upstream/opnsense-plugins
1
0
Fork 0
mirror of https://github.com/opnsense/plugins.git synced 2026-06-09 00:42:34 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

web proxy plugin for signle sign-on on Active Directory

Browse source 
PR: https://github.com/opnsense/plugins/pull/42
This commit is contained in:
gitdevmod 2016-06-21 16:39:45 +02:00 committed by Franco Fichtner
parent 4339d7171a
commit 3efe3c46cf
18 changed files with 772 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Makefile
View file

@ -3,7 +3,7 @@ PAGER?= less
all:
@cat ${.CURDIR}/README.md | ${PAGER}
CATEGORIES= devel net sysutils security
CATEGORIES= devel net sysutils security www
.for CATEGORY in ${CATEGORIES}
_${CATEGORY}!= ls -1d ${CATEGORY}/*

8
www/web-proxy-sso/Makefile Normal file
View file

@ -0,0 +1,8 @@
PLUGIN_NAME= web-proxy-sso
PLUGIN_VERSION= 0.1
PLUGIN_PRIVATE= yes
PLUGIN_COMMENT= Add SSO Active Directory to use in Proxy
PLUGIN_DEPENDS= msktutil
PLUGIN_MAINTAINER= gitdevmod@github.com
.include "../../Mk/plugins.mk"

101
www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/ServiceController.php Normal file
View file

@ -0,0 +1,101 @@
<?php
/**
* Copyright (C) 2016 gitdevmod@github.com
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\SSOProxyAD\Api;
use \OPNsense\Base\ApiControllerBase;
use \OPNsense\SSOProxyAD\SSOProxyAD;
use \OPNsense\Core\Backend;
use \OPNsense\Cron\Cron;
class ServiceController extends ApiControllerBase
{
public function reloadAction()
{
$status = "failed";
if ($this->request->isPost()) {
$mdlSSOProxyAD = new SSOProxyAD();
if ((string)$mdlSSOProxyAD->general->UpdateCron == "") {
$mdlCron = new Cron();
$mdlSSOProxyAD->general->UpdateCron = $mdlCron->newDailyJob("SSOProyAD", "ssoproxyad updateDomain", "SSOProxyAD updateDomain cron", "1");
if ($mdlCron->performValidation()->count() == 0) {
$mdlCron->serializeToConfig();
$mdlMymodule->serializeToConfig($validateFullModel = false, $disable_validation = true);
Config::getInstance()->save();
}
}
$backend = new Backend();
$bckresult = trim($backend->configdRun("template reload OPNsense.SSOProxyAD"));
if ($bckresult == "OK") {
$status = "ok";
}
}
return array("status" => $status);
}
public function testAction()
{
if ($this->request->isPost()) {
$backend = new Backend();
$bckresult = json_decode(trim($backend->configdRun("ssoproxyad test")), true);
if ($bckresult !== null) {
// only return valid json type responses
return $bckresult;
}
}
return array("message" => "unable to run config action");
}
public function joinDomainAction()
{
if ($this->request->isPost()) {
$backend = new Backend();
$bckresult = json_decode(trim($backend->configdRun("ssoproxyad joinDomain")), true);
if ($bckresult !== null) {
// only return valid json type responses
return $bckresult;
}
}
return array("message" => "unable to run config action");
}
public function updateDomainAction()
{
if ($this->request->isPost()) {
$backend = new Backend();
$bckresult = json_decode(trim($backend->configdRun("ssoproxyad updateDomain")), true);
if ($bckresult !== null) {
// only return valid json type responses
return $bckresult;
}
}
return array("message" => "unable to run config action");
}
}

84
www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/Api/SettingsController.php Normal file
View file

@ -0,0 +1,84 @@
<?php
/**
* Copyright (C) 2016 gitdevmod@github.com
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\SSOProxyAD\Api;
use \OPNsense\Base\ApiControllerBase;
use \OPNsense\SSOProxyAD\SSOProxyAD;
use \OPNsense\Core\Config;
class SettingsController extends ApiControllerBase
{
/*
* retrieve SSO Proxy Active Directory general settings
* @return array general settings
*/
public function getAction()
{
// define list of configurable settings
$result = array();
if ($this->request->isGet()) {
$mdlSSOProxyAD= new SSOProxyAD();
$result['ssoproxyad'] = $mdlSSOProxyAD->getNodes();
}
return $result;
}
/**
* update SSOProxyAD settings
* @return array status
*/
public function setAction()
{
$result = array("result"=>"failed");
if ($this->request->isPost()) {
// load model and update with provided data
$mdlSSOProxyAD= new SSOProxyAD();
$mdlSSOProxyAD->setNodes($this->request->getPost("ssoproxyad"));
// perform validation
$valMsgs = $mdlSSOProxyAD->performValidation();
foreach ($valMsgs as $field => $msg) {
if (!array_key_exists("validations", $result)) {
$result["validations"] = array();
}
$result["validations"]["general.".$msg->getField()] = $msg->getMessage();
}
// serialize model to config and save
if ($valMsgs->count() == 0) {
$mdlSSOProxyAD->serializeToConfig();
Config::getInstance()->save();
$result["result"] = "saved";
}
}
return $result;
}
}

42
www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/IndexController.php Normal file
View file

@ -0,0 +1,42 @@
<?php
/**
* Copyright (C) 2016 gitdevmod@github.com
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\SSOProxyAD;
class IndexController extends \OPNsense\Base\IndexController
{
public function indexAction()
{
// set page title, used by the standard template in layouts/default.volt.
$this->view->title = "SSO Proxy Active Directory";
// pick the template to serve to our users.
$this->view->pick('OPNsense/SSOProxyAD/index');
$this->view->generalForm = $this->getForm("general");
}
}

33
www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/SSOProxyAD/forms/general.xml Normal file
View file

@ -0,0 +1,33 @@
<form>
<field>
<id>ssoproxyad.general.Enabled</id>
<label>enabled</label>
<type>checkbox</type>
<help>Enable this feature</help>
</field>
<field>
<id>ssoproxyad.general.DomainName</id>
<label>Active Directory Domain Name</label>
<type>text</type>
</field>
<field>
<id>ssoproxyad.general.DomainDC</id>
<label>Active Directory Domain Controller</label>
<type>text</type>
</field>
<field>
<id>ssoproxyad.general.DomainVersion</id>
<label>Active Directory Domain Version</label>
<type>text</type>
</field>
<field>
<id>ssoproxyad.general.DomainUser</id>
<label>Active Directory Domin User</label>
<type>text</type>
</field>
<field>
<id>ssoproxyad.general.DomainPassword</id>
<label>Active Directory Domain Password</label>
<type>password</type>
</field>
</form>

73
www/web-proxy-sso/src/opnsense/mvc/app/library/OPNsense/Auth/SSOProxyAD.php Normal file
View file

@ -0,0 +1,73 @@
<?php
/**
* Copyright (C) 2016 gitdevmod@github.com
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\Auth;
use OPNsense\Core\Config;
/**
* Class SSOProxyAD connector
* @package OPNsense\Auth
*/
class SSOProxyAD implements IAuthConnector
{
public static function getType()
{
return 'ssoproxyad';
}
/**
* user friendly description of this authenticator
* @return string
*/
public function getDescription()
{
return gettext("SSO Proxy AD");
}
/**
* set connector properties
* @param array $config connection properties
*/
public function setProperties($config)
{
}
/**
* unused
* @return array mixed named list of authentication properties
*/
public function getLastAuthProperties()
{
return array();
}
public function authenticate($username,$password)
{
}
}

11
www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/ACL/ACL.xml Normal file
View file

@ -0,0 +1,11 @@
<acl>
<!-- unique acl key, must be globally unique for all acl's -->
<page-user-ssoproxyad>
<name>WebCfg - Users: SSO Proxy AD</name>
<description>Allow access to the SSO Proxy AD module</description>
<patterns>
<pattern>ui/ssoproxyad/*</pattern>
<pattern>api/ssoproxyad/*</pattern>
</patterns>
</page-user-ssoproxyad>
</acl>

6
www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/Menu/Menu.xml Normal file
View file

@ -0,0 +1,6 @@
<menu>
<!-- Plugin SSOProxyAD menu -->
<User order="999">
<SSOProxyAD VisibleName="SSO Proxy AD" url="/ui/ssoproxyad/"/>
</User>
</menu>

35
www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.php Normal file
View file

@ -0,0 +1,35 @@
<?php
/**
* Copyright (C) 2016 gitdevmod@github.com
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\SSOProxyAD;
use OPNsense\Base\BaseModel;
class SSOProxyAD extends BaseModel
{
}

43
www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/SSOProxyAD/SSOProxyAD.xml Normal file
View file

@ -0,0 +1,43 @@
<model>
<mount>//OPNsense/ssoproxyad</mount>
<description>
SSO Active Directory plugin
</description>
<items>
<general>
<Enabled type="BooleanField">
<default>1</default>
<Required>Y</Required>
</Enabled>
<DomainName type="TextField">
<Required>Y</Required>
</DomainName>
<DomainDC type="TextField">
<Required>Y</Required>
</DomainDC>
<DomainVersion type="TextField">
<Required>Y</Required>
</DomainVersion>
<DomainUser type="TextField">
<Required>Y</Required>
</DomainUser>
<DomainPassword type="UpdateOnly">
<Required>Y</Required>
</DomainPassword>
<UpdateCron type="ModelRelationField">
<Model>
<queues>
<source>OPNsense.Cron.Cron</source>
<items>jobs.job</items>
<display>description</display>
<filters>
<origin>/SSOProxyAD/</origin>
</filters>
</queues>
</Model>
<ValidationMessage>Related cron not found.</ValidationMessage>
<Required>N</Required>
</UpdateCron>
</general>
</items>
</model>

84
www/web-proxy-sso/src/opnsense/mvc/app/views/OPNsense/SSOProxyAD/index.volt Normal file
View file

@ -0,0 +1,84 @@
{#
Copyright (C) 2016 gitdevmod@github.com
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
#}
{{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
<script type="text/javascript">
$( document ).ready(function() {
var data_get_map = {'frm_GeneralSettings':"/api/ssoproxyad/settings/get"};
mapDataToFormUI(data_get_map).done(function(data){
// place actions to run after load, for example update form styles.
});
// link save button to API set action
$("#saveAct").click(function(){
saveFormToEndpoint(url="/api/ssoproxyad/settings/set",formid='frm_GeneralSettings',callback_ok=function(){
// action to run after successful save, for example reconfigure service.
ajaxCall(url="/api/ssoproxyad/service/reload", sendData={},callback=function(data,status) {
// action to run after reload
});
});
});
$("#testAct").click(function(){
$("#responseMsg").removeClass("hidden");
ajaxCall(url="/api/ssoproxyad/service/test", sendData={},callback=function(data,status) {
// action to run after reload
$("#responseMsg").html(data['message']);
});
});
$("#joinDomainAct").click(function(){
$("#responseMsg").removeClass("hidden");
ajaxCall(url="/api/ssoproxyad/service/joinDomain", sendData={},callback=function(data,status) {
// action to run after reload
$("#responseMsg").html(data['message']);
});
});
$("#updateDomainAct").click(function(){
$("#responseMsg").removeClass("hidden");
ajaxCall(url="/api/ssoproxyad/service/updateDomain", sendData={},callback=function(data,status) {
// action to run after reload
$("#responseMsg").html(data['message']);
});
});
});
</script>
<div class="col-md-12">
<button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b></button>
</div>
<div class="alert alert-info hidden" role="alert" id="responseMsg">
</div>
<button class="btn btn-primary" id="testAct" type="button"><b>{{ lang._('Test') }}</b></button>
<button class="btn btn-primary" id="joinDomainAct" type="button"><b>{{ lang._('Join Domain') }}</b></button>
<button class="btn btn-primary" id="updateDomainAct" type="button"><b>{{ lang._('Update Domain') }}</b></button>

89
www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php Executable file
View file

@ -0,0 +1,89 @@
#!/usr/local/bin/php
<?php
/**
* Copyright (C) 2016 gitdevmod@github.com
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
// Use legacy code to export certificates to the filesystem.
require_once("config.inc");
require_once("certs.inc");
require_once("legacy_bindings.inc");
use OPNsense\Core\Config;
global $config;
$configObj = Config::getInstance()->object();
$hostname = $configObj->system->hostname;
$fqdn = $hostname . "." . $configObj->system->domain;
if (isset($configObj->OPNsense->ssoproxyad)) {
foreach ($configObj->OPNsense->ssoproxyad->general as $ssoproxyad) {
$enabled = $ssoproxyad->Enabled;
$domainname = $ssoproxyad->DomainName;
$domaindc = $ssoproxyad->DomainDC;
$domainversion = $ssoproxyad->DomainVersion;
$domainuser = $ssoproxyad->DomainUser;
$domainpassword = $ssoproxyad->DomainPassword;
}
}
$keytab = '/usr/local/etc/ssoproxyad/PROXY.keytab';
$cmd_2003 = '/usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k ' . $keytab . ' --computer-name ' . strtoupper($hostname) . ' --upn HTTP/' . $fqdn. ' --server ' . $domaindc . ' 2>&1';
$cmd_2008 = '/usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k ' . $keytab . ' --computer-name ' . strtoupper($hostname) . ' --upn HTTP/' . $fqdn. ' --server ' . $domaindc . ' --enctypes 28 2>&1';
if ($enabled == 1) {
$krb5secret = '/usr/local/etc/ssoproxyad/krb5secret';
if ( !file_exists($keytab) ) {
file_put_contents($krb5secret, $domainpassword);
chmod($krb5secret, 0600);
exec('/usr/bin/kinit --password-file="' . $krb5secret . '" ' . $domainuser. "@" . strtoupper($domainname) . " 2>&1",$output_kinit,$error_kinit);
if ($error_kinit > 0) {
$return = array('message' => "$output_kinit");
}
else {
if ( $domainversion == '2003' ) {
exec($cmd_2003,$output_msktutil,$error_msktutil);
} elseif ( $domainversion == '2008' ) {
exec($cmd_2008,$output_msktutil,$error_msktutil);
}
if ( (file_exists($keytab)) and ($error_msktutil <= 0) ) {
chown($keytab,'squid');
chgrp($keytab,'squid');
exec("/usr/bin/kdestroy 2>&1",$output_kdestroy,$error_kdestroy);
unlink($krb5secret);
$return = array('message' => "keytab created");
}
else {
$out = implode($output_msktutil);
$return = array('message' => "Unable to create keytab: $out");
}
}
}
else {
$return = array('message' => "keytab already exists");
}
}
echo json_encode($return);

45
www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/testConnection.py Executable file
View file

@ -0,0 +1,45 @@
#!/usr/local/bin/python2.7
"""
Copyright (c) 2015 Ad Schellevis
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------------
perform some tests for the helloworld application
"""
import os
import socket
import json
ssoproxyad_config = '/usr/local/etc/ssoproxyad/krb5.conf'
result = {}
if os.path.exists(ssoproxyad_config):
result['message'] = 'test ok!'
else:
# no config
result['message'] = 'no configuration file found'
print (json.dumps(result))

66
www/web-proxy-sso/src/opnsense/scripts/OPNsense/SSOProxyAD/updateDomain.php Executable file
View file

@ -0,0 +1,66 @@
#!/usr/local/bin/php
<?php
/**
* Copyright (C) 2016 gitdevmod@github.com
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
// Use legacy code to export certificates to the filesystem.
require_once("config.inc");
require_once("certs.inc");
require_once("legacy_bindings.inc");
use OPNsense\Core\Config;
global $config;
$configObj = Config::getInstance()->object();
$hostname = $configObj->system->hostname;
$fqdn = $hostname . "." . $configObj->system->domain;
if (isset($configObj->OPNsense->ssoproxyad)) {
foreach ($configObj->OPNsense->ssoproxyad->general as $ssoproxyad) {
$enabled = $ssoproxyad->Enabled;
}
}
if ($enabled == 1) {
$keytab = '/usr/local/etc/ssoproxyad/PROXY.keytab';
if ( file_exists($keytab) ) {
$cmd = '/usr/local/sbin/msktutil --auto-update --computer-name ' . strtolower($hostname) . ' --keytab ' . $keytab . ' 2>&1';
exec($cmd,$output_msktutil,$error_msktutil);
$out = implode($output_msktutil);
if ($error_msktutil > 0) {
$return = array('message' => "Unable to auto-update: $out)");
}
else {
$return = array('message' => "Auto-update successful: $out");
}
}
else {
$return = array('message' => "keytab do not exists");
}
}
echo json_encode($return);

17
www/web-proxy-sso/src/opnsense/service/conf/actions.d/actions_ssoproxyad.conf Normal file
View file

@ -0,0 +1,17 @@
[test]
command:/usr/local/opnsense/scripts/OPNsense/SSOProxyAD/testConnection.py
parameters:
type:script_output
message:SSO Proxy AD module test
[joinDomain]
command:/usr/local/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php
parameters:
type:script_output
message:SSO Proxy AD module join AD domain
[updateDomain]
command:/usr/local/opnsense/scripts/OPNsense/SSOProxyAD/updateDomain.php
parameters:
type:script_output
message:SSO Proxy AD module update AD domain

1
www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/+TARGETS Normal file
View file

@ -0,0 +1 @@
krb5.conf:/usr/local/etc/ssoproxyad/krb5.conf

33
www/web-proxy-sso/src/opnsense/service/templates/OPNsense/SSOProxyAD/krb5.conf Normal file
View file

@ -0,0 +1,33 @@
{% if helpers.exists('OPNsense.ssoproxyad.general') and OPNsense.ssoproxyad.general.Enabled|default("0") == "1" %}
[libdefaults]
default_realm = {{ OPNsense.ssoproxyad.general.DomainName|upper }}
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /usr/local/etc/ssoproxyad/PROXY.keytab
{% if helpers.exists('OPNsense.ssoproxyad.general.DomainVersion') and OPNsense.ssoproxyad.general.DomainVersion == '2003' %}
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
{% endif %}
{% if helpers.exists('OPNsense.ssoproxyad.general.DomainVersion') and OPNsense.ssoproxyad.general.DomainVersion == '2008' %}
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
{% endif %}
[realms]
{{ OPNsense.ssoproxyad.general.DomainName|upper }} = {
kdc = {{ OPNsense.ssoproxyad.general.DomainDC|lower }}.{{ OPNsense.ssoproxyad.general.DomainName|lower }}
admin_server = {{ OPNsense.ssoproxyad.general.DomainDC|lower }}.{{ OPNsense.ssoproxyad.general.DomainName|lower }}
default_domain = {{ OPNsense.ssoproxyad.general.DomainName|lower }}
}
[domain_realm]
.{{ OPNsense.ssoproxyad.general.DomainName|lower }} = {{ OPNsense.ssoproxyad.general.DomainName|upper }}
{{ OPNsense.ssoproxyad.general.DomainName|lower }} = {{ OPNsense.ssoproxyad.general.DomainName|upper }}
{% endif %}