ipsec: local group enforcement, some comments follow #1748

o group_source was removed as it was unused
o stop passing global authcfg through the ipsec config--wtf?
o if the mobile client section is disable, refuse authentication
o make xauth privilege optional, it will go away in 18.1

src/etc/inc/plugins.inc.d/ipsec.inc

@@ -911,20 +911,6 @@ EOD;
             if ($a_client['user_source'] != "none" && $disable_xauth == false) {
                 $strongswan .= "\t\txauth-generic {\n";
                 $strongswan .= "\t\t\tscript = /usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php\n";
-                $strongswan .= "\t\t\tauthcfg = ";
-                $firstsed = 0;
-                $authcfgs = explode(",", $a_client['user_source']);
-                foreach ($authcfgs as $authcfg) {
-                    if ($firstsed > 0) {
-                        $strongswan .= ",";
-                    }
-                    if ($authcfg == "system") {
-                        $authcfg = "Local Database";
-                    }
-                    $strongswan .= $authcfg;
-                    $firstsed = 1;
-                }
-                $strongswan .= "\n";
                 $strongswan .= "\t\t}\n";
             }
         }

src/etc/inc/plugins.inc.d/ipsec/auth-user.php

@@ -45,28 +45,52 @@ openlog("charon", LOG_ODELAY, LOG_AUTH);
 /* read data from environment */
 $username = getenv("username");
 $password = getenv("password");
-$authmodes = explode(",", getenv("authcfg"));
 
 if (!$username || !$password) {
-    syslog(LOG_ERR, "invalid user authentication environment");
+    syslog(LOG_ERR, "Invalid user authentication environment.");
+    closelog();
+    exit(-1);
+}
+
+if (empty($config['ipsec']['client']['enable'])) {
+    syslog(LOG_ERR, "IPsec mobile extension is disabled.");
     closelog();
     exit(-1);
 }
 
 $authenticated = false;
-foreach ($authmodes as $authmode) {
+$priv_fallback = true;
+
+if (!empty($config['ipsec']['client']['local_group'])) {
+    if (!in_array($config['ipsec']['client']['local_group'], getUserGroups($username))) {
+        syslog(LOG_WARNING, "User '{$username}' requires membership in the local group '{$client['ipsec']['client']['local_group']}'.");
+        closelog();
+        exit(1);
+    }
+
+    $priv_fallback = false;
+}
+
+$user_source = '';
+if (!empty($config['ipsec']['client']['user_source'])) {
+     $user_source = $config['ipsec']['client']['user_source'];
+}
+
+foreach (explode(',', $user_source) as $authmode) {
     $authcfg = auth_get_authserver($authmode);
+
+    /* XXX looks funny, like OpenVPN */
     if (!$authcfg && $authmode != "local") {
         continue;
     }
 
     $authenticated = authenticate_user($username, $password, $authcfg);
     if ($authenticated == true) {
-        if (stristr($authmode, "local")) {
+        if ($priv_fallback && stristr($authmode, "local")) {
             $user = getUserEntry($username);
             if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
                 $authenticated = false;
-                syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.\n");
+                syslog(LOG_WARNING, "User '{$username}' cannot authenticate through IPsec since the required privileges are missing.\n");
                 continue;
             }
         }
@@ -74,11 +98,11 @@ foreach ($authmodes as $authmode) {
     }
 }
 
-if ($authenticated == false) {
-    syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
+if (!$authenticated) {
+    syslog(LOG_WARNING, "User '{$username}' could not authenticate.\n");
     exit(-1);
-} else {
-    syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-    closelog();
-    exit(0);
 }
+
+syslog(LOG_NOTICE, "User '{$username}' authenticated\n");
+closelog();
+exit(0);

src/www/vpn_ipsec_mobile.php

@@ -37,7 +37,7 @@ config_read_array('ipsec', 'client');
 config_read_array('ipsec', 'phase1');
 
 // define formfields
-$form_fields = "user_source,group_source,pool_address,pool_netbits,net_list
+$form_fields = "user_source,local_group,pool_address,pool_netbits,net_list
 ,save_passwd,dns_domain,dns_split,dns_server1,dns_server2,dns_server3
 ,dns_server4,wins_server1,wins_server2,pfs_group,login_banner";
 
@@ -93,8 +93,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         }
 
         /* input validation */
-        $reqdfields = explode(" ", "user_source group_source");
-        $reqdfieldsn =  array(gettext("User Authentication Source"),gettext("Group Authentication Source"));
+        $reqdfields = explode(" ", "user_source");
+        $reqdfieldsn =  array(gettext("User Authentication Source"));
         do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
 
         if (!empty($pconfig['pool_address']) && !is_ipaddr($pconfig['pool_address'])) {
@@ -137,7 +137,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 
         if (count($input_errors) == 0) {
             $client = array();
-            $copy_fields = "user_source,group_source,pool_address,pool_netbits,dns_domain,dns_server1
+            $copy_fields = "user_source,local_group,pool_address,pool_netbits,dns_domain,dns_server1
             ,dns_server2,dns_server3,dns_server4,wins_server1,wins_server2
             ,dns_split,pfs_group,login_banner";
             foreach (explode(",", $copy_fields) as $fieldname) {
@@ -384,13 +384,21 @@ foreach ($auth_servers as $auth_key => $auth_server) : ?>
                     </td>
                   </tr>
                   <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Group Authentication"); ?></td>
+                    <td><a id="help_for_local_group" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Enforce local group') ?></td>
                     <td>
-                      <select name="group_source" class="form-control" id="group_source">
-                        <option value="none"><?=gettext("none"); ?></option>
-                        <option value="system" <?= $pconfig['group_source'] == "system" ?  "selected=\"selected\"" : "";
-?>><?=gettext("system"); ?></option>
+                      <select name="local_group" class="form-control" id="local_group">
+                        <option value="" <?= empty($pconfig['local_group']) ? 'selected="selected"' : '' ?>>(<?= gettext('none') ?>)</option>
+<?php
+                      foreach (config_read_array('system', 'group') as $group):
+                          $selected = $pconfig['local_group'] == $group['name'] ? 'selected="selected"' : ''; ?>
+                        <option value="<?= $group['name'] ?>" <?= $selected ?>><?= $group['name'] ?></option>
+<?php
+                      endforeach ?>
                       </select>
+                      <div class="hidden" for="help_for_local_group">
+                        <?= gettext('Restrict access to users in the selected local group. Please be aware ' .
+                          'that other authentication backends will refuse to authenticate when using this option.') ?>
+                      </div>
                     </td>
                   </tr>
                     <tr>

src/www/vpn_openvpn_server.php

@@ -673,7 +673,7 @@ $( document ).ready(function() {
                         endforeach; ?>
                         </select>
                         <div class="hidden" for="help_for_local_group">
-                          <?= gettext('Restrict access to users in the selected  local group. Please be aware ' .
+                          <?= gettext('Restrict access to users in the selected local group. Please be aware ' .
                             'that other authentication backends will refuse to authenticate when using this option.') ?>
                         </div>
                       </td>