UnivNautes

<?php

function display_saml_tabs($file_name) {

    $tab_array = array();

    $tab_array[] = array(gettext("Service provider"), false, "services_captiveportal_saml_sp.php");

    # $tab_array[] = array(gettext("Identity provider"), false, "services_captiveportal_saml_idp.php");

    $tab_array[] = array(gettext("Federations"), false, "services_captiveportal_saml_federation.php");

    $tab_array[] = array(gettext("Whitelists"), false, "services_captiveportal_saml_whitelist.php");

    $tab_array[] = array(gettext("Blacklists"), false, "services_captiveportal_saml_blacklist.php");

    for ($i = 0; $i < sizeof($tab_array); $i++) {

        if ($tab_array[$i][2] == $file_name) {

            $tab_array[$i][1] = true;

        }

    }

    display_top_tabs($tab_array);

}

?>

function syncbl() {

    echo "sync blacklist in progress (backgrounded)" | logger -p local4.info -t sp/syncblacklists

    (

      cd /usr/local/univnautes/sp/

      ./update-blacklists.sh | logger -p local4.info -t sp/update-blacklists

    ) &

}

    syncbl

import re

from sp import pfconfigxml

COMMENT=re.compile('^\s*($|#)')

    # user blacklist

    try:

        nameid_bl = pfconfigxml.get_blacklists('nameid')

        for line in nameid_bl.splitlines(True):

            if COMMENT.match(line):

                continue

            userbl = line.strip()

            # if the line starts with ~, it's a regex

            if userbl[0] == '~' and re.match(userbl[1::], username):

                request.session['pfsenseid'] = 'BLACKLISTED'

                messages.error(request, u"Connexion refusée (règle dans une liste noire).")

                syslog.openlog("logportalauth", syslog.LOG_PID)

                syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_INFO , "BLACKLISTED-REGEX: %s,,%s" % (username, ip))

                return False

            elif userbl.strip() == username:

                request.session['pfsenseid'] = 'BLACKLISTED'

                messages.error(request, u"Connexion refusée (présent dans une liste noire).")

                syslog.openlog("logportalauth", syslog.LOG_PID)

                syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_INFO , "BLACKLISTED: %s,,%s" % (username, ip))

                return False

    except:

        pass

import sys

def get(key, args):

    elif key == 'blacklist':

        if len(args) > 2:

            print pfconfigxml.get_blacklists(args[2])

        else:

            print >> sys.stderr, 'you need to choose a blacklist (nameid or macadresses)'

            return get(key, args)

def get_blacklists(list_type):

    """

    <blacklists>

        <macaddresses>base64</macaddresses>

	<nameid>base64</nameid>

    </blacklists>

    """

    xml_blacklist = root().find('univnautes/blacklists/%s' % list_type)

    if xml_blacklist is not None and xml_blacklist.text:

        return xml_blacklist.text.decode('base64')

    return ''

              marker.bindPopup('<p>' + name + '</p><p align="center"><a href="/authsaml2/sso?entity_id=' + entityid + '"><button class="connexion">Connexion</button></a></p>');

#!/bin/sh

log() {

    logger -p local4.info -t macblacklist -- "$*"

}

log "update MAC blacklist"

cd /usr/local/univnautes/sp

for ctx in $(./manage.py configxml get cpnames); do

    /sbin/ipfw -x $ctx -fq delete 666

    for MAC in $(./manage.py configxml get blacklist macaddresses | sed 's/#.*$//'); do

        # sanitize

        MAC=`echo $MAC | tr -dc 0-9a-fA-F:`

        if test -n "$MAC"; then

            if /sbin/ipfw -x $ctx -fq add 666 deny MAC $MAC any; then

                log "added: $MAC in $ctx"

            else

                log "ERROR can't add: $MAC (incorrect MAC address ?)"

            fi

        fi

    done

done

exit 0

<?php

/*

	services_captiveportal_saml_sp.php

	part of m0n0wall (http://m0n0.ch/wall)

	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.

	Copyright (C) 2014 Entr'ouvert <info@entrouvert.com>.

	All rights reserved.

	Redistribution and use in source and binary forms, with or without

	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,

	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright

	   notice, this list of conditions and the following disclaimer in the

	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,

	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,

	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

	POSSIBILITY OF SUCH DAMAGE.

*/

/*

	pfSense_MODULE:	captiveportal

*/

##|+PRIV

##|*IDENT=page-services-captiveportal-saml-sp

##|*NAME=Services: Captive portal SAML SP page

##|*DESCR=Allow access to the 'Services: Captive portal SAML SP' page.

##|*MATCH=services_captiveportal_saml_sp.php*

##|-PRIV

require_once("guiconfig.inc");

require_once("functions.inc");

require_once("filter.inc");

require_once("shaper.inc");

require_once("captiveportal.inc");

require_once("captiveportal_saml.inc");

if (!is_array($config['captiveportal']))

	$config['captiveportal'] = array();

$a_cp =& $config['captiveportal'];

if (!is_array($config['univnautes']))

	$config['univnautes'] = array();

$a_un =& $config['univnautes'];

if (!is_array($a_un['blacklists']))

    $a_un['blacklists'] = array(

        'macaddresses' => array(),

        'nameid' => array()

    );

$a_blacklist =& $a_un['blacklists'];

$pconfig['macaddresses'] = base64_decode($a_blacklist['macaddresses']);

$pconfig['nameid'] = base64_decode($a_blacklist['nameid']);

$pgtitle = array(gettext("Services"),gettext("Captive portal"), "SAML 2.0 Blacklists");

$shortcut_section = "captiveportal";

if ($_POST) {

	unset($input_errors);

	$pconfig = $_POST;

	/* input validation */

    $reqdfields = array();

	$reqdfieldsn = array();

	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);

    /* if this is an AJAX caller then handle via JSON */

    if (isAjax() && is_array($input_errors)) {

        input_errors2Ajax($input_errors);

        exit;

    }

	if (!$input_errors) {

		$a_blacklist['macaddresses'] = base64_encode($pconfig['macaddresses']);

		$a_blacklist['nameid'] = base64_encode($pconfig['nameid']);

		/* write config.xml */

		write_config();

		/* reload whitelists */

		mwexec_bg("/usr/local/univnautes/sp/rc.sh syncbl");

		/* back to the page */

		pfSenseHeader("services_captiveportal_saml_blacklist.php");

	}

}

include("head.inc");

?>

<body link="#0000CC" vlink="#0000CC" alink="#0000CC">

<?php include("fbegin.inc"); ?>

<?php if ($input_errors) print_input_errors($input_errors); ?>

<?php if ($savemsg) print_info_box($savemsg); ?>

<form action="services_captiveportal_saml_blacklist.php" method="post" enctype="multipart/form-data" name="iform" id="iform">

<table width="100%" border="0" cellpadding="0" cellspacing="0">

  <tr><td class="tabnavtbl"><?php display_saml_tabs(basename(__FILE__)); ?></td></tr>

  <tr>

  <td class="tabcont">

  <table width="100%" border="0" cellpadding="6" cellspacing="0">

	<tr>

		<td colspan="2" class="list" height="12"></td>

	</tr>

	<tr>

		<td valign="top" class="vncellreq"><?=gettext("Mac addresses"); ?></td>

		<td class="vtable">

        <textarea name="macaddresses" cols="65" rows="4" id="macaddresses" class="formpre"><?=htmlspecialchars($pconfig['macaddresses']);?></textarea>

			<br>

			<?=gettext("List of mac address to ban, one per line."); ?>

		</td>

	</tr>

	<tr>

		<td colspan="2" class="list" height="12"></td>

	</tr>

<tr>

    <td valign="top" class="vncellreq"><?=gettext("SAML NameIDs"); ?></td>

		<td class="vtable">

            <textarea name="nameid" cols="65" rows="4" id="nameid" class="formpre"><?=htmlspecialchars($pconfig['nameid']);?></textarea>

			<br>

			<?=gettext("List of NameID (SAML identifier) to ban, one per line."); ?>

		</td>

	</tr>

	<tr>

	  <td width="22%" valign="top">&nbsp;</td>

	  <td width="78%">

		<?php echo "<input name='zone' id='zone' type='hidden' value='" . htmlspecialchars($cpzone) . "'/>"; ?>

		<input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" onClick="enable_change(true)">

		<a href="services_captiveportal_zones.php"><input name="Cancel" type="button" class="formbtn" value="<?=gettext("Cancel"); ?>" onClick="enable_change(true)"></a>

	  </td>

	</tr>

  </table>

  </td>

  </tr>

  </table>

</form>

<script language="JavaScript">

<!--

enable_change(false);

//-->

</script>

<?php include("fend.inc"); ?>

</body>

</html>

<a href="services_captiveportal_saml_whitelist.php">Whitelist</a> |

<a href="services_captiveportal_saml_blacklist.php">Blacklist</a>