ILIAS  release_8 Revision v8.19
All Data Structures Namespaces Files Functions Variables Modules Pages
class.ilAuthFrontend.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
26 //TODO check why authfront does not include frontendInterface
27 class ilAuthFrontend
28 {
29  public const MIG_EXTERNAL_ACCOUNT = 'mig_ext_account';
30  public const MIG_TRIGGER_AUTHMODE = 'mig_trigger_auth_mode';
31  public const MIG_DESIRED_AUTHMODE = 'mig_desired_auth_mode';
32 
33  private ilLogger $logger;
34  private ilSetting $settings;
35  private ilLanguage $lng;
36 
37  private ilAuthCredentials $credentials;
38  private ilAuthStatus $status;
40  private array $providers;
41  private ilAuthSession $auth_session;
42  private ilAppEventHandler $ilAppEventHandler;
43 
44  private bool $authenticated = false;
45 
52  public function __construct(ilAuthSession $session, ilAuthStatus $status, ilAuthCredentials $credentials, array $providers)
53  {
54  global $DIC;
55  $this->logger = $DIC->logger()->auth();
56  $this->settings = $DIC->settings();
57  $this->lng = $DIC->language();
58  $this->ilAppEventHandler = $DIC->event();
59 
60  $this->auth_session = $session;
61  $this->credentials = $credentials;
62  $this->status = $status;
63  $this->providers = $providers;
64  }
65 
69  public function getAuthSession(): ilAuthSession
70  {
71  return $this->auth_session;
72  }
73 
77  public function getCredentials(): ilAuthCredentials
78  {
79  return $this->credentials;
80  }
81 
86  public function getProviders(): array
87  {
88  return $this->providers;
89  }
90 
94  public function getStatus(): ilAuthStatus
95  {
96  return $this->status;
97  }
98 
102  public function resetStatus(): void
103  {
104  $this->getStatus()->setStatus(ilAuthStatus::STATUS_UNDEFINED);
105  $this->getStatus()->setReason('');
106  $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
107  }
108 
113  public function migrateAccount(ilAuthSession $session): bool
114  {
115  if (!$session->isAuthenticated()) {
116  $this->logger->warning('Desired user account is not authenticated');
117  return false;
118  }
119  $user = ilObjectFactory::getInstanceByObjId($session->getUserId(), false);
120 
121  if (!$user instanceof ilObjUser) {
122  $this->logger->info('Cannot instantiate user account for account migration: ' . $session->getUserId());
123  return false;
124  }
125 
126  $user->setAuthMode(ilSession::get(static::MIG_DESIRED_AUTHMODE));
127 
128  $this->logger->debug('new auth mode is: ' . ilSession::get(self::MIG_DESIRED_AUTHMODE));
129 
130  $user->setExternalAccount(ilSession::get(static::MIG_EXTERNAL_ACCOUNT));
131  $user->update();
132 
133  foreach ($this->getProviders() as $provider) {
134  if (!$provider instanceof ilAuthProviderAccountMigrationInterface) {
135  $this->logger->warning('Provider: ' . get_class($provider) . ' does not support account migration.');
136  throw new InvalidArgumentException('Invalid auth provider given.');
137  }
138  $this->getCredentials()->setUsername(ilSession::get(static::MIG_EXTERNAL_ACCOUNT));
139  $provider->migrateAccount($this->getStatus());
140  if ($this->getStatus()->getStatus() === ilAuthStatus::STATUS_AUTHENTICATED) {
141  return $this->handleAuthenticationSuccess($provider);
142  }
143  }
144  return $this->handleAuthenticationFail();
145  }
146 
150  public function migrateAccountNew(): bool
151  {
152  foreach ($this->providers as $provider) {
153  if (!$provider instanceof ilAuthProviderAccountMigrationInterface) {
154  $this->logger->warning('Provider: ' . get_class($provider) . ' does not support account migration.');
155  throw new InvalidArgumentException('Invalid auth provider given.');
156  }
157  $provider->createNewAccount($this->getStatus());
158 
159  if ($provider instanceof ilAuthProviderInterface &&
160  $this->getStatus()->getStatus() === ilAuthStatus::STATUS_AUTHENTICATED) {
161  return $this->handleAuthenticationSuccess($provider);
162  }
163  }
164  return $this->handleAuthenticationFail();
165  }
166 
167 
168 
172  public function authenticate(): bool
173  {
174  foreach ($this->getProviders() as $provider) {
175  $this->resetStatus();
176 
177  $this->logger->debug('Trying authentication against: ' . get_class($provider));
178 
179  $provider->doAuthentication($this->getStatus());
180 
181  $this->logger->debug('Authentication user id: ' . $this->getStatus()->getAuthenticatedUserId());
182 
183  switch ($this->getStatus()->getStatus()) {
184  case ilAuthStatus::STATUS_AUTHENTICATED:
185  return $this->handleAuthenticationSuccess($provider);
186 
187  case ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED:
188  $this->logger->notice("Account migration required.");
189  if ($provider instanceof ilAuthProviderAccountMigrationInterface) {
190  return $this->handleAccountMigration($provider);
191  }
192 
193  $this->logger->error('Authentication migratittion required but provider does not support interface' . get_class($provider));
194  break;
195  case ilAuthStatus::STATUS_AUTHENTICATION_FAILED:
196  default:
197  $this->logger->debug('Authentication failed against: ' . get_class($provider));
198  break;
199  }
200  }
201  return $this->handleAuthenticationFail();
202  }
203 
208  protected function handleAccountMigration(ilAuthProviderAccountMigrationInterface $provider): bool
209  {
210  $this->logger->debug('Trigger auth mode: ' . $provider->getTriggerAuthMode());
211  $this->logger->debug('Desired auth mode: ' . $provider->getUserAuthModeName());
212  $this->logger->debug('External account: ' . $provider->getExternalAccountName());
213 
214  $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
215  #$this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
216 
217  ilSession::set(static::MIG_TRIGGER_AUTHMODE, $provider->getTriggerAuthMode());
218  ilSession::set(static::MIG_DESIRED_AUTHMODE, $provider->getUserAuthModeName());
219  ilSession::set(static::MIG_EXTERNAL_ACCOUNT, $provider->getExternalAccountName());
220 
221  $this->logger->dump(ilSession::dumpToString(), ilLogLevel::DEBUG);
222 
223  return true;
224  }
225 
229  protected function handleAuthenticationSuccess(ilAuthProviderInterface $provider): bool
230  {
231  $user = ilObjectFactory::getInstanceByObjId($this->getStatus()->getAuthenticatedUserId(), false);
232 
233  // reset expired status
234  $this->getAuthSession()->setExpired(false);
235 
236  if (!$user instanceof ilObjUser) {
237  $this->logger->error('Cannot instantiate user account with id: ' . $this->getStatus()->getAuthenticatedUserId());
238  $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
239  $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
240  $this->getStatus()->setReason('auth_err_invalid_user_account');
241  return false;
242  }
243 
244  if (!$this->checkExceededLoginAttempts($user)) {
245  $this->logger->info('Authentication failed for inactive user with id and too may login attempts: ' . $this->getStatus()->getAuthenticatedUserId());
246  $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
247  $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
248  $this->getStatus()->setReason('auth_err_login_attempts_deactivation');
249  return false;
250  }
251 
252  if (!$this->checkActivation($user)) {
253  $this->logger->info('Authentication failed for inactive user with id: ' . $this->getStatus()->getAuthenticatedUserId());
254  $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
255  $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
256  $this->getStatus()->setReason('err_inactive');
257  return false;
258  }
259 
260  // time limit
261  if (!$this->checkTimeLimit($user)) {
262  $this->logger->info('Authentication failed (time limit restriction) for user with id: ' . $this->getStatus()->getAuthenticatedUserId());
263 
264  if ($this->settings->get('user_reactivate_code')) {
265  $this->logger->debug('Accout reactivation codes are active');
266  $this->getStatus()->setStatus(ilAuthStatus::STATUS_CODE_ACTIVATION_REQUIRED);
267  } else {
268  $this->logger->debug('Accout reactivation codes are inactive');
269  $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
270  $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
271  }
272  $this->getStatus()->setReason('time_limit_reached');
273  return false;
274  }
275 
276  // ip check
277  if (!$this->checkIp($user)) {
278  $this->logger->info('Authentication failed (wrong ip) for user with id: ' . $this->getStatus()->getAuthenticatedUserId());
279  $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
280  $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
281 
282  $this->getStatus()->setTranslatedReason(
283  sprintf(
284  $this->lng->txt('wrong_ip_detected'),
285  $_SERVER['REMOTE_ADDR']
286  )
287  );
288  return false;
289  }
290 
291  // check simultaneos logins
292  $this->logger->debug('Check simutaneous login');
293  if (!$this->checkSimultaneousLogins($user)) {
294  $this->logger->info('Authentication failed: simultaneous logins forbidden for user: ' . $this->getStatus()->getAuthenticatedUserId());
295  $this->getStatus()->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
296  $this->getStatus()->setAuthenticatedUserId(ANONYMOUS_USER_ID);
297  $this->getStatus()->setReason('simultaneous_login_detected');
298  return false;
299  }
300 
301  // check if profile is complete
302  if (
303  ilUserProfile::isProfileIncomplete($user) &&
304  ilAuthFactory::getContext() !== ilAuthFactory::CONTEXT_ECS &&
305  ilContext::getType() !== ilContext::CONTEXT_LTI_PROVIDER
306  ) {
307  ilLoggerFactory::getLogger('auth')->info('User profile is incomplete.');
308  $user->setProfileIncomplete(true);
309  $user->update();
310  }
311 
312  // redirects in case of error (session pool limit reached)
313  ilSessionControl::handleLoginEvent($user->getLogin(), $this->getAuthSession());
314 
315 
316  // @todo move to event handling
317  ilOnlineTracking::addUser($user->getId());
318 
319  // @todo move to event handling
320  ilObjForum::_updateOldAccess($user->getId());
321 
322  $security_settings = ilSecuritySettings::_getInstance();
323 
324  // determine first login of user for setting an indicator
325  // which still is available in PersonalDesktop, Repository, ...
326  // (last login date is set to current date in next step)
327  if (
328  $security_settings->isPasswordChangeOnFirstLoginEnabled() &&
329  $user->getLastLogin() === ''
330  ) {
331  $user->resetLastPasswordChange();
332  }
333  $user->refreshLogin();
334 
335  if ($user->getLoginAttempts() > 0) {
336  $user->setLoginAttempts(0);
337  $user->update();
338  }
339 
340 
341  $this->logger->info('Successfully authenticated: ' . ilObjUser::_lookupLogin($this->getStatus()->getAuthenticatedUserId()));
342  $this->getAuthSession()->setAuthenticated(true, $this->getStatus()->getAuthenticatedUserId());
343 
344  ilInitialisation::initUserAccount();
345 
346  ilSession::set('orig_request_target', '');
347  $user->hasToAcceptTermsOfServiceInSession(true);
348 
349 
350  // --- anonymous/registered user
351  if (PHP_SAPI !== "cli") {
352  $this->logger->info(
353  'logged in as ' . $user->getLogin() .
354  ', remote:' . $_SERVER['REMOTE_ADDR'] . ':' . $_SERVER['REMOTE_PORT'] .
355  ', server:' . $_SERVER['SERVER_ADDR'] . ':' . $_SERVER['SERVER_PORT']
356  );
357  } else {
358  $this->logger->info(
359  'logged in as ' . $user->getLogin() . ' from CLI'
360  );
361  }
362 
363  // finally raise event
364  $this->ilAppEventHandler->raise(
365  'Services/Authentication',
366  'afterLogin',
367  array(
368  'username' => $user->getLogin())
369  );
370 
371  return true;
372  }
373 
377  protected function checkActivation(ilObjUser $user): bool
378  {
379  return $user->getActive();
380  }
381 
382  protected function checkExceededLoginAttempts(ilObjUser $user): bool
383  {
384  if ($user->getId() === ANONYMOUS_USER_ID) {
385  return true;
386  }
387 
388  $isInactive = !$user->getActive();
389  if (!$isInactive) {
390  return true;
391  }
392 
393  $security = ilSecuritySettings::_getInstance();
394  $maxLoginAttempts = $security->getLoginMaxAttempts();
395 
396  if (!$maxLoginAttempts) {
397  return true;
398  }
399 
400  $numLoginAttempts = \ilObjUser::_getLoginAttempts($user->getId());
401 
402  return $numLoginAttempts < $maxLoginAttempts;
403  }
404 
408  protected function checkTimeLimit(ilObjUser $user): bool
409  {
410  return $user->checkTimeLimit();
411  }
412 
416  protected function checkIp(ilObjUser $user): bool
417  {
418  $clientip = $user->getClientIP();
419  if (trim($clientip) !== "") {
420  $clientip = preg_replace("/[^0-9.?*,:]+/", "", $clientip);
421  $clientip = str_replace([".", "?", "*", ","], ["\\.", "[0-9]", "[0-9]*", "|"], $clientip);
422 
423  ilLoggerFactory::getLogger('auth')->debug('Check ip ' . $clientip . ' against ' . $_SERVER['REMOTE_ADDR']);
424 
425  if (!preg_match("/^" . $clientip . "$/", $_SERVER["REMOTE_ADDR"])) {
426  return false;
427  }
428  }
429  return true;
430  }
431 
435  protected function checkSimultaneousLogins(ilObjUser $user): bool
436  {
437  $this->logger->debug('Setting prevent simultaneous session is: ' . $this->settings->get('ps_prevent_simultaneous_logins'));
438  return !($this->settings->get('ps_prevent_simultaneous_logins') &&
439  ilObjUser::hasActiveSession($user->getId(), $this->getAuthSession()->getId()));
440  }
441 
445  protected function handleAuthenticationFail(): bool
446  {
447  $this->logger->debug('Authentication failed for all authentication methods.');
448 
449  $user_id = ilObjUser::_lookupId($this->getCredentials()->getUsername());
450  if (is_int($user_id) && $user_id !== ANONYMOUS_USER_ID) {
451  ilObjUser::_incrementLoginAttempts($user_id);
452  $login_attempts = ilObjUser::_getLoginAttempts($user_id);
453 
454  $this->logger->notice('Increased login attempts for user: ' . $this->getCredentials()->getUsername());
455 
456  $security = ilSecuritySettings::_getInstance();
457  $max_attempts = $security->getLoginMaxAttempts();
458 
459  if ($max_attempts && $login_attempts >= $max_attempts) {
460  $this->getStatus()->setReason('auth_err_login_attempts_deactivation');
461  $this->logger->warning('User account set to inactive due to exceeded login attempts.');
462  ilObjUser::_setUserInactive($user_id);
463  }
464  }
465  return false;
466  }
467 }
ilObjUser\hasActiveSession
static hasActiveSession(int $a_user_id, string $a_session_id)
Definition: class.ilObjUser.php:1944
ilAuthFrontend\migrateAccount
migrateAccount(ilAuthSession $session)
Migrate Account to existing user account.
Definition: class.ilAuthFrontend.php:113
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:459
ilUserProfile\isProfileIncomplete
static isProfileIncomplete(ilObjUser $a_user, bool $a_include_udf=true, bool $a_personal_data_only=true)
Check if all required personal data fields are set.
Definition: class.ilUserProfile.php:857
ilAppEventHandler
Global event handler.
Definition: class.ilAppEventHandler.php:51
ilObjUser\_getLoginAttempts
static _getLoginAttempts(int $a_usr_id)
Definition: class.ilObjUser.php:3497
ilAuthFrontend\getProviders
getProviders()
Get providers.
Definition: class.ilAuthFrontend.php:86
ilSession\dumpToString
static dumpToString()
Definition: class.ilSession.php:479
ilAuthFrontend\checkIp
checkIp(ilObjUser $user)
Check ip.
Definition: class.ilAuthFrontend.php:416
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:27
ANONYMOUS_USER_ID
const ANONYMOUS_USER_ID
Definition: constants.php:27
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:35
ilAuthFrontend\handleAuthenticationSuccess
handleAuthenticationSuccess(ilAuthProviderInterface $provider)
Handle successful authentication.
Definition: class.ilAuthFrontend.php:229
$session
$session
Definition: proxy_ylocal.php:32
ilAuthFrontend\checkSimultaneousLogins
checkSimultaneousLogins(ilObjUser $user)
Check simultaneous logins.
Definition: class.ilAuthFrontend.php:435
ilContext\CONTEXT_LTI_PROVIDER
const CONTEXT_LTI_PROVIDER
Definition: class.ilContext.php:46
ilAuthSession\isAuthenticated
isAuthenticated()
Check if session is authenticated.
Definition: class.ilAuthSession.php:127
ilObjUser\_lookupId
static _lookupId($a_user_str)
Definition: class.ilObjUser.php:674
ilAuthFrontend\handleAccountMigration
handleAccountMigration(ilAuthProviderAccountMigrationInterface $provider)
Handle account migration.
Definition: class.ilAuthFrontend.php:208
ilAuthFrontend\resetStatus
resetStatus()
Reset status.
Definition: class.ilAuthFrontend.php:102
ilAuthFrontend\checkExceededLoginAttempts
checkExceededLoginAttempts(ilObjUser $user)
Definition: class.ilAuthFrontend.php:382
ilAuthFrontend\getCredentials
getCredentials()
Get auth credentials.
Definition: class.ilAuthFrontend.php:77
ilAuthFrontend\migrateAccountNew
migrateAccountNew()
Create new user account.
Definition: class.ilAuthFrontend.php:150
ilAuthFrontend\$auth_session
ilAuthSession $auth_session
Definition: class.ilAuthFrontend.php:41
ilAuthSession\getUserId
getUserId()
Get authenticated user id.
Definition: class.ilAuthSession.php:175
$DIC
global $DIC
Definition: feed.php:28
$provider
$provider
Definition: ltitoken.php:83
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:27
ilAuthFrontend\authenticate
authenticate()
Try to authenticate user.
Definition: class.ilAuthFrontend.php:172
ilOnlineTracking\addUser
static addUser(int $a_user_id)
Definition: class.ilOnlineTracking.php:37
ilAuthFrontend\checkTimeLimit
checkTimeLimit(ilObjUser $user)
Check time limit.
Definition: class.ilAuthFrontend.php:408
ilAuthFrontend\handleAuthenticationFail
handleAuthenticationFail()
Handle failed authenication.
Definition: class.ilAuthFrontend.php:445
ilObjForum\_updateOldAccess
static _updateOldAccess(int $a_usr_id)
Definition: class.ilObjForum.php:280
ilAuthFrontend\checkActivation
checkActivation(ilObjUser $user)
Check activation.
Definition: class.ilAuthFrontend.php:377
ilObjUser\_setUserInactive
static _setUserInactive(int $a_usr_id)
Definition: class.ilObjUser.php:3527
$_SERVER
$_SERVER['HTTP_HOST']
Definition: raiseError.php:10
ilAuthProviderAccountMigrationInterface\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
ilAuthFactory\CONTEXT_ECS
const CONTEXT_ECS
Calendar authentication with auth token.
Definition: class.ilAuthFactory.php:64
ilAuthFrontend\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthFrontend.php:37
ilSessionControl\handleLoginEvent
static handleLoginEvent(string $a_login, ilAuthSession $auth_session)
when current session is allowed to be created it marks it with type regarding to the sessions user co...
Definition: class.ilSessionControl.php:89
ilObjectFactory\getInstanceByObjId
static getInstanceByObjId(?int $obj_id, bool $stop_on_error=true)
get an instance of an Ilias object by object id
Definition: class.ilObjectFactory.php:84
ilAuthFrontend\$ilAppEventHandler
ilAppEventHandler $ilAppEventHandler
Definition: class.ilAuthFrontend.php:42
ilAuthStatus\STATUS_CODE_ACTIVATION_REQUIRED
const STATUS_CODE_ACTIVATION_REQUIRED
Definition: class.ilAuthStatus.php:37
ilObjUser\_incrementLoginAttempts
static _incrementLoginAttempts(int $a_usr_id)
Definition: class.ilObjUser.php:3510
ilAuthFrontend\__construct
__construct(ilAuthSession $session, ilAuthStatus $status, ilAuthCredentials $credentials, array $providers)
Definition: class.ilAuthFrontend.php:52
ilContext\getType
static getType()
Get context type.
Definition: class.ilContext.php:165
ilInitialisation\initUserAccount
static initUserAccount()
Init user with current account id.
Definition: class.ilInitialisation.php:932
ilAuthFrontend\getAuthSession
getAuthSession()
Get auth session.
Definition: class.ilAuthFrontend.php:69
ilAuthProviderAccountMigrationInterface\getExternalAccountName
getExternalAccountName()
Get external account name.
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:27
ilSecuritySettings\_getInstance
static _getInstance()
Get instance of ilSecuritySettings.
Definition: class.ilSecuritySettings.php:92
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:36
ilSession\set
static set(string $a_var, $a_val)
Set a value.
Definition: class.ilSession.php:451
ilAuthProviderAccountMigrationInterface\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth...
ilAppEventHandler\raise
raise(string $a_component, string $a_event, array $a_parameter=[])
Raise an event.
Definition: class.ilAppEventHandler.php:102
ilObjUser\_lookupLogin
static _lookupLogin(int $a_user_id)
Definition: class.ilObjUser.php:660