diff options
author | Renato Botelho <renato@netgate.com> | 2015-08-26 15:12:02 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2015-08-26 15:12:02 -0300 |
commit | 03b19a93f4d8d870507ee96121cee4acd748dd2a (patch) | |
tree | 71a34e9e7e73d13de21cb4ad831799fb10c30df4 /src/etc/inc/authgui.inc | |
parent | 7f410a121522c5d0e2660256ae50c1fde1df3645 (diff) | |
parent | 30ce58ac1ea27b758d5112cb5a3b190c9760f010 (diff) | |
download | pfsense-03b19a93f4d8d870507ee96121cee4acd748dd2a.zip pfsense-03b19a93f4d8d870507ee96121cee4acd748dd2a.tar.gz |
Merge branch 'master' into bootstrap
Diffstat (limited to 'src/etc/inc/authgui.inc')
-rw-r--r-- | src/etc/inc/authgui.inc | 285 |
1 files changed, 285 insertions, 0 deletions
diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc new file mode 100644 index 0000000..721be47 --- /dev/null +++ b/src/etc/inc/authgui.inc @@ -0,0 +1,285 @@ +<?php +/* $Id$ */ +/* + Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com> + All rights reserved. + + Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com> + All rights reserved. + + Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>. + All rights reserved. + + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + + pfSense_MODULE: authgui +*/ + +include_once("auth.inc"); +include_once("priv.inc"); +if (!function_exists('platform_booting')) { + require_once('globals.inc'); +} + +/* Authenticate user - exit if failed */ +if (!session_auth()) { + display_login_form(); + exit; +} + +/* + * Once here, the user has authenticated with the web server. + * We give them access only to the appropriate pages based on + * the user or group privileges. + */ +$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']); + +/* + * redirect to first allowed page if requesting a wrong url + */ +if (!isAllowedPage($_SERVER['REQUEST_URI'])) { + if (count($allowedpages) > 0) { + $page = str_replace('*', '', $allowedpages[0]); + $_SESSION['Post_Login'] = true; + require_once("functions.inc"); + pfSenseHeader("/{$page}"); + + $username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username']; + if (!empty($_SERVER['REMOTE_ADDR'])) { + $username .= '@' . $_SERVER['REMOTE_ADDR']; + } + log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}."); + + exit; + } else { + display_error_form("201", gettext("No page assigned to this user! Click here to logout.")); + exit; + } +} else { + $_SESSION['Post_Login'] = true; +} + +/* + * redirect browsers post-login to avoid pages + * taking action in response to a POST request + */ +if (!$_SESSION['Post_Login']) { + $_SESSION['Post_Login'] = true; + require_once("functions.inc"); + pfSenseHeader($_SERVER['REQUEST_URI']); + exit; +} + +/* + * Close session data to allow other scripts from same host to come in. + * A session can be reactivated from calling session_start again + */ +session_commit(); + +/* + * determine if the user is allowed access to the requested page + */ +function display_error_form($http_code, $desc) { + global $config, $g; + $g['theme'] = get_current_theme(); + if (isAjax()) { + printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc); + return; + } + +?> +<<<<<<< HEAD +<!DOCTYPE html> +<html lang="en"> +<head> + <link rel="stylesheet" href="/bootstrap/css/pfSense.css" /> + <title><?=gettext("Error: not allowed"); ?></title> +</head> +<body id="error" class="no-menu"> + <div id="jumbotron"> + <div class="container"> + <div class="col-sm-offset-3 col-sm-6 col-xs-12"> + <!-- FIXME: We really need to POST the logout action --> + <div class="alert alert-danger" role="alert"><a href="index.php?logout"><?=$desc;?></a></div> + </div> + </div> + </div> +</body> +</html> +<?php + +} // end function + + +function display_login_form() { + require_once("globals.inc"); + global $config, $g; + $g['theme'] = get_current_theme(); + + unset($input_errors); + + if (isAjax()) { + if (isset($_POST['login'])) { + if ($_SESSION['Logged_In'] <> "True") { + isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = gettext("unknown reason"); + printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error); + } + if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) { + // TODO: add the IP from the user who did lock the device + $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock"); + printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom); + } + } + exit; + } + +/* Check against locally configured IP addresses, which will catch when someone + port forwards WebGUI access from WAN to an internal IP on the router. */ +global $FilterIflist, $nifty_background; +$local_ip = false; +if (strpos($_SERVER['HTTP_HOST'], ":") === FALSE) { + $http_host_port = explode(":", $_SERVER['HTTP_HOST']); + $http_host = $http_host_port[0]; +} else { + $http_host = $_SERVER['HTTP_HOST']; +} +if (empty($FilterIflist)) { + require_once('filter.inc'); + require_once('shaper.inc'); + filter_generate_optcfg_array(); +} +foreach ($FilterIflist as $iflist) { + if ($iflist['ip'] == $http_host) { + $local_ip = true; + } else if ($iflist['ipv6'] == $http_host) { + $local_ip = true; + } else if (is_array($iflist['vips'])) { + foreach ($iflist['vips'] as $vip) { + if ($vip['ip'] == $http_host) { + $local_ip = true; + break; + } + } + unset($vip); + } + if ($local_ip == true) { + break; + } +} +unset($FilterIflist); +unset($iflist); + +if ($local_ip == false) { + if (is_array($config['openvpn']['openvpn-server'])) { + foreach ($config['openvpn']['openvpn-server'] as $ovpns) { + if (is_ipaddrv4($http_host) && !empty($ovpns['tunnel_network']) && ip_in_subnet($http_host, $ovpns['tunnel_network'])) { + $local_ip = true; + } else if (is_ipaddrv6($http_host) && !empty($ovpns['tunnel_networkv6']) && ip_in_subnet($http_host, $ovpns['tunnel_networkv6'])) { + $local_ip = true; + } + if ($local_ip == true) { + break; + } + } + } +} + +?> +<!DOCTYPE html> +<html lang="en"> +<head> + <link rel="stylesheet" href="/bootstrap/css/pfSense.css" /> + <title><?=gettext("Login"); ?></title> + <script>var events = events || [];</script> +</head> +<body id="login" class="no-menu"> + <div id="jumbotron"> + <div class="container"> + <div class="col-sm-offset-3 col-sm-6 col-xs-12"> +<?php + if(is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) { + $nifty_background = "#999"; + print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br /><br />If you did not setup this forwarding, you may be the target of a man-in-the-middle attack.")); + } + + $loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"'; +?> + + <div class="panel panel-default"> + <div class="panel-heading"> + <h2 class="panel-title">Login to pfSense</h2> + </div> + + <div class="panel-body"> +<?php if (!empty($_SESSION['Login_Error'])): ?> + <div class="alert alert-danger" role="alert"><?=$_SESSION['Login_Error'];?></div> +<?php endif ?> + <div class="alert alert-warning" class="hidden" id="no_cookies"><?= gettext("Your browser must support cookies to login."); ?></div> + + <form method="post" <?= $loginautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>" class="form-horizontal"> + <div class="form-group"> + <label for="usernamefld" class="col-sm-3 control-label">Username</label> + <div class="col-sm-9 col-md-7"> + <input type="text" class="form-control" name="usernamefld" id="usernamefld" placeholder="Enter your username"> + </div> + </div> + + <div class="form-group"> + <label for="passwordfld" class="col-sm-3 control-label">Password</label> + <div class="col-sm-9 col-md-7"> + <input type="password" class="form-control" name="passwordfld" id="passwordfld" placeholder="Enter your password"> + </div> + </div> + + <div class="form-group"> + <div class="col-sm-offset-3 col-sm-9 col-md-7"> + <button type="submit" class="btn btn-primary" name="login">Login</button> + </div> + </div> + </form> + </div> + </div> + </div> + </div> + + <script> + events.push(function() { + document.cookie= + "cookie_test=1" + + "<?php echo $config['system']['webgui']['protocol'] == 'https' ? '; secure' : '';?>"; + + if (document.cookie.indexOf("cookie_test") == -1) + document.getElementById("no_cookies").style.display=""; + else + document.getElementById("no_cookies").style.display="none"; + + // Delete it + document.cookie = "cookie_test=1; expires=Thu, 01-Jan-1970 00:00:01 GMT"; + }); + </script> +<?php +require('foot.inc'); + +} // end function |