1 8c1ce6c7 Scott Ullrich
<?php
2 5b237745 Scott Ullrich
/*
3 3b832418 bcyrill
	$Id$
4
	part of m0n0wall (http://m0n0.ch/wall)
5
6 29aef6c4 Jim Thompson
        Copyright (C) 2013-2014 Electric Sheep Fencing, LP
7
	Copyrigth (C) 2009 Ermal Luçi
8 3b832418 bcyrill
	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
9
	All rights reserved.
10
11
	Redistribution and use in source and binary forms, with or without
12
	modification, are permitted provided that the following conditions are met:
13
14
	1. Redistributions of source code must retain the above copyright notice,
15
	   this list of conditions and the following disclaimer.
16
17
	2. Redistributions in binary form must reproduce the above copyright
18
	   notice, this list of conditions and the following disclaimer in the
19
	   documentation and/or other materials provided with the distribution.
20
21
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
22
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
23
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
25
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30
	POSSIBILITY OF SUCH DAMAGE.
31 5b237745 Scott Ullrich
*/
32 f5024891 Scott Ullrich
/*
33
	pfSense_MODULE:	captiveportal
34
*/
35 5b237745 Scott Ullrich
36 0092b3bd mgrooms
require_once("auth.inc");
37 65fbb388 Scott Ullrich
require_once("functions.inc");
38 483e6de8 Scott Ullrich
require_once("captiveportal.inc");
39 65fbb388 Scott Ullrich
40 eb15decb Ermal
/* Generic failure text; deliberately does not say which part of a login was wrong. */
$errormsg = 'Invalid credentials specified.';

/*
 * Tell browsers and intermediate proxies not to cache any portal response,
 * since every reply depends on the state of the requesting client.
 */
header('Expires: 0');
header('Cache-Control: no-store, no-cache, must-revalidate');
/* Second argument false: add this Cache-Control line instead of replacing the previous one. */
header('Cache-Control: post-check=0, pre-check=0', false);
header('Pragma: no-cache');
header('Connection: close');
47 5b237745 Scott Ullrich
48 baec2b00 Ermal
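global $cpzone, $cpzoneid;

/*
 * Resolve the captive portal zone named by the client.
 *
 * The "zone" request parameter is untrusted input. It is only used as a key
 * into $config['captiveportal'], so a request is accepted only when it names
 * a zone that exists in the configuration. A missing or non-string value
 * (e.g. zone[]=x) is treated as an unknown zone rather than being used as an
 * array offset.
 */
$cpzone = (isset($_REQUEST['zone']) && is_string($_REQUEST['zone'])) ? $_REQUEST['zone'] : '';
$cpcfg = ($cpzone !== '' && isset($config['captiveportal'][$cpzone])) ? $config['captiveportal'][$cpzone] : null;
if (empty($cpcfg)) {
	/* NOTE(review): htmlspecialchars() neutralises HTML only; whether log_error() strips control characters is not visible here - confirm. */
	log_error("Submission to captiveportal with unknown parameter zone: " . htmlspecialchars($cpzone));
	/* $redirurl has not been assigned by this file at this point, so no redirect target is passed. */
	portal_reply_page($redirurl, "error", $errormsg);
	ob_flush();
	return;
}

/* Numeric/internal identifier of the zone, read from its configuration entry. */
$cpzoneid = $cpcfg['zoneid'];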
60
61 362ec35d Ermal
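/* Host header as sent by the client; client-controlled, so treat it as untrusted. */
$orig_host = $_SERVER['HTTP_HOST'];
/* NOTE: IE 8/9 is buggy and that is why this is needed */
/* A missing or non-string redirurl becomes an empty string instead of being passed to trim(). */
$orig_request = (isset($_REQUEST['redirurl']) && is_string($_REQUEST['redirurl'])) ? trim($_REQUEST['redirurl'], " /") : '';
$clientip = $_SERVER['REMOTE_ADDR'];

if (!$clientip) {
	/* not good - bail out */
	log_error("Zone: {$cpzone} - Captive portal could not determine client's IP address.");
	$error_message = "An error occurred.  Please check the system logs for more information.";
	/*
	 * Show the message prepared above. The original passed $errormsg here,
	 * which reported "Invalid credentials" for what is a portal-side failure
	 * and left $error_message unused.
	 */
	portal_reply_page($redirurl, "error", $error_message);
	ob_flush();
	return;
}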
74
75 de132ae3 bcyrill
/* Hostname the portal expects this client to use, derived from its IP address. */
$ourhostname = portal_hostname_from_client_ip($clientip);
if ($ourhostname != $orig_host) {
	/*
	 * The client asked for some other web server and was intercepted.
	 * Redirect it to the portal's own login page and carry the originally
	 * requested URL along in the redirurl parameter.
	 */
	if (isset($cpcfg['httpslogin'])) {
		$protocol = 'https://';
	} else {
		$protocol = 'http://';
	}
	/*
	 * The Host header and request path come from the client; both pass
	 * through urlencode() before entering the Location header. $cpzone is
	 * inserted as-is, having already matched a key of $config['captiveportal'].
	 */
	header("Location: " . $protocol . $ourhostname . "/index.php?zone=" . $cpzone . "&redirurl=" . urlencode("http://" . $orig_host . "/" . $orig_request));

	ob_flush();
	return;
}
85 de132ae3 bcyrill
86 b7ae00c0 bcyrill
/*
 * Pick the URL the client is sent to after the portal has dealt with it.
 * Precedence: the zone's configured redirurl, then a "redirurl=" value
 * embedded in the requested URL, then the raw redirurl request parameter.
 * If none applies, $redirurl is left unassigned.
 *
 * NOTE(review): the last two sources are client-supplied and are not
 * validated here; whether portal_reply_page() escapes or restricts the
 * target is not visible in this file - confirm.
 */
if (!empty($cpcfg['redirurl'])) {
	$redirurl = $cpcfg['redirurl'];
} elseif (preg_match("/redirurl=(.*)/", $orig_request, $matches)) {
	$redirurl = urldecode($matches[1]);
} elseif ($_REQUEST['redirurl']) {
	$redirurl = $_REQUEST['redirurl'];
}

/* Both flags are driven purely by the presence of a key in the zone configuration. */
$passthrumac = isset($cpcfg['passthrumacadd']);
$macfilter = isset($cpcfg['nomacfilter']) ? false : true;
95 65fbb388 Scott Ullrich
96 5b237745 Scott Ullrich
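/*
 * find MAC address for client
 *
 * $clientmac is initialised explicitly so that the authentication branches
 * further down never read an undefined variable when neither MAC filtering
 * nor pass-through MAC handling is enabled for the zone.
 */
$clientmac = null;
if ($macfilter || $passthrumac) {
	$tmpres = pfSense_ip_to_mac($clientip);
	if (!is_array($tmpres)) {
		/* unable to find MAC address - shouldn't happen! - bail out */
		captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");
		echo "An error occurred.  Please check the system logs for more information.";
		log_error("Zone: {$cpzone} - Captive portal could not determine client's MAC address.  Disable MAC address filtering in captive portal if you do not need this functionality.");
		ob_flush();
		return;
	}
	$clientmac = $tmpres['macaddr'];
	unset($tmpres);
}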
110
111 65fbb388 Scott Ullrich
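/*
 * find out if we need RADIUS + RADIUSMAC or not
 *
 * Both flags feed the authentication decision below, so they start from an
 * explicit FALSE instead of being left undefined when the zone has no
 * RADIUS database file.
 */
$radius_enable = FALSE;
$radmac_enable = FALSE;
if (file_exists("{$g['vardb_path']}/captiveportal_radius_{$cpzone}.db")) {
	$radius_enable = TRUE;
	if (isset($cpcfg['radmac_enable'])) {
		$radmac_enable = TRUE;
	}
}

/* find radius context: 'second' when the second username field was submitted, otherwise 'first' */
$radiusctx = 'first';
if (!empty($_POST['auth_user2'])) {
	$radiusctx = 'second';
}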
122
123 65fbb388 Scott Ullrich
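/*
 * Main dispatch. Exactly one branch runs, tested in this order:
 *   1. explicit logout request
 *   2. blocked MAC address
 *   3. RADIUS MAC authentication
 *   4. pass-through credit for the MAC
 *   5. voucher login
 *   6. RADIUS username/password login
 *   7. local user manager login
 *   8. "none" authentication (click-through)
 *   9. otherwise: show the login page
 */
if ($_POST['logout_id']) {
	echo <<<EOD
<html>
<head><title>Disconnecting...</title></head>
<body bgcolor="#435370">
<span style="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">
<b>You have been disconnected.</b>
</span>
<script type="text/javascript">
<!--
setTimeout('window.close();',5000) ;
-->
</script>
</body>
</html>

EOD;
	/*
	 * NOTE(review): logout_id comes straight from the POST body and no other
	 * check is made here before the session is torn down; what
	 * captiveportal_disconnect_client() verifies is not visible - confirm.
	 */
	captiveportal_disconnect_client($_POST['logout_id']);

} else if ($macfilter && $clientmac && captiveportal_blocked_mac($clientmac)) {
	captiveportal_logportalauth($clientmac,$clientmac,$clientip,"Blocked MAC address");
	if (!empty($cpcfg['blockedmacsurl']))
		portal_reply_page($cpcfg['blockedmacsurl'], "redir");
	else
		portal_reply_page($redirurl, "error", "This MAC address has been blocked");

} else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip, $radiusctx)) {
	/* radius functions handle everything so we exit here since we're done */

} else if (portal_consume_passthrough_credit($clientmac)) {
	/* allow the client through if it had a pass-through credit for its MAC */
	captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
	portal_allow($clientip, $clientmac, "unauthenticated");

} else if (isset($config['voucher'][$cpzone]['enable']) && $_POST['accept'] && $_POST['auth_voucher']) {
	$voucher = trim($_POST['auth_voucher']);
	$timecredit = voucher_auth($voucher);
	// $timecredit contains either a credit in minutes or an error message
	/*
	 * Require a numeric value before treating it as a credit: under PHP 8
	 * comparison rules a non-numeric string compares greater than 0, so an
	 * error message must not be allowed to reach the "valid voucher" branch.
	 */
	if (is_numeric($timecredit) && $timecredit > 0) {  // voucher is valid. Remaining minutes returned
		// if multiple vouchers given, use the first as username
		$a_vouchers = preg_split("/[\t\n\r ]+/s",$voucher);
		$voucher = $a_vouchers[0];
		$attr = array( 'voucher' => 1,
				'session_timeout' => $timecredit*60,
				'session_terminate_time' => 0);
		if (portal_allow($clientip, $clientmac,$voucher,null,$attr)) {
			// YES: user is good for $timecredit minutes.
			captiveportal_logportalauth($voucher,$clientmac,$clientip,"Voucher login good for $timecredit min.");
		} else {
			portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg);
		}
	} else if (-1 == $timecredit) {  // valid but expired
		captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE","voucher expired");
		portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg);
	} else {
		captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE");
		portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgnoaccess'] ? $config['voucher'][$cpzone]['msgnoaccess'] : $errormsg);
	}

} else if ($_POST['accept'] && $radius_enable) {
	if (($_POST['auth_user'] && isset($_POST['auth_pass'])) || ($_POST['auth_user2'] && isset($_POST['auth_pass2']))) {
		/* The first credential pair wins when both are submitted. */
		if (!empty($_POST['auth_user'])) {
			$user = $_POST['auth_user'];
			$paswd = $_POST['auth_pass'];
		} else if (!empty($_POST['auth_user2'])) {
			$user = $_POST['auth_user2'];
			$paswd = $_POST['auth_pass2'];
		}
		$auth_list = radius($user,$paswd,$clientip,$clientmac,"USER LOGIN", $radiusctx);
		$type = "error";
		/* A redirection URL returned by the RADIUS exchange overrides the redirect target chosen earlier. */
		if (!empty($auth_list['url_redirection'])) {
			$redirurl = $auth_list['url_redirection'];
			$type = "redir";
		}

		/*
		 * Only auth_val 1 (logged as ERROR) and 3 (logged as FAILURE) produce
		 * a reply here. NOTE(review): any other value sends nothing from this
		 * file; presumably radius() has already answered the client - confirm.
		 */
		if ($auth_list['auth_val'] == 1) {
			captiveportal_logportalauth($user,$clientmac,$clientip,"ERROR",$auth_list['error']);
			portal_reply_page($redirurl, $type, $auth_list['error'] ? $auth_list['error'] : $errormsg);
		} else if ($auth_list['auth_val'] == 3) {
			captiveportal_logportalauth($user,$clientmac,$clientip,"FAILURE",$auth_list['reply_message']);
			portal_reply_page($redirurl, $type, $auth_list['reply_message'] ? $auth_list['reply_message'] : $errormsg);
		}
	} else {
		/* Incomplete credentials: log under whichever username was supplied, if any. */
		if (!empty($_POST['auth_user']))
			$user = $_POST['auth_user'];
		else if (!empty($_POST['auth_user2']))
			$user = $_POST['auth_user2'];
		else
			$user = 'unknown';
		captiveportal_logportalauth($user ,$clientmac,$clientip,"ERROR");
		portal_reply_page($redirurl, "error", $errormsg);
	}

} else if ($_POST['accept'] && $cpcfg['auth_method'] == "local") {
	if ($_POST['auth_user'] && $_POST['auth_pass']) {
		//check against local user manager
		$loginok = local_backed($_POST['auth_user'], $_POST['auth_pass']);

		/* With localauth_priv set, a correct password is not enough: the user must also hold the portal login privilege. */
		if ($loginok && isset($cpcfg['localauth_priv']))
			$loginok = userHasPrivilege(getUserEntry($_POST['auth_user']), "user-services-captiveportal-login");

		if ($loginok){
			captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
			portal_allow($clientip, $clientmac,$_POST['auth_user']);
		} else {
			/* Same generic message for a bad password and a missing privilege. */
			captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
			portal_reply_page($redirurl, "error", $errormsg);
		}
	} else
		portal_reply_page($redirurl, "error", $errormsg);

} else if ($_POST['accept'] && $clientip && $cpcfg['auth_method'] == "none") {
	/* Click-through zone: accepting the page is all that is required. */
	captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
	portal_allow($clientip, $clientmac, "unauthenticated");

} else {
	/* display captive portal page */
	portal_reply_page($redirurl, "login",null,$clientmac,$clientip);
}

ob_flush();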
244 03552507 Erik Fonnesbeck
245 60b66b60 Ermal
?>