<?php
/*
 * authgui.inc
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
 * Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
 * Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>
 * Copyright (c) 2004-2018 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * WebGUI authentication / authorization front-end.
 *
 * Top-level flow of this file:
 *   1. session_auth() must succeed, otherwise the login form is rendered and
 *      the script exits.
 *   2. The page list the user may access is looked up and, if the requested
 *      URI is not in it, the browser is redirected to the first allowed page
 *      (or an error page is shown when the list is empty) and the script exits.
 *   3. The session is closed (phpsession_end) so the including page runs
 *      without holding the session lock.
 *
 * session_auth(), getAllowedPages(), isAllowedPage(), get_user_settings(),
 * phpsession_begin()/phpsession_end(), pfSenseHeader() and log_error() are
 * not defined in this file; they come from the includes below (and from
 * functions.inc, required on demand). display_error_form() and
 * display_login_form() are declared further down in this file; PHP hoists
 * unconditional function declarations, so calling them from here is fine.
 */
include_once("auth.inc");
include_once("priv.inc");
if (!function_exists('platform_booting')) {
	require_once('globals.inc');
}
require_once('pfsense-utils.inc');

/* Authenticate user - exit if failed */
// Nothing below this point runs for an unauthenticated request: the login
// form is emitted and the script terminates.
if (!session_auth()) {
	display_login_form();
	exit;
}

// Session data ($_SESSION['Username'], ...) is only available after this call.
phpsession_begin();

/*
 * Once here, the user has authenticated with the web server.
 * We give them access only to the appropriate pages based on
 * the user or group privileges.
 */
$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']);

/*
 * Get user-based preference settings so they can be easily referenced.
 */
$user_settings = get_user_settings($_SESSION['Username']);

/*
 * redirect to first allowed page if requesting a wrong url
 */

/* Fix this up otherwise the privilege check will fail. See Redmine #5909. */
// A bare "/" is normalised to "/index.php" before the privilege match below.
if ($_SERVER['REQUEST_URI'] == "/") {
	$_SERVER['REQUEST_URI'] = "/index.php";
}

if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
	if (count($allowedpages) > 0) {
		// The redirect target comes from the user's privilege list (a
		// server-side value, possibly a wildcard pattern with '*' stripped),
		// never from the request.
		$page = str_replace('*', '', $allowedpages[0]);
		$_SESSION['Post_Login'] = true;
		require_once("functions.inc");
		pfSenseHeader("/{$page}");

		// Audit trail: who (user@client address) tried to reach which script.
		// The log line is written after pfSenseHeader() and before exit.
		$username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
		if (!empty($_SERVER['REMOTE_ADDR'])) {
			$username .= '@' . $_SERVER['REMOTE_ADDR'];
		}
		log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}.");

		exit;
	} else {
		// add this so they don't get stuck on the logout page when they have no permissions.
		$_SESSION["Logged_In"] = false;
		// display_error_form() renders the page and returns; exit here.
		display_error_form("201", gettext("No page assigned to this user! Click here to logout."));

		exit;
	}
} else {
	$_SESSION['Post_Login'] = true;
}

/*
 * redirect browsers post-login to avoid pages
 * taking action in response to a POST request
 */
/*
 * NOTE(review): every path through the block above either exits or sets
 * $_SESSION['Post_Login'] to true, so as written this redirect is never
 * taken from this file. Kept as-is; confirm before relying on it.
 */
if (!$_SESSION['Post_Login']) {
	$_SESSION['Post_Login'] = true;
	require_once("functions.inc");
	pfSenseHeader($_SERVER['REQUEST_URI']);
	exit;
}

/*
 * Close session data to allow other scripts from same host to come in.
 * A session can be reactivated from calling phpsession_begin again
 */
phpsession_end(true);
/*
 * Render an error page (or a one-line text message for AJAX callers) and
 * return. This function never exits and never sends an HTTP status header;
 * the caller is responsible for both (see the call site above).
 *
 * $http_code - code string shown in the AJAX text response only (the call
 *              site above passes "201"); it is not used on the HTML page.
 * $desc      - description shown as the text of the logout link. It is
 *              emitted without HTML escaping, so it must be trusted,
 *              server-generated text (the call site above passes a gettext()
 *              string) and never request-derived data.
 */
function display_error_form($http_code, $desc) {
	global $config, $user_settings, $g;	// declared but not read in this function

	if (isAjax()) {
		// AJAX requests get a plain text line instead of the HTML page.
		printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc);
		return;
	}

	// Background colour of the page body on the error page (dark red).
	$logincssfile = "#770101";
?>

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta name="viewport" content="width=device-width, initial-scale=1">
	    <link rel="stylesheet" href="/vendor/bootstrap/css/bootstrap.min.css" type="text/css">
	    <link rel="stylesheet" href="/css/login.css?v=<?=filemtime('/usr/local/www/css/login.css')?>" type="text/css">
		<title><?=gettext("Error"); ?></title>
	</head>

	<body id="error" >
		<div id="total">
			<header>
				<div id="headerrow">
					<div class="row">
						<div class="col-sm-4">
							<div id="logodiv" style="text-align:center" class="nowarning">
								<?php include("/usr/local/www/logo.svg"); ?>
							</div>
						</div>
						<div class="col-sm-8 nowarning msgbox text-center">
							<span id="hostspan">
							</span>
						</div>
					</div>
				</div>
			</header>

			<div style="background: <?=$logincssfile?>;" class="pagebody">
				<div class="col-sm-2"></div>

				<div class="col-sm-8 offset-md-4 logoCol">
					<div class="loginCont center-block error-panel">
						<a href="index.php?logout"><?=$desc;?></a>
					</div>
				</div>

			<div class="col-sm-2"></div>
			</div>

			<footer id="3">
			<div id="footertext">
					<p class="text-muted">
						<a target="_blank" href="https://www.pfsense.org/?gui=bootstrap">pfSense</a> is &copy;
						2004 - 2018 by <a href="https://pfsense.org/license" class="tblnk">Rubicon Communications, LLC (Netgate)</a>. All Rights Reserved.
						[<a href="/license.php" class="tblnk">view license</a>]
					</p>
				</div>
			</footer>
		</div>
	</body>
</html>

<?php

} // end function
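/*
 * Render the login page and return (the caller exits afterwards). For AJAX
 * requests it prints a short status message plus "SESSION_TIMEOUT" and exits
 * itself.
 *
 * Before rendering, the Host header is compared with the addresses configured
 * on this router ($FilterIflist interface IPv4/IPv6 addresses and VIPs, then
 * the OpenVPN server tunnel networks). When the request arrived through an IP
 * address that is not ours, the page shows a warning that the WebGUI may be
 * reached through NAT or a man-in-the-middle, unless
 * $config['system']['webgui']['nohttpreferercheck'] is set.
 *
 * Fix: the Host header is now reduced to a bare host before the comparison
 * (":port" suffix stripped from hostnames/IPv4 literals, brackets and port
 * stripped from IPv6 literals). The previous code had both branches of its
 * port-stripping condition produce the unmodified header, so a forwarded
 * request such as 203.0.113.5:8443 (constructed example) could never match
 * anything and the warning could not trigger for port-forwarded access.
 */
function display_login_form() {
	require_once("globals.inc");
	global $config, $g;

	if (isAjax()) {
		// AJAX callers receive JavaScript snippets / a status token, not HTML.
		if (isset($_POST['login'])) {
			if ($_SESSION['Logged_In'] <> "True") {
				isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = gettext("unknown reason");
				// NOTE(review): $login_error is interpolated into a JS string
				// literal without escaping. It is set elsewhere (auth.inc); it
				// must stay a plain server-side message — confirm no request
				// data can reach it.
				printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error);
			}
			if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
				// TODO: add the IP from the user who did lock the device
				$whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
				printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom);
			}
		}
		//If session ended
		echo "SESSION_TIMEOUT";
		exit;
	}

	/* Check against locally configured IP addresses, which will catch when someone
	   port forwards WebGUI access from WAN to an internal IP on the router. */
	global $FilterIflist, $nifty_background;

	$local_ip = false;

	/*
	 * Reduce the Host header to a bare host for comparison with the configured
	 * addresses:
	 *   "[2001:db8::1]:443" / "[2001:db8::1]" -> "2001:db8::1"
	 *   "192.0.2.1:8443" / "fw.example:8443"  -> "192.0.2.1" / "fw.example"
	 * A header with several colons and no brackets is left untouched.
	 * (Addresses above are constructed documentation examples.)
	 */
	$http_host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
	if (substr($http_host, 0, 1) === '[') {
		$bracket = strpos($http_host, ']');
		if ($bracket !== false) {
			$http_host = substr($http_host, 1, $bracket - 1);
		}
	} else if (substr_count($http_host, ':') === 1) {
		$http_host = strstr($http_host, ':', true);
	}

	if (empty($FilterIflist)) {
		// $FilterIflist is built by filter.inc; load it on demand.
		require_once('filter.inc');
		require_once('shaper.inc');
		filter_generate_optcfg_array();
	}

	// Interface addresses (v4 and v6) and their virtual IPs.
	foreach ($FilterIflist as $iflist) {
		if ($iflist['ip'] == $http_host) {
			$local_ip = true;
		} else if ($iflist['ipv6'] == $http_host) {
			$local_ip = true;
		} else if (is_array($iflist['vips'])) {
			foreach ($iflist['vips'] as $vip) {
				if ($vip['ip'] == $http_host) {
					$local_ip = true;
					break;
				}
			}

			unset($vip);
		}

		if ($local_ip == true) {
			break;
		}
	}

	unset($FilterIflist);
	unset($iflist);

	// An address inside an OpenVPN server tunnel network also counts as local.
	if ($local_ip == false) {
		if (is_array($config['openvpn']['openvpn-server'])) {
			foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
				if (is_ipaddrv4($http_host) && !empty($ovpns['tunnel_network']) && ip_in_subnet($http_host, $ovpns['tunnel_network'])) {
					$local_ip = true;
				} else if (is_ipaddrv6($http_host) && !empty($ovpns['tunnel_networkv6']) && ip_in_subnet($http_host, $ovpns['tunnel_networkv6'])) {
					$local_ip = true;
				}

				if ($local_ip == true) {
					break;
				}
			}
		}
	}

	// For the login form, get the settings of no particular user.
	// That ensures we will use the system default theme for the login form.
	$user_settings = get_user_settings("");

	// Default login page background colour (dark blue).
	$logincssfile = "#1e3f75";

	// Admin-configured background colour: accepted only as exactly six hex
	// digits, because the value is written verbatim into a style attribute
	// below. Anything else keeps the default.
	if (isset($user_settings['webgui']['logincss']) &&
	    strlen($user_settings['webgui']['logincss']) == 6 &&
	    ctype_xdigit($user_settings['webgui']['logincss'])) {
		$logincssfile = "#" . $user_settings['webgui']['logincss'];
	}

	// Banner text: either "hostname.domain" (HTML-escaped, both come from the
	// configuration) or a generic "Login to <product>" line.
	if (isset($config['system']['webgui']['loginshowhost'])) {
		$loginbannerstr = sprintf(gettext('%1$s.%2$s'), htmlspecialchars($config['system']['hostname']), htmlspecialchars($config['system']['domain']));
	} else {
		$loginbannerstr = sprintf(gettext('Login to %1$s'), $g['product_name']);
	}

	// Browser autocomplete on the credential fields is off unless the admin
	// explicitly enabled it.
	$loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"';

	// Show the "not configured locally" warning only when the Host header is a
	// literal IP address that matched none of the addresses above.
	if (is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) {
		$warnclass = "pagebodywarn";	// Make room for a warning display row
	} else {
		$warnclass = "pagebody";
	}
?>
<!DOCTYPE html>
<html lang="en">
	<head>
		<meta name="viewport" content="width=device-width, initial-scale=1">
	    <link rel="stylesheet" href="/vendor/bootstrap/css/bootstrap.min.css" type="text/css">
	    <link rel="stylesheet" href="/css/login.css?v=<?=filemtime('/usr/local/www/css/login.css')?>" type="text/css">
		<title><?=gettext("Login"); ?></title>
		<script type="text/javascript">
			//<![CDATA{
			var events = events || [];
			//]]>
		</script>
	</head>

	<body id="login" >
		<div id="total">
			<header>
				<div id="headerrow">
					<div class="row">
						<!-- Header left logo box -->
						<div class="col-sm-4">
							<div id="logodiv" style="text-align:center" class="nowarning">
								<?php include("/usr/local/www/logo.svg"); ?>
							</div>
						</div>

						<!-- Header center message box -->
						<div class="col-sm-4 nowarning msgbox text-center text-danger">
<?php
						// Login failure message after a submitted form.
						// NOTE(review): $_SESSION['Login_Error'] is printed
						// unescaped; it is set in auth.inc and is expected to be a
						// plain server-side message — confirm it never carries
						// request-derived text.
						if (!empty($_POST['usernamefld'])) {
							print("<h4>" . $_SESSION['Login_Error'] . "</h4>");
						}
?>
						</div>

						<!-- Header right message box (hostname or msg)-->
						<div class="col-sm-4 nowarning msgbox text-center">
							<span id="hostspan">
								<a><h4><?=$loginbannerstr?></h4></a>
							</span>
						</div>
					</div>
<?php
	if ($warnclass == "pagebodywarn") {
?>
					<div class="row">
						<div class="col-sm-12">
							<div class="alert alert-warning <?=$warnclass?>">
								<?=gettext("The IP address being used to access this router is not configured locally, which may be forwarded by NAT or other means.
								If this forwarding is unexpected, it should be verified that a man-in-the-middle attack is not taking place.")?>
							</div>
						</div>
					</div>
<?php
	}
?>
	            </div>
	        </header>

	        <div style="background: <?=$logincssfile?>;" class="<?=$warnclass?>">
	        	<div class="col-sm-4"></div>

	        	<div class="col-sm-4 offset-md-4 logoCol">
					<div class="loginCont center-block">
		                <form method="post" <?=$loginautocomplete?> class="login">
			                <p class="form-title">Sign In</p>
			                <input name="usernamefld" id="usernamefld" type="text" placeholder="Username" autocorrect="off" autocapitalize="none"/>
			                <input name="passwordfld" id="passwordfld" type="password" placeholder="Password" />
			                <input type="submit" name="login" value="Sign In" class="btn btn-success btn-sm" />
		                </form>
					</div>
	            </div>

	        	<div class="col-sm-4"></div>
	        </div>

	        <footer id="3">
	            <div id="footertext">
					<p class="text-muted">
						<a target="_blank" href="https://www.pfsense.org/?gui=bootstrap">pfSense</a> is &copy;
						2004 - 2018 by <a href="https://pfsense.org/license" class="tblnk">Rubicon Communications, LLC (Netgate)</a>. All Rights Reserved.
						[<a href="/license.php" class="tblnk">view license</a>]
					</p>
	            </div>
	        </footer>
	    </div>

		<script src="/vendor/jquery/jquery-1.12.0.min.js?v=<?=filemtime('/usr/local/www/vendor/jquery/jquery-1.12.0.min.js')?>"></script>
		<script src="/vendor/bootstrap/js/bootstrap.min.js?v=<?=filemtime('/usr/local/www/vendor/bootstrap/js/bootstrap.min.js')?>"></script>
		<script src="/js/pfSense.js?v=<?=filemtime('/usr/local/www/js/pfSense.js')?>"></script>

		<script type="text/javascript">
		//!<[CDATA[
		events.push(function() {
			document.cookie=
				"cookie_test=1" +
				"<?php echo $config['system']['webgui']['protocol'] == 'https' ? '; secure' : '';?>";

			if (document.cookie.indexOf("cookie_test") == -1) {
				alert("<?=gettext('The browser must support cookies to login.')?>");
			}

			// Delete it
			document.cookie = "cookie_test=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";
		});
		//]]>
		</script>

	</body>
</html>

<?php
} // end function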