/src/etc/inc/authgui.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/etc/inc/authgui.inc @ add3c6c5

1	16513324	Holger Bauer	<?php
2	995df6c3	Stephen Beaver	/* ====================================================================
3			* Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved.
4			* Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
5			* Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
6			* Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>.
7			*
8			* Redistribution and use in source and binary forms, with or without modification,
9			* are permitted provided that the following conditions are met:
10			*
11			* 1. Redistributions of source code must retain the above copyright notice,
12			* this list of conditions and the following disclaimer.
13			*
14			* 2. Redistributions in binary form must reproduce the above copyright
15			* notice, this list of conditions and the following disclaimer in
16			* the documentation and/or other materials provided with the
17			* distribution.
18			*
19			* 3. All advertising materials mentioning features or use of this software
20			* must display the following acknowledgment:
21			* "This product includes software developed by the pfSense Project
22			* for use in the pfSense software distribution. (http://www.pfsense.org/).
23			*
24			* 4. The names "pfSense" and "pfSense Project" must not be used to
25			* endorse or promote products derived from this software without
26			* prior written permission. For written permission, please contact
27			* coreteam@pfsense.org.
28			*
29			* 5. Products derived from this software may not be called "pfSense"
30			* nor may "pfSense" appear in their names without prior written
31			* permission of the Electric Sheep Fencing, LLC.
32			*
33			* 6. Redistributions of any form whatsoever must retain the following
34			* acknowledgment:
35			*
36			* "This product includes software developed by the pfSense Project
37			* for use in the pfSense software distribution (http://www.pfsense.org/).
38			*
39			* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
40			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
43			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50			* OF THE POSSIBILITY OF SUCH DAMAGE.
51			*
52			* ====================================================================
53			*
54			*/
55	483e6de8	Scott Ullrich	include_once("auth.inc");
56	6dc88d53	Ermal Luci	include_once("priv.inc");
57	1e0b1727	Phil Davis	if (!function_exists('platform_booting')) {
58	cb054444	Ermal LUÇI	require_once('globals.inc');
59	1e0b1727	Phil Davis	}
60	16513324	Holger Bauer
61			/* Authenticate user - exit if failed */
62	6306b5dd	Ermal Lu?i	if (!session_auth()) {
63			display_login_form();
64	45ee90ed	Matthew Grooms	exit;
65	6306b5dd	Ermal Lu?i	}
66	45ee90ed	Matthew Grooms
67			/*
68			* Once here, the user has authenticated with the web server.
69			* We give them access only to the appropriate pages based on
70			* the user or group privileges.
71			*/
72	c4a9f99a	jim-p	$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']);
73	16513324	Holger Bauer
74	595b074d	Phil Davis	/*
75			* Get user-based preference settings so they can be easily referenced.
76			*/
77			$user_settings = get_user_settings($_SESSION['Username']);
78
79	45ee90ed	Matthew Grooms	/*
80	403a270e	Ermal Luçi	* redirect to first allowed page if requesting a wrong url
81	45ee90ed	Matthew Grooms	*/
82	8559c9d9	jim-p
83			/* Fix this up otherwise the privilege check will fail. See Redmine #5909. */
84			if ($_SERVER['REQUEST_URI'] == "/") {
85			$_SERVER['REQUEST_URI'] = "/index.php";
86			}
87
88	14f5f705	marcelloc	if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
89	403a270e	Ermal Luçi	if (count($allowedpages) > 0) {
90			$page = str_replace('*', '', $allowedpages[0]);
91			$_SESSION['Post_Login'] = true;
92	5c15e649	sullrich	require_once("functions.inc");
93	403a270e	Ermal Luçi	pfSenseHeader("/{$page}");
94	0d4f348f	jim-p
95			$username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
96	1e0b1727	Phil Davis	if (!empty($_SERVER['REMOTE_ADDR'])) {
97	0d4f348f	jim-p	$username .= '@' . $_SERVER['REMOTE_ADDR'];
98	1e0b1727	Phil Davis	}
99	0d4f348f	jim-p	log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}.");
100
101	403a270e	Ermal Luçi	exit;
102			} else {
103	0b70d9f4	Carlos Eduardo Ramos	display_error_form("201", gettext("No page assigned to this user! Click here to logout."));
104	403a270e	Ermal Luçi	exit;
105			}
106	1e0b1727	Phil Davis	} else {
107	403a270e	Ermal Luçi	$_SESSION['Post_Login'] = true;
108	1e0b1727	Phil Davis	}
109	16513324	Holger Bauer
110	45ee90ed	Matthew Grooms	/*
111	d97ab688	Matthew Grooms	* redirect browsers post-login to avoid pages
112	1e0b1727	Phil Davis	* taking action in response to a POST request
113	45ee90ed	Matthew Grooms	*/
114	d97ab688	Matthew Grooms	if (!$_SESSION['Post_Login']) {
115	c9dddd59	sullrich	$_SESSION['Post_Login'] = true;
116	5c15e649	sullrich	require_once("functions.inc");
117	d97ab688	Matthew Grooms	pfSenseHeader($_SERVER['REQUEST_URI']);
118			exit;
119			}
120	16513324	Holger Bauer
121	1180e4f0	Sjon Hortensius	/*
122	4111fcf5	Ermal	* Close session data to allow other scripts from same host to come in.
123			* A session can be reactivated from calling session_start again
124			*/
125			session_commit();
126
127	45ee90ed	Matthew Grooms	/*
128			* determine if the user is allowed access to the requested page
129			*/
130	16513324	Holger Bauer	function display_error_form($http_code, $desc) {
131	595b074d	Phil Davis	global $config, $user_settings, $g;
132	995df6c3	Stephen Beaver
133	1e0b1727	Phil Davis	if (isAjax()) {
134	addc0439	Renato Botelho	printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc);
135	16513324	Holger Bauer	return;
136			}
137
138	b4738ddc	NewEraCracker	$cssfile = "/css/pfSense.css";
139	9d624e6b	Jared Dillard
140	595b074d	Phil Davis	if (isset($user_settings['webgui']['webguicss'])) {
141			if (file_exists("/usr/local/www/css/" . $user_settings['webgui']['webguicss'])) {
142			$cssfile = "/css/" . $user_settings['webgui']['webguicss'];
143			}
144	9d624e6b	Jared Dillard	}
145
146	16513324	Holger Bauer	?>
147	1180e4f0	Sjon Hortensius	<!DOCTYPE html>
148			<html lang="en">
149			<head>
150	e71c09fa	heper	<meta name="viewport" content="width=device-width, initial-scale=1">
151	9d624e6b	Jared Dillard	<link rel="stylesheet" href="<?=$cssfile?>" />
152	1180e4f0	Sjon Hortensius	<title><?=gettext("Error: not allowed"); ?></title>
153			</head>
154			<body id="error" class="no-menu">
155			<div id="jumbotron">
156			<div class="container">
157	c7d61071	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-6 col-xs-12">
158			<!-- FIXME: We really need to POST the logout action -->
159			<div class="alert alert-danger" role="alert"><a href="index.php?logout"><?=$desc;?></a></div>
160			</div>
161	45ee90ed	Matthew Grooms	</div>
162	1180e4f0	Sjon Hortensius	</div>
163			</body>
164	16513324	Holger Bauer	</html>
165			<?php
166
167	45ee90ed	Matthew Grooms	} // end function
168	16513324	Holger Bauer
169
170			function display_login_form() {
171	45ee90ed	Matthew Grooms	require_once("globals.inc");
172			global $config, $g;
173
174			unset($input_errors);
175
176	1e0b1727	Phil Davis	if (isAjax()) {
177	45ee90ed	Matthew Grooms	if (isset($_POST['login'])) {
178	1e0b1727	Phil Davis	if ($_SESSION['Logged_In'] <> "True") {
179	0b70d9f4	Carlos Eduardo Ramos	isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = gettext("unknown reason");
180	3cfc695c	Vinicius Coque	printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error);
181	45ee90ed	Matthew Grooms	}
182			if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
183			// TODO: add the IP from the user who did lock the device
184			$whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
185	3cfc695c	Vinicius Coque	printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom);
186	45ee90ed	Matthew Grooms	}
187			}
188			exit;
189			}
190	16513324	Holger Bauer
191	1180e4f0	Sjon Hortensius	/* Check against locally configured IP addresses, which will catch when someone
192	2003b5d8	jim-p	port forwards WebGUI access from WAN to an internal IP on the router. */
193	6cfa23eb	Scott Ullrich	global $FilterIflist, $nifty_background;
194	2003b5d8	jim-p	$local_ip = false;
195	1fb55001	Ermal LUÇI	if (strpos($_SERVER['HTTP_HOST'], ":") === FALSE) {
196	2003b5d8	jim-p	$http_host_port = explode(":", $_SERVER['HTTP_HOST']);
197			$http_host = $http_host_port[0];
198			} else {
199			$http_host = $_SERVER['HTTP_HOST'];
200			}
201			if (empty($FilterIflist)) {
202			require_once('filter.inc');
203			require_once('shaper.inc');
204			filter_generate_optcfg_array();
205			}
206	f48d337f	Seth Mos	foreach ($FilterIflist as $iflist) {
207	1e0b1727	Phil Davis	if ($iflist['ip'] == $http_host) {
208	2003b5d8	jim-p	$local_ip = true;
209	1e0b1727	Phil Davis	} else if ($iflist['ipv6'] == $http_host) {
210	f48d337f	Seth Mos	$local_ip = true;
211	1e0b1727	Phil Davis	} else if (is_array($iflist['vips'])) {
212	1fb55001	Ermal LUÇI	foreach ($iflist['vips'] as $vip) {
213			if ($vip['ip'] == $http_host) {
214	067e48ab	Scott Ullrich	$local_ip = true;
215	1fb55001	Ermal LUÇI	break;
216			}
217	f48d337f	Seth Mos	}
218	1fb55001	Ermal LUÇI	unset($vip);
219	f48d337f	Seth Mos	}
220	1e0b1727	Phil Davis	if ($local_ip == true) {
221	1fb55001	Ermal LUÇI	break;
222	1e0b1727	Phil Davis	}
223	f48d337f	Seth Mos	}
224	1fb55001	Ermal LUÇI	unset($FilterIflist);
225			unset($iflist);
226
227	02156b4b	Ermal LUÇI	if ($local_ip == false) {
228			if (is_array($config['openvpn']['openvpn-server'])) {
229			foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
230			if (is_ipaddrv4($http_host) && !empty($ovpns['tunnel_network']) && ip_in_subnet($http_host, $ovpns['tunnel_network'])) {
231			$local_ip = true;
232			} else if (is_ipaddrv6($http_host) && !empty($ovpns['tunnel_networkv6']) && ip_in_subnet($http_host, $ovpns['tunnel_networkv6'])) {
233			$local_ip = true;
234			}
235	1e0b1727	Phil Davis	if ($local_ip == true) {
236	02156b4b	Ermal LUÇI	break;
237	1e0b1727	Phil Davis	}
238	71034b51	Renato Botelho	}
239			}
240			}
241	0041092c	jim-p
242	595b074d	Phil Davis	// For the login form, get the settings of no particular user.
243			// That ensures we will use the system default theme for the login form.
244			$user_settings = get_user_settings("");
245	f0c5e7c1	Jared Dillard	$cssfile = "/css/pfSense.css";
246	9d624e6b	Jared Dillard
247	595b074d	Phil Davis	if (isset($user_settings['webgui']['webguicss'])) {
248			if (file_exists("/usr/local/www/css/" . $user_settings['webgui']['webguicss'])) {
249			$cssfile = "/css/" . $user_settings['webgui']['webguicss'];
250	9d624e6b	Jared Dillard	}
251			}
252
253	16513324	Holger Bauer	?>
254	1180e4f0	Sjon Hortensius	<!DOCTYPE html>
255			<html lang="en">
256			<head>
257	e71c09fa	heper	<meta name="viewport" content="width=device-width, initial-scale=1">
258	9d624e6b	Jared Dillard	<link rel="stylesheet" href="<?=$cssfile?>" />
259	1180e4f0	Sjon Hortensius	<title><?=gettext("Login"); ?></title>
260	a9e60275	Chris Buechler	<script type="text/javascript">
261	8fd9052f	Colin Fleming	//<![CDATA{
262			var events = events \|\| [];
263			//]]>
264			</script>
265	1180e4f0	Sjon Hortensius	</head>
266			<body id="login" class="no-menu">
267			<div id="jumbotron">
268			<div class="container">
269	c7d61071	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-6 col-xs-12">
270	a42e7aa2	Sjon Hortensius	<?php
271	4de8f7ba	Phil Davis	if (is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) {
272	a42e7aa2	Sjon Hortensius	$nifty_background = "#999";
273	a16d923f	NOYB	print_info_box(gettext("The IP address being used to access this router is not configured locally, which may be forwarded by NAT or other means. <br /><br />If this forwarding is unexpected, it should be verified that a man-in-the-middle attack is not taking place."));
274	a42e7aa2	Sjon Hortensius	}
275	1180e4f0	Sjon Hortensius
276	a42e7aa2	Sjon Hortensius	$loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"';
277			?>
278	1180e4f0	Sjon Hortensius
279	c7d61071	Sander van Leeuwen	<div class="panel panel-default">
280			<div class="panel-heading">
281	6d128e2b	Phil Davis	<h2 class="panel-title"><?=sprintf(gettext("Login to %s"), $g['product_name'])?></h2>
282	c7d61071	Sander van Leeuwen	</div>
283	1180e4f0	Sjon Hortensius
284	c7d61071	Sander van Leeuwen	<div class="panel-body">
285	a42e7aa2	Sjon Hortensius	<?php if (!empty($_SESSION['Login_Error'])): ?>
286	c7d61071	Sander van Leeuwen	<div class="alert alert-danger" role="alert"><?=$_SESSION['Login_Error'];?></div>
287	a42e7aa2	Sjon Hortensius	<?php endif ?>
288	a16d923f	NOYB	<div class="alert alert-warning hidden" id="no_cookies"><?= gettext("The browser must support cookies to login."); ?></div>
289	c7d61071	Sander van Leeuwen
290			<form method="post" <?= $loginautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>" class="form-horizontal">
291			<div class="form-group">
292	d18f3f6e	Phil Davis	<label for="usernamefld" class="col-sm-3 control-label"><?=gettext("Username")?></label>
293	0a353c81	Sander van Leeuwen	<div class="col-sm-9 col-md-7">
294	d18f3f6e	Phil Davis	<input type="text" class="form-control" name="usernamefld" id="usernamefld" placeholder="<?=gettext("Enter your username")?>" autocorrect="off" autocapitalize="none" spellcheck="false">
295	c7d61071	Sander van Leeuwen	</div>
296			</div>
297
298			<div class="form-group">
299	d18f3f6e	Phil Davis	<label for="passwordfld" class="col-sm-3 control-label"><?=gettext("Password")?></label>
300	0a353c81	Sander van Leeuwen	<div class="col-sm-9 col-md-7">
301	d18f3f6e	Phil Davis	<input type="password" class="form-control" name="passwordfld" id="passwordfld" placeholder="<?=gettext("Enter your password")?>">
302	c7d61071	Sander van Leeuwen	</div>
303			</div>
304
305			<div class="form-group">
306	0a353c81	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-9 col-md-7">
307	d18f3f6e	Phil Davis	<button type="submit" class="btn btn-primary" name="login"><?=gettext("Login")?></button>
308	c7d61071	Sander van Leeuwen	</div>
309			</div>
310			</form>
311	a42e7aa2	Sjon Hortensius	</div>
312	c7d61071	Sander van Leeuwen	</div>
313	1180e4f0	Sjon Hortensius	</div>
314	45ee90ed	Matthew Grooms	</div>
315	45d6ada5	Sjon Hortensius
316	8fd9052f	Colin Fleming	<script type="text/javascript">
317			//!<[CDATA[
318	45d6ada5	Sjon Hortensius	events.push(function() {
319			document.cookie=
320			"cookie_test=1" +
321			"<?php echo $config['system']['webgui']['protocol'] == 'https' ? '; secure' : '';?>";
322
323			if (document.cookie.indexOf("cookie_test") == -1)
324	60987639	Stephen Beaver	document.getElementById("no_cookies").style.display="";
325			else
326			document.getElementById("no_cookies").style.display="none";
327	45d6ada5	Sjon Hortensius
328			// Delete it
329			document.cookie = "cookie_test=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";
330			});
331	8fd9052f	Colin Fleming	//]]>
332	45d6ada5	Sjon Hortensius	</script>
333	16513324	Holger Bauer	<?php
334	aceaf18c	Phil Davis	require_once('foot.inc');
335	16513324	Holger Bauer
336	17ef09c3	Colin Fleming	} // end function

Project

General

Profile

pfSense