Merge pull request #414 from nodogsplash/v4.0.2beta

V4.0.2beta numerous fixes and enhancements
nodogsplash · Aug 13, 2019 · 5f89da6 · 5f89da6
2 parents 277613f + 30c4d7e
commit 5f89da6
Show file tree

Hide file tree

Showing 10 changed files with 285 additions and 180 deletions.
diff --git a/docs/source/fas.rst b/docs/source/fas.rst
@@ -92,6 +92,8 @@ Example FAS Query strings
 
    `ndsctl json $clientip | grep token | cut -c 10- | cut -c -8`
 
+  A more sophisticated json parser could be used to extract all the client variables supplied by ndsctl, an example can be found in the default PreAuth Login script in /usr/lib/nogogsplash/login.sh.
+
   **Level 2** (fas_secure_enabled = 2), NDS sends enrypted information to FAS.
 
   `http://fasremotefqdn:fasport/faspath?fas=[aes-256-cbc data]&iv=[random initialisation vector]`

diff --git a/docs/source/preauth.rst b/docs/source/preauth.rst
@@ -9,20 +9,29 @@ Overview
 **PreAuth** is a pre-authentication process that enables NDS to directly serve dynamic web content generated by a script or executable program.
 
 .. note::
- From version 3.3.1 onwards, a PreAuth login script is preinstalled. This generates a page asking for username and email address. Logins are recorded in a log file. It is enabled by uncommenting just 3 lines in the config file.
+ From version 3.3.1 onwards, a PreAuth login script is preinstalled. This generates a page asking for username and email address. Logins are recorded in a log file. It is enabled by uncommenting just 3 lines in the config file. **From version 4.0.2 onwards** it is enabled by a single line in the config file that overrides any other FAS configuration. 
 
-**PreAuth is enabled** by configuring NDS FAS to point to a virtual URL in the NDS web root instead of an independent FAS server. In addition, NDS is configured with the location of the PreAuth script or program.
+**PreAuth is enabled** by configuring NDS FAS to point to a virtual URL in the NDS web root instead of an independent FAS server. The location of the PreAuth script or program is provided in the config file.
 
 **The PreAuth script** can be a shell script or any other script type that an interpreter is available for (for example, PHP-cli, Python etc.).
 
 A PreAuth program could be, for example, a compiled program written in C or any other language that has a compiler available for the platform.
 
 The PreAuth script or program will parse the url encoded command line (query string) passed to it and output html depending on the contents of the query string it receives from NDS. In turn, NDS will serve this html to the client device that is attempting to access the Internet.
 
+Using PreAuth version 4.0.2 onwards
+***********************************
+From version 4.0.2 onwards, PreAuth is enabled with a single line in the config files setting "option preauth".
+This option overrides any other FAS configuration and takes the form of the path to the PreAuth script.
+The path to the preinstalled login script is included in option preauth in the default config files, for example in OpenWrt:
 
-Using PreAuth
-*************
-PreAuth is set up using the standard NDS configuration for FAS
+`#option preauth '/usr/lib/nodogsplash/login.sh'`
+
+The "#" symbol means the line is commented. To activate, remove the "#". save and restart Nodogsplash.
+
+Using PreAuth version 3.3.1 to version 4.0.1
+********************************************
+From version 3.3.1 to version 4.0.1, PreAuth is set up using the standard NDS configuration for FAS
 (See the **Forwarding Authentication Service (FAS)** section of this documentation).
 
 In addition a single PreAuth configuration option is required to inform NDS of the location of the PreAuth script or program.
@@ -42,11 +51,11 @@ In OpenWrt this will be of the form
 option preauth /etc/nodogsplash/demo-preauth.sh
 For other Linux distributions this is set in the nodogsplash.conf file.
 
-Enabling the Preinstalled UserName/Email-address Login Script
-*************************************************************
+Enabling the Preinstalled Login Script (v3.3.1 to 4.0.1)
+********************************************************
 
 .. note::
- From version 3.1.1 onwards, this example PreAuth script is preinstalled.
+ From version 3.3.1 onwards, this example PreAuth script is preinstalled.
 
 **Enabling the Preinstalled Script**
 
@@ -70,6 +79,9 @@ For other operating systems edit the equivalent lines in the /etc/nodogsplash/no
 
 After making the change, save the file and restart the router.
 
+What Does the Example Login Script Do?
+**************************************
+
 **This example shell script** generates html output for NDS to serve as a dynamic splash page.
 
 The example asks the client user to enter their name and email address.

diff --git a/forward_authentication_service/PreAuth/demo-preauth-remote-image.sh b/forward_authentication_service/PreAuth/demo-preauth-remote-image.sh
@@ -1,4 +1,7 @@
 #!/bin/sh
+#Copyright &copy; The Nodogsplash Contributors 2004-2019
+#Copyright &copy; Blue Wave Projects and Services 2015-2019
+#This software is released under the GNU GPL license.
 
 ### functions
 
@@ -142,19 +145,30 @@ imageurl="https://avatars0.githubusercontent.com/u/4403602"
 get_image_file
 
 footer="
-	<img src=\"/images/remote/$filename\" alt=\"Splash Page: For access to the Internet.\">
-	<hr>
+	<img style=\"height:60px; width:60px; float:left;\" src=\"/images/remote/$filename\" alt=\"Splash Page: For access to the Internet.\">
+
 	<copy-right>
+		<br><br>
 		Nodogsplash $version.
-		Copyright &copy; The Nodogsplash Contributors 2004-$year.
-		This software is released under the GNU GPL license.
 	</copy-right>
 	</div>
 	</div>
 	</body>
 	</html>
 "
 
+# Define a login form
+login_form="
+	<form action=\"/nodogsplash_preauth/\" method=\"get\">
+	<input type=\"hidden\" name=\"clientip\" value=\"$clientip\">
+	<input type=\"hidden\" name=\"gatewayname\" value=\"$gatewayname\">
+	<input type=\"hidden\" name=\"redir\" value=\"$requested\">
+	<input type=\"text\" name=\"username\" value=\"$username\" autocomplete=\"on\" ><br>:Name<br><br>
+	<input type=\"email\" name=\"emailaddr\" value=\"$emailaddr\" autocomplete=\"on\" ><br>:Email<br><br>
+	<input type=\"submit\" value=\"Continue\" >
+	</form><hr>
+"
+
 # Output the page common header
 echo -e $header
 
@@ -179,26 +193,49 @@ fi
 #
 if [ -z $username ] || [ -z $emailaddr ]; then
 	echo "<big-red>Welcome!</big-red><italic-black> To access the Internet you must enter your Name and Email Address</italic-black><hr>"
-	echo "<form action=\"/nodogsplash_preauth/\" method=\"get\">"
-	echo "<input type=\"hidden\" name=\"clientip\" value=\"$clientip\">"
-	echo "<input type=\"hidden\" name=\"gatewayname\" value=\"$gatewayname\">"
-	echo "<input type=\"hidden\" name=\"redir\" value=\"$requested\">"
-	echo "<input type=\"text\" name=\"username\" value=\"$username\" autocomplete=\"on\" >:Name<br><br>"
-	echo "<input type=\"email\" name=\"emailaddr\" value=\"$emailaddr\" autocomplete=\"on\" >:Email<br><br>"
-	echo "<input type=\"submit\" value=\"Continue\" >"
-	echo "</form><hr>"
+	echo -e $login_form
 else
-	# We have both fields, so get the token and in this case also the mac address
-	tok="$(ndsctl json $clientip | grep token | cut -c 10- | cut -c -8)"
-	clientmac="$(ndsctl json $clientip | grep mac | cut -c 8- | cut -c -17)"
+	# If we got here, we have both the username and emailaddr fields as completed on the login page on the client,
+	# so we will now call ndsctl to get client data we need to authenticate and add to our log.
+
+	# Variables returned from ndsctl are listed in $varlist.
+
+	# We at least need the client token to authenticate.
+	# In this example we will also log the client mac address.
+
+	varlist="id ip mac added active duration token state downloaded avg_down_speed uploaded avg_up_speed"
+	clientinfo=$(ndsctl json $clientip)
+
+	if [ -z $clientinfo ]; then
+		echo "<big-red>Sorry!</big-red><italic-black> The portal is busy, please try again.</italic-black><hr>"
+		echo -e $login_form
+		echo -e $footer
+		exit 0
+	else
+		for var in $varlist; do
+			eval $var=$(echo "$clientinfo" | grep $var | awk -F'"' '{print $4}')
+		done
+	fi
+
+	tok=$token
+	clientmac=$mac
+
+	# We now output the "Thankyou page" with a "Continue" button.
+
+	# This is the place to include information or advertising on this page,
+	# as this page will stay open until the client user taps or clicks "Continue"
 
-	# Output the "Thankyou page" with a continue button
-	# You could include information or advertising on this page
 	# Be aware that many devices will close the login browser as soon as
-	# the client taps continue, so now is the time to deliver your message.
+	# the client user continues, so now is the time to deliver your message.
+
 	echo "<big-red>Thankyou!</big-red>"
 	echo "<br><b>Welcome $username</b>"
+
+	# Add your message here:
+	# You could retrieve text or images from a remote server using wget or curl
+	# as this router has Internet access whilst the client device does not (yet).
 	echo "<br><italic-black> Your News or Advertising could be here, contact the owners of this Hotspot to find out how!</italic-black>"
+
 	echo "<form action=\"/nodogsplash_auth/\" method=\"get\">"
 	echo "<input type=\"hidden\" name=\"tok\" value=\"$tok\">"
 	echo "<input type=\"hidden\" name=\"redir\" value=\"$requested\"><br>"

diff --git a/forward_authentication_service/PreAuth/demo-preauth.sh b/forward_authentication_service/PreAuth/demo-preauth.sh
@@ -1,4 +1,8 @@
 #!/bin/sh
+#Copyright &copy; The Nodogsplash Contributors 2004-2019
+#Copyright &copy; Blue Wave Projects and Services 2015-2019
+#This software is released under the GNU GPL license.
+
 # Get the urlencoded querystring
 query_enc="$1"
 
@@ -113,19 +117,30 @@ header="
 version="$(ndsctl status | grep Version)"
 year="$(date | awk -F ' ' '{print $(6)}')"
 footer="
-	<img src=\"/images/splash.jpg\" alt=\"Splash Page: For access to the Internet.\">
-	<hr>
+	<img style=\"height:60px; width:60px; float:left;\" src=\"/images/splash.jpg\" alt=\"Splash Page: For access to the Internet.\">
+
 	<copy-right>
+		<br><br>
 		Nodogsplash $version.
-		Copyright &copy; The Nodogsplash Contributors 2004-$year.
-		This software is released under the GNU GPL license.
 	</copy-right>
 	</div>
 	</div>
 	</body>
 	</html>
 "
 
+# Define a login form
+login_form="
+	<form action=\"/nodogsplash_preauth/\" method=\"get\">
+	<input type=\"hidden\" name=\"clientip\" value=\"$clientip\">
+	<input type=\"hidden\" name=\"gatewayname\" value=\"$gatewayname\">
+	<input type=\"hidden\" name=\"redir\" value=\"$requested\">
+	<input type=\"text\" name=\"username\" value=\"$username\" autocomplete=\"on\" ><br>:Name<br><br>
+	<input type=\"email\" name=\"emailaddr\" value=\"$emailaddr\" autocomplete=\"on\" ><br>:Email<br><br>
+	<input type=\"submit\" value=\"Continue\" >
+	</form><hr>
+"
+
 # Output the page common header
 echo -e $header
 
@@ -150,26 +165,49 @@ fi
 #
 if [ -z $username ] || [ -z $emailaddr ]; then
 	echo "<big-red>Welcome!</big-red><italic-black> To access the Internet you must enter your Name and Email Address</italic-black><hr>"
-	echo "<form action=\"/nodogsplash_preauth/\" method=\"get\">"
-	echo "<input type=\"hidden\" name=\"clientip\" value=\"$clientip\">"
-	echo "<input type=\"hidden\" name=\"gatewayname\" value=\"$gatewayname\">"
-	echo "<input type=\"hidden\" name=\"redir\" value=\"$requested\">"
-	echo "<input type=\"text\" name=\"username\" value=\"$username\" autocomplete=\"on\" >:Name<br><br>"
-	echo "<input type=\"email\" name=\"emailaddr\" value=\"$emailaddr\" autocomplete=\"on\" >:Email<br><br>"
-	echo "<input type=\"submit\" value=\"Continue\" >"
-	echo "</form><hr>"
+	echo -e $login_form
 else
-	# We have both fields, so get the token and in this case also the mac address
-	tok="$(ndsctl json $clientip | grep token | cut -c 10- | cut -c -8)"
-	clientmac="$(ndsctl json $clientip | grep mac | cut -c 8- | cut -c -17)"
+	# If we got here, we have both the username and emailaddr fields as completed on the login page on the client,
+	# so we will now call ndsctl to get client data we need to authenticate and add to our log.
+
+	# Variables returned from ndsctl are listed in $varlist.
+
+	# We at least need the client token to authenticate.
+	# In this example we will also log the client mac address.
+
+	varlist="id ip mac added active duration token state downloaded avg_down_speed uploaded avg_up_speed"
+	clientinfo=$(ndsctl json $clientip)
+
+	if [ -z $clientinfo ]; then
+		echo "<big-red>Sorry!</big-red><italic-black> The portal is busy, please try again.</italic-black><hr>"
+		echo -e $login_form
+		echo -e $footer
+		exit 0
+	else
+		for var in $varlist; do
+			eval $var=$(echo "$clientinfo" | grep $var | awk -F'"' '{print $4}')
+		done
+	fi
+
+	tok=$token
+	clientmac=$mac
+
+	# We now output the "Thankyou page" with a "Continue" button.
+
+	# This is the place to include information or advertising on this page,
+	# as this page will stay open until the client user taps or clicks "Continue"
 
-	# Output the "Thankyou page" with a continue button
-	# You could include information or advertising on this page
 	# Be aware that many devices will close the login browser as soon as
-	# the client taps continue, so now is the time to deliver your message.
+	# the client user continues, so now is the time to deliver your message.
+
 	echo "<big-red>Thankyou!</big-red>"
 	echo "<br><b>Welcome $username</b>"
+
+	# Add your message here:
+	# You could retrieve text or images from a remote server using wget or curl
+	# as this router has Internet access whilst the client device does not (yet).
 	echo "<br><italic-black> Your News or Advertising could be here, contact the owners of this Hotspot to find out how!</italic-black>"
+
 	echo "<form action=\"/nodogsplash_auth/\" method=\"get\">"
 	echo "<input type=\"hidden\" name=\"tok\" value=\"$tok\">"
 	echo "<input type=\"hidden\" name=\"redir\" value=\"$requested\"><br>"

diff --git a/openwrt/nodogsplash/files/etc/config/nodogsplash b/openwrt/nodogsplash/files/etc/config/nodogsplash
@@ -10,6 +10,15 @@ config nodogsplash
   # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
   option fwhook_enabled '1'
 
+  # Nodogsplash comes preconfigured for two basic modes of operation
+  # 1. A simple static splash page (splash.html) with template variables and click to continue (enabled by default)
+  # 2. A simple login page requiring username and email address to be entered. (enabled by uncommenting the following line)
+
+  #option preauth '/usr/lib/nodogsplash/login.sh'
+
+  # Both modes may be customised or a full custom system can be developed using FAS and BinAuth
+  # See documentation at: https://nodogsplashdocs.readthedocs.io/
+
   # WebRoot
   # Default: /etc/nodogsplash/htdocs
   #
@@ -157,17 +166,15 @@ config nodogsplash
   # Enable PreAuth Support.
   # PreAuth support allows FAS to call a local program or script with html served by NDS
   #
-  # A functional preauth script is installed by default providing
-  # username/emailaddress login as an alternative to the basic splash page. 
+  # A PreAuth login script is installed by default providing
+  # username/emailaddress login as an alternative to the basic splash page.
+  #
   # This generates a login page asking for usename and email address.
   # User logins are recorded in the log file /tmp/ndslog.log
   # Details of how the script works are contained in comments in the script itself.
   #
   # If set, a program/script is called by the NDS FAS handler
-  # when all three of the following conditions are met:
-  # 1. fasremoteip is NOT set,
-  # 2. fasport is set to the gateway port
-  # 3. faspath is set to /nodogsplash_preauth/
+  # All other FAS settings will be overidden.
   #
   # Initially FAS appends its query string to faspath.
   #
@@ -179,15 +186,18 @@ config nodogsplash
   #
   # The Preauth program should append at least the client ip to the query string
   # (using html input type hidden) for all calls to /nodogsplash_preauth/
-  # It must also obtain the client token using ndsctl (or the original query string if fas_secure_enabled=0)
+  # It must also obtain the client token using ndsctl
   # for NDS authentication when calling /nodogsplash_auth/
   #
-  # Enable username/emailaddress login.
-  # Note: fasport must be set to the same value as gatewayport (default = 2050)
-  # Enable by uncommenting the following three lines
-  #option fasport '2050'
-  #option faspath '/nodogsplash_preauth/'
+
+  ################################################################################
+  # Enable Default PreAuth login script
+  ################################################################################
+  # Enable by uncommenting the following line.
   #option preauth '/usr/lib/nodogsplash/login.sh'
+  ################################################################################
+  #
+  ################################################################################
 
   # Your router may have several interfaces, and you
   # probably want to keep them private from the gatewayinterface.