1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id: class_sudoManagement.inc 10099 2008-04-01 12:52:01Z hickert $$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 /*! \brief This is the sudo management class. \
24 This class allows to add/remove/edit sudo roles with GOsa. \
25 All roles will be listed by this plugin, the displayed objects \
26 can also be filtered.
27 */
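class sudoManagement extends plugin
{
  /* Definitions */
  public $plHeadline    = "Sudo roles";
  public $plDescription = "Manage sudo roles";

  /* List dialog (divListSudo) that renders and filters the role list */
  private $DivListSudo  = NULL;

  /* Tab dialog (sudotabs) of the role currently created/edited,
     NULL while no edit dialog is open */
  private $sudotabs     = NULL;

  /* LDAP base (sudoers ou) that all roles are read from */
  private $base         = "";

  /*! \brief Constructor: stores config/ui and creates the list dialog.
      @param config Reference to the GOsa configuration object
      @param ui     Reference to the current user's ui object (used for acls)
   */
  public function __construct(&$config, &$ui)
  {
    /* Save configuration for internal use */
    $this->config = &$config;
    $this->ui     = &$ui;
    $this->base   = sudo::get_sudoers_ou($this->config);

    /* Create dialog object */
    $this->DivListSudo = new divListSudo($this->config,$this);
  }


  /*! \brief Generate && Display HTML content
      Handles the posted actions (new/edit/delete/save/cancel) in order and
      returns the HTML of whatever dialog is active afterwards.
      @return String HTML to display
   */
  public function execute()
  {
    /* Call parent execute */
    plugin::execute();

    /********************
      Handle Posts
     ********************/

    /* Store these posts if the current object is locked (used by somebody else)*/
    session::set('LOCK_VARS_TO_USE',array(
          "/^act$/","/^id$/","/^sudo_edit_/",
          "/^sudo_del_/","/^item_selected/","/menu_action/"));

    /* Get html posts */
    $s_action = "";
    $s_entry  = "";
    foreach($_POST as $name => $value){
      if(preg_match("/^sudo_edit_/",$name)){
        $s_action = "edit_role";
        $s_entry  = preg_replace("/^sudo_edit_([0-9]*).*$/","\\1",$name);
      }
      if(preg_match("/^sudo_del_/",$name)){
        $s_action = "del_role";
        $s_entry  = preg_replace("/^sudo_del_([0-9]*).*$/","\\1",$name);
      }
    }

    /* Edit requested via link: only accept indexes of the current list */
    if(isset($_GET['act']) && isset($_GET['id']) && $_GET['act'] == "edit_entry"){
      $id = trim($_GET['id']);
      if(isset($this->list[$id])){
        $s_action = "edit_role";
        $s_entry  = $id;
      }
    }

    /* Menu actions: strict comparison, the value comes straight from the browser */
    if(isset($_POST['menu_action']) && in_array($_POST['menu_action'],array("new_role","del_role","new_default"),TRUE)){
      $s_action = $_POST['menu_action'];
    }

    $smarty= get_smarty();


    /********************
      Create a new sudo ...
     ********************/

    /* New sudo? */
    if ($s_action=="new_role" || $s_action == "new_default"){

      /* Check create permissions */
      $acl = $this->ui->get_permissions($this->base,"sudo/sudo");
      if(preg_match("/c/",$acl)){

        /* By default we set 'dn' to 'new', all relevant plugins will
           react on this. */
        $this->dn= "new";

        /* Create new sudotabs object */
        $this->sudotabs= new sudotabs($this->config, $this->config->data['TABS']['SUDOTABS'], $this->dn);

        /* Set up the sudo ACL's for this 'dn' */
        $this->sudotabs->set_acl_base($this->base);

        /* This entry will become the default entry */
        if($s_action == "new_default"){
          $this->sudotabs->set_default(TRUE);
        }
      }
    }


    /********************
      Save Sudo Tab/Object Changes
     ********************/

    /* Save changes */
    if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && is_object($this->sudotabs)){

      /* Check tabs, will feed message array
         Save, or display error message? */
      $message= $this->sudotabs->check();
      if (count($message) == 0){

        /* Save user data to ldap */
        $this->sudotabs->save();

        if (!isset($_POST['edit_apply'])){

          /* Sudo has been saved successfully, remove lock from LDAP. */
          if ($this->dn != "new"){
            del_lock ($this->dn);
          }
          unset ($this->sudotabs);
          $this->sudotabs= NULL;
          session::un_set('objectinfo');
        }else{
          /* 'Apply': keep editing, re-read the (possibly new) dn from LDAP */
          $this->dn = $this->sudotabs->dn;
          $this->sudotabs= new sudotabs($this->config, $this->config->data['TABS']['SUDOTABS'], $this->dn);
          session::set('objectinfo',$this->dn);
        }
      } else {
        /* Ok. There seem to be errors regarding to the tab data,
           show message and continue as usual. */
        msg_dialog::displayChecks($message);
      }
    }


    /********************
      Edit existing role
     ********************/

    /* User wants to edit data? */
    if (($s_action=="edit_role") && !is_object($this->sudotabs)){

      /* Get 'dn' from the posted list index. The index is browser supplied,
         so only entries of the currently listed roles are accepted;
         anything else is ignored instead of editing an undefined dn. */
      $s_entry = trim($s_entry);
      if(isset($this->list[$s_entry]['dn'])){
        $this->dn= $this->list[$s_entry]['dn'];

        /* Check locking & lock entry if required */
        $user = get_lock($this->dn);
        if ($user != ""){
          return(gen_locked_message ($user, $this->dn));
        }
        add_lock ($this->dn, $this->ui->dn);

        /* Register sudotabs to trigger edit dialog */
        $this->sudotabs= new sudotabs($this->config,$this->config->data['TABS']['SUDOTABS'], $this->dn);
        $this->sudotabs->set_acl_base($this->base);
        session::set('objectinfo',$this->dn);
      }
    }


    /********************
      Delete entries requested, display confirm dialog
     ********************/

    if ($s_action=="del_role"){
      $ids = $this->list_get_selected_items();
      if(!count($ids) && $s_entry!=""){
        $ids = array($s_entry);
      }

      if(count($ids)){

        /* Create list of entries to delete; skip indexes that are not
           part of the current list (stale or forged posts) */
        $this->dns = array();
        $dns_names = array();
        foreach($ids as $id){
          if(!isset($this->list[$id]['dn'])){
            continue;
          }
          $dn = $this->list[$id]['dn'];
          $this->dns[$id] = $dn;
          $dns_names[] =@LDAP::fix($dn);
        }

        if(count($this->dns)){

          /* Check locking of entries */
          $users = get_multiple_locks($this->dns);
          if(count($users)){
            return(gen_locked_message($users,$this->dns));
          }

          /* Add locks, so nobody will edit these entries during deletion */
          add_lock($this->dns,$this->ui->dn);

          /* Display the confirmation dialog */
          $smarty->assign("info", msgPool::deleteInfo($dns_names,_("Sudo role")));
          return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
        }
      }
    }


    /********************
      Delete entries confirmed
     ********************/

    /* Confirmation for deletion has been passed. Sudo should be deleted.
       Only act if a confirm dialog actually prepared the list of dns. */
    if (isset($_POST['delete_sudos_confirmed']) && isset($this->dns) && is_array($this->dns)){

      /* Remove role by role and check acls before removing them */
      foreach($this->dns as $key => $dn){

        /* Load permissions for selected 'dn' and check if
           we're allowed to remove this 'dn' */
        $acl = $this->ui->get_permissions($dn,"sudo/sudo");
        if(preg_match("/d/",$acl)){

          /* Delete request is permitted, perform LDAP action */
          $this->sudotabs= new sudotabs($this->config,$this->config->data['TABS']['SUDOTABS'], $dn);
          $this->sudotabs->set_acl_base($dn);
          $this->sudotabs->delete ();
          unset ($this->sudotabs);
          $this->sudotabs= NULL;

        } else {

          /* Normally this shouldn't be reached, send some extra
             logs to notify the administrator */
          msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
          new log("security","sudo/".get_class($this),$dn,array(),"Tried to trick deletion.");
        }
        /* Remove lock after the entry was handled (deleted or denied) */
        del_lock ($dn);
        unset($this->dns[$key]);
      }
    }


    /********************
      Delete entries Canceled
     ********************/

    /* Remove lock */
    if(isset($_POST['delete_sudo_cancel'])){
      if(isset($this->dns) && is_array($this->dns) && count($this->dns)){
        del_lock ($this->dns);
      }
      unset($this->dns);
    }

    /********************
      A dialog was canceled
     ********************/

    /* Cancel dialogs */
    if (isset($_POST['edit_cancel']) && is_object($this->sudotabs)){
      if(isset($this->sudotabs->dn)){
        del_lock ($this->sudotabs->dn);
      }
      unset ($this->sudotabs);
      $this->sudotabs= NULL;
      session::un_set('objectinfo');
    }


    /********************
      If there is currently a dialog open, display it
     ********************/

    /* Show tab dialog if object is present */
    if (is_object($this->sudotabs)){
      $display= $this->sudotabs->execute();

      /* Don't show buttons if tab dialog requests this */
      if(isset($this->sudotabs->by_object)){
        if (!$this->sudotabs->by_object[$this->sudotabs->current]->dialog){
          $display.= "<p style=\"text-align:right\">\n";
          $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\"".msgPool::okButton()."\">\n";
          $display.= " \n";
          if ($this->dn != "new"){
            $display.= "<input type=submit name=\"edit_apply\" value=\"".msgPool::applyButton()."\">\n";
            $display.= " \n";
          }
          $display.= "<input type=submit name=\"edit_cancel\" value=\"".msgPool::cancelButton()."\">\n";
          $display.= "</p>";
        }
      }
      return ($display);
    }

    /* Check if there is a snapshot dialog open */
    if($str = $this->showSnapshotDialog(sudo::get_sudoers_ou($this->config),$this->get_used_snapshot_bases())){
      return($str);
    }

    /* Display dialog with sudo list */
    $this->DivListSudo->execute();
    $this->reload ();
    $this->DivListSudo->setEntries($this->list);
    return($this->DivListSudo->Draw());
  }


  /*! \brief Return all selected elements from HTML list
      @return Array List of all selected list elements (index => index)
   */
  private function list_get_selected_items()
  {
    $ids = array();
    foreach($_POST as $name => $value){
      if(preg_match("/^item_selected_[0-9]*$/",$name)){
        $id = preg_replace("/^item_selected_/","",$name);
        $ids[$id] = $id;
      }
    }
    return($ids);
  }


  /*! \brief Escape a user supplied value for use inside an LDAP search filter.
      Backslash, parentheses and NUL are hex-encoded as described in
      RFC 4515, so the value cannot open or close filter components.
      The '*' wildcard is kept on purpose: the list dialog relies on it
      (its default filter is "*").
      @param value String to escape
      @return String The escaped value
   */
  private static function escape_filter_value($value)
  {
    /* Backslash must be replaced first, otherwise the escapes added
       for the other characters would be escaped again */
    return str_replace(
        array("\\",   "(",    ")",    "\0"),
        array("\\5c", "\\28", "\\29", "\\00"),
        (string) $value);
  }


  /*! \brief Reload the list of sudo roles.
      Builds the LDAP filter from the list dialog's Regex/UserRegex and
      fills $this->list, sorted case-insensitively by cn.
      @param CreatePosixsList Unused, kept for compatibility with callers
   */
  private function reload($CreatePosixsList=false)
  {
    $this->list = array();
    $base = $this->base;

    /* The filter values are typed by the user in the list dialog, so they
       are escaped before being embedded into the LDAP filter */
    $Regex     = self::escape_filter_value(trim($this->DivListSudo->Regex));
    $UserRegex = self::escape_filter_value(trim($this->DivListSudo->UserRegex));

    /********************
      Create filter depending on selected checkboxes
     ********************/
    $values = array("cn","description","sudoUser","sudoCommand","sudoOption");
    if($UserRegex == "*"){
      $ff = "(&(|(cn=".$Regex.")(description=".$Regex."))(objectClass=sudoRole))";
    }else{
      $ff = "(&(|(cn=".$Regex.")(description=".$Regex."))(sudoUser=".$UserRegex.")(objectClass=sudoRole))";
    }
    $res = get_list($ff, "sudo",$base,$values, GL_SIZELIMIT);

    /* Index by cn for natural, case-insensitive sorting; re-index to a
       plain list afterwards, the list dialog addresses entries by position */
    $tmp = array();
    foreach($res as $attrs){
      $tmp[$attrs['cn'][0]] = $attrs;
    }
    uksort($tmp, 'strnatcasecmp');
    $this->list = array_values($tmp);
  }


  /*! \brief Save HTML post data to object
   */
  public function save_object()
  {
    $this->DivListSudo->save_object();
  }


  /*! \brief Remove this account
   */
  public function remove_from_parent()
  {
    /* Optionally execute a command after we're done */
    $this->postremove();
  }


  /*! \brief Save to LDAP
   */
  public function save()
  {
    /* Optionally execute a command after we're done */
    $this->postcreate();
  }


  /*! \brief Remove lock from entry
      Releases the lock of the role currently edited (if it is not a new
      one) and the locks of entries queued for deletion.
   */
  public function remove_lock()
  {
    if (is_object($this->sudotabs) && $this->sudotabs->dn != "new"){
      del_lock ($this->sudotabs->dn);
    }
    if(isset($this->dns) && is_array($this->dns) && count($this->dns)){
      del_lock($this->dns);
    }
  }


  /*! \brief Return the LDAP bases snapshots may be taken from
      @return Array containing the sudoers ou
   */
  public function get_used_snapshot_bases()
  {
    return(array(sudo::get_sudoers_ou($this->config)));
  }
}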
411 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
412 ?>