forked from rebillar/site-accueil-insa
		
	
		
			
				
	
	
		
			202 lines
		
	
	
	
		
			5.8 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
			
		
		
	
	
			202 lines
		
	
	
	
		
			5.8 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
| <?php
 | |
| /**
 | |
|  * Matomo - free/libre analytics platform
 | |
|  *
 | |
|  * @link https://matomo.org
 | |
|  * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
 | |
|  */
 | |
| namespace Piwik\Plugins\TwoFactorAuth;
 | |
| 
 | |
| use Piwik\Common;
 | |
| use Piwik\Db;
 | |
| use Piwik\Option;
 | |
| use Piwik\Piwik;
 | |
| use Piwik\Plugins\TwoFactorAuth\Dao\RecoveryCodeDao;
 | |
| use Piwik\Plugins\TwoFactorAuth\Dao\TwoFaSecretRandomGenerator;
 | |
| use Piwik\Plugins\UsersManager\Model;
 | |
| use Exception;
 | |
| use Piwik\SettingsPiwik;
 | |
| 
 | |
| require_once PIWIK_DOCUMENT_ROOT . '/libs/Authenticator/TwoFactorAuthenticator.php';
 | |
| 
 | |
| class TwoFactorAuthentication
 | |
| {
 | |
|     const OPTION_PREFIX_TWO_FA_CODE_USED = 'twofa_codes_used_';
 | |
| 
 | |
|     /**
 | |
|      * Make sure the same fa code was not used in the last X minutes.
 | |
|      * Technically, even 2 minutes be fine since every token is only valid for 30 sec and we only allow the 2 most
 | |
|      * recent tokens.
 | |
|      */
 | |
|     const BLOCK_TWOFA_CODE_MINUTES = 10;
 | |
| 
 | |
|     /**
 | |
|      * @var SystemSettings
 | |
|      */
 | |
|     private $settings;
 | |
| 
 | |
|     /**
 | |
|      * @var RecoveryCodeDao
 | |
|      */
 | |
|     private $recoveryCodeDao;
 | |
| 
 | |
|     /**
 | |
|      * @var TwoFaSecretRandomGenerator
 | |
|      */
 | |
|     private $secretGenerator;
 | |
| 
 | |
|     public function __construct(SystemSettings $systemSettings, RecoveryCodeDao $recoveryCodeDao, TwoFaSecretRandomGenerator $twoFaSecretRandomGenerator)
 | |
|     {
 | |
|         $this->settings = $systemSettings;
 | |
|         $this->recoveryCodeDao = $recoveryCodeDao;
 | |
|         $this->secretGenerator = $twoFaSecretRandomGenerator;
 | |
|     }
 | |
| 
 | |
|     private static function getUserModel()
 | |
|     {
 | |
|         return new Model();
 | |
|     }
 | |
| 
 | |
|     public function generateSecret()
 | |
|     {
 | |
|         return $this->secretGenerator->generateSecret();
 | |
|     }
 | |
| 
 | |
|     public function disable2FAforUser($login)
 | |
|     {
 | |
|         $this->saveSecret($login, '');
 | |
|         $this->recoveryCodeDao->deleteAllRecoveryCodesForLogin($login);
 | |
| 
 | |
|         Piwik::postEvent('TwoFactorAuth.disabled', array($login));
 | |
|     }
 | |
| 
 | |
|     private static function isAnonymous($login)
 | |
|     {
 | |
|         return strtolower($login) === 'anonymous';
 | |
|     }
 | |
| 
 | |
|     public function saveSecret($login, $secret)
 | |
|     {
 | |
|         if (self::isAnonymous($login)) {
 | |
|             throw new Exception('Anonymous cannot use two-factor authentication');
 | |
|         }
 | |
| 
 | |
|         if (!empty($secret) && !$this->recoveryCodeDao->getAllRecoveryCodesForLogin($login)) {
 | |
|             // ensures the user has seen and ideally backuped the recovery codes... we don't create them here on demand
 | |
|             throw new Exception('Cannot enable two-factor authentication, no recovery codes have been created');
 | |
|         }
 | |
| 
 | |
|         $model = self::getUserModel();
 | |
|         $model->updateUserFields($login, array('twofactor_secret' => $secret));
 | |
|     }
 | |
| 
 | |
|     public function isUserRequiredToHaveTwoFactorEnabled()
 | |
|     {
 | |
|         return $this->settings->twoFactorAuthRequired->getValue();
 | |
|     }
 | |
| 
 | |
|     public static function isUserUsingTwoFactorAuthentication($login)
 | |
|     {
 | |
|         if (self::isAnonymous($login)) {
 | |
|             return false; // not possible to use auth code with anonymous
 | |
|         }
 | |
| 
 | |
|         $user = self::getUser($login);
 | |
|         return !empty($user['twofactor_secret']);
 | |
|     }
 | |
| 
 | |
|     private static function getUser($login)
 | |
|     {
 | |
|         $model = self::getUserModel();
 | |
|         return $model->getUser($login);
 | |
|     }
 | |
| 
 | |
|     private function wasTwoFaCodeUsedRecently($login, $authCode)
 | |
|     {
 | |
|         $time = Option::get($this->gettwoFaCodeUsedKey($login, $authCode));
 | |
|         if (empty($time)) {
 | |
|             return false;
 | |
|         }
 | |
|         $fiveMinutes = 60 * self::BLOCK_TWOFA_CODE_MINUTES;
 | |
|         if (time() - $fiveMinutes >= (int)$time) {
 | |
|             return true;
 | |
|         }
 | |
|         return false;
 | |
|     }
 | |
| 
 | |
|     private function gettwoFaCodeUsedKey($login, $authCode)
 | |
|     {
 | |
|         return self::OPTION_PREFIX_TWO_FA_CODE_USED . md5($login . $authCode . SettingsPiwik::getSalt());
 | |
|     }
 | |
| 
 | |
|     private function setTwoFaCodeWasUsed($login, $authCode)
 | |
|     {
 | |
|         $table = Common::prefixTable('option');
 | |
|         $bind = array($this->gettwoFaCodeUsedKey($login, $authCode), time(), 0);
 | |
|         try {
 | |
|             Db::query('INSERT INTO `' . $table . '` (option_name, option_value, autoload) VALUES (?, ?, ?) ', $bind);
 | |
|             return true;
 | |
|         } catch (Exception $e) {
 | |
|             // when 2 process try to insert at same time should result in duplicate error
 | |
|             return false;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     public function cleanupTwoFaCodesUsedRecently()
 | |
|     {
 | |
|         $values = Option::getLike(TwoFactorAuthentication::OPTION_PREFIX_TWO_FA_CODE_USED . '%');
 | |
|         if (!empty($values)) {
 | |
|             foreach ($values as $optionName => $timeCodeWasUsed) {
 | |
|                 $fiveMinutesAgo = time() - (60 * self::BLOCK_TWOFA_CODE_MINUTES);
 | |
|                 if ($timeCodeWasUsed < $fiveMinutesAgo) {
 | |
|                     // delete any entry created more than 5 min ago
 | |
|                     Option::delete($optionName);
 | |
|                 }
 | |
|             }
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     public function validateAuthCode($login, $authCode)
 | |
|     {
 | |
|         if (!self::isUserUsingTwoFactorAuthentication($login)) {
 | |
|             return false;
 | |
|         }
 | |
| 
 | |
|         $user = self::getUser($login);
 | |
| 
 | |
|         if ($this->wasTwoFaCodeUsedRecently($user['login'], $authCode)) {
 | |
|             return false;
 | |
|         }
 | |
| 
 | |
|         if (!$this->setTwoFaCodeWasUsed($user['login'], $authCode)) {
 | |
|             return false;
 | |
|         }
 | |
| 
 | |
|         if (!empty($user['twofactor_secret'])
 | |
|             && $this->validateAuthCodeDuringSetup($authCode, $user['twofactor_secret'])) {
 | |
|             return true;
 | |
|         }
 | |
| 
 | |
|         if ($this->recoveryCodeDao->useRecoveryCode($user['login'], $authCode)) {
 | |
|             return true;
 | |
|         }
 | |
| 
 | |
|         return false;
 | |
|     }
 | |
| 
 | |
|     public function validateAuthCodeDuringSetup($authCode, $secret)
 | |
|     {
 | |
|         $twoFactorAuth = $this->makeAuthenticator();
 | |
| 
 | |
|         if (!empty($secret) && $twoFactorAuth->verifyCode($secret, $authCode, 2)) {
 | |
|             return true;
 | |
|         }
 | |
|         return false;
 | |
|     }
 | |
| 
 | |
|     private function makeAuthenticator()
 | |
|     {
 | |
|         return new \TwoFactorAuthenticator();
 | |
|     }
 | |
| 
 | |
| }
 |