ILIAS  trunk Revision v11.0_alpha-1689-g66c127b4ae8
All Data Structures Namespaces Files Functions Variables Enumerations Enumerator Modules Pages
class.LocalUserPasswordManager.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
21 namespace ILIAS\Authentication\Password;
22 
23 use ilAuthUtils;
24 use ilDBInterface;
25 use ilFileUtils;
26 use ilObjUser;
27 use ilPasswordException;
28 use ilPasswordUtils;
29 use ilSession;
30 use ilSetting;
31 use ilUserException;
32 
33 class LocalUserPasswordManager
34 {
35  private const MIN_SALT_SIZE = 16;
36 
37  private static ?self $instance = null;
38  private ?LocalUserPasswordEncoderFactory $encoderFactory = null;
39  private ?ilSetting $settings = null;
40  private ?ilDBInterface $db = null;
41  private ?string $encoderName = null;
42 
49  public function __construct(array $config = [])
50  {
51  if (!empty($config)) {
52  foreach ($config as $key => $value) {
53  switch (strtolower($key)) {
54  case 'settings':
55  $this->setSettings($value);
56 
57  break;
58  case 'db':
59  $this->setDb($value);
60 
61  break;
62  case 'password_encoder':
63  $this->setEncoderName($value);
64 
65  break;
66  case 'encoder_factory':
67  $this->setEncoderFactory($value);
68 
69  break;
70  }
71  }
72  }
73 
74  if (!$this->getEncoderName()) {
75  throw new ilUserException(sprintf(
76  '"password_encoder" must be set in %s.',
77  print_r($config, true)
78  ));
79  }
80 
81  if (!$this->getEncoderFactory() instanceof LocalUserPasswordEncoderFactory) {
82  throw new ilUserException(sprintf(
83  '"encoder_factory" must be instance of LocalUserPasswordEncoderFactory and set in %s.',
84  print_r($config, true)
85  ));
86  }
87  }
88 
94  public static function getInstance(): self
95  {
96  global $DIC;
97 
98  if (self::$instance instanceof self) {
99  return self::$instance;
100  }
101 
102  $password_manager = new LocalUserPasswordManager(
103  [
104  'encoder_factory' => new LocalUserPasswordEncoderFactory(
105  [
106  // bcrypt (native PHP impl.) is still the default for the factory
107  'default_password_encoder' => 'bcryptphp',
108  // Recommended: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
109  'memory_cost' => 19_456,
110  'ignore_security_flaw' => true,
111  'data_directory' => ilFileUtils::getDataDir()
112  ]
113  ),
114  // https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
115  'password_encoder' => 'argon2id',
116  'settings' => $DIC->isDependencyAvailable('settings') ? $DIC->settings() : null,
117  'db' => $DIC->database(),
118  ]
119  );
120 
121  self::$instance = $password_manager;
122 
123  return self::$instance;
124  }
125 
126  public function setSettings(?ilSetting $settings): void
127  {
128  $this->settings = $settings;
129  }
130 
131  public function setDb(ilDBInterface $db): void
132  {
133  $this->db = $db;
134  }
135 
136  public function getEncoderName(): ?string
137  {
138  return $this->encoderName;
139  }
140 
141  public function setEncoderName(string $encoderName): void
142  {
143  $this->encoderName = $encoderName;
144  }
145 
146  public function getEncoderFactory(): ?LocalUserPasswordEncoderFactory
147  {
148  return $this->encoderFactory;
149  }
150 
151  public function setEncoderFactory(LocalUserPasswordEncoderFactory $encoderFactory): void
152  {
153  $this->encoderFactory = $encoderFactory;
154  }
155 
156  public function encodePassword(ilObjUser $user, string $raw): void
157  {
158  $encoder = $this->getEncoderFactory()->getEncoderByName($this->getEncoderName());
159  $user->setPasswordEncodingType($encoder->getName());
160  if ($encoder->requiresSalt()) {
161  $user->setPasswordSalt(
162  substr(
163  str_replace(
164  '+',
165  '.',
166  base64_encode(ilPasswordUtils::getBytes(self::MIN_SALT_SIZE))
167  ),
168  0,
169  22
170  )
171  );
172  } else {
173  $user->setPasswordSalt(null);
174  }
175  $user->setPasswd(
176  $encoder->encodePassword($raw, (string) $user->getPasswordSalt()),
177  ilObjUser::PASSWD_CRYPTED
178  );
179  }
180 
181  public function isEncodingTypeSupported(string $name): bool
182  {
183  return in_array($name, $this->getEncoderFactory()->getSupportedEncoderNames());
184  }
185 
186  public function verifyPassword(ilObjUser $user, string $raw): bool
187  {
188  $encoder = $this->getEncoderFactory()->getEncoderByName($user->getPasswordEncodingType());
189  if ($this->getEncoderName() !== $encoder->getName()) {
190  if ($encoder->isPasswordValid($user->getPasswd(), $raw, (string) $user->getPasswordSalt())) {
191  $user->resetPassword($raw, $raw);
192 
193  return true;
194  }
195  } elseif ($encoder->isPasswordValid($user->getPasswd(), $raw, (string) $user->getPasswordSalt())) {
196  if ($encoder->requiresReencoding($user->getPasswd())) {
197  $user->resetPassword($raw, $raw);
198  }
199 
200  return true;
201  }
202 
203  return false;
204  }
205 
206  public function resetLastPasswordChangeForLocalUsers(): void
207  {
208  $defaultAuthMode = $this->settings->get('auth_mode');
209  $defaultAuthModeCondition = '';
210  if ((int) $defaultAuthMode === ilAuthUtils::AUTH_LOCAL) {
211  $defaultAuthModeCondition = ' OR auth_mode = ' . $this->db->quote('default', 'text');
212  }
213 
214  $this->db->manipulateF(
215  "UPDATE usr_data SET passwd_policy_reset = %s WHERE (auth_mode = %s $defaultAuthModeCondition)",
216  ['integer', 'text'],
217  [1, 'local']
218  );
219  }
220 
221  public function allowPasswordChange(ilObjUser $user): bool
222  {
223  if (ilSession::get('used_external_auth_mode')) {
224  return false;
225  }
226 
227  $status = ilAuthUtils::isPasswordModificationEnabled($user->getAuthMode(true));
228  if ($status) {
229  return true;
230  }
231 
232  return ilAuthUtils::isPasswordModificationHidden()
233  && ($user->isPasswordChangeDemanded() || $user->isPasswordExpired());
234  }
235 }
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:401
ilObjUser\resetPassword
resetPassword(string $raw, string $raw_retype)
Resets the user password.
Definition: class.ilObjUser.php:778
ilObjUser\setPasswordSalt
setPasswordSalt(?string $password_salt)
Definition: class.ilObjUser.php:238
ilObjUser\getAuthMode
getAuthMode(bool $a_auth_key=false)
Definition: class.ilObjUser.php:2654
ilObjUser\setPasswd
setPasswd(string $a_str, string $a_type=ilObjUser::PASSWD_PLAIN)
Definition: class.ilObjUser.php:1267
null
while($session_entry=$r->fetchRow(ilDBConstants::FETCHMODE_ASSOC)) return null
Definition: shib_logout.php:142
ILIAS\Data\Password\LocalUserPasswordManager\getInstance
static getInstance()
Singleton method to reduce footprint (included files, created instances)
Definition: class.LocalUserPasswordManager.php:94
$DIC
global $DIC
Definition: shib_login.php:22
ilPasswordUtils\getBytes
static getBytes(int $length)
Generate random bytes using OpenSSL or Mcrypt and mt_rand() as fallback.
Definition: class.ilPasswordUtils.php:32
ilFileUtils\getDataDir
static getDataDir()
get data directory (outside webspace)
Definition: class.ilFileUtils.php:250
ilObjUser\PASSWD_CRYPTED
const PASSWD_CRYPTED
Definition: class.ilObjUser.php:38
ilObjUser\setPasswordEncodingType
setPasswordEncodingType(?string $password_encryption_type)
Definition: class.ilObjUser.php:228
ILIAS\Data\Password\LocalUserPasswordManager\__construct
__construct(array $config=[])
Please use the singleton method for instance creation The constructor is still public because of the ...
Definition: class.LocalUserPasswordManager.php:49
ILIAS\Data\Password\LocalUserPasswordManager\setEncoderFactory
setEncoderFactory(LocalUserPasswordEncoderFactory $encoderFactory)
Definition: class.LocalUserPasswordManager.php:151
ilAuthUtils\isPasswordModificationEnabled
static isPasswordModificationEnabled($a_authmode)
Check if password modification is enabled.
Definition: class.ilAuthUtils.php:621