|
1
|
<?php
|
|
2
|
/*
|
|
3
|
* authgui.inc
|
|
4
|
*
|
|
5
|
* part of pfSense (https://www.pfsense.org)
|
|
6
|
* Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
|
|
7
|
* Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
|
|
8
|
* Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>
|
|
9
|
* Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
|
|
10
|
* All rights reserved.
|
|
11
|
*
|
|
12
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
13
|
* you may not use this file except in compliance with the License.
|
|
14
|
* You may obtain a copy of the License at
|
|
15
|
*
|
|
16
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
17
|
*
|
|
18
|
* Unless required by applicable law or agreed to in writing, software
|
|
19
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
20
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
21
|
* See the License for the specific language governing permissions and
|
|
22
|
* limitations under the License.
|
|
23
|
*/
|
|
24
|
|
|
25
|
include_once("auth.inc");
|
|
26
|
include_once("priv.inc");
|
|
27
|
if (!function_exists('platform_booting')) {
|
|
28
|
require_once('globals.inc');
|
|
29
|
}
|
|
30
|
require_once('pfsense-utils.inc');
|
|
31
|
|
|
32
|
/* Authenticate user - exit if failed */
|
|
33
|
if (!session_auth()) {
|
|
34
|
display_login_form();
|
|
35
|
exit;
|
|
36
|
}
|
|
37
|
phpsession_begin();
|
|
38
|
/*
|
|
39
|
* Once here, the user has authenticated with the web server.
|
|
40
|
* We give them access only to the appropriate pages based on
|
|
41
|
* the user or group privileges.
|
|
42
|
*/
|
|
43
|
$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']);
|
|
44
|
|
|
45
|
/*
|
|
46
|
* Get user-based preference settings so they can be easily referenced.
|
|
47
|
*/
|
|
48
|
$user_settings = get_user_settings($_SESSION['Username']);
|
|
49
|
|
|
50
|
/*
|
|
51
|
* redirect to first allowed page if requesting a wrong url
|
|
52
|
*/
|
|
53
|
|
|
54
|
/* Fix this up otherwise the privilege check will fail. See Redmine #5909. */
|
|
55
|
if ($_SERVER['REQUEST_URI'] == "/") {
|
|
56
|
$_SERVER['REQUEST_URI'] = "/index.php";
|
|
57
|
}
|
|
58
|
|
|
59
|
if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
|
|
60
|
if (count($allowedpages) > 0) {
|
|
61
|
$page = str_replace('*', '', $allowedpages[0]);
|
|
62
|
$_SESSION['Post_Login'] = true;
|
|
63
|
require_once("functions.inc");
|
|
64
|
pfSenseHeader("/{$page}");
|
|
65
|
|
|
66
|
$username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
|
|
67
|
if (!empty($_SERVER['REMOTE_ADDR'])) {
|
|
68
|
$username .= '@' . $_SERVER['REMOTE_ADDR'];
|
|
69
|
}
|
|
70
|
log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}.");
|
|
71
|
|
|
72
|
exit;
|
|
73
|
} else {
|
|
74
|
display_error_form("201", gettext("No page assigned to this user! Click here to logout."));
|
|
75
|
exit;
|
|
76
|
}
|
|
77
|
} else {
|
|
78
|
$_SESSION['Post_Login'] = true;
|
|
79
|
}
|
|
80
|
|
|
81
|
/*
|
|
82
|
* redirect browsers post-login to avoid pages
|
|
83
|
* taking action in response to a POST request
|
|
84
|
*/
|
|
85
|
if (!$_SESSION['Post_Login']) {
|
|
86
|
$_SESSION['Post_Login'] = true;
|
|
87
|
require_once("functions.inc");
|
|
88
|
pfSenseHeader($_SERVER['REQUEST_URI']);
|
|
89
|
exit;
|
|
90
|
}
|
|
91
|
|
|
92
|
/*
|
|
93
|
* Close session data to allow other scripts from same host to come in.
|
|
94
|
* A session can be reactivated from calling phpsession_begin again
|
|
95
|
*/
|
|
96
|
phpsession_end(true);
|
|
97
|
|
|
98
|
/*
|
|
99
|
* determine if the user is allowed access to the requested page
|
|
100
|
*/
|
|
101
|
function display_error_form($http_code, $desc) {
|
|
102
|
global $config, $user_settings, $g;
|
|
103
|
|
|
104
|
if (isAjax()) {
|
|
105
|
printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc);
|
|
106
|
return;
|
|
107
|
}
|
|
108
|
|
|
109
|
$cssfile = "/css/pfSense.css";
|
|
110
|
|
|
111
|
if (isset($user_settings['webgui']['webguicss'])) {
|
|
112
|
if (file_exists("/usr/local/www/css/" . $user_settings['webgui']['webguicss'])) {
|
|
113
|
$cssfile = "/css/" . $user_settings['webgui']['webguicss'];
|
|
114
|
}
|
|
115
|
}
|
|
116
|
|
|
117
|
?>
|
|
118
|
<!DOCTYPE html>
|
|
119
|
<html lang="en">
|
|
120
|
<head>
|
|
121
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
122
|
<link rel="stylesheet" href="<?=$cssfile?>" />
|
|
123
|
<title><?=gettext("Error: not allowed"); ?></title>
|
|
124
|
</head>
|
|
125
|
<body id="error" class="no-menu">
|
|
126
|
<div id="jumbotron">
|
|
127
|
<div class="container">
|
|
128
|
<div class="col-sm-offset-3 col-sm-6 col-xs-12">
|
|
129
|
<!-- FIXME: We really need to POST the logout action -->
|
|
130
|
<div class="alert alert-danger" role="alert"><a href="index.php?logout"><?=$desc;?></a></div>
|
|
131
|
</div>
|
|
132
|
</div>
|
|
133
|
</div>
|
|
134
|
</body>
|
|
135
|
</html>
|
|
136
|
<?php
|
|
137
|
|
|
138
|
} // end function
|
|
139
|
|
|
140
|
|
|
141
|
function display_login_form() {
|
|
142
|
require_once("globals.inc");
|
|
143
|
global $config, $g;
|
|
144
|
|
|
145
|
unset($input_errors);
|
|
146
|
|
|
147
|
if (isAjax()) {
|
|
148
|
if (isset($_POST['login'])) {
|
|
149
|
if ($_SESSION['Logged_In'] <> "True") {
|
|
150
|
isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = gettext("unknown reason");
|
|
151
|
printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error);
|
|
152
|
}
|
|
153
|
if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
|
|
154
|
// TODO: add the IP from the user who did lock the device
|
|
155
|
$whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
|
|
156
|
printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom);
|
|
157
|
}
|
|
158
|
}
|
|
159
|
exit;
|
|
160
|
}
|
|
161
|
|
|
162
|
/* Check against locally configured IP addresses, which will catch when someone
|
|
163
|
port forwards WebGUI access from WAN to an internal IP on the router. */
|
|
164
|
global $FilterIflist, $nifty_background;
|
|
165
|
|
|
166
|
$local_ip = false;
|
|
167
|
|
|
168
|
if (strpos($_SERVER['HTTP_HOST'], ":") === FALSE) {
|
|
169
|
$http_host_port = explode(":", $_SERVER['HTTP_HOST']);
|
|
170
|
$http_host = $http_host_port[0];
|
|
171
|
} else {
|
|
172
|
$http_host = $_SERVER['HTTP_HOST'];
|
|
173
|
}
|
|
174
|
|
|
175
|
if (empty($FilterIflist)) {
|
|
176
|
require_once('filter.inc');
|
|
177
|
require_once('shaper.inc');
|
|
178
|
filter_generate_optcfg_array();
|
|
179
|
}
|
|
180
|
|
|
181
|
foreach ($FilterIflist as $iflist) {
|
|
182
|
if ($iflist['ip'] == $http_host) {
|
|
183
|
$local_ip = true;
|
|
184
|
} else if ($iflist['ipv6'] == $http_host) {
|
|
185
|
$local_ip = true;
|
|
186
|
} else if (is_array($iflist['vips'])) {
|
|
187
|
foreach ($iflist['vips'] as $vip) {
|
|
188
|
if ($vip['ip'] == $http_host) {
|
|
189
|
$local_ip = true;
|
|
190
|
break;
|
|
191
|
}
|
|
192
|
}
|
|
193
|
|
|
194
|
unset($vip);
|
|
195
|
}
|
|
196
|
|
|
197
|
if ($local_ip == true) {
|
|
198
|
break;
|
|
199
|
}
|
|
200
|
}
|
|
201
|
|
|
202
|
unset($FilterIflist);
|
|
203
|
unset($iflist);
|
|
204
|
|
|
205
|
if ($local_ip == false) {
|
|
206
|
if (is_array($config['openvpn']['openvpn-server'])) {
|
|
207
|
foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
|
|
208
|
if (is_ipaddrv4($http_host) && !empty($ovpns['tunnel_network']) && ip_in_subnet($http_host, $ovpns['tunnel_network'])) {
|
|
209
|
$local_ip = true;
|
|
210
|
} else if (is_ipaddrv6($http_host) && !empty($ovpns['tunnel_networkv6']) && ip_in_subnet($http_host, $ovpns['tunnel_networkv6'])) {
|
|
211
|
$local_ip = true;
|
|
212
|
}
|
|
213
|
|
|
214
|
if ($local_ip == true) {
|
|
215
|
break;
|
|
216
|
}
|
|
217
|
}
|
|
218
|
}
|
|
219
|
}
|
|
220
|
|
|
221
|
// For the login form, get the settings of no particular user.
|
|
222
|
// That ensures we will use the system default theme for the login form.
|
|
223
|
$user_settings = get_user_settings("");
|
|
224
|
$cssfile = "/css/pfSense.css";
|
|
225
|
|
|
226
|
if (isset($user_settings['webgui']['webguicss'])) {
|
|
227
|
if (file_exists("/usr/local/www/css/" . $user_settings['webgui']['webguicss'])) {
|
|
228
|
$cssfile = "/css/" . $user_settings['webgui']['webguicss'];
|
|
229
|
}
|
|
230
|
}
|
|
231
|
|
|
232
|
$logincssfile = "#1e3f75";
|
|
233
|
|
|
234
|
if (isset($user_settings['webgui']['logincss']) && strlen($user_settings['webgui']['logincss']) == 6) {
|
|
235
|
$logincssfile = "#" . $user_settings['webgui']['logincss'];
|
|
236
|
}
|
|
237
|
|
|
238
|
if (isset($config['system']['webgui']['loginshowhost'])) {
|
|
239
|
$loginbannerstr = sprintf(gettext('%1$s.%2$s'), htmlspecialchars($config['system']['hostname']), htmlspecialchars($config['system']['domain']));
|
|
240
|
} else {
|
|
241
|
$loginbannerstr = sprintf(gettext('Login to %1$s'), $g['product_name']);
|
|
242
|
}
|
|
243
|
|
|
244
|
$loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"';
|
|
245
|
|
|
246
|
|
|
247
|
?>
|
|
248
|
<!DOCTYPE html>
|
|
249
|
<html lang="en">
|
|
250
|
<head>
|
|
251
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
252
|
<link rel="stylesheet" href="vendor/bootstrap/css/bootstrap.min.css" type="text/css">
|
|
253
|
<link rel="stylesheet" href="css/login.css" type="text/css">
|
|
254
|
<title><?=gettext("Login"); ?></title>
|
|
255
|
<script type="text/javascript">
|
|
256
|
//<![CDATA{
|
|
257
|
var events = events || [];
|
|
258
|
//]]>
|
|
259
|
</script>
|
|
260
|
</head>
|
|
261
|
|
|
262
|
<body id="login" >
|
|
263
|
<div id="total">
|
|
264
|
<header id="1">
|
|
265
|
<div id="a">
|
|
266
|
<div class="row ">
|
|
267
|
<div class="col-sm-4">
|
|
268
|
<div id="logodiv" style="text-align:center" class="bbbb">
|
|
269
|
<img src="pfsense-trans.png" height="100%"/>
|
|
270
|
</div>
|
|
271
|
</div>
|
|
272
|
|
|
273
|
<div class="col-sm-8 bbbb msgbox text-center">
|
|
274
|
<span id="hostspan">
|
|
275
|
<a><h4>pfsense.local.com</h4></a>
|
|
276
|
</span
|
|
277
|
</div>
|
|
278
|
|
|
279
|
<!--
|
|
280
|
<div class="col-sm-8 bbbb msgbox text-center">
|
|
281
|
<div class="alert alert-warning">
|
|
282
|
The IP address being used to access this router is not configured locally, which may be forwarded by NAT or other means. If this forwarding is unexpected, it should be verified that a man-in-the-middle attack is not taking place.
|
|
283
|
</div>
|
|
284
|
</div>
|
|
285
|
-->
|
|
286
|
<!--
|
|
287
|
<div class="col-sm-4 text-center bbbb" style="padding-top: 2%">
|
|
288
|
<a><h4>something.pfsense.com</h4></a>
|
|
289
|
</div>
|
|
290
|
-->
|
|
291
|
</div>
|
|
292
|
</div>
|
|
293
|
</header>
|
|
294
|
|
|
295
|
<div id="bb" style="background: <?=$logincssfile?>;">
|
|
296
|
<div class="col-sm-4">
|
|
297
|
</div>
|
|
298
|
|
|
299
|
<div class="col-sm-4 logoCol">
|
|
300
|
<div class="loginCont center-block">
|
|
301
|
<p class="form-title">
|
|
302
|
Sign In
|
|
303
|
</p>
|
|
304
|
|
|
305
|
<form method="post" class="login">
|
|
306
|
<input name="usernamefld" id="usernamefld" type="text" placeholder="Username" />
|
|
307
|
<input name="passwordfld" id="passwordfld" type="password" placeholder="Password" />
|
|
308
|
<input type="submit" name="login" value="Sign In" class="btn btn-success btn-sm" />
|
|
309
|
</form>
|
|
310
|
</div>
|
|
311
|
</div>
|
|
312
|
|
|
313
|
<div class="col-sm-4">
|
|
314
|
</div>
|
|
315
|
</div>
|
|
316
|
<footer id="3">
|
|
317
|
<div id="c">
|
|
318
|
<p class="text-muted">
|
|
319
|
<a target="_blank" href="https://www.pfsense.org/?gui=bootstrap">pfSense</a> is ©
|
|
320
|
2004 - 2017 by <a href="https://pfsense.org/license" class="tblnk">Rubicon Communications, LLC (Netgate)</a>. All Rights Reserved.
|
|
321
|
[<a href="/license.php" class="tblnk">view license</a>]
|
|
322
|
</p>
|
|
323
|
</div>
|
|
324
|
</footer>
|
|
325
|
</div>
|
|
326
|
|
|
327
|
<script src="/vendor/jquery/jquery-1.12.0.min.js?v=<?=filemtime('/usr/local/www/vendor/jquery/jquery-1.12.0.min.js')?>"></script>
|
|
328
|
<script src="/vendor/bootstrap/js/bootstrap.min.js?v=<?=filemtime('/usr/local/www/vendor/bootstrap/js/bootstrap.min.js')?>"></script>
|
|
329
|
<script src="/js/pfSense.js?v=<?=filemtime('/usr/local/www/js/pfSense.js')?>"></script>
|
|
330
|
|
|
331
|
<script type="text/javascript">
|
|
332
|
//!<[CDATA[
|
|
333
|
events.push(function() {
|
|
334
|
document.cookie=
|
|
335
|
"cookie_test=1" +
|
|
336
|
"<?php echo $config['system']['webgui']['protocol'] == 'https' ? '; secure' : '';?>";
|
|
337
|
|
|
338
|
if (document.cookie.indexOf("cookie_test") == -1) {
|
|
339
|
alert("<?=gettext('The browser must support cookies to login.')?>");
|
|
340
|
}
|
|
341
|
|
|
342
|
// Delete it
|
|
343
|
document.cookie = "cookie_test=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";
|
|
344
|
});
|
|
345
|
//]]>
|
|
346
|
</script>
|
|
347
|
|
|
348
|
</body>
|
|
349
|
</html>
|
|
350
|
<?php
|
|
351
|
|
|
352
|
} // end function
|
|
353
|
|