(proxy feature) add basic auth helper and acl tag

0949ac91 · Ad Schellevis · 10381025 · 0949ac91 · 0949ac91 · 0949ac91
Commit 0949ac91 authored May 08, 2015 by Ad Schellevis
3 changed files
--- a/src/etc/inc/squid.auth-user.php
+++ b/src/etc/inc/squid.auth-user.php
+#!/usr/local/bin/php
+<?php
+/**
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+require_once("auth.inc");
+
+openlog("squid", LOG_ODELAY, LOG_AUTH);
+
+$f = fopen("php://stdin", "r");
+while ($line = fgets($f)) {
+    $fields = explode(' ', trim($line));
+    $username = rawurldecode($fields[0]);
+    $password = rawurldecode($fields[1]);
+
+    if (authenticate_user($username, $password)) {
+        $user = getUserEntry($username);
+        if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
+            syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
+            fwrite(STDOUT, "OK\n");
+        } else {
+            syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
+            fwrite(STDOUT, "ERR\n");
+        }
+    } else {
+        syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
+        fwrite(STDOUT, "ERR\n");
+    }
+}
+
+closelog();
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL_Legacy_Page_Map.json
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL_Legacy_Page_Map.json
@@ -35,6 +35,10 @@
        "name": "User - VPN - PPTP Dialin",
        "descr": "Indicates whether the user is allowed to dial in via PPTP"
    },
+    "user-proxy-auth": {
+        "name": "User - Proxy - Login",
+        "descr": "Indicates whether the user is allowed to use the proxy"
+    },
    "page-getserviceproviders": {
        "name": "WebCfg - AJAX: Get Service Providers",
        "descr": "Allow access to the 'AJAX: Service Providers' page.",

--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -151,7 +151,7 @@ acl CONNECT method CONNECT
 # Authentication Settings
 {% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method=='local' %}
 # Configure Local User Authentication helper
-auth_param basic program /usr/local/etc/inc/squid_auth
+auth_param basic program /usr/local/etc/inc/squid.auth-user.php
 {% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
 auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
 {% endif %}