From 7c52028870ca43c61f8657fb91fb08f8534b6015 Mon Sep 17 00:00:00 2001 From: hickert Date: Tue, 8 Apr 2008 06:30:28 +0000 Subject: [PATCH] Updated sudo -Added ACL handling git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@10261 594d385d-05f5-0310-b6e9-bd551577e9d8 --- .../sudo/admin/sudo/class_divListSudo.inc | 1 - .../sudo/admin/sudo/class_sudoGeneric.inc | 308 ++++++++++-------- gosa-plugins/sudo/admin/sudo/generic.tpl | 68 +++- 3 files changed, 222 insertions(+), 155 deletions(-)
diff --git a/gosa-plugins/sudo/admin/sudo/class_divListSudo.inc b/gosa-plugins/sudo/admin/sudo/class_divListSudo.inc
index 8e90e6b56..a02d5a24c 100644
--- a/gosa-plugins/sudo/admin/sudo/class_divListSudo.inc
+++ b/gosa-plugins/sudo/admin/sudo/class_divListSudo.inc
@@ -37,7 +37,6 @@ class divListSudo extends MultiSelectWindow /* Subsearch checkbox */ var $SubSearch = FALSE; - var $parent ; var $ui ;
diff --git a/gosa-plugins/sudo/admin/sudo/class_sudoGeneric.inc b/gosa-plugins/sudo/admin/sudo/class_sudoGeneric.inc
index a2ba757bf..a7697f1bb 100644
--- a/gosa-plugins/sudo/admin/sudo/class_sudoGeneric.inc
+++ b/gosa-plugins/sudo/admin/sudo/class_sudoGeneric.inc
@@ -33,14 +33,14 @@ class sudo extends plugin var $sudoUser = array("ALL"); var $sudoCommand= array(); var $sudoHost = array("ALL"); - var $sudoRunas = array("ALL"); + var $sudoRunAs = array("ALL"); var $accessTo = array(); var $trustModel = ""; var $show_ws_dialog = FALSE; var $objectclasses = array("top","sudoRole"); - var $attributes = array("cn","description","sudoUser","sudoCommand","sudoHost","sudoRunas","accessTo","trustModel"); + var $attributes = array("cn","description","sudoUser","sudoCommand","sudoHost","sudoRunAs","accessTo","trustModel"); var $is_account = TRUE; 
@@ -84,7 +84,7 @@ class sudo extends plugin plugin::plugin ($config, $dn); if($this->initially_was_account){ - foreach(array("sudoUser","sudoCommand","sudoHost","sudoRunas") as $attr){ + foreach(array("sudoUser","sudoCommand","sudoHost","sudoRunAs") as $attr){ $this->$attr = array(); if(isset($this->attrs[$attr])){ $tmp = array();
@@ -125,10 +125,10 @@ class sudo extends plugin plugin::execute(); /********************* - Access control list + Access control list / trust mode *********************/ - /* Add user workstation? */ + /* Add user workstation? */ if (isset($_POST["add_ws"])){ $this->show_ws_dialog= TRUE; $this->dialog= TRUE; 
@@ -157,62 +157,9 @@ class sudo extends plugin $this->dialog= FALSE; } - /* Show ws dialog */ + /* Show ws dialog */ if ($this->show_ws_dialog){ - - $smarty = get_smarty(); - - - /* Save data */ - $sysfilter= session::get("sysfilter"); - foreach( array("depselect", "regex") as $type){ - if (isset($_POST[$type])){ - $sysfilter[$type]= $_POST[$type]; - } - } - if (isset($_GET['search'])){ - $s= mb_substr($_GET['search'], 0, 1, "UTF8")."*"; - if ($s == "**"){ - $s= "*"; - } - $sysfilter['regex']= $s; - } - session::set("sysfilter", $sysfilter); - - /* Get workstation list */ - $exclude= ""; - foreach($this->accessTo as $ws){ - $exclude.= "(cn=$ws)"; - } - if ($exclude != ""){ - $exclude= "(!(|$exclude))"; - } - $regex= $sysfilter['regex']; - $filter= "(&(|(objectClass=goServer)(objectClass=gotoWorkstation)(objectClass=gotoTerminal))$exclude(cn=*)(cn=$regex))"; - - $deps_a = array(get_ou("serverou"), - get_ou("terminalou"), - get_ou("workstationou")); - - $res= get_sub_list($filter, array("terminal","server","workstation"), $deps_a, get_ou("systemsou").$sysfilter['depselect'], array("cn"), GL_SUBSEARCH | GL_SIZELIMIT); - $wslist= array(); - foreach ($res as $attrs){ - $wslist[]= preg_replace('/\$/', '', $attrs['cn'][0]); - } - asort($wslist); - $smarty->assign("search_image", get_template_path('images/search.png')); - $smarty->assign("launchimage", get_template_path('images/small_filter.png')); - $smarty->assign("tree_image", get_template_path('images/tree.png')); - $smarty->assign("deplist", $this->config->idepartments); - $smarty->assign("alphabet", generate_alphabet()); - foreach( array("depselect", "regex") as $type){ - $smarty->assign("$type", $sysfilter[$type]); - } - $smarty->assign("hint", print_sizelimit_warning()); - $smarty->assign("wslist", $wslist); - $smarty->assign("apply", apply_filter()); - $display= $smarty->fetch (get_template_path('trust_machines.tpl', TRUE, dirname(__FILE__))); - return ($display); + $this->display_trust_add_dialog(); } 
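Review bot: The value returned by `display_trust_add_dialog()` is discarded in the `if ($this->show_ws_dialog)` branch, so the trust dialog HTML is never sent back and execution falls through to the generic template; the removed code at this point returned the fetched dialog, and the new helper (later in this patch) still ends with `return ($display);`. Change the call to `return $this->display_trust_add_dialog();`. The body of `execute()` continues outside the hunk.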
@@ -220,7 +167,7 @@ class sudo extends plugin Add users *********************/ - if(isset($_POST['list_sudoUser']) && !is_object($this->dialog)){ + if(isset($_POST['list_sudoUser']) && !is_object($this->dialog) && $this->acl_is_writeable("sudoUser")){ $used = array(); foreach($this->sudoUser as $name){ $used[] = preg_replace("/^!/","",$name);
@@ -230,12 +177,14 @@ class sudo extends plugin /* Add selected hosts to the sudoUser list */ if(isset($_POST['SaveMultiSelectWindow']) && $this->dialog instanceof target_list_users){ - foreach($this->dialog->save() as $entry){ - $cn = trim($entry['uid'][0]); - if(!in_array($cn,$this->sudoUser) && !in_array("!".$cn,$this->sudoUser)){ - $this->sudoUser[] = $cn; - } - } + if($this->acl_is_writeable("sudoUser")){ + foreach($this->dialog->save() as $entry){ + $cn = trim($entry['uid'][0]); + if(!in_array($cn,$this->sudoUser) && !in_array("!".$cn,$this->sudoUser)){ + $this->sudoUser[] = $cn; + } + } + } unset($this->dialog); $this->dialog = NULL; }
@@ -245,7 +194,7 @@ class sudo extends plugin Add systems *********************/ - if(isset($_POST['list_sudoHost']) && !is_object($this->dialog)){ + if(isset($_POST['list_sudoHost']) && !is_object($this->dialog) && $this->acl_is_writeable("sudoHost")){ $used = array(); foreach($this->sudoHost as $name){ $used[] = preg_replace("/^!/","",$name);
@@ -255,11 +204,13 @@ class sudo extends plugin /* Add selected hosts to the sudoHost list */ if(isset($_POST['SaveMultiSelectWindow']) && $this->dialog instanceof target_list_systems){ - foreach($this->dialog->save() as $entry){ - $cn = trim($entry['cn'][0]); - if(!in_array($cn,$this->sudoHost) && !in_array("!".$cn,$this->sudoHost)){ - $this->sudoHost[] = $cn; - } + if($this->acl_is_writeable("sudoHost")){ + foreach($this->dialog->save() as $entry){ + $cn = trim($entry['cn'][0]); + if(!in_array($cn,$this->sudoHost) && !in_array("!".$cn,$this->sudoHost)){ + $this->sudoHost[] = $cn; + } + } } unset($this->dialog); $this->dialog = NULL; 
@@ -287,16 +238,18 @@ class sudo extends plugin if(preg_match("/^neg_/",$name)){ $attr = preg_replace("/^neg_([^_]*)_.*$/","\\1",$name); $value= preg_replace("/^neg_[^_]*_([0-9]*)_.*$/","\\1",$name); - - $attrs = $this->$attr; - if(isset( $attrs[$value])){ - $v = $attrs[$value]; - if(preg_match("/^!/",$v)){ - $attrs[$value] = preg_replace("/^!/","",$v); - }else{ - $attrs[$value] = "!".$v; + + if($this->acl_is_writeable($attr)){ + $attrs = $this->$attr; + if(isset( $attrs[$value])){ + $v = $attrs[$value]; + if(preg_match("/^!/",$v)){ + $attrs[$value] = preg_replace("/^!/","",$v); + }else{ + $attrs[$value] = "!".$v; + } + $this->$attr = $attrs; } - $this->$attr = $attrs; } break; // Do it once, image inputs will be posted twice }
@@ -309,10 +262,12 @@ class sudo extends plugin if(preg_match("/^del_/",$name)){ $attr = preg_replace("/^del_([^_]*)_.*$/","\\1",$name); $value= preg_replace("/^del_[^_]*_([0-9]*)_.*$/","\\1",$name); - $attrs = $this->$attr; - if(isset( $attrs[$value])){ - unset($attrs[$value]); - $this->$attr = $attrs; + if($this->acl_is_writeable($attr)){ + $attrs = $this->$attr; + if(isset( $attrs[$value])){ + unset($attrs[$value]); + $this->$attr = $attrs; + } } break; // Do it once, image inputs will be posted twice }
@@ -321,9 +276,14 @@ class sudo extends plugin /********************* ADD values - *********************/ - foreach(array("sudoUser","sudoHost","sudoRunas") as $attr){ - if(isset($_POST["add_".$attr]) && isset($_POST['new_'.$attr]) && !empty($_POST['new_'.$attr])){ + *********************/ + + /* User / Host / Runas */ + foreach(array("sudoUser","sudoHost","sudoRunAs") as $attr){ + if($this->acl_is_writeable($attr) && + isset($_POST["add_".$attr]) && + isset($_POST['new_'.$attr]) && + !empty($_POST['new_'.$attr])){ if(preg_match("/^[a-z\.0-9]*$/i",$_POST['new_'.$attr])){ $attrs = $this->$attr; $attrs[] = trim($_POST['new_'.$attr]); 
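Review bot: In the `neg_` handler, `$attr` is cut out of a POST field name chosen by the client and then used both in `acl_is_writeable($attr)` and in the variable property reads/writes `$this->$attr`, so the new ACL gate decides whether a write is allowed but not which property is written; what `acl_is_writeable()` returns for a name that is not one of the four list attributes is not visible here. Restrict `$attr` to the known lists before the ACL call, e.g. `if(in_array($attr, array("sudoUser","sudoCommand","sudoHost","sudoRunAs"), true) && $this->acl_is_writeable($attr)){`. The `del_` handler in the next hunk has the same shape and needs the same guard. The loop that supplies `$name` starts outside the hunk.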
@@ -334,80 +294,85 @@ class sudo extends plugin } } + /* Command */ foreach(array("sudoCommand") as $attr){ - if(isset($_POST["add_".$attr]) && isset($_POST['new_'.$attr])){ + if($this->acl_is_writeable($attr) && isset($_POST["add_".$attr]) && isset($_POST['new_'.$attr])){ $attrs = $this->$attr; $attrs[] = trim($_POST['new_'.$attr]); $this->$attr = $attrs; } } + + /********************* + SMARTY assignments + *********************/ $smarty = get_smarty(); foreach($this->attributes as $attr){ $smarty->assign($attr,$this->$attr); + $smarty->assign($attr."ACL",$this->getacl($attr)); } - -/* Work on trust modes */ + /* Work on trust modes */ $smarty->assign("trusthide", " disabled "); - $smarty->assign("trustmodeACL", $this->getacl("trustModel")); if ($this->trustModel == "fullaccess"){ $trustmode= 1; - // pervent double disable tag in html code, this will disturb our clean w3c html - $smarty->assign("trustmode", $this->getacl("trustModel")); - } elseif ($this->trustModel == "byhost"){ $trustmode= 2; $smarty->assign("trusthide", ""); } else { - // pervent double disable tag in html code, this will disturb our clean w3c html - $smarty->assign("trustmode", $this->getacl("trustModel")); $trustmode= 0; } $smarty->assign("trustmode", $trustmode); - $smarty->assign("trustmodes", array( 0 => _("disabled"), 1 => _("full access"), + $smarty->assign("trustmodes", array( + 0 => _("disabled"), + 1 => _("full access"), 2 => _("allow access to these hosts"))); - if((count($this->accessTo))==0) + if((count($this->accessTo))==0){ $smarty->assign("emptyArrAccess",true); - else + }else{ $smarty->assign("emptyArrAccess",false); - - + } $smarty->assign("workstations", $this->accessTo); - - + /* Create lists + */ $divlist_sudoUser = new divSelectBox("divlist_sudoUser"); $divlist_sudoUser->SetHeight("90"); $divlist_sudoHost = new divSelectBox("divlist_sudoHost"); $divlist_sudoHost->Setheight("90"); - $divlist_sudoRunas = new divSelectBox("divlist_sudoRunas"); - 
$divlist_sudoRunas->Setheight("90"); + $divlist_sudoRunAs = new divSelectBox("divlist_sudoRunAs"); + $divlist_sudoRunAs->Setheight("90"); $divlist_sudoCommand = new divSelectBox("divlist_sudoCommand"); $divlist_sudoCommand->Setheight("90"); + /* Fill divlists + */ $neg_img= "!"; $option = ""; $option.= ""; - foreach(array("sudoUser","sudoCommand","sudoHost","sudoRunas") as $attr){ - foreach($this->$attr as $key => $entry){ - $entry = preg_replace("/^!/",$neg_img,$entry); - $list_name = "divlist_".$attr; - $$list_name->AddEntry( - array( - array("string" => $entry), - array("string" => preg_replace(array("/%KEY%/","/%ATTR%/"),array($key,$attr),$option), - "attach" => "style='width:40px; border-right: 0px;'"))); + foreach(array("sudoUser","sudoCommand","sudoHost","sudoRunAs") as $attr){ + if($this->acl_is_readable($attr)){ + foreach($this->$attr as $key => $entry){ + $entry = preg_replace("/^!/",$neg_img,$entry); + $list_name = "divlist_".$attr; + $$list_name->AddEntry( + array( + array("string" => $entry), + array("string" => preg_replace(array("/%KEY%/","/%ATTR%/"),array($key,$attr),$option), + "attach" => "style='width:40px; border-right: 0px;'"))); + } } } - $smarty->assign("divlist_sudoUser",$divlist_sudoUser->DrawList()); - $smarty->assign("divlist_sudoHost",$divlist_sudoHost->DrawList()); - $smarty->assign("divlist_sudoRunas",$divlist_sudoRunas->DrawList()); + /* Tell smarty about our divlists + */ + $smarty->assign("divlist_sudoUser", $divlist_sudoUser->DrawList()); + $smarty->assign("divlist_sudoHost", $divlist_sudoHost->DrawList()); + $smarty->assign("divlist_sudoRunAs", $divlist_sudoRunAs->DrawList()); $smarty->assign("divlist_sudoCommand",$divlist_sudoCommand->DrawList()); - return($smarty->fetch(get_template_path('generic.tpl', TRUE))); } 
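Review bot: The `sudoCommand` add path only requires `isset($_POST['new_'.$attr])`, whereas the User/Host/Runas loop in the previous hunk also rejects empty input, so submitting the form with an empty command appends `''` to `$this->sudoCommand`, and nothing visible in the save hunk filters that value out before it is written to the entry. Add `&& trim($_POST['new_'.$attr]) !== ''` to the condition; `trim()` rather than `empty()` so a command literally named `0` is still accepted. A short comment on the `acl_is_readable()` guard, such as `/* Lists the user may not read stay empty rather than erroring */`, would make the silently empty divlists easier to understand. `execute()` begins outside the hunk.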
@@ -437,24 +402,22 @@ class sudo extends plugin $this->dialog->save_object(); } - /* Trust mode - special handling */ - if($this->acl_is_writeable("trustModel")){ - if (isset($_POST['trustmode'])){ - $saved= $this->trustModel; - if ($_POST['trustmode'] == "1"){ - $this->trustModel= "fullaccess"; - } elseif ($_POST['trustmode'] == "2"){ - $this->trustModel= "byhost"; - } else { - $this->trustModel= ""; - } - if ($this->trustModel != $saved){ - $this->is_modified= TRUE; - } + /* Trust mode - special handling */ + if($this->acl_is_writeable("trustModel")){ + if (isset($_POST['trustmode'])){ + $saved= $this->trustModel; + if ($_POST['trustmode'] == "1"){ + $this->trustModel= "fullaccess"; + } elseif ($_POST['trustmode'] == "2"){ + $this->trustModel= "byhost"; + } else { + $this->trustModel= ""; + } + if ($this->trustModel != $saved){ + $this->is_modified= TRUE; } } - - + } }
@@ -472,7 +435,7 @@ class sudo extends plugin $objectclasses[]= $this->attrs['objectClass'][$key]; } - $this->attrs['objectClass']= $objectclasses; + $this->attrs['objectClass']= $objectclasses; if ($this->trustModel != ""){ $this->attrs['objectClass'][]= "trustAccount"; $this->attrs['trustModel']= $this->trustModel;
@@ -489,15 +452,18 @@ class sudo extends plugin } } - + /* Ensure a correct array index */ $this->attrs['sudoHost'] = array_values($this->attrs['sudoHost']); - $this->attrs['sudoRunas'] = array_values($this->attrs['sudoRunas']); + $this->attrs['sudoRunAs'] = array_values($this->attrs['sudoRunAs']); $this->attrs['sudoUser'] = array_values($this->attrs['sudoUser']); $this->attrs['sudoCommand'] = array_values($this->attrs['sudoCommand']); + print_a($this->attrs); $this->cleanup(); + print_a($this->attrs); + $ldap = $this->config->get_ldap_link(); $ldap->cd($this->config->current['BASE']); if($this->is_new){ 
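Review bot: Two debug calls, `print_a($this->attrs);` before and after `$this->cleanup();` in the third hunk (`@@ -489`), are committed into the save path and dump the complete attribute set of the sudo role (users, hosts, commands, run-as entries, trust settings) into the HTTP response on every save. Both lines should be removed before this ships. The surrounding `save()` begins and ends outside the hunk.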
@@ -531,6 +497,68 @@ class sudo extends plugin } + /*! \brief Display the System Trust Add Workstation dialog + @return String HTML dialog to add a system to the trust list. + + */ + private function display_trust_add_dialog() + { + $smarty = get_smarty(); + + /* Save data */ + $sysfilter= session::get("sysfilter"); + foreach( array("depselect", "regex") as $type){ + if (isset($_POST[$type])){ + $sysfilter[$type]= $_POST[$type]; + } + } + if (isset($_GET['search'])){ + $s= mb_substr($_GET['search'], 0, 1, "UTF8")."*"; + if ($s == "**"){ + $s= "*"; + } + $sysfilter['regex']= $s; + } + session::set("sysfilter", $sysfilter); + + /* Get workstation list */ + $exclude= ""; + foreach($this->accessTo as $ws){ + $exclude.= "(cn=$ws)"; + } + if ($exclude != ""){ + $exclude= "(!(|$exclude))"; + } + $regex= $sysfilter['regex']; + $filter= "(&(|(objectClass=goServer)(objectClass=gotoWorkstation)(objectClass=gotoTerminal))$exclude(cn=*)(cn=$regex))"; + + $deps_a = array(get_ou("serverou"), + get_ou("terminalou"), + get_ou("workstationou")); + + $res= get_sub_list($filter, array("terminal","server","workstation"), $deps_a, + get_ou("systemsou").$sysfilter['depselect'], array("cn"), GL_SUBSEARCH | GL_SIZELIMIT); + $wslist= array(); + foreach ($res as $attrs){ + $wslist[]= preg_replace('/\$/', '', $attrs['cn'][0]); + } + asort($wslist); + foreach( array("depselect","regex") as $type){ + $smarty->assign("$type", $sysfilter[$type]); + } + $smarty->assign("search_image", get_template_path('images/search.png')); + $smarty->assign("launchimage", get_template_path('images/small_filter.png')); + $smarty->assign("tree_image", get_template_path('images/tree.png')); + $smarty->assign("deplist", $this->config->idepartments); + $smarty->assign("alphabet", generate_alphabet()); + $smarty->assign("hint", print_sizelimit_warning()); + $smarty->assign("wslist", $wslist); + $smarty->assign("apply", apply_filter()); + $display= $smarty->fetch (get_template_path('trust_machines.tpl', TRUE, 
dirname(__FILE__))); + return ($display); + } + + /*! \brief Add ACL object @return Returns the ACL object. */
@@ -551,7 +579,7 @@ class sudo extends plugin "sudoUser" => _("Users"), "sudoHost" => _("Host"), "sudoCommand" => _("Command"), - "sudoRunas" => _("Run as user")) + "sudoRunAs" => _("Run as user")) )); } }
diff --git a/gosa-plugins/sudo/admin/sudo/generic.tpl b/gosa-plugins/sudo/admin/sudo/generic.tpl
index 765bd271d..08450eefa 100644
--- a/gosa-plugins/sudo/admin/sudo/generic.tpl
+++ b/gosa-plugins/sudo/admin/sudo/generic.tpl
@@ -8,7 +8,9 @@ {t}Name{/t} + {render acl=$cnACL} + {/render}
@@ -16,23 +18,26 @@ {t}Description{/t} + {render acl=$descriptionACL} + {/render} -
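Review bot: `display_trust_add_dialog()` builds the LDAP search filter by string interpolation: `$regex` comes from `$sysfilter['regex']`, which a few lines earlier is copied verbatim from `$_POST['regex']`, and each `$ws` from `accessTo` is inserted as `(cn=$ws)`, so filter metacharacters such as `(`, `)`, `\` and NUL in those values change the query rather than being matched literally; only the `$_GET['search']` path is narrowed to one character plus `*`. Escape both values per RFC 4515 before assembling `$filter` (keeping `*` where a wildcard is intended), and note that `$sysfilter['depselect']` is likewise POST-supplied and appended to the search base. The code is moved rather than new, but it now lives in its own method and this is the place to fix it. The doc comment should also mention that the method reads and rewrites the `sysfilter` session entry as a side effect.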

{t}System trust{/t}

- {t}Trust mode{/t}  - {render acl=$trustmodeACL} +

  {t}System trust{/t}

+ {t}Trust mode{/t}  + {render acl=$trustModelACL} +
{/render} - {render acl=$trustmodeACL} + {render acl=$trustModelACL} {/render}
- {render acl=$trustmodeACL} + {render acl=$trustModelACL}   {/render} - {render acl=$trustmodeACL} + {render acl=$trustModelACL} {/render}
@@ -54,25 +59,60 @@

 User / Groups

+ {render acl=$sudoUserACL} {$divlist_sudoUser} - + {/render} + {render acl=$sudoUserACL} + + {/render} + {render acl=$sudoUserACL} + + {/render} + {render acl=$sudoUserACL} + {/render} -

 Hosts

+ +

 Hosts

+ {render acl=$sudoHostACL} {$divlist_sudoHost} - + {/render} + {render acl=$sudoHostACL} + + {/render} + {render acl=$sudoHostACL} + + {/render} + {render acl=$sudoHostACL} + {/render}

 

-

Commands

+ +

 Commands

+ {render acl=$sudoCommandACL} {$divlist_sudoCommand} - + {/render} + {render acl=$sudoCommandACL} + + {/render} + {render acl=$sudoCommandACL} + + {/render} -

 Run as

- {$divlist_sudoRunas} - + +

 Run as

+ {render acl=$sudoRunAsACL} + {$divlist_sudoRunAs} + {/render} + {render acl=$sudoRunAsACL} + + {/render} + {render acl=$sudoRunAsACL} + + {/render} -- 2.30.2