Commit a612e155 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(proxy) hook in new auth factory

(cherry picked from commit 58ab1e61)
(cherry picked from commit e34dd6a6)
parent b3ef42e2
...@@ -33,21 +33,48 @@ require_once("auth.inc"); ...@@ -33,21 +33,48 @@ require_once("auth.inc");
openlog("squid", LOG_ODELAY, LOG_AUTH); openlog("squid", LOG_ODELAY, LOG_AUTH);
$authFactory = new \OPNsense\Auth\AuthenticationFactory();
$f = fopen("php://stdin", "r"); $f = fopen("php://stdin", "r");
while ($line = fgets($f)) { while ($line = fgets($f)) {
$fields = explode(' ', trim($line)); $fields = explode(' ', trim($line));
$username = rawurldecode($fields[0]); $username = rawurldecode($fields[0]);
$password = rawurldecode($fields[1]); $password = rawurldecode($fields[1]);
if (authenticate_user($username, $password)) { $isAuthenticated = false;
if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
foreach (explode(',',$config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
$authServer = $authFactory->get(trim($authServerName));
if ($authsrv == null) {
// authenticator not found, use local
$authServer = $authFactory->get('Local Database');
}
$isAuthenticated = $authServer->authenticate($username, $password);
if ($isAuthenticated) {
if (get_class($authServer) == "OPNsense\Auth\Local") {
// todo: user priv check needs a reload of squid, maybe it's better to move the token check to
// the auth object.
//
// when using local authentication, check if user has role user-proxy-auth
$user = getUserEntry($username); $user = getUserEntry($username);
if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) { if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
syslog(LOG_NOTICE, "user '{$username}' authenticated\n"); break;
fwrite(STDOUT, "OK\n");
} else { } else {
// log user auth failure
syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role"); syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
fwrite(STDOUT, "ERR\n"); fwrite(STDOUT, "ERR\n");
$isAuthenticated = false;
}
} else {
break;
} }
}
}
}
if ($isAuthenticated) {
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
fwrite(STDOUT, "OK\n");
} else { } else {
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n"); syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
fwrite(STDOUT, "ERR\n"); fwrite(STDOUT, "ERR\n");
......
...@@ -339,7 +339,8 @@ ...@@ -339,7 +339,8 @@
<field> <field>
<id>proxy.forward.authentication.method</id> <id>proxy.forward.authentication.method</id>
<label>Authentication method</label> <label>Authentication method</label>
<type>dropdown</type> <type>select_multiple</type>
<style>tokenize</style>
<help><![CDATA[Select Authentication method]]></help> <help><![CDATA[Select Authentication method]]></help>
</field> </field>
<field> <field>
......
...@@ -247,13 +247,10 @@ ...@@ -247,13 +247,10 @@
</remoteACLs> </remoteACLs>
</acl> </acl>
<authentication> <authentication>
<method type="OptionField"> <method type="AuthenticationServerField">
<default>none</default>
<Required>N</Required> <Required>N</Required>
<OptionValues> <multiple>Y</multiple>
<none>No Authentication</none> <default>Local Database</default>
<local>Local User Authentication</local>
</OptionValues>
</method> </method>
<realm type="TextField"> <realm type="TextField">
<default>OPNsense proxy authentication</default> <default>OPNsense proxy authentication</default>
......
...@@ -167,7 +167,7 @@ acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default( ...@@ -167,7 +167,7 @@ acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default(
acl CONNECT method CONNECT acl CONNECT method CONNECT
# Authentication Settings # Authentication Settings
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method=='local' %} {% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
# Configure Local User Authentication helper # Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid.auth-user.php auth_param basic program /usr/local/etc/inc/squid.auth-user.php
{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %} {% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment