(proxy) auth, don't quit when squid sends an empty string
parent
e9369b5c1b
commit
9fd6504d25
@ -36,48 +36,51 @@ openlog("squid", LOG_ODELAY, LOG_AUTH);
|
||||
$authFactory = new \OPNsense\Auth\AuthenticationFactory();
|
||||
|
||||
$f = fopen("php://stdin", "r");
|
||||
while ($line = fgets($f)) {
|
||||
$fields = explode(' ', trim($line));
|
||||
$username = rawurldecode($fields[0]);
|
||||
$password = rawurldecode($fields[1]);
|
||||
while (!(feof($f))) {
|
||||
$line = fgets($f);
|
||||
if ($line) {
|
||||
$fields = explode(' ', trim($line));
|
||||
$username = rawurldecode($fields[0]);
|
||||
$password = rawurldecode($fields[1]);
|
||||
|
||||
$isAuthenticated = false;
|
||||
if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
|
||||
foreach (explode(',', $config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
|
||||
$authServer = $authFactory->get(trim($authServerName));
|
||||
if ($authServer == null) {
|
||||
// authenticator not found, use local
|
||||
$authServer = $authFactory->get('Local Database');
|
||||
}
|
||||
$isAuthenticated = $authServer->authenticate($username, $password);
|
||||
if ($isAuthenticated) {
|
||||
if (get_class($authServer) == "OPNsense\Auth\Local") {
|
||||
// todo: user priv check needs a reload of squid, maybe it's better to move the token check to
|
||||
// the auth object.
|
||||
//
|
||||
// when using local authentication, check if user has role user-proxy-auth
|
||||
$user = getUserEntry($username);
|
||||
if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
|
||||
break;
|
||||
$isAuthenticated = false;
|
||||
if (isset($config['OPNsense']['proxy']['forward']['authentication']['method'])) {
|
||||
foreach (explode(',', $config['OPNsense']['proxy']['forward']['authentication']['method']) as $authServerName) {
|
||||
$authServer = $authFactory->get(trim($authServerName));
|
||||
if ($authServer == null) {
|
||||
// authenticator not found, use local
|
||||
$authServer = $authFactory->get('Local Database');
|
||||
}
|
||||
$isAuthenticated = $authServer->authenticate($username, $password);
|
||||
if ($isAuthenticated) {
|
||||
if (get_class($authServer) == "OPNsense\Auth\Local") {
|
||||
// todo: user priv check needs a reload of squid, maybe it's better to move the token check to
|
||||
// the auth object.
|
||||
//
|
||||
// when using local authentication, check if user has role user-proxy-auth
|
||||
$user = getUserEntry($username);
|
||||
if (is_array($user) && userHasPrivilege($user, "user-proxy-auth")) {
|
||||
break;
|
||||
} else {
|
||||
// log user auth failure
|
||||
syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
|
||||
fwrite(STDOUT, "ERR\n");
|
||||
$isAuthenticated = false;
|
||||
}
|
||||
} else {
|
||||
// log user auth failure
|
||||
syslog(LOG_WARNING, "user '{$username}' cannot authenticate for squid because of missing user-proxy-auth role");
|
||||
fwrite(STDOUT, "ERR\n");
|
||||
$isAuthenticated = false;
|
||||
break;
|
||||
}
|
||||
} else {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($isAuthenticated) {
|
||||
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
|
||||
fwrite(STDOUT, "OK\n");
|
||||
} else {
|
||||
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
|
||||
fwrite(STDOUT, "ERR\n");
|
||||
if ($isAuthenticated) {
|
||||
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
|
||||
fwrite(STDOUT, "OK\n");
|
||||
} else {
|
||||
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
|
||||
fwrite(STDOUT, "ERR\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
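Review bot: The new `if ($line)` guard tests only the raw line, so a blank line (`"\n"` is truthy in PHP) or a line holding a single token still reaches `rawurldecode($fields[1])` with an undefined index, and `authenticate()` is then called with an empty password. Whether an empty password is rejected depends on the configured authenticator, which is not visible here, so the helper should refuse such input itself right after the `explode()`, for example `if (count($fields) < 2) { fwrite(STDOUT, "ERR\n"); continue; }`. A falsy `$line` also gets no reply at all, and if `fgets()` keeps returning `false` without `feof()` becoming true the loop would spin. Separately, the missing-role branch writes `ERR` itself and, as far as this flattened view shows, carries on to the final `else`, which writes a second reply for the same request; dropping the inner `fwrite(STDOUT, "ERR\n");` would keep one reply per request line, which Squid's helper protocol presumably expects.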