authorMatthew Grooms <mgrooms@pfsense.org>2008-08-03 17:54:35 +0000
committerMatthew Grooms <mgrooms@pfsense.org>2008-08-03 17:54:35 +0000
commit659fa7f23bb28d316ec6c99a538ee74bc7ffc0a3 (patch)
tree31ce9604a21b27b3f88c50332251ea570136c817 /etc/inc/auth.inc
parent5064cec7670cffa8efa3d7276ebf13c2c9d5e23c (diff)
downloadpfsense-659fa7f23bb28d316ec6c99a538ee74bc7ffc0a3.zip
pfsense-659fa7f23bb28d316ec6c99a538ee74bc7ffc0a3.tar.gz
Cleanup authentication code. The basic auth method, the passwd, htpasswd
and pam backing functions have been removed. The basic auth method was legacy code and the backing functions were redundant, with no added value that I could see. A simplified replacement backing function named local_backed has been added; it authenticates against the local configuration data, which should be identical to the system pwdb credentials. Since the htpasswd file is no longer required, sync_webgui_passwords and its wrapper function system_password_configure have been removed. The local account management functions were renamed for consistency. A few minor bugs related to setting local passwords have also been corrected.
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r--etc/inc/auth.inc630
1 files changed, 261 insertions, 369 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 2d89e5d..3d5b3ac 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -102,7 +102,18 @@ function & getGroupEntryByGID($gid) {
return false;
}
-function sync_local_accounts() {
+function local_backed($username, $passwd) {
+
+ $user = getUserEntry($username);
+ if (!$user)
+ return false;
+
+ $passwd = crypt($passwd, $user['password']);
+
+ return ($passwd == $user['password']);
+}
+
+function local_sync_accounts() {
global $config;
/* remove local users to avoid uid conflicts */
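Review bot: local_backed drops the blank-credential guard that the removed pam_backed performed up front (`if ($username == "" || password == "")`) and compares the two hashes with loose `==`; the new function should keep that guard rather than rely on crypt() to reject empty input. If `$user['password']` is missing or empty, `crypt($passwd, $user['password'])` is handed an empty salt and its output is implementation-defined, so an entry without a stored hash should be refused explicitly. I would open with `if ($username == "" || $passwd == "" || empty($user['password'])) return false;` and finish with `return (crypt($passwd, $user['password']) === $user['password']);`. Reusing `$passwd` to hold the computed hash also makes the function harder to read than a fresh local would.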
@@ -140,22 +151,20 @@ function sync_local_accounts() {
/* make sure the all group exists */
$allgrp = getGroupEntryByGID(1998);
- set_local_group($allgrp, true);
+ local_group_set($allgrp, true);
/* sync all local users */
if (is_array($config['system']['user']))
foreach ($config['system']['user'] as $user)
- set_local_user($user);
+ local_user_set($user);
/* sync all local groups */
if (is_array($config['system']['group']))
foreach ($config['system']['group'] as $group)
- set_local_group($group);
-
- sync_webgui_passwords();
+ local_group_set($group);
}
-function set_local_user(& $user, $password = false) {
+function local_user_set(& $user) {
global $g;
$home_base = $g['platform'] == "pfSense" ? "/home" : "/var/home";
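Review bot: `local_user_set(& $user)` has lost its `$password` parameter, so it now depends on the hashes in `$user` having been filled in beforehand, but nothing at the definition says so. A one-line header comment would stop the next caller from passing a plain password and expecting it to be hashed: `/* Sync a config user entry to the system pw db; $user['password'] must already be set via local_user_set_password(). */`. The rest of the function body lies outside this hunk, so I cannot confirm which fields it consumes.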
@@ -168,30 +177,6 @@ function set_local_user(& $user, $password = false) {
$user_shell = "/etc/rc.initial";
$user_group = "nobody";
- /* set all password hashes if required */
- if ($password && strlen($password)) {
-
- $user['password'] = crypt($password);
- $user['md5-hash'] = md5($password);
-
- /*
- * NOTE : This section of code id based on the BSD
- * licensed CHAP.php courtesy of Michael Retterklieber.
- */
- /* Waiting for mhash to settle into the tree
- // Converts ascii to unicode.
- $astr = (string) $password;
- $ustr = '';
- for ($i = 0; $i < strlen($astr); $i++) {
- $a = ord($astr{$i}) << 8;
- $ustr.= sprintf("%X", $a);
- }
-
- // Generate the NT-HASH from the unicode string
- $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
- */
- }
-
/* configure shell type */
if (!hasPrivilegeShell($user)) {
if (!hasPrivilegeCopyFiles($user))
@@ -241,10 +226,10 @@ function set_local_user(& $user, $password = false) {
create_authorized_keys($user_name, $user_home);
}
-function del_local_user($user) {
+function local_user_del($user) {
/* remove all memberships */
- set_local_user_groups($user);
+ local_user_get_groups($user);
/* delete from pw db */
$cmd = "/usr/sbin/pw userdel {$user['name']}";
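Review bot: The rename in local_user_del turned `set_local_user_groups($user)` into `local_user_get_groups($user)`, so the call under the `/* remove all memberships */` comment now only builds a membership list and throws it away. The old call, with `$new_groups` left at NULL, is what pruned the user from every group in config; after this change `pw userdel` removes the system account while the uid presumably stays listed in the config groups and is re-applied by the next local_group_set. The line should read `local_user_set_groups($user);`. The remainder of local_user_del continues past the hunk.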
@@ -255,7 +240,30 @@ function del_local_user($user) {
pclose($fd);
}
-function get_local_user_groups($user, $all = false) {
+function local_user_set_password(& $user, $password) {
+
+ $user['password'] = crypt($password);
+ $user['md5-hash'] = md5($password);
+
+ /*
+ * NOTE : This section of code id based on the BSD
+ * licensed CHAP.php courtesy of Michael Retterklieber.
+ */
+ /* Waiting for mhash to settle into the tree
+ // Converts ascii to unicode.
+ $astr = (string) $password;
+ $ustr = '';
+ for ($i = 0; $i < strlen($astr); $i++) {
+ $a = ord($astr{$i}) << 8;
+ $ustr.= sprintf("%X", $a);
+ }
+
+ // Generate the NT-HASH from the unicode string
+ $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
+ */
+}
+
+function local_user_get_groups($user, $all = false) {
global $config;
$groups = array();
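Review bot: local_user_set_password calls `crypt($password)` with no salt argument, so the hash algorithm and salt depend on whatever the PHP build chooses by default, and it stores `md5($password)` unsalted beside it. The existing comment indicates the MD5 exists for CHAP, which makes it a password equivalent; that caveat belongs on the `$user['md5-hash'] = md5($password);` line, e.g. `/* unsalted, password-equivalent: needed for CHAP, protect config.xml accordingly */`. I would also pass an explicit `$1$`-style salt built from /dev/urandom bytes so the stored format is fixed rather than platform-dependent. The commented-out NT-hash block builds a hex string via `sprintf("%X", $a)` rather than UTF-16LE bytes, so it would yield wrong hashes if ever re-enabled and is better deleted than carried as dead code.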
@@ -273,13 +281,13 @@ function get_local_user_groups($user, $all = false) {
return $groups;
}
-function set_local_user_groups($user, $new_groups = NULL ) {
+function local_user_set_groups($user, $new_groups = NULL ) {
global $config, $groupindex;
if (!is_array($config['system']['group']))
return;
- $cur_groups = get_local_user_groups($user);
+ $cur_groups = local_user_get_groups($user);
$mod_groups = array();
if (!is_array($new_groups))
@@ -309,10 +317,10 @@ function set_local_user_groups($user, $new_groups = NULL ) {
/* sync all modified groups */
foreach ($mod_groups as $group)
- set_local_group($group);
+ local_group_set($group);
}
-function set_local_group($group, $reset = false) {
+function local_group_set($group, $reset = false) {
$group_name = $group['name'];
$group_gid = $group['gid'];
@@ -340,7 +348,7 @@ function set_local_group($group, $reset = false) {
pclose($fd);
}
-function del_local_group($group) {
+function local_group_del($group) {
/* delete from group db */
$cmd = "/usr/sbin/pw groupdel {$group['name']}";
@@ -351,294 +359,6 @@ function del_local_group($group) {
pclose($fd);
}
-function basic_auth($backing) {
- global $HTTP_SERVER_VARS;
-
- /* Check for AUTH_USER */
- if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
- $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
- $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
- }
-
- if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) {
- require_once("authgui.inc");
- header("WWW-Authenticate: Basic realm=\".\"");
- header("HTTP/1.0 401 Unauthorized");
- display_error_form("401", gettext("You must enter valid credentials to access this resource."));
- exit;
- }
-
- return $backing($HTTP_SERVER_VARS['AUTH_USER'],$HTTP_SERVER_VARS['AUTH_PW']);
-}
-
-function session_auth($backing) {
- global $g, $HTTP_SERVER_VARS, $userindex, $config;
-
- session_start();
-
- /* Validate incoming login request */
- if (isset($_POST['login'])) {
- if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
- $_SESSION['Logged_In'] = "True";
- $_SESSION['Username'] = $_POST['usernamefld'];
- $_SESSION['last_access'] = time();
- log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- } else {
- /* give the user a more detailed error message */
- if (isset($userindex[$_POST['usernamefld']])) {
- $_SESSION['Login_Error'] = "Username or Password incorrect";
- log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- if(isAjax()) {
- echo "showajaxmessage('{$_SESSION['Login_Error']}');";
- return;
- }
- } else {
- $_SESSION['Login_Error'] = "Username or Password incorrect";
- log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- if(isAjax()) {
- echo "showajaxmessage('{$_SESSION['Login_Error']}');";
- return;
- }
- }
- }
- }
-
- /* Show login page if they aren't logged in */
- if (empty($_SESSION['Logged_In'])) {
- /* Don't display login forms to AJAX */
- if (isAjax())
- return false;
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /* If session timeout isn't set, we don't mark sessions stale */
- if (!isset($config['system']['webgui']['session_timeout']) ||
- $config['system']['webgui']['session_timeout'] == 0 ||
- $config['system']['webgui']['session_timeout'] == "")
- $_SESSION['last_access'] = time();
- else {
- /* Check for stale session */
- if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
- $_GET['logout'] = true;
- $_SESSION['Logout'] = true;
- } else {
- /* only update if it wasn't ajax */
- if (!isAjax())
- $_SESSION['last_access'] = time();
- }
- }
-
- /* obtain user object */
- $user = getUserEntry($_SESSION['Username']);
-
- /* user hit the logout button */
- if (isset($_GET['logout'])) {
-
- if ($_SESSION['Logout'])
- log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
- else
- log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
-
- if (hasPrivilegeLock($user))
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
-
- /* wipe out $_SESSION */
- $_SESSION = array();
-
- if (isset($_COOKIE[session_name()]))
- setcookie(session_name(), '', time()-42000, '/');
-
- /* and destroy it */
- session_destroy();
-
- $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
- $scriptElms = count($scriptName);
- $scriptName = $scriptName[$scriptElms-1];
-
- if (isAjax())
- return false;
-
- /* redirect to page the user is on, it'll prompt them to login again */
- pfSenseHeader($scriptName);
-
- return false;
- }
-
- /*
- * user wants to explicitely delete the lock file.
- * Requires a particular privilege.
- */
- if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * user wants to explicitely create a lock.
- * Requires a particular privilege.
- */
- if ($_GET['createlock'] && hasPrivilegeLock($user)) {
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * this is for debugging purpose if you do not want to use Ajax
- * to submit a HTML form. It basically diables the observation
- * of the submit event and hence does not trigger Ajax.
- */
- if ($_GET['disable_ajax']) {
- $_SESSION['NO_AJAX'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * Same to re-enable Ajax.
- */
- if ($_GET['enable_ajax']) {
- unset($_SESSION['NO_AJAX']);
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * is the user is allowed to create a lock
- */
- if (hasPrivilegeLock($user)) {
-
- /*
- * create a lock once per session
- */
- if (!isset($_SESSION['Lock_Created'])) {
-
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- }
-
- } else {
-
- /*
- * give regular users a chance to automatically invalidate
- * a lock if its older than a particular time.
- */
- if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
-
- $offset = 12; //hours
- $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
- $now_minus_offset = mktime(date("H") - $offset, 0, 0,
- date("m"), date("d"), date("Y"));
-
- if (($mtime - $now_minus_offset) < $mtime) {
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /*
- * file is older than mtime + offset which may
- * indicate a stale lockfile, hence we are going
- * to remove it.
- */
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- }
- }
-
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
-}
-
-function pam_backed($username = "", $password = "") {
-
- /* do not allow blank passwords */
- if ($username == "" || password == "")
- return false;
-
- if (!extension_loaded( 'pam_auth'))
- if (!@dl('pam_auth.so'))
- return false;
-
- /* no php file no auth, sorry */
- if (!file_exists("/etc/pam.d/php")) {
-
- if (!file_exists("/etc/pam.d"))
- mkdir("/etc/pam.d");
-
- $pam_php = <<<EOD
-
-# /etc/pam.d/php
-#
-# note: both an auth and account entry are required
-
-# auth
-auth required pam_nologin.so no_warn
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_unix.so
-
-# session
-session required pam_permit.so
-
-# password
-password required pam_unix.so no_warn try_first_pass
-
-EOD;
-
- file_put_contents("/etc/pam.d/php", $pam_php);
- }
-
- if (pam_auth($username, $password, &$error))
- return true;
-
- return false;
-}
-
-function passwd_backed($username, $passwd) {
-
- $authfile = file("/etc/master.passwd");
- $matches="";
-
- /* Check to see if user even exists */
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /*
- * Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
-
- return false;
-}
-
function ldap_test_connection() {
global $config, $g;
@@ -686,8 +406,8 @@ function ldap_get_user_ous($show_complete_ou=true) {
$ldapfilter = "(ou=*)";
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
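Review bot: The fallback `$status = local_backed($username, $passwd);` inside ldap_get_user_ous references `$username` and `$passwd`, but the hunk header shows the signature `ldap_get_user_ous($show_complete_ou=true)`, so unless they are assigned earlier in the body (not visible here) they are undefined and local_backed runs on nulls. More to the point, an OU-enumeration helper should not be authenticating anyone as its error path; on a failed connect it should log and return an empty result, leaving authentication decisions to ldap_backed(). The bind-failure branch immediately below repeats the same pattern.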
@@ -695,8 +415,8 @@ function ldap_get_user_ous($show_complete_ou=true) {
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -762,8 +482,8 @@ function ldap_get_groups($username) {
/* connect and see if server is up */
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
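Review bot: ldap_get_groups takes only `$username`, yet its connect-failure branch now calls `local_backed($username, $passwd)` with a `$passwd` that is neither a parameter nor assigned anywhere in the hunk. Besides running local authentication from a group-lookup helper, the boolean result lands in `$status` where callers of a function named ldap_get_groups presumably expect a list. I would replace the fallback with `log_error(...); return array();` and keep authentication in ldap_backed().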
@@ -772,8 +492,8 @@ function ldap_get_groups($username) {
/* bind as user that has rights to read group attributes */
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -838,8 +558,8 @@ function ldap_backed($username, $passwd) {
/* first check if there is even an LDAP server populated */
if(!$ldapserver) {
- log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -849,15 +569,15 @@ function ldap_backed($username, $passwd) {
/* Make sure we can connect to LDAP */
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
/* ok, its up. now, lets bind as the bind user so we can search it */
if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
ldap_close($ldap);
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
return $status;
}
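Review bot: Every LDAP failure path in ldap_backed, including the connect and service-bind failures in this hunk, falls through to `local_backed($username, $passwd)`, so anyone who can make the LDAP server unreachable downgrades the deployment to local-password authentication for the duration. If that fail-open is intended as lockout protection for admin accounts, it deserves a comment saying so, e.g. `/* fail open to local accounts so an LDAP outage cannot lock admins out */`, and a log message that reads as a security event rather than a default; otherwise it should be limited to the "no LDAP server configured" case handled earlier. The unchanged context line `putenv('LDAPTLS_REQCERT=never');` disables certificate verification for this bind, which predates the commit but is worth a follow-up.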
@@ -914,7 +634,7 @@ function ldap_backed($username, $passwd) {
}
if ($matches != 1){
log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
$_SESSION['ldapon'] = "false";
ldap_close($ldap);
return $status;
@@ -956,7 +676,7 @@ function ldap_backed($username, $passwd) {
}
if($matches != 1){
log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
ldap_close($ldap);
$_SESSION['ldapon'] = "false";
return $status;
@@ -965,8 +685,8 @@ function ldap_backed($username, $passwd) {
/* Now lets bind as the user we found */
if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
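Review bot: The touched log line `log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. ...")` writes the user's cleartext password into the system log on every failed bind; the commit changed the fallback name on this line but kept the leak. Drop the interpolation: `log_error("ERROR! ldap_backed() could not bind to {$ldapserver} as {$username}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");`. Note also that `@ldap_bind($ldap, $binduser, $passwd)` returns false for an ordinary wrong password, so this path treats a bad-password attempt as a server failure and retries it against local accounts; a failed user bind should probably `return false;` here rather than fall back.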
@@ -976,30 +696,6 @@ function ldap_backed($username, $passwd) {
return true;
}
-function htpasswd_backed($username, $passwd) {
- $authfile = file("/var/run/htpasswd");
-
- /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
- unlink_if_exists("/usr/local/www/.htpasswd");
-
- $matches="";
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /* Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
-
- return false;
-}
-
function radius_backed($username, $passwd){
global $config, $debug;
$ret = false;
@@ -1043,4 +739,200 @@ function radius_backed($username, $passwd){
return $ret;
}
+function session_auth($backing) {
+ global $g, $HTTP_SERVER_VARS, $userindex, $config;
+
+ session_start();
+
+ /* Validate incoming login request */
+ if (isset($_POST['login'])) {
+ if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
+ $_SESSION['Logged_In'] = "True";
+ $_SESSION['Username'] = $_POST['usernamefld'];
+ $_SESSION['last_access'] = time();
+ log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ } else {
+ /* give the user a more detailed error message */
+ if (isset($userindex[$_POST['usernamefld']])) {
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ } else {
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ }
+ }
+ }
+
+ /* Show login page if they aren't logged in */
+ if (empty($_SESSION['Logged_In'])) {
+ /* Don't display login forms to AJAX */
+ if (isAjax())
+ return false;
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ }
+
+ /* If session timeout isn't set, we don't mark sessions stale */
+ if (!isset($config['system']['webgui']['session_timeout']) ||
+ $config['system']['webgui']['session_timeout'] == 0 ||
+ $config['system']['webgui']['session_timeout'] == "")
+ $_SESSION['last_access'] = time();
+ else {
+ /* Check for stale session */
+ if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
+ $_GET['logout'] = true;
+ $_SESSION['Logout'] = true;
+ } else {
+ /* only update if it wasn't ajax */
+ if (!isAjax())
+ $_SESSION['last_access'] = time();
+ }
+ }
+
+ /* obtain user object */
+ $user = getUserEntry($_SESSION['Username']);
+
+ /* user hit the logout button */
+ if (isset($_GET['logout'])) {
+
+ if ($_SESSION['Logout'])
+ log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+ else
+ log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+
+ if (hasPrivilegeLock($user))
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+
+ /* wipe out $_SESSION */
+ $_SESSION = array();
+
+ if (isset($_COOKIE[session_name()]))
+ setcookie(session_name(), '', time()-42000, '/');
+
+ /* and destroy it */
+ session_destroy();
+
+ $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
+ $scriptElms = count($scriptName);
+ $scriptName = $scriptName[$scriptElms-1];
+
+ if (isAjax())
+ return false;
+
+ /* redirect to page the user is on, it'll prompt them to login again */
+ pfSenseHeader($scriptName);
+
+ return false;
+ }
+
+ /*
+ * user wants to explicitely delete the lock file.
+ * Requires a particular privilege.
+ */
+ if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * user wants to explicitely create a lock.
+ * Requires a particular privilege.
+ */
+ if ($_GET['createlock'] && hasPrivilegeLock($user)) {
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
+ fclose($fd);
+
+ /*
+ * if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * this is for debugging purpose if you do not want to use Ajax
+ * to submit a HTML form. It basically diables the observation
+ * of the submit event and hence does not trigger Ajax.
+ */
+ if ($_GET['disable_ajax']) {
+ $_SESSION['NO_AJAX'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * Same to re-enable Ajax.
+ */
+ if ($_GET['enable_ajax']) {
+ unset($_SESSION['NO_AJAX']);
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * is the user is allowed to create a lock
+ */
+ if (hasPrivilegeLock($user)) {
+
+ /*
+ * create a lock once per session
+ */
+ if (!isset($_SESSION['Lock_Created'])) {
+
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
+ fclose($fd);
+
+ /*
+ * if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ }
+
+ } else {
+
+ /*
+ * give regular users a chance to automatically invalidate
+ * a lock if its older than a particular time.
+ */
+ if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
+
+ $offset = 12; //hours
+ $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
+ $now_minus_offset = mktime(date("H") - $offset, 0, 0,
+ date("m"), date("d"), date("Y"));
+
+ if (($mtime - $now_minus_offset) < $mtime) {
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ }
+
+ /*
+ * file is older than mtime + offset which may
+ * indicate a stale lockfile, hence we are going
+ * to remove it.
+ */
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ }
+ }
+
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+}
+
?>
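Review bot: On a successful POST login at `if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {` session_auth sets `$_SESSION['Logged_In']` without calling `session_regenerate_id(true);`, so a session id planted in the victim's cookie before login remains valid afterwards (session fixation); adding that call as the first statement of the branch closes it. The stale-lock test further down, `if (($mtime - $now_minus_offset) < $mtime)`, reduces to `$now_minus_offset > 0`, which is always true for a real timestamp, so the "remove stale lockfile" branch beneath it is unreachable and non-lock users see the login form whenever any lock exists; the intended comparison is presumably `if ($mtime > $now_minus_offset)`. `$_POST['usernamefld']` and the `$_GET[...]` flags are also read without `isset()`, and logout is triggered by a bare GET parameter that any cross-site link can set. This hunk moves the session_auth body that the large deletion hunk removed, so none of these are introduced here, but this is the code going forward.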