system: move auth settings to administration settings #1929

This commit is contained in:
Franco Fichtner 2018-05-01 10:19:30 +00:00
parent 9a010a9794
commit 2dd067e313
4 changed files with 159 additions and 166 deletions


@ -25,11 +25,10 @@
<All url="/system_groupmanager.php*" visibility="hidden"/>
<Privileges url="/system_groupmanager_addprivs.php*" visibility="hidden"/>
</Groups>
<Settings order="30" url="/system_usermanager_settings.php"/>
<Servers order="40" url="/system_authservers.php">
<Servers order="30" url="/system_authservers.php">
<Edit url="/system_authservers.php*" visibility="hidden"/>
</Servers>
<Tester order="50" url="/diag_authentication.php"/>
<Tester order="40" url="/diag_authentication.php"/>
</Access>
<Configuration cssClass="fa fa-history fa-fw">
<Backups url="/diag_backup.php"/>


@ -632,6 +632,7 @@
<name>System: Authentication Servers</name>
<patterns>
<pattern>system_authservers.php*</pattern>
<pattern>system_usermanager_settings_ldapacpicker.php*</pattern>
</patterns>
</page-system-authservers>
<page-system-camanager>
@ -733,12 +734,6 @@
<pattern>system_usermanager_addprivs.php?user*</pattern>
</patterns>
</page-system-usermanager-addprivs>
<page-system-usermanager-settings>
<name>System: User Manager: settings</name>
<patterns>
<pattern>system_usermanager_settings.php*</pattern>
</patterns>
</page-system-usermanager-settings>
<page-system-usermanager-settings-testldap>
<name>System: User Manager: Settings: Test LDAP</name>
<patterns>
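Review bot: `system_usermanager_settings.php*` is no longer matched by any ACL pattern visible in this diff: the `page-system-usermanager-settings` entry is removed here, while the fourth file keeps `system_usermanager_settings.php` alive as the LDAP test page instead of deleting it. Unless a rename elsewhere in the commit or the patterns of the surviving `page-system-usermanager-settings-testldap` entry (cut off at the end of this hunk) cover it, the page should be listed next to the LDAP picker it belongs to, `<pattern>system_usermanager_settings.php*</pattern>` under `page-system-authservers`. Otherwise who may reach the tester depends on how the ACL engine treats unmatched pages, which is worth confirming rather than assuming.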


@ -5,6 +5,7 @@
* Copyright (C) 2014-2015 Deciso B.V.
* Copyright (C) 2005-2010 Scott Ullrich <sullrich@gmail.com>
* Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
* Copyright (C) 2007 Bill Marquette <bill.marquette@gmail.com>
* Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
* All rights reserved.
*
@ -36,10 +37,20 @@ require_once("system.inc");
require_once("services.inc");
$a_group = &config_read_array('system', 'group');
$a_authmode = auth_get_authserver_list();
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
foreach (array('session_timeout', 'password_policy_duration', 'enable_password_policy_constraints',
'password_policy_complexity', 'password_policy_length') as $fieldname) {
if (!empty($config['system']['webgui'][$fieldname])) {
$pconfig[$fieldname] = $config['system']['webgui'][$fieldname];
} else {
$pconfig[$fieldname] = null;
}
}
$pconfig['webguiinterfaces'] = !empty($config['system']['webgui']['interfaces']) ? explode(',', $config['system']['webgui']['interfaces']) : array();
$pconfig['authmode'] = !empty($config['system']['webgui']['authmode']) ? explode(',', $config['system']['webgui']['authmode']) : array();
$pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
$pconfig['webguiport'] = $config['system']['webgui']['port'];
$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
@ -90,6 +101,18 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = gettext('You must specify a valid SSH port number.');
}
if (!empty($pconfig['session_timeout']) && (!is_numeric($pconfig['session_timeout']) || $pconfig['session_timeout'] <= 0)) {
$input_errors[] = gettext('Session timeout must be an integer value.');
}
if (!empty($pconfig['authmode'])) {
foreach ($pconfig['authmode'] as $auth_mode) {
if (!isset($a_authmode[$auth_mode])) {
$input_errors[] = sprintf(gettext('Authentication server "%s" is invalid.'), $auth_mode);
}
}
}
if (count($input_errors) == 0) {
$newinterfaces = !empty($pconfig['webguiinterfaces']) ? implode(',', $pconfig['webguiinterfaces']) : '';
$newciphers = !empty($pconfig['ssl-ciphers']) ? implode(':', $pconfig['ssl-ciphers']) : '';
@ -187,6 +210,21 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['webgui']['althostnames']);
}
foreach (array('session_timeout', 'password_policy_duration', 'enable_password_policy_constraints',
'password_policy_complexity', 'password_policy_length') as $fieldname) {
if (!empty($pconfig[$fieldname])) {
$config['system']['webgui'][$fieldname] = $pconfig[$fieldname];
} elseif (isset($config['system']['webgui'][$fieldname])) {
unset($config['system']['webgui'][$fieldname]);
}
}
if (!empty($pconfig['authmode'])) {
$config['system']['webgui']['authmode'] = implode(',', $pconfig['authmode']);
} elseif (isset($config['system']['webgui']['authmode'])) {
unset($config['system']['webgui']['authmode']);
}
/* always store setting to prevent installer auto-start */
$config['system']['ssh']['noauto'] = 1;
@ -367,6 +405,25 @@ $(document).ready(function() {
});
</script>
<style>
.password_policy_constraints {
display:none;
}
</style>
<script>
$(document).ready(function() {
$("#enable_password_policy_constraints").change(function(){
if ($("#enable_password_policy_constraints").prop('checked')) {
$(".password_policy_constraints").show();
} else {
$(".password_policy_constraints").hide();
}
});
$("#enable_password_policy_constraints").change();
});
</script>
<section class="page-content-main">
<div class="container-fluid">
<div class="row">
@ -652,7 +709,7 @@ $(document).ready(function() {
<div class="content-box tab-content table-responsive __mb">
<table class="table table-striped opnsense_standard_table_form">
<tr>
<td style="width:22%"><strong><?= gettext('Console Options') ?></strong></td>
<td style="width:22%"><strong><?= gettext('Console') ?></strong></td>
<td style="width:78%"></td>
</tr>
<tr>
@ -736,6 +793,93 @@ $(document).ready(function() {
</tr>
</table>
</div>
<div class="content-box tab-content table-responsive __mb">
<table class="table table-striped opnsense_standard_table_form">
<tr>
<td style="width:22%"><strong><?= gettext('Authentication') ?></strong></td>
<td style="width:78%"></td>
</tr>
<tr>
<td><a id="help_for_authmode" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Server') ?></td>
<td>
<select name="authmode[]" multiple="multiple" class="selectpicker" data-style="btn-default">
<?php
foreach ($a_authmode as $auth_key => $auth_server): ?>
<option value="<?= html_safe($auth_key) ?>" <?= in_array($auth_key, $pconfig['authmode']) ? 'selected="selected"' : '' ?>>
<?= html_safe($auth_server['name']) ?>
</option>
<?php
endforeach ?>
</select>
<div class="hidden" data-for="help_for_authmode">
<?= gettext('Select one or more authentication servers to validate user credentials against. ' .
'Multiple servers can make sense with remote authentication methods to provide a fallback ' .
'during connectivity issues. When nothing is specified the default of "Local Database" is used.') ?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_session_timeout" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Timeout') ?></td>
<td>
<input class="form-control" name="session_timeout" id="session_timeout" type="text" placeholder="240" value="<?=$pconfig['session_timeout'];?>" />
<div class="hidden" data-for="help_for_session_timeout">
<?= gettext('Time in minutes to expire idle management sessions. The default is 4 hours (240 minutes).') ?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_enable_password_policy_constraints" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Policy'); ?></td>
<td>
<input id="enable_password_policy_constraints" name="enable_password_policy_constraints" type="checkbox" <?= empty($pconfig['enable_password_policy_constraints']) ? '' : 'checked="checked"';?> />
<?= gettext('Enable password policy constraints') ?>
<div class="hidden" data-for="help_for_enable_password_policy_constraints">
<?= gettext('Use hardened security policies for local accounts. Methods other than local these will usually be configured by the respective provider (e.g. LDAP, RADIUS, ...).');?>
</div>
</td>
</tr>
<tr class="password_policy_constraints">
<td><a id="help_for_password_policy_duration" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Duration'); ?></td>
<td>
<select id="password_policy_duration" name="password_policy_duration" class="selectpicker" data-style="btn-default">
<option <?=empty($pconfig['password_policy_duration']) ? "selected=\"selected\"" : "";?> value="0"><?=gettext("Disable");?></option>
<option <?=$pconfig['password_policy_duration'] == '30' ? "selected=\"selected\"" : "";?> value="30"><?=sprintf(gettext("%d days"), "30");?></option>
<option <?=$pconfig['password_policy_duration'] == '90' ? "selected=\"selected\"" : "";?> value="90"><?=sprintf(gettext("%d days"), "90");?></option>
<option <?=$pconfig['password_policy_duration'] == '180' ? "selected=\"selected\"" : "";?> value="180"><?=sprintf(gettext("%d days"), "180");?></option>
<option <?=$pconfig['password_policy_duration'] == '360' ? "selected=\"selected\"" : "";?> value="360"><?=sprintf(gettext("%d days"), "360");?></option>
</select>
<div class="hidden" data-for="help_for_password_policy_duration">
<?= gettext("Password duration settings, the interval in days in which passwords stay valid. ".
"When reached, the user will be forced to change his or her password before continuing.");?>
</div>
</td>
</tr>
<tr class="password_policy_constraints">
<td><a id="help_for_password_policy_length" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Length'); ?></td>
<td>
<select id="password_policy_length" name="password_policy_length" class="selectpicker" data-style="btn-default">
<option <?=empty($pconfig['password_policy_length']) || $pconfig['password_policy_length'] == '8' ? "selected=\"selected\"" : "";?> value="8">8</option>
<option <?=$pconfig['password_policy_length'] == '10' ? "selected=\"selected\"" : "";?> value="10">10</option>
<option <?=$pconfig['password_policy_length'] == '12' ? "selected=\"selected\"" : "";?> value="12">12</option>
<option <?=$pconfig['password_policy_length'] == '14' ? "selected=\"selected\"" : "";?> value="14">14</option>
<option <?=$pconfig['password_policy_length'] == '16' ? "selected=\"selected\"" : "";?> value="16">16</option>
</select>
<div class="hidden" data-for="help_for_password_policy_length">
<?= gettext("Sets the minimum length for a password");?>
</div>
</td>
</tr>
<tr class="password_policy_constraints">
<td><a id="help_for_password_policy_complexity" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Complexity'); ?></td>
<td>
<input id="password_policy_complexity" name="password_policy_complexity" type="checkbox" <?= empty($pconfig['password_policy_complexity']) ? '' : 'checked="checked"';?> />
<?= gettext('Enable complexity requirements') ?>
<div class="hidden" data-for="help_for_password_policy_complexity">
<?= gettext("Require passwords to meet complexity rules");?>
</div>
</td>
</tr>
</table>
</div>
<div class="content-box tab-content table-responsive">
<table class="table table-striped opnsense_standard_table_form">
<tr>
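Review bot: The timeout field echoes the submitted value unescaped, `value="<?=$pconfig['session_timeout'];?>"`, and the validation hunk above reads the same key from the POST data, so a rejected submission is rendered straight back into the attribute; the authmode options one table above already use the project helper, so this should be `value="<?= html_safe($pconfig['session_timeout']) ?>"` for consistency and output-escaping hygiene. In the validation hunk, `foreach ($pconfig['authmode'] as $auth_mode)` and the later `implode(',', $pconfig['authmode'])` assume the POST value is an array; a non-array value skips the server check and breaks the implode, so guarding with `if (!empty($pconfig['authmode']) && !is_array($pconfig['authmode'])) { $input_errors[] = gettext('Authentication server list is invalid.'); }` before the loop keeps the check effective. The `in_array($auth_key, $pconfig['authmode'])` in the option rendering should also pass `true` as the third argument, matching the `isset($a_authmode[$auth_mode])` lookup used during validation. The POST branch that assigns `$pconfig` starts outside these hunks, so the first point is inferred from the validation code shown.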


@ -31,52 +31,14 @@
require_once("guiconfig.inc");
$save_and_test = false;
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
foreach (array('session_timeout', 'password_policy_duration',
'enable_password_policy_constraints',
'password_policy_complexity', 'password_policy_length') as $fieldname) {
if (!empty($config['system']['webgui'][$fieldname])) {
$pconfig[$fieldname] = $config['system']['webgui'][$fieldname];
} else {
$pconfig[$fieldname] = null;
}
}
$pconfig['authmode'] = !empty($config['system']['webgui']['authmode']) ? explode(',', $config['system']['webgui']['authmode']) : array();
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
$pconfig = $_POST;
$input_errors = array();
if (!empty($pconfig['session_timeout']) && (!is_numeric($pconfig['session_timeout']) || $pconfig['session_timeout'] <= 0)) {
$input_errors[] = gettext("Session timeout must be an integer value.");
}
if (count($input_errors) == 0) {
$authsrv = auth_get_authserver($pconfig['authmode']);
if (!empty($pconfig['savetest'])) {
# XXX this needs repairing...
if ($authsrv['type'] == "ldap") {
$save_and_test = true;
} else {
$savemsg = gettext("The test was not performed because it is supported only for ldap based backends.");
}
}
foreach (array('session_timeout', 'password_policy_duration', 'enable_password_policy_constraints',
'password_policy_complexity', 'password_policy_length') as $fieldname) {
if (!empty($pconfig[$fieldname])) {
$config['system']['webgui'][$fieldname] = $pconfig[$fieldname];
} elseif (isset($config['system']['webgui'][$fieldname])) {
unset($config['system']['webgui'][$fieldname]);
}
}
if (!empty($pconfig['authmode'])) {
$config['system']['webgui']['authmode'] = implode(',', $pconfig['authmode']);
} elseif (isset($config['system']['webgui']['authmode'])) {
unset($config['system']['webgui']['authmode']);
}
write_config();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
# XXX this needs repairing, can also be a list
$authsrv = auth_get_authserver($config['system']['webgui']['authmode']);
if ($authsrv['type'] == 'ldap') {
$save_and_test = true;
} else {
$savemsg = gettext('The test was not performed because it is supported only for LDAP-based backends.');
}
}
@ -86,24 +48,6 @@ include("head.inc");
?>
<body>
<style>
.password_policy_constraints {
display:none;
}
</style>
<script>
$(document).ready(function() {
$("#enable_password_policy_constraints").change(function(){
if ($("#enable_password_policy_constraints").prop('checked')) {
$(".password_policy_constraints").show();
} else {
$(".password_policy_constraints").hide();
}
});
$("#enable_password_policy_constraints").change();
});
</script>
<?php
if ($save_and_test):?>
<script>
@ -117,104 +61,15 @@ endif;?>
<div class="container-fluid">
<div class="row">
<?php
if (isset($input_errors) && count($input_errors) > 0) {
print_input_errors($input_errors);
}
if (isset($savemsg)) {
print_info_box($savemsg);
}
?>
<section class="col-xs-12">
<div class="tab-content content-box col-xs-12 table-responsive">
<form method="post">
<table class="table table-striped opnsense_standard_table_form">
<tr>
<td style="width:22%"><a id="help_for_session_timeout" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Session Timeout"); ?></td>
<td style="width:78%">
<input class="form-control" name="session_timeout" id="session_timeout" type="text" size="8" value="<?=$pconfig['session_timeout'];?>" />
<div class="hidden" data-for="help_for_session_timeout">
<?=gettext("Time in minutes to expire idle management sessions. The default is 4 hours (240 minutes).");?><br />
<?=gettext("Enter 0 to never expire sessions. NOTE: This is a security risk!");?><br />
</div>
</td>
</tr>
<tr>
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Authentication Server"); ?></td>
<td>
<select name="authmode[]" multiple="multiple" class="selectpicker" data-style="btn-default">
<?php
foreach (auth_get_authserver_list() as $auth_key => $auth_server) :?>
<option value="<?= $auth_key ?>" <?= in_array($auth_key, $pconfig['authmode']) ? 'selected="selected"' : '' ?>>
<?=htmlspecialchars($auth_server['name']);?>
</option>
<?php
endforeach; ?>
</select>
</td>
</tr>
<tr>
<td><a id="help_for_enable_password_policy_constraints" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Policy'); ?></td>
<td>
<input id="enable_password_policy_constraints" name="enable_password_policy_constraints" type="checkbox" <?= empty($pconfig['enable_password_policy_constraints']) ? '' : 'checked="checked"';?> />
<strong><?= gettext('Enable password policy constraints') ?></strong>
<div class="hidden" data-for="help_for_enable_password_policy_constraints">
<?= gettext("Harden security on local accounts, for methods other then local these will usually be configured on the " .
"respective provider (e.g. ldap/radius/..). ");?>
</div>
</td>
</tr>
<tr class="password_policy_constraints">
<td><a id="help_for_password_policy_duration" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Duration'); ?></td>
<td>
<select id="password_policy_duration" name="password_policy_duration" class="selectpicker" data-style="btn-default">
<option <?=empty($pconfig['password_policy_duration']) ? "selected=\"selected\"" : "";?> value="0"><?=gettext("Disable");?></option>
<option <?=$pconfig['password_policy_duration'] == '30' ? "selected=\"selected\"" : "";?> value="30"><?=sprintf(gettext("%d days"), "30");?></option>
<option <?=$pconfig['password_policy_duration'] == '90' ? "selected=\"selected\"" : "";?> value="90"><?=sprintf(gettext("%d days"), "90");?></option>
<option <?=$pconfig['password_policy_duration'] == '180' ? "selected=\"selected\"" : "";?> value="180"><?=sprintf(gettext("%d days"), "180");?></option>
<option <?=$pconfig['password_policy_duration'] == '360' ? "selected=\"selected\"" : "";?> value="360"><?=sprintf(gettext("%d days"), "360");?></option>
</select>
<div class="hidden" data-for="help_for_password_policy_duration">
<?= gettext("Password duration settings, the interval in days in which passwords stay valid. ".
"When reached, the user will be forced to change his or her password before continuing.");?>
</div>
</td>
</tr>
<tr class="password_policy_constraints">
<td><a id="help_for_password_policy_length" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Length'); ?></td>
<td>
<select id="password_policy_length" name="password_policy_length" class="selectpicker" data-style="btn-default">
<option <?=empty($pconfig['password_policy_length']) || $pconfig['password_policy_length'] == '8' ? "selected=\"selected\"" : "";?> value="8">8</option>
<option <?=$pconfig['password_policy_length'] == '10' ? "selected=\"selected\"" : "";?> value="10">10</option>
<option <?=$pconfig['password_policy_length'] == '12' ? "selected=\"selected\"" : "";?> value="12">12</option>
<option <?=$pconfig['password_policy_length'] == '14' ? "selected=\"selected\"" : "";?> value="14">14</option>
<option <?=$pconfig['password_policy_length'] == '16' ? "selected=\"selected\"" : "";?> value="16">16</option>
</select>
<div class="hidden" data-for="help_for_password_policy_length">
<?= gettext("Sets the minimum length for a password");?>
</div>
</td>
</tr>
<tr class="password_policy_constraints">
<td><a id="help_for_password_policy_complexity" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Complexity'); ?></td>
<td>
<input id="password_policy_complexity" name="password_policy_complexity" type="checkbox" <?= empty($pconfig['password_policy_complexity']) ? '' : 'checked="checked"';?> />
<strong><?= gettext('Enable complexity requirements') ?></strong>
<div class="hidden" data-for="help_for_password_policy_complexity">
<?= gettext("Require passwords to meet complexity rules");?>
</div>
</td>
</tr>
<tr>
<td></td>
<td>
<input name="save" type="submit" class="btn btn-primary" value="<?=gettext("Save");?>" />
<input name="savetest" type="submit" class="btn btn-default" value="<?=gettext("Save and Test");?>" />
</td>
</tr>
</table>
</form>
</div>
</section>
<form method="post">
<button type="submit" class="btn btn-default">Start LDAP Test</button>
</form>
</section>
</div>
</div>
</section>
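Review bot: The new POST branch hands the whole stored `authmode` string to `auth_get_authserver()`, but the administration page in this same commit stores that setting comma-joined (`implode(',', $pconfig['authmode'])`), so with two or more servers configured the lookup receives `"a,b"` and the test is silently reported as unsupported; the author's own `# XXX ... can also be a list` comment marks this. Iterating over `explode(',', ...)` and picking the first LDAP entry keeps the tester working for multi-server setups, and checking that `$authsrv` is non-empty before reading `$authsrv['type']` avoids indexing a failed lookup (what `auth_get_authserver()` returns when nothing matches is not visible here, so that check is defensive). The `Start LDAP Test` button label in the last hunk is the only user-facing string on the page not wrapped in `gettext()`; `<?= gettext('Start LDAP Test') ?>` would match the rest of the file.
```php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $authmodes = !empty($config['system']['webgui']['authmode']) ? explode(',', $config['system']['webgui']['authmode']) : array();
    foreach ($authmodes as $authname) {
        $authsrv = auth_get_authserver($authname);
        if (!empty($authsrv) && $authsrv['type'] == 'ldap') {
            $save_and_test = true;
            break;
        }
    }
    if (!$save_and_test) {
        $savemsg = gettext('The test was not performed because it is supported only for LDAP-based backends.');
    }
}
```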