/src/usr/local/captiveportal/index.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/usr/local/captiveportal/index.php @ a68f7a3d

1	8c1ce6c7	Scott Ullrich	<?php
2	5b237745	Scott Ullrich	/*
3	ac24dc24	Renato Botelho	* index.php
4			*
5			* part of pfSense (https://www.pfsense.org)
6	38809d47	Renato Botelho do Couto	* Copyright (c) 2004-2013 BSD Perimeter
7			* Copyright (c) 2013-2016 Electric Sheep Fencing
8	a68f7a3d	Luiz Otavio O Souza	* Copyright (c) 2014-2024 Rubicon Communications, LLC (Netgate)
9	ac24dc24	Renato Botelho	* All rights reserved.
10			*
11			* Originally part of m0n0wall (http://m0n0.ch/wall)
12	c5d81585	Renato Botelho	* Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>.
13	ac24dc24	Renato Botelho	* All rights reserved.
14			*
15	b12ea3fb	Renato Botelho	* Licensed under the Apache License, Version 2.0 (the "License");
16			* you may not use this file except in compliance with the License.
17			* You may obtain a copy of the License at
18	ac24dc24	Renato Botelho	*
19	b12ea3fb	Renato Botelho	* http://www.apache.org/licenses/LICENSE-2.0
20	ac24dc24	Renato Botelho	*
21	b12ea3fb	Renato Botelho	* Unless required by applicable law or agreed to in writing, software
22			* distributed under the License is distributed on an "AS IS" BASIS,
23			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
24			* See the License for the specific language governing permissions and
25			* limitations under the License.
26	ac24dc24	Renato Botelho	*/
27	5b237745	Scott Ullrich
28	0092b3bd	mgrooms	require_once("auth.inc");
29	de9ba32b	jim-p	require_once("util.inc");
30	65fbb388	Scott Ullrich	require_once("functions.inc");
31	483e6de8	Scott Ullrich	require_once("captiveportal.inc");
32	65fbb388	Scott Ullrich
33			header("Expires: 0");
34	2ebbb0bc	Jose Luis Duran	header("Cache-Control: no-cache, no-store, must-revalidate");
35	65fbb388	Scott Ullrich	header("Pragma: no-cache");
36	232846a2	Ermal	header("Connection: close");
37	5b237745	Scott Ullrich
38	7c2468c5	Viktor G	global $cpzone, $cpzoneid, $cpzoneprefix;
39	5370146c	Ermal
40	7949eac7	Renato Botelho	$cpzone = strtolower($_REQUEST['zone']);
41	829322b3	Christian McDonald	$cpcfg = config_get_path("captiveportal/{$cpzone}");
42	de9ba32b	jim-p
43			/* NOTE: IE 8/9 is buggy and that is why this is needed */
44			$orig_request = trim($_REQUEST['redirurl'], " /");
45
46			/* If the post-auth redirect is set, always use it. Otherwise take what was supplied in URL. */
47	9fc1648e	jim-p	if (!empty($cpcfg) && is_URL($cpcfg['redirurl'], true)) {
48	de9ba32b	jim-p	$redirurl = $cpcfg['redirurl'];
49			} elseif (preg_match("/redirurl=(.*)/", $orig_request, $matches)) {
50			$redirurl = urldecode($matches[1]);
51			} elseif ($_REQUEST['redirurl']) {
52			$redirurl = $_REQUEST['redirurl'];
53			}
54			/* Sanity check: If the redirect target is not a URL, do not attempt to use it like one. */
55	9fc1648e	jim-p	if (!is_URL(urldecode($redirurl), true)) {
56	de9ba32b	jim-p	$redirurl = "";
57			}
58
59	09294e84	Ermal	if (empty($cpcfg)) {
60	762a7b89	Phil Davis	log_error("Submission to captiveportal with unknown parameter zone: " . htmlspecialchars($cpzone));
61	eb43c5b1	Augustin FL	portal_reply_page($redirurl, "error", gettext("Internal error"));
62	09294e84	Ermal	ob_flush();
63			return;
64			}
65	b4792bf8	Ermal
66	baec2b00	Ermal	$cpzoneid = $cpcfg['zoneid'];
67	7c2468c5	Viktor G	$cpzoneprefix = CPPREFIX . $cpzoneid;
68	362ec35d	Ermal	$orig_host = $_SERVER['HTTP_HOST'];
69	6fa4bdc6	Scott Ullrich	$clientip = $_SERVER['REMOTE_ADDR'];
70	5b237745	Scott Ullrich
71			if (!$clientip) {
72	c9cb32c4	Ermal	/* not good - bail out */
73	12feed15	Ermal	log_error("Zone: {$cpzone} - Captive portal could not determine client's IP address.");
74	eb43c5b1	Augustin FL	$errormsg = gettext("An error occurred. Please check the system logs for more information.");
75	c9cb32c4	Ermal	portal_reply_page($redirurl, "error", $errormsg);
76	4a5feb83	Ermal	ob_flush();
77			return;
78	65fbb388	Scott Ullrich	}
79
80	de132ae3	bcyrill	$ourhostname = portal_hostname_from_client_ip($clientip);
81	88479de6	jim-p	$protocol = (isset($config['captiveportal'][$cpzone]['httpslogin'])) ? 'https://' : 'http://';
82			$logouturl = "{$protocol}{$ourhostname}/";
83
84			$cpsession = captiveportal_isip_logged($clientip);
85			if (!empty($cpsession)) {
86			$sessionid = $cpsession['sessionid'];
87			}
88
89	d2ecbddc	jim-p	/* Automatically switching to the logout page requires a custom logout page to be present. */
90			if ((!empty($cpsession)) && (! $_POST['logout_id']) && (!empty($cpcfg['page']['logouttext']))) {
91	c857583b	Augustin-FL	/* if client already connected and a custom logout page is set : show logout page */
92	d2ecbddc	jim-p	$attributes = array();
93			if (!empty($cpsession['session_timeout']))
94			$attributes['session_timeout'] = $cpsession['session_timeout'];
95			if (!empty($cpsession['session_terminate_time']))
96			$attributes['session_terminate_time'] = $cpsession['session_terminate_time'];
97
98			include("{$g['varetc_path']}/captiveportal-{$cpzone}-logout.html");
99			ob_flush();
100			return;
101	88479de6	jim-p	} elseif (!empty($cpsession) && !isset($_POST['logout_id'])) {
102			/* If the client tries to access the captive portal page while already connected,
103			but no custom logout page exists */
104			$logo_src = get_captive_portal_logo();
105			$bg_src = get_captive_portal_bg();
106			?>
107			<!DOCTYPE html>
108			<html>
109			<head>
110			<meta charset="UTF-8">
111			<meta name="viewport" content="width=device-width, initial-scale=1.0">
112			<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
113			<title>Captive Portal</title>
114			<style>
115			#content,.login,.login-card a,.login-card h1,.login-help{text-align:center}body,html{margin:0;padding:0;width:100%;height:100%;display:table}#content{font-family:'Source Sans Pro',sans-serif;background-color:#1C1275;background:<?= $bg_src ?>;-webkit-background-size:cover;-moz-background-size:cover;-o-background-size:cover;background-size:cover;display:table-cell;vertical-align:middle}.login-card{padding:40px;width:280px;background-color:#F7F7F7;margin:100px auto 10px;border-radius:2px;box-shadow:0 2px 2px rgba(0,0,0,.3);overflow:hidden}.login-card h1{font-weight:400;font-size:2.3em;color:#1383c6}.login-card h1 span{color:#f26721}.login-card img{width:70%;height:70%}.login-card input[type=submit]{width:100%;display:block;margin-bottom:10px;position:relative}.login-card input[type=text],input[type=password]{height:44px;font-size:16px;width:100%;margin-bottom:10px;-webkit-appearance:none;background:#fff;border:1px solid #d9d9d9;border-top:1px solid silver;padding:0 8px;box-sizing:border-box;-moz-box-sizing:border-box}.login-card input[type=text]:hover,input[type=password]:hover{border:1px solid #b9b9b9;border-top:1px solid #a0a0a0;-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.login{font-size:14px;font-family:Arial,sans-serif;font-weight:700;height:36px;padding:0 8px}.login-submit{-webkit-appearance:none;-moz-appearance:none;appearance:none;border:0;color:#fff;text-shadow:0 1px rgba(0,0,0,.1);background-color:#4d90fe}.login-submit:disabled{opacity:.6}.login-submit:hover{border:0;text-shadow:0 1px rgba(0,0,0,.3);background-color:#357ae8}.login-card a{text-decoration:none;color:#222;font-weight:400;display:inline-block;opacity:.6;transition:opacity ease .5s}.login-card a:hover{opacity:1}.login-help{width:100%;font-size:12px}.list{list-style-type:none;padding:0}.list__item{margin:0 0 .7rem;padding:0}label{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-align:center;-webkit-align-items:center;-ms-flex-align:center;align-items:center;text-align:left;font-size:14px;}input[type=checkbox]{-webkit-box-flex:0;-webkit-flex:none;-ms-flex:none;flex:none;margin-right:10px;float:left}@media screen and (max-width:450px){.login-card{width:70%!important}.login-card img{width:30%;height:30%}}textarea{width:66%;margin:auto;height:120px;max-height:120px;background-color:#f7f7f7;padding:20px}#terms{display:none;padding-top:100px;padding-bottom:300px;}.auth_source{border: 1px solid lightgray; padding:20px 8px 0px 8px; margin-top: -2em; border-radius: 2px; }.auth_head{background-color:#f7f7f7;display:inline-block;}.auth_head_div{text-align:left;}#error-message{text-align:left;color:#ff3e3e;font-style:italic;}
116			</style>
117			</head>
118
119			<body>
120			<div id="content">
121			<div class="login-card">
122			<img src="<?= $logo_src ?>"/><br>
123			<h1></h1>
124			<div class="login-help">
125			<?= gettext("The portal session is connected.") ?>
126			<?php if (!empty($redirurl)):
127			$redirurl = htmlspecialchars($redirurl); ?>
128			<br/><br/>
129			<?= gettext("Proceed to: ") ?>
130			<a href="<?=$redirurl?>"><?=$redirurl?></a>
131			<?php endif; ?>
132			</div>
133			<br/>
134			<form method="POST" action="<?=$logouturl;?>">
135			<input name="logout_id" type="hidden" value="<?=$sessionid;?>" />
136			<input name="zone" type="hidden" value="<?=$cpzone;?>" />
137			<input name="logout" type="submit" value="<?= gettext("Disconnect") ?>" />
138			</form>
139			<br />
140			<span> <i>Made with &hearts; by</i> <strong>Netgate</strong></span>
141			</div>
142			</div>
143			</body>
144			</html>
145			<?php
146	eb43c5b1	Augustin FL	ob_flush();
147			return;
148			} elseif ($orig_host != $ourhostname) {
149	3b832418	bcyrill	/* the client thinks it's connected to the desired web server, but instead
150			it's connected to us. Issue a redirect... */
151	de132ae3	bcyrill	$protocol = (isset($cpcfg['httpslogin'])) ? 'https://' : 'http://';
152			header("Location: {$protocol}{$ourhostname}/index.php?zone={$cpzone}&redirurl=" . urlencode("http://{$orig_host}/{$orig_request}"));
153	65fbb388	Scott Ullrich
154	3b832418	bcyrill	ob_flush();
155			return;
156	5b237745	Scott Ullrich	}
157	de132ae3	bcyrill
158	5b237745	Scott Ullrich	/* find MAC address for client */
159	7c2468c5	Viktor G	$tmpres = pfSense_ip_to_mac($clientip);
160			if (!is_array($tmpres)) {
161			if (!isset($cpcfg['nomacfilter']) \|\| isset($cpcfg['passthrumacadd'])) {
162	3b832418	bcyrill	/* unable to find MAC address - shouldn't happen! - bail out */
163	6c07db48	Phil Davis	captiveportal_logportalauth("unauthenticated", "noclientmac", $clientip, "ERROR");
164	3b832418	bcyrill	echo "An error occurred. Please check the system logs for more information.";
165	12feed15	Ermal	log_error("Zone: {$cpzone} - Captive portal could not determine client's MAC address. Disable MAC address filtering in captive portal if you do not need this functionality.");
166	3b832418	bcyrill	ob_flush();
167			return;
168	007161dc	Ermal	}
169	7c2468c5	Viktor G	} else {
170			/* always save MAC address in DB to allow macfilter/nomacfilter switching without flushing all clients */
171	0d20a040	Ermal	$clientmac = $tmpres['macaddr'];
172	5b237745	Scott Ullrich	}
173	7c2468c5	Viktor G	unset($tmpres);
174	5b237745	Scott Ullrich
175	65fbb388	Scott Ullrich	if ($_POST['logout_id']) {
176	69c97c32	Chris Buechler	$safe_logout_id = SQLite3::escapeString($_POST['logout_id']);
177			captiveportal_disconnect_client($safe_logout_id);
178	7c2468c5	Viktor G	header("Location: index.php?zone=" . $cpzone);
179	88479de6	jim-p	ob_flush();
180			return;
181	7e5dbbfc	Marcos Mendoza	} elseif (($_POST['accept'] \|\| $cpcfg['auth_method'] === 'radmac' \|\| !empty($cpcfg['blockedmacsurl'])) && !isset($cpcfg['nomacfilter']) && $clientmac && captiveportal_blocked_mac($clientmac)) {
182	6c07db48	Phil Davis	captiveportal_logportalauth($clientmac, $clientmac, $clientip, "Blocked MAC address");
183	7d61beba	Phil Davis	if (!empty($cpcfg['blockedmacsurl'])) {
184	8d5ddc09	Renato Botelho	portal_reply_page($cpcfg['blockedmacsurl'], "redir");
185	7d61beba	Phil Davis	} else {
186	eb43c5b1	Augustin FL	if ($cpcfg['auth_method'] === 'radmac') {
187			echo gettext("This MAC address has been blocked");
188			} else {
189	acb89722	Viktor G	portal_reply_page($redirurl, "error", "This MAC address has been blocked", $clientmac, $clientip);
190	eb43c5b1	Augustin FL	}
191	7d61beba	Phil Davis	}
192	eb43c5b1	Augustin FL	} elseif (portal_consume_passthrough_credit($clientmac)) {
193	3b832418	bcyrill	/* allow the client through if it had a pass-through credit for its MAC */
194	6c07db48	Phil Davis	captiveportal_logportalauth("unauthenticated", $clientmac, $clientip, "ACCEPT");
195	24600471	Augustin-FL	portal_allow($clientip, $clientmac, "unauthenticated", null, $redirurl);
196	8015e67b	Erik Fonnesbeck
197	53ea4b8b	Viktor G	} elseif (isset($config['voucher'][$cpzone]['enable']) && ($_POST['accept'] && $_POST['auth_voucher']) \|\| $_GET['voucher']) {
198			if (isset($_POST['auth_voucher'])) {
199			$voucher = trim($_POST['auth_voucher']);
200			} else {
201			/* submit voucher via URL, see https://redmine.pfsense.org/issues/1984 */
202			$voucher = trim($_GET['voucher']);
203	8407e59f	Viktor G	portal_reply_page($redirurl, "login", null, $clientmac, $clientip, null, null, $voucher);
204	53ea4b8b	Viktor G	return;
205			}
206	eb43c5b1	Augustin FL	$errormsg = gettext("Invalid credentials specified.");
207	3b832418	bcyrill	$timecredit = voucher_auth($voucher);
208			// $timecredit contains either a credit in minutes or an error message
209			if ($timecredit > 0) { // voucher is valid. Remaining minutes returned
210			// if multiple vouchers given, use the first as username
211	6c07db48	Phil Davis	$a_vouchers = preg_split("/[\t\n\r ]+/s", $voucher);
212	3b832418	bcyrill	$voucher = $a_vouchers[0];
213	6c07db48	Phil Davis	$attr = array(
214			'voucher' => 1,
215			'session_timeout' => $timecredit*60,
216			'session_terminate_time' => 0);
217	5ed493d8	Viktor G	if (portal_allow($clientip, $clientmac, $voucher, null, $redirurl, $attr, null, 'voucher', 'voucher') === 2) {
218	acb89722	Viktor G	portal_reply_page($redirurl, "error", "Reuse of identification not allowed.", $clientmac, $clientip);
219	5ed493d8	Viktor G	} elseif (portal_allow($clientip, $clientmac, $voucher, null, $redirurl, $attr, null, 'voucher', 'voucher')) {
220	3b832418	bcyrill	// YES: user is good for $timecredit minutes.
221	6c07db48	Phil Davis	captiveportal_logportalauth($voucher, $clientmac, $clientip, "Voucher login good for $timecredit min.");
222	3b832418	bcyrill	} else {
223	acb89722	Viktor G	portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['descrmsgexpired'] ? $config['voucher'][$cpzone]['descrmsgexpired']: $errormsg, $clientmac, $clientip);
224	3b832418	bcyrill	}
225	eb43c5b1	Augustin FL	} elseif (-1 == $timecredit) { // valid but expired
226	6c07db48	Phil Davis	captiveportal_logportalauth($voucher, $clientmac, $clientip, "FAILURE", "voucher expired");
227	acb89722	Viktor G	portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['descrmsgexpired'] ? $config['voucher'][$cpzone]['descrmsgexpired']: $errormsg, $clientmac, $clientip);
228	3b832418	bcyrill	} else {
229	6c07db48	Phil Davis	captiveportal_logportalauth($voucher, $clientmac, $clientip, "FAILURE");
230	acb89722	Viktor G	portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['descrmsgnoaccess'] ? $config['voucher'][$cpzone]['descrmsgnoaccess'] : $errormsg, $clientmac, $clientip);
231	3b832418	bcyrill	}
232	336e3c1c	Charlie
233	eb43c5b1	Augustin FL	} elseif ($_POST['accept'] \|\| $cpcfg['auth_method'] === 'radmac') {
234
235	774ff51b	Augustin-FL	if ($cpcfg['auth_method'] === 'radmac' && !isset($_POST['accept'])) {
236			$user = $clientmac;
237			$passwd = $cpcfg['radmac_secret'];
238			$context = 'radmac'; // Radius MAC authentication
239	d6601c8f	Augustin-FL	} elseif (!empty(trim($_POST['auth_user2']))) {
240	28a5469e	heper	$user = trim($_POST['auth_user2']);
241	eb43c5b1	Augustin FL	$passwd = $_POST['auth_pass2'];
242			$context = 'second'; // Assume users to use the first context if auth_user2 is empty/does not exist
243			} else {
244	28a5469e	heper	$user = trim($_POST['auth_user']);
245	eb43c5b1	Augustin FL	$passwd = $_POST['auth_pass'];
246			$context = 'first';
247			}
248
249	32661caf	Viktor G	$pipeno = captiveportal_get_next_dn_ruleno('auth', 2000, 64500, true);
250	eb43c5b1	Augustin FL	/* if the pool is empty, return appropriate message and exit */
251			if (is_null($pipeno)) {
252			$replymsg = gettext("System reached maximum login capacity");
253			if ($cpcfg['auth_method'] === 'radmac') {
254			echo $replymsg;
255			ob_flush();
256			return;
257	7d61beba	Phil Davis	} else {
258	acb89722	Viktor G	portal_reply_page($redirurl, "error", $replymsg, $clientmac, $clientip);
259	7d61beba	Phil Davis	}
260	eb43c5b1	Augustin FL	log_error("Zone: {$cpzone} - WARNING! Captive portal has reached maximum login capacity");
261
262	814992f7	Ermal	}
263	eb43c5b1	Augustin FL
264			$auth_result = captiveportal_authenticate_user($user, $passwd, $clientmac, $clientip, $pipeno, $context);
265
266			if ($auth_result['result']) {
267			captiveportal_logportalauth($user, $clientmac, $clientip, $auth_result['login_status']);
268	c0f216b9	Kristof Provost	portal_allow($clientip, $clientmac, $user, $passwd, $redirurl, $auth_result['attributes'], null, $auth_result['auth_method'], $context);
269	eb43c5b1	Augustin FL	} else {
270			$type = "error";
271
272	9fc1648e	jim-p	if (is_URL($auth_result['attributes']['url_redirection'], true)) {
273	eb43c5b1	Augustin FL	$redirurl = $auth_result['attributes']['url_redirection'];
274			$type = "redir";
275	7d61beba	Phil Davis	}
276	eb43c5b1	Augustin FL
277			if ($auth_result['login_message']) {
278			$replymsg = $auth_result['login_message'];
279	3b832418	bcyrill	} else {
280	eb43c5b1	Augustin FL	$replymsg = gettext("Invalid credentials specified.");
281			}
282
283			captiveportal_logportalauth($user, $clientmac, $clientip, $auth_result['login_status'], $replymsg);
284
285	774ff51b	Augustin-FL	/* Radius MAC authentication. */
286			if ($context === 'radmac' && $type !== 'redir' && !isset($cpcfg['radmac_fallback'])) {
287			echo $replymsg;
288	eb43c5b1	Augustin FL	} else {
289	acb89722	Viktor G	portal_reply_page($redirurl, $type, $replymsg, $clientmac, $clientip);
290	3b832418	bcyrill	}
291	7d61beba	Phil Davis	}
292	65fbb388	Scott Ullrich	} else {
293	3b832418	bcyrill	/* display captive portal page */
294	6c07db48	Phil Davis	portal_reply_page($redirurl, "login", null, $clientmac, $clientip);
295	5b237745	Scott Ullrich	}
296
297	4a5feb83	Ermal	ob_flush();
298	03552507	Erik Fonnesbeck
299	60b66b60	Ermal	?>

Project

General

Profile

pfSense