From 4ffb3352ddad0b2fbfc155e37e62b4197ac15bd7 Mon Sep 17 00:00:00 2001 From: Jared Hendrickson Date: Fri, 4 Mar 2022 21:53:13 -0700 Subject: [PATCH] Added support for pfSense 2.6.0-RELEASE --- README.md | 1 + .../overrides/2.6.0-RELEASE/auth.inc | 2448 +++++++++++++++++ .../overrides/2.6.0-RELEASE/authgui.inc | 427 +++ .../overrides/2.6.0-RELEASE/priv.inc | 323 +++ .../saml2_auth/overrides/default/README.md | 2 +- .../inc/saml2_auth/overrides/default/auth.inc | 47 +- .../saml2_auth/overrides/default/authgui.inc | 4 +- .../inc/saml2_auth/overrides/default/priv.inc | 5 +- 8 files changed, 3235 insertions(+), 22 deletions(-) create mode 100644 pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/auth.inc create mode 100644 pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/authgui.inc create mode 100644 pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/priv.inc diff --git a/README.md b/README.md index 2cf5971..7907a9d 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,7 @@ Currently, the package fully supports the following pfSense versions including p
List of Supported pfSense Releases +- pfSense 2.6.0-RELEASE - pfSense 2.5.2-RELEASE - pfSense 2.5.1-RELEASE - pfSense 2.5.0-RELEASE diff --git a/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/auth.inc b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/auth.inc new file mode 100644 index 0000000..7bd163a --- /dev/null +++ b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/auth.inc @@ -0,0 +1,2448 @@ + + * Copyright (c) 2005-2006 Bill Marquette + * Copyright (c) 2006 Paul Taylor + * Copyright (c) 2004-2013 BSD Perimeter + * Copyright (c) 2013-2016 Electric Sheep Fencing + * Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate) + * All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php + * file courtesy of Michael Retterklieber. + */ +include_once('phpsessionmanager.inc'); +if (!$do_not_include_config_gui_inc) { + require_once("config.gui.inc"); +} + +// Will be changed to false if security checks fail +$security_passed = true; + +/* If this function doesn't exist, we're being called from Captive Portal or + another internal subsystem which does not include authgui.inc */ +if (function_exists("display_error_form")) { + /* Extra layer of lockout protection. Check if the user is in the GUI + * lockout table before processing a request */ + + /* Fetch the contents of the lockout table. */ + $entries = array(); + exec("/sbin/pfctl -t 'sshguard' -T show", $entries); + + /* If the client is in the lockout table, print an error, kill states, and exit */ + if (in_array($_SERVER['REMOTE_ADDR'], array_map('trim', $entries))) { + if (!security_checks_disabled()) { + /* They may never see the error since the connection will be cut off, but try to be nice anyhow. */ + display_error_form("501", gettext("Access Denied

Access attempt from a temporarily locked out client address.

Try accessing the firewall again after the lockout expires.")); + /* If they are locked out, they shouldn't have a state. Disconnect their connections. */ + $retval = pfSense_kill_states(utf8_encode($_SERVER['REMOTE_ADDR'])); + if (is_ipaddrv4($_SERVER['REMOTE_ADDR'])) { + $retval = pfSense_kill_states("0.0.0.0/0", utf8_encode($_SERVER['REMOTE_ADDR'])); + } elseif (is_ipaddrv6($_SERVER['REMOTE_ADDR'])) { + $retval = pfSense_kill_states("::", utf8_encode($_SERVER['REMOTE_ADDR'])); + } + exit; + } + $security_passed = false; + } +} + +if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) { + /* DNS ReBinding attack prevention. https://redmine.pfsense.org/issues/708 */ + $found_host = false; + + /* Either a IPv6 address with or without a alternate port */ + if (strstr($_SERVER['HTTP_HOST'], "]")) { + $http_host_port = explode("]", $_SERVER['HTTP_HOST']); + /* v6 address has more parts, drop the last part */ + if (count($http_host_port) > 1) { + array_pop($http_host_port); + $http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port)); + } else { + $http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port)); + } + } else { + $http_host = explode(":", $_SERVER['HTTP_HOST']); + $http_host = $http_host[0]; + } + if (is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or + strcasecmp($http_host, "localhost") == 0 or $_SERVER['SERVER_ADDR'] == "::1") { + $found_host = true; + } + if (strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or + strcasecmp($http_host, $config['system']['hostname']) == 0) { + $found_host = true; + } + + if (is_array($config['dyndnses']['dyndns']) && !$found_host) { + foreach ($config['dyndnses']['dyndns'] as $dyndns) { + if (strcasecmp($dyndns['host'], $http_host) == 0) { + $found_host = true; + break; + } + } + } + + if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) { + foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) { + if (strcasecmp($rfc2136['host'], $http_host) == 0) { + $found_host = true; + break; + } + } + } + + if (!empty($config['system']['webgui']['althostnames']) && !$found_host) { + $althosts = explode(" ", $config['system']['webgui']['althostnames']); + foreach ($althosts as $ah) { + if (strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) { + $found_host = true; + break; + } + } + } + + if ($found_host == false) { + if (!security_checks_disabled()) { + display_error_form("501", gettext("Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.")); + exit; + } + $security_passed = false; + } +} + +// If the HTTP_REFERER is something other than ourselves then disallow. +if (function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) { + if ($_SERVER['HTTP_REFERER']) { + if (file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) { + if ($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) { + unlink("{$g['tmp_path']}/setupwizard_lastreferrer"); + header("Refresh: 1; url=index.php"); + ?> + + + + + <?=gettext("Redirecting..."); ?> + + +
+
+
+

+
+
+
+ + + Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). If not needed, this check can be disabled in System > Advanced > Admin Access."); + exit; + } + $security_passed = false; + } + } else { + $security_passed = false; + } +} + +if (function_exists("display_error_form") && $security_passed) { + /* Security checks passed, so it should be OK to turn them back on */ + restore_security_checks(); +} +unset($security_passed); + +$groupindex = index_groups(); +$userindex = index_users(); + +function index_groups() { + global $g, $debug, $config, $groupindex; + + $groupindex = array(); + + if (is_array($config['system']['group'])) { + $i = 0; + foreach ($config['system']['group'] as $groupent) { + $groupindex[$groupent['name']] = $i; + $i++; + } + } + + return ($groupindex); +} + +function index_users() { + global $g, $debug, $config; + + if (is_array($config['system']['user'])) { + $i = 0; + foreach ($config['system']['user'] as $userent) { + $userindex[$userent['name']] = $i; + $i++; + } + } + + return ($userindex); +} + +function & getUserEntry($name) { + global $debug, $config, $userindex; + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + + if (isset($userindex[$name])) { + return $config['system']['user'][$userindex[$name]]; + } elseif ($authcfg['type'] != "Local Database") { + $user = array(); + $user['name'] = $name; + return $user; + } +} + +function & getUserEntryByUID($uid) { + global $debug, $config; + + if (is_array($config['system']['user'])) { + foreach ($config['system']['user'] as & $user) { + if ($user['uid'] == $uid) { + return $user; + } + } + } + + return false; +} + +function & getGroupEntry($name) { + global $debug, $config, $groupindex; + if (isset($groupindex[$name])) { + return $config['system']['group'][$groupindex[$name]]; + } +} + +function & getGroupEntryByGID($gid) { + global $debug, $config; + + if (is_array($config['system']['group'])) { + foreach ($config['system']['group'] as & $group) { + if ($group['gid'] == $gid) { + return $group; + } + } + } + + return false; +} + +function get_user_privileges(& $user) { + global $config, $_SESSION; + + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + $allowed_groups = array(); + + $privs = $user['priv']; + if (!is_array($privs)) { + $privs = array(); + } + + // cache auth results for a short time to ease load on auth services & logs + if (isset($config['system']['webgui']['auth_refresh_time'])) { + $recheck_time = $config['system']['webgui']['auth_refresh_time']; + } else { + $recheck_time = 30; + } + + if ($authcfg['type'] == "ldap") { + if (isset($_SESSION["ldap_allowed_groups"]) && + (time() <= $_SESSION["auth_check_time"] + $recheck_time)) { + $allowed_groups = $_SESSION["ldap_allowed_groups"]; + } else { + $allowed_groups = @ldap_get_groups($user['name'], $authcfg); + $_SESSION["ldap_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } + } elseif ($authcfg['type'] == "radius") { + if (isset($_SESSION["radius_allowed_groups"]) && + (time() <= $_SESSION["auth_check_time"] + $recheck_time)) { + $allowed_groups = $_SESSION["radius_allowed_groups"]; + } else { + $allowed_groups = @radius_get_groups($_SESSION['user_radius_attributes']); + $_SESSION["radius_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } + } + + if (empty($allowed_groups)) { + $allowed_groups = local_user_get_groups($user, true); + } + + if (!is_array($allowed_groups)) { + $allowed_groups = array('all'); + } else { + $allowed_groups[] = 'all'; + } + + foreach ($allowed_groups as $name) { + $group = getGroupEntry($name); + if (is_array($group['priv'])) { + $privs = array_merge($privs, $group['priv']); + } + } + + return $privs; +} + +function userHasPrivilege($userent, $privid = false) { + global $config; + + if (!$privid || !is_array($userent)) { + return false; + } + + $privs = get_user_privileges($userent); + + if (!is_array($privs)) { + return false; + } + + if (!in_array($privid, $privs)) { + return false; + } + + /* If someone is in admins group or is admin, do not honor the + * user-config-readonly privilege to prevent foot-shooting due to a + * bad privilege config. + * https://redmine.pfsense.org/issues/10492 */ + $userGroups = getUserGroups($userent['name'], + auth_get_authserver($config['system']['webgui']['authmode']), + $_SESSION['user_radius_attributes']); + if (($privid == 'user-config-readonly') && + (($userent['uid'] === "0") || (in_array('admins', $userGroups)))) { + return false; + } + + return true; +} + +function local_backed($username, $passwd) { + + $user = getUserEntry($username); + if (!$user) { + return false; + } + + if (is_account_disabled($username) || is_account_expired($username)) { + return false; + } + + if ($user['sha512-hash']) { + if (hash_equals($user['sha512-hash'], crypt($passwd, $user['sha512-hash']))) { + return true; + } + } + + //for backwards compatibility + if ($user['bcrypt-hash']) { + if (password_verify($passwd, $user['bcrypt-hash'])) { + return true; + } + } + + // pfSense < 2.3 password hashing, see https://redmine.pfsense.org/issues/4120 + if ($user['password']) { + if (hash_equals($user['password'], crypt($passwd, $user['password']))) { + return true; + } + } + + if ($user['md5-hash']) { + if (hash_equals($user['md5-hash'], md5($passwd))) { + return true; + } + } + + return false; +} + +function local_sync_accounts($u2add, $u2del, $g2add, $g2del) { + global $config, $debug; + + if (empty($u2add) && empty($u2del) && empty($g2add) && empty($g2del)) { + /* Nothing to be done here */ + return; + } + + foreach($u2del as $user) { + if ($user['uid'] > 65000) { + continue; + } else if ($user['uid'] < 2000 && !in_array($user, $u2add)) { + continue; + } + + /* + * If a crontab was created to user, pw userdel will be + * interactive and can cause issues. Just remove crontab + * before run it when necessary + */ + unlink_if_exists("/var/cron/tabs/{$user['name']}"); + $cmd = "/usr/sbin/pw userdel -n " . + escapeshellarg($user['name']); + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + local_group_del_user($user); + + $system_user = $config['system']['user']; + for ($i = 0; $i < count($system_user); $i++) { + if ($system_user[$i]['name'] == $user['name']) { + log_error("Removing user: {$user['name']}"); + unset($config['system']['user'][$i]); + break; + } + } + } + + foreach($g2del as $group) { + if ($group['gid'] < 1999 || $group['gid'] > 65000) { + continue; + } + + $cmd = "/usr/sbin/pw groupdel -g " . + escapeshellarg($group['name']); + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + + $system_group = $config['system']['group']; + for ($i = 0; $i < count($system_group); $i++) { + if ($system_group[$i]['name'] == $group['name']) { + log_error("Removing group: {$group['name']}"); + unset($config['system']['group'][$i]); + break; + } + } + } + + foreach ($u2add as $user) { + log_error("Adding user: {$user['name']}"); + $config['system']['user'][] = $user; + } + + foreach ($g2add as $group) { + log_error("Adding group: {$group['name']}"); + $config['system']['group'][] = $group; + } + + /* Sort it alphabetically */ + usort($config['system']['user'], function($a, $b) { + return strcmp($a['name'], $b['name']); + }); + usort($config['system']['group'], function($a, $b) { + return strcmp($a['name'], $b['name']); + }); + + write_config("Sync'd users and groups via XMLRPC"); + + /* make sure the all group exists */ + $allgrp = getGroupEntryByGID(1998); + local_group_set($allgrp, true); + + foreach ($u2add as $user) { + local_user_set($user); + } + + foreach ($g2add as $group) { + local_group_set($group); + } +} + +function local_reset_accounts() { + global $debug, $config; + + /* remove local users to avoid uid conflicts */ + $fd = popen("/usr/sbin/pw usershow -a", "r"); + if ($fd) { + while (!feof($fd)) { + $line = explode(":", fgets($fd)); + if ($line[0] != "admin") { + if (!strncmp($line[0], "_", 1)) { + continue; + } + if ($line[2] < 2000) { + continue; + } + if ($line[2] > 65000) { + continue; + } + } + /* + * If a crontab was created to user, pw userdel will be interactive and + * can cause issues. Just remove crontab before run it when necessary + */ + unlink_if_exists("/var/cron/tabs/{$line[0]}"); + $cmd = "/usr/sbin/pw userdel -n " . escapeshellarg($line[0]); + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + } + pclose($fd); + } + + /* remove local groups to avoid gid conflicts */ + $gids = array(); + $fd = popen("/usr/sbin/pw groupshow -a", "r"); + if ($fd) { + while (!feof($fd)) { + $line = explode(":", fgets($fd)); + if (!strncmp($line[0], "_", 1)) { + continue; + } + if ($line[2] < 2000) { + continue; + } + if ($line[2] > 65000) { + continue; + } + $cmd = "/usr/sbin/pw groupdel -g " . escapeshellarg($line[2]); + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + } + pclose($fd); + } + + /* make sure the all group exists */ + $allgrp = getGroupEntryByGID(1998); + local_group_set($allgrp, true); + + /* sync all local users */ + if (is_array($config['system']['user'])) { + foreach ($config['system']['user'] as $user) { + local_user_set($user); + } + } + + /* sync all local groups */ + if (is_array($config['system']['group'])) { + foreach ($config['system']['group'] as $group) { + local_group_set($group); + } + } +} + +function local_user_set(& $user) { + global $g, $debug; + + if (empty($user['sha512-hash']) && empty($user['bcrypt-hash']) && empty($user['password'])) { + log_error("There is something wrong in the config because user {$user['name']} password is missing!"); + return; + } + + + $home_base = "/home/"; + $user_uid = $user['uid']; + $user_name = $user['name']; + $user_home = "{$home_base}{$user_name}"; + $user_shell = "/etc/rc.initial"; + $user_group = "nobody"; + + // Ensure $home_base exists and is writable + if (!is_dir($home_base)) { + mkdir($home_base, 0755); + } + + $lock_account = false; + /* configure shell type */ + /* Cases here should be ordered by most privileged to least privileged. */ + if (userHasPrivilege($user, "user-shell-access") || userHasPrivilege($user, "page-all")) { + $user_shell = "/bin/tcsh"; + } elseif (userHasPrivilege($user, "user-copy-files-chroot")) { + $user_shell = "/usr/local/sbin/scponlyc"; + } elseif (userHasPrivilege($user, "user-copy-files")) { + $user_shell = "/usr/local/bin/scponly"; + } elseif (userHasPrivilege($user, "user-ssh-tunnel")) { + $user_shell = "/usr/local/sbin/ssh_tunnel_shell"; + } elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) { + $user_shell = "/sbin/nologin"; + } else { + $user_shell = "/sbin/nologin"; + $lock_account = true; + } + + /* Lock out disabled or expired users, unless it's root/admin. */ + if ((is_account_disabled($user_name) || is_account_expired($user_name)) && ($user_uid != 0)) { + $user_shell = "/sbin/nologin"; + $lock_account = true; + } + + /* root user special handling */ + if ($user_uid == 0) { + $cmd = "/usr/sbin/pw usermod -q -n root -s /bin/sh -H 0"; + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + $fd = popen($cmd, "w"); + if (isset($user['sha512-hash'])) { + fwrite($fd, $user['sha512-hash']); + } elseif (isset($user['bcrypt-hash'])) { + fwrite($fd, $user['bcrypt-hash']); + } else { + fwrite($fd, $user['password']); + } + pclose($fd); + $user_group = "wheel"; + $user_home = "/root"; + $user_shell = "/etc/rc.initial"; + } + + /* read from pw db */ + $fd = popen("/usr/sbin/pw usershow -n {$user_name} 2>&1", "r"); + $pwread = fgets($fd); + pclose($fd); + $userattrs = explode(":", trim($pwread)); + + $skel_dir = '/etc/skel'; + + /* determine add or mod */ + if (($userattrs[0] != $user['name']) || (!strncmp($pwread, "pw:", 3))) { + $user_op = "useradd -m -k " . escapeshellarg($skel_dir) . " -o"; + } else { + $user_op = "usermod"; + } + + $comment = str_replace(array(":", "!", "@"), " ", $user['descr']); + /* add or mod pw db */ + $cmd = "/usr/sbin/pw {$user_op} -q " . + " -u " . escapeshellarg($user_uid) . + " -n " . escapeshellarg($user_name) . + " -g " . escapeshellarg($user_group) . + " -s " . escapeshellarg($user_shell) . + " -d " . escapeshellarg($user_home) . + " -c " . escapeshellarg($comment) . + " -H 0 2>&1"; + + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + $fd = popen($cmd, "w"); + if (isset($user['sha512-hash'])) { + fwrite($fd, $user['sha512-hash']); + } elseif (isset($user['bcrypt-hash'])) { + fwrite($fd, $user['bcrypt-hash']); + } else { + fwrite($fd, $user['password']); + } + pclose($fd); + + /* create user directory if required */ + if (!is_dir($user_home)) { + mkdir($user_home, 0700); + } + @chown($user_home, $user_name); + @chgrp($user_home, $user_group); + + /* Make sure all users have last version of config files */ + foreach (glob("{$skel_dir}/dot.*") as $dot_file) { + $target = $user_home . '/' . substr(basename($dot_file), 3); + @copy($dot_file, $target); + @chown($target, $user_name); + @chgrp($target, $user_group); + } + + /* write out ssh authorized key file */ + if ($user['authorizedkeys']) { + if (!is_dir("{$user_home}/.ssh")) { + @mkdir("{$user_home}/.ssh", 0700); + @chown("{$user_home}/.ssh", $user_name); + } + $keys = base64_decode($user['authorizedkeys']); + @file_put_contents("{$user_home}/.ssh/authorized_keys", $keys); + @chown("{$user_home}/.ssh/authorized_keys", $user_name); + } else { + unlink_if_exists("{$user_home}/.ssh/authorized_keys"); + } + + $un = $lock_account ? "" : "un"; + exec("/usr/sbin/pw {$un}lock " . escapeshellarg($user_name) . " -q 2>/dev/null"); + +} + +function local_user_del($user) { + global $debug; + + /* remove all memberships */ + local_user_set_groups($user); + + /* Don't remove /root */ + if ($user['uid'] != 0) { + $rmhome = "-r"; + } + + /* read from pw db */ + $fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r"); + $pwread = fgets($fd); + pclose($fd); + $userattrs = explode(":", trim($pwread)); + + if ($userattrs[0] != $user['name']) { + log_error("Tried to remove user {$user['name']} but got user {$userattrs[0]} instead. Bailing."); + return; + } + + /* delete from pw db */ + $cmd = "/usr/sbin/pw userdel -n " . escapeshellarg($user['name']) . " " . escapeshellarg($rmhome); + + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); + + /* Delete user from groups needs a call to write_config() */ + local_group_del_user($user); +} + +function local_user_set_password(&$user, $password) { + global $config; + + unset($user['password']); + unset($user['md5-hash']); + unset($user['bcrypt-hash']); + $salt = substr(bin2hex(openssl_random_pseudo_bytes(16)),0,16); + $user['sha512-hash'] = crypt($password, '$6$'. $salt . '$'); + if (($user['name'] == $config['hasync']['username']) && + ($config['hasync']['adminsync'] == 'on')) { + $config['hasync']['new_password'] = $password; + } +} + +function local_user_get_groups($user, $all = false) { + global $debug, $config; + + $groups = array(); + if (!is_array($config['system']['group'])) { + return $groups; + } + + foreach ($config['system']['group'] as $group) { + if ($all || (!$all && ($group['name'] != "all"))) { + if (is_array($group['member'])) { + if (in_array($user['uid'], $group['member'])) { + $groups[] = $group['name']; + } + } + } + } + + if ($all) { + $groups[] = "all"; + } + + sort($groups); + + return $groups; + +} + +function local_user_set_groups($user, $new_groups = NULL) { + global $debug, $config, $groupindex, $userindex; + + if (!is_array($config['system']['group'])) { + return; + } + + $cur_groups = local_user_get_groups($user, true); + $mod_groups = array(); + + if (!is_array($new_groups)) { + $new_groups = array(); + } + + if (!is_array($cur_groups)) { + $cur_groups = array(); + } + + /* determine which memberships to add */ + foreach ($new_groups as $groupname) { + if ($groupname == '' || in_array($groupname, $cur_groups)) { + continue; + } + $group = &$config['system']['group'][$groupindex[$groupname]]; + $group['member'][] = $user['uid']; + $mod_groups[] = $group; + + /* + * If it's a new user, make sure it is added before try to + * add it as a member of a group + */ + if (!isset($userindex[$user['uid']])) { + local_user_set($user); + } + } + unset($group); + + /* determine which memberships to remove */ + foreach ($cur_groups as $groupname) { + if (in_array($groupname, $new_groups)) { + continue; + } + if (!isset($config['system']['group'][$groupindex[$groupname]])) { + continue; + } + $group = &$config['system']['group'][$groupindex[$groupname]]; + if (is_array($group['member'])) { + $index = array_search($user['uid'], $group['member']); + array_splice($group['member'], $index, 1); + $mod_groups[] = $group; + } + } + unset($group); + + /* sync all modified groups */ + foreach ($mod_groups as $group) { + local_group_set($group); + } +} + +function local_group_del_user($user) { + global $config; + + if (!is_array($config['system']['group'])) { + return; + } + + foreach ($config['system']['group'] as $group) { + if (is_array($group['member'])) { + foreach ($group['member'] as $idx => $uid) { + if ($user['uid'] == $uid) { + unset($config['system']['group']['member'][$idx]); + } + } + } + } +} + +function local_group_set($group, $reset = false) { + global $debug; + + $group_name = $group['name']; + $group_gid = $group['gid']; + $group_members = ''; + + if (!$reset && !empty($group['member']) && count($group['member']) > 0) { + $group_members = implode(",", $group['member']); + } + + if (empty($group_name)) { + return; + } + + // If the group is now remote, make sure there is no local group with the same name + if ($group['scope'] == "remote") { + local_group_del($group); + return; + } + + /* determine add or mod */ + if (mwexec("/usr/sbin/pw groupshow -g " . escapeshellarg($group_gid) . " 2>&1", true) == 0) { + $group_op = "groupmod -l"; + } else { + $group_op = "groupadd -n"; + } + + /* add or mod group db */ + $cmd = "/usr/sbin/pw {$group_op} " . + escapeshellarg($group_name) . + " -g " . escapeshellarg($group_gid) . + " -M " . escapeshellarg($group_members) . " 2>&1"; + + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + + mwexec($cmd); +} + +function local_group_del($group) { + global $debug; + + /* delete from group db */ + $cmd = "/usr/sbin/pw groupdel " . escapeshellarg($group['name']); + + if ($debug) { + log_error(sprintf(gettext("Running: %s"), $cmd)); + } + mwexec($cmd); +} + +function ldap_test_connection($authcfg) { + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "SSL")) { + $ldapproto = "ldaps"; + } else { + $ldapproto = "ldap"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + } else { + return false; + } + + /* first check if there is even an LDAP server populated */ + if (!$ldapserver) { + return false; + } + + /* connect and see if server is up */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $authcfg['name'])); + return false; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($ldap, $authcfg); + + return true; +} + +function ldap_setup_caenv($ldap, $authcfg) { + global $g; + require_once("certs.inc"); + + unset($caref); + if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) { + ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER); + return; + } elseif ($authcfg['ldap_caref'] == "global") { + ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "/etc/ssl/"); + ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem"); + ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD); + } else { + $caref = lookup_ca($authcfg['ldap_caref']); + $cert_details = openssl_x509_parse(base64_decode($caref['crt'])); + $param = array('caref' => $authcfg['ldap_caref']); + $cachain = ca_chain($param); + if (!$caref) { + log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref'])); + /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */ + ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD); + return; + } + + $cert_path = "{$g['varrun_path']}/certs"; + $cert_filename = "{$cert_path}/{$cert_details['hash']}.0"; + safe_mkdir($cert_path); + unlink_if_exists($cert_filename); + file_put_contents($cert_filename, $cachain); + @chmod($cert_filename, 0600); + + ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD); + ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, $cert_path); + ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, $cert_filename); + } +} + +function ldap_test_bind($authcfg) { + global $debug, $config, $g; + + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "SSL")) { + $ldapproto = "ldaps"; + } else { + $ldapproto = "ldap"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + $ldapver = $authcfg['ldap_protver']; + $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; + if (empty($ldapbindun) || empty($ldapbindpw)) { + $ldapanon = true; + } else { + $ldapanon = false; + } + } else { + return false; + } + + /* first check if there is even an LDAP server populated */ + if (!$ldapserver) { + return false; + } + + /* connect and see if server is up */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname)); + return false; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($ldap, $authcfg); + + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout); + ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout); + + if (strstr($authcfg['ldap_urltype'], "STARTTLS")) { + if (!(@ldap_start_tls($ldap))) { + log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname)); + @ldap_close($ldap); + return false; + } + } + + $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; + $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; + if ($ldapanon == true) { + if (!($res = @ldap_bind($ldap))) { + @ldap_close($ldap); + return false; + } + } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { + @ldap_close($ldap); + return false; + } + + @ldap_unbind($ldap); + + return true; +} + +function ldap_get_user_ous($show_complete_ou=true, $authcfg) { + global $debug, $config, $g; + + if (!function_exists("ldap_connect")) { + return; + } + + $ous = array(); + + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "SSL")) { + $ldapproto = "ldaps"; + } else { + $ldapproto = "ldap"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + $ldapver = $authcfg['ldap_protver']; + if (empty($ldapbindun) || empty($ldapbindpw)) { + $ldapanon = true; + } else { + $ldapanon = false; + } + $ldapname = $authcfg['name']; + $ldapfallback = false; + $ldapscope = $authcfg['ldap_scope']; + $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; + } else { + return false; + } + + /* first check if there is even an LDAP server populated */ + if (!$ldapserver) { + log_error(gettext("ERROR! ldap_get_user_ous() backed selected with no LDAP authentication server defined.")); + return $ous; + } + + /* connect and see if server is up */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname)); + return $ous; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($ldap, $authcfg); + + $ldapfilter = "(|(ou=*)(cn=Users))"; + + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout); + ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout); + + if (strstr($authcfg['ldap_urltype'], "STARTTLS")) { + if (!(@ldap_start_tls($ldap))) { + log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s."), $ldapname)); + @ldap_close($ldap); + return false; + } + } + + $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; + $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; + if ($ldapanon == true) { + if (!($res = @ldap_bind($ldap))) { + log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind anonymously to server %s."), $ldapname)); + @ldap_close($ldap); + return $ous; + } + } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { + log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind to server %s."), $ldapname)); + @ldap_close($ldap); + return $ous; + } + + if ($ldapscope == "one") { + $ldapfunc = "ldap_list"; + } else { + $ldapfunc = "ldap_search"; + } + + $search = @$ldapfunc($ldap, $ldapbasedn, $ldapfilter); + $info = @ldap_get_entries($ldap, $search); + + if (is_array($info)) { + foreach ($info as $inf) { + if (!$show_complete_ou) { + $inf_split = explode(",", $inf['dn']); + $ou = $inf_split[0]; + $ou = str_replace("OU=", "", $ou); + $ou = str_replace("CN=", "", $ou); + } else { + if ($inf['dn']) { + $ou = $inf['dn']; + } + } + if ($ou) { + $ous[] = $ou; + } + } + } + + @ldap_unbind($ldap); + + return $ous; +} + +function ldap_get_groups($username, $authcfg) { + global $debug, $config; + + if (!function_exists("ldap_connect")) { + return array(); + } + + if (!$username) { + return array(); + } + + if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) { + $username_split = explode("@", $username); + $username = $username_split[0]; + } + + if (stristr($username, "\\")) { + $username_split = explode("\\", $username); + $username = $username_split[0]; + } + + //log_error("Getting LDAP groups for {$username}."); + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "SSL")) { + $ldapproto = "ldaps"; + } else { + $ldapproto = "ldap"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + $ldapauthcont = $authcfg['ldap_authcn']; + $ldapnameattribute = strtolower($authcfg['ldap_attr_user']); + $ldapgroupattribute = strtolower($authcfg['ldap_attr_member']); + $ldaptype = ""; + $ldapver = $authcfg['ldap_protver']; + if (empty($ldapbindun) || empty($ldapbindpw)) { + $ldapanon = true; + } else { + $ldapanon = false; + } + $ldapname = $authcfg['name']; + $ldapfallback = false; + $ldapscope = $authcfg['ldap_scope']; + $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; + } else { + return array(); + } + + if (isset($authcfg['ldap_rfc2307'])) { + $ldapdn = $ldapbasedn; + } else { + $ldapdn = $_SESSION['ldapdn']; + } + + /*Convert attribute to lowercase. php ldap arrays put everything in lowercase */ + $ldapgroupattribute = strtolower($ldapgroupattribute); + $memberof = array(); + + /* connect and see if server is up */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + if ($error == true) { + log_error(sprintf(gettext("ERROR! ldap_get_groups() Could not connect to server %s."), $ldapname)); + return $memberof; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($ldap, $authcfg); + + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout); + ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout); + + if (strstr($authcfg['ldap_urltype'], "STARTTLS")) { + if (!(@ldap_start_tls($ldap))) { + log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname)); + @ldap_close($ldap); + return array(); + } + } + + /* bind as user that has rights to read group attributes */ + $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; + $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; + if ($ldapanon == true) { + if (!($res = @ldap_bind($ldap))) { + log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname)); + @ldap_close($ldap); + return array(); + } + } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { + log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind to server %s."), $ldapname)); + @ldap_close($ldap); + return $memberof; + } + + /* get groups from DN found */ + /* use ldap_read instead of search so we don't have to do a bunch of extra work */ + /* since we know the DN is in $_SESSION['ldapdn'] */ + //$search = ldap_read($ldap, $ldapdn, "(objectclass=*)", array($ldapgroupattribute)); + if ($ldapscope == "one") { + $ldapfunc = "ldap_list"; + } else { + $ldapfunc = "ldap_search"; + } + + if (isset($authcfg['ldap_rfc2307'])) { + if (isset($authcfg['ldap_rfc2307_userdn'])) { + $ldac_splits = explode(";", $ldapauthcont); + foreach ($ldac_splits as $i => $ldac_split) { + $ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split; + $ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}"; + $ldapfilter = "({$ldapnameattribute}={$username})"; + if (stristr($ldac_split, "DC=") || empty($ldapbasedn)) { + $ldapdn = $ldac_split; + } else { + $ldapdn = $ldapsearchbasedn; + } + $usersearch = @$ldapfunc($ldap, $ldapdn, $ldapfilter); + $userinfo = @ldap_get_entries($ldap, $usersearch); + } + $username = $userinfo[0]['dn']; + } + $ldapfilter = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}={$username}))"; + } else { + $ldapfilter = "({$ldapnameattribute}={$username})"; + } + + $search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute)); + $info = @ldap_get_entries($ldap, $search); + + $gresults = isset($authcfg['ldap_rfc2307']) ? $info : $info[0][$ldapgroupattribute]; + + if (is_array($gresults)) { + /* Iterate through the groups and throw them into an array */ + foreach ($gresults as $grp) { + if (((isset($authcfg['ldap_rfc2307'])) && (stristr($grp["dn"], "CN=") !== false)) || + ((!isset($authcfg['ldap_rfc2307'])) && (stristr($grp, "CN=") !== false))) { + $grpsplit = isset($authcfg['ldap_rfc2307']) ? explode(",", $grp["dn"]) : explode(",", $grp); + $memberof[] = preg_replace("/CN=/i", "", $grpsplit[0]); + } + } + } + + /* Time to close LDAP connection */ + @ldap_unbind($ldap); + + $groups = print_r($memberof, true); + + //log_error("Returning groups ".$groups." for user $username"); + + return $memberof; +} + +function ldap_format_host($host) { + return is_ipaddrv6($host) ? "[$host]" : $host ; +} + +function ldap_backed($username, $passwd, $authcfg, &$attributes = array()) { + global $debug, $config; + + if (!$username) { + $attributes['error_message'] = gettext("Invalid Login."); + return false; + } + + if (!isset($authcfg['ldap_allow_unauthenticated']) && $passwd == '') { + $attributes['error_message'] = gettext("Invalid credentials."); + return false; + } + + if (!function_exists("ldap_connect")) { + log_error(gettext("ERROR! unable to find ldap_connect() function.")); + $attributes['error_message'] = gettext("Internal error during authentication."); + return null; + } + + if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) { + $username_split = explode("@", $username); + $username = $username_split[0]; + } + if (stristr($username, "\\")) { + $username_split = explode("\\", $username); + $username = $username_split[0]; + } + + $username = ldap_escape($username, null, LDAP_ESCAPE_FILTER); + + if ($authcfg) { + if (strstr($authcfg['ldap_urltype'], "SSL")) { + $ldapproto = "ldaps"; + } else { + $ldapproto = "ldap"; + } + $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']); + $ldapport = $authcfg['ldap_port']; + if (!empty($ldapport)) { + $ldapserver .= ":{$ldapport}"; + } + $ldapbasedn = $authcfg['ldap_basedn']; + $ldapbindun = $authcfg['ldap_binddn']; + $ldapbindpw = $authcfg['ldap_bindpw']; + if (empty($ldapbindun) || empty($ldapbindpw)) { + $ldapanon = true; + } else { + $ldapanon = false; + } + $ldapauthcont = $authcfg['ldap_authcn']; + $ldapnameattribute = strtolower($authcfg['ldap_attr_user']); + $ldapgroupattribute = $authcfg['ldap_attr_member']; + $ldapextendedqueryenabled = $authcfg['ldap_extended_enabled']; + $ldapextendedquery = $authcfg['ldap_extended_query']; + $ldapfilter = ""; + if (!$ldapextendedqueryenabled) { + $ldapfilter = "({$ldapnameattribute}={$username})"; + } else { + if (isset($authcfg['ldap_rfc2307'])) { + $ldapfilter = "({$ldapnameattribute}={$username})"; + $ldapgroupfilter = "(&({$ldapgroupattribute}={$username})({$ldapextendedquery}))"; + } else { + $ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))"; + } + } + $ldaptype = ""; + $ldapver = $authcfg['ldap_protver']; + $ldapname = $authcfg['name']; + $ldapscope = $authcfg['ldap_scope']; + $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; + } else { + return null; + } + + /* first check if there is even an LDAP server populated */ + if (!$ldapserver) { + log_error(gettext("ERROR! could not find details of the LDAP server used for authentication.")); + $attributes['error_message'] = gettext("Internal error during authentication."); + return null; + } + + /* Make sure we can connect to LDAP */ + $error = false; + if (!($ldap = ldap_connect($ldapserver))) { + $error = true; + } + + /* Setup CA environment if needed. */ + ldap_setup_caenv($ldap, $authcfg); + + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout); + ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout); + + if (strstr($authcfg['ldap_urltype'], "STARTTLS")) { + if (!(@ldap_start_tls($ldap))) { + log_error(sprintf(gettext("ERROR! could not connect to LDAP server %s using STARTTLS."), $ldapname)); + $attributes['error_message'] = gettext("Error : could not connect to authentication server."); + @ldap_close($ldap); + return null; + } + } + + if ($error == true) { + $errormsg = sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname); + $attributes['error_message'] = gettext("Error : could not connect to authentication server."); + return null; + } + + /* ok, its up. now, lets bind as the bind user so we can search it */ + $error = false; + $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; + $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; + if ($ldapanon == true) { + if (!($res = @ldap_bind($ldap))) { + $error = true; + } + } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { + $error = true; + } + + if ($error == true) { + @ldap_close($ldap); + log_error(sprintf(gettext("ERROR! Could not bind to LDAP server %s. Please check the bind credentials."), $ldapname)); + $attributes['error_message'] = gettext("Error : could not connect to authentication server."); + return null; + } + + /* Get LDAP Authcontainers and split em up. */ + $ldac_splits = explode(";", $ldapauthcont); + + /* setup the usercount so we think we haven't found anyone yet */ + $usercount = 0; + + /*****************************************************************/ + /* We first find the user based on username and filter */ + /* then, once we find the first occurrence of that person */ + /* we set session variables to point to the OU and DN of the */ + /* person. To later be used by ldap_get_groups. */ + /* that way we don't have to search twice. */ + /*****************************************************************/ + if ($debug) { + log_auth(sprintf(gettext("Now Searching for %s in directory."), $username)); + } + /* Iterate through the user containers for search */ + foreach ($ldac_splits as $i => $ldac_split) { + $ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split; + $ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter; + $ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}"; + /* Make sure we just use the first user we find */ + if ($debug) { + log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter))); + } + if ($ldapscope == "one") { + $ldapfunc = "ldap_list"; + } else { + $ldapfunc = "ldap_search"; + } + /* Support legacy auth container specification. */ + if (stristr($ldac_split, "DC=") || empty($ldapbasedn)) { + $ldapdn = $ldac_split; + } else { + $ldapdn = $ldapsearchbasedn; + } + $search = @$ldapfunc($ldap, $ldapdn, $ldapfilter); + if (!$search) { + log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap))); + continue; + } + if (isset($authcfg['ldap_rfc2307']) && isset($ldapgroupfilter)) { + if (isset($authcfg['ldap_rfc2307_userdn'])) { + $info = ldap_get_entries($ldap, $search); + $username = $info[0]['dn']; + } + $ldapgroupfilter = "(&({$ldapgroupattribute}={$username})({$ldapextendedquery}))"; + $groupsearch = @$ldapfunc($ldap, $ldapdn, $ldapgroupfilter); + } + + if (isset($ldapgroupfilter) && !$groupsearch) { + log_error(sprintf(gettext("Extended group search resulted in error: %s"), ldap_error($ldap))); + continue; + } + if (isset($groupsearch)) { + $validgroup = ldap_count_entries($ldap, $groupsearch); + if ($debug) { + log_auth(sprintf(gettext("LDAP group search: %s results."), $validgroup)); + } + } + $info = ldap_get_entries($ldap, $search); + $matches = $info['count']; + if ($matches == 1) { + $userdn = $_SESSION['ldapdn'] = $info[0]['dn']; + $_SESSION['ldapou'] = $ldac_split[$i]; + $_SESSION['ldapon'] = "true"; + $usercount = 1; + break; + } + } + + if ($usercount != 1) { + @ldap_unbind($ldap); + if ($debug) { + if ($usercount === 0) { + log_error(sprintf(gettext("ERROR! LDAP search failed, no user matching %s was found."), $username)); + } else { + log_error(sprintf(gettext("ERROR! LDAP search failed, multiple users matching %s were found."), $username)); + } + } + $attributes['error_message'] = gettext("Invalid login specified."); + return false; + } + + /* Now lets bind as the user we found */ + $passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd; + if (!($res = @ldap_bind($ldap, $userdn, $passwd))) { + if ($debug) { + log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap))); + } + @ldap_unbind($ldap); + return false; + } + + if ($debug) { + $userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn; + log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn)); + } + + if ($debug && isset($ldapgroupfilter) && $validgroup < 1) { + log_auth(sprintf(gettext('Logged in successfully as %1$s but did not match any field in extended query.'), $username)); + } + + /* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */ + @ldap_unbind($ldap); + + if (isset($ldapgroupfilter) && $validgroup < 1) { + return false; + } + + return true; +} + +function radius_backed($username, $password, $authcfg, &$attributes = array()) { + global $debug, $config; + $ret = false; + + require_once("Auth/RADIUS.php"); + require_once("Crypt/CHAP.php"); + + if ($authcfg) { + $radiusservers = array(); + $radiusservers[0]['ipaddr'] = $authcfg['host']; + $radiusservers[0]['port'] = $authcfg['radius_auth_port']; + $radiusservers[0]['sharedsecret'] = $authcfg['radius_secret']; + $radiusservers[0]['timeout'] = $authcfg['radius_timeout']; + if(isset($authcfg['radius_protocol'])) { + $radius_protocol = $authcfg['radius_protocol']; + } else { + $radius_protocol = 'PAP'; + } + } else { + log_error(gettext("ERROR! could not find details of the RADIUS server used for authentication.")); + $attributes['error_message'] = gettext("Internal error during authentication."); + return null; + } + + // Create our instance + $classname = 'Auth_RADIUS_' . $radius_protocol; + $rauth = new $classname($username, $password); + + /* Add new servers to our instance */ + foreach ($radiusservers as $radsrv) { + $timeout = (is_numeric($radsrv['timeout'])) ? $radsrv['timeout'] : 5; + $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret'], $timeout); + } + + // Construct data package + $rauth->username = $username; + switch ($radius_protocol) { + case 'CHAP_MD5': + case 'MSCHAPv1': + $classname = $radius_protocol == 'MSCHAPv1' ? 'Crypt_CHAP_MSv1' : 'Crypt_CHAP_MD5'; + $crpt = new $classname; + $crpt->username = $username; + $crpt->password = $password; + $rauth->challenge = $crpt->challenge; + $rauth->chapid = $crpt->chapid; + $rauth->response = $crpt->challengeResponse(); + $rauth->flags = 1; + break; + + case 'MSCHAPv2': + $crpt = new Crypt_CHAP_MSv2; + $crpt->username = $username; + $crpt->password = $password; + $rauth->challenge = $crpt->authChallenge; + $rauth->peerChallenge = $crpt->peerChallenge; + $rauth->chapid = $crpt->chapid; + $rauth->response = $crpt->challengeResponse(); + break; + + default: + $rauth->password = $password; + break; + } + + if (PEAR::isError($rauth->start())) { + $ret = null; + log_error(sprintf(gettext("Error during RADIUS authentication : %s"), $rauth->getError())); + $attributes['error_message'] = gettext("Error : could not connect to authentication server."); + } else { + $nasid = $attributes['nas_identifier']; + $nasip = $authcfg['radius_nasip_attribute']; + if (empty($nasid)) { + $nasid = gethostname(); //If no RADIUS NAS-Identifier is given : we use pfsense's hostname as NAS-Identifier + } + if (!is_ipaddr($nasip)) { + $nasip = get_interface_ip($nasip); + + if (!is_ipaddr($nasip)) { + /* use first interface with IP as fallback for NAS-IP-Address + * see https://redmine.pfsense.org/issues/11109 */ + foreach (get_configured_interface_list() as $if) { + $nasip = get_interface_ip($if); + if (is_ipaddr($nasip)) { + break; + } + } + } + } + $nasmac = get_interface_mac(find_ip_interface($nasip)); + + $rauth->putAttribute(RADIUS_NAS_IP_ADDRESS, $nasip, "addr"); + $rauth->putAttribute(RADIUS_NAS_IDENTIFIER, $nasid); + + if(!empty($attributes['calling_station_id'])) { + $rauth->putAttribute(RADIUS_CALLING_STATION_ID, $attributes['calling_station_id']); + } + // Carefully check that interface has a MAC address + if(!empty($nasmac)) { + $nasmac = mac_format($nasmac); + $rauth->putAttribute(RADIUS_CALLED_STATION_ID, $nasmac.':'.gethostname()); + } + if(!empty($attributes['nas_port_type'])) { + $rauth->putAttribute(RADIUS_NAS_PORT_TYPE, $attributes['nas_port_type']); + } + if(!empty($attributes['nas_port'])) { + $rauth->putAttribute(RADIUS_NAS_PORT, intval($attributes['nas_port']), 'integer'); + } + if(!empty($attributes['framed_ip']) && is_ipaddr($attributes['framed_ip'])) { + $rauth->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $attributes['framed_ip'], "addr"); + } + } + + // XXX - billm - somewhere in here we need to handle securid challenge/response + + /* Send request */ + $result = $rauth->send(); + if (PEAR::isError($result)) { + log_error(sprintf(gettext("Error during RADIUS authentication : %s"), $rauth->getError())); + $attributes['error_message'] = gettext("Error : could not connect to authentication server."); + $ret = null; + } else if ($result === true) { + $ret = true; + } else { + $ret = false; + } + + + // Get attributes, even if auth failed. + if ($rauth->getAttributes()) { + $attributes = array_merge($attributes,$rauth->listAttributes()); + + // We convert the session_terminate_time to unixtimestamp if its set before returning the whole array to our caller + if (!empty($attributes['session_terminate_time'])) { + $stt = &$attributes['session_terminate_time']; + $stt = strtotime(preg_replace("/\+(\d+):(\d+)$/", " +\${1}\${2}", preg_replace("/(\d+)T(\d+)/", "\${1} \${2}",$stt))); + } + } + + // close OO RADIUS_AUTHENTICATION + $rauth->close(); + + return $ret; +} + +/* + $attributes must contain a "class" key containing the groups and local + groups must exist to match. +*/ +function radius_get_groups($attributes) { + $groups = array(); + if (!empty($attributes) && is_array($attributes) && (!empty($attributes['class']) || !empty($attributes['class_int']))) { + /* Some RADIUS servers return multiple class attributes, so check them all. */ + $groups = array(); + if (!empty($attributes['class']) && is_array($attributes['class'])) { + foreach ($attributes['class'] as $class) { + $groups = array_unique(array_merge($groups, explode(";", $class))); + } + } + + foreach ($groups as & $grp) { + $grp = trim($grp); + if (strtolower(substr($grp, 0, 3)) == "ou=") { + $grp = substr($grp, 3); + } + } + } + return $groups; +} + +function get_user_expiration_date($username) { + $user = getUserEntry($username); + if ($user['expires']) { + return $user['expires']; + } +} + +function is_account_expired($username) { + $expirydate = get_user_expiration_date($username); + if ($expirydate) { + if (strtotime("-1 day") > strtotime(date("m/d/Y", strtotime($expirydate)))) { + return true; + } + } + + return false; +} + +function is_account_disabled($username) { + $user = getUserEntry($username); + if (isset($user['disabled'])) { + return true; + } + + return false; +} + +function get_user_settings($username) { + global $config; + $settings = array(); + $settings['widgets'] = $config['widgets']; + $settings['webgui']['dashboardcolumns'] = $config['system']['webgui']['dashboardcolumns']; + $settings['webgui']['webguihostnamemenu'] = $config['system']['webgui']['webguihostnamemenu']; + $settings['webgui']['webguicss'] = $config['system']['webgui']['webguicss']; + $settings['webgui']['logincss'] = $config['system']['webgui']['logincss']; + $settings['webgui']['interfacessort'] = isset($config['system']['webgui']['interfacessort']); + $settings['webgui']['dashboardavailablewidgetspanel'] = isset($config['system']['webgui']['dashboardavailablewidgetspanel']); + $settings['webgui']['webguifixedmenu'] = isset($config['system']['webgui']['webguifixedmenu']); + $settings['webgui']['webguileftcolumnhyper'] = isset($config['system']['webgui']['webguileftcolumnhyper']); + $settings['webgui']['disablealiaspopupdetail'] = isset($config['system']['webgui']['disablealiaspopupdetail']); + $settings['webgui']['systemlogsfilterpanel'] = isset($config['system']['webgui']['systemlogsfilterpanel']); + $settings['webgui']['systemlogsmanagelogpanel'] = isset($config['system']['webgui']['systemlogsmanagelogpanel']); + $settings['webgui']['statusmonitoringsettingspanel'] = isset($config['system']['webgui']['statusmonitoringsettingspanel']); + $settings['webgui']['pagenamefirst'] = isset($config['system']['webgui']['pagenamefirst']); + $user = getUserEntry($username); + if (isset($user['customsettings'])) { + $settings['customsettings'] = true; + if (isset($user['widgets'])) { + // This includes the 'sequence', and any widgetname-config per-widget settings. + $settings['widgets'] = $user['widgets']; + } + if (isset($user['dashboardcolumns'])) { + $settings['webgui']['dashboardcolumns'] = $user['dashboardcolumns']; + } + if (isset($user['webguicss'])) { + $settings['webgui']['webguicss'] = $user['webguicss']; + } + if (isset($user['webguihostnamemenu'])) { + $settings['webgui']['webguihostnamemenu'] = $user['webguihostnamemenu']; + } + $settings['webgui']['interfacessort'] = isset($user['interfacessort']); + $settings['webgui']['dashboardavailablewidgetspanel'] = isset($user['dashboardavailablewidgetspanel']); + $settings['webgui']['webguifixedmenu'] = isset($user['webguifixedmenu']); + $settings['webgui']['webguileftcolumnhyper'] = isset($user['webguileftcolumnhyper']); + $settings['webgui']['disablealiaspopupdetail'] = isset($user['disablealiaspopupdetail']); + $settings['webgui']['systemlogsfilterpanel'] = isset($user['systemlogsfilterpanel']); + $settings['webgui']['systemlogsmanagelogpanel'] = isset($user['systemlogsmanagelogpanel']); + $settings['webgui']['statusmonitoringsettingspanel'] = isset($user['statusmonitoringsettingspanel']); + $settings['webgui']['pagenamefirst'] = isset($user['pagenamefirst']); + } else { + $settings['customsettings'] = false; + } + + if ($settings['webgui']['dashboardcolumns'] < 1) { + $settings['webgui']['dashboardcolumns'] = 2; + } + + return $settings; +} + +function save_widget_settings($username, $settings, $message = "") { + global $config, $userindex; + $user = getUserEntry($username); + + if (strlen($message) > 0) { + $msgout = $message; + } else { + $msgout = gettext("Widget configuration has been changed."); + } + + if (isset($user['customsettings'])) { + $config['system']['user'][$userindex[$username]]['widgets'] = $settings; + write_config($msgout . " " . sprintf(gettext("(User %s)"), $username)); + } else { + $config['widgets'] = $settings; + write_config($msgout); + } +} + +function auth_get_authserver($name) { + global $config; + + if (is_array($config['system']['authserver'])) { + foreach ($config['system']['authserver'] as $authcfg) { + if ($authcfg['name'] == $name) { + return $authcfg; + } + } + } + if ($name == "Local Database") { + return array("name" => "Local Database", "type" => "Local Auth", "host" => $config['system']['hostname']); + } +} + +function auth_get_authserver_list() { + global $config; + + $list = array(); + + if (is_array($config['system']['authserver'])) { + foreach ($config['system']['authserver'] as $authcfg) { + /* Add support for disabled entries? */ + $list[$authcfg['name']] = $authcfg; + } + } + + $list["Local Database"] = array("name" => "Local Database", "type" => "Local Auth", "host" => $config['system']['hostname']); + return $list; +} + +function getUserGroups($username, $authcfg, &$attributes = array()) { + global $config; + + $allowed_groups = array(); + + switch ($authcfg['type']) { + case 'ldap': + $allowed_groups = @ldap_get_groups($username, $authcfg); + break; + case 'radius': + $allowed_groups = @radius_get_groups($attributes); + break; + default: + $user = getUserEntry($username); + $allowed_groups = @local_user_get_groups($user, true); + break; + } + + $member_groups = array(); + if (is_array($config['system']['group'])) { + foreach ($config['system']['group'] as $group) { + if (in_array($group['name'], $allowed_groups)) { + $member_groups[] = $group['name']; + } + } + } + + return $member_groups; +} + +/* +Possible return values : +true : authentication worked +false : authentication failed (invalid login/password, not enough permission, etc...) +null : error during authentication process (unable to reach remote server, etc...) +*/ +function authenticate_user($username, $password, $authcfg = NULL, &$attributes = array()) { + + if (is_array($username) || is_array($password)) { + return false; + } + + if (!$authcfg) { + return local_backed($username, $password, $attributes); + } + + $authenticated = false; + switch ($authcfg['type']) { + case 'ldap': + try { + $authenticated = ldap_backed($username, $password, $authcfg, $attributes); + } catch (Exception $e) { + log_error(sprintf(gettext("LDAP authentication error: %s"), $e->getMessage())); + } + break; + + break; + case 'radius': + try { + $authenticated = radius_backed($username, $password, $authcfg, $attributes); + } catch (Exception $e) { + log_error(sprintf(gettext("RADIUS authentication error: %s"), $e->getMessage())); + } + break; + default: + /* lookup user object by name */ + try { + $authenticated = local_backed($username, $password, $attributes); + } catch (Exception $e) { + log_error(sprintf(gettext("Local authentication error: %s"), $e->getMessage())); + } + break; + } + + return $authenticated; +} + +function session_auth() { + global $config, $_SESSION, $page; + + // Handle HTTPS httponly and secure flags + $currentCookieParams = session_get_cookie_params(); + session_set_cookie_params( + $currentCookieParams["lifetime"], + $currentCookieParams["path"], + NULL, + ($config['system']['webgui']['protocol'] == "https"), + true + ); + + phpsession_begin(); + + // Detect protocol change + if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) { + phpsession_end(); + return false; + } + + /* Validate incoming login request */ + $attributes = array('nas_identifier' => 'webConfigurator-' . gethostname()); + if ($_SESSION['saml2_auth'] or (isset($_POST['login']) && !empty($_POST['usernamefld']))) { + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + $remoteauth = authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes); + + # Added by pfSense-pkg-saml2-auth - set SAML2 as remote authentication + $remoteauth = ($_SESSION['saml2_auth']) ? true : $remoteauth; + + if ($remoteauth || authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) { + // Generate a new id to avoid session fixation + session_regenerate_id(); + $_SESSION['Logged_In'] = "True"; + $_SESSION['remoteauth'] = $remoteauth; + if ($remoteauth) { + # Added by pfSense-pkg-saml2-auth - store SAML2 authentication source + if ($_SESSION['saml2_auth']) { + $_SESSION['authsource'] = "SAML2"; + } + elseif (empty($authcfg['type']) || ($authcfg['type'] == "Local Auth")) { + $_SESSION['authsource'] = "Local Database"; + } else { + $_SESSION['authsource'] = strtoupper($authcfg['type']) . "/{$authcfg['name']}"; + } + } else { + $_SESSION['authsource'] = 'Local Database Fallback'; + } + $_SESSION['Username'] = $_POST['usernamefld']; + $_SESSION['user_radius_attributes'] = $attributes; + $_SESSION['last_access'] = time(); + $_SESSION['protocol'] = $config['system']['webgui']['protocol']; + + # Added by pfSense-pkg-saml2-auth - Save username found in SAML assertion of using SAML authentication + if ($_SESSION['saml2_auth']) { + require_once("saml2_auth/SAML2Auth.inc"); + $pkg_conf = SAML2Auth::get_package_config()[1]; + $_SESSION["Username"] = $_SESSION['saml2_name_id']; + # Strip email usernames if configured + if (boolval($pkg_conf["strip_username"])) { + $_SESSION["Username"] = explode("@", $_SESSION["Username"])[0]; + } + } + + # Added by pfSense-pkg-saml2-auth - Unset the saml2 authentication success variable to avoid login loop + unset($_SESSION['saml2_auth']); + + phpsession_end(true); + if (!isset($config['system']['webgui']['quietlogin'])) { + # Added by pfSense-pkg-saml2-auth - Log the $_SESSION username rather than the POST data username + log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_SESSION['Username'], get_user_remote_address() . get_user_remote_authsource())); + } + if (isset($_POST['postafterlogin'])) { + return true; + } else { + if (empty($page)) { + $page = "/"; + } + header("Location: {$page}"); + } + exit; + } else { + /* give the user an error message */ + $_SESSION['Login_Error'] = gettext("Username or Password incorrect"); + log_auth(sprintf(gettext("webConfigurator authentication error for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], get_user_remote_address() . get_user_remote_authsource())); + if (isAjax()) { + echo "showajaxmessage('{$_SESSION['Login_Error']}');"; + return; + } + } + } + + /* Show login page if they aren't logged in */ + if (empty($_SESSION['Logged_In'])) { + phpsession_end(true); + return false; + } + + /* If session timeout isn't set, we don't mark sessions stale */ + if (!isset($config['system']['webgui']['session_timeout'])) { + /* Default to 4 hour timeout if one is not set */ + if ($_SESSION['last_access'] < (time() - 14400)) { + $_POST['logout'] = true; + $_SESSION['Logout'] = true; + } else { + $_SESSION['last_access'] = time(); + } + } else if (intval($config['system']['webgui']['session_timeout']) == 0) { + /* only update if it wasn't ajax */ + if (!isAjax()) { + $_SESSION['last_access'] = time(); + } + } else { + /* Check for stale session */ + if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) { + $_POST['logout'] = true; + $_SESSION['Logout'] = true; + } else { + /* only update if it wasn't ajax */ + if (!isAjax()) { + $_SESSION['last_access'] = time(); + } + } + } + + /* user hit the logout button */ + if (isset($_POST['logout'])) { + + if ($_SESSION['Logout']) { + log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], get_user_remote_address() . get_user_remote_authsource())); + } else { + log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], get_user_remote_address() . get_user_remote_authsource())); + } + + /* wipe out $_SESSION */ + $_SESSION = array(); + + if (isset($_COOKIE[session_name()])) { + setcookie(session_name(), '', time()-42000, '/'); + } + + /* and destroy it */ + phpsession_destroy(); + + $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]); + $scriptElms = count($scriptName); + $scriptName = $scriptName[$scriptElms-1]; + + if (isAjax()) { + return false; + } + + /* redirect to page the user is on, it'll prompt them to login again */ + header("Location: {$scriptName}"); + + return false; + } + + /* + * this is for debugging purpose if you do not want to use Ajax + * to submit a HTML form. It basically disables the observation + * of the submit event and hence does not trigger Ajax. + */ + if ($_REQUEST['disable_ajax']) { + $_SESSION['NO_AJAX'] = "True"; + } + + /* + * Same to re-enable Ajax. + */ + if ($_REQUEST['enable_ajax']) { + unset($_SESSION['NO_AJAX']); + } + phpsession_end(true); + return true; +} + +function print_credit() { + global $g; + + return '' . $g["product_label"] . '' . + gettext(' is developed and maintained by ') . + 'Netgate. ' . ' © ESF ' . $g["product_copyright_years"] . + '' . + gettext(' View license.') . ''; +} +function get_user_remote_address() { + $remote_address = $_SERVER['REMOTE_ADDR']; + if (!empty($_SERVER['HTTP_CLIENT_IP'])) { + $remote_address .= "[{$_SERVER['HTTP_CLIENT_IP']}]"; + } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { + $remote_address .= "[{$_SERVER['HTTP_X_FORWARDED_FOR']}]"; + } + return $remote_address; +} +function get_user_remote_authsource() { + $authsource = ""; + if (!empty($_SESSION['authsource'])) { + $authsource .= " ({$_SESSION['authsource']})"; + } + return $authsource; +} + +function set_pam_auth() { + global $config; + + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + + unlink_if_exists("/etc/radius.conf"); + unlink_if_exists("/var/etc/pam_ldap.conf"); + unlink_if_exists("/var/etc/pam_ldap_ca.crt"); + + $header = "# This file is automatically generated. Do not edit.\n\n"; + $pam_sshd =<< diff --git a/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/authgui.inc b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/authgui.inc new file mode 100644 index 0000000..5715e1d --- /dev/null +++ b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/2.6.0-RELEASE/authgui.inc @@ -0,0 +1,427 @@ + + * Copyright (c) 2005-2006 Bill Marquette + * Copyright (c) 2006 Paul Taylor + * Copyright (c) 2004-2013 BSD Perimeter + * Copyright (c) 2013-2016 Electric Sheep Fencing + * Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate) + * All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +include_once("auth.inc"); +include_once("priv.inc"); +if (!function_exists('platform_booting')) { + require_once('globals.inc'); +} +require_once('pfsense-utils.inc'); + +/* Authenticate user - exit if failed */ +if (!session_auth()) { + display_login_form(); + exit; +} + +phpsession_begin(); + +/* + * Once here, the user has authenticated with the web server. + * We give them access only to the appropriate pages based on + * the user or group privileges. + */ +$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']); + +/* + * Get user-based preference settings so they can be easily referenced. + */ +$user_settings = get_user_settings($_SESSION['Username']); + +/* + * redirect to first allowed page if requesting a wrong url + */ + +/* Fix this up otherwise the privilege check will fail. See Redmine #5909. */ +if ($_SERVER['REQUEST_URI'] == "/") { + $_SERVER['REQUEST_URI'] = "/index.php"; +} + +if (!isAllowedPage($_SERVER['REQUEST_URI'])) { + if (count($allowedpages) > 0) { + $page = str_replace('*', '', $allowedpages[0]); + $_SESSION['Post_Login'] = true; + require_once("functions.inc"); + pfSenseHeader("/{$page}"); + + $username = get_config_user(); + log_error("{$username} attempted to access {$_SERVER['SCRIPT_NAME']} but does not have access to that page. Redirecting to {$page}."); + + exit; + } else { + // add this so they don't get stuck on the logout page when they have no permissions. + $_SESSION["Logged_In"] = false; + display_error_form("201", gettext("No page assigned to this user! Click here to logout.")); + + exit; + } +} else { + $_SESSION['Post_Login'] = true; +} + +/* + * redirect browsers post-login to avoid pages + * taking action in response to a POST request + */ +if (!$_SESSION['Post_Login']) { + $_SESSION['Post_Login'] = true; + require_once("functions.inc"); + pfSenseHeader($_SERVER['REQUEST_URI']); + exit; +} + +/* + * Close session data to allow other scripts from same host to come in. + * A session can be reactivated from calling phpsession_begin again + */ +phpsession_end(true); + +/* + * determine if the user is allowed access to the requested page + */ +function display_error_form($http_code, $desc) { + global $config, $user_settings, $g; + + if (isAjax()) { + printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc); + return; + } + + $logincssfile = "#770101"; + ?> + + + + + + + + <?=gettext("Error"); ?> + + + +
+
+
+
+
+
+ +
+
+
+ + +
+
+
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+

+ +

+
+
+
+ + + + "True") { + isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = gettext("unknown reason"); + printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error); + } + if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) { + // TODO: add the IP from the user who did lock the device + $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock"); + printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom); + } + } + //If session ended + echo "SESSION_TIMEOUT"; + exit; + } + + /* Check against locally configured IP addresses, which will catch when someone + port forwards WebGUI access from WAN to an internal IP on the router. */ + global $FilterIflist, $nifty_background; + + $local_ip = false; + + if (strpos($_SERVER['HTTP_HOST'], ":") === FALSE) { + $http_host_port = explode(":", $_SERVER['HTTP_HOST']); + $http_host = $http_host_port[0]; + } else { + $http_host = $_SERVER['HTTP_HOST']; + } + + if (empty($FilterIflist)) { + require_once('filter.inc'); + require_once('shaper.inc'); + filter_generate_optcfg_array(); + } + + foreach ($FilterIflist as $iflist) { + if ($iflist['ip'] == $http_host) { + $local_ip = true; + } else if ($iflist['ipv6'] == $http_host) { + $local_ip = true; + } else if (is_array($iflist['vips'])) { + foreach ($iflist['vips'] as $vip) { + if ($vip['ip'] == $http_host) { + $local_ip = true; + break; + } + } + + unset($vip); + } + + if ($local_ip == true) { + break; + } + } + + unset($FilterIflist); + unset($iflist); + + if ($local_ip == false) { + if (is_array($config['openvpn']['openvpn-server'])) { + foreach ($config['openvpn']['openvpn-server'] as $ovpns) { + if (is_ipaddrv4($http_host) && !empty($ovpns['tunnel_network']) && ip_in_subnet($http_host, $ovpns['tunnel_network'])) { + $local_ip = true; + } else if (is_ipaddrv6($http_host) && !empty($ovpns['tunnel_networkv6']) && ip_in_subnet($http_host, $ovpns['tunnel_networkv6'])) { + $local_ip = true; + } + + if ($local_ip == true) { + break; + } + } + } + } + + // For the login form, get the settings of no particular user. + // That ensures we will use the system default theme for the login form. + $user_settings = get_user_settings(""); + $cssfile = "/css/pfSense.css"; + + if (isset($user_settings['webgui']['webguicss'])) { + if (file_exists("/usr/local/www/css/" . $user_settings['webgui']['webguicss'])) { + $cssfile = "/css/" . $user_settings['webgui']['webguicss']; + } + } + + $logincssfile = "#1e3f75"; + + if (isset($user_settings['webgui']['logincss']) && strlen($user_settings['webgui']['logincss']) == 6) { + $logincssfile = "#" . $user_settings['webgui']['logincss']; + } + + if (isset($config['system']['webgui']['loginshowhost'])) { + $loginbannerstr = sprintf(gettext('%1$s.%2$s'), htmlspecialchars($config['system']['hostname']), htmlspecialchars($config['system']['domain'])); + $login_title = gettext(htmlspecialchars($config['system']['hostname'] . " - Login")); + } else { + $loginbannerstr = sprintf(gettext('Login to %1$s'), $g['product_label']); + $login_title = sprintf(gettext("%s - Login"), $g['product_label']); + } + + $loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"'; + + if (is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) { + $warnclass = "pagebodywarn"; // Make room for a warning display row + } else { + $warnclass = "pagebody"; + } + ?> + + + + + + + <?=$login_title; ?> + + + + +
+
+
+
+ +
+
+ +
+
+ + +
+ " . $_SESSION['Login_Error'] . ""); + } + ?> +
+ + +
+ +

+ +
+
+ +
+
+
+ +
+
+
+ +
+
+ +
+
+ +
+
+
class="login"> +

Sign In

+ + + + + '; + echo '

Login with SSO

'; + } + ?> + +
+
+
+ +
+
+ +
+
+

+ +

+
+
+
+ + + + + + + + + + + + + + * Copyright (c) 2006 Paul Taylor . + * Copyright (c) 2008 Shrew Soft Inc + * Copyright (c) 2003-2006 Manuel Kasper . + * All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +require_once("priv.defs.inc"); +require_once("auth_func.inc"); + +/* Load and process custom privs. */ +function get_priv_files($directory) { + $dir_array = array(); + if (!is_dir($directory)) { + return; + } + if ($dh = opendir($directory)) { + while (($file = readdir($dh)) !== false) { + $canadd = 0; + if ($file == ".") { + $canadd = 1; + } + if ($file == "..") { + $canadd = 1; + } + if ($canadd == 0) { + array_push($dir_array, $file); + } + } + closedir($dh); + } + if (!is_array($dir_array)) { + return; + } + return $dir_array; +} + +// Load and sort privs +$dir_array = get_priv_files("/etc/inc/priv"); +foreach ($dir_array as $file) { + if (!is_dir("/etc/inc/priv/{$file}") && substr($file, -4) == ".inc") { + include_once("/etc/inc/priv/{$file}"); + } +} +if (is_dir("/usr/local/pkg/priv")) { + $dir_array = get_priv_files("/usr/local/pkg/priv"); + foreach ($dir_array as $file) { + if (!is_dir("/usr/local/pkg/priv/{$file}") && + substr($file, -4) == ".inc") { + include_once("/usr/local/pkg/priv/{$file}"); + } + } +} + +if (is_array($priv_list)) { + sort_privs($priv_list); +} + +function cmp_privkeys($a, $b) { + /* user privs at the top */ + $auser = strncmp("user-", $a, 5); + $buser = strncmp("user-", $b, 5); + if ($auser != $buser) { + return $auser - $buser; + } + + /* name compare others */ + return strcasecmp($a, $b); +} + +function sort_privs(& $privs) { + uksort($privs, "cmp_privkeys"); +} + +function map_page_privname($page) { + global $priv_list; + + foreach ($priv_list as $pname => $pdata) { + if (strncmp($pname, "page-", 5)) { + continue; + } + $fullwc = false; + if (!strcasecmp($page, "any")||!strcmp($page, "*")) { + $fullwc = true; + } + if (cmp_page_matches($page, $pdata['match'], $fullwc)) { + return $pname; + } + } + + return false; +} + +function get_user_privdesc(& $user) { + global $priv_list; + + $privs = array(); + + $user_privs = $user['priv']; + if (!is_array($user_privs)) { + $user_privs = array(); + } + + $names = local_user_get_groups($user, true); + + foreach ($names as $name) { + $group = getGroupEntry($name); + $group_privs = $group['priv']; + if (!is_array($group_privs)) { + continue; + } + foreach ($group_privs as $pname) { + if (in_array($pname, $user_privs)) { + continue; + } + if (!$priv_list[$pname]) { + continue; + } + $priv = $priv_list[$pname]; + $priv['group'] = $group['name']; + $privs[] = $priv; + } + } + + foreach ($user_privs as $pname) { + if ($priv_list[$pname]) { + $privs[] = $priv_list[$pname]; + } + } + + return $privs; +} + +function isAdminUID($username) { + global $_SESSION; + + if (!isset($username)) { + return false; + } + + /* admin/root access check */ + $user = getUserEntry($username); + if (isset($user)) { + if (isset($user['uid'])) { + if ($user['uid'] == 0) { + return true; + } + } + } + + return false; +} + +function isAllowed($username, $page) { + global $_SESSION; + + if (!isset($username)) { + return false; + } + + if (isAdminUID($username)) { + return true; + } + + /* user privilege access check */ + if (cmp_page_matches($page, $_SESSION['page-match'])) { + return true; + } + + return false; +} + +function isAllowedPage($page) { + global $_SESSION; + + + $username = $_SESSION['Username']; + + if (!isset($username)) { + return false; + } + + if (isAdminUID($username)) { + return true; + } + + /* user privilege access check */ + return cmp_page_matches($page, $_SESSION['page-match']); +} + +function getPrivPages(& $entry, & $allowed_pages) { + global $priv_list; + + if (!is_array($entry['priv'])) { + return; + } + + foreach ($entry['priv'] as $pname) { + if (strncmp($pname, "page-", 5) || + !is_array($priv_list[$pname]) || + !is_array($priv_list[$pname]['match'])) { + continue; + } + foreach ($priv_list[$pname]['match'] as $match) { + $allowed_pages[] = $match; + } + } +} + +function getAllowedPages($username, &$attributes = array()) { + global $config, $_SESSION; + + if (!function_exists("ldap_connect")) { + return; + } + + $allowed_pages = array(); + $allowed_groups = array(); + + phpsession_begin(); + if ($_SESSION['remoteauth']) { + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + // cache auth results for a short time to ease load on auth services & logs + if (isset($config['system']['webgui']['auth_refresh_time'])) { + $recheck_time = $config['system']['webgui']['auth_refresh_time']; + } else { + $recheck_time = 30; + } + // obtain ldap groups if we are in ldap mode + if ($authcfg['type'] == "ldap") { + if (isset($_SESSION["ldap_allowed_groups"]) && + (time() <= $_SESSION["auth_check_time"] + $recheck_time)) { + $allowed_groups = $_SESSION["ldap_allowed_groups"]; + } else { + $allowed_groups = @ldap_get_groups($username, $authcfg); + $_SESSION["ldap_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } + } elseif ($authcfg['type'] == "radius") { + if (isset($_SESSION["radius_allowed_groups"]) && + (time() <= $_SESSION["auth_check_time"] + $recheck_time)) { + $allowed_groups = $_SESSION["radius_allowed_groups"]; + } else { + $allowed_groups = @radius_get_groups($attributes); + $_SESSION["radius_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } + } + + # Added by pfSense-pkg-saml2-auth - set SAML2 user's group assignments as specified by the SAML2 assertion + if ($_SESSION["authsource"] === "SAML2") { + require_once("saml2_auth/SAML2Auth.inc"); + $pkg_conf = SAML2Auth::get_package_config()[1]; + $allowed_groups = $_SESSION["saml2_user_data"][$pkg_conf["idp_groups_attribute"]]; + } + + } + if (!$allowed_groups) { + // search for a local user by name + $local_user = getUserEntry($username); + + // obtain local user pages and groups if we have a local user + if ($local_user) { + getPrivPages($local_user, $allowed_pages); + $allowed_groups = local_user_get_groups($local_user); + } + } + + if (!is_array($allowed_groups)) { + $allowed_groups = array('all'); + } else { + $allowed_groups[] = 'all'; + } + + // build a list of allowed pages + if (is_array($config['system']['group']) && is_array($allowed_groups)) { + foreach ($config['system']['group'] as $group) { + if (in_array($group['name'], $allowed_groups)) { + getPrivPages($group, $allowed_pages); + } + } + } + +// $dbg_pages = implode(",", $allowed_pages); +// $dbg_groups = implode(",", $allowed_groups); +// log_error("debug: user {$username} groups = {$dbg_groups}"); +// log_error("debug: user {$username} pages = {$dbg_pages}"); + + $_SESSION['page-match'] = $allowed_pages; + phpsession_end(true); + return $allowed_pages; +} + +function sort_user_privs($privs) { + // Privileges to place first, to redirect properly. + $priority_privs = array("page-dashboard-all", "page-system-login-logout"); + + $fprivs = array_intersect($privs, $priority_privs); + $sprivs = array_diff($privs, $priority_privs); + + return array_merge($fprivs, $sprivs); +} +?> diff --git a/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/README.md b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/README.md index 97e4f92..ddecdab 100644 --- a/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/README.md +++ b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/README.md @@ -11,4 +11,4 @@ the default overrides. In the case that the default overrides break your pfSense to restore the overridden files to their original state. ## Default Override Version -2.5.2-RELEASE +2.6.0-RELEASE diff --git a/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/auth.inc b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/auth.inc index 6d048eb..7bd163a 100644 --- a/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/auth.inc +++ b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/auth.inc @@ -8,7 +8,7 @@ * Copyright (c) 2006 Paul Taylor * Copyright (c) 2004-2013 BSD Perimeter * Copyright (c) 2013-2016 Electric Sheep Fencing - * Copyright (c) 2014-2021 Rubicon Communications, LLC (Netgate) + * Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate) * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -431,21 +431,28 @@ function local_backed($username, $passwd) { return false; } + if ($user['sha512-hash']) { + if (hash_equals($user['sha512-hash'], crypt($passwd, $user['sha512-hash']))) { + return true; + } + } + + //for backwards compatibility if ($user['bcrypt-hash']) { if (password_verify($passwd, $user['bcrypt-hash'])) { return true; } } - //for backwards compatibility + // pfSense < 2.3 password hashing, see https://redmine.pfsense.org/issues/4120 if ($user['password']) { - if (crypt($passwd, $user['password']) == $user['password']) { + if (hash_equals($user['password'], crypt($passwd, $user['password']))) { return true; } } if ($user['md5-hash']) { - if (md5($passwd) == $user['md5-hash']) { + if (hash_equals($user['md5-hash'], md5($passwd))) { return true; } } @@ -626,7 +633,7 @@ function local_reset_accounts() { function local_user_set(& $user) { global $g, $debug; - if (empty($user['password']) && empty($user['bcrypt-hash'])) { + if (empty($user['sha512-hash']) && empty($user['bcrypt-hash']) && empty($user['password'])) { log_error("There is something wrong in the config because user {$user['name']} password is missing!"); return; } @@ -675,10 +682,12 @@ function local_user_set(& $user) { log_error(sprintf(gettext("Running: %s"), $cmd)); } $fd = popen($cmd, "w"); - if (empty($user['bcrypt-hash'])) { - fwrite($fd, $user['password']); - } else { + if (isset($user['sha512-hash'])) { + fwrite($fd, $user['sha512-hash']); + } elseif (isset($user['bcrypt-hash'])) { fwrite($fd, $user['bcrypt-hash']); + } else { + fwrite($fd, $user['password']); } pclose($fd); $user_group = "wheel"; @@ -716,10 +725,12 @@ function local_user_set(& $user) { log_error(sprintf(gettext("Running: %s"), $cmd)); } $fd = popen($cmd, "w"); - if (empty($user['bcrypt-hash'])) { - fwrite($fd, $user['password']); - } else { + if (isset($user['sha512-hash'])) { + fwrite($fd, $user['sha512-hash']); + } elseif (isset($user['bcrypt-hash'])) { fwrite($fd, $user['bcrypt-hash']); + } else { + fwrite($fd, $user['password']); } pclose($fd); @@ -795,7 +806,9 @@ function local_user_set_password(&$user, $password) { unset($user['password']); unset($user['md5-hash']); - $user['bcrypt-hash'] = password_hash($password, PASSWORD_BCRYPT); + unset($user['bcrypt-hash']); + $salt = substr(bin2hex(openssl_random_pseudo_bytes(16)),0,16); + $user['sha512-hash'] = crypt($password, '$6$'. $salt . '$'); if (($user['name'] == $config['hasync']['username']) && ($config['hasync']['adminsync'] == 'on')) { $config['hasync']['new_password'] = $password; @@ -1237,11 +1250,11 @@ function ldap_get_groups($username, $authcfg) { global $debug, $config; if (!function_exists("ldap_connect")) { - return; + return array(); } if (!$username) { - return false; + return array(); } if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) { @@ -1284,7 +1297,7 @@ function ldap_get_groups($username, $authcfg) { $ldapscope = $authcfg['ldap_scope']; $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; } else { - return false; + return array(); } if (isset($authcfg['ldap_rfc2307'])) { @@ -1321,7 +1334,7 @@ function ldap_get_groups($username, $authcfg) { if (!(@ldap_start_tls($ldap))) { log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname)); @ldap_close($ldap); - return false; + return array(); } } @@ -1332,7 +1345,7 @@ function ldap_get_groups($username, $authcfg) { if (!($res = @ldap_bind($ldap))) { log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname)); @ldap_close($ldap); - return false; + return array(); } } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) { log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind to server %s."), $ldapname)); diff --git a/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/authgui.inc b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/authgui.inc index 2a66234..5715e1d 100644 --- a/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/authgui.inc +++ b/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/overrides/default/authgui.inc @@ -8,7 +8,7 @@ * Copyright (c) 2006 Paul Taylor * Copyright (c) 2004-2013 BSD Perimeter * Copyright (c) 2013-2016 Electric Sheep Fencing - * Copyright (c) 2014-2021 Rubicon Communications, LLC (Netgate) + * Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate) * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -424,4 +424,4 @@ function display_login_form() { * Copyright (c) 2006 Paul Taylor . * Copyright (c) 2008 Shrew Soft Inc @@ -273,6 +273,7 @@ function getAllowedPages($username, &$attributes = array()) { $pkg_conf = SAML2Auth::get_package_config()[1]; $allowed_groups = $_SESSION["saml2_user_data"][$pkg_conf["idp_groups_attribute"]]; } + } if (!$allowed_groups) { // search for a local user by name @@ -319,4 +320,4 @@ function sort_user_privs($privs) { return array_merge($fprivs, $sprivs); } -?> \ No newline at end of file +?>