ILIAS  trunk Revision v12.0_alpha-1540-g00f839d5fa1
ILIASAuthenticationFileCache.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
21namespace ILIAS\WebDAV\Auth;
22
23use ILIAS\FileDelivery\Token\DataSigner;
24use ILIAS\FileDelivery\Token\Signer\Key\Secret\SecretKeyRotation;
25use ILIAS\Filesystem\Filesystem;
26
30class ILIASAuthenticationFileCache
31{
32 private const string SALT = 'webdav';
33 private const string F_USERNAME = 'username';
34 private const string F_USR_ID = 'usr_id';
35 private const string F_PW_HASH = 'password';
36 private DataSigner $data_signer;
37
38 public function __construct(
39 private Filesystem $filesystem,
40 SecretKeyRotation $secret_key_rotation
41 ) {
42 $this->data_signer = new DataSigner(
43 $secret_key_rotation
44 );
45 }
46
47 private function getAuthCacheFile(string $username): string
48 {
49 return 'davcache_' . hash('sha256', $username);
50 }
51
52 private function readAuthCache(string $username): ?array
53 {
54 $file = $this->getAuthCacheFile($username);
55 if (!$this->filesystem->has($file)) {
56 return null;
57 }
58 $raw = $this->filesystem->read($file);
59
60 return $this->data_signer->verify($raw, self::SALT);
61 }
62
63 private function writeAuthCache(string $username, string $password_hash, int $usr_id): void
64 {
65 $file = $this->getAuthCacheFile($username);
66
67 $payload = [
68 self::F_USR_ID => $usr_id,
69 self::F_USERNAME => $username,
70 self::F_PW_HASH => $password_hash,
71 ];
72
73 $payload = $this->data_signer->sign($payload, self::SALT);
74 $this->filesystem->put($file, $payload);
75 }
76
77 public function isAuthenticated(string $username, string $password): ?int
78 {
79 $cached = $this->readAuthCache($username);
80 if ($cached === null) {
81 return null;
82 }
83 // has the password, since we stored it hashed
84 $password = hash('sha256', $password);
85
86 if ($cached[self::F_USERNAME] === $username && $cached[self::F_PW_HASH] === $password) {
87 return (int) $cached[self::F_USR_ID]; // retun user_id if corrent
88 }
89
90 return null;
91 }
92
93 public function setAuthenticated(
94 string $username,
95 string $password,
96 int $user_id
97 ): void {
98 // has the password, since we do not want to store them
99 $password = hash('sha256', $password);
100
101 $this->writeAuthCache($username, $password, $user_id);
102 }
103
104}
ILIAS\FileDelivery\Token\Signer\Key\Secret\SecretKeyRotation
Key rotation can provide an extra layer of mitigation against an attacker discovering a secret key.
Definition: SecretKeyRotation.php:42
ILIAS\WebDAV\Auth\ILIASAuthenticationFileCache\writeAuthCache
writeAuthCache(string $username, string $password_hash, int $usr_id)
Definition: ILIASAuthenticationFileCache.php:63
ILIAS\WebDAV\Auth\ILIASAuthenticationFileCache\setAuthenticated
setAuthenticated(string $username, string $password, int $user_id)
Definition: ILIASAuthenticationFileCache.php:93
ILIAS\WebDAV\Auth\ILIASAuthenticationFileCache\__construct
__construct(private Filesystem $filesystem, SecretKeyRotation $secret_key_rotation)
Definition: ILIASAuthenticationFileCache.php:38
ILIAS\Filesystem\Filesystem
The filesystem interface provides the public interface for the Filesystem service API consumer.
Definition: Filesystem.php:37
$payload
if(count($parts) !=3) $payload
Definition: ltitoken.php:67