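#!/usr/local/bin/php-cgi -f
<?php
/*
 * ipsec.auth-user.php
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2008 Shrew Soft Inc
 * Copyright (c) 2008-2013 BSD Perimeter
 * Copyright (c) 2013-2016 Electric Sheep Fencing
 * Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * ipsec calls this script to authenticate a user
 * based on a username and password. We lookup these
 * in our config.xml file and check the credentials.
 *
 * Two invocation modes are supported, selected by the presence of a
 * "username" query-string parameter:
 *  - query-string mode: credentials come from $_GET and the verdict is
 *    printed as "OK" or "FAILED" (the script then returns);
 *  - environment mode: credentials come from getenv() and the verdict is
 *    the process exit status (0 = authenticated, non-zero = denied).
 *
 * The password is never written to syslog; only the username is logged.
 */

require_once("globals.inc");
require_once("config.inc");
require_once("auth.inc");
require_once("interfaces.inc");

global $config;

/* setup syslog logging */
openlog("charon", LOG_ODELAY, LOG_AUTH);

/*
 * Report an authentication failure to the caller.
 *
 * In query-string mode this prints "FAILED", closes syslog and returns so
 * the top-level code can `return` from the script. In environment mode it
 * closes syslog and terminates the process with $exit_code.
 *
 * @param int $exit_code process exit status used in environment mode
 */
function ipsec_auth_user_deny($exit_code) {
	if (isset($_GET['username'])) {
		echo "FAILED";
		closelog();
		return;
	}
	closelog();
	exit ($exit_code);
}

if (isset($_GET['username'])) {
	/*
	 * Read data from the query string. Missing keys default to '' so that
	 * explode() never receives null and no notices are raised.
	 * Credentials carried in a query string are visible to any request
	 * logging in front of this script; this is inherent to this mode.
	 */
	$authmodes = explode(",", $_GET['authcfg'] ?? '');
	$username = $_GET['username'];
	$password = $_GET['password'] ?? '';
	$common_name = $_GET['cn'] ?? '';
} else {
	/* read data from environment; getenv() returns false for unset names */
	$username = getenv("username");
	$password = getenv("password");
	$common_name = getenv("common_name");
	$authmodes = explode(",", getenv("authcfg"));
}

/*
 * A username must be a non-empty string. The is_string() check also
 * rejects array-valued query parameters (e.g. username[]=x), which would
 * otherwise flow into syslog messages and the auth backends as "Array".
 */
if (!is_string($username) || $username === '') {
	syslog(LOG_ERR, "invalid user authentication environment");
	ipsec_auth_user_deny(-1);
	return;
}

/*
 * Never pass an empty password to the backends: for some directory
 * services an empty password can turn into an unauthenticated bind.
 */
if (!is_string($password) || $password === '') {
	syslog(LOG_ERR, "empty or missing password for user '{$username}'");
	ipsec_auth_user_deny(-1);
	return;
}

$authenticated = false;

/*
 * $strictusercn is not assigned anywhere in this file; presumably it is
 * expected from one of the included files — confirm. When it is unset
 * the common-name check is skipped, exactly as the `=== true` test did.
 */
$strictusercn = $strictusercn ?? false;
/* strict comparison: an identity check must not treat "01" and "1" as equal */
if (($strictusercn === true) && ($common_name !== $username)) {
	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.");
	ipsec_auth_user_deny(1);
	return;
}

$attributes = ["nas_identifier" => "xauthIPsec"];

/* optional list of groups a Local Database user must belong to */
$ipsec_groups = [];
if ((($config['ipsec']['client']['group_source'] ?? '') === 'enabled') &&
    !empty($config['ipsec']['client']['auth_groups'])) {
	$ipsec_groups = explode(",", $config['ipsec']['client']['auth_groups']);
}

foreach ($authmodes as $authmode) {
	$authcfg = auth_get_authserver($authmode);
	/*
	 * Unknown server names are skipped. "Local Database" has no server
	 * entry, so it is passed on with $authcfg === false.
	 */
	if (!$authcfg && $authmode !== "Local Database") {
		continue;
	}

	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
	if (!$authenticated) {
		continue;
	}

	/* group lookup is only consulted for Local Database below; kept for
	 * every mode to preserve the original call sequence */
	$userGroups = getUserGroups($username, $authcfg, $attributes);
	if ($authmode === "Local Database") {
		$user = getUserEntry($username);
		/* a valid password alone is not enough: the account also needs the
		 * dial-in privilege and, when configured, one of the allowed groups */
		if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin") ||
		    (!empty($ipsec_groups) && (count(array_intersect((array) $userGroups, $ipsec_groups)) == 0))) {
			$authenticated = false;
			syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.");
			continue;
		}
	}
	/* first backend that accepts the credentials wins */
	break;
}

if (!$authenticated) {
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.");
	ipsec_auth_user_deny(-1);
	return;
}

/* optional hook for handing extra attributes back to IPsec; fixed path */
if (file_exists("/etc/inc/ipsec.attributes.php")) {
	include_once("/etc/inc/ipsec.attributes.php");
}

syslog(LOG_NOTICE, "user '{$username}' authenticated");
closelog();

if (isset($_GET['username'])) {
	echo "OK";
} else {
	exit (0);
}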