bsiggel
127fa6503b
- Updated copyright headers in 3,055 core application files - Changed 'Copyright (C) 2014-2025' to 'Copyright (C) 2014-2026' - Added 123 new files from EspoCRM core updates - Removed 4 deprecated files - Total changes: 61,637 insertions, 54,283 deletions This is a routine maintenance update for the new year 2026.
314 lines
9.4 KiB
PHP
314 lines
9.4 KiB
PHP
<?php
|
||
/************************************************************************
|
||
* This file is part of EspoCRM.
|
||
*
|
||
* EspoCRM – Open Source CRM application.
|
||
* Copyright (C) 2014-2026 EspoCRM, Inc.
|
||
* Website: https://www.espocrm.com
|
||
*
|
||
* This program is free software: you can redistribute it and/or modify
|
||
* it under the terms of the GNU Affero General Public License as published by
|
||
* the Free Software Foundation, either version 3 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* This program is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU Affero General Public License for more details.
|
||
*
|
||
* You should have received a copy of the GNU Affero General Public License
|
||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||
*
|
||
* The interactive user interfaces in modified source and object code versions
|
||
* of this program must display Appropriate Legal Notices, as required under
|
||
* Section 5 of the GNU Affero General Public License version 3.
|
||
*
|
||
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
|
||
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
|
||
************************************************************************/
|
||
|
||
namespace Espo\Tools\UserSecurity;
|
||
|
||
use Espo\Core\Authentication\TwoFactor\Exceptions\NotConfigured;
|
||
use Espo\Core\Exceptions\Error\Body;
|
||
use Espo\Core\Exceptions\Forbidden;
|
||
use Espo\Core\Exceptions\NotFound;
|
||
use Espo\Core\Exceptions\BadRequest;
|
||
use Espo\Core\Utils\Log;
|
||
use Espo\ORM\EntityManager;
|
||
use Espo\Entities\User;
|
||
use Espo\Entities\UserData;
|
||
use Espo\Repositories\UserData as UserDataRepository;
|
||
use Espo\Core\Api\RequestNull;
|
||
use Espo\Core\Authentication\Login\Data as LoginData;
|
||
use Espo\Core\Authentication\LoginFactory;
|
||
use Espo\Core\Authentication\TwoFactor\UserSetupFactory as TwoFactorUserSetupFactory;
|
||
use Espo\Core\Utils\Config;
|
||
|
||
use stdClass;
|
||
|
||
class Service
|
||
{
|
||
public function __construct(
|
||
private EntityManager $entityManager,
|
||
private User $user,
|
||
private Config $config,
|
||
private LoginFactory $authLoginFactory,
|
||
private TwoFactorUserSetupFactory $twoFactorUserSetupFactory,
|
||
private Log $log
|
||
) {}
|
||
|
||
/**
|
||
* @throws Forbidden
|
||
* @throws NotFound
|
||
*/
|
||
public function read(string $id): stdClass
|
||
{
|
||
if (!$this->user->isAdmin() && $id !== $this->user->getId()) {
|
||
throw new Forbidden();
|
||
}
|
||
|
||
/** @var ?User $user */
|
||
$user = $this->entityManager->getEntityById(User::ENTITY_TYPE, $id);
|
||
|
||
if (!$user) {
|
||
throw new NotFound();
|
||
}
|
||
|
||
$allow =
|
||
$user->isAdmin() ||
|
||
$user->isRegular() ||
|
||
$user->isPortal() && $this->config->get('auth2FAInPortal');
|
||
|
||
if (!$allow) {
|
||
throw new Forbidden();
|
||
}
|
||
|
||
$userData = $this->getUserDataRepository()->getByUserId($id);
|
||
|
||
if (!$userData) {
|
||
throw new NotFound();
|
||
}
|
||
|
||
return (object) [
|
||
'auth2FA' => $userData->get('auth2FA'),
|
||
'auth2FAMethod' => $userData->get('auth2FAMethod'),
|
||
];
|
||
}
|
||
|
||
/**
|
||
* @throws BadRequest
|
||
* @throws Forbidden
|
||
* @throws NotFound
|
||
*/
|
||
public function getTwoFactorUserSetupData(string $id, stdClass $data): stdClass
|
||
{
|
||
if (
|
||
!$this->user->isAdmin() &&
|
||
$id !== $this->user->getId()
|
||
) {
|
||
throw new Forbidden();
|
||
}
|
||
|
||
$isReset = $data->reset ?? false;
|
||
|
||
/** @var ?User $user */
|
||
$user = $this->entityManager->getEntityById(User::ENTITY_TYPE, $id);
|
||
|
||
if (!$user) {
|
||
throw new NotFound();
|
||
}
|
||
|
||
$allow =
|
||
$this->config->get('auth2FA') &&
|
||
(
|
||
$user->isAdmin() ||
|
||
$user->isRegular() ||
|
||
$user->isPortal() && $this->config->get('auth2FAInPortal')
|
||
);
|
||
|
||
if (!$allow) {
|
||
throw new Forbidden();
|
||
}
|
||
|
||
$password = $data->password ?? null;
|
||
|
||
if (!$password) {
|
||
throw new Forbidden('Passport required.');
|
||
}
|
||
|
||
if (!$this->user->isAdmin()) {
|
||
$this->checkPassword($id, $password);
|
||
}
|
||
|
||
if ($this->user->isAdmin()) {
|
||
$this->checkPassword($this->user->getId(), $password);
|
||
}
|
||
|
||
$auth2FAMethod = $data->auth2FAMethod ?? null;
|
||
|
||
if (!$auth2FAMethod) {
|
||
throw new BadRequest();
|
||
}
|
||
|
||
try {
|
||
$clientData = $this->twoFactorUserSetupFactory
|
||
->create($auth2FAMethod)
|
||
->getData($user);
|
||
} catch (NotConfigured $e) {
|
||
$this->log->error($e->getMessage());
|
||
|
||
throw Forbidden::createWithBody(
|
||
"2FA method '$auth2FAMethod' is not fully configured.",
|
||
Body::create()->withMessageTranslation('2faMethodNotConfigured', 'User')
|
||
);
|
||
}
|
||
|
||
if ($isReset) {
|
||
$userData = $this->getUserDataRepository()->getByUserId($id);
|
||
|
||
if (!$userData) {
|
||
throw new NotFound();
|
||
}
|
||
|
||
$userData->set('auth2FA', false);
|
||
/** @noinspection PhpRedundantOptionalArgumentInspection */
|
||
$userData->set('auth2FAMethod', null);
|
||
|
||
$this->entityManager->saveEntity($userData);
|
||
}
|
||
|
||
return $clientData;
|
||
}
|
||
|
||
/**
|
||
* @throws Forbidden
|
||
* @throws NotFound
|
||
* @throws BadRequest
|
||
*/
|
||
public function update(string $id, stdClass $data): stdClass
|
||
{
|
||
if (!$this->user->isAdmin() && $id !== $this->user->getId()) {
|
||
throw new Forbidden();
|
||
}
|
||
|
||
/** @var ?User $user */
|
||
$user = $this->entityManager->getEntityById(User::ENTITY_TYPE, $id);
|
||
|
||
if (!$user) {
|
||
throw new NotFound();
|
||
}
|
||
|
||
$allow =
|
||
$user->isAdmin() ||
|
||
$user->isRegular() ||
|
||
$user->isPortal() && $this->config->get('auth2FAInPortal');
|
||
|
||
if (!$allow) {
|
||
throw new Forbidden();
|
||
}
|
||
|
||
$userData = $this->getUserDataRepository()->getByUserId($id);
|
||
|
||
if (!$userData) {
|
||
throw new NotFound();
|
||
}
|
||
|
||
$password = $data->password ?? null;
|
||
|
||
if (!$password) {
|
||
throw new Forbidden('Password required.');
|
||
}
|
||
|
||
if (!$this->user->isAdmin() || $this->user->getId() === $id) {
|
||
$this->checkPassword($id, $password);
|
||
}
|
||
|
||
if (property_exists($data, 'auth2FA')) {
|
||
$userData->set('auth2FA', $data->auth2FA);
|
||
}
|
||
|
||
if (property_exists($data, 'auth2FAMethod')) {
|
||
$userData->set('auth2FAMethod', $data->auth2FAMethod);
|
||
}
|
||
|
||
if (!$userData->get('auth2FA')) {
|
||
/** @noinspection PhpRedundantOptionalArgumentInspection */
|
||
$userData->set('auth2FAMethod', null);
|
||
}
|
||
|
||
if ($userData->get('auth2FA') && $userData->isAttributeChanged('auth2FA')) {
|
||
if (!$this->config->get('auth2FA')) {
|
||
throw new Forbidden('2FA is not enabled.');
|
||
}
|
||
}
|
||
|
||
if (
|
||
$userData->get('auth2FA') &&
|
||
$userData->get('auth2FAMethod') &&
|
||
($userData->isAttributeChanged('auth2FA') || $userData->isAttributeChanged('auth2FAMethod')) &&
|
||
(
|
||
!$user->isPortal() ||
|
||
$this->config->get('auth2FAInPortal')
|
||
)
|
||
) {
|
||
$auth2FAMethod = $userData->get('auth2FAMethod');
|
||
|
||
if (!in_array($auth2FAMethod, $this->config->get('auth2FAMethodList', []))) {
|
||
throw new Forbidden('Not allowed 2FA auth method.');
|
||
}
|
||
|
||
$verifyResult = $this->twoFactorUserSetupFactory
|
||
->create($auth2FAMethod)
|
||
->verifyData($user, $data);
|
||
|
||
if (!$verifyResult) {
|
||
throw new Forbidden('Not verified.');
|
||
}
|
||
}
|
||
|
||
$this->entityManager->saveEntity($userData);
|
||
|
||
return (object) [
|
||
'auth2FA' => $userData->get('auth2FA'),
|
||
'auth2FAMethod' => $userData->get('auth2FAMethod'),
|
||
];
|
||
}
|
||
|
||
/**
|
||
* @throws Forbidden
|
||
*/
|
||
private function checkPassword(string $id, string $password): void
|
||
{
|
||
$user = $this->entityManager
|
||
->getRDBRepository(User::ENTITY_TYPE)
|
||
->where([
|
||
'id' => $id,
|
||
])
|
||
->findOne();
|
||
|
||
if (!$user) {
|
||
throw new Forbidden('User is not found.');
|
||
}
|
||
|
||
$loginData = LoginData::createBuilder()
|
||
->setUsername($user->get('userName'))
|
||
->setPassword($password)
|
||
->build();
|
||
|
||
$login = $this->authLoginFactory->createDefault();
|
||
|
||
$result = $login->login($loginData, new RequestNull());
|
||
|
||
if ($result->isFail()) {
|
||
throw new Forbidden('Password is incorrect.');
|
||
}
|
||
}
|
||
|
||
private function getUserDataRepository(): UserDataRepository
|
||
{
|
||
/** @var UserDataRepository */
|
||
return $this->entityManager->getRepository(UserData::ENTITY_TYPE);
|
||
}
|
||
}
|