/usr/local/captiveportal/index.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/usr/local/captiveportal/index.php @ 447ad2f5

1	8c1ce6c7	Scott Ullrich	<?php
2	5b237745	Scott Ullrich	/*
3	3b832418	bcyrill	$Id$
4			part of m0n0wall (http://m0n0.ch/wall)
5
6			Copyrigth (C) 2009 Ermal Lu?i
7			Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
8			All rights reserved.
9
10			Redistribution and use in source and binary forms, with or without
11			modification, are permitted provided that the following conditions are met:
12
13			1. Redistributions of source code must retain the above copyright notice,
14			this list of conditions and the following disclaimer.
15
16			2. Redistributions in binary form must reproduce the above copyright
17			notice, this list of conditions and the following disclaimer in the
18			documentation and/or other materials provided with the distribution.
19
20			THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
21			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
22			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
24			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29			POSSIBILITY OF SUCH DAMAGE.
30	5b237745	Scott Ullrich	*/
31	f5024891	Scott Ullrich	/*
32			pfSense_MODULE: captiveportal
33			*/
34	5b237745	Scott Ullrich
35	0092b3bd	mgrooms	require_once("auth.inc");
36	65fbb388	Scott Ullrich	require_once("functions.inc");
37	483e6de8	Scott Ullrich	require_once("captiveportal.inc");
38	65fbb388	Scott Ullrich
39	eb15decb	Ermal	$errormsg = "Invalid credentials specified.";
40
41	65fbb388	Scott Ullrich	header("Expires: 0");
42			header("Cache-Control: no-store, no-cache, must-revalidate");
43			header("Cache-Control: post-check=0, pre-check=0", false);
44			header("Pragma: no-cache");
45	232846a2	Ermal	header("Connection: close");
46	5b237745	Scott Ullrich
47	baec2b00	Ermal	global $cpzone, $cpzoneid;
48	5370146c	Ermal
49	4734474e	Ermal	$cpzone = $_REQUEST['zone'];
50	b4792bf8	Ermal	$cpcfg = $config['captiveportal'][$cpzone];
51	09294e84	Ermal	if (empty($cpcfg)) {
52			log_error("Submission to captiveportal with unkown parameter zone: " . htmlspecialchars($cpzone));
53			portal_reply_page($redirurl, "error", $errormsg);
54			ob_flush();
55			return;
56			}
57	b4792bf8	Ermal
58	baec2b00	Ermal	$cpzoneid = $cpcfg['zoneid'];
59
60	362ec35d	Ermal	$orig_host = $_SERVER['HTTP_HOST'];
61	6e895d5f	Ermal	/* NOTE: IE 8/9 is buggy and that is why this is needed */
62	f89afb47	Ermal	$orig_request = trim($_REQUEST['redirurl'], " /");
63	6fa4bdc6	Scott Ullrich	$clientip = $_SERVER['REMOTE_ADDR'];
64	5b237745	Scott Ullrich
65			if (!$clientip) {
66	c9cb32c4	Ermal	/* not good - bail out */
67	12feed15	Ermal	log_error("Zone: {$cpzone} - Captive portal could not determine client's IP address.");
68	c9cb32c4	Ermal	$error_message = "An error occurred. Please check the system logs for more information.";
69			portal_reply_page($redirurl, "error", $errormsg);
70	4a5feb83	Ermal	ob_flush();
71			return;
72	65fbb388	Scott Ullrich	}
73
74	de132ae3	bcyrill	$ourhostname = portal_hostname_from_client_ip($clientip);
75	65fbb388	Scott Ullrich	if ($orig_host != $ourhostname) {
76	3b832418	bcyrill	/* the client thinks it's connected to the desired web server, but instead
77			it's connected to us. Issue a redirect... */
78	de132ae3	bcyrill	$protocol = (isset($cpcfg['httpslogin'])) ? 'https://' : 'http://';
79			header("Location: {$protocol}{$ourhostname}/index.php?zone={$cpzone}&redirurl=" . urlencode("http://{$orig_host}/{$orig_request}"));
80	65fbb388	Scott Ullrich
81	3b832418	bcyrill	ob_flush();
82			return;
83	5b237745	Scott Ullrich	}
84	de132ae3	bcyrill
85	b7ae00c0	bcyrill	if (!empty($cpcfg['redirurl']))
86			$redirurl = $cpcfg['redirurl'];
87	adbb495c	Ermal	else if (preg_match("/redirurl=(.*)/", $orig_request, $matches))
88			$redirurl = urldecode($matches[1]);
89			else if ($_REQUEST['redirurl'])
90			$redirurl = $_REQUEST['redirurl'];
91	65fbb388	Scott Ullrich
92	b7ae00c0	bcyrill	$macfilter = !isset($cpcfg['nomacfilter']);
93			$passthrumac = isset($cpcfg['passthrumacadd']);
94	65fbb388	Scott Ullrich
95	5b237745	Scott Ullrich	/* find MAC address for client */
96	007161dc	Ermal	if ($macfilter \|\| $passthrumac) {
97	0d20a040	Ermal	$tmpres = pfSense_ip_to_mac($clientip);
98			if (!is_array($tmpres)) {
99	3b832418	bcyrill	/* unable to find MAC address - shouldn't happen! - bail out */
100			captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");
101			echo "An error occurred. Please check the system logs for more information.";
102	12feed15	Ermal	log_error("Zone: {$cpzone} - Captive portal could not determine client's MAC address. Disable MAC address filtering in captive portal if you do not need this functionality.");
103	3b832418	bcyrill	ob_flush();
104			return;
105	007161dc	Ermal	}
106	0d20a040	Ermal	$clientmac = $tmpres['macaddr'];
107			unset($tmpres);
108	5b237745	Scott Ullrich	}
109
110	65fbb388	Scott Ullrich	/* find out if we need RADIUS + RADIUSMAC or not */
111	b4792bf8	Ermal	if (file_exists("{$g['vardb_path']}/captiveportal_radius_{$cpzone}.db")) {
112	3b832418	bcyrill	$radius_enable = TRUE;
113			if (isset($cpcfg['radmac_enable']))
114			$radmac_enable = TRUE;
115	65fbb388	Scott Ullrich	}
116	6e865a74	Scott Ullrich
117	ebc0e4b6	Ermal	/* find radius context */
118			$radiusctx = 'first';
119			if ($_POST['auth_user2'])
120			$radiusctx = 'second';
121
122	65fbb388	Scott Ullrich	if ($_POST['logout_id']) {
123	532cb894	Ermal	echo <<<EOD
124	5b237745	Scott Ullrich	<HTML>
125			<HEAD><TITLE>Disconnecting...</TITLE></HEAD>
126			<BODY BGCOLOR="#435370">
127			<SPAN STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">
128	b2ce71ff	Scott Ullrich	<B>You have been disconnected.</B>
129	5b237745	Scott Ullrich	</SPAN>
130			<SCRIPT LANGUAGE="JavaScript">
131			<!--
132			setTimeout('window.close();',5000) ;
133			-->
134			</SCRIPT>
135			</BODY>
136			</HTML>
137
138			EOD;
139	006802ab	Ermal	captiveportal_disconnect_client($_POST['logout_id']);
140	3b832418	bcyrill
141	81ce28d8	Renato Botelho	} else if ($macfilter && $clientmac && captiveportal_blocked_mac($clientmac)) {
142	8d5ddc09	Renato Botelho	captiveportal_logportalauth($clientmac,$clientmac,$clientip,"Blocked MAC address");
143			if (!empty($cpcfg['blockedmacsurl']))
144			portal_reply_page($cpcfg['blockedmacsurl'], "redir");
145			else
146			portal_reply_page($redirurl, "error", "This MAC address has been blocked");
147
148	ebc0e4b6	Ermal	} else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip, $radiusctx)) {
149	3b832418	bcyrill	/* radius functions handle everything so we exit here since we're done */
150	65fbb388	Scott Ullrich
151	8015e67b	Erik Fonnesbeck	} else if (portal_consume_passthrough_credit($clientmac)) {
152	3b832418	bcyrill	/* allow the client through if it had a pass-through credit for its MAC */
153			captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
154			portal_allow($clientip, $clientmac, "unauthenticated");
155	8015e67b	Erik Fonnesbeck
156	89341b50	Chris Buechler	} else if (isset($config['voucher'][$cpzone]['enable']) && $_POST['accept'] && $_POST['auth_voucher']) {
157	3b832418	bcyrill	$voucher = trim($_POST['auth_voucher']);
158			$timecredit = voucher_auth($voucher);
159			// $timecredit contains either a credit in minutes or an error message
160			if ($timecredit > 0) { // voucher is valid. Remaining minutes returned
161			// if multiple vouchers given, use the first as username
162			$a_vouchers = preg_split("/[\t\n\r ]+/s",$voucher);
163			$voucher = $a_vouchers[0];
164			$attr = array( 'voucher' => 1,
165			'session_timeout' => $timecredit*60,
166			'session_terminate_time' => 0);
167			if (portal_allow($clientip, $clientmac,$voucher,null,$attr)) {
168			// YES: user is good for $timecredit minutes.
169			captiveportal_logportalauth($voucher,$clientmac,$clientip,"Voucher login good for $timecredit min.");
170			} else {
171			portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg);
172			}
173			} else if (-1 == $timecredit) { // valid but expired
174			captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE","voucher expired");
175			portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg);
176			} else {
177			captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE");
178			portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgnoaccess'] ? $config['voucher'][$cpzone]['msgnoaccess'] : $errormsg);
179			}
180	336e3c1c	Charlie
181	65fbb388	Scott Ullrich	} else if ($_POST['accept'] && $radius_enable) {
182	16a0308d	Michael Newton	if (($_POST['auth_user'] && isset($_POST['auth_pass'])) \|\| ($_POST['auth_user2'] && isset($_POST['auth_pass2']))) {
183	3b832418	bcyrill	if (!empty($_POST['auth_user'])) {
184			$user = $_POST['auth_user'];
185			$paswd = $_POST['auth_pass'];
186			} else if (!empty($_POST['auth_user2'])) {
187			$user = $_POST['auth_user2'];
188			$paswd = $_POST['auth_pass2'];
189			}
190			$auth_list = radius($user,$paswd,$clientip,$clientmac,"USER LOGIN", $radiusctx);
191			$type = "error";
192			if (!empty($auth_list['url_redirection'])) {
193			$redirurl = $auth_list['url_redirection'];
194			$type = "redir";
195			}
196
197			if ($auth_list['auth_val'] == 1) {
198			captiveportal_logportalauth($user,$clientmac,$clientip,"ERROR",$auth_list['error']);
199			portal_reply_page($redirurl, $type, $auth_list['error'] ? $auth_list['error'] : $errormsg);
200			} else if ($auth_list['auth_val'] == 3) {
201			captiveportal_logportalauth($user,$clientmac,$clientip,"FAILURE",$auth_list['reply_message']);
202			portal_reply_page($redirurl, $type, $auth_list['reply_message'] ? $auth_list['reply_message'] : $errormsg);
203			}
204			} else {
205			if (!empty($_POST['auth_user']))
206			$user = $_POST['auth_user'];
207			else if (!empty($_POST['auth_user2']))
208			$user = $_POST['auth_user2'];
209			else
210			$user = 'unknown';
211			captiveportal_logportalauth($user ,$clientmac,$clientip,"ERROR");
212			portal_reply_page($redirurl, "error", $errormsg);
213	814992f7	Ermal	}
214	65fbb388	Scott Ullrich
215	b7ae00c0	bcyrill	} else if ($_POST['accept'] && $cpcfg['auth_method'] == "local") {
216	3b832418	bcyrill	if ($_POST['auth_user'] && $_POST['auth_pass']) {
217			//check against local user manager
218			$loginok = local_backed($_POST['auth_user'], $_POST['auth_pass']);
219	a8cb0038	Renato Botelho
220			if ($loginok && isset($cpcfg['localauth_priv']))
221			$loginok = userHasPrivilege(getUserEntry($_POST['auth_user']), "user-services-captiveportal-login");
222
223	3b832418	bcyrill	if ($loginok){
224			captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
225			portal_allow($clientip, $clientmac,$_POST['auth_user']);
226			} else {
227			captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
228			portal_reply_page($redirurl, "error", $errormsg);
229			}
230			} else
231	90477318	Ermal	portal_reply_page($redirurl, "error", $errormsg);
232	3b832418	bcyrill
233	b7ae00c0	bcyrill	} else if ($_POST['accept'] && $clientip && $cpcfg['auth_method'] == "none") {
234	3b832418	bcyrill	captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
235			portal_allow($clientip, $clientmac, "unauthenticated");
236
237	65fbb388	Scott Ullrich	} else {
238	3b832418	bcyrill	/* display captive portal page */
239			portal_reply_page($redirurl, "login",null,$clientmac,$clientip);
240	5b237745	Scott Ullrich	}
241
242	4a5feb83	Ermal	ob_flush();
243	03552507	Erik Fonnesbeck
244	60b66b60	Ermal	?>

Project

General

Profile

pfSense