/src/usr/local/www/system_usermanager.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/usr/local/www/system_usermanager.php @ c0d3797c

1	1df17ba9	Scott Ullrich	<?php
2	fab7ff44	Bill Marquette	/*
3	c5d81585	Renato Botelho	* system_usermanager.php
4	7d2e572f	Stephen Beaver	*
5	c5d81585	Renato Botelho	* part of pfSense (https://www.pfsense.org)
6	38809d47	Renato Botelho do Couto	* Copyright (c) 2004-2013 BSD Perimeter
7			* Copyright (c) 2013-2016 Electric Sheep Fencing
8	8f2f85c3	Luiz Otavio O Souza	* Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate)
9	c5d81585	Renato Botelho	* Copyright (c) 2008 Shrew Soft Inc.
10			* Copyright (c) 2005 Paul Taylor <paultaylor@winn-dixie.com>
11			* All rights reserved.
12	191cb31d	Stephen Beaver	*
13	c5d81585	Renato Botelho	* originally based on m0n0wall (http://m0n0.ch/wall)
14			* Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>.
15			* All rights reserved.
16	7d2e572f	Stephen Beaver	*
17	b12ea3fb	Renato Botelho	* Licensed under the Apache License, Version 2.0 (the "License");
18			* you may not use this file except in compliance with the License.
19			* You may obtain a copy of the License at
20	7d2e572f	Stephen Beaver	*
21	b12ea3fb	Renato Botelho	* http://www.apache.org/licenses/LICENSE-2.0
22	7d2e572f	Stephen Beaver	*
23	b12ea3fb	Renato Botelho	* Unless required by applicable law or agreed to in writing, software
24			* distributed under the License is distributed on an "AS IS" BASIS,
25			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
26			* See the License for the specific language governing permissions and
27			* limitations under the License.
28	7d2e572f	Stephen Beaver	*/
29	fab7ff44	Bill Marquette
30	6b07c15a	Matthew Grooms	##\|+PRIV
31			##\|*IDENT=page-system-usermanager
32	5230f468	jim-p	##\|*NAME=System: User Manager
33	6b07c15a	Matthew Grooms	##\|*DESCR=Allow access to the 'System: User Manager' page.
34	57188e47	Phil Davis	##\|*WARN=standard-warning-root
35	6b07c15a	Matthew Grooms	##\|MATCH=system_usermanager.php
36			##\|-PRIV
37
38	c81ef6e2	Phil Davis	require_once("certs.inc");
39			require_once("guiconfig.inc");
40	43e07671	doktornotor	require_once("pfsense-utils.inc");
41	fab7ff44	Bill Marquette
42	3fa6d462	jim-p	$logging_level = LOG_WARNING;
43			$logging_prefix = gettext("Local User Database");
44	ccb301a4	Viktor G	$cert_keylens = array("1024", "2048", "3072", "4096", "6144", "7680", "8192", "15360", "16384");
45			$cert_keytypes = array("RSA", "ECDSA");
46			$openssl_ecnames = cert_build_curve_list();
47
48			global $openssl_digest_algs;
49	3fa6d462	jim-p
50	e33be77c	Ermal	// start admin user code
51	4611e283	Steve Beaver	if (isset($_REQUEST['userid']) && is_numericint($_REQUEST['userid'])) {
52			$id = $_REQUEST['userid'];
53	73fa304b	Phil Davis	}
54	1df17ba9	Scott Ullrich
55	c6c398c6	jim-p	init_config_arr(array('system', 'user'));
56	e33be77c	Ermal	$a_user = &$config['system']['user'];
57	4611e283	Steve Beaver	$act = $_REQUEST['act'];
58	45ee90ed	Matthew Grooms
59	73fa304b	Phil Davis	if (isset($_SERVER['HTTP_REFERER'])) {
60	7c2d0050	Renato Botelho	$referer = $_SERVER['HTTP_REFERER'];
61	73fa304b	Phil Davis	} else {
62	7c2d0050	Renato Botelho	$referer = '/system_usermanager.php';
63	73fa304b	Phil Davis	}
64	7c2d0050	Renato Botelho
65	adacdf5f	jim-p	if (isset($id) && $a_user[$id]) {
66			$pconfig['usernamefld'] = $a_user[$id]['name'];
67			$pconfig['descr'] = $a_user[$id]['descr'];
68			$pconfig['expires'] = $a_user[$id]['expires'];
69	8bab524e	Phil Davis	$pconfig['customsettings'] = isset($a_user[$id]['customsettings']);
70			$pconfig['webguicss'] = $a_user[$id]['webguicss'];
71			$pconfig['webguifixedmenu'] = $a_user[$id]['webguifixedmenu'];
72			$pconfig['webguihostnamemenu'] = $a_user[$id]['webguihostnamemenu'];
73			$pconfig['dashboardcolumns'] = $a_user[$id]['dashboardcolumns'];
74	1d3510cf	Phil Davis	$pconfig['interfacessort'] = isset($a_user[$id]['interfacessort']);
75	8bab524e	Phil Davis	$pconfig['dashboardavailablewidgetspanel'] = isset($a_user[$id]['dashboardavailablewidgetspanel']);
76			$pconfig['systemlogsfilterpanel'] = isset($a_user[$id]['systemlogsfilterpanel']);
77			$pconfig['systemlogsmanagelogpanel'] = isset($a_user[$id]['systemlogsmanagelogpanel']);
78			$pconfig['statusmonitoringsettingspanel'] = isset($a_user[$id]['statusmonitoringsettingspanel']);
79			$pconfig['webguileftcolumnhyper'] = isset($a_user[$id]['webguileftcolumnhyper']);
80	d9058974	Phil Davis	$pconfig['disablealiaspopupdetail'] = isset($a_user[$id]['disablealiaspopupdetail']);
81	8bab524e	Phil Davis	$pconfig['pagenamefirst'] = isset($a_user[$id]['pagenamefirst']);
82	adacdf5f	jim-p	$pconfig['groups'] = local_user_get_groups($a_user[$id]);
83			$pconfig['utype'] = $a_user[$id]['scope'];
84			$pconfig['uid'] = $a_user[$id]['uid'];
85			$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
86			$pconfig['priv'] = $a_user[$id]['priv'];
87			$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
88			$pconfig['disabled'] = isset($a_user[$id]['disabled']);
89	98ecfb9f	Jim Pingle	$pconfig['keephistory'] = isset($a_user[$id]['keephistory']);
90	adacdf5f	jim-p	}
91
92	acd7e560	jim-p	/*
93			* Check user privileges to test if the user is allowed to make changes.
94			* Otherwise users can end up in an inconsistent state where some changes are
95			* performed and others denied. See https://redmine.pfsense.org/issues/9259
96			*/
97			phpsession_begin();
98			$guiuser = getUserEntry($_SESSION['Username']);
99			$read_only = (is_array($guiuser) && userHasPrivilege($guiuser, "user-config-readonly"));
100			phpsession_end();
101
102			if (!empty($_POST) && $read_only) {
103			$input_errors = array(gettext("Insufficient privileges to make the requested change (read only)."));
104			}
105
106			if (($_POST['act'] == "deluser") && !$read_only) {
107	45ee90ed	Matthew Grooms
108	f5c9c0c7	Steve Beaver	if (!isset($_POST['username']) \|\| !isset($a_user[$id]) \|\| ($_POST['username'] != $a_user[$id]['name'])) {
109	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
110			exit;
111	6b07c15a	Matthew Grooms	}
112
113	f5c9c0c7	Steve Beaver	if ($_POST['username'] == $_SESSION['Username']) {
114			$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $_POST['username']);
115	d6b79c39	Phil Davis	} else {
116			local_user_del($a_user[$id]);
117			$userdeleted = $a_user[$id]['name'];
118			unset($a_user[$id]);
119	92c27793	jim-p	/* Reindex the array to avoid operating on an incorrect index https://redmine.pfsense.org/issues/7733 */
120			$a_user = array_values($a_user);
121	3fa6d462	jim-p	$savemsg = sprintf(gettext("Successfully deleted user: %s"), $userdeleted);
122			write_config($savemsg);
123			syslog($logging_level, "{$logging_prefix}: {$savemsg}");
124	d6b79c39	Phil Davis	}
125	f5c9c0c7	Steve Beaver
126	d61309a0	Phil Davis	} else if ($act == "new") {
127	e33be77c	Ermal	/*
128			* set this value cause the text field is read only
129			* and the user should not be able to mess with this
130			* setting.
131			*/
132			$pconfig['utype'] = "user";
133			$pconfig['lifetime'] = 3650;
134	fc1913fe	jim-p
135			$nonPrvCas = array();
136			if (is_array($config['ca']) && count($config['ca']) > 0) {
137			foreach ($config['ca'] as $ca) {
138			if (!$ca['prv']) {
139			continue;
140			}
141
142			$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
143			}
144			}
145
146	e33be77c	Ermal	}
147	45ee90ed	Matthew Grooms
148	acd7e560	jim-p	if (isset($_POST['dellall']) && !$read_only) {
149	4e21c82e	bruno
150			$del_users = $_POST['delete_check'];
151	3fa6d462	jim-p	$deleted_users = array();
152	4e21c82e	bruno
153	73fa304b	Phil Davis	if (!empty($del_users)) {
154			foreach ($del_users as $userid) {
155	4e21c82e	bruno	if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
156	d6b79c39	Phil Davis	if ($a_user[$userid]['name'] == $_SESSION['Username']) {
157			$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $a_user[$userid]['name']);
158			} else {
159	3fa6d462	jim-p	$deleted_users[] = $a_user[$userid]['name'];
160	d6b79c39	Phil Davis	local_user_del($a_user[$userid]);
161			unset($a_user[$userid]);
162			}
163			} else {
164			$delete_errors[] = sprintf(gettext("Cannot delete user %s because it is a system user."), $a_user[$userid]['name']);
165	4e21c82e	bruno	}
166			}
167	d6b79c39	Phil Davis
168	3fa6d462	jim-p	if (count($deleted_users) > 0) {
169			$savemsg = sprintf(gettext("Successfully deleted %s: %s"), (count($deleted_users) == 1) ? gettext("user") : gettext("users"), implode(', ', $deleted_users));
170	92c27793	jim-p	/* Reindex the array to avoid operating on an incorrect index https://redmine.pfsense.org/issues/7733 */
171			$a_user = array_values($a_user);
172	d6b79c39	Phil Davis	write_config($savemsg);
173	3fa6d462	jim-p	syslog($logging_level, "{$logging_prefix}: {$savemsg}");
174	d6b79c39	Phil Davis	}
175	4e21c82e	bruno	}
176			}
177
178	acd7e560	jim-p	if (($_POST['act'] == "delcert") && !$read_only) {
179	98402844	Stephen Beaver
180			if (!$a_user[$id]) {
181			pfSenseHeader("system_usermanager.php");
182			exit;
183			}
184
185			$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
186			$certdeleted = $certdeleted['descr'];
187			unset($a_user[$id]['cert'][$_POST['certid']]);
188	3fa6d462	jim-p	$savemsg = sprintf(gettext("Removed certificate association \"%s\" from user %s"), $certdeleted, $a_user[$id]['name']);
189			write_config($savemsg);
190			syslog($logging_level, "{$logging_prefix}: {$savemsg}");
191	98402844	Stephen Beaver	$_POST['act'] = "edit";
192			}
193	64c31615	Stephen Beaver
194	acd7e560	jim-p	if (($_POST['act'] == "delprivid") && !$read_only) {
195	945204b1	Stephen Beaver	$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
196			unset($a_user[$id]['priv'][$_POST['privid']]);
197			local_user_set($a_user[$id]);
198	3fa6d462	jim-p	$savemsg = sprintf(gettext("Removed Privilege \"%s\" from user %s"), $privdeleted, $a_user[$id]['name']);
199			write_config($savemsg);
200			syslog($logging_level, "{$logging_prefix}: {$savemsg}");
201	945204b1	Stephen Beaver	$_POST['act'] = "edit";
202	4c879f95	heper	}
203	98402844	Stephen Beaver
204	acd7e560	jim-p	if ($_POST['save'] && !$read_only) {
205	e33be77c	Ermal	unset($input_errors);
206			$pconfig = $_POST;
207	45ee90ed	Matthew Grooms
208	e33be77c	Ermal	/* input validation */
209			if (isset($id) && ($a_user[$id])) {
210			$reqdfields = explode(" ", "usernamefld");
211			$reqdfieldsn = array(gettext("Username"));
212			} else {
213			if (empty($_POST['name'])) {
214			$reqdfields = explode(" ", "usernamefld passwordfld1");
215			$reqdfieldsn = array(
216			gettext("Username"),
217			gettext("Password"));
218	45ee90ed	Matthew Grooms	} else {
219	e33be77c	Ermal	$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
220			$reqdfieldsn = array(
221			gettext("Username"),
222			gettext("Password"),
223			gettext("Descriptive name"),
224			gettext("Certificate authority"),
225			gettext("Key length"),
226			gettext("Lifetime"));
227	45ee90ed	Matthew Grooms	}
228	e33be77c	Ermal	}
229	45ee90ed	Matthew Grooms
230	1e9b4611	Renato Botelho	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
231	45ee90ed	Matthew Grooms
232	73fa304b	Phil Davis	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
233	e33be77c	Ermal	$input_errors[] = gettext("The username contains invalid characters.");
234	73fa304b	Phil Davis	}
235	45ee90ed	Matthew Grooms
236	a84fb545	Andrei Miu	if (strlen($_POST['usernamefld']) > 32) {
237			$input_errors[] = gettext("The username is longer than 32 characters.");
238	73fa304b	Phil Davis	}
239	94d455da	jim-p
240	73fa304b	Phil Davis	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
241	e33be77c	Ermal	$input_errors[] = gettext("The passwords do not match.");
242	73fa304b	Phil Davis	}
243	45ee90ed	Matthew Grooms
244	73fa304b	Phil Davis	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
245	123d8700	Renato Botelho	$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
246	73fa304b	Phil Davis	}
247	123d8700	Renato Botelho
248	e63321a5	jim-p	/* Check the POSTed groups to ensure they are valid and exist */
249	9d3e8723	Phil Davis	if (is_array($_POST['groups'])) {
250	9f472202	NewEraCracker	foreach ($_POST['groups'] as $newgroup) {
251			if (empty(getGroupEntry($newgroup))) {
252			$input_errors[] = gettext("One or more invalid groups was submitted.");
253			}
254	e63321a5	jim-p	}
255			}
256
257	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
258	e33be77c	Ermal	$oldusername = $a_user[$id]['name'];
259	73fa304b	Phil Davis	} else {
260	e33be77c	Ermal	$oldusername = "";
261	73fa304b	Phil Davis	}
262	e33be77c	Ermal	/* make sure this user name is unique */
263			if (!$input_errors) {
264			foreach ($a_user as $userent) {
265			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
266			$input_errors[] = gettext("Another entry with the same username already exists.");
267			break;
268	58664cc9	Scott Ullrich	}
269	3dec33d4	Erik Fonnesbeck	}
270	e33be77c	Ermal	}
271			/* also make sure it is not reserved */
272			if (!$input_errors) {
273			$system_users = explode("\n", file_get_contents("/etc/passwd"));
274			foreach ($system_users as $s_user) {
275			$ent = explode(":", $s_user);
276			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
277			$input_errors[] = gettext("That username is reserved by the system.");
278			break;
279	8339ab6d	jim-p	}
280	7e4a4513	Scott Ullrich	}
281	e33be77c	Ermal	}
282	1df17ba9	Scott Ullrich
283	e33be77c	Ermal	/*
284	e30050b6	Phil Davis	* Check for a valid expiration date if one is set at all (valid means,
285	4d148b59	Yehuda Katz	* DateTime puts out a time stamp so any DateTime compatible time
286	e33be77c	Ermal	* format may be used. to keep it simple for the enduser, we only
287			* claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
288			* like "+1 day", which will be converted to MM/DD/YYYY based on "now".
289	e30050b6	Phil Davis	* Otherwise such an entry would lead to an invalid expiration data.
290	e33be77c	Ermal	*/
291	73fa304b	Phil Davis	if ($_POST['expires']) {
292	4d148b59	Yehuda Katz	try {
293			$expdate = new DateTime($_POST['expires']);
294			//convert from any DateTime compatible date to MM/DD/YYYY
295			$_POST['expires'] = $expdate->format("m/d/Y");
296	73fa304b	Phil Davis	} catch (Exception $ex) {
297	e33be77c	Ermal	$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
298	0092b3bd	mgrooms	}
299	e33be77c	Ermal	}
300	0092b3bd	mgrooms
301	e33be77c	Ermal	if (!empty($_POST['name'])) {
302			$ca = lookup_ca($_POST['caref']);
303	73fa304b	Phil Davis	if (!$ca) {
304	4c291f4c	Renato Botelho	$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
305	73fa304b	Phil Davis	}
306	e33be77c	Ermal	}
307	9ceace25	jim-p	validate_webguicss_field($input_errors, $_POST['webguicss']);
308			validate_webguifixedmenu_field($input_errors, $_POST['webguifixedmenu']);
309			validate_webguihostnamemenu_field($input_errors, $_POST['webguihostnamemenu']);
310			validate_dashboardcolumns_field($input_errors, $_POST['dashboardcolumns']);
311	c9794c06	Ermal
312	e33be77c	Ermal	if (!$input_errors) {
313	4ee51131	Sjon Hortensius
314	e33be77c	Ermal	$userent = array();
315	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
316	e33be77c	Ermal	$userent = $a_user[$id];
317	73fa304b	Phil Davis	}
318	e879fc81	Ermal
319	e33be77c	Ermal	isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
320
321			/* the user name was modified */
322	926e0a2f	Phil Davis	if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
323	e33be77c	Ermal	$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
324	fdcf104c	jim-p	local_user_del($userent);
325			}
326	1df17ba9	Scott Ullrich
327	e30050b6	Phil Davis	/* the user password was modified */
328	73fa304b	Phil Davis	if ($_POST['passwordfld1']) {
329	e33be77c	Ermal	local_user_set_password($userent, $_POST['passwordfld1']);
330	73fa304b	Phil Davis	}
331	1df17ba9	Scott Ullrich
332	5cde9005	NewEraCracker	/* only change description if sent */
333			if (isset($_POST['descr'])) {
334			$userent['descr'] = $_POST['descr'];
335			}
336
337	e33be77c	Ermal	$userent['name'] = $_POST['usernamefld'];
338			$userent['expires'] = $_POST['expires'];
339	8bab524e	Phil Davis	$userent['dashboardcolumns'] = $_POST['dashboardcolumns'];
340	e33be77c	Ermal	$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
341			$userent['ipsecpsk'] = $_POST['ipsecpsk'];
342	3ccb9689	Charlie Marshall
343	73fa304b	Phil Davis	if ($_POST['disabled']) {
344	e33be77c	Ermal	$userent['disabled'] = true;
345	73fa304b	Phil Davis	} else {
346	e33be77c	Ermal	unset($userent['disabled']);
347	73fa304b	Phil Davis	}
348	e33be77c	Ermal
349	8bab524e	Phil Davis	if ($_POST['customsettings']) {
350			$userent['customsettings'] = true;
351			} else {
352			unset($userent['customsettings']);
353			}
354
355			if ($_POST['webguicss']) {
356			$userent['webguicss'] = $_POST['webguicss'];
357			} else {
358			unset($userent['webguicss']);
359			}
360
361			if ($_POST['webguifixedmenu']) {
362			$userent['webguifixedmenu'] = $_POST['webguifixedmenu'];
363			} else {
364			unset($userent['webguifixedmenu']);
365			}
366
367			if ($_POST['webguihostnamemenu']) {
368			$userent['webguihostnamemenu'] = $_POST['webguihostnamemenu'];
369			} else {
370			unset($userent['webguihostnamemenu']);
371			}
372
373	1d3510cf	Phil Davis	if ($_POST['interfacessort']) {
374			$userent['interfacessort'] = true;
375			} else {
376			unset($userent['interfacessort']);
377			}
378
379	8bab524e	Phil Davis	if ($_POST['dashboardavailablewidgetspanel']) {
380			$userent['dashboardavailablewidgetspanel'] = true;
381			} else {
382			unset($userent['dashboardavailablewidgetspanel']);
383			}
384
385			if ($_POST['systemlogsfilterpanel']) {
386			$userent['systemlogsfilterpanel'] = true;
387			} else {
388			unset($userent['systemlogsfilterpanel']);
389			}
390
391			if ($_POST['systemlogsmanagelogpanel']) {
392			$userent['systemlogsmanagelogpanel'] = true;
393			} else {
394			unset($userent['systemlogsmanagelogpanel']);
395			}
396
397			if ($_POST['statusmonitoringsettingspanel']) {
398			$userent['statusmonitoringsettingspanel'] = true;
399			} else {
400			unset($userent['statusmonitoringsettingspanel']);
401			}
402
403			if ($_POST['webguileftcolumnhyper']) {
404			$userent['webguileftcolumnhyper'] = true;
405			} else {
406			unset($userent['webguileftcolumnhyper']);
407			}
408
409	d9058974	Phil Davis	if ($_POST['disablealiaspopupdetail']) {
410			$userent['disablealiaspopupdetail'] = true;
411			} else {
412			unset($userent['disablealiaspopupdetail']);
413			}
414
415	8bab524e	Phil Davis	if ($_POST['pagenamefirst']) {
416			$userent['pagenamefirst'] = true;
417			} else {
418			unset($userent['pagenamefirst']);
419			}
420
421	98ecfb9f	Jim Pingle	if ($_POST['keephistory']) {
422			$userent['keephistory'] = true;
423			} else {
424			unset($userent['keephistory']);
425			}
426
427	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
428	e33be77c	Ermal	$a_user[$id] = $userent;
429	73fa304b	Phil Davis	} else {
430	e33be77c	Ermal	if (!empty($_POST['name'])) {
431			$cert = array();
432			$cert['refid'] = uniqid();
433	4c291f4c	Renato Botelho	$userent['cert'] = array();
434	e33be77c	Ermal
435			$cert['descr'] = $_POST['name'];
436
437	1ec79365	jim-p	$subject = cert_get_subject_hash($ca['crt']);
438
439			$dn = array();
440			if (!empty($subject['C'])) {
441			$dn['countryName'] = $subject['C'];
442			}
443			if (!empty($subject['ST'])) {
444			$dn['stateOrProvinceName'] = $subject['ST'];
445			}
446			if (!empty($subject['L'])) {
447			$dn['localityName'] = $subject['L'];
448			}
449			if (!empty($subject['O'])) {
450			$dn['organizationName'] = $subject['O'];
451			}
452			if (!empty($subject['OU'])) {
453	354b1c75	jim-p	$dn['organizationalUnitName'] = $subject['OU'];
454	1ec79365	jim-p	}
455			$dn['commonName'] = $userent['name'];
456	e562fca2	jim-p	$cn_altname = cert_add_altname_type($userent['name']);
457			if (!empty($cn_altname)) {
458			$dn['subjectAltName'] = $cn_altname;
459	b767fe6c	jim-p	}
460	e33be77c	Ermal
461			cert_create($cert, $_POST['caref'], $_POST['keylen'],
462	0aa7f5a7	jim-p	(int)$_POST['lifetime'], $dn, 'user',
463	ccb301a4	Viktor G	$_POST['digest_alg'], $_POST['keytype'],
464	0aa7f5a7	jim-p	$_POST['ecname']);
465	e33be77c	Ermal
466	73fa304b	Phil Davis	if (!is_array($config['cert'])) {
467	e33be77c	Ermal	$config['cert'] = array();
468	73fa304b	Phil Davis	}
469	e33be77c	Ermal	$config['cert'][] = $cert;
470			$userent['cert'][] = $cert['refid'];
471			}
472			$userent['uid'] = $config['system']['nextuid']++;
473			/* Add the user to All Users group. */
474			foreach ($config['system']['group'] as $gidx => $group) {
475			if ($group['name'] == "all") {
476	73fa304b	Phil Davis	if (!is_array($config['system']['group'][$gidx]['member'])) {
477	e33be77c	Ermal	$config['system']['group'][$gidx]['member'] = array();
478	73fa304b	Phil Davis	}
479	e33be77c	Ermal	$config['system']['group'][$gidx]['member'][] = $userent['uid'];
480			break;
481			}
482			}
483	970db70b	Scott Ullrich
484	e33be77c	Ermal	$a_user[] = $userent;
485	45ee90ed	Matthew Grooms	}
486	e33be77c	Ermal
487	dc3bc1f8	Renato Botelho	/* Sort it alphabetically */
488			usort($config['system']['user'], function($a, $b) {
489			return strcmp($a['name'], $b['name']);
490			});
491
492	d61309a0	Phil Davis	local_user_set_groups($userent, $_POST['groups']);
493	e33be77c	Ermal	local_user_set($userent);
494	e6c79cd3	jim-p
495			/* Update user index to account for new changes */
496			global $userindex;
497			$userindex = index_users();
498
499	3fa6d462	jim-p	$savemsg = sprintf(gettext("Successfully %s user %s"), (isset($id)) ? gettext("edited") : gettext("created"), $userent['name']);
500			write_config($savemsg);
501			syslog($logging_level, "{$logging_prefix}: {$savemsg}");
502	73fa304b	Phil Davis	if (is_dir("/etc/inc/privhooks")) {
503	e33be77c	Ermal	run_plugins("/etc/inc/privhooks");
504	73fa304b	Phil Davis	}
505	e33be77c	Ermal
506	5d0c974d	jim-p	if ($userent['uid'] == 0) {
507			log_error(gettext("Restarting sshd due to admin account change."));
508			send_event("service restart sshd");
509			}
510
511	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
512	45ee90ed	Matthew Grooms	}
513	e33be77c	Ermal	}
514	fab7ff44	Bill Marquette
515	7411c285	Stephen Beaver	function build_priv_table() {
516	acd7e560	jim-p	global $a_user, $id, $read_only;
517	7411c285	Stephen Beaver
518			$privhtml = '<div class="table-responsive">';
519			$privhtml .= '<table class="table table-striped table-hover table-condensed">';
520			$privhtml .= '<thead>';
521	7d2e572f	Stephen Beaver	$privhtml .= '<tr>';
522			$privhtml .= '<th>' . gettext('Inherited from') . '</th>';
523			$privhtml .= '<th>' . gettext('Name') . '</th>';
524			$privhtml .= '<th>' . gettext('Description') . '</th>';
525	f460db90	NOYB	$privhtml .= '<th>' . gettext('Action') . '</th>';
526	7d2e572f	Stephen Beaver	$privhtml .= '</tr>';
527	7411c285	Stephen Beaver	$privhtml .= '</thead>';
528			$privhtml .= '<tbody>';
529
530	945204b1	Stephen Beaver	$i = 0;
531	57188e47	Phil Davis	$user_has_root_priv = false;
532	945204b1	Stephen Beaver
533			foreach (get_user_privdesc($a_user[$id]) as $priv) {
534			$group = false;
535			if ($priv['group']) {
536			$group = $priv['group'];
537			}
538
539	7411c285	Stephen Beaver	$privhtml .= '<tr>';
540			$privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>';
541			$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
542	57188e47	Phil Davis	$privhtml .= '<td>' . htmlspecialchars($priv['descr']);
543			if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) {
544	21312954	Phil Davis	$privhtml .= ' ' . gettext('(admin privilege)');
545	57188e47	Phil Davis	$user_has_root_priv = true;
546			}
547			$privhtml .= '</td>';
548	945204b1	Stephen Beaver	$privhtml .= '<td>';
549	acd7e560	jim-p	if (!$group && !$read_only) {
550	f460db90	NOYB	$privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
551	d61309a0	Phil Davis	}
552	945204b1	Stephen Beaver
553			$privhtml .= '</td>';
554	7411c285	Stephen Beaver	$privhtml .= '</tr>';
555	945204b1	Stephen Beaver
556	d61309a0	Phil Davis	if (!$group) {
557	945204b1	Stephen Beaver	$i++;
558	d61309a0	Phil Davis	}
559	7411c285	Stephen Beaver	}
560
561	57188e47	Phil Davis	if ($user_has_root_priv) {
562			$privhtml .= '<tr>';
563			$privhtml .= '<td colspan="3">';
564	9187d6f7	Phil Davis	$privhtml .= '<b>' . gettext('Security notice: This user effectively has administrator-level access') . '</b>';
565	57188e47	Phil Davis	$privhtml .= '</td>';
566			$privhtml .= '<td>';
567			$privhtml .= '</td>';
568			$privhtml .= '</tr>';
569	f5c9c0c7	Steve Beaver
570	57188e47	Phil Davis	}
571
572	7411c285	Stephen Beaver	$privhtml .= '</tbody>';
573			$privhtml .= '</table>';
574			$privhtml .= '</div>';
575
576			$privhtml .= '<nav class="action-buttons">';
577	acd7e560	jim-p	if (!$read_only) {
578			$privhtml .= '<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
579			}
580	7411c285	Stephen Beaver	$privhtml .= '</nav>';
581
582			return($privhtml);
583			}
584	98402844	Stephen Beaver
585	7411c285	Stephen Beaver	function build_cert_table() {
586	acd7e560	jim-p	global $a_user, $id, $read_only;
587	7411c285	Stephen Beaver
588			$certhtml = '<div class="table-responsive">';
589			$certhtml .= '<table class="table table-striped table-hover table-condensed">';
590			$certhtml .= '<thead>';
591	7d2e572f	Stephen Beaver	$certhtml .= '<tr>';
592			$certhtml .= '<th>' . gettext('Name') . '</th>';
593			$certhtml .= '<th>' . gettext('CA') . '</th>';
594	98402844	Stephen Beaver	$certhtml .= '<th></th>';
595	7d2e572f	Stephen Beaver	$certhtml .= '</tr>';
596	7411c285	Stephen Beaver	$certhtml .= '</thead>';
597			$certhtml .= '<tbody>';
598
599			$a_cert = $a_user[$id]['cert'];
600			if (is_array($a_cert)) {
601			$i = 0;
602			foreach ($a_cert as $certref) {
603	7d2e572f	Stephen Beaver	$cert = lookup_cert($certref);
604			$ca = lookup_ca($cert['caref']);
605			$revokedstr = is_cert_revoked($cert) ? '<b> Revoked</b>':'';
606
607	7411c285	Stephen Beaver	$certhtml .= '<tr>';
608	7d2e572f	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
609	7411c285	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($ca['descr']) . '</td>';
610	db676e5b	Stephen Beaver	$certhtml .= '<td>';
611	acd7e560	jim-p	if (!$read_only) {
612			$certhtml .= '<a id="delcert' . $i .'" class="fa fa-trash no-confirm icon-pointer" title="';
613			$certhtml .= gettext('Remove this certificate association? (Certificate will not be deleted)') . '"></a>';
614			}
615	db676e5b	Stephen Beaver	$certhtml .= '</td>';
616	7411c285	Stephen Beaver	$certhtml .= '</tr>';
617	db676e5b	Stephen Beaver	$i++;
618	7411c285	Stephen Beaver	}
619	db676e5b	Stephen Beaver
620	7411c285	Stephen Beaver	}
621
622			$certhtml .= '</tbody>';
623			$certhtml .= '</table>';
624			$certhtml .= '</div>';
625
626			$certhtml .= '<nav class="action-buttons">';
627	acd7e560	jim-p	if (!$read_only) {
628			$certhtml .= '<a href="system_certmanager.php?act=new&userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
629			}
630	7411c285	Stephen Beaver	$certhtml .= '</nav>';
631
632			return($certhtml);
633			}
634
635	8f1ab2a4	k-paulius	$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Users"));
636	edcd7535	Phil Davis	$pglinks = array("", "system_usermanager.php", "system_usermanager.php");
637	8f1ab2a4	k-paulius
638			if ($act == "new" \|\| $act == "edit" \|\| $input_errors) {
639			$pgtitle[] = gettext('Edit');
640	edcd7535	Phil Davis	$pglinks[] = "@self";
641	8f1ab2a4	k-paulius	}
642	4611e283	Steve Beaver
643	e33be77c	Ermal	include("head.inc");
644	fab7ff44	Bill Marquette
645	d6b79c39	Phil Davis	if ($delete_errors) {
646			print_input_errors($delete_errors);
647			}
648
649	d61309a0	Phil Davis	if ($input_errors) {
650	4ee51131	Sjon Hortensius	print_input_errors($input_errors);
651	d61309a0	Phil Davis	}
652	98402844	Stephen Beaver
653	d61309a0	Phil Davis	if ($savemsg) {
654	98402844	Stephen Beaver	print_info_box($savemsg, 'success');
655	d61309a0	Phil Davis	}
656	4ee51131	Sjon Hortensius
657			$tab_array = array();
658			$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
659			$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
660			$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
661	2d1f33d9	k-paulius	$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
662	4ee51131	Sjon Hortensius	display_top_tabs($tab_array);
663
664	7411c285	Stephen Beaver	if (!($act == "new" \|\| $act == "edit" \|\| $input_errors)) {
665	64600f94	Sjon Hortensius	?>
666	64c31615	Stephen Beaver	<form method="post">
667	060ed238	Stephen Beaver	<div class="panel panel-default">
668			<div class="panel-heading"><h2 class="panel-title"><?=gettext('Users')?></h2></div>
669			<div class="panel-body">
670			<div class="table-responsive">
671	1c10ce97	PiBa-NL	<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap table-rowdblclickedit" data-sortable>
672	060ed238	Stephen Beaver	<thead>
673			<tr>
674			<th> </th>
675			<th><?=gettext("Username")?></th>
676			<th><?=gettext("Full name")?></th>
677	edd88334	NOYB	<th><?=gettext("Status")?></th>
678	060ed238	Stephen Beaver	<th><?=gettext("Groups")?></th>
679	70dc5cd6	Phil Davis	<th><?=gettext("Actions")?></th>
680	060ed238	Stephen Beaver	</tr>
681			</thead>
682			<tbody>
683	a0165602	Sjon Hortensius	<?php
684	d61309a0	Phil Davis	foreach ($a_user as $i => $userent):
685	a0165602	Sjon Hortensius	?>
686	060ed238	Stephen Beaver	<tr>
687			<td>
688	d6b79c39	Phil Davis	<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=((($userent['scope'] == "system") \|\| ($userent['name'] == $_SESSION['Username'])) ? 'disabled' : '')?>/>
689	060ed238	Stephen Beaver	</td>
690			<td>
691	a0165602	Sjon Hortensius	<?php
692	d61309a0	Phil Davis	if ($userent['scope'] != "user") {
693	edf6dbfa	jim-p	$usrimg = 'eye';
694	d61309a0	Phil Davis	} else {
695	a0165602	Sjon Hortensius	$usrimg = 'user';
696	d61309a0	Phil Davis	}
697	a0165602	Sjon Hortensius	?>
698	edf6dbfa	jim-p	<i class="fa fa-<?=$usrimg?>" title="<?= gettext("Scope") . ": {$userent['scope']}" ?>"></i>
699	060ed238	Stephen Beaver	<?=htmlspecialchars($userent['name'])?>
700			</td>
701			<td><?=htmlspecialchars($userent['descr'])?></td>
702	0fdbaca8	NOYB	<td><i class="fa fa-<?= (isset($userent['disabled'])) ? 'ban" title="' . gettext("Disabled") . '"' : 'check" title="' . gettext("Enabled") . '"' ; ?>><span style='display: none'><?= (isset($userent['disabled'])) ? gettext("Disabled") : gettext("Enabled") ; ?></span></i></td>
703	060ed238	Stephen Beaver	<td><?=implode(",", local_user_get_groups($userent))?></td>
704			<td>
705	4611e283	Steve Beaver	<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&userid=<?=$i?>"></a>
706	acd7e560	jim-p	<?php if (($userent['scope'] != "system") && ($userent['name'] != $_SESSION['Username']) && !$read_only): ?>
707	f5c9c0c7	Steve Beaver	<a class="fa fa-trash" title="<?=gettext("Delete user")?>" href="?act=deluser&userid=<?=$i?>&username=<?=$userent['name']?>" usepost></a>
708	a0165602	Sjon Hortensius	<?php endif; ?>
709	060ed238	Stephen Beaver	</td>
710			</tr>
711	a0165602	Sjon Hortensius	<?php endforeach; ?>
712	060ed238	Stephen Beaver	</tbody>
713			</table>
714			</div>
715			</div>
716	94404d94	Sander van Leeuwen	</div>
717	c10cb196	Stephen Beaver	<nav class="action-buttons">
718	acd7e560	jim-p	<?php if (!$read_only): ?>
719
720	4611e283	Steve Beaver	<a href="?act=new" class="btn btn-sm btn-success">
721	9d5a20cf	heper	<i class="fa fa-plus icon-embed-btn"></i>
722	b921ab63	Stephen Beaver	<?=gettext("Add")?>
723			</a>
724	64c31615	Stephen Beaver
725			<button type="submit" class="btn btn-sm btn-danger" name="dellall" value="dellall" title="<?=gettext('Delete selected users')?>">
726			<i class="fa fa-trash icon-embed-btn"></i>
727			<?=gettext("Delete")?>
728			</button>
729	acd7e560	jim-p	<?php endif; ?>
730	f5c9c0c7	Steve Beaver
731	94404d94	Sander van Leeuwen	</nav>
732	d825dfea	NOYB	</form>
733	3c3ede28	Stephen Beaver	<div class="infoblock">
734	a0165602	Sjon Hortensius	<?php
735	a0d084fe	k-paulius	print_callout('<p>' . gettext("Additional users can be added here. User permissions for accessing " .
736			"the webConfigurator can be assigned directly or inherited from group memberships. " .
737			"Some system object properties can be modified but they cannot be deleted.") . '</p>' .
738			'<p>' . gettext("Accounts added here are also used for other parts of the system " .
739			"such as OpenVPN, IPsec, and Captive Portal.") . '</p>'
740			);
741	f5c9c0c7	Steve Beaver
742	d3f59a8c	Steve Beaver	?></div>
743
744	f5c9c0c7	Steve Beaver	<?php
745	a0165602	Sjon Hortensius	include("foot.inc");
746			exit;
747			}
748	4ee51131	Sjon Hortensius
749			$form = new Form;
750
751	7411c285	Stephen Beaver	if ($act == "new" \|\| $act == "edit" \|\| $input_errors):
752	4ee51131	Sjon Hortensius
753	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
754			'act',
755			null,
756			'hidden',
757			''
758			));
759	4ee51131	Sjon Hortensius
760	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
761			'userid',
762			null,
763			'hidden',
764			isset($id) ? $id:''
765			));
766	4ee51131	Sjon Hortensius
767	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
768			'privid',
769			null,
770			'hidden',
771			''
772			));
773	4ee51131	Sjon Hortensius
774	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
775			'certid',
776			null,
777			'hidden',
778			''
779			));
780	4ee51131	Sjon Hortensius
781	7411c285	Stephen Beaver	$ro = "";
782			if ($pconfig['utype'] == "system") {
783	c4b60a9a	Colin Fleming	$ro = "readonly";
784	7411c285	Stephen Beaver	}
785	4ee51131	Sjon Hortensius
786	7411c285	Stephen Beaver	$section = new Form_Section('User Properties');
787	4ee51131	Sjon Hortensius
788	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
789			'Defined by',
790			strtoupper($pconfig['utype'])
791			));
792	4ee51131	Sjon Hortensius
793	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
794			'utype',
795			null,
796			'hidden',
797			$pconfig['utype']
798			));
799	4ee51131	Sjon Hortensius
800	7411c285	Stephen Beaver	$section->addInput(new Form_Checkbox(
801			'disabled',
802			'Disabled',
803			'This user cannot login',
804			$pconfig['disabled']
805			));
806	6b07c15a	Matthew Grooms
807	7411c285	Stephen Beaver	$section->addInput($input = new Form_Input(
808			'usernamefld',
809	153c3aa6	Phil Davis	'*Username',
810	7411c285	Stephen Beaver	'text',
811	659a8a26	jim-p	$pconfig['usernamefld'],
812			['autocomplete' => 'new-password']
813	7411c285	Stephen Beaver	));
814	61dec0b0	Renato Botelho
815	d61309a0	Phil Davis	if ($ro) {
816	1fe9cc38	Stephen Beaver	$input->setReadonly();
817	d61309a0	Phil Davis	}
818	7411c285	Stephen Beaver
819			$form->addGlobal(new Form_Input(
820			'oldusername',
821	4ee51131	Sjon Hortensius	null,
822	7411c285	Stephen Beaver	'hidden',
823			$pconfig['usernamefld']
824	4ee51131	Sjon Hortensius	));
825	6b07c15a	Matthew Grooms
826	153c3aa6	Phil Davis	if ($act == "edit") {
827			$pwd_required = "";
828			} else {
829			$pwd_required = "*";
830			}
831
832			$group = new Form_Group($pwd_required . 'Password');
833	7411c285	Stephen Beaver	$group->add(new Form_Input(
834			'passwordfld1',
835			'Password',
836	659a8a26	jim-p	'password',
837			null,
838			['autocomplete' => 'new-password']
839	7411c285	Stephen Beaver	));
840			$group->add(new Form_Input(
841			'passwordfld2',
842			'Confirm Password',
843	659a8a26	jim-p	'password',
844			null,
845			['autocomplete' => 'new-password']
846	7411c285	Stephen Beaver	));
847
848			$section->add($group);
849
850			$section->addInput($input = new Form_Input(
851			'descr',
852			'Full name',
853			'text',
854			htmlspecialchars($pconfig['descr'])
855	89140b63	NOYB	))->setHelp('User\'s full name, for administrative information only');
856	7411c285	Stephen Beaver
857	d61309a0	Phil Davis	if ($ro) {
858	7411c285	Stephen Beaver	$input->setDisabled();
859	d61309a0	Phil Davis	}
860	7411c285	Stephen Beaver
861			$section->addInput(new Form_Input(
862			'expires',
863			'Expiration date',
864	d78dbc34	Stephen Beaver	'text',
865	7411c285	Stephen Beaver	$pconfig['expires']
866			))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
867	98b87cfa	Jonathon Anderson	'the expiration date as MM/DD/YYYY');
868	7411c285	Stephen Beaver
869	8bab524e	Phil Davis	$section->addInput(new Form_Checkbox(
870			'customsettings',
871			'Custom Settings',
872			'Use individual customized GUI options and dashboard layout for this user.',
873			$pconfig['customsettings']
874			));
875
876			gen_user_settings_fields($section, $pconfig);
877
878	7411c285	Stephen Beaver	// ==== Group membership ==================================================
879			$group = new Form_Group('Group membership');
880
881	7d2e572f	Stephen Beaver	// Make a list of all the groups configured on the system, and a list of
882	7411c285	Stephen Beaver	// those which this user is a member of
883			$systemGroups = array();
884			$usersGroups = array();
885
886			$usergid = [$pconfig['usernamefld']];
887
888			foreach ($config['system']['group'] as $Ggroup) {
889	d61309a0	Phil Davis	if ($Ggroup['name'] != "all") {
890	5c3a8a9c	Stephen Jones	if (($act == 'edit' \|\| $input_errors) && $Ggroup['member'] && in_array($a_user[$id]['uid'], $Ggroup['member'])) {
891	b4333696	Stephen Beaver	$usersGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the user's list
892	d61309a0	Phil Davis	} else {
893	b4333696	Stephen Beaver	$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
894	d61309a0	Phil Davis	}
895	b4333696	Stephen Beaver	}
896	7411c285	Stephen Beaver	}
897
898			$group->add(new Form_Select(
899			'sysgroups',
900			null,
901			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
902			$systemGroups,
903			true
904	953385a3	heper	))->setHelp('Not member of');
905	6b07c15a	Matthew Grooms
906	7411c285	Stephen Beaver	$group->add(new Form_Select(
907			'groups',
908			null,
909			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
910			$usersGroups,
911			true
912	953385a3	heper	))->setHelp('Member of');
913	7411c285	Stephen Beaver
914			$section->add($group);
915
916			$group = new Form_Group('');
917
918			$group->add(new Form_Button(
919			'movetoenabled',
920	faab522f	Renato Botelho	'Move to "Member of" list',
921	37676f4e	jim-p	null,
922			'fa-angle-double-right'
923	347c0214	Phil Davis	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
924	7411c285	Stephen Beaver
925			$group->add(new Form_Button(
926			'movetodisabled',
927	faab522f	Renato Botelho	'Move to "Not member of" list',
928	37676f4e	jim-p	null,
929			'fa-angle-double-left'
930	347c0214	Phil Davis	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
931	4ee51131	Sjon Hortensius
932	e4c7d45f	NewEraCracker	$group->setHelp('Hold down CTRL (PC)/COMMAND (Mac) key to select multiple items.');
933	7411c285	Stephen Beaver	$section->add($group);
934	4ee51131	Sjon Hortensius
935	7411c285	Stephen Beaver	// ==== Button for adding user certificate ================================
936	d61309a0	Phil Davis	if ($act == 'new') {
937	fc1913fe	jim-p	if (count($nonPrvCas) > 0) {
938			$section->addInput(new Form_Checkbox(
939			'showcert',
940			'Certificate',
941			'Click to create a user certificate',
942			false
943			));
944			} else {
945			$section->addInput(new Form_StaticText(
946			'Certificate',
947			gettext('No private CAs found. A private CA is required to create a new user certificate. ' .
948			'Save the user first to import an external certificate.')
949			));
950			}
951	6b07c15a	Matthew Grooms	}
952
953	7411c285	Stephen Beaver	$form->add($section);
954	6b07c15a	Matthew Grooms
955	7411c285	Stephen Beaver	// ==== Effective privileges section ======================================
956			if (isset($pconfig['uid'])) {
957			// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
958			// is the best way to make the display we need.
959	6b07c15a	Matthew Grooms
960	7411c285	Stephen Beaver	$section = new Form_Section('Effective Privileges');
961	4ee51131	Sjon Hortensius
962	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
963			null,
964			build_priv_table()
965			));
966	4ee51131	Sjon Hortensius
967	7411c285	Stephen Beaver	$form->add($section);
968	4ee51131	Sjon Hortensius
969	7411c285	Stephen Beaver	// ==== Certificate table section =====================================
970	5f88f964	k-paulius	$section = new Form_Section('User Certificates');
971	7411c285	Stephen Beaver
972			$section->addInput(new Form_StaticText(
973			null,
974			build_cert_table()
975			));
976	64600f94	Sjon Hortensius
977			$form->add($section);
978	c9794c06	Ermal	}
979	7411c285	Stephen Beaver
980	f14ff867	Phil Davis	// ==== Add user certificate for a new user
981			if (is_array($config['ca']) && count($config['ca']) > 0) {
982	5f88f964	k-paulius	$section = new Form_Section('Create Certificate for User');
983	f14ff867	Phil Davis	$section->addClass('cert-options');
984	c9794c06	Ermal
985	f14ff867	Phil Davis	if (!empty($nonPrvCas)) {
986			$section->addInput(new Form_Input(
987			'name',
988			'Descriptive name',
989			'text',
990			$pconfig['name']
991			));
992	7411c285	Stephen Beaver
993	f14ff867	Phil Davis	$section->addInput(new Form_Select(
994			'caref',
995			'Certificate authority',
996			null,
997			$nonPrvCas
998			));
999	7411c285	Stephen Beaver
1000	f14ff867	Phil Davis	$section->addInput(new Form_Select(
1001	ccb301a4	Viktor G	'keytype',
1002			'*Key type',
1003			$pconfig['keytype'],
1004			array_combine($cert_keytypes, $cert_keytypes)
1005			));
1006
1007			$group = new Form_Group($i == 0 ? '*Key length':'');
1008			$group->addClass('rsakeys');
1009			$group->add(new Form_Select(
1010	f14ff867	Phil Davis	'keylen',
1011	ccb301a4	Viktor G	null,
1012	293c7335	jim-p	$pconfig['keylen'] ? $pconfig['keylen'] : '2048',
1013	ccb301a4	Viktor G	array_combine($cert_keylens, $cert_keylens)
1014			))->setHelp('The length to use when generating a new RSA key, in bits. %1$s' .
1015			'The Key Length should not be lower than 2048 or some platforms ' .
1016			'may consider the certificate invalid.', '<br/>');
1017			$section->add($group);
1018
1019			$group = new Form_Group($i == 0 ? '*Elliptic Curve Name':'');
1020			$group->addClass('ecnames');
1021			$group->add(new Form_Select(
1022			'ecname',
1023			null,
1024	293c7335	jim-p	$pconfig['ecname'] ? $pconfig['ecname'] : 'prime256v1',
1025	ccb301a4	Viktor G	$openssl_ecnames
1026			))->setHelp('Curves may not be compatible with all uses. Known compatible curve uses are denoted in brackets.');
1027			$section->add($group);
1028
1029			$section->addInput(new Form_Select(
1030	0aa7f5a7	jim-p	'digest_alg',
1031	ccb301a4	Viktor G	'*Digest Algorithm',
1032	0aa7f5a7	jim-p	$pconfig['digest_alg'] ? $pconfig['digest_alg'] : 'sha256',
1033	ccb301a4	Viktor G	array_combine($openssl_digest_algs, $openssl_digest_algs)
1034			))->setHelp('The digest method used when the certificate is signed. %1$s' .
1035			'The best practice is to use an algorithm stronger than SHA1. '.
1036			'Some platforms may consider weaker digest algorithms invalid', '<br/>');
1037	7411c285	Stephen Beaver
1038	f14ff867	Phil Davis	$section->addInput(new Form_Input(
1039			'lifetime',
1040			'Lifetime',
1041			'number',
1042			$pconfig['lifetime']
1043			));
1044	7411c285	Stephen Beaver	}
1045
1046	f14ff867	Phil Davis	$form->add($section);
1047			}
1048
1049	7411c285	Stephen Beaver	endif;
1050			// ==== Paste a key for the new user
1051	4ee51131	Sjon Hortensius	$section = new Form_Section('Keys');
1052
1053	35e0cd70	Stephen Beaver	$section->addInput(new Form_Checkbox(
1054			'showkey',
1055			'Authorized keys',
1056			'Click to paste an authorized key',
1057			false
1058			));
1059
1060	4ee51131	Sjon Hortensius	$section->addInput(new Form_Textarea(
1061			'authorizedkeys',
1062	d1e73829	Stephen Beaver	'Authorized SSH Keys',
1063	4ee51131	Sjon Hortensius	$pconfig['authorizedkeys']
1064	d1e73829	Stephen Beaver	))->setHelp('Enter authorized SSH keys for this user');
1065	4ee51131	Sjon Hortensius
1066	35e0cd70	Stephen Beaver	$section->addInput(new Form_Input(
1067	4ee51131	Sjon Hortensius	'ipsecpsk',
1068			'IPsec Pre-Shared Key',
1069			'text',
1070			$pconfig['ipsecpsk']
1071			));
1072
1073			$form->add($section);
1074	7411c285	Stephen Beaver
1075	98ecfb9f	Jim Pingle	$section = new Form_Section('Shell Behavior');
1076
1077			$section->addInput(new Form_Checkbox(
1078			'keephistory',
1079			'Keep Command History',
1080			'Keep shell command history between login sessions',
1081			$pconfig['keephistory']
1082			))->setHelp('If this user has shell access, this option preserves the last 1000 unique commands entered at a shell prompt between login sessions. ' .
1083			'The user can access history using the up and down arrows at an SSH or console shell prompt ' .
1084			'and search the history by typing a partial command and then using the up or down arrows.');
1085
1086			$form->add($section);
1087
1088	a0165602	Sjon Hortensius	print $form;
1089	8bab524e	Phil Davis
1090			$csswarning = sprintf(gettext("%sUser-created themes are unsupported, use at your own risk."), "<br />");
1091	7411c285	Stephen Beaver	?>
1092	8fd9052f	Colin Fleming	<script type="text/javascript">
1093	7411c285	Stephen Beaver	//<![CDATA[
1094	d61309a0	Phil Davis	events.push(function() {
1095	7411c285	Stephen Beaver
1096	8bab524e	Phil Davis	function setcustomoptions() {
1097			var adv = $('#customsettings').prop('checked');
1098
1099			hideInput('webguicss', !adv);
1100			hideInput('webguifixedmenu', !adv);
1101			hideInput('webguihostnamemenu', !adv);
1102			hideInput('dashboardcolumns', !adv);
1103	1d3510cf	Phil Davis	hideCheckbox('interfacessort', !adv);
1104	8bab524e	Phil Davis	hideCheckbox('dashboardavailablewidgetspanel', !adv);
1105			hideCheckbox('systemlogsfilterpanel', !adv);
1106			hideCheckbox('systemlogsmanagelogpanel', !adv);
1107			hideCheckbox('statusmonitoringsettingspanel', !adv);
1108			hideCheckbox('webguileftcolumnhyper', !adv);
1109	d9058974	Phil Davis	hideCheckbox('disablealiaspopupdetail', !adv);
1110	8bab524e	Phil Davis	hideCheckbox('pagenamefirst', !adv);
1111			}
1112
1113			// Handle displaying a warning message if a user-created theme is selected.
1114			function setThemeWarning() {
1115			if ($('#webguicss').val().startsWith("pfSense")) {
1116			$('#csstxt').html("").addClass("text-default");
1117			} else {
1118			$('#csstxt').html("<?=$csswarning?>").addClass("text-danger");
1119			}
1120			}
1121
1122	ccb301a4	Viktor G	function change_keytype() {
1123			hideClass('rsakeys', ($('#keytype').val() != 'RSA'));
1124			hideClass('ecnames', ($('#keytype').val() != 'ECDSA'));
1125			}
1126
1127	8bab524e	Phil Davis	$('#webguicss').change(function() {
1128			setThemeWarning();
1129			});
1130
1131			setThemeWarning();
1132
1133	7411c285	Stephen Beaver	// On click . .
1134	8bab524e	Phil Davis	$('#customsettings').click(function () {
1135			setcustomoptions();
1136			});
1137
1138	7411c285	Stephen Beaver	$("#movetodisabled").click(function() {
1139			moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
1140			});
1141
1142			$("#movetoenabled").click(function() {
1143			moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
1144			});
1145
1146			$("#showcert").click(function() {
1147			hideClass('cert-options', !this.checked);
1148			});
1149
1150			$("#showkey").click(function() {
1151	35e0cd70	Stephen Beaver	hideInput('authorizedkeys', false);
1152			hideCheckbox('showkey', true);
1153	7411c285	Stephen Beaver	});
1154
1155	98402844	Stephen Beaver	$('[id^=delcert]').click(function(event) {
1156	d61309a0	Phil Davis	if (confirm(event.target.title)) {
1157	98402844	Stephen Beaver	$('#certid').val(event.target.id.match(/\d+$/)[0]);
1158			$('#userid').val('<?=$id;?>');
1159			$('#act').val('delcert');
1160			$('form').submit();
1161			}
1162			});
1163	945204b1	Stephen Beaver
1164	408d0882	heper	$('[id^=delprivid]').click(function(event) {
1165	d61309a0	Phil Davis	if (confirm(event.target.title)) {
1166	4c879f95	heper	$('#privid').val(event.target.id.match(/\d+$/)[0]);
1167	408d0882	heper	$('#userid').val('<?=$id;?>');
1168			$('#act').val('delprivid');
1169			$('form').submit();
1170			}
1171			});
1172	64c31615	Stephen Beaver
1173	53c38ff1	Stephen Beaver	$('#expires').datepicker();
1174	98402844	Stephen Beaver
1175	ccb301a4	Viktor G	$('#keytype').change(function () {
1176			change_keytype();
1177			});
1178
1179	eef93144	Jared Dillard	// ---------- On initial page load ------------------------------------------------------------
1180
1181			hideClass('cert-options', true);
1182			//hideInput('authorizedkeys', true);
1183	d1e73829	Stephen Beaver	hideCheckbox('showkey', true);
1184	8bab524e	Phil Davis	setcustomoptions();
1185	ccb301a4	Viktor G	change_keytype();
1186	7411c285	Stephen Beaver
1187			// On submit mark all the user's groups as "selected"
1188	d61309a0	Phil Davis	$('form').submit(function() {
1189	7411c285	Stephen Beaver	AllServers($('[name="groups[]"] option'), true);
1190			});
1191	f5c9c0c7	Steve Beaver
1192	7411c285	Stephen Beaver	});
1193			//]]>
1194			</script>
1195			<?php
1196	bb1b5c6f	heper	include('foot.inc');
1197	d6b79c39	Phil Davis	?>

Project

General

Profile

pfSense