authorjim-p <jimp@netgate.com>2018-08-20 13:35:53 -0400
committerjim-p <jimp@netgate.com>2018-08-20 13:38:34 -0400
commitd629601ab0a8a27a3b799062e16596c7683610bf (patch)
treec5042d39ccdaf840ef7e564b89a7c62ea221c4f8
parent619e1950fdd96b606d3bbe8125476ea76a6190d0 (diff)
User login source & proxy fwd addr to user data. Fixes #8813 Fixes #8816
While here, use this info more consistently across log messages and places where user info is recorded when making changes.
-rw-r--r--src/etc/inc/auth.inc30
-rw-r--r--src/etc/inc/authgui.inc5
-rw-r--r--src/etc/inc/config.lib.inc4
3 files changed, 29 insertions, 10 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index ad59a3f..64bb5d2 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -1931,13 +1931,19 @@ function session_auth() {
session_regenerate_id();
$_SESSION['Logged_In'] = "True";
$_SESSION['remoteauth'] = $remoteauth;
+ if ($remoteauth) {
+ $_SESSION['authsource'] = ($authcfg['type'] == "Local Auth") ? "" : strtoupper(gettext($authcfg['type'])) . '/';
+ $_SESSION['authsource'] .= "{$authcfg['name']}";
+ } else {
+ $_SESSION['authsource'] = gettext('Local Database Fallback') ;
+ }
$_SESSION['Username'] = $_POST['usernamefld'];
$_SESSION['user_radius_attributes'] = $attributes;
$_SESSION['last_access'] = time();
$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
phpsession_end(true);
if (!isset($config['system']['webgui']['quietlogin'])) {
- log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
+ log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], get_user_remote_address() . get_user_remote_authsource()));
}
if (isset($_POST['postafterlogin'])) {
return true;
@@ -1951,7 +1957,7 @@ function session_auth() {
} else {
/* give the user an error message */
$_SESSION['Login_Error'] = gettext("Username or Password incorrect");
- log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}");
+ log_auth(sprintf(gettext("webConfigurator authentication error for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], get_user_remote_address() . get_user_remote_authsource()));
if (isAjax()) {
echo "showajaxmessage('{$_SESSION['Login_Error']}');";
return;
@@ -1996,9 +2002,9 @@ function session_auth() {
if (isset($_POST['logout'])) {
if ($_SESSION['Logout']) {
- log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
+ log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], get_user_remote_address() . get_user_remote_authsource()));
} else {
- log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
+ log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], get_user_remote_address() . get_user_remote_authsource()));
}
/* wipe out $_SESSION */
@@ -2053,4 +2059,20 @@ function print_credit() {
'<a target="_blank" href="https://pfsense.org/license">' .
gettext(' View license.') . '</a>';
}
+function get_user_remote_address() {
+ $remote_address = $_SERVER['REMOTE_ADDR'];
+ if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
+ $remote_address .= "[{$_SERVER['HTTP_CLIENT_IP']}]";
+ } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ $remote_address .= "[{$_SERVER['HTTP_X_FORWARDED_FOR']}]";
+ }
+ return $remote_address;
+}
+function get_user_remote_authsource() {
+ $authsource = "";
+ if (!empty($_SESSION['authsource'])) {
+ $authsource .= " ({$_SESSION['authsource']})";
+ }
+ return $authsource;
+}
?>
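Review bot: get_user_remote_address() (the new function after print_credit) appends HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR to the returned string unchanged, and that string now lands in the log_auth()/log_error() lines of session_auth() and, through get_config_user(), in the messages changed in authgui.inc and config.lib.inc. Both headers are supplied by the client rather than observed by the server, so what gets written into the auth log and into the recorded identity of a config change can be arbitrary text, which is precisely the data an administrator relies on when reviewing a failed login or a configuration change. Record only elements that validate as IP addresses (filter_var with FILTER_VALIDATE_IP, applied per comma-separated entry) and keep REMOTE_ADDR first so the genuinely observed peer is always present. Whether the bracketed value deserves any trust depends on the deployment sitting behind a proxy, which this code cannot tell, so a comment such as `/* Bracketed addresses are client-asserted proxy data, not verified */` would help readers of the log.
```php
function get_user_remote_address() {
	$remote_address = $_SERVER['REMOTE_ADDR'];
	/* Bracketed addresses are client-asserted proxy data, not verified;
	 * only syntactically valid IPs are recorded so log lines cannot carry free text */
	$forwarded = '';
	if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
		$forwarded = $_SERVER['HTTP_CLIENT_IP'];
	} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
		$forwarded = $_SERVER['HTTP_X_FORWARDED_FOR'];
	}
	$valid = [];
	foreach (explode(',', $forwarded) as $candidate) {
		$candidate = trim($candidate);
		if ($candidate !== '' && filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
			$valid[] = $candidate;
		}
	}
	if (!empty($valid)) {
		$remote_address .= '[' . implode(',', $valid) . ']';
	}
	return $remote_address;
}
```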
diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index 794114c..c189345 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -65,10 +65,7 @@ if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
require_once("functions.inc");
pfSenseHeader("/{$page}");
- $username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
- if (!empty($_SERVER['REMOTE_ADDR'])) {
- $username .= '@' . $_SERVER['REMOTE_ADDR'];
- }
+ $username = get_config_user();
log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}.");
exit;
diff --git a/src/etc/inc/config.lib.inc b/src/etc/inc/config.lib.inc
index 349cbb6..17b4f0f 100644
--- a/src/etc/inc/config.lib.inc
+++ b/src/etc/inc/config.lib.inc
@@ -466,7 +466,7 @@ function write_config($desc="Unknown", $backup = true, $write_config_only = fals
if (!empty($_SESSION['Username']) && ($_SESSION['Username'] != "admin")) {
$user = getUserEntry($_SESSION['Username']);
if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {
- syslog(LOG_AUTHPRIV, sprintf(gettext("Save config permission denied by the 'User - Config: Deny Config Write' permission for user '%s'."), $_SESSION['Username']));
+ syslog(LOG_AUTHPRIV, sprintf(gettext("Save config permission denied by the 'User - Config: Deny Config Write' permission for user '%s'."), get_config_user()));
phpsession_end(true);
return false;
}
@@ -903,7 +903,7 @@ function get_config_user() {
}
if (!empty($_SERVER['REMOTE_ADDR'])) {
- $username .= '@' . $_SERVER['REMOTE_ADDR'];
+ $username .= '@' . get_user_remote_address() . get_user_remote_authsource();
}
return $username;
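Review bot: The new line in get_config_user() calls get_user_remote_address() and get_user_remote_authsource(), which this commit defines in auth.inc, so config.lib.inc now depends on auth.inc being included before any write_config() caller runs; if some script loads config.lib.inc without auth.inc (the include order is not visible on this page), the save path fails with an undefined-function error instead of logging. A guard keeps the previous behaviour as the fallback: `$username .= '@' . (function_exists('get_user_remote_address') ? get_user_remote_address() . get_user_remote_authsource() : $_SERVER['REMOTE_ADDR']);`. The body of get_config_user() begins before this hunk. Separately, because this value is recorded alongside config changes, the proxy-header portion it now carries comes from client-supplied headers and should be restricted to entries that validate as IP addresses before being stored.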