Skip to content

O
OpnSense
Commit 85664101 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner
Browse files
Options

(proxy) auth, don't quit when squid sends an empty string 

(cherry picked from commit 9fd6504d)
parent 2b392a67
Hide whitespace changes
Inline Side-by-side
Showing with 38 additions and 35 deletions
src/etc/inc/squid.auth-user.php
View file @ 85664101
...@@ -36,48 +36,51 @@ openlog("squid", LOG_ODELAY, LOG_AUTH); ...@@ -36,48 +36,51 @@ openlog("squid", LOG_ODELAY, LOG_AUTH);
$authFactory = new \OPNsense\Auth\AuthenticationFactory(); $authFactory = new \OPNsense\Auth\AuthenticationFactory();
$f = fopen("php://stdin", "r"); $f = fopen("php://stdin", "r");
while ($line = fgets($f)) { while (!(feof($f))) {
$fields = explode(' ', trim($line)); $line = fgets($f);
$username = rawurldecode($fields[0]); if ($line) {
$password = rawurldecode($fields[1]); $fields = explode(' ', trim($line));
$username = rawurldecode($fields[0]);
$password = rawurldecode($fields[1]);
$isAuthenticated = false; $isAuthenticated = false;
if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) { if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
foreach (explode(',', $config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) { foreach (explode(',', $config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
$authServer = $authFactory->get(trim($authServerName)); $authServer = $authFactory->get(trim($authServerName));
if ($authServer == null) { if ($authServer == null) {
// authenticator not found, use local // authenticator not found, use local
$authServer = $authFactory->get('Local Database'); $authServer = $authFactory->get('Local Database');
} }
$isAuthenticated = $authServer->authenticate($username, $password); $isAuthenticated = $authServer->authenticate($username, $password);
if ($isAuthenticated) { if ($isAuthenticated) {
if (get_class($authServer) == "OPNsense\Auth\Local") { if (get_class($authServer) == "OPNsense\Auth\Local") {
// todo: user priv check needs a reload of squid, maybe it's better to move the token check to // todo: user priv check needs a reload of squid, maybe it's better to move the token check to
// the auth object. // the auth object.
// //
// when using local authentication, check if user has role user-proxy-auth // when using local authentication, check if user has role user-proxy-auth
$user = getUserEntry($username); $user = getUserEntry($username);
if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) { if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
break; break;
} else {
// log user auth failure
syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
fwrite(STDOUT, "ERR\n");
$isAuthenticated = false;
}
} else { } else {
// log user auth failure break;
syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
fwrite(STDOUT, "ERR\n");
$isAuthenticated = false;
} }
} else {
break;
} }
} }
} }
}
if ($isAuthenticated) { if ($isAuthenticated) {
syslog(LOG_NOTICE, "user '{$username}' authenticated\n"); syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
fwrite(STDOUT, "OK\n"); fwrite(STDOUT, "OK\n");
} else { } else {
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n"); syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
fwrite(STDOUT, "ERR\n"); fwrite(STDOUT, "ERR\n");
}
} }
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023