#!/usr/local/bin/php-cgi -f
<?php
/*
 * ipsec.auth-user.php
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2008 Shrew Soft Inc
 * Copyright (c) 2008-2013 BSD Perimeter
 * Copyright (c) 2013-2016 Electric Sheep Fencing
 * Copyright (c) 2014-2025 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/*
 * The IPsec daemon (charon) calls this script to authenticate a user
 * from a username and password. The credentials are checked against the
 * authentication servers listed in "authcfg" (including the local user
 * database kept in config.xml). The verdict is reported as OK/FAILED on
 * stdout when the parameters arrived as a query string, or as the exit
 * status when they arrived through the environment.
 */
require_once("globals.inc");
require_once("config.inc");
require_once("auth.inc");
require_once("interfaces.inc");

/*
 * Log through syslog's AUTH facility under the "charon" identity so the
 * entries sit next to the IKE daemon's own messages. Every exit path in
 * this script (refusal and success alike) calls closelog() first.
 */
openlog("charon", LOG_ODELAY, LOG_AUTH);
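if (isset($_GET['username'])) {
	/*
	 * Credentials passed as request parameters. Missing keys fall back
	 * to null via "??" instead of raising undefined-index notices, which
	 * php-cgi could otherwise print onto the same output that carries the
	 * OK/FAILED verdict.
	 */
	$authmodes = array_filter(explode(",", $_GET['authcfg'] ?? ''));
	$username = $_GET['username'];
	$password = $_GET['password'] ?? null;
	$common_name = $_GET['cn'] ?? null;
} else {
	/*
	 * Credentials passed through the environment by the caller.
	 * getenv() yields false for an unset variable, so the auth server
	 * list is normalised to a string before it is split.
	 */
	$username = getenv("username");
	$password = getenv("password");
	$common_name = getenv("common_name");
	$authcfg_env = getenv("authcfg");
	if ($authcfg_env === false) {
		$authcfg_env = '';
	}
	$authmodes = array_filter(explode(",", $authcfg_env));
}
/*
 * $authmodes is the ordered list of authentication servers to try. An
 * empty list means no backend is consulted and the request is refused
 * further down. array_filter() without a callback also drops the entry
 * "0", as it always did.
 */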
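/*
 * Refuse the request when no usable username was supplied. The string
 * check rejects null, false and '' as before and additionally rejects
 * array-valued query parameters (username[]=x), which the earlier
 * truthiness test let through when non-empty; the legitimate username
 * "0" is no longer mistaken for "missing".
 */
if (!is_string($username) || $username === '') {
	syslog(LOG_ERR, "invalid user authentication environment");
	if (isset($_GET['username'])) {
		/* request-parameter mode: verdict goes to stdout */
		echo "FAILED";
		closelog();
		return;
	} else {
		/* environment mode: verdict is the exit status (-1 is seen as 255) */
		closelog();
		exit (-1);
	}
}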
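$authenticated = false;

/*
 * Optional strict mode: the username must equal the certificate common
 * name. NOTE(review): nothing in this file assigns $strictusercn, so
 * unless an included file sets it this branch never fires. isset() keeps
 * the existing behaviour (unset counts as disabled) while avoiding an
 * undefined-variable warning; confirm whether the check was meant to be
 * enforced. The comparison is deliberately left loose to match the
 * previous behaviour.
 */
if (isset($strictusercn) && ($strictusercn === true) && ($common_name != $username)) {
	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.");
	if (isset($_GET['username'])) {
		echo "FAILED";
		closelog();
		return;
	} else {
		closelog();
		exit (1);
	}
}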
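/* Extra hints handed to the backends (presumably the RADIUS NAS-Identifier; verify in auth.inc) */
$attributes = ["nas_identifier" => "xauthIPsec"];

/*
 * Optional group restriction: when group_source is enabled and a list of
 * allowed groups is configured, local-database users must belong to at
 * least one of them (enforced in the loop below). The config value is
 * read once, and "no restriction" is an empty array rather than '' so
 * every later !empty() test sees a consistent type.
 */
$ipsec_groups = [];
$auth_groups_cfg = config_get_path('ipsec/client/auth_groups', '');
if ((config_get_path('ipsec/client/group_source') == 'enabled') &&
    !empty($auth_groups_cfg)) {
	$ipsec_groups = explode(",", $auth_groups_cfg);
}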
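/*
 * Try each listed authentication server in order. The first backend that
 * accepts the credentials wins. A local-database user who lacks the
 * xauth dial-in privilege (or the required group) counts as a failure
 * and the next backend is tried.
 */
foreach ($authmodes as $authmode) {
	$authcfg = auth_get_authserver($authmode);
	/* "Local Database" has no server entry; any other unknown name is skipped */
	if (!$authcfg && $authmode !== "Local Database") {
		continue;
	}

	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
	if (!$authenticated) {
		continue;
	}

	/*
	 * Fetched for every backend, not only the local one. NOTE(review):
	 * the optional ipsec.attributes.php include later in this script may
	 * rely on $userGroups — not verifiable from here, so the call stays
	 * where it was.
	 */
	$userGroups = getUserGroups($username, $authcfg, $attributes);
	if ($authmode === "Local Database") {
		$user = getUserEntry($username);
		/* "??" avoids an offset-on-non-array warning when no entry exists */
		$user = $user['item'] ?? null;
		/*
		 * Local users need the explicit xauth dial-in privilege and, when a
		 * group restriction is configured, membership in one of its groups.
		 * NOTE(review): the group restriction is applied to local users
		 * only; users accepted by another backend are not checked against
		 * $ipsec_groups here — confirm this is intended.
		 */
		if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin") ||
		    (!empty($ipsec_groups) && (count(array_intersect($userGroups, $ipsec_groups)) == 0))) {
			$authenticated = false;
			syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.");
			continue;
		}
	}
	break;
}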
/*
 * No backend accepted the credentials (or the local user lacked the
 * required privilege/group). Report the refusal the same way the
 * credentials arrived: "FAILED" on stdout for request parameters, a
 * non-zero exit status for the environment.
 */
if (!$authenticated) {
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.");
	$via_request = isset($_GET['username']);
	if (!$via_request) {
		closelog();
		exit (-1);
	}
	echo "FAILED";
	closelog();
	return;
}
/*
 * Optional hook run only after a successful authentication: a fixed,
 * absolute path (never derived from input) that is included when present.
 */
$attributes_hook = "/etc/inc/ipsec.attributes.php";
if (file_exists($attributes_hook)) {
	include_once($attributes_hook);
}

syslog(LOG_NOTICE, "user '{$username}' authenticated");
closelog();

/* Success: exit status 0 for the environment caller, "OK" on stdout otherwise */
if (!isset($_GET['username'])) {
	exit (0);
}
echo "OK";
?>