9.5/_backend_module_controller_8php_source.html

<?php

declare(strict_types = 1);

namespace ‪TYPO3\CMS\Install\Controller;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


use Psr\Http\Message\ResponseInterface;

use Psr\Http\Message\ServerRequestInterface;

use ‪TYPO3\CMS\Backend\Routing\UriBuilder;

use ‪TYPO3\CMS\Core\Authentication\AbstractAuthenticationService;

use ‪TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

use ‪TYPO3\CMS\Core\Core\Environment;

use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;

use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;

use ‪TYPO3\CMS\Core\Http\HtmlResponse;

use ‪TYPO3\CMS\Core\Http\RedirectResponse;

use ‪TYPO3\CMS\Core\Http\Uri;

use ‪TYPO3\CMS\Core\Utility\ExtensionManagementUtility;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;

use ‪TYPO3\CMS\Fluid\View\StandaloneView;

use ‪TYPO3\CMS\Install\Service\SessionService;

use ‪TYPO3\CMS\Rsaauth\RsaEncryptionEncoder;


class ‪BackendModuleController

{

    private const ‪FLAG_CONFIRMATION_REQUEST = 1;

    protected const ‪FLAG_INSTALL_TOOL_PASSWORD = 2;

    private const ‪ALLOWED_ACTIONS = ['maintenance', 'settings', 'upgrade', 'environment'];


    protected ‪$sessionService;


    protected ‪$uriBuilder;


    public function ‪__construct()

    {

        $this->uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);

    }


    public function ‪backendUserConfirmationAction(ServerRequestInterface $request): ResponseInterface

    {

        $flags = (int)($request->getQueryParams()['flags'] ?? 0);

        $targetController = (string)($request->getQueryParams()['targetController'] ?? '');

        $targetHash = (string)($request->getQueryParams()['targetHash'] ?? '');

        $expectedTargetHash = GeneralUtility::hmac($targetController, BackendModuleController::class);

        $flagInstallToolPassword = (bool)($flags & self::FLAG_INSTALL_TOOL_PASSWORD);

        $flagInvalidPassword = false;


        if (!in_array($targetController, self::ALLOWED_ACTIONS, true)

            || !hash_equals($expectedTargetHash, $targetHash)) {

            return new ‪HtmlResponse('', 403);

        }

        if ($flags & self::FLAG_CONFIRMATION_REQUEST) {

            if ($flagInstallToolPassword && $this->‪verifyInstallToolPassword($request)) {

                return $this->‪setAuthorizedAndRedirect($targetController);

            }

            if (!$flagInstallToolPassword && $this->‪verifyBackendUserPassword($request)) {

                return $this->‪setAuthorizedAndRedirect($targetController);

            }

            $flagInvalidPassword = true;

        }


        $view = GeneralUtility::makeInstance(StandaloneView::class);

        $view->getTemplatePaths()->setTemplatePathAndFilename(

            ‪ExtensionManagementUtility::extPath(

                'install',

                'Resources/Private/Templates/BackendModule/BackendUserConfirmation.html'

            )

        );

        $view->assignMultiple([

            'flagInvalidPassword' => $flagInvalidPassword,

            'flagInstallToolPassword' => $flagInstallToolPassword,

            'languageFileReference' => 'LLL:EXT:install/Resources/Private/Language/BackendModule.xlf',

            'passwordModeUri' => $this->‪getBackendUserConfirmationUri([

                'targetController' => $targetController,

                'targetHash' => $targetHash,

                // current flags, unset FLAG_CONFIRMATION_REQUEST, toggle FLAG_INSTALL_TOOL_PASSWORD

                'flags' => $flags & ~self::FLAG_CONFIRMATION_REQUEST ^ self::FLAG_INSTALL_TOOL_PASSWORD,

            ]),

            'verifyUri' => $this->‪getBackendUserConfirmationUri([

                'targetController' => $targetController,

                'targetHash' => $targetHash,

                // current flags, add FLAG_CONFIRMATION_REQUEST

                'flags' => $flags | self::FLAG_CONFIRMATION_REQUEST,

            ]),

            'cancelUri' => '',

        ]);

        $this->‪applyRsaAuthModules();

        return new HtmlResponse($view->render());

    }


    public function ‪maintenanceAction(): ResponseInterface

    {

        return $this->‪getBackendUserConfirmationRedirect('maintenance')

            ?? $this->‪setAuthorizedAndRedirect('maintenance');

    }


    public function ‪settingsAction(): ResponseInterface

    {

        return $this->‪getBackendUserConfirmationRedirect('settings')

            ?? $this->‪setAuthorizedAndRedirect('settings');

    }


    public function ‪upgradeAction(): ResponseInterface

    {

        return $this->‪getBackendUserConfirmationRedirect('upgrade')

            ?? $this->‪setAuthorizedAndRedirect('upgrade');

    }


    public function ‪environmentAction(): ResponseInterface

    {

        return $this->‪getBackendUserConfirmationRedirect('environment')

            ?? $this->‪setAuthorizedAndRedirect('environment');

    }


    protected function ‪getBackendUserConfirmationRedirect(string $targetController): ?ResponseInterface

    {

        if ($this->‪getSessionService()->isAuthorizedBackendUserSession()) {

            return null;

        }

        if (‪Environment::getContext()->isDevelopment()) {

            return null;

        }

        $redirectUri = $this->‪getBackendUserConfirmationUri([

            'targetController' => $targetController,

            'targetHash' => GeneralUtility::hmac($targetController, BackendModuleController::class),

        ]);

        return new RedirectResponse((string)$redirectUri, 403);

    }


    protected function ‪getBackendUserConfirmationUri(array $parameters): ‪Uri

    {

        return $this->uriBuilder->buildUriFromRoute(

            'install.backend-user-confirmation',

            $parameters

        );

    }


    protected function ‪setAuthorizedAndRedirect(string $controller): ResponseInterface

    {

        $this->‪getSessionService()->‪setAuthorizedBackendSession();

        $redirectLocation = 'install.php?install[controller]=' . $controller . '&install[context]=backend';

        return new RedirectResponse($redirectLocation, 303);

    }


    protected function ‪verifyInstallToolPassword(ServerRequestInterface $request): bool

    {

        $parsedBody = $request->getParsedBody();

        $password = $parsedBody['confirmationPassword'] ?? null;

        $installToolPassword = ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] ?? null;

        if (!is_string($password) || empty($installToolPassword)) {

            return false;

        }


        try {

            $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);

            $hashInstance = $hashFactory->get($installToolPassword, 'BE');

            return $hashInstance->checkPassword($password, $installToolPassword);

        } catch (InvalidPasswordHashException $exception) {

            return false;

        }

    }


    protected function ‪verifyBackendUserPassword(ServerRequestInterface $request): bool

    {

        $parsedBody = $request->getParsedBody();

        $password = empty($parsedBody['confirmationPasswordInternal'])

            ? ($parsedBody['confirmationPassword'] ?? null) // default field

            : $parsedBody['confirmationPasswordInternal']; // filled e.g. by `ext:rsaauth`

        if (!is_string($password)) {

            return false;

        }


        // clone current backend user object to avoid

        // possible side effects for the real instance

        $backendUser = clone $this->‪getBackendUser();

        $loginData = [

            'status' => 'sudo-mode',

            'origin' => BackendModuleController::class,

            'uname'  => $backendUser->user['username'],

            'uident' => $password,

        ];

        // currently there is no dedicated API to perform authentication

        // that's why this process partially has to be simulated here

        $loginData = $backendUser->‪processLoginData($loginData);

        $authInfo = $backendUser->‪getAuthInfoArray();


        $authenticated = false;

        foreach ($this->getAuthServices($backendUser, $loginData, $authInfo) as ‪$service) {

            $ret = (int)‪$service->authUser($backendUser->user);

            if ($ret <= 0) {

                return false;

            }

            if ($ret >= 200) {

                return true;

            }

            if ($ret >= 100) {

                continue;

            }

            $authenticated = true;

            continue;

        }

        return $authenticated;

    }


    protected function getAuthServices(BackendUserAuthentication $backendUser, array $loginData, array $authInfo): \Generator

    {

        $serviceChain = [];

        $subType = 'authUserBE';

        while (‪$service = GeneralUtility::makeInstanceService('auth', $subType, $serviceChain)) {

            $serviceChain[] = ‪$service->getServiceKey();

            if (!is_object(‪$service)) {

                break;

            }

            ‪$service->initAuth($subType, $loginData, $authInfo, $backendUser);

            yield ‪$service;

        }

    }


    protected function ‪getBackendUser(): ‪BackendUserAuthentication

    {

        return ‪$GLOBALS['BE_USER'];

    }


    protected function ‪getSessionService(): SessionService

    {

        if ($this->sessionService === null) {

            $this->sessionService = new SessionService();

            $this->sessionService->startSession();

        }

        return ‪$this->sessionService;

    }


    protected function ‪applyRsaAuthModules()

    {

        if (!‪ExtensionManagementUtility::isLoaded('rsaauth')) {

            return;

        }

        $rsaEncryptionEncoder = GeneralUtility::makeInstance(RsaEncryptionEncoder::class);

        $rsaEncryptionEncoder->enableRsaEncryption(true);

    }

}