Namespaces

Classes

1: <?php
2: /**
3: * This code is licensed under AGPLv3 license or Afterlogic Software License
4: * if commercial version of the product was purchased.
5: * For full statements of the licenses see LICENSE-AFTERLOGIC and LICENSE-AGPL3 files.
6: */
7:
8: namespace Aurora\Modules\AdminAuth;
9:
10: use Aurora\Modules\Core\Module as CoreModule;
11:
12: /**
13: * This module adds ability to login to the admin panel as a Super Administrator.
14: *
15: * @license https://www.gnu.org/licenses/agpl-3.0.html AGPL-3.0
16: * @license https://afterlogic.com/products/common-licensing Afterlogic Software License
17: * @copyright Copyright (c) 2023, Afterlogic Corp.
18: *
19: * @property Settings $oModuleSettings
20: *
21: * @package Modules
22: */
23: class Module extends \Aurora\System\Module\AbstractModule
24: {
25: /**
26: * @return Module
27: */
28: public static function getInstance()
29: {
30: return parent::getInstance();
31: }
32:
33: /**
34: * @return Module
35: */
36: public static function Decorator()
37: {
38: return parent::Decorator();
39: }
40:
41: /**
42: * @return Settings
43: */
44: public function getModuleSettings()
45: {
46: return $this->oModuleSettings;
47: }
48:
49: /***** private functions *****/
50: /**
51: * @return void
52: */
53: public function init()
54: {
55: $this->subscribeEvent('Login', array($this, 'onLogin'), 10);
56: $this->subscribeEvent('CheckAccountExists', array($this, 'onCheckAccountExists'));
57: $this->subscribeEvent('System::RunEntry::before', array($this, 'onBeforeRunEntry'));
58: }
59:
60: public function LoginAsSuperadmin($Login, $Password)
61: {
62: \Aurora\System\Api::checkUserRoleIsAtLeast(\Aurora\System\Enums\UserRole::Anonymous);
63:
64: $aAuthData = self::Decorator()->Login($Login, $Password);
65:
66: $mResult = CoreModule::Decorator()->SetAuthDataAndGetAuthToken($aAuthData);
67:
68: return $mResult;
69: }
70:
71: public function Login($Login, $Password)
72: {
73: $sIp = \Aurora\System\Utils::getClientIp();
74: CoreModule::Decorator()->IsBlockedUser($Login, $sIp);
75:
76: $mResult = false;
77: $oSettings = &\Aurora\System\Api::GetSettings();
78: if ($Login === $oSettings->AdminLogin) {
79: if ($this->isClientIpInWhitelist()) {
80: $sAdminPassword = $oSettings->AdminPassword;
81: $bCorrectEmptyPass = empty($Password) && empty($sAdminPassword);
82: $bCorrectPass = password_verify(trim($Password), $sAdminPassword);
83:
84: if ($bCorrectEmptyPass || $bCorrectPass) {
85: $mResult = [
86: 'token' => 'admin',
87: 'id' => '-1'
88: ];
89: }
90: }
91: }
92:
93: if (!$mResult) {
94: CoreModule::Decorator()->BlockUser($Login, $sIp);
95: CoreModule::Decorator()->IsBlockedUser($Login, $sIp);
96: } else {
97: $oBlockedUser = CoreModule::Decorator()->GetBlockedUser($Login, $sIp);
98: if ($oBlockedUser) {
99: $oBlockedUser->delete();
100: }
101: }
102:
103: return $mResult;
104: }
105:
106: /**
107: * Checks if superadmin has specified login.
108: *
109: * @param array $aArgs
110: *
111: * @throws \Aurora\System\Exceptions\ApiException
112: */
113: public function onCheckAccountExists($aArgs)
114: {
115: $oSettings = &\Aurora\System\Api::GetSettings();
116: if ($aArgs['Login'] === $oSettings->AdminLogin) {
117: throw new \Aurora\System\Exceptions\ApiException(\Aurora\System\Notifications::AccountExists);
118: }
119: }
120:
121: /**
122: * Tries to log in with specified credentials.
123: *
124: * @param array $aArgs Parameters contain the required credentials.
125: * @param array|mixed $mResult Parameter is passed by reference for further filling with result. Result is the array with data for authentication token.
126: */
127: public function onLogin(&$aArgs, &$mResult)
128: {
129: $bAllowLoginFromCoreModule = $this->oModuleSettings->AllowLoginFromCoreModule;
130: $oSettings = &\Aurora\System\Api::GetSettings();
131: if ($bAllowLoginFromCoreModule && $aArgs['Login'] === $oSettings->AdminLogin) {
132: $mResult = $this->Login($aArgs['Login'], $aArgs['Password']);
133: return true;
134: }
135: }
136:
137: protected function isClientIpInWhitelist()
138: {
139: $mResult = true;
140:
141: $aWhitelistIp = $this->oModuleSettings->SuperadminWhitelistIp;
142: $ip = \Aurora\System\Utils::getClientIp();
143:
144: if (!empty($ip) && count($aWhitelistIp) > 0 && !in_array($ip, $aWhitelistIp)) {
145: $mResult = false;
146: }
147:
148: return $mResult;
149: }
150:
151: public function onBeforeRunEntry(&$aArgs, &$mResult)
152: {
153: $oAuthenticatedUser = \Aurora\System\Api::getAuthenticatedUser();
154: if (
155: $oAuthenticatedUser instanceof \Aurora\Modules\Core\Models\User
156: && $oAuthenticatedUser->Role === \Aurora\System\Enums\UserRole::SuperAdmin
157: && !$this->isClientIpInWhitelist()
158: ) {
159: if (isset($aArgs['EntryName']) && strtolower($aArgs['EntryName']) === 'default') {
160: CoreModule::Decorator()->Logout();
161: } else {
162: throw new \Aurora\System\Exceptions\ApiException(
163: \Aurora\System\Notifications::AccessDenied,
164: null,
165: $this->i18N('ERROR_USER_ACCESS_DENIED'),
166: [],
167: $this
168: );
169: // aborting the RunEntry execution stack
170: return true;
171: }
172: }
173: }
174: /***** private functions *****/
175: }
176:
Aurora Files API documentation generated by ApiGen v7.0.0-alpha.4