Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
O
OpnSense
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kulya
OpnSense
Commits
eb03dc1a
Commit
eb03dc1a
authored
Jul 08, 2015
by
Ad Schellevis
Committed by
Franco Fichtner
Jul 20, 2015
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
(legacy) cleanups related to auth.inc (remove unused, move single usage, isset issues)
parent
f97a2b0f
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
142 additions
and
152 deletions
+142
-152
auth.inc
src/etc/inc/auth.inc
+5
-152
authgui.inc
src/etc/inc/authgui.inc
+118
-0
xmlrpc.php
src/www/xmlrpc.php
+19
-0
No files found.
src/etc/inc/auth.inc
View file @
eb03dc1a
...
...
@@ -335,7 +335,7 @@ function local_sync_accounts()
if
(
$fd
)
{
while
(
!
feof
(
$fd
))
{
$line
=
explode
(
':'
,
fgets
(
$fd
));
if
(
((
!
strncmp
(
$line
[
0
],
'_'
,
1
))
||
(
$line
[
2
]
<
2000
)
||
(
$line
[
2
]
>
65000
))
)
{
if
(
count
(
$line
)
<
3
||
!
strncmp
(
$line
[
0
],
'_'
,
1
)
||
$line
[
2
]
<
2000
||
$line
[
2
]
>
65000
)
{
continue
;
}
/*
...
...
@@ -354,13 +354,7 @@ function local_sync_accounts()
if
(
$fd
)
{
while
(
!
feof
(
$fd
))
{
$line
=
explode
(
':'
,
fgets
(
$fd
));
if
(
!
strncmp
(
$line
[
0
],
'_'
,
1
))
{
continue
;
}
if
(
$line
[
2
]
<
2000
)
{
continue
;
}
if
(
$line
[
2
]
>
65000
)
{
if
(
count
(
$line
)
<
3
||
!
strncmp
(
$line
[
0
],
'_'
,
1
)
||
$line
[
2
]
<
2000
||
$line
[
2
]
>
65000
)
{
continue
;
}
mwexecf
(
'/usr/sbin/pw groupdel %s'
,
$line
[
2
]);
...
...
@@ -1186,17 +1180,10 @@ function radius_backed($username, $passwd, $authcfg, &$attributes = array())
return
$ret
;
}
function
get_user_expiration_date
(
$username
)
{
$user
=
getUserEntry
(
$username
);
if
(
isset
(
$user
[
'expires'
]))
{
return
$user
[
'expires'
];
}
}
function
is_account_expired
(
$username
)
{
$
expirydate
=
get_user_expiration_date
(
$username
);
if
(
$expirydate
)
{
if
(
strtotime
(
"-1 day"
)
>
strtotime
(
date
(
"m/d/Y"
,
strtotime
(
$
expirydate
))))
$
user
=
getUserEntry
(
$username
);
if
(
isset
(
$user
[
'expires'
])
&&
!
empty
(
$user
[
'expires'
])
)
{
if
(
strtotime
(
"-1 day"
)
>
strtotime
(
date
(
"m/d/Y"
,
strtotime
(
$
user
[
'expires'
]
))))
return
true
;
}
...
...
@@ -1296,138 +1283,4 @@ function authenticate_user($username, $password, $authcfg = NULL, &$attributes =
return
$authenticated
;
}
function
session_auth
()
{
global
$config
,
$_SESSION
;
// Handle HTTPS httponly and secure flags
$currentCookieParams
=
session_get_cookie_params
();
session_set_cookie_params
(
$currentCookieParams
[
"lifetime"
],
$currentCookieParams
[
"path"
],
NULL
,
(
$config
[
'system'
][
'webgui'
][
'protocol'
]
==
"https"
),
true
);
if
(
session_status
()
==
PHP_SESSION_NONE
)
{
session_start
();
}
// Detect protocol change
if
(
!
isset
(
$_POST
[
'login'
])
&&
!
empty
(
$_SESSION
[
'Logged_In'
])
&&
$_SESSION
[
'protocol'
]
!=
$config
[
'system'
][
'webgui'
][
'protocol'
])
return
false
;
/* Validate incoming login request */
if
(
isset
(
$_POST
[
'login'
])
&&
!
empty
(
$_POST
[
'usernamefld'
])
&&
!
empty
(
$_POST
[
'passwordfld'
]))
{
if
(
isset
(
$config
[
'system'
][
'webgui'
][
'authmode'
]))
{
$authcfg
=
auth_get_authserver
(
$config
[
'system'
][
'webgui'
][
'authmode'
]);
}
else
{
$authcfg
=
null
;
}
if
(
authenticate_user
(
$_POST
[
'usernamefld'
],
$_POST
[
'passwordfld'
],
$authcfg
)
||
authenticate_user
(
$_POST
[
'usernamefld'
],
$_POST
[
'passwordfld'
]))
{
// Generate a new id to avoid session fixation
session_regenerate_id
();
$_SESSION
[
'Logged_In'
]
=
"True"
;
$_SESSION
[
'Username'
]
=
$_POST
[
'usernamefld'
];
$_SESSION
[
'last_access'
]
=
time
();
$_SESSION
[
'protocol'
]
=
$config
[
'system'
][
'webgui'
][
'protocol'
];
if
(
!
isset
(
$config
[
'system'
][
'webgui'
][
'quietlogin'
]))
{
log_error
(
sprintf
(
gettext
(
"Successful login for user '%1
\$
s' from: %2
\$
s"
),
$_POST
[
'usernamefld'
],
$_SERVER
[
'REMOTE_ADDR'
]));
}
if
(
isset
(
$_POST
[
'postafterlogin'
]))
return
true
;
else
{
header
(
"Location:
{
$_SERVER
[
'REQUEST_URI'
]
}
"
);
}
exit
;
}
else
{
/* give the user an error message */
$_SESSION
[
'Login_Error'
]
=
_
(
'Wrong username or password.'
);
log_error
(
"webConfigurator authentication error for '
{
$_POST
[
'usernamefld'
]
}
' from
{
$_SERVER
[
'REMOTE_ADDR'
]
}
"
);
if
(
isAjax
())
{
echo
"showajaxmessage('
{
$_SESSION
[
'Login_Error'
]
}
');"
;
return
;
}
}
}
/* Show login page if they aren't logged in */
if
(
empty
(
$_SESSION
[
'Logged_In'
]))
return
false
;
/* If session timeout isn't set, we don't mark sessions stale */
if
(
!
isset
(
$config
[
'system'
][
'webgui'
][
'session_timeout'
]))
{
/* Default to 4 hour timeout if one is not set */
if
(
$_SESSION
[
'last_access'
]
<
(
time
()
-
14400
))
{
$_GET
[
'logout'
]
=
true
;
$_SESSION
[
'Logout'
]
=
true
;
}
else
$_SESSION
[
'last_access'
]
=
time
();
}
else
if
(
intval
(
$config
[
'system'
][
'webgui'
][
'session_timeout'
])
==
0
)
{
/* only update if it wasn't ajax */
if
(
!
isAjax
())
$_SESSION
[
'last_access'
]
=
time
();
}
else
{
/* Check for stale session */
if
(
$_SESSION
[
'last_access'
]
<
(
time
()
-
(
$config
[
'system'
][
'webgui'
][
'session_timeout'
]
*
60
)))
{
$_GET
[
'logout'
]
=
true
;
$_SESSION
[
'Logout'
]
=
true
;
}
else
{
/* only update if it wasn't ajax */
if
(
!
isAjax
())
$_SESSION
[
'last_access'
]
=
time
();
}
}
/* user hit the logout button */
if
(
isset
(
$_GET
[
'logout'
]))
{
if
(
$_SESSION
[
'Logout'
])
log_error
(
sprintf
(
gettext
(
"Session timed out for user '%1
\$
s' from: %2
\$
s"
),
$_SESSION
[
'Username'
],
$_SERVER
[
'REMOTE_ADDR'
]));
else
log_error
(
sprintf
(
gettext
(
"User logged out for user '%1
\$
s' from: %2
\$
s"
),
$_SESSION
[
'Username'
],
$_SERVER
[
'REMOTE_ADDR'
]));
/* wipe out $_SESSION */
$_SESSION
=
array
();
if
(
isset
(
$_COOKIE
[
session_name
()]))
setcookie
(
session_name
(),
''
,
time
()
-
42000
,
'/'
);
/* and destroy it */
session_destroy
();
$scriptName
=
explode
(
"/"
,
$_SERVER
[
"SCRIPT_FILENAME"
]);
$scriptElms
=
count
(
$scriptName
);
$scriptName
=
$scriptName
[
$scriptElms
-
1
];
if
(
isAjax
())
return
false
;
/* redirect to page the user is on, it'll prompt them to login again */
header
(
"Location:
{
$scriptName
}
"
);
return
false
;
}
return
true
;
}
/**
* do a basic authentication, uses $_SERVER['HTTP_AUTHORIZATION'] to validate user.
* @param $http_auth_header http_authorization header content
* @return bool
*/
function
http_basic_auth
(
$http_auth_header
)
{
$tags
=
explode
(
" "
,
$http_auth_header
)
;
if
(
count
(
$tags
)
>=
2
)
{
$userinfo
=
explode
(
":"
,
base64_decode
(
$tags
[
1
]))
;
if
(
count
(
$userinfo
)
>=
2
)
{
return
authenticate_user
(
$userinfo
[
0
],
$userinfo
[
1
]);
}
}
// not authenticated
return
false
;
}
src/etc/inc/authgui.inc
View file @
eb03dc1a
...
...
@@ -32,6 +32,124 @@
include_once
(
"auth.inc"
);
include_once
(
"priv.inc"
);
function
session_auth
()
{
global
$config
,
$_SESSION
;
// Handle HTTPS httponly and secure flags
$currentCookieParams
=
session_get_cookie_params
();
session_set_cookie_params
(
$currentCookieParams
[
"lifetime"
],
$currentCookieParams
[
"path"
],
NULL
,
(
$config
[
'system'
][
'webgui'
][
'protocol'
]
==
"https"
),
true
);
if
(
session_status
()
==
PHP_SESSION_NONE
)
{
session_start
();
}
// Detect protocol change
if
(
!
isset
(
$_POST
[
'login'
])
&&
!
empty
(
$_SESSION
[
'Logged_In'
])
&&
$_SESSION
[
'protocol'
]
!=
$config
[
'system'
][
'webgui'
][
'protocol'
])
return
false
;
/* Validate incoming login request */
if
(
isset
(
$_POST
[
'login'
])
&&
!
empty
(
$_POST
[
'usernamefld'
])
&&
!
empty
(
$_POST
[
'passwordfld'
]))
{
if
(
isset
(
$config
[
'system'
][
'webgui'
][
'authmode'
]))
{
$authcfg
=
auth_get_authserver
(
$config
[
'system'
][
'webgui'
][
'authmode'
]);
}
else
{
$authcfg
=
null
;
}
if
(
authenticate_user
(
$_POST
[
'usernamefld'
],
$_POST
[
'passwordfld'
],
$authcfg
)
||
authenticate_user
(
$_POST
[
'usernamefld'
],
$_POST
[
'passwordfld'
]))
{
// Generate a new id to avoid session fixation
session_regenerate_id
();
$_SESSION
[
'Logged_In'
]
=
"True"
;
$_SESSION
[
'Username'
]
=
$_POST
[
'usernamefld'
];
$_SESSION
[
'last_access'
]
=
time
();
$_SESSION
[
'protocol'
]
=
$config
[
'system'
][
'webgui'
][
'protocol'
];
if
(
!
isset
(
$config
[
'system'
][
'webgui'
][
'quietlogin'
]))
{
log_error
(
sprintf
(
gettext
(
"Successful login for user '%1
\$
s' from: %2
\$
s"
),
$_POST
[
'usernamefld'
],
$_SERVER
[
'REMOTE_ADDR'
]));
}
if
(
isset
(
$_POST
[
'postafterlogin'
]))
return
true
;
else
{
header
(
"Location:
{
$_SERVER
[
'REQUEST_URI'
]
}
"
);
}
exit
;
}
else
{
/* give the user an error message */
$_SESSION
[
'Login_Error'
]
=
_
(
'Wrong username or password.'
);
log_error
(
"webConfigurator authentication error for '
{
$_POST
[
'usernamefld'
]
}
' from
{
$_SERVER
[
'REMOTE_ADDR'
]
}
"
);
if
(
isAjax
())
{
echo
"showajaxmessage('
{
$_SESSION
[
'Login_Error'
]
}
');"
;
return
;
}
}
}
/* Show login page if they aren't logged in */
if
(
empty
(
$_SESSION
[
'Logged_In'
]))
return
false
;
/* If session timeout isn't set, we don't mark sessions stale */
if
(
!
isset
(
$config
[
'system'
][
'webgui'
][
'session_timeout'
]))
{
/* Default to 4 hour timeout if one is not set */
if
(
$_SESSION
[
'last_access'
]
<
(
time
()
-
14400
))
{
$_GET
[
'logout'
]
=
true
;
$_SESSION
[
'Logout'
]
=
true
;
}
else
$_SESSION
[
'last_access'
]
=
time
();
}
else
if
(
intval
(
$config
[
'system'
][
'webgui'
][
'session_timeout'
])
==
0
)
{
/* only update if it wasn't ajax */
if
(
!
isAjax
())
$_SESSION
[
'last_access'
]
=
time
();
}
else
{
/* Check for stale session */
if
(
$_SESSION
[
'last_access'
]
<
(
time
()
-
(
$config
[
'system'
][
'webgui'
][
'session_timeout'
]
*
60
)))
{
$_GET
[
'logout'
]
=
true
;
$_SESSION
[
'Logout'
]
=
true
;
}
else
{
/* only update if it wasn't ajax */
if
(
!
isAjax
())
$_SESSION
[
'last_access'
]
=
time
();
}
}
/* user hit the logout button */
if
(
isset
(
$_GET
[
'logout'
]))
{
if
(
$_SESSION
[
'Logout'
])
log_error
(
sprintf
(
gettext
(
"Session timed out for user '%1
\$
s' from: %2
\$
s"
),
$_SESSION
[
'Username'
],
$_SERVER
[
'REMOTE_ADDR'
]));
else
log_error
(
sprintf
(
gettext
(
"User logged out for user '%1
\$
s' from: %2
\$
s"
),
$_SESSION
[
'Username'
],
$_SERVER
[
'REMOTE_ADDR'
]));
/* wipe out $_SESSION */
$_SESSION
=
array
();
if
(
isset
(
$_COOKIE
[
session_name
()]))
setcookie
(
session_name
(),
''
,
time
()
-
42000
,
'/'
);
/* and destroy it */
session_destroy
();
$scriptName
=
explode
(
"/"
,
$_SERVER
[
"SCRIPT_FILENAME"
]);
$scriptElms
=
count
(
$scriptName
);
$scriptName
=
$scriptName
[
$scriptElms
-
1
];
if
(
isAjax
())
return
false
;
/* redirect to page the user is on, it'll prompt them to login again */
header
(
"Location:
{
$scriptName
}
"
);
return
false
;
}
return
true
;
}
/* Authenticate user - exit if failed */
if
(
!
session_auth
())
{
display_login_form
();
...
...
src/www/xmlrpc.php
View file @
eb03dc1a
...
...
@@ -29,6 +29,25 @@
require_once
(
"xmlrpc.inc"
);
require_once
(
"auth.inc"
);
/**
* do a basic authentication, uses $_SERVER['HTTP_AUTHORIZATION'] to validate user.
* @param $http_auth_header http_authorization header content
* @return bool
*/
function
http_basic_auth
(
$http_auth_header
)
{
$tags
=
explode
(
" "
,
$http_auth_header
)
;
if
(
count
(
$tags
)
>=
2
)
{
$userinfo
=
explode
(
":"
,
base64_decode
(
$tags
[
1
]))
;
if
(
count
(
$userinfo
)
>=
2
)
{
return
authenticate_user
(
$userinfo
[
0
],
$userinfo
[
1
]);
}
}
// not authenticated
return
false
;
}
/**
* Simple XML-RPC server using IXR_Library
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment