Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2886 → Rev 2885

/scripts/alcasar-test-debug-conup.sh
4,7 → 4,7
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
 
# Retrieve 3 ALCASAR special radius attributes (search order : default group, then user's group, then user)
# Retrieve alcasar special radius attributes
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) UNION \
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ORDER BY ug.priority ) UNION \
18,8 → 18,8
echo "USER_NAME = $USER_NAME; filter = $filter; filterproto = $filterProto; statusOpenRequired = $statusOpenRequired";
 
# If status page isn't required :
# -add user_IP with the flag 'PERM' in /tmp/current_users.txt
# -add user_@MAC as an authenticated (with the same user's attributes)
# -add user_IP with flag PERM in /tmp/current_users.txt
# -add user_@MAC as an authenticated user (until "expiration_date")
if [ "$statusOpenRequired" == '2' ]; then # Status page is not required
echo ""
db_query="SELECT attribute, value FROM ( \
/scripts/alcasar-conup.sh
6,25 → 6,26
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# This script is started by coova after each successfull login
# Ce script est démarré par coova à chaque connexion d'usager (authentification réussi)
# This script is launched by coova after each successfull login
# Ce script est lancé par coova à chaque connexion d'usager (authentification réussi)
 
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
 
if [ -z $FRAMED_IP_ADDRESS ]; then
exit 1
fi
 
# Retrieve 3 alcasar special radius attributes (search order : default group, then user's group, then user)
# Retrieve alcasar special radius attributes
db_query_additionalGroups=''
[ -n "$FILTER_ID" ] && db_query_additionalGroups="( SELECT attribute, value FROM radgroupreply WHERE groupname = '$FILTER_ID' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) UNION "
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) UNION \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) UNION \
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ORDER BY ug.priority ) UNION \
$db_query_additionalGroups \
( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) \
) attrs GROUP BY attribute;"
db_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
db_res=$(mysql -u root -p$(cat $PASSWD_FILE | grep ^db_root= | cut -d'=' -f2-) -D radius -e "$db_query" -Ns)
 
filter=$(echo "$db_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
52,13 → 53,10
set_filterProto="proto_0";
fi
 
# Add user to his IPSET
ipset add $set_filter $FRAMED_IP_ADDRESS
ipset add $set_filterProto $FRAMED_IP_ADDRESS
 
# If status page isn't required :
# -add user_IP with flag PERM in /tmp/current_users.txt (watchdog remove these @IP at midnight)
# if the user has the "Expiration" attribute, add its @MAC as an authenticated user (with the same user's attributes)
# If status page isn't required, add user_IP with flag PERM in /tmp/current_users.txt
if [ "$statusPageRequired" == '2' ]; then # Status page is not required
current_users_file="/tmp/current_users.txt"
if [ ! -e $current_users_file ]; then
68,7 → 66,7
fi
 
#############################
## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter + Alcasar-Status-Page-Must-Stay-Open).
## Debug : show all the coova parse variables (+ $set_filter + $set_filterProto).
## see "/src/chilli.c" for the complete list of parse variables
#debug_file="/tmp/debug-conup.txt"
#echo "-----------------------------------------------" >> $debug_file
84,8 → 82,8
# fi
#done
#echo >> $debug_file
#echo "ALCASAR-Filter : $set_filter" >> $debug_file
#echo "ALCASAR-Protocols-Filter : $set_filterProto" >> $debug_file
#echo "Alcasar-Status-Page-Must-Stay-Open : $statusPageRequired" >> $debug_file
#echo "set_filter : $set_filter" >> $debug_file
#echo "set_filterProto : $set_filterProto" >> $debug_file
#echo "statusPageRequired : $statusPageRequired" >> $debug_file
## END DEBUG
#################################
/scripts/alcasar-watchdog.sh
124,14 → 124,10
lan_test
exit 0
;;
--disconnect-permanent-users)
/bin/sed -i '/PERM/d' $current_users_file
exit 0
;;
*)
lan_test
# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)
# process each equipment known by chilli
# process each equipment known by chilli to check if IP address is usurped (with arping)
for system in `/usr/sbin/chilli_query list | grep -v "0\.0\.0\.0"`
do
active_ip=`echo $system |cut -d" " -f2`
138,6 → 134,7
active_session=`echo $system |cut -d" " -f5`
active_mac=`echo $system | cut -d" " -f1`
active_user=`echo $system |cut -d" " -f6`
# We disconnect inactive user here :
# We check if the user isn't an auth @MAC and if he is still connected
if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then
if [ -e $current_users_file ]; then
/scripts/alcasar-condown.sh
6,24 → 6,25
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# This script is started by coova after each logout
# This script is launched by coova after each logout
# Ce script est lancé par coova à chaque déconnexion d'usager
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
 
if [ -z $FRAMED_IP_ADDRESS ]; then
exit 1
fi
 
# Retrieve 2 alcasar special radius attributes (search order : default group, then user's group, then user)
# Remove user from his IPSET
db_query_additionalGroups='' # before alcasar-3.4, filter types was in "FILTER_ID" attribute
[ -n "$FILTER_ID" ] && db_query_additionalGroups="( SELECT attribute, value FROM radgroupreply WHERE groupname = '$FILTER_ID' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ) UNION "
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ) UNION \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ) UNION \
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ORDER BY ug.priority ) UNION \
$db_query_additionalGroups \
( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ) \
) attrs GROUP BY attribute;"
db_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
db_res=$(mysql -u root -p$(cat $PASSWD_FILE | grep ^db_root= | cut -d'=' -f2-) -D radius -e "$db_query" -Ns)
 
filter=$(echo "$db_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
48,7 → 49,6
set_filterProto="proto_0";
fi
 
# Remove user from his IPSET
ipset del $set_filter $FRAMED_IP_ADDRESS
ipset del $set_filterProto $FRAMED_IP_ADDRESS
 
57,7 → 57,7
[ -e $current_users_file ] && sed -i "/^$FRAMED_IP_ADDRESS:/d" $current_users_file
 
#############################
## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter).
## Debug : show all the coova parse variables (+ $set_filter + $set_filterProto).
## see "/src/chilli.c" for the complete list of parse variables
#debug_file="/tmp/debug-condown.txt"
#echo "-----------------------------------------------" >> $debug_file
73,7 → 73,7
# fi
#done
#echo >> $debug_file
#echo "ALCASAR-Filter : $set_filter" >> $debug_file
#echo "ALCASAR-Protocols-Filter : $set_filterProto" >> $debug_file
#echo "set_filter : $set_filter" >> $debug_file
#echo "set_filterProto : $set_filterProto" >> $debug_file
## END Debug
#################################
/alcasar.sh
1808,17 → 1808,15
cat <<EOF > /etc/cron.d/alcasar-watchdog
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
@daily root $DIR_DEST_BIN/alcasar-watchdog.sh --disconnect-permanent-users > /dev/null 2>&1
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
EOF
cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
# start dead daemons (after boot process and every 20')
# start dead daemons (after boot process and every 18')
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
*/20 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
EOF
cat <<EOF > /etc/cron.d/alcasar-rsync-bl
# Automatic update the BL (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1833,7 → 1831,7
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
EOF
cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
# Remove netflow files older than one year (daily --> see "cron.daily")
# Remove netflow files older than one year
@daily root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/live/alcasar_netflow -t 365d
EOF
# removing the users crons