/src/usr/local/www/system_usermanager.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/usr/local/www/system_usermanager.php @ 8c2b65f8

1	1df17ba9	Scott Ullrich	<?php
2	fab7ff44	Bill Marquette	/*
3	4c291f4c	Renato Botelho	system_usermanager.php
4	fab7ff44	Bill Marquette	*/
5	7d2e572f	Stephen Beaver	/* ====================================================================
6			* Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved.
7			* Copyright (c) 2008 Shrew Soft Inc.
8			* Copyright (c) 2005 Paul Taylor <paultaylor@winn-dixie.com>
9			*
10	cb41dd63	Renato Botelho	* Some or all of this file is based on the m0n0wall project which is
11			* Copyright (c) 2004 Manuel Kasper (BSD 2 clause)
12	191cb31d	Stephen Beaver	*
13	7d2e572f	Stephen Beaver	* Redistribution and use in source and binary forms, with or without modification,
14			* are permitted provided that the following conditions are met:
15			*
16			* 1. Redistributions of source code must retain the above copyright notice,
17			* this list of conditions and the following disclaimer.
18			*
19			* 2. Redistributions in binary form must reproduce the above copyright
20			* notice, this list of conditions and the following disclaimer in
21			* the documentation and/or other materials provided with the
22			* distribution.
23			*
24			* 3. All advertising materials mentioning features or use of this software
25			* must display the following acknowledgment:
26			* "This product includes software developed by the pfSense Project
27			* for use in the pfSense software distribution. (http://www.pfsense.org/).
28			*
29			* 4. The names "pfSense" and "pfSense Project" must not be used to
30			* endorse or promote products derived from this software without
31			* prior written permission. For written permission, please contact
32			* coreteam@pfsense.org.
33			*
34			* 5. Products derived from this software may not be called "pfSense"
35			* nor may "pfSense" appear in their names without prior written
36			* permission of the Electric Sheep Fencing, LLC.
37			*
38			* 6. Redistributions of any form whatsoever must retain the following
39			* acknowledgment:
40			*
41			* "This product includes software developed by the pfSense Project
42			* for use in the pfSense software distribution (http://www.pfsense.org/).
43			*
44			* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
45			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
48			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55			* OF THE POSSIBILITY OF SUCH DAMAGE.
56			*
57			* ====================================================================
58			*
59			*/
60	fab7ff44	Bill Marquette
61	6b07c15a	Matthew Grooms	##\|+PRIV
62			##\|*IDENT=page-system-usermanager
63	5230f468	jim-p	##\|*NAME=System: User Manager
64	6b07c15a	Matthew Grooms	##\|*DESCR=Allow access to the 'System: User Manager' page.
65			##\|MATCH=system_usermanager.php
66			##\|-PRIV
67
68	ead24d63	sullrich	require("certs.inc");
69	fab7ff44	Bill Marquette	require("guiconfig.inc");
70
71	e33be77c	Ermal	// start admin user code
72	73fa304b	Phil Davis	if (isset($_POST['userid']) && is_numericint($_POST['userid'])) {
73	1a6769a6	Renato Botelho	$id = $_POST['userid'];
74	73fa304b	Phil Davis	}
75	1df17ba9	Scott Ullrich
76	7411c285	Stephen Beaver	if (isset($_GET['userid']) && is_numericint($_GET['userid'])) {
77			$id = $_GET['userid'];
78			}
79
80	73fa304b	Phil Davis	if (!isset($config['system']['user']) \|\| !is_array($config['system']['user'])) {
81	e33be77c	Ermal	$config['system']['user'] = array();
82	73fa304b	Phil Davis	}
83	1df17ba9	Scott Ullrich
84	e33be77c	Ermal	$a_user = &$config['system']['user'];
85	7411c285	Stephen Beaver	$act = $_GET['act'];
86	45ee90ed	Matthew Grooms
87	73fa304b	Phil Davis	if (isset($_SERVER['HTTP_REFERER'])) {
88	7c2d0050	Renato Botelho	$referer = $_SERVER['HTTP_REFERER'];
89	73fa304b	Phil Davis	} else {
90	7c2d0050	Renato Botelho	$referer = '/system_usermanager.php';
91	73fa304b	Phil Davis	}
92	7c2d0050	Renato Botelho
93	adacdf5f	jim-p	if (isset($id) && $a_user[$id]) {
94			$pconfig['usernamefld'] = $a_user[$id]['name'];
95			$pconfig['descr'] = $a_user[$id]['descr'];
96			$pconfig['expires'] = $a_user[$id]['expires'];
97			$pconfig['groups'] = local_user_get_groups($a_user[$id]);
98			$pconfig['utype'] = $a_user[$id]['scope'];
99			$pconfig['uid'] = $a_user[$id]['uid'];
100			$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
101			$pconfig['priv'] = $a_user[$id]['priv'];
102			$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
103			$pconfig['disabled'] = isset($a_user[$id]['disabled']);
104			}
105
106	43acaa2f	Stephen Beaver	if ($_GET['act'] == "deluser") {
107	45ee90ed	Matthew Grooms
108	43acaa2f	Stephen Beaver	if (!isset($_GET['username']) \|\| !isset($a_user[$id]) \|\| ($_GET['username'] != $a_user[$id]['name'])) {
109	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
110			exit;
111	6b07c15a	Matthew Grooms	}
112
113	8a0ae97f	Renato Botelho	conf_mount_rw();
114	e33be77c	Ermal	local_user_del($a_user[$id]);
115	8a0ae97f	Renato Botelho	conf_mount_ro();
116	e33be77c	Ermal	$userdeleted = $a_user[$id]['name'];
117			unset($a_user[$id]);
118			write_config();
119	8545adde	k-paulius	$savemsg = sprintf(gettext("User %s successfully deleted."), $userdeleted);
120	d61309a0	Phil Davis	} else if ($act == "new") {
121	e33be77c	Ermal	/*
122			* set this value cause the text field is read only
123			* and the user should not be able to mess with this
124			* setting.
125			*/
126			$pconfig['utype'] = "user";
127			$pconfig['lifetime'] = 3650;
128			}
129	45ee90ed	Matthew Grooms
130	64c31615	Stephen Beaver	if (isset($_POST['dellall'])) {
131	4e21c82e	bruno
132			$del_users = $_POST['delete_check'];
133
134	73fa304b	Phil Davis	if (!empty($del_users)) {
135			foreach ($del_users as $userid) {
136	4e21c82e	bruno	if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
137			conf_mount_rw();
138			local_user_del($a_user[$userid]);
139	64c31615	Stephen Beaver	conf_mount_ro();
140	4e21c82e	bruno	unset($a_user[$userid]);
141			}
142			}
143	8545adde	k-paulius	$savemsg = gettext("Selected users removed successfully.");
144	4e21c82e	bruno	write_config($savemsg);
145			}
146			}
147
148	98402844	Stephen Beaver	if ($_POST['act'] == "delcert") {
149
150			if (!$a_user[$id]) {
151			pfSenseHeader("system_usermanager.php");
152			exit;
153			}
154
155			$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
156			$certdeleted = $certdeleted['descr'];
157			unset($a_user[$id]['cert'][$_POST['certid']]);
158			write_config();
159			$_POST['act'] = "edit";
160	ed10e389	Phil Davis	$savemsg = sprintf(gettext("Certificate %s association removed."), $certdeleted);
161	98402844	Stephen Beaver	}
162	64c31615	Stephen Beaver
163	945204b1	Stephen Beaver	if ($_POST['act'] == "delprivid") {
164			$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
165			unset($a_user[$id]['priv'][$_POST['privid']]);
166			local_user_set($a_user[$id]);
167			write_config();
168			$_POST['act'] = "edit";
169	ed10e389	Phil Davis	$savemsg = sprintf(gettext("Privilege %s removed."), $privdeleted);
170	4c879f95	heper	}
171	98402844	Stephen Beaver
172	1a6769a6	Renato Botelho	if ($_POST['save']) {
173	e33be77c	Ermal	unset($input_errors);
174			$pconfig = $_POST;
175	45ee90ed	Matthew Grooms
176	e33be77c	Ermal	/* input validation */
177			if (isset($id) && ($a_user[$id])) {
178			$reqdfields = explode(" ", "usernamefld");
179			$reqdfieldsn = array(gettext("Username"));
180			} else {
181			if (empty($_POST['name'])) {
182			$reqdfields = explode(" ", "usernamefld passwordfld1");
183			$reqdfieldsn = array(
184			gettext("Username"),
185			gettext("Password"));
186	45ee90ed	Matthew Grooms	} else {
187	e33be77c	Ermal	$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
188			$reqdfieldsn = array(
189			gettext("Username"),
190			gettext("Password"),
191			gettext("Descriptive name"),
192			gettext("Certificate authority"),
193			gettext("Key length"),
194			gettext("Lifetime"));
195	45ee90ed	Matthew Grooms	}
196	e33be77c	Ermal	}
197	45ee90ed	Matthew Grooms
198	1e9b4611	Renato Botelho	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
199	45ee90ed	Matthew Grooms
200	73fa304b	Phil Davis	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
201	e33be77c	Ermal	$input_errors[] = gettext("The username contains invalid characters.");
202	73fa304b	Phil Davis	}
203	45ee90ed	Matthew Grooms
204	73fa304b	Phil Davis	if (strlen($_POST['usernamefld']) > 16) {
205	e33be77c	Ermal	$input_errors[] = gettext("The username is longer than 16 characters.");
206	73fa304b	Phil Davis	}
207	94d455da	jim-p
208	73fa304b	Phil Davis	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
209	e33be77c	Ermal	$input_errors[] = gettext("The passwords do not match.");
210	73fa304b	Phil Davis	}
211	45ee90ed	Matthew Grooms
212	73fa304b	Phil Davis	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
213	123d8700	Renato Botelho	$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
214	73fa304b	Phil Davis	}
215	123d8700	Renato Botelho
216	6314397f	jim-p	/* Check the POSTed groups to ensure they are valid and exist */
217			foreach ($_POST['groups'] as $newgroup) {
218			if (empty(getGroupEntry($newgroup))) {
219			$input_errors[] = gettext("One or more invalid groups was submitted.");
220			}
221			}
222
223	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
224	e33be77c	Ermal	$oldusername = $a_user[$id]['name'];
225	73fa304b	Phil Davis	} else {
226	e33be77c	Ermal	$oldusername = "";
227	73fa304b	Phil Davis	}
228	e33be77c	Ermal	/* make sure this user name is unique */
229			if (!$input_errors) {
230			foreach ($a_user as $userent) {
231			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
232			$input_errors[] = gettext("Another entry with the same username already exists.");
233			break;
234	58664cc9	Scott Ullrich	}
235	3dec33d4	Erik Fonnesbeck	}
236	e33be77c	Ermal	}
237			/* also make sure it is not reserved */
238			if (!$input_errors) {
239			$system_users = explode("\n", file_get_contents("/etc/passwd"));
240			foreach ($system_users as $s_user) {
241			$ent = explode(":", $s_user);
242			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
243			$input_errors[] = gettext("That username is reserved by the system.");
244			break;
245	8339ab6d	jim-p	}
246	7e4a4513	Scott Ullrich	}
247	e33be77c	Ermal	}
248	1df17ba9	Scott Ullrich
249	e33be77c	Ermal	/*
250	e30050b6	Phil Davis	* Check for a valid expiration date if one is set at all (valid means,
251	4d148b59	Yehuda Katz	* DateTime puts out a time stamp so any DateTime compatible time
252	e33be77c	Ermal	* format may be used. to keep it simple for the enduser, we only
253			* claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
254			* like "+1 day", which will be converted to MM/DD/YYYY based on "now".
255	e30050b6	Phil Davis	* Otherwise such an entry would lead to an invalid expiration data.
256	e33be77c	Ermal	*/
257	73fa304b	Phil Davis	if ($_POST['expires']) {
258	4d148b59	Yehuda Katz	try {
259			$expdate = new DateTime($_POST['expires']);
260			//convert from any DateTime compatible date to MM/DD/YYYY
261			$_POST['expires'] = $expdate->format("m/d/Y");
262	73fa304b	Phil Davis	} catch (Exception $ex) {
263	e33be77c	Ermal	$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
264	0092b3bd	mgrooms	}
265	e33be77c	Ermal	}
266	0092b3bd	mgrooms
267	e33be77c	Ermal	if (!empty($_POST['name'])) {
268			$ca = lookup_ca($_POST['caref']);
269	73fa304b	Phil Davis	if (!$ca) {
270	4c291f4c	Renato Botelho	$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
271	73fa304b	Phil Davis	}
272	e33be77c	Ermal	}
273	c9794c06	Ermal
274	e33be77c	Ermal	/* if this is an AJAX caller then handle via JSON */
275			if (isAjax() && is_array($input_errors)) {
276			input_errors2Ajax($input_errors);
277			exit;
278			}
279	64c31615	Stephen Beaver
280	e33be77c	Ermal	if (!$input_errors) {
281	4ee51131	Sjon Hortensius
282	e33be77c	Ermal	conf_mount_rw();
283			$userent = array();
284	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
285	e33be77c	Ermal	$userent = $a_user[$id];
286	73fa304b	Phil Davis	}
287	e879fc81	Ermal
288	e33be77c	Ermal	isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
289
290			/* the user name was modified */
291	926e0a2f	Phil Davis	if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
292	e33be77c	Ermal	$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
293	fdcf104c	jim-p	local_user_del($userent);
294			}
295	1df17ba9	Scott Ullrich
296	e30050b6	Phil Davis	/* the user password was modified */
297	73fa304b	Phil Davis	if ($_POST['passwordfld1']) {
298	e33be77c	Ermal	local_user_set_password($userent, $_POST['passwordfld1']);
299	73fa304b	Phil Davis	}
300	1df17ba9	Scott Ullrich
301	5cde9005	NewEraCracker	/* only change description if sent */
302			if (isset($_POST['descr'])) {
303			$userent['descr'] = $_POST['descr'];
304			}
305
306	e33be77c	Ermal	$userent['name'] = $_POST['usernamefld'];
307			$userent['expires'] = $_POST['expires'];
308			$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
309			$userent['ipsecpsk'] = $_POST['ipsecpsk'];
310	3ccb9689	Charlie Marshall
311	73fa304b	Phil Davis	if ($_POST['disabled']) {
312	e33be77c	Ermal	$userent['disabled'] = true;
313	73fa304b	Phil Davis	} else {
314	e33be77c	Ermal	unset($userent['disabled']);
315	73fa304b	Phil Davis	}
316	e33be77c	Ermal
317	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
318	e33be77c	Ermal	$a_user[$id] = $userent;
319	73fa304b	Phil Davis	} else {
320	e33be77c	Ermal	if (!empty($_POST['name'])) {
321			$cert = array();
322			$cert['refid'] = uniqid();
323	4c291f4c	Renato Botelho	$userent['cert'] = array();
324	e33be77c	Ermal
325			$cert['descr'] = $_POST['name'];
326
327	4c291f4c	Renato Botelho	$subject = cert_get_subject_array($ca['crt']);
328	e33be77c	Ermal
329	4c291f4c	Renato Botelho	$dn = array(
330			'countryName' => $subject[0]['v'],
331			'stateOrProvinceName' => $subject[1]['v'],
332			'localityName' => $subject[2]['v'],
333			'organizationName' => $subject[3]['v'],
334			'emailAddress' => $subject[4]['v'],
335			'commonName' => $userent['name']);
336	e33be77c	Ermal
337			cert_create($cert, $_POST['caref'], $_POST['keylen'],
338			(int)$_POST['lifetime'], $dn);
339
340	73fa304b	Phil Davis	if (!is_array($config['cert'])) {
341	e33be77c	Ermal	$config['cert'] = array();
342	73fa304b	Phil Davis	}
343	e33be77c	Ermal	$config['cert'][] = $cert;
344			$userent['cert'][] = $cert['refid'];
345			}
346			$userent['uid'] = $config['system']['nextuid']++;
347			/* Add the user to All Users group. */
348			foreach ($config['system']['group'] as $gidx => $group) {
349			if ($group['name'] == "all") {
350	73fa304b	Phil Davis	if (!is_array($config['system']['group'][$gidx]['member'])) {
351	e33be77c	Ermal	$config['system']['group'][$gidx]['member'] = array();
352	73fa304b	Phil Davis	}
353	e33be77c	Ermal	$config['system']['group'][$gidx]['member'][] = $userent['uid'];
354			break;
355			}
356			}
357	970db70b	Scott Ullrich
358	e33be77c	Ermal	$a_user[] = $userent;
359	45ee90ed	Matthew Grooms	}
360	e33be77c	Ermal
361	900ce3b0	jim-p	/* Add user to groups so PHP can see the memberships properly or else the user's shell account does not get proper permissions (if applicable) See #5152. */
362	d61309a0	Phil Davis	local_user_set_groups($userent, $_POST['groups']);
363	e33be77c	Ermal	local_user_set($userent);
364	900ce3b0	jim-p	/* Add user to groups again to ensure they are set everywhere, otherwise the user may not appear to be a member of the group. See commit:5372d26d9d25d751d16865ed9d46869d3b0ec5e1. */
365	73fa304b	Phil Davis	local_user_set_groups($userent, $_POST['groups']);
366	e33be77c	Ermal	write_config();
367
368	73fa304b	Phil Davis	if (is_dir("/etc/inc/privhooks")) {
369	e33be77c	Ermal	run_plugins("/etc/inc/privhooks");
370	73fa304b	Phil Davis	}
371	e33be77c	Ermal
372			conf_mount_ro();
373	3ccb9689	Charlie Marshall
374	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
375	45ee90ed	Matthew Grooms	}
376	e33be77c	Ermal	}
377	fab7ff44	Bill Marquette
378	7411c285	Stephen Beaver	function build_priv_table() {
379			global $a_user, $id;
380
381			$privhtml = '<div class="table-responsive">';
382			$privhtml .= '<table class="table table-striped table-hover table-condensed">';
383			$privhtml .= '<thead>';
384	7d2e572f	Stephen Beaver	$privhtml .= '<tr>';
385			$privhtml .= '<th>' . gettext('Inherited from') . '</th>';
386			$privhtml .= '<th>' . gettext('Name') . '</th>';
387			$privhtml .= '<th>' . gettext('Description') . '</th>';
388	f460db90	NOYB	$privhtml .= '<th>' . gettext('Action') . '</th>';
389	7d2e572f	Stephen Beaver	$privhtml .= '</tr>';
390	7411c285	Stephen Beaver	$privhtml .= '</thead>';
391			$privhtml .= '<tbody>';
392
393	945204b1	Stephen Beaver	$i = 0;
394
395			foreach (get_user_privdesc($a_user[$id]) as $priv) {
396			$group = false;
397			if ($priv['group']) {
398			$group = $priv['group'];
399			}
400
401	7411c285	Stephen Beaver	$privhtml .= '<tr>';
402			$privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>';
403			$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
404			$privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>';
405	945204b1	Stephen Beaver	$privhtml .= '<td>';
406	d61309a0	Phil Davis	if (!$group) {
407	f460db90	NOYB	$privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
408	d61309a0	Phil Davis	}
409	945204b1	Stephen Beaver
410			$privhtml .= '</td>';
411	7411c285	Stephen Beaver	$privhtml .= '</tr>';
412	945204b1	Stephen Beaver
413	d61309a0	Phil Davis	if (!$group) {
414	945204b1	Stephen Beaver	$i++;
415	d61309a0	Phil Davis	}
416	7411c285	Stephen Beaver	}
417
418			$privhtml .= '</tbody>';
419			$privhtml .= '</table>';
420			$privhtml .= '</div>';
421
422			$privhtml .= '<nav class="action-buttons">';
423	37676f4e	jim-p	$privhtml .= '<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
424	7411c285	Stephen Beaver	$privhtml .= '</nav>';
425
426			return($privhtml);
427			}
428	98402844	Stephen Beaver
429	7411c285	Stephen Beaver	function build_cert_table() {
430			global $a_user, $id;
431
432			$certhtml = '<div class="table-responsive">';
433			$certhtml .= '<table class="table table-striped table-hover table-condensed">';
434			$certhtml .= '<thead>';
435	7d2e572f	Stephen Beaver	$certhtml .= '<tr>';
436			$certhtml .= '<th>' . gettext('Name') . '</th>';
437			$certhtml .= '<th>' . gettext('CA') . '</th>';
438	98402844	Stephen Beaver	$certhtml .= '<th></th>';
439	7d2e572f	Stephen Beaver	$certhtml .= '</tr>';
440	7411c285	Stephen Beaver	$certhtml .= '</thead>';
441			$certhtml .= '<tbody>';
442
443			$a_cert = $a_user[$id]['cert'];
444			if (is_array($a_cert)) {
445			$i = 0;
446			foreach ($a_cert as $certref) {
447	7d2e572f	Stephen Beaver	$cert = lookup_cert($certref);
448			$ca = lookup_ca($cert['caref']);
449			$revokedstr = is_cert_revoked($cert) ? '<b> Revoked</b>':'';
450
451	7411c285	Stephen Beaver	$certhtml .= '<tr>';
452	7d2e572f	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
453	7411c285	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($ca['descr']) . '</td>';
454	db676e5b	Stephen Beaver	$certhtml .= '<td>';
455	945204b1	Stephen Beaver	$certhtml .= '<a id="delcert' . $i .'" class="fa fa-trash no-confirm icon-pointer" title="';
456	f14ff867	Phil Davis	$certhtml .= gettext('Remove this certificate association? (Certificate will not be deleted)') . '"></a>';
457	db676e5b	Stephen Beaver	$certhtml .= '</td>';
458	7411c285	Stephen Beaver	$certhtml .= '</tr>';
459	db676e5b	Stephen Beaver	$i++;
460	7411c285	Stephen Beaver	}
461	db676e5b	Stephen Beaver
462	7411c285	Stephen Beaver	}
463
464			$certhtml .= '</tbody>';
465			$certhtml .= '</table>';
466			$certhtml .= '</div>';
467
468			$certhtml .= '<nav class="action-buttons">';
469	37676f4e	jim-p	$certhtml .= '<a href="system_certmanager.php?act=new&userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
470	7411c285	Stephen Beaver	$certhtml .= '</nav>';
471
472			return($certhtml);
473			}
474
475	8f1ab2a4	k-paulius	$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Users"));
476
477			if ($act == "new" \|\| $act == "edit" \|\| $input_errors) {
478			$pgtitle[] = gettext('Edit');
479			}
480	e33be77c	Ermal	include("head.inc");
481	fab7ff44	Bill Marquette
482	d61309a0	Phil Davis	if ($input_errors) {
483	4ee51131	Sjon Hortensius	print_input_errors($input_errors);
484	d61309a0	Phil Davis	}
485	98402844	Stephen Beaver
486	d61309a0	Phil Davis	if ($savemsg) {
487	98402844	Stephen Beaver	print_info_box($savemsg, 'success');
488	d61309a0	Phil Davis	}
489	4ee51131	Sjon Hortensius
490			$tab_array = array();
491			$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
492			$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
493			$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
494	2d1f33d9	k-paulius	$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
495	4ee51131	Sjon Hortensius	display_top_tabs($tab_array);
496
497	7411c285	Stephen Beaver	if (!($act == "new" \|\| $act == "edit" \|\| $input_errors)) {
498	64600f94	Sjon Hortensius	?>
499	64c31615	Stephen Beaver	<form method="post">
500	060ed238	Stephen Beaver	<div class="panel panel-default">
501			<div class="panel-heading"><h2 class="panel-title"><?=gettext('Users')?></h2></div>
502			<div class="panel-body">
503			<div class="table-responsive">
504			<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap" data-sortable>
505			<thead>
506			<tr>
507			<th> </th>
508			<th><?=gettext("Username")?></th>
509			<th><?=gettext("Full name")?></th>
510			<th><?=gettext("Disabled")?></th>
511			<th><?=gettext("Groups")?></th>
512	70dc5cd6	Phil Davis	<th><?=gettext("Actions")?></th>
513	060ed238	Stephen Beaver	</tr>
514			</thead>
515			<tbody>
516	a0165602	Sjon Hortensius	<?php
517	d61309a0	Phil Davis	foreach ($a_user as $i => $userent):
518	a0165602	Sjon Hortensius	?>
519	060ed238	Stephen Beaver	<tr>
520			<td>
521			<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=($userent['scope'] == "system" ? 'disabled' : '')?>/>
522			</td>
523			<td>
524	a0165602	Sjon Hortensius	<?php
525	d61309a0	Phil Davis	if ($userent['scope'] != "user") {
526	a0165602	Sjon Hortensius	$usrimg = 'eye-open';
527	d61309a0	Phil Davis	} else {
528	a0165602	Sjon Hortensius	$usrimg = 'user';
529	d61309a0	Phil Davis	}
530	a0165602	Sjon Hortensius	?>
531	060ed238	Stephen Beaver	<i class="fa fa-<?=$usrimg?>"></i>
532			<?=htmlspecialchars($userent['name'])?>
533			</td>
534			<td><?=htmlspecialchars($userent['descr'])?></td>
535			<td><?php if (isset($userent['disabled'])) echo "*"?></td>
536			<td><?=implode(",", local_user_get_groups($userent))?></td>
537			<td>
538			<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&userid=<?=$i?>"></a>
539	d61309a0	Phil Davis	<?php if ($userent['scope'] != "system"): ?>
540	060ed238	Stephen Beaver	<a class="fa fa-trash" title="<?=gettext("Delete user")?>" href="?act=deluser&userid=<?=$i?>&username=<?=$userent['name']?>"></a>
541	a0165602	Sjon Hortensius	<?php endif; ?>
542	060ed238	Stephen Beaver	</td>
543			</tr>
544	a0165602	Sjon Hortensius	<?php endforeach; ?>
545	060ed238	Stephen Beaver	</tbody>
546			</table>
547			</div>
548			</div>
549	94404d94	Sander van Leeuwen	</div>
550	c10cb196	Stephen Beaver	<nav class="action-buttons">
551	64c31615	Stephen Beaver	<a href="?act=new" class="btn btn-sm btn-success">
552	9d5a20cf	heper	<i class="fa fa-plus icon-embed-btn"></i>
553	b921ab63	Stephen Beaver	<?=gettext("Add")?>
554			</a>
555	64c31615	Stephen Beaver
556			<button type="submit" class="btn btn-sm btn-danger" name="dellall" value="dellall" title="<?=gettext('Delete selected users')?>">
557			<i class="fa fa-trash icon-embed-btn"></i>
558			<?=gettext("Delete")?>
559			</button>
560	94404d94	Sander van Leeuwen	</nav>
561	d825dfea	NOYB	</form>
562	3c3ede28	Stephen Beaver	<div class="infoblock">
563	a0165602	Sjon Hortensius	<?php
564	a0d084fe	k-paulius	print_callout('<p>' . gettext("Additional users can be added here. User permissions for accessing " .
565			"the webConfigurator can be assigned directly or inherited from group memberships. " .
566			"Some system object properties can be modified but they cannot be deleted.") . '</p>' .
567			'<p>' . gettext("Accounts added here are also used for other parts of the system " .
568			"such as OpenVPN, IPsec, and Captive Portal.") . '</p>'
569			);
570	3c3ede28	Stephen Beaver	?></div><?php
571	a0165602	Sjon Hortensius	include("foot.inc");
572			exit;
573			}
574	4ee51131	Sjon Hortensius
575			$form = new Form;
576
577	7411c285	Stephen Beaver	if ($act == "new" \|\| $act == "edit" \|\| $input_errors):
578	4ee51131	Sjon Hortensius
579	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
580			'act',
581			null,
582			'hidden',
583			''
584			));
585	4ee51131	Sjon Hortensius
586	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
587			'userid',
588			null,
589			'hidden',
590			isset($id) ? $id:''
591			));
592	4ee51131	Sjon Hortensius
593	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
594			'privid',
595			null,
596			'hidden',
597			''
598			));
599	4ee51131	Sjon Hortensius
600	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
601			'certid',
602			null,
603			'hidden',
604			''
605			));
606	4ee51131	Sjon Hortensius
607	7411c285	Stephen Beaver	$ro = "";
608			if ($pconfig['utype'] == "system") {
609	c4b60a9a	Colin Fleming	$ro = "readonly";
610	7411c285	Stephen Beaver	}
611	4ee51131	Sjon Hortensius
612	7411c285	Stephen Beaver	$section = new Form_Section('User Properties');
613	4ee51131	Sjon Hortensius
614	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
615			'Defined by',
616			strtoupper($pconfig['utype'])
617			));
618	4ee51131	Sjon Hortensius
619	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
620			'utype',
621			null,
622			'hidden',
623			$pconfig['utype']
624			));
625	4ee51131	Sjon Hortensius
626	7411c285	Stephen Beaver	$section->addInput(new Form_Checkbox(
627			'disabled',
628			'Disabled',
629			'This user cannot login',
630			$pconfig['disabled']
631			));
632	6b07c15a	Matthew Grooms
633	7411c285	Stephen Beaver	$section->addInput($input = new Form_Input(
634			'usernamefld',
635			'Username',
636			'text',
637			$pconfig['usernamefld']
638			));
639	61dec0b0	Renato Botelho
640	d61309a0	Phil Davis	if ($ro) {
641	1fe9cc38	Stephen Beaver	$input->setReadonly();
642	d61309a0	Phil Davis	}
643	7411c285	Stephen Beaver
644			$form->addGlobal(new Form_Input(
645			'oldusername',
646	4ee51131	Sjon Hortensius	null,
647	7411c285	Stephen Beaver	'hidden',
648			$pconfig['usernamefld']
649	4ee51131	Sjon Hortensius	));
650	6b07c15a	Matthew Grooms
651	7411c285	Stephen Beaver	$group = new Form_Group('Password');
652			$group->add(new Form_Input(
653			'passwordfld1',
654			'Password',
655			'password'
656			));
657			$group->add(new Form_Input(
658			'passwordfld2',
659			'Confirm Password',
660			'password'
661			));
662
663			$section->add($group);
664
665			$section->addInput($input = new Form_Input(
666			'descr',
667			'Full name',
668			'text',
669			htmlspecialchars($pconfig['descr'])
670	89140b63	NOYB	))->setHelp('User\'s full name, for administrative information only');
671	7411c285	Stephen Beaver
672	d61309a0	Phil Davis	if ($ro) {
673	7411c285	Stephen Beaver	$input->setDisabled();
674	d61309a0	Phil Davis	}
675	7411c285	Stephen Beaver
676			$section->addInput(new Form_Input(
677			'expires',
678			'Expiration date',
679			'date',
680			$pconfig['expires']
681			))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
682			'the expiration date');
683
684			// ==== Group membership ==================================================
685			$group = new Form_Group('Group membership');
686
687	7d2e572f	Stephen Beaver	// Make a list of all the groups configured on the system, and a list of
688	7411c285	Stephen Beaver	// those which this user is a member of
689			$systemGroups = array();
690			$usersGroups = array();
691
692			$usergid = [$pconfig['usernamefld']];
693
694			foreach ($config['system']['group'] as $Ggroup) {
695	d61309a0	Phil Davis	if ($Ggroup['name'] != "all") {
696			if (($act == 'edit') && $Ggroup['member'] && in_array($pconfig['uid'], $Ggroup['member'])) {
697	b4333696	Stephen Beaver	$usersGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the user's list
698	d61309a0	Phil Davis	} else {
699	b4333696	Stephen Beaver	$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
700	d61309a0	Phil Davis	}
701	b4333696	Stephen Beaver	}
702	7411c285	Stephen Beaver	}
703
704			$group->add(new Form_Select(
705			'sysgroups',
706			null,
707			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
708			$systemGroups,
709			true
710	953385a3	heper	))->setHelp('Not member of');
711	6b07c15a	Matthew Grooms
712	7411c285	Stephen Beaver	$group->add(new Form_Select(
713			'groups',
714			null,
715			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
716			$usersGroups,
717			true
718	953385a3	heper	))->setHelp('Member of');
719	7411c285	Stephen Beaver
720			$section->add($group);
721
722			$group = new Form_Group('');
723
724			$group->add(new Form_Button(
725			'movetoenabled',
726	faab522f	Renato Botelho	'Move to "Member of" list',
727	37676f4e	jim-p	null,
728			'fa-angle-double-right'
729	347c0214	Phil Davis	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
730	7411c285	Stephen Beaver
731			$group->add(new Form_Button(
732			'movetodisabled',
733	faab522f	Renato Botelho	'Move to "Not member of" list',
734	37676f4e	jim-p	null,
735			'fa-angle-double-left'
736	347c0214	Phil Davis	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
737	4ee51131	Sjon Hortensius
738	48d321ca	NewEraCracker	$group->setHelp('Hold down CTRL (PC)/COMMAND (Mac) key to select multiple items.');
739	7411c285	Stephen Beaver	$section->add($group);
740	4ee51131	Sjon Hortensius
741	7411c285	Stephen Beaver	// ==== Button for adding user certificate ================================
742	d61309a0	Phil Davis	if ($act == 'new') {
743	4ee51131	Sjon Hortensius	$section->addInput(new Form_Checkbox(
744	7411c285	Stephen Beaver	'showcert',
745			'Certificate',
746			'Click to create a user certificate',
747			false
748	4ee51131	Sjon Hortensius	));
749	6b07c15a	Matthew Grooms	}
750
751	7411c285	Stephen Beaver	$form->add($section);
752	6b07c15a	Matthew Grooms
753	7411c285	Stephen Beaver	// ==== Effective privileges section ======================================
754			if (isset($pconfig['uid'])) {
755			// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
756			// is the best way to make the display we need.
757	6b07c15a	Matthew Grooms
758	7411c285	Stephen Beaver	$section = new Form_Section('Effective Privileges');
759	4ee51131	Sjon Hortensius
760	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
761			null,
762			build_priv_table()
763			));
764	4ee51131	Sjon Hortensius
765	7411c285	Stephen Beaver	$form->add($section);
766	4ee51131	Sjon Hortensius
767	7411c285	Stephen Beaver	// ==== Certificate table section =====================================
768	5f88f964	k-paulius	$section = new Form_Section('User Certificates');
769	7411c285	Stephen Beaver
770			$section->addInput(new Form_StaticText(
771			null,
772			build_cert_table()
773			));
774	64600f94	Sjon Hortensius
775			$form->add($section);
776	c9794c06	Ermal	}
777	7411c285	Stephen Beaver
778	f14ff867	Phil Davis	// ==== Add user certificate for a new user
779			if (is_array($config['ca']) && count($config['ca']) > 0) {
780	5f88f964	k-paulius	$section = new Form_Section('Create Certificate for User');
781	f14ff867	Phil Davis	$section->addClass('cert-options');
782	c9794c06	Ermal
783	f14ff867	Phil Davis	$nonPrvCas = array();
784			foreach($config['ca'] as $ca) {
785			if (!$ca['prv']) {
786			continue;
787			}
788	7411c285	Stephen Beaver
789	f14ff867	Phil Davis	$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
790			}
791	7411c285	Stephen Beaver
792	f14ff867	Phil Davis	if (!empty($nonPrvCas)) {
793			$section->addInput(new Form_Input(
794			'name',
795			'Descriptive name',
796			'text',
797			$pconfig['name']
798			));
799	7411c285	Stephen Beaver
800	f14ff867	Phil Davis	$section->addInput(new Form_Select(
801			'caref',
802			'Certificate authority',
803			null,
804			$nonPrvCas
805			));
806	7411c285	Stephen Beaver
807	f14ff867	Phil Davis	$section->addInput(new Form_Select(
808			'keylen',
809			'Key length',
810			2048,
811			array(
812			512 => '512 bits',
813			1024 => '1024 bits',
814	bf408592	jim-p	2048 => '2048 bits',
815	f14ff867	Phil Davis	4096 => '4096 bits',
816			)
817			));
818	7411c285	Stephen Beaver
819	f14ff867	Phil Davis	$section->addInput(new Form_Input(
820			'lifetime',
821			'Lifetime',
822			'number',
823			$pconfig['lifetime']
824			));
825	7411c285	Stephen Beaver	}
826
827	f14ff867	Phil Davis	$form->add($section);
828			}
829
830	7411c285	Stephen Beaver	endif;
831			// ==== Paste a key for the new user
832	4ee51131	Sjon Hortensius	$section = new Form_Section('Keys');
833
834	35e0cd70	Stephen Beaver	$section->addInput(new Form_Checkbox(
835			'showkey',
836			'Authorized keys',
837			'Click to paste an authorized key',
838			false
839			));
840
841	4ee51131	Sjon Hortensius	$section->addInput(new Form_Textarea(
842			'authorizedkeys',
843	d1e73829	Stephen Beaver	'Authorized SSH Keys',
844	4ee51131	Sjon Hortensius	$pconfig['authorizedkeys']
845	d1e73829	Stephen Beaver	))->setHelp('Enter authorized SSH keys for this user');
846	4ee51131	Sjon Hortensius
847	35e0cd70	Stephen Beaver	$section->addInput(new Form_Input(
848	4ee51131	Sjon Hortensius	'ipsecpsk',
849			'IPsec Pre-Shared Key',
850			'text',
851			$pconfig['ipsecpsk']
852			));
853
854			$form->add($section);
855	7411c285	Stephen Beaver
856	a0165602	Sjon Hortensius	print $form;
857	7411c285	Stephen Beaver	?>
858	8fd9052f	Colin Fleming	<script type="text/javascript">
859	7411c285	Stephen Beaver	//<![CDATA[
860	d61309a0	Phil Davis	events.push(function() {
861	7411c285	Stephen Beaver
862			// On click . .
863			$("#movetodisabled").click(function() {
864			moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
865			});
866
867			$("#movetoenabled").click(function() {
868			moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
869			});
870
871			$("#showcert").click(function() {
872			hideClass('cert-options', !this.checked);
873			});
874
875			$("#showkey").click(function() {
876	35e0cd70	Stephen Beaver	hideInput('authorizedkeys', false);
877			hideCheckbox('showkey', true);
878	7411c285	Stephen Beaver	});
879
880	98402844	Stephen Beaver	$('[id^=delcert]').click(function(event) {
881	d61309a0	Phil Davis	if (confirm(event.target.title)) {
882	98402844	Stephen Beaver	$('#certid').val(event.target.id.match(/\d+$/)[0]);
883			$('#userid').val('<?=$id;?>');
884			$('#act').val('delcert');
885			$('form').submit();
886			}
887			});
888	945204b1	Stephen Beaver
889	408d0882	heper	$('[id^=delprivid]').click(function(event) {
890	d61309a0	Phil Davis	if (confirm(event.target.title)) {
891	4c879f95	heper	$('#privid').val(event.target.id.match(/\d+$/)[0]);
892	408d0882	heper	$('#userid').val('<?=$id;?>');
893			$('#act').val('delprivid');
894			$('form').submit();
895			}
896			});
897	64c31615	Stephen Beaver
898	98402844	Stephen Beaver
899	eef93144	Jared Dillard	// ---------- On initial page load ------------------------------------------------------------
900
901			hideClass('cert-options', true);
902			//hideInput('authorizedkeys', true);
903	d1e73829	Stephen Beaver	hideCheckbox('showkey', true);
904	7411c285	Stephen Beaver
905			// On submit mark all the user's groups as "selected"
906	d61309a0	Phil Davis	$('form').submit(function() {
907	7411c285	Stephen Beaver	AllServers($('[name="groups[]"] option'), true);
908			});
909			});
910			//]]>
911			</script>
912			<?php
913	bb1b5c6f	heper	include('foot.inc');
914	d825dfea	NOYB	?>

Project

General

Profile

pfSense