(proxy) auth, don't quit when squid sends an empty string

(cherry picked from commit 9fd6504d)

(proxy) auth, don't quit when squid sends an empty string
(cherry picked from commit 9fd6504d)
85664101 · Ad Schellevis · Franco Fichtner · 2b392a67 · 85664101
Commit 85664101 authored Apr 22, 2016 by Ad Schellevis Committed by Franco Fichtner Apr 27, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 38 additions and 35 deletions

squid.auth-user.php src/etc/inc/squid.auth-user.php +38 -35

No files found.
--- a/src/etc/inc/squid.auth-user.php
+++ b/src/etc/inc/squid.auth-user.php
@@ -36,48 +36,51 @@ openlog("squid", LOG_ODELAY, LOG_AUTH);
 $authFactory = new \OPNsense\Auth\AuthenticationFactory();

 $f = fopen("php://stdin", "r");
-while ($line = fgets($f)) {
-    $fields = explode(' ', trim($line));
-    $username = rawurldecode($fields[0]);
-    $password = rawurldecode($fields[1]);
+while (!(feof($f))) {
+    $line = fgets($f);
+    if ($line) {
+        $fields = explode(' ', trim($line));
+        $username = rawurldecode($fields[0]);
+        $password = rawurldecode($fields[1]);

-    $isAuthenticated = false;
-    if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
-        foreach (explode(',', $config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
-            $authServer = $authFactory->get(trim($authServerName));
-            if ($authServer == null) {
-                // authenticator not found, use local
-                $authServer = $authFactory->get('Local Database');
-            }
-            $isAuthenticated = $authServer->authenticate($username, $password);
-            if ($isAuthenticated) {
-                if (get_class($authServer) == "OPNsense\Auth\Local") {
-                    // todo: user priv check needs a reload of squid, maybe it's better to move the token check to
-                    //       the auth object.
-                    //
-                    // when using local authentication, check if user has role user-proxy-auth
-                    $user = getUserEntry($username);
-                    if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
-                        break;
+        $isAuthenticated = false;
+        if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
+            foreach (explode(',', $config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
+                $authServer = $authFactory->get(trim($authServerName));
+                if ($authServer == null) {
+                    // authenticator not found, use local
+                    $authServer = $authFactory->get('Local Database');
+                }
+                $isAuthenticated = $authServer->authenticate($username, $password);
+                if ($isAuthenticated) {
+                    if (get_class($authServer) == "OPNsense\Auth\Local") {
+                        // todo: user priv check needs a reload of squid, maybe it's better to move the token check to
+                        //       the auth object.
+                        //
+                        // when using local authentication, check if user has role user-proxy-auth
+                        $user = getUserEntry($username);
+                        if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
+                            break;
+                        } else {
+                            // log user auth failure
+                            syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
+                            fwrite(STDOUT, "ERR\n");
+                            $isAuthenticated = false;
+                        }
                    } else {
-                        // log user auth failure
-                        syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
-                        fwrite(STDOUT, "ERR\n");
-                        $isAuthenticated = false;
+                        break;
                    }
-                } else {
-                    break;
                }
            }
        }
-    }

-    if ($isAuthenticated) {
-        syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-        fwrite(STDOUT, "OK\n");
-    } else {
-        syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
-        fwrite(STDOUT, "ERR\n");
+        if ($isAuthenticated) {
+            syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
+            fwrite(STDOUT, "OK\n");
+        } else {
+            syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
+            fwrite(STDOUT, "ERR\n");
+        }
    }
 }