(proxy) hook in new auth factory

(cherry picked from commit 58ab1e61) (cherry picked from commit e34dd6a6)

(proxy) hook in new auth factory
(cherry picked from commit 58ab1e61) (cherry picked from commit e34dd6a6)
a612e155 · Ad Schellevis · Franco Fichtner · b3ef42e2 · a612e155 · a612e155
Commit a612e155 authored Dec 04, 2015 by Ad Schellevis Committed by Franco Fichtner Dec 09, 2015
4 changed files
--- a/src/etc/inc/squid.auth-user.php
+++ b/src/etc/inc/squid.auth-user.php
@@ -33,21 +33,48 @@ require_once("auth.inc");

 openlog("squid", LOG_ODELAY, LOG_AUTH);

+$authFactory = new \OPNsense\Auth\AuthenticationFactory();
+
 $f = fopen("php://stdin", "r");
 while ($line = fgets($f)) {
    $fields = explode(' ', trim($line));
    $username = rawurldecode($fields[0]);
    $password = rawurldecode($fields[1]);

-    if (authenticate_user($username, $password)) {
-        $user = getUserEntry($username);
-        if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
-            syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-            fwrite(STDOUT, "OK\n");
-        } else {
-            syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
-            fwrite(STDOUT, "ERR\n");
+    $isAuthenticated = false;
+    if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
+        foreach (explode(',',$config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
+            $authServer = $authFactory->get(trim($authServerName));
+            if ($authsrv == null) {
+                // authenticator not found, use local
+                $authServer = $authFactory->get('Local Database');
+            }
+            $isAuthenticated = $authServer->authenticate($username, $password);
+            if ($isAuthenticated) {
+                if (get_class($authServer) == "OPNsense\Auth\Local") {
+                    // todo: user priv check needs a reload of squid, maybe it's better to move the token check to
+                    //       the auth object.
+                    //
+                    // when using local authentication, check if user has role user-proxy-auth
+                    $user = getUserEntry($username);
+                    if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
+                        break;
+                    } else {
+                        // log user auth failure
+                        syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
+                        fwrite(STDOUT, "ERR\n");
+                        $isAuthenticated = false;
+                    }
+                } else {
+                    break;
+                }
+            }
        }
+    }
+
+    if ($isAuthenticated) {
+        syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
+        fwrite(STDOUT, "OK\n");
    } else {
        syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
        fwrite(STDOUT, "ERR\n");

--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -339,7 +339,8 @@
            <field>
                <id>proxy.forward.authentication.method</id>
                <label>Authentication method</label>
-                <type>dropdown</type>
+                <type>select_multiple</type>
+                <style>tokenize</style>
                <help><![CDATA[Select Authentication method]]></help>
            </field>
            <field>

--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -247,13 +247,10 @@
                </remoteACLs>
            </acl>
            <authentication>
-                <method type="OptionField">
-                    <default>none</default>
+                <method type="AuthenticationServerField">
                    <Required>N</Required>
-                    <OptionValues>
-                        <none>No Authentication</none>
-                        <local>Local User Authentication</local>
-                    </OptionValues>
+                    <multiple>Y</multiple>
+                    <default>Local Database</default>
                </method>
                <realm type="TextField">
                    <default>OPNsense proxy authentication</default>

--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -167,7 +167,7 @@ acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default(
 acl CONNECT method CONNECT

 # Authentication Settings
-{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method=='local' %}
+{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method != '' %}
 # Configure Local User Authentication helper
 auth_param basic program /usr/local/etc/inc/squid.auth-user.php
 {% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}