Project

General

Profile

Download (26.1 KB) Statistics
| Branch: | Tag: | Revision:
1 1df17ba9 Scott Ullrich
<?php
2 fab7ff44 Bill Marquette
/*
3 4c291f4c Renato Botelho
	system_usermanager.php
4 fab7ff44 Bill Marquette
*/
5 7d2e572f Stephen Beaver
/* ====================================================================
6
 *	Copyright (c)  2004-2015  Electric Sheep Fencing, LLC. All rights reserved.
7
 *	Copyright (c)  2008 Shrew Soft Inc.
8
 *	Copyright (c)  2005 Paul Taylor <paultaylor@winn-dixie.com>
9
 *
10 cb41dd63 Renato Botelho
 *	Some or all of this file is based on the m0n0wall project which is
11
 *	Copyright (c)  2004 Manuel Kasper (BSD 2 clause)
12 191cb31d Stephen Beaver
 *
13 7d2e572f Stephen Beaver
 *	Redistribution and use in source and binary forms, with or without modification,
14
 *	are permitted provided that the following conditions are met:
15
 *
16
 *	1. Redistributions of source code must retain the above copyright notice,
17
 *		this list of conditions and the following disclaimer.
18
 *
19
 *	2. Redistributions in binary form must reproduce the above copyright
20
 *		notice, this list of conditions and the following disclaimer in
21
 *		the documentation and/or other materials provided with the
22
 *		distribution.
23
 *
24
 *	3. All advertising materials mentioning features or use of this software
25
 *		must display the following acknowledgment:
26
 *		"This product includes software developed by the pfSense Project
27
 *		 for use in the pfSense software distribution. (http://www.pfsense.org/).
28
 *
29
 *	4. The names "pfSense" and "pfSense Project" must not be used to
30
 *		 endorse or promote products derived from this software without
31
 *		 prior written permission. For written permission, please contact
32
 *		 coreteam@pfsense.org.
33
 *
34
 *	5. Products derived from this software may not be called "pfSense"
35
 *		nor may "pfSense" appear in their names without prior written
36
 *		permission of the Electric Sheep Fencing, LLC.
37
 *
38
 *	6. Redistributions of any form whatsoever must retain the following
39
 *		acknowledgment:
40
 *
41
 *	"This product includes software developed by the pfSense Project
42
 *	for use in the pfSense software distribution (http://www.pfsense.org/).
43
 *
44
 *	THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
45
 *	EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46
 *	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47
 *	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
48
 *	ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49
 *	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50
 *	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51
 *	LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52
 *	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53
 *	STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54
 *	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55
 *	OF THE POSSIBILITY OF SUCH DAMAGE.
56
 *
57
 *	====================================================================
58
 *
59
 */
60 fab7ff44 Bill Marquette
61 6b07c15a Matthew Grooms
##|+PRIV
62
##|*IDENT=page-system-usermanager
63 5230f468 jim-p
##|*NAME=System: User Manager
64 6b07c15a Matthew Grooms
##|*DESCR=Allow access to the 'System: User Manager' page.
65
##|*MATCH=system_usermanager.php*
66
##|-PRIV
67
68 ead24d63 sullrich
require("certs.inc");
69 fab7ff44 Bill Marquette
require("guiconfig.inc");
70
71 e33be77c Ermal
// start admin user code
72 73fa304b Phil Davis
if (isset($_POST['userid']) && is_numericint($_POST['userid'])) {
73 1a6769a6 Renato Botelho
	$id = $_POST['userid'];
74 73fa304b Phil Davis
}
75 1df17ba9 Scott Ullrich
76 7411c285 Stephen Beaver
if (isset($_GET['userid']) && is_numericint($_GET['userid'])) {
77
	$id = $_GET['userid'];
78
}
79
80 73fa304b Phil Davis
if (!isset($config['system']['user']) || !is_array($config['system']['user'])) {
81 e33be77c Ermal
	$config['system']['user'] = array();
82 73fa304b Phil Davis
}
83 1df17ba9 Scott Ullrich
84 e33be77c Ermal
$a_user = &$config['system']['user'];
85 7411c285 Stephen Beaver
$act = $_GET['act'];
86 45ee90ed Matthew Grooms
87 73fa304b Phil Davis
if (isset($_SERVER['HTTP_REFERER'])) {
88 7c2d0050 Renato Botelho
	$referer = $_SERVER['HTTP_REFERER'];
89 73fa304b Phil Davis
} else {
90 7c2d0050 Renato Botelho
	$referer = '/system_usermanager.php';
91 73fa304b Phil Davis
}
92 7c2d0050 Renato Botelho
93 adacdf5f jim-p
if (isset($id) && $a_user[$id]) {
94
	$pconfig['usernamefld'] = $a_user[$id]['name'];
95
	$pconfig['descr'] = $a_user[$id]['descr'];
96
	$pconfig['expires'] = $a_user[$id]['expires'];
97
	$pconfig['groups'] = local_user_get_groups($a_user[$id]);
98
	$pconfig['utype'] = $a_user[$id]['scope'];
99
	$pconfig['uid'] = $a_user[$id]['uid'];
100
	$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
101
	$pconfig['priv'] = $a_user[$id]['priv'];
102
	$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
103
	$pconfig['disabled'] = isset($a_user[$id]['disabled']);
104
}
105
106 43acaa2f Stephen Beaver
if ($_GET['act'] == "deluser") {
107 45ee90ed Matthew Grooms
108 43acaa2f Stephen Beaver
	if (!isset($_GET['username']) || !isset($a_user[$id]) || ($_GET['username'] != $a_user[$id]['name'])) {
109 e33be77c Ermal
		pfSenseHeader("system_usermanager.php");
110
		exit;
111 6b07c15a Matthew Grooms
	}
112
113 01a0385e Phil Davis
	if ($_GET['username'] == $_SESSION['Username']) {
114
		$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $_GET['username']);
115
	} else {
116
		conf_mount_rw();
117
		local_user_del($a_user[$id]);
118
		conf_mount_ro();
119
		$userdeleted = $a_user[$id]['name'];
120
		unset($a_user[$id]);
121
		write_config();
122
		$savemsg = sprintf(gettext("User %s successfully deleted."), $userdeleted);
123
	}
124 d61309a0 Phil Davis
} else if ($act == "new") {
125 e33be77c Ermal
	/*
126
	 * set this value cause the text field is read only
127
	 * and the user should not be able to mess with this
128
	 * setting.
129
	 */
130
	$pconfig['utype'] = "user";
131
	$pconfig['lifetime'] = 3650;
132
}
133 45ee90ed Matthew Grooms
134 64c31615 Stephen Beaver
if (isset($_POST['dellall'])) {
135 4e21c82e bruno
136
	$del_users = $_POST['delete_check'];
137 01a0385e Phil Davis
	$deleted_users = "";
138
	$deleted_count = 0;
139
	$comma = "";
140 4e21c82e bruno
141 73fa304b Phil Davis
	if (!empty($del_users)) {
142
		foreach ($del_users as $userid) {
143 4e21c82e bruno
			if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
144 01a0385e Phil Davis
				if ($a_user[$userid]['name'] == $_SESSION['Username']) {
145
					$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $a_user[$userid]['name']);
146
				} else {
147
					conf_mount_rw();
148
					$deleted_users = $deleted_users . $comma . $a_user[$userid]['name'];
149
					$comma = ", ";
150
					$deleted_count++;
151
					local_user_del($a_user[$userid]);
152
					conf_mount_ro();
153
					unset($a_user[$userid]);
154
				}
155
			} else {
156
				$delete_errors[] = sprintf(gettext("Cannot delete user %s because it is a system user."), $a_user[$userid]['name']);
157 4e21c82e bruno
			}
158
		}
159 01a0385e Phil Davis
160
		if ($deleted_count > 0) {
161
			if ($deleted_count == 1) {
162
				$savemsg = sprintf(gettext("User %s successfully deleted."), $deleted_users);
163
			} else {
164
				$savemsg = sprintf(gettext("Users %s successfully deleted."), $deleted_users);
165
			}
166
			write_config($savemsg);
167
		}
168 4e21c82e bruno
	}
169
}
170
171 98402844 Stephen Beaver
if ($_POST['act'] == "delcert") {
172
173
	if (!$a_user[$id]) {
174
		pfSenseHeader("system_usermanager.php");
175
		exit;
176
	}
177
178
	$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
179
	$certdeleted = $certdeleted['descr'];
180
	unset($a_user[$id]['cert'][$_POST['certid']]);
181
	write_config();
182
	$_POST['act'] = "edit";
183 ed10e389 Phil Davis
	$savemsg = sprintf(gettext("Certificate %s association removed."), $certdeleted);
184 98402844 Stephen Beaver
}
185 64c31615 Stephen Beaver
186 945204b1 Stephen Beaver
if ($_POST['act'] == "delprivid") {
187
	$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
188
	unset($a_user[$id]['priv'][$_POST['privid']]);
189
	local_user_set($a_user[$id]);
190
	write_config();
191
	$_POST['act'] = "edit";
192 ed10e389 Phil Davis
	$savemsg = sprintf(gettext("Privilege %s removed."), $privdeleted);
193 4c879f95 heper
}
194 98402844 Stephen Beaver
195 1a6769a6 Renato Botelho
if ($_POST['save']) {
196 e33be77c Ermal
	unset($input_errors);
197
	$pconfig = $_POST;
198 45ee90ed Matthew Grooms
199 e33be77c Ermal
	/* input validation */
200
	if (isset($id) && ($a_user[$id])) {
201
		$reqdfields = explode(" ", "usernamefld");
202
		$reqdfieldsn = array(gettext("Username"));
203
	} else {
204
		if (empty($_POST['name'])) {
205
			$reqdfields = explode(" ", "usernamefld passwordfld1");
206
			$reqdfieldsn = array(
207
				gettext("Username"),
208
				gettext("Password"));
209 45ee90ed Matthew Grooms
		} else {
210 e33be77c Ermal
			$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
211
			$reqdfieldsn = array(
212
				gettext("Username"),
213
				gettext("Password"),
214
				gettext("Descriptive name"),
215
				gettext("Certificate authority"),
216
				gettext("Key length"),
217
				gettext("Lifetime"));
218 45ee90ed Matthew Grooms
		}
219 e33be77c Ermal
	}
220 45ee90ed Matthew Grooms
221 1e9b4611 Renato Botelho
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
222 45ee90ed Matthew Grooms
223 73fa304b Phil Davis
	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
224 e33be77c Ermal
		$input_errors[] = gettext("The username contains invalid characters.");
225 73fa304b Phil Davis
	}
226 45ee90ed Matthew Grooms
227 73fa304b Phil Davis
	if (strlen($_POST['usernamefld']) > 16) {
228 e33be77c Ermal
		$input_errors[] = gettext("The username is longer than 16 characters.");
229 73fa304b Phil Davis
	}
230 94d455da jim-p
231 73fa304b Phil Davis
	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
232 e33be77c Ermal
		$input_errors[] = gettext("The passwords do not match.");
233 73fa304b Phil Davis
	}
234 45ee90ed Matthew Grooms
235 73fa304b Phil Davis
	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
236 123d8700 Renato Botelho
		$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
237 73fa304b Phil Davis
	}
238 123d8700 Renato Botelho
239 b2267ff9 jim-p
	/* Check the POSTed groups to ensure they are valid and exist */
240
	foreach ($_POST['groups'] as $newgroup) {
241
		if (empty(getGroupEntry($newgroup))) {
242
			$input_errors[] = gettext("One or more invalid groups was submitted.");
243
		}
244
	}
245
246 73fa304b Phil Davis
	if (isset($id) && $a_user[$id]) {
247 e33be77c Ermal
		$oldusername = $a_user[$id]['name'];
248 73fa304b Phil Davis
	} else {
249 e33be77c Ermal
		$oldusername = "";
250 73fa304b Phil Davis
	}
251 e33be77c Ermal
	/* make sure this user name is unique */
252
	if (!$input_errors) {
253
		foreach ($a_user as $userent) {
254
			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
255
				$input_errors[] = gettext("Another entry with the same username already exists.");
256
				break;
257 58664cc9 Scott Ullrich
			}
258 3dec33d4 Erik Fonnesbeck
		}
259 e33be77c Ermal
	}
260
	/* also make sure it is not reserved */
261
	if (!$input_errors) {
262
		$system_users = explode("\n", file_get_contents("/etc/passwd"));
263
		foreach ($system_users as $s_user) {
264
			$ent = explode(":", $s_user);
265
			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
266
				$input_errors[] = gettext("That username is reserved by the system.");
267
				break;
268 8339ab6d jim-p
			}
269 7e4a4513 Scott Ullrich
		}
270 e33be77c Ermal
	}
271 1df17ba9 Scott Ullrich
272 e33be77c Ermal
	/*
273 e30050b6 Phil Davis
	 * Check for a valid expiration date if one is set at all (valid means,
274 4d148b59 Yehuda Katz
	 * DateTime puts out a time stamp so any DateTime compatible time
275 e33be77c Ermal
	 * format may be used. to keep it simple for the enduser, we only
276
	 * claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
277
	 * like "+1 day", which will be converted to MM/DD/YYYY based on "now".
278 e30050b6 Phil Davis
	 * Otherwise such an entry would lead to an invalid expiration data.
279 e33be77c Ermal
	 */
280 73fa304b Phil Davis
	if ($_POST['expires']) {
281 4d148b59 Yehuda Katz
		try {
282
			$expdate = new DateTime($_POST['expires']);
283
			//convert from any DateTime compatible date to MM/DD/YYYY
284
			$_POST['expires'] = $expdate->format("m/d/Y");
285 73fa304b Phil Davis
		} catch (Exception $ex) {
286 e33be77c Ermal
			$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
287 0092b3bd mgrooms
		}
288 e33be77c Ermal
	}
289 0092b3bd mgrooms
290 e33be77c Ermal
	if (!empty($_POST['name'])) {
291
		$ca = lookup_ca($_POST['caref']);
292 73fa304b Phil Davis
		if (!$ca) {
293 4c291f4c Renato Botelho
			$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
294 73fa304b Phil Davis
		}
295 e33be77c Ermal
	}
296 c9794c06 Ermal
297 e33be77c Ermal
	/* if this is an AJAX caller then handle via JSON */
298
	if (isAjax() && is_array($input_errors)) {
299
		input_errors2Ajax($input_errors);
300
		exit;
301
	}
302 64c31615 Stephen Beaver
303 e33be77c Ermal
	if (!$input_errors) {
304 4ee51131 Sjon Hortensius
305 e33be77c Ermal
		conf_mount_rw();
306
		$userent = array();
307 73fa304b Phil Davis
		if (isset($id) && $a_user[$id]) {
308 e33be77c Ermal
			$userent = $a_user[$id];
309 73fa304b Phil Davis
		}
310 e879fc81 Ermal
311 e33be77c Ermal
		isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
312
313
		/* the user name was modified */
314 926e0a2f Phil Davis
		if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
315 e33be77c Ermal
			$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
316 fdcf104c jim-p
			local_user_del($userent);
317
		}
318 1df17ba9 Scott Ullrich
319 e30050b6 Phil Davis
		/* the user password was modified */
320 73fa304b Phil Davis
		if ($_POST['passwordfld1']) {
321 e33be77c Ermal
			local_user_set_password($userent, $_POST['passwordfld1']);
322 73fa304b Phil Davis
		}
323 1df17ba9 Scott Ullrich
324 5cde9005 NewEraCracker
		/* only change description if sent */
325
		if (isset($_POST['descr'])) {
326
			$userent['descr'] = $_POST['descr'];
327
		}
328
329 e33be77c Ermal
		$userent['name'] = $_POST['usernamefld'];
330
		$userent['expires'] = $_POST['expires'];
331
		$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
332
		$userent['ipsecpsk'] = $_POST['ipsecpsk'];
333 3ccb9689 Charlie Marshall
334 73fa304b Phil Davis
		if ($_POST['disabled']) {
335 e33be77c Ermal
			$userent['disabled'] = true;
336 73fa304b Phil Davis
		} else {
337 e33be77c Ermal
			unset($userent['disabled']);
338 73fa304b Phil Davis
		}
339 e33be77c Ermal
340 73fa304b Phil Davis
		if (isset($id) && $a_user[$id]) {
341 e33be77c Ermal
			$a_user[$id] = $userent;
342 73fa304b Phil Davis
		} else {
343 e33be77c Ermal
			if (!empty($_POST['name'])) {
344
				$cert = array();
345
				$cert['refid'] = uniqid();
346 4c291f4c Renato Botelho
				$userent['cert'] = array();
347 e33be77c Ermal
348
				$cert['descr'] = $_POST['name'];
349
350 4c291f4c Renato Botelho
				$subject = cert_get_subject_array($ca['crt']);
351 e33be77c Ermal
352 4c291f4c Renato Botelho
				$dn = array(
353
					'countryName' => $subject[0]['v'],
354
					'stateOrProvinceName' => $subject[1]['v'],
355
					'localityName' => $subject[2]['v'],
356
					'organizationName' => $subject[3]['v'],
357
					'emailAddress' => $subject[4]['v'],
358
					'commonName' => $userent['name']);
359 e33be77c Ermal
360
				cert_create($cert, $_POST['caref'], $_POST['keylen'],
361
					(int)$_POST['lifetime'], $dn);
362
363 73fa304b Phil Davis
				if (!is_array($config['cert'])) {
364 e33be77c Ermal
					$config['cert'] = array();
365 73fa304b Phil Davis
				}
366 e33be77c Ermal
				$config['cert'][] = $cert;
367
				$userent['cert'][] = $cert['refid'];
368
			}
369
			$userent['uid'] = $config['system']['nextuid']++;
370
			/* Add the user to All Users group. */
371
			foreach ($config['system']['group'] as $gidx => $group) {
372
				if ($group['name'] == "all") {
373 73fa304b Phil Davis
					if (!is_array($config['system']['group'][$gidx]['member'])) {
374 e33be77c Ermal
						$config['system']['group'][$gidx]['member'] = array();
375 73fa304b Phil Davis
					}
376 e33be77c Ermal
					$config['system']['group'][$gidx]['member'][] = $userent['uid'];
377
					break;
378
				}
379
			}
380 970db70b Scott Ullrich
381 e33be77c Ermal
			$a_user[] = $userent;
382 45ee90ed Matthew Grooms
		}
383 e33be77c Ermal
384 900ce3b0 jim-p
		/* Add user to groups so PHP can see the memberships properly or else the user's shell account does not get proper permissions (if applicable) See #5152. */
385 d61309a0 Phil Davis
		local_user_set_groups($userent, $_POST['groups']);
386 e33be77c Ermal
		local_user_set($userent);
387 900ce3b0 jim-p
		/* Add user to groups again to ensure they are set everywhere, otherwise the user may not appear to be a member of the group. See commit:5372d26d9d25d751d16865ed9d46869d3b0ec5e1. */
388 73fa304b Phil Davis
		local_user_set_groups($userent, $_POST['groups']);
389 e33be77c Ermal
		write_config();
390
391 73fa304b Phil Davis
		if (is_dir("/etc/inc/privhooks")) {
392 e33be77c Ermal
			run_plugins("/etc/inc/privhooks");
393 73fa304b Phil Davis
		}
394 e33be77c Ermal
395
		conf_mount_ro();
396 3ccb9689 Charlie Marshall
397 e33be77c Ermal
		pfSenseHeader("system_usermanager.php");
398 45ee90ed Matthew Grooms
	}
399 e33be77c Ermal
}
400 fab7ff44 Bill Marquette
401 7411c285 Stephen Beaver
function build_priv_table() {
402
	global $a_user, $id;
403
404
	$privhtml = '<div class="table-responsive">';
405
	$privhtml .=	'<table class="table table-striped table-hover table-condensed">';
406
	$privhtml .=		'<thead>';
407 7d2e572f Stephen Beaver
	$privhtml .=			'<tr>';
408
	$privhtml .=				'<th>' . gettext('Inherited from') . '</th>';
409
	$privhtml .=				'<th>' . gettext('Name') . '</th>';
410
	$privhtml .=				'<th>' . gettext('Description') . '</th>';
411 f460db90 NOYB
	$privhtml .=				'<th>' . gettext('Action') . '</th>';
412 7d2e572f Stephen Beaver
	$privhtml .=			'</tr>';
413 7411c285 Stephen Beaver
	$privhtml .=		'</thead>';
414
	$privhtml .=		'<tbody>';
415
416 945204b1 Stephen Beaver
	$i = 0;
417
418
	foreach (get_user_privdesc($a_user[$id]) as $priv) {
419
		$group = false;
420
		if ($priv['group']) {
421
			$group = $priv['group'];
422
		}
423
424 7411c285 Stephen Beaver
		$privhtml .=		'<tr>';
425
		$privhtml .=			'<td>' . htmlspecialchars($priv['group']) . '</td>';
426
		$privhtml .=			'<td>' . htmlspecialchars($priv['name']) . '</td>';
427
		$privhtml .=			'<td>' . htmlspecialchars($priv['descr']) . '</td>';
428 945204b1 Stephen Beaver
		$privhtml .=			'<td>';
429 d61309a0 Phil Davis
		if (!$group) {
430 f460db90 NOYB
			$privhtml .=			'<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
431 d61309a0 Phil Davis
		}
432 945204b1 Stephen Beaver
433
		$privhtml .=			'</td>';
434 7411c285 Stephen Beaver
		$privhtml .=		'</tr>';
435 945204b1 Stephen Beaver
436 d61309a0 Phil Davis
		if (!$group) {
437 945204b1 Stephen Beaver
			$i++;
438 d61309a0 Phil Davis
		}
439 7411c285 Stephen Beaver
	}
440
441
	$privhtml .=		'</tbody>';
442
	$privhtml .=	'</table>';
443
	$privhtml .= '</div>';
444
445
	$privhtml .= '<nav class="action-buttons">';
446 37676f4e jim-p
	$privhtml .=	'<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
447 7411c285 Stephen Beaver
	$privhtml .= '</nav>';
448
449
	return($privhtml);
450
}
451 98402844 Stephen Beaver
452 7411c285 Stephen Beaver
function build_cert_table() {
453
	global $a_user, $id;
454
455
	$certhtml = '<div class="table-responsive">';
456
	$certhtml .=	'<table class="table table-striped table-hover table-condensed">';
457
	$certhtml .=		'<thead>';
458 7d2e572f Stephen Beaver
	$certhtml .=			'<tr>';
459
	$certhtml .=				'<th>' . gettext('Name') . '</th>';
460
	$certhtml .=				'<th>' . gettext('CA') . '</th>';
461 98402844 Stephen Beaver
	$certhtml .=				'<th></th>';
462 7d2e572f Stephen Beaver
	$certhtml .=			'</tr>';
463 7411c285 Stephen Beaver
	$certhtml .=		'</thead>';
464
	$certhtml .=		'<tbody>';
465
466
	$a_cert = $a_user[$id]['cert'];
467
	if (is_array($a_cert)) {
468
		$i = 0;
469
		foreach ($a_cert as $certref) {
470 7d2e572f Stephen Beaver
			$cert = lookup_cert($certref);
471
			$ca = lookup_ca($cert['caref']);
472
			$revokedstr =	is_cert_revoked($cert) ? '<b> Revoked</b>':'';
473
474 7411c285 Stephen Beaver
			$certhtml .=	'<tr>';
475 7d2e572f Stephen Beaver
			$certhtml .=		'<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
476 7411c285 Stephen Beaver
			$certhtml .=		'<td>' . htmlspecialchars($ca['descr']) . '</td>';
477 db676e5b Stephen Beaver
			$certhtml .=		'<td>';
478 945204b1 Stephen Beaver
			$certhtml .=			'<a id="delcert' . $i .'" class="fa fa-trash no-confirm icon-pointer" title="';
479 f14ff867 Phil Davis
			$certhtml .=			gettext('Remove this certificate association? (Certificate will not be deleted)') . '"></a>';
480 db676e5b Stephen Beaver
			$certhtml .=		'</td>';
481 7411c285 Stephen Beaver
			$certhtml .=	'</tr>';
482 db676e5b Stephen Beaver
			$i++;
483 7411c285 Stephen Beaver
		}
484 db676e5b Stephen Beaver
485 7411c285 Stephen Beaver
	}
486
487
	$certhtml .=		'</tbody>';
488
	$certhtml .=	'</table>';
489
	$certhtml .= '</div>';
490
491
	$certhtml .= '<nav class="action-buttons">';
492 37676f4e jim-p
	$certhtml .=	'<a href="system_certmanager.php?act=new&amp;userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
493 7411c285 Stephen Beaver
	$certhtml .= '</nav>';
494
495
	return($certhtml);
496
}
497
498 8f1ab2a4 k-paulius
$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Users"));
499
500
if ($act == "new" || $act == "edit" || $input_errors) {
501
	$pgtitle[] = gettext('Edit');
502
}
503 e33be77c Ermal
include("head.inc");
504 fab7ff44 Bill Marquette
505 01a0385e Phil Davis
if ($delete_errors) {
506
	print_input_errors($delete_errors);
507
}
508
509 d61309a0 Phil Davis
if ($input_errors) {
510 4ee51131 Sjon Hortensius
	print_input_errors($input_errors);
511 d61309a0 Phil Davis
}
512 98402844 Stephen Beaver
513 d61309a0 Phil Davis
if ($savemsg) {
514 98402844 Stephen Beaver
	print_info_box($savemsg, 'success');
515 d61309a0 Phil Davis
}
516 4ee51131 Sjon Hortensius
517
$tab_array = array();
518
$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
519
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
520
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
521 2d1f33d9 k-paulius
$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
522 4ee51131 Sjon Hortensius
display_top_tabs($tab_array);
523
524 7411c285 Stephen Beaver
if (!($act == "new" || $act == "edit" || $input_errors)) {
525 64600f94 Sjon Hortensius
?>
526 64c31615 Stephen Beaver
<form method="post">
527 060ed238 Stephen Beaver
<div class="panel panel-default">
528
	<div class="panel-heading"><h2 class="panel-title"><?=gettext('Users')?></h2></div>
529
	<div class="panel-body">
530
		<div class="table-responsive">
531
			<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap" data-sortable>
532
				<thead>
533
					<tr>
534
						<th>&nbsp;</th>
535
						<th><?=gettext("Username")?></th>
536
						<th><?=gettext("Full name")?></th>
537
						<th><?=gettext("Disabled")?></th>
538
						<th><?=gettext("Groups")?></th>
539 70dc5cd6 Phil Davis
						<th><?=gettext("Actions")?></th>
540 060ed238 Stephen Beaver
					</tr>
541
				</thead>
542
				<tbody>
543 a0165602 Sjon Hortensius
<?php
544 d61309a0 Phil Davis
foreach ($a_user as $i => $userent):
545 a0165602 Sjon Hortensius
	?>
546 060ed238 Stephen Beaver
					<tr>
547
						<td>
548 01a0385e Phil Davis
							<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=((($userent['scope'] == "system") || ($userent['name'] == $_SESSION['Username'])) ? 'disabled' : '')?>/>
549 060ed238 Stephen Beaver
						</td>
550
						<td>
551 a0165602 Sjon Hortensius
<?php
552 d61309a0 Phil Davis
	if ($userent['scope'] != "user") {
553 a0165602 Sjon Hortensius
		$usrimg = 'eye-open';
554 d61309a0 Phil Davis
	} else {
555 a0165602 Sjon Hortensius
		$usrimg = 'user';
556 d61309a0 Phil Davis
	}
557 a0165602 Sjon Hortensius
?>
558 060ed238 Stephen Beaver
							<i class="fa fa-<?=$usrimg?>"></i>
559
							<?=htmlspecialchars($userent['name'])?>
560
						</td>
561
						<td><?=htmlspecialchars($userent['descr'])?></td>
562
						<td><?php if (isset($userent['disabled'])) echo "*"?></td>
563
						<td><?=implode(",", local_user_get_groups($userent))?></td>
564
						<td>
565
							<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&amp;userid=<?=$i?>"></a>
566 01a0385e Phil Davis
<?php if (($userent['scope'] != "system") && ($userent['name'] != $_SESSION['Username'])): ?>
567 060ed238 Stephen Beaver
							<a class="fa fa-trash"	title="<?=gettext("Delete user")?>" href="?act=deluser&amp;userid=<?=$i?>&amp;username=<?=$userent['name']?>"></a>
568 a0165602 Sjon Hortensius
<?php endif; ?>
569 060ed238 Stephen Beaver
						</td>
570
					</tr>
571 a0165602 Sjon Hortensius
<?php endforeach; ?>
572 060ed238 Stephen Beaver
				</tbody>
573
			</table>
574
		</div>
575
	</div>
576 94404d94 Sander van Leeuwen
</div>
577 c10cb196 Stephen Beaver
<nav class="action-buttons">
578 64c31615 Stephen Beaver
	<a href="?act=new" class="btn btn-sm btn-success">
579 9d5a20cf heper
		<i class="fa fa-plus icon-embed-btn"></i>
580 b921ab63 Stephen Beaver
		<?=gettext("Add")?>
581
	</a>
582 64c31615 Stephen Beaver
583
	<button type="submit" class="btn btn-sm btn-danger" name="dellall" value="dellall" title="<?=gettext('Delete selected users')?>">
584
		<i class="fa fa-trash icon-embed-btn"></i>
585
		<?=gettext("Delete")?>
586
	</button>
587 94404d94 Sander van Leeuwen
</nav>
588 d825dfea NOYB
</form>
589 3c3ede28 Stephen Beaver
<div class="infoblock">
590 a0165602 Sjon Hortensius
<?php
591 a0d084fe k-paulius
	print_callout('<p>' . gettext("Additional users can be added here. User permissions for accessing " .
592
		"the webConfigurator can be assigned directly or inherited from group memberships. " .
593
		"Some system object properties can be modified but they cannot be deleted.") . '</p>' .
594
		'<p>' . gettext("Accounts added here are also used for other parts of the system " .
595
		"such as OpenVPN, IPsec, and Captive Portal.") . '</p>'
596
	);
597 3c3ede28 Stephen Beaver
?></div><?php
598 a0165602 Sjon Hortensius
	include("foot.inc");
599
	exit;
600
}
601 4ee51131 Sjon Hortensius
602
$form = new Form;
603
604 7411c285 Stephen Beaver
if ($act == "new" || $act == "edit" || $input_errors):
605 4ee51131 Sjon Hortensius
606 7411c285 Stephen Beaver
	$form->addGlobal(new Form_Input(
607
		'act',
608
		null,
609
		'hidden',
610
		''
611
	));
612 4ee51131 Sjon Hortensius
613 7411c285 Stephen Beaver
	$form->addGlobal(new Form_Input(
614
		'userid',
615
		null,
616
		'hidden',
617
		isset($id) ? $id:''
618
	));
619 4ee51131 Sjon Hortensius
620 7411c285 Stephen Beaver
	$form->addGlobal(new Form_Input(
621
		'privid',
622
		null,
623
		'hidden',
624
		''
625
	));
626 4ee51131 Sjon Hortensius
627 7411c285 Stephen Beaver
	$form->addGlobal(new Form_Input(
628
		'certid',
629
		null,
630
		'hidden',
631
		''
632
	));
633 4ee51131 Sjon Hortensius
634 7411c285 Stephen Beaver
	$ro = "";
635
	if ($pconfig['utype'] == "system") {
636 c4b60a9a Colin Fleming
		$ro = "readonly";
637 7411c285 Stephen Beaver
	}
638 4ee51131 Sjon Hortensius
639 7411c285 Stephen Beaver
	$section = new Form_Section('User Properties');
640 4ee51131 Sjon Hortensius
641 7411c285 Stephen Beaver
	$section->addInput(new Form_StaticText(
642
		'Defined by',
643
		strtoupper($pconfig['utype'])
644
	));
645 4ee51131 Sjon Hortensius
646 7411c285 Stephen Beaver
	$form->addGlobal(new Form_Input(
647
		'utype',
648
		null,
649
		'hidden',
650
		$pconfig['utype']
651
	));
652 4ee51131 Sjon Hortensius
653 7411c285 Stephen Beaver
	$section->addInput(new Form_Checkbox(
654
		'disabled',
655
		'Disabled',
656
		'This user cannot login',
657
		$pconfig['disabled']
658
	));
659 6b07c15a Matthew Grooms
660 7411c285 Stephen Beaver
	$section->addInput($input = new Form_Input(
661
		'usernamefld',
662
		'Username',
663
		'text',
664
		$pconfig['usernamefld']
665
	));
666 61dec0b0 Renato Botelho
667 d61309a0 Phil Davis
	if ($ro) {
668 1fe9cc38 Stephen Beaver
		$input->setReadonly();
669 d61309a0 Phil Davis
	}
670 7411c285 Stephen Beaver
671
	$form->addGlobal(new Form_Input(
672
		'oldusername',
673 4ee51131 Sjon Hortensius
		null,
674 7411c285 Stephen Beaver
		'hidden',
675
		$pconfig['usernamefld']
676 4ee51131 Sjon Hortensius
	));
677 6b07c15a Matthew Grooms
678 7411c285 Stephen Beaver
	$group = new Form_Group('Password');
679
	$group->add(new Form_Input(
680
		'passwordfld1',
681
		'Password',
682
		'password'
683
	));
684
	$group->add(new Form_Input(
685
		'passwordfld2',
686
		'Confirm Password',
687
		'password'
688
	));
689
690
	$section->add($group);
691
692
	$section->addInput($input = new Form_Input(
693
		'descr',
694
		'Full name',
695
		'text',
696
		htmlspecialchars($pconfig['descr'])
697 89140b63 NOYB
	))->setHelp('User\'s full name, for administrative information only');
698 7411c285 Stephen Beaver
699 d61309a0 Phil Davis
	if ($ro) {
700 7411c285 Stephen Beaver
		$input->setDisabled();
701 d61309a0 Phil Davis
	}
702 7411c285 Stephen Beaver
703
	$section->addInput(new Form_Input(
704
		'expires',
705
		'Expiration date',
706 5ce16fc1 Stephen Beaver
		'text',
707 7411c285 Stephen Beaver
		$pconfig['expires']
708
	))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
709
		'the expiration date');
710
711
	// ==== Group membership ==================================================
712
	$group = new Form_Group('Group membership');
713
714 7d2e572f Stephen Beaver
	// Make a list of all the groups configured on the system, and a list of
715 7411c285 Stephen Beaver
	// those which this user is a member of
716
	$systemGroups = array();
717
	$usersGroups = array();
718
719
	$usergid = [$pconfig['usernamefld']];
720
721
	foreach ($config['system']['group'] as $Ggroup) {
722 d61309a0 Phil Davis
		if ($Ggroup['name'] != "all") {
723
			if (($act == 'edit') && $Ggroup['member'] && in_array($pconfig['uid'], $Ggroup['member'])) {
724 b4333696 Stephen Beaver
				$usersGroups[ $Ggroup['name'] ] = $Ggroup['name'];	// Add it to the user's list
725 d61309a0 Phil Davis
			} else {
726 b4333696 Stephen Beaver
				$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
727 d61309a0 Phil Davis
			}
728 b4333696 Stephen Beaver
		}
729 7411c285 Stephen Beaver
	}
730
731
	$group->add(new Form_Select(
732
		'sysgroups',
733
		null,
734
		array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
735
		$systemGroups,
736
		true
737 953385a3 heper
	))->setHelp('Not member of');
738 6b07c15a Matthew Grooms
739 7411c285 Stephen Beaver
	$group->add(new Form_Select(
740
		'groups',
741
		null,
742
		array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
743
		$usersGroups,
744
		true
745 953385a3 heper
	))->setHelp('Member of');
746 7411c285 Stephen Beaver
747
	$section->add($group);
748
749
	$group = new Form_Group('');
750
751
	$group->add(new Form_Button(
752
		'movetoenabled',
753 faab522f Renato Botelho
		'Move to "Member of" list',
754 37676f4e jim-p
		null,
755
		'fa-angle-double-right'
756 347c0214 Phil Davis
	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
757 7411c285 Stephen Beaver
758
	$group->add(new Form_Button(
759
		'movetodisabled',
760 faab522f Renato Botelho
		'Move to "Not member of" list',
761 37676f4e jim-p
		null,
762
		'fa-angle-double-left'
763 347c0214 Phil Davis
	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
764 4ee51131 Sjon Hortensius
765 48d321ca NewEraCracker
	$group->setHelp('Hold down CTRL (PC)/COMMAND (Mac) key to select multiple items.');
766 7411c285 Stephen Beaver
	$section->add($group);
767 4ee51131 Sjon Hortensius
768 7411c285 Stephen Beaver
	// ==== Button for adding user certificate ================================
769 d61309a0 Phil Davis
	if ($act == 'new') {
770 4ee51131 Sjon Hortensius
		$section->addInput(new Form_Checkbox(
771 7411c285 Stephen Beaver
			'showcert',
772
			'Certificate',
773
			'Click to create a user certificate',
774
			false
775 4ee51131 Sjon Hortensius
		));
776 6b07c15a Matthew Grooms
	}
777
778 7411c285 Stephen Beaver
	$form->add($section);
779 6b07c15a Matthew Grooms
780 7411c285 Stephen Beaver
	// ==== Effective privileges section ======================================
781
	if (isset($pconfig['uid'])) {
782
		// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
783
		// is the best way to make the display we need.
784 6b07c15a Matthew Grooms
785 7411c285 Stephen Beaver
		$section = new Form_Section('Effective Privileges');
786 4ee51131 Sjon Hortensius
787 7411c285 Stephen Beaver
		$section->addInput(new Form_StaticText(
788
			null,
789
			build_priv_table()
790
		));
791 4ee51131 Sjon Hortensius
792 7411c285 Stephen Beaver
		$form->add($section);
793 4ee51131 Sjon Hortensius
794 7411c285 Stephen Beaver
		// ==== Certificate table section =====================================
795 5f88f964 k-paulius
		$section = new Form_Section('User Certificates');
796 7411c285 Stephen Beaver
797
		$section->addInput(new Form_StaticText(
798
			null,
799
			build_cert_table()
800
		));
801 64600f94 Sjon Hortensius
802
		$form->add($section);
803 c9794c06 Ermal
	}
804 7411c285 Stephen Beaver
805 f14ff867 Phil Davis
	// ==== Add user certificate for a new user
806
	if (is_array($config['ca']) && count($config['ca']) > 0) {
807 5f88f964 k-paulius
		$section = new Form_Section('Create Certificate for User');
808 f14ff867 Phil Davis
		$section->addClass('cert-options');
809 c9794c06 Ermal
810 f14ff867 Phil Davis
		$nonPrvCas = array();
811
		foreach($config['ca'] as $ca) {
812
			if (!$ca['prv']) {
813
				continue;
814
			}
815 7411c285 Stephen Beaver
816 f14ff867 Phil Davis
			$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
817
		}
818 7411c285 Stephen Beaver
819 f14ff867 Phil Davis
		if (!empty($nonPrvCas)) {
820
			$section->addInput(new Form_Input(
821
				'name',
822
				'Descriptive name',
823
				'text',
824
				$pconfig['name']
825
			));
826 7411c285 Stephen Beaver
827 f14ff867 Phil Davis
			$section->addInput(new Form_Select(
828
				'caref',
829
				'Certificate authority',
830
				null,
831
				$nonPrvCas
832
			));
833 7411c285 Stephen Beaver
834 f14ff867 Phil Davis
			$section->addInput(new Form_Select(
835
				'keylen',
836
				'Key length',
837
				2048,
838
				array(
839
					512 => '512 bits',
840
					1024 => '1024 bits',
841 bf408592 jim-p
					2048 => '2048 bits',
842 f14ff867 Phil Davis
					4096 => '4096 bits',
843
				)
844
			));
845 7411c285 Stephen Beaver
846 f14ff867 Phil Davis
			$section->addInput(new Form_Input(
847
				'lifetime',
848
				'Lifetime',
849
				'number',
850
				$pconfig['lifetime']
851
			));
852 7411c285 Stephen Beaver
		}
853
854 f14ff867 Phil Davis
		$form->add($section);
855
	}
856
857 7411c285 Stephen Beaver
endif;
858
// ==== Paste a key for the new user
859 4ee51131 Sjon Hortensius
$section = new Form_Section('Keys');
860
861 35e0cd70 Stephen Beaver
$section->addInput(new Form_Checkbox(
862
	'showkey',
863
	'Authorized keys',
864
	'Click to paste an authorized key',
865
	false
866
));
867
868 4ee51131 Sjon Hortensius
$section->addInput(new Form_Textarea(
869
	'authorizedkeys',
870 d1e73829 Stephen Beaver
	'Authorized SSH Keys',
871 4ee51131 Sjon Hortensius
	$pconfig['authorizedkeys']
872 d1e73829 Stephen Beaver
))->setHelp('Enter authorized SSH keys for this user');
873 4ee51131 Sjon Hortensius
874 35e0cd70 Stephen Beaver
$section->addInput(new Form_Input(
875 4ee51131 Sjon Hortensius
	'ipsecpsk',
876
	'IPsec Pre-Shared Key',
877
	'text',
878
	$pconfig['ipsecpsk']
879
));
880
881
$form->add($section);
882 7411c285 Stephen Beaver
883 a0165602 Sjon Hortensius
print $form;
884 7411c285 Stephen Beaver
?>
885 8fd9052f Colin Fleming
<script type="text/javascript">
886 7411c285 Stephen Beaver
//<![CDATA[
887 d61309a0 Phil Davis
events.push(function() {
888 7411c285 Stephen Beaver
889
	// On click . .
890
	$("#movetodisabled").click(function() {
891
		moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
892
	});
893
894
	$("#movetoenabled").click(function() {
895
		moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
896
	});
897
898
	$("#showcert").click(function() {
899
		hideClass('cert-options', !this.checked);
900
	});
901
902
	$("#showkey").click(function() {
903 35e0cd70 Stephen Beaver
		hideInput('authorizedkeys', false);
904
		hideCheckbox('showkey', true);
905 7411c285 Stephen Beaver
	});
906
907 98402844 Stephen Beaver
	$('[id^=delcert]').click(function(event) {
908 d61309a0 Phil Davis
		if (confirm(event.target.title)) {
909 98402844 Stephen Beaver
			$('#certid').val(event.target.id.match(/\d+$/)[0]);
910
			$('#userid').val('<?=$id;?>');
911
			$('#act').val('delcert');
912
			$('form').submit();
913
		}
914
	});
915 945204b1 Stephen Beaver
916 408d0882 heper
	$('[id^=delprivid]').click(function(event) {
917 d61309a0 Phil Davis
		if (confirm(event.target.title)) {
918 4c879f95 heper
			$('#privid').val(event.target.id.match(/\d+$/)[0]);
919 408d0882 heper
			$('#userid').val('<?=$id;?>');
920
			$('#act').val('delprivid');
921
			$('form').submit();
922
		}
923
	});
924 64c31615 Stephen Beaver
925 f11862a3 Stephen Beaver
	$('#expires').datepicker();
926 98402844 Stephen Beaver
927 eef93144 Jared Dillard
	// ---------- On initial page load ------------------------------------------------------------
928
929
	hideClass('cert-options', true);
930
	//hideInput('authorizedkeys', true);
931 d1e73829 Stephen Beaver
	hideCheckbox('showkey', true);
932 7411c285 Stephen Beaver
933
	// On submit mark all the user's groups as "selected"
934 d61309a0 Phil Davis
	$('form').submit(function() {
935 7411c285 Stephen Beaver
		AllServers($('[name="groups[]"] option'), true);
936
	});
937
});
938
//]]>
939
</script>
940
<?php
941 bb1b5c6f heper
include('foot.inc');
942 01a0385e Phil Davis
?>