<?php
/* $Id$ */
/*
	priv.inc
	Copyright (C) 2008 Shrew Soft Inc
	All rights reserved.

	Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
	All rights reserved.

	Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
	All rights reserved.

	Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
	All rights reserved.

	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.

*/

/*
	pfSense_MODULE:	auth
*/
require_once("priv.defs.inc");
/* Load and process custom privs. */
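/**
 * List the entries of $directory, skipping "." and "..".
 *
 * Used to discover privilege definition files: callers iterate the result
 * and include() every ".inc" entry, so only fixed, trusted system paths are
 * ever passed in.  Entries come back in readdir() order (unsorted), which
 * is also the order in which the callers include them.
 *
 * @param string $directory path to scan
 * @return array list of entry names; empty when $directory is not a
 *               directory or cannot be opened (the old code returned null
 *               here, which made the callers' foreach emit a warning)
 */
function get_priv_files($directory) {
	$entries = array();

	if (!is_dir($directory)) {
		return $entries;
	}

	$dh = opendir($directory);
	if ($dh === false) {
		return $entries;
	}

	while (($file = readdir($dh)) !== false) {
		/* "." and ".." are never privilege files */
		if ($file === "." || $file === "..") {
			continue;
		}
		$entries[] = $file;
	}
	closedir($dh);

	return $entries;
}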
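// Load and sort privs.
//
// Privilege definitions are plain PHP files that populate the global
// $priv_list.  They are include()d at file scope on purpose: the variables
// they set must land in the global scope, which would not happen inside a
// function.  Only the two fixed system locations below are scanned; a path
// must never be derived from request data here, since every match is
// executed as code.
$priv_dirs = array("/etc/inc/priv", "/usr/local/pkg/priv");
foreach ($priv_dirs as $priv_dir) {
	// both locations are optional; skipping a missing one avoids the
	// foreach warning the old code produced for a missing /etc/inc/priv
	if (!is_dir($priv_dir)) {
		continue;
	}
	$dir_array = get_priv_files($priv_dir);
	foreach ($dir_array as $file) {
		/* NOTE: stristr() is a loose test - any name that merely contains
		   ".inc" (e.g. "foo.inc.bak") is included too; kept as-is for
		   compatibility with existing package files. */
		if (!is_dir("{$priv_dir}/{$file}") && stristr($file, ".inc")) {
			include("{$priv_dir}/{$file}");
		}
	}
}
unset($priv_dirs, $priv_dir);

if (is_array($priv_list)) {
	sort_privs($priv_list);
}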
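/**
 * uksort() comparator for $priv_list keys: every "user-*" key sorts before
 * every other key, and keys of the same class are ordered by
 * case-insensitive name.
 *
 * The previous implementation returned the difference of two strncmp()
 * results.  That only put "user-*" first against keys that sort before
 * "user-" (such as "page-*"); a key starting with a later letter landed
 * ahead of the user privileges, and two non-user keys could be ordered by
 * the sign of their strncmp() result instead of by name.  Testing each key
 * for the prefix directly keeps the comparator consistent.
 *
 * @param string $a
 * @param string $b
 * @return int negative, zero or positive, as for strcmp()
 */
function cmp_privkeys($a, $b) {
	/* user privs at the top */
	$auser = (strncmp($a, "user-", 5) === 0);
	$buser = (strncmp($b, "user-", 5) === 0);
	if ($auser !== $buser) {
		return $auser ? -1 : 1;
	}

	/* name compare others */
	return strcasecmp($a, $b);
}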
/**
 * Sort $privs in place by key using cmp_privkeys() ("user-*" keys first,
 * then case-insensitive by name).
 *
 * @param array $privs privilege map keyed by privilege name (modified)
 * @return void
 */
function sort_privs(& $privs) {
	$comparator = 'cmp_privkeys';
	uksort($privs, $comparator);
}
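/**
 * Test whether $page is covered by one of the privilege match patterns.
 *
 * Each pattern is a page name in which "*" matches any run of characters;
 * every other character - including "." and "?" - is matched literally.
 * The comparison is anchored at both ends and a leading "/" on $page is
 * ignored.
 *
 * Patterns are compiled into a regular expression, so each one is run
 * through preg_quote() first and only the "*" wildcard is re-enabled.  The
 * old code escaped just ".", "*" and "?", which let any other regex
 * metacharacter in a pattern (e.g. "|", "(", "+", "[") change what the
 * pattern matched - "foo|bar" accepted every page ending in "bar".
 *
 * @param string $page    page name to test, e.g. "status_graph.php"
 * @param array  $matches patterns to test against (by reference; callers
 *                        pass $_SESSION['page-match'] directly)
 * @param bool   $fullwc  when false, the catch-all pattern "*" is skipped
 * @return bool true on the first matching pattern, false otherwise (also
 *              when $matches is not an array)
 */
function cmp_page_matches($page, & $matches, $fullwc = true) {
	if (!is_array($matches)) {
		return false;
	}

	/* skip any leading fwdslash */
	if (strpos($page, "/") === 0) {
		$page = substr($page, 1);
	}

	/* look for a match */
	foreach ($matches as $match) {
		/* possibly ignore full wildcard match */
		if (!$fullwc && !strcmp($match, "*")) {
			continue;
		}

		/* escape everything, then turn the "*" wildcard back into ".*";
		   "@" is the delimiter, so preg_quote() escapes it as well */
		$pattern = str_replace("\\*", ".*", preg_quote($match, "@"));
		if (preg_match("@^/{$pattern}$@", "/{$page}")) {
			return true;
		}
	}

	return false;
}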
/**
 * Find the first "page-*" privilege in the global $priv_list whose match
 * patterns cover $page.
 *
 * The catch-all pattern "*" is only honoured when $page itself is "any"
 * (case-insensitive) or "*"; for a concrete page name it is skipped so that
 * a specific privilege is reported rather than the wildcard one.
 *
 * @param string $page page name to look up
 * @return string|false privilege name, or false when nothing matches
 */
function map_page_privname($page) {
	global $priv_list;

	/* loop-invariant: does the caller ask for the wildcard entry itself? */
	$wildcard_page = (strcasecmp($page, "any") == 0) || (strcmp($page, "*") == 0);

	foreach ($priv_list as $pname => $pdata) {
		/* only page privileges carry match patterns */
		if (strncmp($pname, "page-", 5) != 0) {
			continue;
		}
		if (cmp_page_matches($page, $pdata['match'], $wildcard_page)) {
			return $pname;
		}
	}

	return false;
}
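/**
 * Collect the privilege definitions that apply to $user: those inherited
 * through group membership (each tagged with the group name) followed by
 * the ones assigned to the user directly.
 *
 * A privilege that is both assigned directly and inherited from a group is
 * listed once, in the direct section.  Names with no entry in the global
 * $priv_list are skipped.  Lookups use empty()/isset() so that a missing
 * 'priv' element or an unknown privilege name no longer raises a notice.
 *
 * @param array $user user entry (by reference, as before)
 * @return array list of privilege definitions copied from $priv_list;
 *               inherited entries carry an extra 'group' element
 */
function get_user_privdesc(& $user) {
	global $priv_list;

	$privs = array();

	/* directly assigned privileges; tolerate a missing or malformed list */
	$user_privs = array();
	if (isset($user['priv']) && is_array($user['priv'])) {
		$user_privs = $user['priv'];
	}

	$names = local_user_get_groups($user, true);

	foreach ($names as $name) {
		$group = getGroupEntry($name);
		if (!isset($group['priv']) || !is_array($group['priv'])) {
			continue;
		}
		foreach ($group['priv'] as $pname) {
			/* directly assigned privileges are listed below, not per group */
			if (in_array($pname, $user_privs)) {
				continue;
			}
			/* empty() covers both an unknown name and an empty definition */
			if (empty($priv_list[$pname])) {
				continue;
			}
			$priv = $priv_list[$pname];
			$priv['group'] = $group['name'];
			$privs[] = $priv;
		}
	}

	foreach ($user_privs as $pname) {
		if (!empty($priv_list[$pname])) {
			$privs[] = $priv_list[$pname];
		}
	}

	return $privs;
}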
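/**
 * Decide whether $username may access $page.
 *
 * Access is granted to the uid-0 (admin) account unconditionally, and to
 * any other user whose session-cached page patterns
 * ($_SESSION['page-match'], filled by getAllowedPages()) cover $page.
 *
 * The uid test is deliberately stricter than the old "== 0": under loose
 * comparison a non-numeric uid string compares equal to 0 on PHP < 8 and
 * would have been treated as the administrator.  Only a numeric zero
 * (int 0 or the string "0") qualifies now.
 *
 * @param string|null $username
 * @param string      $page page name to test
 * @return bool
 */
function isAllowed($username, $page) {
	if (!isset($username)) {
		return false;
	}

	/* admin/root access check */
	$user = getUserEntry($username);
	if (isset($user['uid']) && is_numeric($user['uid']) && ((int) $user['uid'] === 0)) {
		return true;
	}

	/* user privilege access check; no cached patterns means no access */
	if (!isset($_SESSION['page-match'])) {
		return false;
	}

	return cmp_page_matches($page, $_SESSION['page-match']);
}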
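/**
 * Decide whether the user of the current session may access $page.
 *
 * Same rules as isAllowed(): the uid-0 (admin) account is always allowed,
 * everyone else is checked against the page patterns cached in
 * $_SESSION['page-match'] by getAllowedPages().  Without a session user
 * name the answer is false.
 *
 * The uid test is stricter than the old "== 0": under loose comparison a
 * non-numeric uid string compares equal to 0 on PHP < 8 and would have been
 * treated as the administrator.  Only a numeric zero (int 0 or "0")
 * qualifies now.
 *
 * @param string $page page name to test
 * @return bool
 */
function isAllowedPage($page) {
	if (!isset($_SESSION['Username'])) {
		return false;
	}
	$username = $_SESSION['Username'];

	/* admin/root access check */
	$user = getUserEntry($username);
	if (isset($user['uid']) && is_numeric($user['uid']) && ((int) $user['uid'] === 0)) {
		return true;
	}

	/* user privilege access check; no cached patterns means no access */
	if (!isset($_SESSION['page-match'])) {
		return false;
	}

	return cmp_page_matches($page, $_SESSION['page-match']);
}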
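/**
 * Append to $allowed_pages the match patterns of every "page-*" privilege
 * held by $entry (a user or group entry with a 'priv' list).
 *
 * Definitions are read from the global $priv_list.  Unknown names and
 * definitions without a 'match' list are skipped.  The old code took
 * references into the global list ("$priv = &$priv_list[$pname]"), which
 * silently created a null entry in $priv_list for every unknown privilege
 * name and a null 'match' key in every definition lacking one; plain
 * isset() lookups avoid that side effect.
 *
 * @param array $entry         user or group entry
 * @param array $allowed_pages accumulator, extended in place
 * @return void
 */
function getPrivPages(& $entry, & $allowed_pages) {
	global $priv_list;

	if (!isset($entry['priv']) || !is_array($entry['priv'])) {
		return;
	}

	foreach ($entry['priv'] as $pname) {
		/* only page privileges carry match patterns */
		if (strncmp($pname, "page-", 5) != 0) {
			continue;
		}
		if (!isset($priv_list[$pname]) || !is_array($priv_list[$pname])) {
			continue;
		}
		$priv = $priv_list[$pname];
		if (!isset($priv['match']) || !is_array($priv['match'])) {
			continue;
		}
		foreach ($priv['match'] as $match) {
			$allowed_pages[] = $match;
		}
	}
}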
/**
 * Build the list of page match patterns $username may reach and cache it
 * in $_SESSION['page-match'] for isAllowed()/isAllowedPage().
 *
 * Group membership is asked from the configured authentication server
 * (ldap_get_groups() in ldap mode, radius_get_groups($attributes) in radius
 * mode).  When that yields nothing, the local user database is consulted
 * instead and contributes the user's own page privileges plus local group
 * membership.  The patterns of every group in $config['system']['group']
 * the user belongs to are then appended.
 *
 * Returns early, leaving the session untouched, when the ldap extension is
 * not loaded.
 *
 * @param string $username
 * @param array  $attributes passed by reference to radius_get_groups() in
 *                           radius mode; unused otherwise
 * @return array|null allowed page patterns, or null on the early return
 */
function getAllowedPages($username, &$attributes = array()) {
	global $config, $_SESSION;

	if (!function_exists("ldap_connect")) {
		return;
	}

	$pages = array();
	$groups = array();

	$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
	// obtain the group list from the external authentication server, if any
	switch ($authcfg['type']) {
		case "ldap":
			$groups = @ldap_get_groups($username, $authcfg);
			break;
		case "radius":
			$groups = @radius_get_groups($attributes);
			break;
	}

	// no external groups: fall back to the local user database
	if (!$groups) {
		$local_user = getUserEntry($username);
		if ($local_user) {
			// a local user contributes its own page privs and local groups
			getPrivPages($local_user, $pages);
			$groups = local_user_get_groups($local_user);
		}
	}

	// add the pages of every configured group the user belongs to
	$cfg_groups = $config['system']['group'];
	if (is_array($cfg_groups) && is_array($groups)) {
		foreach ($cfg_groups as $group) {
			if (in_array($group['name'], $groups)) {
				getPrivPages($group, $pages);
			}
		}
	}

	$_SESSION['page-match'] = $pages;

	return $pages;
}
/**
 * Reorder a list of privilege names so that the ones needed for the
 * post-login redirect come first; everything else keeps its relative order
 * behind them.
 *
 * The leading entries keep the order they had in $privs, not the order of
 * the priority list.  Numeric keys are renumbered from 0 in the result.
 *
 * @param array $privs privilege names
 * @return array
 */
function sort_user_privs($privs) {
	// Privileges to place first, to redirect properly.
	$priority_privs = array("page-dashboard-all", "page-system-login/logout");

	$first = array();
	$rest = array();
	foreach ($privs as $key => $pname) {
		/* string comparison, as array_intersect()/array_diff() would do */
		if (in_array((string) $pname, $priority_privs, true)) {
			$first[$key] = $pname;
		} else {
			$rest[$key] = $pname;
		}
	}

	return array_merge($first, $rest);
}
?>