From 02fd4f4c7f216cbd4b2d65fd725cc3e232c32c2c Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 28 Feb 2019 09:57:54 +0100
Subject: [PATCH] Web proxy, switch to PAM, closes
 https://github.com/opnsense/core/issues/3261

---
 plist                                         |  1 -
 src/etc/inc/plugins.inc.d/squid/auth-user.php | 87 -------------------
 .../OPNsense/Proxy/squid.user.local_auth.conf |  2 +-
 3 files changed, 1 insertion(+), 89 deletions(-)
 delete mode 100755 src/etc/inc/plugins.inc.d/squid/auth-user.php

diff --git a/plist b/plist
index f605e33f1..ae843d9b5 100644
--- a/plist
+++ b/plist
@@ -41,7 +41,6 @@
 /usr/local/etc/inc/plugins.inc.d/openvpn/wizard.inc
 /usr/local/etc/inc/plugins.inc.d/pf.inc
 /usr/local/etc/inc/plugins.inc.d/squid.inc
-/usr/local/etc/inc/plugins.inc.d/squid/auth-user.php
 /usr/local/etc/inc/plugins.inc.d/suricata.inc
 /usr/local/etc/inc/plugins.inc.d/unbound.inc
 /usr/local/etc/inc/plugins.inc.d/unbound/root.min.hints
diff --git a/src/etc/inc/plugins.inc.d/squid/auth-user.php b/src/etc/inc/plugins.inc.d/squid/auth-user.php
deleted file mode 100755
index 0be92963e..000000000
--- a/src/etc/inc/plugins.inc.d/squid/auth-user.php
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/local/bin/php
-<?php
-/**
- *    Copyright (C) 2015 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-require_once("config.inc");
-require_once("auth.inc");
-
-openlog("squid", LOG_ODELAY, LOG_AUTH);
-
-$authFactory = new \OPNsense\Auth\AuthenticationFactory();
-
-$f = fopen("php://stdin", "r");
-while (!(feof($f))) {
-    $line = fgets($f);
-    if ($line) {
-        $fields = explode(' ', trim($line));
-        $username = rawurldecode($fields[0]);
-        $password = rawurldecode($fields[1]);
-
-        $isAuthenticated = false;
-        if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
-            foreach (explode(',', $config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
-                $authServer = $authFactory->get(trim($authServerName));
-                if ($authServer == null) {
-                    // authenticator not found, use local
-                    $authServer = $authFactory->get('Local Database');
-                }
-                $isAuthenticated = $authServer->authenticate($username, $password);
-                if ($isAuthenticated) {
-                    if (get_class($authServer) == "OPNsense\Auth\Local") {
-                        // todo: user priv check needs a reload of squid, maybe it's better to move the token check to
-                        //       the auth object.
-                        //
-                        // when using local authentication, check if user has role user-proxy-auth
-                        $user = getUserEntry($username);
-                        if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
-                            break;
-                        } else {
-                            // log user auth failure
-                            syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
-                            fwrite(STDOUT, "ERR\n");
-                            $isAuthenticated = false;
-                        }
-                    } else {
-                        break;
-                    }
-                }
-            }
-        }
-
-        if ($isAuthenticated) {
-            syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-            fwrite(STDOUT, "OK\n");
-        } else {
-            syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
-            fwrite(STDOUT, "ERR\n");
-        }
-    }
-}
-
-closelog();
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
index 6800f79e1..7cd8e8c5a 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
@@ -1,5 +1,5 @@
 # Configure Local User Authentication helper
-auth_param basic program /usr/local/etc/inc/plugins.inc.d/squid/auth-user.php
+auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
 {% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
 auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
 {% endif %}