openvpn: allow local group enforcement #1748
While there, strip a bit of legacy cruft.
This commit is contained in:
parent
1fe8341a19
commit
ee0c1705a1
@ -247,7 +247,25 @@ function index_users()
|
||||
}
|
||||
|
||||
return $userindex;
|
||||
}
|
||||
}
|
||||
|
||||
function getUserGroups($username)
|
||||
{
|
||||
global $config;
|
||||
$member_groups = array();
|
||||
$user = getUserEntry($username);
|
||||
if ($user !== false) {
|
||||
$allowed_groups = local_user_get_groups($user);
|
||||
if (isset($config['system']['group'])) {
|
||||
foreach ($config['system']['group'] as $group) {
|
||||
if (in_array($group['name'], $allowed_groups)) {
|
||||
$member_groups[] = $group['name'];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return $member_groups;
|
||||
}
|
||||
|
||||
function &getUserEntry($name)
|
||||
{
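Review bot: The filtering loop in the new `getUserGroups()` is a no-op: `local_user_get_groups()` builds its result from the very names in `$config['system']['group']` (visible in the later hunk, `$groups[] = $group['name']`), so every entry of `$allowed_groups` is already a configured group name and the body reduces to `return $user !== false ? local_user_get_groups($user) : array();` (assuming local_user_get_groups guards the missing-group case itself; its head is outside the hunk). If the loop is kept, pass `true` to `in_array()` so numeric-looking names such as `1` and `01` do not match loosely. The helper consults only the local user database, so callers authenticating against LDAP/RADIUS get an empty list for a username without a local account; a one-line docblock stating that would help, e.g. `/* Names of the local groups $username belongs to; empty when no local user entry exists. */`.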
|
||||
@ -309,7 +327,7 @@ function get_user_privileges(&$user)
|
||||
$privs = $user['priv'];
|
||||
}
|
||||
|
||||
$names = local_user_get_groups($user, true);
|
||||
$names = local_user_get_groups($user);
|
||||
|
||||
foreach ($names as $name) {
|
||||
$group = getGroupEntry($name);
|
||||
@ -518,7 +536,7 @@ function local_user_set_password(&$user, $password = null)
|
||||
}
|
||||
}
|
||||
|
||||
function local_user_get_groups($user, $all = false)
|
||||
function local_user_get_groups($user)
|
||||
{
|
||||
global $config;
|
||||
|
||||
@ -530,7 +548,7 @@ function local_user_get_groups($user, $all = false)
|
||||
|
||||
foreach ($config['system']['group'] as $group) {
|
||||
if (isset($group['member'])) {
|
||||
if (in_array($user['uid'], $group['member']) || ($group['name'] == "all" && $all)) {
|
||||
if (in_array($user['uid'], $group['member'])) {
|
||||
$groups[] = $group['name'];
|
||||
}
|
||||
}
|
||||
@ -549,7 +567,7 @@ function local_user_set_groups($user, $new_groups = null)
|
||||
return;
|
||||
}
|
||||
|
||||
$cur_groups = local_user_get_groups($user, true);
|
||||
$cur_groups = local_user_get_groups($user);
|
||||
$mod_groups = array();
|
||||
|
||||
if (!is_array($new_groups)) {
|
||||
|
||||
@ -686,7 +686,7 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
|
||||
if ($settings['strictusercn']) {
|
||||
$strictusercn = "true";
|
||||
}
|
||||
$conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id}\" via-env\n";
|
||||
$conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' '{$strictusercn}' '{$mode_id}'\" via-env\n";
|
||||
}
|
||||
break;
|
||||
}
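Review bot: The new line quotes `$strictusercn` and `$mode_id` but still interpolates `$settings['authmode']` raw inside single quotes, so an authentication-server name containing `'` or a newline would split or break the `auth-user-pass-verify` directive that OpenVPN later parses. Authmode is an admin-chosen name written into a config file, so the safer fix is to reject such characters where the server is saved (outside this hunk); escaping here with `escapeshellarg()` is only an option if OpenVPN's own argument parser accepts its `'\''` output, which I cannot confirm from this page. A comment on the line noting that the value is trusted-by-validation would make the assumption explicit. openvpn_reconfigure() continues outside the hunk.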
|
||||
|
||||
@ -78,8 +78,33 @@ if (!is_array($authmodes)) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
$a_server = null;
|
||||
|
||||
if (isset($config['openvpn']['openvpn-server'])) {
|
||||
foreach ($config['openvpn']['openvpn-server'] as $server) {
|
||||
if ($server['vpnid'] == $modeid) {
|
||||
$a_server = $server;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($a_server == null) {
|
||||
syslog(LOG_WARNING, "The server $modeid was not found. Denying authentication for user {$username}");
|
||||
closelog();
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (!empty($a_server['local_group']) && !in_array($a_server['local_group'], getUserGroups($username))) {
|
||||
syslog(LOG_WARNING, "The server $modeid requires the local group {$a_server['local_group']}. Denying authentication for user {$username}");
|
||||
closelog();
|
||||
exit(1);
|
||||
}
|
||||
|
||||
foreach ($authmodes as $authmode) {
|
||||
$authcfg = auth_get_authserver($authmode);
|
||||
|
||||
/* XXX this doesn't look right... */
|
||||
if (!$authcfg && $authmode != "local") {
|
||||
continue;
|
||||
}
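Review bot: The server lookup and the group gate use loose comparisons on string values: `$server['vpnid'] == $modeid` is numeric-string comparison (`"1" == "01"` holds), `$a_server == null` also matches falsy non-null values, and `in_array($a_server['local_group'], ...)` has no strict flag. Make all three strict: `if ((string)$server['vpnid'] === (string)$modeid) {`, `if ($a_server === null) {`, and `!in_array($a_server['local_group'], getUserGroups($username), true)`. Two behaviours deserve a comment above the gate: it runs before any backend is consulted and reads only the local user database, so a user without a local account is denied whatever the backend says, and a `local_group` that no longer exists in config denies everyone (fail-closed) — `// local-group gate: evaluated before backend auth; users without a local entry and stale group names are denied`. Where `$modeid` and `$username` are read from is outside the hunk.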
|
||||
|
||||
@ -31,25 +31,6 @@ require_once("guiconfig.inc");
|
||||
require_once("PEAR.inc");
|
||||
require_once("interfaces.inc");
|
||||
|
||||
function getUserGroups($username, $authcfg)
|
||||
{
|
||||
global $config;
|
||||
$member_groups = array();
|
||||
$user = getUserEntry($username);
|
||||
if ($user !== false) {
|
||||
$allowed_groups = local_user_get_groups($user, true);
|
||||
if (isset($config['system']['group'])) {
|
||||
foreach ($config['system']['group'] as $group) {
|
||||
if (in_array($group['name'], $allowed_groups)) {
|
||||
$member_groups[] = $group['name'];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return $member_groups;
|
||||
}
|
||||
|
||||
|
||||
$input_errors = array();
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
$pconfig = array("authmode" => "", "username" => "", "password" => "");
|
||||
@ -68,7 +49,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
if (count($input_errors) == 0) {
|
||||
if (authenticate_user($_POST['username'], $_POST['password'], $authcfg)) {
|
||||
$savemsg = gettext("User") . ": " . $_POST['username'] . " " . gettext("authenticated successfully.");
|
||||
$groups = getUserGroups($_POST['username'], $authcfg);
|
||||
$groups = getUserGroups($_POST['username']);
|
||||
$savemsg .= "<br />" . gettext("This user is a member of these groups") . ": <br />";
|
||||
foreach ($groups as $group) {
|
||||
$savemsg .= "{$group} ";
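Review bot: The updated call drops `$authcfg`, so the "member of these groups" line now always reports local group membership even when the test targeted an LDAP/RADIUS server via the same `$authcfg`, which can mislead an admin checking remote group mapping. A comment on the new line would make that explicit: `// local groups only; the tested backend's group membership is not consulted`, or the gettext string could say "local groups". Separately, `$_POST['username']` is concatenated into `$savemsg` on the context line above without escaping; if `$savemsg` is echoed as HTML further down (outside this hunk) it should go through `htmlspecialchars()`.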
|
||||
|
||||
@ -44,7 +44,7 @@ function get_user_privdesc(& $user)
|
||||
$user_privs = $user['priv'];
|
||||
}
|
||||
|
||||
$names = local_user_get_groups($user, true);
|
||||
$names = local_user_get_groups($user);
|
||||
|
||||
foreach ($names as $name) {
|
||||
$group = getGroupEntry($name);
|
||||
|
||||
@ -64,7 +64,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
,serverbridge_interface,serverbridge_dhcp_start,serverbridge_dhcp_end
|
||||
,dns_server1,dns_server2,dns_server3,dns_server4,ntp_server1
|
||||
,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1
|
||||
,wins_server2,no_tun_ipv6,push_register_dns,dns_domain
|
||||
,wins_server2,no_tun_ipv6,push_register_dns,dns_domain,local_group
|
||||
,client_mgmt_port,verbosity_level,caref,crlref,certref,dh_length
|
||||
,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,reneg-sec,use-common-name";
|
||||
|
||||
@ -332,7 +332,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
$copy_fields = "mode,protocol,dev_mode,local_port,description,crypto,digest,engine
|
||||
,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6
|
||||
,gwredir,local_network,local_networkv6,maxclients,compression
|
||||
,passtos,client2client,dynamic_ip,pool_enable,topology_subnet
|
||||
,passtos,client2client,dynamic_ip,pool_enable,topology_subnet,local_group
|
||||
,serverbridge_dhcp,serverbridge_interface,serverbridge_dhcp_start
|
||||
,serverbridge_dhcp_end,dns_domain,dns_server1,dns_server2,dns_server3
|
||||
,dns_server4,push_register_dns,ntp_server1,ntp_server2,netbios_enable
|
||||
@ -660,6 +660,24 @@ $( document ).ready(function() {
|
||||
</select>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="opt_mode opt_mode_server_user opt_mode_server_tls_user" style="display:none">
|
||||
<td><a id="help_for_local_group" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Enforce local group') ?></td>
|
||||
<td>
|
||||
<select name='local_group' id="local_group" class="form-control">
|
||||
<option value="" <?= empty($pconfig['local_group']) ? 'selected="selected"' : '' ?>>(<?= gettext('none') ?>)</option>
|
||||
<?php
|
||||
foreach (config_read_array('system', 'group') as $group):
|
||||
$selected = $pconfig['local_group'] == $group['name'] ? 'selected="selected"' : ''; ?>
|
||||
<option value="<?= $group['name'] ?>" <?= $selected ?>><?= $group['name'] ?></option>
|
||||
<?php
|
||||
endforeach; ?>
|
||||
</select>
|
||||
<div class="hidden" for="help_for_local_group">
|
||||
<?= gettext('Restrict access to users in the selected local group. Please be aware ' .
|
||||
'that other authentication backends will refuse to authenticate when using this option.') ?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Protocol");?></td>
|
||||
<td>
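Review bot: The new `<option>` markup echoes `$group['name']` into both an attribute and the element body without escaping; group names come from config, so an admin-created name containing `"` or `<` breaks the markup (a stored XSS in the admin UI if group creation permits such characters, which this page does not show). Escape both occurrences, e.g. `<option value="<?= htmlspecialchars($group['name']) ?>" <?= $selected ?>><?= htmlspecialchars($group['name']) ?></option>`, or the project's `html_safe()` helper if it is in scope here. The `$pconfig['local_group'] == $group['name']` comparison on the line above can be `===` since both sides are strings. Whether the POST handler validates the submitted `local_group` against existing groups is outside this hunk; an unknown name fails closed in ovpn_auth_verify, so it is not a bypass, but rejecting it on save gives clearer feedback.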
|
||||
|
||||