[platal.git] / classes / plsession.php

<?php
/***************************************************************************
 *  Copyright (C) 2003-2010 Polytechnique.org                              *
 *  http://opensource.polytechnique.org/                                   *
 *                                                                         *
 *  This program is free software; you can redistribute it and/or modify   *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation; either version 2 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  This program is distributed in the hope that it will be useful,        *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with this program; if not, write to the Free Software            *
 *  Foundation, Inc.,                                                      *
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
 ***************************************************************************/

/** Authentication level.
 * Only AUTH_PUBLIC is mandatory. The others are defined as useful values,
 * but can be overwritten by others auth levels definitions.
 */
define('AUTH_SUID',   -1);
define('AUTH_PUBLIC', 0);
define('AUTH_COOKIE', 5);
define('AUTH_MDP',    10);


/** The PlSession is a wrapper around the user session management.
 */
abstract class PlSession
{
    /** Build a new session object.
     * If a session is already started, this just wraps the session... if no
     * session is currently started, this set the base session variables.
     *  * auth        contains the current authentication level. The level is
     *                an integer that grows with the security of the authentication
     *                method.
     *  * perms       contains the current permission flags of the user. This flags
     *                depends on the category of the user.
     *  * challenge   contains a random uniq id for authentication.
     *  * xsrf_token  contains a random uniq id for xsrf prevention.
     *  * user        contains a reference to the current user.
     */
    public function __construct()
    {
        $this->create();
    }

    /** Build the session structure with system fields.
     */
    private function fillSession()
    {
        S::bootstrap('user', null);
        S::bootstrap('auth', AUTH_PUBLIC);
        S::bootstrap('challenge', sha1(uniqid(rand(), true)));
        S::bootstrap('xsrf_token', rand_url_id());
        S::bootstrap('perms', new PlFlagSet());
    }

    /** Write current session and close it.
     */
    public function close()
    {
        session_write_close();
    }

    /** Create a new session
     */
    private function create()
    {
        session_start();
        $this->fillSession();
    }

    /** Kill the current session.
     */
    public function destroy()
    {
        session_destroy();
        unset($_SESSION);
        $this->create();
    }

    /** Check if the user has at least the given authentication level.
     */
    public function checkAuth($level)
    {
        return S::i('auth') >= $level;
    }

    /** Check if the user has the given permissions.
     */
    public function checkPerms($perms)
    {
        return S::v('perms')->hasFlagCombination($perms);
    }

    /** Run authentication procedure to reach at least the given level.
     */
    public function start($level)
    {
        if ($this->checkAuth($level)) {
            return true;
        }
        $user = $this->doAuth($level);
        if (is_null($user)) {
            return false;
        }
        if (!$this->checkAuth($level)) {
            $this->destroy();
            return false;
        }
        if ($this->startSessionAs($user, $level)) {
            if (is_null(S::v('user'))) {
                S::set('user', $user);
            }
            return true;
        } else {
            $this->destroy();
        }
        return false;
    }


    /*** Abstract methods ***/

    /** Function that check authentication at build time of the session object.
     * This is useful to perform authentication from a cookie or when coming
     * back from a authentication service.
     *
     * This function must NOT try to launch a new authenticatioin procedure. It
     * just tests if the environment contains sufficient information to start
     * a user session.
     *
     * This function return false if informations are available but lead to an
     * authentication failure (invalid cookie, invalid service return data...)
     */
    abstract public function startAvailableAuth();

    /** Run the effectively authentication procedure to reach the given user.
     * This method must return a user object (that will be used to fill the
     * $_SESSION['user'] field).
     *
     * If auth failed, the function MUST return null. If auth succeed, the
     * field $_SESSION['auth'] MUST be filled to the current effective level.
     */
    abstract protected function doAuth($level);

    /** Set the session environment to the given user and authentication level.
     * This function MUST return false if a session is already started and the
     * user mismatch.
     *
     * On succes, this function MUST return true.
     * If $level is set to -1, this means you are building a new SUID session.
     */
    abstract protected function startSessionAs($user, $level);

    /** Check authentication with the given token.
     *
     * Token authentication is a light-weight authentication based on a user-specific token.
     * This can be used for protocols that requires a 'cookie'-free authentication, such as
     * RSS, iCal registration...
     *
     * This function returns a valid user object if authentication is successful, or null if
     * token mismatch.
     */
    abstract public function tokenAuth($login, $token);

    /** Set the permissions to the given flagset.
     *
     * This function sets S::set('perms') with a flagset represeting the combination of
     * $perms and $is_admin.
     *
     * $perms is an abstract object representing the permissions.
     * $is_admin is a boolean, true if the current user has site-administration rights.
     */
    abstract protected function makePerms($perms, $is_admin);

    /*** SUID management ***/

    /** Start a new SUID session.
     */
    public function startSUID($user, $perms = null)
    {
        if (S::suid()) {
            return false;
        }
        $backup = S::changeSession(array());
        $this->fillSession();
        S::set('suid', $backup);
        if (!$this->startSessionAs($user, AUTH_SUID)) {
            $this->stopSUID();
            return false;
        }
        S::set('user', $user);
        if (!is_null($perms)) {
            $this->makePerms($perms, false);
        }
        return true;
    }

    /** Stop a SUID session
     */
    public function stopSUID()
    {
        if (!S::suid()) {
            return false;
        }
        S::changeSession(S::v('suid'));
        return true;
    }


    /*** Thresholds ***/

    /** Minimum level of authentication that is considered as logged.
     */
    abstract public function loggedLevel();

    /** Minimum level of authentication that is considered as sure.
     */
    abstract public function sureLevel();
}

// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
?>
Commit	Line	Data
88a4c51b FB	1	<?php
88a4c51b FB	2	/***************************************************************************
2ab75571	3	* Copyright (C) 2003-2010 Polytechnique.org *
88a4c51b FB	4	* http://opensource.polytechnique.org/ *
	5	* *
	6	* This program is free software; you can redistribute it and/or modify *
	7	* it under the terms of the GNU General Public License as published by *
	8	* the Free Software Foundation; either version 2 of the License, or *
	9	* (at your option) any later version. *
	10	* *
	11	* This program is distributed in the hope that it will be useful, *
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
	14	* GNU General Public License for more details. *
	15	* *
	16	* You should have received a copy of the GNU General Public License *
	17	* along with this program; if not, write to the Free Software *
	18	* Foundation, Inc., *
	19	* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
	20	***************************************************************************/
	21
47fa97fe FB	22	/** Authentication level.
	23	* Only AUTH_PUBLIC is mandatory. The others are defined as useful values,
	24	* but can be overwritten by others auth levels definitions.
	25	*/
5a074c2f	26	define('AUTH_SUID', -1);
47fa97fe	27	define('AUTH_PUBLIC', 0);
8cd8f58b FB	28	define('AUTH_COOKIE', 5);
8cd8f58b FB	29	define('AUTH_MDP', 10);
47fa97fe	30
88a4c51b FB	31
	32	/** The PlSession is a wrapper around the user session management.
	33	*/
	34	abstract class PlSession
	35	{
	36	/** Build a new session object.
	37	* If a session is already started, this just wraps the session... if no
	38	* session is currently started, this set the base session variables.
	39	* * auth contains the current authentication level. The level is
	40	* an integer that grows with the security of the authentication
	41	* method.
	42	* * perms contains the current permission flags of the user. This flags
	43	* depends on the category of the user.
	44	* * challenge contains a random uniq id for authentication.
	45	* * xsrf_token contains a random uniq id for xsrf prevention.
	46	* * user contains a reference to the current user.
	47	*/
	48	public function __construct()
	49	{
c0799142	50	$this->create();
88a4c51b FB	51	}
	52
	53	/** Build the session structure with system fields.
	54	*/
	55	private function fillSession()
	56	{
	57	S::bootstrap('user', null);
	58	S::bootstrap('auth', AUTH_PUBLIC);
	59	S::bootstrap('challenge', sha1(uniqid(rand(), true)));
	60	S::bootstrap('xsrf_token', rand_url_id());
	61	S::bootstrap('perms', new PlFlagSet());
	62	}
	63
	64	/** Write current session and close it.
	65	*/
	66	public function close()
	67	{
	68	session_write_close();
	69	}
	70
c0799142 FB	71	/** Create a new session
	72	*/
	73	private function create()
	74	{
	75	session_start();
	76	$this->fillSession();
	77	}
	78
88a4c51b FB	79	/** Kill the current session.
	80	*/
	81	public function destroy()
	82	{
	83	session_destroy();
	84	unset($_SESSION);
c0799142	85	$this->create();
88a4c51b FB	86	}
	87
	88	/** Check if the user has at least the given authentication level.
	89	*/
	90	public function checkAuth($level)
	91	{
	92	return S::i('auth') >= $level;
	93	}
	94
	95	/** Check if the user has the given permissions.
	96	*/
	97	public function checkPerms($perms)
	98	{
	99	return S::v('perms')->hasFlagCombination($perms);
	100	}
	101
	102	/** Run authentication procedure to reach at least the given level.
	103	*/
	104	public function start($level)
	105	{
	106	if ($this->checkAuth($level)) {
	107	return true;
	108	}
	109	$user = $this->doAuth($level);
c0799142 FB	110	if (is_null($user)) {
	111	return false;
	112	}
	113	if (!$this->checkAuth($level)) {
	114	$this->destroy();
88a4c51b FB	115	return false;
	116	}
	117	if ($this->startSessionAs($user, $level)) {
	118	if (is_null(S::v('user'))) {
	119	S::set('user', $user);
	120	}
	121	return true;
	122	} else {
	123	$this->destroy();
	124	}
	125	return false;
	126	}
	127
	128
	129	/* Abstract methods */
	130
c0799142 FB	131	/** Function that check authentication at build time of the session object.
	132	* This is useful to perform authentication from a cookie or when coming
	133	* back from a authentication service.
	134	*
	135	* This function must NOT try to launch a new authenticatioin procedure. It
	136	* just tests if the environment contains sufficient information to start
	137	* a user session.
	138	*
	139	* This function return false if informations are available but lead to an
	140	* authentication failure (invalid cookie, invalid service return data...)
	141	*/
	142	abstract public function startAvailableAuth();
	143
88a4c51b FB	144	/** Run the effectively authentication procedure to reach the given user.
	145	* This method must return a user object (that will be used to fill the
	146	* $_SESSION['user'] field).
	147	*
	148	* If auth failed, the function MUST return null. If auth succeed, the
	149	* field $_SESSION['auth'] MUST be filled to the current effective level.
	150	*/
	151	abstract protected function doAuth($level);
	152
	153	/** Set the session environment to the given user and authentication level.
	154	* This function MUST return false if a session is already started and the
	155	* user mismatch.
	156	*
	157	* On succes, this function MUST return true.
	158	* If $level is set to -1, this means you are building a new SUID session.
	159	*/
	160	abstract protected function startSessionAs($user, $level);
	161
8bdb07ee FB	162	/** Check authentication with the given token.
	163	*
	164	* Token authentication is a light-weight authentication based on a user-specific token.
	165	* This can be used for protocols that requires a 'cookie'-free authentication, such as
	166	* RSS, iCal registration...
	167	*
	168	* This function returns a valid user object if authentication is successful, or null if
	169	* token mismatch.
	170	*/
	171	abstract public function tokenAuth($login, $token);
	172
7adcbe0e FB	173	/** Set the permissions to the given flagset.
	174	*
	175	* This function sets S::set('perms') with a flagset represeting the combination of
	176	* $perms and $is_admin.
	177	*
	178	* $perms is an abstract object representing the permissions.
	179	* $is_admin is a boolean, true if the current user has site-administration rights.
	180	*/
	181	abstract protected function makePerms($perms, $is_admin);
88a4c51b FB	182
	183	/* SUID management */
	184
	185	/** Start a new SUID session.
	186	*/
7adcbe0e	187	public function startSUID($user, $perms = null)
88a4c51b	188	{
f1c8bb75	189	if (S::suid()) {
88a4c51b FB	190	return false;
88a4c51b FB	191	}
663c7f8e	192	$backup = S::changeSession(array());
88a4c51b FB	193	$this->fillSession();
88a4c51b FB	194	S::set('suid', $backup);
5a074c2f	195	if (!$this->startSessionAs($user, AUTH_SUID)) {
88a4c51b FB	196	$this->stopSUID();
	197	return false;
	198	}
732e5855	199	S::set('user', $user);
7adcbe0e FB	200	if (!is_null($perms)) {
	201	$this->makePerms($perms, false);
	202	}
88a4c51b FB	203	return true;
	204	}
	205
	206	/** Stop a SUID session
	207	*/
	208	public function stopSUID()
	209	{
f1c8bb75	210	if (!S::suid()) {
88a4c51b FB	211	return false;
88a4c51b FB	212	}
663c7f8e	213	S::changeSession(S::v('suid'));
88a4c51b FB	214	return true;
	215	}
	216
	217
	218	/* Thresholds */
	219
8cd8f58b FB	220	/** Minimum level of authentication that is considered as logged.
	221	*/
	222	abstract public function loggedLevel();
	223
88a4c51b FB	224	/** Minimum level of authentication that is considered as sure.
	225	*/
	226	abstract public function sureLevel();
	227	}
	228
	229	// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
	230	?>