<?php
/*
 * authgui.inc
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
 * Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
 * Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>
 * Copyright (c) 2004-2013 BSD Perimeter
 * Copyright (c) 2013-2016 Electric Sheep Fencing
 * Copyright (c) 2014-2020 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
include_once("auth.inc");
include_once("priv.inc");
if (!function_exists('platform_booting')) {
	require_once('globals.inc');
}
require_once('pfsense-utils.inc');

/* Authenticate user - exit if failed */
/* Nothing below this point runs for an unauthenticated request: the login
 * form is rendered and the script exits here. */
if (!session_auth()) {
	display_login_form();
	exit;
}

phpsession_begin();

/*
 * Once here, the user has authenticated with the web server.
 * We give them access only to the appropriate pages based on
 * the user or group privileges.
 */
$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']);

/*
 * Get user-based preference settings so they can be easily referenced.
 * display_error_form() below reaches this via "global $user_settings".
 */
$user_settings = get_user_settings($_SESSION['Username']);

/*
 * redirect to first allowed page if requesting a wrong url
 */

/* Fix this up otherwise the privilege check will fail. See Redmine #5909. */
/* Rewritten before isAllowedPage() sees it, so the bare site root is
 * evaluated as the index page rather than as an unmatched URI. */
if ($_SERVER['REQUEST_URI'] == "/") {
	$_SERVER['REQUEST_URI'] = "/index.php";
}

/* Privilege gate. Both rejecting branches exit, so any code after this
 * statement only runs for a page the user is permitted to see. */
if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
	if (count($allowedpages) > 0) {
		/* Allowed-page entries may contain a '*' wildcard; strip it to form a URL */
		$page = str_replace('*', '', $allowedpages[0]);
		$_SESSION['Post_Login'] = true;
		require_once("functions.inc");
		pfSenseHeader("/{$page}");

		/* NOTE(review): the denied access is logged only after pfSenseHeader();
		 * if that helper terminates the request, this log line never runs —
		 * confirm in functions.inc. */
		$username = get_config_user();
		log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}.");

		exit;
	} else {
		// add this so they don't get stuck on the logout page when they have no permissions.
		$_SESSION["Logged_In"] = false;
		display_error_form("201", gettext("No page assigned to this user! Click here to logout."));

		exit;
	}
} else {
	$_SESSION['Post_Login'] = true;
}

/*
 * redirect browsers post-login to avoid pages
 * taking action in response to a POST request
 */
/* As written, every path that reaches this point has already set
 * $_SESSION['Post_Login'] to true above, so this branch does not fire from
 * this file; it is kept unchanged. */
if (!$_SESSION['Post_Login']) {
	$_SESSION['Post_Login'] = true;
	require_once("functions.inc");
	pfSenseHeader($_SERVER['REQUEST_URI']);
	exit;
}

/*
 * Close session data to allow other scripts from same host to come in.
 * A session can be reactivated from calling phpsession_begin again
 */
phpsession_end(true);
/*
 * Render an error page and return (the caller is expected to exit).
 *
 * For AJAX requests (isAjax()) only a one-line "Error: … Description: …"
 * text is printed. Otherwise a full HTML page is emitted whose body holds
 * $desc as the text of a link to index.php?logout.
 *
 * $http_code - shown on the AJAX path only; the HTML path does not use it
 *              and sets no HTTP status from it.
 * $desc      - message text. It is written into the page unescaped, so
 *              callers must pass trusted or pre-escaped text; the caller in
 *              this file passes a gettext() literal.
 */
function display_error_form($http_code, $desc) {
	global $config, $user_settings, $g;

	/* AJAX callers get a plain text line instead of the page */
	if (isAjax()) {
		printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc);
		return;
	}

	/* Fixed background colour for the error page body (used in the style attribute below) */
	$logincssfile = "#770101";
?>

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta name="viewport" content="width=device-width, initial-scale=1">
	    <link rel="stylesheet" href="/vendor/bootstrap/css/bootstrap.min.css" type="text/css">
	    <link rel="stylesheet" href="/css/login.css?v=<?=filemtime('/usr/local/www/css/login.css')?>" type="text/css">
		<title><?=gettext("Error"); ?></title>
	</head>

	<body id="error" >
		<div id="total">
			<header>
				<div id="headerrow">
					<div class="row">
						<div class="col-sm-4">
							<div id="logodiv" style="text-align:center" class="nowarning">
								<?php include("/usr/local/www/logo.svg"); ?>
							</div>
						</div>
						<div class="col-sm-8 nowarning msgbox text-center">
							<span id="hostspan">
							</span>
						</div>
					</div>
				</div>
			</header>

			<div style="background: <?=$logincssfile?>;" class="pagebody">
				<div class="col-sm-2"></div>

				<div class="col-sm-8 offset-md-4 logoCol">
					<div class="loginCont center-block error-panel">
						<a href="index.php?logout"><?=$desc;?></a>
					</div>
				</div>

			<div class="col-sm-2"></div>
			</div>

			<footer id="3">
			<div id="footertext">
					<p class="text-muted">
						<?=print_credit()?>
					</p>
				</div>
			</footer>
		</div>
	</body>
</html>

<?php

} // end function
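/*
 * Render the WebGUI login page, or answer an AJAX probe.
 *
 * AJAX requests (isAjax()) never receive the page: if a login was posted and
 * the session is not logged in, a showajaxmessage() snippet carrying
 * $_SESSION['Login_Error'] is printed (plus a maintenance notice when
 * {$g['tmp_path']}/webconfigurator.lock exists); then "SESSION_TIMEOUT" is
 * echoed and the script exits.
 *
 * For browsers, the Host header is reduced to a bare host and compared with
 * the addresses configured on this box: interface addresses and VIPs from
 * $FilterIflist, then OpenVPN server tunnel networks from $config. When the
 * request arrived at a literal IP address that is not one of ours and
 * system/webgui/nohttpreferercheck is not set, the page carries an extra
 * warning row about possibly forwarded traffic.
 *
 * Globals: $config (system/webgui settings, hostname, openvpn), $g
 * (product_name, tmp_path) and $FilterIflist (filled via
 * filter_generate_optcfg_array() when empty, and unset again afterwards).
 */
function display_login_form() {
	require_once("globals.inc");
	global $config, $g;

	if (isAjax()) {
		if (isset($_POST['login'])) {
			if ($_SESSION['Logged_In'] <> "True") {
				/* Login_Error is set by the server-side authentication code.
				 * It is placed inside a JS string literal below without
				 * escaping, so it must never contain client-supplied text.
				 * NOTE(review): confirm against the code that sets it. */
				$login_error = isset($_SESSION['Login_Error']) ? $_SESSION['Login_Error'] : gettext("unknown reason");
				printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error);
			}
			if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
				// TODO: add the IP from the user who did lock the device
				/* Lock file content is emitted into the JS string unescaped as well */
				$whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
				printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom);
			}
		}
		//If session ended
		echo "SESSION_TIMEOUT";
		exit;
	}

	/* Check against locally configured IP addresses, which will catch when someone
	   port forwards WebGUI access from WAN to an internal IP on the router. */
	global $FilterIflist;

	$local_ip = false;

	/*
	 * Reduce the Host header to a bare host so it can be compared with the
	 * configured addresses. Any ":port" suffix is dropped: a bracketed IPv6
	 * literal ("[2001:db8::1]:443") yields the address between the brackets,
	 * anything else yields what precedes the first ':'. A request with no
	 * Host header is treated as an empty host, which is never an IP address
	 * and so never triggers the warning.
	 */
	$http_host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
	if (substr($http_host, 0, 1) === '[') {
		$bracket_end = strpos($http_host, ']');
		if ($bracket_end !== false) {
			$http_host = substr($http_host, 1, $bracket_end - 1);
		}
	} else if (strpos($http_host, ':') !== false) {
		$http_host = substr($http_host, 0, strpos($http_host, ':'));
	}

	if (empty($FilterIflist)) {
		require_once('filter.inc');
		require_once('shaper.inc');
		filter_generate_optcfg_array();
	}

	/* Interface addresses (v4 and v6) and their VIPs */
	foreach ($FilterIflist as $iflist) {
		if ($iflist['ip'] == $http_host || $iflist['ipv6'] == $http_host) {
			$local_ip = true;
		} else if (is_array($iflist['vips'])) {
			foreach ($iflist['vips'] as $vip) {
				if ($vip['ip'] == $http_host) {
					$local_ip = true;
					break;
				}
			}

			unset($vip);
		}

		if ($local_ip) {
			break;
		}
	}

	unset($FilterIflist);
	unset($iflist);

	/* OpenVPN server tunnel networks: the client may be reaching us over a VPN */
	if (!$local_ip && is_array($config['openvpn']['openvpn-server'])) {
		foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
			if (is_ipaddrv4($http_host) && !empty($ovpns['tunnel_network']) && ip_in_subnet($http_host, $ovpns['tunnel_network'])) {
				$local_ip = true;
			} else if (is_ipaddrv6($http_host) && !empty($ovpns['tunnel_networkv6']) && ip_in_subnet($http_host, $ovpns['tunnel_networkv6'])) {
				$local_ip = true;
			}

			if ($local_ip) {
				break;
			}
		}
	}

	// For the login form, get the settings of no particular user.
	// That ensures we will use the system default theme for the login form.
	$user_settings = get_user_settings("");

	/* Page body background colour. The configured logincss value is written
	 * into a style attribute below unescaped; only a 6-character value is
	 * accepted, anything else falls back to the default. */
	$logincssfile = "#1e3f75";

	if (isset($user_settings['webgui']['logincss']) && strlen($user_settings['webgui']['logincss']) == 6) {
		$logincssfile = "#" . $user_settings['webgui']['logincss'];
	}

	/* Banner and title: either the FQDN of this box or a generic product string */
	if (isset($config['system']['webgui']['loginshowhost'])) {
		$loginbannerstr = sprintf(gettext('%1$s.%2$s'), htmlspecialchars($config['system']['hostname']), htmlspecialchars($config['system']['domain']));
		$login_title = gettext(htmlspecialchars($config['system']['hostname'] . " - Login"));
	} else {
		$loginbannerstr = sprintf(gettext('Login to %1$s'), $g['product_name']);
		$login_title = gettext("pfSense - Login");
	}

	$loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"';

	/* Warn when the request came in on a literal IP address that is not ours */
	if (is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) {
		$warnclass = "pagebodywarn";	// Make room for a warning display row
	} else {
		$warnclass = "pagebody";
	}
?>
<!DOCTYPE html>
<html lang="en">
	<head>
		<meta name="viewport" content="width=device-width, initial-scale=1">
	    <link rel="stylesheet" href="/vendor/bootstrap/css/bootstrap.min.css" type="text/css">
	    <link rel="stylesheet" href="/css/login.css?v=<?=filemtime('/usr/local/www/css/login.css')?>" type="text/css">
		<title><?=$login_title; ?></title>
		<script type="text/javascript">
			//<![CDATA[
			var events = events || [];
			//]]>
		</script>
	</head>

	<body id="login" >
		<div id="total">
			<header>
				<div id="headerrow">
					<div class="row">
						<!-- Header left logo box -->
						<div class="col-sm-4">
							<div id="logodiv" style="text-align:center" class="nowarning">
								<?php include("/usr/local/www/logo.svg"); ?>
							</div>
						</div>

						<!-- Header center message box -->
						<div class="col-sm-4 nowarning msgbox text-center text-danger">
<?php
						/* Login_Error is server-set and printed unescaped.
						 * NOTE(review): confirm it never carries client-supplied text. */
						if (!empty($_POST['usernamefld'])) {
							print("<h4>" . $_SESSION['Login_Error'] . "</h4>");
						}
?>
						</div>

						<!-- Header right message box (hostname or msg)-->
						<div class="col-sm-4 nowarning msgbox text-center">
							<span id="hostspan">
								<a><h4><?=$loginbannerstr?></h4></a>
							</span>
						</div>
					</div>
<?php
	if ($warnclass == "pagebodywarn") {
?>
					<div class="row">
						<div class="col-sm-12">
							<div class="alert alert-warning <?=$warnclass?>">
								<?=gettext("The IP address being used to access this router is not configured locally, which may be forwarded by NAT or other means.
								If this forwarding is unexpected, it should be verified that a man-in-the-middle attack is not taking place.")?>
							</div>
						</div>
					</div>
<?php
	}
?>
	            </div>
	        </header>

	        <div style="background: <?=$logincssfile?>;" class="<?=$warnclass?>">
	        	<div class="col-sm-4"></div>

	        	<div class="col-sm-4 offset-md-4 logoCol">
					<div class="loginCont center-block">
		                <form method="post" <?=$loginautocomplete?> class="login">
			                <p class="form-title">Sign In</p>
			                <input name="usernamefld" id="usernamefld" type="text" placeholder="Username" autocorrect="off" autocapitalize="none"/>
			                <input name="passwordfld" id="passwordfld" type="password" placeholder="Password" />
			                <input type="submit" name="login" value="Sign In" class="btn btn-success btn-sm" />
		                </form>
					</div>
	            </div>

	        	<div class="col-sm-4"></div>
	        </div>

	        <footer id="3">
	            <div id="footertext">
					<p class="text-muted">
						<?=print_credit()?>
					</p>
	            </div>
	        </footer>
	    </div>

	    <script src="/vendor/jquery/jquery-3.4.1.min.js?v=<?=filemtime('/usr/local/www/vendor/jquery/jquery-3.4.1.min.js')?>"></script>
		<script src="/vendor/bootstrap/js/bootstrap.min.js?v=<?=filemtime('/usr/local/www/vendor/bootstrap/js/bootstrap.min.js')?>"></script>
		<script src="/js/pfSense.js?v=<?=filemtime('/usr/local/www/js/pfSense.js')?>"></script>

		<script type="text/javascript">
		//<![CDATA[
		events.push(function() {
			document.cookie=
				"cookie_test=1" +
				"<?php echo $config['system']['webgui']['protocol'] == 'https' ? '; secure' : '';?>";

			if (document.cookie.indexOf("cookie_test") == -1) {
				alert("<?=gettext('The browser must support cookies to login.')?>");
			}

			// Delete it
			document.cookie = "cookie_test=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";
		});
		//]]>
		</script>

	</body>
</html>

<?php
} // end function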