/src/etc/inc/authgui.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/etc/inc/authgui.inc @ 29c0d920

1	16513324	Holger Bauer	<?php
2	995df6c3	Stephen Beaver	/* ====================================================================
3			* Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved.
4			* Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
5			* Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
6			* Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>.
7			*
8			* Redistribution and use in source and binary forms, with or without modification,
9			* are permitted provided that the following conditions are met:
10			*
11			* 1. Redistributions of source code must retain the above copyright notice,
12			* this list of conditions and the following disclaimer.
13			*
14			* 2. Redistributions in binary form must reproduce the above copyright
15			* notice, this list of conditions and the following disclaimer in
16			* the documentation and/or other materials provided with the
17			* distribution.
18			*
19			* 3. All advertising materials mentioning features or use of this software
20			* must display the following acknowledgment:
21			* "This product includes software developed by the pfSense Project
22			* for use in the pfSense software distribution. (http://www.pfsense.org/).
23			*
24			* 4. The names "pfSense" and "pfSense Project" must not be used to
25			* endorse or promote products derived from this software without
26			* prior written permission. For written permission, please contact
27			* coreteam@pfsense.org.
28			*
29			* 5. Products derived from this software may not be called "pfSense"
30			* nor may "pfSense" appear in their names without prior written
31			* permission of the Electric Sheep Fencing, LLC.
32			*
33			* 6. Redistributions of any form whatsoever must retain the following
34			* acknowledgment:
35			*
36			* "This product includes software developed by the pfSense Project
37			* for use in the pfSense software distribution (http://www.pfsense.org/).
38			*
39			* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
40			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
43			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50			* OF THE POSSIBILITY OF SUCH DAMAGE.
51			*
52			* ====================================================================
53			*
54			*/
55	483e6de8	Scott Ullrich	include_once("auth.inc");
56	6dc88d53	Ermal Luci	include_once("priv.inc");
57	1e0b1727	Phil Davis	if (!function_exists('platform_booting')) {
58	cb054444	Ermal LUÇI	require_once('globals.inc');
59	1e0b1727	Phil Davis	}
60	16513324	Holger Bauer
61			/* Authenticate user - exit if failed */
62	6306b5dd	Ermal Lu?i	if (!session_auth()) {
63			display_login_form();
64	45ee90ed	Matthew Grooms	exit;
65	6306b5dd	Ermal Lu?i	}
66	45ee90ed	Matthew Grooms
67			/*
68			* Once here, the user has authenticated with the web server.
69			* We give them access only to the appropriate pages based on
70			* the user or group privileges.
71			*/
72	c4a9f99a	jim-p	$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']);
73	16513324	Holger Bauer
74	45ee90ed	Matthew Grooms	/*
75	403a270e	Ermal Luçi	* redirect to first allowed page if requesting a wrong url
76	45ee90ed	Matthew Grooms	*/
77	14f5f705	marcelloc	if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
78	403a270e	Ermal Luçi	if (count($allowedpages) > 0) {
79			$page = str_replace('*', '', $allowedpages[0]);
80			$_SESSION['Post_Login'] = true;
81	5c15e649	sullrich	require_once("functions.inc");
82	403a270e	Ermal Luçi	pfSenseHeader("/{$page}");
83	0d4f348f	jim-p
84			$username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
85	1e0b1727	Phil Davis	if (!empty($_SERVER['REMOTE_ADDR'])) {
86	0d4f348f	jim-p	$username .= '@' . $_SERVER['REMOTE_ADDR'];
87	1e0b1727	Phil Davis	}
88	0d4f348f	jim-p	log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}.");
89
90	403a270e	Ermal Luçi	exit;
91			} else {
92	0b70d9f4	Carlos Eduardo Ramos	display_error_form("201", gettext("No page assigned to this user! Click here to logout."));
93	403a270e	Ermal Luçi	exit;
94			}
95	1e0b1727	Phil Davis	} else {
96	403a270e	Ermal Luçi	$_SESSION['Post_Login'] = true;
97	1e0b1727	Phil Davis	}
98	16513324	Holger Bauer
99	45ee90ed	Matthew Grooms	/*
100	d97ab688	Matthew Grooms	* redirect browsers post-login to avoid pages
101	1e0b1727	Phil Davis	* taking action in response to a POST request
102	45ee90ed	Matthew Grooms	*/
103	d97ab688	Matthew Grooms	if (!$_SESSION['Post_Login']) {
104	c9dddd59	sullrich	$_SESSION['Post_Login'] = true;
105	5c15e649	sullrich	require_once("functions.inc");
106	d97ab688	Matthew Grooms	pfSenseHeader($_SERVER['REQUEST_URI']);
107			exit;
108			}
109	16513324	Holger Bauer
110	1180e4f0	Sjon Hortensius	/*
111	4111fcf5	Ermal	* Close session data to allow other scripts from same host to come in.
112			* A session can be reactivated from calling session_start again
113			*/
114			session_commit();
115
116	45ee90ed	Matthew Grooms	/*
117			* determine if the user is allowed access to the requested page
118			*/
119	16513324	Holger Bauer	function display_error_form($http_code, $desc) {
120	45ee90ed	Matthew Grooms	global $config, $g;
121	995df6c3	Stephen Beaver
122	1e0b1727	Phil Davis	if (isAjax()) {
123	addc0439	Renato Botelho	printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc);
124	16513324	Holger Bauer	return;
125			}
126
127	9d624e6b	Jared Dillard	$cssfile = "/bootstrap/css/pfSense.css";
128
129			if (isset($config['system']['webgui']['webguicss'])) {
130	4e322e2c	Phil Davis	if (file_exists("bootstrap/css/" . $config['system']['webgui']['webguicss'])) {
131	9d624e6b	Jared Dillard	$cssfile = "/bootstrap/css/" . $config['system']['webgui']['webguicss'];
132			}
133			}
134
135	16513324	Holger Bauer	?>
136	1180e4f0	Sjon Hortensius	<!DOCTYPE html>
137			<html lang="en">
138			<head>
139	e71c09fa	heper	<meta name="viewport" content="width=device-width, initial-scale=1">
140	9d624e6b	Jared Dillard	<link rel="stylesheet" href="<?=$cssfile?>" />
141	1180e4f0	Sjon Hortensius	<title><?=gettext("Error: not allowed"); ?></title>
142			</head>
143			<body id="error" class="no-menu">
144			<div id="jumbotron">
145			<div class="container">
146	c7d61071	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-6 col-xs-12">
147			<!-- FIXME: We really need to POST the logout action -->
148			<div class="alert alert-danger" role="alert"><a href="index.php?logout"><?=$desc;?></a></div>
149			</div>
150	45ee90ed	Matthew Grooms	</div>
151	1180e4f0	Sjon Hortensius	</div>
152			</body>
153	16513324	Holger Bauer	</html>
154			<?php
155
156	45ee90ed	Matthew Grooms	} // end function
157	16513324	Holger Bauer
158
159			function display_login_form() {
160	45ee90ed	Matthew Grooms	require_once("globals.inc");
161			global $config, $g;
162
163			unset($input_errors);
164
165	1e0b1727	Phil Davis	if (isAjax()) {
166	45ee90ed	Matthew Grooms	if (isset($_POST['login'])) {
167	1e0b1727	Phil Davis	if ($_SESSION['Logged_In'] <> "True") {
168	0b70d9f4	Carlos Eduardo Ramos	isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = gettext("unknown reason");
169	3cfc695c	Vinicius Coque	printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error);
170	45ee90ed	Matthew Grooms	}
171			if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
172			// TODO: add the IP from the user who did lock the device
173			$whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
174	3cfc695c	Vinicius Coque	printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom);
175	45ee90ed	Matthew Grooms	}
176			}
177			exit;
178			}
179	16513324	Holger Bauer
180	1180e4f0	Sjon Hortensius	/* Check against locally configured IP addresses, which will catch when someone
181	2003b5d8	jim-p	port forwards WebGUI access from WAN to an internal IP on the router. */
182	6cfa23eb	Scott Ullrich	global $FilterIflist, $nifty_background;
183	2003b5d8	jim-p	$local_ip = false;
184	1fb55001	Ermal LUÇI	if (strpos($_SERVER['HTTP_HOST'], ":") === FALSE) {
185	2003b5d8	jim-p	$http_host_port = explode(":", $_SERVER['HTTP_HOST']);
186			$http_host = $http_host_port[0];
187			} else {
188			$http_host = $_SERVER['HTTP_HOST'];
189			}
190			if (empty($FilterIflist)) {
191			require_once('filter.inc');
192			require_once('shaper.inc');
193			filter_generate_optcfg_array();
194			}
195	f48d337f	Seth Mos	foreach ($FilterIflist as $iflist) {
196	1e0b1727	Phil Davis	if ($iflist['ip'] == $http_host) {
197	2003b5d8	jim-p	$local_ip = true;
198	1e0b1727	Phil Davis	} else if ($iflist['ipv6'] == $http_host) {
199	f48d337f	Seth Mos	$local_ip = true;
200	1e0b1727	Phil Davis	} else if (is_array($iflist['vips'])) {
201	1fb55001	Ermal LUÇI	foreach ($iflist['vips'] as $vip) {
202			if ($vip['ip'] == $http_host) {
203	067e48ab	Scott Ullrich	$local_ip = true;
204	1fb55001	Ermal LUÇI	break;
205			}
206	f48d337f	Seth Mos	}
207	1fb55001	Ermal LUÇI	unset($vip);
208	f48d337f	Seth Mos	}
209	1e0b1727	Phil Davis	if ($local_ip == true) {
210	1fb55001	Ermal LUÇI	break;
211	1e0b1727	Phil Davis	}
212	f48d337f	Seth Mos	}
213	1fb55001	Ermal LUÇI	unset($FilterIflist);
214			unset($iflist);
215
216	02156b4b	Ermal LUÇI	if ($local_ip == false) {
217			if (is_array($config['openvpn']['openvpn-server'])) {
218			foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
219			if (is_ipaddrv4($http_host) && !empty($ovpns['tunnel_network']) && ip_in_subnet($http_host, $ovpns['tunnel_network'])) {
220			$local_ip = true;
221			} else if (is_ipaddrv6($http_host) && !empty($ovpns['tunnel_networkv6']) && ip_in_subnet($http_host, $ovpns['tunnel_networkv6'])) {
222			$local_ip = true;
223			}
224	1e0b1727	Phil Davis	if ($local_ip == true) {
225	02156b4b	Ermal LUÇI	break;
226	1e0b1727	Phil Davis	}
227	71034b51	Renato Botelho	}
228			}
229			}
230	0041092c	jim-p
231	9d624e6b	Jared Dillard	$cssfile = "/bootstrap/css/pfSense.css";
232
233			if (isset($config['system']['webgui']['webguicss'])) {
234	4e322e2c	Phil Davis	if (file_exists("bootstrap/css/" . $config['system']['webgui']['webguicss'])) {
235	9d624e6b	Jared Dillard	$cssfile = "/bootstrap/css/" . $config['system']['webgui']['webguicss'];
236			}
237			}
238
239	16513324	Holger Bauer	?>
240	1180e4f0	Sjon Hortensius	<!DOCTYPE html>
241			<html lang="en">
242			<head>
243	e71c09fa	heper	<meta name="viewport" content="width=device-width, initial-scale=1">
244	9d624e6b	Jared Dillard	<link rel="stylesheet" href="<?=$cssfile?>" />
245	1180e4f0	Sjon Hortensius	<title><?=gettext("Login"); ?></title>
246	a9e60275	Chris Buechler	<script type="text/javascript">
247	8fd9052f	Colin Fleming	//<![CDATA{
248			var events = events \|\| [];
249			//]]>
250			</script>
251	1180e4f0	Sjon Hortensius	</head>
252			<body id="login" class="no-menu">
253			<div id="jumbotron">
254			<div class="container">
255	c7d61071	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-6 col-xs-12">
256	a42e7aa2	Sjon Hortensius	<?php
257	4de8f7ba	Phil Davis	if (is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) {
258	a42e7aa2	Sjon Hortensius	$nifty_background = "#999";
259			print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br /><br />If you did not setup this forwarding, you may be the target of a man-in-the-middle attack."));
260			}
261	1180e4f0	Sjon Hortensius
262	a42e7aa2	Sjon Hortensius	$loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"';
263			?>
264	1180e4f0	Sjon Hortensius
265	c7d61071	Sander van Leeuwen	<div class="panel panel-default">
266			<div class="panel-heading">
267			<h2 class="panel-title">Login to pfSense</h2>
268			</div>
269	1180e4f0	Sjon Hortensius
270	c7d61071	Sander van Leeuwen	<div class="panel-body">
271	a42e7aa2	Sjon Hortensius	<?php if (!empty($_SESSION['Login_Error'])): ?>
272	c7d61071	Sander van Leeuwen	<div class="alert alert-danger" role="alert"><?=$_SESSION['Login_Error'];?></div>
273	a42e7aa2	Sjon Hortensius	<?php endif ?>
274	c7d61071	Sander van Leeuwen	<div class="alert alert-warning" class="hidden" id="no_cookies"><?= gettext("Your browser must support cookies to login."); ?></div>
275
276			<form method="post" <?= $loginautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>" class="form-horizontal">
277			<div class="form-group">
278			<label for="usernamefld" class="col-sm-3 control-label">Username</label>
279	0a353c81	Sander van Leeuwen	<div class="col-sm-9 col-md-7">
280	17ef09c3	Colin Fleming	<input type="text" class="form-control" name="usernamefld" id="usernamefld" placeholder="Enter your username">
281	c7d61071	Sander van Leeuwen	</div>
282			</div>
283
284			<div class="form-group">
285			<label for="passwordfld" class="col-sm-3 control-label">Password</label>
286	0a353c81	Sander van Leeuwen	<div class="col-sm-9 col-md-7">
287	17ef09c3	Colin Fleming	<input type="password" class="form-control" name="passwordfld" id="passwordfld" placeholder="Enter your password">
288	c7d61071	Sander van Leeuwen	</div>
289			</div>
290
291			<div class="form-group">
292	0a353c81	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-9 col-md-7">
293	c7d61071	Sander van Leeuwen	<button type="submit" class="btn btn-primary" name="login">Login</button>
294			</div>
295			</div>
296			</form>
297	a42e7aa2	Sjon Hortensius	</div>
298	c7d61071	Sander van Leeuwen	</div>
299	1180e4f0	Sjon Hortensius	</div>
300	45ee90ed	Matthew Grooms	</div>
301	45d6ada5	Sjon Hortensius
302	8fd9052f	Colin Fleming	<script type="text/javascript">
303			//!<[CDATA[
304	45d6ada5	Sjon Hortensius	events.push(function() {
305			document.cookie=
306			"cookie_test=1" +
307			"<?php echo $config['system']['webgui']['protocol'] == 'https' ? '; secure' : '';?>";
308
309			if (document.cookie.indexOf("cookie_test") == -1)
310	60987639	Stephen Beaver	document.getElementById("no_cookies").style.display="";
311			else
312			document.getElementById("no_cookies").style.display="none";
313	45d6ada5	Sjon Hortensius
314			// Delete it
315			document.cookie = "cookie_test=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";
316			});
317	8fd9052f	Colin Fleming	//]]>
318	45d6ada5	Sjon Hortensius	</script>
319	16513324	Holger Bauer	<?php
320	45d6ada5	Sjon Hortensius	require('foot.inc');
321	16513324	Holger Bauer
322	17ef09c3	Colin Fleming	} // end function

Project

General

Profile

pfSense