiveSession
static hasActiveSession($a_user_id, $a_session_id)
Check for simultaneous login.
Definition: class.ilObjUser.php:2451
ilObjUser\getClientIP
getClientIP()
get client ip number @access public
Definition: class.ilObjUser.php:1816
ilObjectFactory
Class ilObjectFactory.
Definition: class.ilObjectFactory.php:21
ilObject\getId
getId()
get object id @access public
Definition: class.ilObject.php:290
ilSecuritySettings\_getInstance
static _getInstance()
Get instance of ilSecuritySettings.
Definition: class.ilSecuritySettings.php:105
ilSessionControl\handleLoginEvent
static handleLoginEvent($a_login, ilAuthSession $auth_session)
when current session is allowed to be created it marks it with type regarding to the sessions user co...
Definition: class.ilSessionControl.php:164
ilSession\set
static set($a_var, $a_val)
Set a value.
Definition: class.ilSession.php:401
ilSession\get
static get($a_var)
Get a value.
Definition: class.ilSession.php:412
ilUserProfile\isProfileIncomplete
static isProfileIncomplete($a_user, $a_include_udf=true, $a_personal_data_only=true)
Check if all required personal data fields are set.
Definition: class.ilUserProfile.php:872
$GLOBALS
$GLOBALS['loaded']
Global hash that tracks already loaded includes.
Definition: generate-standalone.php:18
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:12
ilAuthProviderAccountMigrationInterface\getExternalAccountName
getExternalAccountName()
Get external account name.
ilAuthProviderAccountMigrationInterface\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
ilAuthProviderAccountMigrationInterface\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth.
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:12
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54