1: <?php
2: /**
3: * This code is licensed under AGPLv3 license or Afterlogic Software License
4: * if commercial version of the product was purchased.
5: * For full statements of the licenses see LICENSE-AFTERLOGIC and LICENSE-AGPL3 files.
6: */
7:
8: namespace Aurora\Modules\AdminAuth;
9:
10: use Aurora\Modules\Core\Module as CoreModule;
11:
12: /**
13: * This module adds ability to login to the admin panel as a Super Administrator.
14: *
15: * @license https://www.gnu.org/licenses/agpl-3.0.html AGPL-3.0
16: * @license https://afterlogic.com/products/common-licensing Afterlogic Software License
17: * @copyright Copyright (c) 2023, Afterlogic Corp.
18: *
19: * @package Modules
20: */
21: class Module extends \Aurora\System\Module\AbstractModule
22: {
23: /**
24: *
25: * @return Module
26: */
27: public static function getInstance()
28: {
29: return \Aurora\System\Api::GetModule(self::GetName());
30: }
31:
32: /***** private functions *****/
33: /**
34: * @return void
35: */
36: public function init()
37: {
38: $this->subscribeEvent('Login', array($this, 'onLogin'), 10);
39: $this->subscribeEvent('CheckAccountExists', array($this, 'onCheckAccountExists'));
40: $this->subscribeEvent('System::RunEntry::before', array($this, 'onBeforeRunEntry'));
41: }
42:
43: /**
44: * Return crypted password.
45: *
46: * @param string $Password
47: * @return string
48: */
49: public function CryptPassword($Password)
50: {
51: return crypt(trim($Password), \Aurora\System\Api::$sSalt);
52: }
53:
54: public function LoginAsSuperadmin($Login, $Password)
55: {
56: \Aurora\System\Api::checkUserRoleIsAtLeast(\Aurora\System\Enums\UserRole::Anonymous);
57:
58: $aAuthData = self::Decorator()->Login($Login, $Password);
59:
60: return \Aurora\Modules\Core\Module::Decorator()->SetAuthDataAndGetAuthToken($aAuthData);
61: }
62:
63: public function Login($Login, $Password)
64: {
65: $sIp = \Aurora\System\Utils::getClientIp();
66: CoreModule::Decorator()->IsBlockedUser($Login, $sIp);
67:
68: $mResult = false;
69: $oSettings =& \Aurora\System\Api::GetSettings();
70: if ($Login === $oSettings->AdminLogin) {
71: if ($this->isClientIpInWhitelist()) {
72: $sAdminPassword = $oSettings->AdminPassword;
73: $bCorrectEmptyPass = empty($Password) && empty($sAdminPassword);
74: $bCorrectPass = $this->CryptPassword($Password) === $sAdminPassword;
75:
76: if ($bCorrectEmptyPass || $bCorrectPass) {
77: $mResult = [
78: 'token' => 'admin',
79: 'id' => '-1'
80: ];
81: }
82: }
83: }
84:
85: if (!$mResult) {
86: CoreModule::Decorator()->BlockUser($Login, $sIp);
87: CoreModule::Decorator()->IsBlockedUser($Login, $sIp);
88: } else {
89: $oBlockedUser = CoreModule::Decorator()->GetBlockedUser($Login, $sIp);
90: if ($oBlockedUser) {
91: $oBlockedUser->delete();
92: }
93: }
94:
95: return $mResult;
96: }
97:
98: /**
99: * Checks if superadmin has specified login.
100: *
101: * @param string $sLogin Login for checking.
102: *
103: * @throws \Aurora\System\Exceptions\ApiException
104: */
105: public function onCheckAccountExists($aArgs)
106: {
107: $oSettings =&\Aurora\System\Api::GetSettings();
108: if ($aArgs['Login'] === $oSettings->AdminLogin) {
109: throw new \Aurora\System\Exceptions\ApiException(\Aurora\System\Notifications::AccountExists);
110: }
111: }
112:
113: /**
114: * Tries to log in with specified credentials.
115: *
116: * @param array $aParams Parameters contain the required credentials.
117: * @param array|mixed $mResult Parameter is passed by reference for further filling with result. Result is the array with data for authentication token.
118: */
119: public function onLogin(&$aArgs, &$mResult)
120: {
121: $bAllowLoginFromCoreModule = $this->getConfig('AllowLoginFromCoreModule', false);
122: $oSettings =&\Aurora\System\Api::GetSettings();
123: if ($bAllowLoginFromCoreModule && $aArgs['Login'] === $oSettings->AdminLogin) {
124: $mResult = $this->Login($aArgs['Login'], $aArgs['Password']);
125: return true;
126: }
127: }
128:
129: protected function isClientIpInWhitelist()
130: {
131: $mResult = true;
132:
133: $aWhitelistIp = $this->getConfig('SuperadminWhitelistIp', []);
134: $ip = \Aurora\System\Utils::getClientIp();
135:
136: if (!empty($ip) && count($aWhitelistIp) > 0 && !in_array($ip, $aWhitelistIp)) {
137: $mResult = false;
138: }
139:
140: return $mResult;
141: }
142:
143: public function onBeforeRunEntry(&$aArgs, &$mResult)
144: {
145: $oAuthenticatedUser = \Aurora\System\Api::getAuthenticatedUser();
146: if ($oAuthenticatedUser instanceof \Aurora\Modules\Core\Models\User &&
147: $oAuthenticatedUser->Role === \Aurora\System\Enums\UserRole::SuperAdmin && !$this->isClientIpInWhitelist()) {
148: if (isset($aArgs['EntryName']) && strtolower($aArgs['EntryName']) === 'default') {
149: \Aurora\Modules\Core\Module::Decorator()->Logout();
150: } else {
151: $mResult = \Aurora\System\Managers\Response::GetJsonFromObject(
152: 'Json',
153: \Aurora\System\Managers\Response::ExceptionResponse(
154: 'RunEntry',
155: new \Aurora\System\Exceptions\ApiException(
156: \Aurora\System\Notifications::AccessDenied,
157: null,
158: $this->i18N('ERROR_USER_ACCESS_DENIED'),
159: [],
160: $this
161: )
162: )
163: );
164: return true;
165: }
166: }
167: }
168: /***** private functions *****/
169: }
170: