/src/usr/local/www/system_usermanager.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/usr/local/www/system_usermanager.php @ a69f79bd

1	1df17ba9	Scott Ullrich	<?php
2	fab7ff44	Bill Marquette	/*
3	c5d81585	Renato Botelho	* system_usermanager.php
4	7d2e572f	Stephen Beaver	*
5	c5d81585	Renato Botelho	* part of pfSense (https://www.pfsense.org)
6	38809d47	Renato Botelho do Couto	* Copyright (c) 2004-2013 BSD Perimeter
7			* Copyright (c) 2013-2016 Electric Sheep Fencing
8	8f585441	Luiz Souza	* Copyright (c) 2014-2021 Rubicon Communications, LLC (Netgate)
9	c5d81585	Renato Botelho	* Copyright (c) 2008 Shrew Soft Inc.
10			* Copyright (c) 2005 Paul Taylor <paultaylor@winn-dixie.com>
11			* All rights reserved.
12	191cb31d	Stephen Beaver	*
13	c5d81585	Renato Botelho	* originally based on m0n0wall (http://m0n0.ch/wall)
14			* Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>.
15			* All rights reserved.
16	7d2e572f	Stephen Beaver	*
17	b12ea3fb	Renato Botelho	* Licensed under the Apache License, Version 2.0 (the "License");
18			* you may not use this file except in compliance with the License.
19			* You may obtain a copy of the License at
20	7d2e572f	Stephen Beaver	*
21	b12ea3fb	Renato Botelho	* http://www.apache.org/licenses/LICENSE-2.0
22	7d2e572f	Stephen Beaver	*
23	b12ea3fb	Renato Botelho	* Unless required by applicable law or agreed to in writing, software
24			* distributed under the License is distributed on an "AS IS" BASIS,
25			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
26			* See the License for the specific language governing permissions and
27			* limitations under the License.
28	7d2e572f	Stephen Beaver	*/
29	fab7ff44	Bill Marquette
30	6b07c15a	Matthew Grooms	##\|+PRIV
31			##\|*IDENT=page-system-usermanager
32	5230f468	jim-p	##\|*NAME=System: User Manager
33	6b07c15a	Matthew Grooms	##\|*DESCR=Allow access to the 'System: User Manager' page.
34	57188e47	Phil Davis	##\|*WARN=standard-warning-root
35	6b07c15a	Matthew Grooms	##\|MATCH=system_usermanager.php
36			##\|-PRIV
37
38	c81ef6e2	Phil Davis	require_once("certs.inc");
39			require_once("guiconfig.inc");
40	43e07671	doktornotor	require_once("pfsense-utils.inc");
41	fab7ff44	Bill Marquette
42	3fa6d462	jim-p	$logging_level = LOG_WARNING;
43			$logging_prefix = gettext("Local User Database");
44	ccb301a4	Viktor G	$cert_keylens = array("1024", "2048", "3072", "4096", "6144", "7680", "8192", "15360", "16384");
45			$cert_keytypes = array("RSA", "ECDSA");
46			$openssl_ecnames = cert_build_curve_list();
47
48			global $openssl_digest_algs;
49	3fa6d462	jim-p
50	e33be77c	Ermal	// start admin user code
51	4611e283	Steve Beaver	if (isset($_REQUEST['userid']) && is_numericint($_REQUEST['userid'])) {
52			$id = $_REQUEST['userid'];
53	73fa304b	Phil Davis	}
54	1df17ba9	Scott Ullrich
55	c6c398c6	jim-p	init_config_arr(array('system', 'user'));
56	e33be77c	Ermal	$a_user = &$config['system']['user'];
57	4611e283	Steve Beaver	$act = $_REQUEST['act'];
58	45ee90ed	Matthew Grooms
59	73fa304b	Phil Davis	if (isset($_SERVER['HTTP_REFERER'])) {
60	7c2d0050	Renato Botelho	$referer = $_SERVER['HTTP_REFERER'];
61	73fa304b	Phil Davis	} else {
62	7c2d0050	Renato Botelho	$referer = '/system_usermanager.php';
63	73fa304b	Phil Davis	}
64	7c2d0050	Renato Botelho
65	adacdf5f	jim-p	if (isset($id) && $a_user[$id]) {
66			$pconfig['usernamefld'] = $a_user[$id]['name'];
67			$pconfig['descr'] = $a_user[$id]['descr'];
68			$pconfig['expires'] = $a_user[$id]['expires'];
69	8bab524e	Phil Davis	$pconfig['customsettings'] = isset($a_user[$id]['customsettings']);
70			$pconfig['webguicss'] = $a_user[$id]['webguicss'];
71			$pconfig['webguifixedmenu'] = $a_user[$id]['webguifixedmenu'];
72			$pconfig['webguihostnamemenu'] = $a_user[$id]['webguihostnamemenu'];
73			$pconfig['dashboardcolumns'] = $a_user[$id]['dashboardcolumns'];
74	1d3510cf	Phil Davis	$pconfig['interfacessort'] = isset($a_user[$id]['interfacessort']);
75	8bab524e	Phil Davis	$pconfig['dashboardavailablewidgetspanel'] = isset($a_user[$id]['dashboardavailablewidgetspanel']);
76			$pconfig['systemlogsfilterpanel'] = isset($a_user[$id]['systemlogsfilterpanel']);
77			$pconfig['systemlogsmanagelogpanel'] = isset($a_user[$id]['systemlogsmanagelogpanel']);
78			$pconfig['statusmonitoringsettingspanel'] = isset($a_user[$id]['statusmonitoringsettingspanel']);
79			$pconfig['webguileftcolumnhyper'] = isset($a_user[$id]['webguileftcolumnhyper']);
80	d9058974	Phil Davis	$pconfig['disablealiaspopupdetail'] = isset($a_user[$id]['disablealiaspopupdetail']);
81	8bab524e	Phil Davis	$pconfig['pagenamefirst'] = isset($a_user[$id]['pagenamefirst']);
82	adacdf5f	jim-p	$pconfig['groups'] = local_user_get_groups($a_user[$id]);
83			$pconfig['utype'] = $a_user[$id]['scope'];
84			$pconfig['uid'] = $a_user[$id]['uid'];
85			$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
86			$pconfig['priv'] = $a_user[$id]['priv'];
87			$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
88			$pconfig['disabled'] = isset($a_user[$id]['disabled']);
89			}
90
91	acd7e560	jim-p	/*
92			* Check user privileges to test if the user is allowed to make changes.
93			* Otherwise users can end up in an inconsistent state where some changes are
94			* performed and others denied. See https://redmine.pfsense.org/issues/9259
95			*/
96			phpsession_begin();
97			$guiuser = getUserEntry($_SESSION['Username']);
98			$read_only = (is_array($guiuser) && userHasPrivilege($guiuser, "user-config-readonly"));
99			phpsession_end();
100
101			if (!empty($_POST) && $read_only) {
102			$input_errors = array(gettext("Insufficient privileges to make the requested change (read only)."));
103			}
104
105			if (($_POST['act'] == "deluser") && !$read_only) {
106	45ee90ed	Matthew Grooms
107	f5c9c0c7	Steve Beaver	if (!isset($_POST['username']) \|\| !isset($a_user[$id]) \|\| ($_POST['username'] != $a_user[$id]['name'])) {
108	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
109			exit;
110	6b07c15a	Matthew Grooms	}
111
112	f5c9c0c7	Steve Beaver	if ($_POST['username'] == $_SESSION['Username']) {
113			$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $_POST['username']);
114	d6b79c39	Phil Davis	} else {
115			local_user_del($a_user[$id]);
116			$userdeleted = $a_user[$id]['name'];
117			unset($a_user[$id]);
118	92c27793	jim-p	/* Reindex the array to avoid operating on an incorrect index https://redmine.pfsense.org/issues/7733 */
119			$a_user = array_values($a_user);
120	3fa6d462	jim-p	$savemsg = sprintf(gettext("Successfully deleted user: %s"), $userdeleted);
121			write_config($savemsg);
122			syslog($logging_level, "{$logging_prefix}: {$savemsg}");
123	d6b79c39	Phil Davis	}
124	f5c9c0c7	Steve Beaver
125	d61309a0	Phil Davis	} else if ($act == "new") {
126	e33be77c	Ermal	/*
127			* set this value cause the text field is read only
128			* and the user should not be able to mess with this
129			* setting.
130			*/
131			$pconfig['utype'] = "user";
132			$pconfig['lifetime'] = 3650;
133	fc1913fe	jim-p
134			$nonPrvCas = array();
135			if (is_array($config['ca']) && count($config['ca']) > 0) {
136			foreach ($config['ca'] as $ca) {
137			if (!$ca['prv']) {
138			continue;
139			}
140
141			$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
142			}
143			}
144
145	e33be77c	Ermal	}
146	45ee90ed	Matthew Grooms
147	acd7e560	jim-p	if (isset($_POST['dellall']) && !$read_only) {
148	4e21c82e	bruno
149			$del_users = $_POST['delete_check'];
150	3fa6d462	jim-p	$deleted_users = array();
151	4e21c82e	bruno
152	73fa304b	Phil Davis	if (!empty($del_users)) {
153			foreach ($del_users as $userid) {
154	4e21c82e	bruno	if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
155	d6b79c39	Phil Davis	if ($a_user[$userid]['name'] == $_SESSION['Username']) {
156			$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $a_user[$userid]['name']);
157			} else {
158	3fa6d462	jim-p	$deleted_users[] = $a_user[$userid]['name'];
159	d6b79c39	Phil Davis	local_user_del($a_user[$userid]);
160			unset($a_user[$userid]);
161			}
162			} else {
163			$delete_errors[] = sprintf(gettext("Cannot delete user %s because it is a system user."), $a_user[$userid]['name']);
164	4e21c82e	bruno	}
165			}
166	d6b79c39	Phil Davis
167	3fa6d462	jim-p	if (count($deleted_users) > 0) {
168			$savemsg = sprintf(gettext("Successfully deleted %s: %s"), (count($deleted_users) == 1) ? gettext("user") : gettext("users"), implode(', ', $deleted_users));
169	92c27793	jim-p	/* Reindex the array to avoid operating on an incorrect index https://redmine.pfsense.org/issues/7733 */
170			$a_user = array_values($a_user);
171	d6b79c39	Phil Davis	write_config($savemsg);
172	3fa6d462	jim-p	syslog($logging_level, "{$logging_prefix}: {$savemsg}");
173	d6b79c39	Phil Davis	}
174	4e21c82e	bruno	}
175			}
176
177	acd7e560	jim-p	if (($_POST['act'] == "delcert") && !$read_only) {
178	98402844	Stephen Beaver
179			if (!$a_user[$id]) {
180			pfSenseHeader("system_usermanager.php");
181			exit;
182			}
183
184			$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
185			$certdeleted = $certdeleted['descr'];
186			unset($a_user[$id]['cert'][$_POST['certid']]);
187	3fa6d462	jim-p	$savemsg = sprintf(gettext("Removed certificate association \"%s\" from user %s"), $certdeleted, $a_user[$id]['name']);
188			write_config($savemsg);
189			syslog($logging_level, "{$logging_prefix}: {$savemsg}");
190	98402844	Stephen Beaver	$_POST['act'] = "edit";
191			}
192	64c31615	Stephen Beaver
193	acd7e560	jim-p	if (($_POST['act'] == "delprivid") && !$read_only) {
194	945204b1	Stephen Beaver	$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
195			unset($a_user[$id]['priv'][$_POST['privid']]);
196			local_user_set($a_user[$id]);
197	3fa6d462	jim-p	$savemsg = sprintf(gettext("Removed Privilege \"%s\" from user %s"), $privdeleted, $a_user[$id]['name']);
198			write_config($savemsg);
199			syslog($logging_level, "{$logging_prefix}: {$savemsg}");
200	945204b1	Stephen Beaver	$_POST['act'] = "edit";
201	4c879f95	heper	}
202	98402844	Stephen Beaver
203	acd7e560	jim-p	if ($_POST['save'] && !$read_only) {
204	e33be77c	Ermal	unset($input_errors);
205			$pconfig = $_POST;
206	45ee90ed	Matthew Grooms
207	e33be77c	Ermal	/* input validation */
208			if (isset($id) && ($a_user[$id])) {
209			$reqdfields = explode(" ", "usernamefld");
210			$reqdfieldsn = array(gettext("Username"));
211			} else {
212			if (empty($_POST['name'])) {
213			$reqdfields = explode(" ", "usernamefld passwordfld1");
214			$reqdfieldsn = array(
215			gettext("Username"),
216			gettext("Password"));
217	45ee90ed	Matthew Grooms	} else {
218	e33be77c	Ermal	$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
219			$reqdfieldsn = array(
220			gettext("Username"),
221			gettext("Password"),
222			gettext("Descriptive name"),
223			gettext("Certificate authority"),
224			gettext("Key length"),
225			gettext("Lifetime"));
226	45ee90ed	Matthew Grooms	}
227	e33be77c	Ermal	}
228	45ee90ed	Matthew Grooms
229	1e9b4611	Renato Botelho	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
230	45ee90ed	Matthew Grooms
231	73fa304b	Phil Davis	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
232	e33be77c	Ermal	$input_errors[] = gettext("The username contains invalid characters.");
233	73fa304b	Phil Davis	}
234	45ee90ed	Matthew Grooms
235	a84fb545	Andrei Miu	if (strlen($_POST['usernamefld']) > 32) {
236			$input_errors[] = gettext("The username is longer than 32 characters.");
237	73fa304b	Phil Davis	}
238	94d455da	jim-p
239	73fa304b	Phil Davis	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
240	e33be77c	Ermal	$input_errors[] = gettext("The passwords do not match.");
241	73fa304b	Phil Davis	}
242	45ee90ed	Matthew Grooms
243	73fa304b	Phil Davis	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
244	123d8700	Renato Botelho	$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
245	73fa304b	Phil Davis	}
246	123d8700	Renato Botelho
247	e63321a5	jim-p	/* Check the POSTed groups to ensure they are valid and exist */
248	9d3e8723	Phil Davis	if (is_array($_POST['groups'])) {
249	9f472202	NewEraCracker	foreach ($_POST['groups'] as $newgroup) {
250			if (empty(getGroupEntry($newgroup))) {
251			$input_errors[] = gettext("One or more invalid groups was submitted.");
252			}
253	e63321a5	jim-p	}
254			}
255
256	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
257	e33be77c	Ermal	$oldusername = $a_user[$id]['name'];
258	73fa304b	Phil Davis	} else {
259	e33be77c	Ermal	$oldusername = "";
260	73fa304b	Phil Davis	}
261	e33be77c	Ermal	/* make sure this user name is unique */
262			if (!$input_errors) {
263			foreach ($a_user as $userent) {
264			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
265			$input_errors[] = gettext("Another entry with the same username already exists.");
266			break;
267	58664cc9	Scott Ullrich	}
268	3dec33d4	Erik Fonnesbeck	}
269	e33be77c	Ermal	}
270			/* also make sure it is not reserved */
271			if (!$input_errors) {
272			$system_users = explode("\n", file_get_contents("/etc/passwd"));
273			foreach ($system_users as $s_user) {
274			$ent = explode(":", $s_user);
275			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
276			$input_errors[] = gettext("That username is reserved by the system.");
277			break;
278	8339ab6d	jim-p	}
279	7e4a4513	Scott Ullrich	}
280	e33be77c	Ermal	}
281	1df17ba9	Scott Ullrich
282	e33be77c	Ermal	/*
283	e30050b6	Phil Davis	* Check for a valid expiration date if one is set at all (valid means,
284	4d148b59	Yehuda Katz	* DateTime puts out a time stamp so any DateTime compatible time
285	e33be77c	Ermal	* format may be used. to keep it simple for the enduser, we only
286			* claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
287			* like "+1 day", which will be converted to MM/DD/YYYY based on "now".
288	e30050b6	Phil Davis	* Otherwise such an entry would lead to an invalid expiration data.
289	e33be77c	Ermal	*/
290	73fa304b	Phil Davis	if ($_POST['expires']) {
291	4d148b59	Yehuda Katz	try {
292			$expdate = new DateTime($_POST['expires']);
293			//convert from any DateTime compatible date to MM/DD/YYYY
294			$_POST['expires'] = $expdate->format("m/d/Y");
295	73fa304b	Phil Davis	} catch (Exception $ex) {
296	e33be77c	Ermal	$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
297	0092b3bd	mgrooms	}
298	e33be77c	Ermal	}
299	0092b3bd	mgrooms
300	e33be77c	Ermal	if (!empty($_POST['name'])) {
301			$ca = lookup_ca($_POST['caref']);
302	73fa304b	Phil Davis	if (!$ca) {
303	4c291f4c	Renato Botelho	$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
304	73fa304b	Phil Davis	}
305	e33be77c	Ermal	}
306	9ceace25	jim-p	validate_webguicss_field($input_errors, $_POST['webguicss']);
307			validate_webguifixedmenu_field($input_errors, $_POST['webguifixedmenu']);
308			validate_webguihostnamemenu_field($input_errors, $_POST['webguihostnamemenu']);
309			validate_dashboardcolumns_field($input_errors, $_POST['dashboardcolumns']);
310	c9794c06	Ermal
311	e33be77c	Ermal	if (!$input_errors) {
312	4ee51131	Sjon Hortensius
313	e33be77c	Ermal	$userent = array();
314	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
315	e33be77c	Ermal	$userent = $a_user[$id];
316	73fa304b	Phil Davis	}
317	e879fc81	Ermal
318	e33be77c	Ermal	isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
319
320			/* the user name was modified */
321	926e0a2f	Phil Davis	if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
322	e33be77c	Ermal	$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
323	fdcf104c	jim-p	local_user_del($userent);
324			}
325	1df17ba9	Scott Ullrich
326	e30050b6	Phil Davis	/* the user password was modified */
327	73fa304b	Phil Davis	if ($_POST['passwordfld1']) {
328	e33be77c	Ermal	local_user_set_password($userent, $_POST['passwordfld1']);
329	73fa304b	Phil Davis	}
330	1df17ba9	Scott Ullrich
331	5cde9005	NewEraCracker	/* only change description if sent */
332			if (isset($_POST['descr'])) {
333			$userent['descr'] = $_POST['descr'];
334			}
335
336	e33be77c	Ermal	$userent['name'] = $_POST['usernamefld'];
337			$userent['expires'] = $_POST['expires'];
338	8bab524e	Phil Davis	$userent['dashboardcolumns'] = $_POST['dashboardcolumns'];
339	e33be77c	Ermal	$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
340			$userent['ipsecpsk'] = $_POST['ipsecpsk'];
341	3ccb9689	Charlie Marshall
342	73fa304b	Phil Davis	if ($_POST['disabled']) {
343	e33be77c	Ermal	$userent['disabled'] = true;
344	73fa304b	Phil Davis	} else {
345	e33be77c	Ermal	unset($userent['disabled']);
346	73fa304b	Phil Davis	}
347	e33be77c	Ermal
348	8bab524e	Phil Davis	if ($_POST['customsettings']) {
349			$userent['customsettings'] = true;
350			} else {
351			unset($userent['customsettings']);
352			}
353
354			if ($_POST['webguicss']) {
355			$userent['webguicss'] = $_POST['webguicss'];
356			} else {
357			unset($userent['webguicss']);
358			}
359
360			if ($_POST['webguifixedmenu']) {
361			$userent['webguifixedmenu'] = $_POST['webguifixedmenu'];
362			} else {
363			unset($userent['webguifixedmenu']);
364			}
365
366			if ($_POST['webguihostnamemenu']) {
367			$userent['webguihostnamemenu'] = $_POST['webguihostnamemenu'];
368			} else {
369			unset($userent['webguihostnamemenu']);
370			}
371
372	1d3510cf	Phil Davis	if ($_POST['interfacessort']) {
373			$userent['interfacessort'] = true;
374			} else {
375			unset($userent['interfacessort']);
376			}
377
378	8bab524e	Phil Davis	if ($_POST['dashboardavailablewidgetspanel']) {
379			$userent['dashboardavailablewidgetspanel'] = true;
380			} else {
381			unset($userent['dashboardavailablewidgetspanel']);
382			}
383
384			if ($_POST['systemlogsfilterpanel']) {
385			$userent['systemlogsfilterpanel'] = true;
386			} else {
387			unset($userent['systemlogsfilterpanel']);
388			}
389
390			if ($_POST['systemlogsmanagelogpanel']) {
391			$userent['systemlogsmanagelogpanel'] = true;
392			} else {
393			unset($userent['systemlogsmanagelogpanel']);
394			}
395
396			if ($_POST['statusmonitoringsettingspanel']) {
397			$userent['statusmonitoringsettingspanel'] = true;
398			} else {
399			unset($userent['statusmonitoringsettingspanel']);
400			}
401
402			if ($_POST['webguileftcolumnhyper']) {
403			$userent['webguileftcolumnhyper'] = true;
404			} else {
405			unset($userent['webguileftcolumnhyper']);
406			}
407
408	d9058974	Phil Davis	if ($_POST['disablealiaspopupdetail']) {
409			$userent['disablealiaspopupdetail'] = true;
410			} else {
411			unset($userent['disablealiaspopupdetail']);
412			}
413
414	8bab524e	Phil Davis	if ($_POST['pagenamefirst']) {
415			$userent['pagenamefirst'] = true;
416			} else {
417			unset($userent['pagenamefirst']);
418			}
419
420	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
421	e33be77c	Ermal	$a_user[$id] = $userent;
422	73fa304b	Phil Davis	} else {
423	e33be77c	Ermal	if (!empty($_POST['name'])) {
424			$cert = array();
425			$cert['refid'] = uniqid();
426	4c291f4c	Renato Botelho	$userent['cert'] = array();
427	e33be77c	Ermal
428			$cert['descr'] = $_POST['name'];
429
430	1ec79365	jim-p	$subject = cert_get_subject_hash($ca['crt']);
431
432			$dn = array();
433			if (!empty($subject['C'])) {
434			$dn['countryName'] = $subject['C'];
435			}
436			if (!empty($subject['ST'])) {
437			$dn['stateOrProvinceName'] = $subject['ST'];
438			}
439			if (!empty($subject['L'])) {
440			$dn['localityName'] = $subject['L'];
441			}
442			if (!empty($subject['O'])) {
443			$dn['organizationName'] = $subject['O'];
444			}
445			if (!empty($subject['OU'])) {
446	354b1c75	jim-p	$dn['organizationalUnitName'] = $subject['OU'];
447	1ec79365	jim-p	}
448			$dn['commonName'] = $userent['name'];
449	e562fca2	jim-p	$cn_altname = cert_add_altname_type($userent['name']);
450			if (!empty($cn_altname)) {
451			$dn['subjectAltName'] = $cn_altname;
452	b767fe6c	jim-p	}
453	e33be77c	Ermal
454			cert_create($cert, $_POST['caref'], $_POST['keylen'],
455	0aa7f5a7	jim-p	(int)$_POST['lifetime'], $dn, 'user',
456	ccb301a4	Viktor G	$_POST['digest_alg'], $_POST['keytype'],
457	0aa7f5a7	jim-p	$_POST['ecname']);
458	e33be77c	Ermal
459	73fa304b	Phil Davis	if (!is_array($config['cert'])) {
460	e33be77c	Ermal	$config['cert'] = array();
461	73fa304b	Phil Davis	}
462	e33be77c	Ermal	$config['cert'][] = $cert;
463			$userent['cert'][] = $cert['refid'];
464			}
465			$userent['uid'] = $config['system']['nextuid']++;
466			/* Add the user to All Users group. */
467			foreach ($config['system']['group'] as $gidx => $group) {
468			if ($group['name'] == "all") {
469	73fa304b	Phil Davis	if (!is_array($config['system']['group'][$gidx]['member'])) {
470	e33be77c	Ermal	$config['system']['group'][$gidx]['member'] = array();
471	73fa304b	Phil Davis	}
472	e33be77c	Ermal	$config['system']['group'][$gidx]['member'][] = $userent['uid'];
473			break;
474			}
475			}
476	970db70b	Scott Ullrich
477	e33be77c	Ermal	$a_user[] = $userent;
478	45ee90ed	Matthew Grooms	}
479	e33be77c	Ermal
480	dc3bc1f8	Renato Botelho	/* Sort it alphabetically */
481			usort($config['system']['user'], function($a, $b) {
482			return strcmp($a['name'], $b['name']);
483			});
484
485	d61309a0	Phil Davis	local_user_set_groups($userent, $_POST['groups']);
486	e33be77c	Ermal	local_user_set($userent);
487	e6c79cd3	jim-p
488			/* Update user index to account for new changes */
489			global $userindex;
490			$userindex = index_users();
491
492	3fa6d462	jim-p	$savemsg = sprintf(gettext("Successfully %s user %s"), (isset($id)) ? gettext("edited") : gettext("created"), $userent['name']);
493			write_config($savemsg);
494			syslog($logging_level, "{$logging_prefix}: {$savemsg}");
495	73fa304b	Phil Davis	if (is_dir("/etc/inc/privhooks")) {
496	e33be77c	Ermal	run_plugins("/etc/inc/privhooks");
497	73fa304b	Phil Davis	}
498	e33be77c	Ermal
499			pfSenseHeader("system_usermanager.php");
500	45ee90ed	Matthew Grooms	}
501	e33be77c	Ermal	}
502	fab7ff44	Bill Marquette
503	7411c285	Stephen Beaver	function build_priv_table() {
504	acd7e560	jim-p	global $a_user, $id, $read_only;
505	7411c285	Stephen Beaver
506			$privhtml = '<div class="table-responsive">';
507			$privhtml .= '<table class="table table-striped table-hover table-condensed">';
508			$privhtml .= '<thead>';
509	7d2e572f	Stephen Beaver	$privhtml .= '<tr>';
510			$privhtml .= '<th>' . gettext('Inherited from') . '</th>';
511			$privhtml .= '<th>' . gettext('Name') . '</th>';
512			$privhtml .= '<th>' . gettext('Description') . '</th>';
513	f460db90	NOYB	$privhtml .= '<th>' . gettext('Action') . '</th>';
514	7d2e572f	Stephen Beaver	$privhtml .= '</tr>';
515	7411c285	Stephen Beaver	$privhtml .= '</thead>';
516			$privhtml .= '<tbody>';
517
518	945204b1	Stephen Beaver	$i = 0;
519	57188e47	Phil Davis	$user_has_root_priv = false;
520	945204b1	Stephen Beaver
521			foreach (get_user_privdesc($a_user[$id]) as $priv) {
522			$group = false;
523			if ($priv['group']) {
524			$group = $priv['group'];
525			}
526
527	7411c285	Stephen Beaver	$privhtml .= '<tr>';
528			$privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>';
529			$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
530	57188e47	Phil Davis	$privhtml .= '<td>' . htmlspecialchars($priv['descr']);
531			if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) {
532	21312954	Phil Davis	$privhtml .= ' ' . gettext('(admin privilege)');
533	57188e47	Phil Davis	$user_has_root_priv = true;
534			}
535			$privhtml .= '</td>';
536	945204b1	Stephen Beaver	$privhtml .= '<td>';
537	acd7e560	jim-p	if (!$group && !$read_only) {
538	f460db90	NOYB	$privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
539	d61309a0	Phil Davis	}
540	945204b1	Stephen Beaver
541			$privhtml .= '</td>';
542	7411c285	Stephen Beaver	$privhtml .= '</tr>';
543	945204b1	Stephen Beaver
544	d61309a0	Phil Davis	if (!$group) {
545	945204b1	Stephen Beaver	$i++;
546	d61309a0	Phil Davis	}
547	7411c285	Stephen Beaver	}
548
549	57188e47	Phil Davis	if ($user_has_root_priv) {
550			$privhtml .= '<tr>';
551			$privhtml .= '<td colspan="3">';
552	9187d6f7	Phil Davis	$privhtml .= '<b>' . gettext('Security notice: This user effectively has administrator-level access') . '</b>';
553	57188e47	Phil Davis	$privhtml .= '</td>';
554			$privhtml .= '<td>';
555			$privhtml .= '</td>';
556			$privhtml .= '</tr>';
557	f5c9c0c7	Steve Beaver
558	57188e47	Phil Davis	}
559
560	7411c285	Stephen Beaver	$privhtml .= '</tbody>';
561			$privhtml .= '</table>';
562			$privhtml .= '</div>';
563
564			$privhtml .= '<nav class="action-buttons">';
565	acd7e560	jim-p	if (!$read_only) {
566			$privhtml .= '<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
567			}
568	7411c285	Stephen Beaver	$privhtml .= '</nav>';
569
570			return($privhtml);
571			}
572	98402844	Stephen Beaver
573	7411c285	Stephen Beaver	function build_cert_table() {
574	acd7e560	jim-p	global $a_user, $id, $read_only;
575	7411c285	Stephen Beaver
576			$certhtml = '<div class="table-responsive">';
577			$certhtml .= '<table class="table table-striped table-hover table-condensed">';
578			$certhtml .= '<thead>';
579	7d2e572f	Stephen Beaver	$certhtml .= '<tr>';
580			$certhtml .= '<th>' . gettext('Name') . '</th>';
581			$certhtml .= '<th>' . gettext('CA') . '</th>';
582	98402844	Stephen Beaver	$certhtml .= '<th></th>';
583	7d2e572f	Stephen Beaver	$certhtml .= '</tr>';
584	7411c285	Stephen Beaver	$certhtml .= '</thead>';
585			$certhtml .= '<tbody>';
586
587			$a_cert = $a_user[$id]['cert'];
588			if (is_array($a_cert)) {
589			$i = 0;
590			foreach ($a_cert as $certref) {
591	7d2e572f	Stephen Beaver	$cert = lookup_cert($certref);
592			$ca = lookup_ca($cert['caref']);
593			$revokedstr = is_cert_revoked($cert) ? '<b> Revoked</b>':'';
594
595	7411c285	Stephen Beaver	$certhtml .= '<tr>';
596	7d2e572f	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
597	7411c285	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($ca['descr']) . '</td>';
598	db676e5b	Stephen Beaver	$certhtml .= '<td>';
599	acd7e560	jim-p	if (!$read_only) {
600			$certhtml .= '<a id="delcert' . $i .'" class="fa fa-trash no-confirm icon-pointer" title="';
601			$certhtml .= gettext('Remove this certificate association? (Certificate will not be deleted)') . '"></a>';
602			}
603	db676e5b	Stephen Beaver	$certhtml .= '</td>';
604	7411c285	Stephen Beaver	$certhtml .= '</tr>';
605	db676e5b	Stephen Beaver	$i++;
606	7411c285	Stephen Beaver	}
607	db676e5b	Stephen Beaver
608	7411c285	Stephen Beaver	}
609
610			$certhtml .= '</tbody>';
611			$certhtml .= '</table>';
612			$certhtml .= '</div>';
613
614			$certhtml .= '<nav class="action-buttons">';
615	acd7e560	jim-p	if (!$read_only) {
616			$certhtml .= '<a href="system_certmanager.php?act=new&userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
617			}
618	7411c285	Stephen Beaver	$certhtml .= '</nav>';
619
620			return($certhtml);
621			}
622
623	8f1ab2a4	k-paulius	$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Users"));
624	edcd7535	Phil Davis	$pglinks = array("", "system_usermanager.php", "system_usermanager.php");
625	8f1ab2a4	k-paulius
626			if ($act == "new" \|\| $act == "edit" \|\| $input_errors) {
627			$pgtitle[] = gettext('Edit');
628	edcd7535	Phil Davis	$pglinks[] = "@self";
629	8f1ab2a4	k-paulius	}
630	4611e283	Steve Beaver
631	e33be77c	Ermal	include("head.inc");
632	fab7ff44	Bill Marquette
633	d6b79c39	Phil Davis	if ($delete_errors) {
634			print_input_errors($delete_errors);
635			}
636
637	d61309a0	Phil Davis	if ($input_errors) {
638	4ee51131	Sjon Hortensius	print_input_errors($input_errors);
639	d61309a0	Phil Davis	}
640	98402844	Stephen Beaver
641	d61309a0	Phil Davis	if ($savemsg) {
642	98402844	Stephen Beaver	print_info_box($savemsg, 'success');
643	d61309a0	Phil Davis	}
644	4ee51131	Sjon Hortensius
645			$tab_array = array();
646			$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
647			$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
648			$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
649	2d1f33d9	k-paulius	$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
650	4ee51131	Sjon Hortensius	display_top_tabs($tab_array);
651
652	7411c285	Stephen Beaver	if (!($act == "new" \|\| $act == "edit" \|\| $input_errors)) {
653	64600f94	Sjon Hortensius	?>
654	64c31615	Stephen Beaver	<form method="post">
655	060ed238	Stephen Beaver	<div class="panel panel-default">
656			<div class="panel-heading"><h2 class="panel-title"><?=gettext('Users')?></h2></div>
657			<div class="panel-body">
658			<div class="table-responsive">
659	1c10ce97	PiBa-NL	<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap table-rowdblclickedit" data-sortable>
660	060ed238	Stephen Beaver	<thead>
661			<tr>
662			<th> </th>
663			<th><?=gettext("Username")?></th>
664			<th><?=gettext("Full name")?></th>
665	edd88334	NOYB	<th><?=gettext("Status")?></th>
666	060ed238	Stephen Beaver	<th><?=gettext("Groups")?></th>
667	70dc5cd6	Phil Davis	<th><?=gettext("Actions")?></th>
668	060ed238	Stephen Beaver	</tr>
669			</thead>
670			<tbody>
671	a0165602	Sjon Hortensius	<?php
672	d61309a0	Phil Davis	foreach ($a_user as $i => $userent):
673	a0165602	Sjon Hortensius	?>
674	060ed238	Stephen Beaver	<tr>
675			<td>
676	d6b79c39	Phil Davis	<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=((($userent['scope'] == "system") \|\| ($userent['name'] == $_SESSION['Username'])) ? 'disabled' : '')?>/>
677	060ed238	Stephen Beaver	</td>
678			<td>
679	a0165602	Sjon Hortensius	<?php
680	d61309a0	Phil Davis	if ($userent['scope'] != "user") {
681	a0165602	Sjon Hortensius	$usrimg = 'eye-open';
682	d61309a0	Phil Davis	} else {
683	a0165602	Sjon Hortensius	$usrimg = 'user';
684	d61309a0	Phil Davis	}
685	a0165602	Sjon Hortensius	?>
686	060ed238	Stephen Beaver	<i class="fa fa-<?=$usrimg?>"></i>
687			<?=htmlspecialchars($userent['name'])?>
688			</td>
689			<td><?=htmlspecialchars($userent['descr'])?></td>
690	0fdbaca8	NOYB	<td><i class="fa fa-<?= (isset($userent['disabled'])) ? 'ban" title="' . gettext("Disabled") . '"' : 'check" title="' . gettext("Enabled") . '"' ; ?>><span style='display: none'><?= (isset($userent['disabled'])) ? gettext("Disabled") : gettext("Enabled") ; ?></span></i></td>
691	060ed238	Stephen Beaver	<td><?=implode(",", local_user_get_groups($userent))?></td>
692			<td>
693	4611e283	Steve Beaver	<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&userid=<?=$i?>"></a>
694	acd7e560	jim-p	<?php if (($userent['scope'] != "system") && ($userent['name'] != $_SESSION['Username']) && !$read_only): ?>
695	f5c9c0c7	Steve Beaver	<a class="fa fa-trash" title="<?=gettext("Delete user")?>" href="?act=deluser&userid=<?=$i?>&username=<?=$userent['name']?>" usepost></a>
696	a0165602	Sjon Hortensius	<?php endif; ?>
697	060ed238	Stephen Beaver	</td>
698			</tr>
699	a0165602	Sjon Hortensius	<?php endforeach; ?>
700	060ed238	Stephen Beaver	</tbody>
701			</table>
702			</div>
703			</div>
704	94404d94	Sander van Leeuwen	</div>
705	c10cb196	Stephen Beaver	<nav class="action-buttons">
706	acd7e560	jim-p	<?php if (!$read_only): ?>
707
708	4611e283	Steve Beaver	<a href="?act=new" class="btn btn-sm btn-success">
709	9d5a20cf	heper	<i class="fa fa-plus icon-embed-btn"></i>
710	b921ab63	Stephen Beaver	<?=gettext("Add")?>
711			</a>
712	64c31615	Stephen Beaver
713			<button type="submit" class="btn btn-sm btn-danger" name="dellall" value="dellall" title="<?=gettext('Delete selected users')?>">
714			<i class="fa fa-trash icon-embed-btn"></i>
715			<?=gettext("Delete")?>
716			</button>
717	acd7e560	jim-p	<?php endif; ?>
718	f5c9c0c7	Steve Beaver
719	94404d94	Sander van Leeuwen	</nav>
720	d825dfea	NOYB	</form>
721	3c3ede28	Stephen Beaver	<div class="infoblock">
722	a0165602	Sjon Hortensius	<?php
723	a0d084fe	k-paulius	print_callout('<p>' . gettext("Additional users can be added here. User permissions for accessing " .
724			"the webConfigurator can be assigned directly or inherited from group memberships. " .
725			"Some system object properties can be modified but they cannot be deleted.") . '</p>' .
726			'<p>' . gettext("Accounts added here are also used for other parts of the system " .
727			"such as OpenVPN, IPsec, and Captive Portal.") . '</p>'
728			);
729	f5c9c0c7	Steve Beaver
730	d3f59a8c	Steve Beaver	?></div>
731
732	f5c9c0c7	Steve Beaver	<?php
733	a0165602	Sjon Hortensius	include("foot.inc");
734			exit;
735			}
736	4ee51131	Sjon Hortensius
737			$form = new Form;
738
739	7411c285	Stephen Beaver	if ($act == "new" \|\| $act == "edit" \|\| $input_errors):
740	4ee51131	Sjon Hortensius
741	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
742			'act',
743			null,
744			'hidden',
745			''
746			));
747	4ee51131	Sjon Hortensius
748	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
749			'userid',
750			null,
751			'hidden',
752			isset($id) ? $id:''
753			));
754	4ee51131	Sjon Hortensius
755	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
756			'privid',
757			null,
758			'hidden',
759			''
760			));
761	4ee51131	Sjon Hortensius
762	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
763			'certid',
764			null,
765			'hidden',
766			''
767			));
768	4ee51131	Sjon Hortensius
769	7411c285	Stephen Beaver	$ro = "";
770			if ($pconfig['utype'] == "system") {
771	c4b60a9a	Colin Fleming	$ro = "readonly";
772	7411c285	Stephen Beaver	}
773	4ee51131	Sjon Hortensius
774	7411c285	Stephen Beaver	$section = new Form_Section('User Properties');
775	4ee51131	Sjon Hortensius
776	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
777			'Defined by',
778			strtoupper($pconfig['utype'])
779			));
780	4ee51131	Sjon Hortensius
781	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
782			'utype',
783			null,
784			'hidden',
785			$pconfig['utype']
786			));
787	4ee51131	Sjon Hortensius
788	7411c285	Stephen Beaver	$section->addInput(new Form_Checkbox(
789			'disabled',
790			'Disabled',
791			'This user cannot login',
792			$pconfig['disabled']
793			));
794	6b07c15a	Matthew Grooms
795	7411c285	Stephen Beaver	$section->addInput($input = new Form_Input(
796			'usernamefld',
797	153c3aa6	Phil Davis	'*Username',
798	7411c285	Stephen Beaver	'text',
799	659a8a26	jim-p	$pconfig['usernamefld'],
800			['autocomplete' => 'new-password']
801	7411c285	Stephen Beaver	));
802	61dec0b0	Renato Botelho
803	d61309a0	Phil Davis	if ($ro) {
804	1fe9cc38	Stephen Beaver	$input->setReadonly();
805	d61309a0	Phil Davis	}
806	7411c285	Stephen Beaver
807			$form->addGlobal(new Form_Input(
808			'oldusername',
809	4ee51131	Sjon Hortensius	null,
810	7411c285	Stephen Beaver	'hidden',
811			$pconfig['usernamefld']
812	4ee51131	Sjon Hortensius	));
813	6b07c15a	Matthew Grooms
814	153c3aa6	Phil Davis	if ($act == "edit") {
815			$pwd_required = "";
816			} else {
817			$pwd_required = "*";
818			}
819
820			$group = new Form_Group($pwd_required . 'Password');
821	7411c285	Stephen Beaver	$group->add(new Form_Input(
822			'passwordfld1',
823			'Password',
824	659a8a26	jim-p	'password',
825			null,
826			['autocomplete' => 'new-password']
827	7411c285	Stephen Beaver	));
828			$group->add(new Form_Input(
829			'passwordfld2',
830			'Confirm Password',
831	659a8a26	jim-p	'password',
832			null,
833			['autocomplete' => 'new-password']
834	7411c285	Stephen Beaver	));
835
836			$section->add($group);
837
838			$section->addInput($input = new Form_Input(
839			'descr',
840			'Full name',
841			'text',
842			htmlspecialchars($pconfig['descr'])
843	89140b63	NOYB	))->setHelp('User\'s full name, for administrative information only');
844	7411c285	Stephen Beaver
845	d61309a0	Phil Davis	if ($ro) {
846	7411c285	Stephen Beaver	$input->setDisabled();
847	d61309a0	Phil Davis	}
848	7411c285	Stephen Beaver
849			$section->addInput(new Form_Input(
850			'expires',
851			'Expiration date',
852	d78dbc34	Stephen Beaver	'text',
853	7411c285	Stephen Beaver	$pconfig['expires']
854			))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
855	98b87cfa	Jonathon Anderson	'the expiration date as MM/DD/YYYY');
856	7411c285	Stephen Beaver
857	8bab524e	Phil Davis	$section->addInput(new Form_Checkbox(
858			'customsettings',
859			'Custom Settings',
860			'Use individual customized GUI options and dashboard layout for this user.',
861			$pconfig['customsettings']
862			));
863
864			gen_user_settings_fields($section, $pconfig);
865
866	7411c285	Stephen Beaver	// ==== Group membership ==================================================
867			$group = new Form_Group('Group membership');
868
869	7d2e572f	Stephen Beaver	// Make a list of all the groups configured on the system, and a list of
870	7411c285	Stephen Beaver	// those which this user is a member of
871			$systemGroups = array();
872			$usersGroups = array();
873
874			$usergid = [$pconfig['usernamefld']];
875
876			foreach ($config['system']['group'] as $Ggroup) {
877	d61309a0	Phil Davis	if ($Ggroup['name'] != "all") {
878	5c3a8a9c	Stephen Jones	if (($act == 'edit' \|\| $input_errors) && $Ggroup['member'] && in_array($a_user[$id]['uid'], $Ggroup['member'])) {
879	b4333696	Stephen Beaver	$usersGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the user's list
880	d61309a0	Phil Davis	} else {
881	b4333696	Stephen Beaver	$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
882	d61309a0	Phil Davis	}
883	b4333696	Stephen Beaver	}
884	7411c285	Stephen Beaver	}
885
886			$group->add(new Form_Select(
887			'sysgroups',
888			null,
889			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
890			$systemGroups,
891			true
892	953385a3	heper	))->setHelp('Not member of');
893	6b07c15a	Matthew Grooms
894	7411c285	Stephen Beaver	$group->add(new Form_Select(
895			'groups',
896			null,
897			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
898			$usersGroups,
899			true
900	953385a3	heper	))->setHelp('Member of');
901	7411c285	Stephen Beaver
902			$section->add($group);
903
904			$group = new Form_Group('');
905
906			$group->add(new Form_Button(
907			'movetoenabled',
908	faab522f	Renato Botelho	'Move to "Member of" list',
909	37676f4e	jim-p	null,
910			'fa-angle-double-right'
911	347c0214	Phil Davis	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
912	7411c285	Stephen Beaver
913			$group->add(new Form_Button(
914			'movetodisabled',
915	faab522f	Renato Botelho	'Move to "Not member of" list',
916	37676f4e	jim-p	null,
917			'fa-angle-double-left'
918	347c0214	Phil Davis	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
919	4ee51131	Sjon Hortensius
920	e4c7d45f	NewEraCracker	$group->setHelp('Hold down CTRL (PC)/COMMAND (Mac) key to select multiple items.');
921	7411c285	Stephen Beaver	$section->add($group);
922	4ee51131	Sjon Hortensius
923	7411c285	Stephen Beaver	// ==== Button for adding user certificate ================================
924	d61309a0	Phil Davis	if ($act == 'new') {
925	fc1913fe	jim-p	if (count($nonPrvCas) > 0) {
926			$section->addInput(new Form_Checkbox(
927			'showcert',
928			'Certificate',
929			'Click to create a user certificate',
930			false
931			));
932			} else {
933			$section->addInput(new Form_StaticText(
934			'Certificate',
935			gettext('No private CAs found. A private CA is required to create a new user certificate. ' .
936			'Save the user first to import an external certificate.')
937			));
938			}
939	6b07c15a	Matthew Grooms	}
940
941	7411c285	Stephen Beaver	$form->add($section);
942	6b07c15a	Matthew Grooms
943	7411c285	Stephen Beaver	// ==== Effective privileges section ======================================
944			if (isset($pconfig['uid'])) {
945			// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
946			// is the best way to make the display we need.
947	6b07c15a	Matthew Grooms
948	7411c285	Stephen Beaver	$section = new Form_Section('Effective Privileges');
949	4ee51131	Sjon Hortensius
950	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
951			null,
952			build_priv_table()
953			));
954	4ee51131	Sjon Hortensius
955	7411c285	Stephen Beaver	$form->add($section);
956	4ee51131	Sjon Hortensius
957	7411c285	Stephen Beaver	// ==== Certificate table section =====================================
958	5f88f964	k-paulius	$section = new Form_Section('User Certificates');
959	7411c285	Stephen Beaver
960			$section->addInput(new Form_StaticText(
961			null,
962			build_cert_table()
963			));
964	64600f94	Sjon Hortensius
965			$form->add($section);
966	c9794c06	Ermal	}
967	7411c285	Stephen Beaver
968	f14ff867	Phil Davis	// ==== Add user certificate for a new user
969			if (is_array($config['ca']) && count($config['ca']) > 0) {
970	5f88f964	k-paulius	$section = new Form_Section('Create Certificate for User');
971	f14ff867	Phil Davis	$section->addClass('cert-options');
972	c9794c06	Ermal
973	f14ff867	Phil Davis	if (!empty($nonPrvCas)) {
974			$section->addInput(new Form_Input(
975			'name',
976			'Descriptive name',
977			'text',
978			$pconfig['name']
979			));
980	7411c285	Stephen Beaver
981	f14ff867	Phil Davis	$section->addInput(new Form_Select(
982			'caref',
983			'Certificate authority',
984			null,
985			$nonPrvCas
986			));
987	7411c285	Stephen Beaver
988	f14ff867	Phil Davis	$section->addInput(new Form_Select(
989	ccb301a4	Viktor G	'keytype',
990			'*Key type',
991			$pconfig['keytype'],
992			array_combine($cert_keytypes, $cert_keytypes)
993			));
994
995			$group = new Form_Group($i == 0 ? '*Key length':'');
996			$group->addClass('rsakeys');
997			$group->add(new Form_Select(
998	f14ff867	Phil Davis	'keylen',
999	ccb301a4	Viktor G	null,
1000	293c7335	jim-p	$pconfig['keylen'] ? $pconfig['keylen'] : '2048',
1001	ccb301a4	Viktor G	array_combine($cert_keylens, $cert_keylens)
1002			))->setHelp('The length to use when generating a new RSA key, in bits. %1$s' .
1003			'The Key Length should not be lower than 2048 or some platforms ' .
1004			'may consider the certificate invalid.', '<br/>');
1005			$section->add($group);
1006
1007			$group = new Form_Group($i == 0 ? '*Elliptic Curve Name':'');
1008			$group->addClass('ecnames');
1009			$group->add(new Form_Select(
1010			'ecname',
1011			null,
1012	293c7335	jim-p	$pconfig['ecname'] ? $pconfig['ecname'] : 'prime256v1',
1013	ccb301a4	Viktor G	$openssl_ecnames
1014			))->setHelp('Curves may not be compatible with all uses. Known compatible curve uses are denoted in brackets.');
1015			$section->add($group);
1016
1017			$section->addInput(new Form_Select(
1018	0aa7f5a7	jim-p	'digest_alg',
1019	ccb301a4	Viktor G	'*Digest Algorithm',
1020	0aa7f5a7	jim-p	$pconfig['digest_alg'] ? $pconfig['digest_alg'] : 'sha256',
1021	ccb301a4	Viktor G	array_combine($openssl_digest_algs, $openssl_digest_algs)
1022			))->setHelp('The digest method used when the certificate is signed. %1$s' .
1023			'The best practice is to use an algorithm stronger than SHA1. '.
1024			'Some platforms may consider weaker digest algorithms invalid', '<br/>');
1025	7411c285	Stephen Beaver
1026	f14ff867	Phil Davis	$section->addInput(new Form_Input(
1027			'lifetime',
1028			'Lifetime',
1029			'number',
1030			$pconfig['lifetime']
1031			));
1032	7411c285	Stephen Beaver	}
1033
1034	f14ff867	Phil Davis	$form->add($section);
1035			}
1036
1037	7411c285	Stephen Beaver	endif;
1038			// ==== Paste a key for the new user
1039	4ee51131	Sjon Hortensius	$section = new Form_Section('Keys');
1040
1041	35e0cd70	Stephen Beaver	$section->addInput(new Form_Checkbox(
1042			'showkey',
1043			'Authorized keys',
1044			'Click to paste an authorized key',
1045			false
1046			));
1047
1048	4ee51131	Sjon Hortensius	$section->addInput(new Form_Textarea(
1049			'authorizedkeys',
1050	d1e73829	Stephen Beaver	'Authorized SSH Keys',
1051	4ee51131	Sjon Hortensius	$pconfig['authorizedkeys']
1052	d1e73829	Stephen Beaver	))->setHelp('Enter authorized SSH keys for this user');
1053	4ee51131	Sjon Hortensius
1054	35e0cd70	Stephen Beaver	$section->addInput(new Form_Input(
1055	4ee51131	Sjon Hortensius	'ipsecpsk',
1056			'IPsec Pre-Shared Key',
1057			'text',
1058			$pconfig['ipsecpsk']
1059			));
1060
1061			$form->add($section);
1062	7411c285	Stephen Beaver
1063	a0165602	Sjon Hortensius	print $form;
1064	8bab524e	Phil Davis
1065			$csswarning = sprintf(gettext("%sUser-created themes are unsupported, use at your own risk."), "<br />");
1066	7411c285	Stephen Beaver	?>
1067	8fd9052f	Colin Fleming	<script type="text/javascript">
1068	7411c285	Stephen Beaver	//<![CDATA[
1069	d61309a0	Phil Davis	events.push(function() {
1070	7411c285	Stephen Beaver
1071	8bab524e	Phil Davis	function setcustomoptions() {
1072			var adv = $('#customsettings').prop('checked');
1073
1074			hideInput('webguicss', !adv);
1075			hideInput('webguifixedmenu', !adv);
1076			hideInput('webguihostnamemenu', !adv);
1077			hideInput('dashboardcolumns', !adv);
1078	1d3510cf	Phil Davis	hideCheckbox('interfacessort', !adv);
1079	8bab524e	Phil Davis	hideCheckbox('dashboardavailablewidgetspanel', !adv);
1080			hideCheckbox('systemlogsfilterpanel', !adv);
1081			hideCheckbox('systemlogsmanagelogpanel', !adv);
1082			hideCheckbox('statusmonitoringsettingspanel', !adv);
1083			hideCheckbox('webguileftcolumnhyper', !adv);
1084	d9058974	Phil Davis	hideCheckbox('disablealiaspopupdetail', !adv);
1085	8bab524e	Phil Davis	hideCheckbox('pagenamefirst', !adv);
1086			}
1087
1088			// Handle displaying a warning message if a user-created theme is selected.
1089			function setThemeWarning() {
1090			if ($('#webguicss').val().startsWith("pfSense")) {
1091			$('#csstxt').html("").addClass("text-default");
1092			} else {
1093			$('#csstxt').html("<?=$csswarning?>").addClass("text-danger");
1094			}
1095			}
1096
1097	ccb301a4	Viktor G	function change_keytype() {
1098			hideClass('rsakeys', ($('#keytype').val() != 'RSA'));
1099			hideClass('ecnames', ($('#keytype').val() != 'ECDSA'));
1100			}
1101
1102	8bab524e	Phil Davis	$('#webguicss').change(function() {
1103			setThemeWarning();
1104			});
1105
1106			setThemeWarning();
1107
1108	7411c285	Stephen Beaver	// On click . .
1109	8bab524e	Phil Davis	$('#customsettings').click(function () {
1110			setcustomoptions();
1111			});
1112
1113	7411c285	Stephen Beaver	$("#movetodisabled").click(function() {
1114			moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
1115			});
1116
1117			$("#movetoenabled").click(function() {
1118			moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
1119			});
1120
1121			$("#showcert").click(function() {
1122			hideClass('cert-options', !this.checked);
1123			});
1124
1125			$("#showkey").click(function() {
1126	35e0cd70	Stephen Beaver	hideInput('authorizedkeys', false);
1127			hideCheckbox('showkey', true);
1128	7411c285	Stephen Beaver	});
1129
1130	98402844	Stephen Beaver	$('[id^=delcert]').click(function(event) {
1131	d61309a0	Phil Davis	if (confirm(event.target.title)) {
1132	98402844	Stephen Beaver	$('#certid').val(event.target.id.match(/\d+$/)[0]);
1133			$('#userid').val('<?=$id;?>');
1134			$('#act').val('delcert');
1135			$('form').submit();
1136			}
1137			});
1138	945204b1	Stephen Beaver
1139	408d0882	heper	$('[id^=delprivid]').click(function(event) {
1140	d61309a0	Phil Davis	if (confirm(event.target.title)) {
1141	4c879f95	heper	$('#privid').val(event.target.id.match(/\d+$/)[0]);
1142	408d0882	heper	$('#userid').val('<?=$id;?>');
1143			$('#act').val('delprivid');
1144			$('form').submit();
1145			}
1146			});
1147	64c31615	Stephen Beaver
1148	53c38ff1	Stephen Beaver	$('#expires').datepicker();
1149	98402844	Stephen Beaver
1150	ccb301a4	Viktor G	$('#keytype').change(function () {
1151			change_keytype();
1152			});
1153
1154	eef93144	Jared Dillard	// ---------- On initial page load ------------------------------------------------------------
1155
1156			hideClass('cert-options', true);
1157			//hideInput('authorizedkeys', true);
1158	d1e73829	Stephen Beaver	hideCheckbox('showkey', true);
1159	8bab524e	Phil Davis	setcustomoptions();
1160	ccb301a4	Viktor G	change_keytype();
1161	7411c285	Stephen Beaver
1162			// On submit mark all the user's groups as "selected"
1163	d61309a0	Phil Davis	$('form').submit(function() {
1164	7411c285	Stephen Beaver	AllServers($('[name="groups[]"] option'), true);
1165			});
1166	f5c9c0c7	Steve Beaver
1167	7411c285	Stephen Beaver	});
1168			//]]>
1169			</script>
1170			<?php
1171	bb1b5c6f	heper	include('foot.inc');
1172	d6b79c39	Phil Davis	?>

Project

General

Profile

pfSense