voucher.inc 16.2 KB
Newer Older
Ad Schellevis's avatar
Ad Schellevis committed
1
<?php
2

Ad Schellevis's avatar
Ad Schellevis committed
3
/*
4 5
    Copyright (C) 2010-2012 Ermal Luci <eri@pfsense.org>
    Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
Ad Schellevis's avatar
Ad Schellevis committed
6 7
    Copyright (C) 2007 Marcel Wiget <mwiget@mac.com>
    All rights reserved.
8

Ad Schellevis's avatar
Ad Schellevis committed
9 10
    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:
11

Ad Schellevis's avatar
Ad Schellevis committed
12 13
    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
14

Ad Schellevis's avatar
Ad Schellevis committed
15 16 17
    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
18

Ad Schellevis's avatar
Ad Schellevis committed
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.

*/

function voucher_expire($voucher_received) {
	global $g, $config, $cpzone;

35 36
	$cpdb = new OPNsense\CaptivePortal\DB($cpzone);
	$cpc = new OPNsense\CaptivePortal\CPClient();
37

Ad Schellevis's avatar
Ad Schellevis committed
38 39 40 41 42 43 44 45 46 47 48
	// read rolls into assoc array with rollid as key and minutes as value
	$tickets_per_roll = array();
	$minutes_per_roll = array();
	if (is_array($config['voucher'][$cpzone]['roll'])) {
		foreach ($config['voucher'][$cpzone]['roll'] as $rollent) {
			$tickets_per_roll[$rollent['number']] = $rollent['count'];
			$minutes_per_roll[$rollent['number']] = $rollent['minutes'];
		}
	}

	// split into an array. Useful for multiple vouchers given
49
	$a_vouchers_received = preg_split("/[\t\n\r ]+/s", $voucher_received);
Ad Schellevis's avatar
Ad Schellevis committed
50 51 52 53 54 55 56 57 58 59
	$active_dirty = false;

	// go through all received vouchers, check their valid and extract
	// Roll# and Ticket# using the external readvoucher binary
	foreach ($a_vouchers_received as $voucher) {
		$v = escapeshellarg($voucher);
		if (strlen($voucher) < 3)
			continue;   // seems too short to be a voucher!

		unset($output);
60
		$_gb = exec("/usr/local/bin/voucher -c /var/etc/voucher_{$cpzone}.cfg -k /var/etc/voucher_{$cpzone}.public -- $v", $output);
Ad Schellevis's avatar
Ad Schellevis committed
61 62
		list($status, $roll, $nr) = explode(" ", $output[0]);
		if ($status == "OK") {
63
			// check if we have this ticket on a registered roll for this ticket
Ad Schellevis's avatar
Ad Schellevis committed
64
			if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) {
65
				// voucher is from a registered roll.
Ad Schellevis's avatar
Ad Schellevis committed
66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83
				if (!isset($active_vouchers[$roll]))
					$active_vouchers[$roll] = voucher_read_active_db($roll);
				// valid voucher. Store roll# and ticket#
				if (!empty($active_vouchers[$roll][$voucher])) {
					$active_dirty = true;
					unset($active_vouchers[$roll][$voucher]);
				}
				// check if voucher already marked as used
				if (!isset($bitstring[$roll]))
					$bitstring[$roll] = voucher_read_used_db($roll);
				$pos = $nr >> 3; // divide by 8 -> octet
				$mask = 1 << ($nr % 8);
				// mark bit for this voucher as used
				if (!(ord($bitstring[$roll][$pos]) & $mask))
					$bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask);
				captiveportal_syslog("{$voucher} ({$roll}/{$nr}) forced to expire");

				/* Check if this voucher has any active sessions */
84 85 86
				$clients  = $cpdb->listClients(array("username"=>$voucher),null, null);
				foreach($clients as $client ){
					$cpc->disconnect($cpzone,$client->sessionid);
Ad Schellevis's avatar
Ad Schellevis committed
87
				}
88

Ad Schellevis's avatar
Ad Schellevis committed
89 90 91 92 93 94 95 96 97
			} else
				captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll");
		} else
			// hmm, thats weird ... not what I expected
			captiveportal_syslog("$voucher invalid: {$output[0]}!!");
	}

	// Refresh active DBs
	if ($active_dirty == true) {
98
		foreach ($active_vouchers as $roll => $active) {
Ad Schellevis's avatar
Ad Schellevis committed
99
			voucher_write_active_db($roll, $active);
100
		}
Ad Schellevis's avatar
Ad Schellevis committed
101 102
		unset($active_vouchers);

103 104
		/* trigger a sync of the vouchers on config */
		voucher_save_db_to_config();
Ad Schellevis's avatar
Ad Schellevis committed
105 106 107 108 109 110 111 112 113 114 115 116 117 118 119
	}

	// Write back the used DB's
	if (is_array($bitstring)) {
		foreach ($bitstring as $roll => $used) {
			if(is_array($used)) {
				foreach($used as $u)
					voucher_write_used_db($roll, base64_encode($u));
			} else {
				voucher_write_used_db($roll, base64_encode($used));
			}
		}
		unset($bitstring);
	}

120 121 122
	unset($cpdb);
	unset($cpc);

Ad Schellevis's avatar
Ad Schellevis committed
123 124 125 126

	return true;
}

127
/*
Ad Schellevis's avatar
Ad Schellevis committed
128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150
 * Authenticate a voucher and return the remaining time credit in minutes
 * if $test is set, don't mark the voucher as used nor add it to the list
 * of active vouchers
 * If $test is set, simply test the voucher. Don't change anything
 * but return a more verbose error and result message back
 */
function voucher_auth($voucher_received, $test = 0) {
	global $g, $config, $cpzone, $dbc;

	if (!isset($config['voucher'][$cpzone]['enable']))
		return 0;

	// read rolls into assoc array with rollid as key and minutes as value
	$tickets_per_roll = array();
	$minutes_per_roll = array();
	if (is_array($config['voucher'][$cpzone]['roll'])) {
		foreach ($config['voucher'][$cpzone]['roll'] as $rollent) {
			$tickets_per_roll[$rollent['number']] = $rollent['count'];
			$minutes_per_roll[$rollent['number']] = $rollent['minutes'];
		}
	}

	// split into an array. Useful for multiple vouchers given
151
	$a_vouchers_received = preg_split("/[\t\n\r ]+/s", $voucher_received);
Ad Schellevis's avatar
Ad Schellevis committed
152 153 154 155 156 157 158 159 160 161 162 163 164
	$error = 0;
	$test_result = array();     // used to display for voucher test option in GUI
	$total_minutes = 0;
	$first_voucher = "";
	$first_voucher_roll = 0;

	// go through all received vouchers, check their valid and extract
	// Roll# and Ticket# using the external readvoucher binary
	foreach ($a_vouchers_received as $voucher) {
		$v = escapeshellarg($voucher);
		if (strlen($voucher) < 3)
			continue;   // seems too short to be a voucher!

165
		$result = exec("/usr/local/bin/voucher -c /var/etc/voucher_{$cpzone}.cfg -k /var/etc/voucher_{$cpzone}.public -- $v");
Ad Schellevis's avatar
Ad Schellevis committed
166 167 168 169 170 171 172
		list($status, $roll, $nr) = explode(" ", $result);
		if ($status == "OK") {
			if (!$first_voucher) {
				// store first voucher. Thats the one we give the timecredit
				$first_voucher = $voucher;
				$first_voucher_roll = $roll;
			}
173
			// check if we have this ticket on a registered roll for this ticket
Ad Schellevis's avatar
Ad Schellevis committed
174
			if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) {
175
				// voucher is from a registered roll.
Ad Schellevis's avatar
Ad Schellevis committed
176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263
				if (!isset($active_vouchers[$roll]))
					$active_vouchers[$roll] = voucher_read_active_db($roll);
				// valid voucher. Store roll# and ticket#
				if (!empty($active_vouchers[$roll][$voucher])) {
					list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]);
					// we have an already active voucher here.
					$remaining = intval((($timestamp + (60*$minutes)) - time())/60);
					$test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) active and good for %4$d Minutes'), $voucher, $roll, $nr, $remaining);
					$total_minutes += $remaining;
				} else {
					// voucher not used. Check if ticket Id is on the roll (not too high)
					// and if the ticket is marked used.
					// check if voucher already marked as used
					if (!isset($bitstring[$roll]))
						$bitstring[$roll] = voucher_read_used_db($roll);
					$pos = $nr >> 3; // divide by 8 -> octet
					$mask = 1 << ($nr % 8);
					if (ord($bitstring[$roll][$pos]) & $mask) {
						$test_result[] = "$voucher ($roll/$nr) already used and expired";
						captiveportal_syslog("$voucher ($roll/$nr) already used and expired");
						$total_minutes = -1;    // voucher expired
						$error++;
					} else {
						// mark bit for this voucher as used
						$bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask);
						$test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes";
						$total_minutes += $minutes_per_roll[$roll];
					}
				}
			} else {
				$test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll";
				captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll");
			}
		} else {
			// hmm, thats weird ... not what I expected
			$test_result[] = "$voucher invalid: $result !!";
			captiveportal_syslog("$voucher invalid: $result !!");
			$error++;
		}
	}

	// if this was a test call, we're done. Return the result.
	if ($test) {
		if ($error) {
			$test_result[] = gettext("Access denied!");
		} else {
			$test_result[] = sprintf(gettext("Access granted for %d Minutes in total."),$total_minutes);
		}

		return $test_result;
	}

	// if we had an error (one of the vouchers is invalid), return 0.
	// Discussion: we could return the time remaining for good vouchers, but then
	// the user wouldn't know that he used at least one invalid voucher.
	if ($error) {
		if ($total_minutes > 0)     // probably not needed, but want to make sure
			$total_minutes = 0;     // we only report -1 (expired) or 0 (no access)
		return $total_minutes;       // well, at least one voucher had errors. Say NO ACCESS
	}

	// All given vouchers were valid and this isn't simply a test.
	// Write back the used DB's
	if (is_array($bitstring)) {
		foreach ($bitstring as $roll => $used) {
			if(is_array($used)) {
				foreach($used as $u)
					voucher_write_used_db($roll, base64_encode($u));
			} else {
				voucher_write_used_db($roll, base64_encode($used));
			}
		}
	}

	// Active DB: we only add the first voucher if multiple given
	// and give that one all the time credit. This allows the user to logout and
	// log in later using just the first voucher. It also keeps username limited
	// to one voucher and that voucher shows the correct time credit in 'active vouchers'
	if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) {
		list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]);
	} else {
		$timestamp = time();    // new voucher
		$minutes = $total_minutes;
	}

	$active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes";
	voucher_write_active_db($first_voucher_roll, $active_vouchers[$first_voucher_roll]);

264 265
	/* trigger a sync of the vouchers on config */
	voucher_save_db_to_config();
Ad Schellevis's avatar
Ad Schellevis committed
266 267 268 269

	return $total_minutes;
}

270 271 272
function voucher_configure($sync = false)
{
	global $config, $cpzone;
Ad Schellevis's avatar
Ad Schellevis committed
273

274 275
	$ret = true;

276
	if (!isset($config['voucher']) || !is_array($config['voucher'])) {
277 278 279 280 281 282 283 284
		return $ret;
	}

	foreach ($config['voucher'] as $voucherzone => $vcfg) {
		$cpzone = $voucherzone;
		$error = voucher_configure_zone($sync);
		if ($error) {
			$ret = false;
Ad Schellevis's avatar
Ad Schellevis committed
285 286
		}
	}
287 288

	return $ret;
Ad Schellevis's avatar
Ad Schellevis committed
289 290
}

291 292
function voucher_configure_zone($sync = false)
{
Ad Schellevis's avatar
Ad Schellevis committed
293 294
	global $config, $g, $cpzone;

295
	if (!isset($config['voucher'][$cpzone]['enable'])) {
Ad Schellevis's avatar
Ad Schellevis committed
296
		return 0;
297
	}
Ad Schellevis's avatar
Ad Schellevis committed
298 299 300

	$voucherlck = lock("voucher{$cpzone}", LOCK_EX);

301 302
	/* write public key used to verify vouchers */
	$pubkey = base64_decode($config['voucher'][$cpzone]['publickey']);
303
	$fd = fopen("/var/etc/voucher_{$cpzone}.public", "w");
304 305 306 307 308 309 310
	if (!$fd) {
		captiveportal_syslog("Voucher error: cannot write voucher.public\n");
		unlock($voucherlck);
		return 1;
	}
	fwrite($fd, $pubkey);
	fclose($fd);
311
	@chmod("/var/etc/voucher_{$cpzone}.public", 0600);
312 313

	/* write config file used by voucher binary to decode vouchers */
314
	$fd = fopen("/var/etc/voucher_{$cpzone}.cfg", "w");
315 316 317 318 319 320 321
	if (!$fd) {
		captiveportal_syslog(gettext("Error: cannot write voucher.cfg") . "\n");
		unlock($voucherlck);
		return 1;
	}
	fwrite($fd, "{$config['voucher'][$cpzone]['rollbits']},{$config['voucher'][$cpzone]['ticketbits']},{$config['voucher'][$cpzone]['checksumbits']},{$config['voucher'][$cpzone]['magic']},{$config['voucher'][$cpzone]['charset']}\n");
	fclose($fd);
322
	@chmod("/var/etc/voucher_{$cpzone}.cfg", 0600);
Ad Schellevis's avatar
Ad Schellevis committed
323 324
	unlock($voucherlck);

325 326 327 328 329
	if (!$sync) {
		return 0;
	}

	captiveportal_syslog('Writing voucher db from sync data...');
Ad Schellevis's avatar
Ad Schellevis committed
330

331
	if (isset($config['voucher'][$cpzone]['roll'])) {
Ad Schellevis's avatar
Ad Schellevis committed
332 333
		$voucherlck = lock("voucher{$cpzone}", LOCK_EX);

334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353
		// create active and used DB per roll on ramdisk from config
		foreach ($config['voucher'][$cpzone]['roll'] as $rollent) {
			$roll = $rollent['number'];
			voucher_write_used_db($roll, $rollent['used']);
			$minutes = $rollent['minutes'];
			$active_vouchers = array();
			$a_active = &$rollent['active'];
			if (is_array($a_active)) {
				foreach ($a_active as $activent) {
					$voucher = $activent['voucher'];
					$timestamp = $activent['timestamp'];
					$minutes = $activent['minutes'];
					// its tempting to check for expired timestamps, but during
					// bootup, we most likely don't have the correct time time.
					$active_vouchers[$voucher] = "$timestamp,$minutes";
				}
			}

			voucher_write_active_db($roll, $active_vouchers);
		}
Ad Schellevis's avatar
Ad Schellevis committed
354 355

		unlock($voucherlck);
356
	}
Ad Schellevis's avatar
Ad Schellevis committed
357 358 359 360

	return 0;
}

361
/* write bitstring of used vouchers to ramdisk.
Ad Schellevis's avatar
Ad Schellevis committed
362 363
 * Bitstring must already be base64_encoded!
 */
364 365 366 367 368
function voucher_write_used_db($roll, $vdb)
{
	global $cpzone;

	$fn = "/var/db/voucher_{$cpzone}_used_{$roll}.db";
Ad Schellevis's avatar
Ad Schellevis committed
369

370
	$fd = fopen($fn, 'w');
Ad Schellevis's avatar
Ad Schellevis committed
371 372 373
	if ($fd) {
		fwrite($fd, $vdb . "\n");
		fclose($fd);
374 375 376
	} else {
		voucher_log(LOG_ERR, sprintf(gettext('Can\'t write %s'), $fn));
	}
Ad Schellevis's avatar
Ad Schellevis committed
377 378 379
}

/* return assoc array of active vouchers with activation timestamp
380
 * voucher is index.
Ad Schellevis's avatar
Ad Schellevis committed
381 382 383 384 385 386
 */
function voucher_read_active_db($roll) {
	global $g, $cpzone;

	$active = array();
	$dirty = 0;
387
	$file = "/var/db/voucher_{$cpzone}_active_{$roll}.db";
Ad Schellevis's avatar
Ad Schellevis committed
388 389 390 391 392 393 394 395 396 397 398 399 400 401
	if (file_exists($file)) {
		$fd = fopen($file, "r");
		if ($fd) {
			while (!feof($fd)) {
				$line = trim(fgets($fd));
				if ($line) {
					list($voucher,$timestamp,$minutes) = explode(",", $line); // voucher,timestamp
					if ((($timestamp + (60*$minutes)) - time()) > 0)
						$active[$voucher] = "$timestamp,$minutes";
					else
						$dirty=1;
				}
			}
			fclose($fd);
402 403
			if ($dirty) {
				/* if we found expired entries, lets save our snapshot */
Ad Schellevis's avatar
Ad Schellevis committed
404
				voucher_write_active_db($roll, $active);
405 406
				/* trigger a sync of the vouchers on config */
				voucher_save_db_to_config();
Ad Schellevis's avatar
Ad Schellevis committed
407 408 409 410 411 412 413 414 415 416 417 418
			}
		}
	}
	return $active;
}

/* store array of active vouchers back to DB */
function voucher_write_active_db($roll, $active) {
    global $g, $cpzone;

	if (!is_array($active))
		return;
419
    $fd = fopen("/var/db/voucher_{$cpzone}_active_{$roll}.db", "w");
Ad Schellevis's avatar
Ad Schellevis committed
420 421 422 423 424 425 426
    if ($fd) {
        foreach($active as $voucher => $value)
            fwrite($fd, "$voucher,$value\n");
        fclose($fd);
    }
}

427 428 429
function voucher_read_used_db($roll)
{
	global $cpzone;
Ad Schellevis's avatar
Ad Schellevis committed
430

431 432 433 434
	$fn = "/var/db/voucher_{$cpzone}_used_{$roll}.db";
	$vdb = '';

        $fd = fopen($fn, 'r');
Ad Schellevis's avatar
Ad Schellevis committed
435
        if ($fd) {
436 437 438 439 440 441 442
		$vdb = trim(fgets($fd));
		fclose($fd);
	} else {
		voucher_log(LOG_ERR, sprintf(gettext('Can\'t read %s'), $fn));
	}

	return base64_decode($vdb);
Ad Schellevis's avatar
Ad Schellevis committed
443 444 445 446
}


/* we share the log with captiveportal for now */
447 448
function voucher_log($priority, $message)
{
Ad Schellevis's avatar
Ad Schellevis committed
449 450 451 452 453 454
    $message = trim($message);
    openlog("logportalauth", LOG_PID, LOG_LOCAL4);
    syslog($priority, sprintf(gettext("Voucher: %s"),$message));
    closelog();
}

455 456 457
/*
 * Save active and used voucher DB into XML config and write it to config
 * Called during reboot and every active voucher change
Ad Schellevis's avatar
Ad Schellevis committed
458
 */
459 460 461
function voucher_save_db_to_config()
{
	global $config, $cpzone;
Ad Schellevis's avatar
Ad Schellevis committed
462

463 464 465 466 467 468 469 470 471 472 473 474 475
	if (!isset($config['voucher'])) {
		return;
	}

	$needs_write = 0;

	foreach ($config['voucher'] as $voucherzone => $vcfg) {
		$cpzone = $voucherzone;
		$needs_write += voucher_save_db_to_config_zone();
	}

	if ($needs_write) {
		write_config("Backing up vouchers");
Ad Schellevis's avatar
Ad Schellevis committed
476 477 478
	}
}

479 480 481
function voucher_save_db_to_config_zone()
{
	global $config, $cpzone;
482

483 484 485 486
	if (!isset($config['voucher'][$cpzone]['enable'])) {
		// no vouchers or don't want to save DB's
		return 0;
	}
Ad Schellevis's avatar
Ad Schellevis committed
487

488 489 490
	if (!isset($config['voucher'][$cpzone]['roll'])) {
		return 0;
	}
Ad Schellevis's avatar
Ad Schellevis committed
491

492
	$voucherlck = lock("voucher{$cpzone}", LOCK_EX);
Ad Schellevis's avatar
Ad Schellevis committed
493

494 495 496 497 498 499 500 501 502
	// walk all active rolls and save runtime DBs
	$a_roll = &$config['voucher'][$cpzone]['roll'];
	while (list($key, $value) = each($a_roll)) {
		$rollent = &$a_roll[$key];
		$roll = $rollent['number'];
		$bitmask = voucher_read_used_db($roll);
		$rollent['used'] = base64_encode($bitmask);
		$active_vouchers = voucher_read_active_db($roll);
		$db = array();
Ad Schellevis's avatar
Ad Schellevis committed
503 504
		$dbi = 1;

505 506 507 508 509 510 511 512
		foreach($active_vouchers as $voucher => $line) {
			list($timestamp, $minutes) = explode(',', $line);
			$activent['voucher'] = $voucher;
			$activent['timestamp'] = $timestamp;
			$activent['minutes'] = $minutes;
			$db["v{$dbi}"] = $activent;
			$dbi++;
		}
Ad Schellevis's avatar
Ad Schellevis committed
513

514 515 516
		$rollent['active'] = $db;
		unset($active_vouchers);
	}
Ad Schellevis's avatar
Ad Schellevis committed
517

518 519 520 521
	unlock($voucherlck);

	return 1;
}