/src/etc/inc/authgui.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/etc/inc/authgui.inc @ 6f838722

1	16513324	Holger Bauer	<?php
2	995df6c3	Stephen Beaver	/* ====================================================================
3			* Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved.
4			* Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
5			* Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
6			* Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>.
7			*
8			* Redistribution and use in source and binary forms, with or without modification,
9			* are permitted provided that the following conditions are met:
10			*
11			* 1. Redistributions of source code must retain the above copyright notice,
12			* this list of conditions and the following disclaimer.
13			*
14			* 2. Redistributions in binary form must reproduce the above copyright
15			* notice, this list of conditions and the following disclaimer in
16			* the documentation and/or other materials provided with the
17			* distribution.
18			*
19			* 3. All advertising materials mentioning features or use of this software
20			* must display the following acknowledgment:
21			* "This product includes software developed by the pfSense Project
22			* for use in the pfSense software distribution. (http://www.pfsense.org/).
23			*
24			* 4. The names "pfSense" and "pfSense Project" must not be used to
25			* endorse or promote products derived from this software without
26			* prior written permission. For written permission, please contact
27			* coreteam@pfsense.org.
28			*
29			* 5. Products derived from this software may not be called "pfSense"
30			* nor may "pfSense" appear in their names without prior written
31			* permission of the Electric Sheep Fencing, LLC.
32			*
33			* 6. Redistributions of any form whatsoever must retain the following
34			* acknowledgment:
35			*
36			* "This product includes software developed by the pfSense Project
37			* for use in the pfSense software distribution (http://www.pfsense.org/).
38			*
39			* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
40			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
43			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50			* OF THE POSSIBILITY OF SUCH DAMAGE.
51			*
52			* ====================================================================
53			*
54			*/
55	483e6de8	Scott Ullrich	include_once("auth.inc");
56	6dc88d53	Ermal Luci	include_once("priv.inc");
57	1e0b1727	Phil Davis	if (!function_exists('platform_booting')) {
58	cb054444	Ermal LUÇI	require_once('globals.inc');
59	1e0b1727	Phil Davis	}
60	16513324	Holger Bauer
61			/* Authenticate user - exit if failed */
62	6306b5dd	Ermal Lu?i	if (!session_auth()) {
63			display_login_form();
64	45ee90ed	Matthew Grooms	exit;
65	6306b5dd	Ermal Lu?i	}
66	45ee90ed	Matthew Grooms
67			/*
68			* Once here, the user has authenticated with the web server.
69			* We give them access only to the appropriate pages based on
70			* the user or group privileges.
71			*/
72	c4a9f99a	jim-p	$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']);
73	16513324	Holger Bauer
74	45ee90ed	Matthew Grooms	/*
75	403a270e	Ermal Luçi	* redirect to first allowed page if requesting a wrong url
76	45ee90ed	Matthew Grooms	*/
77	8559c9d9	jim-p
78			/* Fix this up otherwise the privilege check will fail. See Redmine #5909. */
79			if ($_SERVER['REQUEST_URI'] == "/") {
80			$_SERVER['REQUEST_URI'] = "/index.php";
81			}
82
83	14f5f705	marcelloc	if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
84	403a270e	Ermal Luçi	if (count($allowedpages) > 0) {
85			$page = str_replace('*', '', $allowedpages[0]);
86			$_SESSION['Post_Login'] = true;
87	5c15e649	sullrich	require_once("functions.inc");
88	403a270e	Ermal Luçi	pfSenseHeader("/{$page}");
89	0d4f348f	jim-p
90			$username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
91	1e0b1727	Phil Davis	if (!empty($_SERVER['REMOTE_ADDR'])) {
92	0d4f348f	jim-p	$username .= '@' . $_SERVER['REMOTE_ADDR'];
93	1e0b1727	Phil Davis	}
94	0d4f348f	jim-p	log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}.");
95
96	403a270e	Ermal Luçi	exit;
97			} else {
98	0b70d9f4	Carlos Eduardo Ramos	display_error_form("201", gettext("No page assigned to this user! Click here to logout."));
99	403a270e	Ermal Luçi	exit;
100			}
101	1e0b1727	Phil Davis	} else {
102	403a270e	Ermal Luçi	$_SESSION['Post_Login'] = true;
103	1e0b1727	Phil Davis	}
104	16513324	Holger Bauer
105	45ee90ed	Matthew Grooms	/*
106	d97ab688	Matthew Grooms	* redirect browsers post-login to avoid pages
107	1e0b1727	Phil Davis	* taking action in response to a POST request
108	45ee90ed	Matthew Grooms	*/
109	d97ab688	Matthew Grooms	if (!$_SESSION['Post_Login']) {
110	c9dddd59	sullrich	$_SESSION['Post_Login'] = true;
111	5c15e649	sullrich	require_once("functions.inc");
112	d97ab688	Matthew Grooms	pfSenseHeader($_SERVER['REQUEST_URI']);
113			exit;
114			}
115	16513324	Holger Bauer
116	1180e4f0	Sjon Hortensius	/*
117	4111fcf5	Ermal	* Close session data to allow other scripts from same host to come in.
118			* A session can be reactivated from calling session_start again
119			*/
120			session_commit();
121
122	45ee90ed	Matthew Grooms	/*
123			* determine if the user is allowed access to the requested page
124			*/
125	16513324	Holger Bauer	function display_error_form($http_code, $desc) {
126	45ee90ed	Matthew Grooms	global $config, $g;
127	995df6c3	Stephen Beaver
128	1e0b1727	Phil Davis	if (isAjax()) {
129	addc0439	Renato Botelho	printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc);
130	16513324	Holger Bauer	return;
131			}
132
133	9d624e6b	Jared Dillard	$cssfile = "/bootstrap/css/pfSense.css";
134
135			if (isset($config['system']['webgui']['webguicss'])) {
136	4e322e2c	Phil Davis	if (file_exists("bootstrap/css/" . $config['system']['webgui']['webguicss'])) {
137	9d624e6b	Jared Dillard	$cssfile = "/bootstrap/css/" . $config['system']['webgui']['webguicss'];
138			}
139			}
140
141	16513324	Holger Bauer	?>
142	1180e4f0	Sjon Hortensius	<!DOCTYPE html>
143			<html lang="en">
144			<head>
145	e71c09fa	heper	<meta name="viewport" content="width=device-width, initial-scale=1">
146	9d624e6b	Jared Dillard	<link rel="stylesheet" href="<?=$cssfile?>" />
147	1180e4f0	Sjon Hortensius	<title><?=gettext("Error: not allowed"); ?></title>
148			</head>
149			<body id="error" class="no-menu">
150			<div id="jumbotron">
151			<div class="container">
152	c7d61071	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-6 col-xs-12">
153			<!-- FIXME: We really need to POST the logout action -->
154			<div class="alert alert-danger" role="alert"><a href="index.php?logout"><?=$desc;?></a></div>
155			</div>
156	45ee90ed	Matthew Grooms	</div>
157	1180e4f0	Sjon Hortensius	</div>
158			</body>
159	16513324	Holger Bauer	</html>
160			<?php
161
162	45ee90ed	Matthew Grooms	} // end function
163	16513324	Holger Bauer
164
165			function display_login_form() {
166	45ee90ed	Matthew Grooms	require_once("globals.inc");
167			global $config, $g;
168
169			unset($input_errors);
170
171	1e0b1727	Phil Davis	if (isAjax()) {
172	45ee90ed	Matthew Grooms	if (isset($_POST['login'])) {
173	1e0b1727	Phil Davis	if ($_SESSION['Logged_In'] <> "True") {
174	0b70d9f4	Carlos Eduardo Ramos	isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = gettext("unknown reason");
175	3cfc695c	Vinicius Coque	printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error);
176	45ee90ed	Matthew Grooms	}
177			if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
178			// TODO: add the IP from the user who did lock the device
179			$whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
180	3cfc695c	Vinicius Coque	printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom);
181	45ee90ed	Matthew Grooms	}
182			}
183			exit;
184			}
185	16513324	Holger Bauer
186	1180e4f0	Sjon Hortensius	/* Check against locally configured IP addresses, which will catch when someone
187	2003b5d8	jim-p	port forwards WebGUI access from WAN to an internal IP on the router. */
188	6cfa23eb	Scott Ullrich	global $FilterIflist, $nifty_background;
189	2003b5d8	jim-p	$local_ip = false;
190	1fb55001	Ermal LUÇI	if (strpos($_SERVER['HTTP_HOST'], ":") === FALSE) {
191	2003b5d8	jim-p	$http_host_port = explode(":", $_SERVER['HTTP_HOST']);
192			$http_host = $http_host_port[0];
193			} else {
194			$http_host = $_SERVER['HTTP_HOST'];
195			}
196			if (empty($FilterIflist)) {
197			require_once('filter.inc');
198			require_once('shaper.inc');
199			filter_generate_optcfg_array();
200			}
201	f48d337f	Seth Mos	foreach ($FilterIflist as $iflist) {
202	1e0b1727	Phil Davis	if ($iflist['ip'] == $http_host) {
203	2003b5d8	jim-p	$local_ip = true;
204	1e0b1727	Phil Davis	} else if ($iflist['ipv6'] == $http_host) {
205	f48d337f	Seth Mos	$local_ip = true;
206	1e0b1727	Phil Davis	} else if (is_array($iflist['vips'])) {
207	1fb55001	Ermal LUÇI	foreach ($iflist['vips'] as $vip) {
208			if ($vip['ip'] == $http_host) {
209	067e48ab	Scott Ullrich	$local_ip = true;
210	1fb55001	Ermal LUÇI	break;
211			}
212	f48d337f	Seth Mos	}
213	1fb55001	Ermal LUÇI	unset($vip);
214	f48d337f	Seth Mos	}
215	1e0b1727	Phil Davis	if ($local_ip == true) {
216	1fb55001	Ermal LUÇI	break;
217	1e0b1727	Phil Davis	}
218	f48d337f	Seth Mos	}
219	1fb55001	Ermal LUÇI	unset($FilterIflist);
220			unset($iflist);
221
222	02156b4b	Ermal LUÇI	if ($local_ip == false) {
223			if (is_array($config['openvpn']['openvpn-server'])) {
224			foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
225			if (is_ipaddrv4($http_host) && !empty($ovpns['tunnel_network']) && ip_in_subnet($http_host, $ovpns['tunnel_network'])) {
226			$local_ip = true;
227			} else if (is_ipaddrv6($http_host) && !empty($ovpns['tunnel_networkv6']) && ip_in_subnet($http_host, $ovpns['tunnel_networkv6'])) {
228			$local_ip = true;
229			}
230	1e0b1727	Phil Davis	if ($local_ip == true) {
231	02156b4b	Ermal LUÇI	break;
232	1e0b1727	Phil Davis	}
233	71034b51	Renato Botelho	}
234			}
235			}
236	0041092c	jim-p
237	9d624e6b	Jared Dillard	$cssfile = "/bootstrap/css/pfSense.css";
238
239			if (isset($config['system']['webgui']['webguicss'])) {
240	4e322e2c	Phil Davis	if (file_exists("bootstrap/css/" . $config['system']['webgui']['webguicss'])) {
241	9d624e6b	Jared Dillard	$cssfile = "/bootstrap/css/" . $config['system']['webgui']['webguicss'];
242			}
243			}
244
245	16513324	Holger Bauer	?>
246	1180e4f0	Sjon Hortensius	<!DOCTYPE html>
247			<html lang="en">
248			<head>
249	e71c09fa	heper	<meta name="viewport" content="width=device-width, initial-scale=1">
250	9d624e6b	Jared Dillard	<link rel="stylesheet" href="<?=$cssfile?>" />
251	1180e4f0	Sjon Hortensius	<title><?=gettext("Login"); ?></title>
252	a9e60275	Chris Buechler	<script type="text/javascript">
253	8fd9052f	Colin Fleming	//<![CDATA{
254			var events = events \|\| [];
255			//]]>
256			</script>
257	1180e4f0	Sjon Hortensius	</head>
258			<body id="login" class="no-menu">
259			<div id="jumbotron">
260			<div class="container">
261	c7d61071	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-6 col-xs-12">
262	a42e7aa2	Sjon Hortensius	<?php
263	4de8f7ba	Phil Davis	if (is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) {
264	a42e7aa2	Sjon Hortensius	$nifty_background = "#999";
265			print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br /><br />If you did not setup this forwarding, you may be the target of a man-in-the-middle attack."));
266			}
267	1180e4f0	Sjon Hortensius
268	a42e7aa2	Sjon Hortensius	$loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"';
269			?>
270	1180e4f0	Sjon Hortensius
271	c7d61071	Sander van Leeuwen	<div class="panel panel-default">
272			<div class="panel-heading">
273	6d128e2b	Phil Davis	<h2 class="panel-title"><?=sprintf(gettext("Login to %s"), $g['product_name'])?></h2>
274	c7d61071	Sander van Leeuwen	</div>
275	1180e4f0	Sjon Hortensius
276	c7d61071	Sander van Leeuwen	<div class="panel-body">
277	a42e7aa2	Sjon Hortensius	<?php if (!empty($_SESSION['Login_Error'])): ?>
278	c7d61071	Sander van Leeuwen	<div class="alert alert-danger" role="alert"><?=$_SESSION['Login_Error'];?></div>
279	a42e7aa2	Sjon Hortensius	<?php endif ?>
280	62ef2804	NOYB	<div class="alert alert-warning hidden" id="no_cookies"><?= gettext("Your browser must support cookies to login."); ?></div>
281	c7d61071	Sander van Leeuwen
282			<form method="post" <?= $loginautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>" class="form-horizontal">
283			<div class="form-group">
284	d18f3f6e	Phil Davis	<label for="usernamefld" class="col-sm-3 control-label"><?=gettext("Username")?></label>
285	0a353c81	Sander van Leeuwen	<div class="col-sm-9 col-md-7">
286	d18f3f6e	Phil Davis	<input type="text" class="form-control" name="usernamefld" id="usernamefld" placeholder="<?=gettext("Enter your username")?>" autocorrect="off" autocapitalize="none" spellcheck="false">
287	c7d61071	Sander van Leeuwen	</div>
288			</div>
289
290			<div class="form-group">
291	d18f3f6e	Phil Davis	<label for="passwordfld" class="col-sm-3 control-label"><?=gettext("Password")?></label>
292	0a353c81	Sander van Leeuwen	<div class="col-sm-9 col-md-7">
293	d18f3f6e	Phil Davis	<input type="password" class="form-control" name="passwordfld" id="passwordfld" placeholder="<?=gettext("Enter your password")?>">
294	c7d61071	Sander van Leeuwen	</div>
295			</div>
296
297			<div class="form-group">
298	0a353c81	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-9 col-md-7">
299	d18f3f6e	Phil Davis	<button type="submit" class="btn btn-primary" name="login"><?=gettext("Login")?></button>
300	c7d61071	Sander van Leeuwen	</div>
301			</div>
302			</form>
303	a42e7aa2	Sjon Hortensius	</div>
304	c7d61071	Sander van Leeuwen	</div>
305	1180e4f0	Sjon Hortensius	</div>
306	45ee90ed	Matthew Grooms	</div>
307	45d6ada5	Sjon Hortensius
308	8fd9052f	Colin Fleming	<script type="text/javascript">
309			//!<[CDATA[
310	45d6ada5	Sjon Hortensius	events.push(function() {
311			document.cookie=
312			"cookie_test=1" +
313			"<?php echo $config['system']['webgui']['protocol'] == 'https' ? '; secure' : '';?>";
314
315			if (document.cookie.indexOf("cookie_test") == -1)
316	60987639	Stephen Beaver	document.getElementById("no_cookies").style.display="";
317			else
318			document.getElementById("no_cookies").style.display="none";
319	45d6ada5	Sjon Hortensius
320			// Delete it
321			document.cookie = "cookie_test=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";
322			});
323	8fd9052f	Colin Fleming	//]]>
324	45d6ada5	Sjon Hortensius	</script>
325	16513324	Holger Bauer	<?php
326	45d6ada5	Sjon Hortensius	require('foot.inc');
327	16513324	Holger Bauer
328	17ef09c3	Colin Fleming	} // end function

Project

General

Profile

pfSense