pfSense

#!/usr/local/bin/php -f

<?php

/*

 * generate-privdefs.php

 *

 * part of pfSense (https://www.pfsense.org)

 * Copyright (c) 2004-2013 BSD Perimeter

 * Copyright (c) 2013-2016 Electric Sheep Fencing

 * Copyright (c) 2014-2019 Rubicon Communications, LLC (Netgate)

 * All rights reserved.

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

/*

 * This utility processes the <prefix>/usr/local/www

 * directory and builds a privilege definition file

 * based on the embedded metadata tags. For more info

 * please see <prefix>/etc/inc/meta.inc

 */

if (count($argv) < 2) {

	echo "usage: generate-privdefs <prefix>\n";

	echo "\n";

	echo "This utility generates privilege definitions and writes them to\n";

	echo "'<prefix>/etc/inc/priv.defs.inc'. The <prefix> parameter should\n";

	echo "be specified as your base pfSense working directory.\n";

	echo "\n";

	echo "Examples:\n";

	echo "#generate-privdefs /\n";

	echo "#generate-privdefs /home/pfsense/src/\n";

	echo "\n";

	exit -1;

}

$prefix = $argv[1];

if (!file_exists($prefix)) {

	echo "prefix {$prefix} is invalid";

	exit -1;

}

$metainc = $prefix."etc/inc/meta.inc";

if (!file_exists($metainc)) {

	echo "unable to locate {$metainc} file\n";

	exit -1;

}

require_once($metainc);

echo "--Locating www php files--\n";

$path = $prefix."/usr/local/www";

list_phpfiles($path, $found);

echo "--Gathering privilege metadata--\n";

$data;

sort($found);

foreach ($found as $fname)

	read_file_metadata($path."/".$fname, $data, "PRIV");

echo "--Generating privilege definitions--\n";

$privdef = $prefix."etc/inc/priv.defs.inc";

$fp = fopen($privdef, "w");

if (!$fp) {

	echo "unable to open {$privdef}\n";

	exit -2;

}

$pdata;

$pdata  = "<?php\n";

$pdata .= "/*\n";

$pdata .= " * priv.defs.inc - Default Privilege Definitions\n";

$pdata .= " * Generated by pfSense/tools/scripts/generate-privdefs.php\n";

$pdata .= " *\n";

$pdata .= " * ***************************************************\n";

$pdata .= " * DO NOT EDIT THIS FILE. IT IS GENERATED BY A SCRIPT.\n";

$pdata .= " * ***************************************************\n";

$pdata .= " *\n";

$pdata .= " * Text is pulled from metadata headers in the referenced files.\n";

$pdata .= " *\n";

$pdata .= " */\n";

$pdata .= "\n";

$pdata .= "\$priv_list = array();\n";

$pdata .= "\n";

$pdata .= "\$priv_list['page-all'] = array();\n";

$pdata .= "\$priv_list['page-all']['name'] = gettext(\"WebCfg - All pages\");\n";

$pdata .= "\$priv_list['page-all']['descr'] = gettext(\"Allow access to all pages\");\n";

$pdata .= "\$priv_list['page-all']['warn'] = \"standard-warning-root\";\n";

$pdata .= "\$priv_list['page-all']['match'] = array();\n";

$pdata .= "\$priv_list['page-all']['match'][] = \"*\";\n";

$pdata .= "\n";

foreach ($data as $fname => $tags) {

	foreach ($tags as $tname => $vals) {

		$ident = "";

		$name = "";

		$descr = "";

		$warn = "";

		$match = array();

		foreach ($vals as $vname => $vlist) {

			switch ($vname) {

				case "IDENT":

					$ident = $vlist[0];

					break;

				case "NAME":

					$name = $vlist[0];

					break;

				case "DESCR":

					$descr = $vlist[0];

					break;

				case "WARN":

					$warn = $vlist[0];

					break;

				case "MATCH":

					$match = $vlist;

					break;

			}

		}

		if (!$ident) {

			echo "invalid IDENT in {$fname} privilege\n";

			continue;

		}

		if (!count($match)) {

			echo "invalid MATCH in {$fname} privilege\n";

			continue;

		}

		$pdata .= "\$priv_list['{$ident}'] = array();\n";

		$pdata .= "\$priv_list['{$ident}']['name'] = gettext(\"WebCfg - {$name}\");\n";

		$pdata .= "\$priv_list['{$ident}']['descr'] = gettext(\"{$descr}\");\n";

		if (strlen($warn) > 0) {

			$pdata .= "\$priv_list['{$ident}']['warn'] = \"{$warn}\";\n";

		}

		$pdata .= "\$priv_list['{$ident}']['match'] = array();\n";

		foreach ($match as $url)

			$pdata .= "\$priv_list['{$ident}']['match'][] = \"{$url}\";\n";

		$pdata .= "\n";

	}

}

$pdata .= "\n";

$pdata .= "\$priv_rmvd = array();\n";

$pdata .= "\n";

$pdata .= "?>\n";

fwrite($fp, $pdata);

fclose($fp);

/*

 * TODO : Build additional functionality

 *

echo "--Checking for pages without privilege definitions--\n";

foreach ($found as $fname) {

	$match = false;

	foreach ($pages_current as $pname => $pdesc) {

		if (!strcmp($pname, $fname)) {

			$match = true;

			break;

		}

	}

	if (!$match)

		echo "missing: $fname\n";

}

echo "--Checking for stale privilege definitions--\n";

foreach ($pages_current as $pname => $pdesc) {

	$match = false;

	foreach ($found as $fname) {

		if (!strncmp($fname, $pname, strlen($fname))) {

			$match = true;

			break;

		}

	}

	if (!$match)

		echo "stale: $pname\n";

}

 */

?>