diff options
author | Renato Botelho <renato@netgate.com> | 2015-08-25 08:08:24 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2015-08-25 14:49:54 -0300 |
commit | 46bc6e545a17e77202aaf01ec0cd8d5a46567525 (patch) | |
tree | 32d18dda436ec739c67c489ceb771e8629cd926f /src/etc/inc/auth.inc | |
parent | 4d9801c2dbd2b3e54a39578ee62b93af66607227 (diff) | |
download | pfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.zip pfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.tar.gz |
Move main pfSense content to src/
Diffstat (limited to 'src/etc/inc/auth.inc')
-rw-r--r-- | src/etc/inc/auth.inc | 1627 |
1 files changed, 1627 insertions, 0 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc new file mode 100644 index 0000000..3c0acaa --- /dev/null +++ b/src/etc/inc/auth.inc @@ -0,0 +1,1627 @@ +<?php +/* $Id$ */ +/* + Copyright (C) 2010 Ermal Luçi + All rights reserved. + + Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com> + All rights reserved. + + Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com> + All rights reserved. + + Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>. + All rights reserved. + + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + + pfSense_BUILDER_BINARIES: /usr/sbin/pw /bin/cp + pfSense_MODULE: auth +*/ + +/* + * NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php + * file courtesy of Michael Retterklieber. + */ +if (!$do_not_include_config_gui_inc) { + require_once("config.gui.inc"); +} + +// Will be changed to false if security checks fail +$security_passed = true; + +/* If this function doesn't exist, we're being called from Captive Portal or + another internal subsystem which does not include authgui.inc */ +if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) { + /* DNS ReBinding attack prevention. https://redmine.pfsense.org/issues/708 */ + $found_host = false; + + /* Either a IPv6 address with or without a alternate port */ + if (strstr($_SERVER['HTTP_HOST'], "]")) { + $http_host_port = explode("]", $_SERVER['HTTP_HOST']); + /* v6 address has more parts, drop the last part */ + if (count($http_host_port) > 1) { + array_pop($http_host_port); + $http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port)); + } else { + $http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port)); + } + } else { + $http_host = explode(":", $_SERVER['HTTP_HOST']); + $http_host = $http_host[0]; + } + if (is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or + strcasecmp($http_host, "localhost") == 0 or $_SERVER['SERVER_ADDR'] == "::1") { + $found_host = true; + } + if (strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or + strcasecmp($http_host, $config['system']['hostname']) == 0) { + $found_host = true; + } + + if (is_array($config['dyndnses']['dyndns']) && !$found_host) { + foreach ($config['dyndnses']['dyndns'] as $dyndns) { + if (strcasecmp($dyndns['host'], $http_host) == 0) { + $found_host = true; + break; + } + } + } + + if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) { + foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) { + if (strcasecmp($rfc2136['host'], $http_host) == 0) { + $found_host = true; + break; + } + } + } + + if (!empty($config['system']['webgui']['althostnames']) && !$found_host) { + $althosts = explode(" ", $config['system']['webgui']['althostnames']); + foreach ($althosts as $ah) { + if (strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) { + $found_host = true; + break; + } + } + } + + if ($found_host == false) { + if (!security_checks_disabled()) { + display_error_form("501", gettext("Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br />Try accessing the router by IP address instead of by hostname.")); + exit; + } + $security_passed = false; + } +} + +// If the HTTP_REFERER is something other than ourselves then disallow. +if (function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) { + if ($_SERVER['HTTP_REFERER']) { + if (file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) { + if ($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) { + unlink("{$g['tmp_path']}/setupwizard_lastreferrer"); + header("Refresh: 1; url=index.php"); + echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">"; + echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>"; + exit; + } + } + $found_host = false; + $referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST); + $referrer_host = str_replace(array("[", "]"), "", $referrer_host); + if ($referrer_host) { + if (strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 || + strcasecmp($referrer_host, $config['system']['hostname']) == 0) { + $found_host = true; + } + + if (!empty($config['system']['webgui']['althostnames']) && !$found_host) { + $althosts = explode(" ", $config['system']['webgui']['althostnames']); + foreach ($althosts as $ah) { + if (strcasecmp($referrer_host, $ah) == 0) { + $found_host = true; + break; + } + } + } + + if (is_array($config['dyndnses']['dyndns']) && !$found_host) { + foreach ($config['dyndnses']['dyndns'] as $dyndns) { + if (strcasecmp($dyndns['host'], $referrer_host) == 0) { + $found_host = true; + break; + } + } + } + + if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) { + foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) { + if (strcasecmp($rfc2136['host'], $referrer_host) == 0) { + $found_host = true; + break; + } + } + } + + if (!$found_host) { + $interface_list_ips = get_configured_ip_addresses(); + foreach ($interface_list_ips as $ilips) { + if (strcasecmp($referrer_host, $ilips) == 0) { + $found_host = true; + break; + } + } + $interface_list_ipv6s = get_configured_ipv6_addresses(); + foreach ($interface_list_ipv6s as $ilipv6s) { + if (strcasecmp($referrer_host, $ilipv6s) == 0) { + $found_host = true; + break; + } + } + if ($referrer_host == "127.0.0.1" || $referrer_host == "localhost") { + // allow SSH port forwarded connections and links from localhost + $found_host = true; + } + } + } + if ($found_host == false) { + if (!security_checks_disabled()) { + display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); + exit; + } + $security_passed = false; + } + } else { + $security_passed = false; + } +} + +if (function_exists("display_error_form") && $security_passed) { + /* Security checks passed, so it should be OK to turn them back on */ + restore_security_checks(); +} +unset($security_passed); + +$groupindex = index_groups(); +$userindex = index_users(); + +function index_groups() { + global $g, $debug, $config, $groupindex; + + $groupindex = array(); + + if (is_array($config['system']['group'])) { + $i = 0; + foreach ($config['system']['group'] as $groupent) { + $groupindex[$groupent['name']] = $i; + $i++; + } + } + + return ($groupindex); +} + +function index_users() { + global $g, $debug, $config; + + if (is_array($config['system']['user'])) { + $i = 0; + foreach ($config['system']['user'] as $userent) { + $userindex[$userent['name']] = $i; + $i++; + } + } + + return ($userindex); +} + +function & getUserEntry($name) { + global $debug, $config, $userindex; + if (isset($userindex[$name])) { + return $config['system']['user'][$userindex[$name]]; + } +} + +function & getUserEntryByUID($uid) { + global $debug, $config; + + if (is_array($config['system']['user'])) { + foreach ($config['system']['user'] as & $user) { + if ($user['uid'] == $uid) { + return $user; + } + } + } + + return false; +} + +function & getGroupEntry($name) { + global $debug, $config, $groupindex; + if (isset($groupindex[$name])) { + return $config['system']['group'][$groupindex[$name]]; + } +} + +function & getGroupEntryByGID($gid) { + global $debug, $config; + + if (is_array($config['system']['group'])) { + foreach ($config['system']['group'] as & $group) { + if ($group['gid'] == $gid) { + return $group; + } + } + } + + return false; +} + +function get_user_privileges(& $user) { + + $privs = $user['priv']; + if (!is_array($privs)) { + $privs = array(); + } + + $names = local_user_get_groups($user, true); + + foreach ($names as $name) { + $group = getGroupEntry($name); + if (is_array($group['priv'])) { + $privs = array_merge($privs, $group['priv']); + } + } + + return $privs; +} + +function userHasPrivilege($userent, $privid = false) { + + if (!$privid || !is_array($userent)) { + return false; + } + + $privs = get_user_privileges($userent); + + if (!is_array($privs)) { + return false; + } + + if (!in_array($privid, $privs)) { + return false; + } + + return true; +} + +function local_backed($username, $passwd) { + + $user = getUserEntry($username); + if (!$user) { + return false; + } + + if (is_account_disabled($username) || is_account_expired($username)) { + return false; + } + + if ($user['password']) { + if (crypt($passwd, $user['password']) == $user['password']) { + return true; + } + } + + if ($user['md5-hash']) { + if (md5($passwd) == $user['md5-hash']) { + return true; + } + } + + return false; +} + +function local_sync_accounts() { + global $debug, $config; + conf_mount_rw(); + + /* remove local users to avoid uid conflicts */ + $fd = popen("/usr/sbin/pw usershow -a", "r"); + if ($fd) { + while (!feof($fd)) { + $line = explode(":", fgets($fd)); + if (((!strncmp($line[0], "_", 1)) || ($line[2] < 2000) || ($line[2] > 65000)) && ($line[0] != "admin")) { + continue; + } + /* + * If a crontab was created to user, pw userdel will be interactive and + * can cause issues. Just remove crontab before run it when necessary + */ + unlink_if_exists("/var/cron/tabs/{$line[0]}"); + $cmd = "/usr/sbin/pw userdel -n '{$line[0]}'"; + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + } + pclose($fd); + } + + /* remove local groups to avoid gid conflicts */ + $gids = array(); + $fd = popen("/usr/sbin/pw groupshow -a", "r"); + if ($fd) { + while (!feof($fd)) { + $line = explode(":", fgets($fd)); + if (!strncmp($line[0], "_", 1)) { + continue; + } + if ($line[2] < 2000) { + continue; + } + if ($line[2] > 65000) { + continue; + } + $cmd = "/usr/sbin/pw groupdel {$line[2]}"; + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + } + pclose($fd); + } + + /* make sure the all group exists */ + $allgrp = getGroupEntryByGID(1998); + local_group_set($allgrp, true); + + /* sync all local users */ + if (is_array($config['system']['user'])) { + foreach ($config['system']['user'] as $user) { + local_user_set($user); + } + } + + /* sync all local groups */ + if (is_array($config['system']['group'])) { + foreach ($config['system']['group'] as $group) { + local_group_set($group); + } + } + + conf_mount_ro(); + +} + +function local_user_set(& $user) { + global $g, $debug; + + if (empty($user['password'])) { + log_error("There is something wrong in your config because user {$user['name']} password is missing!"); + return; + } + + conf_mount_rw(); + + $home_base = "/home/"; + $user_uid = $user['uid']; + $user_name = $user['name']; + $user_home = "{$home_base}{$user_name}"; + $user_shell = "/etc/rc.initial"; + $user_group = "nobody"; + + // Ensure $home_base exists and is writable + if (!is_dir($home_base)) { + mkdir($home_base, 0755); + } + + $lock_account = false; + /* configure shell type */ + /* Cases here should be ordered by most privileged to least privileged. */ + if (userHasPrivilege($user, "user-shell-access") || userHasPrivilege($user, "page-all")) { + $user_shell = "/bin/tcsh"; + } elseif (userHasPrivilege($user, "user-copy-files")) { + $user_shell = "/usr/local/bin/scponly"; + } elseif (userHasPrivilege($user, "user-ssh-tunnel")) { + $user_shell = "/usr/local/sbin/ssh_tunnel_shell"; + } elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) { + $user_shell = "/sbin/nologin"; + } else { + $user_shell = "/sbin/nologin"; + $lock_account = true; + } + + /* Lock out disabled or expired users, unless it's root/admin. */ + if ((is_account_disabled($user_name) || is_account_expired($user_name)) && ($user_uid != 0)) { + $user_shell = "/sbin/nologin"; + $lock_account = true; + } + + /* root user special handling */ + if ($user_uid == 0) { + $cmd = "/usr/sbin/pw usermod -q -n root -s /bin/sh -H 0"; + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + $fd = popen($cmd, "w"); + fwrite($fd, $user['password']); + pclose($fd); + $user_group = "wheel"; + $user_home = "/root"; + $user_shell = "/etc/rc.initial"; + } + + /* read from pw db */ + $fd = popen("/usr/sbin/pw usershow -n {$user_name} 2>&1", "r"); + $pwread = fgets($fd); + pclose($fd); + $userattrs = explode(":", trim($pwread)); + + /* determine add or mod */ + if (($userattrs[0] != $user['name']) || (!strncmp($pwread, "pw:", 3))) { + $user_op = "useradd -m -k /etc/skel -o"; + } else { + $user_op = "usermod"; + } + + $comment = str_replace(array(":", "!", "@"), " ", $user['descr']); + /* add or mod pw db */ + $cmd = "/usr/sbin/pw {$user_op} -q -u {$user_uid} -n {$user_name}". + " -g {$user_group} -s {$user_shell} -d {$user_home}". + " -c ".escapeshellarg($comment)." -H 0 2>&1"; + + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + $fd = popen($cmd, "w"); + fwrite($fd, $user['password']); + pclose($fd); + + /* create user directory if required */ + if (!is_dir($user_home)) { + mkdir($user_home, 0700); + } + @chown($user_home, $user_name); + @chgrp($user_home, $user_group); + + /* write out ssh authorized key file */ + if ($user['authorizedkeys']) { + if (!is_dir("{$user_home}/.ssh")) { + @mkdir("{$user_home}/.ssh", 0700); + @chown("{$user_home}/.ssh", $user_name); + } + $keys = base64_decode($user['authorizedkeys']); + @file_put_contents("{$user_home}/.ssh/authorized_keys", $keys); + @chown("{$user_home}/.ssh/authorized_keys", $user_name); + } else { + unlink_if_exists("{$user_home}/.ssh/authorized_keys"); + } + + $un = $lock_account ? "" : "un"; + exec("/usr/sbin/pw {$un}lock {$user_name} -q"); + + conf_mount_ro(); +} + +function local_user_del($user) { + global $debug; + + /* remove all memberships */ + local_user_set_groups($user); + + /* Don't remove /root */ + if ($user['uid'] != 0) { + $rmhome = "-r"; + } + + /* read from pw db */ + $fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r"); + $pwread = fgets($fd); + pclose($fd); + $userattrs = explode(":", trim($pwread)); + + if ($userattrs[0] != $user['name']) { + log_error("Tried to remove user {$user['name']} but got user {$userattrs[0]} instead. Bailing."); + return; + } + + /* delete from pw db */ + $cmd = "/usr/sbin/pw userdel -n {$user['name']} {$rmhome}"; + + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + + /* Delete user from groups needs a call to write_config() */ + local_group_del_user($user); +} + +function local_user_set_password(&$user, $password) { + + $user['password'] = crypt($password); + $user['md5-hash'] = md5($password); + + // Converts ascii to unicode. + $astr = (string) $password; + $ustr = ''; + for ($i = 0; $i < strlen($astr); $i++) { + $a = ord($astr{$i}) << 8; + $ustr .= sprintf("%X", $a); + } + +} + +function local_user_get_groups($user, $all = false) { + global $debug, $config; + + $groups = array(); + if (!is_array($config['system']['group'])) { + return $groups; + } + + foreach ($config['system']['group'] as $group) { + if ($all || (!$all && ($group['name'] != "all"))) { + if (is_array($group['member'])) { + if (in_array($user['uid'], $group['member'])) { + $groups[] = $group['name']; + } + } + } + } + + if ($all) { + $groups[] = "all"; + } + + sort($groups); + + return $groups; + +} + +function local_user_set_groups($user, $new_groups = NULL) { + global $debug, $config, $groupindex; + + if (!is_array($config['system']['group'])) { + return; + } + + $cur_groups = local_user_get_groups($user, true); + $mod_groups = array(); + + if (!is_array($new_groups)) { + $new_groups = array(); + } + + if (!is_array($cur_groups)) { + $cur_groups = array(); + } + + /* determine which memberships to add */ + foreach ($new_groups as $groupname) { + if ($groupname == '' || in_array($groupname, $cur_groups)) { + continue; + } + $group = & $config['system']['group'][$groupindex[$groupname]]; + $group['member'][] = $user['uid']; + $mod_groups[] = $group; + } + unset($group); + + /* determine which memberships to remove */ + foreach ($cur_groups as $groupname) { + if (in_array($groupname, $new_groups)) { + continue; + } + if (!isset($config['system']['group'][$groupindex[$groupname]])) { + continue; + } + $group = & $config['system']['group'][$groupindex[$groupname]]; + if (is_array($group['member'])) { + $index = array_search($user['uid'], $group['member']); + array_splice($group['member'], $index, 1); + $mod_groups[] = $group; + } + } + unset($group); + + /* sync all modified groups */ + foreach ($mod_groups as $group) { + local_group_set($group); + } +} + +function local_group_del_user($user) { + global $config; + + if (!is_array($config['system']['group'])) { + return; + } + + foreach ($config['system']['group'] as $group) { + if (is_array($group['member'])) { + foreach ($group['member'] as $idx => $uid) { + if ($user['uid'] == $uid) { + unset($config['system']['group']['member'][$idx]); + } + } + } + } +} + +function local_group_set($group, $reset = false) { + global $debug; + + $group_name = $group['name']; + $group_gid = $group['gid']; + $group_members = ''; + if (!$reset && !empty($group['member']) && count($group['member']) > 0) { + $group_members = implode(",", $group['member']); + } + + if (empty($group_name)) { + return; + } + + /* read from group db */ + $fd = popen("/usr/sbin/pw groupshow {$group_name} 2>&1", "r"); + $pwread = fgets($fd); + pclose($fd); + + /* determine add or mod */ + if (!strncmp($pwread, "pw:", 3)) { + $group_op = "groupadd"; + } else { + $group_op = "groupmod"; + } + + /* add or mod group db */ + $cmd = "/usr/sbin/pw {$group_op} {$group_name} -g {$group_gid} -M '{$group_members}' 2>&1"; + + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + +} + +function local_group_del($group) { + global $debug; + + /* delete from group db */ + $cmd = "/usr/sbin/pw groupdel {$group['name']}"; + + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); +} + +function ldap_test_connection($authcfg) { + global $debug, $config, $g; + + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "Standard")) { + $ldapproto = "ldap"; + } else { + $ldapproto = "ldaps"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + } else { + return false; + } + + /* first check if there is even an LDAP server populated */ + if (!$ldapserver) { + return false; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + + /* connect and see if server is up */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname)); + return false; + } + + return true; +} + +function ldap_setup_caenv($authcfg) { + global $g; + require_once("certs.inc"); + + unset($caref); + if (empty($authcfg['ldap_caref']) || !strstr($authcfg['ldap_urltype'], "SSL")) { + putenv('LDAPTLS_REQCERT=never'); + return; + } else { + $caref = lookup_ca($authcfg['ldap_caref']); + if (!$caref) { + log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref'])); + /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */ + putenv('LDAPTLS_REQCERT=hard'); + return; + } + if (!is_dir("{$g['varrun_path']}/certs")) { + @mkdir("{$g['varrun_path']}/certs"); + } + if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) { + @unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca"); + } + file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", base64_decode($caref['crt'])); + @chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600); + putenv('LDAPTLS_REQCERT=hard'); + /* XXX: Probably even the hashed link should be created for this? */ + putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs"); + putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca"); + } +} + +function ldap_test_bind($authcfg) { + global $debug, $config, $g; + + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "Standard")) { + $ldapproto = "ldap"; + } else { + $ldapproto = "ldaps"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + $ldapver = $authcfg['ldap_protver']; + if (empty($ldapbndun) || empty($ldapbindpw)) { + $ldapanon = true; + } else { + $ldapanon = false; + } + } else { + return false; + } + + /* first check if there is even an LDAP server populated */ + if (!$ldapserver) { + return false; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + + /* connect and see if server is up */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname)); + return false; + } + + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + + $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; + $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; + if ($ldapanon == true) { + if (!($res = @ldap_bind($ldap))) { + @ldap_close($ldap); + return false; + } + } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { + @ldap_close($ldap); + return false; + } + + @ldap_unbind($ldap); + + return true; +} + +function ldap_get_user_ous($show_complete_ou=true, $authcfg) { + global $debug, $config, $g; + + if (!function_exists("ldap_connect")) { + return; + } + + $ous = array(); + + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "Standard")) { + $ldapproto = "ldap"; + } else { + $ldapproto = "ldaps"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + $ldapver = $authcfg['ldap_protver']; + if (empty($ldapbindun) || empty($ldapbindpw)) { + $ldapanon = true; + } else { + $ldapanon = false; + } + $ldapname = $authcfg['name']; + $ldapfallback = false; + $ldapscope = $authcfg['ldap_scope']; + } else { + return false; + } + + /* first check if there is even an LDAP server populated */ + if (!$ldapserver) { + log_error(gettext("ERROR! ldap_get_user_ous() backed selected with no LDAP authentication server defined.")); + return $ous; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + + /* connect and see if server is up */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname)); + return $ous; + } + + $ldapfilter = "(|(ou=*)(cn=Users))"; + + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + + $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; + $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; + if ($ldapanon == true) { + if (!($res = @ldap_bind($ldap))) { + log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind anonymously to server %s."), $ldapname)); + @ldap_close($ldap); + return $ous; + } + } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { + log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind to server %s."), $ldapname)); + @ldap_close($ldap); + return $ous; + } + + if ($ldapscope == "one") { + $ldapfunc = "ldap_list"; + } else { + $ldapfunc = "ldap_search"; + } + + $search = @$ldapfunc($ldap, $ldapbasedn, $ldapfilter); + $info = @ldap_get_entries($ldap, $search); + + if (is_array($info)) { + foreach ($info as $inf) { + if (!$show_complete_ou) { + $inf_split = explode(",", $inf['dn']); + $ou = $inf_split[0]; + $ou = str_replace("OU=", "", $ou); + $ou = str_replace("CN=", "", $ou); + } else { + if ($inf['dn']) { + $ou = $inf['dn']; + } + } + if ($ou) { + $ous[] = $ou; + } + } + } + + @ldap_unbind($ldap); + + return $ous; +} + +function ldap_get_groups($username, $authcfg) { + global $debug, $config; + + if (!function_exists("ldap_connect")) { + return; + } + + if (!$username) { + return false; + } + + if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) { + $username_split = explode("@", $username); + $username = $username_split[0]; + } + + if (stristr($username, "\\")) { + $username_split = explode("\\", $username); + $username = $username_split[0]; + } + + //log_error("Getting LDAP groups for {$username}."); + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "Standard")) { + $ldapproto = "ldap"; + } else { + $ldapproto = "ldaps"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + $ldapauthcont = $authcfg['ldap_authcn']; + $ldapnameattribute = strtolower($authcfg['ldap_attr_user']); + $ldapgroupattribute = strtolower($authcfg['ldap_attr_member']); + $ldapfilter = "({$ldapnameattribute}={$username})"; + $ldaptype = ""; + $ldapver = $authcfg['ldap_protver']; + if (empty($ldapbindun) || empty($ldapbindpw)) { + $ldapanon = true; + } else { + $ldapanon = false; + } + $ldapname = $authcfg['name']; + $ldapfallback = false; + $ldapscope = $authcfg['ldap_scope']; + } else { + return false; + } + + $ldapdn = $_SESSION['ldapdn']; + + /*Convert attribute to lowercase. php ldap arrays put everything in lowercase */ + $ldapgroupattribute = strtolower($ldapgroupattribute); + $memberof = array(); + + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + + /* connect and see if server is up */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! ldap_get_groups() Could not connect to server %s."), $ldapname)); + return memberof; + } + + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + + /* bind as user that has rights to read group attributes */ + $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; + $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; + if ($ldapanon == true) { + if (!($res = @ldap_bind($ldap))) { + log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname)); + @ldap_close($ldap); + return false; + } + } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { + log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind to server %s."), $ldapname)); + @ldap_close($ldap); + return memberof; + } + + /* get groups from DN found */ + /* use ldap_read instead of search so we don't have to do a bunch of extra work */ + /* since we know the DN is in $_SESSION['ldapdn'] */ + //$search = ldap_read($ldap, $ldapdn, "(objectclass=*)", array($ldapgroupattribute)); + if ($ldapscope == "one") { + $ldapfunc = "ldap_list"; + } else { + $ldapfunc = "ldap_search"; + } + + $search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute)); + $info = @ldap_get_entries($ldap, $search); + + $countem = $info["count"]; + + if (is_array($info[0][$ldapgroupattribute])) { + /* Iterate through the groups and throw them into an array */ + foreach ($info[0][$ldapgroupattribute] as $member) { + if (stristr($member, "CN=") !== false) { + $membersplit = explode(",", $member); + $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]); + } + } + } + + /* Time to close LDAP connection */ + @ldap_unbind($ldap); + + $groups = print_r($memberof, true); + + //log_error("Returning groups ".$groups." for user $username"); + + return $memberof; +} + +function ldap_format_host($host) { + return is_ipaddrv6($host) ? "[$host]" : $host ; +} + +function ldap_backed($username, $passwd, $authcfg) { + global $debug, $config; + + if (!$username) { + return; + } + + if (!function_exists("ldap_connect")) { + return; + } + + if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) { + $username_split = explode("@", $username); + $username = $username_split[0]; + } + if (stristr($username, "\\")) { + $username_split = explode("\\", $username); + $username = $username_split[0]; + } + + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "Standard")) { + $ldapproto = "ldap"; + } else { + $ldapproto = "ldaps"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + if (empty($ldapbindun) || empty($ldapbindpw)) { + $ldapanon = true; + } else { + $ldapanon = false; + } + $ldapauthcont = $authcfg['ldap_authcn']; + $ldapnameattribute = strtolower($authcfg['ldap_attr_user']); + $ldapextendedqueryenabled = $authcfg['ldap_extended_enabled']; + $ldapextendedquery = $authcfg['ldap_extended_query']; + $ldapfilter = ""; + if (!$ldapextendedqueryenabled) { + $ldapfilter = "({$ldapnameattribute}={$username})"; + } else { + $ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))"; + } + $ldaptype = ""; + $ldapver = $authcfg['ldap_protver']; + $ldapname = $authcfg['name']; + $ldapscope = $authcfg['ldap_scope']; + } else { + return false; + } + + /* first check if there is even an LDAP server populated */ + if (!$ldapserver) { + if ($ldapfallback) { + log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined. Defaulting to local user database. Visit System -> User Manager.")); + return local_backed($username, $passwd); + } else { + log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined.")); + } + + return false; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + + /* Make sure we can connect to LDAP */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname)); + return false; + } + + /* ok, its up. now, lets bind as the bind user so we can search it */ + $error = false; + $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; + $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; + if ($ldapanon == true) { + if (!($res = @ldap_bind($ldap))) { + $error = true; + } + } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { + $error = true; + } + + if ($error == true) { + @ldap_close($ldap); + log_error(sprintf(gettext("ERROR! Could not bind to server %s."), $ldapname)); + return false; + } + + /* Get LDAP Authcontainers and split em up. */ + $ldac_splits = explode(";", $ldapauthcont); + + /* setup the usercount so we think we haven't found anyone yet */ + $usercount = 0; + + /*****************************************************************/ + /* We First find the user based on username and filter */ + /* Then, once we find the first occurrence of that person */ + /* We set session variables to point to the OU and DN of the */ + /* Person. To later be used by ldap_get_groups. */ + /* that way we don't have to search twice. */ + /*****************************************************************/ + if ($debug) { + log_auth(sprintf(gettext("Now Searching for %s in directory."), $username)); + } + /* Iterate through the user containers for search */ + foreach ($ldac_splits as $i => $ldac_split) { + $ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split; + $ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter; + $ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}"; + /* Make sure we just use the first user we find */ + if ($debug) { + log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter))); + } + if ($ldapscope == "one") { + $ldapfunc = "ldap_list"; + } else { + $ldapfunc = "ldap_search"; + } + /* Support legacy auth container specification. */ + if (stristr($ldac_split, "DC=") || empty($ldapbasedn)) { + $search = @$ldapfunc($ldap,$ldac_split,$ldapfilter); + } else { + $search = @$ldapfunc($ldap,$ldapsearchbasedn,$ldapfilter); + } + if (!$search) { + log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap))); + continue; + } + $info = ldap_get_entries($ldap, $search); + $matches = $info['count']; + if ($matches == 1) { + $userdn = $_SESSION['ldapdn'] = $info[0]['dn']; + $_SESSION['ldapou'] = $ldac_split[$i]; + $_SESSION['ldapon'] = "true"; + $usercount = 1; + break; + } + } + + if ($usercount != 1) { + @ldap_unbind($ldap); + log_error(gettext("ERROR! Either LDAP search failed, or multiple users were found.")); + return false; + } + + /* Now lets bind as the user we found */ + $passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd; + if (!($res = @ldap_bind($ldap, $userdn, $passwd))) { + log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap))); + @ldap_unbind($ldap); + return false; + } + + if ($debug) { + $userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn; + log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn)); + } + + /* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */ + @ldap_unbind($ldap); + + return true; +} + +function radius_backed($username, $passwd, $authcfg, &$attributes = array()) { + global $debug, $config; + $ret = false; + + require_once("radius.inc"); + + $rauth = new Auth_RADIUS_PAP($username, $passwd); + if ($authcfg) { + $radiusservers = array(); + $radiusservers[0]['ipaddr'] = $authcfg['host']; + $radiusservers[0]['port'] = $authcfg['radius_auth_port']; + $radiusservers[0]['sharedsecret'] = $authcfg['radius_secret']; + $radiusservers[0]['timeout'] = $authcfg['radius_timeout']; + } else { + return false; + } + + /* Add new servers to our instance */ + foreach ($radiusservers as $radsrv) { + $timeout = (is_numeric($radsrv['timeout'])) ? $radsrv['timeout'] : 5; + $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret'], $timeout); + } + + if (PEAR::isError($rauth->start())) { + $retvalue['auth_val'] = 1; + $retvalue['error'] = $rauth->getError(); + if ($debug) { + printf(gettext("Radius start: %s<br />\n"), $retvalue['error']); + } + } + + // XXX - billm - somewhere in here we need to handle securid challenge/response + + /* Send request */ + $result = $rauth->send(); + if (PEAR::isError($result)) { + $retvalue['auth_val'] = 1; + $retvalue['error'] = $result->getMessage(); + if ($debug) { + printf(gettext("Radius send failed: %s<br />\n"), $retvalue['error']); + } + } else if ($result === true) { + if ($rauth->getAttributes()) { + $attributes = $rauth->listAttributes(); + } + $retvalue['auth_val'] = 2; + if ($debug) { + printf(gettext("Radius Auth succeeded")."<br />\n"); + } + $ret = true; + } else { + $retvalue['auth_val'] = 3; + if ($debug) { + printf(gettext("Radius Auth rejected")."<br />\n"); + } + } + + // close OO RADIUS_AUTHENTICATION + $rauth->close(); + + return $ret; +} + +/* + $attributes must contain a "class" key containing the groups and local + groups must exist to match. +*/ +function radius_get_groups($attributes) { + $groups = array(); + if (!empty($attributes) && is_array($attributes) && !empty($attributes['class'])) { + $groups = explode(";", $attributes['class']); + foreach ($groups as & $grp) { + $grp = trim($grp); + if (strtolower(substr($grp, 0, 3)) == "ou=") { + $grp = substr($grp, 3); + } + } + } + return $groups; +} + +function get_user_expiration_date($username) { + $user = getUserEntry($username); + if ($user['expires']) { + return $user['expires']; + } +} + +function is_account_expired($username) { + $expirydate = get_user_expiration_date($username); + if ($expirydate) { + if (strtotime("-1 day") > strtotime(date("m/d/Y", strtotime($expirydate)))) { + return true; + } + } + + return false; +} + +function is_account_disabled($username) { + $user = getUserEntry($username); + if (isset($user['disabled'])) { + return true; + } + + return false; +} + +function auth_get_authserver($name) { + global $config; + + if (is_array($config['system']['authserver'])) { + foreach ($config['system']['authserver'] as $authcfg) { + if ($authcfg['name'] == $name) { + return $authcfg; + } + } + } + if ($name == "Local Database") { + return array("name" => gettext("Local Database"), "type" => "Local Auth", "host" => $config['system']['hostname']); + } +} + +function auth_get_authserver_list() { + global $config; + + $list = array(); + + if (is_array($config['system']['authserver'])) { + foreach ($config['system']['authserver'] as $authcfg) { + /* Add support for disabled entries? */ + $list[$authcfg['name']] = $authcfg; + } + } + + $list["Local Database"] = array("name" => gettext("Local Database"), "type" => "Local Auth", "host" => $config['system']['hostname']); + return $list; +} + +function getUserGroups($username, $authcfg, &$attributes = array()) { + global $config; + + $allowed_groups = array(); + + switch ($authcfg['type']) { + case 'ldap': + $allowed_groups = @ldap_get_groups($username, $authcfg); + break; + case 'radius': + $allowed_groups = @radius_get_groups($attributes); + break; + default: + $user = getUserEntry($username); + $allowed_groups = @local_user_get_groups($user, true); + break; + } + + $member_groups = array(); + if (is_array($config['system']['group'])) { + foreach ($config['system']['group'] as $group) { + if (in_array($group['name'], $allowed_groups)) { + $member_groups[] = $group['name']; + } + } + } + + return $member_groups; +} + +function authenticate_user($username, $password, $authcfg = NULL, &$attributes = array()) { + + if (!$authcfg) { + return local_backed($username, $password); + } + + $authenticated = false; + switch ($authcfg['type']) { + case 'ldap': + if (ldap_backed($username, $password, $authcfg)) { + $authenticated = true; + } + break; + case 'radius': + if (radius_backed($username, $password, $authcfg, $attributes)) { + $authenticated = true; + } + break; + default: + /* lookup user object by name */ + if (local_backed($username, $password)) { + $authenticated = true; + } + break; + } + + return $authenticated; +} + +function session_auth() { + global $config, $_SESSION, $page; + + // Handle HTTPS httponly and secure flags + $currentCookieParams = session_get_cookie_params(); + session_set_cookie_params( + $currentCookieParams["lifetime"], + $currentCookieParams["path"], + NULL, + ($config['system']['webgui']['protocol'] == "https"), + true + ); + + if (!session_id()) { + session_start(); + } + + // Detect protocol change + if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) { + return false; + } + + /* Validate incoming login request */ + $attributes = array(); + if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) { + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes) || + authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) { + // Generate a new id to avoid session fixation + session_regenerate_id(); + $_SESSION['Logged_In'] = "True"; + $_SESSION['Username'] = $_POST['usernamefld']; + $_SESSION['user_radius_attributes'] = $attributes; + $_SESSION['last_access'] = time(); + $_SESSION['protocol'] = $config['system']['webgui']['protocol']; + if (!isset($config['system']['webgui']['quietlogin'])) { + log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); + } + if (isset($_POST['postafterlogin'])) { + return true; + } else { + if (empty($page)) { + $page = "/"; + } + header("Location: {$page}"); + } + exit; + } else { + /* give the user an error message */ + $_SESSION['Login_Error'] = "Username or Password incorrect"; + log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}"); + if (isAjax()) { + echo "showajaxmessage('{$_SESSION['Login_Error']}');"; + return; + } + } + } + + /* Show login page if they aren't logged in */ + if (empty($_SESSION['Logged_In'])) { + return false; + } + + /* If session timeout isn't set, we don't mark sessions stale */ + if (!isset($config['system']['webgui']['session_timeout'])) { + /* Default to 4 hour timeout if one is not set */ + if ($_SESSION['last_access'] < (time() - 14400)) { + $_GET['logout'] = true; + $_SESSION['Logout'] = true; + } else { + $_SESSION['last_access'] = time(); + } + } else if (intval($config['system']['webgui']['session_timeout']) == 0) { + /* only update if it wasn't ajax */ + if (!isAjax()) { + $_SESSION['last_access'] = time(); + } + } else { + /* Check for stale session */ + if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) { + $_GET['logout'] = true; + $_SESSION['Logout'] = true; + } else { + /* only update if it wasn't ajax */ + if (!isAjax()) { + $_SESSION['last_access'] = time(); + } + } + } + + /* user hit the logout button */ + if (isset($_GET['logout'])) { + + if ($_SESSION['Logout']) { + log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); + } else { + log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); + } + + /* wipe out $_SESSION */ + $_SESSION = array(); + + if (isset($_COOKIE[session_name()])) { + setcookie(session_name(), '', time()-42000, '/'); + } + + /* and destroy it */ + session_destroy(); + + $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]); + $scriptElms = count($scriptName); + $scriptName = $scriptName[$scriptElms-1]; + + if (isAjax()) { + return false; + } + + /* redirect to page the user is on, it'll prompt them to login again */ + header("Location: {$scriptName}"); + + return false; + } + + /* + * this is for debugging purpose if you do not want to use Ajax + * to submit a HTML form. It basically disables the observation + * of the submit event and hence does not trigger Ajax. + */ + if ($_GET['disable_ajax']) { + $_SESSION['NO_AJAX'] = "True"; + } + + /* + * Same to re-enable Ajax. + */ + if ($_GET['enable_ajax']) { + unset($_SESSION['NO_AJAX']); + } + + return true; +} + +?> |