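<?php
/*
 * openvpn.auth-user.php
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2008 Shrew Soft Inc
 * Copyright (c) 2008-2013 BSD Perimeter
 * Copyright (c) 2013-2016 Electric Sheep Fencing
 * Copyright (c) 2014-2023 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * OpenVPN calls this script to authenticate a user
 * based on a username and password. We lookup these
 * in our config.xml file and check the credentials.
 *
 * Two invocation modes are handled:
 *  - HTTP: parameters arrive in $_GET (username, password and authcfg are
 *    base64-encoded); the verdict is printed as "OK" or "FAILED".
 *  - Environment: parameters are read with getenv() and the verdict is the
 *    file's return value (0 = authenticated, non-zero = denied), presumably
 *    inspected by whatever includes this file.
 *
 * On success, reply attributes found in $attributes (DNS servers, routes,
 * framed address) are written as OpenVPN client directives to a per-user
 * file under $g['tmp_path'].
 */

require_once("globals.inc");
require_once("config.inc");
require_once("auth.inc");
require_once("interfaces.inc");

/* setup syslog logging */
openlog("openvpn", LOG_ODELAY, LOG_AUTH);

/* Exported for code included below (openvpn.attributes.php). The global
 * declaration only has an effect when this file is itself included from
 * inside a function; at file scope it is a no-op. */
global $common_name, $username, $dev, $untrusted_port;

/* Invocation mode; decides between "OK"/"FAILED" output and numeric return
 * codes at every exit point below. */
$via_http = isset($_GET['username']);

if ($via_http) {
	/* Any string retrieved through $_GET is automatically urlDecoded */
	$authmodes = explode(",", base64_decode($_GET['authcfg'] ?? ''));
	$username = base64_decode($_GET['username']);
	$password = base64_decode($_GET['password'] ?? '');
	$common_name = $_GET['cn'] ?? null;
	$modeid = $_GET['modeid'] ?? null;
	/* Only the literal string "false" disables the username/CN match. */
	$strictusercn = !(isset($_GET['strictcn']) && $_GET['strictcn'] === "false");
	$dev = $_GET['dev'] ?? null;
	$untrusted_port = $_GET['untrusted_port'] ?? null;
} else {
	/* read data from environment */
	$username = getenv("username");
	$password = getenv("password");
	$common_name = getenv("common_name");
	$dev = getenv("dev");
	$untrusted_port = getenv("untrusted_port");
	/* $authmodes and $strictusercn are not read in this mode; presumably the
	 * template substitution below (or the including scope) provides them. */
}

if (!$username) {
	syslog(LOG_ERR, "invalid user authentication environment");
	closelog();
	if ($via_http) {
		echo "FAILED";
		return;
	}
	return (-1);
}

/* Replaced by a sed with proper variables used below(ldap parameters). */
//<template>

$authenticated = false;

/* Unless strict CN checking was disabled, the presented username must match
 * the certificate common name (case-insensitively). */
if (($strictusercn === true) && (mb_strtolower($common_name) !== mb_strtolower($username))) {
	syslog(LOG_WARNING, "Username does not match certificate common name (\"{$username}\" != \"{$common_name}\"), access denied.");
	closelog();
	if ($via_http) {
		echo "FAILED";
		return;
	}
	return (1);
}

if (!is_array($authmodes)) {
	syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
	closelog();
	if ($via_http) {
		echo "FAILED";
		return;
	}
	return (1);
}

/* RADIUS request attributes. nas_port only ever arrives via $_GET; in
 * environment mode it is absent and the attribute is left null. The same
 * array is read again below for reply attributes, so it is presumably
 * populated by authenticate_user() and/or openvpn.attributes.php. */
$attributes = array(
	"nas_identifier" => "openVPN",
	"nas_port_type" => RADIUS_VIRTUAL,
	"nas_port" => $_GET['nas_port'] ?? null,
	"calling_station_id" => get_interface_ip() . ":" . ($_GET['nas_port'] ?? ''),
);

/* Try each selected authentication server in order; the first success wins.
 * "Local Database" is allowed through even when auth_get_authserver()
 * returns nothing for it. */
foreach ($authmodes as $authmode) {
	$authcfg = auth_get_authserver($authmode);
	if (!$authcfg && $authmode !== "Local Database") {
		continue;
	}
	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
	if ($authenticated) {
		break;
	}
}

if (!$authenticated) {
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.");
	closelog();
	if ($via_http) {
		echo "FAILED";
		return;
	}
	return (-1);
}

/* Optional hook that may adjust $attributes before they are rendered. */
if (file_exists("/etc/inc/openvpn.attributes.php")) {
	include_once("/etc/inc/openvpn.attributes.php");
}

/* Render per-user client directives from the reply attributes. */
$content = "";
if (isset($attributes['dns-servers']) && is_array($attributes['dns-servers'])) {
	foreach ($attributes['dns-servers'] as $dnssrv) {
		/* Malformed entries are dropped without a log line. */
		if (is_ipaddr($dnssrv)) {
			$content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
		}
	}
}
if (isset($attributes['routes']) && is_array($attributes['routes'])) {
	foreach ($attributes['routes'] as $route) {
		/* NOTE(review): unlike dns-servers, $route is placed in the directive
		 * unvalidated; the reply source is trusted here. */
		$content .= "push \"route {$route} vpn_gateway\"\n";
	}
}
if (isset($attributes['framed_ip'])) {
	if (isset($attributes['framed_mask'])) {
		$content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
	} else {
		/* No mask supplied: use the address just below framed_ip as the peer.
		 * Assumes framed_ip is a valid IPv4 address; ip2long() returns false
		 * otherwise and the result degrades to 255.255.255.255. */
		$content .= "ifconfig-push {$attributes['framed_ip']} " . long2ip((ip2long($attributes['framed_ip']) - 1));
	}
}

if (!empty($content)) {
	/* $username becomes a path component: refuse any name that would resolve
	 * outside $g['tmp_path'] instead of writing it. Write failures were
	 * previously silent; they are now logged so a missing file can be traced. */
	if ($username === "." || $username === ".." || basename($username) !== $username) {
		syslog(LOG_WARNING, "user '{$username}' has a name unsuitable for a file name, not writing client attributes.");
	} elseif (@file_put_contents("{$g['tmp_path']}/{$username}", $content) === false) {
		syslog(LOG_WARNING, "could not write client attributes for user '{$username}'.");
	}
}

syslog(LOG_NOTICE, "user '{$username}' authenticated");
closelog();

if ($via_http) {
	echo "OK";
} else {
	return (0);
}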