admin
1 year ago
lib
1 year ago
captcha.php
2 years ago
cloudsecure-wp.php
1 year ago
common.php
1 year ago
config.php
2 years ago
disable-access-system-file.php
1 year ago
disable-author-query.php
2 years ago
disable-login.php
1 year ago
disable-restapi.php
2 years ago
disable-xmlrpc.php
1 year ago
htaccess.php
1 year ago
login-log.php
1 year ago
login-notification.php
1 year ago
rename-login-page.php
1 year ago
restrict-admin-page.php
1 year ago
server-error-notification.php
1 year ago
two-factor-authentication.php
1 year ago
unify-messages.php
2 years ago
update-notice.php
2 years ago
waf-engine.php
1 year ago
waf.php
1 year ago
two-factor-authentication.php
253 lines
| 1 | <?php |
| 2 | |
| 3 | if ( ! defined( 'ABSPATH' ) ) { |
| 4 | exit; |
| 5 | } |
| 6 | |
| 7 | class CloudSecureWP_Two_Factor_Authentication extends CloudSecureWP_Common { |
| 8 | private const KEY_FEATURE = 'two_factor_authentication'; |
| 9 | |
| 10 | private $config; |
| 11 | |
| 12 | /** |
| 13 | * @var CloudSecureWP_Disable_Login |
| 14 | */ |
| 15 | private $disable_login; |
| 16 | |
| 17 | function __construct( array $info, CloudSecureWP_Config $config, CloudSecureWP_Disable_Login $disable_login ) { |
| 18 | parent::__construct( $info ); |
| 19 | $this->config = $config; |
| 20 | $this->disable_login = $disable_login; |
| 21 | } |
| 22 | |
| 23 | /** |
| 24 | * 機能毎のKEY取得 |
| 25 | * |
| 26 | * @return string |
| 27 | */ |
| 28 | public function get_feature_key(): string { |
| 29 | return self::KEY_FEATURE; |
| 30 | } |
| 31 | |
| 32 | /** |
| 33 | * 有効無効判定 |
| 34 | * |
| 35 | * @return bool |
| 36 | */ |
| 37 | public function is_enabled(): bool { |
| 38 | return $this->config->get( $this->get_feature_key() ) === 't'; |
| 39 | } |
| 40 | |
| 41 | /** |
| 42 | * 初期設定値取得 |
| 43 | * |
| 44 | * @return array |
| 45 | */ |
| 46 | public function get_default(): array { |
| 47 | return array( self::KEY_FEATURE => 'f' ); |
| 48 | } |
| 49 | |
| 50 | /** |
| 51 | * 設定値key取得 |
| 52 | */ |
| 53 | public function get_keys(): array { |
| 54 | return array( self::KEY_FEATURE ); |
| 55 | } |
| 56 | |
| 57 | /** |
| 58 | * 設定値取得 |
| 59 | */ |
| 60 | public function get_settings(): array { |
| 61 | $settings = array(); |
| 62 | $keys = $this->get_keys(); |
| 63 | |
| 64 | foreach ( $keys as $key ) { |
| 65 | $settings[ $key ] = $this->config->get( $key ); |
| 66 | } |
| 67 | |
| 68 | return $settings; |
| 69 | } |
| 70 | |
| 71 | /** |
| 72 | * 設定値保存 |
| 73 | * |
| 74 | * @param array $settings |
| 75 | * |
| 76 | * @return void |
| 77 | */ |
| 78 | public function save_settings( array $settings ): void { |
| 79 | $keys = $this->get_keys(); |
| 80 | |
| 81 | foreach ( $keys as $key ) { |
| 82 | $this->config->set( $key, $settings[ $key ] ?? '' ); |
| 83 | } |
| 84 | $this->config->save(); |
| 85 | } |
| 86 | |
| 87 | /** |
| 88 | * 有効化 |
| 89 | * |
| 90 | * @return void |
| 91 | */ |
| 92 | public function activate(): void { |
| 93 | $settings = $this->get_default(); |
| 94 | $this->save_settings( $settings ); |
| 95 | } |
| 96 | |
| 97 | /** |
| 98 | * 無効化 |
| 99 | * |
| 100 | * @return void |
| 101 | */ |
| 102 | public function deactivate(): void { |
| 103 | $settings = $this->get_settings(); |
| 104 | $settings[ self::KEY_FEATURE ] = 'f'; |
| 105 | $this->save_settings( $settings ); |
| 106 | } |
| 107 | |
| 108 | /** |
| 109 | * 管理画面上での有効無効判定 |
| 110 | * 2段階認証の管理画面で「変更を保存」ボタンを押下時、 |
| 111 | * is_enabled()のみを使うとデバイス登録のメニューが正しく表示されない。 |
| 112 | * |
| 113 | * @return bool |
| 114 | */ |
| 115 | public function is_enabled_on_screen(): bool { |
| 116 | if ( isset( $_POST['two_factor_authentication'] ) && ! empty( $_POST['two_factor_authentication'] ) ) { |
| 117 | return $this->check_environment() && sanitize_text_field( $_POST['two_factor_authentication'] ) === 't'; |
| 118 | } |
| 119 | |
| 120 | return $this->is_enabled(); |
| 121 | } |
| 122 | |
| 123 | /** |
| 124 | * 有効な権限グループに含まれるかどうか |
| 125 | * |
| 126 | * @param $role |
| 127 | * |
| 128 | * @return bool |
| 129 | */ |
| 130 | private function is_role_enabled( $role ): bool { |
| 131 | return in_array( $role, get_option( 'cloudsecurewp_two_factor_authentication_roles', array() ) ); |
| 132 | } |
| 133 | |
| 134 | /** |
| 135 | * ログインフォーム2段階認証チェック |
| 136 | */ |
| 137 | public function wp_login( $user_login, $user ) { |
| 138 | // 2段階認証が無効なとき |
| 139 | if ( ! $this->is_enabled() ) { |
| 140 | return; |
| 141 | } |
| 142 | |
| 143 | // 有効な権限グループに含まれないとき |
| 144 | if ( ! $this->is_role_enabled( $user->roles[0] ) ) { |
| 145 | return; |
| 146 | } |
| 147 | |
| 148 | $secret = get_user_option( 'cloudsecurewp_two_factor_authentication_secret', $user->ID ); |
| 149 | // ユーザーがデバイス登録をしていないとき |
| 150 | if ( ! $secret ) { |
| 151 | return; |
| 152 | } |
| 153 | |
| 154 | // 2段階認証コードが送られたとき |
| 155 | if ( ! empty( $_POST['google_authenticator_code'] ) && check_admin_referer( $this->get_feature_key() . '_csrf' ) ) { |
| 156 | $google_authenticator_code = sanitize_text_field( $_POST['google_authenticator_code'] ); |
| 157 | // 2段階認証コードが有効なとき |
| 158 | if ( CloudSecureWP_Time_Based_One_Time_Password::verify_code( $secret, $google_authenticator_code, 2 ) ) { |
| 159 | return; |
| 160 | } |
| 161 | // ログイン失敗回数をインクリメントしデータベースに格納 |
| 162 | $this->disable_login->wp_login_failed( $user_login ); |
| 163 | } |
| 164 | |
| 165 | wp_logout(); |
| 166 | login_header( '2段階認証画面' ); |
| 167 | $this->login_error(); |
| 168 | $this->login_form(); |
| 169 | login_footer(); |
| 170 | exit; |
| 171 | } |
| 172 | |
| 173 | /** |
| 174 | * 2段階認証のエラーを出力 |
| 175 | * |
| 176 | * @return void |
| 177 | */ |
| 178 | private function login_error() { |
| 179 | if ( array_key_exists( 'google_authenticator_code', $_REQUEST ) ) { |
| 180 | if ( sanitize_text_field( $_REQUEST['google_authenticator_code'] ) ) { |
| 181 | $errors = '認証コードが間違っているか、有効期限が切れています。'; |
| 182 | } else { |
| 183 | $errors = '認証コードが� |
| 184 | �力されていません。'; |
| 185 | } |
| 186 | echo '<div id="login_error">' . esc_html( apply_filters( 'login_errors', $errors ) ) . "</div>\n"; |
| 187 | } |
| 188 | } |
| 189 | |
| 190 | /** |
| 191 | * 2段階認証のログインフォームを出力 |
| 192 | * |
| 193 | * @return void |
| 194 | */ |
| 195 | private function login_form() { |
| 196 | ?> |
| 197 | <form name="loginform" id="loginform" |
| 198 | action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post"> |
| 199 | <input type="hidden" name="log" value="<?php echo esc_attr( sanitize_text_field( $_REQUEST['log'] ) ); ?>"/> |
| 200 | <input type="hidden" name="pwd" value="<?php echo esc_attr( sanitize_text_field( $_REQUEST['pwd'] ) ); ?>"/> |
| 201 | <?php if ( array_key_exists( 'cloudsecurewp_captcha', $_REQUEST ) ) : ?> |
| 202 | <input type="hidden" name="cloudsecurewp_captcha" |
| 203 | value="<?php echo esc_attr( sanitize_text_field( $_REQUEST['cloudsecurewp_captcha'] ) ); ?>"/> |
| 204 | <?php endif; ?> |
| 205 | <?php if ( array_key_exists( 'cloudsecurewp_captcha_prefix', $_REQUEST ) ) : ?> |
| 206 | <input type="hidden" name="cloudsecurewp_captcha_prefix" |
| 207 | value="<?php echo esc_attr( sanitize_text_field( $_REQUEST['cloudsecurewp_captcha_prefix'] ) ); ?>"/> |
| 208 | <?php endif; ?> |
| 209 | <?php if ( array_key_exists( 'cloudsecurewp_captcha_wpnonce', $_REQUEST ) ) : ?> |
| 210 | <input type="hidden" name="cloudsecurewp_captcha_wpnonce" |
| 211 | value="<?php echo esc_attr( sanitize_text_field( $_REQUEST['cloudsecurewp_captcha_wpnonce'] ) ); ?>"/> |
| 212 | <?php endif; ?> |
| 213 | <?php if ( array_key_exists( 'rememberme', $_REQUEST ) && 'forever' === sanitize_text_field( $_REQUEST['rememberme'] ) ) : ?> |
| 214 | <input name="rememberme" type="hidden" id="rememberme" value="forever"/> |
| 215 | <?php endif; ?> |
| 216 | <p> |
| 217 | <label for="google_authenticator_code">認証コード</label> |
| 218 | <input type="text" name="google_authenticator_code" id="google_authenticator_code" class="input" |
| 219 | value="" size="20"/> |
| 220 | </p> |
| 221 | <script type="text/javascript">document.getElementById("google_authenticator_code").focus();</script> |
| 222 | <p>デバイスのGoogle Authenticator アプリケーションに表示されている6桁の認証コードを� |
| 223 | �力してください。</p> |
| 224 | <p class="submit"> |
| 225 | <?php wp_nonce_field( $this->get_feature_key() . '_csrf' ); ?> |
| 226 | <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" |
| 227 | value="<?php esc_attr_e( 'Log In' ); ?>"/> |
| 228 | <input type="hidden" name="redirect_to" |
| 229 | value="<?php echo esc_attr( sanitize_text_field( $_REQUEST['redirect_to'] ?? admin_url() ) ); ?>"/> |
| 230 | <input type="hidden" name="testcookie" value="1"/> |
| 231 | </p> |
| 232 | </form> |
| 233 | <?php |
| 234 | } |
| 235 | |
| 236 | /** |
| 237 | * デバイス登録がまだのユーザーは、デバイス登録画面にリダイレクト |
| 238 | * |
| 239 | * @param $user_login |
| 240 | * @param $user |
| 241 | * |
| 242 | * @return void |
| 243 | * @noinspection PhpUnusedParameterInspection |
| 244 | */ |
| 245 | public function redirect_if_not_two_factor_authentication_registered( $user_login, $user ) { |
| 246 | $secret = get_user_option( 'cloudsecurewp_two_factor_authentication_secret', $user->ID ); |
| 247 | if ( $this->is_enabled() && $this->is_role_enabled( $user->roles[0] ) && ! $secret && $_SERVER['REQUEST_URI'] !== '/wp-admin/admin.php?page=cloudsecurewp_two_factor_authentication_registration' ) { |
| 248 | wp_redirect( admin_url( 'admin.php?page=cloudsecurewp_two_factor_authentication_registration' ) ); |
| 249 | exit; |
| 250 | } |
| 251 | } |
| 252 | } |
| 253 |