ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
class.ilWebAccessChecker.php
Go to the documentation of this file.
1 <?php
2 // declare(strict_types=1);
3 
4 use ILIAS\HTTP\Cookies\CookieFactory;
5 use ILIAS\HTTP\Cookies\CookieWrapper;
6 use ILIAS\HTTP\GlobalHttpState;
7 use Psr\Http\Message\UriInterface;
8 
9 require_once('./Services/WebAccessChecker/classes/class.ilWACSignedPath.php');
10 require_once('./Services/WebAccessChecker/classes/class.ilWACPath.php');
11 require_once('./Services/WebAccessChecker/classes/class.ilWACSecurePath.php');
12 require_once('./Services/Init/classes/class.ilInitialisation.php');
13 require_once('./Services/FileDelivery/classes/class.ilFileDelivery.php');
14 
21 class ilWebAccessChecker
22 {
23  const DISPOSITION = 'disposition';
24  const STATUS_CODE = 'status_code';
25  const REVALIDATE = 'revalidate';
26  const CM_FILE_TOKEN = 1;
27  const CM_FOLDER_TOKEN = 2;
28  const CM_CHECKINGINSTANCE = 3;
29  const CM_SECFOLDER = 4;
33  protected $path_object = null;
37  protected $checked = false;
41  protected $disposition = ilFileDelivery::DISP_INLINE;
45  protected $override_mimetype = '';
49  protected $send_status_code = false;
53  protected $initialized = false;
57  protected $revalidate_folder_tokens = true;
61  protected static $use_seperate_logfile = false;
65  protected $applied_checking_methods = array();
69  private $http;
73  private $cookieFactory;
74 
75 
82  public function __construct(GlobalHttpState $httpState, CookieFactory $cookieFactory)
83  {
84  $this->setPathObject(new ilWACPath($httpState->request()->getRequestTarget()));
85  $this->http = $httpState;
86  $this->cookieFactory = $cookieFactory;
87  }
88 
89 
94  public function check()
95  {
96  if (!$this->getPathObject()) {
97  throw new ilWACException(ilWACException::CODE_NO_PATH);
98  }
99 
100  // Check if Path has been signed with a token
101  $ilWACSignedPath = new ilWACSignedPath($this->getPathObject(), $this->http, $this->cookieFactory);
102  if ($ilWACSignedPath->isSignedPath()) {
103  $this->addAppliedCheckingMethod(self::CM_FILE_TOKEN);
104  if ($ilWACSignedPath->isSignedPathValid()) {
105  $this->setChecked(true);
106  $this->sendHeader('checked using token');
107 
108  return true;
109  }
110  }
111 
112  // Check if the whole secured folder has been signed
113  if ($ilWACSignedPath->isFolderSigned()) {
114  $this->addAppliedCheckingMethod(self::CM_FOLDER_TOKEN);
115  if ($ilWACSignedPath->isFolderTokenValid()) {
116  if ($this->isRevalidateFolderTokens()) {
117  $ilWACSignedPath->revalidatingFolderToken();
118  }
119  $this->setChecked(true);
120  $this->sendHeader('checked using secure folder');
121 
122  return true;
123  }
124  }
125 
126  // Fallback, have to initiate ILIAS
127  $this->initILIAS();
128 
129  if (ilWACSecurePath::hasCheckingInstanceRegistered($this->getPathObject())) {
130  // Maybe the path has been registered, lets check
131  $checkingInstance = ilWACSecurePath::getCheckingInstance($this->getPathObject());
132  $this->addAppliedCheckingMethod(self::CM_CHECKINGINSTANCE);
133  $canBeDelivered = $checkingInstance->canBeDelivered($this->getPathObject());
134  if ($canBeDelivered) {
135  $this->sendHeader('checked using fallback');
136  if ($ilWACSignedPath->isFolderSigned() && $this->isRevalidateFolderTokens()) {
137  $ilWACSignedPath->revalidatingFolderToken();
138  }
139 
140  $this->setChecked(true);
141 
142  return true;
143  } else {
144  $this->setChecked(true);
145 
146  return false;
147  }
148  }
149 
150  // none of the checking mechanisms could have been applied. no access
151  $this->setChecked(true);
152  if ($this->getPathObject()->isInSecFolder()) {
153  $this->addAppliedCheckingMethod(self::CM_SECFOLDER);
154 
155  return false;
156  } else {
157  $this->addAppliedCheckingMethod(self::CM_SECFOLDER);
158 
159  return true;
160  }
161  }
162 
163 
169  protected function sendHeader($message)
170  {
171  $response = $this->http->response()->withHeader('X-ILIAS-WebAccessChecker', $message);
172  $this->http->saveResponse($response);
173  }
174 
175 
179  public function initILIAS()
180  {
181  if ($this->isInitialized()) {
182  return;
183  }
184 
185  $GLOBALS['COOKIE_PATH'] = '/';
186 
187  $cookie = $this->cookieFactory->create('ilClientId', $this->getPathObject()->getClient())
188  ->withPath('/')
189  ->withExpires(0);
190 
191  $response = $this->http->cookieJar()
192  ->with($cookie)
193  ->renderIntoResponseHeader($this->http->response());
194 
195  $this->http->saveResponse($response);
196 
197  ilContext::init(ilContext::CONTEXT_WAC);
198  try {
199  ilInitialisation::initILIAS();
200  $this->checkUser();
201  $this->checkPublicSection();
202  } catch (Exception $e) {
203  if ($e instanceof ilWACException
204  && $e->getCode() !== ilWACException::ACCESS_DENIED_NO_LOGIN) {
205  throw $e;
206  }
207  if (($e instanceof Exception && $e->getMessage() == 'Authentication failed.')
208  || $e->getCode() === ilWACException::ACCESS_DENIED_NO_LOGIN) {
209  $this->initAnonymousSession();
210  $this->checkUser();
211  $this->checkPublicSection();
212  }
213  }
214  $this->setInitialized(true);
215  }
216 
217 
222  protected function checkPublicSection()
223  {
224  global $DIC;
225  $on_login_page = !$this->isRequestNotFromLoginPage();
226  $is_anonymous = ((int) $DIC->user()->getId() === (int) ANONYMOUS_USER_ID);
227  $is_null_user = ($DIC->user()->getId() === 0);
228  $pub_section_activated = (bool) $DIC['ilSetting']->get('pub_section');
229  $isset = isset($DIC['ilSetting']);
230  $instanceof = $DIC['ilSetting'] instanceof ilSetting;
231 
232  if (!$isset || !$instanceof) {
233  throw new ilWACException(ilWACException::ACCESS_DENIED_NO_PUB);
234  }
235 
236  if ($on_login_page && ($is_null_user || $is_anonymous)) {
237  // Request is initiated from login page
238  return;
239  }
240 
241  if ($pub_section_activated && ($is_null_user || $is_anonymous)) {
242  // Request is initiated from an enabled public area
243  return;
244  }
245 
246  if ($is_anonymous || $is_null_user) {
247  throw new ilWACException(ilWACException::ACCESS_DENIED_NO_PUB);
248  }
249  }
250 
251 
252  protected function checkUser()
253  {
254  global $DIC;
255 
256  $is_user = $DIC->user() instanceof ilObjUser;
257  $user_id_is_zero = ((int) $DIC->user()->getId() === 0);
258  $not_on_login_page = $this->isRequestNotFromLoginPage();
259  if (!$is_user || ($user_id_is_zero && $not_on_login_page)) {
260  throw new ilWACException(ilWACException::ACCESS_DENIED_NO_LOGIN);
261  }
262  }
263 
264 
268  public function isChecked()
269  {
270  return (bool) $this->checked;
271  }
272 
273 
279  public function setChecked($checked)
280  {
281  assert(is_bool($checked));
282  $this->checked = $checked;
283  }
284 
285 
289  public function getPathObject()
290  {
291  return $this->path_object;
292  }
293 
294 
300  public function setPathObject(ilWACPath $path_object)
301  {
302  $this->path_object = $path_object;
303  }
304 
305 
309  public function getDisposition()
310  {
311  return (string) $this->disposition;
312  }
313 
314 
320  public function setDisposition($disposition)
321  {
322  assert(is_string($disposition));
323  $this->disposition = $disposition;
324  }
325 
326 
330  public function getOverrideMimetype()
331  {
332  return (string) $this->override_mimetype;
333  }
334 
335 
341  public function setOverrideMimetype($override_mimetype)
342  {
343  assert(is_string($override_mimetype));
344  $this->override_mimetype = $override_mimetype;
345  }
346 
347 
351  public function isInitialized()
352  {
353  return (bool) $this->initialized;
354  }
355 
356 
360  public function setInitialized($initialized)
361  {
362  assert(is_bool($initialized));
363  $this->initialized = $initialized;
364  }
365 
366 
370  public function isSendStatusCode()
371  {
372  return (bool) $this->send_status_code;
373  }
374 
375 
381  public function setSendStatusCode($send_status_code)
382  {
383  assert(is_bool($send_status_code));
384  $this->send_status_code = $send_status_code;
385  }
386 
387 
391  public function isRevalidateFolderTokens()
392  {
393  return (bool) $this->revalidate_folder_tokens;
394  }
395 
396 
402  public function setRevalidateFolderTokens($revalidate_folder_tokens)
403  {
404  assert(is_bool($revalidate_folder_tokens));
405  $this->revalidate_folder_tokens = $revalidate_folder_tokens;
406  }
407 
408 
412  public static function isUseSeperateLogfile()
413  {
414  return (bool) self::$use_seperate_logfile;
415  }
416 
417 
423  public static function setUseSeperateLogfile($use_seperate_logfile)
424  {
425  assert(is_bool($use_seperate_logfile));
426  self::$use_seperate_logfile = $use_seperate_logfile;
427  }
428 
429 
433  public function getAppliedCheckingMethods()
434  {
435  return (array) $this->applied_checking_methods;
436  }
437 
438 
444  public function setAppliedCheckingMethods(array $applied_checking_methods)
445  {
446  $this->applied_checking_methods = $applied_checking_methods;
447  }
448 
449 
455  protected function addAppliedCheckingMethod($method)
456  {
457  assert(is_int($method));
458  $this->applied_checking_methods[] = $method;
459  }
460 
461 
462  protected function initAnonymousSession()
463  {
464  global $DIC;
465  include_once './Services/Context/classes/class.ilContext.php';
466  ilContext::init(ilContext::CONTEXT_WAC);
467  require_once("Services/Init/classes/class.ilInitialisation.php");
468  ilInitialisation::reinitILIAS();
472  $ilAuthSession = $DIC['ilAuthSession'];
473  $ilAuthSession->init();
474  $ilAuthSession->regenerateId();
475  $a_id = (int) ANONYMOUS_USER_ID;
476  $ilAuthSession->setUserId($a_id);
477  $ilAuthSession->setAuthenticated(false, $a_id);
478  $DIC->user()->setId($a_id);
479  }
480 
481 
485  protected function isRequestNotFromLoginPage()
486  {
487  $referrer = (string) ($_SERVER['HTTP_REFERER'] ?? '');
488  $not_on_login_page = (strpos($referrer, 'login.php') === false
489  && strpos($referrer, '&baseClass=ilStartUpGUI') === false);
490 
491  if ($not_on_login_page && $referrer !== '') {
492  // In some scenarios (observed for content styles on login page, the HTTP_REFERER does not contain a PHP script
493  $referrer_url_parts = parse_url($referrer);
494  $ilias_url_parts = parse_url(ilUtil::_getHttpPath());
495  if (
496  $ilias_url_parts['host'] === $referrer_url_parts['host'] &&
497  (
498  !isset($referrer_url_parts['path']) ||
499  strpos($referrer_url_parts['path'], '.php') === false
500  )
501  ) {
502  $not_on_login_page = false;
503  }
504  }
505 
506  return $not_on_login_page;
507  }
508 }
ilWebAccessChecker\setPathObject
setPathObject(ilWACPath $path_object)
Definition: class.ilWebAccessChecker.php:300
ilWebAccessChecker\setUseSeperateLogfile
static setUseSeperateLogfile($use_seperate_logfile)
Definition: class.ilWebAccessChecker.php:423
ILIAS\HTTP\GlobalHttpState
Interface GlobalHttpState.
Definition: GlobalHttpState.php:24
ILIAS\HTTP\GlobalHttpState\request
request()
Returns the current psr-7 server request.
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54
ilWACException
Class ilWACException.
Definition: class.ilWACException.php:10
ilContext\CONTEXT_WAC
const CONTEXT_WAC
Definition: class.ilContext.php:32
$DIC
global $DIC
Definition: saml.php:7
ilWebAccessChecker\setAppliedCheckingMethods
setAppliedCheckingMethods(array $applied_checking_methods)
Definition: class.ilWebAccessChecker.php:444
ilWACPath
Class ilWACPath.
Definition: class.ilWACPath.php:10
ilWebAccessChecker\setRevalidateFolderTokens
setRevalidateFolderTokens($revalidate_folder_tokens)
Definition: class.ilWebAccessChecker.php:402
ilWebAccessChecker\__construct
__construct(GlobalHttpState $httpState, CookieFactory $cookieFactory)
ilWebAccessChecker constructor.
Definition: class.ilWebAccessChecker.php:82
ilInitialisation\initILIAS
static initILIAS()
ilias initialisation
Definition: class.ilInitialisation.php:996
$message
catch(Exception $e) $message
Definition: saml2-logout.php:34
ILIAS\FileDelivery\http
static http()
Fetches the global http state from ILIAS.
Definition: HttpServiceAware.php:36
ilWebAccessChecker
Class ilWebAccessChecker.
Definition: class.ilWebAccessChecker.php:21
ilWebAccessChecker\setSendStatusCode
setSendStatusCode($send_status_code)
Definition: class.ilWebAccessChecker.php:381
ilWACSignedPath
Class ilWACSignedPath.
Definition: class.ilWACSignedPath.php:22
ilWebAccessChecker\setOverrideMimetype
setOverrideMimetype($override_mimetype)
Definition: class.ilWebAccessChecker.php:341
ilContext\init
static init($a_type)
Init context by type.
Definition: class.ilContext.php:45
ilUtil\_getHttpPath
static _getHttpPath()
Definition: class.ilUtil.php:4674
ilWACSecurePath\hasCheckingInstanceRegistered
static hasCheckingInstanceRegistered(ilWACPath $ilWACPath)
Searches a checking instance for the given wac path.
Definition: class.ilWACSecurePath.php:67
$response
$response
Definition: proxy_ylocal.php:39
$GLOBALS
$GLOBALS['JPEG_Segment_Names']
Global Variable: XMP_tag_captions.
Definition: module.tag.xmp.php:702