1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id: class_sudoManagement.inc 10099 2008-04-01 12:52:01Z hickert $$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 /*! \brief This is the sudo management class. \
24 This class allows to add/remove/edit sudo roles with GOsa. \
25 All roles will be listed by this plugin, the displayed objects \
26 can also be filtered.
27 */
28 class sudoManagement extends plugin
29 {
30 /* Definitions */
31 public $plHeadline = "Sudo roles";
32 public $plDescription = "Manage sudo roles";
34 private $DivListSudo = NULL;
35 private $sudotabs = NULL;
36 private $base = "";
38 private $start_pasting_copied_objects = FALSE;
40 /*! \brief */
41 public function __construct(&$config, &$ui)
42 {
43 /* Save configuration for internal use */
44 $this->config = &$config;
45 $this->ui = &$ui;
46 $this->base = sudo::get_sudoers_ou($this->config);
48 /* Copy & Paste enabled ?*/
49 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
50 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
51 }
53 /* Create dialog object */
54 $this->DivListSudo = new divListSudo($this->config,$this);
55 }
58 /*! \brief Generate && Display HTML content
59 */
60 public function execute()
61 {
62 /* Call parent execute */
63 plugin::execute();
65 /********************
66 Handle Posts
67 ********************/
69 /* Store these posts if the current object is locked (used by somebody else)*/
70 session::set('LOCK_VARS_TO_USE',array(
71 "/^act$/","/^id$/","/^sudo_edit_/","/^cut_/","/^copy_/",
72 "/^sudo_del_/","/^item_selected/","/menu_action/"));
75 /* Get html posts */
76 $s_action = "";
77 $s_entry = "";
78 foreach($_POST as $name => $value){
79 if(preg_match("/^sudo_edit_/",$name)){
80 $s_action = "edit_role";
81 $s_entry = preg_replace("/^sudo_edit_([0-9]*).*$/","\\1",$name);
82 }
83 if(preg_match("/^sudo_del_/",$name)){
84 $s_action = "del_role";
85 $s_entry = preg_replace("/^sudo_del_([0-9]*).*$/","\\1",$name);
86 }elseif(preg_match("/^editPaste.*/i",$name)){
87 $s_action="editPaste";
88 }elseif(preg_match("/^copy_.*/",$name)){
89 $s_action="copy";
90 $s_entry = preg_replace("/^copy_([0-9]*).*$/i","\\1",$name);
91 # }elseif(preg_match("/^cut_.*/",$name)){
92 # $s_action="cut";
93 # $s_entry = preg_replace("/^cut_([0-9]*).*$/i","\\1",$name);
94 }
95 }
97 if(isset($_GET['act']) && isset($_GET['id']) && $_GET['act'] == "edit_entry"){
98 $id = trim($_GET['id']);
99 if(isset($this->list[$id])){
100 $s_action = "edit_role";
101 $s_entry = $id;
102 }
103 }
105 if(isset($_POST['menu_action']) && in_array($_POST['menu_action'],array("new_role","del_role","new_default","editPaste"))){
106 $s_action = $_POST['menu_action'];
107 }
109 /* handle C&P from layers menu */
110 if(isset($_POST['menu_action']) && preg_match("/^multiple_copy_systems/",$_POST['menu_action'])){
111 $s_action = "copy_multiple";
112 }
114 $smarty= get_smarty();
116 /********************
117 Copy & Paste Handling ...
118 ********************/
120 /* Display the copy & paste dialog, if it is currently open */
121 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
122 if($ret){
123 return($ret);
124 }
127 /********************
128 Create a new sudo ...
129 ********************/
131 /* New sudo? */
132 if ($s_action=="new_role" || $s_action == "new_default"){
134 /* Check create permissions */
135 $acl = $this->ui->get_permissions($this->base,"sudo/sudo");
136 if(preg_match("/c/",$acl)){
138 /* By default we set 'dn' to 'new', all relevant plugins will
139 react on this. */
140 $this->dn= "new";
142 /* Create new sudotabs object */
143 $this->sudotabs= new sudotabs($this->config, $this->config->data['TABS']['SUDOTABS'], $this->dn);
145 /* Set up the sudo ACL's for this 'dn' */
146 $this->sudotabs->set_acl_base($this->base);
148 /* This entry will become the default entry */
149 if($s_action == "new_default"){
150 $this->sudotabs->set_default(TRUE);
151 }
152 }
153 }
156 /********************
157 Save Sudo Tab/Object Changes
158 ********************/
160 /* Save changes */
161 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && is_object($this->sudotabs)){
163 /* Check tabs, will feed message array
164 Save, or display error message? */
165 $message= $this->sudotabs->check();
166 if (count($message) == 0){
168 /* Save user data to ldap */
169 $this->sudotabs->save();
171 if (!isset($_POST['edit_apply'])){
173 /* Sudo has been saved successfully, remove lock from LDAP. */
174 if ($this->dn != "new"){
175 $this->remove_lock();
176 }
177 unset ($this->sudotabs);
178 $this->sudotabs= NULL;
179 session::un_set('objectinfo');
180 }else{
182 /* Reinitialize tab */
183 if($this->sudotabs instanceof tabs){
184 $this->sudotabs->re_init();
185 }
186 }
187 } else {
188 /* Ok. There seem to be errors regarding to the tab data,
189 show message and continue as usual. */
190 msg_dialog::displayChecks($message);
191 }
192 }
195 /********************
196 Edit existing role
197 ********************/
199 /* User wants to edit data? */
200 if (($s_action=="edit_role") && !is_object($this->sudotabs)){
202 /* Get 'dn' from posted 'uid', must be unique */
203 $this->dn= $this->list[trim($s_entry)]['dn'];
205 /* Check locking & lock entry if required */
206 $user = get_lock($this->dn);
207 if ($user != ""){
208 return(gen_locked_message ($user, $this->dn));
209 }
210 add_lock ($this->dn, $this->ui->dn);
212 /* Register sudotabs to trigger edit dialog */
213 $this->sudotabs= new sudotabs($this->config,$this->config->data['TABS']['SUDOTABS'], $this->dn);
214 $this->sudotabs->set_acl_base($this->base);
215 session::set('objectinfo',$this->dn);
216 }
219 /********************
220 Delete entries requested, display confirm dialog
221 ********************/
223 if ($s_action=="del_role"){
224 $ids = $this->list_get_selected_items();
225 if(!count($ids) && $s_entry!=""){
226 $ids = array($s_entry);
227 }
229 $this->dns = array();
230 if(count($ids)){
231 $disallowed = array();
232 foreach($ids as $id){
233 $dn = $this->list[$id]['dn'];
234 $acl = $this->ui->get_permissions($dn, "sudo/sudo");
235 if(preg_match("/d/",$acl)){
236 $this->dns[$id] = $dn;
237 }else{
238 $disallowed[] = $dn;
239 }
240 }
242 if(count($disallowed)){
243 msg_dialog::display(_("Permission"),msgPool::permDelete($disallowed),INFO_DIALOG);
244 }
246 if(count($this->dns)){
248 /* Check locking of entries */
249 $users = get_multiple_locks($this->dns);
250 if(count($users)){
251 return(gen_locked_message($users,$this->dns));
252 }
254 /* Add locks */
255 add_lock($this->dns,$this->ui->dn);
257 /* Lock the current entry, so nobody will edit it during deletion */
258 $smarty->assign("info", msgPool::deleteInfo($this->dns,_("Sudo role")));
259 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
260 }
261 }
262 }
265 /********************
266 Delete entries confirmed
267 ********************/
269 /* Confirmation for deletion has been passed. Sudo should be deleted. */
270 if (isset($_POST['delete_sudos_confirmed'])){
272 /* Remove user by user and check acls before removeing them */
273 foreach($this->dns as $key => $dn){
275 /* Load permissions for selected 'dn' and check if
276 we're allowed to remove this 'dn' */
277 $acl = $this->ui->get_permissions($dn,"sudo/sudo");
278 if(preg_match("/d/",$acl)){
280 /* Delete request is permitted, perform LDAP action */
281 $this->sudotabs= new sudotabs($this->config,$this->config->data['TABS']['SUDOTABS'], $dn);
282 $this->sudotabs->set_acl_base($dn);
283 $this->sudotabs->delete ();
284 unset ($this->sudotabs);
285 $this->sudotabs= NULL;
287 } else {
289 /* Normally this shouldn't be reached, send some extra
290 logs to notify the administrator */
291 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
292 new log("security","sudo/".get_class($this),$dn,array(),"Tried to trick deletion.");
293 }
294 }
296 /* Remove lock file after successfull deletion */
297 $this->remove_lock();
298 $this->dns = array();
299 }
302 /********************
303 Delete entries Canceled
304 ********************/
306 /* Remove lock */
307 if(isset($_POST['delete_sudo_cancel'])){
308 $this->remove_lock();
309 $this->dns = array();
310 }
312 /********************
313 A dialog was canceled
314 ********************/
316 /* Cancel dialogs */
317 if (isset($_POST['edit_cancel']) && is_object($this->sudotabs)){
318 $this->remove_lock();
319 $this->sudotabs= NULL;
320 session::un_set('objectinfo');
321 }
324 /********************
325 If there is currently a dialog open, display it
326 ********************/
328 /* Show tab dialog if object is present */
329 if (is_object($this->sudotabs)){
330 $display= $this->sudotabs->execute();
332 /* Don't show buttons if tab dialog requests this */
333 if(isset($this->sudotabs->by_object)){
334 if (!$this->sudotabs->by_object[$this->sudotabs->current]->dialog){
335 $display.= "<p style=\"text-align:right\">\n";
336 $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\"".msgPool::okButton()."\">\n";
337 $display.= " \n";
338 if ($this->dn != "new"){
339 $display.= "<input type=submit name=\"edit_apply\" value=\"".msgPool::applyButton()."\">\n";
340 $display.= " \n";
341 }
342 $display.= "<input type=submit name=\"edit_cancel\" value=\"".msgPool::cancelButton()."\">\n";
343 $display.= "</p>";
344 }
345 }
346 return ($display);
347 }
349 /* Check if there is a snapshot dialog open */
350 if($str = $this->showSnapshotDialog(sudo::get_sudoers_ou($this->config),$this->get_used_snapshot_bases())){
351 return($str);
352 }
354 /* Display dialog with sudo list */
355 $this->DivListSudo->execute();
356 $this->reload ();
357 $this->DivListSudo->setEntries($this->list);
358 return($this->DivListSudo->Draw());
359 }
362 /*! \brief Return all selected elements from HTML list
363 @return Array List of all selected list elements
364 */
365 private function list_get_selected_items()
366 {
367 $ids = array();
368 foreach($_POST as $name => $value){
369 if(preg_match("/^item_selected_[0-9]*$/",$name)){
370 $id = preg_replace("/^item_selected_/","",$name);
371 $ids[$id] = $id;
372 }
373 }
374 return($ids);
375 }
378 /*! \brief Reload the list of sudo roles.
379 */
380 private function reload($CreatePosixsList=false)
381 {
382 $this->list = array();
383 $base = $this->base;
385 $Regex = trim($this->DivListSudo->Regex);
386 $UserRegex = trim($this->DivListSudo->UserRegex);
387 $SubSearch = $this->DivListSudo->SubSearch;
389 /********************
390 Create filter depending on selected checkboxes
391 ********************/
392 $values = array("cn","description","sudoUser","sudoCommand","sudoOption");
393 if($UserRegex == "*"){
394 $ff = "(&(|(cn=".$Regex.")(description=".$Regex."))(objectClass=sudoRole))";
395 }else{
396 $ff = "(&(|(cn=".$Regex.")(description=".$Regex."))(sudoUser=".$UserRegex.")(objectClass=sudoRole))";
397 }
398 $res = get_list($ff, "sudo",$base,$values, GL_SIZELIMIT);
399 $tmp = array();
400 foreach($res as $attrs){
401 $tmp[$attrs['cn'][0]] = $attrs;
402 }
403 uksort($tmp, 'strnatcasecmp');
404 $this->list = array_values($tmp);
405 }
408 /*! \brief Save HTML post data to object
409 */
410 public function save_object()
411 {
412 $this->DivListSudo->save_object();
413 if(is_object($this->CopyPasteHandler)){
414 $this->CopyPasteHandler->save_object();
415 }
416 }
419 /*! \brief Remove this account
420 */
421 public function remove_from_parent()
422 {
423 /* Optionally execute a command after we're done */
424 $this->postremove();
425 }
428 /*! \brief Save to LDAP
429 */
430 public function save()
431 {
432 /* Optionally execute a command after we're done */
433 $this->postcreate();
434 }
437 /*! \brief Remove lock from entry
438 */
439 public function remove_lock()
440 {
441 if (is_object($this->sudotabs) && $this->sudotabs->dn != "new"){
442 del_lock ($this->sudotabs->dn);
443 }
444 if(isset($this->dns) && is_array($this->dns) && count($this->dns)){
445 del_lock($this->dns);
446 }
447 }
449 function get_used_snapshot_bases()
450 {
451 return(array(sudo::get_sudoers_ou($this->config)));
452 }
455 function copyPasteHandling_from_queue($s_action,$s_entry)
456 {
457 /* Check if Copy & Paste is disabled */
458 if(!is_object($this->CopyPasteHandler)){
459 return("");
460 }
462 $ui = get_userinfo();
464 /* Add a single entry to queue */
465 if($s_action == "cut" || $s_action == "copy"){
467 /* Cleanup object queue */
468 $this->CopyPasteHandler->cleanup_queue();
469 $dn = $this->list[$s_entry]['dn'];
471 if($s_action == "copy" && $ui->is_copyable($dn,"sudo","sudo")){
472 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"sudotabs","SUDOTABS","sudo");
473 }
474 # if($s_action == "cut" && $ui->is_cutable($dn,"sudo","sudo")){
475 # $this->CopyPasteHandler->add_to_queue($dn,$s_action,"sudotabs","SUDOTABS","sudo");
476 # }
477 }
479 /* Add entries to queue */
480 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
482 /* Cleanup object queue */
483 $this->CopyPasteHandler->cleanup_queue();
485 /* Add new entries to CP queue */
486 foreach($this->list_get_selected_items() as $id){
487 $dn = $this->list[$id]['dn'];
489 if($s_action == "copy_multiple" && $ui->is_copyable($dn,"sudo","sudo")){
490 $this->CopyPasteHandler->add_to_queue($dn,"copy","sudotabs","SUDOTABS","sudo");
491 }
492 # if($s_action == "cut_multiple" && $ui->is_cutable($dn,"sudo","sudo")){
493 # $this->CopyPasteHandler->add_to_queue($dn,"cut","sudotabs","SUDOTABS","sudo");
494 # }
495 }
496 }
498 /* Start pasting entries */
499 if($s_action == "editPaste"){
500 $this->start_pasting_copied_objects = TRUE;
501 }
503 /* Return C&P dialog */
504 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
506 /* Get dialog */
507 $this->CopyPasteHandler->SetVar("base",$this->DivListSudo->selectedBase);
508 $data = $this->CopyPasteHandler->execute();
510 /* Return dialog data */
511 if(!empty($data)){
512 return($data);
513 }
514 }
516 /* Automatically disable status for pasting */
517 if(!$this->CopyPasteHandler->entries_queued()){
518 $this->start_pasting_copied_objects = FALSE;
519 }
520 return("");
521 }
522 }
523 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
524 ?>