1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id: class_sudoManagement.inc 10099 2008-04-01 12:52:01Z hickert $$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 /*! \brief This is the sudo management class. \
24 This class allows to add/remove/edit sudo roles with GOsa. \
25 All roles will be listed by this plugin, the displayed objects \
26 can also be filtered.
27 */
28 class sudoManagement extends plugin
29 {
30 /* Definitions */
31 public $plHeadline = "Sudo roles";
32 public $plDescription = "Manage sudo roles";
34 private $DivListSudo = NULL;
35 private $sudotabs = NULL;
36 private $base = "";
38 private $start_pasting_copied_objects = FALSE;
40 /*! \brief */
41 public function __construct(&$config, &$ui)
42 {
43 /* Save configuration for internal use */
44 $this->config = &$config;
45 $this->ui = &$ui;
46 $this->base = sudo::get_sudoers_ou($this->config);
48 /* Copy & Paste enabled ?*/
49 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
50 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
51 }
53 /* Create dialog object */
54 $this->DivListSudo = new divListSudo($this->config,$this);
55 }
58 /*! \brief Generate && Display HTML content
59 */
60 public function execute()
61 {
62 /* Call parent execute */
63 plugin::execute();
65 /********************
66 Handle Posts
67 ********************/
69 /* Store these posts if the current object is locked (used by somebody else)*/
70 session::set('LOCK_VARS_TO_USE',array(
71 "/^act$/","/^id$/","/^sudo_edit_/","/^cut_/","/^copy_/",
72 "/^sudo_del_/","/^item_selected/","/menu_action/"));
75 /* Get html posts */
76 $s_action = "";
77 $s_entry = "";
78 foreach($_POST as $name => $value){
79 if(preg_match("/^sudo_edit_/",$name)){
80 $s_action = "edit_role";
81 $s_entry = preg_replace("/^sudo_edit_([0-9]*).*$/","\\1",$name);
82 }
83 if(preg_match("/^sudo_del_/",$name)){
84 $s_action = "del_role";
85 $s_entry = preg_replace("/^sudo_del_([0-9]*).*$/","\\1",$name);
86 }elseif(preg_match("/^editPaste.*/i",$name)){
87 $s_action="editPaste";
88 }elseif(preg_match("/^copy_.*/",$name)){
89 $s_action="copy";
90 $s_entry = preg_replace("/^copy_([0-9]*).*$/i","\\1",$name);
91 # }elseif(preg_match("/^cut_.*/",$name)){
92 # $s_action="cut";
93 # $s_entry = preg_replace("/^cut_([0-9]*).*$/i","\\1",$name);
94 }
95 }
97 if(isset($_GET['act']) && isset($_GET['id']) && $_GET['act'] == "edit_entry"){
98 $id = trim($_GET['id']);
99 if(isset($this->list[$id])){
100 $s_action = "edit_role";
101 $s_entry = $id;
102 }
103 }
105 if(isset($_POST['menu_action']) && in_array($_POST['menu_action'],array("new_role","del_role","new_default","editPaste"))){
106 $s_action = $_POST['menu_action'];
107 }
109 /* handle C&P from layers menu */
110 if(isset($_POST['menu_action']) && preg_match("/^multiple_copy_sudo/",$_POST['menu_action'])){
111 $s_action = "copy_multiple";
112 }
114 $smarty= get_smarty();
116 /********************
117 Copy & Paste Handling ...
118 ********************/
120 /* Display the copy & paste dialog, if it is currently open */
121 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
122 if($ret){
123 return($ret);
124 }
127 /********************
128 Create a new sudo ...
129 ********************/
131 /* New sudo? */
132 if ($s_action=="new_role" || $s_action == "new_default"){
134 /* Check create permissions */
135 $acl = $this->ui->get_permissions($this->base,"sudo/sudo");
136 if(preg_match("/c/",$acl)){
138 /* By default we set 'dn' to 'new', all relevant plugins will
139 react on this. */
140 $this->dn= "new";
142 /* Create new sudotabs object */
143 $this->sudotabs= new sudotabs($this->config, $this->config->data['TABS']['SUDOTABS'], $this->dn);
145 /* Set up the sudo ACL's for this 'dn' */
146 $this->sudotabs->set_acl_base($this->base);
148 /* This entry will become the default entry */
149 if($s_action == "new_default"){
150 $this->sudotabs->set_default(TRUE);
151 }
152 }
153 }
156 /********************
157 Save Sudo Tab/Object Changes
158 ********************/
160 /* Save changes */
161 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && is_object($this->sudotabs)){
163 /* Check tabs, will feed message array
164 Save, or display error message? */
165 $message= $this->sudotabs->check();
166 if (count($message) == 0){
168 /* Save user data to ldap */
169 $this->sudotabs->save();
171 if (!isset($_POST['edit_apply'])){
173 /* Sudo has been saved successfully, remove lock from LDAP. */
174 if ($this->dn != "new"){
175 del_lock ($this->dn);
176 }
177 unset ($this->sudotabs);
178 $this->sudotabs= NULL;
179 session::un_set('objectinfo');
180 }else{
182 /* Reinitialize tab */
183 if($this->sudotabs instanceof tabs){
184 $this->sudotabs->re_init();
185 }
186 }
187 } else {
188 /* Ok. There seem to be errors regarding to the tab data,
189 show message and continue as usual. */
190 msg_dialog::displayChecks($message);
191 }
192 }
195 /********************
196 Edit existing role
197 ********************/
199 /* User wants to edit data? */
200 if (($s_action=="edit_role") && !is_object($this->sudotabs)){
202 /* Get 'dn' from posted 'uid', must be unique */
203 $this->dn= $this->list[trim($s_entry)]['dn'];
205 /* Check locking & lock entry if required */
206 $user = get_lock($this->dn);
207 if ($user != ""){
208 return(gen_locked_message ($user, $this->dn));
209 }
210 add_lock ($this->dn, $this->ui->dn);
212 /* Register sudotabs to trigger edit dialog */
213 $this->sudotabs= new sudotabs($this->config,$this->config->data['TABS']['SUDOTABS'], $this->dn);
214 $this->sudotabs->set_acl_base($this->base);
215 session::set('objectinfo',$this->dn);
216 }
219 /********************
220 Delete entries requested, display confirm dialog
221 ********************/
223 if ($s_action=="del_role"){
224 $ids = $this->list_get_selected_items();
225 if(!count($ids) && $s_entry!=""){
226 $ids = array($s_entry);
227 }
229 if(count($ids)){
231 /* Create list of entries to delete */
232 $this->dns = array();
233 $dns_names = array();
234 foreach($ids as $id){
235 $dn = $this->list[$id]['dn'];
236 $this->dns[$id] = $dn;
237 $dns_names[] =@LDAP::fix($dn);
238 }
240 /* Check locking of entries */
241 $users = get_multiple_locks($this->dns);
242 if(count($users)){
243 return(gen_locked_message($users,$this->dns));
244 }
246 /* Add locks */
247 add_lock($this->dns,$this->ui->dn);
249 /* Lock the current entry, so nobody will edit it during deletion */
250 $smarty->assign("info", msgPool::deleteInfo($dns_names,_("Sudo role")));
251 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
252 }
253 }
256 /********************
257 Delete entries confirmed
258 ********************/
260 /* Confirmation for deletion has been passed. Sudo should be deleted. */
261 if (isset($_POST['delete_sudos_confirmed'])){
263 /* Remove user by user and check acls before removeing them */
264 foreach($this->dns as $key => $dn){
266 /* Load permissions for selected 'dn' and check if
267 we're allowed to remove this 'dn' */
268 $acl = $this->ui->get_permissions($dn,"sudo/sudo");
269 if(preg_match("/d/",$acl)){
271 /* Delete request is permitted, perform LDAP action */
272 $this->sudotabs= new sudotabs($this->config,$this->config->data['TABS']['SUDOTABS'], $dn);
273 $this->sudotabs->set_acl_base($dn);
274 $this->sudotabs->delete ();
275 unset ($this->sudotabs);
276 $this->sudotabs= NULL;
278 } else {
280 /* Normally this shouldn't be reached, send some extra
281 logs to notify the administrator */
282 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
283 new log("security","sudo/".get_class($this),$dn,array(),"Tried to trick deletion.");
284 }
285 /* Remove lock file after successfull deletion */
286 del_lock ($dn);
287 unset($this->dns[$key]);
288 }
289 }
292 /********************
293 Delete entries Canceled
294 ********************/
296 /* Remove lock */
297 if(isset($_POST['delete_sudo_cancel'])){
298 del_lock ($this->dns);
299 unset($this->dns);
300 }
302 /********************
303 A dialog was canceled
304 ********************/
306 /* Cancel dialogs */
307 if (isset($_POST['edit_cancel']) && is_object($this->sudotabs)){
308 if(isset($this->sudotabs->dn)){
309 del_lock ($this->sudotabs->dn);
310 }
311 unset ($this->sudotabs);
312 $this->sudotabs= NULL;
313 session::un_set('objectinfo');
314 }
317 /********************
318 If there is currently a dialog open, display it
319 ********************/
321 /* Show tab dialog if object is present */
322 if (is_object($this->sudotabs)){
323 $display= $this->sudotabs->execute();
325 /* Don't show buttons if tab dialog requests this */
326 if(isset($this->sudotabs->by_object)){
327 if (!$this->sudotabs->by_object[$this->sudotabs->current]->dialog){
328 $display.= "<p style=\"text-align:right\">\n";
329 $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\"".msgPool::okButton()."\">\n";
330 $display.= " \n";
331 if ($this->dn != "new"){
332 $display.= "<input type=submit name=\"edit_apply\" value=\"".msgPool::applyButton()."\">\n";
333 $display.= " \n";
334 }
335 $display.= "<input type=submit name=\"edit_cancel\" value=\"".msgPool::cancelButton()."\">\n";
336 $display.= "</p>";
337 }
338 }
339 return ($display);
340 }
342 /* Check if there is a snapshot dialog open */
343 if($str = $this->showSnapshotDialog(sudo::get_sudoers_ou($this->config),$this->get_used_snapshot_bases())){
344 return($str);
345 }
347 /* Display dialog with sudo list */
348 $this->DivListSudo->execute();
349 $this->reload ();
350 $this->DivListSudo->setEntries($this->list);
351 return($this->DivListSudo->Draw());
352 }
355 /*! \brief Return all selected elements from HTML list
356 @return Array List of all selected list elements
357 */
358 private function list_get_selected_items()
359 {
360 $ids = array();
361 foreach($_POST as $name => $value){
362 if(preg_match("/^item_selected_[0-9]*$/",$name)){
363 $id = preg_replace("/^item_selected_/","",$name);
364 $ids[$id] = $id;
365 }
366 }
367 return($ids);
368 }
371 /*! \brief Reload the list of sudo roles.
372 */
373 private function reload($CreatePosixsList=false)
374 {
375 $this->list = array();
376 $base = $this->base;
378 $Regex = trim($this->DivListSudo->Regex);
379 $UserRegex = trim($this->DivListSudo->UserRegex);
380 $SubSearch = $this->DivListSudo->SubSearch;
382 /********************
383 Create filter depending on selected checkboxes
384 ********************/
385 $values = array("cn","description","sudoUser","sudoCommand","sudoOption");
386 if($UserRegex == "*"){
387 $ff = "(&(|(cn=".$Regex.")(description=".$Regex."))(objectClass=sudoRole))";
388 }else{
389 $ff = "(&(|(cn=".$Regex.")(description=".$Regex."))(sudoUser=".$UserRegex.")(objectClass=sudoRole))";
390 }
391 $res = get_list($ff, "sudo",$base,$values, GL_SIZELIMIT);
392 $tmp = array();
393 foreach($res as $attrs){
394 $tmp[$attrs['cn'][0]] = $attrs;
395 }
396 uksort($tmp, 'strnatcasecmp');
397 $this->list = array_values($tmp);
398 }
401 /*! \brief Save HTML post data to object
402 */
403 public function save_object()
404 {
405 $this->DivListSudo->save_object();
406 if(is_object($this->CopyPasteHandler)){
407 $this->CopyPasteHandler->save_object();
408 }
409 }
412 /*! \brief Remove this account
413 */
414 public function remove_from_parent()
415 {
416 /* Optionally execute a command after we're done */
417 $this->postremove();
418 }
421 /*! \brief Save to LDAP
422 */
423 public function save()
424 {
425 /* Optionally execute a command after we're done */
426 $this->postcreate();
427 }
430 /*! \brief Remove lock from entry
431 */
432 public function remove_lock()
433 {
434 if (is_object($this->sudotabs) && $this->sudotabs->dn != "new"){
435 del_lock ($this->sudotabs->dn);
436 }
437 if(isset($this->dns) && is_array($this->dns) && count($this->dns)){
438 del_lock($this->dns);
439 }
440 }
442 function get_used_snapshot_bases()
443 {
444 return(array(sudo::get_sudoers_ou($this->config)));
445 }
448 function copyPasteHandling_from_queue($s_action,$s_entry)
449 {
450 /* Check if Copy & Paste is disabled */
451 if(!is_object($this->CopyPasteHandler)){
452 return("");
453 }
455 /* Add a single entry to queue */
456 if($s_action == "cut" || $s_action == "copy"){
458 /* Cleanup object queue */
459 $this->CopyPasteHandler->cleanup_queue();
460 $dn = $this->list[$s_entry]['dn'];
461 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"sudotabs","SUDOTABS","sudo");
462 }
464 /* Add entries to queue */
465 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
467 /* Cleanup object queue */
468 $this->CopyPasteHandler->cleanup_queue();
470 /* Add new entries to CP queue */
471 foreach($this->list_get_selected_items() as $id){
472 $dn = $this->list[$id]['dn'];
474 if($s_action == "copy_multiple"){
475 $this->CopyPasteHandler->add_to_queue($dn,"copy","sudotabs","SUDOTABS","sudo");
476 }
477 if($s_action == "cut_multiple"){
478 $this->CopyPasteHandler->add_to_queue($dn,"cut","sudotabs","SUDOTABS","sudo");
479 }
480 }
481 }
483 /* Start pasting entries */
484 if($s_action == "editPaste"){
485 $this->start_pasting_copied_objects = TRUE;
486 }
488 /* Return C&P dialog */
489 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
491 /* Get dialog */
492 $data = $this->CopyPasteHandler->execute();
493 $this->CopyPasteHandler->SetVar("base",$this->DivListSudo->selectedBase);
495 /* Return dialog data */
496 if(!empty($data)){
497 return($data);
498 }
499 }
501 /* Automatically disable status for pasting */
502 if(!$this->CopyPasteHandler->entries_queued()){
503 $this->start_pasting_copied_objects = FALSE;
504 }
505 return("");
506 }
507 }
508 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
509 ?>