Current File : /home/tradevaly/www/phpmy/libraries/classes/Plugins/AuthenticationPlugin.php
<?php
/**
 * Abstract class for the authentication plugins
 */

declare(strict_types=1);

namespace PhpMyAdmin\Plugins;

use PhpMyAdmin\Config;
use PhpMyAdmin\Core;
use PhpMyAdmin\IpAllowDeny;
use PhpMyAdmin\Logging;
use PhpMyAdmin\Message;
use PhpMyAdmin\ResponseRenderer;
use PhpMyAdmin\Session;
use PhpMyAdmin\Template;
use PhpMyAdmin\TwoFactor;
use PhpMyAdmin\Url;
use PhpMyAdmin\Util;

use function __;
use function array_keys;
use function defined;
use function htmlspecialchars;
use function intval;
use function max;
use function min;
use function session_destroy;
use function session_unset;
use function sprintf;
use function time;

/**
 * Provides a common interface that will have to be implemented by all of the
 * authentication plugins.
 */
abstract class AuthenticationPlugin
{
    /**
     * Username
     *
     * @var string
     */
    public $user = '';

    /**
     * Password
     *
     * @var string
     */
    public $password = '';

    /** @var IpAllowDeny */
    protected $ipAllowDeny;

    /** @var Template */
    public $template;

    public function __construct()
    {
        $this->ipAllowDeny = new IpAllowDeny();
        $this->template = new Template();
    }

    /**
     * Displays authentication form
     */
    abstract public function showLoginForm(): bool;

    /**
     * Gets authentication credentials
     */
    abstract public function readCredentials(): bool;

    /**
     * Set the user and password after last checkings if required
     */
    public function storeCredentials(): bool
    {
        global $cfg;

        $this->setSessionAccessTime();

        $cfg['Server']['user'] = $this->user;
        $cfg['Server']['password'] = $this->password;

        return true;
    }

    /**
     * Stores user credentials after successful login.
     */
    public function rememberCredentials(): void
    {
    }

    /**
     * User is not allowed to login to MySQL -> authentication failed
     *
     * @param string $failure String describing why authentication has failed
     */
    public function showFailure($failure): void
    {
        Logging::logUser($this->user, $failure);
    }

    /**
     * Perform logout
     */
    public function logOut(): void
    {
        global $config;

        /* Obtain redirect URL (before doing logout) */
        if (! empty($GLOBALS['cfg']['Server']['LogoutURL'])) {
            $redirect_url = $GLOBALS['cfg']['Server']['LogoutURL'];
        } else {
            $redirect_url = $this->getLoginFormURL();
        }

        /* Clear credentials */
        $this->user = '';
        $this->password = '';

        /*
         * Get a logged-in server count in case of LoginCookieDeleteAll is disabled.
         */
        $server = 0;
        if ($GLOBALS['cfg']['LoginCookieDeleteAll'] === false && $GLOBALS['cfg']['Server']['auth_type'] === 'cookie') {
            foreach (array_keys($GLOBALS['cfg']['Servers']) as $key) {
                if (! $config->issetCookie('pmaAuth-' . $key)) {
                    continue;
                }

                $server = $key;
            }
        }

        if ($server === 0) {
            /* delete user's choices that were stored in session */
            if (! defined('TESTSUITE')) {
                session_unset();
                session_destroy();
            }

            /* Redirect to login form (or configured URL) */
            Core::sendHeaderLocation($redirect_url);
        } else {
            /* Redirect to other authenticated server */
            $_SESSION['partial_logout'] = true;
            Core::sendHeaderLocation(
                './index.php?route=/' . Url::getCommonRaw(['server' => $server], '&')
            );
        }
    }

    /**
     * Returns URL for login form.
     *
     * @return string
     */
    public function getLoginFormURL()
    {
        return './index.php?route=/';
    }

    /**
     * Returns error message for failed authentication.
     *
     * @param string $failure String describing why authentication has failed
     *
     * @return string
     */
    public function getErrorMessage($failure)
    {
        global $dbi;

        if ($failure === 'empty-denied') {
            return __('Login without a password is forbidden by configuration (see AllowNoPassword)');
        }

        if ($failure === 'root-denied' || $failure === 'allow-denied') {
            return __('Access denied!');
        }

        if ($failure === 'no-activity') {
            return sprintf(
                __('You have been automatically logged out due to inactivity of %s seconds.'
                . ' Once you log in again, you should be able to resume the work where you left off.'),
                intval($GLOBALS['cfg']['LoginCookieValidity'])
            );
        }

        $dbi_error = $dbi->getError();
        if (! empty($dbi_error)) {
            return htmlspecialchars($dbi_error);
        }

        if (isset($GLOBALS['errno'])) {
            return '#' . $GLOBALS['errno'] . ' '
            . __('Cannot log in to the MySQL server');
        }

        return __('Cannot log in to the MySQL server');
    }

    /**
     * Callback when user changes password.
     *
     * @param string $password New password to set
     */
    public function handlePasswordChange($password): void
    {
    }

    /**
     * Store session access time in session.
     *
     * Tries to workaround PHP 5 session garbage collection which
     * looks at the session file's last modified time
     */
    public function setSessionAccessTime(): void
    {
        if (isset($_REQUEST['guid'])) {
            $guid = (string) $_REQUEST['guid'];
        } else {
            $guid = 'default';
        }

        if (isset($_REQUEST['access_time'])) {
            // Ensure access_time is in range <0, LoginCookieValidity + 1>
            // to avoid excessive extension of validity.
            //
            // Negative values can cause session expiry extension
            // Too big values can cause overflow and lead to same
            $time = time() - min(max(0, intval($_REQUEST['access_time'])), $GLOBALS['cfg']['LoginCookieValidity'] + 1);
        } else {
            $time = time();
        }

        $_SESSION['browser_access_time'][$guid] = $time;
    }

    /**
     * High level authentication interface
     *
     * Gets the credentials or shows login form if necessary
     */
    public function authenticate(): void
    {
        $success = $this->readCredentials();

        /* Show login form (this exits) */
        if (! $success) {
            /* Force generating of new session */
            Session::secure();
            $this->showLoginForm();
        }

        /* Store credentials (eg. in cookies) */
        $this->storeCredentials();
        /* Check allow/deny rules */
        $this->checkRules();
        /* clear user cache */
        Util::clearUserCache();
    }

    /**
     * Check configuration defined restrictions for authentication
     */
    public function checkRules(): void
    {
        global $cfg;

        // Check IP-based Allow/Deny rules as soon as possible to reject the
        // user based on mod_access in Apache
        if (isset($cfg['Server']['AllowDeny']['order'])) {
            $allowDeny_forbidden = false; // default
            if ($cfg['Server']['AllowDeny']['order'] === 'allow,deny') {
                $allowDeny_forbidden = true;
                if ($this->ipAllowDeny->allow()) {
                    $allowDeny_forbidden = false;
                }

                if ($this->ipAllowDeny->deny()) {
                    $allowDeny_forbidden = true;
                }
            } elseif ($cfg['Server']['AllowDeny']['order'] === 'deny,allow') {
                if ($this->ipAllowDeny->deny()) {
                    $allowDeny_forbidden = true;
                }

                if ($this->ipAllowDeny->allow()) {
                    $allowDeny_forbidden = false;
                }
            } elseif ($cfg['Server']['AllowDeny']['order'] === 'explicit') {
                if ($this->ipAllowDeny->allow() && ! $this->ipAllowDeny->deny()) {
                    $allowDeny_forbidden = false;
                } else {
                    $allowDeny_forbidden = true;
                }
            }

            // Ejects the user if banished
            if ($allowDeny_forbidden) {
                $this->showFailure('allow-denied');
            }
        }

        // is root allowed?
        if (! $cfg['Server']['AllowRoot'] && $cfg['Server']['user'] === 'root') {
            $this->showFailure('root-denied');
        }

        // is a login without password allowed?
        if ($cfg['Server']['AllowNoPassword'] || $cfg['Server']['password'] !== '') {
            return;
        }

        $this->showFailure('empty-denied');
    }

    /**
     * Checks whether two factor authentication is active
     * for given user and performs it.
     */
    public function checkTwoFactor(): void
    {
        $twofactor = new TwoFactor($this->user);

        /* Do we need to show the form? */
        if ($twofactor->check()) {
            return;
        }

        $response = ResponseRenderer::getInstance();
        if ($response->loginPage()) {
            if (defined('TESTSUITE')) {
                return;
            }

            exit;
        }

        echo $this->template->render('login/header');
        echo Message::rawNotice(
            __('You have enabled two factor authentication, please confirm your login.')
        )->getDisplay();
        echo $this->template->render('login/twofactor', [
            'form' => $twofactor->render(),
            'show_submit' => $twofactor->showSubmit(),
        ]);
        echo $this->template->render('login/footer');
        echo Config::renderFooter();
        if (! defined('TESTSUITE')) {
            exit;
        }
    }
}