/src/etc/inc/acb.inc - Annotate - pfSense - pfSense bugtracker

054f0ed0

Steve Beaver

<?php

2

/*

3

 * autoconfigbackup.inc

4

5

 * part of pfSense (https://www.pfsense.org)

6

 * Copyright (c) 2008-2016 Rubicon Communications, LLC (Netgate)

7

 * All rights reserved.

8

9

 * Licensed under the Apache License, Version 2.0 (the "License");

10

 * you may not use this file except in compliance with the License.

11

 * You may obtain a copy of the License at

12

13

 * http://www.apache.org/licenses/LICENSE-2.0

14

15

 * Unless required by applicable law or agreed to in writing, software

16

 * distributed under the License is distributed on an "AS IS" BASIS,

17

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

18

 * See the License for the specific language governing permissions and

19

 * limitations under the License.

20

*/

21

22

require_once("filter.inc");

23

require_once("notices.inc");

24

25

// If there is no ssh key in the system to identify this firewall, generate a pair now

26

function get_device_key() {

27

	if (!file_exists("/etc/ssh/ssh_host_ed25519_key.pub")) {

28

		exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ed25519 -b 4096 -N '' -f /etc/ssh//ssh_host_ed25519_key");

29

30

31

	// The userkey (firewall identifier) is an MD5 has of the ed25519 public key

32

	return hash("sha256", file_get_contents("/etc/ssh/ssh_host_ed25519_key.pub"));

33

34

35

$origkey = get_device_key();

36

37

if (isset($_REQUEST['userkey']) && !empty($_REQUEST['userkey'])) {

38

	$userkey = htmlentities($_REQUEST['userkey']);

39

} else {

40

	$userkey = get_device_key();

41

42

43

// Defined username. Username must be sent lowercase. See Redmine #7127 and Netgate Redmine #163

44

$username = strtolower($config['system']['acb']['gold_username']);

45

46

// Defined password

47

$password = $config['system']['acb']['gold_password'];

48

49

$uniqueID = system_get_uniqueid();

50

51

/* Check whether ACB is enabled */

52

function acb_enabled() {

53

	global $config;

54

	$acb_enabled = false;

55

56

	if (is_array($config['system']['acb'])) {

57

		if ($config['system']['acb']['enable'] == "yes") {

58

			$acb_enabled = true;

	return $acb_enabled;

63

64

65

// Ensures patches match

66

function acb_custom_php_validation_command($post, &$input_errors) {

67

	global $_POST, $savemsg, $config;

68

69

	// Do nothing when ACB is disabled in configuration

70

	// This also makes it possible to delete the credentials from config.xml

71

	if (!acb_enabled()) {

72

		// We do not need to store this value.

73

		unset($_POST['testconnection']);

74

		return;

75

76

77

	if (!$post['crypto_password'] or !$post['crypto_password2']) {

78

		$input_errors[] = "The encryption password is required.";

79

80

81

	if ($post['crypto_password'] <> $post['crypto_password2']) {

82

		$input_errors[] = "Sorry, the entered encryption passwords do not match.";

83

84

85

	if ($post['testconnection']) {

86

		$status = test_connection($post);

87

		if ($status) {

88

			$savemsg = "Connection to the ACB server was tested with no errors.";

	// We do not need to store this value.

93

	unset($_POST['testconnection']);

94

95

96

function acb_custom_php_resync_config_command() {

97

	// Do nothing when ACB is disabled in configuration

98

	if (!acb_enabled()) {

99

		return;

100

101

104

054f0ed0

Steve Beaver

	if (!function_exists("filter_configure")) {

105

		require_once("filter.inc");

106

108

054f0ed0

Steve Beaver

	filter_configure();

110

054f0ed0

Steve Beaver

	if ($savemsg) {

111

		$savemsg .= "<br/>";

112

114

054f0ed0

Steve Beaver

	$savemsg .= "A configuration backup has been queued.";

115

116

117

function configure_proxy() {

118

	global $config;

119

	$ret = array();

120

	if (!empty($config['system']['proxyurl'])) {

121

		$ret[CURLOPT_PROXY] = $config['system']['proxyurl'];

122

		if (!empty($config['system']['proxyport'])) {

123

			$ret[CURLOPT_PROXYPORT] = $config['system']['proxyport'];

124

125

		if (!empty($config['system']['proxyuser']) && !empty($config['system']['proxypass'])) {

126

			$ret[CURLOPT_PROXYAUTH] = CURLAUTH_ANY | CURLAUTH_ANYSAFE;

127

			$ret[CURLOPT_PROXYUSERPWD] = "{$config['system']['proxyuser']}:{$config['system']['proxypass']}";

128

129

130

	return $ret;

131

132

133

function test_connection($post) {

134

	global $savemsg, $config, $g, $legacy;

135

136

	// Do nothing when booting or when not enabled

137

	if (platform_booting() || !acb_enabled()) {

138

		return;

139

140

141

	// Seperator used during client / server communications

142

	$oper_sep = "\|\|";

143

144

	// Encryption password

145

	$decrypt_password = $post['crypto_password'];

146

147

	// Defined username. Username must be sent lowercase. See Redmine #7127 and Netgate Redmine #163

148

	$username = strtolower($post['username']);

149

150

	// Defined password

151

	$password = $post['password'];

152

153

	// Set hostname

154

	$hostname = $config['system']['hostname'] . "." . $config['system']['domain'];

155

156

	// URL to restore.php

157

	$get_url = $legacy ? "https://portal.pfsense.org/pfSconfigbackups/restore.php":"https://acb.netgate.com/getbkp";

158

159

	// Populate available backups

160

	$curl_session = curl_init();

161

	curl_setopt($curl_session, CURLOPT_URL, $get_url);

163

054f0ed0

Steve Beaver

	if ($legacy) {

164

		curl_setopt($curl_session, CURLOPT_HTTPHEADER, array("Authorization: Basic " . base64_encode("{$username}:{$password}")));

165

167

054f0ed0

Steve Beaver

	curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 1);

168

	curl_setopt($curl_session, CURLOPT_POST, 1);

169

	curl_setopt($curl_session, CURLOPT_RETURNTRANSFER, 1);

170

	curl_setopt($curl_session, CURLOPT_CONNECTTIMEOUT, 55);

171

	curl_setopt($curl_session, CURLOPT_TIMEOUT, 30);

172

	curl_setopt($curl_session, CURLOPT_USERAGENT, $g['product_name'] . '/' . rtrim(file_get_contents("/etc/version")));

173

	// Proxy

174

	curl_setopt_array($curl_session, configure_proxy());

175

176

	curl_setopt($curl_session, CURLOPT_POSTFIELDS, "action=showbackups&hostname={$hostname}");

177

	$data = curl_exec($curl_session);

178

179

	if (curl_errno($curl_session)) {

180

		return("An error occurred " . curl_error($curl_session));

181

	} else {

182

		curl_close($curl_session);

183

184

185

	return;

186

187

188

function upload_config($reasonm = "") {

189

	global $config, $g, $input_errors, $userkey, $uniqueID;

190

191

	if (empty($userkey)) {

192

		$userkey = get_device_key();

193

194

195

	if (empty($uniqueID)) {

196

		$uniqueID = system_get_uniqueid();

197

198

199

	// Do nothing when booting or when not enabled

200

	if (platform_booting() || !acb_enabled()) {

201

		return;

202

203

204

/*

205

	 * pfSense upload config to pfSense.org script

206

	 * This file plugs into config.inc (/usr/local/pkg/parse_config)

207

	 * and runs every time the running firewall filter changes.

208

209

*/

210

211

	if (file_exists("/tmp/acb_nooverwrite")) {

212

		unlink("/tmp/acb_nooverwrite");

213

		$nooverwrite = "true";

214

	} else {

215

		$nooverwrite = "false";

216

217

218

	// Define some needed variables

219

	if (file_exists("/cf/conf/lastpfSbackup.txt")) {

220

		$last_backup_date = str_replace("\n", "", file_get_contents("/cf/conf/lastpfSbackup.txt"));

221

	} else {

222

		$last_backup_date = "";

223

224

225

	$last_config_change = $config['revision']['time'];

226

	$hostname = $config['system']['hostname'] . "." . $config['system']['domain'];

228

054f0ed0

Steve Beaver

	if ($reasonm) {

229

		$reason = $reasonm;

230

	} else {

231

		$reason	= $config['revision']['description'];

232

233

234

/*

235

	* Syncing vouchers happens every minute and sometimes multiple times. We don't

236

	* want to fill up our db with a lot of the same config so just ignore that case.

237

*/

238

	if((strpos($reason, 'Syncing vouchers') !== false ||

239

		strpos($reason, 'Captive Portal Voucher database synchronized') !== false) ) {

240

		return;

054f0ed0

Steve Beaver

246

	// Define upload_url, must be present after other variable definitions due to username, password

247

	$upload_url = "https://acb.netgate.com/save";

248

249

	if (!$encryptpw) {

250

		if (!file_exists("/cf/conf/autoconfigback.notice")) {

251

			$notice_text = "The encryption password is not set for Automatic Configuration Backup.";

253

054f0ed0

Steve Beaver

			//log_error($notice_text);

254

			//file_notice("AutoConfigBackup", $notice_text, $notice_text, "");

255

			touch("/cf/conf/autoconfigback.notice");

256

257

	} else {

258

		/* If configuration has changed, upload to pfS */

259

		if ($last_backup_date <> $last_config_change) {

260

261

			$notice_text = "Beginning configuration backup to ." . $upload_url;

262

			log_error($notice_text);

263

			update_filter_reload_status($notice_text);

264

265

			// Encrypt config.xml

266

			$data = file_get_contents("/cf/conf/config.xml");

267

			$raw_config_sha256_hash = trim(shell_exec("/sbin/sha256 /cf/conf/config.xml | /usr/bin/awk '{ print $4 }'"));

268

			$data = encrypt_data($data, $encryptpw);

269

			$tmpname = "/tmp/" . $raw_config_sha256_hash . ".tmp";

270

			tagfile_reformat($data, $data, "config.xml");

271

			file_put_contents($tmpname, $data);

272

273

			$post_fields = array(

274

				'reason' => htmlspecialchars($reason),

275

				'uid' => $uniqueID,

276

				'file' => curl_file_create($tmpname, 'image/jpg', 'config.jpg'),

277

				'userkey' => htmlspecialchars($userkey),

278

				'sha256_hash' => $raw_config_sha256_hash,

279

				'version' => $g['product_version'],

280

				'hint' => $config['system']['acb']['hint']

281

);

282

283

			// Check configuration into the ESF repo

284

			$curl_session = curl_init();

285

286

			curl_setopt($curl_session, CURLOPT_URL, "https://acb.netgate.com/save");

287

			curl_setopt($curl_session, CURLOPT_POST, count($post_fields));

288

			curl_setopt($curl_session, CURLOPT_POSTFIELDS, $post_fields);

289

			curl_setopt($curl_session, CURLOPT_RETURNTRANSFER, 1);

290

			curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0);

291

			curl_setopt($curl_session, CURLOPT_CONNECTTIMEOUT, 55);

292

			curl_setopt($curl_session, CURLOPT_TIMEOUT, 30);

293

			curl_setopt($curl_session, CURLOPT_USERAGENT, $g['product_name'] . '/' . rtrim(file_get_contents("/etc/version")));

294

			// Proxy

295

			curl_setopt_array($curl_session, configure_proxy());

296

297

			$data = curl_exec($curl_session);

298

300

054f0ed0

Steve Beaver

301

			if (curl_errno($curl_session)) {

302

				$fd = fopen("/tmp/backupdebug.txt", "w");

303

				fwrite($fd, $upload_url . "" . $fields_string . "\n\n");

304

				fwrite($fd, $data);

305

				fwrite($fd, curl_error($curl_session));

306

				fclose($fd);

307

			} else {

308

				curl_close($curl_session);

309

310

311

			if (strpos($data, "500") != false) {

312

				$notice_text = "An error occurred while uploading your pfSense configuration to " . $upload_url . " (" . htmlspecialchars($data) . ")";

313

				log_error($notice_text . " - " . $data);

314

				file_notice("AutoConfigBackup", $notice_text, "Backup Failure", "/pkg_edit.php?xml=autoconfigbackup.xml&id=0");

315

				update_filter_reload_status($notice_text);

316

				$input_errors["acb_upload"] = $notice_text;

317

			} else {

318

				// Update last pfS backup time

319

				$fd = fopen("/cf/conf/lastpfSbackup.txt", "w");

320

				fwrite($fd, $config['revision']['time']);

321

				fclose($fd);

322

				$notice_text = "End of configuration backup to " . $upload_url . " (success).";

323

				log_error($notice_text);

324

				update_filter_reload_status($notice_text);

325

326

327

		} else {

328

			// Debugging

329

			//log_error("No https://portal.pfsense.org backup required.");

330

331

332

Project

General

Profile

pfSense

Project

General

Profile

pfSense

root/src/etc/inc/acb.inc @ 443a8b1b