218 lines
7.9 KiB
PHP
218 lines
7.9 KiB
PHP
<?php
|
|
|
|
namespace SilverStripe\Security;
|
|
|
|
use SilverStripe\Control\Controller;
|
|
use SilverStripe\Control\Director;
|
|
use SilverStripe\Control\HTTPRequest;
|
|
use SilverStripe\Control\HTTPResponse;
|
|
use SilverStripe\Control\HTTPResponse_Exception;
|
|
use SilverStripe\Core\Config\Configurable;
|
|
use SilverStripe\Dev\Debug;
|
|
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
|
|
|
|
/**
|
|
* Provides an interface to HTTP basic authentication.
|
|
*
|
|
* This utility class can be used to secure any request with basic authentication. To do so,
|
|
* {@link BasicAuth::requireLogin()} from your Controller's init() method or action handler method.
|
|
*
|
|
* It also has a function to protect your entire site. See {@link BasicAuth::protect_entire_site()}
|
|
* for more information. You can control this setting on controller-level by using {@link Controller->basicAuthEnabled}.
|
|
*/
|
|
class BasicAuth
|
|
{
|
|
use Configurable;
|
|
|
|
/**
|
|
* @config
|
|
* @var Boolean Flag set by {@link self::protect_entire_site()}
|
|
*/
|
|
private static $entire_site_protected = false;
|
|
|
|
/**
|
|
* Set to true to ignore in CLI mode
|
|
*
|
|
* @var bool
|
|
*/
|
|
private static $ignore_cli = true;
|
|
|
|
/**
|
|
* @config
|
|
* @var String|array Holds a {@link Permission} code that is required
|
|
* when calling {@link protect_site_if_necessary()}. Set this value through
|
|
* {@link protect_entire_site()}.
|
|
*/
|
|
private static $entire_site_protected_code = 'ADMIN';
|
|
|
|
/**
|
|
* @config
|
|
* @var String Message that shows in the authentication box.
|
|
* Set this value through {@link protect_entire_site()}.
|
|
*/
|
|
private static $entire_site_protected_message = 'SilverStripe test website. Use your CMS login.';
|
|
|
|
/**
|
|
* Require basic authentication. Will request a username and password if none is given.
|
|
*
|
|
* Used by {@link Controller::init()}.
|
|
*
|
|
*
|
|
* @param HTTPRequest $request
|
|
* @param string $realm
|
|
* @param string|array $permissionCode Optional
|
|
* @param boolean $tryUsingSessionLogin If true, then the method with authenticate against the
|
|
* session log-in if those credentials are disabled.
|
|
* @return bool|Member
|
|
* @throws HTTPResponse_Exception
|
|
*/
|
|
public static function requireLogin(
|
|
HTTPRequest $request,
|
|
$realm,
|
|
$permissionCode = null,
|
|
$tryUsingSessionLogin = true
|
|
) {
|
|
if (!Security::database_is_ready() || (Director::is_cli() && static::config()->get('ignore_cli'))) {
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache
|
|
* Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
|
|
* REDIRECT_HTTP_AUTHORIZATION
|
|
*
|
|
* The follow rewrite rule must be in the sites .htaccess file to enable this workaround
|
|
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
|
|
*/
|
|
$authHeader = $request->getHeader('Authorization');
|
|
$matches = array();
|
|
if ($authHeader && preg_match('/Basic\s+(.*)$/i', $authHeader, $matches)) {
|
|
list($name, $password) = explode(':', base64_decode($matches[1]));
|
|
$request->addHeader('PHP_AUTH_USER', strip_tags($name));
|
|
$request->addHeader('PHP_AUTH_PW', strip_tags($password));
|
|
}
|
|
|
|
$member = null;
|
|
|
|
if ($request->getHeader('PHP_AUTH_USER') && $request->getHeader('PHP_AUTH_PW')) {
|
|
/** @var MemberAuthenticator $authenticator */
|
|
$authenticators = Security::singleton()->getApplicableAuthenticators(Authenticator::LOGIN);
|
|
|
|
foreach ($authenticators as $name => $authenticator) {
|
|
$member = $authenticator->authenticate([
|
|
'Email' => $request->getHeader('PHP_AUTH_USER'),
|
|
'Password' => $request->getHeader('PHP_AUTH_PW'),
|
|
], $request);
|
|
if ($member instanceof Member) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($member instanceof Member) {
|
|
Security::setCurrentUser($member);
|
|
}
|
|
|
|
if (!$member && $tryUsingSessionLogin) {
|
|
$member = Security::getCurrentUser();
|
|
}
|
|
|
|
// If we've failed the authentication mechanism, then show the login form
|
|
if (!$member) {
|
|
$response = new HTTPResponse(null, 401);
|
|
$response->addHeader('WWW-Authenticate', "Basic realm=\"$realm\"");
|
|
|
|
if ($request->getHeader('PHP_AUTH_USER')) {
|
|
$response->setBody(
|
|
_t(
|
|
'SilverStripe\\Security\\BasicAuth.ERRORNOTREC',
|
|
"That username / password isn't recognised"
|
|
)
|
|
);
|
|
} else {
|
|
$response->setBody(
|
|
_t(
|
|
'SilverStripe\\Security\\BasicAuth.ENTERINFO',
|
|
'Please enter a username and password.'
|
|
)
|
|
);
|
|
}
|
|
|
|
// Exception is caught by RequestHandler->handleRequest() and will halt further execution
|
|
$e = new HTTPResponse_Exception(null, 401);
|
|
$e->setResponse($response);
|
|
throw $e;
|
|
}
|
|
|
|
if ($permissionCode && !Permission::checkMember($member->ID, $permissionCode)) {
|
|
$response = new HTTPResponse(null, 401);
|
|
$response->addHeader('WWW-Authenticate', "Basic realm=\"$realm\"");
|
|
|
|
if ($request->getHeader('PHP_AUTH_USER')) {
|
|
$response->setBody(
|
|
_t(
|
|
'SilverStripe\\Security\\BasicAuth.ERRORNOTADMIN',
|
|
'That user is not an administrator.'
|
|
)
|
|
);
|
|
}
|
|
|
|
// Exception is caught by RequestHandler->handleRequest() and will halt further execution
|
|
$e = new HTTPResponse_Exception(null, 401);
|
|
$e->setResponse($response);
|
|
throw $e;
|
|
}
|
|
|
|
return $member;
|
|
}
|
|
|
|
/**
|
|
* Enable protection of the entire site with basic authentication.
|
|
*
|
|
* This log-in uses the Member database for authentication, but doesn't interfere with the
|
|
* regular log-in form. This can be useful for test sites, where you want to hide the site
|
|
* away from prying eyes, but still be able to test the regular log-in features of the site.
|
|
*
|
|
* If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
|
|
* this feature by adding this line to your .env:
|
|
*
|
|
* SS_USE_BASIC_AUTH=1
|
|
*
|
|
* @param boolean $protect Set this to false to disable protection.
|
|
* @param string $code {@link Permission} code that is required from the user.
|
|
* Defaults to "ADMIN". Set to NULL to just require a valid login, regardless
|
|
* of the permission codes a user has.
|
|
* @param string $message
|
|
*/
|
|
public static function protect_entire_site($protect = true, $code = 'ADMIN', $message = null)
|
|
{
|
|
static::config()
|
|
->set('entire_site_protected', $protect)
|
|
->set('entire_site_protected_code', $code);
|
|
if ($message) {
|
|
static::config()->set('entire_site_protected_message', $message);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Call {@link BasicAuth::requireLogin()} if {@link BasicAuth::protect_entire_site()} has been called.
|
|
* This is a helper function used by {@link Controller::init()}.
|
|
*
|
|
* If you want to enabled protection (rather than enforcing it),
|
|
* please use {@link protect_entire_site()}.
|
|
*/
|
|
public static function protect_site_if_necessary()
|
|
{
|
|
$config = static::config();
|
|
$request = Controller::curr()->getRequest();
|
|
if ($config->get('entire_site_protected')) {
|
|
static::requireLogin(
|
|
$request,
|
|
$config->get('entire_site_protected_message'),
|
|
$config->get('entire_site_protected_code'),
|
|
false
|
|
);
|
|
}
|
|
}
|
|
}
|