Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/auth.inc | 37 | ||||
-rw-r--r-- | etc/inc/authgui.inc | 3 | ||||
-rw-r--r-- | etc/inc/certs.inc | 450 | ||||
-rw-r--r-- | etc/inc/functions.inc | 3 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 340 | ||||
-rw-r--r-- | etc/inc/priv.inc | 531 | ||||
-rw-r--r-- | etc/inc/rrd.inc | 5 | ||||
-rw-r--r-- | etc/inc/util.inc | 13 |
8 files changed, 523 insertions, 859 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 09e0273..dd69a28 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -42,7 +42,7 @@
 * file courtesy of Michael Retterklieber.
 */
 
-require_once("functions.inc");
+require_once("config.inc");
 
 $groupindex = index_groups();
 $userindex = index_users();
@@ -107,6 +107,39 @@ function & getGroupEntryByGID($gid) {
 return false;
 }
 
+function get_user_privileges(& $user) {
+
+ $privs = $user['priv'];
+ if (!is_array($privs))
+ $privs = array();
+
+ $names = local_user_get_groups($user, true);
+
+ foreach ($names as $name) {
+ $group = getGroupEntry($name);
+ if (is_array($group['priv']))
+ $privs = array_merge( $privs, $group['priv']);
+ }
+
+ return $privs;
+}
+
+function userHasPrivilege($userent, $privid = false) {
+
+ if (!$privid || !is_array($userent))
+ return false;
+
+ $privs = get_user_privileges($userent);
+
+ if (!is_array($privs))
+ return false;
+
+ if (!in_array($privid, $privs))
+ return false;
+
+ return true;
+}
+
 function local_backed($username, $passwd) {
 
 $user = getUserEntry($username);
@@ -872,7 +905,7 @@ function session_auth($backing) {
 return false;
 
 /* redirect to page the user is on, it'll prompt them to login again */
- pfSenseHeader($scriptName);
+ Header("Location: {$scriptName}");
 
 return false;
 }
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 0acb63b..d9611d2 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -35,8 +35,7 @@
 POSSIBILITY OF SUCH DAMAGE.
 */
 
-include_once("auth.inc");
-require_once("functions.inc");
+include_once("priv.inc");
 
 /* We only support htpasswd backed HTTP Basic auth and session
 * based backing methods at the moment.
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index b7c0e60..4177545 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -1,226 +1,224 @@
-<?php
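Review bot: `in_array($privid, $privs)` in the new userHasPrivilege compares loosely, so a non-string entry in a user's or group's `priv` list (for example an integer 0 left by a malformed config) would satisfy the check for any privilege id under PHP's loose comparison rules; the strict form `if (!in_array($privid, $privs, true))` limits a match to the identical privilege string. get_user_privileges concatenates the user's own `priv` list with the `priv` list of every group name returned by `local_user_get_groups($user, true)` and does not deduplicate, and it tolerates a failed group lookup only because `is_array($group['priv'])` is false for a non-array; what the second argument to local_user_get_groups selects is not visible in this hunk. A header comment such as `/* Return the user's own privilege ids plus those of every group the user belongs to; a group that cannot be looked up contributes nothing. */` would record that contract, and since the function only reads `$user`, the by-reference parameter is not needed.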
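Review bot: `Header("Location: {$scriptName}")` emits `$scriptName` into a response header unencoded, and `$scriptName` is assigned outside this hunk (session_auth begins before it); if it derives from request data such as the request URI, the redirect target becomes caller-controlled, so it should be confined to a local path before use. PHP's header() itself rejects CR/LF in the value, so the concern is where the browser is sent, not header injection. The replaced pfSenseHeader() wrapper (the functions.inc compatibility shim for it is visible in a later hunk) may have done more than emit the header, and the new call falls through to `return false;` without stopping the script, so the caller must not continue rendering. `Header` only works because PHP function names are case-insensitive; the conventional spelling is `header("Location: {$scriptName}");`.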
-/* $Id$ */
-/*
- Copyright (C) 2008 Shrew Soft Inc
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- DISABLE_PHP_LINT_CHECKING
-*/
-
-require_once("functions.inc");
-
-function & lookup_ca($refid) {
- global $config;
-
- if (is_array($config['system']['ca']))
- foreach ($config['system']['ca'] as & $ca)
- if ($ca['refid'] == $refid)
- return $ca;
-
- return false;
-}
-
-function & lookup_cert($refid) {
- global $config;
-
- if (is_array($config['system']['cert']))
- foreach ($config['system']['cert'] as & $cert)
- if ($cert['refid'] == $refid)
- return $cert;
-
- return false;
-}
-
-function ca_import(& $ca, $str) {
-
- $ca['crt'] = base64_encode($str);
-
- return true;
-}
-
-function ca_create(& $ca, $keylen, $lifetime, $dn) {
-
- $args = array(
- "digest_alg" => "sha1",
- "private_key_bits" => $keylen,
- "private_key_type" => OPENSSL_KEYTYPE_RSA,
- "encrypt_key" => false);
-
- // generate a new key pair
- $res_key = openssl_pkey_new();
-
- // generate a certificate signing request
- $res_csr = openssl_csr_new($dn, $res_key, $args);
-
- // self sign the certificate
- $res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args);
-
- // export our certificate data
- openssl_pkey_export($res_key, $str_key);
- openssl_x509_export($res_crt, $str_crt);
-
- // return our ca information
- $ca['crt'] = base64_encode($str_crt);
- $ca['prv'] = base64_encode($str_key);
- $ca['serial'] = 0;
-
- return true;
-}
-
-function cert_import(& $cert, $crt_str, $key_str) {
-
- $cert['crt'] = base64_encode($crt_str);
- $cert['prv'] = base64_encode($key_str);
-
- return true;
-}
-
-function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
-
- $ca =& lookup_ca($caref);
- if (!$ca)
- return false;
-
- $ca_str_crt = base64_decode($ca['crt']);
- $ca_str_key = base64_decode($ca['prv']);
- $ca_res_crt = openssl_x509_read($ca_str_crt);
- $ca_res_key = openssl_pkey_get_private($ca_str_key);
- $ca_serial = $ca['serial']++;
-
- $args = array(
- "digest_alg" => "sha1",
- "private_key_bits" => $keylen,
- "private_key_type" => OPENSSL_KEYTYPE_RSA,
- "encrypt_key" => false);
-
- // generate a new key pair
- $res_key = openssl_pkey_new();
-
- // generate a certificate signing request
- $res_csr = openssl_csr_new($dn, $res_key, $args);
-
- // self sign the certificate
- $res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime,
- $args, $ca_serial);
-
- // export our certificate data
- openssl_pkey_export($res_key, $str_key);
- openssl_x509_export($res_crt, $str_crt);
-
- // return our certificate information
- $cert['caref'] = $caref;
- $cert['crt'] = base64_encode($str_crt);
- $cert['prv'] = base64_encode($str_key);
-
- return true;
-}
-
-function csr_generate(& $cert, $keylen, $dn) {
-
- $args = array(
- "digest_alg" => "sha1",
- "private_key_bits" => $keylen,
- "private_key_type" => OPENSSL_KEYTYPE_RSA,
- "encrypt_key" => false);
-
- // generate a new key pair
- $res_key = openssl_pkey_new();
-
- // generate a certificate signing request
- $res_csr = openssl_csr_new($dn, $res_key, $args);
-
- // export our request data
- openssl_pkey_export($res_key, $str_key);
- openssl_csr_export($res_csr, $str_csr);
-
- // return our request information
- $cert['csr'] = base64_encode($str_csr);
- $cert['prv'] = base64_encode($str_key);
-
- return true;
-}
-
-function csr_complete(& $cert, $str_crt) {
-
- // return our request information
- $cert['crt'] = base64_encode($str_crt);
- unset($cert['csr']);
-
- return true;
-}
-
-function csr_get_subject($str_crt, $decode = true) {
-
- if ($decode)
- $str_crt = base64_decode($str_crt);
-
- $components = openssl_csr_get_subject($str_crt);
-
- if (!is_array($components))
- return "unknown";
-
- foreach ($components as $a => $v) {
- if (!strlen($subject))
- $subject = "{$a}={$v}";
- else
- $subject = "{$a}={$v}, {$subject}";
- }
-
- return $subject;
-}
-
-function cert_get_subject($str_crt, $decode = true) {
-
- if ($decode)
- $str_crt = base64_decode($str_crt);
-
- $inf_crt = openssl_x509_parse($str_crt);
- $components = $inf_crt['subject'];
-
- if (!is_array($components))
- return "unknown";
-
- foreach ($components as $a => $v) {
- if (!strlen($subject))
- $subject = "{$a}={$v}";
- else
- $subject = "{$a}={$v}, {$subject}";
- }
-
- return $subject;
-}
-
-function cert_get_subject_array($crt) {
- $str_crt = base64_decode($crt);
- $inf_crt = openssl_x509_parse($str_crt);
- $components = $inf_crt['subject'];
- $subject_array = array();
-
- foreach($components as $a => $v)
- $subject_array[] = array('a' => $a, 'v' => $v);
-
- return $subject_array;
-}
-
-?>
+<?php +/* $Id$ */ +/* + Copyright (C) 2008 Shrew Soft Inc + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ + DISABLE_PHP_LINT_CHECKING +*/ + +function & lookup_ca($refid) { + global $config; + + if (is_array($config['system']['ca'])) + foreach ($config['system']['ca'] as & $ca) + if ($ca['refid'] == $refid) + return $ca; + + return false; +} + +function & lookup_cert($refid) { + global $config; + + if (is_array($config['system']['cert'])) + foreach ($config['system']['cert'] as & $cert) + if ($cert['refid'] == $refid) + return $cert; + + return false; +} + +function ca_import(& $ca, $str) { + + $ca['crt'] = base64_encode($str); + + return true; +} + +function ca_create(& $ca, $keylen, $lifetime, $dn) { + + $args = array( + "digest_alg" => "sha1", + "private_key_bits" => $keylen, + "private_key_type" => OPENSSL_KEYTYPE_RSA, + "encrypt_key" => false); + + // generate a new key pair + $res_key = openssl_pkey_new(); + + // generate a certificate signing request + $res_csr = openssl_csr_new($dn, $res_key, $args); + + // self sign the certificate + $res_crt = openssl_csr_sign($res_csr, null, $res_key, $lifetime, $args); + + // export our certificate data + openssl_pkey_export($res_key, $str_key); + openssl_x509_export($res_crt, $str_crt); + + // return our ca information + $ca['crt'] = base64_encode($str_crt); + $ca['prv'] = base64_encode($str_key); + $ca['serial'] = 0; + + return true; +} + +function cert_import(& $cert, $crt_str, $key_str) { + + $cert['crt'] = base64_encode($crt_str); + $cert['prv'] = base64_encode($key_str); + + return true; +} + +function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) { + + $ca =& lookup_ca($caref); + if (!$ca) + return false; + + $ca_str_crt = base64_decode($ca['crt']); + $ca_str_key = base64_decode($ca['prv']); + $ca_res_crt = openssl_x509_read($ca_str_crt); + $ca_res_key = openssl_pkey_get_private($ca_str_key); + $ca_serial = $ca['serial']++; + + $args = array( + "digest_alg" => "sha1", + "private_key_bits" => $keylen, + "private_key_type" => OPENSSL_KEYTYPE_RSA, + "encrypt_key" => false); + + // generate a new key pair + 
$res_key = openssl_pkey_new(); + + // generate a certificate signing request + $res_csr = openssl_csr_new($dn, $res_key, $args); + + // self sign the certificate + $res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, + $args, $ca_serial); + + // export our certificate data + openssl_pkey_export($res_key, $str_key); + openssl_x509_export($res_crt, $str_crt); + + // return our certificate information + $cert['caref'] = $caref; + $cert['crt'] = base64_encode($str_crt); + $cert['prv'] = base64_encode($str_key); + + return true; +} + +function csr_generate(& $cert, $keylen, $dn) { + + $args = array( + "digest_alg" => "sha1", + "private_key_bits" => $keylen, + "private_key_type" => OPENSSL_KEYTYPE_RSA, + "encrypt_key" => false); + + // generate a new key pair + $res_key = openssl_pkey_new(); + + // generate a certificate signing request + $res_csr = openssl_csr_new($dn, $res_key, $args); + + // export our request data + openssl_pkey_export($res_key, $str_key); + openssl_csr_export($res_csr, $str_csr); + + // return our request information + $cert['csr'] = base64_encode($str_csr); + $cert['prv'] = base64_encode($str_key); + + return true; +} + +function csr_complete(& $cert, $str_crt) { + + // return our request information + $cert['crt'] = base64_encode($str_crt); + unset($cert['csr']); + + return true; +} + +function csr_get_subject($str_crt, $decode = true) { + + if ($decode) + $str_crt = base64_decode($str_crt); + + $components = openssl_csr_get_subject($str_crt); + + if (!is_array($components)) + return "unknown"; + + foreach ($components as $a => $v) { + if (!strlen($subject)) + $subject = "{$a}={$v}"; + else + $subject = "{$a}={$v}, {$subject}"; + } + + return $subject; +} + +function cert_get_subject($str_crt, $decode = true) { + + if ($decode) + $str_crt = base64_decode($str_crt); + + $inf_crt = openssl_x509_parse($str_crt); + $components = $inf_crt['subject']; + + if (!is_array($components)) + return "unknown"; + + foreach ($components as 
$a => $v) { + if (!strlen($subject)) + $subject = "{$a}={$v}"; + else + $subject = "{$a}={$v}, {$subject}"; + } + + return $subject; +} + +function cert_get_subject_array($crt) { + $str_crt = base64_decode($crt); + $inf_crt = openssl_x509_parse($str_crt); + $components = $inf_crt['subject']; + $subject_array = array(); + + foreach($components as $a => $v) + $subject_array[] = array('a' => $a, 'v' => $v); + + return $subject_array; +} + +?> diff --git a/etc/inc/functions.inc b/etc/inc/functions.inc index 1365742..0cc5675 100644 --- a/etc/inc/functions.inc +++ b/etc/inc/functions.inc @@ -70,11 +70,9 @@ if(!function_exists("pfSenseHeader")) { /* END compatibility goo with HEAD */ /* include all configuration functions */ -require_once("auth.inc"); require_once("priv.inc"); require_once("certs.inc"); require_once("crypt.inc"); -require_once("util.inc"); require_once("interfaces.inc"); require_once("gwlb.inc"); require_once("services.inc"); @@ -86,7 +84,6 @@ require_once("openvpn.inc"); require_once("ipsec.inc"); require_once("vpn.inc"); require_once("vslb.inc"); -require_once("notices.inc"); require_once("cmd_chain.inc"); require_once("rrd.inc"); diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 401787d..9c62180 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -705,21 +705,6 @@ function get_filename_from_url($url) { } /* - * update_output_window: update bottom textarea dynamically. - */ -function update_output_window($text) { - global $pkg_interface; - $log = ereg_replace("\n", "\\n", $text); - if($pkg_interface == "console") { - /* too chatty */ - } else { - echo "\n<script language=\"JavaScript\">this.document.forms[0].output.value = \"" . $log . "\";</script>"; - } - /* ensure that contents are written out */ - ob_flush(); -} - -/* * get_dir: return an array of $dir */ function get_dir($dir) { 
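Review bot: `$keylen` never reaches key generation in the re-added ca_create, cert_create and csr_generate: `$res_key = openssl_pkey_new();` is called without `$args`, so `private_key_bits` is ignored and OpenSSL's default key size is used; the call should be `$res_key = openssl_pkey_new($args);` in all three places. csr_get_subject and cert_get_subject test `strlen($subject)` before `$subject` is ever assigned, relying on an undefined variable reading as an empty string; an explicit `$subject = "";` before the loop makes the intent clear. The signature digest is hard-coded to `"sha1"` for both the CA and leaf certificates, which deserves a comment such as `// digest_alg: sha1 is kept for compatibility; newer deployments should move to sha256` so the choice is visible to the next maintainer. All of these are carried over verbatim from the removed side, so the commit does not introduce them, but it is the natural place to fix them.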
@@ -732,35 +717,6 @@ function get_dir($dir) { return $dir_array; } -/* - * update_output_window: update top textarea dynamically. - */ -function update_status($status) { - global $pkg_interface; - if($pkg_interface == "console") { - echo $status . "\n"; - } else { - echo "\n<script type=\"text/javascript\">this.document.forms[0].status.value=\"" . $status . "\";</script>"; - } - /* ensure that contents are written out */ - ob_flush(); -} - -/* - * update_progress_bar($percent): updates the javascript driven progress bar. - */ -function update_progress_bar($percent) { - global $pkg_interface; - if($percent > 100) $percent = 1; - if($pkg_interface <> "console") { - echo "\n<script type=\"text/javascript\" language=\"javascript\">"; - echo "\ndocument.progressbar.style.width='" . $percent . "%';"; - echo "\n</script>"; - } else { - echo " {$percent}%"; - } -} - /****f* pfsense-utils/WakeOnLan * NAME * WakeOnLan - Wake a machine up using the wake on lan format/protocol 
@@ -1071,157 +1027,6 @@ function get_disk_info() { // $size, $used, $avail, $cap } -/****f* pfsense-utils/display_top_tabs - * NAME - * display_top_tabs - display tabs with rounded edges - * INPUTS - * $text - array of tabs - * RESULT - * null - ******/ -function display_top_tabs(& $tab_array) { - global $HTTP_SERVER_VARS; - global $config; - global $g; - - /* does the user have access to this tab? - * master user has access to everything. - * if the user does not have access, simply - * unset the tab item. - */ - - $tab_temp = array (); - foreach ($tab_array as $ta) - if(isAllowedPage($ta[2])) - $tab_temp[] = $ta; - /* - // FIXME : if the checks are not good enough - // in isAllowedPage, it needs to be - // fixed instead of kludging here - - // TODO: humm what shall we do with pkg_edit.php and pkg.php? - if ((strpos($link, "pkg.php")) !== false || (strpos($link, "pkg_edit.php")) !== false) { - $pos_equal = strpos($link, "="); - $pos_xmlsuffix = strpos($link, ".xml"); - // do we match an absolute url including ?xml= foo - if(!isAllowedPage($link, $allowed)) - $link = substr($link, $pos_equal +1, ($pos_xmlsuffix - $pos_equal +3)); - } - // next check - what if the basename contains a query string? 
- if ((strpos($link, "?")) !== false) { - $pos_qmark = strpos($link, "?"); - $link = substr($link, 0, $pos_qmark); - } - $authorized_text = print_r($allowed, true); - if(is_array($authorized)) - if (in_array(basename($link), $authorized)) - */ - - unset ($tab_array); - $tab_array = & $tab_temp; - - $tab_active_bg = "#EEEEEE"; - $tab_inactive_bg = "#777777"; - $nifty_tabs_corners = "#FFF"; - $font_color = "white"; - - /* if tabcontrols.php exist for a theme, allow it to be overriden */ - $themename = $config['theme']; - $filename = "/usr/local/www/themes/{$themename}/tabcontrols.php"; - if(file_exists($filename)) { - $eval_code = file_get_contents($filename); - eval($eval_code); - } - - $tabcharcount = 0; - foreach ($tab_array as $ta) - $tabcharcount = $tabcharcount + strlen($ta[0]); - - // If the character count of the tab names is > 670 - // then show a select item dropdown menubox. - if($tabcharcount > 82) { - echo "Currently viewing: "; - echo "<select name='TabSelect'>\n"; - foreach ($tab_array as $ta) { - if($ta[1]=="true") - $selected = " SELECTED"; - else - $selected = ""; - echo "<option onClick=\"document.location='{$ta[2]}';\"{$selected}>{$ta['0']}</option>\n"; - } - echo "</select>\n<p/>"; - } else { - echo "<table cellpadding='0' cellspacing='0'>\n"; - echo " <tr>\n"; - $tabscounter = 0; - foreach ($tab_array as $ta) { - if ($ta[1] == true) { - echo " <td bgcolor='{$tab_active_bg}' onClick=\"document.location='{$ta[2]}'\" style=\"cursor: pointer;\"><div id='tabactive'></div></td>\n"; - } else { - echo " <td bgcolor='{$tab_inactive_bg}' onClick=\"document.location='{$ta[2]}'\" style=\"cursor: pointer;\"><div id='tabdeactive{$tabscounter}'></div></td>\n"; - } - $tabscounter++; - } - echo "</tr>\n<tr>\n"; - foreach ($tab_array as $ta) { - if ($ta[1] == true) { - echo " <td height=\"15\" valign=\"middle\" bgcolor='{$tab_active_bg}' onClick=\"document.location='{$ta[2]}'\" style=\"cursor: pointer;\"><B> {$ta[0]}"; - echo " "; - echo "<font size='-12'> 
</font></B></td>\n"; - } else { - echo " <td height=\"15\" valign=\"middle\" bgcolor='{$tab_inactive_bg}' onClick=\"document.location='{$ta[2]}'\" style=\"cursor: pointer;\"><B> <a href='{$ta[2]}'>"; - echo "<font color='{$font_color}'>{$ta[0]}</font></a> "; - echo "<font size='-12'> </font></B></td>\n"; - } - } - echo "</tr>\n<tr>\n"; - foreach ($tab_array as $ta) { - if ($ta[1] == true) { - echo " <td bgcolor='{$tab_active_bg}' onClick=\"document.location='{$ta[2]}'\" style=\"cursor: pointer;\"></td>\n"; - } else { - echo " <td bgcolor='{$tab_inactive_bg}' onClick=\"document.location='{$ta[2]}'\" style=\"cursor: pointer;\"></td>\n"; - } - $tabscounter++; - } - echo " </tr>\n"; - echo "</table>\n"; - echo "<script type=\"text/javascript\">"; - echo "NiftyCheck();\n"; - echo "Rounded(\"div#tabactive\",\"top\",\"{$nifty_tabs_corners}\",\"{$tab_active_bg}\",\"smooth\");\n"; - for ($x = 0; $x < $tabscounter; $x++) - echo "Rounded(\"div#tabdeactive{$x}\",\"top\",\"{$nifty_tabs_corners}\",\"{$tab_inactive_bg}\",\"smooth\");\n"; - echo "</script>"; - } -} - - -/****f* pfsense-utils/display_topbar - * NAME - * display_topbar - top a table off with rounded edges - * INPUTS - * $text - (optional) Text to include in bar - * RESULT - * null - ******/ -function display_topbar($text = "", $bg_color="#990000", $replace_color="#FFFFFF", $rounding_style="smooth") { - echo " <table width='100%' cellpadding='0' cellspacing='0'>\n"; - echo " <tr height='1'>\n"; - echo " <td width='100%' valign='top' color='{$bg_color}' bgcolor='{$bg_color}'>"; - echo " <div id='topbar'></div></td>\n"; - echo " </tr>\n"; - echo " <tr height='1'>\n"; - if ($text != "") - echo " <td height='1' class='listtopic'>{$text}</td>\n"; - else - echo " <td height='1' class='listtopic'></td>\n"; - echo " </tr>\n"; - echo " </table>"; - echo "<script type=\"text/javascript\">"; - echo "NiftyCheck();\n"; - echo "Rounded(\"div#topbar\",\"top\",\"{$replace_color}\",\"{$bg_color}\",\"{$rounding_style}\");\n"; - echo 
"</script>"; -} - /****f* pfsense-utils/strncpy * NAME * strncpy - copy strings @@ -1579,18 +1384,6 @@ function is_dhcp_server_enabled() return $dhcpdenable; } -/****f* pfsense-utils/isAjax - * NAME - * isAjax - reports if the request is driven from prototype - * INPUTS - * none - * RESULT - * true/false - ******/ -function isAjax() { - return isset ($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'; -} - //returns interface information function get_interface_info($ifdescr) { global $config, $linkinfo, $netstatrninfo; 
@@ -1889,139 +1682,6 @@ function pfsense_default_state_size() { return $max_states; } -function rule_popup($src,$srcport,$dst,$dstport){ -global $config; -$aliases_array = array(); -if($config['aliases']['alias'] <> "" and is_array($config['aliases']['alias'])) -{ -$span_begin = ""; - $alias_src_span_begin = ""; - $alias_src_span_end = ""; - $alias_src_port_span_begin = ""; - $alias_src_port_span_end = ""; - $alias_dst_span_begin = ""; - $alias_dst_span_end = ""; - $alias_dst_port_span_begin = ""; - $alias_dst_port_span_end = ""; - $alias_content_text = ""; - foreach($config['aliases']['alias'] as $alias_name) - { - $alias_addresses = explode (" ", $alias_name['address']); - $alias_details = explode ("||", $alias_name['detail']); - $alias_objects_with_details = ""; - $counter = 0; - foreach($alias_addresses as $alias_ports_address) - { - $alias_objects_with_details .= $alias_addresses[$counter]; - $alias_detail_default = strpos ($alias_details[$counter],"Entry added"); - if ($alias_details[$counter] != "" && $alias_detail_default === False){ - $alias_objects_with_details .=" - " . $alias_details[$counter]; - } - $alias_objects_with_details .= "<br>"; - $counter++; - } - //max character length for caption field - $maxlength = 60; - - $alias_descr_substr = $alias_name['descr']; - $alias_content_text = htmlspecialchars($alias_objects_with_details); - $alias_caption = htmlspecialchars($alias_descr_substr . ":"); - $strlength = strlen ($alias_caption); - if ($strlength >= $maxlength) - $alias_caption = substr($alias_caption, 0, $maxlength) . 
"..."; - - $span_begin = "<span style=\"cursor: help;\" onmouseover=\"domTT_activate(this, event, 'content', '<h1>$alias_caption</h1><p>$alias_content_text</p>', 'trail', true, 'delay', 0, 'fade', 'both', 'fadeMax', 93, 'styleClass', 'niceTitle');\" onmouseout=\"this.style.color = ''; domTT_mouseout(this, event);\"><U>"; - - - if ($alias_name['name'] == $src) - { - $alias_src_span_begin = $span_begin; - } - if ($alias_name['name'] == $srcport) - { - $alias_src_port_span_begin = $span_begin; - } - if ($alias_name['name'] == $dst) - { - $alias_dst_span_begin = $span_begin; - } - if ($alias_name['name'] == $dstport) - { - $alias_dst_port_span_begin = $span_begin; - } - - } - $descriptions = array (); - $descriptions['src'] = $alias_src_span_begin; - $descriptions['srcport'] = $alias_src_port_span_begin; - $descriptions['dst'] = $alias_dst_span_begin; - $descriptions['dstport'] = $alias_dst_port_span_begin; - return $descriptions; - } -} -function download_file_with_progress_bar($url_file, $destination_file, $readbody = 'read_body') { - global $ch, $fout, $file_size, $downloaded; - $file_size = 1; - $downloaded = 1; - /* open destination file */ - $fout = fopen($destination_file, "wb"); - - /* - * Originally by Author: Keyvan Minoukadeh - * Modified by Scott Ullrich to return Content-Length size - */ - - $ch = curl_init(); - curl_setopt($ch, CURLOPT_URL, $url_file); - curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header'); - curl_setopt($ch, CURLOPT_WRITEFUNCTION, $readbody); - curl_setopt($ch, CURLOPT_NOPROGRESS, '1'); - curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, '5'); - curl_setopt($ch, CURLOPT_TIMEOUT, 0); - - curl_exec($ch); - $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); - if($fout) - fclose($fout); - curl_close($ch); - return ($http_code == 200) ? 
true : $http_code; -} - -function read_header($ch, $string) { - global $file_size, $fout; - $length = strlen($string); - $regs = ""; - ereg("(Content-Length:) (.*)", $string, $regs); - if($regs[2] <> "") { - $file_size = intval($regs[2]); - } - ob_flush(); - return $length; -} - -function read_body($ch, $string) { - global $fout, $file_size, $downloaded, $sendto, $static_status, $static_output, $lastseen; - $length = strlen($string); - $downloaded += intval($length); - $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); - $downloadProgress = 100 - $downloadProgress; - if($lastseen <> $downloadProgress and $downloadProgress < 101) { - if($sendto == "status") { - $tostatus = $static_status . $downloadProgress . "%"; - update_status($tostatus); - } else { - $tooutput = $static_output . $downloadProgress . "%"; - update_output_window($tooutput); - } - update_progress_bar($downloadProgress); - $lastseen = $downloadProgress; - } - if($fout) - fwrite($fout, $string); - ob_flush(); - return $length; -} - /* Compare the current hostname DNS to the DNS cache we made * if it has changed we return the old records * if no change we return true */ diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc index 824ea7b..9b6c97c 100644 --- a/etc/inc/priv.inc +++ b/etc/inc/priv.inc @@ -1,282 +1,249 @@ -<?php
-/* $Id$ */
-/*
- Copyright (C) 2008 Shrew Soft Inc
- All rights reserved.
-
- Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
- All rights reserved.
-
- Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
- All rights reserved.
-
- Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
- All rights reserved.
-
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- DISABLE_PHP_LINT_CHECKING
-*/
-
-require_once("functions.inc");
-require_once("priv.defs.inc");
-
-/*
- * USER PRIVILEGE DEFINITIONS
- */
-
-$priv_list['user-shell-access'] = array();
-$priv_list['user-shell-access']['name'] = "User - Shell account access";
-$priv_list['user-shell-access']['descr'] = "Indicates whether the user is able to login for ".
- "example via SSH.";
-
-$priv_list['user-copy-files'] = array();
-$priv_list['user-copy-files']['name'] = "User - Copy files";
-$priv_list['user-copy-files']['descr'] = "Indicates whether the user is allowed to copy files ".
- "onto the {$g['product_name']} appliance via SCP/SFTP. ".
- "If you are going to use this privilege, you must install ".
- "scponly on the appliance (Hint: pkg_add -r scponly).";
-
-sort_privs($priv_list);
-
-function cmp_privkeys($a, $b) {
- /* user privs at the top */
- $auser = strncmp("user-", $a, 5);
- $buser = strncmp("user-", $b, 5);
- if($auser != $buser)
- return $auser - buser;
-
- /* name compare others */
- return strcasecmp($a, $b);
-}
-
-function sort_privs(& $privs) {
-
- uksort($privs, "cmp_privkeys");
-}
-
-function cmp_page_matches($page, & $matches, $fullwc = true) {
-
-// $dbg_matches = implode(",", $matches);
-// log_error("debug: checking page {$page} match with {$dbg_matches}");
-
- if (!is_array($matches))
- return false;
-
- /* skip any leading fwdslash */
- $test = strpos($page, "/");
- if ($test !== false && $test == 0)
- $page = substr($page, 1);
-
- /* look for a match */
- foreach ($matches as $match) {
-
- /* possibly ignore full wildcard match */
- if (!$fullwc && !strcmp($match ,"*"))
- continue;
-
- /* compare exact or wildcard match */
- $wcpos = strpos($match, "*");
- if ($wcpos === false)
- $result = strcmp($page, $match);
- else
- $result = strncmp($page, $match, $wcpos);
-
- if (!$result)
- return true;
- }
-
- return false;
-}
-
-function map_page_privname($page) {
- global $priv_list;
-
- foreach ($priv_list as $pname => $pdata) {
- if (strncmp($pname, "page-", 5))
- continue;
- $fullwc = false;
- if (!strcasecmp($page,"any")||!strcmp($page,"*"))
- $fullwc = true;
- if (cmp_page_matches($page, $pdata['match'], $fullwc))
- return $pname;
- }
-
- return false;
-}
-
-function get_user_privileges(& $user) {
-
- $privs = $user['priv'];
- if (!is_array($privs))
- $privs = array();
-
- $names = local_user_get_groups($user, true);
-
- foreach ($names as $name) {
- $group = getGroupEntry($name);
- if (is_array($group['priv']))
- $privs = array_merge( $privs, $group['priv']);
- }
-
- return $privs;
-}
-
-function get_user_privdesc(& $user) {
- global $priv_list;
-
- $privs = array();
-
- $user_privs = $user['priv'];
- if (!is_array($user_privs))
- $user_privs = array();
-
- $names = local_user_get_groups($user, true);
-
- foreach ($names as $name) {
- $group = getGroupEntry($name);
- $group_privs = $group['priv'];
- if (!is_array($group_privs))
- continue;
- foreach ($group_privs as $pname) {
- if (in_array($pname,$user_privs))
- continue;
- if (!$priv_list[$pname])
- continue;
- $priv = $priv_list[$pname];
- $priv['group'] = $group['name'];
- $privs[] = $priv;
- }
- }
-
- foreach ($user_privs as $pname)
- if($priv_list[$pname])
- $privs[] = $priv_list[$pname];
-
- return $privs;
-}
-
-function isAllowedPage($page) {
- global $_SESSION;
-
- $username = $_SESSION['Username'];
- if (!isset($username))
- return false;
-
- /* admin/root access check */
- $user = getUserEntry($username);
- if (isset($user))
- if (isset($user['uid']))
- if ($user['uid']==0)
- return true;
-
- /* user privelege access check */
- if (cmp_page_matches($page, $_SESSION['page-match']))
- return true;
-
- return false;
-}
-
-function getPrivPages(& $entry, & $allowed_pages) {
- global $priv_list;
-
- if (!is_array($entry['priv']))
- return;
-
- foreach ($entry['priv'] as $pname) {
- if (strncmp($pname, "page-", 5))
- continue;
- $priv = &$priv_list[$pname];
- if (!is_array($priv))
- continue;
- $matches = &$priv['match'];
- if (!is_array($matches))
- continue;
- foreach ($matches as $match)
- $allowed_pages[] = $match;
- }
-}
-
-function getAllowedPages($username) {
- global $config, $_SESSION;
-
- if (!function_exists("ldap_connect"))
- return;
-
- $allowed_pages = array();
- $allowed_groups = array();
-
- $ldapon = $_SESSION['ldapon'];
-
- // search for a local user by name
- $local_user = getUserEntry($username);
-
- // obtain local groups if we have a local user
- if ($local_user) {
- $allowed_groups = local_user_get_groups($local_user);
- getPrivPages($local_user, $allowed_pages);
- }
-
- // obtain ldap groups if we are in ldap mode
- if ($config['system']['webgui']['backend'] == "ldap" && !$local_user)
- $allowed_groups = ldap_get_groups($username);
-
- // obtain ldapother groups if we are in ldap mode
- if ($config['system']['webgui']['backend'] == "ldapother" && !$local_user)
- $allowed_groups = ldap_get_groups($username);
-
- // build a list of allowed pages
- if (is_array($config['system']['group']) && is_array($allowed_groups))
- foreach ($config['system']['group'] as $group)
- if (in_array($group['name'], $allowed_groups))
- getPrivPages($group, $allowed_pages);
-
-// $dbg_pages = implode(",", $allowed_pages);
-// $dbg_groups = implode(",", $allowed_groups);
-// log_error("debug: user {$username} groups = {$dbg_groups}");
-// log_error("debug: user {$username} pages = {$dbg_pages}");
-
- $_SESSION['page-match'] = $allowed_pages;
-
- return $allowed_pages;
-}
-
-function userHasPrivilege($userent, $privid = false) {
-
- if (!$privid || !is_array($userent))
- return false;
-
- $privs = get_user_privileges($userent);
-
- if (!is_array($privs))
- return false;
-
- if (!in_array($privid, $privs))
- return false;
-
- return true;
-}
-
-?>
+<?php
+/* $Id$ */
+/*
+ Copyright (C) 2008 Shrew Soft Inc
+ All rights reserved.
+
+ Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
+ All rights reserved.
+
+ Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
+ All rights reserved.
+
+ Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
+ All rights reserved.
+
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ DISABLE_PHP_LINT_CHECKING
+*/
+
+require_once("priv.defs.inc");
+require_once("auth.inc");
+
+/*
+ * USER PRIVILEGE DEFINITIONS
+ */
+
+$priv_list['user-shell-access'] = array();
+$priv_list['user-shell-access']['name'] = "User - Shell account access";
+$priv_list['user-shell-access']['descr'] = "Indicates whether the user is able to login for ".
"example via SSH.";
+
+$priv_list['user-copy-files'] = array();
+$priv_list['user-copy-files']['name'] = "User - Copy files";
+$priv_list['user-copy-files']['descr'] = "Indicates whether the user is allowed to copy files ".
+ "onto the {$g['product_name']} appliance via SCP/SFTP. ".
+ "If you are going to use this privilege, you must install ".
+ "scponly on the appliance (Hint: pkg_add -r scponly).";
+
+sort_privs($priv_list);
+
+function cmp_privkeys($a, $b) {
+ /* user privs at the top */
+ $auser = strncmp("user-", $a, 5);
+ $buser = strncmp("user-", $b, 5);
+ if($auser != $buser)
+ return $auser - buser;
+
+ /* name compare others */
+ return strcasecmp($a, $b);
+}
+
+function sort_privs(& $privs) {
+
+ uksort($privs, "cmp_privkeys");
+}
+
+function cmp_page_matches($page, & $matches, $fullwc = true) {
+
+// $dbg_matches = implode(",", $matches);
+// log_error("debug: checking page {$page} match with {$dbg_matches}");
+
+ if (!is_array($matches))
+ return false;
+
+ /* skip any leading fwdslash */
+ $test = strpos($page, "/");
+ if ($test !== false && $test == 0)
+ $page = substr($page, 1);
+
+ /* look for a match */
+ foreach ($matches as $match) {
+
+ /* possibly ignore full wildcard match */
+ if (!$fullwc && !strcmp($match ,"*"))
+ continue;
+
+ /* compare exact or wildcard match */
+ $wcpos = strpos($match, "*");
+ if ($wcpos === false)
+ $result = strcmp($page, $match);
+ else
+ $result = strncmp($page, $match, $wcpos);
+
+ if (!$result)
+ return true;
+ }
+
+ return false;
+}
+
+function map_page_privname($page) {
+ global $priv_list;
+
+ foreach ($priv_list as $pname => $pdata) {
+ if (strncmp($pname, "page-", 5))
+ continue;
+ $fullwc = false;
+ if (!strcasecmp($page,"any")||!strcmp($page,"*"))
+ $fullwc = true;
+ if (cmp_page_matches($page, $pdata['match'], $fullwc))
+ return $pname;
+ }
+
+ return false;
+}
+
+function get_user_privdesc(& $user) {
+ global $priv_list;
+
+ $privs = array();
+
+ $user_privs = $user['priv'];
+ if
(!is_array($user_privs))
+ $user_privs = array();
+
+ $names = local_user_get_groups($user, true);
+
+ foreach ($names as $name) {
+ $group = getGroupEntry($name);
+ $group_privs = $group['priv'];
+ if (!is_array($group_privs))
+ continue;
+ foreach ($group_privs as $pname) {
+ if (in_array($pname,$user_privs))
+ continue;
+ if (!$priv_list[$pname])
+ continue;
+ $priv = $priv_list[$pname];
+ $priv['group'] = $group['name'];
+ $privs[] = $priv;
+ }
+ }
+
+ foreach ($user_privs as $pname)
+ if($priv_list[$pname])
+ $privs[] = $priv_list[$pname];
+
+ return $privs;
+}
+
+function isAllowedPage($page) {
+ global $_SESSION;
+
+ $username = $_SESSION['Username'];
+ if (!isset($username))
+ return false;
+
+ /* admin/root access check */
+ $user = getUserEntry($username);
+ if (isset($user))
+ if (isset($user['uid']))
+ if ($user['uid']==0)
+ return true;
+
+ /* user privelege access check */
+ if (cmp_page_matches($page, $_SESSION['page-match']))
+ return true;
+
+ return false;
+}
+
+function getPrivPages(& $entry, & $allowed_pages) {
+ global $priv_list;
+
+ if (!is_array($entry['priv']))
+ return;
+
+ foreach ($entry['priv'] as $pname) {
+ if (strncmp($pname, "page-", 5))
+ continue;
+ $priv = &$priv_list[$pname];
+ if (!is_array($priv))
+ continue;
+ $matches = &$priv['match'];
+ if (!is_array($matches))
+ continue;
+ foreach ($matches as $match)
+ $allowed_pages[] = $match;
+ }
+}
+
+function getAllowedPages($username) {
+ global $config, $_SESSION;
+
+ if (!function_exists("ldap_connect"))
+ return;
+
+ $allowed_pages = array();
+ $allowed_groups = array();
+
+ $ldapon = $_SESSION['ldapon'];
+
+ // search for a local user by name
+ $local_user = getUserEntry($username);
+
+ // obtain local groups if we have a local user
+ if ($local_user) {
+ $allowed_groups = local_user_get_groups($local_user);
+ getPrivPages($local_user, $allowed_pages);
+ }
+
+ // obtain ldap groups if we are in ldap mode
+ if ($config['system']['webgui']['backend'] == "ldap" && !$local_user)
+
$allowed_groups = ldap_get_groups($username);
+
+ // obtain ldapother groups if we are in ldap mode
+ if ($config['system']['webgui']['backend'] == "ldapother" && !$local_user)
+ $allowed_groups = ldap_get_groups($username);
+
+ // build a list of allowed pages
+ if (is_array($config['system']['group']) && is_array($allowed_groups))
+ foreach ($config['system']['group'] as $group)
+ if (in_array($group['name'], $allowed_groups))
+ getPrivPages($group, $allowed_pages);
+
+// $dbg_pages = implode(",", $allowed_pages);
+// $dbg_groups = implode(",", $allowed_groups);
+// log_error("debug: user {$username} groups = {$dbg_groups}");
+// log_error("debug: user {$username} pages = {$dbg_pages}");
+
+ $_SESSION['page-match'] = $allowed_pages;
+
+ return $allowed_pages;
+}
+
+?>
diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc
index 1160f40..9feda59 100644
--- a/etc/inc/rrd.inc
+++ b/etc/inc/rrd.inc
@@ -28,10 +28,7 @@ */
 /* include all configuration functions */
-require_once("functions.inc");
-require_once("pkg-utils.inc");
-require_once("notices.inc");
-require_once("globals.inc");
+require_once("config.inc");
 function dump_rrd_to_xml($rrddatabase, $xmldumpfile) {
 $rrdtool = "/usr/bin/nice -n20 /usr/local/bin/rrdtool";
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 8cecbd0..cc785f0 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -975,4 +975,17 @@ function carp_sync_client() {
 touch($g['tmp_path'] . "/filter_sync");
 }
+/****f* util/isAjax
+ * NAME
+ * isAjax - reports if the request is driven from prototype
+ * INPUTS
+ * none
+ * RESULT
+ * true/false
+ ******/
+function isAjax() {
+ return isset ($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest';
+}
+
+
 ?> |
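Review bot: Replacing the four explicit requires with a single `require_once("config.inc");` makes rrd.inc depend on config.inc transitively loading functions.inc, pkg-utils.inc, notices.inc and globals.inc, which this hunk cannot show; if config.inc does not pull all of them in, any rrd helper that calls into one of those files now fails with an undefined function at runtime rather than at include time. If config.inc is intended to be the single include entry point for these files, a one-line comment at the require would keep the next maintainer from re-adding the individual requires: `/* config.inc is expected to pull in globals/functions/notices/pkg-utils — do not require them here */`. The surrounding file continues outside the hunk.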
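Review bot: isAjax() decides purely on a client-supplied request header, so its result must never be used as an authentication, authorisation or CSRF signal — any HTTP client can send `X-Requested-With: XMLHttpRequest`, and the fact that browsers make it awkward for a cross-site page to add custom headers is not a guarantee the code can rely on. The docblock only says the header comes "from prototype"; it should state the trust boundary, e.g. add after the RESULT block: ` * NOTE: the header is set by the caller (Prototype adds it to XHR); treat the result as a presentation hint, never as a security check.`. Two small style points on the return line: use a strict comparison, `$_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest'`, and drop the space in `isset (`, which no other call in the visible code uses. The function is complete within the hunk.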