Merge to 4.0.6

inverse-inc · Sep 5, 2013 · 3c8afb4 · 3c8afb4
2 parents 4e50773 + 08679b4
commit 3c8afb4
Show file tree

Hide file tree

Showing 125 changed files with 5,428 additions and 1,121 deletions.
diff --git a/ChangeLog b/ChangeLog
diff --git a/NEWS.asciidoc b/NEWS.asciidoc
@@ -11,6 +11,49 @@ This is a list of noteworthy changes across releases.
 For more details and developer visible changes see the ChangeLog file.
 For a list of compatibility related changes see the UPGRADE.asciidoc file.
 
+Version 4.0.6 released on 2013-09-05
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+New Features
+++++++++++++
+
+* New Polish (pl_PL) translation (thanks to Maciej Uhlig <[email protected]>)
+
+Enhancements
+++++++++++++
+
+* Improved display of filters and sources (DynamicTable) in portal profile editor
+* Ensure the VLAN naming scheme is set on start up
+* When no authentication source is associated to the default portal profile, all available sources are used
+* Phone number is now editable from the user editor
+* Updated fingerprints of gaming devices (Xbox)
+* Moved pfmon to a single process daemon and added the ability to restart itself upon error
+* Added new test tool bin/pftest
+* Improved SQL query in pf::node when matching a valid MAC
+* Allow change of owner in node editor (with auto-completion)
+* iptables management by packetfence is now optional
+* Allow advanced search of users and nodes by notes (#1701)
+* Added better error/warning messages when adding a violation with pfcmd
+* Output the violation id for pfcmd violation add command when the json option is supplied
+
+Bug Fixes
++++++++++
+
+* Fixed XML encoding of RADIUS attributes in SOAP request
+* Fixed retrieval of user role for gaming devices
+* Fixed SQL query of connection types report in Web admin
+* Fixed issue with anonymous LDAP bind failing with searches
+* Fixed email subject when self-registering by email
+* Fixed empty variables of preregistration email template
+* Fixed detection of guest-only authentication sources when no source is associated to the portal
+* Fixed stylesheet for Firefox and IE when printing user access credentials
+* Fixed display of IP address in advanced search of nodes
+* Fixed advanced search of nodes by violation
+* Fixed advanced search of users by sponsor
+* Fixed various caching issues
+* Fixed various logged warnings
+* Fixed various authentication issues (#1693, #1695)
+
 Version 4.0.5-2 released on 2013-08-12
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/UPGRADE.asciidoc b/UPGRADE.asciidoc
@@ -5,6 +5,18 @@ http://www.packetfence.org/
 
 Notes on upgrading from an older release.
 
+Upgrading from a version prior to 4.0.6
+---------------------------------------
+
+Changes to authentication API
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The method pf::authentication::authenticate now expects an array of pf::authentication::Source objects
+instead of an array of source IDs.
+
+The methods getSourceByType, getInternalSources, and getExternalSources of the module pf::Portal::Profile
+now return pf::authentication::Source objects instead of source IDs.
+
 Upgrading from a version prior to 4.0.5
 ---------------------------------------
 

diff --git a/addons/packages/packetfence.spec b/addons/packages/packetfence.spec
@@ -66,8 +66,7 @@ BuildRequires: perl(Parse::RecDescent)
 
 PacketFence is an open source network access control (NAC) system.
 It can be used to effectively secure networks, from small to very large
-heterogeneous networks. PacketFence provides features such
-as
+heterogeneous networks. PacketFence provides features such as
 * registration of new network devices
 * detection of abnormal network activities
 * isolation of problematic devices
@@ -220,6 +219,8 @@ Requires: perl(File::Flock)
 Requires: perl(Perl::Version)
 Requires: perl(Cache::FastMmap)
 Requires: perl(Moo) >= 1.0
+Requires: perl(Term::ANSIColor)
+Requires: perl(IO::Interactive)
 # configuration-wizard
 Requires: iproute, vconfig
 #
@@ -296,7 +297,7 @@ mv pfcmd_pregrammar.pm lib/pf/pfcmd/
 
 # generate translations
 # TODO this is duplicated in debian/rules, we should aim to consolidate in a 'make' style step
-for TRANSLATION in de en es fr he_IL it nl pt_BR; do 
+for TRANSLATION in de en es fr he_IL it nl pl_PL pt_BR; do
     /usr/bin/msgfmt conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.po \
       --output-file conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.mo
 done
@@ -640,6 +641,7 @@ fi
 %dir                    /usr/local/pf/bin
 %attr(0755, pf, pf)     /usr/local/pf/bin/pfcmd.pl
 %attr(0755, pf, pf)     /usr/local/pf/bin/pfcmd_vlan
+%attr(0755, pf, pf)     /usr/local/pf/bin/pftest
 %doc                    /usr/local/pf/ChangeLog
 %dir                    /usr/local/pf/conf
 %config(noreplace)      /usr/local/pf/conf/authentication.conf
@@ -648,7 +650,6 @@ fi
 %config                 /usr/local/pf/conf/documentation.conf
 %config(noreplace)      /usr/local/pf/conf/floating_network_device.conf
 %config(noreplace)      /usr/local/pf/conf/guest-managers.conf
-%config(noreplace)      /usr/local/pf/conf/profiles.conf
 %dir                    /usr/local/pf/conf/locale
 %dir                    /usr/local/pf/conf/locale/de
 %dir                    /usr/local/pf/conf/locale/de/LC_MESSAGES
@@ -678,6 +679,10 @@ fi
 %dir                    /usr/local/pf/conf/locale/nl/LC_MESSAGES
 %config(noreplace)      /usr/local/pf/conf/locale/nl/LC_MESSAGES/packetfence.po
 %config(noreplace)      /usr/local/pf/conf/locale/nl/LC_MESSAGES/packetfence.mo
+%dir                    /usr/local/pf/conf/locale/pl_PL
+%dir                    /usr/local/pf/conf/locale/pl_PL/LC_MESSAGES
+%config(noreplace)      /usr/local/pf/conf/locale/pl_PL/LC_MESSAGES/packetfence.po
+%config(noreplace)      /usr/local/pf/conf/locale/pl_PL/LC_MESSAGES/packetfence.mo
 %dir                    /usr/local/pf/conf/locale/pt_BR
 %dir                    /usr/local/pf/conf/locale/pt_BR/LC_MESSAGES
 %config(noreplace)      /usr/local/pf/conf/locale/pt_BR/LC_MESSAGES/packetfence.po
@@ -688,11 +693,8 @@ fi
 %config(noreplace)      /usr/local/pf/conf/networks.conf
 %config                 /usr/local/pf/conf/openssl.cnf
 %config                 /usr/local/pf/conf/oui.txt
-#%config(noreplace)      /usr/local/pf/conf/pf.conf
 %config                 /usr/local/pf/conf/pf.conf.defaults
                         /usr/local/pf/conf/pf-release
-%config(noreplace)      /usr/local/pf/conf/profiles.conf
-#%config                 /usr/local/pf/conf/services.conf
 %dir			/usr/local/pf/conf/radiusd
 %config(noreplace)	/usr/local/pf/conf/radiusd/eap.conf
 %config(noreplace)	/usr/local/pf/conf/radiusd/radiusd.conf
@@ -716,6 +718,7 @@ fi
 %config(noreplace)      /usr/local/pf/conf/iptables.conf
 %config(noreplace)      /usr/local/pf/conf/listener.msg
 %config(noreplace)      /usr/local/pf/conf/popup.msg
+%config(noreplace)      /usr/local/pf/conf/profiles.conf
 %config(noreplace)      /usr/local/pf/conf/snmptrapd.conf
 %config(noreplace)      /usr/local/pf/conf/snort.conf
 %config(noreplace)      /usr/local/pf/conf/snort.conf.pre_snort-2.8
@@ -846,6 +849,9 @@ fi
 %attr(6755, root, root) /usr/local/pf/bin/pfcmd
 
 %changelog
+* Thu Sep 5 2013 Francis Lachapelle <[email protected]> - 4.0.6-1
+- New release 4.0.6
+
 * Fri Aug 9 2013 Francis Lachapelle <[email protected]> - 4.0.5-1
 - New release 4.0.5
 

diff --git a/bin/pfcmd.pl b/bin/pfcmd.pl
@@ -278,7 +278,7 @@ sub manage {
     } elsif ( $option eq "vopen" ) {
         return 3 if ( !$id );
         require pf::violation;
-        print pf::violation::violation_add( $mac, $id );
+        print (pf::violation::violation_add( $mac, $id ) ? 1 : 0);
     }
     require pf::enforcement;
     pf::enforcement::reevaluate_access( $mac, $function );
@@ -1269,11 +1269,13 @@ sub service {
             }
         }
         if ( $nb_running_services == 0 ) {
-            $logger->info("saving current iptables to var/iptables.bak");
-            require pf::inline::custom;
-            my $iptables = pf::inline::custom->new();
-            my $technique = $iptables->{_technique};
-            $technique->iptables_save( $install_dir . '/var/iptables.bak' );
+            if(isenabled($Config{services}{iptables})) {
+                $logger->info("saving current iptables to var/iptables.bak");
+                require pf::inline::custom;
+                my $iptables = pf::inline::custom->new();
+                my $technique = $iptables->{_technique};
+                $technique->iptables_save( $install_dir . '/var/iptables.bak' );
+            }
         }
     }
 
@@ -1283,11 +1285,13 @@ sub service {
         require pf::os;
         pf::os::import_dhcp_fingerprints();
         pf::services::read_violations_conf();
-        print "iptables|$command\n";
-        require pf::inline::custom;
-        my $iptables = pf::inline::custom->new();
-        my $technique = $iptables->{_technique};
-        $technique->iptables_generate();
+        if(isenabled($Config{services}{iptables})) {
+            print "iptables|$command\n";
+            require pf::inline::custom;
+            my $iptables = pf::inline::custom->new();
+            my $technique = $iptables->{_technique};
+            $technique->iptables_generate();
+        }
     }
 
     foreach my $srv (@services) {
@@ -1310,10 +1314,12 @@ sub service {
             }
         }
         if ( $nb_running_services == 0 ) {
-            require pf::inline::custom;
-            my $iptables = pf::inline::custom->new();
-            my $technique = $iptables->{_technique};
-            $technique->iptables_restore( $install_dir . '/var/iptables.bak' );
+            if(isenabled($Config{services}{iptables})) {
+                require pf::inline::custom;
+                my $iptables = pf::inline::custom->new();
+                my $technique = $iptables->{_technique};
+                $technique->iptables_restore( $install_dir . '/var/iptables.bak' );
+            }
         } else {
             if ( lc($service) eq 'pf' ) {
                 $logger->error(
@@ -1924,9 +1930,23 @@ sub command_param {
         if (!exists(&{$main::{$function}})) {
             print "No such sub: $function at line ".__LINE__.".\n";
         } else {
+            require JSON;
+            my $output  = $cmd{$options}[3];
             # execute coderef main::$function sub
             $logger->info( "pfcmd calling $function for " . $params{mac} );
-            &{$main::{$function}}($params{mac}, $params{vid}, %params);
+            my ($result) = &{$main::{$function}}($params{mac}, $params{vid}, %params);
+            if(defined $output && $output eq 'json') {
+                my %json;
+                $json{'id'} = $result if $result > 0;
+                $json{'warnings'} = [violation_last_warnings()];
+                $json{'errors'} = [violation_last_errors()];
+                print JSON::to_json(\%json);
+            } else {
+                my @warnings = violation_last_warnings();
+                my @errors = violation_last_errors();
+                print STDERR join("\n","Warnings:",@warnings),"\n" if @warnings;
+                print STDERR join("\n","Errors:",@errors),"\n" if @errors;
+            }
         }
     } else {
         if ( $function eq "violation_delete" ) {

diff --git a/bin/pftest b/bin/pftest
@@ -0,0 +1,50 @@
+#!/usr/bin/perl
+=head1 NAME
+
+pftest.pl
+
+=cut
+
+=head1 DESCRIPTION
+
+The driver script for pftest
+
+=cut
+
+use strict;
+use warnings;
+use FindBin qw($Bin);
+use lib "$Bin/../lib";
+
+use pf::pftest;
+exit pf::pftest->new({args => \@ARGV})->run();
+
+=head1 AUTHOR
+
+Inverse inc. <[email protected]>
+
+Minor parts of this file may have been contributed. See CREDITS.
+
+=head1 COPYRIGHT
+
+Copyright (C) 2005-2013 Inverse inc.
+
+=head1 LICENSE
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+USA.
+
+=cut
+
diff --git a/conf/authentication.conf b/conf/authentication.conf
@@ -9,9 +9,8 @@ type=Htpasswd
 
 [file1 rule admins]
 description=All admins
-match=any
+match=all
 action0=set_access_level=4294967295
-condition0=username,equals,admin
 
 [sms]
 description=SMS-based registration
@@ -25,12 +24,23 @@ action0=set_role=guest
 action1=set_access_duration=1D
 
 [email]
-description=Email/sponsor-based registration
+description=Email-based registration
 email_activation_timeout=10m
 type=Email
+allow_localdomain=1
 
 [email rule catchall]
 description=
 match=all
 action0=set_role=guest
 action1=set_access_duration=1D
+
+[sponsor]
+description=Sponsor-based registration
+type=SponsorEmail
+
+[sponsor rule catchall]
+description=
+match=all
+action0=set_role=guest
+action1=set_access_duration=1D
diff --git a/conf/documentation.conf b/conf/documentation.conf
@@ -25,7 +25,7 @@ EOT
 
 [general.locale]
 type=multi
-options=de_DE|en_US|es_ES|fr_FR|he_IL|it_IT|nl_NL|pt_BR
+options=de_DE|en_US|es_ES|fr_FR|he_IL|it_IT|nl_NL|pt_BR|pl_PL
 description=<<EOT
 Locale used for message translation. More than one can be specified.
 EOT
@@ -119,6 +119,13 @@ description=<<EOT
 Should radiusd be managed by PacketFence?
 EOT
 
+[services.iptables]
+type=toggle
+options=enabled|disabled
+description=<<EOT
+Should iptables be managed by PacketFence? Keep enabled unless you know what you're doing.
+EOT
+
 [services.httpd_binary]
 type=text
 description=<<EOT

diff --git a/conf/httpd.conf.d/captive-portal-cleanurls.conf b/conf/httpd.conf.d/captive-portal-cleanurls.conf
@@ -6,27 +6,27 @@
 # template variables described in pf::web::constants
 
 # normal flow
-RewriteRule ^%%URL_ACCESS%%$                /cgi-perl/register.cgi?mode=release [PT,QSA]
-RewriteRule ^%%URL_AUTHENTICATE%%$          /cgi-perl/register.cgi [PT]
-RewriteRule ^%%URL_AUP%%$                   /cgi-perl/register.cgi?mode=aup [PT,QSA]
-RewriteRule ^%%URL_BILLING%%$               /cgi-perl/billing-engine.cgi [PT]
-RewriteRule ^%%URL_CAPTIVE_PORTAL%%$        /cgi-perl/redir.cgi [PT]
-RewriteRule ^%%URL_ENABLER%%$               /cgi-perl/redir.cgi?enable_menu=1 [PT,QSA]
-RewriteRule ^%%URL_OAUTH2%%                 /cgi-perl/oauth2.cgi$1 [PT,QSA]
-RewriteRule ^%%URL_OAUTH2_FACEBOOK%%        /cgi-perl/oauth2.cgi?result=facebook$1 [PT,QSA]
-RewriteRule ^%%URL_OAUTH2_GITHUB%%          /cgi-perl/oauth2.cgi?result=github$1 [PT,QSA]
-RewriteRule ^%%URL_OAUTH2_GOOGLE%%          /cgi-perl/oauth2.cgi?result=google$1 [PT,QSA]
-RewriteRule ^%%URL_REMEDIATION%%            /cgi-perl/remediation.cgi [PT]
-RewriteRule ^%%URL_RELEASE%%$               /perl/release [PT]
-RewriteRule ^%%URL_WIRELESS_PROFILE%%$      /cgi-perl/wireless-profile.cgi [PT]
-RewriteRule ^%%URL_GAMING_REGISTRATION%%$   /cgi-perl/register-gaming-device.cgi [PT]
+RewriteRule ^%%URL_ACCESS%%$                              /cgi-perl/register.cgi?mode=release [PT,QSA]
+RewriteRule ^%%URL_AUTHENTICATE%%$                        /cgi-perl/register.cgi [PT]
+RewriteRule ^%%URL_AUP%%$                                 /cgi-perl/register.cgi?mode=aup [PT,QSA]
+RewriteRule ^%%URL_BILLING%%$                             /cgi-perl/billing-engine.cgi [PT]
+RewriteRule ^%%URL_CAPTIVE_PORTAL%%$                      /cgi-perl/redir.cgi [PT]
+RewriteRule ^%%URL_ENABLER%%$                             /cgi-perl/redir.cgi?enable_menu=1 [PT,QSA]
+RewriteRule ^%%URL_OAUTH2%%                               /cgi-perl/oauth2.cgi$1 [PT,QSA]
+RewriteRule ^%%URL_OAUTH2_FACEBOOK%%                      /cgi-perl/oauth2.cgi?result=facebook$1 [PT,QSA]
+RewriteRule ^%%URL_OAUTH2_GITHUB%%                        /cgi-perl/oauth2.cgi?result=github$1 [PT,QSA]
+RewriteRule ^%%URL_OAUTH2_GOOGLE%%                        /cgi-perl/oauth2.cgi?result=google$1 [PT,QSA]
+RewriteRule ^%%URL_REMEDIATION%%                          /cgi-perl/remediation.cgi [PT]
+RewriteRule ^%%URL_RELEASE%%$                             /perl/release [PT]
+RewriteRule ^%%URL_WIRELESS_PROFILE%%$                    /cgi-perl/wireless-profile.cgi [PT]
+RewriteRule ^%%URL_GAMING_REGISTRATION%%$                 /cgi-perl/register-gaming-device.cgi [PT]
 
 # guest related
 # /signup detects if user is local or remote and performs adequate guest [pre-]registration
-RewriteRule ^%%URL_SIGNUP%%$                        %%CGI_SIGNUP%% [PT]
+RewriteRule ^%%URL_SIGNUP%%$                              %%CGI_SIGNUP%% [PT]
 # /preregister forces pre-registration
-RewriteRule ^%%URL_PREREGISTER%%$                   %%CGI_SIGNUP%%?preregistration=forced$1 [PT,QSA]
+RewriteRule ^%%URL_PREREGISTER%%$                         %%CGI_SIGNUP%%?preregistration=forced$1 [PT,QSA]
 # /activate/email/<code> confirms your email address
 RewriteRule ^%%URL_EMAIL_ACTIVATION_LINK%%/([0-9a-z]+)$   %%CGI_EMAIL_ACTIVATION%%?code=$1 [PT,QSA]
-RewriteRule ^%%URL_EMAIL_ACTIVATION%%([0-9a-z]+)$   %%CGI_EMAIL_ACTIVATION%%?code=$1 [PT,QSA]
-RewriteRule ^%%URL_SMS_ACTIVATION%%$                /cgi-perl/mobile-confirmation.cgi [PT]
+RewriteRule ^%%URL_EMAIL_ACTIVATION%%([0-9a-z]+)$         %%CGI_EMAIL_ACTIVATION%%?code=$1 [PT,QSA]
+RewriteRule ^%%URL_SMS_ACTIVATION%%$                      /cgi-perl/mobile-confirmation.cgi [PT]