<?php
/*
	priv.inc

	Copyright (C) 2008 Shrew Soft Inc
	All rights reserved.

	Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
	All rights reserved.

	Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
	All rights reserved.

	Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
	All rights reserved.

	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

/*
	pfSense_MODULE:	auth
*/
require_once("priv.defs.inc");
/* Load and process custom privs. */
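/**
 * List the entries of a privilege-definition directory.
 *
 * Returns the names of every entry in $directory except "." and "..", in
 * the order readdir() yields them (filesystem order, not sorted). Returns
 * an empty array when $directory does not exist or cannot be opened, so
 * callers can always foreach over the result; the previous implementation
 * returned null in those cases, which made the callers' foreach emit a
 * warning and silently load nothing.
 *
 * Nothing here checks entry types: callers are expected to filter the
 * result themselves (the loaders below skip directories and include only
 * names ending in ".inc").
 *
 * @param string $directory absolute path of the directory to scan
 * @return array list of entry names (possibly empty)
 */
function get_priv_files($directory) {
	$entries = array();

	if (!is_dir($directory)) {
		return $entries;
	}

	$dh = opendir($directory);
	if ($dh === false) {
		return $entries;
	}

	while (($entry = readdir($dh)) !== false) {
		/* skip the self/parent pseudo-entries; everything else is reported */
		if ($entry === "." || $entry === "..") {
			continue;
		}
		$entries[] = $entry;
	}
	closedir($dh);

	return $entries;
}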
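// Load and sort privs.
//
// Every *.inc file in the base and package priv directories is included at
// file scope; whatever they define is expected to end up in the global
// $priv_list, which is sorted below. Keep these includes at file scope: moving
// them into a helper function would scope the included files' assignments to
// that function instead of the global symbol table.
$priv_dirs = array("/etc/inc/priv", "/usr/local/pkg/priv");
foreach ($priv_dirs as $priv_dir) {
	if (!is_dir($priv_dir)) {
		continue;
	}
	$dir_array = get_priv_files($priv_dir);
	if (!is_array($dir_array)) {
		continue;
	}
	foreach ($dir_array as $file) {
		$path = "{$priv_dir}/{$file}";
		/* Only non-directory entries whose name ends in ".inc" (any case) are
		 * definitions. A plain substring test for ".inc" would also pick up
		 * editor and backup leftovers such as "foo.inc.bak" or "foo.inc.orig"
		 * and execute them, so anchor the check to the suffix. */
		if (is_dir($path) || strtolower(substr($file, -4)) !== ".inc") {
			continue;
		}
		include($path);
	}
}
unset($priv_dirs, $priv_dir, $path);

if (is_array($priv_list)) {
	sort_privs($priv_list);
}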
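/**
 * Ordering callback for privilege names (used by sort_privs()).
 *
 * "user-*" privileges sort before everything else; within each of the two
 * classes names are compared case-insensitively.
 *
 * The previous version subtracted the raw strncmp() results, which only
 * encodes "is a user- privilege / is not" when both names happen to compare
 * on the same side of "user-": a name sorting after "user-" (e.g. "wizard-x")
 * was placed before "page-x" instead of alongside it, and on PHP < 8 the
 * unnormalised return values made even "any-x" vs "page-x" inconsistent.
 * Reducing each side to a 0/1 rank first makes the comparator consistent.
 *
 * @param string $a
 * @param string $b
 * @return int negative if $a sorts first, positive if $b does, 0 if equal
 */
function cmp_privkeys($a, $b) {
	/* rank 0 for user privs (sorted to the top), 1 for everything else */
	$a_rank = (strncmp("user-", $a, 5) === 0) ? 0 : 1;
	$b_rank = (strncmp("user-", $b, 5) === 0) ? 0 : 1;
	if ($a_rank !== $b_rank) {
		return $a_rank - $b_rank;
	}

	/* same class: order by name, ignoring case */
	return strcasecmp($a, $b);
}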
/**
 * Sort a privilege map in place by its keys using cmp_privkeys()
 * ("user-*" first, then case-insensitive by name). Values stay attached
 * to their keys.
 *
 * @param array $privs privilege map, modified in place
 * @return void
 */
function sort_privs(& $privs) {
	$comparator = "cmp_privkeys";
	uksort($privs, $comparator);
}
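/**
 * Test whether a page path is covered by a list of privilege match patterns.
 *
 * A pattern is a page name as written in a privilege definition, where "*"
 * stands for any run of characters (including "/") and every other character
 * is literal. A single leading "/" on $page is ignored so "/foo.php" and
 * "foo.php" are treated alike. Patterns are anchored at both ends, so the
 * whole page must match.
 *
 * This is the core of the page authorization decision, so the pattern is now
 * converted with preg_quote(): the previous hand-rolled escaping handled only
 * ".", "*" and "?", and any other PCRE metacharacter in a definition ("+",
 * "(", "[", "|", "$", the "@" delimiter, ...) changed the meaning of the
 * pattern or broke it. The "D" modifier keeps "$" from matching before a
 * trailing newline in $page.
 *
 * $page is matched as given apart from the leading slash; callers are
 * responsible for passing a canonical path (no ".." or doubled slashes) if
 * that matters to them.
 *
 * @param string $page     page path to test
 * @param array  $matches  list of patterns (by reference for compatibility;
 *                         not modified). Anything but an array means no match.
 * @param bool   $fullwc   when false, a bare "*" pattern is skipped so only
 *                         specific patterns count
 * @return bool true if any pattern matches $page
 */
function cmp_page_matches($page, & $matches, $fullwc = true) {
	if (!is_array($matches)) {
		return false;
	}

	/* skip a single leading forward slash */
	if (substr($page, 0, 1) === "/") {
		$page = substr($page, 1);
	}

	foreach ($matches as $match) {
		/* possibly ignore the full wildcard match */
		if (!$fullwc && $match === "*") {
			continue;
		}

		/* escape everything, then turn the escaped wildcard back into ".*" */
		$pattern = str_replace("\\*", ".*", preg_quote($match, "@"));
		if (preg_match("@^/{$pattern}$@D", "/{$page}") === 1) {
			return true;
		}
	}

	return false;
}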
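/**
 * Find the name of the first "page-*" privilege whose match list covers
 * $page, in $priv_list iteration order.
 *
 * Pages named "any" (case-insensitive) or "*" may be satisfied by a bare "*"
 * pattern; for every other page the full wildcard is ignored so the privilege
 * returned is a specific one (see cmp_page_matches()).
 *
 * Guards against $priv_list not being an array (nothing loaded) and against
 * entries without a 'match' list instead of emitting notices; the result in
 * those cases is the same as before (no match).
 *
 * @param string $page page path to look up
 * @return string|false privilege name, or false if none matches
 */
function map_page_privname($page) {
	global $priv_list;

	if (!is_array($priv_list)) {
		return false;
	}

	/* loop-invariant: only "any"/"*" may be satisfied by the full wildcard */
	$fullwc = (strcasecmp($page, "any") === 0 || $page === "*");

	foreach ($priv_list as $pname => $pdata) {
		if (strncmp($pname, "page-", 5) !== 0) {
			continue;
		}
		if (!is_array($pdata) || !isset($pdata['match'])) {
			continue;
		}
		if (cmp_page_matches($page, $pdata['match'], $fullwc)) {
			return $pname;
		}
	}

	return false;
}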
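/**
 * Collect the privilege definitions that apply to a local user.
 *
 * Group-granted privileges come first, each copy annotated with the 'group'
 * it came from, skipping any the user also holds directly and any name that
 * is not defined in $priv_list; the user's own privileges follow. Group
 * membership is taken from local_user_get_groups($user, true) and group
 * entries from getGroupEntry().
 *
 * Unknown privilege names are ignored rather than reported. Missing or
 * non-array 'priv' lists and a non-array group list are treated as empty
 * instead of emitting notices/warnings.
 *
 * @param array $user user entry (by reference for compatibility; not modified)
 * @return array list of privilege definitions
 */
function get_user_privdesc(& $user) {
	global $priv_list;

	$privs = array();

	$user_privs = (isset($user['priv']) && is_array($user['priv'])) ? $user['priv'] : array();

	$group_names = local_user_get_groups($user, true);
	if (is_array($group_names)) {
		foreach ($group_names as $group_name) {
			$group = getGroupEntry($group_name);
			if (!isset($group['priv']) || !is_array($group['priv'])) {
				continue;
			}
			foreach ($group['priv'] as $pname) {
				/* a privilege held directly is reported once, in the user section below */
				if (in_array($pname, $user_privs, true)) {
					continue;
				}
				if (empty($priv_list[$pname])) {
					continue;
				}
				$priv = $priv_list[$pname];
				$priv['group'] = $group['name'];
				$privs[] = $priv;
			}
		}
	}

	foreach ($user_privs as $pname) {
		if (!empty($priv_list[$pname])) {
			$privs[] = $priv_list[$pname];
		}
	}

	return $privs;
}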
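/**
 * Decide whether $username may access $page.
 *
 * Access is granted when the user's local entry has uid 0 (the admin
 * account), or when $page matches the page list cached in
 * $_SESSION['page-match'] by getAllowedPages(). Note that the second check
 * reads the current session's cached list, not a list computed for
 * $username; the two only agree when the session belongs to that user.
 *
 * The root check now requires a numeric uid equal to 0. The previous loose
 * `== 0` comparison also accepted an empty or non-numeric string uid as root
 * on PHP versions before 8, which is a privilege-escalation footgun should a
 * malformed user entry ever reach this code.
 *
 * @param string $username local account name
 * @param string $page     page path being requested
 * @return bool true if access is allowed
 */
function isAllowed($username, $page) {
	global $_SESSION;

	if (!isset($username)) {
		return false;
	}

	/* admin/root access check: only a genuine uid 0 short-circuits */
	$user = getUserEntry($username);
	if (isset($user['uid']) && is_numeric($user['uid']) && (int)$user['uid'] === 0) {
		return true;
	}

	/* user privilege access check against the session's cached page list;
	 * read it into a local so the by-reference call cannot create the key */
	$page_match = isset($_SESSION['page-match']) ? $_SESSION['page-match'] : null;
	return cmp_page_matches($page, $page_match);
}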
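/**
 * Decide whether the currently logged-in session user may access $page.
 *
 * This is isAllowed() applied to $_SESSION['Username']: an unset session
 * username is denied, the uid 0 account is always allowed, otherwise $page
 * must match the session's cached page list. Delegating keeps the two
 * authorization entry points from drifting apart (they previously repeated
 * the same checks line for line).
 *
 * @param string $page page path being requested
 * @return bool true if access is allowed
 */
function isAllowedPage($page) {
	global $_SESSION;

	$username = isset($_SESSION['Username']) ? $_SESSION['Username'] : null;

	return isAllowed($username, $page);
}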
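/**
 * Append to $allowed_pages the page patterns granted by $entry's privileges.
 *
 * Only privilege names starting with "page-" are considered, and only those
 * that exist in $priv_list with an array 'match' list contribute; every
 * pattern in that list is appended in order. Duplicates are not removed.
 *
 * Entries are read by value. The previous implementation took references
 * into $priv_list (`&$priv_list[$pname]`, `&$priv['match']`), which silently
 * creates null entries in the global table for every unknown privilege name
 * and a null 'match' key in every definition that lacks one.
 *
 * @param array $entry          user or group entry with an optional 'priv' list
 * @param array $allowed_pages  accumulator, appended to in place
 * @return void
 */
function getPrivPages(& $entry, & $allowed_pages) {
	global $priv_list;

	if (!isset($entry['priv']) || !is_array($entry['priv'])) {
		return;
	}
	if (!is_array($priv_list)) {
		return;
	}

	foreach ($entry['priv'] as $pname) {
		if (strncmp($pname, "page-", 5) !== 0) {
			continue;
		}
		if (!isset($priv_list[$pname]) || !is_array($priv_list[$pname])) {
			continue;
		}
		$priv = $priv_list[$pname];
		if (!isset($priv['match']) || !is_array($priv['match'])) {
			continue;
		}
		foreach ($priv['match'] as $match) {
			$allowed_pages[] = $match;
		}
	}
}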
/**
 * Compute the list of page patterns $username is allowed to reach, cache it
 * in $_SESSION['page-match'] (which isAllowed()/isAllowedPage() consult) and
 * return it.
 *
 * Group membership is resolved according to the webgui auth server type:
 * LDAP via ldap_get_groups(), RADIUS via radius_get_groups($attributes). Both
 * calls are error-suppressed with "@", so a failed directory lookup is
 * indistinguishable from "no groups" here: in either case the code falls
 * back to the local user entry of the same name (its own "page-*" privileges
 * plus its local groups). Pages are then gathered from every configured
 * group whose name is in the resolved group list.
 *
 * If the ldap extension is not loaded the function returns null early and
 * leaves whatever $_SESSION['page-match'] already held untouched.
 *
 * @param string $username    account name to authorize
 * @param array  $attributes  RADIUS reply attributes, passed through to
 *                            radius_get_groups() (by reference)
 * @return array|null list of page patterns, or null on the early return
 */
function getAllowedPages($username, &$attributes = array()) {
	global $config, $_SESSION;

	/* historical guard: nothing below runs without the ldap extension,
	 * even for local or RADIUS authentication */
	if (!function_exists("ldap_connect")) {
		return;
	}

	$allowed_pages = array();
	$allowed_groups = array();

	$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
	// obtain ldap groups if we are in ldap mode
	if ($authcfg['type'] == "ldap") {
		$allowed_groups = @ldap_get_groups($username, $authcfg);
	} elseif ($authcfg['type'] == "radius") {
		$allowed_groups = @radius_get_groups($attributes);
	}
	/* empty, false or null group result (including a suppressed lookup
	 * error) falls back to the local user database */
	if (!$allowed_groups) {
		// search for a local user by name
		$local_user = getUserEntry($username);

		// obtain local user pages and groups if we have a local user
		if ($local_user) {
			getPrivPages($local_user, $allowed_pages);
			$allowed_groups = local_user_get_groups($local_user);
		}
	}

	// build a list of allowed pages
	if (is_array($config['system']['group']) && is_array($allowed_groups)) {
		foreach ($config['system']['group'] as $group) {
			if (in_array($group['name'], $allowed_groups)) {
				getPrivPages($group, $allowed_pages);
			}
		}
	}

//	$dbg_pages = implode(",", $allowed_pages);
//	$dbg_groups = implode(",", $allowed_groups);
//	log_error("debug: user {$username} groups = {$dbg_groups}");
//	log_error("debug: user {$username} pages = {$dbg_pages}");

	/* cached for the per-page checks in isAllowed()/isAllowedPage() */
	$_SESSION['page-match'] = $allowed_pages;

	return $allowed_pages;
}
/**
 * Reorder a list of privilege names so the landing-page privileges
 * ("page-dashboard-all", "page-system-login/logout") come first, in the
 * order they appear in $privs, followed by the remaining names in their
 * original order. The result is renumbered from 0.
 *
 * @param array $privs list of privilege names
 * @return array reordered list
 */
function sort_user_privs($privs) {
	// Privileges to place first, so the post-login redirect lands on them.
	$landing = array("page-dashboard-all", "page-system-login/logout");

	$first = array();
	$rest = array();
	foreach ($privs as $pname) {
		if (in_array($pname, $landing, true)) {
			$first[] = $pname;
		} else {
			$rest[] = $pname;
		}
	}

	return array_merge($first, $rest);
}
?>