Initial commit

application/Espo/Core/Authentication/Hook/Hooks/FailedAttemptsLimit.php

@@ -0,0 +1,113 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook\Hooks;
+
+use Espo\Core\Api\Util;
+use Espo\Core\Authentication\HeaderKey;
+use Espo\Core\Authentication\Hook\BeforeLogin;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Api\Request;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Authentication\ConfigDataProvider;
+use Espo\ORM\EntityManager;
+use Espo\Entities\AuthLogRecord;
+
+use DateTime;
+use Espo\ORM\Name\Attribute;
+use Exception;
+use RuntimeException;
+
+/**
+ * @noinspection PhpUnused
+ */
+class FailedAttemptsLimit implements BeforeLogin
+{
+    public function __construct(
+        private ConfigDataProvider $configDataProvider,
+        private EntityManager $entityManager,
+        private Util $util
+    ) {}
+
+    /**
+     * @throws Forbidden
+     */
+    public function process(AuthenticationData $data, Request $request): void
+    {
+        $isByTokenOnly = !$data->getMethod() && $request->getHeader(HeaderKey::AUTHORIZATION_BY_TOKEN) === 'true';
+
+        if ($isByTokenOnly || $this->configDataProvider->isAuthLogDisabled()) {
+            return;
+        }
+
+        $failedAttemptsPeriod = $this->configDataProvider->getFailedAttemptsPeriod();
+
+        $ipAddress = $this->util->obtainIpFromRequest($request);
+
+        $where = [
+            'requestTime>' => $this->getTimeFrom($request, $failedAttemptsPeriod)->format('U'),
+            'isDenied' => true,
+            'ipAddress' => $ipAddress,
+        ];
+
+        $wasFailed = (bool) $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->select([Attribute::ID])
+            ->where($where)
+            ->findOne();
+
+        if (!$wasFailed) {
+            return;
+        }
+
+        $failAttemptCount = $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->where($where)
+            ->count();
+
+        if ($failAttemptCount <= $this->configDataProvider->getMaxFailedAttemptNumber()) {
+            return;
+        }
+
+        throw new Forbidden("Max failed login attempts exceeded for IP address $ipAddress.");
+    }
+
+    private function getTimeFrom(Request $request, string $failedAttemptsPeriod): DateTime
+    {
+        $requestTime = intval($request->getServerParam('REQUEST_TIME_FLOAT'));
+
+        try {
+            $requestTimeFrom = (new DateTime('@' . $requestTime))->modify('-' . $failedAttemptsPeriod);
+        } catch (Exception $e) {
+            throw new RuntimeException($e->getMessage());
+        }
+
+        return $requestTimeFrom;
+    }
+}

application/Espo/Core/Authentication/Hook/Hooks/FailedCodeAttemptsLimit.php

@@ -0,0 +1,118 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook\Hooks;
+
+use Espo\Core\Api\Request;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Authentication\ConfigDataProvider;
+use Espo\Core\Authentication\Hook\BeforeLogin;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Entities\AuthLogRecord;
+use Espo\ORM\EntityManager;
+
+use DateTime;
+use Espo\ORM\Name\Attribute;
+use Exception;
+use RuntimeException;
+
+/**
+ * @noinspection PhpUnused
+ */
+class FailedCodeAttemptsLimit implements BeforeLogin
+{
+    public function __construct(
+        private ConfigDataProvider $configDataProvider,
+        private EntityManager $entityManager,
+    ) {}
+
+    /**
+     * @throws Forbidden
+     */
+    public function process(AuthenticationData $data, Request $request): void
+    {
+        if (
+            $request->getHeader('Espo-Authorization-Code') === null ||
+            $this->configDataProvider->isAuthLogDisabled()
+        ) {
+            return;
+        }
+
+        $isByTokenOnly = !$data->getMethod() && $request->getHeader('Espo-Authorization-By-Token') === 'true';
+
+        if ($isByTokenOnly) {
+            return;
+        }
+
+        $failedAttemptsPeriod = $this->configDataProvider->getFailedCodeAttemptsPeriod();
+
+        $where = [
+            'requestTime>' => $this->getTimeFrom($request, $failedAttemptsPeriod)->format('U'),
+            'isDenied' => true,
+            'username' => $data->getUsername(),
+            'denialReason' => AuthLogRecord::DENIAL_REASON_WRONG_CODE,
+        ];
+
+        $wasFailed = (bool) $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->select([Attribute::ID])
+            ->where($where)
+            ->findOne();
+
+        if (!$wasFailed) {
+            return;
+        }
+
+        $failAttemptCount = $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->where($where)
+            ->count();
+
+        if ($failAttemptCount <= $this->configDataProvider->getMaxFailedAttemptNumber()) {
+            return;
+        }
+
+        $username = $data->getUsername() ?? '';
+
+        throw new Forbidden("Max failed 2FA login attempts exceeded for username '$username'.");
+    }
+
+    private function getTimeFrom(Request $request, string $failedAttemptsPeriod): DateTime
+    {
+        $requestTime = intval($request->getServerParam('REQUEST_TIME_FLOAT'));
+
+        try {
+            $requestTimeFrom = (new DateTime('@' . $requestTime))->modify('-' . $failedAttemptsPeriod);
+        } catch (Exception $e) {
+            throw new RuntimeException($e->getMessage());
+        }
+
+        return $requestTimeFrom;
+    }
+}

application/Espo/Core/Authentication/Hook/Hooks/IpAddressWhitelist.php

@@ -0,0 +1,87 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook\Hooks;
+
+use Espo\Core\Api\Request;
+use Espo\Core\Api\Util;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Authentication\ConfigDataProvider;
+use Espo\Core\Authentication\Hook\OnLogin;
+use Espo\Core\Authentication\Result;
+use Espo\Core\Authentication\Util\IpAddressUtil;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Utils\Config;
+
+class IpAddressWhitelist implements OnLogin
+{
+    public function __construct(
+        private ConfigDataProvider $configDataProvider,
+        private Util $util,
+        private Config $config,
+        private IpAddressUtil $ipAddressUtil
+    ) {}
+
+    public function process(Result $result, AuthenticationData $data, Request $request): void
+    {
+        if (!$this->configDataProvider->ipAddressCheck()) {
+            return;
+        }
+
+        $ipAddress = $this->util->obtainIpFromRequest($request);
+
+        if (
+            $ipAddress &&
+            $this->ipAddressUtil->isInWhitelist($ipAddress, $this->configDataProvider->getIpAddressWhitelist())
+        ) {
+            return;
+        }
+
+        $user = $result->getUser();
+
+        if ($user && $user->isPortal()) {
+            return;
+        }
+
+        if ($user && $user->isSuperAdmin() && $this->config->get('restrictedMode')) {
+            return;
+        }
+
+        if (
+            $user &&
+            in_array($user->getId(), $this->configDataProvider->getIpAddressCheckExcludedUserIdList())
+        ) {
+            return;
+        }
+
+        $username = $user ? $user->getUserName() : '?';
+
+        throw new Forbidden("Not allowed IP address $ipAddress, user: $username.");
+    }
+}