authorScott Ullrich <sullrich@pfsense.org>2008-01-31 18:16:40 +0000
committerScott Ullrich <sullrich@pfsense.org>2008-01-31 18:16:40 +0000
commitb0ed07d189f24b43c51c4399ebcdc58ec8a1dccc (patch)
treee56cbbf51ec22491fba1ad569b9225663df82073 /etc
parentf42fa13f971ebe66a855f3520b0199c76db0f6ad (diff)
downloadpfsense-b0ed07d189f24b43c51c4399ebcdc58ec8a1dccc.zip
pfsense-b0ed07d189f24b43c51c4399ebcdc58ec8a1dccc.tar.gz
Latest eDir / Active Directory tweaks from Mark Batchelor.
Thanks again to him for helping us with this project!
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/auth.inc1971
-rw-r--r--etc/inc/authgui.inc634
2 files changed, 1333 insertions, 1272 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 47b889d..262e8ab 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1,963 +1,1008 @@
-<?php
-/* $Id$ */
-/*
- Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
- All rights reserved.
-
- Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
- All rights reserved.
-
- Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
- All rights reserved.
-
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require_once("functions.inc");
-$groupindex = index_groups();
-$userindex = index_users();
-
-function logout_session() {
- global $_SESSION;
-
- if (hasLockAbility($_SESSION['Username'])) {
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- }
-
- /* wipe out $_SESSION */
- $_SESSION = array();
-
- /* and destroy it */
- session_destroy();
-
- $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
- $scriptElms = count($scriptName);
- $scriptName = $scriptName[$scriptElms-1];
-}
-
-function getAllowedGroups($logged_in_user) {
- global $g, $config;
-
- if(!function_exists("ldap_connect"))
- return;
-
- $allowed = array();
- $allowed_groups = array();
-
- log_error("Getting groups for {$logged_in_user}.");
-
- $local_user = false;
-
- foreach($config['system']['user'] as $username)
- if($username['name'] == $logged_in_user)
- $local_user = true;
-
- /* return ldap groups if we are in ldap mode */
- if($config['system']['webgui']['backend'] == "ldap" && $local_user == false) {
- $allowed_groups = ldap_get_groups($logged_in_user);
- $fdny = fopen("/tmp/groups","w");
- fwrite($fdny, print_r($allowed, true));
- fclose($fdny);
- $allowed = array();
- if(is_array($config['system']['group']) && is_array($allowed_groups)) {
- foreach($config['system']['group'] as $group) {
- if(in_array($group['name'], $allowed_groups)) {
- foreach($group['pages'] as $page) {
- $allowed[] = $page;
- }
- }
- }
- }
- return $allowed;
- }
-
- $final_allowed = array();
-
- foreach($config['system']['user'] as $username) {
- if($username['name'] == $logged_in_user)
- $allowed_groups = explode(",", $username['groupname']);
- }
-
- foreach($config['system']['group'] as $group) {
- if(in_array($group['name'], $allowed_groups)) {
- foreach($group['pages'] as $page) {
- $allowed[] = $page;
- }
- }
- }
-
- return $allowed;
-}
-
-function &getSystemAdminNames() {
- global $config, $g, $userindex;
- $adminUsers = array();
-
- if (is_array($config['system']['user'])) {
- foreach($config['system']['user'] as $user){
- if (isSystemAdmin($user['name'])) {
- $adminUsers[] = $user['name'];
- }
- }
- }
-
- return $adminUsers;
-}
-
-function &getSystemPrivs() {
- global $g;
-
- $privs = array();
-
- $privs[] = array("id" => "lockwc",
- "name" => "Lock webConfigurator",
- "desc" => "Indicates whether this user will lock access to " .
- "the webConfigurator for other users.");
- $privs[] = array("id" => "lock-ipages",
- "name" => "Lock individual pages",
- "desc" => "Indicates whether this user will lock individual " .
- "HTML pages after having accessed a particular page" .
- "(the lock will be freed if the user leaves or " .
- "saves the page form).");
- $privs[] = array("id" => "hasshell",
- "name" => "Has shell access",
- "desc" => "Indicates whether this user is able to login for " .
- "example via SSH.");
- $privs[] = array("id" => "copyfiles",
- "name" => "Is allowed to copy files",
- "desc" => "Indicates whether this user is allowed to copy files " .
- "onto the {$g['product_name']} appliance via SCP/SFTP. " .
- "If you are going to use this privilege, you must install " .
- "scponly on the appliance (Hint: pkg_add -r scponly).");
- $privs[] = array("id" => "isroot",
- "name" => "Is root user",
- "desc" => "This user is associated with the UNIX root user " .
- "(you should associate this privilege only with one " .
- "single user).");
-
- return $privs;
-}
-
-function assignUID($username = "") {
- global $userindex, $config, $g;
-
- if ($username == "") { return; }
-
- $nextuid = $config['system']['nextuid'];
- $user =& $config['system']['user'][$userindex[$username]];
-
- if (empty($user['uid'])) {
- $user['uid'] = $nextuid;
- $nextuid++;
- $config['system']['nextuid'] = $nextuid;
-
- write_config();
-
- return $user;
- }
-}
-
-function assignGID($groupname = "") {
- global $groupindex, $config, $g;
-
- if ($groupname == "") { return; }
-
- $nextgid = $config['system']['nextgid'];
- $group =& $config['system']['group'][$groupindex[$groupname]];
-
- if (empty($group['gid'])) {
- $group['gid'] = $nextgid;
- $nextgid++;
- $config['system']['nextgid'] = $nextgid;
-
- write_config();
-
- return $group;
- }
-}
-
-function hasPrivilege($user, $privid = "") {
- global $userindex, $config, $g;
-
- if ($privid == "" || ! isset($userindex[$user])) { return 0; }
-
- $privs = &$config['system']['user'][$userindex[$user]]['priv'];
-
- if (is_array($privs)) {
- foreach($privs as $priv){
- if ($priv['id'] == $privid) {
- return 1;
- }
- }
- }
-
- return 0;
-}
-
-function isAllowedToCopyFiles($username) {
- global $userindex, $config, $g;
-
- if ($username == "") { return 0; }
-
- return hasPrivilege($username, "copyfiles");
-}
-
-function hasLockAbility($username) {
- global $userindex, $config, $g;
-
- if ($username == "") { return 0; }
-
- return hasPrivilege($username, "lockwc");
-}
-
-function hasPageLockAbility($username) {
- global $userindex, $config, $g;
-
- if ($username == "") { return 0; }
-
- return hasPrivilege($username, "lock-ipages");
-}
-
-function hasShellAccess($username) {
- global $userindex, $config, $g;
-
- if ($username == "") { return 0; }
-
- return hasPrivilege($username, "hasshell");
-}
-
-function isUNIXRoot($username = "") {
- global $userindex, $config;
-
- if ($username == "") { return 0; }
-
- if (isSystemAdmin($username)) {
- return hasPrivilege($username, "isroot");
- }
-
- return 0;
-}
-
-function setUserFullName($name = "", $new_name = "") {
- global $config, $g, $userindex;
-
- if ($name == "" || $new_name == "") { return; }
-
- $user = &$config['system']['user'][$userindex[$name]];
- $user['fullname'] = $new_name;
-}
-
-function setUserName($name = "", $new_name = "") {
- global $config, $g, $userindex;
-
- if ($name == "" || $new_name == "") { return; }
-
- $user = &$config['system']['user'][$userindex[$name]];
- $user['name'] = $new_name;
-}
-
-function setUserPWD($name = "", $password = "") {
- global $config, $g, $userindex;
-
- if ($name == "" || $password == "") { return; }
-
- $user = &$config['system']['user'][$userindex[$name]];
- $user['password'] = crypt($password);
-}
-
-function setUserGroupName($name = "", $new_name = "") {
- global $config, $g, $userindex;
-
- if ($name == "" || $new_name == "") { return; }
-
- $user = &$config['system']['user'][$userindex[$name]];
- $user['groupname'] = $new_name;
-}
-
-function setUserType($name = "", $new_type = "") {
- global $config, $g, $userindex;
-
- if ($name == "" || $new_type == "") { return; }
-
- $user = &$config['system']['user'][$userindex[$name]];
- $user['scope'] = $new_type;
-}
-
-function getUNIXRoot() {
- global $config, $g, $userindex;
-
- if (is_array($config['system']['user'])) {
- foreach($config['system']['user'] as $user){
- if (isUNIXRoot($user['name'])) {
- $root = &$config['system']['user'][$userindex[$user['name']]];
- return $root;
- }
- }
- }
-
- return NULL;
-}
-
-function getUNIXRootName() {
- global $config, $g, $userindex;
-
- if (is_array($config['system']['user'])) {
- foreach($config['system']['user'] as $user){
- if (isUNIXRoot($user['name'])) {
- return $user['name'];
- }
- }
- }
-
- return NULL;
-}
-
-function getGroupHomePage($group = "") {
- global $groupindex, $config, $g;
-
- if ($group == "") { return ""; }
-
- $page = $config['system']['group'][$groupindex[$group]]['home'];
- if(empty($page)) { $page = ""; }
- return $page;
-}
-
-function isSystemAdmin($username = "") {
- global $groupindex, $userindex, $config, $g, $_SESSION;
-
- if($_SESSION['isSystemAdmin'])
- return $_SESSION['isSystemAdmin'];
-
- if(!function_exists("ldap_connect"))
- return;
-
- if($config['system']['webgui']['backend'] == "ldap") {
- $groups = ldap_get_groups($username);
- if(is_array($groups)){
- if(in_array("admins", $groups)) {
- $_SESSION['isSystemAdmin'] = true;
- return true;
- }
- }
- }
-
- if ($username == "") {
- $_SESSION['isSystemAdmin'] = false;
- return 0;
- }
-
- $gname = $config['system']['group'][$groupindex[$config['system']['user'][$userindex[$username]]['groupname']]]['name'];
-
- if (isset($gname)) {
- $_SESSION['isSystemAdmin'] = $gname === $g["admin_group"];
- return ($gname === $g["admin_group"]);
- }
-
- $_SESSION['isSystemAdmin'] = false;
-
- return 0;
-}
-
-function getRealName($username = "") {
- global $userindex, $config;
-
- if ($username == "") { return ""; }
-
- return $config['system']['user'][$userindex[$username]]['fullname'];
-
-}
-
-function basic_auth($backing) {
- global $HTTP_SERVER_VARS;
-
- /* Check for AUTH_USER */
- if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
- $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
- $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
- }
- if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) {
- require_once("authgui.inc");
- header("WWW-Authenticate: Basic realm=\".\"");
- header("HTTP/1.0 401 Unauthorized");
- display_error_form("401", gettext("You must enter valid credentials to access this resource."));
- exit;
- } else {
- return $backing($HTTP_SERVER_VARS['AUTH_USER'],$HTTP_SERVER_VARS['AUTH_PW']);
- }
-}
-
-function session_auth($backing) {
- global $g, $HTTP_SERVER_VARS, $userindex, $config;
-
- session_start();
-
- /* Validate incoming login request */
- if (isset($_POST['login'])) {
- if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
- $_SESSION['Logged_In'] = "True";
- $_SESSION['Username'] = $_POST['usernamefld'];
- $_SESSION['last_access'] = time();
- } else {
- /* give the user a more detailed error message */
- if (isset($userindex[$_POST['usernamefld']])) {
- $_SESSION['Login_Error'] = "Wrong password";
- if(isAjax()) {
- echo "showajaxmessage('Wrong password');";
- return;
- }
- } else {
- $_SESSION['Login_Error'] = "User does not exist";
- if(isAjax()) {
- echo "showajaxmessage('User does not exist');";
- return;
- }
- }
- }
- }
-
- /* Show login page if they aren't logged in */
- if (empty($_SESSION['Logged_In'])) {
- /* Don't display login forms to AJAX */
- if (isAjax())
- return false;
- require_once("authgui.inc");
- display_login_form();
- return false;
- } else {
- /* If session timeout isn't set, we don't mark sessions stale */
- if (!isset($config['system']['webgui']['session_timeout']) or
- $config['system']['webgui']['session_timeout'] == 0 or
- $config['system']['webgui']['session_timeout'] == "")
- $_SESSION['last_access'] = time();
- else
- /* Check for stale session */
- if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60)))
- $_GET['logout'] = true;
- else
- /* only update if it wasn't ajax */
- if (!isAjax())
- $_SESSION['last_access'] = time();
-
- /* user hit the logout button */
- if (isset($_GET['logout'])) {
- if (hasLockAbility($_SESSION['Username'])) {
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- }
-
- /* wipe out $_SESSION */
- $_SESSION = array();
-
- if (isset($_COOKIE[session_name()])) {
- setcookie(session_name(), '', time()-42000, '/');
- }
-
- /* and destroy it */
- session_destroy();
-
- $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
- $scriptElms = count($scriptName);
- $scriptName = $scriptName[$scriptElms-1];
-
- if (isAjax())
- return false;
-
- /* redirect to page the user is on, it'll prompt them to login again */
- pfSenseHeader($scriptName);
-
- return false;
-
- /* user wants to explicitely delete the log file.
- * Requires a particular privilege.
- */
- } else if ($_GET['deletelock'] && hasLockAbility($_SESSION['Username'])) {
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
-
- /* this is for debugging purpose if you do not want to use Ajax
- * to submit a HTML form. It basically diables the observation
- * of the submit event and hence does not trigger Ajax.
- */
- } else if ($_GET['disable_ajax']) {
- $_SESSION['NO_AJAX'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
-
- /* Same to re-enable Ajax.
- */
- } else if ($_GET['enable_ajax']) {
- unset($_SESSION['NO_AJAX']);
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
-
- /* user wants to explicitely create a lock.
- * Requires a particular privilege.
- */
- } else if ($_GET['createlock'] && hasLockAbility($_SESSION['Username'])) {
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" .
- getRealName($_SESSION['Username']) . ")");
- fclose($fd);
- /* if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
-
- /* proceed with the login process */
- } else {
- /* if the user is allowed to create a lock,
- * create it once per session.
- */
- if (hasLockAbility($_SESSION['Username']) &&
- ! isset($_SESSION['Lock_Created'])) {
-
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" .
- getRealName($_SESSION['Username']) . ")");
- fclose($fd);
- /* if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
-
- /* give regular users a chance to automatically invalidate
- * a lock if its older than a particular time.
- */
- } else if (! hasLockAbility($_SESSION['Username']) &&
- file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
-
- $offset = 12; //hours
- $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
- $now_minus_offset = mktime(date("H") - $offset, 0, 0, date("m"), date("d"), date("Y"));
-
- if (($mtime - $now_minus_offset) < $mtime) {
- require_once("authgui.inc");
- display_login_form();
- return false;
- } else {
- /* file is older than mtime + offset which may
- * indicate a stale lockfile, hence we are going
- * to remove it.
- */
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- }
- }
-
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
- }
-}
-
-function pam_backed($username = "", $password = "") {
- /* do not allow blank passwords */
- if ($username == "" || password == "") { return false; }
-
- if(! extension_loaded( 'pam_auth' )) {
- if(! @dl( 'pam_auth.so' )) {
- return false;
- } else {
- /* no php file no auth, sorry */
- if (! file_exists("/etc/pam.d/php")) {
- if (! file_exists("/etc/pam.d")) { mkdir("/etc/pam.d"); }
-
- $pam_php = <<<EOD
-# /etc/pam.d/php
-#
-# note: both an auth and account entry are required
-
-# auth
-auth required pam_nologin.so no_warn
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_unix.so
-
-# session
-session required pam_permit.so
-
-# password
-password required pam_unix.so no_warn try_first_pass
-
-EOD;
-
- file_put_contents("/etc/pam.d/php", $pam_php);
- } // end if
-
- if (pam_auth($username, $password, &$error)) {
- return true;
- } else {
- return false;
- }
- }
- }
-}
-
-function passwd_backed($username, $passwd) {
- $authfile = file("/etc/master.passwd");
-
- $matches="";
-
- /* Check to see if user even exists */
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /* Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
- else
- return false;
-}
-
-function ldap_test_connection() {
- global $config, $g;
-
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
-
- if (!($ldap = ldap_connect($ldapserver))) {
- return false;
- }
-
- return true;
-}
-
-function ldap_test_bind() {
- global $config, $g;
-
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
-
- if (!($ldap = ldap_connect($ldapserver))) {
- return false;
- }
-
- ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
-
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- return false;
- }
-
- return true;
-}
-
-function ldap_get_user_ous($show_complete_ou=false) {
- global $config, $g;
-
- if(!function_exists("ldap_connect"))
- return;
-
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
- $ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
-
- $ldapfilter = "(ou=*)";
-
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
-
- ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
-
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
-
- $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter);
-
- $info = ldap_get_entries($ldap, $search);
-
- $ous = array();
-
- if(is_array($info)) {
- foreach($info as $inf) {
- if(!$show_complete_ou) {
- $inf_split = split(",", $inf['dn']);
- $ou = $inf_split[0];
- $ou = str_replace("OU=","", $ou);
- } else {
- if($inf['dn'])
- $ou = $inf['dn'];
- }
- if($ou)
- $ous[] = $ou;
- }
- }
-
- $ous[] = "OU=Users," . $ldapsearchbase;
-
- return $ous;
-
-}
-
-function ldap_get_groups($username) {
- global $config;
-
- if(!function_exists("ldap_connect"))
- return;
-
- if(!$username)
- return false;
-
- if(stristr($username, "@")) {
- $username_split=split("\@", $username);
- $username = $username_split[0];
- }
-
- log_error("Getting LDAP groups for {$username}.");
-
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
-
- $ldapfilter = $config['system']['webgui']['ldapfilter'];
- $ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
- $ldapfilter = str_replace("\$username", $username, $ldapfilter);
- $ldapauthcontainers = $config['system']['webgui']['ldapauthcontainers'];
-
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
-
- ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
-
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
-
- /* user specified login containers */
- $ldac_split = split(";", $ldapauthcontainers);
- $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter);
-
- if(!$search) {
- log_error("ERROR! Could not locate User group container for username {$username}.");
- log_error(" Please ensure that the needed container is defined in the ldap auth containers setting feature.");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
-
- $info = ldap_get_entries($ldap, $search);
-
- /* find home container */
- foreach($info as $inf) {
- $inf_split = split(",", $inf['dn']);
- $ou = $inf_split[1];
- }
-
- if(!$ou) {
- log_error("Could not resolve users home container for {$username}");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
-
- $search = ldap_search($ldap, $ldapauthcontainers, $ldapfilter, array('groupmembership'));
-
- $info = ldap_get_entries($ldap, $search);
- $countem = $info["count"];
- $memberof = array();
-
- log_error("USER HAS {$countem} LDAP Groups it is {$info[0]['groupmembership'][0]}");
-
- if(is_array($info[0]['groupmembership'])) {
- foreach($info[0]['groupmembership'] as $member) {
- if(strstr($member, "cn=") !== false) {
- $membersplit = split(",", $member);
- $memberof[] = str_replace("cn=", "", $membersplit[0]);
- }
- }
- }
-
- /* Time to close LDAP connection */
- ldap_close($ldap);
-
- $groups = print_r($memberof,true);
-
- log_error("Returning groups " . $groups . " for user $username");
-
- return $memberof;
-}
-
-function ldap_backed($username, $passwd) {
- global $config;
-
- if(!$username)
- return;
-
- if(!function_exists("ldap_connect"))
- return;
-
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
- $ldapauthcont = $config['system']['webgui']['ldapauthcontainers'];
-
- if(!$ldapserver) {
- log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
-
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
- /* HARD CODED - need to have a uid or something here */
- $binduser = 'cn='.$username.','.$ldapauthcont;
- log_error("BINDUSER ==== {$binduser}");
- if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
- return $status;
- }
-
- log_error("$username logged in via LDAP.");
- log_error("$binduser ldap name logged in via LDAP.");
- /* At this point we are binded to LDAP so the user was auth'd okay. */
- return true;
-}
-
-function htpasswd_backed($username, $passwd) {
- $authfile = file("/var/run/htpasswd");
-
- /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
- unlink_if_exists("/usr/local/www/.htpasswd");
-
- $matches="";
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /* Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
- else
- return false;
-}
-
-function radius_backed($username, $passwd){
- global $config, $debug;
- $ret = false;
- $radiusservers = $config['system']['radius']['servers'];
-
- $rauth = new Auth_RADIUS_PAP($username, $passwd);
- foreach ($radiusservers as $radsrv) {
- // Add a new server to our instance
- $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret']);
- }
-
- if (!$rauth->start()) {
- $retvalue['auth_val'] = 1;
- $retvalue['error'] = $rauth->getError();
- if ($debug)
- printf("Radius start: %s<br>\n", $retvalue['error']);
- }
-
- // XXX - billm - somewhere in here we need to handle securid challenge/response
-
- // Send request
- $result = $rauth->send();
- if (PEAR::isError($result)) {
- $retvalue['auth_val'] = 1;
- $retvalue['error'] = $result->getMessage();
- if ($debug)
- printf("Radius send failed: %s<br>\n", $retvalue['error']);
- } else if ($result === true) {
- $retvalue['auth_val'] = 2;
- if ($debug)
- printf (gettext("Radius Auth succeeded") . "<br>\n");
- $ret = true;
- } else {
- $retvalue['auth_val'] = 3;
- if ($debug)
- printf (gettext("Radius Auth rejected") . "<br>\n");
- }
- // close OO RADIUS_AUTHENTICATION
- $rauth->close();
-
- return $ret;
-}
-
-
-function index_groups() {
- global $g, $config, $groupindex;
-
- $groupindex = array();
-
- if (isset($config['system']['group'])) {
- $i = 0;
- foreach($config['system']['group'] as $groupent) {
- $groupindex[$groupent['name']] = $i;
- $i++;
- }
- }
- return ($groupindex);
-}
-
-function index_users() {
- global $g, $config;
-
- if (isset($config['system']['user'])) {
- $i = 0;
- foreach($config['system']['user'] as $userent) {
- $userindex[$userent['name']] = $i;
- $i++;
- }
- }
- return ($userindex);
-}
-
-?> \ No newline at end of file
+<?php
+/* $Id$ */
+/*
+ Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
+ All rights reserved.
+
+ Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
+ All rights reserved.
+
+ Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
+ All rights reserved.
+
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once("functions.inc");
+$groupindex = index_groups();
+$userindex = index_users();
+
+function logout_session() {
+ global $_SESSION;
+
+ if (hasLockAbility($_SESSION['Username'])) {
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ }
+
+ /* wipe out $_SESSION */
+ $_SESSION = array();
+
+ /* and destroy it */
+ session_destroy();
+
+ $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
+ $scriptElms = count($scriptName);
+ $scriptName = $scriptName[$scriptElms-1];
+}
+
+function getAllowedGroups($logged_in_user) {
+ global $g, $config;
+
+ if(!function_exists("ldap_connect"))
+ return;
+
+ $allowed = array();
+ $allowed_groups = array();
+
+ log_error("Getting groups for {$logged_in_user}.");
+
+ $local_user = false;
+
+ foreach($config['system']['user'] as $username)
+ if($username['name'] == $logged_in_user)
+ $local_user = true;
+
+ /* return ldap groups if we are in ldap mode */
+ if($config['system']['webgui']['backend'] == "ldap" && $local_user == false) {
+ $allowed_groups = ldap_get_groups($logged_in_user);
+ $fdny = fopen("/tmp/groups","w");
+ fwrite($fdny, print_r($allowed, true));
+ fclose($fdny);
+ $allowed = array();
+ if(is_array($config['system']['group']) && is_array($allowed_groups)) {
+ foreach($config['system']['group'] as $group) {
+ if(in_array($group['name'], $allowed_groups)) {
+ foreach($group['pages'] as $page) {
+ $allowed[] = $page;
+ }
+ }
+ }
+ }
+ return $allowed;
+ }
+ if($config['system']['webgui']['backend'] == "ldapother" && $local_user == false) {
+ $allowed_groups = ldap_get_groups($logged_in_user);
+ $fdny = fopen("/tmp/groups","w");
+ fwrite($fdny, print_r($allowed, true));
+ fclose($fdny);
+ $allowed = array();
+ if(is_array($config['system']['group']) && is_array($allowed_groups)) {
+ foreach($config['system']['group'] as $group) {
+ if(in_array($group['name'], $allowed_groups)) {
+ foreach($group['pages'] as $page) {
+ $allowed[] = $page;
+ }
+ }
+ }
+ }
+ return $allowed;
+ }
+
+ $final_allowed = array();
+
+ foreach($config['system']['user'] as $username) {
+ if($username['name'] == $logged_in_user)
+ $allowed_groups = explode(",", $username['groupname']);
+ }
+
+ foreach($config['system']['group'] as $group) {
+ if(in_array($group['name'], $allowed_groups)) {
+ foreach($group['pages'] as $page) {
+ $allowed[] = $page;
+ }
+ }
+ }
+
+ return $allowed;
+}
+
+function &getSystemAdminNames() {
+ global $config, $g, $userindex;
+ $adminUsers = array();
+
+ if (is_array($config['system']['user'])) {
+ foreach($config['system']['user'] as $user){
+ if (isSystemAdmin($user['name'])) {
+ $adminUsers[] = $user['name'];
+ }
+ }
+ }
+
+ return $adminUsers;
+}
+
+function &getSystemPrivs() {
+ global $g;
+
+ $privs = array();
+
+ $privs[] = array("id" => "lockwc",
+ "name" => "Lock webConfigurator",
+ "desc" => "Indicates whether this user will lock access to " .
+ "the webConfigurator for other users.");
+ $privs[] = array("id" => "lock-ipages",
+ "name" => "Lock individual pages",
+ "desc" => "Indicates whether this user will lock individual " .
+ "HTML pages after having accessed a particular page" .
+ "(the lock will be freed if the user leaves or " .
+ "saves the page form).");
+ $privs[] = array("id" => "hasshell",
+ "name" => "Has shell access",
+ "desc" => "Indicates whether this user is able to login for " .
+ "example via SSH.");
+ $privs[] = array("id" => "copyfiles",
+ "name" => "Is allowed to copy files",
+ "desc" => "Indicates whether this user is allowed to copy files " .
+ "onto the {$g['product_name']} appliance via SCP/SFTP. " .
+ "If you are going to use this privilege, you must install " .
+ "scponly on the appliance (Hint: pkg_add -r scponly).");
+ $privs[] = array("id" => "isroot",
+ "name" => "Is root user",
+ "desc" => "This user is associated with the UNIX root user " .
+ "(you should associate this privilege only with one " .
+ "single user).");
+
+ return $privs;
+}
+
+function assignUID($username = "") {
+ global $userindex, $config, $g;
+
+ if ($username == "") { return; }
+
+ $nextuid = $config['system']['nextuid'];
+ $user =& $config['system']['user'][$userindex[$username]];
+
+ if (empty($user['uid'])) {
+ $user['uid'] = $nextuid;
+ $nextuid++;
+ $config['system']['nextuid'] = $nextuid;
+
+ write_config();
+
+ return $user;
+ }
+}
+
+function assignGID($groupname = "") {
+ global $groupindex, $config, $g;
+
+ if ($groupname == "") { return; }
+
+ $nextgid = $config['system']['nextgid'];
+ $group =& $config['system']['group'][$groupindex[$groupname]];
+
+ if (empty($group['gid'])) {
+ $group['gid'] = $nextgid;
+ $nextgid++;
+ $config['system']['nextgid'] = $nextgid;
+
+ write_config();
+
+ return $group;
+ }
+}
+
+function hasPrivilege($user, $privid = "") {
+ global $userindex, $config, $g;
+
+ if ($privid == "" || ! isset($userindex[$user])) { return 0; }
+
+ $privs = &$config['system']['user'][$userindex[$user]]['priv'];
+
+ if (is_array($privs)) {
+ foreach($privs as $priv){
+ if ($priv['id'] == $privid) {
+ return 1;
+ }
+ }
+ }
+
+ return 0;
+}
+
+function isAllowedToCopyFiles($username) {
+ global $userindex, $config, $g;
+
+ if ($username == "") { return 0; }
+
+ return hasPrivilege($username, "copyfiles");
+}
+
+function hasLockAbility($username) {
+ global $userindex, $config, $g;
+
+ if ($username == "") { return 0; }
+
+ return hasPrivilege($username, "lockwc");
+}
+
+function hasPageLockAbility($username) {
+ global $userindex, $config, $g;
+
+ if ($username == "") { return 0; }
+
+ return hasPrivilege($username, "lock-ipages");
+}
+
+function hasShellAccess($username) {
+ global $userindex, $config, $g;
+
+ if ($username == "") { return 0; }
+
+ return hasPrivilege($username, "hasshell");
+}
+
+function isUNIXRoot($username = "") {
+ global $userindex, $config;
+
+ if ($username == "") { return 0; }
+
+ if (isSystemAdmin($username)) {
+ return hasPrivilege($username, "isroot");
+ }
+
+ return 0;
+}
+
+function setUserFullName($name = "", $new_name = "") {
+ global $config, $g, $userindex;
+
+ if ($name == "" || $new_name == "") { return; }
+
+ $user = &$config['system']['user'][$userindex[$name]];
+ $user['fullname'] = $new_name;
+}
+
+function setUserName($name = "", $new_name = "") {
+ global $config, $g, $userindex;
+
+ if ($name == "" || $new_name == "") { return; }
+
+ $user = &$config['system']['user'][$userindex[$name]];
+ $user['name'] = $new_name;
+}
+
+function setUserPWD($name = "", $password = "") {
+ global $config, $g, $userindex;
+
+ if ($name == "" || $password == "") { return; }
+
+ $user = &$config['system']['user'][$userindex[$name]];
+ $user['password'] = crypt($password);
+}
+
+function setUserGroupName($name = "", $new_name = "") {
+ global $config, $g, $userindex;
+
+ if ($name == "" || $new_name == "") { return; }
+
+ $user = &$config['system']['user'][$userindex[$name]];
+ $user['groupname'] = $new_name;
+}
+
+function setUserType($name = "", $new_type = "") {
+ global $config, $g, $userindex;
+
+ if ($name == "" || $new_type == "") { return; }
+
+ $user = &$config['system']['user'][$userindex[$name]];
+ $user['scope'] = $new_type;
+}
+
+function getUNIXRoot() {
+ global $config, $g, $userindex;
+
+ if (is_array($config['system']['user'])) {
+ foreach($config['system']['user'] as $user){
+ if (isUNIXRoot($user['name'])) {
+ $root = &$config['system']['user'][$userindex[$user['name']]];
+ return $root;
+ }
+ }
+ }
+
+ return NULL;
+}
+
+function getUNIXRootName() {
+ global $config, $g, $userindex;
+
+ if (is_array($config['system']['user'])) {
+ foreach($config['system']['user'] as $user){
+ if (isUNIXRoot($user['name'])) {
+ return $user['name'];
+ }
+ }
+ }
+
+ return NULL;
+}
+
+function getGroupHomePage($group = "") {
+ global $groupindex, $config, $g;
+
+ if ($group == "") { return ""; }
+
+ $page = $config['system']['group'][$groupindex[$group]]['home'];
+ if(empty($page)) { $page = ""; }
+ return $page;
+}
+
+function isSystemAdmin($username = "") {
+ global $groupindex, $userindex, $config, $g, $_SESSION;
+
+ if($_SESSION['isSystemAdmin'])
+ return $_SESSION['isSystemAdmin'];
+
+ if(!function_exists("ldap_connect"))
+ return;
+
+ if($config['system']['webgui']['backend'] == "ldap") {
+ $groups = ldap_get_groups($username);
+ if(is_array($groups)){
+ if(in_array("admins", $groups)) {
+ $_SESSION['isSystemAdmin'] = true;
+ return true;
+ }
+ }
+ }
+ if($config['system']['webgui']['backend'] == "ldapother") {
+ $groups = ldap_get_groups($username);
+ if(is_array($groups)){
+ if(in_array("admins", $groups)) {
+ $_SESSION['isSystemAdmin'] = true;
+ return true;
+ }
+ }
+ }
+
+ if ($username == "") {
+ $_SESSION['isSystemAdmin'] = false;
+ return 0;
+ }
+
+ $gname = $config['system']['group'][$groupindex[$config['system']['user'][$userindex[$username]]['groupname']]]['name'];
+
+ if (isset($gname)) {
+ $_SESSION['isSystemAdmin'] = $gname === $g["admin_group"];
+ return ($gname === $g["admin_group"]);
+ }
+
+ $_SESSION['isSystemAdmin'] = false;
+
+ return 0;
+}
+
+function getRealName($username = "") {
+ global $userindex, $config;
+
+ if ($username == "") { return ""; }
+
+ return $config['system']['user'][$userindex[$username]]['fullname'];
+
+}
+
+function basic_auth($backing) {
+ global $HTTP_SERVER_VARS;
+
+ /* Check for AUTH_USER */
+ if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
+ $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
+ $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
+ }
+ if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) {
+ require_once("authgui.inc");
+ header("WWW-Authenticate: Basic realm=\".\"");
+ header("HTTP/1.0 401 Unauthorized");
+ display_error_form("401", gettext("You must enter valid credentials to access this resource."));
+ exit;
+ } else {
+ return $backing($HTTP_SERVER_VARS['AUTH_USER'],$HTTP_SERVER_VARS['AUTH_PW']);
+ }
+}
+
+function session_auth($backing) {
+ global $g, $HTTP_SERVER_VARS, $userindex, $config;
+
+ session_start();
+
+ /* Validate incoming login request */
+ if (isset($_POST['login'])) {
+ if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
+ $_SESSION['Logged_In'] = "True";
+ $_SESSION['Username'] = $_POST['usernamefld'];
+ $_SESSION['last_access'] = time();
+ } else {
+ /* give the user a more detailed error message */
+ if (isset($userindex[$_POST['usernamefld']])) {
+ $_SESSION['Login_Error'] = "Wrong password";
+ if(isAjax()) {
+ echo "showajaxmessage('Wrong password');";
+ return;
+ }
+ } else {
+ $_SESSION['Login_Error'] = "User does not exist";
+ if(isAjax()) {
+ echo "showajaxmessage('User does not exist');";
+ return;
+ }
+ }
+ }
+ }
+
+ /* Show login page if they aren't logged in */
+ if (empty($_SESSION['Logged_In'])) {
+ /* Don't display login forms to AJAX */
+ if (isAjax())
+ return false;
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ } else {
+ /* If session timeout isn't set, we don't mark sessions stale */
+ if (!isset($config['system']['webgui']['session_timeout']) or
+ $config['system']['webgui']['session_timeout'] == 0 or
+ $config['system']['webgui']['session_timeout'] == "")
+ $_SESSION['last_access'] = time();
+ else
+ /* Check for stale session */
+ if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60)))
+ $_GET['logout'] = true;
+ else
+ /* only update if it wasn't ajax */
+ if (!isAjax())
+ $_SESSION['last_access'] = time();
+
+ /* user hit the logout button */
+ if (isset($_GET['logout'])) {
+ if (hasLockAbility($_SESSION['Username'])) {
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ }
+
+ /* wipe out $_SESSION */
+ $_SESSION = array();
+
+ if (isset($_COOKIE[session_name()])) {
+ setcookie(session_name(), '', time()-42000, '/');
+ }
+
+ /* and destroy it */
+ session_destroy();
+
+ $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
+ $scriptElms = count($scriptName);
+ $scriptName = $scriptName[$scriptElms-1];
+
+ if (isAjax())
+ return false;
+
+ /* redirect to page the user is on, it'll prompt them to login again */
+ pfSenseHeader($scriptName);
+
+ return false;
+
+ /* user wants to explicitely delete the log file.
+ * Requires a particular privilege.
+ */
+ } else if ($_GET['deletelock'] && hasLockAbility($_SESSION['Username'])) {
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+
+ /* this is for debugging purpose if you do not want to use Ajax
+ * to submit a HTML form. It basically diables the observation
+ * of the submit event and hence does not trigger Ajax.
+ */
+ } else if ($_GET['disable_ajax']) {
+ $_SESSION['NO_AJAX'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+
+ /* Same to re-enable Ajax.
+ */
+ } else if ($_GET['enable_ajax']) {
+ unset($_SESSION['NO_AJAX']);
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+
+ /* user wants to explicitely create a lock.
+ * Requires a particular privilege.
+ */
+ } else if ($_GET['createlock'] && hasLockAbility($_SESSION['Username'])) {
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" .
+ getRealName($_SESSION['Username']) . ")");
+ fclose($fd);
+ /* if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+
+ /* proceed with the login process */
+ } else {
+ /* if the user is allowed to create a lock,
+ * create it once per session.
+ */
+ if (hasLockAbility($_SESSION['Username']) &&
+ ! isset($_SESSION['Lock_Created'])) {
+
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" .
+ getRealName($_SESSION['Username']) . ")");
+ fclose($fd);
+ /* if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+
+ /* give regular users a chance to automatically invalidate
+ * a lock if its older than a particular time.
+ */
+ } else if (! hasLockAbility($_SESSION['Username']) &&
+ file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
+
+ $offset = 12; //hours
+ $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
+ $now_minus_offset = mktime(date("H") - $offset, 0, 0, date("m"), date("d"), date("Y"));
+
+ if (($mtime - $now_minus_offset) < $mtime) {
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ } else {
+ /* file is older than mtime + offset which may
+ * indicate a stale lockfile, hence we are going
+ * to remove it.
+ */
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ }
+ }
+
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+ }
+}
+
+function pam_backed($username = "", $password = "") {
+ /* do not allow blank passwords */
+ if ($username == "" || password == "") { return false; }
+
+ if(! extension_loaded( 'pam_auth' )) {
+ if(! @dl( 'pam_auth.so' )) {
+ return false;
+ } else {
+ /* no php file no auth, sorry */
+ if (! file_exists("/etc/pam.d/php")) {
+ if (! file_exists("/etc/pam.d")) { mkdir("/etc/pam.d"); }
+
+ $pam_php = <<<EOD
+# /etc/pam.d/php
+#
+# note: both an auth and account entry are required
+
+# auth
+auth required pam_nologin.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_unix.so
+
+# session
+session required pam_permit.so
+
+# password
+password required pam_unix.so no_warn try_first_pass
+
+EOD;
+
+ file_put_contents("/etc/pam.d/php", $pam_php);
+ } // end if
+
+ if (pam_auth($username, $password, &$error)) {
+ return true;
+ } else {
+ return false;
+ }
+ }
+ }
+}
+
+function passwd_backed($username, $passwd) {
+ $authfile = file("/etc/master.passwd");
+
+ $matches="";
+
+ /* Check to see if user even exists */
+ if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
+ return false;
+
+ /* Get crypted password */
+ preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
+ $pass = $matches[1];
+ $salt = $matches[2];
+
+ /* Encrypt entered password with salt
+ * And finally validate password
+ */
+ if ($pass == crypt($passwd, $salt))
+ return true;
+ else
+ return false;
+}
+
+function ldap_test_connection() {
+ global $config, $g;
+
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+
+ if (!($ldap = ldap_connect($ldapserver))) {
+ return false;
+ }
+
+ return true;
+}
+
+function ldap_test_bind() {
+ global $config, $g;
+
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+
+ if (!($ldap = ldap_connect($ldapserver))) {
+ return false;
+ }
+
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+ if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ return false;
+ }
+
+ return true;
+}
+
+function ldap_get_user_ous($show_complete_ou=false) {
+ global $config, $g;
+
+ if(!function_exists("ldap_connect"))
+ return;
+
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
+
+ $ldapfilter = "(ou=*)";
+
+ if (!($ldap = ldap_connect($ldapserver))) {
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+ if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+
+ $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter);
+
+ $info = ldap_get_entries($ldap, $search);
+
+ $ous = array();
+
+ if(is_array($info)) {
+ foreach($info as $inf) {
+ if(!$show_complete_ou) {
+ $inf_split = split(",", $inf['dn']);
+ $ou = $inf_split[0];
+ $ou = str_replace("OU=","", $ou);
+ } else {
+ if($inf['dn'])
+ $ou = $inf['dn'];
+ }
+ if($ou)
+ $ous[] = $ou;
+ }
+ }
+
+ $ous[] = "OU=Users," . $ldapsearchbase;
+
+ return $ous;
+
+}
+
+function ldap_get_groups($username) {
+ global $config;
+
+ if(!function_exists("ldap_connect"))
+ return;
+
+ if(!$username)
+ return false;
+
+ if(stristr($username, "@")) {
+ $username_split=split("\@", $username);
+ $username = $username_split[0];
+ }
+
+ log_error("Getting LDAP groups for {$username}.");
+
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapfilter = $config['system']['webgui']['ldapfilter'];
+ $ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
+ $ldapfilter = str_replace("\$username", $username, $ldapfilter);
+ $ldapauthcontainers = $config['system']['webgui']['ldapauthcontainers'];
+ $ldapgroupattribute = $config['system']['webgui']['ldapgroupattribute'];
+
+ /*Convert attribute to lowercase. php ldap arrays put everything in lowercase */
+ $ldapgroupattribute = strtolower($ldapgroupattribute);
+
+ if (!($ldap = ldap_connect($ldapserver))) {
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+ if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+
+ /* user specified login containers */
+ $ldac_split = split(";", $ldapauthcontainers);
+ $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter);
+
+ if(!$search) {
+ log_error("ERROR! Could not locate User group container for username {$username}.");
+ log_error(" Please ensure that the needed container is defined in the ldap auth containers setting feature.");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+
+ $info = ldap_get_entries($ldap, $search);
+
+ /* find home container */
+ foreach($info as $inf) {
+ $inf_split = split(",", $inf['dn']);
+ $ou = $inf_split[1];
+ }
+
+ if(!$ou) {
+ log_error("Could not resolve users home container for {$username}");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+
+
+ log_error("LDAPGroupAttribute ===== {$ldapgroupattribute}");
+ $search = ldap_search($ldap, $ldapauthcontainers, $ldapfilter, array($ldapgroupattribute));
+
+ $info = ldap_get_entries($ldap, $search);
+ $countem = $info["count"];
+ $memberof = array();
+
+ log_error("USER HAS {$countem} LDAP Groups it is {$info[0][$ldapgroupattribute][0]}");
+
+ if(is_array($info[0][$ldapgroupattribute])) {
+
+ foreach($info[0][$ldapgroupattribute] as $member) {
+ //$member = strtoupper($member);
+ log_error("MEMBER===={$member}");
+ if(stristr($member, "CN=") !== false) {
+ $membersplit = split(",", $member);
+ $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
+ }
+ }
+ }
+
+ /* Time to close LDAP connection */
+ ldap_close($ldap);
+
+ $groups = print_r($memberof,true);
+
+ log_error("Returning groups " . $groups . " for user $username");
+
+ return $memberof;
+}
+
+function ldap_backed($username, $passwd) {
+ global $config;
+
+ if(!$username)
+ return;
+
+ if(!function_exists("ldap_connect"))
+ return;
+
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapauthcont = $config['system']['webgui']['ldapauthcontainers'];
+ $ldapnameattribute = $config['system']['webgui']['ldapnameattribute'];
+ /* NEED TO FIGURE OUT LDAP TYPE */
+ $ldaptype = $config['system']['webgui']['backend'];
+ /********************************/
+
+ if(!$ldapserver) {
+ log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+
+ if (!($ldap = ldap_connect($ldapserver))) {
+ log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+ /* TAKE AD INTO ACCOUNT */
+ if ($ldaptype == 'ldap'){
+ $binduser = $username;
+ }
+ if ($ldaptype == 'ldapother'){
+ $binduser = $ldapnameattribute.'='.$username.','.$ldapauthcont;
+ }
+ log_error("BINDUSER ==== {$binduser}");
+ /************************/
+
+ if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
+ }
+
+ log_error("$username logged in via LDAP.");
+ log_error("$binduser ldap name logged in via LDAP.");
+ /* At this point we are binded to LDAP so the user was auth'd okay. */
+ return true;
+}
+
+function htpasswd_backed($username, $passwd) {
+ $authfile = file("/var/run/htpasswd");
+
+ /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
+ unlink_if_exists("/usr/local/www/.htpasswd");
+
+ $matches="";
+ if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
+ return false;
+
+ /* Get crypted password */
+ preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
+ $pass = $matches[1];
+ $salt = $matches[2];
+
+ /* Encrypt entered password with salt
+ * And finally validate password
+ */
+ if ($pass == crypt($passwd, $salt))
+ return true;
+ else
+ return false;
+}
+
+function radius_backed($username, $passwd){
+ global $config, $debug;
+ $ret = false;
+ $radiusservers = $config['system']['radius']['servers'];
+
+ $rauth = new Auth_RADIUS_PAP($username, $passwd);
+ foreach ($radiusservers as $radsrv) {
+ // Add a new server to our instance
+ $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret']);
+ }
+
+ if (!$rauth->start()) {
+ $retvalue['auth_val'] = 1;
+ $retvalue['error'] = $rauth->getError();
+ if ($debug)
+ printf("Radius start: %s<br>\n", $retvalue['error']);
+ }
+
+ // XXX - billm - somewhere in here we need to handle securid challenge/response
+
+ // Send request
+ $result = $rauth->send();
+ if (PEAR::isError($result)) {
+ $retvalue['auth_val'] = 1;
+ $retvalue['error'] = $result->getMessage();
+ if ($debug)
+ printf("Radius send failed: %s<br>\n", $retvalue['error']);
+ } else if ($result === true) {
+ $retvalue['auth_val'] = 2;
+ if ($debug)
+ printf (gettext("Radius Auth succeeded") . "<br>\n");
+ $ret = true;
+ } else {
+ $retvalue['auth_val'] = 3;
+ if ($debug)
+ printf (gettext("Radius Auth rejected") . "<br>\n");
+ }
+ // close OO RADIUS_AUTHENTICATION
+ $rauth->close();
+
+ return $ret;
+}
+
+
+function index_groups() {
+ global $g, $config, $groupindex;
+
+ $groupindex = array();
+
+ if (isset($config['system']['group'])) {
+ $i = 0;
+ foreach($config['system']['group'] as $groupent) {
+ $groupindex[$groupent['name']] = $i;
+ $i++;
+ }
+ }
+ return ($groupindex);
+}
+
+function index_users() {
+ global $g, $config;
+
+ if (isset($config['system']['user'])) {
+ $i = 0;
+ foreach($config['system']['user'] as $userent) {
+ $userindex[$userent['name']] = $i;
+ $i++;
+ }
+ }
+ return ($userindex);
+}
+
+?>
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 7dc1779..692e070 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -1,309 +1,325 @@
-<?php
-/* $Id$ */
-/*
- Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
- All rights reserved.
-
- Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
- All rights reserved.
-
- Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
- All rights reserved.
-
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-include_once("auth.inc");
-require_once("functions.inc");
-
-/* We only support htpasswd backed HTTP Basic auth and session
- * based backing methods at the moment.
- * session_auth - this will use session based authentication and timeout
- * htpasswd_backed - this uses the "standard" .htpasswd file
- * passwd_backed - this will use the system passwd file in /etc
- * radius_backed - this will allow you to use a radius server
- * pam_backed - this uses the system's PAM facility .htpasswd file
- */
-$auth_method="session_auth";
-
-/* enable correct auth backend, default to htpasswd_backed */
-if($config['system']['webgui']['backend'] == "ldap")
- $backing_method="ldap_backed";
-else
- $backing_method="htpasswd_backed";
-
-/* Authenticate user - exit if failed */
-if (!$auth_method($backing_method)) { exit; }
-
-/* scriptname is set in headjs.php if the user did try to access a page other
- * than index.php without beeing logged in.
- */
-if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
- pfSenseHeader("{$_POST['scriptname']}");
- exit;
-}
-
-// Once here, the user has authenticated with the web server.
-// Now, we give them access only to the appropriate pages for their group.
-if (!(isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))) {
- $_SESSION['privs'] = getAllowedGroups($HTTP_SERVER_VARS['AUTH_USER']);
- $allowed = $_SESSION['privs'];
-
- $allowed_groups = print_r($_SESSION['privs'],true);
- $fdny = fopen("/tmp/groups", "w");
- fwrite($fdny, $allowed_groups);
- fclose($fdny);
-
- $group = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname'];
- /* get the group homepage, to be able to forward
- * the user to this particular PHP page.
- */
- getGroupHomePage($group) == "" ? $home = "/index.php" : $home = "/" . getGroupHomePage($group);
-
- /* okay but if the user realy tries to explicitely access a particular
- * page, set $home to that page instead.
- */
- if (isset($_POST['scriptname']) && $_POST['scriptname'] <> "/" && $_POST['scriptname'] <> "/index.php") {
- $home = str_replace('/', '', basename($_POST['scriptname']));
- $pagereq = $home;
- }
-
- // If the user is attempting to hit the default page, set it to specifically look for /index.php.
- // Without this, any user would have access to the index page.
- if ($_SERVER['SCRIPT_NAME'] == '/')
- $_SERVER['SCRIPT_NAME'] = $home;
- if ($pagereq == "")
- $pagereq = str_replace('/', '', basename($_SERVER['SCRIPT_NAME']));
-
- // Strip the leading / from the currently requested PHP page
- if (!in_array($pagereq,$allowed) && !in_array("ANY", $allowed)) {
- // The currently logged in user is not allowed to access the page
- // they are attempting to go to. Redirect them to an allowed page.
-
- if(stristr($_SERVER['SCRIPT_NAME'],"sajax")) {
- echo "||Access to AJAX has been disallowed for this user.";
- exit;
- }
-
- if ($pagereq <> "" && (in_array($pagereq, $allowed) || in_array("ANY", $allowed))) {
- pfSenseHeader("{$home}");
- exit;
- } else {
- header("HTTP/1.0 401 Unauthorized");
- header("Status: 401 Unauthorized");
-
- echo display_error_form("401", "Unauthorized. You do not have access to the page {$pagereq}");
- exit;
- }
- }
-
- if (isset($_SESSION['Logged_In'])) {
- /*
- * only forward if the user has just logged in
- * TODO: session auth based - may be an issue.
- */
- if ($_SERVER['SCRIPT_NAME'] <> $home && empty($_SESSION['First_Visit'])) {
- $_SESSION['First_Visit'] = "False";
- pfSenseHeader("{$home}");
- exit;
- }
- }
-}
-
-function display_error_form($http_code, $desc) {
- global $config, $g;
- $g['theme'] = $config['theme'];
- if(isAjax()) {
- echo "Error: {$http_code} Description: {$desc}";
- return;
- }
- $htmlstr = <<<EOD
-<html>
- <head>
- <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
- <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
- <title>An error occurred: {$http_code}</title>
- <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
- <link rel="shortcut icon" href="/themes/{$g['theme']}/images/icons/favicon.ico" />
- <link rel="stylesheet" type="text/css" href="/themes/{$g['theme']}/all.css" media="all" />
- <style type="text/css">
- #errordesc {
- background: #cccccc;
- border: 0px solid #666666;
- margin: 5em auto;
- padding: 0em;
- width: 340px;
- }
- #errordesc h1 {
- background: url(/themes/{$g['theme']}/images/misc/logon.png) no-repeat top left;
- margin-top: 0;
- display: block;
- text-indent: -1000px;
- height: 50px;
- border-bottom: none;
- }
-
- #login p {
- font-size: 1em;
- font-weight: bold;
- padding: 3px;
- margin: 0em;
- text-indent: 10px;
- }
-
- #login span {
- font-size: 1em;
- font-weight: bold;
- width: 20%;
- padding: 3px;
- margin: 0em;
- text-indent: 10px;
- }
-
- #login p#text {
- font-size: 1em;
- font-weight: normal;
- padding: 3px;
- margin: 0em;
- text-indent: 10px;
- }
- </style>
-
- <script type="text/javascript">
- <!--
- function page_load() {
- NiftyCheck();
- Rounded("div#errordesc","bl br","#333","#cccccc","smooth");
- Effect.Pulsate('errortext', { duration: 10 });
- }
- <?php
- require("headjs.php");
- echo getHeadJS();
- ?>
- //-->
- </script>
- <script type="text/javascript" src="/themes/{$g['theme']}/javascript/niftyjsCode.js"></script>
- </head>
- <body onload="page_load();">
- <div id="errordesc">
- <h1>&nbsp</h1>
- <a href="/">
- <p id="errortext" style="vertical-align: middle; text-align: center;"><span style="color: #000000; font-weight: bold;">{$desc}</span></p>
- </div>
- </body>
-</html>
-
-EOD;
-
- return $htmlstr;
-}
-
-function display_login_form() {
- require_once("globals.inc");
- global $config, $g;
- $g['theme'] = $config['theme'];
-
- unset($input_errors);
-
- if(isAjax()) {
- if (isset($_POST['login'])) {
- if($_SESSION['Logged_In'] <> "True") {
- isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = "unknown reason";
- echo "showajaxmessage('Invalid login ({$login_error}).');";
- }
- if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
- // TODO: add the IP from the user who did lock the device
- $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
- echo "showajaxmessage('This device is currently beeing maintained by: {$whom}.');";
- }
- }
- exit;
- }
-
-?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html>
- <head>
- <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
- <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
- <title><?=gettext("Login"); ?></title>
- <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
- <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" />
- <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?>
- <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" />
- <?php else: ?>
- <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" />
- <?php endif; ?>
- <script type="text/javascript">
- <!--
- function page_load() {
- NiftyCheck();
- Rounded("div#login","bl br","#333","#cccccc","smooth");
- document.login_iform.usernamefld.focus();
- }
- function clearError() {
- if($('inputerrors'))
- $('inputerrors').innerHTML='';
- }
- <?php
- require("headjs.php");
- echo getHeadJS();
- ?>
- //-->
- </script>
- <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script>
- </head>
- <body onload="page_load()">
- <div id="login">
- <h1>&nbsp;</h1>
- <form id="iform" name="login_iform" method="post" autocomplete="off" action="<?= $_SERVER['SCRIPT_NAME'] ?>">
- <div id="inputerrors"></div>
- <p>
- <span style="text-align: left;width=40%">
- <?=gettext("Username"); ?>:&nbsp;&nbsp;
- <input onclick="clearError();" onchange="clearError();" id="usernamefld" type="text" name="usernamefld" class="formfld user" tabindex="1" />
- </span>
- </p>
- <p>
- <span style="text-align: left;width=40%;">
- <?=gettext("Password"); ?>:&nbsp;&nbsp;
- </span>
- <input onclick="clearError();" onchange="clearError();" id="passwordfld" type="password" name="passwordfld" class="formfld pwd" tabindex="2" />
- </p>
- <table width="90%" style="margin-right: auto; margin-left: auto;">
- <tr>
- <td valign="middle" align="right" style="font-style: italic;"><br /><?=gettext("Enter username and password to login."); ?></td>
- <td valign="middle" align="left"><input type="submit" id="submit" name="login" class="formbtn" value="<?=gettext("Login"); ?>" tabindex="3" /></td>
- </tr>
- </table>
- </form>
- </div>
- </body>
-</html>
-<?php
-} // end function
-
-?> \ No newline at end of file
+<?php
+/* $Id$ */
+/*
+ Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
+ All rights reserved.
+
+ Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
+ All rights reserved.
+
+ Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
+ All rights reserved.
+
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+include_once("auth.inc");
+require_once("functions.inc");
+
+/* We only support htpasswd backed HTTP Basic auth and session
+ * based backing methods at the moment.
+ * session_auth - this will use session based authentication and timeout
+ * htpasswd_backed - this uses the "standard" .htpasswd file
+ * passwd_backed - this will use the system passwd file in /etc
+ * radius_backed - this will allow you to use a radius server
+ * pam_backed - this uses the system's PAM facility .htpasswd file
+ */
+$auth_method="session_auth";
+
+/* enable correct auth backend, default to htpasswd_backed */
+$ldapcase = $config['system']['webgui']['backend'];
+switch($ldapcase)
+{
+case ldap:
+ $backing_method="ldap_backed";
+ break;
+case ldapother:
+ $backing_method="ldap_backed";
+ break;
+default:
+ $backing_method="htpasswd_backed";
+}
+
+
+//if($config['system']['webgui']['backend'] == "ldap"){
+// $backing_method="ldap_backed";
+//} elseif($config['system']['webgui']['backend'] == "ldapother")
+// $backing_method="ldap_backed";
+//else
+// $backing_method="htpasswd_backed";
+
+/* Authenticate user - exit if failed */
+if (!$auth_method($backing_method)) { exit; }
+
+/* scriptname is set in headjs.php if the user did try to access a page other
+ * than index.php without beeing logged in.
+ */
+if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
+ pfSenseHeader("{$_POST['scriptname']}");
+ exit;
+}
+
+// Once here, the user has authenticated with the web server.
+// Now, we give them access only to the appropriate pages for their group.
+if (!(isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))) {
+ $_SESSION['privs'] = getAllowedGroups($HTTP_SERVER_VARS['AUTH_USER']);
+ $allowed = $_SESSION['privs'];
+
+ $allowed_groups = print_r($_SESSION['privs'],true);
+ $fdny = fopen("/tmp/groups", "w");
+ fwrite($fdny, $allowed_groups);
+ fclose($fdny);
+
+ $group = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname'];
+ /* get the group homepage, to be able to forward
+ * the user to this particular PHP page.
+ */
+ getGroupHomePage($group) == "" ? $home = "/index.php" : $home = "/" . getGroupHomePage($group);
+
+ /* okay but if the user realy tries to explicitely access a particular
+ * page, set $home to that page instead.
+ */
+ if (isset($_POST['scriptname']) && $_POST['scriptname'] <> "/" && $_POST['scriptname'] <> "/index.php") {
+ $home = str_replace('/', '', basename($_POST['scriptname']));
+ $pagereq = $home;
+ }
+
+ // If the user is attempting to hit the default page, set it to specifically look for /index.php.
+ // Without this, any user would have access to the index page.
+ if ($_SERVER['SCRIPT_NAME'] == '/')
+ $_SERVER['SCRIPT_NAME'] = $home;
+ if ($pagereq == "")
+ $pagereq = str_replace('/', '', basename($_SERVER['SCRIPT_NAME']));
+
+ // Strip the leading / from the currently requested PHP page
+ if (!in_array($pagereq,$allowed) && !in_array("ANY", $allowed)) {
+ // The currently logged in user is not allowed to access the page
+ // they are attempting to go to. Redirect them to an allowed page.
+
+ if(stristr($_SERVER['SCRIPT_NAME'],"sajax")) {
+ echo "||Access to AJAX has been disallowed for this user.";
+ exit;
+ }
+
+ if ($pagereq <> "" && (in_array($pagereq, $allowed) || in_array("ANY", $allowed))) {
+ pfSenseHeader("{$home}");
+ exit;
+ } else {
+ header("HTTP/1.0 401 Unauthorized");
+ header("Status: 401 Unauthorized");
+
+ echo display_error_form("401", "Unauthorized. You do not have access to the page {$pagereq}");
+ exit;
+ }
+ }
+
+ if (isset($_SESSION['Logged_In'])) {
+ /*
+ * only forward if the user has just logged in
+ * TODO: session auth based - may be an issue.
+ */
+ if ($_SERVER['SCRIPT_NAME'] <> $home && empty($_SESSION['First_Visit'])) {
+ $_SESSION['First_Visit'] = "False";
+ pfSenseHeader("{$home}");
+ exit;
+ }
+ }
+}
+
+function display_error_form($http_code, $desc) {
+ global $config, $g;
+ $g['theme'] = $config['theme'];
+ if(isAjax()) {
+ echo "Error: {$http_code} Description: {$desc}";
+ return;
+ }
+ $htmlstr = <<<EOD
+<html>
+ <head>
+ <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
+ <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
+ <title>An error occurred: {$http_code}</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+ <link rel="shortcut icon" href="/themes/{$g['theme']}/images/icons/favicon.ico" />
+ <link rel="stylesheet" type="text/css" href="/themes/{$g['theme']}/all.css" media="all" />
+ <style type="text/css">
+ #errordesc {
+ background: #cccccc;
+ border: 0px solid #666666;
+ margin: 5em auto;
+ padding: 0em;
+ width: 340px;
+ }
+ #errordesc h1 {
+ background: url(/themes/{$g['theme']}/images/misc/logon.png) no-repeat top left;
+ margin-top: 0;
+ display: block;
+ text-indent: -1000px;
+ height: 50px;
+ border-bottom: none;
+ }
+
+ #login p {
+ font-size: 1em;
+ font-weight: bold;
+ padding: 3px;
+ margin: 0em;
+ text-indent: 10px;
+ }
+
+ #login span {
+ font-size: 1em;
+ font-weight: bold;
+ width: 20%;
+ padding: 3px;
+ margin: 0em;
+ text-indent: 10px;
+ }
+
+ #login p#text {
+ font-size: 1em;
+ font-weight: normal;
+ padding: 3px;
+ margin: 0em;
+ text-indent: 10px;
+ }
+ </style>
+
+ <script type="text/javascript">
+ <!--
+ function page_load() {
+ NiftyCheck();
+ Rounded("div#errordesc","bl br","#333","#cccccc","smooth");
+ Effect.Pulsate('errortext', { duration: 10 });
+ }
+ <?php
+ require("headjs.php");
+ echo getHeadJS();
+ ?>
+ //-->
+ </script>
+ <script type="text/javascript" src="/themes/{$g['theme']}/javascript/niftyjsCode.js"></script>
+ </head>
+ <body onload="page_load();">
+ <div id="errordesc">
+ <h1>&nbsp</h1>
+ <a href="/">
+ <p id="errortext" style="vertical-align: middle; text-align: center;"><span style="color: #000000; font-weight: bold;">{$desc}</span></p>
+ </div>
+ </body>
+</html>
+
+EOD;
+
+ return $htmlstr;
+}
+
+function display_login_form() {
+ require_once("globals.inc");
+ global $config, $g;
+ $g['theme'] = $config['theme'];
+
+ unset($input_errors);
+
+ if(isAjax()) {
+ if (isset($_POST['login'])) {
+ if($_SESSION['Logged_In'] <> "True") {
+ isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = "unknown reason";
+ echo "showajaxmessage('Invalid login ({$login_error}).');";
+ }
+ if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
+ // TODO: add the IP from the user who did lock the device
+ $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
+ echo "showajaxmessage('This device is currently beeing maintained by: {$whom}.');";
+ }
+ }
+ exit;
+ }
+
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+ <head>
+ <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
+ <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
+ <title><?=gettext("Login"); ?></title>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+ <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" />
+ <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?>
+ <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" />
+ <?php else: ?>
+ <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" />
+ <?php endif; ?>
+ <script type="text/javascript">
+ <!--
+ function page_load() {
+ NiftyCheck();
+ Rounded("div#login","bl br","#333","#cccccc","smooth");
+ document.login_iform.usernamefld.focus();
+ }
+ function clearError() {
+ if($('inputerrors'))
+ $('inputerrors').innerHTML='';
+ }
+ <?php
+ require("headjs.php");
+ echo getHeadJS();
+ ?>
+ //-->
+ </script>
+ <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script>
+ </head>
+ <body onload="page_load()">
+ <div id="login">
+ <h1>&nbsp;</h1>
+ <form id="iform" name="login_iform" method="post" autocomplete="off" action="<?= $_SERVER['SCRIPT_NAME'] ?>">
+ <div id="inputerrors"></div>
+ <p>
+ <span style="text-align: left;width=40%">
+ <?=gettext("Username"); ?>:&nbsp;&nbsp;
+ <input onclick="clearError();" onchange="clearError();" id="usernamefld" type="text" name="usernamefld" class="formfld user" tabindex="1" />
+ </span>
+ </p>
+ <p>
+ <span style="text-align: left;width=40%;">
+ <?=gettext("Password"); ?>:&nbsp;&nbsp;
+ </span>
+ <input onclick="clearError();" onchange="clearError();" id="passwordfld" type="password" name="passwordfld" class="formfld pwd" tabindex="2" />
+ </p>
+ <table width="90%" style="margin-right: auto; margin-left: auto;">
+ <tr>
+ <td valign="middle" align="right" style="font-style: italic;"><br /><?=gettext("Enter username and password to login."); ?></td>
+ <td valign="middle" align="left"><input type="submit" id="submit" name="login" class="formbtn" value="<?=gettext("Login"); ?>" tabindex="3" /></td>
+ </tr>
+ </table>
+ </form>
+ </div>
+ </body>
+</html>
+<?php
+} // end function
+
+?>