WebGui-Auth: move authentication to unified service implementation. closes https://github.com/opnsense/core/issues/4505

eventually we might want to consider using pam, but at the moment this won't offer much more and would involve additional complexity when it comes to password expiry.
2026-03-13 16:14:40 +00:00 · 2021-01-08 18:46:30 +01:00 · 2021-01-08 18:46:30 +01:00 · 993c9e545f
commit 993c9e545f
parent 42e36973f7
2 changed files with 96 additions and 13 deletions
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@ -94,21 +94,11 @@ function session_auth(&$Login_Error)

    /* Validate incoming login request */
    if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
-        // authenticate using config settings, or local if failed
-        $authservers = !empty($config['system']['webgui']['authmode']) ?
-            explode(',', $config['system']['webgui']['authmode']) : array('Local Database');
-        $is_authenticated = false;
-        $authenticator = null;
-
-        foreach ($authservers as $authserver) {
-            $authenticator = get_authenticator(auth_get_authserver($authserver));
-            if ($authenticator != null && $authenticator->authenticate($_POST['usernamefld'], $_POST['passwordfld'])) {
-                $is_authenticated = true;
-                break;
-            }
-        }
+        $authFactory = new \OPNsense\Auth\AuthenticationFactory();
+        $is_authenticated = $authFactory->authenticate("WebGui", $_POST['usernamefld'], $_POST['passwordfld']);

        if ($is_authenticated) {
+            $authenticator = $authFactory->lastUsedAuth;
            // Generate a new id to avoid session fixation
            session_regenerate_id();
            // XXX: eventually we should replace the login flow for a service based one (IService).
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Services/WebGui.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Services/WebGui.php
@ -0,0 +1,93 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Auth\Services;
+
+use OPNsense\Core\ACL;
+use OPNsense\Core\Config;
+use OPNsense\Auth\IService;
+
+/**
+ * WebGui service
+ * @package OPNsense\Auth
+ */
+class WebGui implements IService
+{
+    /**
+     * @var string username for the current request
+     */
+    private $username;
+
+    /**
+     * {@inheritdoc}
+     */
+    public static function aliases()
+    {
+        return [];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function supportedAuthenticators()
+    {
+        $result = array();
+        $configObj = Config::getInstance()->object();
+        if (!empty((string)$configObj->system->webgui->authmode)) {
+            $result = explode(',', (string)$configObj->system->webgui->authmode);
+        } else {
+            $result[] = 'Local Database';
+        }
+        return $result;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function setUserName($username)
+    {
+        $this->username = $username;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function getUserName()
+    {
+        return $this->username;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function checkConstraints()
+    {
+        // no constraints
+        return true;
+    }
+}