login.php
<?php
// login.php
// This is a simple implementation of a script that
// receives a user's credentials, authenticates the
// credentials, selects an access control role for
// the user, then redirects the user back to the
// controller using a signed URL containing the selected
// access control role.
// This script assumes that the credentials are
// submitted on the form created by the example script
// net-auth.php.
//
//
// Assumptions
// ===========
// 1. The controller is configured to include its IP address
// and port in the redirection URL and the submitted login
// form contains that IP address and port. This allows the
// ECP to interact with more than one controller.
// 2. Whether the script uses HTTP or HTTPS in its redirection
// response depends on the value of use_https,
// which must be defined in php.ini.
// If the value of use_https is 1, then the script uses
// HTTPS. If the configuration variable has any other value
// or is not defined, then the script uses HTTP. In practice,
// an actual site is going to settle on using HTTP or HTTPS.
// The scripts can then assume that method is being used
// rather than looking up the method in php.ini.
// use_https is a user-defined variable that must be created in
// php.ini by the web server administrator.
require_once("ffecp_config.php");
require_once("crypt_aws_s4.php");
require_once("common_utilities.php");
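// Some local constants
const EWC_HTTP_REQ = "http://";
const EWC_HTTPS_REQ = "https://";
const EWC_REDIRECT_TARGET = "/ext_approval.php?";
// The mainline begins here. The utilities are defined after the
// mainline.
// 1. Collect the parameters submitted on the login form.
// Some of these attributes come from hidden fields.
// Every field is read through the same helper so that a missing
// field yields "" instead of an undefined-index warning, and a
// non-string value (e.g. "hwc_port[]=80") is rejected instead of
// being handed to trim(), which throws a TypeError on PHP 8.
// NOTE(review): $_REQUEST also merges cookie values; if the login
// form is always POSTed, reading $_POST here would be stricter.
$ecpFormValue = function ($name) {
    if (!isset($_REQUEST[$name]) || !is_string($_REQUEST[$name])) {
        return "";
    }
    return trim($_REQUEST[$name]);
};
$hwc_ip = $ecpFormValue('hwc_ip');
$hwc_port = $ecpFormValue('hwc_port');
$dest = $ecpFormValue('dest');
$token = $ecpFormValue('token');
$username = $ecpFormValue('userid');
$passwd = $ecpFormValue('passwd');
$wlan = $ecpFormValue('wlan');
// The controller address and port come from hidden form fields, so
// they are under the control of whoever submits the form. They become
// the host part of the signed redirect URL (which also carries the
// user name), so restrict them to a plain IPv4 address or host name
// and a valid port number before anything is built from them.
// IPv6 literals are not accepted because makeUnsignedUrl() does not
// bracket them. A production deployment should additionally check
// hwc_ip against its own list of known controllers (not shown in
// this example).
$hostPattern = '/^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    . '(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/';
if (!tokenCheck($token)) {
    printError("Error: <span style='color:red'>Failed to process the request: incorrect token.</span>");
    exit;
}
if (1 !== preg_match($hostPattern, $hwc_ip)) {
    printError("Error: <span style='color:red'>Failed to process the request: incorrect controller address.</span>");
    exit;
}
// Digits only and within the TCP port range; is_numeric() would also
// accept forms such as "8e1" or "80.5".
if (1 !== preg_match('/^[0-9]{1,5}$/', $hwc_port)
    || (int) $hwc_port < 1 || (int) $hwc_port > 65535) {
    printError("Error: <span style='color:red'>Failed to process the request: incorrect port.</span>");
    exit;
}
// The WLAN id is optional; when present it must be a plain integer.
if ("" !== $wlan && 1 !== preg_match('/^[0-9]+$/', $wlan)) {
    printError("Error: <span style='color:red'>Failed to process the request: incorrect WLAN.</span>");
    exit;
}
// For this example the maximum duration of any user's
// session will be 36000 seconds. The session is terminated
// no later than this time. After the session is terminated,
// the user can access the network but will be unauthenticated
// again.
$max_duration = 36000;
// 2. Authenticate the user and select an appropriate role.
// Selecting the role is optional. If a role is not specified
// for the controller, the controller will apply the default
// authenticated role of the WLAN Service that the user is
// accessing.
$assigned_role = authenticate($username, $passwd);
if (false === $assigned_role) {
    // Failed to authenticate the user.
    // authenticate() prints the error message for
    // the browser; nothing more to do here.
    exit;
}
// 3. Tell the controller that the user is authenticated,
// and tell it which role to apply to the user.
// 3.a Build the URL that needs to be signed.
$pUrl = makeUnsignedUrl($hwc_ip, $hwc_port, isHttps(), $token,
    $username, $wlan, $assigned_role, $dest,
    $max_duration);
// 3.b Sign the URL. Otherwise, the role and session
// duration options will be ignored by the controller.
$redirection = SimpleAws::createPresignedUrl(
    $pUrl, 'BigAuthInc', $awsKeyPairs['BigAuthInc'],
    $awsConfig['region'], $awsConfig['service'],
    $awsConfig['expires']);
// Explicit failure values instead of a loose "null ==" test, which
// would also match 0 and an empty array.
if ($redirection === null || $redirection === false || $redirection === "") {
    // Quietly exit. createPresignedUrl has already
    // reported an error to the browser.
    exit;
}
header('Location: ' . $redirection);
exit;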
// End of mainline.
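/**
 * Validates the user's credentials and returns the role to apply
 * to the user. In some cases this routine might also return the
 * maximum session duration in seconds.
 *
 * For purposes of this example the procedure is little more than a
 * stub: any non-empty user name and password is accepted and mapped
 * to the 'Guest_Access' role. The stub can be replaced by any
 * authentication method, such as sending access requests to a
 * backend RADIUS server or performing a lookup in an application
 * credential database.
 *
 * @param string $userid User name submitted on the login form (already trimmed)
 * @param string $passwd Password submitted on the login form (already trimmed)
 * @return string|false Name of the role to apply, or false when the
 *                      credentials are rejected; in that case the error
 *                      page has already been printed and the caller only
 *                      needs to exit.
 */
function authenticate($userid, $passwd) {
    // Cast before the strict comparison so that null/false count as
    // empty; the loose "" == $x form behaves differently for non-string
    // values between PHP 7 and PHP 8.
    if ("" === (string) $userid || "" === (string) $passwd) {
        printError("Invalid Userid or Password. ".
            "Please press the 'Back' button and try again.");
        // If you generate another login page for the user,
        // be sure to copy the hwc_ip address, hwc_port,
        // token and dest attributes from the submitted
        // login form to the login page.
        return false;
    }
    // Return the name of a role to be applied to the station.
    // The role must be defined on the controller or it will
    // substitute the default authenticated role of the VNS that
    // the user is logging into. For purposes of this example,
    // assume all authenticated users get the 'Guest_Access' role.
    return "Guest_Access";
}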
/**
 * Decides whether the redirect to the controller uses HTTP or HTTPS.
 *
 * This example reads the user-defined php.ini variable use_https:
 * the redirect is HTTPS only when that variable is set and compares
 * equal to 1; an unset variable or any other value means HTTP.
 * The redirect URL built by makeUnsignedUrl() carries the user name
 * as a query parameter, so a real deployment is expected to use HTTPS.
 *
 * @return bool true for HTTPS, false for HTTP
 */
function isHttps() {
    $setting = get_cfg_var('use_https');
    // An unset variable (get_cfg_var returns false) or a falsy
    // value such as "0" selects HTTP.
    if (!$setting) {
        return false;
    }
    return $setting == 1;
}
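/**
 * Assembles the unsigned redirect URL from the input of the user's
 * successful login. The caller signs the result; without a signature
 * the controller ignores the role and session duration options.
 *
 * @param string $hwc_ip IP address or FQDN of the controller. It is used
 *                       verbatim as the URL host, so the caller must have
 *                       validated it; IPv6 literals are not bracketed here.
 * @param int|string $hwc_port Port on the controller that receives the
 *                       redirection. 80 and 443 are omitted from the URL
 *                       whatever the scheme; an empty value is omitted as
 *                       well instead of producing "host:".
 * @param bool $useHttps Whether the redirect uses HTTPS (true) or HTTP (false)
 * @param string $token Identifier for the station's session
 * @param string $username The name the station's user logged in with
 * @param int|string $wlanid Identifier for the WLAN the station is using
 * @param string $assigned_role Name of the access control role to assign
 * @param string $dest The URL the station was trying to get to
 * @param int $max_duration The maximum length of the station's session in seconds
 * @return string The unsigned URL
 */
function makeUnsignedUrl($hwc_ip, $hwc_port, $useHttps, $token,
                         $username, $wlanid, $assigned_role, $dest,
                         $max_duration) {
    $scheme = $useHttps ? EWC_HTTPS_REQ : EWC_HTTP_REQ;
    $redirectUrl = $scheme . $hwc_ip;
    // Append an explicit port only when one is present and it is not
    // 80 or 443. Comparing as integers avoids the loose int-vs-string
    // comparison of the original code.
    $port = (int) $hwc_port;
    if ("" !== (string) $hwc_port && 80 !== $port && 443 !== $port) {
        $redirectUrl .= ":" . $port;
    }
    // Every query value is URL-encoded; the controller decodes them.
    $query = 'token=' . rawurlencode($token)
        . '&wlan=' . rawurlencode($wlanid)
        . '&username=' . rawurlencode($username);
    if (is_not_empty($dest)) {
        $query .= '&dest=' . rawurlencode($dest);
    }
    if (is_not_empty($assigned_role)) {
        $query .= '&role=' . rawurlencode($assigned_role);
    }
    if (is_not_empty($max_duration)) {
        // opt27 carries the session duration; encode it like the
        // other parameters instead of concatenating it raw.
        $query .= '&opt27=' . rawurlencode((string) $max_duration);
    }
    return $redirectUrl . EWC_REDIRECT_TARGET . $query;
}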
?>