/src/usr/local/www/system_usermanager.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/usr/local/www/system_usermanager.php @ cba6dcbb

1	1df17ba9	Scott Ullrich	<?php
2	fab7ff44	Bill Marquette	/*
3	4c291f4c	Renato Botelho	system_usermanager.php
4	fab7ff44	Bill Marquette	*/
5	7d2e572f	Stephen Beaver	/* ====================================================================
6			* Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved.
7			* Copyright (c) 2008 Shrew Soft Inc.
8			* Copyright (c) 2005 Paul Taylor <paultaylor@winn-dixie.com>
9			*
10	cb41dd63	Renato Botelho	* Some or all of this file is based on the m0n0wall project which is
11			* Copyright (c) 2004 Manuel Kasper (BSD 2 clause)
12	191cb31d	Stephen Beaver	*
13	7d2e572f	Stephen Beaver	* Redistribution and use in source and binary forms, with or without modification,
14			* are permitted provided that the following conditions are met:
15			*
16			* 1. Redistributions of source code must retain the above copyright notice,
17			* this list of conditions and the following disclaimer.
18			*
19			* 2. Redistributions in binary form must reproduce the above copyright
20			* notice, this list of conditions and the following disclaimer in
21			* the documentation and/or other materials provided with the
22			* distribution.
23			*
24			* 3. All advertising materials mentioning features or use of this software
25			* must display the following acknowledgment:
26			* "This product includes software developed by the pfSense Project
27			* for use in the pfSense software distribution. (http://www.pfsense.org/).
28			*
29			* 4. The names "pfSense" and "pfSense Project" must not be used to
30			* endorse or promote products derived from this software without
31			* prior written permission. For written permission, please contact
32			* coreteam@pfsense.org.
33			*
34			* 5. Products derived from this software may not be called "pfSense"
35			* nor may "pfSense" appear in their names without prior written
36			* permission of the Electric Sheep Fencing, LLC.
37			*
38			* 6. Redistributions of any form whatsoever must retain the following
39			* acknowledgment:
40			*
41			* "This product includes software developed by the pfSense Project
42			* for use in the pfSense software distribution (http://www.pfsense.org/).
43			*
44			* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
45			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
48			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55			* OF THE POSSIBILITY OF SUCH DAMAGE.
56			*
57			* ====================================================================
58			*
59			*/
60	fab7ff44	Bill Marquette
61	6b07c15a	Matthew Grooms	##\|+PRIV
62			##\|*IDENT=page-system-usermanager
63	5230f468	jim-p	##\|*NAME=System: User Manager
64	6b07c15a	Matthew Grooms	##\|*DESCR=Allow access to the 'System: User Manager' page.
65			##\|MATCH=system_usermanager.php
66			##\|-PRIV
67
68	71d3c2f7	Phil Davis	require_once("certs.inc");
69			require_once("guiconfig.inc");
70	fab7ff44	Bill Marquette
71	e33be77c	Ermal	// start admin user code
72	73fa304b	Phil Davis	if (isset($_POST['userid']) && is_numericint($_POST['userid'])) {
73	1a6769a6	Renato Botelho	$id = $_POST['userid'];
74	73fa304b	Phil Davis	}
75	1df17ba9	Scott Ullrich
76	7411c285	Stephen Beaver	if (isset($_GET['userid']) && is_numericint($_GET['userid'])) {
77			$id = $_GET['userid'];
78			}
79
80	73fa304b	Phil Davis	if (!isset($config['system']['user']) \|\| !is_array($config['system']['user'])) {
81	e33be77c	Ermal	$config['system']['user'] = array();
82	73fa304b	Phil Davis	}
83	1df17ba9	Scott Ullrich
84	e33be77c	Ermal	$a_user = &$config['system']['user'];
85	7411c285	Stephen Beaver	$act = $_GET['act'];
86	45ee90ed	Matthew Grooms
87	73fa304b	Phil Davis	if (isset($_SERVER['HTTP_REFERER'])) {
88	7c2d0050	Renato Botelho	$referer = $_SERVER['HTTP_REFERER'];
89	73fa304b	Phil Davis	} else {
90	7c2d0050	Renato Botelho	$referer = '/system_usermanager.php';
91	73fa304b	Phil Davis	}
92	7c2d0050	Renato Botelho
93	adacdf5f	jim-p	if (isset($id) && $a_user[$id]) {
94			$pconfig['usernamefld'] = $a_user[$id]['name'];
95			$pconfig['descr'] = $a_user[$id]['descr'];
96			$pconfig['expires'] = $a_user[$id]['expires'];
97			$pconfig['groups'] = local_user_get_groups($a_user[$id]);
98			$pconfig['utype'] = $a_user[$id]['scope'];
99			$pconfig['uid'] = $a_user[$id]['uid'];
100			$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
101			$pconfig['priv'] = $a_user[$id]['priv'];
102			$pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk'];
103			$pconfig['disabled'] = isset($a_user[$id]['disabled']);
104			}
105
106	43acaa2f	Stephen Beaver	if ($_GET['act'] == "deluser") {
107	45ee90ed	Matthew Grooms
108	43acaa2f	Stephen Beaver	if (!isset($_GET['username']) \|\| !isset($a_user[$id]) \|\| ($_GET['username'] != $a_user[$id]['name'])) {
109	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
110			exit;
111	6b07c15a	Matthew Grooms	}
112
113	4125445f	Phil Davis	if ($_GET['username'] == $_SESSION['Username']) {
114			$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $_GET['username']);
115			} else {
116			conf_mount_rw();
117			local_user_del($a_user[$id]);
118			conf_mount_ro();
119			$userdeleted = $a_user[$id]['name'];
120			unset($a_user[$id]);
121			write_config();
122			$savemsg = sprintf(gettext("User %s successfully deleted."), $userdeleted);
123			}
124	d61309a0	Phil Davis	} else if ($act == "new") {
125	e33be77c	Ermal	/*
126			* set this value cause the text field is read only
127			* and the user should not be able to mess with this
128			* setting.
129			*/
130			$pconfig['utype'] = "user";
131			$pconfig['lifetime'] = 3650;
132			}
133	45ee90ed	Matthew Grooms
134	64c31615	Stephen Beaver	if (isset($_POST['dellall'])) {
135	4e21c82e	bruno
136			$del_users = $_POST['delete_check'];
137	4125445f	Phil Davis	$deleted_users = "";
138			$deleted_count = 0;
139			$comma = "";
140	4e21c82e	bruno
141	73fa304b	Phil Davis	if (!empty($del_users)) {
142			foreach ($del_users as $userid) {
143	4e21c82e	bruno	if (isset($a_user[$userid]) && $a_user[$userid]['scope'] != "system") {
144	4125445f	Phil Davis	if ($a_user[$userid]['name'] == $_SESSION['Username']) {
145			$delete_errors[] = sprintf(gettext("Cannot delete user %s because you are currently logged in as that user."), $a_user[$userid]['name']);
146			} else {
147			conf_mount_rw();
148			$deleted_users = $deleted_users . $comma . $a_user[$userid]['name'];
149			$comma = ", ";
150			$deleted_count++;
151			local_user_del($a_user[$userid]);
152			conf_mount_ro();
153			unset($a_user[$userid]);
154			}
155			} else {
156			$delete_errors[] = sprintf(gettext("Cannot delete user %s because it is a system user."), $a_user[$userid]['name']);
157	4e21c82e	bruno	}
158			}
159	4125445f	Phil Davis
160			if ($deleted_count > 0) {
161			if ($deleted_count == 1) {
162			$savemsg = sprintf(gettext("User %s successfully deleted."), $deleted_users);
163			} else {
164			$savemsg = sprintf(gettext("Users %s successfully deleted."), $deleted_users);
165			}
166			write_config($savemsg);
167			}
168	4e21c82e	bruno	}
169			}
170
171	98402844	Stephen Beaver	if ($_POST['act'] == "delcert") {
172
173			if (!$a_user[$id]) {
174			pfSenseHeader("system_usermanager.php");
175			exit;
176			}
177
178			$certdeleted = lookup_cert($a_user[$id]['cert'][$_POST['certid']]);
179			$certdeleted = $certdeleted['descr'];
180			unset($a_user[$id]['cert'][$_POST['certid']]);
181			write_config();
182			$_POST['act'] = "edit";
183	ed10e389	Phil Davis	$savemsg = sprintf(gettext("Certificate %s association removed."), $certdeleted);
184	98402844	Stephen Beaver	}
185	64c31615	Stephen Beaver
186	945204b1	Stephen Beaver	if ($_POST['act'] == "delprivid") {
187			$privdeleted = $priv_list[$a_user[$id]['priv'][$_POST['privid']]]['name'];
188			unset($a_user[$id]['priv'][$_POST['privid']]);
189			local_user_set($a_user[$id]);
190			write_config();
191			$_POST['act'] = "edit";
192	ed10e389	Phil Davis	$savemsg = sprintf(gettext("Privilege %s removed."), $privdeleted);
193	4c879f95	heper	}
194	98402844	Stephen Beaver
195	1a6769a6	Renato Botelho	if ($_POST['save']) {
196	e33be77c	Ermal	unset($input_errors);
197			$pconfig = $_POST;
198	45ee90ed	Matthew Grooms
199	e33be77c	Ermal	/* input validation */
200			if (isset($id) && ($a_user[$id])) {
201			$reqdfields = explode(" ", "usernamefld");
202			$reqdfieldsn = array(gettext("Username"));
203			} else {
204			if (empty($_POST['name'])) {
205			$reqdfields = explode(" ", "usernamefld passwordfld1");
206			$reqdfieldsn = array(
207			gettext("Username"),
208			gettext("Password"));
209	45ee90ed	Matthew Grooms	} else {
210	e33be77c	Ermal	$reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime");
211			$reqdfieldsn = array(
212			gettext("Username"),
213			gettext("Password"),
214			gettext("Descriptive name"),
215			gettext("Certificate authority"),
216			gettext("Key length"),
217			gettext("Lifetime"));
218	45ee90ed	Matthew Grooms	}
219	e33be77c	Ermal	}
220	45ee90ed	Matthew Grooms
221	1e9b4611	Renato Botelho	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
222	45ee90ed	Matthew Grooms
223	73fa304b	Phil Davis	if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
224	e33be77c	Ermal	$input_errors[] = gettext("The username contains invalid characters.");
225	73fa304b	Phil Davis	}
226	45ee90ed	Matthew Grooms
227	73fa304b	Phil Davis	if (strlen($_POST['usernamefld']) > 16) {
228	e33be77c	Ermal	$input_errors[] = gettext("The username is longer than 16 characters.");
229	73fa304b	Phil Davis	}
230	94d455da	jim-p
231	73fa304b	Phil Davis	if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) {
232	e33be77c	Ermal	$input_errors[] = gettext("The passwords do not match.");
233	73fa304b	Phil Davis	}
234	45ee90ed	Matthew Grooms
235	73fa304b	Phil Davis	if (isset($_POST['ipsecpsk']) && !preg_match('/^[[:ascii:]]*$/', $_POST['ipsecpsk'])) {
236	123d8700	Renato Botelho	$input_errors[] = gettext("IPsec Pre-Shared Key contains invalid characters.");
237	73fa304b	Phil Davis	}
238	123d8700	Renato Botelho
239	6314397f	jim-p	/* Check the POSTed groups to ensure they are valid and exist */
240	2031be9c	NewEraCracker	if(is_array($_POST['groups'])) {
241			foreach ($_POST['groups'] as $newgroup) {
242			if (empty(getGroupEntry($newgroup))) {
243			$input_errors[] = gettext("One or more invalid groups was submitted.");
244			}
245	6314397f	jim-p	}
246			}
247
248	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
249	e33be77c	Ermal	$oldusername = $a_user[$id]['name'];
250	73fa304b	Phil Davis	} else {
251	e33be77c	Ermal	$oldusername = "";
252	73fa304b	Phil Davis	}
253	e33be77c	Ermal	/* make sure this user name is unique */
254			if (!$input_errors) {
255			foreach ($a_user as $userent) {
256			if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
257			$input_errors[] = gettext("Another entry with the same username already exists.");
258			break;
259	58664cc9	Scott Ullrich	}
260	3dec33d4	Erik Fonnesbeck	}
261	e33be77c	Ermal	}
262			/* also make sure it is not reserved */
263			if (!$input_errors) {
264			$system_users = explode("\n", file_get_contents("/etc/passwd"));
265			foreach ($system_users as $s_user) {
266			$ent = explode(":", $s_user);
267			if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) {
268			$input_errors[] = gettext("That username is reserved by the system.");
269			break;
270	8339ab6d	jim-p	}
271	7e4a4513	Scott Ullrich	}
272	e33be77c	Ermal	}
273	1df17ba9	Scott Ullrich
274	e33be77c	Ermal	/*
275	e30050b6	Phil Davis	* Check for a valid expiration date if one is set at all (valid means,
276	4d148b59	Yehuda Katz	* DateTime puts out a time stamp so any DateTime compatible time
277	e33be77c	Ermal	* format may be used. to keep it simple for the enduser, we only
278			* claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs
279			* like "+1 day", which will be converted to MM/DD/YYYY based on "now".
280	e30050b6	Phil Davis	* Otherwise such an entry would lead to an invalid expiration data.
281	e33be77c	Ermal	*/
282	73fa304b	Phil Davis	if ($_POST['expires']) {
283	4d148b59	Yehuda Katz	try {
284			$expdate = new DateTime($_POST['expires']);
285			//convert from any DateTime compatible date to MM/DD/YYYY
286			$_POST['expires'] = $expdate->format("m/d/Y");
287	73fa304b	Phil Davis	} catch (Exception $ex) {
288	e33be77c	Ermal	$input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead.");
289	0092b3bd	mgrooms	}
290	e33be77c	Ermal	}
291	0092b3bd	mgrooms
292	e33be77c	Ermal	if (!empty($_POST['name'])) {
293			$ca = lookup_ca($_POST['caref']);
294	73fa304b	Phil Davis	if (!$ca) {
295	4c291f4c	Renato Botelho	$input_errors[] = gettext("Invalid internal Certificate Authority") . "\n";
296	73fa304b	Phil Davis	}
297	e33be77c	Ermal	}
298	c9794c06	Ermal
299	e33be77c	Ermal	/* if this is an AJAX caller then handle via JSON */
300			if (isAjax() && is_array($input_errors)) {
301			input_errors2Ajax($input_errors);
302			exit;
303			}
304	64c31615	Stephen Beaver
305	e33be77c	Ermal	if (!$input_errors) {
306	4ee51131	Sjon Hortensius
307	e33be77c	Ermal	conf_mount_rw();
308			$userent = array();
309	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
310	e33be77c	Ermal	$userent = $a_user[$id];
311	73fa304b	Phil Davis	}
312	e879fc81	Ermal
313	e33be77c	Ermal	isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
314
315			/* the user name was modified */
316	926e0a2f	Phil Davis	if (!empty($_POST['oldusername']) && ($_POST['usernamefld'] <> $_POST['oldusername'])) {
317	e33be77c	Ermal	$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
318	fdcf104c	jim-p	local_user_del($userent);
319			}
320	1df17ba9	Scott Ullrich
321	e30050b6	Phil Davis	/* the user password was modified */
322	73fa304b	Phil Davis	if ($_POST['passwordfld1']) {
323	e33be77c	Ermal	local_user_set_password($userent, $_POST['passwordfld1']);
324	73fa304b	Phil Davis	}
325	1df17ba9	Scott Ullrich
326	5cde9005	NewEraCracker	/* only change description if sent */
327			if (isset($_POST['descr'])) {
328			$userent['descr'] = $_POST['descr'];
329			}
330
331	e33be77c	Ermal	$userent['name'] = $_POST['usernamefld'];
332			$userent['expires'] = $_POST['expires'];
333			$userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
334			$userent['ipsecpsk'] = $_POST['ipsecpsk'];
335	3ccb9689	Charlie Marshall
336	73fa304b	Phil Davis	if ($_POST['disabled']) {
337	e33be77c	Ermal	$userent['disabled'] = true;
338	73fa304b	Phil Davis	} else {
339	e33be77c	Ermal	unset($userent['disabled']);
340	73fa304b	Phil Davis	}
341	e33be77c	Ermal
342	73fa304b	Phil Davis	if (isset($id) && $a_user[$id]) {
343	e33be77c	Ermal	$a_user[$id] = $userent;
344	73fa304b	Phil Davis	} else {
345	e33be77c	Ermal	if (!empty($_POST['name'])) {
346			$cert = array();
347			$cert['refid'] = uniqid();
348	4c291f4c	Renato Botelho	$userent['cert'] = array();
349	e33be77c	Ermal
350			$cert['descr'] = $_POST['name'];
351
352	4c291f4c	Renato Botelho	$subject = cert_get_subject_array($ca['crt']);
353	e33be77c	Ermal
354	4c291f4c	Renato Botelho	$dn = array(
355			'countryName' => $subject[0]['v'],
356			'stateOrProvinceName' => $subject[1]['v'],
357			'localityName' => $subject[2]['v'],
358			'organizationName' => $subject[3]['v'],
359			'emailAddress' => $subject[4]['v'],
360			'commonName' => $userent['name']);
361	e33be77c	Ermal
362			cert_create($cert, $_POST['caref'], $_POST['keylen'],
363			(int)$_POST['lifetime'], $dn);
364
365	73fa304b	Phil Davis	if (!is_array($config['cert'])) {
366	e33be77c	Ermal	$config['cert'] = array();
367	73fa304b	Phil Davis	}
368	e33be77c	Ermal	$config['cert'][] = $cert;
369			$userent['cert'][] = $cert['refid'];
370			}
371			$userent['uid'] = $config['system']['nextuid']++;
372			/* Add the user to All Users group. */
373			foreach ($config['system']['group'] as $gidx => $group) {
374			if ($group['name'] == "all") {
375	73fa304b	Phil Davis	if (!is_array($config['system']['group'][$gidx]['member'])) {
376	e33be77c	Ermal	$config['system']['group'][$gidx]['member'] = array();
377	73fa304b	Phil Davis	}
378	e33be77c	Ermal	$config['system']['group'][$gidx]['member'][] = $userent['uid'];
379			break;
380			}
381			}
382	970db70b	Scott Ullrich
383	e33be77c	Ermal	$a_user[] = $userent;
384	45ee90ed	Matthew Grooms	}
385	e33be77c	Ermal
386	900ce3b0	jim-p	/* Add user to groups so PHP can see the memberships properly or else the user's shell account does not get proper permissions (if applicable) See #5152. */
387	d61309a0	Phil Davis	local_user_set_groups($userent, $_POST['groups']);
388	e33be77c	Ermal	local_user_set($userent);
389	900ce3b0	jim-p	/* Add user to groups again to ensure they are set everywhere, otherwise the user may not appear to be a member of the group. See commit:5372d26d9d25d751d16865ed9d46869d3b0ec5e1. */
390	73fa304b	Phil Davis	local_user_set_groups($userent, $_POST['groups']);
391	e33be77c	Ermal	write_config();
392
393	73fa304b	Phil Davis	if (is_dir("/etc/inc/privhooks")) {
394	e33be77c	Ermal	run_plugins("/etc/inc/privhooks");
395	73fa304b	Phil Davis	}
396	e33be77c	Ermal
397			conf_mount_ro();
398	3ccb9689	Charlie Marshall
399	e33be77c	Ermal	pfSenseHeader("system_usermanager.php");
400	45ee90ed	Matthew Grooms	}
401	e33be77c	Ermal	}
402	fab7ff44	Bill Marquette
403	7411c285	Stephen Beaver	function build_priv_table() {
404			global $a_user, $id;
405
406			$privhtml = '<div class="table-responsive">';
407			$privhtml .= '<table class="table table-striped table-hover table-condensed">';
408			$privhtml .= '<thead>';
409	7d2e572f	Stephen Beaver	$privhtml .= '<tr>';
410			$privhtml .= '<th>' . gettext('Inherited from') . '</th>';
411			$privhtml .= '<th>' . gettext('Name') . '</th>';
412			$privhtml .= '<th>' . gettext('Description') . '</th>';
413	f460db90	NOYB	$privhtml .= '<th>' . gettext('Action') . '</th>';
414	7d2e572f	Stephen Beaver	$privhtml .= '</tr>';
415	7411c285	Stephen Beaver	$privhtml .= '</thead>';
416			$privhtml .= '<tbody>';
417
418	945204b1	Stephen Beaver	$i = 0;
419
420			foreach (get_user_privdesc($a_user[$id]) as $priv) {
421			$group = false;
422			if ($priv['group']) {
423			$group = $priv['group'];
424			}
425
426	7411c285	Stephen Beaver	$privhtml .= '<tr>';
427			$privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>';
428			$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
429			$privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>';
430	945204b1	Stephen Beaver	$privhtml .= '<td>';
431	d61309a0	Phil Davis	if (!$group) {
432	f460db90	NOYB	$privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
433	d61309a0	Phil Davis	}
434	945204b1	Stephen Beaver
435			$privhtml .= '</td>';
436	7411c285	Stephen Beaver	$privhtml .= '</tr>';
437	945204b1	Stephen Beaver
438	d61309a0	Phil Davis	if (!$group) {
439	945204b1	Stephen Beaver	$i++;
440	d61309a0	Phil Davis	}
441	7411c285	Stephen Beaver	}
442
443			$privhtml .= '</tbody>';
444			$privhtml .= '</table>';
445			$privhtml .= '</div>';
446
447			$privhtml .= '<nav class="action-buttons">';
448	37676f4e	jim-p	$privhtml .= '<a href="system_usermanager_addprivs.php?userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
449	7411c285	Stephen Beaver	$privhtml .= '</nav>';
450
451			return($privhtml);
452			}
453	98402844	Stephen Beaver
454	7411c285	Stephen Beaver	function build_cert_table() {
455			global $a_user, $id;
456
457			$certhtml = '<div class="table-responsive">';
458			$certhtml .= '<table class="table table-striped table-hover table-condensed">';
459			$certhtml .= '<thead>';
460	7d2e572f	Stephen Beaver	$certhtml .= '<tr>';
461			$certhtml .= '<th>' . gettext('Name') . '</th>';
462			$certhtml .= '<th>' . gettext('CA') . '</th>';
463	98402844	Stephen Beaver	$certhtml .= '<th></th>';
464	7d2e572f	Stephen Beaver	$certhtml .= '</tr>';
465	7411c285	Stephen Beaver	$certhtml .= '</thead>';
466			$certhtml .= '<tbody>';
467
468			$a_cert = $a_user[$id]['cert'];
469			if (is_array($a_cert)) {
470			$i = 0;
471			foreach ($a_cert as $certref) {
472	7d2e572f	Stephen Beaver	$cert = lookup_cert($certref);
473			$ca = lookup_ca($cert['caref']);
474			$revokedstr = is_cert_revoked($cert) ? '<b> Revoked</b>':'';
475
476	7411c285	Stephen Beaver	$certhtml .= '<tr>';
477	7d2e572f	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($cert['descr']) . $revokedstr . '</td>';
478	7411c285	Stephen Beaver	$certhtml .= '<td>' . htmlspecialchars($ca['descr']) . '</td>';
479	db676e5b	Stephen Beaver	$certhtml .= '<td>';
480	945204b1	Stephen Beaver	$certhtml .= '<a id="delcert' . $i .'" class="fa fa-trash no-confirm icon-pointer" title="';
481	f14ff867	Phil Davis	$certhtml .= gettext('Remove this certificate association? (Certificate will not be deleted)') . '"></a>';
482	db676e5b	Stephen Beaver	$certhtml .= '</td>';
483	7411c285	Stephen Beaver	$certhtml .= '</tr>';
484	db676e5b	Stephen Beaver	$i++;
485	7411c285	Stephen Beaver	}
486	db676e5b	Stephen Beaver
487	7411c285	Stephen Beaver	}
488
489			$certhtml .= '</tbody>';
490			$certhtml .= '</table>';
491			$certhtml .= '</div>';
492
493			$certhtml .= '<nav class="action-buttons">';
494	37676f4e	jim-p	$certhtml .= '<a href="system_certmanager.php?act=new&userid=' . $id . '" class="btn btn-success"><i class="fa fa-plus icon-embed-btn"></i>' . gettext("Add") . '</a>';
495	7411c285	Stephen Beaver	$certhtml .= '</nav>';
496
497			return($certhtml);
498			}
499
500	8f1ab2a4	k-paulius	$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Users"));
501
502			if ($act == "new" \|\| $act == "edit" \|\| $input_errors) {
503			$pgtitle[] = gettext('Edit');
504			}
505	e33be77c	Ermal	include("head.inc");
506	fab7ff44	Bill Marquette
507	4125445f	Phil Davis	if ($delete_errors) {
508			print_input_errors($delete_errors);
509			}
510
511	d61309a0	Phil Davis	if ($input_errors) {
512	4ee51131	Sjon Hortensius	print_input_errors($input_errors);
513	d61309a0	Phil Davis	}
514	98402844	Stephen Beaver
515	d61309a0	Phil Davis	if ($savemsg) {
516	98402844	Stephen Beaver	print_info_box($savemsg, 'success');
517	d61309a0	Phil Davis	}
518	4ee51131	Sjon Hortensius
519			$tab_array = array();
520			$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
521			$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
522			$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
523	2d1f33d9	k-paulius	$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
524	4ee51131	Sjon Hortensius	display_top_tabs($tab_array);
525
526	7411c285	Stephen Beaver	if (!($act == "new" \|\| $act == "edit" \|\| $input_errors)) {
527	64600f94	Sjon Hortensius	?>
528	64c31615	Stephen Beaver	<form method="post">
529	060ed238	Stephen Beaver	<div class="panel panel-default">
530			<div class="panel-heading"><h2 class="panel-title"><?=gettext('Users')?></h2></div>
531			<div class="panel-body">
532			<div class="table-responsive">
533			<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap" data-sortable>
534			<thead>
535			<tr>
536			<th> </th>
537			<th><?=gettext("Username")?></th>
538			<th><?=gettext("Full name")?></th>
539			<th><?=gettext("Disabled")?></th>
540			<th><?=gettext("Groups")?></th>
541	70dc5cd6	Phil Davis	<th><?=gettext("Actions")?></th>
542	060ed238	Stephen Beaver	</tr>
543			</thead>
544			<tbody>
545	a0165602	Sjon Hortensius	<?php
546	d61309a0	Phil Davis	foreach ($a_user as $i => $userent):
547	a0165602	Sjon Hortensius	?>
548	060ed238	Stephen Beaver	<tr>
549			<td>
550	4125445f	Phil Davis	<input type="checkbox" id="frc<?=$i?>" name="delete_check[]" value="<?=$i?>" <?=((($userent['scope'] == "system") \|\| ($userent['name'] == $_SESSION['Username'])) ? 'disabled' : '')?>/>
551	060ed238	Stephen Beaver	</td>
552			<td>
553	a0165602	Sjon Hortensius	<?php
554	d61309a0	Phil Davis	if ($userent['scope'] != "user") {
555	a0165602	Sjon Hortensius	$usrimg = 'eye-open';
556	d61309a0	Phil Davis	} else {
557	a0165602	Sjon Hortensius	$usrimg = 'user';
558	d61309a0	Phil Davis	}
559	a0165602	Sjon Hortensius	?>
560	060ed238	Stephen Beaver	<i class="fa fa-<?=$usrimg?>"></i>
561			<?=htmlspecialchars($userent['name'])?>
562			</td>
563			<td><?=htmlspecialchars($userent['descr'])?></td>
564			<td><?php if (isset($userent['disabled'])) echo "*"?></td>
565			<td><?=implode(",", local_user_get_groups($userent))?></td>
566			<td>
567			<a class="fa fa-pencil" title="<?=gettext("Edit user"); ?>" href="?act=edit&userid=<?=$i?>"></a>
568	4125445f	Phil Davis	<?php if (($userent['scope'] != "system") && ($userent['name'] != $_SESSION['Username'])): ?>
569	060ed238	Stephen Beaver	<a class="fa fa-trash" title="<?=gettext("Delete user")?>" href="?act=deluser&userid=<?=$i?>&username=<?=$userent['name']?>"></a>
570	a0165602	Sjon Hortensius	<?php endif; ?>
571	060ed238	Stephen Beaver	</td>
572			</tr>
573	a0165602	Sjon Hortensius	<?php endforeach; ?>
574	060ed238	Stephen Beaver	</tbody>
575			</table>
576			</div>
577			</div>
578	94404d94	Sander van Leeuwen	</div>
579	c10cb196	Stephen Beaver	<nav class="action-buttons">
580	64c31615	Stephen Beaver	<a href="?act=new" class="btn btn-sm btn-success">
581	9d5a20cf	heper	<i class="fa fa-plus icon-embed-btn"></i>
582	b921ab63	Stephen Beaver	<?=gettext("Add")?>
583			</a>
584	64c31615	Stephen Beaver
585			<button type="submit" class="btn btn-sm btn-danger" name="dellall" value="dellall" title="<?=gettext('Delete selected users')?>">
586			<i class="fa fa-trash icon-embed-btn"></i>
587			<?=gettext("Delete")?>
588			</button>
589	94404d94	Sander van Leeuwen	</nav>
590	d825dfea	NOYB	</form>
591	3c3ede28	Stephen Beaver	<div class="infoblock">
592	a0165602	Sjon Hortensius	<?php
593	a0d084fe	k-paulius	print_callout('<p>' . gettext("Additional users can be added here. User permissions for accessing " .
594			"the webConfigurator can be assigned directly or inherited from group memberships. " .
595			"Some system object properties can be modified but they cannot be deleted.") . '</p>' .
596			'<p>' . gettext("Accounts added here are also used for other parts of the system " .
597			"such as OpenVPN, IPsec, and Captive Portal.") . '</p>'
598			);
599	3c3ede28	Stephen Beaver	?></div><?php
600	a0165602	Sjon Hortensius	include("foot.inc");
601			exit;
602			}
603	4ee51131	Sjon Hortensius
604			$form = new Form;
605
606	7411c285	Stephen Beaver	if ($act == "new" \|\| $act == "edit" \|\| $input_errors):
607	4ee51131	Sjon Hortensius
608	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
609			'act',
610			null,
611			'hidden',
612			''
613			));
614	4ee51131	Sjon Hortensius
615	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
616			'userid',
617			null,
618			'hidden',
619			isset($id) ? $id:''
620			));
621	4ee51131	Sjon Hortensius
622	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
623			'privid',
624			null,
625			'hidden',
626			''
627			));
628	4ee51131	Sjon Hortensius
629	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
630			'certid',
631			null,
632			'hidden',
633			''
634			));
635	4ee51131	Sjon Hortensius
636	7411c285	Stephen Beaver	$ro = "";
637			if ($pconfig['utype'] == "system") {
638	c4b60a9a	Colin Fleming	$ro = "readonly";
639	7411c285	Stephen Beaver	}
640	4ee51131	Sjon Hortensius
641	7411c285	Stephen Beaver	$section = new Form_Section('User Properties');
642	4ee51131	Sjon Hortensius
643	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
644			'Defined by',
645			strtoupper($pconfig['utype'])
646			));
647	4ee51131	Sjon Hortensius
648	7411c285	Stephen Beaver	$form->addGlobal(new Form_Input(
649			'utype',
650			null,
651			'hidden',
652			$pconfig['utype']
653			));
654	4ee51131	Sjon Hortensius
655	7411c285	Stephen Beaver	$section->addInput(new Form_Checkbox(
656			'disabled',
657			'Disabled',
658			'This user cannot login',
659			$pconfig['disabled']
660			));
661	6b07c15a	Matthew Grooms
662	7411c285	Stephen Beaver	$section->addInput($input = new Form_Input(
663			'usernamefld',
664			'Username',
665			'text',
666			$pconfig['usernamefld']
667			));
668	61dec0b0	Renato Botelho
669	d61309a0	Phil Davis	if ($ro) {
670	1fe9cc38	Stephen Beaver	$input->setReadonly();
671	d61309a0	Phil Davis	}
672	7411c285	Stephen Beaver
673			$form->addGlobal(new Form_Input(
674			'oldusername',
675	4ee51131	Sjon Hortensius	null,
676	7411c285	Stephen Beaver	'hidden',
677			$pconfig['usernamefld']
678	4ee51131	Sjon Hortensius	));
679	6b07c15a	Matthew Grooms
680	7411c285	Stephen Beaver	$group = new Form_Group('Password');
681			$group->add(new Form_Input(
682			'passwordfld1',
683			'Password',
684			'password'
685			));
686			$group->add(new Form_Input(
687			'passwordfld2',
688			'Confirm Password',
689			'password'
690			));
691
692			$section->add($group);
693
694			$section->addInput($input = new Form_Input(
695			'descr',
696			'Full name',
697			'text',
698			htmlspecialchars($pconfig['descr'])
699	89140b63	NOYB	))->setHelp('User\'s full name, for administrative information only');
700	7411c285	Stephen Beaver
701	d61309a0	Phil Davis	if ($ro) {
702	7411c285	Stephen Beaver	$input->setDisabled();
703	d61309a0	Phil Davis	}
704	7411c285	Stephen Beaver
705			$section->addInput(new Form_Input(
706			'expires',
707			'Expiration date',
708			'date',
709			$pconfig['expires']
710			))->setHelp('Leave blank if the account shouldn\'t expire, otherwise enter '.
711			'the expiration date');
712
713			// ==== Group membership ==================================================
714			$group = new Form_Group('Group membership');
715
716	7d2e572f	Stephen Beaver	// Make a list of all the groups configured on the system, and a list of
717	7411c285	Stephen Beaver	// those which this user is a member of
718			$systemGroups = array();
719			$usersGroups = array();
720
721			$usergid = [$pconfig['usernamefld']];
722
723			foreach ($config['system']['group'] as $Ggroup) {
724	d61309a0	Phil Davis	if ($Ggroup['name'] != "all") {
725			if (($act == 'edit') && $Ggroup['member'] && in_array($pconfig['uid'], $Ggroup['member'])) {
726	b4333696	Stephen Beaver	$usersGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the user's list
727	d61309a0	Phil Davis	} else {
728	b4333696	Stephen Beaver	$systemGroups[ $Ggroup['name'] ] = $Ggroup['name']; // Add it to the 'not a member of' list
729	d61309a0	Phil Davis	}
730	b4333696	Stephen Beaver	}
731	7411c285	Stephen Beaver	}
732
733			$group->add(new Form_Select(
734			'sysgroups',
735			null,
736			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
737			$systemGroups,
738			true
739	953385a3	heper	))->setHelp('Not member of');
740	6b07c15a	Matthew Grooms
741	7411c285	Stephen Beaver	$group->add(new Form_Select(
742			'groups',
743			null,
744			array_combine((array)$pconfig['groups'], (array)$pconfig['groups']),
745			$usersGroups,
746			true
747	953385a3	heper	))->setHelp('Member of');
748	7411c285	Stephen Beaver
749			$section->add($group);
750
751			$group = new Form_Group('');
752
753			$group->add(new Form_Button(
754			'movetoenabled',
755	faab522f	Renato Botelho	'Move to "Member of" list',
756	37676f4e	jim-p	null,
757			'fa-angle-double-right'
758	347c0214	Phil Davis	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
759	7411c285	Stephen Beaver
760			$group->add(new Form_Button(
761			'movetodisabled',
762	faab522f	Renato Botelho	'Move to "Not member of" list',
763	37676f4e	jim-p	null,
764			'fa-angle-double-left'
765	347c0214	Phil Davis	))->setAttribute('type','button')->removeClass('btn-primary')->addClass('btn-info btn-sm');
766	4ee51131	Sjon Hortensius
767	48d321ca	NewEraCracker	$group->setHelp('Hold down CTRL (PC)/COMMAND (Mac) key to select multiple items.');
768	7411c285	Stephen Beaver	$section->add($group);
769	4ee51131	Sjon Hortensius
770	7411c285	Stephen Beaver	// ==== Button for adding user certificate ================================
771	d61309a0	Phil Davis	if ($act == 'new') {
772	4ee51131	Sjon Hortensius	$section->addInput(new Form_Checkbox(
773	7411c285	Stephen Beaver	'showcert',
774			'Certificate',
775			'Click to create a user certificate',
776			false
777	4ee51131	Sjon Hortensius	));
778	6b07c15a	Matthew Grooms	}
779
780	7411c285	Stephen Beaver	$form->add($section);
781	6b07c15a	Matthew Grooms
782	7411c285	Stephen Beaver	// ==== Effective privileges section ======================================
783			if (isset($pconfig['uid'])) {
784			// We are going to build an HTML table and add it to an Input_StaticText. It may be ugly, but it
785			// is the best way to make the display we need.
786	6b07c15a	Matthew Grooms
787	7411c285	Stephen Beaver	$section = new Form_Section('Effective Privileges');
788	4ee51131	Sjon Hortensius
789	7411c285	Stephen Beaver	$section->addInput(new Form_StaticText(
790			null,
791			build_priv_table()
792			));
793	4ee51131	Sjon Hortensius
794	7411c285	Stephen Beaver	$form->add($section);
795	4ee51131	Sjon Hortensius
796	7411c285	Stephen Beaver	// ==== Certificate table section =====================================
797	5f88f964	k-paulius	$section = new Form_Section('User Certificates');
798	7411c285	Stephen Beaver
799			$section->addInput(new Form_StaticText(
800			null,
801			build_cert_table()
802			));
803	64600f94	Sjon Hortensius
804			$form->add($section);
805	c9794c06	Ermal	}
806	7411c285	Stephen Beaver
807	f14ff867	Phil Davis	// ==== Add user certificate for a new user
808			if (is_array($config['ca']) && count($config['ca']) > 0) {
809	5f88f964	k-paulius	$section = new Form_Section('Create Certificate for User');
810	f14ff867	Phil Davis	$section->addClass('cert-options');
811	c9794c06	Ermal
812	f14ff867	Phil Davis	$nonPrvCas = array();
813			foreach($config['ca'] as $ca) {
814			if (!$ca['prv']) {
815			continue;
816			}
817	7411c285	Stephen Beaver
818	f14ff867	Phil Davis	$nonPrvCas[ $ca['refid'] ] = $ca['descr'];
819			}
820	7411c285	Stephen Beaver
821	f14ff867	Phil Davis	if (!empty($nonPrvCas)) {
822			$section->addInput(new Form_Input(
823			'name',
824			'Descriptive name',
825			'text',
826			$pconfig['name']
827			));
828	7411c285	Stephen Beaver
829	f14ff867	Phil Davis	$section->addInput(new Form_Select(
830			'caref',
831			'Certificate authority',
832			null,
833			$nonPrvCas
834			));
835	7411c285	Stephen Beaver
836	f14ff867	Phil Davis	$section->addInput(new Form_Select(
837			'keylen',
838			'Key length',
839			2048,
840			array(
841			512 => '512 bits',
842			1024 => '1024 bits',
843	bf408592	jim-p	2048 => '2048 bits',
844	f14ff867	Phil Davis	4096 => '4096 bits',
845			)
846			));
847	7411c285	Stephen Beaver
848	f14ff867	Phil Davis	$section->addInput(new Form_Input(
849			'lifetime',
850			'Lifetime',
851			'number',
852			$pconfig['lifetime']
853			));
854	7411c285	Stephen Beaver	}
855
856	f14ff867	Phil Davis	$form->add($section);
857			}
858
859	7411c285	Stephen Beaver	endif;
860			// ==== Paste a key for the new user
861	4ee51131	Sjon Hortensius	$section = new Form_Section('Keys');
862
863	35e0cd70	Stephen Beaver	$section->addInput(new Form_Checkbox(
864			'showkey',
865			'Authorized keys',
866			'Click to paste an authorized key',
867			false
868			));
869
870	4ee51131	Sjon Hortensius	$section->addInput(new Form_Textarea(
871			'authorizedkeys',
872	d1e73829	Stephen Beaver	'Authorized SSH Keys',
873	4ee51131	Sjon Hortensius	$pconfig['authorizedkeys']
874	d1e73829	Stephen Beaver	))->setHelp('Enter authorized SSH keys for this user');
875	4ee51131	Sjon Hortensius
876	35e0cd70	Stephen Beaver	$section->addInput(new Form_Input(
877	4ee51131	Sjon Hortensius	'ipsecpsk',
878			'IPsec Pre-Shared Key',
879			'text',
880			$pconfig['ipsecpsk']
881			));
882
883			$form->add($section);
884	7411c285	Stephen Beaver
885	a0165602	Sjon Hortensius	print $form;
886	7411c285	Stephen Beaver	?>
887	8fd9052f	Colin Fleming	<script type="text/javascript">
888	7411c285	Stephen Beaver	//<![CDATA[
889	d61309a0	Phil Davis	events.push(function() {
890	7411c285	Stephen Beaver
891			// On click . .
892			$("#movetodisabled").click(function() {
893			moveOptions($('[name="groups[]"] option'), $('[name="sysgroups[]"]'));
894			});
895
896			$("#movetoenabled").click(function() {
897			moveOptions($('[name="sysgroups[]"] option'), $('[name="groups[]"]'));
898			});
899
900			$("#showcert").click(function() {
901			hideClass('cert-options', !this.checked);
902			});
903
904			$("#showkey").click(function() {
905	35e0cd70	Stephen Beaver	hideInput('authorizedkeys', false);
906			hideCheckbox('showkey', true);
907	7411c285	Stephen Beaver	});
908
909	98402844	Stephen Beaver	$('[id^=delcert]').click(function(event) {
910	d61309a0	Phil Davis	if (confirm(event.target.title)) {
911	98402844	Stephen Beaver	$('#certid').val(event.target.id.match(/\d+$/)[0]);
912			$('#userid').val('<?=$id;?>');
913			$('#act').val('delcert');
914			$('form').submit();
915			}
916			});
917	945204b1	Stephen Beaver
918	408d0882	heper	$('[id^=delprivid]').click(function(event) {
919	d61309a0	Phil Davis	if (confirm(event.target.title)) {
920	4c879f95	heper	$('#privid').val(event.target.id.match(/\d+$/)[0]);
921	408d0882	heper	$('#userid').val('<?=$id;?>');
922			$('#act').val('delprivid');
923			$('form').submit();
924			}
925			});
926	64c31615	Stephen Beaver
927	246be5d3	Stephen Beaver	$('#expires').datepicker();
928	98402844	Stephen Beaver
929	eef93144	Jared Dillard	// ---------- On initial page load ------------------------------------------------------------
930
931			hideClass('cert-options', true);
932			//hideInput('authorizedkeys', true);
933	d1e73829	Stephen Beaver	hideCheckbox('showkey', true);
934	7411c285	Stephen Beaver
935			// On submit mark all the user's groups as "selected"
936	d61309a0	Phil Davis	$('form').submit(function() {
937	7411c285	Stephen Beaver	AllServers($('[name="groups[]"] option'), true);
938			});
939			});
940			//]]>
941			</script>
942			<?php
943	bb1b5c6f	heper	include('foot.inc');
944	4125445f	Phil Davis	?>

Project

General

Profile

pfSense