<?php
/*
    $Id$
    part of m0n0wall (http://m0n0.ch/wall)
    Copyright (C) 2009	    Ermal Luçi
    Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
    All rights reserved.
    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:
    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.
*/
/*
	pfSense_MODULE:	captiveportal
*/
require_once("auth.inc");
require_once("functions.inc");
require_once("captiveportal.inc");
/* Fallback text for a failed login.  The same wording is used on every
   failure path in this script that has no more specific message. */
$errormsg = 'Invalid credentials specified.';

/* The portal reply depends on the client's current state, so tell the browser
   and any intermediate cache not to store or reuse it. */
header('Expires: 0');
header('Cache-Control: no-store, no-cache, must-revalidate');
/* second argument FALSE: add this header instead of replacing the Cache-Control line above */
header('Cache-Control: post-check=0, pre-check=0', false);
header('Pragma: no-cache');
header('Connection: close');

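/* The zone name comes straight from the request and is therefore under the
   client's control.  Further down it is used as a key into $config, as part
   of a file name and inside a Location header, so it is accepted only when
   it is a string naming a zone that exists in the configuration. */
$cpzone = isset($_REQUEST['zone']) ? $_REQUEST['zone'] : null;
if (!is_string($cpzone) || !isset($config['captiveportal'][$cpzone])) {
	/* the rejected value is deliberately kept out of the log line */
	log_error("Captive portal request with a missing or unknown zone.");
	echo "An error occurred.  Please check the system logs for more information.";
	exit;
}
$cpcfg = $config['captiveportal'][$cpzone];

/* NOTE(review): HTTP_HOST is presumably the Host header as handed over by the
   web server, i.e. client-supplied; confirm. */
$orig_host = $_ENV['HTTP_HOST'];
/* redirurl request parameter, kept exactly as received */
$orig_request = $_REQUEST['redirurl'];
$clientip = $_SERVER['REMOTE_ADDR'];
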
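if (!$clientip) {
	/* The client address is needed for the MAC lookup and for every portal
	   call below, so give up when it is missing. */
	log_error("Captive portal could not determine client's IP address.");
	$error_message = "An error occurred.  Please check the system logs for more information.";
	/* Show the generic failure text prepared above.  The original passed
	   $errormsg here, which told the client its credentials were invalid
	   although no credentials had been checked.
	   $redirurl has not been assigned yet at this point in the script. */
	portal_reply_page($redirurl, "error", $error_message);
	exit;
}
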
/* Listening ports of this zone: a configured port wins, otherwise the port is
   derived from the zone id (zoneid for HTTP, zoneid + 1 for HTTPS). */
$listenporthttps = $cpcfg['listenporthttps'];
if (!$listenporthttps) {
	$listenporthttps = $cpcfg['zoneid'] + 1;
}
$listenporthttp = $cpcfg['listenporthttp'];
if (!$listenporthttp) {
	$listenporthttp = $cpcfg['zoneid'];
}

/* Work out the host:port under which the portal itself is reached. */
if (isset($config['captiveportal'][$cpzone]['httpslogin'])) {
	/* HTTPS login: use the configured server name */
	$ourhostname = "{$config['captiveportal'][$cpzone]['httpsname']}:{$listenporthttps}";
} else {
	$ifip = portal_ip_from_client_ip($clientip);
	if ($ifip) {
		$ourhostname = "{$ifip}:{$listenporthttp}";
	} else {
		/* NOTE(review): hostname and domain are joined without a "."
		   between them; confirm that this is what the stored values need. */
		$ourhostname = $config['system']['hostname'] . $config['system']['domain'] . ":{$listenporthttp}";
	}
}

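if ($orig_host != $ourhostname) {
	/* The client thinks it is connected to the web server it asked for, but
	   it has reached the portal instead.  Redirect it to the portal's own
	   address and carry the originally requested URL along in redirurl. */
	$cp_scheme = isset($config['captiveportal'][$cpzone]['httpslogin']) ? "https" : "http";
	/* $cpzone, $orig_host and $orig_request all originate from the request,
	   so each of them is URL-encoded before it goes into the query string.
	   The original inserted $cpzone unencoded. */
	$cp_query = "zone=" . urlencode((string)$cpzone) . "&redirurl=" . urlencode("http://{$orig_host}{$orig_request}");
	header("Location: {$cp_scheme}://{$ourhostname}/index.php?{$cp_query}");

	exit;
}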
/* Pick the value of $redirurl, in this order of preference:
     1. the redirect URL configured for the zone;
     2. a "redirurl=" value found inside the redirurl request parameter;
     3. the redirurl request parameter itself.
   When none of them applies, $redirurl is left unassigned.
   NOTE(review): cases 2 and 3 are client-supplied and are passed on to
   portal_reply_page() without any check here; confirm that the helper
   restricts the target and escapes it for the page it builds. */
if (!empty($config['captiveportal'][$cpzone]['redirurl'])) {
	$redirurl = $config['captiveportal'][$cpzone]['redirurl'];
} elseif (preg_match("/redirurl=(.*)/", $orig_request, $matches)) {
	$redirurl = urldecode($matches[1]);
} elseif ($_REQUEST['redirurl']) {
	$redirurl = $_REQUEST['redirurl'];
}

/* MAC filtering is active unless the zone sets "nomacfilter"; pass-through
   MAC handling is active when the zone sets "passthrumacadd". */
$macfilter = !isset($config['captiveportal'][$cpzone]['nomacfilter']);
$passthrumac = isset($config['captiveportal'][$cpzone]['passthrumacadd']);

/* Look up the client's MAC address from its IP address. */
$clientmac = arp_get_mac_by_ip($clientip);
if (($macfilter || $passthrumac) && !$clientmac) {
	/* A MAC address is required by one of the two features above but could
	   not be found: record the failure and stop. */
	captiveportal_logportalauth("unauthenticated", "noclientmac", $clientip, "ERROR");
	echo "An error occurred.  Please check the system logs for more information.";
	log_error("Captive portal could not determine client's MAC address.  Disable MAC address filtering in captive portal if you do not need this functionality.");
	exit;
}

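/* Find out whether RADIUS, and RADIUS MAC authentication, are in use.
   Both flags start out FALSE so that the checks further down never read an
   undefined variable; the original only assigned them on the TRUE path.
   NOTE(review): $cpzone is request-derived and becomes part of this file
   name; it should be limited to known zone names before this point. */
$radius_enable = FALSE;
$radmac_enable = FALSE;
if (file_exists("{$g['vardb_path']}/captiveportal_radius_{$cpzone}.db")) {
	$radius_enable = TRUE;
	if (isset($config['captiveportal'][$cpzone]['radmac_enable'])) {
		$radmac_enable = TRUE;
	}
}

/* RADIUS context: 'second' when the second user name field was posted,
   otherwise 'first'. */
$radiusctx = 'first';
if (!empty($_POST['auth_user2'])) {
	$radiusctx = 'second';
}
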
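/*
 * Request dispatch.  Exactly one branch runs; they are tested in this order:
 *   1. logout request (logout_id posted)
 *   2. RADIUS MAC authentication
 *   3. pass-through credit for the client's MAC
 *   4. voucher login
 *   5. RADIUS user login
 *   6. login against the local user manager
 *   7. auth method "none": accepting the page is enough
 *   8. anything else: show the login page
 */
if ($_POST['logout_id']) {
	echo <<<EOD
<HTML>
<HEAD><TITLE>Disconnecting...</TITLE></HEAD>
<BODY BGCOLOR="#435370">
<SPAN STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">
<B>You have been disconnected.</B>
</SPAN>
<SCRIPT LANGUAGE="JavaScript">
<!--
setTimeout('window.close();',5000) ;
-->
</SCRIPT>
</BODY>
</HTML>

EOD;
	/* NOTE(review): logout_id comes from the request and is handed over as
	   received; confirm that captiveportal_disconnect_client() only ends a
	   session that belongs to this client. */
	captiveportal_disconnect_client($_POST['logout_id']);
	exit;
} else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac, $clientip, $radiusctx)) {
	/* radius functions handle everything so we exit here since we're done */
	exit;

} else if (portal_consume_passthrough_credit($clientmac)) {
	/* allow the client through if it had a pass-through credit for its MAC */
	captiveportal_logportalauth("unauthenticated", $clientmac, $clientip, "ACCEPT");
	portal_allow($clientip, $clientmac, "unauthenticated");

} else if ($config['voucher'][$cpzone]['enable'] && $_POST['accept'] && $_POST['auth_voucher']) {

	$voucher = trim($_POST['auth_voucher']);
	/* $timecredit contains either a credit in minutes or an error message */
	$timecredit = voucher_auth($voucher);
	/* Make sure the value is a number before comparing it with 0.  Since
	   PHP 8 a non-numeric string is compared with a number as a string, so
	   an error message could otherwise pass the "> 0" test and be treated
	   as remaining credit. */
	if (is_numeric($timecredit) && $timecredit > 0) {
		/* voucher is valid; when several vouchers were entered, the first
		   one serves as the user name */
		$a_vouchers = preg_split("/[\t\n\r ]+/s", $voucher);
		$voucher = $a_vouchers[0];
		$attr = array(
			'voucher' => 1,
			'session_timeout' => $timecredit*60,
			'session_terminate_time' => 0
		);
		if (portal_allow($clientip, $clientmac, $voucher, null, $attr)) {
			/* the user is good for $timecredit minutes */
			captiveportal_logportalauth($voucher, $clientmac, $clientip, "Voucher login good for $timecredit min.");
		} else {
			portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired'] : $errormsg);
		}
	} else if (-1 == $timecredit) {
		/* valid but expired */
		captiveportal_logportalauth($voucher, $clientmac, $clientip, "FAILURE", "voucher expired");
		portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired'] : $errormsg);
	} else {
		captiveportal_logportalauth($voucher, $clientmac, $clientip, "FAILURE");
		portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgnoaccess'] ? $config['voucher'][$cpzone]['msgnoaccess'] : $errormsg);
	}

} else if ($_POST['accept'] && $radius_enable) {

	if (($_POST['auth_user'] && $_POST['auth_pass']) || ($_POST['auth_user2'] && $_POST['auth_pass2'])) {
		/* NOTE(review): the first user name is preferred whenever it is
		   filled in, even if only the second name/password pair is
		   complete; the first name is then sent with an empty password.
		   Confirm that this is intended. */
		if (!empty($_POST['auth_user'])) {
			$user = $_POST['auth_user'];
			$paswd = $_POST['auth_pass'];
		} else if (!empty($_POST['auth_user2'])) {
			$user = $_POST['auth_user2'];
			$paswd = $_POST['auth_pass2'];
		}
		$auth_list = radius($user, $paswd, $clientip, $clientmac, "USER LOGIN", $radiusctx);
		$type = "error";
		/* a redirect URL returned in the RADIUS result replaces $redirurl */
		if (!empty($auth_list['url_redirection'])) {
			$redirurl = $auth_list['url_redirection'];
			$type = "redir";
		}

		/* Only auth_val 1 and 3 are answered here.  For any other value
		   this script sends no reply of its own; presumably radius() has
		   already dealt with the client - confirm. */
		if ($auth_list['auth_val'] == 1) {
			captiveportal_logportalauth($user, $clientmac, $clientip, "ERROR", $auth_list['error']);
			portal_reply_page($redirurl, $type, $auth_list['error'] ? $auth_list['error'] : $errormsg);
		} else if ($auth_list['auth_val'] == 3) {
			captiveportal_logportalauth($user, $clientmac, $clientip, "FAILURE", $auth_list['reply_message']);
			portal_reply_page($redirurl, $type, $auth_list['reply_message'] ? $auth_list['reply_message'] : $errormsg);
		}
	} else {
		/* user name or password missing: log under whatever name was posted */
		if (!empty($_POST['auth_user'])) {
			$user = $_POST['auth_user'];
		} else if (!empty($_POST['auth_user2'])) {
			$user = $_POST['auth_user2'];
		} else {
			$user = 'unknown';
		}
		captiveportal_logportalauth($user, $clientmac, $clientip, "ERROR");
		portal_reply_page($redirurl, "error", $errormsg);
	}

} else if ($_POST['accept'] && $config['captiveportal'][$cpzone]['auth_method'] == "local") {

	if ($_POST['auth_user'] && $_POST['auth_pass']) {
		/* check against the local user manager */
		$loginok = local_backed($_POST['auth_user'], $_POST['auth_pass']);
		if ($loginok) {
			captiveportal_logportalauth($_POST['auth_user'], $clientmac, $clientip, "LOGIN");
			portal_allow($clientip, $clientmac, $_POST['auth_user']);
		} else {
			captiveportal_logportalauth($_POST['auth_user'], $clientmac, $clientip, "FAILURE");
			portal_reply_page($redirurl, "error", $errormsg);
		}
	} else {
		portal_reply_page($redirurl, "error", $errormsg);
	}
} else if ($_POST['accept'] && $clientip && $config['captiveportal'][$cpzone]['auth_method'] == "none") {
	/* no authentication configured: accepting the page lets the client in */
	captiveportal_logportalauth("unauthenticated", $clientmac, $clientip, "ACCEPT");
	portal_allow($clientip, $clientmac, "unauthenticated");
} else {
	/* display captive portal page */
	portal_reply_page($redirurl, "login", null, $clientmac, $clientip);
}

exit;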
?>