ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
class.ilAuthFrontend.php
Go to the documentation of this file.
1<?php
2
3/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4
11class ilAuthFrontend
12{
13 const MIG_EXTERNAL_ACCOUNT = 'mig_ext_account';
14 const MIG_TRIGGER_AUTHMODE = 'mig_trigger_auth_mode';
15 const MIG_DESIRED_AUTHMODE = 'mig_desired_auth_mode';
16
17 private $logger = null;
18 private $credentials = null;
19 private $status = null;
20 private $providers = array();
21 private $auth_session = null;
22
23 private $authenticated = false;
24
30 public function __construct(ilAuthSession $session, ilAuthStatus $status, ilAuthCredentials $credentials, array $providers)
31 {
32 $this->logger = ilLoggerFactory::getLogger('auth');
33
34 $this->auth_session = $session;
35 $this->credentials = $credentials;
36 $this->status = $status;
37 $this->providers = $providers;
38 }
39
44 public function getAuthSession()
45 {
46 return $this->auth_session;
47 }
48
53 public function getCredentials()
54 {
55 return $this->credentials;
56 }
57
62 public function getProviders()
63 {
64 return $this->providers;
65 }
66
70 public function getStatus()
71 {
72 return $this->status;
73 }
74
78 public function resetStatus()
79 {
80 $this->getStatus()->setStatus(ilAuthStatus::STATUS_UNDEFINED);
81 $this->getStatus()->setReason('');
82 $this->getStatus()->setAuthenticatedUserId(0);
83 }
84
89 public function getLogger()
90 {
91 return $this->logger;
92 }
93
102 public function migrateAccount(ilAuthSession $session)
103 {
104 if (!$session->isAuthenticated()) {
105 $this->getLogger()->warning('Desired user account is not authenticated');
106 return false;
107 }
108 include_once './Services/Object/classes/class.ilObjectFactory.php';
109 $user_factory = new ilObjectFactory();
110 $user = $user_factory->getInstanceByObjId($session->getUserId(), false);
111
112 if (!$user instanceof ilObjUser) {
113 $this->getLogger()->info('Cannot instantiate user account for account migration: ' . $session->getUserId());
114 return false;
115 }
116
117 $user->setAuthMode(ilSession::get(static::MIG_DESIRED_AUTHMODE));
118
119 $this->getLogger()->debug('new auth mode is: ' . ilSession::get(self::MIG_DESIRED_AUTHMODE));
120
121 $user->setExternalAccount(ilSession::get(static::MIG_EXTERNAL_ACCOUNT));
122 $user->update();
123
124 foreach ($this->getProviders() as $provider) {
125 if (!$provider instanceof ilAuthProviderAccountMigrationInterface) {
126 $this->logger->warning('Provider: ' . get_class($provider) . ' does not support account migration.');
127 throw new InvalidArgumentException('Invalid auth provider given.');
128 }
129 $this->getCredentials()->setUsername(ilSession::get(static::MIG_EXTERNAL_ACCOUNT));
130 $provider->migrateAccount($this->getStatus());
131 switch ($this->getStatus()->getStatus()) {
132 case ilAuthStatus::STATUS_AUTHENTICATED:
133 return $this->handleAuthenticationSuccess($provider);
134
135 }
136 }
137 return $this->handleAuthenticationFail();
138 }
139
143 public function migrateAccountNew()
144 {
145 foreach ($this->providers as $provider) {
146 if (!$provider instanceof ilAuthProviderAccountMigrationInterface) {
147 $this->logger->warning('Provider: ' . get_class($provider) . ' does not support account migration.');
148 throw new InvalidArgumentException('Invalid auth provider given.');
149 }
150 $provider->createNewAccount($this->getStatus());
151
152 switch ($this->getStatus()->getStatus()) {
153 case ilAuthStatus::STATUS_AUTHENTICATED:
154 return $this->handleAuthenticationSuccess($provider);
155
156 }
157 }
158 return $this->handleAuthenticationFail();
159 }
160
161
162
166 public function authenticate()
167 {
168 foreach ($this->getProviders() as $provider) {
169 $this->resetStatus();
170
171 $this->getLogger()->debug('Trying authentication against: ' . get_class($provider));
172
173 $provider->doAuthentication($this->getStatus());
174
175 $this->getLogger()->debug('Authentication user id: ' . $this->getStatus()->getAuthenticatedUserId());
176
177 switch ($this->getStatus()->getStatus()) {
178 case ilAuthStatus::STATUS_AUTHENTICATED:
179 return $this->handleAuthenticationSuccess($provider);
180
181 case ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED:
182 $this->getLogger()->notice("Account migration required.");
183 return $this->handleAccountMigration($provider);
184
185 case ilAuthStatus::STATUS_AUTHENTICATION_FAILED:
186 default:
187 $this->getLogger()->debug('Authentication failed against: ' . get_class($provider));
188 break;
189 }
190 }
191 return $this->handleAuthenticationFail();
192 }
193
198 protected function handleAccountMigration(ilAuthProviderAccountMigrationInterface $provider)
199 {
200 $this->getLogger()->debug('Trigger auth mode: ' . $provider->getTriggerAuthMode());
201 $this->getLogger()->debug('Desired auth mode: ' . $provider->getUserAuthModeName());
202 $this->getLogger()->debug('External account: ' . $provider->getExternalAccountName());
203
204 $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
205 #$this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
206
207 ilSession::set(static::MIG_TRIGGER_AUTHMODE, $provider->getTriggerAuthMode());
208 ilSession::set(static::MIG_DESIRED_AUTHMODE, $provider->getUserAuthModeName());
209 ilSession::set(static::MIG_EXTERNAL_ACCOUNT, $provider->getExternalAccountName());
210
211 $this->getLogger()->dump($_SESSION, ilLogLevel::DEBUG);
212
213 return true;
214 }
215
220 protected function handleAuthenticationSuccess(ilAuthProviderInterface $provider)
221 {
222 include_once './Services/Object/classes/class.ilObjectFactory.php';
223 $factory = new ilObjectFactory();
224 $user = $factory->getInstanceByObjId($this->getStatus()->getAuthenticatedUserId(), false);
225
226 // reset expired status
227 $this->getAuthSession()->setExpired(false);
228
229 if (!$user instanceof ilObjUser) {
230 $this->getLogger()->error('Cannot instantiate user account with id: ' . $this->getStatus()->getAuthenticatedUserId());
231 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
232 $this->getStatus()->setAuthenticatedUserId(0);
233 $this->getStatus()->setReason('auth_err_invalid_user_account');
234 return false;
235 }
236
237 if (!$this->checkExceededLoginAttempts($user)) {
238 $this->getLogger()->info('Authentication failed for inactive user with id and too may login attempts: ' . $this->getStatus()->getAuthenticatedUserId());
239 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
240 $this->getStatus()->setAuthenticatedUserId(0);
241 $this->getStatus()->setReason('err_inactive_login_attempts');
242 return false;
243 }
244
245 if (!$this->checkActivation($user)) {
246 $this->getLogger()->info('Authentication failed for inactive user with id: ' . $this->getStatus()->getAuthenticatedUserId());
247 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
248 $this->getStatus()->setAuthenticatedUserId(0);
249 $this->getStatus()->setReason('err_inactive');
250 return false;
251 }
252
253 // time limit
254 if (!$this->checkTimeLimit($user)) {
255 $this->getLogger()->info('Authentication failed (time limit restriction) for user with id: ' . $this->getStatus()->getAuthenticatedUserId());
256
257 if ($GLOBALS['ilSetting']->get('user_reactivate_code')) {
258 $this->getLogger()->debug('Accout reactivation codes are active');
259 $this->getStatus()->setStatus(ilAuthStatus::STATUS_CODE_ACTIVATION_REQUIRED);
260 } else {
261 $this->getLogger()->debug('Accout reactivation codes are inactive');
262 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
263 $this->getStatus()->setAuthenticatedUserId(0);
264 }
265 $this->getStatus()->setReason('time_limit_reached');
266 return false;
267 }
268
269 // ip check
270 if (!$this->checkIp($user)) {
271 $this->getLogger()->info('Authentication failed (wrong ip) for user with id: ' . $this->getStatus()->getAuthenticatedUserId());
272 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
273 $this->getStatus()->setAuthenticatedUserId(0);
274
275 $this->getStatus()->setTranslatedReason(
276 sprintf(
277 $GLOBALS['DIC']->language()->txt('wrong_ip_detected'),
278 $_SERVER['REMOTE_ADDR']
279 )
280 );
281 return false;
282 }
283
284 // check simultaneos logins
285 $this->getLogger()->debug('Check simutaneous login');
286 if (!$this->checkSimultaneousLogins($user)) {
287 $this->getLogger()->info('Authentication failed: simultaneous logins forbidden for user: ' . $this->getStatus()->getAuthenticatedUserId());
288 $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
289 $this->getStatus()->setAuthenticatedUserId(0);
290 $this->getStatus()->setReason('simultaneous_login_detected');
291 return false;
292 }
293
294 // check if profile is complete
295 include_once "Services/User/classes/class.ilUserProfile.php";
296 include_once './Services/Context/classes/class.ilContext.php';
297 if (
298 ilUserProfile::isProfileIncomplete($user) &&
299 ilAuthFactory::getContext() != ilAuthFactory::CONTEXT_ECS &&
300 ilContext::getType() != ilContext::CONTEXT_LTI_PROVIDER
301 ) {
302 ilLoggerFactory::getLogger('auth')->info('User profile is incomplete.');
303 $user->setProfileIncomplete(true);
304 $user->update();
305 }
306
307 // redirects in case of error (session pool limit reached)
308 ilSessionControl::handleLoginEvent($user->getLogin(), $this->getAuthSession());
309
310
311 // @todo move to event handling
312 include_once 'Services/Tracking/classes/class.ilOnlineTracking.php';
313 ilOnlineTracking::addUser($user->getId());
314
315 // @todo move to event handling
316 include_once 'Modules/Forum/classes/class.ilObjForum.php';
317 ilObjForum::_updateOldAccess($user->getId());
318
319 require_once 'Services/PrivacySecurity/classes/class.ilSecuritySettings.php';
320 $security_settings = ilSecuritySettings::_getInstance();
321
322 // determine first login of user for setting an indicator
323 // which still is available in PersonalDesktop, Repository, ...
324 // (last login date is set to current date in next step)
325 if (
326 $security_settings->isPasswordChangeOnFirstLoginEnabled() &&
327 $user->getLastLogin() == null
328 ) {
329 $user->resetLastPasswordChange();
330 }
331 $user->refreshLogin();
332
333 // reset counter for failed logins
334 ilObjUser::_resetLoginAttempts($user->getId());
335
336
337 $this->getLogger()->info('Successfully authenticated: ' . ilObjUser::_lookupLogin($this->getStatus()->getAuthenticatedUserId()));
338 $this->getAuthSession()->setAuthenticated(true, $this->getStatus()->getAuthenticatedUserId());
339
340 include_once './Services/Init/classes/class.ilInitialisation.php';
341 ilInitialisation::initUserAccount();
342
343 ilSession::set('orig_request_target', '');
344 $user->hasToAcceptTermsOfServiceInSession(true);
345
346
347 // --- anonymous/registered user
348 $this->getLogger()->info(
349 'logged in as ' . $user->getLogin() .
350 ', remote:' . $_SERVER['REMOTE_ADDR'] . ':' . $_SERVER['REMOTE_PORT'] .
351 ', server:' . $_SERVER['SERVER_ADDR'] . ':' . $_SERVER['SERVER_PORT']
352 );
353
354 // finally raise event
355 global $ilAppEventHandler;
356 $ilAppEventHandler->raise(
357 'Services/Authentication',
358 'afterLogin',
359 array(
360 'username' => $user->getLogin())
361 );
362
363 return true;
364 }
365
370 protected function checkActivation(ilObjUser $user)
371 {
372 return $user->getActive();
373 }
374
379 protected function checkExceededLoginAttempts(\ilObjUser $user)
380 {
381 if (in_array($user->getId(), array(ANONYMOUS_USER_ID))) {
382 return true;
383 }
384
385 $isInactive = !$user->getActive();
386 if (!$isInactive) {
387 return true;
388 }
389
390 require_once 'Services/PrivacySecurity/classes/class.ilSecuritySettings.php';
391 $security = ilSecuritySettings::_getInstance();
392 $maxLoginAttempts = $security->getLoginMaxAttempts();
393
394 if (!(int) $maxLoginAttempts) {
395 return true;
396 }
397
398 $numLoginAttempts = \ilObjUser::_getLoginAttempts($user->getId());
399
400 return $numLoginAttempts < $maxLoginAttempts;
401 }
402
408 protected function checkTimeLimit(ilObjUser $user)
409 {
410 return $user->checkTimeLimit();
411 }
412
416 protected function checkIp(ilObjUser $user)
417 {
418 $clientip = $user->getClientIP();
419 if (trim($clientip) != "") {
420 $clientip = preg_replace("/[^0-9.?*,:]+/", "", $clientip);
421 $clientip = str_replace(".", "\\.", $clientip);
422 $clientip = str_replace(array("?","*",","), array("[0-9]","[0-9]*","|"), $clientip);
423
424 ilLoggerFactory::getLogger('auth')->debug('Check ip ' . $clientip . ' against ' . $_SERVER['REMOTE_ADDR']);
425
426 if (!preg_match("/^" . $clientip . "$/", $_SERVER["REMOTE_ADDR"])) {
427 return false;
428 }
429 }
430 return true;
431 }
432
437 protected function checkSimultaneousLogins(ilObjUser $user)
438 {
439 $this->getLogger()->debug('Setting prevent simultaneous session is: ' . (string) $GLOBALS['ilSetting']->get('ps_prevent_simultaneous_logins'));
440 if (
441 $GLOBALS['ilSetting']->get('ps_prevent_simultaneous_logins') &&
442 ilObjUser::hasActiveSession($user->getId(), $this->getAuthSession()->getId())
443 ) {
444 return false;
445 }
446 return true;
447 }
448
452 protected function handleAuthenticationFail()
453 {
454 $this->getLogger()->debug('Authentication failed for all authentication methods.');
455
456 $user_id = ilObjUser::_lookupId($this->getCredentials()->getUsername());
457 if (!in_array($user_id, array(ANONYMOUS_USER_ID))) {
458 ilObjUser::_incrementLoginAttempts($user_id);
459 $login_attempts = ilObjUser::_getLoginAttempts($user_id);
460
461 $this->getLogger()->notice('Increased login attempts for user: ' . $this->getCredentials()->getUsername());
462
463 include_once './Services/PrivacySecurity/classes/class.ilSecuritySettings.php';
464 $security = ilSecuritySettings::_getInstance();
465 $max_attempts = $security->getLoginMaxAttempts();
466
467 if ((int) $max_attempts && $login_attempts >= $max_attempts) {
468 $this->getStatus()->setReason('auth_err_login_attempts_deactivation');
469 $this->getLogger()->warning('User account set to inactive due to exceeded login attempts.');
470 ilObjUser::_setUserInactive($user_id);
471 }
472 }
473 }
474}
sprintf
sprintf('%.4f', $callTime)
Definition: 01pharSimple.php:87
$factory
$factory
Definition: metadata.php:47
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
php
An exception for terminatinating execution or to throw for unit testing.
ilAuthFrontend
Description of class class.
Definition: class.ilAuthFrontend.php:12
ilAuthFrontend\resetStatus
resetStatus()
Reset status.
Definition: class.ilAuthFrontend.php:78
ilAuthFrontend\getLogger
getLogger()
Get logger.
Definition: class.ilAuthFrontend.php:89
ilAuthFrontend\checkActivation
checkActivation(ilObjUser $user)
Check activation.
Definition: class.ilAuthFrontend.php:370
ilAuthFrontend\checkIp
checkIp(ilObjUser $user)
Check ip.
Definition: class.ilAuthFrontend.php:416
ilAuthFrontend\handleAuthenticationFail
handleAuthenticationFail()
Handle failed authenication.
Definition: class.ilAuthFrontend.php:452
ilAuthFrontend\authenticate
authenticate()
Try to authenticate user.
Definition: class.ilAuthFrontend.php:166
ilAuthFrontend\checkExceededLoginAttempts
checkExceededLoginAttempts(\ilObjUser $user)
Definition: class.ilAuthFrontend.php:379
ilAuthFrontend\checkTimeLimit
checkTimeLimit(ilObjUser $user)
Check time limit.
Definition: class.ilAuthFrontend.php:408
ilAuthFrontend\handleAccountMigration
handleAccountMigration(ilAuthProviderAccountMigrationInterface $provider)
Handle account migration.
Definition: class.ilAuthFrontend.php:198
ilAuthFrontend\migrateAccountNew
migrateAccountNew()
Create new user account.
Definition: class.ilAuthFrontend.php:143
ilAuthFrontend\__construct
__construct(ilAuthSession $session, ilAuthStatus $status, ilAuthCredentials $credentials, array $providers)
Constructor.
Definition: class.ilAuthFrontend.php:30
ilAuthFrontend\checkSimultaneousLogins
checkSimultaneousLogins(ilObjUser $user)
Check simultaneous logins.
Definition: class.ilAuthFrontend.php:437
ilAuthFrontend\migrateAccount
migrateAccount(ilAuthSession $session)
Migrate Account to existing user account.
Definition: class.ilAuthFrontend.php:102
ilAuthFrontend\getAuthSession
getAuthSession()
Get auth session.
Definition: class.ilAuthFrontend.php:44
ilAuthFrontend\getCredentials
getCredentials()
Get auth credentials.
Definition: class.ilAuthFrontend.php:53
ilAuthFrontend\getProviders
getProviders()
Get providers.
Definition: class.ilAuthFrontend.php:62
ilAuthFrontend\handleAuthenticationSuccess
handleAuthenticationSuccess(ilAuthProviderInterface $provider)
Handle successful authentication.
Definition: class.ilAuthFrontend.php:220
ilAuthSession\getUserId
getUserId()
Get authenticated user id.
Definition: class.ilAuthSession.php:177
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:12
ilAuthStatus\STATUS_CODE_ACTIVATION_REQUIRED
const STATUS_CODE_ACTIVATION_REQUIRED
Definition: class.ilAuthStatus.php:21
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:19
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:20
ilContext\getType
static getType()
Get context type.
Definition: class.ilContext.php:182
ilContext\CONTEXT_LTI_PROVIDER
const CONTEXT_LTI_PROVIDER
Definition: class.ilContext.php:35
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:79
ilObjForum\_updateOldAccess
static _updateOldAccess($a_usr_id)
Definition: class.ilObjForum.php:379
ilObjUser\_resetLoginAttempts
static _resetLoginAttempts($a_usr_id)
Definition: class.ilObjUser.php:4614
ilObjUser\getActive
getActive()
get user active state @access public
Definition: class.ilObjUser.php:2143
ilObjUser\_lookupLogin
static _lookupLogin($a_user_id)
lookup login
Definition: class.ilObjUser.php:768
ilObjUser\_incrementLoginAttempts
static _incrementLoginAttempts($a_usr_id)
Definition: class.ilObjUser.php:4640
ilObjUser\_lookupId
static _lookupId($a_user_str)
Lookup id by login.
Definition: class.ilObjUser.php:784
ilObjUser\_setUserInactive
static _setUserInactive($a_usr_id)
Definition: class.ilObjUser.php:4654
ilObjUser\_getLoginAttempts
static _getLoginAttempts($a_usr_id)
Definition: class.ilObjUser.php:4628
ilObjUser\hasActiveSession
static hasActiveSession($a_user_id, $a_session_id)
Check for simultaneous login.
Definition: class.ilObjUser.php:2461
ilObjUser\getClientIP
getClientIP()
get client ip number @access public
Definition: class.ilObjUser.php:1800
ilObjectFactory
Class ilObjectFactory.
Definition: class.ilObjectFactory.php:21
ilObject\getId
getId()
get object id @access public
Definition: class.ilObject.php:308
ilSecuritySettings\_getInstance
static _getInstance()
Get instance of ilSecuritySettings.
Definition: class.ilSecuritySettings.php:104
ilSessionControl\handleLoginEvent
static handleLoginEvent($a_login, ilAuthSession $auth_session)
when current session is allowed to be created it marks it with type regarding to the sessions user co...
Definition: class.ilSessionControl.php:160
ilSession\set
static set($a_var, $a_val)
Set a value.
Definition: class.ilSession.php:403
ilSession\get
static get($a_var)
Get a value.
Definition: class.ilSession.php:414
ilUserProfile\isProfileIncomplete
static isProfileIncomplete($a_user, $a_include_udf=true, $a_personal_data_only=true)
Check if all required personal data fields are set.
Definition: class.ilUserProfile.php:826
$GLOBALS
$GLOBALS['loaded']
Global hash that tracks already loaded includes.
Definition: generate-standalone.php:18
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:12
ilAuthProviderAccountMigrationInterface\getExternalAccountName
getExternalAccountName()
Get external account name.
ilAuthProviderAccountMigrationInterface\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
ilAuthProviderAccountMigrationInterface\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth.
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:12
$session
$session
Definition: proxy_ylocal.php:32
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54