Initial commit of PHP side authentication code for pfSense

1 files changed, 82 insertions, 0 deletions

diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
new file mode 100644
index 0000000..7083b86
--- /dev/null
+++ b/etc/inc/auth.inc
@@ -0,0 +1,82 @@
+<?php
+/* $Id$ */
+/*
+        Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>
+        All rights reserved.
+
+        Redistribution and use in source and binary forms, with or without
+        modification, are permitted provided that the following conditions are met:
+
+        1. Redistributions of source code must retain the above copyright notice,
+           this list of conditions and the following disclaimer.
+
+        2. Redistributions in binary form must reproduce the above copyright
+           notice, this list of conditions and the following disclaimer in the
+           documentation and/or other materials provided with the distribution.
+
+        THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+        INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+        AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+        AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+        OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+        SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+        INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+        CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+        ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+        POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once("config.inc");
+require_once("globals.inc");
+
+/* We only support file backed HTTP Basic auth right now */
+$auth_method="file_backed_basic_auth";
+
+/* Authenticate user - exit if failed (we should have a callback for this maybe) */
+if (!$auth_method())
+	exit;
+
+function basic_auth_prompt(){
+	header("WWW-Authenticate: Basic realm=\"pfSense\"");
+	header("HTTP/1.0 401 Unauthorized");
+	echo "You must enter valid credentials to access this resource.";
+	exit;
+}
+
+function file_backed_basic_auth() {
+	global $HTTP_SERVER_VARS;
+
+	$authfile = file("/etc/master.passwd");
+
+	/* Prompt three times and give up */
+	for($attempt = 0; $attempt <= 3; basic_auth_prompt()){
+		$attempt++;
+		/* Check for PHP_AUTH_USER */
+		if (!isset($HTTP_SERVER_VARS['PHP_AUTH_USER']))
+			continue;
+
+		/* Check to see if user even exists */
+		$username = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
+		if(!($line = array_shift(preg_grep("/$username:.*$/", $authfile))))
+			continue;
+
+		/* Get crypted password */
+		preg_match("/$username:((...[0-9A-Za-z_]{8}.)[0-9A-Za-z_]{22})/", $line, $matches);
+		$pass = $matches[1];
+		$salt = $matches[2];
+
+		/* Encrypt entered password with salt */
+		$authpass = crypt($HTTP_SERVER_VARS['PHP_AUTH_PW'], $salt);
+
+		/* And finally validate password */
+		if($authpass == $pass)
+			return true;
+		else
+			continue;
+	}
+
+	/* Should only get here if user fails login three times */
+	return false;
+}
+
+?>