Web proxy, switch to PAM, closes https://github.com/opnsense/core/issues/3261

2026-03-14 08:34:39 +00:00 · 2019-02-28 09:57:54 +01:00 · 2019-02-28 09:57:54 +01:00 · 02fd4f4c7f
commit 02fd4f4c7f
parent 38919ec895
3 changed files with 1 additions and 89 deletions
--- a/1
+++ b/1
@ -41,7 +41,6 @@
 /usr/local/etc/inc/plugins.inc.d/openvpn/wizard.inc
 /usr/local/etc/inc/plugins.inc.d/pf.inc
 /usr/local/etc/inc/plugins.inc.d/squid.inc
-/usr/local/etc/inc/plugins.inc.d/squid/auth-user.php
 /usr/local/etc/inc/plugins.inc.d/suricata.inc
 /usr/local/etc/inc/plugins.inc.d/unbound.inc
 /usr/local/etc/inc/plugins.inc.d/unbound/root.min.hints
--- a/src/etc/inc/plugins.inc.d/squid/auth-user.php
+++ b/src/etc/inc/plugins.inc.d/squid/auth-user.php
@ -1,87 +0,0 @@
-#!/usr/local/bin/php
-<?php
-/**
- *    Copyright (C) 2015 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-require_once("config.inc");
-require_once("auth.inc");
-
-openlog("squid", LOG_ODELAY, LOG_AUTH);
-
-$authFactory = new \OPNsense\Auth\AuthenticationFactory();
-
-$f = fopen("php://stdin", "r");
-while (!(feof($f))) {
-    $line = fgets($f);
-    if ($line) {
-        $fields = explode(' ', trim($line));
-        $username = rawurldecode($fields[0]);
-        $password = rawurldecode($fields[1]);
-
-        $isAuthenticated = false;
-        if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
-            foreach (explode(',', $config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
-                $authServer = $authFactory->get(trim($authServerName));
-                if ($authServer == null) {
-                    // authenticator not found, use local
-                    $authServer = $authFactory->get('Local Database');
-                }
-                $isAuthenticated = $authServer->authenticate($username, $password);
-                if ($isAuthenticated) {
-                    if (get_class($authServer) == "OPNsense\Auth\Local") {
-                        // todo: user priv check needs a reload of squid, maybe it's better to move the token check to
-                        //       the auth object.
-                        //
-                        // when using local authentication, check if user has role user-proxy-auth
-                        $user = getUserEntry($username);
-                        if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
-                            break;
-                        } else {
-                            // log user auth failure
-                            syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
-                            fwrite(STDOUT, "ERR\n");
-                            $isAuthenticated = false;
-                        }
-                    } else {
-                        break;
-                    }
-                }
-            }
-        }
-
-        if ($isAuthenticated) {
-            syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-            fwrite(STDOUT, "OK\n");
-        } else {
-            syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
-            fwrite(STDOUT, "ERR\n");
-        }
-    }
-}
-
-closelog();
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
@ -1,5 +1,5 @@
 # Configure Local User Authentication helper
-auth_param basic program /usr/local/etc/inc/plugins.inc.d/squid/auth-user.php
+auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
 {% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
 auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
 {% endif %}