private function auth($username, $password)
{
global $config;
$login_ok = false;
if (!empty($username) && !empty($password)) {
$attributes = array();
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
if (authenticate_user($username, $password, $authcfg, $attributes) || authenticate_user($username, $password)) {
$login_ok = true;
}
}
if (!$login_ok) {
log_auth("webConfigurator authentication error for '" . $username . "' from " . $this->remote_addr);
require_once "XML/RPC2/Exception.php";
throw new XML_RPC2_FaultException(gettext('Authentication failed: Invalid username or password'), -1);
}
$user_entry = getUserEntry($username);
/*
* admin (uid = 0) is allowed
* or regular user with necessary privilege
*/
if (isset($user_entry['uid']) && $user_entry['uid'] != '0' && !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) {
log_auth("webConfigurator authentication error for '" . $username . "' from " . $this->remote_addr . " not enough privileges");
require_once "XML/RPC2/Exception.php";
throw new XML_RPC2_FaultException(gettext('Authentication failed: not enough privileges'), -2);
}
return;
}
if (!empty($_POST['auth_user2'])) {
$user = $_POST['auth_user2'];
} else {
$user = '******';
}
}
captiveportal_logportalauth($user, $clientmac, $clientip, "ERROR");
portal_reply_page($redirurl, "error", $errormsg);
}
} else {
if ($_POST['accept'] && $cpcfg['auth_method'] == "local") {
if ($_POST['auth_user'] && $_POST['auth_pass']) {
//check against local user manager
$loginok = local_backed($_POST['auth_user'], $_POST['auth_pass']);
if ($loginok && isset($cpcfg['localauth_priv'])) {
$loginok = userHasPrivilege(getUserEntry($_POST['auth_user']), "user-services-captiveportal-login");
}
if ($loginok) {
captiveportal_logportalauth($_POST['auth_user'], $clientmac, $clientip, "LOGIN");
portal_allow($clientip, $clientmac, $_POST['auth_user']);
} else {
captiveportal_logportalauth($_POST['auth_user'], $clientmac, $clientip, "FAILURE");
portal_reply_page($redirurl, "error", $errormsg);
}
} else {
portal_reply_page($redirurl, "error", $errormsg);
}
} else {
if ($_POST['accept'] && $clientip && $cpcfg['auth_method'] == "none") {
captiveportal_logportalauth("unauthenticated", $clientmac, $clientip, "ACCEPT");
portal_allow($clientip, $clientmac, "unauthenticated");
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
require_once "config.inc";
require_once "auth.inc";
openlog("squid", LOG_ODELAY, LOG_AUTH);
$f = fopen("php://stdin", "r");
while ($line = fgets($f)) {
$fields = explode(' ', trim($line));
$username = rawurldecode($fields[0]);
$password = rawurldecode($fields[1]);
if (authenticate_user($username, $password)) {
$user = getUserEntry($username);
if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
fwrite(STDOUT, "OK\n");
} else {
syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
fwrite(STDOUT, "ERR\n");
}
} else {
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
fwrite(STDOUT, "ERR\n");
}
}
closelog();
} else {
closelog();
exit(1);
}
}
$attributes = array();
foreach ($authmodes as $authmode) {
$authcfg = auth_get_authserver($authmode);
if (!$authcfg && $authmode != "Local Database") {
continue;
}
$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
if ($authenticated == true) {
if ($authmode == "Local Database") {
$user = getUserEntry($username);
if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
$authenticated = false;
syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.\n");
continue;
}
}
break;
}
}
if ($authenticated == false) {
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
if (isset($_GET['username'])) {
echo "FAILED";
closelog();
return;
} else {
if ($vip['mode'] == "ipalias") {
$found_other_alias = true;
}
}
}
}
if ($found_carp === true && $found_other_alias === false && $found_if === false) {
$input_errors[] = gettext("This entry cannot be deleted because it is still referenced by a CARP IP with the description") . " {$vip['descr']}.";
}
}
if (!$input_errors) {
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
$user = getUserEntry($_SESSION['Username']);
if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {
header("Location: firewall_virtual_ip.php");
exit;
}
session_write_close();
// Special case since every proxyarp vip is handled by the same daemon.
if ($a_vip[$_GET['id']]['mode'] == "proxyarp") {
$viface = $a_vip[$_GET['id']]['interface'];
unset($a_vip[$_GET['id']]);
interface_proxyarp_configure($viface);
} else {
interface_vip_bring_down($a_vip[$_GET['id']]);
unset($a_vip[$_GET['id']]);
}
if (count($config['virtualip']['vip']) == 0) {
unset($config['virtualip']['vip']);
/**
* redirect user if config may not be saved.
*/
function redirectReadOnlyUser()
{
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
$user = getUserEntry($_SESSION['Username']);
if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {
header("Location: firewall_virtual_ip.php");
exit;
}
session_write_close();
}
