added transition class for legacy ACL support (based on pages)

This commit is contained in:
Ad Schellevis 2015-02-12 18:27:51 +01:00
parent 78e41a00cb
commit f77f5ed955
6 changed files with 391 additions and 10 deletions


@ -61,6 +61,7 @@ class ControllerBase extends Controller
}
/**
* shared functionality
* @param $dispatcher
*/
public function beforeExecuteRoute($dispatcher)
@ -76,6 +77,9 @@ class ControllerBase extends Controller
$menu = new Menu\MenuSystem();
$this->view->menuSystem = $menu->getItems("/ui".$this->router->getRewriteUri());
$acl = new \OPNsense\Core\ACL();
$this->view->acl = $acl;
// prevent session lock
session_write_close();
}
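Review bot: `$acl = new \OPNsense\Core\ACL();` runs on every routed request, and the ACL constructor added in this commit re-reads the page-map file and walks every user and group node in config.xml each time; nothing here caches the result, so the per-request cost grows with the number of users and groups. Consider memoising the parsed map and group privileges (a static inside the ACL class or a cache keyed on the loaded config) rather than rebuilding them on each `beforeExecuteRoute`. The whole object is handed to templates via `$this->view->acl`, which is fine while `isPageAccessible` is its only public method, but a comment such as `// expose ACL to templates for menu filtering only; pages still enforce their own authorization` would make the intended scope explicit. beforeExecuteRoute begins outside this hunk.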


@ -0,0 +1,142 @@
<?php
/**
* Copyright (C) 2015 Deciso B.V.
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\Core;
/**
* Class ACL, this version is only for legacy support and should eventually be replaced by a decent model.
* @package OPNsense\Core
*/
class ACL
{
private $legacyUsers = array();
private $legacyGroupPrivs = array();
/**
* temporary hack to support the old pfSense priv to page mapping.
* @return array
*/
private function loadLegacyPageMap()
{
$legacyPageMap = array();
$handle = fopen(__DIR__."/ACL_Legacy_Page_Map.txt", "r");
if ($handle) {
while (($line = fgets($handle)) !== false) {
$parts = explode("=", $line);
if (count($parts) == 2) {
if (array_key_exists($parts[0], $legacyPageMap) == 0) {
$legacyPageMap[$parts[0]] = array();
}
$legacyPageMap[$parts[0]][] = trim($parts[1]);
}
}
fclose($handle);
}
return $legacyPageMap;
}
/**
* init legacy ACL features
*/
private function initLegacy()
{
$this->legacyUsers = array();
$this->legacyGroupPrivs = array();
$legacyPageMap = $this->loadLegacyPageMap();
$groupmap = array();
// gather user / group data from config.xml
$config = Config::getInstance()->object() ;
foreach ($config->system->children() as $key => $node) {
if ($key == "user") {
$this->legacyUsers[$node->name->__toString()] = array() ;
$this->legacyUsers[$node->name->__toString()]["uid"] = $node->uid->__toString();
$this->legacyUsers[$node->name->__toString()]["groups"] = array();
} elseif ($key == "group") {
$groupmap[$node->name->__toString()] = $node ;
}
}
// interpret group privilege data and update user data with group information.
foreach ($groupmap as $groupkey => $groupNode) {
$legacyGroupPrivs[$groupkey] = array();
foreach ($groupNode->children() as $itemKey => $node) {
if ($node->getName() == "member" && $node->__toString() != "") {
foreach ($this->legacyUsers as $username => $userinfo) {
if ($this->legacyUsers[$username]["uid"] == $node->__toString()) {
$this->legacyUsers[$username]["groups"][] = $groupkey;
}
}
} elseif ($node->getName() == "priv" && substr($node->__toString(), 0, 5) == "page-") {
if (array_key_exists($node->__toString(), $legacyPageMap)) {
$this->legacyGroupPrivs[$groupkey][] = $legacyPageMap[$node->__toString()];
}
}
}
}
}
/**
* legacy functionality to check if a page is accessible for the specified user.
* @param $username user name
* @param $url full url, for example /firewall_rules.php
* @return bool
*/
public function isPageAccessible($username, $url)
{
if (array_key_exists($username, $this->legacyUsers)) {
// search groups
foreach ($this->legacyUsers[$username]["groups"] as $itemkey => $group) {
if (array_key_exists($group, $this->legacyGroupPrivs)) {
foreach ($this->legacyGroupPrivs[$group] as $privset) {
foreach ($privset as $urlmask) {
$match = str_replace(array(".", "*","?"), array("\.", ".*","\?"), $urlmask);
$result = preg_match("@^/{$match}$@", "{$url}");
if ($result) {
return true;
}
}
}
}
}
}
return false;
}
public function __construct()
{
$this->initLegacy();
}
}
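Review bot: In `initLegacy` the line `$legacyGroupPrivs[$groupkey] = array();` writes to an undeclared local instead of the property, so `$this->legacyGroupPrivs` is only populated for groups that carry at least one `page-` priv and the local is dead; it should read `$this->legacyGroupPrivs[$groupkey] = array();` (the `array_key_exists` guard in `isPageAccessible` keeps this latent rather than a crash today). The pattern built in `isPageAccessible` escapes only `.`, `*` and `?`, so any other PCRE metacharacter or an `@` delimiter character in a mask would silently change the regex; quoting first and re-expanding the wildcard is safer, e.g. `$match = str_replace('\*', '.*', preg_quote($urlmask, '@'));` followed by `$result = preg_match("@^/{$match}$@D", $url);`, where the `D` modifier also stops `$` from accepting a trailing newline. Only `priv` nodes under `group` are honoured; if the legacy config also stores `priv` entries directly under a `user` node, those users are denied every page by this class, which is worth handling or at least stating in the class docblock. Finally, `fopen` on a missing map file emits a warning and yields an empty map, so every check becomes false — fail-closed, but a log line at that point would make a broken deployment visible.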


@ -0,0 +1,241 @@
page-all=*
page-status-carp=carp_status.php*
page-diagnostics-crash-reporter=crash_reporter.php*
page-diagnostics-arptable=diag_arp.php*
page-diagnostics-authentication=diag_authentication.php*
page-diagnostics-backup/restore=diag_backup.php*
page-diagnostics-configurationhistory=diag_confbak.php*
page-diagnostics-factorydefaults=diag_defaults.php*
page-diagnostics-ndptable=diag_ndp.php*
page-diagnostics-restore-full-backup=system_firmware_restorefullbackup.php
page-diagnostics-showstates=diag_dump_states.php*
page-diagnostics-sockets=diag_sockets.php*
page-diagnostics-testport=diag_testport.php*
page-status-ipsec=diag_ipsec.php*
page-status-ipsec-leases=diag_ipsec_leases.php*
page-status-ipsec-sad=diag_ipsec_sad.php*
page-status-ipsec-spd=diag_ipsec_spd.php*
page-status-ntp=status_ntpd.php*
page-ipsecxml=diag_ipsec_xml.php
page-diagnostics-logs-system=diag_logs.php*
page-status-systemlogs-portalauth=diag_logs_auth.php*
page-diagnostics-logs-dhcp=diag_logs_dhcp.php*
page-diagnostics-logs-firewall=diag_logs_filter.php*
page-diagnostics-logs-gateways=diag_logs_gateways.php*
page-diagnostics-logs-resolver=diag_logs_resolver.php*
page-hidden-nolongerincluded=diag_logs_filter_dynamic.php*
page-status-systemlogs-ipsecvpn=diag_logs_ipsec.php*
page-status-systemlogs-ntpd=diag_logs_ntpd.php*
page-status-systemlogs-openvpn=diag_logs_openvpn.php*
page-status-systemlogs-ppp=diag_logs_ppp.php*
page-status-systemlogs-loadbalancer=diag_logs_relayd.php*
page-status-systemlogs-routing=diag_logs_routing.php*
page-status-systemlogs-wireless=diag_logs_wireless.php*
page-diagnostics-logs-settings=diag_logs_settings.php*
page-diagnostics-logs-pptpvpn=diag_logs_vpn.php*
page-diagnostics-nanobsd=diag_nanobsd.php*
page-diagnostics-packetcapture=diag_packet_capture.php*
page-diagnostics-patters=patterns.php*
page-diagnostics-limiter-info=diag_limiter_info.php*
page-diagnostics-pf-info=diag_pf_info.php*
page-diagnostics-system-activity=diag_system_activity.php*
page-diagnostics-system-pftop=diag_system_pftop.php*
page-diagnostics-ping=diag_ping.php*
page-status-packagelogs=diag_pkglogs.php*
page-diagnostics-resetstate=diag_resetstate.php*
page-diagnostics-routingtables=diag_routes.php*
page-diagnostics-statessummary=diag_states_summary.php*
page-diagnostics-tables=diag_tables.php*
page-diagnostics-traceroute=diag_traceroute.php*
page-diagnostics-edit=edit.php*
page-diagnostics-edit=browser.php*
page-diagnostics-edit=filebrowser/browser.php*
page-diagnostics-command=exec.php*
page-firewall-aliases=firewall_aliases.php*
page-firewall-alias-edit=firewall_aliases_edit.php*
page-firewall-alias-import=firewall_aliases_import.php*
page-firewall-nat-npt=firewall_nat_npt.php*
page-firewall-nat-npt-edit=firewall_nat_npt_edit.php*
page-firewall-nat-portforward=firewall_nat.php*
page-firewall-nat-1-1=firewall_nat_1to1.php*
page-firewall-nat-1-1-edit=firewall_nat_1to1_edit.php*
page-firewall-nat-portforward-edit=firewall_nat_edit.php*
page-firewall-nat-outbound=firewall_nat_out.php*
page-firewall-nat-outbound-edit=firewall_nat_out_edit.php*
page-firewall-rules=firewall_rules.php*
page-firewall-rules-edit=firewall_rules_edit.php*
page-firewall-schedules=firewall_schedule.php*
page-firewall-schedules-edit=firewall_schedule_edit.php*
page-firewall-trafficshaper=firewall_shaper.php*
page-firewall-trafficshaper-layer7=firewall_shaper_layer7.php*
page-firewall-trafficshaper-queues=firewall_shaper_queues.php*
page-firewall-trafficshaper-limiter=firewall_shaper_vinterface.php*
page-firewall-trafficshaper-wizard=firewall_shaper_wizards.php*
page-firewall-virtualipaddresses=firewall_virtual_ip.php*
page-firewall-virtualipaddress-edit=firewall_virtual_ip_edit.php*
page-getserviceproviders=getserviceproviders.php*
page-getstats=getstats.php*
page-diagnostics-interfacetraffic=graph.php*
page-diagnostics-cpuutilization=graph_cpu.php*
page-diagnostics-haltsystem=halt.php*
page-requiredforjavascript=headjs.php*
page-xmlrpcinterfacestats=ifstats.php*
page-system-login/logout=index.php*
page-interfaces=interfaces.php*
page-interfaces-assignnetworkports=interfaces_assign.php*
page-interfaces-bridge=interfaces_bridge.php*
page-interfaces-bridge-edit=interfaces_bridge_edit.php*
page-interfaces-gif=interfaces_gif.php*
page-interfaces-gif-edit=interfaces_gif_edit.php*
page-interfaces-gre=interfaces_gre.php*
page-interfaces-gre-edit=interfaces_gre_edit.php*
page-interfaces-groups=interfaces_groups.php*
page-interfaces-groups-edit=interfaces_groups_edit.php*
page-interfaces-lagg=interfaces_lagg.php*
page-interfaces-lagg-edit=interfaces_lagg_edit.php*
page-interfaces-ppps=interfaces_ppps.php*
page-interfaces-ppps-edit=interfaces_ppps_edit.php*
page-interfaces-qinq=interfaces_qinq.php*
page-interfaces-qinq-edit=interfaces_qinq_edit.php*
page-interfaces-vlan=interfaces_vlan.php*
page-interfaces-vlan-edit=interfaces_vlan_edit.php*
page-interfaces-wireless=interfaces_wireless.php*
page-interfaces-wireless-edit=interfaces_wireless_edit.php*
page-system-license=license.php*
page-services-loadbalancer-monitor=load_balancer_monitor.php*
page-services-loadbalancer-monitor-edit=load_balancer_monitor_edit.php*
page-loadbalancer-pool=load_balancer_pool.php*
page-loadbalancer-pool-edit=load_balancer_pool_edit.php*
page-services-loadbalancer-relay-action=load_balancer_relay_action.php*
page-services-loadbalancer-relay-action-edit=load_balancer_relay_action_edit.php*
page-services-loadbalancer-relay-protocol=load_balancer_relay_protocol.php*
page-services-loadbalancer-relay-protocol-edit=load_balancer_relay_protocol_edit.php*
page-services-loadbalancer-setting=load_balancer_setting.php*
page-services-loadbalancer-virtualservers=load_balancer_virtual_server.php*
page-services-ntpd=services_ntpd.php*
page-services-ntp-gps=status_ntpd_gps.php*
page-services-ntp-pps=status_ntpd_pps.php*
page-loadbalancer-virtualserver-edit=load_balancer_virtual_server_edit.php*
page-package-settings=pkg.php*
page-package-edit=pkg_edit.php*
page-system-packagemanager=pkg_mgr.php*
page-system-packagemanager-installpackage=pkg_mgr_install.php*
page-system-packagemanager-installed=pkg_mgr_installed.php*
page-pkg-mgr-settings=pkg_mgr_settings.php*
page-diagnostics-rebootsystem=reboot.php*
page-diagnostics-restart-httpd=restart_httpd.php*
page-services-captiveportal=services_captiveportal.php*
page-services-captiveportal-filemanager=services_captiveportal_filemanager.php*
page-services-captiveportal-allowedips=services_captiveportal_ip.php*
page-services-captiveportal-editallowedips=services_captiveportal_ip_edit.php*
page-services-captiveportal-macaddresses=services_captiveportal_mac.php*
page-services-captiveportal-editmacaddresses=services_captiveportal_mac_edit.php*
page-services-captiveportal-allowedhostnames=services_captiveportal_hostname.php*
page-services-captiveportal-editallowedhostnames=services_captiveportal_hostname_edit.php*
page-services-captiveportal-editzones=services_captiveportal_zones_edit.php*
page-services-captiveportal-vouchers=services_captiveportal_vouchers.php*
page-services-captiveportal-voucher-edit=services_captiveportal_vouchers_edit.php*
page-services-captiveportal-zones=services_captiveportal_zones.php*
page-services-dhcpserver=services_dhcp.php*
page-services-dhcpserver-editstaticmapping=services_dhcp_edit.php*
page-services-dhcprelay=services_dhcp_relay.php*
page-services-dhcpv6server=services_dhcpv6.php*
page-services-dhcpserverv6-editstaticmapping=services_dhcpv6_edit.php*
page-services-dhcpv6relay=services_dhcpv6_relay.php*
page-services-dnsforwarder=services_dnsmasq.php*
page-services-dnsforwarder-editdomainoverride=services_dnsmasq_domainoverride_edit.php*
page-services-dnsforwarder-edithost=services_dnsmasq_edit.php*
page-services-dnsresolver=services_unbound.php*
page-services-dnsresolver-advanced=services_unbound_advanced.php*
page-services-dnsresolver-acls=services_unbound_acls.php*
page-services-dnsresolver-editacls=services_unbound_acls_edit.php*
page-services-dnsresolver-editdomainoverride=services_unbound_domainoverride_edit.php*
page-services-dnsresolver-edithost=services_unbound_host_edit.php*
page-services-dynamicdnsclients=services_dyndns.php*
page-services-dynamicdnsclient=services_dyndns_edit.php*
page-services-igmpproxy=services_igmpproxy.php*
page-services-igmpproxy-edit=services_igmpproxy_edit.php*
page-services-rfc2136clients=services_rfc2136.php*
page-services-router-advertisements=services_router_advertisements.php*
page-services-snmp=services_snmp.php*
page-services-wakeonlan=services_wol.php*
page-services-wakeonlan-edit=services_wol_edit.php*
page-diagnostics-cpuutilization=stats.php*
page-hidden-detailedstatus=status.php*
page-status-captiveportal=status_captiveportal.php*
page-status-captiveportal-expire=status_captiveportal_expire.php*
page-status-captiveportal-test=status_captiveportal_test.php*
page-status-captiveportal-voucher-rolls=status_captiveportal_voucher_rolls.php*
page-status-captiveportal-vouchers=status_captiveportal_vouchers.php*
page-status-dhcpleases=status_dhcp_leases.php*
page-status-dhcpv6leases=status_dhcpv6_leases.php*
page-status-filterreloadstatus=status_filter_reload.php*
page-status-gatewaygroups=status_gateway_groups.php*
page-status-gateways=status_gateways.php*
page-status-trafficgraph=status_graph.php*
page-status-trafficgraph=bandwidth_by_ip.php*
page-status-trafficgraph=graph.php*
page-status-trafficgraph=ifstats.php*
page-status-cpuload=status_graph_cpu.php*
page-status-interfaces=status_interfaces.php*
page-status-loadbalancer-pool=status_lb_pool.php*
page-status-loadbalancer-virtualserver=status_lb_vs.php*
page-status-openvpn=status_openvpn.php*
page-status-trafficshaper-queues=status_queues.php*
page-status-rrdgraphs=status_rrd_graph.php*
page-status-rrdgraphs=status_rrd_graph_img.php*
page-status-rrdgraph-settings=status_rrd_graph_settings.php*
page-status-services=status_services.php*
page-status-upnpstatus=status_upnp.php*
page-diagnostics-wirelessstatus=status_wireless.php*
page-system-generalsetup=system.php*
page-system-advanced-admin=system_advanced_admin.php*
page-system-advanced-firewall=system_advanced_firewall.php*
page-system-advanced-misc=system_advanced_misc.php*
page-system-advanced-network=system_advanced_network.php*
page-system-advanced-notifications=system_advanced_notifications.php*
page-system-advanced-sysctl=system_advanced_sysctl.php*
page-system-authservers=system_authservers.php*
page-system-camanager=system_camanager.php*
page-system-certmanager=system_certmanager.php*
page-system-crlmanager=system_crlmanager.php*
page-system-firmware-manualupdate=system_firmware.php*
page-system-firmware-checkforupdate=system_firmware_auto.php*
page-system-firmware-autoupdate=system_firmware_check.php*
page-system-firmware-settings=system_firmware_settings.php*
page-system-gatewaygroups=system_gateway_groups.php*
page-system-gateways-editgatewaygroups=system_gateway_groups_edit.php*
page-system-gateways=system_gateways.php*
page-system-gateways-editgateway=system_gateways_edit.php*
page-system-groupmanager=system_groupmanager.php*
page-system-groupmanager-addprivs=system_groupmanager_addprivs.php*
page-system-hasync=system_hasync.php*
page-system-staticroutes=system_routes.php*
page-system-staticroutes-editroute=system_routes_edit.php*
page-system-usermanager=system_usermanager.php*
page-system-usermanager-addprivs=system_usermanager_addprivs.php*
page-system-usermanager-passwordmg=system_usermanager_passwordmg.php*
page-system-usermanager-settings=system_usermanager_settings.php*
page-system-usermanager-settings-testldap=system_usermanager_settings_test.php*
page-upload_progress=upload_progress*
page-hidden-uploadconfiguration=uploadconfig.php*
page-vpn-ipsec=vpn_ipsec.php*
page-vpn-ipsec-listkeys=vpn_ipsec_keys.php*
page-vpn-ipsec-editkeys=vpn_ipsec_keys_edit.php*
page-vpn-ipsec-mobile=vpn_ipsec_mobile.php*
page-vpn-ipsec-editphase1=vpn_ipsec_phase1.php*
page-vpn-ipsec-editphase2=vpn_ipsec_phase2.php*
page-vpn-vpnl2tp=vpn_l2tp.php*
page-vpn-vpnl2tp-users=vpn_l2tp_users.php*
page-vpn-vpnl2tp-users-edit=vpn_l2tp_users_edit.php*
page-openvpn-client=vpn_openvpn_client.php*
page-openvpn-csc=vpn_openvpn_csc.php*
page-openvpn-server=vpn_openvpn_server.php*
page-services-pppoeserver=vpn_pppoe.php*
page-services-pppoeserver-edit=vpn_pppoe_edit.php*
page-vpn-vpnpptp=vpn_pptp.php*
page-vpn-vpnpptp-users=vpn_pptp_users.php*
page-vpn-vpnpptp-user-edit=vpn_pptp_users_edit.php*
page-pfsensewizardsubsystem=wizard.php*
page-xmlrpclibrary=xmlrpc.php*
page-firewall-easyrule=easyrule.php*


@ -181,7 +181,6 @@ class Config extends Singleton
$this->configxml->loadXML($xml);
$this->simplexml = simplexml_import_dom($this->configxml);
$this->isValid = true;
}
/**


@ -1,14 +1,14 @@
<aside id="navigation" class="page-side col-xs-12 col-sm-2 hidden-xs">
<div class="row">
<nav class="page-side-nav" role="navigation">
<div class="list-group" id="mainmenu">
{% for topMenuItem in menuSystem %}
<a href="#{{ topMenuItem.Id }}" class="list-group-item " data-toggle="collapse" data-parent="#mainmenu"><span class="{{ topMenuItem.CssClass }} __iconspacer"></span>{{ topMenuItem.VisibleName }}</a>
<a href="#{{ topMenuItem.Id }}" class="list-group-item " data-toggle="collapse" data-parent="#mainmenu"><span class="{{ topMenuItem.CssClass }} __iconspacer"></span>{{ topMenuItem.VisibleName }} </a>
<div class="collapse {% if topMenuItem.Selected %} active-menu in {% endif %}" id="{{ topMenuItem.Id }}">
{% for subMenuItem in topMenuItem.Children %}
<a href="{{ subMenuItem.Url }}" class="list-group-item {% if subMenuItem.Selected %} active {% endif %}">{{ subMenuItem.VisibleName }}</a>
{% if acl.isPageAccessible(session.get('Username'),subMenuItem.Url) %}
<a href="{{ subMenuItem.Url }}" class="list-group-item {% if subMenuItem.Selected %} active {% endif %}">{{ subMenuItem.VisibleName }}</a>
{% endif %}
{% endfor %}
</div>
{% endfor %}
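Review bot: The `acl.isPageAccessible(session.get('Username'),subMenuItem.Url)` guard only decides whether a link is rendered; it is not an access control, so every page behind `subMenuItem.Url` still has to enforce its own server-side check, and a comment above the `{% if %}` such as `{# menu visibility only; pages enforce authorization themselves #}` would stop the next maintainer from relying on it. When the session holds no Username the call receives null and, reading the new ACL class, returns false, so the menu renders empty rather than open — a sensible fail-closed default that is worth stating in the same comment. The match is made against `subMenuItem.Url` while the ACL anchors its masks with a leading `/`; if the menu URLs carry a `/ui` prefix or a query string, entries whose mask lacks a trailing `*` would not match, which I cannot confirm from this hunk.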


@ -3,11 +3,6 @@
error_reporting(E_ALL);
try {
// Fix authentication for local testing
// session_start();
// $_SESSION["Username"]="admin";
// session_write_close();
/**
* Read the configuration
*/