authorRenato Botelho <renato@netgate.com>2017-05-26 11:55:19 -0300
committerRenato Botelho <renato@netgate.com>2017-05-26 11:55:19 -0300
commit2c8c85787b3c2e0071b157891425afb819fe2ff1 (patch)
tree898e0604d6372194c9cdd6e9f99384fb479bb430 /src
parent8b8fb93d414e375fca6da547e2d2eea568f1e16f (diff)
parent60ba7c7642036deb1001f1862e5c19d465fbdf74 (diff)
Merge pull request #3728 from PiBa-NL/20170511-fastauth
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/auth_check.inc48
-rw-r--r--src/etc/inc/auth_func.inc64
-rw-r--r--src/etc/inc/priv.inc36
-rw-r--r--src/usr/local/www/bandwidth_by_ip.php2
-rw-r--r--src/usr/local/www/diag_routes.php5
-rw-r--r--src/usr/local/www/getstats.php2
-rw-r--r--src/usr/local/www/ifstats.php2
-rw-r--r--src/usr/local/www/widgets/widgets/ipsec.widget.php2
8 files changed, 120 insertions, 41 deletions
diff --git a/src/etc/inc/auth_check.inc b/src/etc/inc/auth_check.inc
new file mode 100644
index 0000000..cfe938f
--- /dev/null
+++ b/src/etc/inc/auth_check.inc
@@ -0,0 +1,48 @@
+<?php
+/*
+ * auth_check.inc
+ *
+ * part of pfSense (https://www.pfsense.org)
+ * Copyright (c) 2017 Rubicon Communications, LLC (Netgate)
+ * All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * Light weight authentication check thats ment as a substitute for guiconfig.inc
+ * in cases where frequent automatic requests are made like graphs and widget pages.
+ */
+
+require_once("auth_func.inc");
+
+function session_read_single_var($varname) {
+ $session_started = false;
+ if (!session_id()) {
+ session_start();
+ $session_started = true;
+ }
+ $result = $_SESSION[$varname];
+ if ($session_started) {
+ // if we started the session then lets close it..
+ session_abort();
+ }
+ return $result;
+}
+
+$session_pagematch = session_read_single_var("page-match");
+
+$pageuri = $_SERVER['REQUEST_URI'];
+if (cmp_page_matches($pageuri, $session_pagematch)) {
+ return; // auth OK
+}
+require_once("authgui.inc");
\ No newline at end of file
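Review bot: The fast path at `if (cmp_page_matches($pageuri, $session_pagematch)) { return; }` authorises the request from the cached `page-match` session value alone, so any per-request checks that authgui.inc performs are skipped whenever that list matches. authgui.inc is not shown here; if it enforces session expiry or re-validates the account, the header comment should state that this file deliberately trades those checks for speed, or the checks should be repeated here. Separately, `$result = $_SESSION[$varname];` reads an index that is presumably unset on requests without a login; `$result = isset($_SESSION[$varname]) ? $_SESSION[$varname] : null;` keeps the fail-closed result (a non-array makes `cmp_page_matches` return false) without the notice.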
diff --git a/src/etc/inc/auth_func.inc b/src/etc/inc/auth_func.inc
new file mode 100644
index 0000000..0d9afb5
--- /dev/null
+++ b/src/etc/inc/auth_func.inc
@@ -0,0 +1,64 @@
+<?php
+/*
+ * auth_func.inc
+ *
+ * part of pfSense (https://www.pfsense.org)
+ * Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
+ * Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
+ * Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
+ * Copyright (c) 2008 Shrew Soft Inc
+ * Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ * All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Function put in seperate file to avoid processing priv.inc which is cpu intensive
+ * cmp_page_matches is used by both auth_check.inc and priv.inc which is used by guiconfig.inc
+ */
+
+function cmp_page_matches($page, & $matches, $fullwc = true) {
+
+// $dbg_matches = implode(",", $matches);
+// log_error("debug: checking page {$page} match with {$dbg_matches}");
+
+ if (!is_array($matches)) {
+ return false;
+ }
+
+ /* skip any leading fwdslash */
+ $test = strpos($page, "/");
+ if ($test !== false && $test == 0) {
+ $page = substr($page, 1);
+ }
+
+ /* look for a match */
+ foreach ($matches as $match) {
+
+ /* possibly ignore full wildcard match */
+ if (!$fullwc && !strcmp($match , "*")) {
+ continue;
+ }
+
+ /* compare exact or wildcard match */
+ $match = str_replace(array(".", "*", "?"), array("\.", ".*", "\?"), $match);
+ $result = preg_match("@^/{$match}$@", "/{$page}");
+
+ if ($result) {
+ return true;
+ }
+ }
+
+ return false;
+}
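Review bot: `$match` is interpolated into the pattern on the `preg_match("@^/{$match}$@", "/{$page}")` line with only `.`, `*` and `?` rewritten, so any other regex metacharacter, or an `@`, in a privilege pattern changes the expression that now also decides the auth_check.inc fast path. The body is moved unchanged from priv.inc and the patterns presumably come from trusted privilege definitions, but quoting first is cheap and gives the same result for those three characters: `$match = str_replace('\*', '.*', preg_quote($match, '@'));`. A docblock should also record that a non-array `$matches` returns false, that a failed `preg_match` is treated as no match, and that `$matches` is taken by reference but never modified.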
diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc
index a80e383..3e928a9 100644
--- a/src/etc/inc/priv.inc
+++ b/src/etc/inc/priv.inc
@@ -24,6 +24,7 @@
*/
require_once("priv.defs.inc");
+require_once("auth_func.inc");
/* Load and process custom privs. */
function get_priv_files($directory) {
@@ -89,41 +90,6 @@ function sort_privs(& $privs) {
uksort($privs, "cmp_privkeys");
}
-function cmp_page_matches($page, & $matches, $fullwc = true) {
-
-// $dbg_matches = implode(",", $matches);
-// log_error("debug: checking page {$page} match with {$dbg_matches}");
-
- if (!is_array($matches)) {
- return false;
- }
-
- /* skip any leading fwdslash */
- $test = strpos($page, "/");
- if ($test !== false && $test == 0) {
- $page = substr($page, 1);
- }
-
- /* look for a match */
- foreach ($matches as $match) {
-
- /* possibly ignore full wildcard match */
- if (!$fullwc && !strcmp($match , "*")) {
- continue;
- }
-
- /* compare exact or wildcard match */
- $match = str_replace(array(".", "*", "?"), array("\.", ".*", "\?"), $match);
- $result = preg_match("@^/{$match}$@", "/{$page}");
-
- if ($result) {
- return true;
- }
- }
-
- return false;
-}
-
function map_page_privname($page) {
global $priv_list;
diff --git a/src/usr/local/www/bandwidth_by_ip.php b/src/usr/local/www/bandwidth_by_ip.php
index 9259924..d403dcc 100644
--- a/src/usr/local/www/bandwidth_by_ip.php
+++ b/src/usr/local/www/bandwidth_by_ip.php
@@ -19,7 +19,7 @@
* limitations under the License.
*/
-require_once('guiconfig.inc');
+require_once('auth_check.inc');
require_once('interfaces.inc');
require_once('pfsense-utils.inc');
require_once('util.inc');
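Review bot: Swapping `guiconfig.inc` for `auth_check.inc` means that on the fast path this page no longer gets anything else guiconfig.inc loaded or enforced; the same one-line swap is made in getstats.php, ifstats.php and ipsec.widget.php. ifstats.php and ipsec.widget.php set `$nocsrf = true` before the include, which suggests guiconfig.inc applies CSRF handling that this page and getstats.php previously received, so it is worth confirming that dropping it is intended for them. A comment at the include, such as `// read-only endpoint: auth_check.inc only verifies the session's page-match list`, would record the assumption.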
diff --git a/src/usr/local/www/diag_routes.php b/src/usr/local/www/diag_routes.php
index 13bd65d..3561cd8 100644
--- a/src/usr/local/www/diag_routes.php
+++ b/src/usr/local/www/diag_routes.php
@@ -27,12 +27,12 @@
##|*MATCH=diag_routes.php*
##|-PRIV
-require_once('guiconfig.inc');
-
$limit = '100';
$filter = '';
if (isset($_REQUEST['isAjax'])) {
+ require_once('auth_check.inc');
+
$netstat = "/usr/bin/netstat -rW";
if (isset($_REQUEST['IPv6'])) {
$netstat .= " -f inet6";
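Review bot: The authentication include now sits inside the `isAjax` branch, after `$limit` and `$filter` are set and directly before the branch starts assembling the `netstat` command line, so its position is the only thing keeping that code behind a login check. Add a comment on it, e.g. `// must stay first in this branch: nothing below may run before the auth check`. The branch continues past this hunk, and the following hunk adds `require_once('guiconfig.inc');` after the branch's `exit;` for the non-Ajax path, so both paths stay covered only as long as neither include is moved.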
@@ -61,6 +61,7 @@ if (isset($_REQUEST['isAjax'])) {
exit;
}
+require_once('guiconfig.inc');
$pgtitle = array(gettext("Diagnostics"), gettext("Routes"));
$shortcut_section = "routing";
diff --git a/src/usr/local/www/getstats.php b/src/usr/local/www/getstats.php
index 9bc913f..940a7dc 100644
--- a/src/usr/local/www/getstats.php
+++ b/src/usr/local/www/getstats.php
@@ -32,7 +32,7 @@ header("Expires: " . gmdate("D, j M Y H:i:s", time()) . " GMT");
header("Cache-Control: no-cache, no-store, must-revalidate"); // HTTP/1.1
header("Pragma: no-cache"); // HTTP/1.0
-require_once("guiconfig.inc");
+require_once("auth_check.inc");
include_once("includes/functions.inc.php");
echo get_stats();
diff --git a/src/usr/local/www/ifstats.php b/src/usr/local/www/ifstats.php
index dd10b93..671d5df 100644
--- a/src/usr/local/www/ifstats.php
+++ b/src/usr/local/www/ifstats.php
@@ -28,7 +28,7 @@
$nocsrf = true;
-require_once('guiconfig.inc');
+require_once('auth_check.inc');
require_once("interfaces.inc");
diff --git a/src/usr/local/www/widgets/widgets/ipsec.widget.php b/src/usr/local/www/widgets/widgets/ipsec.widget.php
index 62aa804..1c66153 100644
--- a/src/usr/local/www/widgets/widgets/ipsec.widget.php
+++ b/src/usr/local/www/widgets/widgets/ipsec.widget.php
@@ -28,7 +28,7 @@
$nocsrf = true;
-require_once("guiconfig.inc");
+require_once("auth_check.inc");
require_once("functions.inc");
require_once("ipsec.inc");