diff options
Diffstat (limited to 'base/ra/lib/perl/PKI/Request')
-rw-r--r-- | base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm | 52 | ||||
-rw-r--r-- | base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm | 75 | ||||
-rw-r--r-- | base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm | 100 | ||||
-rw-r--r-- | base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm | 89 | ||||
-rw-r--r-- | base/ra/lib/perl/PKI/Request/Queue.pm | 387 |
5 files changed, 703 insertions, 0 deletions
diff --git a/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm b/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm new file mode 100644 index 000000000..671f2418d --- /dev/null +++ b/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm @@ -0,0 +1,52 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +####################################### +# This plugins assigns a request to a group. +####################################### +package PKI::Request::Plugin::AutoAssign; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Instantiate this plugin +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Processes plugin +####################################### +sub process { + my ($self, $cfg, $queue, $prefix, $req) = @_; + + my $assignTo = $cfg->get($prefix . ".assignTo"); + $queue->set_request($req->{'rowid'}, "assigned_to", $assignTo); +} + +1; diff --git a/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm b/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm new file mode 100644 index 000000000..b90096664 --- /dev/null +++ b/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm @@ -0,0 +1,75 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +####################################### +# This plugins creates a one time pin. +####################################### +package PKI::Request::Plugin::CreatePin; + +use DBI; +use PKI::Base::TimeTool; +use PKI::Base::PinStore; + +####################################### +# Instantiates this plugin +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Processes plugin +####################################### +sub process { + my ($self, $cfg, $queue, $prefix, $req) = @_; + + my $pin_store = PKI::Base::PinStore->new(); + $pin_store->open($cfg); + + + my $pin_format = $cfg->get($prefix . ".pinFormat"); + + my $client_id = ""; + my $site_id = ""; + + my $data = $req->{'data'}; + foreach $nv (split(/;/, $data)) { + my ($n, $v) = split(/=/, $nv); + $pin_format =~ s/\$$n/$v/g; + } + my $created_by = "admin"; + my $pin = $pin_store->create_pin($pin_format, $req->{'rowid'}, $created_by); + + # save pin to output + $output = "pin=" . $pin; + $queue->set_request_output($req->{'rowid'}, $output); + + $req->{'output'} = $output; + + $pin_store->close(); +} + +1; diff --git a/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm b/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm new file mode 100644 index 000000000..95274bfa7 --- /dev/null +++ b/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm @@ -0,0 +1,100 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +####################################### +# This plugins mails a notification +# to an email specified in the request. +####################################### +package PKI::Request::Plugin::EmailNotification; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Instantiate this plugin +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub substitute { + my ($self, $cfg, $queue, $prefix, $req, $line) = @_; + + my $mail_to = $cfg->get($prefix . ".mailTo"); + + # if mail_to starts with $, retrieve value from request + if ($mail_to =~ /^\$/) { + $mail_to =~ s/\$//g; + $mail_to = $req->{$mail_to}; + } + my $machineName = $cfg->get("service.machineName"); + my $securePort = $cfg->get("service.securePort"); + my $unsecurePort = $cfg->get("service.unsecurePort"); + my $nonClientAuthSecurePort = $cfg->get("service.non_clientauth_securePort"); + my $subject_dn = $req->{'subject_dn'}; + + $line =~ s/\$mail_to/$mail_to/g; + $line =~ s/\$request_id/$req->{'rowid'}/g; + $line =~ s/\$machineName/$machineName/g; + $line =~ s/\$securePort/$securePort/g; + $line =~ s/\$unsecurePort/$unsecurePort/g; + $line =~ s/\$subject_dn/$subject_dn/g; + $line =~ s/\$nonClientAuthSecurePort/$nonClientAuthSecurePort/g; + return $line; +} + +####################################### +# Processes plugin +####################################### +sub process { + my ($self, $cfg, $queue, $prefix, $req) = @_; + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $ref = $queue->read_request($req->{rowid}); + + my $req_err = $ref->{errorString}; + if ($req_err ne "0") { + return; + } + + my $mail_to = $cfg->get($prefix . ".mailTo"); + if ($mail_to eq "") { + return; + } + + my $template_dir = $cfg->get($prefix . ".templateDir"); + my $template_file = $cfg->get($prefix . ".templateFile"); + + open(SENDMAIL, "|/usr/sbin/sendmail -t"); + open(F,"$template_dir/$template_file"); + while (<F>) { + print SENDMAIL $self->substitute($cfg, $queue, $prefix, $ref, $_); + } + close(F); + close(SENDMAIL); +} + +1; diff --git a/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm b/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm new file mode 100644 index 000000000..1c5b7d6b2 --- /dev/null +++ b/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm @@ -0,0 +1,89 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +####################################### +# This plugins mails a notification +# to an email specified in the request. +####################################### +package PKI::Request::Plugin::RequestToCA; + +use DBI; +use PKI::Base::TimeTool; +use PKI::Conn::CA; + +####################################### +# Instantiate this plugin +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Processes plugin +####################################### +sub process { + my ($self, $cfg, $queue, $prefix, $req) = @_; + + my $ca = $cfg->get($prefix . ".ca"); + my $profile_id = $cfg->get($prefix . ".profileId"); + my $req_type = $cfg->get($prefix . ".reqType"); + + my $server_id = ""; + my $site_id = ""; + my $csr = ""; + my $csr_type = ""; + + my $data = $req->{'data'}; + foreach $nv (split(/;/, $data)) { + my ($n, $v) = split(/=/, $nv); + if ($n eq "server_id") { + $server_id = $v; + } + if ($n eq "site_id") { + $site_id = $v; + } + if ($n eq "csr") { + $csr = $v; + } + if ($n eq "csr_type") { + $csr_type = $v; + } + } + + if ($csr_type ne "") { + $req_type = $csr_type; + } + + my $ca_conn = PKI::Conn::CA->new(); + $ca_conn->open($cfg); + my $cert = $ca_conn->enroll($req->{'rowid'}, $ca, $profile_id, $req_type, $csr); + $queue->set_request($req->{'rowid'}, "output", $cert); + $req->{'output'} = $cert; + $ca_conn->close(); + +} + +1; diff --git a/base/ra/lib/perl/PKI/Request/Queue.pm b/base/ra/lib/perl/PKI/Request/Queue.pm new file mode 100644 index 000000000..dc8418d22 --- /dev/null +++ b/base/ra/lib/perl/PKI/Request/Queue.pm @@ -0,0 +1,387 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Request::Queue; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Constructs a request queue +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Opens request queue +####################################### +sub open { + my ($self, $cfg) = @_; + $self->{cfg} = $cfg; + my $dbfile = $cfg->get("database.dbfile"); + $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","",""); + my $timeout = $self->{dbh}->func("busy_timeout"); + $self->{dbh}->func($timeout * 10, "busy_timeout"); +} + +####################################### +# Creates a new request +####################################### +sub invoke_plugins { + my ($self, $prefix, $type, $ref) = @_; + + my $num_plugins = $self->{cfg}->get($prefix . ".num_plugins"); + for (my $i = 0; $i < $num_plugins; $i++) { + my $plugin = $self->{cfg}->get($prefix . "." . $i . ".plugin"); + eval("require $plugin"); + my $p = $plugin->new(); + $p->process($self->{cfg}, $self, $prefix . "." . $i, $ref); + } +} + +####################################### +# Creates a new request +####################################### +sub create_request { + my ($self, $type, $data, $meta_info, $created_by) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + my $insert = "insert into requests (" . + "type" . "," . + "status" . "," . + "errorString" . "," . + "ip" . "," . + "data" . "," . + "serialno" . "," . + "subject_dn" . "," . + "meta_info" . "," . + "created_by" . "," . + "updated_at" . "," . + "created_at" . + ") values (" . + $dbh->quote($type) . "," . + $dbh->quote("OPEN") . "," . + $dbh->quote("0") . "," . + $dbh->quote($ENV{REMOTE_ADDR}) . "," . + $dbh->quote($data) . "," . + $dbh->quote("unavailable") . "," . + $dbh->quote("unavailable") . "," . + $dbh->quote($meta_info) . "," . + $dbh->quote($created_by) . "," . + $dbh->quote($now) . "," . + $dbh->quote($now) . + ")"; +REDO_CREATE_REQUEST: + eval { + $dbh->do($insert); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_CREATE_REQUEST; + } + my $rid = $dbh->func('last_insert_rowid'); + + my $ref = $self->read_request($rid); + + # call plugins + my $prefix = "request." . $type . ".create_request"; + $self->invoke_plugins($prefix, $type, $ref); + + return $rid; +} + +####################################### +# Reads a request +####################################### +sub read_request { + my ($self, $reqid) = @_; + my $dbh = $self->{dbh}; + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +sub read_request_by_roles { + my ($self, $roles, $reqid) = @_; + my $dbh = $self->{dbh}; + + my $select; + if (grep /^administrators/, @$roles) { + # administrator see all requests + $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + } else { + my $filter = $self->get_role_filter($roles); + $select = "select *,rowid from requests where " . + "(" . $filter . ")" . " AND " . + "rowid=" . $dbh->quote($reqid); + } + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +####################################### +# Sets request attributes +####################################### +sub set_request { + my ($self, $reqid, $name, $value) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + my $update = "update requests set " . + $name . "=" . $dbh->quote($value) . "," . + "updated_at=" . $dbh->quote($now) . " " . + "where rowid=" . $dbh->quote($reqid); +REDO_SET_REQUEST: + eval { + $dbh->do($update); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_SET_REQUEST; + } + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + return $ref; +} + +####################################### +# Sets output +####################################### +sub set_request_output { + my ($self, $reqid, $output) = @_; + + return $self->set_request($reqid, "output", $output); +} + +####################################### +# Approves a request +####################################### +sub approve_request { + my ($self, $reqid, $processed_by) = @_; + my $dbh = $self->{dbh}; + + # XXX - check assigned_to + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + my $update = "update requests set " . + "processed_by=" . $dbh->quote($processed_by) . "," . + "status='APPROVED' " . "," . + "errorString='0' " . "," . + "updated_at=" . $dbh->quote($now) . " " . + "where rowid=" . $dbh->quote($reqid); +REDO_APPROVE_REQUEST: + eval { + $dbh->do($update); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_APPROVE_REQUEST; + } + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + # call plugins + my $prefix = "request." . $ref->{'type'} . ".approve_request"; + $self->invoke_plugins($prefix, $ref->{'type'}, $ref); + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + return $ref; +} + +####################################### +# Rejects a request +####################################### +sub reject_request { + my ($self, $reqid, $processed_by) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + my $update = "update requests set " . + "processed_by=" . $dbh->quote($processed_by) . "," . + "status='REJECTED' " . "," . + "updated_at=" . $dbh->quote($now) . " " . + "where rowid=" . $dbh->quote($reqid); +REDO_REJECT_REQUEST: + eval { + $dbh->do($update); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_REJECT_REQUEST; + } + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + # call plugins + my $prefix = "request." . $ref->{'type'} . ".reject_request"; + $self->invoke_plugins($prefix, $ref->{'type'}, $ref); + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + return $ref; +} + +sub get_role_filter { + my ($self, $roles) = @_; + my $dbh = $self->{dbh}; + + my $filter = ""; + foreach $rr (@$roles) { + if ($filter eq "") { + $filter = "assigned_to=" . $dbh->quote($rr); + } else { + $filter = $filter . " OR " . "assigned_to=" . $dbh->quote($rr); + } + } + return $filter; +} + +####################################### +# Lists requests +####################################### +sub list_requests { + my ($self, $startpos, $maxcount) = @_; + my $dbh = $self->{dbh}; + my $select = "select *,rowid from requests " . + "order by rowid desc " . + "limit $startpos, $maxcount"; + my $sth = $dbh->prepare($select); + $sth->execute(); + my @reqs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@reqs, $ref); + } + $sth->finish(); + return @reqs; +} + +sub count_requests_by_roles { + my ($self, $roles, $status) = @_; + my $dbh = $self->{dbh}; + + my $select; + + if (grep /^administrators$/, @$roles) { + # administrator sees everything + $select = "select count(*) from requests where " . + "status like '$status%' "; + } else { + # shows requests that are owned by the groups + my $filter = $self->get_role_filter($roles); + $select = "select count(*) from requests where " . + "status like '$status%' AND " . + "(" . $filter . ") "; + } + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref->{'count(*)'}; +} + +sub list_requests_by_roles { + my ($self, $roles, $status, $startpos, $maxcount) = @_; + my $dbh = $self->{dbh}; + + my $select; + +# if ($roles =~ /administrators/) { + if (grep /^administrators$/, @$roles) { + # administrator sees everything + $select = "select *,rowid from requests where " . + "status like '$status%' " . + "order by rowid desc " . + "limit $startpos, $maxcount"; + } else { + # shows requests that are owned by the groups + my $filter = $self->get_role_filter($roles); + $select = "select *,rowid from requests where " . + "status like '$status%' AND " . + "(" . $filter . ") " . + "order by rowid desc " . + "limit $startpos, $maxcount"; + } + my $sth = $dbh->prepare($select); + $sth->execute(); + my @reqs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@reqs, $ref); + } + $sth->finish(); + return @reqs; +} + +####################################### +# Closes request queue +####################################### +sub close { + my ($self) = @_; + my $dbh = $self->{dbh}; + $dbh->disconnect(); +} + +1; |