![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id: class_sudoManagement.inc 10099 2008-04-01 12:52:01Z hickert $$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 /*! \brief This is the sudo management class. \
24 This class allows to add/remove/edit sudo roles with GOsa. \
25 All roles will be listed by this plugin, the displayed objects \
26 can also be filtered.
27 */
28 class sudoManagement extends plugin
29 {
30 /* Definitions */
31 public $plHeadline = "Sudo roles";
32 public $plDescription = "Manage sudo roles";
34 private $DivListSudo = NULL;
35 private $sudotabs = NULL;
36 private $base = "";
38 private $start_pasting_copied_objects = FALSE;
40 public $acl_module = array("sudo");
42 /*! \brief */
43 public function __construct(&$config, &$ui)
44 {
45 /* Save configuration for internal use */
46 $this->config = &$config;
47 $this->ui = &$ui;
48 $this->base = sudo::get_sudoers_ou($this->config);
50 /* Copy & Paste enabled ?*/
51 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
52 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
53 }
55 /* Create dialog object */
56 $this->DivListSudo = new divListSudo($this->config,$this);
57 }
60 /*! \brief Generate && Display HTML content
61 */
62 public function execute()
63 {
64 /* Call parent execute */
65 plugin::execute();
67 /********************
68 Handle Posts
69 ********************/
71 /* Store these posts if the current object is locked (used by somebody else)*/
72 session::set('LOCK_VARS_TO_USE',array(
73 "/^act$/","/^id$/","/^sudo_edit_/","/^cut_/","/^copy_/",
74 "/^sudo_del_/","/^item_selected/","/menu_action/"));
77 /* Get html posts */
78 $s_action = "";
79 $s_entry = "";
80 foreach($_POST as $name => $value){
81 if(preg_match("/^sudo_edit_/",$name)){
82 $s_action = "edit_role";
83 $s_entry = preg_replace("/^sudo_edit_([0-9]*).*$/","\\1",$name);
84 }
85 if(preg_match("/^sudo_del_/",$name)){
86 $s_action = "del_role";
87 $s_entry = preg_replace("/^sudo_del_([0-9]*).*$/","\\1",$name);
88 }elseif(preg_match("/^editPaste.*/i",$name)){
89 $s_action="editPaste";
90 }elseif(preg_match("/^copy_.*/",$name)){
91 $s_action="copy";
92 $s_entry = preg_replace("/^copy_([0-9]*).*$/i","\\1",$name);
93 # }elseif(preg_match("/^cut_.*/",$name)){
94 # $s_action="cut";
95 # $s_entry = preg_replace("/^cut_([0-9]*).*$/i","\\1",$name);
96 }
97 }
99 if(isset($_GET['act']) && isset($_GET['id']) && $_GET['act'] == "edit_entry"){
100 $id = trim($_GET['id']);
101 if(isset($this->list[$id])){
102 $s_action = "edit_role";
103 $s_entry = $id;
104 }
105 }
107 if(isset($_POST['menu_action']) && in_array($_POST['menu_action'],array("new_role","del_role","new_default","editPaste"))){
108 $s_action = $_POST['menu_action'];
109 }
111 /* handle C&P from layers menu */
112 if(isset($_POST['menu_action']) && preg_match("/^multiple_copy_systems/",$_POST['menu_action'])){
113 $s_action = "copy_multiple";
114 }
116 $smarty= get_smarty();
118 /********************
119 Copy & Paste Handling ...
120 ********************/
122 /* Display the copy & paste dialog, if it is currently open */
123 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
124 if($ret){
125 return($ret);
126 }
129 /********************
130 Create a new sudo ...
131 ********************/
133 /* New sudo? */
134 if ($s_action=="new_role" || $s_action == "new_default"){
136 /* Check create permissions */
137 $acl = $this->ui->get_permissions($this->base,"sudo/sudo");
138 if(preg_match("/c/",$acl)){
140 /* By default we set 'dn' to 'new', all relevant plugins will
141 react on this. */
142 $this->dn= "new";
144 /* Create new sudotabs object */
145 $this->sudotabs= new sudotabs($this->config, $this->config->data['TABS']['SUDOTABS'], $this->dn);
147 /* Set up the sudo ACL's for this 'dn' */
148 $this->sudotabs->set_acl_base($this->base);
150 /* This entry will become the default entry */
151 if($s_action == "new_default"){
152 $this->sudotabs->set_default(TRUE);
153 }
154 }
155 }
158 /********************
159 Save Sudo Tab/Object Changes
160 ********************/
162 /* Save changes */
163 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && is_object($this->sudotabs)){
165 /* Check tabs, will feed message array
166 Save, or display error message? */
167 $message= $this->sudotabs->check();
168 if (count($message) == 0){
170 /* Save user data to ldap */
171 $this->sudotabs->save();
173 if (!isset($_POST['edit_apply'])){
175 /* Sudo has been saved successfully, remove lock from LDAP. */
176 if ($this->dn != "new"){
177 $this->remove_lock();
178 }
179 unset ($this->sudotabs);
180 $this->sudotabs= NULL;
181 session::un_set('objectinfo');
182 }else{
184 /* Reinitialize tab */
185 if($this->sudotabs instanceof tabs){
186 $this->sudotabs->re_init();
187 }
188 }
189 } else {
190 /* Ok. There seem to be errors regarding to the tab data,
191 show message and continue as usual. */
192 msg_dialog::displayChecks($message);
193 }
194 }
197 /********************
198 Edit existing role
199 ********************/
201 /* User wants to edit data? */
202 if (($s_action=="edit_role") && !is_object($this->sudotabs)){
204 /* Get 'dn' from posted 'uid', must be unique */
205 $this->dn= $this->list[trim($s_entry)]['dn'];
207 /* Check locking & lock entry if required */
208 $user = get_lock($this->dn);
209 if ($user != ""){
210 return(gen_locked_message ($user, $this->dn));
211 }
212 add_lock ($this->dn, $this->ui->dn);
214 /* Register sudotabs to trigger edit dialog */
215 $this->sudotabs= new sudotabs($this->config,$this->config->data['TABS']['SUDOTABS'], $this->dn);
216 $this->sudotabs->set_acl_base($this->base);
217 session::set('objectinfo',$this->dn);
218 }
221 /********************
222 Delete entries requested, display confirm dialog
223 ********************/
225 if ($s_action=="del_role"){
226 $ids = $this->list_get_selected_items();
227 if(!count($ids) && $s_entry!=""){
228 $ids = array($s_entry);
229 }
231 $this->dns = array();
232 if(count($ids)){
233 $disallowed = array();
234 foreach($ids as $id){
235 $dn = $this->list[$id]['dn'];
236 $acl = $this->ui->get_permissions($dn, "sudo/sudo");
237 if(preg_match("/d/",$acl)){
238 $this->dns[$id] = $dn;
239 }else{
240 $disallowed[] = $dn;
241 }
242 }
244 if(count($disallowed)){
245 msg_dialog::display(_("Permission"),msgPool::permDelete($disallowed),INFO_DIALOG);
246 }
248 if(count($this->dns)){
250 /* Check locking of entries */
251 $users = get_multiple_locks($this->dns);
252 if(count($users)){
253 return(gen_locked_message($users,$this->dns));
254 }
256 /* Add locks */
257 add_lock($this->dns,$this->ui->dn);
259 /* Lock the current entry, so nobody will edit it during deletion */
260 $smarty->assign("info", msgPool::deleteInfo($this->dns,_("Sudo role")));
261 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
262 }
263 }
264 }
267 /********************
268 Delete entries confirmed
269 ********************/
271 /* Confirmation for deletion has been passed. Sudo should be deleted. */
272 if (isset($_POST['delete_sudos_confirmed'])){
274 /* Remove user by user and check acls before removeing them */
275 foreach($this->dns as $key => $dn){
277 /* Load permissions for selected 'dn' and check if
278 we're allowed to remove this 'dn' */
279 $acl = $this->ui->get_permissions($dn,"sudo/sudo");
280 if(preg_match("/d/",$acl)){
282 /* Delete request is permitted, perform LDAP action */
283 $this->sudotabs= new sudotabs($this->config,$this->config->data['TABS']['SUDOTABS'], $dn);
284 $this->sudotabs->set_acl_base($dn);
285 $this->sudotabs->delete ();
286 unset ($this->sudotabs);
287 $this->sudotabs= NULL;
289 } else {
291 /* Normally this shouldn't be reached, send some extra
292 logs to notify the administrator */
293 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
294 new log("security","sudo/".get_class($this),$dn,array(),"Tried to trick deletion.");
295 }
296 }
298 /* Remove lock file after successfull deletion */
299 $this->remove_lock();
300 $this->dns = array();
301 }
304 /********************
305 Delete entries Canceled
306 ********************/
308 /* Remove lock */
309 if(isset($_POST['delete_sudo_cancel'])){
310 $this->remove_lock();
311 $this->dns = array();
312 }
314 /********************
315 A dialog was canceled
316 ********************/
318 /* Cancel dialogs */
319 if (isset($_POST['edit_cancel']) && is_object($this->sudotabs)){
320 $this->remove_lock();
321 $this->sudotabs= NULL;
322 session::un_set('objectinfo');
323 }
326 /********************
327 If there is currently a dialog open, display it
328 ********************/
330 /* Show tab dialog if object is present */
331 if (is_object($this->sudotabs)){
332 $display= $this->sudotabs->execute();
334 /* Don't show buttons if tab dialog requests this */
335 if(isset($this->sudotabs->by_object)){
336 if (!$this->sudotabs->by_object[$this->sudotabs->current]->dialog){
337 $display.= "<p style=\"text-align:right\">\n";
338 $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\"".msgPool::okButton()."\">\n";
339 $display.= " \n";
340 if ($this->dn != "new"){
341 $display.= "<input type=submit name=\"edit_apply\" value=\"".msgPool::applyButton()."\">\n";
342 $display.= " \n";
343 }
344 $display.= "<input type=submit name=\"edit_cancel\" value=\"".msgPool::cancelButton()."\">\n";
345 $display.= "</p>";
346 }
347 }
348 return ($display);
349 }
351 /* Check if there is a snapshot dialog open */
352 if($str = $this->showSnapshotDialog(sudo::get_sudoers_ou($this->config),$this->get_used_snapshot_bases(),$this)){
353 return($str);
354 }
356 /* Display dialog with sudo list */
357 $this->DivListSudo->execute();
358 $this->reload ();
359 $this->DivListSudo->setEntries($this->list);
360 return($this->DivListSudo->Draw());
361 }
364 /*! \brief Return all selected elements from HTML list
365 @return Array List of all selected list elements
366 */
367 private function list_get_selected_items()
368 {
369 $ids = array();
370 foreach($_POST as $name => $value){
371 if(preg_match("/^item_selected_[0-9]*$/",$name)){
372 $id = preg_replace("/^item_selected_/","",$name);
373 $ids[$id] = $id;
374 }
375 }
376 return($ids);
377 }
380 /*! \brief Reload the list of sudo roles.
381 */
382 private function reload($CreatePosixsList=false)
383 {
384 $this->list = array();
385 $base = $this->base;
387 $Regex = trim($this->DivListSudo->Regex);
388 $UserRegex = trim($this->DivListSudo->UserRegex);
389 $SubSearch = $this->DivListSudo->SubSearch;
391 /********************
392 Create filter depending on selected checkboxes
393 ********************/
394 $values = array("cn","description","sudoUser","sudoCommand","sudoOption");
395 if($UserRegex == "*"){
396 $ff = "(&(|(cn=".$Regex.")(description=".$Regex."))(objectClass=sudoRole))";
397 }else{
398 $ff = "(&(|(cn=".$Regex.")(description=".$Regex."))(sudoUser=".$UserRegex.")(objectClass=sudoRole))";
399 }
400 $res = get_list($ff, "sudo",$base,$values, GL_SIZELIMIT);
401 $tmp = array();
402 foreach($res as $attrs){
403 $tmp[$attrs['cn'][0]] = $attrs;
404 }
405 uksort($tmp, 'strnatcasecmp');
406 $this->list = array_values($tmp);
407 }
410 /*! \brief Save HTML post data to object
411 */
412 public function save_object()
413 {
414 $this->DivListSudo->save_object();
415 if(is_object($this->CopyPasteHandler)){
416 $this->CopyPasteHandler->save_object();
417 }
418 }
421 /*! \brief Remove this account
422 */
423 public function remove_from_parent()
424 {
425 /* Optionally execute a command after we're done */
426 $this->postremove();
427 }
430 /*! \brief Save to LDAP
431 */
432 public function save()
433 {
434 /* Optionally execute a command after we're done */
435 $this->postcreate();
436 }
439 /*! \brief Remove lock from entry
440 */
441 public function remove_lock()
442 {
443 if (is_object($this->sudotabs) && $this->sudotabs->dn != "new"){
444 del_lock ($this->sudotabs->dn);
445 }
446 if(isset($this->dns) && is_array($this->dns) && count($this->dns)){
447 del_lock($this->dns);
448 }
449 }
451 function get_used_snapshot_bases()
452 {
453 return(array(sudo::get_sudoers_ou($this->config)));
454 }
457 function copyPasteHandling_from_queue($s_action,$s_entry)
458 {
459 /* Check if Copy & Paste is disabled */
460 if(!is_object($this->CopyPasteHandler)){
461 return("");
462 }
464 $ui = get_userinfo();
466 /* Add a single entry to queue */
467 if($s_action == "cut" || $s_action == "copy"){
469 /* Cleanup object queue */
470 $this->CopyPasteHandler->cleanup_queue();
471 $dn = $this->list[$s_entry]['dn'];
473 if($s_action == "copy" && $ui->is_copyable($dn,"sudo","sudo")){
474 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"sudotabs","SUDOTABS","sudo");
475 }
476 # if($s_action == "cut" && $ui->is_cutable($dn,"sudo","sudo")){
477 # $this->CopyPasteHandler->add_to_queue($dn,$s_action,"sudotabs","SUDOTABS","sudo");
478 # }
479 }
481 /* Add entries to queue */
482 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
484 /* Cleanup object queue */
485 $this->CopyPasteHandler->cleanup_queue();
487 /* Add new entries to CP queue */
488 foreach($this->list_get_selected_items() as $id){
489 $dn = $this->list[$id]['dn'];
491 if($s_action == "copy_multiple" && $ui->is_copyable($dn,"sudo","sudo")){
492 $this->CopyPasteHandler->add_to_queue($dn,"copy","sudotabs","SUDOTABS","sudo");
493 }
494 # if($s_action == "cut_multiple" && $ui->is_cutable($dn,"sudo","sudo")){
495 # $this->CopyPasteHandler->add_to_queue($dn,"cut","sudotabs","SUDOTABS","sudo");
496 # }
497 }
498 }
500 /* Start pasting entries */
501 if($s_action == "editPaste"){
502 $this->start_pasting_copied_objects = TRUE;
503 }
505 /* Return C&P dialog */
506 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
508 /* Get dialog */
509 $this->CopyPasteHandler->SetVar("base",$this->DivListSudo->selectedBase);
510 $data = $this->CopyPasteHandler->execute();
512 /* Return dialog data */
513 if(!empty($data)){
514 return($data);
515 }
516 }
518 /* Automatically disable status for pasting */
519 if(!$this->CopyPasteHandler->entries_queued()){
520 $this->start_pasting_copied_objects = FALSE;
521 }
522 return("");
523 }
524 }
525 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
526 ?>