From 993c9e545fb5035eae82e91e2e56296fbe1c5155 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 8 Jan 2021 18:46:30 +0100
Subject: [PATCH] WebGui-Auth: move authentication to unified service
 implementation. closes https://github.com/opnsense/core/issues/4505

eventually we might want to consider using pam, but at the moment this won't offer much more and would involve additional complexity when it comes to password expiry.
---
 src/etc/inc/authgui.inc                       | 16 +---
 .../library/OPNsense/Auth/Services/WebGui.php | 93 +++++++++++++++++++
 2 files changed, 96 insertions(+), 13 deletions(-)
 create mode 100644 src/opnsense/mvc/app/library/OPNsense/Auth/Services/WebGui.php

diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index 17fa8e884..ac56fc1d9 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -94,21 +94,11 @@ function session_auth(&$Login_Error)
 
     /* Validate incoming login request */
     if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
-        // authenticate using config settings, or local if failed
-        $authservers = !empty($config['system']['webgui']['authmode']) ?
-            explode(',', $config['system']['webgui']['authmode']) : array('Local Database');
-        $is_authenticated = false;
-        $authenticator = null;
-
-        foreach ($authservers as $authserver) {
-            $authenticator = get_authenticator(auth_get_authserver($authserver));
-            if ($authenticator != null && $authenticator->authenticate($_POST['usernamefld'], $_POST['passwordfld'])) {
-                $is_authenticated = true;
-                break;
-            }
-        }
+        $authFactory = new \OPNsense\Auth\AuthenticationFactory();
+        $is_authenticated = $authFactory->authenticate("WebGui", $_POST['usernamefld'], $_POST['passwordfld']);
 
         if ($is_authenticated) {
+            $authenticator = $authFactory->lastUsedAuth;
             // Generate a new id to avoid session fixation
             session_regenerate_id();
             // XXX: eventually we should replace the login flow for a service based one (IService).
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Services/WebGui.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Services/WebGui.php
new file mode 100644
index 000000000..1be7b66c3
--- /dev/null
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Services/WebGui.php
@@ -0,0 +1,93 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Auth\Services;
+
+use OPNsense\Core\ACL;
+use OPNsense\Core\Config;
+use OPNsense\Auth\IService;
+
+/**
+ * WebGui service
+ * @package OPNsense\Auth
+ */
+class WebGui implements IService
+{
+    /**
+     * @var string username for the current request
+     */
+    private $username;
+
+    /**
+     * {@inheritdoc}
+     */
+    public static function aliases()
+    {
+        return [];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function supportedAuthenticators()
+    {
+        $result = array();
+        $configObj = Config::getInstance()->object();
+        if (!empty((string)$configObj->system->webgui->authmode)) {
+            $result = explode(',', (string)$configObj->system->webgui->authmode);
+        } else {
+            $result[] = 'Local Database';
+        }
+        return $result;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function setUserName($username)
+    {
+        $this->username = $username;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function getUserName()
+    {
+        return $this->username;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function checkConstraints()
+    {
+        // no constraints
+        return true;
+    }
+}