authorErmal <eri@pfsense.org>2013-12-19 08:53:32 +0000
committerErmal <eri@pfsense.org>2013-12-19 08:53:32 +0000
commit5e28dad4a34bc3b8da8134b23c85a8f922ebb401 (patch)
treea307678a095f3044ee0b7149e5bea3df9ea18515 /etc
parent00e8315b3d5db09870ca93f380f7ba577e90be88 (diff)
downloadpfsense-5e28dad4a34bc3b8da8134b23c85a8f922ebb401.zip
pfsense-5e28dad4a34bc3b8da8134b23c85a8f922ebb401.tar.gz
Migrate openvpn authentication to use fcgicli rather than forking a php process. Maybe we should consider writing a short library to do this.
Diffstat (limited to 'etc')
-rwxr-xr-xetc/inc/openvpn.auth-user.php51
-rw-r--r--etc/inc/openvpn.inc17
2 files changed, 45 insertions, 23 deletions
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index 2ddadca..e76351c 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -83,14 +83,27 @@ function getNasIP()
/* setup syslog logging */
openlog("openvpn", LOG_ODELAY, LOG_AUTH);
-/* read data from environment */
-$username = getenv("username");
-$password = getenv("password");
-$common_name = getenv("common_name");
+if (isset($_GET)) {
+ $authmodes = explode(",", $_GET['authcfg']);
+ $username = $_GET['username'];
+ $password = urldecode($_GET['password']);
+ $common_name = $_GET['cn'];
+ $modeid = $_GET['modeid'];
+ $strictusercn = $_GET['strictcn'] == "false" ? false : true;
+} else {
+ /* read data from environment */
+ $username = getenv("username");
+ $password = getenv("password");
+ $common_name = getenv("common_name");
+}
if (!$username || !$password) {
syslog(LOG_ERR, "invalid user authentication environment");
- exit(-1);
+ if (isset($_GET)) {
+ echo "FAILED";
+ return;
+ } else
+ exit(-1);
}
/* Replaced by a sed with propper variables used below(ldap parameters). */
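Review bot: `isset($_GET)` at the top of the new block does not distinguish the FastCGI invocation from the OpenVPN `via-env` one: `$_GET` is a superglobal that PHP normally initialises (to an empty array under the CLI SAPI), so the `else` branch that reads `getenv()` appears unreachable and a CLI run ends with an empty `$username` and "FAILED". Replacing the test with `!empty($_GET)`, or better `isset($_GET['username'])`, here and in the four later `isset($_GET)` checks restores the env path. Separately, `urldecode($_GET['password'])` decodes a value PHP has already decoded while building `$_GET`; unless the wrapper (`ovpn_auth_verify`, not shown) deliberately encodes the password twice, a password containing `%` or `+` is altered before it reaches the backend. Confirm against the wrapper and drop the extra `urldecode()` if it is not needed.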
@@ -105,7 +118,20 @@ $authenticated = false;
if (($strictusercn === true) && ($common_name != $username)) {
syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
- exit(1);
+ if (isset($_GET)) {
+ echo "FAILED";
+ return;
+ } else
+ exit(1);
+}
+
+if (!is_array($authmodes)) {
+ syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
+ if (isset($_GET)) {
+ echo "FAILED";
+ return;
+ } else
+ exit(1);
}
$attributes = array();
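Review bot: The `is_array($authmodes)` guard added here never fires on the FastCGI path, because `explode(",", $_GET['authcfg'])` always returns an array — a missing or empty `authcfg` yields `array("")` and the loop below proceeds to authenticate against a server with an empty name. Check the content rather than the type, e.g. `$authmodes = array_filter(array_map('trim', $authmodes));` before this test, followed by `if (empty($authmodes))`. On the env path `$authmodes` is never assigned in this hunk (and the sed template that used to inject it is removed in openvpn.inc), so that side is now denied unconditionally; if the env path is meant to remain usable it needs its own source for the auth-server list. The foreach that consumes `$authmodes` lies outside the hunk.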
@@ -121,7 +147,11 @@ foreach ($authmodes as $authmode) {
if ($authenticated == false) {
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
- exit(-1);
+ if (isset($_GET)) {
+ echo "FAILED";
+ return;
+ } else
+ exit(-1);
}
if (file_exists("/etc/inc/openvpn.attributes.php"))
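Review bot: This is the fourth copy of the five-line `if (isset($_GET)) { echo "FAILED"; return; } else exit(-1);` block in this file, and the copies differ only in the exit code. A small helper defined near the top of the script, e.g. `function openvpn_auth_fail($rc) { if (!empty($_GET)) { echo "FAILED"; exit(0); } exit($rc); }`, called as `openvpn_auth_fail(-1);` here, keeps the fail-closed behaviour in one place and stops the copies drifting apart. A top-level `return` and `exit` both end the script, so the helper can use `exit` in both branches; only the output matters to the FastCGI caller, the exit status matters to OpenVPN.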
@@ -136,7 +166,7 @@ if (is_array($attributes['dns-servers'])) {
}
if (is_array($attributes['routes'])) {
foreach ($attributes['routes'] as $route)
- $content .= "push \"route {$route} vpn_gateway\"\n";
+ $content .= "push \"route {$route} vpn_gateway\"\n";
}
if (isset($attributes['framed_ip'])) {
@@ -156,6 +186,9 @@ if (!empty($content))
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-exit(0);
+if (isset($_GET))
+ echo "OK";
+else
+ exit(0);
?>
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 3e04318..c1c4579 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -582,22 +582,11 @@ function openvpn_reconfigure($mode, $settings) {
if (stristr($conf, "server-bridge") === false)
$conf .= "username-as-common-name\n";
if (!empty($settings['authmode'])) {
- $authcfgs = explode(",", $settings['authmode']);
- $sed = "\$authmodes=array(";
- $firstsed = 0;
- foreach ($authcfgs as $authcfg) {
- if ($firstsed > 0)
- $sed .= ",";
- $firstsed = 1;
- $sed .= "\"{$authcfg}\"";
- }
- $sed .= ");\\\n";
+ $strictusercn = "false";
if ($settings['strictusercn'])
- $sed .= "\$strictusercn = true;";
- $sed .= " \$modeid = \"{$mode_id}\";";
+ $strictusercn = "true";
mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
- mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
- $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
+ $conf .= "auth-user-pass-verify /usr/local/sbin/ovpn_auth_verify '{$settings['authmode']}' {$strictusercn} {$mode_id} via-env\n";
}
break;
}
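Review bot: The retained `mwexec(... sed 's/\/\/<template>/{$sed}/g' > .../{$mode_id}.php)` line still interpolates `$sed`, whose construction this hunk removes, so every reconfigure now raises an undefined-variable notice and writes an unused `{$mode_id}.php` copy of the auth script (the `auth-user-pass-verify` directive no longer points at it); delete the line rather than leave the dead template step behind. The new `auth-user-pass-verify` line embeds `$settings['authmode']` in single quotes and `$mode_id` bare with no escaping; these values come from the operator via the GUI, so the exposure is a malformed config rather than an injection by an unprivileged user, but a server name containing `'`, whitespace or `#` would break the OpenVPN config line, so the name should be validated or such characters rejected where authmode is saved. The enclosing `openvpn_reconfigure()` begins before this hunk.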