authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-27 19:06:40 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-27 19:06:40 +0000
commitea85f54a756ff1e6603cdee28a90785b3f8db08d (patch)
treeedc4f707f1746f9b6a600611d0ad5fd60147b5e3
parent54caba2ba7ffbfa451a1cc92e0c5096968ff20ba (diff)
downloadpki-ea85f54a756ff1e6603cdee28a90785b3f8db08d.tar.gz
pki-ea85f54a756ff1e6603cdee28a90785b3f8db08d.tar.xz
pki-ea85f54a756ff1e6603cdee28a90785b3f8db08d.zip
Bugzilla BZ# 479092: TPS roles enhancements
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@198 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/tps/doc/CS.cfg7
-rw-r--r--pki/base/tps/scripts/addAgents.ldif6
-rw-r--r--pki/base/tps/scripts/schemaMods.ldif6
-rw-r--r--pki/base/tps/src/engine/RA.cpp12
-rw-r--r--pki/base/tps/src/include/engine/RA.h6
-rw-r--r--pki/base/tps/src/include/processor/RA_Enroll_Processor.h3
-rw-r--r--pki/base/tps/src/include/tus/tus_db.h39
-rw-r--r--pki/base/tps/src/modules/tokendb/mod_tokendb.cpp2338
-rw-r--r--pki/base/tps/src/processor/RA_Enroll_Processor.cpp144
-rw-r--r--pki/base/tps/src/processor/RA_Format_Processor.cpp46
-rw-r--r--pki/base/tps/src/processor/RA_Pin_Reset_Processor.cpp54
-rw-r--r--pki/base/tps/src/tus/tus_db.c777
-rw-r--r--pki/base/tps/tools/tus/add.c16
-rw-r--r--pki/dogtag/tps-ui/dogtag-pki-tps-ui.spec4
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/addResults.template4
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/delete.template12
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/deleteResults.template4
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/doToken.template11
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/doTokenConfirm.template11
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/edit.template10
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/editAdmin.template15
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/editAdminResults.template4
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/editUser.template313
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/index.template24
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/indexAdmin.template44
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/indexOperator.template136
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/newUser.template180
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/revoke.template11
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/search.template3
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivity.template10
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivityResults.template13
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificate.template5
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificateResults.template18
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/searchResults.template11
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/searchUser.template127
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/searchUserResults.template151
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/show.template43
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/showAdmin.template10
-rw-r--r--pki/dogtag/tps-ui/shared/docroot/tokendb/showCert.template14
-rwxr-xr-xpki/dogtag/tps-ui/shared/docroot/tokendb/userDelete.template175
-rw-r--r--pki/dogtag/tps/pki-tps.spec4
41 files changed, 3729 insertions, 1092 deletions
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index bd39b3b26..7385ad00b 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -1364,3 +1364,10 @@ tokendb.editAdminResultTemplate=editAdminResults.template
tokendb.searchAdminTemplate=searchAdmin.template
tokendb.searchAdminResultTemplate=searchAdminResults.template
tokendb.defaultPolicy=RE_ENROLL=YES
+tokendb.newUserTemplate=newUser.template
+tokendb.userDeleteTemplate=userDelete.template
+tokendb.searchUserResultTemplate=searchUserResults.template
+tokendb.searchUserTemplate=searchUser.template
+tokendb.editUserTemplate=editUser.template
+tokendb.indexOperatorTemplate=indexOperator.template
+target.tokenType.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
diff --git a/pki/base/tps/scripts/addAgents.ldif b/pki/base/tps/scripts/addAgents.ldif
index 709e9525d..af10c34cf 100644
--- a/pki/base/tps/scripts/addAgents.ldif
+++ b/pki/base/tps/scripts/addAgents.ldif
@@ -39,11 +39,11 @@ description: Agents for TUS
dn: cn=TUS Officers,ou=Groups,$TOKENDB_ROOT
objectClass: top
objectClass: groupOfUniqueNames
-cn: TUS Administrators
+cn: TUS Officers
uniqueMember: uid=admin,ou=People,$TOKENDB_ROOT
-description: Administrators for TUS
+description: Operators for TUS
-dn: cn=TUS Adminstrators,ou=Groups,$TOKENDB_ROOT
+dn: cn=TUS Administrators,ou=Groups,$TOKENDB_ROOT
objectClass: top
objectClass: groupOfUniqueNames
cn: TUS Administrators
diff --git a/pki/base/tps/scripts/schemaMods.ldif b/pki/base/tps/scripts/schemaMods.ldif
index 526ee155c..fd7b09331 100644
--- a/pki/base/tps/scripts/schemaMods.ldif
+++ b/pki/base/tps/scripts/schemaMods.ldif
@@ -49,8 +49,10 @@ attributeTypes: ( tokenKeyType-oid NAME 'tokenKeyType' DESC 'CMS defined attribu
attributeTypes: ( tokenReason-oid NAME 'tokenReason' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( tokenNotBefore-oid NAME 'tokenNotBefore' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( tokenNotAfter-oid NAME 'tokenNotAfter' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( profileID-oid NAME 'profileID' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
add: objectClasses
-objectClasses: ( tokenRecord-oid NAME 'tokenRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $ keyInfo $ tokenPolicy $ extensions $ numberOfResets $ numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $ userCertificate ) X-ORIGIN 'user defined' )
-objectClasses: ( tokenActivity-oid NAME 'tokenActivity' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $ tokenMsg $ extensions ) X-ORIGIN 'user defined' )
+objectClasses: ( tokenRecord-oid NAME 'tokenRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $ keyInfo $ tokenPolicy $ extensions $ numberOfResets $ numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $ userCertificate $ tokenType ) X-ORIGIN 'user defined' )
+objectClasses: ( tokenActivity-oid NAME 'tokenActivity' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $ tokenMsg $ extensions $ tokenType ) X-ORIGIN 'user defined' )
objectClasses: ( tokenCert-oid NAME 'tokenCert' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ userCertificate $ tokenUserID $ tokenID $ tokenIssuer $ tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $ tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN 'user defined' )
+objectClasses: ( tpsProfileID-oid NAME 'tpsProfileID' DESC 'CMS defined class' SUP top AUXILIARY MAY ( profileID ) X-ORIGIN 'user-defined' )
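Review bot: The new `tpsProfileID` objectClass on the last added line carries `X-ORIGIN 'user-defined'`, whereas every other attributeType and objectClass in this file, including the `profileID` attribute added in the same hunk, uses `X-ORIGIN 'user defined'`. The server accepts either string, but the hyphenated form breaks the file's own convention and will stand out in any schema diff later; change it to `X-ORIGIN 'user defined'`.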
diff --git a/pki/base/tps/src/engine/RA.cpp b/pki/base/tps/src/engine/RA.cpp
index 460f9d0bc..23318ac78 100644
--- a/pki/base/tps/src/engine/RA.cpp
+++ b/pki/base/tps/src/engine/RA.cpp
@@ -2012,9 +2012,9 @@ TPS_PUBLIC int RA::ra_allow_token_reenroll(char *cuid)
return allow_token_reenroll(cuid);
}
-int RA::tdb_activity(char *ip, char *cuid, const char *op, const char *result, const char *msg, const char *userid)
+int RA::tdb_activity(char *ip, char *cuid, const char *op, const char *result, const char *msg, const char *userid, const char *token_type)
{
- return add_activity(ip, cuid, op, result, msg, userid);
+ return add_activity(ip, cuid, op, result, msg, userid, token_type);
}
int RA::tdb_update_certificates(char* cuid, char **tokentypes, char *userid, CERTCertificate ** certificates, char **ktypes, char **origins, int numOfCerts)
@@ -2077,7 +2077,7 @@ int RA::tdb_update_certificates(char* cuid, char **tokentypes, char *userid, CER
/*
* This adds a brand new token entry to tus.
*/
-int RA::tdb_add_token_entry(char *userid, char* cuid, const char *status) {
+int RA::tdb_add_token_entry(char *userid, char* cuid, const char *status, const char *token_type) {
int rc = -1;
int r = -1;
LDAPMessage *ldapResult = NULL;
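Review bot: The comment block above `tdb_add_token_entry` still reads "This adds a brand new token entry to tus." and says nothing about the new `token_type` argument, which the later hunk forwards unchanged into `add_default_tus_db_entry`. Whether a NULL `token_type` is tolerated by the store is not visible here, so the contract belongs in this comment, e.g. `* token_type: profile name recorded on the new entry; pass NO_TOKEN_TYPE (tus_db.h) rather than NULL when unknown — confirm against add_default_tus_db_entry`. The function body continues past the end of this hunk.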
@@ -2092,7 +2092,7 @@ int RA::tdb_add_token_entry(char *userid, char* cuid, const char *status) {
if ((rc = find_tus_db_entry(cuid, 0, &ldapResult)) != LDAP_SUCCESS) {
/* create a new entry */
- rc = add_default_tus_db_entry(userid, "~tps", cuid, status, NULL, NULL);
+ rc = add_default_tus_db_entry(userid, "~tps", cuid, status, NULL, NULL, token_type);
if (rc != LDAP_SUCCESS) {
RA::Error(LL_PER_PDU, "RA:tdb_add_token_entry",
"failed to add tokendb entry");
@@ -2145,7 +2145,7 @@ loser:
* This adds entry to tokendb if entry not found
* It is then supposed to modify entry (not yet implemented)
*/
-int RA::tdb_update(const char *userid, char* cuid, char* applet_version, char *key_info, const char *state, const char *reason)
+int RA::tdb_update(const char *userid, char* cuid, char* applet_version, char *key_info, const char *state, const char *reason, const char *token_type)
{
int rc = -1;
LDAPMessage *ldapResult = NULL;
@@ -2164,7 +2164,7 @@ int RA::tdb_update(const char *userid, char* cuid, char* applet_version, char *k
if ((rc = find_tus_db_entry(cuid, 0, &ldapResult)) != LDAP_SUCCESS) {
/* create a new entry */
rc = add_default_tus_db_entry(userid, "~tps", cuid, state, applet_version,
- key_info);
+ key_info, token_type);
if (rc != LDAP_SUCCESS) {
RA::Error(LL_PER_PDU, "RA:tdb_update",
"failed to add tokendb entry");
diff --git a/pki/base/tps/src/include/engine/RA.h b/pki/base/tps/src/include/engine/RA.h
index d0625f2b2..5bf076851 100644
--- a/pki/base/tps/src/include/engine/RA.h
+++ b/pki/base/tps/src/include/engine/RA.h
@@ -179,10 +179,10 @@ class RA
char *filter, LDAPMessage **msg, int order);
TPS_PUBLIC static int ra_update_token_status_reason_userid(char *userid,
char *cuid, const char *status, const char *reason, int modifyDateOfCreate);
- static int tdb_add_token_entry(char *userid, char* cuid, const char *status);
- static int tdb_update(const char *userid, char *cuid, char *applet_version, char *key_info, const char *state, const char *reason);
+ static int tdb_add_token_entry(char *userid, char* cuid, const char *status, const char *token_type);
+ static int tdb_update(const char *userid, char *cuid, char *applet_version, char *key_info, const char *state, const char *reason, const char * token_type);
static int tdb_update_certificates(char *cuid, char **tokentypes, char *userid, CERTCertificate **certificates, char **ktypes, char **origins, int numOfCerts);
- static int tdb_activity(char *ip, char *cuid, const char *op, const char *result, const char *msg, const char *userid);
+ static int tdb_activity(char *ip, char *cuid, const char *op, const char *result, const char *msg, const char *userid, const char *token_type);
static int testTokendb();
static int InitializeAuthentication();
static AuthenticationEntry *GetAuth(const char *id);
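Review bot: The rewritten `tdb_update` declaration spells its last parameter `const char * token_type`, with a space after the star, while the `tdb_add_token_entry` and `tdb_activity` declarations in the same hunk and the definitions in RA.cpp write `const char *token_type`. Keep the header consistent with the definitions: `static int tdb_update(const char *userid, char *cuid, char *applet_version, char *key_info, const char *state, const char *reason, const char *token_type);`.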
diff --git a/pki/base/tps/src/include/processor/RA_Enroll_Processor.h b/pki/base/tps/src/include/processor/RA_Enroll_Processor.h
index e109783a6..88427d8dd 100644
--- a/pki/base/tps/src/include/processor/RA_Enroll_Processor.h
+++ b/pki/base/tps/src/include/processor/RA_Enroll_Processor.h
@@ -235,7 +235,8 @@ class RA_Enroll_Processor : public RA_Processor
char *a_cuid,
AuthenticationEntry *a_auth,
AuthParams *& o_login,
- RA_Status &o_status);
+ RA_Status &o_status,
+ const char *token_type);
bool CheckAndUpgradeApplet(
RA_Session *a_session,
diff --git a/pki/base/tps/src/include/tus/tus_db.h b/pki/base/tps/src/include/tus/tus_db.h
index 092b16a51..f05c8ced3 100644
--- a/pki/base/tps/src/include/tus/tus_db.h
+++ b/pki/base/tps/src/include/tus/tus_db.h
@@ -117,8 +117,27 @@
#define I_STATE_DISABLED 2
#define STATE_DISABLED "disabled"
+#define C_TIME "createTimeStamp"
+#define M_TIME "modifyTimeStamp"
+#define USER_ID "uid"
+#define USER_PASSWORD "userPassword"
+#define USER_SN "sn"
+#define USER_CN "cn"
+#define USER_CERT "userCertificate"
+#define PROFILE_ID "profileID"
+#define GROUP_UNIQUEMEMBER "uniqueMember"
+#define SUBGROUP_ID "cn"
+
+/* roles */
+#define OPERATOR "Officers"
+#define AGENT "Agents"
+#define ADMINISTRATOR "Administrators"
#define MAX_RETRIES 2
+#define ALL_PROFILES "All Profiles"
+#define NO_PROFILES "NO_PROFILES"
+#define NO_TOKEN_TYPE "no_token_type"
+
TPS_PUBLIC void set_tus_db_port(int number);
TPS_PUBLIC void set_tus_db_host(char *name);
TPS_PUBLIC void set_tus_db_baseDN(char *dn);
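Review bot: The macros added here — `OPERATOR`, `AGENT`, `ADMINISTRATOR`, `USER_ID`, `USER_CN`, `USER_SN`, `C_TIME`, `M_TIME` — are unprefixed, generic identifiers in a public header that the Apache module and the processors include, so any enum member, field or local of the same name in those translation units is silently replaced by a string literal. `USER_CN` and `SUBGROUP_ID` also both expand to `"cn"`, giving two names for one attribute. I would prefix them to mark them as LDAP group and attribute names, e.g. `#define TUS_ROLE_OPERATOR "Officers"` and `#define TUS_ATTR_UID "uid"`, or at minimum add a comment stating that these are directory attribute/group names rather than program roles.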
@@ -137,7 +156,7 @@ TPS_PUBLIC char *get_token_policy (char *cn);
TPS_PUBLIC char *get_token_userid(char *cn);
TPS_PUBLIC void tus_db_end();
TPS_PUBLIC int is_tus_db_entry_disabled(char *cn);
-TPS_PUBLIC int add_default_tus_db_entry (const char *uid, const char *agentid, char *cn, const char *status, char *applet_version, char *key_info );
+TPS_PUBLIC int add_default_tus_db_entry (const char *uid, const char *agentid, char *cn, const char *status, char *applet_version, char *key_info, const char *token_type );
TPS_PUBLIC int delete_tus_db_entry (char *userid, char *cn);
TPS_PUBLIC int find_tus_db_entry (char *cn, int max, LDAPMessage **result);
TPS_PUBLIC int find_tus_db_entries (const char *filter, int max, LDAPMessage **result);
@@ -153,14 +172,14 @@ TPS_PUBLIC int update_tus_db_entry (const char *agentid,
TPS_PUBLIC int update_tus_db_entry_with_mods (const char *agentid, const char *cn, LDAPMod **mods);
TPS_PUBLIC int check_and_modify_tus_db_entry (char *userid, char *cn, char *check, LDAPMod **mods);
TPS_PUBLIC int modify_tus_db_entry (char *userid, char *cn, LDAPMod **mods);
-TPS_PUBLIC int add_activity (char *ip, char *id, const char *op, const char *result, const char *msg, const char *userid);
+TPS_PUBLIC int add_activity (char *ip, char *id, const char *op, const char *result, const char *msg, const char *userid, const char *token_type);
TPS_PUBLIC int find_tus_certificate_entries_by_order_no_vlv (char *filter,
LDAPMessage **result, int order);
TPS_PUBLIC int find_tus_certificate_entries_by_order (char *filter, int max,
LDAPMessage **result, int order);
TPS_PUBLIC int add_certificate (char *tokenid, char *origin, char *tokenType, char *userid, CERTCertificate *certificate, char *ktype, const char *status);
TPS_PUBLIC int add_tus_db_entry (char *cn, LDAPMod **mods);
-TPS_PUBLIC int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int flag, const char *status, char *applet_version, char *key_info);
+TPS_PUBLIC int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int flag, const char *status, char *applet_version, char *key_info, const char *token_type);
TPS_PUBLIC int find_tus_activity_entries (char *filter, int max, LDAPMessage **result);
TPS_PUBLIC int find_tus_activity_entries_no_vlv (char *filter, LDAPMessage **result, int order);
TPS_PUBLIC int get_number_of_entries (LDAPMessage *result);
@@ -173,6 +192,8 @@ TPS_PUBLIC CERTCertificate **get_certificates(LDAPMessage *entry);
TPS_PUBLIC char **get_token_states();
TPS_PUBLIC char **get_token_attributes();
TPS_PUBLIC char **get_activity_attributes();
+TPS_PUBLIC char **get_user_attributes();
+TPS_PUBLIC char **get_view_user_attributes();
TPS_PUBLIC char **get_attribute_values(LDAPMessage *entry, const char *attribute);
TPS_PUBLIC void free_values(char **values, int ldapValues);
TPS_PUBLIC char **get_token_users(LDAPMessage *entry);
@@ -212,6 +233,7 @@ TPS_PUBLIC char *get_number_of_resets_name();
TPS_PUBLIC char *get_number_of_enrollments_name();
TPS_PUBLIC char *get_number_of_renewals_name();
TPS_PUBLIC char *get_number_of_recoveries_name();
+TPS_PUBLIC char *get_dn(LDAPMessage *entry);
TPS_PUBLIC LDAPMod **allocate_modifications(int size);
TPS_PUBLIC void free_modifications(LDAPMod **mods, int ldapValues);
@@ -226,4 +248,15 @@ TPS_PUBLIC int update_token_status_reason(char *userid, char *cuid,
TPS_PUBLIC int update_token_status_reason_userid(const char *userid, char *cuid,
const char *tokenStatus, const char *reason, int modifyDateOfCreate);
+TPS_PUBLIC int add_user_db_entry(const char *agentid, char *userid, char *userPassword, char *sn, char *cn, char * userCert);
+TPS_PUBLIC int find_tus_user_entries_no_vlv(char *filter, LDAPMessage **result, int order);
+TPS_PUBLIC int update_user_db_entry(const char *agentid, char *uid, char *lastName, char *userCN, char *userCert);
+TPS_PUBLIC int add_profile_to_user(const char *agentid, char *userid, const char *profile);
+TPS_PUBLIC int delete_profile_from_user(const char *agentid, char *userid, const char *profile);
+TPS_PUBLIC int add_user_to_role_db_entry(const char *agentid, char *userid, const char *role);
+TPS_PUBLIC int delete_user_from_role_db_entry(const char *agentid, char *userid, const char *role);
+TPS_PUBLIC int find_tus_user_role_entries( const char*uid, LDAPMessage **result);
+TPS_PUBLIC char *get_authorized_profiles(const char *userid, int is_admin);
+TPS_PUBLIC int delete_user_db_entry(const char *agentid, char *uid);
+TPS_PUBLIC int delete_all_profiles_from_user(const char *agentid, char *userid);
#endif /* TUS_DB_H */
diff --git a/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp b/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp
index 0e67e4fc2..6b475f611 100644
--- a/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp
+++ b/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp
@@ -58,12 +58,14 @@ extern "C"
#include "httpd/http_log.h"
#include "httpd/http_protocol.h"
#include "httpd/http_main.h"
+#include "httpd/http_request.h"
#include "apr_strings.h"
#include "cms/CertEnroll.h"
#include "engine/RA.h"
#include "tus/tus_db.h"
+#include "processor/RA_Processor.h"
extern TOKENDB_PUBLIC char *nss_var_lookup( apr_pool_t *p, server_rec *s,
conn_rec *c, request_rec *r,
@@ -86,9 +88,43 @@ extern TOKENDB_PUBLIC char *nss_var_lookup( apr_pool_t *p, server_rec *s,
#define BASE64_HEADER "-----BEGIN CERTIFICATE-----\n"
#define BASE64_FOOTER "-----END CERTIFICATE-----\n"
+#define TOKENDB_OPERATORS_IDENTIFIER "TUS Officers"
#define TOKENDB_AGENTS_IDENTIFIER "TUS Agents"
#define TOKENDB_ADMINISTRATORS_IDENTIFIER "TUS Administrators"
+#define OP_PREFIX "op.format"
+
+#define NUM_PROFILES_TO_DISPLAY 15
+#define MAX_LEN_PROFILES_TO_DISPLAY 1000
+
+#define error_out(msg1,msg2) \
+ PR_snprintf(injection, MAX_INJECTION_SIZE, \
+ "%s%s%s%s%s", JS_START, "var error = \"Error: ", \
+ msg1,"\";\n", JS_STOP ); \
+ buf = getData( errorTemplate, injection ); \
+ ap_log_error( ( const char * ) "tus", __LINE__, \
+ APLOG_ERR, 0, rq->server, \
+ ( const char * ) msg2 ); \
+ ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
+
+#define ldap_error_out(msg1,msg2) \
+ PR_snprintf( injection, MAX_INJECTION_SIZE, \
+ "%s%s%s%s%s%s", JS_START, \
+ "var error = \"", msg1, \
+ ldap_err2string( status ), \
+ "\";\n", JS_STOP ); \
+ buf = getData( errorTemplate, injection ); \
+ ap_log_error( ( const char * ) "tus", __LINE__, \
+ APLOG_ERR, 0, rq->server, \
+ ( const char * ) msg2, \
+ ldap_err2string( status ) ); \
+ ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
+
+#define post_ldap_error(msg) \
+ ap_log_error( ( const char * ) "tus", __LINE__, \
+ APLOG_ERR, 0, rq->server, \
+ (const char *) msg, ldap_err2string( status ) );
+
/**
* Provide reasonable defaults for some defines.
*/
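Review bot: `error_out`, `ldap_error_out` and `post_ldap_error` expand to several statements and end with a semicolon of their own, so `if (cond) error_out(a, b); else …` attaches only the first `PR_snprintf` to the condition and then fails to compile on the `else`. Wrap each body in `do { … } while (0)` and drop the trailing `;` so every use behaves as a single statement. `ldap_error_out` and `post_ldap_error` also depend on a local named `status` being in scope and on `msg2`/`msg` containing exactly one `%s`; neither requirement is visible at a call site, so state both in a comment above the macros, e.g. `/* requires: int status (LDAP result) in scope; msg2 must contain one %s */`. `msg1` is spliced into a JavaScript string literal in the page body; the callers in this commit pass constants, and any future call passing request-derived text would need escaping first.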
@@ -110,6 +146,7 @@ static char *templateDir = NULL;
static char *errorTemplate = NULL;
static char *indexTemplate = NULL;
static char *indexAdminTemplate = NULL;
+static char *indexOperatorTemplate = NULL;
static char *newTemplate = NULL;
static char *searchTemplate = NULL;
static char *searchResultTemplate = NULL;
@@ -132,8 +169,15 @@ static char *doTokenConfirmTemplate = NULL;
static char *revokeTemplate = NULL;
static char *addResultTemplate = NULL;
static char *deleteResultTemplate = NULL;
+static char *editUserTemplate = NULL;
+static char *searchUserResultTemplate = NULL;
+static char *searchUserTemplate = NULL;
+static char *newUserTemplate = NULL;
+static char *userDeleteTemplate = NULL;
+static char *profileList = NULL;
static int sendInPieces = 0;
+static RA_Processor m_processor;
@@ -210,7 +254,123 @@ void tokendbDebug( const char* msg )
#endif
}
+inline void do_free(char * buf)
+{
+ if (buf != NULL) {
+ PR_Free(buf);
+ buf = NULL;
+ }
+}
+
+/**
+ * unencode
+ * summary: takes a URL encoded string and returns an unencoded string
+ * : must be freed by caller
+ */
+char *unencode(const char *src)
+{
+ char *dest = NULL;
+ char *dp = NULL;
+ dest = (char *) PR_Malloc(PL_strlen(src)* sizeof(char) + 1);
+ dp = dest;
+ for(; PL_strlen(src) > 0 ; src++, dp++)
+ if(*src == '+')
+ *dp = ' ';
+ else if(*src == '%') {
+ int code;
+ if (sscanf(src+1, "%2x", &code) != 1) code = '?';
+ *dp = code;
+ src +=2;
+ }
+ else
+ *dp = *src;
+ *dp = '\0';
+ return dest;
+}
+
+/**
+ * get_field
+ * summary: used to parse query strings in get and post requests
+ * : returns the value of the parameter following fname, in query string s.
+ * must be freed by caller.
+ * example: get_field("op=hello&name=foo&title=bar", "name=") returns foo
+ */
+char *get_field( char *s, char* fname)
+{
+ char *end = NULL;
+ int n;
+
+ if( ( s = PL_strstr( s, fname ) ) == NULL ) {
+ return NULL;
+ }
+
+ s += strlen(fname);
+ end = PL_strchr( s, '&' );
+
+ if( end != NULL ) {
+ n = end - s;
+ } else {
+ n = PL_strlen( s );
+ }
+
+ if (n == 0) {
+ return NULL;
+ } else {
+ return PL_strndup( s, n );
+ }
+}
+
+/**
+ * get_post_field
+ * summary: get value from apr_table containing HTTP-Post values
+ * params: post - apr_table with post data
+ * : fname = name of post-field
+ */
+char *get_post_field( apr_table_t *post, const char *fname)
+{
+ if (post) {
+ return unencode(apr_table_get(post, fname));
+ } else {
+ return NULL;
+ }
+}
+/**
+ * similar to get_post_field - but returns the original post data
+ * without unencoding - used for userCert
+ */
+char *get_encoded_post_field(apr_table_t *post, const char *fname)
+{
+ if (post) {
+ return PL_strdup(apr_table_get(post, fname));
+ } else {
+ return NULL;
+ }
+}
+
+/**
+ * match_profile
+ * summary: returns true if the profile passed in matches an existing profile
+ * in the profileList read from CS.cfg. Called when confirming that
+ * a user entered "other profile" is a real profile
+ */
+bool match_profile(const char *profile)
+{
+ char *pList = PL_strdup(profileList);
+ char *sresult = NULL;
+
+ sresult = strtok(pList, ",");
+ while (sresult != NULL) {
+ if (PL_strcmp(sresult, profile) == 0) {
+ do_free(pList);
+ return true;
+ }
+ sresult = strtok(NULL, ",");
+ }
+ do_free(pList);
+ return false;
+}
+
char *getTemplateFile( char *fileName, int *injectionTagOffset )
{
char *buf = NULL;
@@ -520,6 +680,85 @@ void getActivityFilter( char *filter, char *query )
}
}
+/**
+ * get_user_filter
+ * summary: returns an ldap search filter used for displaying
+ * user data when searching users based on uid, firstName and lastName
+ * params: filter - ldap search filter. Resu;t returned here.
+ * query - query string passed in
+ */
+void getUserFilter (char *filter, char *query) {
+ char *uid = NULL;
+ char *firstName = NULL;
+ char *lastName = NULL;
+
+ uid = get_field(query, "uid=");
+ firstName = get_field(query, "firstName=");
+ lastName = get_field(query, "lastName=");
+
+ filter[0] = '\0';
+
+ if ((uid == NULL) && (firstName == NULL) && (lastName ==NULL)) {
+ PL_strcat(filter, "(objectClass=Person");
+ } else {
+ PL_strcat(filter, "(&(objectClass=Person)");
+ }
+
+ if (uid != NULL) {
+ PL_strcat(filter, "(uid=");
+ PL_strcat(filter, uid);
+ PL_strcat(filter,")");
+ }
+
+ if (lastName != NULL) {
+ PL_strcat(filter, "(sn=");
+ PL_strcat(filter, lastName);
+ PL_strcat(filter,")");
+ }
+
+ if (firstName != NULL) {
+ PL_strcat(filter, "(cn=");
+ PL_strcat(filter, firstName);
+ PL_strcat(filter,"*)");
+ }
+
+ PL_strcat(filter, ")");
+
+ do_free(uid);
+ do_free(firstName);
+ do_free(lastName);
+}
+
+/**
+ * add_profile_filter
+ * summary: returns an ldap search filter which is a concatenation
+ * of the authorized profile search filter and the regular search
+ * filter. To be freed by caller.
+ * params: filter - search filter
+ * auth_filter: authorized profiles filter
+ */
+char *add_profile_filter( char *filter, char *auth_filter)
+{
+ char *ret;
+ int size;
+ char no_auth_filter[] = "(tokenType=\"\")";
+ if (filter == NULL) return NULL;
+ if ((auth_filter == NULL) || (PL_strstr( auth_filter, ALL_PROFILES))) {
+ ret = PL_strdup(filter);
+ } else if (PL_strstr( auth_filter, NO_PROFILES)) {
+ size = (PL_strlen(filter) + PL_strlen(no_auth_filter) + 4) * sizeof(char);
+ ret = (char *) PR_Malloc(size);
+ PR_snprintf(ret, size, "%s%s%s%s",
+ "(&", filter,no_auth_filter, ")");
+ } else {
+ size = (PL_strlen(filter) + PL_strlen(auth_filter) + 4) * sizeof(char);
+ ret = (char *) PR_Malloc(size);
+ PR_snprintf(ret, size, "%s%s%s%s",
+ "(&", filter, auth_filter, ")");
+ }
+ return ret;
+}
+
void getFilter( char *filter, char *query )
{
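Review bot: `getUserFilter` concatenates `uid`, `lastName` and `firstName` straight from the query string into the LDAP filter with no escaping, so a value containing `)`, `*` or `\` changes the meaning of the search (RFC 4515 requires those characters to be encoded as `\29`, `\2a`, `\5c`); the values should be escaped before the `PL_strcat` calls, as in the helper below. `filter` is a caller-supplied buffer of unknown size appended to with unbounded `PL_strcat`, so an over-long `uid` overruns it; adding a size parameter and building the string with `PR_snprintf` is the fix, but that changes a signature whose callers are outside this hunk. The comment above the function names it `get_user_filter` and has the typo `Resu;t`; rename to `getUserFilter` and `Result`.

```cpp
/* Escape the characters RFC 4515 reserves inside a filter assertion value. Caller frees. */
static char *escape_filter_value(const char *in)
{
    char *out = (char *) PR_Malloc(PL_strlen(in) * 3 + 1);
    char *o = out;
    if (out == NULL) return NULL;
    for (; *in != '\0'; in++) {
        switch (*in) {
        case '*':  memcpy(o, "\\2a", 3); o += 3; break;
        case '(':  memcpy(o, "\\28", 3); o += 3; break;
        case ')':  memcpy(o, "\\29", 3); o += 3; break;
        case '\\': memcpy(o, "\\5c", 3); o += 3; break;
        default:   *o++ = *in;
        }
    }
    *o = '\0';
    return out;
}

void getUserFilter (char *filter, char *query) {
    // … unchanged: fetch uid, firstName, lastName with get_field …
    char *e_uid = (uid != NULL) ? escape_filter_value(uid) : NULL;
    char *e_lastName = (lastName != NULL) ? escape_filter_value(lastName) : NULL;
    char *e_firstName = (firstName != NULL) ? escape_filter_value(firstName) : NULL;
    // … unchanged: objectClass prefix …
    if (e_uid != NULL) {
        PL_strcat(filter, "(uid=");
        PL_strcat(filter, e_uid);          /* escaped copy, not the raw query value */
        PL_strcat(filter, ")");
    }
    // … same substitution for e_lastName and e_firstName (the trailing "*" on cn stays) …
    do_free(e_uid);
    do_free(e_lastName);
    do_free(e_firstName);
    // … unchanged: free uid, firstName, lastName …
}
```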
@@ -1124,6 +1363,33 @@ int get_tus_config( char *name )
}
}
+ if( ( s = PL_strstr( buf, "tokendb.indexOperatorTemplate=" ) ) != NULL ) {
+ s += PL_strlen( "tokendb.indexOperatorTemplate=" );
+ v = s;
+
+ while( *s != '\x0D' && *s != '\x0A' && *s != '\0' &&
+ ( PRUint32 ) ( s - buf ) < size ) {
+ s++;
+ }
+
+ n = s - v;
+
+ s = PL_strndup( v, n );
+ if( s != NULL ) {
+ if( indexOperatorTemplate != NULL ) {
+ PL_strfree( indexOperatorTemplate );
+ indexOperatorTemplate = NULL;
+ }
+ indexOperatorTemplate = s;
+ } else {
+ if( buf != NULL ) {
+ PR_Free( buf );
+ buf = NULL;
+ }
+ return 0;
+ }
+ }
+
if( ( s = PL_strstr( buf, "tokendb.newTemplate=" ) ) != NULL ) {
s += PL_strlen( "tokendb.newTemplate=" );
v = s;
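Review bot: The block added here for `tokendb.indexOperatorTemplate=` is the same fourteen-line copy of the existing pattern that this commit repeats for `tokendb.searchUserResultTemplate=`, `tokendb.newUserTemplate=`, `tokendb.searchUserTemplate=`, `tokendb.userDeleteTemplate=`, `tokendb.editUserTemplate=` and `target.tokenType.list=` in the later hunks, and the copies already drift: some free the previous value with `PL_strfree` plus an explicit NULL check, others call `do_free`. A small helper that scans the value and stores it into a `char **` collapses each block to one call and keeps the error path identical, as sketched below. `get_tus_config` begins before and ends after this hunk.

```cpp
/* Copy the value following `key` in `buf` (up to CR, LF, NUL or `size`) into *dest,
 * releasing any previous value. Returns 0 if the key is absent, 1 if stored,
 * -1 if PL_strndup fails. */
static int read_config_value(char *buf, PRUint32 size, const char *key, char **dest)
{
    char *s = PL_strstr(buf, key);
    char *v;
    if (s == NULL) return 0;
    s += PL_strlen(key);
    v = s;
    while (*s != '\x0D' && *s != '\x0A' && *s != '\0' &&
           (PRUint32)(s - buf) < size) {
        s++;
    }
    s = PL_strndup(v, s - v);
    if (s == NULL) return -1;
    if (*dest != NULL) {
        PL_strfree(*dest);
    }
    *dest = s;
    return 1;
}

/* in get_tus_config, replacing each copied block: */
if (read_config_value(buf, size, "tokendb.indexOperatorTemplate=", &indexOperatorTemplate) < 0) {
    do_free(buf);
    return 0;
}
```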
@@ -1150,6 +1416,48 @@ int get_tus_config( char *name )
return 0;
}
}
+
+ if( ( s = PL_strstr( buf, "tokendb.searchUserResultTemplate=" ) ) != NULL ) {
+ s += PL_strlen( "tokendb.searchUserResultTemplate=" );
+ v = s;
+
+ while( *s != '\x0D' && *s != '\x0A' && *s != '\0' &&
+ ( PRUint32 )( s - buf ) < size ) {
+ s++;
+ }
+
+ n = s - v;
+
+ s = PL_strndup( v, n );
+ if( s != NULL ) {
+ do_free(searchUserResultTemplate);
+ searchUserResultTemplate = s;
+ } else {
+ do_free(buf);
+ return 0;
+ }
+ }
+
+ if( ( s = PL_strstr( buf, "tokendb.newUserTemplate=" ) ) != NULL ) {
+ s += PL_strlen( "tokendb.newUserTemplate=" );
+ v = s;
+
+ while( *s != '\x0D' && *s != '\x0A' && *s != '\0' &&
+ ( PRUint32 )( s - buf ) < size ) {
+ s++;
+ }
+
+ n = s - v;
+
+ s = PL_strndup( v, n );
+ if( s != NULL ) {
+ do_free(newUserTemplate);
+ newUserTemplate = s;
+ } else {
+ do_free(buf);
+ return 0;
+ }
+ }
if( ( s = PL_strstr( buf, "tokendb.searchTemplate=" ) ) != NULL ) {
s += PL_strlen( "tokendb.searchTemplate=" );
@@ -1231,6 +1539,33 @@ int get_tus_config( char *name )
return 0;
}
}
+
+ if( ( s = PL_strstr( buf, "tokendb.searchUserTemplate=" ) ) != NULL ) {
+ s += PL_strlen( "tokendb.searchUserTemplate=" );
+ v = s;
+
+ while( *s != '\x0D' && *s != '\x0A' && *s != '\0' &&
+ ( PRUint32 ) ( s - buf ) < size ) {
+ s++;
+ }
+
+ n = s - v;
+
+ s = PL_strndup( v, n );
+ if( s != NULL ) {
+ if( searchUserTemplate != NULL ) {
+ PL_strfree( searchUserTemplate );
+ searchUserTemplate = NULL;
+ }
+ searchUserTemplate = s;
+ } else {
+ if( buf != NULL ) {
+ PR_Free( buf );
+ buf = NULL;
+ }
+ return 0;
+ }
+ }
if( ( s = PL_strstr( buf, "tokendb.searchActivityTemplate=" ) ) != NULL) {
s += PL_strlen( "tokendb.searchActivityTemplate=" );
@@ -1396,6 +1731,33 @@ int get_tus_config( char *name )
}
}
+ if( ( s = PL_strstr( buf, "tokendb.userDeleteTemplate=" ) ) != NULL ) {
+ s += PL_strlen( "tokendb.userDeleteTemplate=" );
+ v = s;
+
+ while( *s != '\x0D' && *s != '\x0A' && *s != '\0' &&
+ ( PRUint32 ) ( s - buf ) < size ) {
+ s++;
+ }
+
+ n = s - v;
+
+ s = PL_strndup( v, n );
+ if( s != NULL ) {
+ if( userDeleteTemplate != NULL ) {
+ PL_strfree( userDeleteTemplate );
+ userDeleteTemplate = NULL;
+ }
+ userDeleteTemplate = s;
+ } else {
+ if( buf != NULL ) {
+ PR_Free( buf );
+ buf = NULL;
+ }
+ return 0;
+ }
+ }
+
if( ( s = PL_strstr( buf, "tokendb.doTokenConfirmTemplate=" ) ) != NULL ) {
s += PL_strlen( "tokendb.doTokenConfirmTemplate=" );
v = s;
@@ -1585,6 +1947,33 @@ int get_tus_config( char *name )
}
}
+ if( ( s = PL_strstr( buf, "tokendb.editUserTemplate=" ) ) != NULL ) {
+ s += PL_strlen( "tokendb.editUserTemplate=" );
+ v = s;
+
+ while( *s != '\x0D' && *s != '\x0A' && *s != '\0' &&
+ ( PRUint32 ) ( s - buf ) < size ) {
+ s++;
+ }
+
+ n = s - v;
+
+ s = PL_strndup( v, n );
+ if( s != NULL ) {
+ if( editUserTemplate != NULL ) {
+ PL_strfree( editUserTemplate );
+ editUserTemplate = NULL;
+ }
+ editUserTemplate = s;
+ } else {
+ if( buf != NULL ) {
+ PR_Free( buf );
+ buf = NULL;
+ }
+ return 0;
+ }
+ }
+
if( ( s = PL_strstr( buf, "tokendb.editTemplate=" ) ) != NULL ) {
s += PL_strlen( "tokendb.editTemplate=" );
v = s;
@@ -1746,6 +2135,31 @@ int get_tus_config( char *name )
}
}
+ if( ( s = PL_strstr( buf, "target.tokenType.list=" ) ) != NULL ) {
+ s += PL_strlen( "target.tokenType.list=" );
+ v = s;
+
+ while( *s != '\x0D' && *s != '\x0A' && *s != '\0' &&
+ ( PRUint32 ) ( s - buf ) < size ) {
+ s++;
+ }
+
+ n = s - v;
+
+ s = PL_strndup( v, n );
+ if( s != NULL ) {
+ if( profileList != NULL ) {
+ PL_strfree( profileList );
+ profileList = NULL;
+ }
+ profileList = s;
+ } else {
+ do_free(buf);
+ return 0;
+ }
+ }
+
+
if( buf != NULL ) {
PR_Free( buf );
buf = NULL;
@@ -1953,6 +2367,93 @@ char *stripBase64HeaderAndFooter( char *cert )
return base64_data;
}
+/**
+ * util_read
+ * summary: called from read_post. reads posted data
+ */
+static int util_read(request_rec *r, const char **rbuf)
+{
+ int rc = OK;
+
+ if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) {
+ return rc;
+ }
+
+ if (ap_should_client_block(r)) {
+ char argsbuffer[HUGE_STRING_LEN];
+ int rsize, len_read, rpos=0;
+ long length = r->remaining;
+ *rbuf = (const char*) apr_pcalloc(r->pool, length + 1);
+
+
+ while ((len_read =
+ ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) {
+ if ((rpos + len_read) > length) {
+ rsize = length - rpos;
+ }
+ else {
+ rsize = len_read;
+ }
+ memcpy((char*)*rbuf + rpos, argsbuffer, rsize);
+ rpos += rsize;
+ }
+
+ }
+
+ return rc;
+}
+
+/**
+ * read_post
+ * read data in a post request and store it in an apr_table
+ */
+static int read_post(request_rec *r, apr_table_t **tab)
+{
+ const char *data;
+ const char *key, *val, *type;
+ int rc = OK;
+
+ if((rc = util_read(r, &data)) != OK) {
+ return rc;
+ }
+
+ if(*tab) {
+ apr_table_clear(*tab);
+ }
+ else {
+ *tab = apr_table_make(r->pool, 8);
+ }
+
+ while(*data && (val = ap_getword(r->pool, &data, '&'))) {
+ key = ap_getword(r->pool, &val, '=');
+
+ ap_unescape_url((char*)key);
+ ap_unescape_url((char*)val);
+
+ apr_table_merge(*tab, key, val);
+ }
+
+ return OK;
+}
+
+/**
+ * add_authorization_data
+ * writes variable that describe whether the user is an admin, agent or operator to the
+ * injection data. Used by templates to determine which tabs to display
+ */
+void add_authorization_data(const char *userid, int is_admin, int is_operator, int is_agent, char *injection)
+{
+ if (is_agent) {
+ PL_strcat(injection, "var agentAuth = \"true\";\n");
+ }
+ if (is_operator) {
+ PL_strcat(injection, "var operatorAuth = \"true\";\n");
+ }
+ if (is_admin) {
+ PL_strcat(injection, "var adminAuth = \"true\";\n");
+ }
+}
+
/**
* mod_tokendb_handler handles the protocol between the tokendb and the RA
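Review bot: `util_read` leaves `*rbuf` unset when `ap_should_client_block` returns 0 (a POST with no body, or a GET that reaches this path), and `read_post` then dereferences the uninitialized `data` pointer in `while(*data && …)`. Set the output at the top of `util_read` with `*rbuf = NULL;` and guard the parser with `if (data == NULL || *data == '\0') return OK;` before the loop. `length` is taken from `r->remaining` with no upper bound, so a request can make `apr_pcalloc` reserve whatever Content-Length it declares; compare it against a fixed maximum and return `HTTP_REQUEST_ENTITY_TOO_LARGE` above it. The return value of `ap_unescape_url` is discarded, and the values it stores are decoded a second time by `unencode` in `get_post_field`, so a `%25xx` sequence is decoded twice; one of the two decodes should go.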
@@ -1976,7 +2477,22 @@ mod_tokendb_handler( request_rec *rq )
char *error = NULL;
char *tid = NULL;
char *question = NULL;
- char **a = NULL;
+ const char *tokentype = NULL;
+
+
+ /* user fields */
+ char *uid = NULL;
+ char *firstName = NULL;
+ char *lastName = NULL;
+ char *opOperator = NULL;
+ char *opAdmin = NULL;
+ char *opAgent = NULL;
+ char *userCert = NULL;
+
+ /* keep track of which menu we are in - operator or agent */
+ char *topLevel = NULL;
+
+ char **attrs = NULL;
char **vals = NULL;
int maxReturns;
int q;
@@ -1992,10 +2508,23 @@ mod_tokendb_handler( request_rec *rq )
char cuid[256];
char cuidUserId[100];
char serial[100];
+ char userCN[256];
+ char tokenType[512];
+ apr_table_t *post = NULL; /* used for POST data */
+
char *statusString;
char *s1, *s2;
char *end;
char **attr_values;
+ char *auth_filter = NULL;
+
+ /* authorization */
+ int is_admin = 0;
+ int is_agent = 0;
+ int is_operator = 0;
+
+ int end_val =0;
+ int start_val = 0;
RA::Debug( "mod_tokendb_handler::mod_tokendb_handler",
"mod_tokendb_handler::mod_tokendb_handler" );
@@ -2066,25 +2595,8 @@ mod_tokendb_handler( request_rec *rq )
rq,
( char * ) "SSL_CLIENT_CERT" );
if( cert == NULL ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authentication Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authenticate request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
+ error_out("Authentication Failure", "Failed to authenticate request");
+ do_free(buf);
return DECLINED;
}
@@ -2097,35 +2609,37 @@ mod_tokendb_handler( request_rec *rq )
tokendbDebug( "\n" );
userid = tus_authenticate( base64_cert );
+ do_free(base64_cert);
if( userid == NULL ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authentication Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authenticate request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
+ error_out("Authentication Failure", "Failed to authenticate request");
+ do_free(buf);
return DECLINED;
}
+ /* authorization */
+ is_admin = tus_authorize(TOKENDB_ADMINISTRATORS_IDENTIFIER, userid);
+ is_agent = tus_authorize(TOKENDB_AGENTS_IDENTIFIER, userid);
+ is_operator = tus_authorize(TOKENDB_OPERATORS_IDENTIFIER, userid);
+ auth_filter = get_authorized_profiles(userid, is_admin);
+
+ tokendbDebug("auth_filter");
+ tokendbDebug(auth_filter);
+
if( rq->uri != NULL ) {
uri = PL_strdup( rq->uri );
}
-
- if( rq->args != NULL ) {
- query = PL_strdup( rq->args );
+
+ if (rq->method_number == M_POST) {
+ status = read_post(rq, &post);
+ if(post && !apr_is_empty_table(post)) {
+ query = PL_strdup( apr_table_get(post, "query"));
+ }
+ } else {
+ /* GET request */
+ if( rq->args != NULL ) {
+ query = PL_strdup( rq->args );
+ }
}
RA::Debug( "mod_tokendb_handler::mod_tokendb_handler",
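Review bot: The return value of read_post at L980 is stored in `status` but never examined, so a failed body read (util_read returning the error from ap_setup_client_block, e.g. a chunked request rejected by REQUEST_CHUNKED_ERROR) is silently treated as a request with no query. Also, when the POST body carries no `query` key, apr_table_get returns NULL and that NULL is handed to PL_strdup; if I recall NSPR's behaviour correctly that yields an allocated empty string rather than NULL, so the `query == NULL` index branch is skipped and no `op=` branch matches either. I would write `const char *q = apr_table_get(post, "query"); if (q != NULL) query = PL_strdup(q);` and return DECLINED (after freeing uri) when `status != OK`. The enclosing function mod_tokendb_handler starts and ends outside this hunk.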
@@ -2133,122 +2647,79 @@ mod_tokendb_handler( request_rec *rq )
uri, ( query==NULL?"":query ) );
if( query == NULL ) {
- tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
+ char *itemplate = NULL;
+ tokendbDebug( "authorization for index case\n" );
+ if (is_agent) {
+ itemplate = indexTemplate;
+ } else if (is_operator) {
+ itemplate = indexOperatorTemplate;
+ } else if (is_admin) {
+ itemplate = indexAdminTemplate;
+ } else {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ return DECLINED;
+ }
+ PR_snprintf( injection, MAX_INJECTION_SIZE,
+ "%s%s%s%s%s%s%s", JS_START,
+ "var uriBase = \"", uri, "\";\n",
+ "var userid = \"", userid,
+ "\";\n" );
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
+
+ buf = getData( itemplate, injection );
+ itemplate = NULL;
+ } else if( ( PL_strstr( query, "op=index_operator" ) ) ) {
+ tokendbDebug( "authorization for op=index_operator\n" );
+ if (!is_operator) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n" );
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
- buf = getData( indexTemplate, injection );
+ buf = getData( indexOperatorTemplate, injection );
} else if( ( PL_strstr( query, "op=index_admin" ) ) ) {
tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
-
+ if (!is_admin) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n" );
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( indexAdminTemplate, injection );
} else if( ( PL_strstr( query, "op=do_token" ) ) ) {
- tokendbDebug( "authorization\n" );
-
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ tokendbDebug( "authorization for do_token\n" );
+ if( !is_agent ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
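Review bot: auth_filter, allocated by get_authorized_profiles just before this hunk, is not released on any of the `return DECLINED` paths here (L1028-L1036, L1050-L1055, L1100-L1105, L1150-L1155); it is only freed much later in the filter-building hunk, so every authorization failure leaks it, assuming do_free is the matching release for what get_authorized_profiles returns. The same applies to the early returns in the later hunks that use `error_out` (the op=revoke, op=search*, op=new, op=add_user and view/edit branches). Add `do_free(auth_filter);` next to the existing `do_free(query);` on each of these paths, or better, release it in one place at the function's exit. The enclosing function continues outside the hunk.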
@@ -2291,6 +2762,19 @@ mod_tokendb_handler( request_rec *rq )
attr_values = get_attribute_values( e, "tokenUserID" );
PL_strcpy( cuidUserId, attr_values[0] );
tokendbDebug( cuidUserId );
+ if (attr_values != NULL) {
+ free_values(attr_values, 1);
+ attr_values = NULL;
+ }
+
+ attr_values = get_attribute_values( e, "tokenType" );
+ PL_strcpy( tokenType, attr_values[0] );
+ tokendbDebug( tokenType );
+ if (attr_values != NULL) {
+ free_values(attr_values, 1);
+ attr_values = NULL;
+ }
+
}
}
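Review bot: The `attr_values != NULL` check at L1169 comes after `attr_values[0]` has already been dereferenced at L1167, so a token entry with no tokenType attribute (or a failed lookup) crashes the handler before the guard can help; the same ordering problem exists for tokenUserID at L1159, which this hunk leaves in place. Move the guard before the copy and bound the copy to the 512-byte buffer: `if (attr_values != NULL && attr_values[0] != NULL) { PL_strncpyz(tokenType, attr_values[0], sizeof(tokenType)); }`. The enclosing do_token branch starts and ends outside this hunk.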
@@ -2300,7 +2784,7 @@ mod_tokendb_handler( request_rec *rq )
PR_snprintf((char *)msg, 256,
"'%s' marked token physically damaged", userid);
RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated",
- msg, cuidUserId);
+ msg, cuidUserId, tokenType);
/* get the certificates on this lost token */
PR_snprintf( ( char * ) filter, 256,
@@ -2365,11 +2849,11 @@ mod_tokendb_handler( request_rec *rq )
// update certificate status
if( strcmp( revokeReason, "6" ) == 0 ) {
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as revoked_on_hold", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "revoked_on_hold" );
} else {
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as revoked", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "revoked" );
}
@@ -2425,20 +2909,9 @@ mod_tokendb_handler( request_rec *rq )
( void ) ap_rwrite( ( const void * ) buf,
PL_strlen( buf ), rq );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
} else if( rc > 0 ) {
@@ -2460,20 +2933,9 @@ mod_tokendb_handler( request_rec *rq )
( void ) ap_rwrite( ( const void * ) buf,
PL_strlen( buf ), rq );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
@@ -2488,7 +2950,7 @@ mod_tokendb_handler( request_rec *rq )
"'%s' marked token terminated", userid);
}
RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated",
- msg, cuidUserId);
+ msg, cuidUserId, tokenType);
/* get the certificates on this lost token */
PR_snprintf( ( char * ) filter, 256,
@@ -2557,11 +3019,11 @@ mod_tokendb_handler( request_rec *rq )
// update certificate status
if( strcmp(revokeReason, "6" ) == 0 ) {
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as revoked_on_hold", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "revoked_on_hold" );
} else {
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as revoked", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "revoked" );
}
@@ -2625,20 +3087,9 @@ mod_tokendb_handler( request_rec *rq )
( void ) ap_rwrite( ( const void * ) buf,
PL_strlen( buf ), rq );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
} else if( rc > 0 ) {
@@ -2658,20 +3109,9 @@ mod_tokendb_handler( request_rec *rq )
( void ) ap_rwrite( ( const void * ) buf,
PL_strlen( buf ), rq );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
@@ -2682,7 +3122,7 @@ mod_tokendb_handler( request_rec *rq )
PR_snprintf((char *)msg, 256,
"'%s' marked token temporarily lost", userid);
RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated",
- msg, cuidUserId);
+ msg, cuidUserId, tokenType);
/* all certs on the token are revoked (onHold) */
tokendbDebug( "Revoke all the certs on this token "
@@ -2754,11 +3194,11 @@ mod_tokendb_handler( request_rec *rq )
if( strcmp( revokeReason, "6" ) == 0 ) {
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as revoked_on_hold", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "revoked_on_hold" );
} else {
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as revoked", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "revoked" );
}
}
@@ -2805,20 +3245,9 @@ mod_tokendb_handler( request_rec *rq )
( void ) ap_rwrite( ( const void * ) buf,
PL_strlen( buf ), rq );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
} else if( rc > 0 ) {
@@ -2838,20 +3267,9 @@ mod_tokendb_handler( request_rec *rq )
( void ) ap_rwrite( ( const void * ) buf,
PL_strlen( buf ), rq );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
@@ -2862,7 +3280,7 @@ mod_tokendb_handler( request_rec *rq )
PR_snprintf((char *)msg, 256,
"'%s' marked lost token found", userid);
RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated",
- msg, cuidUserId);
+ msg, cuidUserId, tokenType);
tokendbDebug( "The temporarily lost token is found.\n" );
@@ -2926,7 +3344,7 @@ mod_tokendb_handler( request_rec *rq )
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as active", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "active" );
if( attr_cn != NULL ) {
@@ -2964,67 +3382,19 @@ mod_tokendb_handler( request_rec *rq )
update_token_status_reason( cuidUserId, cuid, "active", NULL );
if( rc == -1 ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s", JS_START,
- "var error = \"Failed to create LDAPMod: ",
- "\";\n", JS_STOP );
+ error_out("Failed to create LDAPMod: ", "Failed to create LDAPMod");
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to create LDAPMod" );
-
- ( void ) ap_rwrite( ( const void * ) buf,
- PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
} else if( rc > 0 ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"LDAP mod error: ",
- ldap_err2string( rc ),
- "\";\n", JS_STOP );
+ ldap_error_out("LDAP mod error: ", "LDAP error: %s");
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "LDAP error: %s",
- ldap_err2string( rc ) );
-
- ( void ) ap_rwrite( ( const void * ) buf,
- PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
@@ -3035,7 +3405,7 @@ mod_tokendb_handler( request_rec *rq )
PR_snprintf((char *)msg, 256,
"'%s' marked lost token permanently lost", userid);
RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated",
- msg, cuidUserId);
+ msg, cuidUserId, tokenType);
tokendbDebug( "Change the revocation reason from onHold "
"to keyCompromise\n" );
@@ -3123,11 +3493,11 @@ mod_tokendb_handler( request_rec *rq )
if( strcmp( revokeReason, "6" ) == 0 ) {
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as revoked_on_hold", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "revoked_on_hold" );
} else {
PR_snprintf((char *)msg, 256, "Certificate '%s' is marked as revoked", attr_cn);
- RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId);
+ RA::tdb_activity(rq->connection->remote_ip, cuid, "do_token", "initiated", msg, cuidUserId, attr_tokenType);
update_cert_status( attr_cn, "revoked" );
}
@@ -3170,45 +3540,24 @@ mod_tokendb_handler( request_rec *rq )
tokendbDebug( "do_token: rc = 0\n" );
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%d%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%d%s%s%s%s%s%s%s", JS_START,
"var rc = \"", rc, "\";\n",
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n" );
+
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( doTokenTemplate, injection );
} else if( ( PL_strstr( query, "op=revoke" ) ) ) {
tokendbDebug("authorization\n");
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
-
+ if( ! is_agent ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
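Review bot: The `error_out` / `do_free` sequence on the authorization failure at L1520-L1525 is the same four lines repeated in every branch of this function, and none of them releases auth_filter, which was allocated after authentication; a small helper or macro that frees buf, uri, query and auth_filter together would make the cleanup uniform and close the leak in one place. The enclosing function starts and ends outside this hunk.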
@@ -3217,307 +3566,219 @@ mod_tokendb_handler( request_rec *rq )
/* tid=cuid */
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n" );
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( revokeTemplate, injection );
} else if( ( PL_strstr( query, "op=search_activity" ) ) ) {
tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ /* check removed - all roles permit this
+ if ((! is_agent) && (! is_operator) && (! is_admin)) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
- }
+ } */
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n" );
+
+ topLevel = get_field(query, "top=");
+ if ((topLevel != NULL) && (PL_strstr(topLevel, "operator"))) {
+ PL_strcat(injection, "var topLevel = \"operator\";\n");
+ }
+ do_free(topLevel);
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( searchActivityTemplate, injection );
- } else if( ( PL_strstr( query, "op=search_admin" ) ) ) {
+ } else if( ( PL_strstr( query, "op=search_admin" ) ) ||
+ ( PL_strstr( query, "op=search_users" ) )) {
tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_ADMINISTRATORS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n" );
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
- buf = getData( searchAdminTemplate, injection );
- } else if( ( PL_strstr( query, "op=search_certificate" ) ) ) {
+ if ( PL_strstr( query, "op=search_admin" ) ) {
+ buf = getData( searchAdminTemplate, injection );
+ } else if ( PL_strstr( query, "op=search_users" ) ) {
+ buf = getData( searchUserTemplate, injection );
+ }
+ } else if ( PL_strstr( query, "op=search_certificate" ) ) {
tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
-
+ if ((! is_agent) && (! is_operator)) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n");
+
+ topLevel = get_field(query, "top=");
+ if ((topLevel != NULL) && (PL_strstr(topLevel, "operator"))) {
+ PL_strcat(injection, "var topLevel = \"operator\";\n");
+ }
+ do_free(topLevel);
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( searchCertificateTemplate, injection );
} else if( ( PL_strstr( query, "op=search" ) ) ) {
- tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
-
+ tokendbDebug( "authorization for op=search\n" );
+ if ((! is_agent) && (! is_operator)) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n");
+
+ topLevel = get_field(query, "top=");
+ if ((topLevel != NULL) && (PL_strstr(topLevel, "operator"))) {
+ PL_strcat(injection, "var topLevel = \"operator\";\n");
+ }
+ do_free(topLevel);
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( searchTemplate, injection );
} else if( ( PL_strstr( query, "op=new" ) ) ) {
tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_ADMINISTRATORS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
+ if( ! is_agent ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+ return DECLINED;
+ }
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
+ PR_snprintf( injection, MAX_INJECTION_SIZE,
+ "%s%s%s%s%s%s%s", JS_START,
+ "var uriBase = \"", uri, "\";\n",
+ "var userid = \"", userid,
+ "\";\n" );
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ buf = getData( newTemplate,injection );
+ } else if ( ( PL_strstr( query, "op=add_user" ) ) ) {
+ tokendbDebug( "authorization for add_user\n" );
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s", JS_START,
- "var uriBase = \"", uri, "\";\n",
+ "%s%s%s%s%s%s%s", JS_START,
+ "var uriBase = \"", uri, "\";\n",
"var userid = \"", userid,
- "\";\n", JS_STOP );
+ "\";\n");
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
- buf = getData( newTemplate,injection );
+ buf = getData( newUserTemplate,injection );
} else if( ( PL_strstr( query, "op=view_admin" ) ) ||
( PL_strstr( query, "op=view_certificate" ) ) ||
( PL_strstr( query, "op=view_activity" ) ) ||
+ ( PL_strstr( query, "op=view_users" ) ) ||
( PL_strstr( query, "op=view" ) ) ||
( PL_strstr( query, "op=edit_admin" ) ) ||
+ ( PL_strstr( query, "op=edit_user" ) ) ||
( PL_strstr( query, "op=edit" ) ) ||
( PL_strstr( query, "op=show_certificate" ) ) ||
( PL_strstr( query, "op=show" ) ) ||
( PL_strstr( query, "op=do_confirm_token" ) ) ||
+ ( PL_strstr( query, "op=user_delete_confirm"))||
( PL_strstr( query, "op=confirm" ) ) ) {
if( ( PL_strstr( query, "op=confirm" ) ) ||
( PL_strstr( query, "op=view_admin" ) ) ||
( PL_strstr( query, "op=show_admin" ) ) ||
+ ( PL_strstr( query, "op=view_users") ) ||
+ ( PL_strstr( query, "op=edit_user") ) ||
+ ( PL_strstr( query, "op=user_delete_confirm") ) ||
( PL_strstr( query, "op=edit_admin" ) ) ) {
- tokendbDebug( "authorization\n" );
-
- if( !tus_authorize( TOKENDB_ADMINISTRATORS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
+ tokendbDebug( "authorization for admin ops\n" );
- buf = getData( errorTemplate, injection );
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf,
- PL_strlen( buf ), rq );
+ return DECLINED;
+ }
+ } else if ((PL_strstr(query, "op=edit")) ||
+ (PL_strstr(query, "do_confirm_token"))) {
+ tokendbDebug( "authorization for op=edit and op=do_confirm_token\n" );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
+ if (! is_agent ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
+ return DECLINED;
+ }
+ } else if (PL_strstr(query, "op=view_activity")) {
+ tokendbDebug( "authorization for view_activity\n" );
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ /* check removed -- all roles permitted
+ if ( (! is_agent) && (! is_operator) && (! is_admin)) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
- }
+ } */
} else {
tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) )
- {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf,
- PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ if ((! is_agent) && (!is_operator)) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
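Review bot: The op=new branch changes its authorization from TOKENDB_ADMINISTRATORS_IDENTIFIER (removed at L1764) to `is_agent` at L1783, which widens who may add tokens; if that is intended by the roles rework it deserves a one-line comment such as `/* agents create tokens; admins manage users (op=add_user) */`, otherwise the check should read `if( ! is_admin )`. The disabled authorization checks at L1570-L1578 and L1894-L1902 are left as commented-out code; replace each with a single comment stating that all three roles may reach the page, so the block is not mistaken for a forgotten check. At L1871 the `do_confirm_token` match lacks the `op=` prefix that every sibling condition uses, so a query for another op whose other parameters contain that substring is classified differently from its siblings; make it `(PL_strstr(query, "op=do_confirm_token"))`. The enclosing function starts and ends outside this hunk.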
@@ -3529,11 +3790,18 @@ mod_tokendb_handler( request_rec *rq )
getCertificateFilter( filter, query );
} else if( PL_strstr( query, "op=show_certificate" ) ) {
getCertificateFilter( filter, query );
+ } else if ((PL_strstr( query, "op=view_users" ) ) ||
+ (PL_strstr( query, "op=user_delete_confirm")) ||
+ (PL_strstr( query, "op=edit_user" ) )) {
+ getUserFilter( filter, query );
} else {
getFilter( filter, query );
}
+ char *complete_filter = add_profile_filter(filter, auth_filter);
+ do_free(auth_filter);
tokendbDebug( "looking for filter:" );
+ tokendbDebug( complete_filter );
tokendbDebug( filter );
tokendbDebug( "\n" );
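Review bot: getUserFilter at L1950 builds an LDAP search filter directly from the request query for the new user-management pages; the hunk does not show whether it escapes filter metacharacters (`*`, `(`, `)`, `\`, NUL) in the supplied value, and as this path is admin-only the exposure is limited, but it is worth confirming and stating in getUserFilter's header comment. Separately, the debug lines at L1956-L1958 now print both complete_filter and the original filter under the single `looking for filter:` label, which makes the log ambiguous; drop the `tokendbDebug( filter );` line or label the two values. The enclosing function continues outside the hunk.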
@@ -3553,14 +3821,14 @@ mod_tokendb_handler( request_rec *rq )
}
if( PL_strstr( query, "op=view_activity" ) ) {
- status = find_tus_activity_entries_no_vlv( filter, &result, 0 );
+ status = find_tus_activity_entries_no_vlv( complete_filter, &result, 0 );
} else if( PL_strstr( query, "op=view_certificate" ) ) {
ap_log_error( ( const char * ) "tus", __LINE__,
APLOG_ERR, 0, rq->server,
- ( const char * ) "LDAP filter: %s", filter);
+ ( const char * ) "LDAP filter: %s", complete_filter);
- status = find_tus_certificate_entries_by_order_no_vlv( filter,
+ status = find_tus_certificate_entries_by_order_no_vlv( complete_filter,
&result,
0 );
} else if( PL_strstr( query, "op=show_certificate" ) ||
@@ -3571,9 +3839,9 @@ mod_tokendb_handler( request_rec *rq )
ap_log_error( ( const char * ) "tus", __LINE__,
APLOG_ERR, 0, rq->server,
- ( const char * ) "LDAP filter: %s", filter);
+ ( const char * ) "LDAP filter: %s", complete_filter);
- status = find_tus_certificate_entries_by_order_no_vlv( filter,
+ status = find_tus_certificate_entries_by_order_no_vlv( complete_filter,
&result,
0 );
} else if( PL_strstr( query, "op=show_admin" ) ||
@@ -3581,45 +3849,26 @@ mod_tokendb_handler( request_rec *rq )
PL_strstr( query, "op=edit_admin" ) ||
PL_strstr( query, "op=confirm" ) ||
PL_strstr( query, "op=do_confirm_token" ) ) {
- status = find_tus_token_entries_no_vlv( filter, &result, 0 );
+ status = find_tus_token_entries_no_vlv( complete_filter, &result, 0 );
+ } else if ((PL_strstr (query, "op=view_users" )) ||
+ (PL_strstr (query, "op=user_delete_confirm")) ||
+ (PL_strstr (query, "op=edit_user" ))) {
+ status = find_tus_user_entries_no_vlv( filter, &result, 0);
} else {
- status = find_tus_db_entries( filter, maxReturns, &result );
+ status = find_tus_db_entries( complete_filter, maxReturns, &result );
}
if( status != LDAP_SUCCESS ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"LDAP search error: ",
- ldap_err2string( status ),
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "LDAP search error: %s",
- ldap_err2string( status ) );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ ldap_error_out("LDAP search error: ", "LDAP search error: %s");
+ do_free(complete_filter);
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
+ do_free(complete_filter);
nEntries = get_number_of_entries( result );
entryNum = 0;
maxEntries = 0;
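Review bot: The user-management branch at `status = find_tus_user_entries_no_vlv( filter, &result, 0);` searches with the raw `filter` while every sibling branch in this hunk passes `complete_filter`, and nothing says why. If user entries carry no profile attribute and the profile restriction is intentionally skipped, say so in place, e.g. `/* user entries are not profile-scoped; search with the unrestricted filter */`; if it is an oversight, the call should take `complete_filter` like the others. `complete_filter` is freed only on the two paths visible here, so any early return between the filter build and this search (outside the hunk) would need its own `do_free(complete_filter)`.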
@@ -3649,6 +3898,12 @@ mod_tokendb_handler( request_rec *rq )
( void ) ap_rwrite( ( const void * ) buf, tagOffset, rq );
sendPieces = 1;
}
+ } else if (sendInPieces && PL_strstr( query, "op=view_users" )) {
+ buf = getTemplateFile( searchUserResultTemplate, &tagOffset );
+ if( buf != NULL && tagOffset >= 0 ) {
+ ( void ) ap_rwrite( ( const void * ) buf, tagOffset, rq );
+ sendPieces = 1;
+ }
} else if( sendInPieces && PL_strstr( query, "op=view" ) ) {
buf = getTemplateFile( searchResultTemplate, &tagOffset );
if( buf != NULL && tagOffset >= 0 ) {
@@ -3699,14 +3954,43 @@ mod_tokendb_handler( request_rec *rq )
PL_strcat( injection, "\";\n" );
}
+ /* get attributes to be displayed to the user */
if( PL_strstr( query, "op=view_activity" ) ) {
- a = get_activity_attributes();
+ attrs = get_activity_attributes();
} else if( PL_strstr( query, "op=view_certificate" ) ) {
- a = get_certificate_attributes();
+ attrs = get_certificate_attributes();
} else if( PL_strstr( query, "op=show_certificate" ) ) {
- a = get_certificate_attributes();
+ attrs = get_certificate_attributes();
+ } else if ((PL_strstr( query, "op=user_delete_confirm")) ||
+ (PL_strstr( query, "op=edit_user") ) ) {
+ attrs = get_user_attributes();
+ } else if (PL_strstr( query, "op=view_users") ) {
+ attrs = get_view_user_attributes();
} else {
- a = get_token_attributes();
+ attrs = get_token_attributes();
+ }
+
+ /* start_val used in paging of profiles on the edit_user page */
+ if (PL_strstr( query, "op=edit_user") ) {
+ char *start_val_str = get_field(query, "start_val=");
+ if (start_val_str != NULL) {
+ start_val = atoi(start_val_str);
+ do_free(start_val_str);
+ } else {
+ start_val = 0;
+ }
+ end_val = start_val + NUM_PROFILES_TO_DISPLAY;
+ }
+
+ /* flash used to display edit result upon redirection back to the edit_user page */
+ if (PL_strstr(query, "op=edit_user") ) {
+ char *flash = get_field(query, "flash=");
+ if (flash != NULL) {
+ PL_strcat(injection, "var flash = \"");
+ PL_strcat(injection, flash);
+ PL_strcat(injection, "\";\n");
+ do_free(flash);
+ }
}
for( e = get_first_entry( result );
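Review bot: `start_val = atoi(start_val_str);` takes a value straight from the query string with no range check, and it is later used as the starting index into the attribute value array, so a negative `start_val` becomes a negative array index. Clamp it right after the conversion, e.g. `if (start_val < 0) start_val = 0;`. The `flash` parameter is likewise copied verbatim into the generated JavaScript between quotes (`var flash = "…"`), so a quote or backslash in the query string terminates the string literal early; it should be escaped, or restricted to a known set of messages, before the `PL_strcat`. The `PL_strcat` calls into `injection` here are unbounded, which presumably relies on an earlier size check on the query — worth confirming, since the enclosing function continues outside this hunk.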
@@ -3716,15 +4000,22 @@ mod_tokendb_handler( request_rec *rq )
PL_strcat( injection, "var o = new Object();\n" );
- for( n = 0; a[n] != NULL; n++ ) {
+ for( n = 0; attrs[n] != NULL; n++ ) {
/* Get the values of the attribute. */
- if( ( vals = get_attribute_values( e, a[n] ) ) != NULL ) {
+ if( ( vals = get_attribute_values( e, attrs[n] ) ) != NULL ) {
+ int v_start =0;
+ int v_end = MAX_INJECTION_SIZE;
PL_strcat( injection, "o." );
- PL_strcat( injection, a[n] );
+ PL_strcat( injection, attrs[n] );
PL_strcat( injection, " = " );
- for( i = 0; vals[i] != NULL; i++ ) {
- if( i > 0 ) {
+ if (PL_strstr(attrs[n], PROFILE_ID)) {
+ v_start = start_val;
+ v_end = end_val;
+ }
+
+ for( i = v_start; (vals[i] != NULL) && (i < v_end); i++ ) {
+ if( i > start_val ) {
PL_strcat( injection, "#" );
} else {
PL_strcat( injection, "\"" );
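Review bot: The loop `for( i = v_start; (vals[i] != NULL) && (i < v_end); i++ )` indexes `vals[v_start]` without confirming that the entries before it exist, so a `start_val` larger than the number of profile values reads past the NULL terminator. Walk from 0 up to `v_start` first and stop at the terminator: `for (i = 0; i < v_start && vals[i] != NULL; i++) {}` followed by `for (; vals[i] != NULL && i < v_end; i++) {`. The separator test on the next line compares against `start_val` while the closing test in the same loop (in the following hunk) uses `v_start`; for non-profile attributes `v_start` is 0 but `start_val` may be larger on the edit_user page, so a second value would be prefixed with `"` instead of `#` — it should read `if( i > v_start ) {`.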
@@ -3733,12 +4024,23 @@ mod_tokendb_handler( request_rec *rq )
PL_strcat( injection, vals[i] );
}
- if( i > 0 ) {
+ if( i > v_start ) {
PL_strcat( injection, "\";\n" );
} else {
PL_strcat( injection, "null;\n" );
}
+ if (PL_strstr(attrs[n], PROFILE_ID)) {
+ if (vals[i] != NULL) {
+ PL_strcat( injection, "var has_more_profile_vals = \"true\";\n");
+ } else {
+ PL_strcat( injection, "var has_more_profile_vals = \"false\";\n");
+ }
+ PR_snprintf(msg, 256, "var start_val = %d ;\n var end_val = %d ;\n",
+ start_val, i);
+ PL_strcat( injection, msg);
+ }
+
/* Free the attribute values from memory when done. */
if( vals != NULL ) {
free_values( vals, 1 );
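Review bot: `PR_snprintf(msg, 256, ...)` hard-codes the size of `msg`, while the same buffer is written with a 512 limit at the `PR_snprintf(msg, 512, ...)` calls in later hunks of this file; whichever literal is wrong risks truncation or, if 512 exceeds the real size, an overflow. If `msg` is a fixed array in this function (its declaration is outside the hunk), use `sizeof(msg)` at each call instead of a literal. `msg` is only appended to `injection` here, so nothing else changes.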
@@ -3803,6 +4105,99 @@ mod_tokendb_handler( request_rec *rq )
PL_strcat( injection, "\";\n" );
}
+ /* populate the user roles */
+ if ((PL_strstr( query, "op=edit_user")) ||
+ (PL_strstr( query, "op=user_delete_confirm"))) {
+
+ uid = get_field(query, "uid=");
+ bool officer = false;
+ bool agent = false;
+ bool admin = false;
+ status = find_tus_user_role_entries( uid, &result );
+ for (e = get_first_entry( result );
+ e != NULL;
+ e = get_next_entry( e ) ) {
+ char *dn = NULL;
+ dn = get_dn(e);
+ if (PL_strstr(dn, "Officers"))
+ officer=true;
+ if (PL_strstr(dn, "Agents"))
+ agent = true;
+ if (PL_strstr(dn, "Administrators"))
+ admin = true;
+ if (dn != NULL) {
+ PL_strfree(dn);
+ dn=NULL;
+ }
+ }
+ if (officer) {
+ PL_strcat( injection, "var operator = \"CHECKED\"\n");
+ } else {
+ PL_strcat( injection, "var operator = \"\"\n");
+ }
+ if (agent) {
+ PL_strcat( injection, "var agent = \"CHECKED\"\n");
+ } else {
+ PL_strcat( injection, "var agent = \"\"\n");
+ }
+ if (admin) {
+ PL_strcat( injection, "var admin = \"CHECKED\"\n");
+ } else {
+ PL_strcat( injection, "var admin = \"\"\n");
+ }
+
+ if( result != NULL ) {
+ free_results( result );
+ result = NULL;
+ }
+ do_free(uid);
+ }
+
+ /* populate the profile checkbox */
+ /* for sanity, we limit the number of entries displayed as well as the max number of characters transferred */
+ if (PL_strstr( query, "op=edit_user")) {
+ if (profileList != NULL) {
+ int n_profiles = 0;
+ int l_profiles = 0;
+ bool more_profiles = false;
+
+ char *pList = PL_strdup(profileList);
+ char *sresult = NULL;
+
+ PL_strcat( injection, "var profile_list = new Array(");
+ sresult = strtok(pList, ",");
+ n_profiles++;
+ while (sresult != NULL) {
+ n_profiles++;
+ l_profiles += PL_strlen(sresult);
+ if ((n_profiles > NUM_PROFILES_TO_DISPLAY) || (l_profiles > MAX_LEN_PROFILES_TO_DISPLAY)) {
+ PL_strcat(injection, "\"Other Profiles\",");
+ more_profiles = true;
+ break;
+ }
+
+ PL_strcat(injection, "\"");
+ PL_strcat(injection, sresult);
+ PL_strcat(injection, "\",");
+ sresult = strtok(NULL, ",");
+ }
+ do_free(pList);
+ PL_strcat(injection, "\"All Profiles\")\n");
+ if (more_profiles) {
+ PL_strcat(injection, "var more_profiles=\"true\";\n");
+ } else {
+ PL_strcat(injection, "var more_profiles=\"false\";\n");
+ }
+ }
+ }
+ topLevel = get_field(query, "top=");
+ if ((topLevel != NULL) && (PL_strstr(topLevel, "operator"))) {
+ PL_strcat(injection, "var topLevel = \"operator\";\n");
+ }
+ do_free(topLevel);
+
+
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
PL_strcat( injection, JS_STOP );
if( sendPieces ) {
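Review bot: The return value of `find_tus_user_role_entries( uid, &result )` is stored in `status` but never checked, and `result` is reassigned while the earlier search result may still be held in it, so a failed lookup walks whatever `result` contains and the previous result is presumably leaked (its free is outside this hunk). Check `status` before the loop and release or NULL `result` first; `uid` from `get_field` can also be NULL here and is passed through unchecked. The profile list is split with `strtok`, which keeps static state and is not safe in a threaded MPM; `strtok_r` (or `apr_strtok`) with a local save pointer does the same job. The `n_profiles++` before the `while` makes the count start at 2 for the first profile, so the `NUM_PROFILES_TO_DISPLAY` limit looks like it triggers one entry early — confirm the intended count.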
@@ -3831,8 +4226,12 @@ mod_tokendb_handler( request_rec *rq )
buf = getData( showAdminTemplate, injection );
} else if( PL_strstr( query, "op=view_admin" ) ) {
buf = getData( searchAdminResultTemplate, injection );
+ } else if (PL_strstr( query, "op=view_users") ) {
+ buf = getData( searchUserResultTemplate, injection);
} else if( PL_strstr( query, "op=view" ) ) {
buf = getData( searchResultTemplate, injection );
+ } else if (PL_strstr( query, "op=edit_user") ) {
+ buf = getData( editUserTemplate, injection);
} else if( PL_strstr( query, "op=edit" ) ) {
buf = getData( editTemplate, injection );
} else if( PL_strstr( query, "op=show_certificate" ) ) {
@@ -3843,7 +4242,10 @@ mod_tokendb_handler( request_rec *rq )
buf = getData( showTemplate, injection );
} else if( PL_strstr( query, "op=confirm" ) ) {
buf = getData( deleteTemplate, injection );
+ } else if ( PL_strstr( query, "op=user_delete_confirm" ) ) {
+ buf = getData( userDeleteTemplate, injection );
}
+
}
if( injection != fixed_injection ) {
@@ -3854,38 +4256,204 @@ mod_tokendb_handler( request_rec *rq )
injection = fixed_injection;
}
- } else if( PL_strstr( query, "op=save_admin" ) ) {
- tokendbDebug( "authorization\n" );
+ } else if ( PL_strstr( query, "op=add_profile_user" )) {
+ tokendbDebug("authorization for op=add_profile_user");
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
- if( !tus_authorize( TOKENDB_ADMINISTRATORS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
+ return DECLINED;
+ }
+ uid = get_post_field(post, "uid");
+ char *profile = get_post_field(post, "profile_0");
+ char *other_profile = get_post_field(post, "other_profile");
+ if ((profile != NULL) && (uid != NULL)) {
+ if (PL_strstr(profile, "Other Profiles")) {
+ if ((other_profile != NULL) && (match_profile(other_profile))) {
+ do_free(profile);
+ profile = PL_strdup(other_profile);
+ } else {
+ error_out("Invalid Profile to be added", "Invalid Profile to be added");
+ do_free(profile);
+ do_free(other_profile);
+ do_free(uid);
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
- buf = getData( errorTemplate, injection );
+ return OK;
+ }
+ }
+ if (PL_strstr(profile, ALL_PROFILES)) {
+ status = delete_all_profiles_from_user(userid, uid);
+ }
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
+ status = add_profile_to_user(userid, uid, profile);
+ if ((status != LDAP_SUCCESS) && (status != LDAP_TYPE_OR_VALUE_EXISTS)) {
+ PR_snprintf(msg, 512, "LDAP Error in adding profile %s to user %s",
+ profile, uid);
+ post_ldap_error(msg);
+ }
+ }
+ do_free(other_profile);
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
+ PR_snprintf((char *)msg, 512,
+ "'%s' has added profile %s to user %s", userid, profile, uid);
+ RA::tdb_activity(rq->connection->remote_ip, "", "add_profile", "success", msg, uid, NO_TOKEN_TYPE);
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
+
+ PR_snprintf(injection, MAX_INJECTION_SIZE,
+ "/tus/tus?op=edit_user&uid=%s&flash=Profile+%s+has+been+added+to+the+user+record",
+ uid, profile);
+ do_free(profile);
+ do_free(uid);
+ rq->method = apr_pstrdup(rq->pool, "GET");
+ rq->method_number = M_GET;
+
+ ap_internal_redirect_handler(injection, rq);
+ return OK;
+ } else if ( PL_strstr( query, "op=save_user" )) {
+ tokendbDebug( "authorization for op=save_user\n" );
+
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+
+ return DECLINED;
+ }
+ // first save user details
+ uid = get_post_field(post, "uid");
+ firstName = get_post_field(post, "firstName");
+ lastName = get_post_field(post, "lastName");
+ userCert = get_encoded_post_field(post, "userCert");
+ opOperator = get_post_field(post, "opOperator");
+ opAgent = get_post_field(post, "opAgent");
+ opAdmin = get_post_field(post, "opAdmin");
+
+ PR_snprintf((char *)userCN, 256,
+ "%s %s", firstName, lastName);
+
+ status = update_user_db_entry(userid, uid, lastName, userCN, userCert);
+
+ do_free(firstName);
+ do_free(lastName);
+ do_free(userCert);
+
+ if( status != LDAP_SUCCESS ) {
+ ldap_error_out("LDAP modify error: ", "LDAP error: %s");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+ do_free(uid);
+ do_free(opOperator);
+ do_free(opAgent);
+ do_free(opAdmin);
+
+ return DECLINED;
+ }
+
+ if ((opOperator != NULL) && (PL_strstr(opOperator, OPERATOR))) {
+ status = add_user_to_role_db_entry(userid, uid, OPERATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_TYPE_OR_VALUE_EXISTS)) {
+ PR_snprintf(msg, 512, "Error adding user %s to role %s", uid, OPERATOR);
+ post_ldap_error(msg);
+ }
+ } else {
+ status = delete_user_from_role_db_entry(userid, uid, OPERATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, OPERATOR);
+ post_ldap_error(msg);
}
+ }
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
+ if ((opAgent != NULL) && (PL_strstr(opAgent, AGENT))) {
+ status = add_user_to_role_db_entry(userid, uid, AGENT);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_TYPE_OR_VALUE_EXISTS)) {
+ PR_snprintf(msg, 512, "Error adding user %s to role %s", uid, AGENT);
+ post_ldap_error(msg);
+ }
+ } else {
+ status = delete_user_from_role_db_entry(userid, uid, AGENT);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, AGENT);
+ post_ldap_error(msg);
}
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
+ }
+
+ if ((opAdmin != NULL) && (PL_strstr(opAdmin, ADMINISTRATOR))) {
+ status = add_user_to_role_db_entry(userid, uid, ADMINISTRATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_TYPE_OR_VALUE_EXISTS)) {
+ PR_snprintf(msg, 512, "Error adding user %s to role %s", uid, ADMINISTRATOR);
+ post_ldap_error(msg);
+ }
+ } else {
+ status = delete_user_from_role_db_entry(userid, uid, ADMINISTRATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, ADMINISTRATOR);
+ post_ldap_error(msg);
+ }
+ }
+
+ do_free(opOperator);
+ do_free(opAgent);
+ do_free(opAdmin);
+
+ // save profile details
+ int nProfiles = atoi (get_post_field(post, "nProfiles"));
+
+ for (int i=0; i< nProfiles; i++) {
+ char p_name[256];
+ char p_delete[256];
+ PR_snprintf(p_name, 256, "profile_%d", i);
+ PR_snprintf(p_delete, 256, "delete_%d", i);
+ char *profile = get_post_field(post, p_name);
+ char *p_del = get_post_field(post, p_delete);
+
+ if ((profile != NULL) && (p_del != NULL) && (PL_strstr(p_del, "delete"))) {
+ status = delete_profile_from_user(userid, uid, profile);
+ if ((status != LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "LDAP Error in deleting profile %s from user %s",
+ profile, uid);
+ post_ldap_error(msg);
+ }
}
+ do_free(profile);
+ do_free(p_del);
+ }
+
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+
+ PR_snprintf((char *)msg, 512,
+ "'%s' has modified user %s", userid, uid);
+ RA::tdb_activity(rq->connection->remote_ip, "", "modify_user", "success", msg, uid, NO_TOKEN_TYPE);
+
+ PR_snprintf(injection, MAX_INJECTION_SIZE,
+ "/tus/tus?op=edit_user&uid=%s&flash=User+record+%s+has+been+updated",
+ uid, uid);
+ do_free(uid);
+ rq->method = apr_pstrdup(rq->pool, "GET");
+ rq->method_number = M_GET;
+
+ ap_internal_redirect_handler(injection, rq);
+ return OK;
+ } else if( PL_strstr( query, "op=save_admin" ) ) {
+ tokendbDebug( "authorization\n" );
+
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
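Review bot: `int nProfiles = atoi (get_post_field(post, "nProfiles"));` in the save_user branch drops the pointer returned by `get_post_field`, so the string is never freed, and a missing field makes it `atoi(NULL)`, which is undefined behaviour. Keep the pointer: `char *nProfiles_str = get_post_field(post, "nProfiles");`, `int nProfiles = (nProfiles_str != NULL) ? atoi(nProfiles_str) : 0;`, `do_free(nProfiles_str);`. In the same branch `uid` is passed to `update_user_db_entry` and the role updates without the NULL check that the do_delete_user branch performs. In the add_profile_user branch only the `Other Profiles` free-text path goes through `match_profile`, while a `profile_0` value taken directly from the POST body is added as-is; unless the name is validated inside `add_profile_to_user`, the same check should apply to both.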
@@ -3914,36 +4482,10 @@ mod_tokendb_handler( request_rec *rq )
}
if( status != LDAP_SUCCESS ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"LDAP modify error: ",
- ldap_err2string( status ),
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "LDAP error: %s",
- ldap_err2string( status ) );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
-
+ ldap_error_out("LDAP modify error: ", "LDAP error: %s");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
@@ -3951,42 +4493,20 @@ mod_tokendb_handler( request_rec *rq )
"%s%s%s%s%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid, "\";\n",
- "var tid = \"", filter, "\";\n", JS_STOP );
+ "var editType = \"Token\";\n",
+ "var tid = \"", filter, "\";\n");
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( editAdminResultTemplate, injection );
} else if( PL_strstr( query, "op=save" ) ) {
tokendbDebug( "authorization\n" );
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
-
+ if( ! is_agent ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
@@ -4011,157 +4531,272 @@ mod_tokendb_handler( request_rec *rq )
}
if( status != LDAP_SUCCESS ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"LDAP modify error: ",
- ldap_err2string( status ),
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "LDAP error: %s",
- ldap_err2string( status ) );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
-
+ ldap_error_out("LDAP modify error: ", "LDAP error: %s");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s%s%s%s%s%s%s", JS_START,
+ "%s%s%s%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid, "\";\n",
- "var tid = \"", filter, "\";\n", JS_STOP );
+ "var tid = \"", filter, "\";\n");
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( editResultTemplate, injection );
- } else if( PL_strstr( query, "op=add" ) ) {
- tokendbDebug( "authorization\n" );
+ } else if ( PL_strstr( query, "op=do_delete_user" ) ) {
+ tokendbDebug( "authorization for do_delete_user\n" );
- if( !tus_authorize( TOKENDB_ADMINISTRATORS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure",
- "\";\n", JS_STOP );
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
- buf = getData( errorTemplate, injection );
+ return DECLINED;
+ }
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
+ uid = get_post_field(post, "uid");
+ opOperator = get_post_field(post, "opOperator");
+ opAdmin = get_post_field(post, "opAdmin");
+ opAgent = get_post_field(post, "opAgent");
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
+ if (uid == NULL) {
+ error_out("Error in delete user. userid is null", "Error in delete user. userid is null");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+ do_free(opOperator);
+ do_free(opAdmin);
+ do_free(opAgent);
+
+ return DECLINED;
+ }
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
+ if (opOperator != NULL) {
+ status = delete_user_from_role_db_entry(userid, uid, OPERATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, OPERATOR);
+ post_ldap_error(msg);
}
+ }
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
+ if (opAgent != NULL) {
+ status = delete_user_from_role_db_entry(userid, uid, AGENT);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, AGENT);
+ post_ldap_error(msg);
}
+ }
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
+ if (opAdmin != NULL) {
+ status = delete_user_from_role_db_entry(userid, uid, ADMINISTRATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, ADMINISTRATOR);
+ post_ldap_error(msg);
}
+ }
+ do_free(opOperator);
+ do_free(opAdmin);
+ do_free(opAgent);
+
+ status = delete_user_db_entry(userid, uid);
+
+ if ((status != LDAP_SUCCESS) && (status != LDAP_NO_SUCH_OBJECT)) {
+ PR_snprintf(msg, 512, "Error deleting user %s", uid);
+ ldap_error_out(msg, msg);
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+ do_free(uid);
+
return DECLINED;
}
- getCN( filter, query );
-
PR_snprintf((char *)msg, 256,
- "'%s' has created new token", userid);
- RA::tdb_activity(rq->connection->remote_ip, filter, "add", "token", msg, "");
+ "'%s' has deleted user %s", userid, uid);
+ RA::tdb_activity(rq->connection->remote_ip, "", "delete_user", "success", msg, uid, NO_TOKEN_TYPE);
- if( strcmp( filter, "" ) == 0 ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "No Token ID Found",
- "\";\n", JS_STOP );
+ PR_snprintf( injection, MAX_INJECTION_SIZE,
+ "%s%s%s%s%s%s%s%s%s%s%s", JS_START,
+ "var uriBase = \"", uri, "\";\n",
+ "var userid = \"", userid, "\";\n",
+ "var tid = \"", uid, "\";\n",
+ "var deleteType = \"user\";\n");
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
- buf = getData( errorTemplate, injection );
+ do_free(uid);
+
+ buf = getData( deleteResultTemplate, injection );
+ } else if ( PL_strstr( query, "op=addUser" ) ) {
+ tokendbDebug( "authorization for addUser\n" );
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
+ return DECLINED;
+ }
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
+ uid = get_post_field(post, "userid");
+ firstName = get_post_field(post, "firstName");
+ lastName = get_post_field(post, "lastName");
+ opOperator = get_post_field(post, "opOperator");
+ opAdmin = get_post_field(post, "opAdmin");
+ opAgent = get_post_field(post, "opAgent");
+ userCert = get_encoded_post_field(post, "cert");
+
+ if ((PL_strlen(uid) == 0) || (PL_strlen(firstName) == 0) || (PL_strlen(lastName) == 0)) {
+ error_out("Bad input to op=addUser", "Bad input to op=addUser");
+ do_free(uid);
+ do_free(firstName);
+ do_free(lastName);
+ do_free(opOperator);
+ do_free(opAdmin);
+ do_free(opAgent);
+ do_free(userCert);
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+
+ return OK;
+ }
+ PR_snprintf((char *)userCN, 256,
+ "%s %s", firstName, lastName);
+
+ status = add_user_db_entry(userid, uid, "", lastName, userCN, userCert);
+ if (status != LDAP_SUCCESS) {
+ PR_snprintf((char *)msg, 512, "LDAP Error in adding new user %s", uid);
+ ldap_error_out(msg, msg);
+ do_free(uid);
+ do_free(firstName);
+ do_free(lastName);
+ do_free(opOperator);
+ do_free(opAdmin);
+ do_free(opAgent);
+ do_free(userCert);
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+
+ return OK;
+ }
+
+ PR_snprintf((char *)msg, 512,
+ "'%s' has created new user %s", userid, uid);
+ RA::tdb_activity(rq->connection->remote_ip, "", "add_user", "success", msg, uid, NO_TOKEN_TYPE);
+
+ if ((opOperator != NULL) && (PL_strstr(opOperator, OPERATOR))) {
+ status = add_user_to_role_db_entry(userid, uid, OPERATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_TYPE_OR_VALUE_EXISTS)) {
+ PR_snprintf(msg, 512, "Error adding user %s to role %s", uid, OPERATOR);
+ post_ldap_error(msg);
}
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
+ } else {
+ status = delete_user_from_role_db_entry(userid, uid, OPERATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, OPERATOR);
+ post_ldap_error(msg);
}
+ }
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
+ if ((opAgent != NULL) && (PL_strstr(opOperator, AGENT))) {
+ status = add_user_to_role_db_entry(userid, uid, AGENT);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_TYPE_OR_VALUE_EXISTS)) {
+ PR_snprintf(msg, 512, "Error adding user %s to role %s", uid, AGENT);
+ post_ldap_error(msg);
+ }
+ } else {
+ status = delete_user_from_role_db_entry(userid, uid, AGENT);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, AGENT);
+ post_ldap_error(msg);
}
-
- return DECLINED;
}
+ if ((opAdmin != NULL) && (PL_strstr(opAdmin, ADMINISTRATOR))) {
+ status = add_user_to_role_db_entry(userid, uid, ADMINISTRATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_TYPE_OR_VALUE_EXISTS)) {
+ PR_snprintf(msg, 512, "Error adding user %s to role %s", uid, ADMINISTRATOR);
+ post_ldap_error(msg);
+ }
+ } else {
+ status = delete_user_from_role_db_entry(userid, uid, ADMINISTRATOR);
+ if ((status!= LDAP_SUCCESS) && (status != LDAP_NO_SUCH_ATTRIBUTE)) {
+ PR_snprintf(msg, 512, "Error deleting user %s from role %s", uid, ADMINISTRATOR);
+ post_ldap_error(msg);
+ }
- status = add_default_tus_db_entry( NULL, userid,
- filter, "uninitialized",
- NULL, NULL );
+ }
- if( status != LDAP_SUCCESS ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"LDAP add error: ",
- ldap_err2string( status ),
- "\";\n", JS_STOP );
+ do_free(firstName);
+ do_free(lastName);
+ do_free(opOperator);
+ do_free(opAdmin);
+ do_free(opAgent);
+ do_free(userCert);
+
+ PR_snprintf( injection, MAX_INJECTION_SIZE,
+ "%s%s%s%s%s%s%s%s%s%s%s", JS_START,
+ "var uriBase = \"", uri, "\";\n",
+ "var userid = \"", userid, "\";\n",
+ "var tid = \"", uid, "\";\n",
+ "var addType = \"user\";\n");
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
- buf = getData( errorTemplate, injection );
+ do_free(uid);
+
+ buf = getData( addResultTemplate, injection );
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "LDAP error: %s",
- ldap_err2string( status ) );
+ } else if( PL_strstr( query, "op=add" ) ) {
+ tokendbDebug( "authorization for op=add\n" );
+ RA_Status token_type_status;
+ if( ! is_agent ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+ return DECLINED;
+ }
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
+ getCN( filter, query );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
+ if (m_processor.GetTokenType(OP_PREFIX, 0, 0, filter, (const char*) NULL, (NameValueSet*) NULL,
+ token_type_status, tokentype)) {
+ PL_strcpy(tokenType, tokentype);
+ } else {
+ PL_strcpy(tokenType, NO_TOKEN_TYPE);
+ }
+
+ PR_snprintf((char *)msg, 256,
+ "'%s' has created new token", userid);
+ RA::tdb_activity(rq->connection->remote_ip, filter, "add", "token", msg, "", tokenType);
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
+ if( strcmp( filter, "" ) == 0 ) {
+ error_out("No Token ID Found", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
+ return DECLINED;
+ }
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ status = add_default_tus_db_entry( NULL, userid,
+ filter, "uninitialized",
+ NULL, NULL, tokenType );
+ if( status != LDAP_SUCCESS ) {
+ ldap_error_out("LDAP add error: ", "LDAP error: %s");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
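Review bot: In the addUser branch the agent-role test reads `if ((opAgent != NULL) && (PL_strstr(opOperator, AGENT)))`, checking the operator field for the agent value, so an agent checkbox is honoured only when the operator field also happens to be set; the save_user branch tests `opAgent`, and this line should be `if ((opAgent != NULL) && (PL_strstr(opAgent, AGENT))) {`. Separately, `ldap_error_out(msg, msg)` in the do_delete_user and addUser error paths passes a buffer that already contains the client-supplied `uid` as the second argument, which the other call sites (`ldap_error_out("LDAP modify error: ", "LDAP error: %s")`) use as a log format string; a `%` in the uid would then be interpreted as a conversion. Keep the format literal, e.g. `ldap_error_out(msg, "LDAP error: %s");`, and let the message text travel in the first argument only. In the op=add branch the empty-token-id check logs `Failed to authorize request`, which misdescribes the condition; `No Token ID Found` fits both arguments.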
@@ -4169,82 +4804,47 @@ mod_tokendb_handler( request_rec *rq )
"%s%s%s%s%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid, "\";\n",
- "var tid = \"", filter, "\";\n", JS_STOP );
+ "var tid = \"", filter, "\";\n",
+ "var addType = \"token\";\n");
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
+
buf = getData( addResultTemplate, injection );
} else if( PL_strstr( query, "op=delete" ) ) {
- tokendbDebug( "authorization\n" );
-
- if( !tus_authorize( TOKENDB_ADMINISTRATORS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure", "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
+ RA_Status token_type_status;
+ tokendbDebug( "authorization for op=delete\n" );
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ if( ! is_admin ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
getCN( filter, query );
+ if (m_processor.GetTokenType(OP_PREFIX, 0, 0, filter, (const char*) NULL, (NameValueSet*) NULL,
+ token_type_status, tokentype)) {
+ PL_strcpy(tokenType, tokentype);
+ } else {
+ PL_strcpy(tokenType, NO_TOKEN_TYPE);
+ }
+
+
PR_snprintf((char *)msg, 256,
"'%s' has deleted token", userid);
- RA::tdb_activity(rq->connection->remote_ip, filter, "delete", "token", msg, "");
+ RA::tdb_activity(rq->connection->remote_ip, filter, "delete", "token", msg, "", tokenType);
status = delete_tus_db_entry( userid, filter );
if( status != LDAP_SUCCESS ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"LDAP delete error: ",
- ldap_err2string( status ),
- "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "LDAP error: %s",
- ldap_err2string( status ) );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
-
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ ldap_error_out("LDAP delete error: ", "LDAP error: %s");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
@@ -4253,40 +4853,20 @@ mod_tokendb_handler( request_rec *rq )
"%s%s%s%s%s%s%s%s%s%s%s", JS_START,
"var uriBase = \"", uri, "\";\n",
"var userid = \"", userid, "\";\n",
- "var tid = \"", filter, "\";\n", JS_STOP );
+ "var tid = \"", filter, "\";\n",
+ "var deleteType = \"token\";\n");
+ add_authorization_data(userid, is_admin, is_operator, is_agent, injection);
+ PL_strcat(injection, JS_STOP);
buf = getData( deleteResultTemplate, injection );
} else if( PL_strstr( query, "op=load" ) ) {
- tokendbDebug( "authorization\n" );
-
- if( !tus_authorize( TOKENDB_AGENTS_IDENTIFIER, userid ) ) {
- PR_snprintf( injection, MAX_INJECTION_SIZE,
- "%s%s%s%s%s", JS_START,
- "var error = \"Error: ",
- "Authorization Failure", "\";\n", JS_STOP );
-
- buf = getData( errorTemplate, injection );
-
- ap_log_error( ( const char * ) "tus", __LINE__,
- APLOG_ERR, 0, rq->server,
- ( const char * ) "Failed to authorize request" );
-
- ( void ) ap_rwrite( ( const void * ) buf, PL_strlen( buf ), rq );
-
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
- }
+ tokendbDebug( "authorization for op=load\n" );
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ if( (! is_agent ) && (! is_operator) ) {
+ error_out("Authorization Failure", "Failed to authorize request");
+ do_free(buf);
+ do_free(uri);
+ do_free(query);
return DECLINED;
}
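Review bot: `PL_strcat(injection, JS_STOP)` on the line after `add_authorization_data(...)` appends to `injection` with no bound, whereas the `PR_snprintf` that fills it is limited to `MAX_INJECTION_SIZE`; if the formatted `uri`/`userid` prefix was truncated at the buffer size, both appends write past the end of the buffer. Use the bounded form, `PL_strcatn(injection, MAX_INJECTION_SIZE, JS_STOP);`, and confirm that `add_authorization_data` bounds its own writes (its body is not in this hunk). The `op=load` gate now admits operators as well as agents (`if( (! is_agent ) && (! is_operator) )`), replacing the previous agents-only `tus_authorize` check; that looks like the intended role change but the enclosing `mod_tokendb_handler` begins and ends outside this hunk, so where `is_operator` is derived is not visible here.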
@@ -4301,21 +4881,11 @@ mod_tokendb_handler( request_rec *rq )
( void ) ap_rwrite( ( const void * ) buf, len, rq );
- if( buf != NULL ) {
- PR_Free( buf );
- buf = NULL;
- }
- }
-
- if( uri != NULL ) {
- PR_Free( uri );
- uri = NULL;
+ do_free(buf);
}
- if( query != NULL ) {
- PR_Free( query );
- query = NULL;
- }
+ do_free(uri);
+ do_free(query);
return OK;
}
diff --git a/pki/base/tps/src/processor/RA_Enroll_Processor.cpp b/pki/base/tps/src/processor/RA_Enroll_Processor.cpp
index 3603b3f18..6370d9258 100644
--- a/pki/base/tps/src/processor/RA_Enroll_Processor.cpp
+++ b/pki/base/tps/src/processor/RA_Enroll_Processor.cpp
@@ -1007,7 +1007,7 @@ bool RA_Enroll_Processor::FormatAppletVersionInfo(
"no applet found and applet upgrade not enabled");
o_status = STATUS_ERROR_SECURE_CHANNEL; // XXX incorrect error message
r=false;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "secure channel not established", ""); // XXX incorrect error message
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "secure channel not established", "", a_tokenType); // XXX incorrect error message
goto loser;
}
} else {
@@ -1104,7 +1104,7 @@ bool RA_Enroll_Processor::CheckAndUpgradeApplet(
* Bugscape #55709: Re-select Net Key Applet ONLY on failure.
*/
SelectApplet(a_session, 0x04, 0x00, a_aid);
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "applet upgrade error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "applet upgrade error", "", a_tokenType);
o_status = STATUS_ERROR_UPGRADE_APPLET;
r = false;
goto loser;
@@ -1122,7 +1122,7 @@ bool RA_Enroll_Processor::CheckAndUpgradeApplet(
if (token_status == NULL) {
RA::Error(FN, "Get Status Failed");
o_status = STATUS_ERROR_SECURE_CHANNEL; // XXX
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "secure channel error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "secure channel error", "", a_tokenType);
r = false;
goto loser;
}
@@ -1152,7 +1152,8 @@ bool RA_Enroll_Processor::AuthenticateUserLDAP(
char *a_cuid,
AuthenticationEntry *a_auth,
AuthParams *&login,
- RA_Status &o_status
+ RA_Status &o_status,
+ const char *a_token_type
)
{
const char *FN = "RA_Enroll_Processor::AuthenticateUserLDAP";
@@ -1189,20 +1190,20 @@ bool RA_Enroll_Processor::AuthenticateUserLDAP(
RA::Error(FN, "Authentication failed. LDAP Error");
o_status = STATUS_ERROR_LDAP_CONN;
RA::Debug(LL_PER_PDU, FN, "Authentication status=%d rc=%d", o_status,rc);
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "", a_token_type);
r = false;
break;
case TPS_AUTH_ERROR_USERNOTFOUND:
RA::Error(FN, "Authentication failed. User not found");
o_status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "", a_token_type);
r = false;
break;
case TPS_AUTH_ERROR_PASSWORDINCORRECT:
RA::Error(FN, "Authentication failed. Password Incorrect");
o_status = STATUS_ERROR_LOGIN;
RA::Debug(LL_PER_PDU, FN, "Authentication status=%d rc=%d", o_status,rc);
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "", a_token_type);
r = false;
break;
default:
@@ -1279,7 +1280,7 @@ bool RA_Enroll_Processor::RequestUserId(
"login not provided");
o_status = STATUS_ERROR_LOGIN;
RA::tdb_activity(a_session->GetRemoteIP(), a_cuid,
- "enrollment", "failure", "login not found", "");
+ "enrollment", "failure", "login not found", "", a_tokenType);
return false;
}
@@ -1295,7 +1296,7 @@ bool RA_Enroll_Processor::RequestUserId(
"login not provided");
o_status = STATUS_ERROR_LOGIN;
RA::tdb_activity(a_session->GetRemoteIP(), a_cuid,
- "enrollment", "failure", "login not found", o_userid);
+ "enrollment", "failure", "login not found", o_userid, a_tokenType);
return false;
}
o_userid = PL_strdup( o_login->GetUID() );
@@ -1337,14 +1338,14 @@ bool RA_Enroll_Processor::AuthenticateUser(
const char *authid = RA::GetConfigStore()->GetConfigAsString(configname);
if (authid == NULL) {
o_status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "login not found", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "login not found", "", a_tokenType);
goto loser;
}
AuthenticationEntry *auth = RA::GetAuth(authid);
if (auth == NULL) {
o_status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "", a_tokenType);
goto loser;
}
@@ -1353,20 +1354,20 @@ bool RA_Enroll_Processor::AuthenticateUser(
char *type = auth->GetType();
if (type == NULL) {
o_status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication is missing param type", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication is missing param type", "", a_tokenType);
r = false;
goto loser;
}
if (strcmp(type, "LDAP_Authentication") == 0) {
RA::Debug("RA_Enroll_Processor::AuthenticateUser", "LDAP started");
- r = AuthenticateUserLDAP(a_session, a_extensions, a_cuid, auth, a_login, o_status);
+ r = AuthenticateUserLDAP(a_session, a_extensions, a_cuid, auth, a_login, o_status, a_tokenType);
o_status = STATUS_ERROR_LOGIN;
goto loser;
} else {
RA::Error("RA_Enroll_Processor::AuthenticateUser", "No Authentication type was found.");
o_status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "authentication error", "", a_tokenType);
r = false;
goto loser;
}
@@ -1486,7 +1487,7 @@ bool RA_Enroll_Processor::CheckAndUpgradeSymKeys(
RA::Audit("Enrollment", "status='error' key_ver=00 cuid='%s' msn='%s' note='failed to create secure channel'", a_cuid, a_msn );
RA::Error(FN, "failed to establish secure channel");
o_status = STATUS_ERROR_SECURE_CHANNEL;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "secure channel error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "secure channel error", "", a_tokenType);
goto loser;
}
@@ -1497,7 +1498,7 @@ bool RA_Enroll_Processor::CheckAndUpgradeSymKeys(
RA::Error(FN, "External authentication in secure channel failed");
o_status = STATUS_ERROR_EXTERNAL_AUTH;
/* XXX should print out error codes */
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "external authentication error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "external authentication error", "", a_tokenType);
goto loser;
}
@@ -1528,7 +1529,7 @@ bool RA_Enroll_Processor::CheckAndUpgradeSymKeys(
if (rc != 1) {
RA::Error(FN, "failed to create new key set");
o_status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "create card key error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "create card key error", "", a_tokenType);
goto loser;
}
@@ -1559,7 +1560,7 @@ bool RA_Enroll_Processor::CheckAndUpgradeSymKeys(
if (o_channel == NULL) {
RA::Error(FN, "failed to establish secure channel after reselect");
o_status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "secure channel setup error", "");
+ RA::tdb_activity(a_session->GetRemoteIP(), a_cuid, "enrollment", "failure", "secure channel setup error", "", a_tokenType);
goto loser;
} else {
RA::Debug(FN, "Key Upgrade has completed successfully.");
@@ -1593,7 +1594,7 @@ loser:
*/
TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValueSet *extensions)
{
- char *FN = ( char * ) "RA_Enroll_Processor::Process";
+ char *FN = ( char * ) "RA_Enroll_Processor::Process";
char configname[256];
char *cuid = NULL;
char *msn = NULL;
@@ -1673,46 +1674,53 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
session->GetRemoteIP());
RA::Debug(LL_PER_PDU, FN, "Begin enroll process");
- // XXX need to validate all user input (convert to 'string' types)
- // to ensure that no buffer overruns
+ // XXX need to validate all user input (convert to 'string' types)
+ // to ensure that no buffer overruns
start = PR_IntervalNow();
- /* Get the card serial number */
- if (!GetCardManagerAppletInfo(session, CardManagerAID, st, msn, cuid, token_cuid)) goto loser;
+ /* Get the card serial number */
+ if (!GetCardManagerAppletInfo(session, CardManagerAID, st, msn, cuid, token_cuid)) goto loser;
/* Get the applet version information */
- if (!GetAppletInfo(session, NetKeyAID,
- /*by ref*/ major_version, minor_version,
- app_major_version, app_minor_version )) goto loser;
-
+ if (!GetAppletInfo(session, NetKeyAID,
+ /*by ref*/ major_version, minor_version,
+ app_major_version, app_minor_version )) goto loser;
+
+ if (!GetTokenType(OP_PREFIX, major_version, minor_version,
+ cuid, msn, extensions,
+ status, tokenType)) { /* last two are 'out' params */
+ /* ADE figure out what to do here for this line*/
+ // RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token type not found", "");
+ goto loser;
+ }
if (RA::ra_is_token_present(cuid)) {
- RA::Debug(FN, "Found token %s", cuid);
- if (RA::ra_is_tus_db_entry_disabled(cuid)) {
- RA::Error(FN, "CUID %s Disabled", cuid);
- status = STATUS_ERROR_DISABLED_TOKEN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token disabled", "");
- goto loser;
- }
+ RA::Debug(FN, "Found token %s", cuid);
+ if (RA::ra_is_tus_db_entry_disabled(cuid)) {
+ RA::Error(FN, "CUID %s Disabled", cuid);
+ status = STATUS_ERROR_DISABLED_TOKEN;
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token disabled", "", tokenType);
+ goto loser;
+ }
- if (!RA::ra_allow_token_reenroll(cuid)) {
- RA::Error(FN, "CUID %s Re-Enrolled Disallowed", cuid);
- status = STATUS_ERROR_DISABLED_TOKEN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token re-enrollment disallowed", "");
- goto loser;
- }
+ if (!RA::ra_allow_token_reenroll(cuid)) {
+ RA::Error(FN, "CUID %s Re-Enrolled Disallowed", cuid);
+ status = STATUS_ERROR_DISABLED_TOKEN;
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token re-enrollment disallowed", "", tokenType);
+ goto loser;
+ }
} else {
- RA::Debug(FN, "Not Found token %s", cuid);
- // This is a new token. We need to check our policy to see
- // if we should allow enrollment. raidzilla #57414
- PR_snprintf((char *)configname, 256, "%s.allowUnknownToken",
- OP_PREFIX);
- if (!RA::GetConfigStore()->GetConfigAsBool(configname, 1)) {
- RA::Error(FN, "CUID %s Enroll Unknown Token", cuid);
- status = STATUS_ERROR_DISABLED_TOKEN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "unknown token disallowed", "");
- goto loser;
- }
+ RA::Debug(FN, "Not Found token %s", cuid);
+ // This is a new token. We need to check our policy to see
+ // if we should allow enrollment. raidzilla #57414
+ PR_snprintf((char *)configname, 256, "%s.allowUnknownToken",
+ OP_PREFIX);
+ if (!RA::GetConfigStore()->GetConfigAsBool(configname, 1)) {
+ RA::Error(FN, "CUID %s Enroll Unknown Token", cuid);
+ status = STATUS_ERROR_DISABLED_TOKEN;
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "unknown token disallowed", "", tokenType);
+ goto loser;
+ }
}
/* XXX - this comment does not belong here
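Review bot: The failure branch of the relocated `GetTokenType` call (marked `/* ADE figure out what to do here for this line*/`) no longer records a `tdb_activity` entry, so an enrollment that fails because the token type cannot be resolved leaves no trace in the activity log, whereas the original call removed in the `@@ -1722,12 +1730,6 @@` hunk below did record it. Since `tokenType` is an out-parameter and may be unset on failure, keep the record with an empty type rather than dropping it: `RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token type not found", "", "");`. Moving the call ahead of the `ra_is_tus_db_entry_disabled`/`ra_allow_token_reenroll` checks also means a disabled token of unknown type now fails with the type-lookup status instead of `STATUS_ERROR_DISABLED_TOKEN` — presumably intended so the later records carry the type, but worth confirming; the same reorder appears in `RA_Format_Processor.cpp` at `@@ -189,6 +189,12 @@`. The re-indentation of the otherwise unchanged `if`/`else` bodies doubles the hunk size and hides the real change; `Process` starts and ends outside this hunk.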
@@ -1722,12 +1730,6 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
* The token will be locked if no external authenticate
* follows the initialize update.
*/
- if (!GetTokenType(OP_PREFIX, major_version, minor_version,
- cuid, msn, extensions,
- status, tokenType)) { /* last two are 'out' params */
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token type not found", "");
- goto loser;
- }
PR_snprintf((char *)configname, 256, "%s.%s.tks.conn",
OP_PREFIX, tokenType);
@@ -1735,7 +1737,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
if (tksid == NULL) {
RA::Error(FN, "TKS Connection Parameter %s Not Found", configname);
status = STATUS_ERROR_DEFAULT_TOKENTYPE_NOT_FOUND;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token type not found", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "token type not found", "", tokenType);
goto loser;
}
@@ -1798,7 +1800,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
if (channel == NULL) {
RA::Error(FN, "no good channel");
status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "secure channel setup error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "secure channel setup error", "",tokenType);
goto loser;
}
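Review bot: The new argument on the `secure channel setup error` line is written `"",tokenType` with no space after the comma, unlike every other updated `tdb_activity` call in this file; `"", tokenType` keeps the calls uniform and greppable. `Process` continues outside this hunk.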
@@ -1816,7 +1818,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
if (rc == -1) {
RA::Error(FN, "external authenticate failed");
status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "external authentication error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "external authentication error", "", tokenType);
goto loser;
}
@@ -1835,7 +1837,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
RA::Error(FN, "new pin request failed");
status = STATUS_ERROR_MAC_RESET_PIN_PDU;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "new pin request error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "new pin request error", "", tokenType);
goto loser;
}
RA::Debug(LL_PER_CONNECTION, "RA_Enroll_Processor::Process",
@@ -1856,7 +1858,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
"create pin failed");
status = STATUS_ERROR_MAC_RESET_PIN_PDU;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "create pin request error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "create pin request error", "", tokenType);
goto loser;
}
}
@@ -1868,7 +1870,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
"reset pin failed");
status = STATUS_ERROR_MAC_RESET_PIN_PDU;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "reset pin request error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "reset pin request error", "", tokenType);
goto loser;
}
}
@@ -1889,7 +1891,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
RA::Error("RA_Enroll_Processor::Process",
"random challenge creation failed");
status = STATUS_ERROR_MAC_ENROLL_PDU;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "general challenge error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "general challenge error", "", tokenType);
goto loser;
}
*/
@@ -1908,7 +1910,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
RA::Error("RA_Enroll_Processor::Process",
"encryt data failed");
status = STATUS_ERROR_MAC_ENROLL_PDU;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "challenge encryption error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "challenge encryption error", "", tokenType);
goto loser;
}
// read objects back
@@ -1986,7 +1988,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
}
- rc = RA::tdb_add_token_entry((char *)userid, cuid, "uninitialized");
+ rc = RA::tdb_add_token_entry((char *)userid, cuid, "uninitialized", tokenType);
if (rc == -1) {
status = STATUS_ERROR_CREATE_TUS_TOKEN_ENTRY;
goto loser;
@@ -2241,7 +2243,7 @@ op.enroll.certificates.caCert.label=caCert Label
RA::Error("RA_Enroll_Processor::Process",
"Set life cycle state failed");
status = STATUS_ERROR_MAC_LIFESTYLE_PDU;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "set life cycle state error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "set life cycle state error", "", tokenType);
goto loser;
}
@@ -2250,7 +2252,7 @@ op.enroll.certificates.caCert.label=caCert Label
RA::Error("RA_Enroll_Processor::Process",
"Failed to close channel");
status = STATUS_ERROR_CONNECTION;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "channel not closed", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "channel not closed", "", tokenType);
goto loser;
}
@@ -2260,8 +2262,8 @@ op.enroll.certificates.caCert.label=caCert Label
sprintf(activity_msg, "applet_version=%s tokenType=%s userid=%s",
final_applet_version, tokentype, userid);
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "success", activity_msg, userid);
- RA::tdb_update((char *)userid, cuid, (char *)final_applet_version, (char *)keyVersion, "active", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "success", activity_msg, userid, tokenType);
+ RA::tdb_update((char *)userid, cuid, (char *)final_applet_version, (char *)keyVersion, "active", "", tokenType);
RA::tdb_update_certificates(cuid, tokenTypes, (char*)userid, certificates, ktypes, origins, o_certNums);
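Review bot: The activity message on the context line above is formatted from `tokentype` while the new `tdb_activity`/`tdb_update` calls pass `tokenType`; if these are two distinct variables in `Process` (both spellings appear on the page), the type reported in the message and the type stored in the token record could disagree. Confirm they hold the same value, or format the message from `tokenType` as well. The `sprintf` into `activity_msg` on the same context line is unbounded and includes `userid`; a bounded `PR_snprintf` with the buffer's size would be safer, though that line is not changed by this commit. `Process` continues outside this hunk.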
@@ -2528,7 +2530,7 @@ bool RA_Enroll_Processor::GenerateCertificate(AuthParams *login, int keyTypeNum,
RA::Debug(LL_PER_CONNECTION,FN,
"Got a status error from DoEnrollment: %d", o_status);
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "enrollment error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "enrollment error", "", tokenType);
goto loser;
}
diff --git a/pki/base/tps/src/processor/RA_Format_Processor.cpp b/pki/base/tps/src/processor/RA_Format_Processor.cpp
index 386421654..ce1867dd7 100644
--- a/pki/base/tps/src/processor/RA_Format_Processor.cpp
+++ b/pki/base/tps/src/processor/RA_Format_Processor.cpp
@@ -189,6 +189,12 @@ TPS_PUBLIC RA_Status RA_Format_Processor::Process(RA_Session *session, NameValue
RA::Debug(LL_PER_PDU, "RA_Format_Processor::Process",
"Applet Major=%d Applet Minor=%d", app_major_version, app_minor_version);
+ if (!GetTokenType(OP_PREFIX, major_version,
+ minor_version, cuid, msn,
+ extensions, status, tokenType)) {
+ goto loser;
+ }
+
if (RA::ra_is_token_present(cuid)) {
RA::Debug("RA_Format_Processor::Process",
@@ -198,7 +204,7 @@ TPS_PUBLIC RA_Status RA_Format_Processor::Process(RA_Session *session, NameValue
RA::Error("RA_Format_Processor::Process",
"CUID %s Disabled", cuid);
status = STATUS_ERROR_DISABLED_TOKEN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "token disabled", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "token disabled", "", tokenType);
goto loser;
}
} else {
@@ -211,18 +217,12 @@ TPS_PUBLIC RA_Status RA_Format_Processor::Process(RA_Session *session, NameValue
if (!RA::GetConfigStore()->GetConfigAsBool(configname, 1)) {
RA::Error("Process", "CUID %s Format Unknown Token", cuid);
status = STATUS_ERROR_DISABLED_TOKEN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "unknown token disallowed", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "unknown token disallowed", "", tokenType);
goto loser;
}
}
- if (!GetTokenType(OP_PREFIX, major_version,
- minor_version, cuid, msn,
- extensions, status, tokenType)) {
- goto loser;
- }
-
PR_snprintf((char *)configname, 256, "%s.%s.tks.conn",
OP_PREFIX, tokenType);
tksid = RA::GetConfigStore()->GetConfigAsString(configname);
@@ -242,7 +242,7 @@ TPS_PUBLIC RA_Status RA_Format_Processor::Process(RA_Session *session, NameValue
RA::Error("RA_Format_Processor::Process",
"no applet found and applet upgrade not enabled");
status = STATUS_ERROR_SECURE_CHANNEL;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "secure channel not established", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "secure channel not established", "", tokenType);
goto loser;
}
} else {
@@ -338,7 +338,7 @@ locale),
RA::Error("RA_Format_Processor::Process",
"login not provided");
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "login not found", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "login not found", "", tokenType);
goto loser;
}
if( userid != NULL ) {
@@ -364,7 +364,7 @@ locale),
if (login == NULL) {
RA::Error("RA_Format_Processor::Process", "Login Request Disabled. Authentication failed.");
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "login not found", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "login not found", "", tokenType);
goto loser;
}
@@ -372,7 +372,7 @@ locale),
authid = RA::GetConfigStore()->GetConfigAsString(configname);
if (authid == NULL) {
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "login not found", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "login not found", "", tokenType);
goto loser;
}
AuthenticationEntry *auth = RA::GetAuth(authid);
@@ -387,7 +387,7 @@ locale),
char *type = auth->GetType();
if (type == NULL) {
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "authentication is missing param type", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "authentication is missing param type", "", tokenType);
goto loser;
}
if (strcmp(type, "LDAP_Authentication") == 0) {
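Review bot: The `tdb_activity` call on the changed line records the operation as `"enrollment"` although this is `RA_Format_Processor::Process`; every other record in this file uses `"format"`, so this failure is misattributed in the activity log. Since the line is being touched anyway, change it to `RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "authentication is missing param type", "", tokenType);`. The same mislabel is on the changed line in the `@@ -437,7 +437,7 @@` hunk below, and in `RA_Pin_Reset_Processor.cpp` at `@@ -523,7 +523,7 @@` and `@@ -570,7 +570,7 @@`, where `"pin reset"` is the label used elsewhere. `Process` continues outside this hunk.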
@@ -409,7 +409,7 @@ locale),
if (login == NULL || login->GetUID() == NULL) {
RA::Error("RA_Format_Processor::Process", "Authentication failed.");
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "authentication error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "authentication error", "", tokenType);
goto loser;
}
authParams->SetUID(login->GetUID());
@@ -421,7 +421,7 @@ locale),
RA::Error("RA_Format_Processor::Process", "Authentication failed.");
status = STATUS_ERROR_LDAP_CONN;
RA::Debug(LL_PER_PDU, "RA_Format_Processor::Process", "Authentication status = %d", status);
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "authentication error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "authentication error", "", tokenType);
goto loser;
}
@@ -429,7 +429,7 @@ locale),
RA::Error("RA_Format_Processor::Process", "Authentication failed.");
status = STATUS_ERROR_LOGIN;
RA::Debug(LL_PER_PDU, "RA_Format_Processor::Process", "Authentication status = %d", status);
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "authentication error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "authentication error", "", tokenType);
goto loser;
}
@@ -437,7 +437,7 @@ locale),
} else {
RA::Error("RA_Format_Processor::Process", "No Authentication type was found.");
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "authentication error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "authentication error", "", tokenType);
goto loser;
}
} else {
@@ -481,7 +481,7 @@ locale),
* Bugscape #55709: Re-select Net Key Applet ONLY on failure.
*/
SelectApplet(session, 0x04, 0x00, NetKeyAID);
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "applet upgrade error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "applet upgrade error", "", tokenType);
goto loser;
}
RA::Audit("Upgrade",
@@ -588,7 +588,7 @@ locale),
RA::Error("RA_Format_Processor::Process",
"failed to create new key set");
status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "create key set error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "create key set error", "", tokenType);
goto loser;
}
@@ -639,7 +639,7 @@ locale),
RA::Error("RA_Format_Processor::Process",
"failed to establish secure channel after reselect");
status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "secure channel not established", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "failure", "secure channel not established", "", tokenType);
goto loser;
}
}
@@ -757,7 +757,7 @@ locale),
goto loser;
}
- rc = RA::tdb_update("", cuid, (char *)final_applet_version, keyVersion, "uninitialized", "");
+ rc = RA::tdb_update("", cuid, (char *)final_applet_version, keyVersion, "uninitialized", "", tokenType);
if (rc != 0) {
RA::Debug(LL_PER_PDU, "RA_Format_Processor::Process",
@@ -766,7 +766,7 @@ locale),
goto loser;
}
} else {
- rc = RA::tdb_update("", cuid, (char *)final_applet_version, keyVersion, "uninitialized", "");
+ rc = RA::tdb_update("", cuid, (char *)final_applet_version, keyVersion, "uninitialized", "", tokenType);
if (rc != 0) {
RA::Debug(LL_PER_PDU, "RA_Format_Processor::Process",
"Failed to update the token database");
@@ -789,7 +789,7 @@ locale),
sprintf(activity_msg, "applet_version=%s tokenType=%s",
final_applet_version, tokenType);
- RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "success", activity_msg, userid);
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "format", "success", activity_msg, userid, tokenType);
/* audit log for successful enrollment */
if (authid == NULL)
diff --git a/pki/base/tps/src/processor/RA_Pin_Reset_Processor.cpp b/pki/base/tps/src/processor/RA_Pin_Reset_Processor.cpp
index 7c1bf7bb8..748a25213 100644
--- a/pki/base/tps/src/processor/RA_Pin_Reset_Processor.cpp
+++ b/pki/base/tps/src/processor/RA_Pin_Reset_Processor.cpp
@@ -177,30 +177,30 @@ TPS_PUBLIC RA_Status RA_Pin_Reset_Processor::Process(RA_Session *session, NameVa
goto loser;
}
- if (RA::ra_is_tus_db_entry_disabled(cuid)) {
+ // retrieve CUID
+
+ if (!GetTokenType(OP_PREFIX, major_version,
+ minor_version, cuid, msn,
+ extensions, status, tokenType)) {
+ goto loser;
+ }
+
+ if (RA::ra_is_tus_db_entry_disabled(cuid)) {
RA::Error("RA_Pin_Reset_Processor::Process",
"CUID %s Disabled", cuid);
status = STATUS_ERROR_DISABLED_TOKEN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "token disabled", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "token disabled", "", tokenType);
goto loser;
}
- if (!RA::ra_is_token_pin_resetable(cuid)) {
+ if (!RA::ra_is_token_pin_resetable(cuid)) {
RA::Error("RA_Pin_Reset_Processor::Process",
"CUID %s Cannot Pin Reset", cuid);
status = STATUS_ERROR_NOT_PIN_RESETABLE;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "pin not resetable", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "pin not resetable", "", tokenType);
goto loser;
}
- // retrieve CUID
-
- if (!GetTokenType(OP_PREFIX, major_version,
- minor_version, cuid, msn,
- extensions, status, tokenType)) {
- goto loser;
- }
-
PR_snprintf((char *)configname, 256, "%s.%s.tks.conn",
OP_PREFIX, tokenType);
tksid = RA::GetConfigStore()->GetConfigAsString(configname);
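Review bot: The comment `// retrieve CUID` carried along with the relocated block does not describe the `GetTokenType` call beneath it (the CUID is already in hand and is passed as an argument); replace it with `// resolve tokenType before the checks below so their activity records carry it`. As in the enrollment processor, running `GetTokenType` before `ra_is_tus_db_entry_disabled` changes which status a disabled token of unknown type reports — presumably intended, but worth confirming. `Process` starts and ends outside this hunk.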
@@ -221,7 +221,7 @@ TPS_PUBLIC RA_Status RA_Pin_Reset_Processor::Process(RA_Session *session, NameVa
RA::Error("RA_Pin_Reset_Processor::Process",
"no applet found and applet upgrade not enabled");
status = STATUS_ERROR_SECURE_CHANNEL;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel not established", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel not established", "", tokenType);
goto loser;
}
} else {
@@ -273,7 +273,7 @@ TPS_PUBLIC RA_Status RA_Pin_Reset_Processor::Process(RA_Session *session, NameVa
RA::Error("RA_Pin_Reset_Processor::Process",
"upgrade failure");
status = STATUS_ERROR_UPGRADE_APPLET;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "applet upgrade error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "applet upgrade error", "", tokenType);
/**
* Bugscape #55709: Re-select Net Key Applet ONLY on failure.
*/
@@ -313,7 +313,7 @@ TPS_PUBLIC RA_Status RA_Pin_Reset_Processor::Process(RA_Session *session, NameVa
RA::Error("RA_Pin_Reset_Processor::Process",
"setup secure channel failure");
status = STATUS_ERROR_SECURE_CHANNEL;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel not established", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel not established", "", tokenType);
goto loser;
}
@@ -322,7 +322,7 @@ TPS_PUBLIC RA_Status RA_Pin_Reset_Processor::Process(RA_Session *session, NameVa
RA::Error("RA_Pin_Reset_Processor::Process",
"External authentication in secure channel failed");
status = STATUS_ERROR_EXTERNAL_AUTH;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "external authentication error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "external authentication error", "", tokenType);
goto loser;
}
@@ -342,7 +342,7 @@ TPS_PUBLIC RA_Status RA_Pin_Reset_Processor::Process(RA_Session *session, NameVa
RA::Error("RA_Pin_Reset_Processor::Process",
"failed to create new key set");
status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "create key set error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "create key set error", "", tokenType);
goto loser;
}
@@ -373,7 +373,7 @@ TPS_PUBLIC RA_Status RA_Pin_Reset_Processor::Process(RA_Session *session, NameVa
RA::Error("RA_Pin_Reset_Processor::Process",
"setup secure channel failure");
status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel not established", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel not established", "", tokenType);
goto loser;
}
}
@@ -394,7 +394,7 @@ TPS_PUBLIC RA_Status RA_Pin_Reset_Processor::Process(RA_Session *session, NameVa
RA::Error("RA_Pin_Reset_Processor::Process",
"no channel creation failure");
status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel not established", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel not established", "", tokenType);
goto loser;
}
@@ -461,7 +461,7 @@ locale),
RA::Error("RA_Pin_Reset_Processor::Process",
"login not provided");
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "login not found", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "login not found", "", tokenType);
goto loser;
}
if( userid != NULL ) {
@@ -523,7 +523,7 @@ locale),
char *type = auth->GetType();
if (type == NULL) {
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "authentication is missing param type", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "authentication is missing param type", "", tokenType);
goto loser;
}
if (strcmp(type, "LDAP_Authentication") == 0) {
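Review bot: The activity op string on L3739 is "enrollment" although this is RA_Pin_Reset_Processor::Process, so this failure is recorded under the wrong operation in the activity log; the same applies to L3748 in the next hunk. Since the commit already rewrites both lines, change the op to `"pin reset"` as every other tdb_activity call in this function uses, otherwise anyone filtering the activity log by operation will attribute pin-reset authentication failures to enrollment. The enclosing Process body starts and ends outside the hunk.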
@@ -570,7 +570,7 @@ locale),
} else {
RA::Error("RA_Pin_Reset_Processor::Process", "No Authentication type was found.");
status = STATUS_ERROR_LOGIN;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "authentication error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "authentication error", "", tokenType);
goto loser;
}
} else {
@@ -613,7 +613,7 @@ locale),
RA::Error("RA_Pin_Reset_Processor::Process",
"External Authenticate failed.");
status = STATUS_ERROR_CREATE_CARDMGR;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "external authentication error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "external authentication error", "", tokenType);
goto loser;
}
RA::Debug(LL_PER_PDU, "RA_Pin_Reset_Processor::Process",
@@ -627,7 +627,7 @@ locale),
RA::Error("RA_Pin_Reset_Processor::Process",
"Set Pin failed.");
status = STATUS_ERROR_MAC_RESET_PIN_PDU;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "request new pin error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "request new pin error", "", tokenType);
goto loser;
}
@@ -640,7 +640,7 @@ locale),
rc = channel->ResetPin(0x0, new_pin);
if (rc == -1) {
status = STATUS_ERROR_MAC_RESET_PIN_PDU;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "ereset pin error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "ereset pin error", "", tokenType);
goto loser;
}
@@ -649,7 +649,7 @@ locale),
RA::Error("RA_Pin_Reset_Processor::Process",
"Failed to close channel");
status = STATUS_ERROR_CONNECTION;
- RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel close error", "");
+ RA::tdb_activity(session->GetRemoteIP(), cuid, "pin reset", "failure", "secure channel close error", "", tokenType);
goto loser;
}
@@ -685,7 +685,7 @@ locale),
sprintf(activity_msg, "applet_version=%s tokenType=%s",
(char *)final_applet_version, tokenType);
- RA::tdb_activity(session->GetRemoteIP(), (char *)cuid, "pin reset", "success", activity_msg, userid);
+ RA::tdb_activity(session->GetRemoteIP(), (char *)cuid, "pin reset", "success", activity_msg, userid, tokenType);
/* audit log for successful pin reset */
if (authid == NULL)
diff --git a/pki/base/tps/src/tus/tus_db.c b/pki/base/tps/src/tus/tus_db.c
index ee4240ffb..8719fce7b 100644
--- a/pki/base/tps/src/tus/tus_db.c
+++ b/pki/base/tps/src/tus/tus_db.c
@@ -60,6 +60,7 @@ static char *tokenActivityAttributes[] = { TOKEN_ID,
TOKEN_IP,
TOKEN_C_DATE,
TOKEN_M_DATE,
+ TOKEN_TYPE,
NULL };
static char *tokenAttributes[] = { TOKEN_ID,
TOKEN_USER,
@@ -75,6 +76,7 @@ static char *tokenAttributes[] = { TOKEN_ID,
TOKEN_RECOVERIES,
TOKEN_POLICY,
TOKEN_REASON,
+ TOKEN_TYPE,
NULL };
static char *tokenCertificateAttributes[] = { TOKEN_ID,
TOKEN_CUID,
@@ -93,7 +95,22 @@ static char *tokenCertificateAttributes[] = { TOKEN_ID,
TOKEN_STATUS,
NULL };
-
+static char *userAttributes[] = {USER_ID,
+ USER_SN,
+ USER_CN,
+ USER_CERT,
+ C_TIME,
+ M_TIME,
+ PROFILE_ID,
+ NULL};
+
+static char *viewUserAttributes[] = {USER_ID,
+ USER_SN,
+ USER_CN,
+ C_TIME,
+ M_TIME,
+ NULL};
+
static char *tokenStates[] = { STATE_UNINITIALIZED,
STATE_ACTIVE,
STATE_DISABLED,
@@ -566,7 +583,7 @@ TPS_PUBLIC char *tus_authenticate(char *cert)
LDAPMessage *entry = NULL;
int i,j;
char *certX = NULL;
- int tries;
+ int tries;
tus_check_conn();
if (cert == NULL)
@@ -586,8 +603,10 @@ TPS_PUBLIC char *tus_authenticate(char *cert)
len = base64_decode(certX, ( unsigned char * ) dst);
free(certX);
- if (len <= 0)
+ if (len <= 0) {
+ if (dst != NULL) free(dst);
return NULL;
+ }
PR_snprintf(filter, MAX_FILTER_LEN, "(userCertificate=");
@@ -596,6 +615,7 @@ TPS_PUBLIC char *tus_authenticate(char *cert)
PR_snprintf(filter, MAX_FILTER_LEN, "%s\\%02x", filter, (c & 0xff) );
}
PR_snprintf(filter, MAX_FILTER_LEN, "%s)", filter);
+ if (dst != NULL) free(dst);
for (tries = 0; tries < MAX_RETRIES; tries++) {
if ((rc = ldap_search_ext_s(ld, userBaseDN, LDAP_SCOPE_SUBTREE,
@@ -612,19 +632,34 @@ TPS_PUBLIC char *tus_authenticate(char *cert)
}
if (rc != LDAP_SUCCESS) {
- return NULL;
+ if (result != NULL) {
+ free_results(result);
+ result = NULL;
+ }
+ return NULL;
}
if (result == NULL)
return NULL;
entry = get_first_entry (result);
- if (entry == NULL)
- return NULL;
+ if (entry == NULL) {
+ if (result != NULL) {
+ free_results(result);
+ result = NULL;
+ }
+ return NULL;
+ }
v = ldap_get_values(ld, entry, "uid");
- if (v == NULL)
- return NULL;
+ if (v == NULL) {
+ if (result != NULL) {
+ free_results(result);
+ result = NULL;
+ }
+ return NULL;
+ }
+
if (v[0] != NULL && PL_strlen(v[0]) > 0) {
userid = PL_strdup(v[0]);
}
@@ -633,9 +668,23 @@ TPS_PUBLIC char *tus_authenticate(char *cert)
v = NULL;
}
+ if (result != NULL) {
+ free_results(result);
+ result = NULL;
+ }
+
return userid;
}
+/*********
+ * tus_authorize
+ * parameters passed in:
+ * char * group ("TUS Agents", "TUS Officers", "TUS Administrators")
+ * const char* userid
+ * returns : 1 if userid is member of that group
+ * 0 otherwise
+ **/
+
TPS_PUBLIC int tus_authorize(const char *group, const char *userid)
{
int rc;
@@ -660,14 +709,132 @@ TPS_PUBLIC int tus_authorize(const char *group, const char *userid)
}
if (rc != LDAP_SUCCESS) {
+ if (result != NULL) {
+ free_results(result);
+ result = NULL;
+ }
return 0;
}
if (ldap_count_entries (ld, result) <= 0) {
+ if (result != NULL) {
+ free_results(result);
+ result = NULL;
+ }
return 0;
}
+ if (result != NULL) {
+ free_results(result);
+ result = NULL;
+ }
return 1;
}
+/******
+ * get_authorized_profiles()
+ * params: userid
+ * : is_admin (1 if user is in admin group, 0 otherwise
+ * returns: ldap filter with the tokenTypes the user has access to - to be appended
+ * to any other user search filer.
+ * examples: (|(tokenType=foo)(tokenType=bar)
+ * example: (!(tokenType=foo)(tokenType=no_token_type)) -- if user is an admin, always
+ * add no_token_type to catch admin events
+ * example: NO_PROFILES -- not an admin, and no profiles
+ * exmaple: (tokenType=no_token_type) : admin with no other tokens
+ *
+ * Caller must free the result (char*)
+ **/
+TPS_PUBLIC char *get_authorized_profiles(const char *userid, int is_admin)
+{
+ int rc;
+ int status;
+ char filter[512];
+ char ret[4096] = "";
+ char *profile_filter = NULL;
+ char **vals;
+ int nVals;
+ int i;
+
+ LDAPMessage *result = NULL;
+ LDAPMessage *e = NULL;
+
+ PR_snprintf(filter, 512, "(uid=%s)", userid);
+ status = find_tus_user_entries_no_vlv(filter, &result, 0);
+
+ if (status == LDAP_SUCCESS) {
+
+ e = get_first_entry(result);
+
+ if ((vals = get_attribute_values(e,"profileID")) != NULL ) {
+ nVals = ldap_count_values(vals);
+ if (nVals == 1) {
+ if (PL_strstr(vals[0], ALL_PROFILES)) {
+ PR_snprintf(ret, 4096, ALL_PROFILES);
+ } else {
+ if (is_admin) {
+ PL_strcat(ret, "(|(tokenType=");
+ PL_strcat(ret, NO_TOKEN_TYPE);
+ PL_strcat(ret, ")(tokenType=");
+ PL_strcat(ret, vals[0]);
+ PL_strcat(ret, "))");
+ } else {
+ PL_strcat(ret, "(tokenType=");
+ PL_strcat(ret, vals[0]);
+ PL_strcat(ret, ")");
+ }
+ }
+ } else if (nVals > 1) {
+ for( i = 0; vals[i] != NULL; i++ ) {
+ if (i==0) {
+ PL_strcat(ret, "(|");
+ if (is_admin) {
+ PL_strcat(ret, "(tokenType=");
+ PL_strcat(ret, NO_TOKEN_TYPE);
+ PL_strcat(ret, ")");
+ }
+ }
+ PL_strcat(ret, "(tokenType=");
+ PL_strcat(ret, vals[i]);
+ PL_strcat(ret, ")");
+ }
+ PL_strcat(ret, ")");
+ } else if (nVals == 0) {
+ if (is_admin) {
+ PR_snprintf(ret, 4096, "(tokenType=%s)", NO_TOKEN_TYPE);
+ } else {
+ PR_snprintf(ret, 4096, NO_PROFILES);
+ }
+ } else { //error
+ return -1;
+ }
+ } else {
+ if (is_admin) {
+ PR_snprintf(ret, 4096, "(tokenType=%s)", NO_TOKEN_TYPE);
+ } else {
+ PR_snprintf(ret, 4096, NO_PROFILES);
+ }
+ }
+ } else {
+ // log error message here
+ PR_snprintf(ret, 4096, NO_PROFILES);
+ }
+
+ profile_filter = PL_strdup(ret);
+
+ if (vals != NULL) {
+ free_values(vals, 1);
+ vals = NULL;
+ }
+
+ if (result != NULL) {
+ free_results(result);
+ result = NULL;
+ }
+
+ e = NULL;
+
+ return profile_filter;
+}
+
static int tus_check_conn()
{
int version = LDAP_VERSION3;
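Review bot: In get_authorized_profiles `vals` is declared without an initializer on L3960 and is only assigned inside the LDAP_SUCCESS branch, so when the search fails the cleanup on L4030 tests and frees an indeterminate pointer; declare it `char **vals = NULL;`. The error branch on L4014 does `return -1;` from a function whose return type is `char *`, handing the caller a non-NULL garbage pointer (which it is told to free) and leaking `vals` and `result`; fail closed instead with `PR_snprintf(ret, 4096, NO_PROFILES);` so control falls through to the cleanup and the caller receives the no-access filter. The PL_strcat chain into `ret[4096]` has no bound check, so a user with many profileID values can overrun it; use `PL_strcatn(ret, sizeof(ret), ...)` or track the remaining space. The header comment's `(!(tokenType=foo)...` example does not match the `(|(tokenType=...` form the code actually emits, and the `nVals < 0` branch is unreachable with ldap_count_values as far as I can tell.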
@@ -899,6 +1066,112 @@ TPS_PUBLIC int update_tus_db_entry_with_mods (const char *agentid, const char *c
return rc;
}
+/****
+ * update_tus_general_db_entry
+ * summary: internal function to modify a general db entry using ldap_modify_ext_s
+ * params: agentid - who is doing this modification (for audit logging)
+ * dn - dn to modify
+ * mods - NULL terminated list of modifications to apply
+ **/
+int update_tus_general_db_entry(const char *agentid, const char *dn, LDAPMod **mods)
+{
+ int tries;
+ int rc = -1;
+
+ tus_check_conn();
+
+ for (tries = 0; tries < MAX_RETRIES; tries++) {
+ if ((rc = ldap_modify_ext_s(ld, dn, mods, NULL, NULL)) == LDAP_SUCCESS) {
+ break;
+ } else if (rc == LDAP_SERVER_DOWN || rc == LDAP_CONNECT_ERROR) {
+ rc = ldap_simple_bind_s (ld, bindDN, bindPass);
+ if (rc != LDAP_SUCCESS) {
+ bindStatus = rc;
+ break;
+ }
+ }
+ }
+
+ return rc;
+}
+
+/***
+ * update_user_db_entry
+ * summary: modifies an existing user entry
+ * params : agentid - agent that is performing this action (for audit log purposes)
+ * uid, lastName, userCN, userCert - for entry to be added
+ * returns: ldap return code
+ * */
+TPS_PUBLIC int update_user_db_entry(const char *agentid, char *uid, char *lastName, char *userCN, char *userCert)
+{
+ char dn[256];
+ LDAPMod a01;
+ LDAPMod a02;
+ LDAPMod a03;
+ LDAPMod *mods[4];
+ int rc = -1;
+ int certlen=0;
+ int i,j;
+ char *certX = NULL;
+ char *dst = NULL;
+
+ char *sn_values[] = {lastName, NULL};
+ char *cn_values[] = {userCN, NULL};
+ struct berval berval;
+ struct berval *cert_values[2];
+
+ a01.mod_op = LDAP_MOD_REPLACE;
+ a01.mod_type = USER_SN;
+ a01.mod_values = sn_values;
+
+ a02.mod_op = LDAP_MOD_REPLACE;
+ a02.mod_type = USER_CN;
+ a02.mod_values = cn_values;
+
+ mods[0] = &a01;
+ mods[1] = &a02;
+
+ certlen = strlen(userCert);
+
+ certX = malloc(certlen);
+ j = 0;
+ for (i = 0; i < certlen; i++) {
+ if (userCert[i] != '\n' && userCert[i] != '\r') {
+ certX[j++] = userCert[i];
+ }
+ }
+ certX[j++] = '\0';
+ dst = malloc(3 * strlen(certX) / 4);
+ certlen = base64_decode(certX, ( unsigned char * ) dst);
+ free(certX);
+
+ if (certlen > 0) {
+ berval.bv_len = certlen;
+ berval.bv_val = ( char * ) dst;
+ cert_values[0] = &berval;
+ cert_values[1] = NULL;
+
+ a03.mod_op =LDAP_MOD_REPLACE |LDAP_MOD_BVALUES;
+ a03.mod_type = "userCertificate";
+ a03.mod_values = cert_values;
+
+ mods[2] = &a03;
+ } else {
+ mods[2] = NULL;
+ }
+ mods[3] = NULL;
+
+ if (PR_snprintf(dn, 255, "uid=%s, ou=People, %s", uid, userBaseDN) < 0 )
+ return -1;
+
+ rc = update_tus_general_db_entry(agentid, dn, mods);
+ if (dst != NULL) free(dst);
+ if (rc == LDAP_SUCCESS)
+ audit_log("modify_user", agentid, uid);
+
+ return rc;
+}
+
TPS_PUBLIC int update_tus_db_entry (const char *agentid, char *cn, const char *uid, char *keyInfo, const char *status, char *applet_version, const char *reason)
{
char dn[256];
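Review bot: In update_user_db_entry `certX = malloc(certlen);` followed by `certX[j++] = '\0';` writes one byte past the allocation whenever userCert contains no CR/LF characters (then j == certlen), and the identical pattern is added in add_user_db_entry at L4362–L4369; allocate `certX = malloc(certlen + 1);` in both and check both mallocs for NULL, since userCert arrives from the administrative web interface. When base64_decode returns <= 0 the entry is still modified with the new sn/cn and the function returns success, silently dropping the certificate replacement — returning an error (or at least logging) would stop a malformed certificate from being accepted quietly. `agentid` is documented on L4054 as being for audit logging, but update_tus_general_db_entry never uses it; either log there or drop the claim from the comment. `i`, `j` and `certlen` are reused across the strip and decode steps, which is fine, but a comment such as `/* strip line breaks, then base64-decode into dst */` above L4118 would help.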
@@ -1349,7 +1622,7 @@ int add_certificate (char *tokenid, char *origin, char *tokenType, char *userid,
return rc;
}
-int add_activity (char *ip, char *id, const char *op, const char *result, const char *msg, const char *userid)
+int add_activity (char *ip, char *id, const char *op, const char *result, const char *msg, const char *userid, const char *token_type)
{
PRExplodedTime time;
PRTime now;
@@ -1363,7 +1636,8 @@ int add_activity (char *ip, char *id, const char *op, const char *result, const
LDAPMod a08;
LDAPMod a09;
LDAPMod a10;
- LDAPMod *mods[11];
+ LDAPMod a11;
+ LDAPMod *mods[12];
int rc = 0, tries = 0;
char dn[256];
char cdate[256];
@@ -1377,6 +1651,7 @@ int add_activity (char *ip, char *id, const char *op, const char *result, const
char *msg_values[2];
char *ip_values[2];
char *userid_values[2];
+ char *token_type_values[2];
PRThread *ct;
tus_check_conn();
@@ -1392,6 +1667,8 @@ int add_activity (char *ip, char *id, const char *op, const char *result, const
ip_values[1] = NULL;
userid_values[0] = userid;
userid_values[1] = NULL;
+ token_type_values[0] = token_type;
+ token_type_values[1] = NULL;
ct = PR_GetCurrentThread();
now = PR_Now();
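Review bot: `token_type_values[0] = token_type;` on L4189 stores the new argument with no NULL check, and in add_new_tus_db_entry the `""` default set on L4265 is overwritten unconditionally on L4272, unlike the guarded uid/key_info assignments on L4269–L4270; a NULL token type would then be passed to ldap_add_ext_s as a value. Guard both sites, e.g. `if (token_type != NULL) token_type_values[0] = (char *) token_type;`, and give add_activity the same `""` default. Whether callers can actually pass NULL (e.g. the early failure paths in the processors before tokenType is resolved) is not visible here, so worth confirming. The assignment on L4189 also drops const from `token_type`; cast explicitly as L4272 does to keep the build warning-free.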
@@ -1450,6 +1727,9 @@ int add_activity (char *ip, char *id, const char *op, const char *result, const
a10.mod_type = TOKEN_USER;
a10.mod_values = userid_values;
+ a11.mod_op = 0;
+ a11.mod_type = TOKEN_TYPE;
+ a11.mod_values = token_type_values;
mods[0] = &a01;
mods[1] = &a02;
mods[2] = &a03;
@@ -1460,7 +1740,8 @@ int add_activity (char *ip, char *id, const char *op, const char *result, const
mods[7] = &a08;
mods[8] = &a09;
mods[9] = &a10;
- mods[10] = NULL;
+ mods[10] = &a11;
+ mods[11] = NULL;
if (PR_snprintf(dn, 255, "cn=%s,%s", zcdate, activityBaseDN) < 0)
return -1;
@@ -1480,6 +1761,33 @@ int add_activity (char *ip, char *id, const char *op, const char *result, const
return rc;
}
+/**
+ * add_tus_general_db_entry
+ * summary: internal function to add a general ldap entry
+ * params: dn = dn to add
+ * mods = NULL terminated list of modifications (contains attribute values)
+ * returns: LDAP return code
+ **/
+int add_tus_general_db_entry (char *dn, LDAPMod **mods)
+{
+ int rc = 0, tries = 0;
+
+ tus_check_conn();
+
+ for (tries = 0; tries < MAX_RETRIES; tries++) {
+ if ((rc = ldap_add_ext_s(ld, dn, mods, NULL, NULL)) == LDAP_SUCCESS) {
+ break;
+ } else if (rc == LDAP_SERVER_DOWN || rc == LDAP_CONNECT_ERROR) {
+ rc = ldap_simple_bind_s (ld, bindDN, bindPass);
+ if (rc != LDAP_SUCCESS) {
+ bindStatus = rc;
+ break;
+ }
+ }
+
+ }
+ return rc;
+}
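Review bot: add_tus_general_db_entry repeats the retry/rebind loop of update_tus_general_db_entry (L4065–L4075) and of delete_tus_general_db_entry in the later hunk, differing only in the ldap_*_ext_s call; a single helper taking the operation as a callback would keep the reconnect policy in one place. In all three, any rc other than success or a connection error simply re-issues the same request up to MAX_RETRIES times, so a permanent failure such as LDAP_ALREADY_EXISTS costs several wasted round trips; adding `} else { break; }` after the rebind branch returns immediately with the real error.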
int add_tus_db_entry (char *cn, LDAPMod **mods)
{
@@ -1505,7 +1813,7 @@ int add_tus_db_entry (char *cn, LDAPMod **mods)
return rc;
}
-int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int flag, const char *status, char *applet_version, char *key_info)
+int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int flag, const char *status, char *applet_version, char *key_info, const char* token_type)
{
PRExplodedTime time;
PRTime now;
@@ -1524,7 +1832,8 @@ int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int fla
LDAPMod a13;
LDAPMod a14;
LDAPMod a15;
- LDAPMod *mods[16];
+ LDAPMod a16;
+ LDAPMod *mods[17];
int rc = 0, tries = 0;
char dn[256];
char cdate[256];
@@ -1542,6 +1851,7 @@ int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int fla
char *key_info_values[] = { "", NULL };
char *reason_values[] = { "", NULL };
char *policy_values[2];
+ char *token_type_values[]= {"", NULL };
tus_check_conn();
cn_values[0] = cn;
@@ -1553,6 +1863,7 @@ int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int fla
if (uid != NULL) uid_values[0] = ( char * ) uid;
if (key_info != NULL) key_info_values[0] = key_info;
status_values[0] = ( char * ) status;
+ token_type_values[0] = ( char *) token_type;
a01.mod_op = 0;
a01.mod_type = TOKEN_ID;
@@ -1619,6 +1930,10 @@ int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int fla
a15.mod_type = TOKEN_REASON;
a15.mod_values = reason_values;
+ a16.mod_op = 0;
+ a16.mod_type = TOKEN_TYPE;
+ a16.mod_values = token_type_values;
+
mods[0] = &a01;
mods[1] = &a02;
mods[2] = &a03;
@@ -1634,7 +1949,8 @@ int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int fla
mods[12] = &a13;
mods[13] = &a14;
mods[14] = &a15;
- mods[15] = NULL;
+ mods[15] = &a16;
+ mods[16] = NULL;
now = PR_Now();
PR_ExplodeTime(now, PR_LocalTimeParameters, &time);
@@ -1666,9 +1982,300 @@ int add_new_tus_db_entry (const char *userid, char *cn, const char *uid, int fla
return rc;
}
-TPS_PUBLIC int add_default_tus_db_entry (const char *uid, const char *agentid, char *cn, const char *status, char *applet_version, char *key_info)
+TPS_PUBLIC int add_default_tus_db_entry (const char *uid, const char *agentid, char *cn, const char *status, char *applet_version, char *key_info, const char *token_type)
{
- return add_new_tus_db_entry (agentid, cn, uid, 0, status, applet_version, key_info);
+ return add_new_tus_db_entry (agentid, cn, uid, 0, status, applet_version, key_info, token_type);
+}
+
+/****
+ * add_user_db_entry
+ * summary: adds a new user entry
+ * params: agentid - user who is performing this change (for audit log)
+ * :userid, userPassword, sn, cn, userCert - details for user to be added
+ * returns: ldap return code
+ */
+TPS_PUBLIC int add_user_db_entry(const char *agentid, char *userid, char *userPassword, char *sn, char *cn, char *userCert)
+{
+ LDAPMod a01;
+ LDAPMod a02;
+ LDAPMod a03;
+ LDAPMod a04;
+ LDAPMod a05;
+ LDAPMod a06;
+ LDAPMod *mods[7];
+ int rc = 0;
+ char dn[256];
+ int i,j, certlen;
+ char *dst = NULL;
+ char *certX = NULL;
+ char *userid_values[] = {userid, NULL};
+ char *objectClass_values[] = { "top", "person", "organizationalPerson", "inetOrgPerson", "tpsProfileId", NULL };
+ char *userPassword_values[] = { userPassword, NULL };
+ char *sn_values[] = {sn, NULL};
+ char *cn_values[] = {cn, NULL};
+ struct berval berval;
+ struct berval *userCert_values[2];
+
+ a01.mod_op = 0;
+ a01.mod_type = USER_ID;
+ a01.mod_values = userid_values;
+
+ a02.mod_op = 0;
+ a02.mod_type = "objectClass";
+ a02.mod_values = objectClass_values;
+
+ a03.mod_op =0;
+ a03.mod_type = USER_PASSWORD;
+ a03.mod_values = userPassword_values;
+
+ a04.mod_op = 0;
+ a04.mod_type = USER_SN;
+ a04.mod_values = sn_values;
+
+ a05.mod_op =0;
+ a05.mod_type = USER_CN;
+ a05.mod_values = cn_values;
+
+ mods[0] = &a01;
+ mods[1] = &a02;
+ mods[2] = &a03;
+ mods[3] = &a04;
+ mods[4] = &a05;
+
+ // now handle certificate
+ certlen = strlen(userCert);
+
+ certX = malloc(certlen);
+ j = 0;
+ for (i = 0; i < certlen; i++) {
+ if (userCert[i] != '\n' && userCert[i] != '\r') {
+ certX[j++] = userCert[i];
+ }
+ }
+ certX[j++] = '\0';
+ dst = malloc(3 * strlen(certX) / 4);
+ certlen = base64_decode(certX, ( unsigned char * ) dst);
+ free(certX);
+
+ if (certlen > 0) {
+ berval.bv_len = certlen;
+ berval.bv_val = ( char * ) dst;
+ userCert_values[0] = &berval;
+ userCert_values[1] = NULL;
+
+ a06.mod_op =0;
+ a06.mod_type = USER_CERT;
+ a06.mod_values = userCert_values;
+
+ mods[5] = &a06;
+ } else {
+ mods[5] = NULL;
+ }
+
+ mods[6] = NULL;
+
+ if (PR_snprintf(dn, 255, "uid=%s,ou=People, %s", userid, userBaseDN) < 0)
+ return -1;
+
+ rc = add_tus_general_db_entry(dn, mods);
+ if (dst != NULL) free(dst);
+
+ if (rc != LDAP_SUCCESS) {
+ return rc;
+ }
+
+ audit_log("add_user", agentid, userid);
+ return rc;
+}
+
+/**
+ * add_user_to_role_db_entry
+ * summary: adds user to be member of group (administrators, agents, operators)
+ * params: agentid -user who is performing this change
+ * : userid - userid of user to be added to role
+ * : role - Officers, Agents or Administrators
+ * returns: LDAP return code
+ */
+TPS_PUBLIC int add_user_to_role_db_entry(const char *agentid, char *userid, const char *role) {
+ LDAPMod a01;
+ LDAPMod *mods[2];
+ int rc = 0;
+ int i=0;
+ char dn[256];
+ char userdn[256];
+ char msg[256];
+ char *userid_values[2];
+
+ if (PR_snprintf(userdn, 255, "uid=%s, ou=People, %s", userid, userBaseDN) < 0)
+ return -1;
+
+ userid_values[0] = userdn;
+ userid_values[1] = NULL;
+
+ a01.mod_op = LDAP_MOD_ADD;
+ a01.mod_type = GROUP_UNIQUEMEMBER;
+ a01.mod_values = userid_values;
+ mods[0] = &a01;
+ mods[1] = NULL;
+
+ if (PR_snprintf(dn, 255, "cn=TUS %s,ou=groups, %s", role, userBaseDN) < 0)
+ return -1;
+
+ rc = update_tus_general_db_entry(agentid, dn, mods);
+
+ if (rc == LDAP_SUCCESS) {
+ PR_snprintf("Added role %s to user %s", role, userid);
+ audit_log("add_user_to_role", agentid, msg);
+ }
+ return rc;
+}
+
+/**
+ * delete_user_to_role_db_entry
+ * summary: removes user from role group (administrators, agents, operators)
+ * params: agentid -user who is performing this change
+ * : userid - userid of user to be removed from role
+ * : role - Officers, Agents or Administrators
+ * returns: LDAP return code
+ */
+TPS_PUBLIC int delete_user_from_role_db_entry(const char *agentid, char *userid, const char *role) {
+ LDAPMod a01;
+ LDAPMod *mods[2];
+ int rc = 0;
+ int i=0;
+ char dn[256];
+ char userdn[256];
+ char *userid_values[2];
+ char msg[256];
+
+ if (PR_snprintf(userdn, 255, "uid=%s, ou=People, %s", userid, userBaseDN) < 0)
+ return -1;
+
+ userid_values[0] = userdn;
+ userid_values[1] = NULL;
+
+ a01.mod_op = LDAP_MOD_DELETE;
+ a01.mod_type = GROUP_UNIQUEMEMBER;
+ a01.mod_values = userid_values;
+ mods[0] = &a01;
+ mods[1] = NULL;
+
+ if (PR_snprintf(dn, 255, "cn=TUS %s,ou=groups, %s", role, userBaseDN) < 0)
+ return -1;
+
+ rc = update_tus_general_db_entry(agentid, dn, mods);
+ if (rc == LDAP_SUCCESS) {
+ PR_snprintf("Deleted role %s from user %s", role, userid);
+ audit_log("delete_user_from_role", agentid, msg);
+ }
+
+ return rc;
+}
+
+/**
+ * delete_profile_from_user
+ * summary: removes attribute profileID=profile from user entry
+ * params: agentid -user who is performing this change
+ * : userid - userid of user to be modified
+ * : profile - profile to be deleted
+ * returns: LDAP return code
+ */
+TPS_PUBLIC int delete_profile_from_user(const char *agentid, char *userid, const char *profile) {
+ LDAPMod a01;
+ LDAPMod *mods[2];
+ int rc = 0;
+ int i=0;
+ char dn[256];
+ char msg[256];
+ char *profileid_values[2] = {profile, NULL};
+
+ if (PR_snprintf(dn, 255, "uid=%s, ou=People, %s", userid, userBaseDN) < 0)
+ return -1;
+
+ a01.mod_op = LDAP_MOD_DELETE;
+ a01.mod_type = PROFILE_ID;
+ a01.mod_values = profileid_values;
+ mods[0] = &a01;
+ mods[1] = NULL;
+
+ rc = update_tus_general_db_entry(agentid, dn, mods);
+ if (rc == LDAP_SUCCESS) {
+ PR_snprintf("Deleted profile %s from user %s", profile, userid);
+ audit_log("delete_profile_from_user", agentid, msg);
+ }
+
+ return rc;
+}
+
+/**
+ * delete_all_profiles_from_user
+ * summary: removes all attributes profileID from user entry
+ * same as above, but passing NULL for mod_values
+ * params: agentid -user who is performing this change
+ * : userid - userid of user to be modified
+ * : profile - profile to be deleted
+ * returns: LDAP return code
+ */
+TPS_PUBLIC int delete_all_profiles_from_user(const char *agentid, char *userid) {
+ LDAPMod a01;
+ LDAPMod *mods[2];
+ int rc = 0;
+ int i=0;
+ char dn[256];
+ char msg[256];
+
+ if (PR_snprintf(dn, 255, "uid=%s, ou=People, %s", userid, userBaseDN) < 0)
+ return -1;
+
+ a01.mod_op = LDAP_MOD_DELETE;
+ a01.mod_type = PROFILE_ID;
+ a01.mod_values = NULL; /* NULL will remove all values */
+ mods[0] = &a01;
+ mods[1] = NULL;
+
+ rc = update_tus_general_db_entry(agentid, dn, mods);
+ if (rc == LDAP_SUCCESS) {
+ PR_snprintf(msg, 256, "Deleted all profiles from user %s", userid);
+ audit_log("delete_all_profiles_from_user", agentid, msg);
+ }
+
+ return rc;
+}
+
+
+/**
+ * add_profile_to_user
+ * summary: adds attribute profileID=profile to user entry
+ * params: agentid -user who is performing this change
+ * : userid - userid of user to be modified
+ * : profile - profile (tokenType) to be added
+ * returns: LDAP return code
+ */
+TPS_PUBLIC int add_profile_to_user(const char *agentid, char *userid, const char *profile) {
+ LDAPMod a01;
+ LDAPMod *mods[2];
+ int rc = 0;
+ int i=0;
+ char dn[256];
+ char msg[256];
+ char *profileid_values[2] = {profile, NULL};
+
+ if (PR_snprintf(dn, 255, "uid=%s, ou=People, %s", userid, userBaseDN) < 0)
+ return -1;
+
+ a01.mod_op = LDAP_MOD_ADD;
+ a01.mod_type = PROFILE_ID;
+ a01.mod_values = profileid_values;
+ mods[0] = &a01;
+ mods[1] = NULL;
+
+ rc = update_tus_general_db_entry(agentid, dn, mods);
+ if (rc == LDAP_SUCCESS) {
+ PR_snprintf(msg, 256, "Added profile %s to user %s", profile, userid);
+ audit_log("add_profile_to_user", agentid, msg);
+ }
+
+ return rc;
}
int delete_tus_db_entry (char *userid, char *cn)
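Review bot: PR_snprintf on L4441, L4482 and L4517 is called without the destination buffer and size arguments, so the format string literal is passed as the buffer and `msg` is still uninitialized when it reaches audit_log; write them as L4552 and L4588 do, e.g. `PR_snprintf(msg, 256, "Added role %s to user %s", role, userid);`. The header comment on L4448 names delete_user_to_role_db_entry while the function is delete_user_from_role_db_entry, and the one on L4530 documents a `profile` parameter that delete_all_profiles_from_user does not take. `int i=0;` is unused in each of the role/profile functions, and the `profileid_values` initializers on L4504 and L4575 drop const from `profile`. userPassword on L4327 is stored as given; whether the directory hashes it server-side is not visible here and should be confirmed.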
@@ -1700,6 +2307,50 @@ int delete_tus_db_entry (char *userid, char *cn)
return rc;
}
+int delete_tus_general_db_entry (char *dn)
+{
+ int rc = 0, tries = 0;
+
+ tus_check_conn();
+
+ for (tries = 0; tries < MAX_RETRIES; tries++) {
+ if ((rc = ldap_delete_ext_s(ld, dn, NULL, NULL)) == LDAP_SUCCESS) {
+ break;
+ } else if (rc == LDAP_SERVER_DOWN || rc == LDAP_CONNECT_ERROR) {
+ rc = ldap_simple_bind_s (ld, bindDN, bindPass);
+ if (rc != LDAP_SUCCESS) {
+ bindStatus = rc;
+ break;
+ }
+ }
+ }
+
+ return rc;
+}
+
+/**
+ * delete_user_db_entry
+ * Deletes user entry
+ * params: agentid - user performing this change
+ * uid - user to be deleted
+ * returns: LDAP return code
+ */
+TPS_PUBLIC int delete_user_db_entry(const char *agentid, char *uid)
+{
+ char dn[256];
+ int rc =0;
+ if (PR_snprintf(dn, 255, "uid=%s,ou=People,%s", uid, userBaseDN) < 0)
+ return -1;
+ rc = delete_tus_general_db_entry(dn);
+
+ if (rc == LDAP_SUCCESS) {
+ audit_log("delete user", agentid, uid);
+ }
+
+ return rc;
+}
+
+
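Review bot: `audit_log("delete user", agentid, uid);` on L4635 uses a space where every other audit event added in this commit is snake_case ("add_user", "modify_user", "add_user_to_role"); use `audit_log("delete_user", agentid, uid);` so log consumers can key on one naming scheme. The DN on L4630 is built as "uid=%s,ou=People,%s" while L4146, L4391 and L4423 use "uid=%s, ou=People, %s"; the directory presumably normalizes both, but one format for all user DNs avoids surprises in string comparisons. `uid` is interpolated into the DN without RFC 4514 escaping, and it originates from the admin UI, so validate it against an allowed character set or escape `,+"\<>;=` before formatting.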
TPS_PUBLIC int find_tus_db_entry (char *cn, int max, LDAPMessage **result)
{
char dn[256];
@@ -1825,6 +2476,76 @@ TPS_PUBLIC int find_tus_token_entries_no_vlv(char *filter, LDAPMessage **result,
return rc;
}
+/**
+ * find_tus_user_entries_no_vlv
+ * params: filter - ldap search filter
+ * result - hash of LDAP Search results.
+ * order - 0 (order results increasing by uid), (!=0) order by decreasing uid
+ */
+TPS_PUBLIC int find_tus_user_entries_no_vlv(char *filter, LDAPMessage **result, int order)
+{
+ int rc = LDAP_OTHER, tries = 0;
+ char peopleBaseDN[256];
+
+ PR_snprintf(peopleBaseDN, 256, "ou=People,%s", userBaseDN);
+
+ tus_check_conn();
+ for (tries = 0; tries < MAX_RETRIES; tries++) {
+ if ((rc = ldap_search_s (ld, peopleBaseDN, LDAP_SCOPE_ONELEVEL, filter,
+ userAttributes, 0, result)) == LDAP_SUCCESS) {
+ /* we do client-side sorting here */
+ if (order == 0) {
+ rc = ldap_sort_entries(ld, result, USER_ID, sort_cmp);
+ } else {
+ rc = ldap_sort_entries(ld, result, USER_ID, reverse_sort_cmp);
+ }
+ break;
+ } else if (rc == LDAP_SERVER_DOWN || rc == LDAP_CONNECT_ERROR) {
+ rc = ldap_simple_bind_s (ld, bindDN, bindPass);
+ if (rc != LDAP_SUCCESS) {
+ bindStatus = rc;
+ break;
+ }
+ }
+ }
+
+ return rc;
+}
+
+/**
+ * find_tus_user_role_entries
+ * summary: return the dns for the groups to which the user belongs
+ * (TUS Administrators, Agents, Operator)
+ * params: uid - userid
+ * result - hash of LDAPResults
+ */
+TPS_PUBLIC int find_tus_user_role_entries( const char*uid, LDAPMessage **result)
+{
+ int rc = LDAP_OTHER, tries = 0;
+ char groupBaseDN[256];
+ char filter[256];
+ char *subgroup_attrs[] = {SUBGROUP_ID, NULL};
+
+ PR_snprintf(groupBaseDN, 256, "ou=Groups,%s", userBaseDN);
+ PR_snprintf(filter, 256, "uniqueMember=uid=%s,ou=People,%s", uid, userBaseDN);
+
+ tus_check_conn();
+ for (tries = 0; tries < MAX_RETRIES; tries++) {
+ if ((rc = ldap_search_s (ld, groupBaseDN, LDAP_SCOPE_SUBTREE, filter,
+ subgroup_attrs, 0, result)) == LDAP_SUCCESS) {
+ break;
+ } else if (rc == LDAP_SERVER_DOWN || rc == LDAP_CONNECT_ERROR) {
+ rc = ldap_simple_bind_s (ld, bindDN, bindPass);
+ if (rc != LDAP_SUCCESS) {
+ bindStatus = rc;
+ break;
+ }
+ }
+ }
+
+ return rc;
+}
+
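Review bot: The filter on L4699 interpolates `uid` unescaped, and find_tus_user_entries_no_vlv is called from get_authorized_profiles with "(uid=%s)" built the same way; escape `( ) * \` and NUL per RFC 4515 (or reject them) before formatting so a crafted uid cannot widen the search. On L4667–L4669 rc is overwritten by ldap_sort_entries after a successful search, so a sort failure makes the caller see an error while *result already holds a message it may never free; keep the search rc or free *result on sort failure. The header comments on L4651 and L4689 describe `result` as a hash; it is an `LDAPMessage *`. The filter on L4699 also lacks the enclosing parentheses used everywhere else in the file; it presumably works with this SDK, but `(uniqueMember=uid=%s,ou=People,%s)` is the conventional form.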
TPS_PUBLIC int find_tus_activity_entries_no_vlv(char *filter, LDAPMessage **result, int order)
{
int rc = LDAP_OTHER, tries = 0;
@@ -2351,6 +3072,16 @@ TPS_PUBLIC char **get_token_attributes()
return tokenAttributes;
}
+TPS_PUBLIC char **get_user_attributes()
+{
+ return userAttributes;
+}
+
+TPS_PUBLIC char **get_view_user_attributes()
+{
+ return viewUserAttributes;
+}
+
CERTCertificate **get_certificates(LDAPMessage *entry) {
int i;
struct berval **bvals;
@@ -2416,6 +3147,9 @@ char **get_attribute_values(LDAPMessage *entry, const char *attribute)
ret[c] = strdup(buffer);
c++;
}
+ if (bvals != NULL) {
+ free_values(bvals, 1);
+ }
ret[c] = NULL;
return ret;
} else {
@@ -2762,6 +3496,17 @@ int get_number_of_modifications(LDAPMessage *entry)
return n;
}
+TPS_PUBLIC char *get_dn(LDAPMessage *entry)
+{
+ char *ret = NULL;
+ char *dn = NULL;
+ if ((dn = ldap_get_dn( ld, entry )) != NULL) {
+ ret = PL_strdup(dn);
+ ldap_memfree(dn);
+ }
+ return ret;
+}
+
char *get_number_of_resets_name()
{
return tokenAttributes[I_TOKEN_RESETS];
diff --git a/pki/base/tps/tools/tus/add.c b/pki/base/tps/tools/tus/add.c
index 4a464b97b..f88ae9753 100644
--- a/pki/base/tps/tools/tus/add.c
+++ b/pki/base/tps/tools/tus/add.c
@@ -53,6 +53,7 @@ static int start = 1;
static int len = 0;
static char *who = NULL;
static char *password = NULL;
+static char *token_type = NULL;
#define SCOPE LDAP_SCOPE_SUBTREE
@@ -64,8 +65,8 @@ int main (int argc, char **argv)
char cn[256];
char *errorMsg = NULL;
- if (argc < 8 || argc > 10) {
- printf ("Usage:\n %s baseDN prefix suffix start len who password host port", argv[0]);
+ if (argc < 9 || argc > 11) {
+ printf ("Usage:\n %s baseDN prefix suffix start len who password token_type host port", argv[0]);
return 1;
}
@@ -76,13 +77,14 @@ int main (int argc, char **argv)
len = atoi(argv[5]);
who = argv[6];
password = argv[7];
+ token_type = argv[8];
- if (argc > 8) {
- host = argv[8];
+ if (argc > 9) {
+ host = argv[9];
}
- if (argc > 9) {
- port = atoi(argv[9]);
+ if (argc > 10) {
+ port = atoi(argv[10]);
}
set_tus_db_baseDN(baseDN);
@@ -101,7 +103,7 @@ int main (int argc, char **argv)
sprintf(cn, "%s%08X%s", prefix, h, suffix);
printf ("Adding %s\n", cn);
- rc = add_default_tus_db_entry (NULL, "", cn, "active", "", "");
+ rc = add_default_tus_db_entry (NULL, "", cn, "active", "", "", token_type);
if (rc != LDAP_SUCCESS) {
fprintf( stderr, "ldap_add_ext_s: %s\n", ldap_err2string( rc ) );
return 1;
diff --git a/pki/dogtag/tps-ui/dogtag-pki-tps-ui.spec b/pki/dogtag/tps-ui/dogtag-pki-tps-ui.spec
index 591552c1f..5a9cf07c0 100644
--- a/pki/dogtag/tps-ui/dogtag-pki-tps-ui.spec
+++ b/pki/dogtag/tps-ui/dogtag-pki-tps-ui.spec
@@ -34,7 +34,7 @@
## Package Header Definitions
%define base_name %{base_ui_prefix}-%{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 4
+%define base_release 5
%define base_group System Environment/Base
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -222,6 +222,8 @@ rm -rf ${RPM_BUILD_ROOT}
###############################################################################
%changelog
+* Tue Jan 27 2008 Ade Lee <alee@redhat.com> 1.0.0-5
+- Bugzilla Bug #479092 TPS roles enhancements
* Fri Nov 28 2008 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-4
- Bugzilla Bug #445402 - changed "linux"/"fedora" to "dogtag"; changed
"pki-svn.fedora.redhat.com" to "pki.fedoraproject.org"
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/addResults.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/addResults.template
index c02b2d9dc..0f154827a 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/addResults.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/addResults.template
@@ -60,11 +60,11 @@ document.write("<HR NOSHADE SIZE=1>\n");
if (typeof(tid) == "undefined") {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">\n");
- document.write("Missing token ID</font>\n");
+ document.write("Missing "+addType+" ID</font>\n");
document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
} else {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">\n");
- document.write("New token record "+tid+" has been added.</font>\n");
+ document.write("New "+addType+" record "+tid+" has been added.</font>\n");
document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
}
//-->
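Review bot: `addType` is used without the `typeof` guard that `tid` gets on the line above it; if the server-side template injection does not define `addType` on some result path, the script throws a ReferenceError and the result text is never written. Guard it the same way, e.g. `var what = (typeof(addType) == "undefined") ? "token" : addType;` and write `what` in both branches. `tid` is also written unescaped, but that is pre-existing.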
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/delete.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/delete.template
index bb5dda0dc..1a48d9018 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/delete.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/delete.template
@@ -209,6 +209,18 @@ if (typeof(results) == "undefined" || results.length == 0) {
results[0].tokenPolicy+"</font>\n");
document.write("</td>\n");
document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Token Type:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].tokenType+"</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
document.write("</table>\n");
document.write("<p>\n");
document.write("<b>System Information:</b>");
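Review bot: `results[0].tokenType` is written straight into the page with `document.write`, so a tokenType attribute containing `<` or `&` would be rendered as markup rather than text; the value originates from the LDAP token record, which this commit now populates from the processors and the `add` tool. The surrounding rows do the same for the other attributes, so the fix is best done once with a small escape helper (replace `&`, `<`, `>`) applied to every `results[0].*` value on this page rather than to tokenType alone. Whether tokenType can carry such characters depends on the server-side writers, which are not visible in this hunk.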
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/deleteResults.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/deleteResults.template
index d15dd6827..20945aedb 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/deleteResults.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/deleteResults.template
@@ -61,11 +61,11 @@ document.write("<HR NOSHADE SIZE=1>\n");
if (typeof(tid) == "undefined") {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">\n");
- document.write("Missing token ID</font>\n");
+ document.write("Missing " + deleteType + " ID</font>\n");
document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
} else {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">\n");
- document.write("Token record "+tid+" has been deleted.</font>\n");
+ document.write(deleteType + " record "+tid+" has been deleted.</font>\n");
document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
}
//-->
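Review bot: `deleteType` is referenced without a `typeof` guard, unlike `tid` on the line above; if a result path reaches this template without `deleteType` injected, the script throws and the page renders no message. Guard it the same way, e.g. `var what = (typeof(deleteType) == "undefined") ? "Token" : deleteType;`, and use `what` in both branches.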
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/doToken.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/doToken.template
index e682df99f..432c008e6 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/doToken.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/doToken.template
@@ -228,6 +228,17 @@ if (rc == "0") {
document.write("</td>\n");
document.write("</tr>\n");
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Token Type:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].tokenType+"</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
document.write("</table>\n");
document.write("<p>\n");
document.write("<b>System Information:</b>");
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/doTokenConfirm.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/doTokenConfirm.template
index 06b642ead..065334896 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/doTokenConfirm.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/doTokenConfirm.template
@@ -225,6 +225,17 @@ if (typeof(results) == "undefined" || results.length == 0) {
document.write("</td>\n");
document.write("</tr>\n");
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Token Type:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].tokenType+"</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
document.write("</table>\n");
document.write("<p>\n");
document.write("<b>System Information:</b>");
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/edit.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/edit.template
index e94bdf91e..dc65bf20d 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/edit.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/edit.template
@@ -161,6 +161,16 @@ if (typeof(results) == "undefined" || results.length == 0) {
document.write("</td>\n");
document.write("</tr>\n");
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Token Type:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write(results[0].tokenType+"\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
document.write("</table>\n");
document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/editAdmin.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/editAdmin.template
index fea19cba3..c9db8bb09 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/editAdmin.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/editAdmin.template
@@ -99,7 +99,7 @@ function doSave(form) {
} else {
uri += uriBase;
}
- uri += "?op=save&tid="+results[0].cn;
+ uri += "?op=save_admin&tid="+results[0].cn;
if (results[0].tokenUserID != form.uid.value) {
uri += "&uid=" + form.uid.value;
@@ -189,6 +189,17 @@ if (typeof(results) == "undefined" || results.length == 0) {
document.write("</td>\n");
document.write("</tr>\n");
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Token Type:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].tokenType+"</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
document.write("</table>\n");
document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
@@ -201,10 +212,10 @@ if (typeof(results) == "undefined" || results.length == 0) {
document.write("<td>\n");
document.write("<input TYPE=button VALUE=Cancel onClick=\"doCancel();\">");
document.write("</td>\n");
+ document.write("</form>\n");
document.write("</tr>\n");
document.write("</table>\n");
- document.write("</form>\n");
}
//-->
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/editAdminResults.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/editAdminResults.template
index 07a25b833..91d39babc 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/editAdminResults.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/editAdminResults.template
@@ -61,11 +61,11 @@ document.write("<HR NOSHADE SIZE=1>\n");
if (typeof(tid) == "undefined") {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">\n");
- document.write("Missing token ID</font>\n");
+ document.write("Missing "+ editType + " ID</font>\n");
document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
} else {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">\n");
- document.write("Token record "+tid+" has been updated.</font>\n");
+ document.write(editType + " record "+tid+" has been updated.</font>\n");
document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
}
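Review bot: `editType` is used unguarded while `tid` is checked with `typeof`; a result path that does not inject `editType` will throw a ReferenceError here and leave the page blank. Guard it as `var what = (typeof(editType) == "undefined") ? "Token" : editType;` and write `what` in both branches.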
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/editUser.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/editUser.template
new file mode 100644
index 000000000..acc18f59b
--- /dev/null
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/editUser.template
@@ -0,0 +1,313 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ --- END COPYRIGHT BLOCK --- -->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+<meta HTTP-EQUIV="content-type" CONTENT="text/html; charset=UTF-8">
+<HEAD>
+<TITLE>TPS</Title>
+</HEAD>
+
+<table border="0" width="100%" cellspacing="0" cellpadding="6">
+ <tr bgcolor="#666699">
+ <td width=25%>
+ <table border="0" cellspacing="0" cellpadding="6">
+ <tr>
+ <td nowrap><font size="-1" face="PrimaSans BT, Verdana, sans-serif" color="white">Dogtag<b>&reg;<br>
+ Certificate<br>System</b></font> </td>
+ </tr>
+ </table>
+ </td>
+ <td align=right width=65% nowrap><font size="+1" face="PrimaSans BT, Verdana, sans-serif" color="white">TPS Services</font></td>
+ <td width="10%">&nbsp;</td>
+ </tr>
+</table>
+<p>
+
+<BODY>
+
+<CMS_TEMPLATE>
+
+<SCRIPT type="text/JavaScript">
+<!--
+var uri0 = "";
+if (typeof(uriBase) == "undefined") {
+ uri0 += "/tus";
+} else {
+ uri0 += uriBase;
+}
+
+document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri0+"\">Main Menu</a> : Administrator Operations : Edit User</font>\n");
+
+if ((typeof(flash) != "undefined") && (flash != "")) {
+ document.write("<table width=\"100%\"><tr><td align=\"left\">" +
+ "<font color=\"#ff0000\"><b>" + flash.replace(/\+/g, " ") + "</b><font>" +
+ "</td></tr></table>\n");
+}
+
+document.write("<table width=\"100%\"><tr><td align=\"right\">" +
+ "<b>UID:</b>" + userid
+ + "</td></tr></table>\n");
+document.write("<HR NOSHADE SIZE=1>\n");
+
+function validate_required(field,alerttxt) {
+ with (field) {
+ if (value==null||value=="") {
+ alert(alerttxt);
+ return false;
+ }
+ else {
+ return true;
+ }
+ }
+}
+
+function validate_form(thisform) {
+ with (thisform) {
+ if (validate_required(firstName,"First Name is required")==false) {
+ firstName.focus();
+ return false;
+ }
+ if (validate_required(lastName,"Last Name is required")==false) {
+ lastName.focus();
+ return false;
+ }
+ if (validate_required(userCert,"User Certificate is required")==false) {
+ userCert.focus();
+ return false;
+ }
+
+ }
+}
+
+function doUpdateUser(form) {
+ var uri = "";
+ if (typeof(uriBase) == "undefined") {
+ uri += "/tus";
+ } else {
+ uri += uriBase;
+ }
+ if (validate_form(this)) {
+ this.action = uri;
+ return true;
+ } else {
+ return false;
+ }
+}
+
+function doUpdateUserProfile(form) {
+ var uri = "";
+ if (typeof(uriBase) == "undefined") {
+ uri += "/tus";
+ } else {
+ uri += uriBase;
+ }
+ this.action = uri;
+ return true;
+}
+
+function doCancel() {
+ var uri = "";
+ if (typeof(uriBase) == "undefined") {
+ uri += "/tus";
+ } else {
+ uri += uriBase;
+ }
+ location.href = uri;
+}
+
+function doCheckBox(val) {
+ document.addUserProfileForm.other_profile.disabled = false;
+}
+
+
+
+if (typeof(results) == "undefined" || results.length == 0) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "User Not Found</font>\n");
+} else if (results.length > 1) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Found too many users to edit</font>\n");
+} else {
+ document.write("<BR>");
+ document.write("<form NAME =\"editUserForm\" METHOD=POST onSubmit=\"return doUpdateUser(this);\">");
+ document.write("<input TYPE=HIDDEN NAME=query VALUE=\"op=save_user\">");
+
+ document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0 width=100%>\n");
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "UserID:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].uid+"</font>\n");
+ document.write("<input TYPE=HIDDEN NAME=uid VALUE=\"" + results[0].uid + "\">");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "First Name:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<input TYPE=TEXT NAME=firstName SIZE=20 VALUE="+results[0].cn.substring(0, results[0].cn.indexOf(" "))+">\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Last Name:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<input TYPE=TEXT NAME=lastName SIZE=20 VALUE="+results[0].sn+">\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Role:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td ><input type=checkbox name=opOperator value=Officers " + operator + ">Operator</td>\n");
+ document.write("<td ><input type=checkbox name=opAgent value=Agents " + agent + ">Agent</td>\n");
+ document.write("<td ><input type=checkbox name=opAdmin value=Administrators " + admin + ">Administrator</td>\n");
+ document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "User Certificate:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ if ((typeof(results[0].userCertificate) == "undefined") || (results[0].userCertificate.length == 0) ) {
+ document.write("<textarea name=userCert cols=40 rows=10>\n");
+ document.write("Paste the base 64 user certificate here (without the header and footer)");
+ document.write("</textarea>\n");
+ } else {
+ document.write("<textarea name=userCert cols=40 rows=10>\n");
+ document.write(results[0].userCertificate.replace(/\.\./g, "\r\n"));
+ document.write("</textarea>\n");
+ }
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ document.write("</table>\n");
+
+ document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
+
+ if ((typeof(results[0].profileID) != "undefined") && (results[0].profileID.length != 0)) {
+
+ var profile_array = results[0].profileID.split("#");
+ document.write("<input TYPE=HIDDEN NAME=nProfiles VALUE=\"" + profile_array.length + "\">");
+ document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0 width=100%>\n");
+ document.write("<tr bgcolor=#e5e5e5>\n");
+
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Profile ID</font>\n");
+ document.write("</td>\n");
+
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Remove Profile Access</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ for (var i=0; i < profile_array.length; i++) {
+ document.write("<tr>\n");
+ document.write("<td>\n");
+ document.write(profile_array[i]);
+ document.write("<input type=hidden name=\"profile_" + i + "\" value=\""+ profile_array[i] + "\">");
+ document.write("</td>\n");
+ document.write("<td><input type=checkbox name=\"delete_" + i + "\" value=\"delete\"></td>\n");
+ document.write("</tr>\n");
+ }
+ document.write("</table>\n");
+ } else {
+ document.write("<p>Profile Memberships</p>");
+ }
+
+ document.write("<DIV ALIGN=RIGHT>\n");
+ document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0>\n");
+ document.write("<tr>\n");
+ document.write("<td>\n");
+ document.write("<input TYPE=submit VALUE=Update>");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<input TYPE=button VALUE=Cancel onClick=\"doCancel();\">");
+ document.write("</td>\n");
+ document.write("</form>\n");
+ document.write("<td>\n");
+ document.write("<form name=deleteUser method=GET action='tus'>\n");
+ document.write("<input type=hidden name=op value=user_delete_confirm>");
+ document.write("<input type=hidden name=uid value=" + results[0].uid + ">");
+ document.write("<input TYPE=submit VALUE=\"Delete User\">");
+ document.write("</form>");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+ document.write("</table>\n");
+
+ document.write("<DIV ALIGN=LEFT>\n");
+ document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0>\n");
+ document.write("<tr>\n");
+
+ if ((typeof(start_val) != "undefined") && (start_val > 0)) {
+ var new_start = start_val - 5;
+ if (new_start < 0) new_start =0;
+ document.write("<td> <form name=prev_edit method=get action=\"doCancel()\">");
+ document.write("<input TYPE=hidden name=op VALUE=edit_user>");
+ document.write("<input TYPE=hidden name=uid VALUE=" + results[0].uid + ">");
+ document.write("<input TYPE=hidden name=start_val VALUE=" + new_start + ">");
+ document.write("<input TYPE=submit VALUE=\"\<\"></form><td>\n");
+ }
+
+ if ((typeof(has_more_profile_vals) != "undefined") && (has_more_profile_vals == "true")) {
+ var new_start = end_val;
+ document.write("<td> <form method=get name=prev_edit action=\"doCancel()\">");
+ document.write("<input TYPE=hidden name=op VALUE=edit_user>");
+ document.write("<input TYPE=hidden name=uid VALUE=" + results[0].uid + ">");
+ document.write("<input TYPE=hidden name=start_val VALUE=" + new_start + ">");
+ document.write("<input TYPE=submit VALUE=\"\>\"></form><td>\n");
+ }
+ document.write("</tr>");
+
+ document.write("<form NAME =\"addUserProfileForm\" METHOD=POST onSubmit=\"return doUpdateUserProfile(this);\">");
+ document.write("<tr>");
+ document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0 >\n");
+ document.write("<input TYPE=HIDDEN NAME=query VALUE=\"op=add_profile_user\">");
+ document.write("<input TYPE=HIDDEN NAME=uid VALUE=\"" + results[0].uid + "\">");
+ document.write("<td>Add new profile: <select name=\"profile_0\" onChange=\"doCheckbox(this.options[selectedIndex].value)\">");
+ for (var i=0; i < profile_list.length; i++) {
+ document.write("<option value=\""+ profile_list[i] + "\">" + profile_list[i] + "</option>\n");
+ }
+ document.write("</select></td>");
+ document.write("<td><input type=text name=other_profile></td>");
+ document.write("<td><input TYPE=submit VALUE=\"Add Profile\"></td></tr>");
+ document.write("</table>");
+ document.write("</form>\n");
+}
+
+//-->
+</SCRIPT>
+
+</BODY>
+</HTML>
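Review bot: `doUpdateUser` validates and retargets `this` rather than its `form` argument; called from the inline `onSubmit` handler, `this` is the global object inside the function, so `validate_form` resolves `firstName`/`lastName`/`userCert` against `window` and `this.action = uri` never reaches the form. The profile select's `onChange` calls `doCheckbox(...)` but the function is defined as `doCheckBox`, so changing the selection throws and `other_profile` is never enabled. The `firstName`, `lastName` and delete-form `uid` values are written as unquoted `VALUE=` attributes, so any value containing a space is truncated at the first space (and the first-name `substring` yields an empty string when `cn` has no space); quote them and, since they come from directory data, escape `"`, `<` and `&` before insertion. Role membership is submitted as plain checkbox values (`Officers`/`Agents`/`Administrators`), so the `save_user` handler, not visible here, must be what decides whether the caller may grant those groups.

```javascript
function doUpdateUser(form) {
    // … unchanged: uri computation from uriBase …
    if (validate_form(form)) {
        form.action = uri;
        return true;
    }
    return false;
}
// … unchanged: doUpdateUserProfile, doCancel …
function doCheckbox(val) {
    document.addUserProfileForm.other_profile.disabled = false;
}
// … unchanged: header, UID row …
    var sp = results[0].cn.indexOf(" ");
    var firstName = (sp < 0) ? results[0].cn : results[0].cn.substring(0, sp);
    document.write("<input TYPE=TEXT NAME=firstName SIZE=20 VALUE=\"" + firstName + "\">\n");
// … unchanged …
    document.write("<input TYPE=TEXT NAME=lastName SIZE=20 VALUE=\"" + results[0].sn + "\">\n");
// … unchanged: role, certificate, profile table …
    document.write("<input type=hidden name=uid value=\"" + results[0].uid + "\">");
```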
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/index.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/index.template
index 69c377f1a..c77c624cb 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/index.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/index.template
@@ -73,18 +73,28 @@ function doFind(form) {
location.href = uri;
}
}
+
+var lastCol = 100;
+document.write("<table BORDER=0 CELLSPACING=0 CELLPADDING=0 width=100%><tr>");
+if ((typeof(operatorAuth) != "undefined") && (operatorAuth == "true")) {
+ document.write("<td width=\"20%\"><a href=\"/tus?op=index_operator\">Operator Operations</td>");
+ lastCol -= 20;
+}
+if ((typeof(agentAuth) != "undefined") && (agentAuth == "true")) {
+ document.write("<td bgcolor=\"#e5e5e5\" width=\"20%\"><a href=\"/tus\">Agent Operations</td>");
+ lastCol -= 20;
+}
+if ((typeof(adminAuth) != "undefined") && (adminAuth == "true")) {
+ document.write("<td width=\"20%\"><a href=\"/tus?op=index_admin\">Administrator Operations</td>");
+ lastCol -= 20;
+}
+document.write("<td width=\"" + lastCol + "%\"></td>");
+document.write("</tr></table>");
//-->
</SCRIPT>
<table BORDER=0 CELLSPACING=0 CELLPADDING=0 width=100%>
<tr>
- <td bgcolor="#e5e5e5" width="20%"><a href="/tus">Agent Operations</td>
- <td width="20%"><a href="/tus?op=index_admin">Administrator Operations</td>
- <td width="60%"></td>
-</tr>
-</table>
-<table BORDER=0 CELLSPACING=0 CELLPADDING=0 width=100%>
-<tr>
<td bgcolor=#e5e5e5>&nbsp;</td>
</tr>
</table>
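Review bot: The three navigation links written here hard-code `/tus`, while `doFind` directly above builds its URL from `uriBase` with `/tus` only as a fallback; build the hrefs from the same base (the sibling templates keep it in `uri0`) so the page keeps working when `uriBase` is set. The `<a>` elements are never closed, which the old static markup also omitted but the new generated lines could fix by appending `</a>`. `operatorAuth`/`agentAuth`/`adminAuth` only control what the menu shows; each `op=` handler must still enforce the role server-side, which cannot be confirmed from this hunk.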
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/indexAdmin.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/indexAdmin.template
index 7f5413409..ac25e4022 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/indexAdmin.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/indexAdmin.template
@@ -73,18 +73,27 @@ function doFind(form) {
location.href = uri;
}
}
+var lastCol = 100;
+document.write("<table BORDER=0 CELLSPACING=0 CELLPADDING=0 width=100%><tr>");
+if ((typeof(operatorAuth) != "undefined") && (operatorAuth == "true")) {
+ document.write("<td width=\"20%\"><a href=\"/tus?op=index_operator\">Operator Operations</td>");
+ lastCol -= 20;
+}
+if ((typeof(agentAuth) != "undefined") && (agentAuth == "true")) {
+ document.write("<td width=\"20%\"><a href=\"/tus\">Agent Operations</td>");
+ lastCol -=20;
+}
+if ((typeof(adminAuth) != "undefined") && (adminAuth == "true")) {
+ document.write("<td bgcolor=\"#e5e5e5\" width=\"20%\"><a href=\"/tus?op=index_admin\">Administrator Operations</td>");
+ lastCol -=20;
+}
+document.write("<td width=\"" + lastCol + "%\"></td>");
+document.write("</tr></table>");
//-->
</SCRIPT>
<table BORDER=0 CELLSPACING=0 CELLPADDING=0 width=100%>
<tr>
- <td width="20%"><a href="/tus">Agent Operations</td>
- <td bgcolor="#e5e5e5" width="20%"><a href="/tus?op=index_admin">Administrator Operations</td>
- <td width="60%"></td>
-</tr>
-</table>
-<table BORDER=0 CELLSPACING=0 CELLPADDING=0 width=100%>
-<tr>
<td bgcolor=#e5e5e5>&nbsp;</td>
</tr>
</table>
@@ -101,6 +110,27 @@ function doFind(form) {
<tr>
<td><li><a href="tus?op=search_admin">Search Tokens</a></td>
</tr>
+ <tr>
+ <td><i>Users</i></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=add_user?tid=&uid=">Add User</a></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=view_users">List Users</a></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=search_users">Search Users</a></td>
+ </tr>
+ <tr>
+ <td><i>Activities</i></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=view_activity">List Activities</a></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=search_activity">Search Activities</a></td>
+ </tr>
</table>
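Review bot: `tus?op=add_user?tid=&uid=` contains a second `?`; a conventional query parser yields `op` == `add_user?tid=`, so unless mod_tokendb's `op` matching tolerates the suffix this link never reaches the add-user handler. `tus?op=add_user` is sufficient, as the other entries on this page already show (`op=view_users`, `op=search_users`); the same shape appears in indexOperator.template (`op=view?tid=...`), so confirm against the server's parser before relying on it. Menu visibility for the new user-management and activity links is only a hint; the handlers behind them must check the administrator role themselves.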
<HR NOSHADE SIZE=1>
<DIV ALIGN=RIGHT>
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/indexOperator.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/indexOperator.template
new file mode 100644
index 000000000..838f8038d
--- /dev/null
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/indexOperator.template
@@ -0,0 +1,136 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ --- END COPYRIGHT BLOCK --- -->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+<meta HTTP-EQUIV="content-type" CONTENT="text/html; charset=UTF-8">
+<HEAD>
+<TITLE>TPS</Title>
+</HEAD>
+<table border="0" width="100%" cellspacing="0" cellpadding="6">
+ <tr bgcolor="#666699">
+ <td width=25%>
+ <table border="0" cellspacing="0" cellpadding="6">
+ <tr>
+ <td nowrap><font size="-1" face="PrimaSans BT, Verdana, sans-serif" color="white">Dogtag<b>&reg;<br>
+ Certificate<br>System</b></font> </td>
+ </tr>
+ </table>
+ </td>
+ <td align=right width=65% nowrap><font size="+1" face="PrimaSans BT, Verdana, sans-serif" color="white">TPS Services</font></td>
+ <td width="10%">&nbsp;</td>
+ </tr>
+</table>
+<p>
+
+<BODY>
+
+<CMS_TEMPLATE>
+
+<SCRIPT type="text/JavaScript">
+<!--
+var uri0 = "";
+if (typeof(uriBase) == "undefined") {
+ uri0 += "/tus";
+} else {
+ uri0 += uriBase;
+}
+
+document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri0+"\">Main Menu</a></font>\n");
+document.write("<table width=\"100%\"><tr><td align=\"right\"><b>UID:</b>" +
+ userid + "</td></tr></table>\n");
+document.write("<HR NOSHADE SIZE=1>\n");
+
+function doFind(form) {
+ if (form.uid.value == "" && form.tid.value == "") {
+ alert("Enter token or user ID");
+ } else {
+ var uri = "";
+ if (typeof(uriBase) == "undefined") {
+ uri += "/tus"
+ } else {
+ uri += uriBase;
+ }
+ uri += "?op=view";
+ if (form.tid.value.length > 0) uri += "&tid=" + form.tid.value;
+ if (form.uid.value.length > 0) uri += "&uid=" + form.uid.value;
+ location.href = uri;
+ }
+}
+
+var lastCol = 100;
+document.write("<table BORDER=0 CELLSPACING=0 CELLPADDING=0 width=100%><tr>");
+if ((typeof(operatorAuth) != "undefined") && (operatorAuth == "true")) {
+ document.write("<td bgcolor=\"#e5e5e5\" width=\"20%\"><a href=\"/tus?op=index_operator\">Operator Operations</td>");
+ lastCol -= 20;
+}
+if ((typeof(agentAuth) != "undefined") && (agentAuth == "true")) {
+ document.write("<td width=\"20%\"><a href=\"/tus\">Agent Operations</td>");
+ lastCol -=20;
+}
+if ((typeof(adminAuth) != "undefined") && (adminAuth == "true")) {
+ document.write("<td width=\"20%\"><a href=\"/tus?op=index_admin\">Administrator Operations</td>");
+ lastCol -=20;
+}
+document.write("<td width=\"" + lastCol + "%\"></td>");
+document.write("</tr></table>");
+//-->
+</SCRIPT>
+
+<table BORDER=0 CELLSPACING=0 CELLPADDING=0 width=100%>
+<tr>
+ <td bgcolor=#e5e5e5>&nbsp;</td>
+</tr>
+</table>
+<table BORDER=0 CELLSPACING=2 CELLPADDING=0 width=100%>
+ <tr>
+ <td><i>Tokens</i></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=view?tid=&uid=&top=operator">List Tokens</a></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=search&top=operator">Search Tokens</a></td>
+ </tr>
+ <tr>
+ <td><i>Certificates</i></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=view_certificate?tid=&uid=&top=operator">List Certificates</a></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=search_certificate&top=operator">Search Certificates</a></td>
+ </tr>
+ <tr>
+ <td><i>Activities</i></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=view_activity&top=operator">List Activities</a></td>
+ </tr>
+ <tr>
+ <td><li><a href="tus?op=search_activity&top=operator">Search Activities</a></td>
+ </tr>
+ <tr>
+ <td></td>
+ </tr>
+</table>
+<HR NOSHADE SIZE=1>
+<DIV ALIGN=RIGHT>
+</BODY>
+</HTML>
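Review bot: `doFind` navigates to `?op=view` without `&top=operator`, while every static link on this page carries `top=operator`; the resulting view page therefore renders with the agent breadcrumb/navigation (the sibling templates switch on `topLevel`), so add `uri += "&top=operator";` after the uid parameter. `form.tid.value` and `form.uid.value` are appended to the URL without `encodeURIComponent`, so an ID containing `&` or `#` silently changes the query. The `List Tokens`/`List Certificates` hrefs contain a second `?` (`op=view?tid=&uid=&top=operator`), which a conventional parser turns into `op=view?tid=`; drop the `?tid=&uid=` part unless the server's parser is known to accept it.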
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/newUser.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/newUser.template
new file mode 100644
index 000000000..f434ba388
--- /dev/null
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/newUser.template
@@ -0,0 +1,180 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA
+
+ Copyright (C) 2008 Red Hat, Inc.
+ All rights reserved.
+ --- END COPYRIGHT BLOCK --- -->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+<meta HTTP-EQUIV="content-type" CONTENT="text/html; charset=UTF-8">
+<HEAD>
+<TITLE>TPS</Title>
+</HEAD>
+
+<table border="0" width="100%" cellspacing="0" cellpadding="6">
+ <tr bgcolor="#666699">
+ <td width=25%>
+ <table border="0" cellspacing="0" cellpadding="6">
+ <tr>
+ <td nowrap><font size="-1" face="PrimaSans BT, Verdana, sans-serif" color="white">Dogtag<b>&reg;<br>
+ Certificate<br>System</b></font> </td>
+ </tr>
+ </table>
+ </td>
+ <td align=right width=65% nowrap><font size="+1" face="PrimaSans BT, Verdana, sans-serif" color="white">TPS Services</font></td>
+ <td width="10%">&nbsp;</td>
+ </tr>
+</table>
+<p>
+
+<BODY>
+
+<CMS_TEMPLATE>
+
+<SCRIPT type="text/JavaScript">
+<!--
+var uri0 = "";
+if (typeof(uriBase) == "undefined") {
+ uri0 += "/tus";
+} else {
+ uri0 += uriBase;
+}
+
+document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri0+"\">Main Menu</a> : Admin Operations : Add New User</font>\n");
+document.write("<table width=\"100%\"><tr><td align=\"right\">" +
+ "<b>UID:</b>" +
+ userid + "</td></tr></table>\n");
+document.write("<HR NOSHADE SIZE=1>\n");
+
+function validate_required(field,alerttxt) {
+ with (field) {
+ if (value==null||value=="") {
+ alert(alerttxt);
+ return false;
+ }
+ else {
+ return true;
+ }
+ }
+}
+
+function validate_form(thisform) {
+ with (thisform) {
+ if (validate_required(userid,"Userid is required")==false) {
+ userid.focus();
+ return false;
+ }
+ if (validate_required(firstName,"First Name is required")==false) {
+ firstName.focus();
+ return false;
+ }
+ if (validate_required(lastName,"Last Name is required")==false) {
+ lastName.focus();
+ return false;
+ }
+ if (validate_required(groupid,"Group ID is required")==false) {
+ groupid.focus();
+ return false;
+ }
+
+ }
+}
+
+function doAdd(form) {
+ var uri = "";
+ if (typeof(uriBase) == "undefined") {
+ uri += "/tus"
+ } else {
+ uri += uriBase;
+ }
+ if (validate_form(this)) {
+ document.addUserForm.action = uri;
+ return true;
+ } else {
+ return false;
+ }
+}
+
+
+//-->
+</SCRIPT>
+
+<FORM NAME ="addUserForm" METHOD="POST" onSubmit="return doAdd(this)" >
+<input TYPE="hidden" NAME="query" VALUE="op=addUser">
+<table BORDER=0 CELLSPACING=2 CELLPADDING=0 width=100%>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ User ID:
+ </font>
+ </td>
+ <td>
+ <input TYPE=TEXT NAME=userid SIZE=20>
+ </td>
+ </tr>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ User First Name:
+ </font>
+ </td>
+ <td>
+ <input TYPE=TEXT NAME=firstName SIZE=20>
+ </td>
+ </tr>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ User Last Name:
+ </font>
+ </td>
+ <td>
+ <input TYPE=TEXT NAME=lastName SIZE=20>
+ </td>
+ </tr>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ Role:
+ </font>
+ </td>
+ <td> Operator
+ <input TYPE=CHECKBOX NAME=opOperator value="Officers" CHECKED>
+ &nbsp;&nbsp;&nbsp;&nbsp;Agent
+ <input TYPE=CHECKBOX NAME=opAgent value="Agents" >
+ &nbsp;&nbsp;&nbsp;&nbsp;Admin
+ <input TYPE=CHECKBOX NAME=opAdmin value="Administrators" >
+ </td>
+ </tr>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ Certificate:
+ </font>
+ </td>
+ <td>
+ <textarea name="cert" cols="40" rows="10" >
+Paste the base 64 user certificate here (without the header and footer)
+ </textarea>
+ </td>
+ </tr>
+</table>
+<HR NOSHADE SIZE=1>
+<DIV ALIGN=RIGHT>
+<input TYPE=submit VALUE="Add User" >
+</form>
+</BODY>
+</HTML>
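Review bot: `validate_form(this)` in `doAdd` receives the global object, not the form (inline `onSubmit` handlers invoke `doAdd` with `this` bound to `window`), so the `with (thisform)` block resolves `userid` to the page's `userid` string and `firstName`/`lastName`/`groupid` to nothing; the form also has no `groupid` field at all, the role being three checkboxes, so that check can never pass. The outcome is an exception in the handler rather than a `false` return, which does not cancel submission, so the required-field checks are inert; change to `if (validate_form(form))` and remove or replace the `groupid` check. The certificate `<textarea>` ships its placeholder sentence as the field's actual value, so an untouched form posts that text as `cert`; move the hint outside the textarea or have the handler reject it (the handler is not visible here). `Operator` is pre-checked by default; confirm that is the intended default privilege for a new account.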
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/revoke.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/revoke.template
index 2d223287c..5b498b7eb 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/revoke.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/revoke.template
@@ -225,6 +225,17 @@ if (typeof(results) == "undefined" || results.length == 0) {
document.write("</td>\n");
document.write("</tr>\n");
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Token Type:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].tokenType+"</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
document.write("</table>\n");
document.write("<p>\n");
document.write("<b>System Information:</b>");
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/search.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/search.template
index 929796080..b433429d3 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/search.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/search.template
@@ -70,6 +70,9 @@ function doFind(form) {
uri += "&tid=" + form.tid.value;
uri += "&uid=" + form.uid.value;
uri += "&maxCount=" + form.maxCount.value;
+ if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ uri += "top=operator";
+ }
location.href = uri;
}
//-->
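Review bot: The operator flag appended in the new line `uri += "top=operator";` has no `&` separator, so it is glued onto the preceding parameter (`...&maxCount=20top=operator`): the server never receives `top=operator` and the maxCount value is corrupted as well. It should be `uri += "&top=operator";`, which is exactly what the searchCertificate.template hunk in this same commit does. The `function doFind(form) {` line appears only in the hunk header, so the function starts outside the hunk.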
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivity.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivity.template
index d271f0144..1057c5ec2 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivity.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivity.template
@@ -52,8 +52,13 @@ if (typeof(uriBase) == "undefined") {
uri0 += uriBase;
}
-document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri0+"\">Main Menu</a> : Operator Operations : Search Activity</font>\n");
+} else {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
"<a href=\""+uri0+"\">Main Menu</a> : Agent Operations : Search Activity</font>\n");
+}
document.write("<table width=\"100%\"><tr><td align=\"right\">" +
"<b>UID:</b>" +
userid + "</td></tr></table>\n");
@@ -70,6 +75,9 @@ function doFind(form) {
uri += "&tid=" + form.tid.value;
uri += "&uid=" + form.uid.value;
uri += "&maxCount=" + form.maxCount.value;
+ if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ uri += "top=operator";
+ }
location.href = uri;
}
//-->
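Review bot: The same separator bug as in search.template: `uri += "top=operator";` appends the flag without `&`, so it is concatenated onto the maxCount value and the operator view is silently requested as the agent view. Change it to `uri += "&top=operator";` so the query string stays well-formed. doFind's opening line is in the hunk header, so the function begins outside the hunk.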
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivityResults.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivityResults.template
index 505ded271..dd4e17104 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivityResults.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchActivityResults.template
@@ -74,15 +74,20 @@ if (typeof(uriBase) == "undefined") {
uri += uriBase;
}
-document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri+"\">Main Menu</a> : Operator Operations : Search Activity Results</font>\n");
+ uri += "?op=show&top=operator&tid=";
+} else {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
"<a href=\""+uri+"\">Main Menu</a> : Agent Operations : Search Activity Results</font>\n");
+ uri += "?op=show&tid=";
+}
document.write("<table width=\"100%\"><tr><td align=\"right\">" +
"<b>UID:</b>" +
userid + "</td></tr></table>\n");
document.write("<HR NOSHADE SIZE=1>\n");
-uri += "?op=show&tid=";
-
if (typeof(results) == "undefined" || results.length == 0) {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
"Token Not Found</font>\n");
@@ -139,7 +144,7 @@ if (typeof(results) == "undefined" || results.length == 0) {
results[i].cn+"</font>\n");
document.write("</td>\n");
document.write("<td>\n");
- document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\"/tus?op=show&tid="+
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\"" + uri +
results[i].tokenID+"\">" + results[i].tokenID + "</a></font>\n");
document.write("</td>\n");
document.write("<td>\n");
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificate.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificate.template
index 9bb630cc5..668b1a8d7 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificate.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificate.template
@@ -53,7 +53,7 @@ if (typeof(uriBase) == "undefined") {
}
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
- "<a href=\""+uri0+"\">Main Menu</a> : Search Tokens</font>\n");
+ "<a href=\""+uri0+"\">Main Menu</a> : Search Certificates</font>\n");
document.write("<table width=\"100%\"><tr><td align=\"right\">" +
"<b>UID:</b>" +
userid + "</td></tr></table>\n");
@@ -70,6 +70,9 @@ function doFind(form) {
uri += "&tid=" + form.tid.value;
uri += "&uid=" + form.uid.value;
uri += "&maxCount=" + form.maxCount.value;
+ if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ uri += "&top=operator";
+ }
location.href = uri;
}
//-->
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificateResults.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificateResults.template
index 219ccf9a3..5b0104b6b 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificateResults.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchCertificateResults.template
@@ -73,16 +73,22 @@ if (typeof(uriBase) == "undefined") {
} else {
uri += uriBase;
}
-
-document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri+"\">Main Menu</a> : Operator Operations : Search Certificate Results</font>\n");
+ cert_uri = uri + "?op=show_certificate&top=operator&cn=";
+ uri += "?op=show&top=operator&tid=";
+} else {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
"<a href=\""+uri+"\">Main Menu</a> : Agent Operations : Search Certificate Results</font>\n");
+ cert_uri = uri + "?op=show_certificate&cn=";
+ uri += "?op=show&tid=";
+}
document.write("<table width=\"100%\"><tr><td align=\"right\">" +
"<b>UID:</b>" +
userid + "</td></tr></table>\n");
document.write("<HR NOSHADE SIZE=1>\n");
-uri += "?op=show&tid=";
-
if (typeof(results) == "undefined" || results.length == 0) {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
"Token Not Found</font>\n");
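Review bot: `cert_uri` is assigned in both branches of the new `if` without a `var` declaration, so it becomes an implicit global, unlike the `uri` it mirrors, which is initialised above the hunk; add `var cert_uri = "";` next to that declaration, or immediately before the `if`. The two branches also repeat the whole breadcrumb write and differ only in the label and the `&top=operator` fragment; computing the fragment once would keep the agent and operator URIs from drifting apart in future edits.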
@@ -127,7 +133,7 @@ if (typeof(results) == "undefined" || results.length == 0) {
for (var i = 0; i < results.length; i++) {
document.write("<tr>\n");
document.write("<td>\n");
- document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\"/tus?op=show_certificate&cn="+
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\""+ cert_uri +
results[i].cn+"\">" + results[i].cn + "</a></font>\n");
document.write("</td>\n");
document.write("<td>\n");
@@ -139,7 +145,7 @@ if (typeof(results) == "undefined" || results.length == 0) {
results[i].tokenSubject+"</font>\n");
document.write("</td>\n");
document.write("<td>\n");
- document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\"/tus?op=show&tid="+
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\"" + uri +
results[i].tokenID+"\">" + results[i].tokenID + "</a></font>\n");
document.write("</td>\n");
document.write("<td>\n");
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchResults.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchResults.template
index 833796ce6..5addf5cab 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchResults.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchResults.template
@@ -74,15 +74,20 @@ if (typeof(uriBase) == "undefined") {
uri += uriBase;
}
-document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri+"\">Main Menu</a> : Operator Operations : Search Results</font>\n");
+ uri += "?op=show&top=operator&tid=";
+} else {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
"<a href=\""+uri+"\">Main Menu</a> : Agent Operations : Search Results</font>\n");
+ uri += "?op=show&tid=";
+}
document.write("<table width=\"100%\"><tr><td align=\"right\">" +
"<b>UID:</b>" +
userid + "</td></tr></table>\n");
document.write("<HR NOSHADE SIZE=1>\n");
-uri += "?op=show&tid=";
-
if (typeof(results) == "undefined" || results.length == 0) {
document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
"Token Not Found</font>\n");
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchUser.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchUser.template
new file mode 100644
index 000000000..77aa9dd4f
--- /dev/null
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchUser.template
@@ -0,0 +1,127 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA
+
+ Copyright (C) 2008 Red Hat, Inc.
+ All rights reserved.
+ --- END COPYRIGHT BLOCK --- -->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+<meta HTTP-EQUIV="content-type" CONTENT="text/html; charset=UTF-8">
+<HEAD>
+<TITLE>TPS</Title>
+</HEAD>
+
+<table border="0" width="100%" cellspacing="0" cellpadding="6">
+ <tr bgcolor="#666699">
+ <td width=25%>
+ <table border="0" cellspacing="0" cellpadding="6">
+ <tr>
+ <td nowrap><font size="-1" face="PrimaSans BT, Verdana, sans-serif" color="white">Dogtag<b>&reg;<br>
+ Certificate<br>System</b></font> </td>
+ </tr>
+ </table>
+ </td>
+ <td align=right width=65% nowrap><font size="+1" face="PrimaSans BT, Verdana, sans-serif" color="white">TPS Services</font></td>
+ <td width="10%">&nbsp;</td>
+ </tr>
+</table>
+<p>
+
+<BODY>
+
+<CMS_TEMPLATE>
+
+<SCRIPT type="text/JavaScript">
+<!--
+var uri0 = "";
+if (typeof(uriBase) == "undefined") {
+ uri0 += "/tus";
+} else {
+ uri0 += uriBase;
+}
+
+document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri0+"\">Main Menu</a> : Administrator Operations : Search Users</font>\n");
+document.write("<table width=\"100%\"><tr><td align=\"right\">" +
+ "<b>UID:</b>" +
+ userid + "</td></tr></table>\n");
+document.write("<HR NOSHADE SIZE=1>\n");
+
+function doFind(form) {
+ var uri = "";
+ if (typeof(uriBase) == "undefined") {
+ uri += "/tus"
+ } else {
+ uri += uriBase;
+ }
+ uri += "?op=view_users";
+ uri += "&uid=" + form.uid.value;
+ uri += "&firstName=" + form.firstName.value;
+ uri += "&lastName=" + form.lastName.value;
+ uri += "&maxCount=" + form.maxCount.value;
+ location.href = uri;
+}
+//-->
+</SCRIPT>
+
+<FORM NAME ="findForm" ACTION="" METHOD=GET>
+<table BORDER=0 CELLSPACING=2 CELLPADDING=0 width=100%>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ User ID:
+ </font>
+ </td>
+ <td>
+ <input TYPE=TEXT NAME=uid SIZE=20>
+ </td>
+ </tr>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ First Name:
+ </font>
+ </td>
+ <td>
+ <input TYPE=TEXT NAME=firstName SIZE=20>
+ </td>
+ </tr>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ Last Name:
+ </font>
+ </td>
+ <td>
+ <input TYPE=TEXT NAME=lastName SIZE=20>
+ </td>
+ </tr>
+ <tr>
+ <td ALIGN=LEFT width=30%>
+ <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
+ Max Count:
+ </font>
+ </td>
+ <td>
+ <input TYPE=TEXT NAME=maxCount SIZE=4 value="20">
+ </td>
+ </tr>
+</table>
+<HR NOSHADE SIZE=1>
+<DIV ALIGN=RIGHT>
+<input TYPE=button VALUE=Find onClick="doFind(findForm);">
+</form>
+</BODY>
+</HTML>
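Review bot: doFind splices the raw text-field values into the query string, so a uid or name containing `&`, `#`, `+` or `%` breaks the request (`&` starts a new parameter, `#` truncates the URL) before the server sees it; wrap each value: `uri += "&uid=" + encodeURIComponent(form.uid.value);`, `uri += "&firstName=" + encodeURIComponent(form.firstName.value);`, `uri += "&lastName=" + encodeURIComponent(form.lastName.value);` (and maxCount likewise). Whatever LDAP filter or other lookup the server builds from these values is outside this file and still needs its own escaping; client-side encoding only keeps the URL intact. The `maxCount` field is also sent unvalidated, so a non-numeric entry is left for the handler to reject.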
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/searchUserResults.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchUserResults.template
new file mode 100644
index 000000000..da2d07266
--- /dev/null
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/searchUserResults.template
@@ -0,0 +1,151 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA
+
+ Copyright (C) 2008 Red Hat, Inc.
+ All rights reserved.
+ --- END COPYRIGHT BLOCK --- -->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+<meta HTTP-EQUIV="content-type" CONTENT="text/html; charset=UTF-8">
+<HEAD>
+<TITLE>TPS</Title>
+</HEAD>
+
+<table border="0" width="100%" cellspacing="0" cellpadding="6">
+ <tr bgcolor="#666699">
+ <td width=25%>
+ <table border="0" cellspacing="0" cellpadding="6">
+ <tr>
+ <td nowrap><font size="-1" face="PrimaSans BT, Verdana, sans-serif" color="white">Dogtag<b>&reg;<br>
+ Certificate<br>System</b></font> </td>
+ </tr>
+ </table>
+ </td>
+ <td align=right width=65% nowrap><font size="+1" face="PrimaSans BT, Verdana, sans-serif" color="white">TPS Services</font></td>
+ <td width="10%">&nbsp;</td>
+ </tr>
+</table>
+<p>
+
+<BODY>
+
+<CMS_TEMPLATE>
+
+<SCRIPT type="text/JavaScript">
+<!--
+function checkDate(str) {
+ var newString;
+
+ if (str.length == 15 && str.charAt(14) == 'Z') {
+ newString = str.substring(0, 4);
+ newString += '/';
+ newString += str.substring(4, 6);
+ newString += '/';
+ newString += str.substring(6, 8);
+ newString += ' ';
+ newString += str.substring(8, 10);
+ newString += ':';
+ newString += str.substring(10, 12);
+ newString += ':';
+ newString += str.substring(12, 14);
+ } else {
+ newString = str;
+ }
+
+ return newString;
+}
+
+var uri = "";
+if (typeof(uriBase) == "undefined") {
+ uri += "/tus";
+} else {
+ uri += uriBase;
+}
+
+document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri+"\">Main Menu</a> : Administrator Operations : Search Results</font>\n");
+document.write("<table width=\"100%\"><tr><td align=\"right\">" +
+ "<b>UID:</b>" +
+ userid + "</td></tr></table>\n");
+document.write("<HR NOSHADE SIZE=1>\n");
+
+uri += "?op=edit_user&uid=";
+
+if (typeof(results) == "undefined" || results.length == 0) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "User Not Found</font>\n");
+} else {
+ document.write("<BR>");
+ document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0 width=100%>\n");
+ document.write("<tr bgcolor=#e5e5e5>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "User ID</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Name</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Date Created</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Date Modified</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ for (var i = 0; i < results.length; i++) {
+ document.write("<tr>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "<a href=\""+uri+results[i].uid+"\">"+
+ results[i].uid+"</a></font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[i].cn+"</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ checkDate(results[i].createTimeStamp)+"</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ checkDate(results[i].modifyTimeStamp)+"</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+ }
+ document.write("</table>\n");
+ document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
+ if (typeof(results) != "undefined" && results.length > 0) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-2\">");
+ if (typeof(results) != "undefined" || results.length == 0) {
+ if (typeof(limited) != "undefined" && typeof(total) != "undefined") {
+ document.write("<br>" + limited + " of " + total + "\n");
+ } else if (typeof(total) != "undefined") {
+ document.write("<br>Total: " + total + "\n");
+ }
+ }
+ document.write("</font>");
+ }
+}
+
+//-->
+</SCRIPT>
+
+</BODY>
+</HTML>
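Review bot: The footer guard at the end of the else branch is redundant and its inner test is always true: the branch is only entered when `results` is defined and non-empty, so `if (typeof(results) != "undefined" && results.length > 0)` can never be false, and `if (typeof(results) != "undefined" || results.length == 0)` holds whenever results exists (the `||` reads as if `&&` was intended). Dropping both wrappers and keeping only the `limited`/`total` writes inside the `<font size="-2">` gives the same output with less to misread. Separately, `results[i].uid` is spliced into the `op=edit_user&uid=` link without encoding, so a uid containing `&`, `#` or `%` yields a broken link; `"<a href=\""+uri+encodeURIComponent(results[i].uid)+"\">"` fixes that.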
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/show.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/show.template
index dd5922f6f..8b9c3b71b 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/show.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/show.template
@@ -52,8 +52,13 @@ if (typeof(uriBase) == "undefined") {
uri0 += uriBase;
}
-document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri0+"\">Main Menu</a> : Operator Operations : Token Details</font>\n");
+} else {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
"<a href=\""+uri0+"\">Main Menu</a> : Agent Operations : Token Details</font>\n");
+}
document.write("<table width=\"100%\"><tr><td align=\"right\">" +
"<b>UID:</b>" +
userid + "</td></tr></table>\n");
@@ -225,6 +230,17 @@ if (typeof(results) == "undefined" || results.length == 0) {
document.write("</td>\n");
document.write("</tr>\n");
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Token Type:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].tokenType+"</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
document.write("</table>\n");
document.write("<p>\n");
document.write("<b>System Information:</b>");
@@ -281,19 +297,36 @@ if (typeof(results) == "undefined" || results.length == 0) {
document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0>\n");
document.write("<tr>\n");
document.write("<td width=60%>\n");
- document.write("<form method='get' action='tus'><select name=\"question\"><option value=\"1\">This token has been physically damaged.</option><option value=\"2\">This token has been permanently lost.</option><option value=\"3\">This token has been temporarily lost.</option><option value=\"4\">This temporarily lost token has been found.</option><option value=\"5\">This temporarily lost token cannot be found (becomes permanently lost).</option><option value=\"6\">This token has been terminated.</option></select><input type=hidden name=op value=do_confirm_token><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Go\"></form>");
+
+ if ((typeof(topLevel) == "undefined") || (topLevel != "operator")) {
+ document.write("<form method='get' action='tus'><select name=\"question\"><option value=\"1\">This token has been physically damaged.</option><option value=\"2\">This token has been permanently lost.</option><option value=\"3\">This token has been temporarily lost.</option><option value=\"4\">This temporarily lost token has been found.</option><option value=\"5\">This temporarily lost token cannot be found (becomes permanently lost).</option><option value=\"6\">This token has been terminated.</option></select><input type=hidden name=op value=do_confirm_token><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Go\"></form>");
+ }
document.write("</td>\n");
document.write("<td align=right width=10%>\n");
document.write("</td>\n");
+
document.write("<td align=right width=10%>\n");
- document.write("<form method='get' action='tus'><input type=hidden name=op value=edit><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Edit\"></form>");
+ if ((typeof(topLevel) == "undefined") || (topLevel != "operator")) {
+ document.write("<form method='get' action='tus'><input type=hidden name=op value=edit><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Edit\"></form>");
+ }
document.write("</td>\n");
+
document.write("<td align=right width=10%>\n");
- document.write("<form method='get' action='tus'><input type=hidden name=op value=view_certificate><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Show Certificates\"></form>");
+ if ((typeof(topLevel) == "undefined") || (topLevel != "operator")) {
+ document.write("<form method='get' action='tus'><input type=hidden name=op value=view_certificate><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Show Certificates\"></form>");
+ } else {
+ document.write("<form method='get' action='tus'><input type=hidden name=op value=view_certificate><input type=hidden name=top value=operator><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Show Certificates\"></form>");
+ }
document.write("</td>\n");
+
document.write("<td align=right width=10%>\n");
- document.write("<form method='get' action='tus'><input type=hidden name=op value=view_activity><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Show Activities\"></form>");
+ if ((typeof(topLevel) == "undefined") || (topLevel != "operator")) {
+ document.write("<form method='get' action='tus'><input type=hidden name=op value=view_activity><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Show Activities\"></form>");
+ } else {
+ document.write("<form method='get' action='tus'><input type=hidden name=op value=view_activity><input type=hidden name=top value=operator><input type=hidden name=tid value=" + results[0].cn + "><input TYPE=submit VALUE=\"Show Activities\"></form>");
+ }
document.write("</td>\n");
+
document.write("</tr>\n");
document.write("</table>\n");
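Review bot: The operator restriction in this hunk is purely presentational: the Edit and do_confirm_token forms are simply not written when `topLevel == "operator"`, but an operator can still request `tus?op=edit&tid=...` or `op=do_confirm_token` by hand, so the role check must also be enforced in the request handler; whether it is cannot be seen in this hunk. The same `(typeof(topLevel) == "undefined") || (topLevel != "operator")` test is evaluated four times here; computing it once, `var isOperator = (typeof(topLevel) != "undefined") && (topLevel == "operator");`, and branching on `isOperator` would make the gating easier to audit and keep the operator/agent pairs from drifting apart. The enclosing results-handling block starts before the hunk.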
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/showAdmin.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/showAdmin.template
index c4f182773..04a61b1a7 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/showAdmin.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/showAdmin.template
@@ -219,6 +219,16 @@ if (typeof(results) == "undefined" || results.length == 0) {
results[0].tokenPolicy+"</font>\n");
document.write("</td>\n");
document.write("</tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Token Type:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].tokenType+"</font>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
document.write("</table>\n");
document.write("<p>\n");
document.write("<b>System Information:</b>");
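Review bot: The Token Type row added here opens with `document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");` directly after the previous row's `</tr>`, with no `<tr>` of its own, yet it closes with `</tr>`; the equivalent row added to show.template in this commit begins with `document.write("<tr>\n");`. Add that line before the first `<td>` write so the two cells land in their own table row instead of relying on browser error recovery. The surrounding results block starts before the hunk.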
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/showCert.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/showCert.template
index a9c4822f0..33d3d50b9 100644
--- a/pki/dogtag/tps-ui/shared/docroot/tokendb/showCert.template
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/showCert.template
@@ -52,8 +52,13 @@ if (typeof(uriBase) == "undefined") {
uri0 += uriBase;
}
-document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri0+"\">Main Menu</a> : Operator Operations : Certificate Details</font>\n");
+} else {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
"<a href=\""+uri0+"\">Main Menu</a> : Agent Operations : Certificate Details</font>\n");
+}
document.write("<table width=\"100%\"><tr><td align=\"right\">" +
"<b>UID:</b>" +
userid + "</td></tr></table>\n");
@@ -203,8 +208,13 @@ if (typeof(results) == "undefined" || results.length == 0) {
"Token ID:&nbsp;</font>\n");
document.write("</td>\n");
document.write("<td>\n");
- document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\"tus?op=show&tid=" + results[0].tokenID + "\">"+
+ if ((typeof(topLevel) != "undefined") && (topLevel == "operator")) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\"tus?op=show&top=operator&tid=" + results[0].tokenID + "\">"+
results[0].tokenID+"</a></font>\n");
+ } else {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\"><a href=\"tus?op=show&tid=" + results[0].tokenID + "\">"+
+ results[0].tokenID+"</a></font>\n");
+ }
document.write("</td>\n");
document.write("</tr>\n");
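Review bot: The two branches added here are identical except for the `&top=operator` fragment, and both hardcode the relative `tus?op=show` base even though this file derives `uri0` from `uriBase` near the top of the script; writing the link once with the fragment computed up front avoids the duplication: `var topArg = ((typeof(topLevel) != "undefined") && (topLevel == "operator")) ? "&top=operator" : "";` followed by a single `document.write(... "<a href=\"tus?op=show" + topArg + "&tid=" + results[0].tokenID + "\">" ...)`. Whether the hardcoded `tus` path is intentional (the replaced line used it too) or should be `uri0` is worth confirming with whoever sets uriBase. The enclosing block starts and ends outside the hunk.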
diff --git a/pki/dogtag/tps-ui/shared/docroot/tokendb/userDelete.template b/pki/dogtag/tps-ui/shared/docroot/tokendb/userDelete.template
new file mode 100755
index 000000000..18c30f76f
--- /dev/null
+++ b/pki/dogtag/tps-ui/shared/docroot/tokendb/userDelete.template
@@ -0,0 +1,175 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ --- END COPYRIGHT BLOCK --- -->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+<meta HTTP-EQUIV="content-type" CONTENT="text/html; charset=UTF-8">
+<HEAD>
+<TITLE>TPS</Title>
+</HEAD>
+
+<table border="0" width="100%" cellspacing="0" cellpadding="6">
+ <tr bgcolor="#666699">
+ <td width=25%>
+ <table border="0" cellspacing="0" cellpadding="6">
+ <tr>
+ <td nowrap><font size="-1" face="PrimaSans BT, Verdana, sans-serif" color="white">Dogtag<b>&reg;<br>
+ Certificate<br>System</b></font> </td>
+ </tr>
+ </table>
+ </td>
+ <td align=right width=65% nowrap><font size="+1" face="PrimaSans BT, Verdana, sans-serif" color="white">TPS Services</font></td>
+ <td width="10%">&nbsp;</td>
+ </tr>
+</table>
+<p>
+
+<BODY>
+
+<CMS_TEMPLATE>
+
+<SCRIPT type="text/JavaScript">
+<!--
+var uri0 = "";
+if (typeof(uriBase) == "undefined") {
+ uri0 += "/tus";
+} else {
+ uri0 += uriBase;
+}
+
+document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"+1\">"+
+ "<a href=\""+uri0+"\">Main Menu</a> : Administrator Operations : Delete User</font>\n");
+document.write("<table width=\"100%\"><tr><td align=\"right\">" +
+ "<b>UID:</b>" +
+ userid + "</td></tr></table>\n");
+document.write("<HR NOSHADE SIZE=1>\n");
+
+function doDeleteUser(form) {
+ var uri = "";
+ if (typeof(uriBase) == "undefined") {
+ uri += "/tus";
+ } else {
+ uri += uriBase;
+ }
+ this.action = uri;
+ return true;
+}
+
+function doCancel() {
+ var uri = "";
+ if (typeof(uriBase) == "undefined") {
+ uri += "/tus";
+ } else {
+ uri += uriBase;
+ }
+ location.href = uri;
+}
+
+
+
+if (typeof(results) == "undefined" || results.length == 0) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "User Not Found</font>\n");
+} else if (results.length > 1) {
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Found too many users to edit</font>\n");
+} else {
+ document.write("<BR>");
+ document.write("<form NAME =\"deleteUserForm\" METHOD=POST onSubmit=\"return doDeleteUser(this);\">");
+ document.write("<input TYPE=HIDDEN NAME=query VALUE=\"op=do_delete_user\">");
+
+ document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0 width=100%>\n");
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "UserID:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ results[0].uid+"</font>\n");
+ document.write("<input TYPE=HIDDEN NAME=uid VALUE=\"" + results[0].uid + "\">");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "First Name:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write(results[0].cn.substring(0, results[0].cn.indexOf(" ")));
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Last Name:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write(results[0].sn);
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "Role:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td ><input type=checkbox name=opOperator value=Officers disabled=true " + operator + ">Operator</td>\n");
+ document.write("<td ><input type=checkbox name=opAgent value=Agents disabled=true " + agent + ">Agent</td>\n");
+ document.write("<td ><input type=checkbox name=opAdmin value=Administrators disabled=true " + admin + ">Administrator</td>\n");
+ document.write("</tr>\n");
+
+ document.write("<tr>\n");
+ document.write("<td ALIGN=LEFT width=30% bgcolor=#e5e5e5>\n");
+ document.write("<font face=\"PrimaSans BT, Verdana, sans-serif\" size=\"-1\">"+
+ "User Certificate:&nbsp;</font>\n");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<textarea name=userCert disabled=true cols=40 rows=10>\n");
+ document.write(results[0].userCertificate);
+ document.write("</textarea>\n");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+
+ document.write("</table>\n");
+ document.write("<BR>\n<HR NOSHADE SIZE=1>\n");
+
+ document.write("<DIV ALIGN=RIGHT>\n");
+ document.write("<table BORDER=0 CELLSPACING=2 CELLPADDING=0>\n");
+ document.write("<tr>\n");
+ document.write("<td>\n");
+ document.write("Are you sure?");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<input TYPE=button VALUE=Cancel onClick=\"doCancel();\">");
+ document.write("</td>\n");
+ document.write("<td>\n");
+ document.write("<input TYPE=submit VALUE=Delete>");
+ document.write("</td>\n");
+ document.write("</tr>\n");
+ document.write("</table>\n");
+ document.write("</form>");
+}
+
+//-->
+</SCRIPT>
+
+</BODY>
+</HTML>
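Review bot: In doDeleteUser the form is passed in as `form` but the body sets `this.action = uri;`; invoked as `return doDeleteUser(this)` from the onSubmit attribute, that is a plain function call, so `this` is the global object, the form's action is never set, and the POST goes to the current page URL rather than the `uriBase` path. The line should be `form.action = uri;` (addUser.template's doAdd uses `document.addUserForm.action = uri` for the same job). This is also a state-changing POST carrying only `op=do_delete_user` and `uid` with nothing that ties it to the administrator's session, so unless the handler checks an anti-CSRF token or equivalent (not visible here), a logged-in administrator can be made to delete a user via a cross-site form post. The First Name cell additionally assumes `cn` contains a space; when it does not, `indexOf` returns -1 and `substring(0, -1)` yields an empty string.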
diff --git a/pki/dogtag/tps/pki-tps.spec b/pki/dogtag/tps/pki-tps.spec
index 7ef000247..cd9c4714c 100644
--- a/pki/dogtag/tps/pki-tps.spec
+++ b/pki/dogtag/tps/pki-tps.spec
@@ -34,7 +34,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 15
+%define base_release 16
%define base_group System Environment/Daemons
%define base_vendor Red Hat, Inc.
%define base_license LGPLv2 with exceptions
@@ -308,6 +308,8 @@ fi
###############################################################################
%changelog
+* Tue Jan 27 2009 Ade Lee <alee@redhat.com> 1.0.0-16
+- Bugzilla Bug 479092 - TPS roles enhancements
* Tue Jan 27 2009 Ade Lee <alee@redhat.com> 1.0.0-15
- Bugzilla Bug 480679 - Integrate selinux into framework
* Thu Jan 23 2009 Jack Magne <jmagne@redhat.com> 1.0.0-14