TYPO3 CMS  TYPO3_8-7
AuthenticationService.php
Go to the documentation of this file.
1 <?php
2 namespace TYPO3\CMS\Sv;
3 
4 /*
5  * This file is part of the TYPO3 CMS project.
6  *
7  * It is free software; you can redistribute it and/or modify it under
8  * the terms of the GNU General Public License, either version 2
9  * of the License, or any later version.
10  *
11  * For the full copyright and license information, please read the
12  * LICENSE.txt file that was distributed with this source code.
13  *
14  * The TYPO3 project - inspiring people to share!
15  */
16 
21 
26 {
35  public function processLoginData(array &$loginData, $passwordTransmissionStrategy)
36  {
37  $isProcessed = false;
38  if ($passwordTransmissionStrategy === 'normal') {
39  $loginData['uident_text'] = $loginData['uident'];
40  $isProcessed = true;
41  }
42  return $isProcessed;
43  }
44 
50  public function getUser()
51  {
52  if ($this->login['status'] !== 'login') {
53  return false;
54  }
55  if ((string)$this->login['uident_text'] === '') {
56  // Failed Login attempt (no password given)
57  $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s) for username \'%s\' with an empty password!', [
58  $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']
59  ]);
60  GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), for username \'%s\' with an empty password!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'Core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
61  return false;
62  }
63 
64  $user = $this->fetchUserRecord($this->login['uname']);
65  if (!is_array($user)) {
66  // Failed login attempt (no username found)
67  $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s), username \'%s\' not found!!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']]);
68  // Logout written to log
69  GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\' not found!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
70  } else {
71  if ($this->writeDevLog) {
72  GeneralUtility::devLog('User found: ' . GeneralUtility::arrayToLogString($user, [$this->db_user['userid_column'], $this->db_user['username_column']]), self::class);
73  }
74  }
75  return $user;
76  }
77 
91  public function authUser(array $user)
92  {
93  $OK = 100;
94  // This authentication service can only work correctly, if a non empty username along with a non empty password is provided.
95  // Otherwise a different service is allowed to check for other login credentials
96  if ((string)$this->login['uident_text'] !== '' && (string)$this->login['uname'] !== '') {
97  // Checking password match for user:
98  $OK = $this->compareUident($user, $this->login);
99  if (!$OK) {
100  // Failed login attempt (wrong password) - write that to the log!
101  if ($this->writeAttemptLog) {
102  $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', password not accepted!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']]);
103  GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\', password not accepted!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
104  }
105  if ($this->writeDevLog) {
106  GeneralUtility::devLog('Password not accepted: ' . $this->login['uident'], self::class, 2);
107  }
108  }
109  // Checking the domain (lockToDomain)
110  if ($OK && $user['lockToDomain'] && $user['lockToDomain'] !== $this->authInfo['HTTP_HOST']) {
111  // Lock domain didn't match, so error:
112  if ($this->writeAttemptLog) {
113  $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']]);
114  GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']), 'core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
115  }
116  $OK = 0;
117  }
118  }
119  return $OK;
120  }
121 
129  public function getGroups($user, $knownGroups)
130  {
131  /*
132  * Attention: $knownGroups is not used within this method, but other services can use it.
133  * This parameter should not be removed!
134  * The FrontendUserAuthentication call getGroups and handover the previous detected groups.
135  */
136  $groupDataArr = [];
137  if ($this->mode === 'getGroupsFE') {
138  $groups = [];
139  if (is_array($user) && $user[$this->db_user['usergroup_column']]) {
140  $groupList = $user[$this->db_user['usergroup_column']];
141  $groups = [];
142  $this->getSubGroups($groupList, '', $groups);
143  }
144  // ADD group-numbers if the IPmask matches.
145  if (is_array($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'])) {
146  foreach ($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'] as $IPel) {
147  if ($this->authInfo['REMOTE_ADDR'] && $IPel[0] && GeneralUtility::cmpIP($this->authInfo['REMOTE_ADDR'], $IPel[0])) {
148  $groups[] = (int)$IPel[1];
149  }
150  }
151  }
152  $groups = array_unique($groups);
153  if (!empty($groups)) {
154  if ($this->writeDevLog) {
155  GeneralUtility::devLog('Get usergroups with id: ' . implode(',', $groups), __CLASS__);
156  }
157  $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
158  ->getQueryBuilderForTable($this->db_groups['table']);
159  if (!empty($this->authInfo['showHiddenRecords'])) {
160  $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
161  }
162 
163  $res = $queryBuilder->select('*')
164  ->from($this->db_groups['table'])
165  ->where(
166  $queryBuilder->expr()->in(
167  'uid',
168  $queryBuilder->createNamedParameter($groups, Connection::PARAM_INT_ARRAY)
169  ),
170  $queryBuilder->expr()->orX(
171  $queryBuilder->expr()->eq(
172  'lockToDomain',
173  $queryBuilder->createNamedParameter('', \PDO::PARAM_STR)
174  ),
175  $queryBuilder->expr()->isNull('lockToDomain'),
176  $queryBuilder->expr()->eq(
177  'lockToDomain',
178  $queryBuilder->createNamedParameter($this->authInfo['HTTP_HOST'], \PDO::PARAM_STR)
179  )
180  )
181  )
182  ->execute();
183 
184  while ($row = $res->fetch()) {
185  $groupDataArr[$row['uid']] = $row;
186  }
187  } else {
188  if ($this->writeDevLog) {
189  GeneralUtility::devLog('No usergroups found.', self::class, 2);
190  }
191  }
192  }
193  return $groupDataArr;
194  }
195 
207  public function getSubGroups($grList, $idList = '', &$groups)
208  {
209  // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
210  $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('fe_groups');
211  if (!empty($this->authInfo['showHiddenRecords'])) {
212  $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
213  }
214 
215  $res = $queryBuilder
216  ->select('uid', 'subgroup')
217  ->from($this->db_groups['table'])
218  ->where(
219  $queryBuilder->expr()->in(
220  'uid',
221  $queryBuilder->createNamedParameter(
222  GeneralUtility::intExplode(',', $grList, true),
223  Connection::PARAM_INT_ARRAY
224  )
225  ),
226  $queryBuilder->expr()->orX(
227  $queryBuilder->expr()->eq(
228  'lockToDomain',
229  $queryBuilder->createNamedParameter('', \PDO::PARAM_STR)
230  ),
231  $queryBuilder->expr()->isNull('lockToDomain'),
232  $queryBuilder->expr()->eq(
233  'lockToDomain',
234  $queryBuilder->createNamedParameter($this->authInfo['HTTP_HOST'], \PDO::PARAM_STR)
235  )
236  )
237  )
238  ->execute();
239 
240  // Internal group record storage
241  $groupRows = [];
242  // The groups array is filled
243  while ($row = $res->fetch()) {
244  if (!in_array($row['uid'], $groups)) {
245  $groups[] = $row['uid'];
246  }
247  $groupRows[$row['uid']] = $row;
248  }
249  // Traversing records in the correct order
250  $include_staticArr = GeneralUtility::intExplode(',', $grList);
251  // traversing list
252  foreach ($include_staticArr as $uid) {
253  // Get row:
254  $row = $groupRows[$uid];
255  // Must be an array and $uid should not be in the idList, because then it is somewhere previously in the grouplist
256  if (is_array($row) && !GeneralUtility::inList($idList, $uid)) {
257  // Include sub groups
258  if (trim($row['subgroup'])) {
259  // Make integer list
260  $theList = implode(',', GeneralUtility::intExplode(',', $row['subgroup']));
261  // Call recursively, pass along list of already processed groups so they are not processed again.
262  $this->getSubGroups($theList, $idList . ',' . $uid, $groups);
263  }
264  }
265  }
266  }
267 }
static devLog($msg, $extKey, $severity=0, $dataVar=false)
static intExplode($delimiter, $string, $removeEmptyValues=false, $limit=0)
static arrayToLogString(array $arr, $valueList=[], $valueLength=20)
writelog($type, $action, $error, $details_nr, $details, $data, $tablename='', $recuid='', $recpid='')
processLoginData(array &$loginData, $passwordTransmissionStrategy)
static makeInstance($className,... $constructorArguments)
getSubGroups($grList, $idList='', &$groups)
fetchUserRecord($username, $extraWhere='', $dbUserSetup='')
if(TYPO3_MODE==='BE') $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tsfebeuserauth.php']['frontendEditingController']['default']
compareUident(array $user, array $loginData, $passwordCompareStrategy='')