Diffstat (limited to 'base/ra')
111 files changed, 17651 insertions, 0 deletions
diff --git a/base/ra/CMakeLists.txt b/base/ra/CMakeLists.txt
new file mode 100644
index 000000000..59910fe95
--- /dev/null
+++ b/base/ra/CMakeLists.txt
@@ -0,0 +1,76 @@
+project(ra)
+
+add_subdirectory(doc)
+add_subdirectory(setup)
+
+# install init script
+install(
+ FILES
+ etc/init.d/pki-rad
+ DESTINATION
+ ${SYSCONF_INSTALL_DIR}/rc.d/init.d
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ DIRECTORY
+ apache/conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
+
+install(
+ DIRECTORY
+ emails/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
+
+install(
+ DIRECTORY
+ forms/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
+)
+
+install(
+ DIRECTORY
+ lib/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
+)
+
+install(
+ FILES
+ scripts/nss_pcache
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
+ scripts/schema.sql
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+)
+
+# install empty directories
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/lock/pki/ra
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/run/pki/ra
+)
+
diff --git a/base/ra/LICENSE b/base/ra/LICENSE
new file mode 100644
index 000000000..e281f4362
--- /dev/null
+++ b/base/ra/LICENSE
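Review bot: The `install(DIRECTORY …)` calls for `apache/conf/`, `emails/`, `forms/` and `lib/` copy the source trees verbatim with neither a `PATTERN … EXCLUDE` filter nor `FILE_PERMISSIONS`, so whatever sits in the checkout (editor backups, VCS metadata) is installed as-is, and `forms/` lands in the `docroot` that the httpd.conf added by this same commit serves with `Options Indexes ExecCGI FollowSymLinks` (assuming `[SERVER_ROOT]/docroot` resolves to this install path). Add an exclusion and an explicit mode to each call, e.g. `PATTERN ".svn" EXCLUDE PATTERN "*~" EXCLUDE` followed by `FILE_PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ`, so only intended files are web-reachable and none are writable by the service user. The two empty runtime directories `lock/pki/ra` and `run/pki/ra` likewise get CMake's default directory mode; since `install()` cannot set ownership and httpd.conf runs the server as `[PKI_USER]`, a `DIRECTORY_PERMISSIONS` clause plus a comment such as `# ownership of the runtime dirs is set by packaging/the init script, not here` would make that dependency explicit.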
@@ -0,0 +1,291 @@ +This Program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published +by the Free Software Foundation; version 2 of the License. + +This Program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with this Program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. 
+ + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. 
The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. 
+ + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. 
+ +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. 
However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. 
+You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. diff --git a/base/ra/apache/conf/httpd.conf b/base/ra/apache/conf/httpd.conf new file mode 100644 index 000000000..9f81b646d --- /dev/null +++ b/base/ra/apache/conf/httpd.conf 
@@ -0,0 +1,1074 @@ +# +# Based upon the NCSA server configuration files originally by Rob McCool. +# +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See <URL:http://httpd.apache.org/docs-2.0/> for detailed information about +# the directives. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# The configuration directives are grouped into three basic sections: +# 1. Directives that control the operation of the Apache server process as a +# whole (the 'global environment'). +# 2. Directives that define the parameters of the 'main' or 'default' server, +# which responds to requests that aren't handled by a virtual host. +# These directives also provide default values for the settings +# of all virtual hosts. +# 3. Settings for virtual hosts, which allow Web requests to be sent to +# different IP addresses or hostnames and have them handled by the +# same Apache server process. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "logs/foo.log" +# with ServerRoot set to "/export/apache" will be interpreted by the +# server as "/export/apache/logs/foo.log". +# + +### Section 1: Global Environment +# +# The directives in this section affect the overall operation of Apache, +# such as the number of concurrent requests it can handle or where it +# can find its configuration files. +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! 
If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the LockFile documentation (available +# at <URL:http://httpd.apache.org/docs-2.0/mod/mpm_common.html#lockfile>); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +ServerRoot "[SERVER_ROOT]" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +<IfModule !mpm_winnt.c> +<IfModule !mpm_netware.c> +#LockFile logs/accept.lock +</IfModule> +</IfModule> + +# +# ScoreBoardFile: File used to store internal server process information. +# If unspecified (the default), the scoreboard will be stored in an +# anonymous shared memory segment, and will be unavailable to third-party +# applications. +# If specified, ensure that no two invocations of Apache share the same +# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK. +# +<IfModule !mpm_netware.c> +<IfModule !perchild.c> +#ScoreBoardFile logs/apache_runtime_status +</IfModule> +</IfModule> + + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# +<IfModule !mpm_netware.c> +PidFile run/[PKI_INSTANCE_ID].pid +</IfModule> + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 15 + +## +## Server-Pool Size Regulation (MPM specific) +## + +# prefork MPM +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxClients: maximum number of server processes allowed to start +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule prefork.c> +StartServers 5 +MinSpareServers 5 +MaxSpareServers 10 +MaxClients 150 +MaxRequestsPerChild 0 +</IfModule> + +# worker MPM +# StartServers: initial number of server processes to start +# MaxClients: maximum number of simultaneous client connections +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule worker.c> +ServerLimit 1 +StartServers 1 +MaxClients 64 +MinSpareThreads 1 +MaxSpareThreads 75 +ThreadsPerChild 64 +MaxRequestsPerChild 0 +</IfModule> + +# perchild MPM +# NumServers: constant number of server processes +# StartThreads: initial number of worker threads in each server process +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# MaxThreadsPerChild: maximum number of worker threads in each server process +# MaxRequestsPerChild: maximum number of connections per server process +<IfModule perchild.c> +NumServers 5 +StartThreads 5 +MinSpareThreads 5 +MaxSpareThreads 10 +MaxThreadsPerChild 20 +MaxRequestsPerChild 0 +</IfModule> + +# WinNT MPM +# ThreadsPerChild: constant number of worker threads in the server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_winnt.c> +ThreadsPerChild 250 
+MaxRequestsPerChild 0 +</IfModule> + +# BeOS MPM +# StartThreads: how many threads do we initially spawn? +# MaxClients: max number of threads we can have (1 thread == 1 client) +# MaxRequestsPerThread: maximum number of requests each thread will process +<IfModule beos.c> +StartThreads 10 +MaxClients 50 +MaxRequestsPerThread 10000 +</IfModule> + +# NetWare MPM +# ThreadStackSize: Stack size allocated for each worker thread +# StartThreads: Number of worker threads launched at server startup +# MinSpareThreads: Minimum number of idle threads, to handle request spikes +# MaxSpareThreads: Maximum number of idle threads +# MaxThreads: Maximum number of worker threads alive at the same time +# MaxRequestsPerChild: Maximum number of requests a thread serves. It is +# recommended that the default value of 0 be set for this +# directive on NetWare. This will allow the thread to +# continue to service requests indefinitely. +<IfModule mpm_netware.c> +ThreadStackSize 65536 +StartThreads 250 +MinSpareThreads 25 +MaxSpareThreads 250 +MaxThreads 1000 +MaxRequestsPerChild 0 +MaxMemFree 100 +</IfModule> + +# OS/2 MPM +# StartServers: Number of server processes to maintain +# MinSpareThreads: Minimum number of idle threads per process, +# to handle request spikes +# MaxSpareThreads: Maximum number of idle threads per process +# MaxRequestsPerChild: Maximum number of connections per server process +<IfModule mpmt_os2.c> +StartServers 2 +MinSpareThreads 5 +MaxSpareThreads 10 +MaxRequestsPerChild 0 +</IfModule> + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the <VirtualHost> +# directive. 
+# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses (0.0.0.0) +# +#Listen 12.34.56.78:80 + +Listen [PORT] + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# + +# Required modules for command 'Order': +[FORTITUDE_AUTH_MODULES] +# Required module for command 'UserDir': +LoadModule userdir_module [FORTITUDE_LIB_DIR]/modules/mod_userdir.so +# Required module for command 'DirectoryIndex': +LoadModule dir_module [FORTITUDE_LIB_DIR]/modules/mod_dir.so +# Required module for command 'TypesConfig': +LoadModule mime_module [FORTITUDE_LIB_DIR]/modules/mod_mime.so +# Required module for command 'LogFormat': +LoadModule log_config_module [FORTITUDE_LIB_DIR]/modules/mod_log_config.so +# Required module for command 'Alias': +LoadModule alias_module [FORTITUDE_LIB_DIR]/modules/mod_alias.so +# Required module for command 'SetEnvIf': +LoadModule setenvif_module [FORTITUDE_LIB_DIR]/modules/mod_setenvif.so +# Required module for command 'IndexOptions': +LoadModule autoindex_module [FORTITUDE_LIB_DIR]/modules/mod_autoindex.so +# Required module for command 'LanguagePriority': +LoadModule negotiation_module [FORTITUDE_LIB_DIR]/modules/mod_negotiation.so +# Required module for command 'CGI Scripts': +LoadModule cgi_module [FORTITUDE_LIB_DIR]/modules/mod_cgi.so +# Required module for commands in nss.conf: +[FORTITUDE_NSS_MODULES] + +<Location /nk_service> + SetHandler nk_service +</Location> + +<Location /tus> + SetHandler tus +</Location> + +# +# Load config files from the config directory "/etc/[PKI_INSTANCE_ID]/conf.d". 
+# +#Include conf.d/*.conf +Include [SERVER_ROOT]/conf/perl.conf + +# +# ExtendedStatus controls whether Apache will generate "full" status +# information (ExtendedStatus On) or just basic information (ExtendedStatus +# Off) when the "server-status" handler is called. The default is Off. +# +#ExtendedStatus On + +### Section 2: 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# <VirtualHost> definition. These values also provide defaults for +# any <VirtualHost> containers you may define later in the file. +# +# All of these directives may appear inside <VirtualHost> containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +<IfModule !mpm_winnt.c> +<IfModule !mpm_netware.c> +# +# If you wish [PKI_INSTANCE_ID] to run as a different user or group, you must run +# [PKI_INSTANCE_ID] as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run [PKI_INSTANCE_ID] as. +# . On SCO (ODT 3) use "User nouser" and "Group nogroup". +# . On HPUX you may not be able to use shared memory as nobody, and the +# suggested workaround is to create a user www and use that user. +# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) +# when the value of (unsigned)Group is above 60000; +# don't use Group #-1 on these systems! +# +User [PKI_USER] +Group [PKI_GROUP] +#Group #-1 +</IfModule> +</IfModule> + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin you@example.com + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. 
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work. See also the UseCanonicalName directive.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address anyway, and this will make
+# redirections work in a sensible way.
+#
+#ServerName www.example.com:80
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "[SERVER_ROOT]/docroot"
+
+#
+# Each directory to which Apache has access can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories).
+#
+# First, we configure the "default" to be a very restrictive set of
+# features.
+#
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# This should be changed to whatever you set DocumentRoot to.
+#
+<Directory "[SERVER_ROOT]/docroot">
+
+#
+# Possible values for the Options directive are "None", "All",
+# or any combination of:
+# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+# The Options directive is both complicated and important. Please see
+# http://httpd.apache.org/docs-2.0/mod/core.html#options
+# for more information.
+#
+ Options Indexes ExecCGI FollowSymLinks
+
+#
+# AllowOverride controls what directives may be placed in .htaccess files.
+# It can be "All", "None", or any combination of the keywords:
+# Options FileInfo AuthConfig Limit
+#
+ AllowOverride None
+
+#
+# Controls who can get stuff from this server.
+#
+ Order allow,deny
+ Allow from all
+
+</Directory>
+
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+#
+UserDir public_html
+
+#
+# Control access to UserDir directories. The following is an example
+# for a site where these directories are restricted to read-only.
+#
+#<Directory /home/*/public_html>
+# AllowOverride FileInfo AuthConfig Limit Indexes
+# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+# <Limit GET POST OPTIONS PROPFIND>
+# Order allow,deny
+# Allow from all
+# </Limit>
+# <LimitExcept GET POST OPTIONS PROPFIND>
+# Order deny,allow
+# Deny from all
+# </LimitExcept>
+#</Directory>
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Option can be used for the
+# same purpose, but it is much slower.
+#
+DirectoryIndex index.html index.html.var index.cgi
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<Files ~ "^\.ht">
+ Order allow,deny
+ Deny from all
+</Files>
+
+#
+# TypesConfig describes where the mime.types file (or equivalent) is
+# to be found.
+#
+TypesConfig conf/mime.types
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+DefaultType text/plain
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+<IfModule mod_mime_magic.c>
+ MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+#
+# EnableMMAP: Control whether memory-mapping is used to deliver
+# files (assuming that the underlying OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. On some systems, turning it off (regardless of
+# filesystem) can improve performance; for details, please see
+# http://httpd.apache.org/docs-2.0/mod/core.html#enablemmap
+#
+#EnableMMAP off
+
+#
+# EnableSendfile: Control whether the sendfile kernel support is
+# used to deliver files (assuming that the OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. Please see
+# http://httpd.apache.org/docs-2.0/mod/core.html#enablesendfile
+#
+#EnableSendfile off
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog logs/error_log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+#LogLevel warn
+LogLevel debug
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+#
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+# You need to enable mod_logio.c to use %I and %O
+#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+#
+# The location and format of the access logfile (Common Logfile Format).
+# If you do not define any access logfiles within a <VirtualHost>
+# container, they will be logged here. Contrariwise, if you *do*
+# define per-<VirtualHost> access logfiles, transactions will be
+# logged therein and *not* in this file.
+#
+CustomLog logs/access_log common
+
+#
+# If you would like to have agent and referer logfiles, uncomment the
+# following directives.
+#
+#CustomLog logs/referer_log referer
+#CustomLog logs/agent_log agent
+
+#
+# If you prefer a single logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+#CustomLog logs/access_log combined
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+ServerSignature Off
+
+#
+# Aliases: Add here as many aliases as you need (with no limit). The format is
+# Alias fakename realname
+#
+# Note that if you include a trailing / on fakename then the server will
+# require it to be present in the URL. So "/icons" isn't aliased in this
+# example, only "/icons/". If the fakename is slash-terminated, then the
+# realname must also be slash terminated, and if the fakename omits the
+# trailing slash, the realname must also omit it.
+#
+# We include the /icons/ alias for FancyIndexed directory listings. If you
+# do not use FancyIndexing, you may comment this out.
+#
+Alias /icons/ "[SERVER_ROOT]/icons/"
+
+<Directory "[SERVER_ROOT]/icons">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# This should be changed to the ServerRoot/manual/. The alias provides
+# the manual, even if you choose to move your DocumentRoot. You may comment
+# this out if you do not care for the documentation.
+#
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "[SERVER_ROOT]/manual$1"
+
+<Directory "[SERVER_ROOT]/manual">
+ Options Indexes
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+
+ <Files *.html>
+ SetHandler type-map
+ </Files>
+
+ SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|ru)/ prefer-language=$1
+ RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|ru)){2,}(/.*)?$ /manual/$1$2
+</Directory>
+
+#
+# ScriptAlias: This controls which directories contain server scripts.
+# ScriptAliases are essentially the same as Aliases, except that
+# documents in the realname directory are treated as applications and
+# run by the server when requested rather than as documents sent to the client.
+# The same rules about trailing "/" apply to ScriptAlias directives as to
+# Alias.
+#
+ScriptAlias /cgi-bin/ "[SERVER_ROOT]/cgi-bin/"
+
+<IfModule mod_cgid.c>
+#
+# Additional to mod_cgid.c settings, mod_cgid has Scriptsock <path>
+# for setting UNIX socket for communicating with cgid.
+#
+#Scriptsock logs/cgisock
+</IfModule>
+
+#
+# "[SERVER_ROOT]/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "[SERVER_ROOT]/cgi-bin">
+ AllowOverride None
+ Options ExecCGI
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# Redirect allows you to tell clients about documents which used to exist in
+# your server's namespace, but do not anymore. This allows you to tell the
+# clients where to look for the relocated document.
+# Example:
+# Redirect permanent /foo http://www.example.com/bar
+
+#
+# Directives controlling the display of server-generated directory listings.
+#
+
+#
+# IndexOptions: Controls the appearance of server-generated directory
+# listings.
+#
+IndexOptions FancyIndexing VersionSort
+
+#
+# AddIcon* directives tell the server which icon to show for different
+# files or filename extensions. These are only displayed for
+# FancyIndexed directories.
+#
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif core
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+#
+# DefaultIcon is which icon to show for files which do not have an icon
+# explicitly set.
+#
+DefaultIcon /icons/unknown.gif
+
+#
+# AddDescription allows you to place a short description after a file in
+# server-generated indexes. These are only displayed for FancyIndexed
+# directories.
+# Format: AddDescription "description" filename
+#
+#AddDescription "GZIP compressed document" .gz
+#AddDescription "tar archive" .tar
+#AddDescription "GZIP compressed tar archive" .tgz
+
+#
+# ReadmeName is the name of the README file the server will look for by
+# default, and append to directory listings.
+#
+# HeaderName is the name of a file which should be prepended to
+# directory indexes.
+ReadmeName README.html
+HeaderName HEADER.html
+
+#
+# IndexIgnore is a set of filenames which directory indexing should ignore
+# and not include in the listing. Shell-style wildcarding is permitted.
+#
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+
+#
+# DefaultLanguage and AddLanguage allows you to specify the language of
+# a document. You can then use content negotiation to give a browser a
+# file in a language the user can understand.
+#
+# Specify a default language. This means that all data
+# going out without a specific language tag (see below) will
+# be marked with this one. You probably do NOT want to set
+# this unless you are sure it is correct for all cases.
+#
+# * It is generally better to not mark a page as
+# * being a certain language than marking it with the wrong
+# * language!
+#
+# DefaultLanguage nl
+#
+# Note 1: The suffix does not have to be the same as the language
+# keyword --- those with documents in Polish (whose net-standard
+# language code is pl) may wish to use "AddLanguage pl .po" to
+# avoid the ambiguity with the common suffix for perl scripts.
+#
+# Note 2: The example entries below illustrate that in some cases
+# the two character 'Language' abbreviation is not identical to
+# the two character 'Country' code for its country,
+# E.g. 'Danmark/dk' versus 'Danish/da'.
+#
+# Note 3: In the case of 'ltz' we violate the RFC by using a three char
+# specifier. There is 'work in progress' to fix this and get
+# the reference data for rfc1766 cleaned up.
+#
+# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+# Norwegian (no) - Polish (pl) - Portugese (pt)
+# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+#
+AddLanguage ca .ca
+AddLanguage cs .cz .cs
+AddLanguage da .dk
+AddLanguage de .de
+AddLanguage el .el
+AddLanguage en .en
+AddLanguage eo .eo
+AddLanguage es .es
+AddLanguage et .et
+AddLanguage fr .fr
+AddLanguage he .he
+AddLanguage hr .hr
+AddLanguage it .it
+AddLanguage ja .ja
+AddLanguage ko .ko
+AddLanguage ltz .ltz
+AddLanguage nl .nl
+AddLanguage nn .nn
+AddLanguage no .no
+AddLanguage pl .po
+AddLanguage pt .pt
+AddLanguage pt-BR .pt-br
+AddLanguage ru .ru
+AddLanguage sv .sv
+AddLanguage zh-CN .zh-cn
+AddLanguage zh-TW .zh-tw
+
+#
+# LanguagePriority allows you to give precedence to some languages
+# in case of a tie during content negotiation.
+#
+# Just list the languages in decreasing order of preference. We have
+# more or less alphabetized them here. You probably want to change this.
+#
+LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
+
+#
+# ForceLanguagePriority allows you to serve a result page rather than
+# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
+# [in case no accepted languages matched the available variants]
+#
+ForceLanguagePriority Prefer Fallback
+
+#
+# Commonly used filename extensions to character sets. You probably
+# want to avoid clashes with the language extensions, unless you
+# are good at carefully testing your setup after each change.
+# See http://www.iana.org/assignments/character-sets for the
+# official list of charset names and their respective RFCs.
+#
+AddCharset ISO-8859-1 .iso8859-1 .latin1
+AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
+AddCharset ISO-8859-3 .iso8859-3 .latin3
+AddCharset ISO-8859-4 .iso8859-4 .latin4
+AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
+AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
+AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
+AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
+AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
+AddCharset ISO-2022-JP .iso2022-jp .jis
+AddCharset ISO-2022-KR .iso2022-kr .kis
+AddCharset ISO-2022-CN .iso2022-cn .cis
+AddCharset Big5 .Big5 .big5
+# For russian, more than one charset is used (depends on client, mostly):
+AddCharset WINDOWS-1251 .cp-1251 .win-1251
+AddCharset CP866 .cp866
+AddCharset KOI8-r .koi8-r .koi8-ru
+AddCharset KOI8-ru .koi8-uk .ua
+AddCharset ISO-10646-UCS-2 .ucs2
+AddCharset ISO-10646-UCS-4 .ucs4
+AddCharset UTF-8 .utf8
+
+# The set below does not map to a specific (iso) standard
+# but works on a fairly wide range of browsers. Note that
+# capitalization actually matters (it should not, but it
+# does for some browsers).
+#
+# See http://www.iana.org/assignments/character-sets
+# for a list of sorts. But browsers support few.
+#
+AddCharset GB2312 .gb2312 .gb
+AddCharset utf-7 .utf7
+AddCharset utf-8 .utf8
+AddCharset big5 .big5 .b5
+AddCharset EUC-TW .euc-tw
+AddCharset EUC-JP .euc-jp
+AddCharset EUC-KR .euc-kr
+AddCharset shift_jis .sjis
+
+#
+# AddType allows you to add to or override the MIME configuration
+# file mime.types for specific file types.
+#
+#AddType application/x-tar .tgz
+#
+# AddEncoding allows you to have certain browsers uncompress
+# information on the fly. Note: Not all browsers support this.
+# Despite the name similarity, the following Add* directives have nothing
+# to do with the FancyIndexing customization directives above.
+#
+#AddEncoding x-compress .Z
+#AddEncoding x-gzip .gz .tgz
+#
+# If the AddEncoding directives above are commented-out, then you
+# probably should define those extensions to indicate media types:
+#
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+#
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
+#
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#
+AddHandler cgi-script .cgi
+
+#
+# For files that include their own HTTP headers:
+#
+#AddHandler send-as-is asis
+
+#
+# For server-parsed imagemap files:
+#
+#AddHandler imap-file map
+
+#
+# For type maps (negotiated resources):
+# (This is enabled by default to allow the Apache "It Worked" page
+# to be distributed in multiple languages.)
+#
+AddHandler type-map var
+
+#
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#
+#AddType text/html .shtml
+#AddOutputFilter INCLUDES .shtml
+
+#
+# Action lets you define media types that will execute a script whenever
+# a matching file is called. This eliminates the need for repeated URL
+# pathnames for oft-used CGI file processors.
+# Format: Action media/type /cgi-script/location
+# Format: Action handler-name /cgi-script/location
+#
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# Putting this all together, we can internationalize error responses.
+#
+# We use Alias to redirect any /error/HTTP_<error>.html.var response to
+# our collection of by-error message multi-language collections. We use
+# includes to substitute the appropriate text.
+#
+# You can modify the messages' appearance without changing any of the
+# default HTTP_<error>.html.var files by adding the line:
+#
+# Alias /error/include/ "/your/include/path/"
+#
+# which allows you to create your own set of files by starting with the
+# /export/apache/error/include/ files and copying them to /your/include/path/,
+# even on a per-VirtualHost basis. The default include files will display
+# your Apache version number and your ServerAdmin email address regardless
+# of the setting of ServerSignature.
+#
+# The internationalized error documents require mod_alias, mod_include
+# and mod_negotiation. To activate them, uncomment the following 30 lines.
+
+# Alias /error/ "/export/apache/error/"
+#
+# <Directory "/export/apache/error">
+# AllowOverride None
+# Options IncludesNoExec
+# AddOutputFilter Includes html
+# AddHandler type-map var
+# Order allow,deny
+# Allow from all
+# LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
+# ForceLanguagePriority Prefer Fallback
+# </Directory>
+#
+# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+# ErrorDocument 410 /error/HTTP_GONE.html.var
+# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+#[ErrorDocument_404]
+#[ErrorDocument_500]
+
+
+#
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
+#
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+
+#
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash. This fixes a
+# problem with Microsoft WebFolders which does not appropriately handle
+# redirects for folders with DAV methods.
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+#
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+BrowserMatch "^gnome-vfs" redirect-carefully
+
+#
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+# Change the ".example.com" to match your domain to enable.
+#
+#<Location /server-status>
+# SetHandler server-status
+# Order deny,allow
+# Deny from all
+# Allow from .example.com
+#</Location>
+
+#
+# Allow remote server configuration reports, with the URL of
+# http://servername/server-info (requires that mod_info.c be loaded).
+# Change the ".example.com" to match your domain to enable.
+#
+#<Location /server-info>
+# SetHandler server-info
+# Order deny,allow
+# Deny from all
+# Allow from .example.com
+#</Location>
+
+
+#
+# Bring in additional module-specific configurations
+#
+#<IfModule mod_ssl.c>
+# Include conf/ssl.conf
+#</IfModule>
+Include [SERVER_ROOT]/conf/nss.conf
+
+### Section 3: Virtual Hosts
+#
+# VirtualHost: If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them. Most configurations
+# use only name-based virtual hosts so the server doesn't need to worry about
+# IP addresses. This is indicated by the asterisks in the directives below.
+#
+# Please see the documentation at
+# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
+# for further details before you try to setup virtual hosts.
+#
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+
+#
+# Use name-based virtual hosting.
+#
+#NameVirtualHost *:80
+
+#
+# VirtualHost example:
+# Almost any Apache directive may go into a VirtualHost container.
+# The first VirtualHost section is used for requests without a known
+# server name.
+#
+#<VirtualHost *:80>
+# ServerAdmin webmaster@dummy-host.example.com
+# DocumentRoot /www/docs/dummy-host.example.com
+# ServerName dummy-host.example.com
+# ErrorLog logs/dummy-host.example.com-error_log
+# CustomLog logs/dummy-host.example.com-access_log common
+#</VirtualHost>
diff --git a/base/ra/apache/conf/magic b/base/ra/apache/conf/magic
new file mode 100644
index 000000000..0de73361f
--- /dev/null
+++ b/base/ra/apache/conf/magic
@@ -0,0 +1,382 @@
+# Magic data for mod_mime_magic Apache module (originally for file(1) command)
+# The module is described in /manual/mod/mod_mime_magic.html
+#
+# The format is 4-5 columns:
+# Column #1: byte number to begin checking from, ">" indicates continuation
+# Column #2: type of data to match
+# Column #3: contents of data to match
+# Column #4: MIME type of result
+# Column #5: MIME encoding of result (optional)
+
+#------------------------------------------------------------------------------
+# Localstuff: file(1) magic for locally observed files
+# Add any locally observed files here.
+
+#------------------------------------------------------------------------------
+# end local stuff
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+# Java
+
+0 short 0xcafe
+>2 short 0xbabe application/java
+
+#------------------------------------------------------------------------------
+# audio: file(1) magic for sound formats
+#
+# from Jan Nicolai Langfeldt <janl@ifi.uio.no>,
+#
+
+# Sun/NeXT audio data
+0 string .snd
+>12 belong 1 audio/basic
+>12 belong 2 audio/basic
+>12 belong 3 audio/basic
+>12 belong 4 audio/basic
+>12 belong 5 audio/basic
+>12 belong 6 audio/basic
+>12 belong 7 audio/basic
+
+>12 belong 23 audio/x-adpcm
+
+# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format
+# that uses little-endian encoding and has a different magic number
+# (0x0064732E in little-endian encoding).
+0 lelong 0x0064732E
+>12 lelong 1 audio/x-dec-basic
+>12 lelong 2 audio/x-dec-basic
+>12 lelong 3 audio/x-dec-basic
+>12 lelong 4 audio/x-dec-basic
+>12 lelong 5 audio/x-dec-basic
+>12 lelong 6 audio/x-dec-basic
+>12 lelong 7 audio/x-dec-basic
+# compressed (G.721 ADPCM)
+>12 lelong 23 audio/x-dec-adpcm
+
+# Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM"
+# AIFF audio data
+8 string AIFF audio/x-aiff
+# AIFF-C audio data
+8 string AIFC audio/x-aiff
+# IFF/8SVX audio data
+8 string 8SVX audio/x-aiff
+
+# Creative Labs AUDIO stuff
+# Standard MIDI data
+0 string MThd audio/unknown
+#>9 byte >0 (format %d)
+#>11 byte >1 using %d channels
+# Creative Music (CMF) data
+0 string CTMF audio/unknown
+# SoundBlaster instrument data
+0 string SBI audio/unknown
+# Creative Labs voice data
+0 string Creative\ Voice\ File audio/unknown
+## is this next line right? it came this way...
+#>19 byte 0x1A
+#>23 byte >0 - version %d
+#>22 byte >0 \b.%d
+
+# [GRR 950115: is this also Creative Labs? Guessing that first line
+# should be string instead of unknown-endian long...]
+#0 long 0x4e54524b MultiTrack sound data
+#0 string NTRK MultiTrack sound data
+#>4 long x - version %ld
+
+# Microsoft WAVE format (*.wav)
+# [GRR 950115: probably all of the shorts and longs should be leshort/lelong]
+# Microsoft RIFF
+0 string RIFF audio/unknown
+# - WAVE format
+>8 string WAVE audio/x-wav
+# MPEG audio.
+0 beshort&0xfff0 0xfff0 audio/mpeg
+# C64 SID Music files, from Linus Walleij <triad@df.lth.se>
+0 string PSID audio/prs.sid
+
+#------------------------------------------------------------------------------
+# c-lang: file(1) magic for C programs or various scripts
+#
+
+# XPM icons (Greg Roelofs, newt@uchicago.edu)
+# ideally should go into "images", but entries below would tag XPM as C source
+0 string /*\ XPM image/x-xbm 7bit
+
+# this first will upset you if you're a PL/1 shop... (are there any left?)
+# in which case rm it; ascmagic will catch real C programs
+# C or REXX program text
+0 string /* text/plain
+# C++ program text
+0 string // text/plain
+
+#------------------------------------------------------------------------------
+# compress: file(1) magic for pure-compression formats (no archives)
+#
+# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc.
+#
+# Formats for various forms of compressed data
+# Formats for "compress" proper have been moved into "compress.c",
+# because it tries to uncompress it to figure out what's inside.
+
+# standard unix compress
+0 string \037\235 application/octet-stream x-compress
+
+# gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver)
+0 string \037\213 application/octet-stream x-gzip
+
+# According to gzip.h, this is the correct byte order for packed data.
+0 string \037\036 application/octet-stream
+#
+# This magic number is byte-order-independent.
+#
+0 short 017437 application/octet-stream
+
+# XXX - why *two* entries for "compacted data", one of which is
+# byte-order independent, and one of which is byte-order dependent?
+#
+# compacted data
+0 short 0x1fff application/octet-stream
+0 string \377\037 application/octet-stream
+# huf output
+0 short 0145405 application/octet-stream
+
+# Squeeze and Crunch...
+# These numbers were gleaned from the Unix versions of the programs to
+# handle these formats. Note that I can only uncrunch, not crunch, and
+# I didn't have a crunched file handy, so the crunch number is untested.
+# Keith Waclena <keith@cerberus.uchicago.edu>
+#0 leshort 0x76FF squeezed data (CP/M, DOS)
+#0 leshort 0x76FE crunched data (CP/M, DOS)
+
+# Freeze
+#0 string \037\237 Frozen file 2.1
+#0 string \037\236 Frozen file 1.0 (or gzip 0.5)
+
+# lzh?
+#0 string \037\240 LZH compressed data
+
+#------------------------------------------------------------------------------
+# frame: file(1) magic for FrameMaker files
+#
+# This stuff came on a FrameMaker demo tape, most of which is
+# copyright, but this file is "published" as witness the following:
+#
+0 string \<MakerFile application/x-frame
+0 string \<MIFFile application/x-frame
+0 string \<MakerDictionary application/x-frame
+0 string \<MakerScreenFon application/x-frame
+0 string \<MML application/x-frame
+0 string \<Book application/x-frame
+0 string \<Maker application/x-frame
+
+#------------------------------------------------------------------------------
+# html: file(1) magic for HTML (HyperText Markup Language) docs
+#
+# from Daniel Quinlan <quinlan@yggdrasil.com>
+# and Anna Shergold <anna@inext.co.uk>
+#
+0 string \<!DOCTYPE\ HTML text/html
+0 string \<!doctype\ html text/html
+0 string \<HEAD text/html
+0 string \<head text/html
+0 string \<TITLE text/html
+0 string \<title text/html
+0 string \<html text/html
+0 string \<HTML text/html
+0 string \<!-- text/html
+0 string \<h1 text/html
+0 string \<H1 text/html
+
+# XML eXtensible Markup Language, from Linus Walleij <triad@df.lth.se>
+0 string \<?xml text/xml
+
+#------------------------------------------------------------------------------
+# images: file(1) magic for image formats (see also "c-lang" for XPM bitmaps)
+#
+# originally from jef@helios.ee.lbl.gov (Jef Poskanzer),
+# additions by janl@ifi.uio.no as well as others. Jan also suggested
+# merging several one- and two-line files into here.
+#
+# XXX - byte order for GIF and TIFF fields?
+# [GRR: TIFF allows both byte orders; GIF is probably little-endian]
+#
+
+# [GRR: what the hell is this doing in here?]
+#0 string xbtoa btoa'd file
+
+# PBMPLUS
+# PBM file
+0 string P1 image/x-portable-bitmap 7bit
+# PGM file
+0 string P2 image/x-portable-greymap 7bit
+# PPM file
+0 string P3 image/x-portable-pixmap 7bit
+# PBM "rawbits" file
+0 string P4 image/x-portable-bitmap
+# PGM "rawbits" file
+0 string P5 image/x-portable-greymap
+# PPM "rawbits" file
+0 string P6 image/x-portable-pixmap
+
+# NIFF (Navy Interchange File Format, a modification of TIFF)
+# [GRR: this *must* go before TIFF]
+0 string IIN1 image/x-niff
+
+# TIFF and friends
+# TIFF file, big-endian
+0 string MM image/tiff
+# TIFF file, little-endian
+0 string II image/tiff
+
+# possible GIF replacements; none yet released!
+# (Greg Roelofs, newt@uchicago.edu)
+#
+# GRR 950115: this was mine ("Zip GIF"):
+# ZIF image (GIF+deflate alpha)
+0 string GIF94z image/unknown
+#
+# GRR 950115: this is Jeremy Wohl's Free Graphics Format (better):
+# FGF image (GIF+deflate beta)
+0 string FGF95a image/unknown
+#
+# GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal
+# (best; not yet implemented):
+# PBF image (deflate compression)
+0 string PBF image/unknown
+
+# GIF
+0 string GIF image/gif
+
+# JPEG images
+0 beshort 0xffd8 image/jpeg
+
+# PC bitmaps (OS/2, Windoze BMP files) (Greg Roelofs, newt@uchicago.edu)
+0 string BM image/bmp
+#>14 byte 12 (OS/2 1.x format)
+#>14 byte 64 (OS/2 2.x format)
+#>14 byte 40 (Windows 3.x format)
+#0 string IC icon
+#0 string PI pointer
+#0 string CI color icon
+#0 string CP color pointer
+#0 string BA bitmap array
+
+
+#------------------------------------------------------------------------------
+# lisp: file(1) magic for lisp programs
+#
+# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com)
+0 string ;; text/plain 8bit
+# Emacs 18 - this is always correct, but not very magical.
+0 string \012( application/x-elc
+# Emacs 19
+0 string ;ELC\023\000\000\000 application/x-elc
+
+#------------------------------------------------------------------------------
+# mail.news: file(1) magic for mail and news
+#
+# There are tests to ascmagic.c to cope with mail and news.
+0 string Relay-Version: message/rfc822 7bit
+0 string #!\ rnews message/rfc822 7bit
+0 string N#!\ rnews message/rfc822 7bit
+0 string Forward\ to message/rfc822 7bit
+0 string Pipe\ to message/rfc822 7bit
+0 string Return-Path: message/rfc822 7bit
+0 string Path: message/news 8bit
+0 string Xref: message/news 8bit
+0 string From: message/rfc822 7bit
+0 string Article message/news 8bit
+#------------------------------------------------------------------------------
+# msword: file(1) magic for MS Word files
+#
+# Contributor claims:
+# Reversed-engineered MS Word magic numbers
+#
+
+0 string \376\067\0\043 application/msword
+0 string \333\245-\0\0\0 application/msword
+
+# disable this one because it applies also to other
+# Office/OLE documents for which msword is not correct. See PR#2608.
+#0 string \320\317\021\340\241\261 application/msword
+
+
+
+#------------------------------------------------------------------------------
+# printer: file(1) magic for printer-formatted files
+#
+
+# PostScript
+0 string %! application/postscript
+0 string \004%! application/postscript
+
+# Acrobat
+# (due to clamen@cs.cmu.edu)
+0 string %PDF- application/pdf
+
+#------------------------------------------------------------------------------
+# sc: file(1) magic for "sc" spreadsheet
+#
+38 string Spreadsheet application/x-sc
+
+#------------------------------------------------------------------------------
+# tex: file(1) magic for TeX files
+#
+# XXX - needs byte-endian stuff (big-endian and little-endian DVI?)
+#
+# From <conklin@talisman.kaleida.com>
+
+# Although we may know the offset of certain text fields in TeX DVI
+# and font files, we can't use them reliably because they are not
+# zero terminated. [but we do anyway, christos]
+0 string \367\002 application/x-dvi
+#0 string \367\203 TeX generic font data
+#0 string \367\131 TeX packed font data
+#0 string \367\312 TeX virtual font data
+#0 string This\ is\ TeX, TeX transcript text
+#0 string This\ is\ METAFONT, METAFONT transcript text
+
+# There is no way to detect TeX Font Metric (*.tfm) files without
+# breaking them apart and reading the data. The following patterns
+# match most *.tfm files generated by METAFONT or afm2tfm.
+#2 string \000\021 TeX font metric data
+#2 string \000\022 TeX font metric data
+#>34 string >\0 (%s)
+
+# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com)
+#0 string \\input\ texinfo Texinfo source text
+#0 string This\ is\ Info\ file GNU Info text
+
+# correct TeX magic for Linux (and maybe more)
+# from Peter Tobias (tobias@server.et-inf.fho-emden.de)
+#
+0 leshort 0x02f7 application/x-dvi
+
+# RTF - Rich Text Format
+0 string {\\rtf application/rtf
+
+#------------------------------------------------------------------------------
+# animation: file(1) magic for animation/movie formats
+#
+# animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8)
+# MPEG file
+0 string \000\000\001\263 video/mpeg
+#
+# The contributor claims:
+# I couldn't find a real magic number for these, however, this
+# -appears- to work. Note that it might catch other files, too,
+# so BE CAREFUL!
+#
+# Note that title and author appear in the two 20-byte chunks
+# at decimal offsets 2 and 22, respectively, but they are XOR'ed with
+# 255 (hex FF)! DL format SUCKS BIG ROCKS.
+#
+# DL file version 1 , medium format (160x100, 4 images/screen)
+0 byte 1 video/unknown
+0 byte 2 video/unknown
+# Quicktime video, from Linus Walleij <triad@df.lth.se>
+# from Apple quicktime file format documentation.
+4 string moov video/quicktime
+4 string mdat video/quicktime
+
diff --git a/base/ra/apache/conf/mime.types b/base/ra/apache/conf/mime.types
new file mode 100644
index 000000000..3485692d1
--- /dev/null
+++ b/base/ra/apache/conf/mime.types
@@ -0,0 +1,592 @@
+# This is a comment. I love comments.
+
+# This file controls what Internet media types are sent to the client for
+# given file extension(s). Sending the correct media type to the client
+# is important so they know how to handle the content of the file.
+# Extra types can either be added here or by using an AddType directive
+# in your config files. For more information about Internet media types,
+# please read RFC 2045, 2046, 2047, 2048, and 2077. The Internet media type
+# registry is at <http://www.iana.org/assignments/media-types/>.
+
+# MIME type Extensions
+application/activemessage
+application/andrew-inset ez
+application/applefile
+application/atom+xml atom
+application/atomicmail
+application/batch-smtp
+application/beep+xml
+application/cals-1840
+application/cnrp+xml
+application/commonground
+application/cpl+xml
+application/cybercash
+application/dca-rft
+application/dec-dx
+application/dvcs
+application/edi-consent
+application/edifact
+application/edi-x12
+application/eshop
+application/font-tdpfr
+application/http
+application/hyperstudio
+application/iges
+application/index
+application/index.cmd
+application/index.obj
+application/index.response
+application/index.vnd
+application/iotp
+application/ipp
+application/isup
+application/mac-binhex40 hqx
+application/mac-compactpro cpt
+application/macwriteii
+application/marc
+application/mathematica
+application/mathml+xml mathml
+application/msword doc
+application/news-message-id
+application/news-transmission
+application/ocsp-request
+application/ocsp-response
+application/octet-stream bin dms lha lzh exe class so dll dmg
+application/oda oda
+application/ogg ogg
+application/parityfec
+application/pdf pdf
+application/pgp-encrypted
+application/pgp-keys
+application/pgp-signature
+application/pkcs10
+application/pkcs7-mime
+application/pkcs7-signature
+application/pkix-cert
+application/pkix-crl
+application/pkixcmp
+application/postscript ai eps ps
+application/prs.alvestrand.titrax-sheet
+application/prs.cww
+application/prs.nprend
+application/prs.plucker
+application/qsig
+application/rdf+xml rdf
+application/reginfo+xml
+application/remote-printing
+application/riscos
+application/rtf
+application/sdp
+application/set-payment
+application/set-payment-initiation
+application/set-registration
+application/set-registration-initiation
+application/sgml
+application/sgml-open-catalog
+application/sieve
+application/slate
+application/smil smi smil
+application/srgs gram
+application/srgs+xml grxml
+application/timestamp-query
+application/timestamp-reply
+application/tve-trigger
+application/vemmi
+application/vnd.3gpp.pic-bw-large
+application/vnd.3gpp.pic-bw-small
+application/vnd.3gpp.pic-bw-var
+application/vnd.3gpp.sms
+application/vnd.3m.post-it-notes
+application/vnd.accpac.simply.aso
+application/vnd.accpac.simply.imp
+application/vnd.acucobol
+application/vnd.acucorp
+application/vnd.adobe.xfdf
+application/vnd.aether.imp
+application/vnd.amiga.ami
+application/vnd.anser-web-certificate-issue-initiation
+application/vnd.anser-web-funds-transfer-initiation
+application/vnd.audiograph
+application/vnd.blueice.multipass
+application/vnd.bmi
+application/vnd.businessobjects
+application/vnd.canon-cpdl
+application/vnd.canon-lips
+application/vnd.cinderella
+application/vnd.claymore
+application/vnd.commerce-battelle
+application/vnd.commonspace
+application/vnd.contact.cmsg
+application/vnd.cosmocaller
+application/vnd.criticaltools.wbs+xml
+application/vnd.ctc-posml
+application/vnd.cups-postscript
+application/vnd.cups-raster
+application/vnd.cups-raw
+application/vnd.curl
+application/vnd.cybank
+application/vnd.data-vision.rdz
+application/vnd.dna
+application/vnd.dpgraph
+application/vnd.dreamfactory
+application/vnd.dxr
+application/vnd.ecdis-update
+application/vnd.ecowin.chart
+application/vnd.ecowin.filerequest
+application/vnd.ecowin.fileupdate
+application/vnd.ecowin.series
+application/vnd.ecowin.seriesrequest +application/vnd.ecowin.seriesupdate +application/vnd.enliven +application/vnd.epson.esf +application/vnd.epson.msf +application/vnd.epson.quickanime +application/vnd.epson.salt +application/vnd.epson.ssf +application/vnd.ericsson.quickcall +application/vnd.eudora.data +application/vnd.fdf +application/vnd.ffsns +application/vnd.fints +application/vnd.flographit +application/vnd.framemaker +application/vnd.fsc.weblaunch +application/vnd.fujitsu.oasys +application/vnd.fujitsu.oasys2 +application/vnd.fujitsu.oasys3 +application/vnd.fujitsu.oasysgp +application/vnd.fujitsu.oasysprs +application/vnd.fujixerox.ddd +application/vnd.fujixerox.docuworks +application/vnd.fujixerox.docuworks.binder +application/vnd.fut-misnet +application/vnd.grafeq +application/vnd.groove-account +application/vnd.groove-help +application/vnd.groove-identity-message +application/vnd.groove-injector +application/vnd.groove-tool-message +application/vnd.groove-tool-template +application/vnd.groove-vcard +application/vnd.hbci +application/vnd.hhe.lesson-player +application/vnd.hp-hpgl +application/vnd.hp-hpid +application/vnd.hp-hps +application/vnd.hp-pcl +application/vnd.hp-pclxl +application/vnd.httphone +application/vnd.hzn-3d-crossword +application/vnd.ibm.afplinedata +application/vnd.ibm.electronic-media +application/vnd.ibm.minipay +application/vnd.ibm.modcap +application/vnd.ibm.rights-management +application/vnd.ibm.secure-container +application/vnd.informix-visionary +application/vnd.intercon.formnet +application/vnd.intertrust.digibox +application/vnd.intertrust.nncp +application/vnd.intu.qbo +application/vnd.intu.qfx +application/vnd.irepository.package+xml +application/vnd.is-xpr +application/vnd.japannet-directory-service +application/vnd.japannet-jpnstore-wakeup +application/vnd.japannet-payment-wakeup +application/vnd.japannet-registration +application/vnd.japannet-registration-wakeup +application/vnd.japannet-setstore-wakeup 
+application/vnd.japannet-verification +application/vnd.japannet-verification-wakeup +application/vnd.jisp +application/vnd.kde.karbon +application/vnd.kde.kchart +application/vnd.kde.kformula +application/vnd.kde.kivio +application/vnd.kde.kontour +application/vnd.kde.kpresenter +application/vnd.kde.kspread +application/vnd.kde.kword +application/vnd.kenameaapp +application/vnd.koan +application/vnd.liberty-request+xml +application/vnd.llamagraphics.life-balance.desktop +application/vnd.llamagraphics.life-balance.exchange+xml +application/vnd.lotus-1-2-3 +application/vnd.lotus-approach +application/vnd.lotus-freelance +application/vnd.lotus-notes +application/vnd.lotus-organizer +application/vnd.lotus-screencam +application/vnd.lotus-wordpro +application/vnd.mcd +application/vnd.mediastation.cdkey +application/vnd.meridian-slingshot +application/vnd.micrografx.flo +application/vnd.micrografx.igx +application/vnd.mif mif +application/vnd.minisoft-hp3000-save +application/vnd.mitsubishi.misty-guard.trustweb +application/vnd.mobius.daf +application/vnd.mobius.dis +application/vnd.mobius.mbk +application/vnd.mobius.mqy +application/vnd.mobius.msl +application/vnd.mobius.plc +application/vnd.mobius.txf +application/vnd.mophun.application +application/vnd.mophun.certificate +application/vnd.motorola.flexsuite +application/vnd.motorola.flexsuite.adsi +application/vnd.motorola.flexsuite.fis +application/vnd.motorola.flexsuite.gotap +application/vnd.motorola.flexsuite.kmr +application/vnd.motorola.flexsuite.ttc +application/vnd.motorola.flexsuite.wem +application/vnd.mozilla.xul+xml xul +application/vnd.ms-artgalry +application/vnd.ms-asf +application/vnd.ms-excel xls +application/vnd.ms-lrm +application/vnd.ms-powerpoint ppt +application/vnd.ms-project +application/vnd.ms-tnef +application/vnd.ms-works +application/vnd.ms-wpl +application/vnd.mseq +application/vnd.msign +application/vnd.music-niff +application/vnd.musician +application/vnd.netfpx 
+application/vnd.noblenet-directory +application/vnd.noblenet-sealer +application/vnd.noblenet-web +application/vnd.novadigm.edm +application/vnd.novadigm.edx +application/vnd.novadigm.ext +application/vnd.obn +application/vnd.osa.netdeploy +application/vnd.palm +application/vnd.pg.format +application/vnd.pg.osasli +application/vnd.powerbuilder6 +application/vnd.powerbuilder6-s +application/vnd.powerbuilder7 +application/vnd.powerbuilder7-s +application/vnd.powerbuilder75 +application/vnd.powerbuilder75-s +application/vnd.previewsystems.box +application/vnd.publishare-delta-tree +application/vnd.pvi.ptid1 +application/vnd.pwg-multiplexed +application/vnd.pwg-xhtml-print+xml +application/vnd.quark.quarkxpress +application/vnd.rapid +application/vnd.s3sms +application/vnd.sealed.net +application/vnd.seemail +application/vnd.shana.informed.formdata +application/vnd.shana.informed.formtemplate +application/vnd.shana.informed.interchange +application/vnd.shana.informed.package +application/vnd.smaf +application/vnd.sss-cod +application/vnd.sss-dtf +application/vnd.sss-ntf +application/vnd.street-stream +application/vnd.svd +application/vnd.swiftview-ics +application/vnd.triscape.mxs +application/vnd.trueapp +application/vnd.truedoc +application/vnd.ufdl +application/vnd.uplanet.alert +application/vnd.uplanet.alert-wbxml +application/vnd.uplanet.bearer-choice +application/vnd.uplanet.bearer-choice-wbxml +application/vnd.uplanet.cacheop +application/vnd.uplanet.cacheop-wbxml +application/vnd.uplanet.channel +application/vnd.uplanet.channel-wbxml +application/vnd.uplanet.list +application/vnd.uplanet.list-wbxml +application/vnd.uplanet.listcmd +application/vnd.uplanet.listcmd-wbxml +application/vnd.uplanet.signal +application/vnd.vcx +application/vnd.vectorworks +application/vnd.vidsoft.vidconference +application/vnd.visio +application/vnd.visionary +application/vnd.vividence.scriptfile +application/vnd.vsf +application/vnd.wap.sic +application/vnd.wap.slc 
+application/vnd.wap.wbxml wbxml +application/vnd.wap.wmlc wmlc +application/vnd.wap.wmlscriptc wmlsc +application/vnd.webturbo +application/vnd.wrq-hp3000-labelled +application/vnd.wt.stf +application/vnd.wv.csp+wbxml +application/vnd.xara +application/vnd.xfdl +application/vnd.yamaha.hv-dic +application/vnd.yamaha.hv-script +application/vnd.yamaha.hv-voice +application/vnd.yellowriver-custom-menu +application/voicexml+xml vxml +application/watcherinfo+xml +application/whoispp-query +application/whoispp-response +application/wita +application/wordperfect5.1 +application/x-bcpio bcpio +application/x-cdlink vcd +application/x-chess-pgn pgn +application/x-compress +application/x-cpio cpio +application/x-csh csh +application/x-director dcr dir dxr +application/x-dvi dvi +application/x-futuresplash spl +application/x-gtar gtar +application/x-gzip +application/x-hdf hdf +application/x-javascript js +application/x-koan skp skd skt skm +application/x-latex latex +application/x-netcdf nc cdf +application/x-sh sh +application/x-shar shar +application/x-shockwave-flash swf +application/x-stuffit sit +application/x-sv4cpio sv4cpio +application/x-sv4crc sv4crc +application/x-tar tar +application/x-tcl tcl +application/x-tex tex +application/x-texinfo texinfo texi +application/x-troff t tr roff +application/x-troff-man man +application/x-troff-me me +application/x-troff-ms ms +application/x-ustar ustar +application/x-wais-source src +application/x400-bp +application/xhtml+xml xhtml xht +application/xslt+xml xslt +application/xml xml xsl +application/xml-dtd dtd +application/xml-external-parsed-entity +application/zip zip +audio/32kadpcm +audio/amr +audio/amr-wb +audio/basic au snd +audio/cn +audio/dat12 +audio/dsr-es201108 +audio/dvi4 +audio/evrc +audio/evrc0 +audio/g722 +audio/g.722.1 +audio/g723 +audio/g726-16 +audio/g726-24 +audio/g726-32 +audio/g726-40 +audio/g728 +audio/g729 +audio/g729D +audio/g729E +audio/gsm +audio/gsm-efr +audio/l8 +audio/l16 +audio/l20 +audio/l24 
+audio/lpc +audio/midi mid midi kar +audio/mpa +audio/mpa-robust +audio/mp4a-latm +audio/mpeg mpga mp2 mp3 +audio/parityfec +audio/pcma +audio/pcmu +audio/prs.sid +audio/qcelp +audio/red +audio/smv +audio/smv0 +audio/telephone-event +audio/tone +audio/vdvi +audio/vnd.3gpp.iufp +audio/vnd.cisco.nse +audio/vnd.cns.anp1 +audio/vnd.cns.inf1 +audio/vnd.digital-winds +audio/vnd.everad.plj +audio/vnd.lucent.voice +audio/vnd.nortel.vbk +audio/vnd.nuera.ecelp4800 +audio/vnd.nuera.ecelp7470 +audio/vnd.nuera.ecelp9600 +audio/vnd.octel.sbc +audio/vnd.qcelp +audio/vnd.rhetorex.32kadpcm +audio/vnd.vmx.cvsd +audio/x-aiff aif aiff aifc +audio/x-alaw-basic +audio/x-mpegurl m3u +audio/x-pn-realaudio ram ra +audio/x-pn-realaudio-plugin +application/vnd.rn-realmedia rm +audio/x-wav wav +chemical/x-pdb pdb +chemical/x-xyz xyz +image/bmp bmp +image/cgm cgm +image/g3fax +image/gif gif +image/ief ief +image/jpeg jpeg jpg jpe +image/naplps +image/png png +image/prs.btif +image/prs.pti +image/svg+xml svg +image/t38 +image/tiff tiff tif +image/tiff-fx +image/vnd.cns.inf2 +image/vnd.djvu djvu djv +image/vnd.dwg +image/vnd.dxf +image/vnd.fastbidsheet +image/vnd.fpx +image/vnd.fst +image/vnd.fujixerox.edmics-mmr +image/vnd.fujixerox.edmics-rlc +image/vnd.globalgraphics.pgb +image/vnd.mix +image/vnd.ms-modi +image/vnd.net-fpx +image/vnd.svf +image/vnd.wap.wbmp wbmp +image/vnd.xiff +image/x-cmu-raster ras +image/x-icon ico +image/x-portable-anymap pnm +image/x-portable-bitmap pbm +image/x-portable-graymap pgm +image/x-portable-pixmap ppm +image/x-rgb rgb +image/x-xbitmap xbm +image/x-xpixmap xpm +image/x-xwindowdump xwd +message/delivery-status +message/disposition-notification +message/external-body +message/http +message/news +message/partial +message/rfc822 +message/s-http +message/sip +message/sipfrag +model/iges igs iges +model/mesh msh mesh silo +model/vnd.dwf +model/vnd.flatland.3dml +model/vnd.gdl +model/vnd.gs-gdl +model/vnd.gtw +model/vnd.mts +model/vnd.parasolid.transmit.binary 
+model/vnd.parasolid.transmit.text +model/vnd.vtu +model/vrml wrl vrml +multipart/alternative +multipart/appledouble +multipart/byteranges +multipart/digest +multipart/encrypted +multipart/form-data +multipart/header-set +multipart/mixed +multipart/parallel +multipart/related +multipart/report +multipart/signed +multipart/voice-message +text/calendar ics ifb +text/css css +text/directory +text/enriched +text/html html htm +text/parityfec +text/plain asc txt +text/prs.lines.tag +text/rfc822-headers +text/richtext rtx +text/rtf rtf +text/sgml sgml sgm +text/t140 +text/tab-separated-values tsv +text/uri-list +text/vnd.abc +text/vnd.curl +text/vnd.dmclientscript +text/vnd.fly +text/vnd.fmi.flexstor +text/vnd.in3d.3dml +text/vnd.in3d.spot +text/vnd.iptc.nitf +text/vnd.iptc.newsml +text/vnd.latex-z +text/vnd.motorola.reflex +text/vnd.ms-mediapackage +text/vnd.net2phone.commcenter.command +text/vnd.sun.j2me.app-descriptor +text/vnd.wap.si +text/vnd.wap.sl +text/vnd.wap.wml wml +text/vnd.wap.wmlscript wmls +text/x-setext etx +text/xml +text/xml-external-parsed-entity +video/bmpeg +video/bt656 +video/celb +video/dv +video/h261 +video/h263 +video/h263-1998 +video/h263-2000 +video/jpeg +video/mp1s +video/mp2p +video/mp2t +video/mp4v-es +video/mpv +video/mpeg mpeg mpg mpe +video/nv +video/parityfec +video/pointer +video/quicktime qt mov +video/smpte292m +video/vnd.fvt +video/vnd.motorola.video +video/vnd.motorola.videop +video/vnd.mpegurl mxu m4u +video/vnd.nokia.interleaved-multimedia +video/vnd.objectvideo +video/vnd.vivo +video/x-msvideo avi +video/x-sgi-movie movie +x-conference/x-cooltalk ice diff --git a/base/ra/apache/conf/nss.conf b/base/ra/apache/conf/nss.conf new file mode 100644 index 000000000..a3e0621ab --- /dev/null +++ b/base/ra/apache/conf/nss.conf 
@@ -0,0 +1,267 @@
+#
+# This is the Apache server configuration file providing SSL support using.
+# the mod_nss plugin. It contains the configuration directives to instruct
+# the server how to serve pages over an https connection.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+
+#
+# When we also provide SSL we have to listen to the
+# standard HTTP port (see above) and to the HTTPS port
+#
+# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
+# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
+#
+Listen [SECURE_PORT]
+
+Listen [NON_CLIENTAUTH_SECURE_PORT]
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+#NSSPassPhraseDialog builtin
+NSSPassPhraseDialog defer:[SERVER_ROOT]/conf/password.conf
+
+
+# Pass Phrase Helper:
+# This helper program stores the token password pins between
+# restarts of Apache.
+NSSPassPhraseHelper /usr/share/pki/ra/scripts/nss_pcache
+
+# Configure the SSL Session Cache.
+# SSLSessionCacheSize is the number of entries in the cache.
+# SSLSessionCacheTimeout is the SSL2 session timeout (in seconds).
+# SSL3SessionCacheTimeout is the SSL3/TLS session timeout (in seconds).
+NSSSessionCacheSize 10000
+NSSSessionCacheTimeout 100
+NSSSession3CacheTimeout 86400
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:[SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Secure_Port]
+#ServerAdmin you@example.com
+
+# Configure OCSP checking of client certs
+
+#NSSOCSP on
+#NSSOCSPDefaultResponder on
+
+# URL of the ocsp service
+#
+# Example of the built in ocsp service of the CS CA
+#
+#NSSOCSPDefaultURL http://localhost:9180/ca/ocsp
+
+# Nickname of ocsp signing cert
+#
+# Below is sufficient if using built in CS CA ocsp service
+# If using outboard ocsp, make sure the cert listed below
+# is imported into the local cert database.
+#
+#NSSOCSPDefaultName caCert
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient require
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars +ExportCertData
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+
+<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]
+#ServerAdmin you@example.com
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient none
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars +ExportCertData
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
diff --git a/base/ra/apache/conf/perl.conf b/base/ra/apache/conf/perl.conf
new file mode 100644
index 000000000..50139cdab
--- /dev/null
+++ b/base/ra/apache/conf/perl.conf
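Review bot: Both `NSSProtocol SSLv3,TLSv1` lines leave SSLv3 negotiable, and the `NSSCipherSuite` list in each VirtualHost enables single-DES (`+rsa_des_sha`) and RC4-MD5 (`+rsa_rc4_128_md5`) while explicitly disabling AES (`-rsa_aes_128_sha,-rsa_aes_256_sha`), so a client on either the client-auth port or the non-client-auth port can end up on a weak suite. These appear to be the ports that carry agent and end-entity traffic (client certificates, PINs), so I would change both protocol lines to `NSSProtocol TLSv1` and, in both suite lists, turn on `+rsa_aes_128_sha,+rsa_aes_256_sha` and turn off `-rsa_des_sha,-rsa_rc4_128_md5`, then confirm the installed mod_nss accepts those names. The OCSP client-cert checking block (`#NSSOCSP on`, `#NSSOCSPDefaultURL`) on the client-auth vhost is also left commented out; if revocation of agent certificates is expected to take effect, it should be enabled, or the comment should state why it is deferred to the installer.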
@@ -0,0 +1,102 @@
+#
+# Mod_perl incorporates a Perl interpreter into the Apache web server,
+# so that the Apache web server can directly execute Perl code.
+# Mod_perl links the Perl runtime library into the Apache web server
+# and provides an object-oriented Perl interface for Apache's C
+# language API. The end result is a quicker CGI script turnaround
+# process, since no external Perl interpreter has to be started.
+#
+
+LoadModule perl_module [FORTITUDE_LIB_DIR]/modules/mod_perl.so
+
+# Uncomment this line to globally enable warnings, which will be
+# written to the server's error log. Warnings should be enabled
+# during the development process, but should be disabled on a
+# production server as they affect performance.
+#
+#PerlWarn On
+
+# Uncomment this line to enable taint checking globally. When Perl is
+# running in taint mode various checks are performed to reduce the
+# risk of insecure data being passed to a subshell or being used to
+# modify the filesystem. Unfortunatly many Perl modules are not
+# taint-safe, so you should exercise care before enabling it on a
+# production server.
+#
+#PerlTaintCheck On
+
+# This will allow execution of mod_perl to compile your scripts to
+# subroutines which it will execute directly, avoiding the costly
+# compile process for most requests.
+#
+#Alias /perl /var/www/perl
+#<Directory /var/www/perl>
+# SetHandler perl-script
+# PerlResponseHandler ModPerl::Registry
+# PerlOptions +ParseHeaders
+# Options +ExecCGI
+#</Directory>
+
+# This will allow remote server configuration reports, with the URL of
+# http://servername/perl-status
+# Change the ".your-domain.com" to match your domain to enable.
+#
+#PerlModule Apache::compat
+#<Location /perl-status>
+# SetHandler perl-script
+# PerlResponseHandler Apache::Status
+# Order deny,allow
+# Deny from all
+# Allow from .your-domain.com
+#</Location>
+
+PerlModule ModPerl::Registry
+PerlModule [FORTITUDE_APACHE]::compat
+PerlModule PKI::RA::wizard
+PerlSetEnv PKI_DOCROOT [SERVER_ROOT]/docroot
+PerlSetEnv PKI_ROOT [SERVER_ROOT]
+<Location /ra/admin/console/config/wizard>
+ SetHandler perl-script
+ PerlHandler PKI::RA::Wizard
+ Order deny,allow
+ Allow from all
+</Location>
+
+<Location /ra/admin/console/config/login>
+ SetHandler perl-script
+ PerlHandler PKI::RA::Login
+ Order deny,allow
+ Allow from all
+</Location>
+
+PerlModule ModPerl::PerlRun
+Alias /ee/ [SERVER_ROOT]/docroot/ee/
+<Location /ee/ >
+ SetHandler perl-script
+ PerlHandler ModPerl::PerlRun
+ Options Indexes ExecCGI
+ PerlSendHeader On
+</Location>
+
+Alias /agent/ [SERVER_ROOT]/docroot/agent/
+<Location /agent/ >
+ SetHandler perl-script
+ PerlHandler ModPerl::PerlRun
+ Options Indexes ExecCGI
+ PerlSendHeader On
+</Location>
+
+Alias /admin/ [SERVER_ROOT]/docroot/admin/
+<Location /admin/ >
+ SetHandler perl-script
+ PerlHandler ModPerl::PerlRun
+ Options Indexes ExecCGI
+ PerlSendHeader On
+</Location>
+
+<Location /index.cgi >
+ SetHandler perl-script
+ PerlHandler ModPerl::PerlRun
+ Options Indexes ExecCGI
+ PerlSendHeader On
+</Location>
diff --git a/base/ra/doc/CMakeLists.txt b/base/ra/doc/CMakeLists.txt
new file mode 100644
index 000000000..4cebbe1c9
--- /dev/null
+++ b/base/ra/doc/CMakeLists.txt
@@ -0,0 +1,10 @@
+set(VERSION ${APPLICATION_VERSION})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/base/ra/doc/CS.cfg.in b/base/ra/doc/CS.cfg.in
new file mode 100644
index 000000000..0581e3a78
--- /dev/null
+++ b/base/ra/doc/CS.cfg.in
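Review bot: The `/ee/`, `/agent/`, `/admin/` and `/index.cgi` locations all grant `Options Indexes ExecCGI`, but nothing in this file needs `Indexes` — it only serves to enable automatic directory listings of the script docroot, which is the opposite of least privilege for the agent and admin trees; I would make all four `Options ExecCGI`. `PerlTaintCheck On` stays commented out with the generic boilerplate even though these locations run request-driven scripts under `ModPerl::PerlRun`; if the RA scripts are known not to be taint-clean, a comment saying so would be more useful than the stock text. There is also a case mismatch between `PerlModule PKI::RA::wizard` and `PerlHandler PKI::RA::Wizard` — on a case-sensitive filesystem the two names resolve to different files, so one of them is presumably a typo; confirm against the module name under lib/.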
@@ -0,0 +1,242 @@ +_000=## +_001=## Registration Authority (RA) Configuration File +_002=## +pidDir=[PKI_PIDDIR] +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.secure_port=[SECURE_PORT] +pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT] +pkicreate.unsecure_port=[PORT] +pkicreate.user=[PKI_USER] +pkicreate.group=[PKI_GROUP] +pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +request._000=######################################### +request._001=# Request Queue Parameters +request._002=######################################### +agent.authorized_groups=administrators,agents +admin.authorized_groups=administrators +database.dbfile=[SERVER_ROOT]/conf/dbfile +database.lockfile=[SERVER_ROOT]/conf/dblock +request.renewal.approve_request.0.ca=ca1 +request.renewal.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA +request.renewal.approve_request.0.profileId=caDualRAuserCert +request.renewal.approve_request.0.reqType=crmf +request.renewal.approve_request.1.mailTo=$created_by +request.renewal.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification +request.renewal.approve_request.1.templateDir=/usr/share/pki/ra/conf +request.renewal.approve_request.1.templateFile=mail_approve_request.vm +request.renewal.approve_request.num_plugins=2 +request.renewal.reject_request.num_plugins=0 +request.renewal.create_request.0.assignTo=agents +request.renewal.create_request.0.plugin=PKI::Request::Plugin::AutoAssign +request.renewal.create_request.1.mailTo=$created_by +request.renewal.create_request.1.plugin=PKI::Request::Plugin::EmailNotification +request.renewal.create_request.1.templateDir=/usr/share/pki/ra/conf +request.renewal.create_request.1.templateFile=mail_create_request.vm +request.renewal.create_request.num_plugins=2 +request.scep.profileId=caRARouterCert +request.scep.reqType=pkcs10 
+request.scep.create_request.num_plugins=2 +request.scep.create_request.0.plugin=PKI::Request::Plugin::AutoAssign +request.scep.create_request.0.assignTo=agents +request.scep.create_request.1.plugin=PKI::Request::Plugin::EmailNotification +request.scep.create_request.1.mailTo= +request.scep.create_request.1.templateDir=/usr/share/pki/ra/conf +request.scep.create_request.1.templateFile=mail_create_request.vm +request.scep.approve_request.num_plugins=1 +request.scep.approve_request.0.plugin=PKI::Request::Plugin::CreatePin +request.scep.approve_request.0.pinFormat=$site_id +request.scep.reject_request.num_plugins=0 +request.agent.profileId=caRAagentCert +request.agent.reqType=crmf +request.agent.create_request.num_plugins=2 +request.agent.create_request.0.plugin=PKI::Request::Plugin::AutoAssign +request.agent.create_request.0.assignTo=agents +request.agent.create_request.1.plugin=PKI::Request::Plugin::EmailNotification +request.agent.create_request.1.mailTo= +request.agent.create_request.1.templateDir=/usr/share/pki/ra/conf +request.agent.create_request.1.templateFile=mail_create_request.vm +request.agent.approve_request.num_plugins=1 +request.agent.approve_request.0.plugin=PKI::Request::Plugin::CreatePin +request.agent.approve_request.0.pinFormat=$uid +request.agent.reject_request.num_plugins=0 +request.user.create_request.num_plugins=2 +request.user.create_request.0.plugin=PKI::Request::Plugin::AutoAssign +request.user.create_request.0.assignTo=agents +request.user.create_request.1.plugin=PKI::Request::Plugin::EmailNotification +request.user.create_request.1.templateDir=/usr/share/pki/ra/conf +request.user.create_request.1.templateFile=mail_create_request.vm +request.user.create_request.1.mailTo= +request.user.approve_request.num_plugins=2 +request.user.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA +request.user.approve_request.0.ca=ca1 +request.user.approve_request.0.profileId=caDualRAuserCert +request.user.approve_request.0.reqType=crmf 
+request.user.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification +request.user.approve_request.1.mailTo=$created_by +request.user.approve_request.1.templateDir=/usr/share/pki/ra/conf +request.user.approve_request.1.templateFile=mail_approve_request.vm +request.user.reject_request.num_plugins=0 +request.server.create_request.num_plugins=2 +request.server.create_request.0.plugin=PKI::Request::Plugin::AutoAssign +request.server.create_request.0.assignTo=agents +request.server.create_request.1.plugin=PKI::Request::Plugin::EmailNotification +request.server.create_request.1.mailTo= +request.server.create_request.1.templateDir=/usr/share/pki/ra/conf +request.server.create_request.1.templateFile=mail_create_request.vm +request.server.approve_request.num_plugins=2 +request.server.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA +request.server.approve_request.0.ca=ca1 +request.server.approve_request.0.profileId=caRAserverCert +request.server.approve_request.0.reqType=pkcs10 +request.server.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification +request.server.approve_request.1.mailTo=$created_by +request.server.approve_request.1.templateDir=/usr/share/pki/ra/conf +request.server.approve_request.1.templateFile=mail_approve_request.vm +request.server.reject_request.num_plugins=0 +cs.type=RA +service.machineName=[SERVER_NAME] +service.instanceDir=[SERVER_ROOT] +service.securePort=[SECURE_PORT] +service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT] +service.unsecurePort=[PORT] +service.instanceID=[PKI_INSTANCE_ID] +logging._000=######################################### +logging._001=# RA configuration File +logging._002=# +logging._003=# All <...> must be replaced with +logging._004=# appropriate values. 
+logging._005=######################################### +logging._006=######################################## +logging._007=# logging +logging._008=# +logging._009=# logging.debug.enable: +logging._010=# logging.audit.enable: +logging._011=# logging.error.enable: +logging._012=# - enable or disable the corresponding logging +logging._013=# logging.debug.filename: +logging._014=# logging.audit.filename: +logging._015=# logging.error.filename: +logging._016=# - name of the log file +logging._017=# logging.debug.level: +logging._018=# logging.audit.level: +logging._019=# logging.error.level: +logging._020=# - level of logging. (0-10) +logging._021=# 0 - no logging, +logging._022=# 4 - LL_PER_SERVER these messages will occur only once +logging._023=# during the entire invocation of the +logging._024=# server, e. g. at startup or shutdown +logging._025=# time., reading the conf parameters. +logging._026=# Perhaps other infrequent events +logging._027=# relating to failing over of CA, TKS, +logging._028=# too +logging._029=# 6 - LL_PER_CONNECTION these messages happen once per +logging._030=# connection - most of the log events +logging._031=# will be at this level +logging._032=# 8 - LL_PER_PDU these messages relate to PDU +logging._033=# processing. 
If you have something that +logging._034=# is done for every PDU, such as +logging._035=# applying the MAC, it should be logged +logging._036=# at this level +logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more +logging._038=# chatty version of the above +logging._039=# 10 - all logging +logging._040=######################################### +logging.debug.enable=true +logging.debug.filename=[SERVER_ROOT]/logs/ra-debug.log +logging.debug.level=7 +logging.audit.enable=true +logging.audit.filename=[SERVER_ROOT]/logs/ra-audit.log +logging.audit.level=10 +logging.error.enable=true +logging.error.filename=[SERVER_ROOT]/logs/ra-error.log +logging.error.level=10 +conn.ca1._000=######################################### +conn.ca1._001=# CA connection +conn.ca1._002=# +conn.ca1._003=# conn.ca<n>.hostport: +conn.ca1._004=# - host name and port number of your CA, format is host:port +conn.ca1._005=# conn.ca<n>.clientNickname: +conn.ca1._006=# - nickname of the client certificate for +conn.ca1._007=# authentication +conn.ca1._008=# conn.ca<n>.servlet.enrollment: +conn.ca1._009=# - servlet to contact in CA +conn.ca1._010=# - must be '/ca/ee/ca/profileSubmitSSLClient' +conn.ca1._008=# conn.ca<n>.servlet.addagent: +conn.ca1._009=# - servlet to add ra agent on CA +conn.ca1._010=# - must be '/ca/admin/ca/registerRaUser +conn.ca1._011=# conn.ca<n>.retryConnect: +conn.ca1._012=# - number of reconnection attempts on failure +conn.ca1._013=# conn.ca<n>.timeout: +conn.ca1._014=# - connection timeout +conn.ca1._015=# conn.ca<n>.SSLOn: +conn.ca1._016=# - enable SSL or not +conn.ca1._017=# conn.ca<n>.keepAlive: +conn.ca1._018=# - enable keep alive or not +conn.ca1._019=# +conn.ca1._020=# where +conn.ca1._021=# <n> - CA connection ID +conn.ca1._022=######################################### +failover.pod.enable=false +conn.ca1.hostport=[CA_HOST]:[CA_PORT] +conn.ca1.clientNickname=[HSM_LABEL][NICKNAME] +conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient 
+conn.ca1.servlet.addagent=/ca/admin/ca/registerRaUser +conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke +conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke +conn.ca1.retryConnect=3 +conn.ca1.timeout=100 +conn.ca1.SSLOn=true +conn.ca1.keepAlive=true +preop.pin=[PKI_RANDOM_NUMBER] +preop.product.version=@VERSION@ +preop.cert._000=######################################### +preop.cert._001=# Installation configuration "preop" certs parameters +preop.cert._002=######################################### +preop.cert.list=sslserver,subsystem +preop.cert.sslserver.enable=true +preop.cert.subsystem.enable=true +preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA +preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID] +preop.cert.sslserver.keysize.customsize=2048 +preop.cert.sslserver.keysize.size=2048 +preop.cert.sslserver.keysize.select=custom +preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] +preop.cert.sslserver.profile=caInternalAuthServerCert +preop.cert.sslserver.subsystem=ra +preop.cert._003=#preop.cert.sslserver.type=local +preop.cert.sslserver.userfriendlyname=SSL Server Certificate +preop.cert._004=#preop.cert.sslserver.cncomponent.override=false +preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA +preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID] +preop.cert.subsystem.keysize.customsize=2048 +preop.cert.subsystem.keysize.size=2048 +preop.cert.subsystem.keysize.select=custom +preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +preop.cert.subsystem.profile=caInternalAuthSubsystemCert +preop.cert.subsystem.subsystem=ra +preop.cert._005=#preop.cert.subsystem.type=local +preop.cert.subsystem.userfriendlyname=Subsystem Certificate +preop.cert._006=#preop.cert.subsystem.cncomponent.override=true +preop.configModules._000=######################################### +preop.configModules._001=# Installation configuration "preop" module parameters 
+preop.configModules._002=######################################### +preop.configModules.count=3 +preop.configModules.module0.commonName=NSS Internal PKCS #11 Module +preop.configModules.module0.imagePath=../img/clearpixel.gif +preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module +preop.configModules.module1.commonName=nfast +preop.configModules.module1.imagePath=../img/clearpixel.gif +preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module +preop.configModules.module2.commonName=lunasa +preop.configModules.module2.imagePath=../img/clearpixel.gif +preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module +preop.module.token=NSS Certificate DB +preop.keysize._000=######################################### +preop.keysize._001=# Installation configuration "preop" keysize parameters +preop.keysize._002=######################################### +preop.keysize.customsize=2048 +preop.keysize.select=default +preop.keysize.size=2048 +preop.keysize.ecc.size=256 diff --git a/base/ra/emails/mail_approve_request.vm b/base/ra/emails/mail_approve_request.vm new file mode 100644 index 000000000..461eb4d10 --- /dev/null +++ b/base/ra/emails/mail_approve_request.vm @@ -0,0 +1,11 @@ +Reply-to: $mail_to +Subject: Request #$request_id approved +To: $mail_to +Content-type: text/plain\n\n +Request #$request_id has been approved +for +Subject DN: $subject_dn + +Import certificate at: +https://$machineName:$nonClientAuthSecurePort/ee/request/getcert.cgi?id=$request_id + diff --git a/base/ra/emails/mail_create_request.vm b/base/ra/emails/mail_create_request.vm new file mode 100644 index 000000000..317270efa --- /dev/null +++ b/base/ra/emails/mail_create_request.vm 
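Review bot: The keys `conn.ca1._008`, `conn.ca1._009` and `conn.ca1._010` are each defined twice in the CA-connection comment block (once for `servlet.enrollment`, once for `servlet.addagent`); in a key=value store the second definition overwrites the first, so the enrollment-servlet documentation is silently lost — renumber the addagent entries and everything that follows them (`_011` onward). The second `_010` value is also missing its closing quote: `conn.ca1._010=# - must be '/ca/admin/ca/registerRaUser`. Separately, every `templateDir=/usr/share/pki/ra/conf` line hardcodes the default prefix although the CMake hunk in this commit installs the file under `${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf`; since the file already passes through `configure_file(... @ONLY)`, `templateDir=@SHARE_INSTALL_PREFIX@/@APPLICATION_NAME@/ra/conf` keeps e-mail notification working under a non-default prefix.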
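Review bot: `Reply-to: $mail_to` and `To: $mail_to` place a template value straight into mail headers, and CS.cfg.in in this commit sets `mailTo=$created_by` for the approve notification, so the address ultimately comes from request data; the template itself cannot reject a value containing a line break, which would let additional header lines be appended, so the EmailNotification plugin (outside this diff) must validate the address before rendering, and a template comment recording that assumption would help, e.g. `## $mail_to must be a single validated address; the plugin, not this template, rejects line breaks`. The same applies to mail_create_request.vm in the next hunk. `Content-type: text/plain\n\n` also relies on the renderer turning the literal `\n\n` into the header/body separator; if the backslash sequence is passed through untouched the body lines become part of the header block — confirm against the sender code.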
@@ -0,0 +1,8 @@
+Reply-to: $mail_to
+Subject: New request #$request_id has been created
+To: $mail_to
+Content-type: text/plain\n\n
+A new request has been created for you. You can access
+the request by going to
+
+https://$machineName:$securePort/agent/request/read.cgi?id=$request_id
diff --git a/base/ra/etc/init.d/pki-rad b/base/ra/etc/init.d/pki-rad
new file mode 100755
index 000000000..666bf6387
--- /dev/null
+++ b/base/ra/etc/init.d/pki-rad
@@ -0,0 +1,87 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007-2010 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+# pki-rad Startup script for the Apache HTTP pki-ra Server
+#
+# chkconfig: - 86 14
+# description: Registration Authority (Apache)
+# processname: pki-rad
+# piddir: /var/run/pki/ra
+# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
+
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-rad"
+SERVICE_PROG="/sbin/service"
+PKI_PATH="/usr/share/pki/ra"
+PKI_REGISTRY="/etc/sysconfig/pki/ra"
+PKI_TYPE="pki-ra"
+PKI_TOTAL_PORTS=3
+
+# Avoid using 'systemctl' for now
+SYSTEMCTL_SKIP_REDIRECT=1
+export SYSTEMCTL_SKIP_REDIRECT
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002
+
+command="$1"
+pki_instance="$2"
+
+# Source function library.
+. /etc/init.d/functions
+
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
+
+# See how we were called.
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
+esac
+
diff --git a/base/ra/forms/admin/group/add.cgi b/base/ra/forms/admin/group/add.cgi
new file mode 100755
index 000000000..212330d0d
--- /dev/null
+++ b/base/ra/forms/admin/group/add.cgi
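Review bot: `umask 00002` clears only the other-write bit, so every pid, lock and log file created from this script stays group-writable, while the comment above it reads as if write access were being restricted; if group-write is not deliberate for the service group, `umask 0022` is the usual daemon default, and if it is deliberate the comment should say so, e.g. `# 0002: files stay group-writable on purpose (shared pki group), others read-only`. `[ ! -f ${lockfile} ] || restart` expands `lockfile` unquoted (presumably set by one of the two sourced function libraries, not visible here); `[ ! -f "${lockfile}" ] || restart` avoids a wrong test result when it is empty or contains spaces. `PROG_NAME=$(basename "$0")` is the modern form of the backtick assignment and quotes the script path.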
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+ my $name = $util->get_val($q->param('name'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my $ref = $store->read_group($gid);
+ if (defined($ref)) {
+ # gid used
+ print $q->redirect("/admin/group/add_new.cgi?error=exist");
+ return;
+ }
+ my $ref = $store->add_group($gid, $name);
+ $store->close();
+
+ print 
$q->redirect("/admin/group/index.cgi");
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/add_member.cgi b/base/ra/forms/admin/group/add_member.cgi
new file mode 100755
index 000000000..d60fe965e
--- /dev/null
+++ b/base/ra/forms/admin/group/add_member.cgi
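Review bot: When `read_group` finds an existing gid the handler redirects and returns without calling `$store->close()`, so the store opened two lines earlier is left open on that path; close it first, `$store->close(); print $q->redirect("/admin/group/add_new.cgi?error=exist"); return;`. `my $ref` is declared a second time for the `add_group` result, which produces a "masks earlier declaration" warning under `PerlWarn On`, and that result is never checked — drop the second `my` and treat a false return as a failure. Neither `$gid` nor `$name` is rejected when empty, so a request without parameters creates a group with an empty id; reject an empty `$gid` before the store is opened, reusing the add_new.cgi error redirect. `PKI::Base::UserStore` is referenced without a `use` line in this file and likewise in add_member.cgi, delete.cgi, delete_member.cgi, group/index.cgi and group/read.cgi — the scripts only work if another module has already loaded it.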
@@ -0,0 +1,80 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+ my $userid = $util->get_val($q->param('uid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ $store->add_user_to_group($gid, $userid);
+ $store->close();
+
+ print $q->redirect("/admin/group/read.cgi?gid=" . $gid);
+}
+
+my $op = op->new();
+$op->execute();
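Review bot: `print $q->redirect("/admin/group/read.cgi?gid=" . $gid)` concatenates the request-supplied gid into the Location URL without URL-encoding, so a gid containing `&`, `#` or `%` yields a broken or ambiguous redirect (whether `get_val` restricts the character set is not visible in this diff); `"/admin/group/read.cgi?gid=" . CGI::escape($gid)` keeps the value intact. The same construction appears in delete_member.cgi. Nothing checks that the group exists or that `$userid` is non-empty before `add_user_to_group`, and its return value is discarded, so a failed insert redirects exactly like a successful one.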
diff --git a/base/ra/forms/admin/group/add_new.cgi b/base/ra/forms/admin/group/add_new.cgi
new file mode 100755
index 000000000..5a1ca7eda
--- /dev/null
+++ b/base/ra/forms/admin/group/add_new.cgi
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+ my $error = $q->param('error');
+ $context{error} = $util->html_encode($error);
+
+ my $result = $parser->execute_file_with_context("admin/group/add_new.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print 
$self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/delete.cgi b/base/ra/forms/admin/group/delete.cgi
new file mode 100755
index 000000000..5fb1f22ce
--- /dev/null
+++ b/base/ra/forms/admin/group/delete.cgi
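Review bot: `if ($xml eq "true")` compares an optional parameter without a definedness check, which emits an "uninitialized value" warning on every ordinary request as soon as `PerlWarn On` from the Apache config in this commit is enabled; `my $xml = $q->param('xml'); if (defined($xml) && $xml eq "true") {` is the minimal fix, and the same pattern is in group/index.cgi, group/read.cgi and admin/index.cgi. `$docroot` is assigned and never used. The `error` query parameter is reflected into the page only after `html_encode`, which is correct; a one-line comment `# error is user-supplied query input - keep it html-encoded` would stop a later edit from dropping the encoding.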
@@ -0,0 +1,79 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ $store->delete_group($gid);
+ $store->close();
+
+ print $q->redirect("/admin/group/index.cgi");
+}
+
+my $op = op->new();
+$op->execute();
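Review bot: `delete_group($gid)` accepts any gid, including `administrators` and `agents`, which CS.cfg.in in this same commit names in `admin.authorized_groups` and `agent.authorized_groups`; deleting either locks every administrator or agent out of the RA with no recovery path through the UI. A guard before the store is opened, `if ($gid eq "administrators" || $gid eq "agents") { print $q->redirect("/admin/group/index.cgi"); return; }` — or better, a check against the configured group lists read from `$cfg` — prevents that self-lockout. The return value of `delete_group` is not examined, so a failed delete redirects exactly like a successful one.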
diff --git a/base/ra/forms/admin/group/delete_member.cgi b/base/ra/forms/admin/group/delete_member.cgi
new file mode 100755
index 000000000..2e516eeee
--- /dev/null
+++ b/base/ra/forms/admin/group/delete_member.cgi
@@ -0,0 +1,79 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+ my $userid = $util->get_val($q->param('uid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ $store->delete_user_from_group($gid, $userid);
+ $store->close();
+
+ print $q->redirect("/admin/group/read.cgi?gid=" . $gid);
+}
+
+my $op = op->new();
+$op->execute();
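Review bot: An administrator can remove their own account from the `administrators` group (`$userid eq $uid`) and, since nothing counts the remaining members, the last member as well, after which nobody can reach this admin area; a check before the store is opened, `if ($gid eq "administrators" && $userid eq $uid) { print $q->redirect("/admin/group/read.cgi?gid=" . $gid); return; }`, prevents the most common self-lockout, and a remaining-member count in the store would cover the rest. As in add_member.cgi, `$gid` is concatenated into the redirect URL unencoded. The result of `delete_user_from_group` is discarded, so a no-op removal is indistinguishable from a successful one.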
diff --git a/base/ra/forms/admin/group/index.cgi b/base/ra/forms/admin/group/index.cgi
new file mode 100755
index 000000000..07dc653e6
--- /dev/null
+++ b/base/ra/forms/admin/group/index.cgi
@@ -0,0 +1,115 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+
+ my $util = PKI::Base::Util->new();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $sp = $util->get_alphanum_val($q->param('sp'));
+ if ($sp eq "") {
+ $sp = "0";
+ }
+ $context{sp} = $sp;
+ my $mc = $util->get_alphanum_val($q->param('mc'));
+ if ($mc eq "") {
+ $mc = "20";
+ }
+ $context{mc} = $mc;
+ $context{pp} = $sp - $mc; # previous pos (for paging)
+ 
$context{np} = $sp + $mc; # next pos (for paging)
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my @groups = $store->list_groups($sp, $mc);
+ $store->close();
+
+ my @r;
+ my $i = 0;
+ foreach my $group (@groups) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getGID => sub { return $util->html_encode(Encode::decode('UTF-8', $group->{'gid'})) },
+ getName => sub { return $util->html_encode(Encode::decode('UTF-8', $group->{'name'})) },
+ );
+ $i++;
+ }
+ $context{rows} = \@r;
+
+ my $result = $parser->execute_file_with_context("admin/group/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/read.cgi b/base/ra/forms/admin/group/read.cgi
new file mode 100755
index 000000000..9ede3aa53
--- /dev/null
+++ b/base/ra/forms/admin/group/read.cgi
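Review bot: `$sp` and `$mc` come from `get_alphanum_val`, which by its name admits letters, yet they are used in arithmetic (`$sp - $mc`, `$sp + $mc`) and handed to `list_groups` as paging offsets; a non-numeric value silently degrades to 0 and an arbitrarily large `mc` asks the store for an unbounded page, which is an easy way to make the listing expensive. Validating them as integers and capping the page size is three lines after the defaults are applied: `$sp = 0 unless $sp =~ /^\d+$/;`, `$mc = 20 unless $mc =~ /^\d+$/;`, `$mc = 100 if $mc > 100;` (100 is a constructed example limit). `$context{pp}` also goes negative on the first page; clamping it to 0 keeps the previous-page link valid. `$docroot` is assigned and never used.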
@@ -0,0 +1,125 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my $ref = $store->read_group($gid);
+
+ $context{gid} = $util->html_encode(Encode::decode('UTF-8', $ref->{'gid'}));
+ $context{name} = 
$util->html_encode(Encode::decode('UTF-8', $ref->{'name'}));
+
+ my @members = $store->list_all_members($gid);
+ my @users = $store->list_all_non_members($gid);
+ $store->close();
+
+ # new member in the group
+ my @r;
+ my $i = 0;
+ foreach my $member (@members) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getUID => sub { return $util->html_encode($member->{'uid'}) },
+ );
+ $i++;
+ }
+ $context{members} = \@r;
+
+ # read users
+ my @u;
+ $i = 0;
+ foreach my $user (@users) {
+ $u[$i] = new PKI::RA::GlobalVar(
+ getUID => sub { return $util->html_encode($user->{'uid'}) },
+ );
+ $i++;
+ }
+ if ($i == 0) {
+ $context{non_member_exists} = 0;
+ } else {
+ $context{non_member_exists} = 1;
+ }
+ $context{users} = \@u;
+
+ my $result = $parser->execute_file_with_context("admin/group/read.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/index.cgi b/base/ra/forms/admin/index.cgi
new file mode 100755
index 000000000..2db7b2500
--- /dev/null
+++ b/base/ra/forms/admin/index.cgi
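Review bot: `read_group($gid)` can return undef for an unknown gid (add.cgi in this same commit relies on exactly that to detect a free id), yet here the result is dereferenced unconditionally, so an unknown or empty gid renders a page with blank gid and name and two member lists instead of failing; redirecting back to the index when the lookup misses, with the store closed first, keeps the handler honest. The rewritten lines are below. Separately, the member `uid` values are html-encoded but, unlike `gid` and `name`, not passed through `Encode::decode('UTF-8', ...)`, which looks inconsistent for non-ASCII user ids — confirm whether uids are guaranteed ASCII.
```perl
    my $ref = $store->read_group($gid);
    if (!defined($ref)) {
        # unknown gid: do not render an empty group page for it
        $store->close();
        print $q->redirect("/admin/group/index.cgi");
        return;
    }
    # … unchanged: context population, member/non-member lists, rendering …
```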
@@ -0,0 +1,80 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::UserStore;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi?error=Authentication%20Error");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $result = $parser->execute_file_with_context("admin/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
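Review bot: `$context{uid} = $uid;` passes the current user id to the template without `$util->html_encode`, whereas admin/group/read.cgi and agent/index.cgi encode it; the same unencoded assignment appears in admin/user/add.cgi, add_new.cgi, delete.cgi, index.cgi and read.cgi. The uid comes from the authenticated session rather than the query string, so the exposure depends on how accounts are created, but output encoding should be consistent: `$context{uid} = $util->html_encode($uid);` (this file would also need `use PKI::Base::Util;` and a `$util` instance, which its siblings already have). The failed-auth redirect points at `/agent/error.cgi?...` while every other admin script redirects to `/admin/error.cgi`; presumably a copy-paste leftover, worth confirming.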
diff --git a/base/ra/forms/admin/user/add.cgi b/base/ra/forms/admin/user/add.cgi
new file mode 100755
index 000000000..94c4bae81
--- /dev/null
+++ b/base/ra/forms/admin/user/add.cgi
@@ -0,0 +1,99 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $userid = $util->get_val($q->param('uid'));
+ my $name = $util->get_val($q->param('name'));
+ my $email = $util->get_val($q->param('email'));
+ my $certificate = $util->get_val($q->param('certificate'));
+
+ if ($certificate =~ /BEGIN CERTIFICATE/ ||
+ $certificate =~ /END CERTIFICATE/) {
+ # do nothing
+ } else {
+ print $q->redirect("/admin/user/add_new.cgi?error=cert_header");
+ return;
+ }
+ $certificate =~ s/-----BEGIN CERTIFICATE-----//g;
+ $certificate =~ s/-----END CERTIFICATE-----//g;
+ $certificate =~ s/[\r\n]//g;
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my $ref = $store->read_user($userid);
+ if (defined($ref)) {
+ # uid used
+ print $q->redirect("/admin/user/add_new.cgi?error=exist");
+ return;
+ }
+ my $ref = $store->add_user($userid, $name, $email, $certificate);
+ $store->close();
+
+ print $q->redirect("/admin/user/index.cgi");
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/add_new.cgi b/base/ra/forms/admin/user/add_new.cgi
new file mode 100755
index 000000000..8bfbd0e9e
--- /dev/null
+++ b/base/ra/forms/admin/user/add_new.cgi
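Review bot: The PEM check accepts a certificate that carries only one of the two armor lines because the two matches are joined with `||`, and after the armor is stripped nothing verifies that what goes into `add_user` is base64 at all; the block below requires both markers and rejects any non-base64 remainder. On the `error=exist` path the script returns without `$store->close()`, and `my $ref = $store->add_user(...)` redeclares `$ref` in the same scope, which `use warnings` would flag. `$name` and `$email` reach `add_user` exactly as `get_val` returns them and that helper's sanitisation is not visible here; if it only escapes HTML, the store layer must still bind them as query parameters.
```perl
  if ($certificate !~ /BEGIN CERTIFICATE/ ||
      $certificate !~ /END CERTIFICATE/) {
    print $q->redirect("/admin/user/add_new.cgi?error=cert_header");
    return;
  }
  $certificate =~ s/-----BEGIN CERTIFICATE-----//g;
  $certificate =~ s/-----END CERTIFICATE-----//g;
  $certificate =~ s/[\r\n]//g;
  # once the PEM armor is gone only base64 may remain
  if ($certificate !~ m{^[A-Za-z0-9+/]+={0,2}$}) {
    print $q->redirect("/admin/user/add_new.cgi?error=cert_header");
    return;
  }

  # … unchanged: UserStore open and read_user($userid) …
  if (defined($ref)) {
    # uid used
    $store->close();
    print $q->redirect("/admin/user/add_new.cgi?error=exist");
    return;
  }
  $ref = $store->add_user($userid, $name, $email, $certificate);
  $store->close();
```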
@@ -0,0 +1,87 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $error = $util->get_val($q->param('error'));
+ $context{error} = $error;
+
+ my $result = $parser->execute_file_with_context("admin/user/add_new.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/delete.cgi b/base/ra/forms/admin/user/delete.cgi
new file mode 100755
index 000000000..707035edb
--- /dev/null
+++ b/base/ra/forms/admin/user/delete.cgi
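Review bot: `$context{error} = $error;` reflects the `error` query parameter into the template without `$util->html_encode`, while agent/error.cgi encodes the same kind of value; unless `get_val` already escapes HTML (not visible here) or the template does, this is a reflected injection point on an admin page. Use `$context{error} = $util->html_encode($error);`, matching error.cgi. The only values the visible callers send are the fixed codes `cert_header` and `exist`, so restricting the parameter to such tokens (`$error = "" unless $error =~ /^[a-z_]+$/;`) would be stricter still.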
@@ -0,0 +1,79 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my $util = PKI::Base::Util->new();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $userid = $util->get_val($q->param('uid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ $store->delete_user($userid);
+ $store->close();
+
+ print $q->redirect("/admin/user/index.cgi");
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/index.cgi b/base/ra/forms/admin/user/index.cgi
new file mode 100755
index 000000000..c845ae1dc
--- /dev/null
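Review bot: `delete_user($userid)` runs for any request that passes `admin_auth`, with no check on the HTTP method and no anti-forgery token; the same pattern governs the revocation in agent/cert/submit.cgi and the note append in agent/request/add_note.cgi. Unless `admin_auth` enforces something beyond the session, a cross-site request from the admin's browser can trigger the deletion, so require POST and a per-session token before the store is touched, e.g. `if ($q->request_method() ne "POST") { print $q->redirect("/admin/user/index.cgi"); return; }` as a first step. `$userid` is not checked for emptiness before `delete_user`, and the call's result is discarded, so a failed delete still redirects to the index as if it had succeeded.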
+++ b/base/ra/forms/admin/user/index.cgi 
@@ -0,0 +1,118 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my $util = PKI::Base::Util->new();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $status = $util->get_alphanum_val($q->param('status'));
+ $context{status} = $status;
+
+ my $sp = $util->get_alphanum_val($q->param('sp'));
+ if ($sp eq "") {
+ $sp = "0";
+ }
+ $context{sp} = $sp;
+ my $mc = $util->get_alphanum_val($q->param('mc'));
+ if ($mc eq "") {
+ $mc = "20";
+ }
+ $context{mc} = $mc;
+ $context{pp} = $sp - $mc; # previous pos (for paging)
+ $context{np} = $sp + $mc; # next pos (for paging)
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my @users = $store->list_users($sp, $mc);
+ $store->close();
+
+ my @r;
+ my $i = 0;
+ foreach my $user (@users) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getUID => sub { return $util->html_encode($user->{'uid'}) },
+ getName => sub { return $util->html_encode(Encode::decode('UTF-8',$user->{'name'})) },
+ getEmail => sub { return $util->html_encode($user->{'email'}) },
+ );
+ $i++;
+ }
+ $context{rows} = \@r;
+
+ my $result = $parser->execute_file_with_context("admin/user/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/read.cgi b/base/ra/forms/admin/user/read.cgi
new file mode 100755
index 000000000..08d2fd3f7
--- /dev/null
+++ b/base/ra/forms/admin/user/read.cgi
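Review bot: `$sp` and `$mc` come from `get_alphanum_val`, which by its name admits letters, so `$sp - $mc` and `$sp + $mc` can silently evaluate to 0 and `list_users($sp, $mc)` receives non-numeric paging arguments; agent/cert/index.cgi has the same construction. `$mc` also has no upper bound, so a single request can ask for an arbitrarily large page. Normalise both before use, for example `$sp = "0" unless $sp =~ /^\d+$/;` and `$mc = "20" unless $mc =~ /^\d+$/ && $mc > 0 && $mc <= 100;`, and clamp `$context{pp}` at 0. `$status` is placed in the context but never passed to `list_users`, which looks like an unfinished filter.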
@@ -0,0 +1,97 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $userid = $util->get_val($q->param('uid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my $ref = $store->read_user($userid);
+ $store->close();
+
+ $context{userid} = $util->html_encode($ref->{'uid'});
+ $context{name} = $util->html_encode(Encode::decode('UTF-8', $ref->{'name'}));
+ $context{email} = $util->html_encode($ref->{'email'});
+ $context{certificate} = $util->breakline($util->html_encode($ref->{'certificate'}),40);
+
+ my $result = $parser->execute_file_with_context("admin/user/read.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/cert/index.cgi b/base/ra/forms/agent/cert/index.cgi
new file mode 100755
index 000000000..46e5b8c2c
--- /dev/null
+++ b/base/ra/forms/agent/cert/index.cgi
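Review bot: `$ref` from `read_user($userid)` is dereferenced without a definedness check, so an unknown uid renders a page whose fields are all empty instead of an error; add `if (!defined($ref)) { print $q->redirect("/admin/user/index.cgi"); return; }` right after `$store->close()`. The `uid` query parameter goes straight from `get_val` into `read_user`, whose query construction is not visible here, so it is worth confirming that the store binds it as a parameter rather than interpolating it.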
@@ -0,0 +1,119 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Base::CertStore;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my @roles = $self->get_current_roles($cfg);
+ my $r = join(",",@roles);
+
+ my $sp = $util->get_alphanum_val($q->param('sp'));
+ if ($sp eq "") {
+ $sp = "0";
+ }
+ $context{sp} = $sp;
+ my $mc = $util->get_alphanum_val($q->param('mc'));
+ if ($mc eq "") {
+ $mc = "20";
+ }
+ $context{mc} = $mc;
+ $context{pp} = $sp - $mc; # previous pos (for paging)
+ $context{np} = $sp + $mc; # next pos (for paging)
+
+ my $cs = PKI::Base::CertStore->new();
+ $cs->open($cfg);
+ my @certs = $cs->list_certs_by_approver($uid, $sp, $mc);
+ $cs->close();
+
+ my @r;
+ my $i = 0;
+ foreach my $cert (@certs) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getReqId => sub { return $util->html_encode($cert->{'rid'}) },
+ getSerialno => sub { return $util->html_encode($cert->{'serialno'}) },
+ getSubjectDN => sub { return $util->html_encode($cert->{'subject_dn'}) },
+ getCertificate => sub { return $util->html_encode($cert->{'certificate'}) },
+ getApprovedBy => sub { return $util->html_encode($cert->{'approved_by'}) },
+ getCreatedAt => sub { return $util->html_encode($cert->{'created_at'}); },
+ );
+ $i++;
+ }
+ $context{rows} = \@r;
+
+ my $result = $parser->execute_file_with_context("agent/cert/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/cert/read.cgi b/base/ra/forms/agent/cert/read.cgi
new file mode 100755
index 000000000..f434baedb
--- /dev/null
+++ b/base/ra/forms/agent/cert/read.cgi
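Review bot: `my @roles = $self->get_current_roles($cfg); my $r = join(",",@roles);` computes `$r` and never reads it, so both lines are dead code and should be removed unless the roles are meant to gate something. The paging arguments `$sp`/`$mc` carry the same non-numeric and unbounded problem as in admin/user/index.cgi. `getCertificate` copies the full certificate body into every row of the list view, which makes the HTML and the XML output large; worth checking whether the index template actually needs it, since the read view shows it already.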
@@ -0,0 +1,104 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Conn::CA;
+use Encode;
+use vars qw (@ISA);
+use PKI::Service::Op;
+
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
+
+ my $cs = PKI::Base::CertStore->new();
+ $cs->open($cfg);
+ my $ref = $cs->read_certificate_by_approver($uid, $serialno);
+ $cs->close();
+
+ my $ca = PKI::Conn::CA->new();
+ $ca->open($cfg);
+ my $certStatus = $ca->getCertStatus("ca1", $serialno);
+ $ca->close();
+
+
+ $context{certificate} = $util->breakline($util->html_encode($ref->{'certificate'}), 40);
+
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{subject_dn} = $util->html_encode(Encode::decode('UTF-8', $ref->{'subject_dn'}));
+ $context{created_at} = $util->html_encode($ref->{'created_at'});
+ $context{approved_by} = $util->html_encode($ref->{'approved_by'});
+ $context{rid} = $util->html_encode($ref->{'rid'});
+ $context{certStatus} = $util->html_encode($certStatus);
+
+ my $result = $parser->execute_file_with_context("agent/cert/read.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/cert/revoke.cgi b/base/ra/forms/agent/cert/revoke.cgi
new file mode 100755
index 000000000..1e483aea0
--- /dev/null
+++ b/base/ra/forms/agent/cert/revoke.cgi
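Review bot: `PKI::Base::CertStore->new()` is called but this file has no `use PKI::Base::CertStore;` (agent/cert/index.cgi has one); unless the module is loaded transitively the script dies at runtime. `$ca->getCertStatus("ca1", $serialno)` is issued regardless of whether `read_certificate_by_approver($uid, $serialno)` found a row, so the approver scoping of the store lookup does not extend to the CA query; gate it with `if (!defined($ref)) { print $q->redirect("/agent/error.cgi"); return; }` before `PKI::Conn::CA->new()`. The CA instance name `"ca1"` is hard-coded here and again in submit.cgi; it should be read from `$cfg` so the two cannot drift apart.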
@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Registry;
+use PKI::Base::Util;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
+ my $subject_dn = $util->get_val($q->param('subject_dn'));
+ my $rid = $util->get_alphanum_val($q->param('rid'));
+
+ $context{serialno} = $util->html_encode($serialno);
+ $context{subject_dn} = $util->html_encode(Encode::decode('UTF-8',$subject_dn));
+ $context{rid} = $util->html_encode($rid);
+
+ my $result = $parser->execute_file_with_context("agent/cert/revoke.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/cert/submit.cgi b/base/ra/forms/agent/cert/submit.cgi
new file mode 100755
index 000000000..571385f3a
--- /dev/null
+++ b/base/ra/forms/agent/cert/submit.cgi
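Review bot: The confirmation page takes `serialno`, `subject_dn` and `rid` from the query string and shows them back (encoded), whereas agent/cert/read.cgi derives the same fields from `read_certificate_by_approver($uid, $serialno)`; because the DN shown here is not tied to the serial by a store lookup, the agent can be shown a DN that does not belong to the serial about to be revoked. Look the record up the way read.cgi does and render `$ref->{'subject_dn'}` and `$ref->{'rid'}`, so the form only displays store-backed data for a serial this agent approved.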
@@ -0,0 +1,104 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Conn::CA;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
+ my $subject_dn = $util->get_val($q->param('subject_dn'));
+ my $reason = $util->get_alphanum_val($q->param('reason'));
+ my $rid = $util->get_alphanum_val($q->param('rid'));
+
+ my $ca = PKI::Conn::CA->new();
+ $ca->open($cfg);
+ $ca->revoke($rid, "ca1", $serialno, $reason);
+ $ca->close();
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+
+ my $ref = $queue->read_request($rid);
+ $context{errorString} = $util->html_encode($ref->{'errorString'});
+ $queue->close();
+
+ $context{rid} = $util->html_encode($rid);
+ $context{serialno} = $util->html_encode($serialno);
+ $context{subject_dn} = $util->html_encode(Encode::decode('UTF-8', $subject_dn));
+
+ my $result = $parser->execute_file_with_context("agent/cert/submit.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/error.cgi b/base/ra/forms/agent/error.cgi
new file mode 100755
index 000000000..fa13365a7
--- /dev/null
+++ b/base/ra/forms/agent/error.cgi
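Review bot: `$ca->revoke($rid, "ca1", $serialno, $reason)` is executed without first confirming, as agent/cert/read.cgi does with `read_certificate_by_approver($uid, $serialno)`, that the serial belongs to a request this agent approved; unless `PKI::Conn::CA::revoke` enforces that itself, any authenticated agent can revoke any serial. The return value of `revoke` is discarded and the page then reads `errorString` from the request record, so presumably a failure before the CA is reached leaves the user with an empty error string. `PKI::Request::Queue` is used here without a `use` line, and `$reason` is only filtered as alphanumeric rather than checked against the revocation reason codes the CA accepts.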
@@ -0,0 +1,81 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::UserStore;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $util = PKI::Base::Util->new();
+
+ my $error = $util->get_val($q->param('error'));
+
+ my %context;
+ if ($error ne "") {
+ $context{has_error} = 1;
+ $context{'error'} = $util->html_encode($error);
+ }
+
+ my $result = $parser->execute_file_with_context("agent/error.vm", \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/index.cgi b/base/ra/forms/agent/index.cgi
new file mode 100755
index 000000000..c8f2040fe
--- /dev/null
+++ b/base/ra/forms/agent/index.cgi
@@ -0,0 +1,83 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::UserStore;
+use PKI::Base::Registry;
+use PKI::Base::Util;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi?error=Authentication%20Error");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $result = $parser->execute_file_with_context("agent/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/request/add_note.cgi b/base/ra/forms/agent/request/add_note.cgi
new file mode 100755
index 000000000..0ffac91c7
--- /dev/null
+++ b/base/ra/forms/agent/request/add_note.cgi
@@ -0,0 +1,93 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Base::Registry; +use PKI::Request::Queue; +use PKI::Base::TimeTool; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + if (!$self->agent_auth($cfg)) { + print $q->redirect("/agent/error.cgi"); + return; + } + my $uid = $self->get_current_uid($cfg); + + my %context; + $context{uid} = $util->html_encode($uid); + + my $id = $util->get_alphanum_val($q->param('id')); + my $note = $util->get_val($q->param('note')); + + if ($note eq "") { + # dont add anything + print $q->redirect("/agent/request/read.cgi?id=" . 
$id); + return; + } + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + my $new_note = "==== Note created by $uid at $now ====\n" . + $note . "\n"; + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $ref = $queue->read_request($id); + $queue->set_request($id, "note", $ref->{'note'} . $new_note); + $queue->close(); + + print $q->redirect("/agent/request/read.cgi?id=" . $id); +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/agent/request/index.cgi b/base/ra/forms/agent/request/index.cgi new file mode 100755 index 000000000..81b25977a --- /dev/null +++ b/base/ra/forms/agent/request/index.cgi 
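Review bot: The note is written to whatever request id the caller supplies, because this script fetches with `$queue->read_request($id)` instead of the role-scoped `read_request_by_roles(\@roles, $id)` that read.cgi and op.cgi in this same change use, so an agent can annotate requests outside the roles they are allowed to see. Nothing checks that `$ref` is defined either, so an unknown id concatenates onto an undefined hash slot and then calls `set_request` on a row that presumably does not exist. I would fetch with `my @roles = $self->get_current_roles($cfg); my $ref = $queue->read_request_by_roles(\@roles, $id);` and bail out with `if (!defined $ref) { $queue->close(); print $q->redirect("/agent/error.cgi"); return; }` before the `set_request` call, which is the pattern op.cgi already follows.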
@@ -0,0 +1,146 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use DBI; +use CGI; +use Template::Velocity; +use PKI::RA::GlobalVar; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Base::Registry; +use PKI::Request::Queue; +use PKI::Service::Op; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + if (!$self->agent_auth($cfg)) { + print $q->redirect("/agent/error.cgi"); + return; + } + my $uid = $self->get_current_uid($cfg); + $self->debug_log( $cfg, "in request/index.cgi, uid == $uid"); + + my %context; + $context{uid} = $util->html_encode($uid); + + my @roles = $self->get_current_roles($cfg); +# my $r = join(",",@roles); + + my $status = $util->get_alphanum_val($q->param('status')); + if ($status eq "") { + $context{status} = ""; + } else { + 
$context{status} = $util->html_encode($status); + } + + my $sp = $util->get_alphanum_val($q->param('sp')); + if ($sp eq "") { + $sp = "0"; + } + $context{sp} = $sp; + my $mc = $util->get_alphanum_val($q->param('mc')); + if ($mc eq "") { + $mc = "20"; + } + $context{mc} = $mc; + $context{pp} = $sp - $mc; # previous pos (for paging) + $context{np} = $sp + $mc; # next pos (for paging) + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $total = $queue->count_requests_by_roles(\@roles, $status); + $context{total} = $util->html_encode($total); + + my @reqs = $queue->list_requests_by_roles(\@roles, $status, $sp, $mc); +# my @reqs = $queue->list_requests_by_roles($r, $status, $sp, $mc); + $queue->close(); + + my @r; + my $i = 0; + foreach my $req (@reqs) { + $r[$i] = new PKI::RA::GlobalVar( + getId => sub { return $util->html_encode($req->{'rowid'}) }, + getType => sub { return $util->html_encode($req->{'type'}) }, + getStatus => sub { return $util->html_encode($req->{'status'}) }, + getError => sub { return $util->html_encode($req->{'errorString'}) }, + getAssignedTo => sub { return $util->html_encode($req->{'assigned_to'}) }, + getData => sub { return $util->html_encode($req->{'data'}); }, + getCreatedBy => sub { return $util->html_encode($req->{'created_by'}); }, + getCreatedAt => sub { return $util->html_encode($req->{'created_at'}); }, + ); + $i++; + } + $context{rows} = \@r; + + if ($sp - $mc < 0) { + $context{show_previous} = "no"; + } else { + $context{show_previous} = "yes"; + } + + if ($i < 20) { + $context{show_next} = "no"; + } else { + $context{show_next} = "yes"; + } + + my $result = $parser->execute_file_with_context("agent/request/index.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); 
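Review bot: `show_next` is decided by `if ($i < 20)` while the page size actually passed to `list_requests_by_roles` is `$mc`, so with `mc=10` the next link vanishes after a full page and with `mc=50` it is shown on a short last page; the comparison should be `if ($i < $mc) {`. `$sp` and `$mc` also only pass through `get_alphanum_val`, which by its name still admits letters, so `$sp - $mc` and `$sp + $mc` run on non-numeric strings and a caller can hand an arbitrarily large `mc` to the query. I would normalise both before use, `$sp = 0 unless $sp =~ /^\d+$/;` and `$mc = 20 unless $mc =~ /^\d+$/ && $mc > 0 && $mc <= 100;` (the cap is a suggestion); what `get_alphanum_val` does with rejected characters is not visible here.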
diff --git a/base/ra/forms/agent/request/op.cgi b/base/ra/forms/agent/request/op.cgi new file mode 100755 index 000000000..363d7121b --- /dev/null +++ b/base/ra/forms/agent/request/op.cgi 
@@ -0,0 +1,153 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use Benchmark; +use CGI; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Registry; +use PKI::Request::Queue; +use PKI::Base::Util; +use Encode; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + + my $q = CGI->new(); + + my $st = new Benchmark; + + my $util = PKI::Base::Util->new(); + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + if (!$self->agent_auth($cfg)) { + print $q->redirect("/agent/error.cgi"); + return; + } + my $uid = $self->get_current_uid($cfg); + + my %context; + $context{uid} = $util->html_encode($uid); + + my $type = $util->get_alphanum_val($q->param('type')); + my $id = $util->get_alphanum_val($q->param('id')); + + my $db_st = new Benchmark; + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + + my $ref; + + my @roles = $self->get_current_roles($cfg); + my 
$pref = $queue->read_request_by_roles(\@roles, $id); + + if (! defined $pref) { + $queue->close(); + $self->debug_log($cfg, "Invalid attempt to process request id= " . $id . + " by userid= " . $uid); + print $q->redirect("/agent/error.cgi"); + return; + } + + my $curr_status = $pref->{'status'}; + if ($type eq "approve") { + if (($curr_status ne "OPEN") && ($curr_status ne "ERROR")) { + $queue->close(); + print $q->redirect("/agent/request/read.cgi?id=$id"); + return; + } + + $ref = $queue->approve_request($id, $uid); + } elsif ($type eq "reject") { + if (($curr_status ne "OPEN") && ($curr_status ne "ERROR")) { + $queue->close(); + print $q->redirect("/agent/request/read.cgi?id=$id"); + return; + } + + $ref = $queue->reject_request($id, $uid); + } + $queue->close(); + my $db_et = new Benchmark; + + $context{data} = $util->breakline($util->html_encode(Encode::decode('UTF-8', $ref->{'data'})), 40); + $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40); + $context{serialno} = $util->html_encode($ref->{'serialno'}); + $context{type} = $util->html_encode($ref->{'type'}); + $context{ip} = $util->html_encode($ref->{'ip'}); + $context{note} = $util->html_encode($ref->{'note'}); + $context{note} =~ s/\n/<br\/>/g; + $context{created_at} = $util->html_encode($ref->{'created_at'}); + $context{updated_at} = $util->html_encode($ref->{'updated_at'}); + $context{assigned_to} = $util->html_encode($ref->{'assigned_to'}); + $context{processed_by} = $util->html_encode($ref->{'processed_by'}); + $context{created_by} = $util->html_encode($ref->{'created_by'}); + $context{status} = $util->html_encode($ref->{'status'}); + $context{errorString} = $util->html_encode($ref->{'errorString'}); + $context{id} = $util->html_encode($ref->{'rowid'}); + + my $t_st = new Benchmark; + my $result = $parser->execute_file_with_context("agent/request/op.vm", + \%context); + my $t_et = new Benchmark; + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: 
text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } + + my $et = new Benchmark; + + $self->debug_log($cfg, "benchmark " . + "total=" . timestr(timediff($et, $st)) . " " . + "db total=" . timestr(timediff($db_et, $db_st)) . " " . + "template total=" . timestr(timediff($t_et, $t_st)) . " " + ); +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/agent/request/read.cgi b/base/ra/forms/agent/request/read.cgi new file mode 100755 index 000000000..d1633c164 --- /dev/null +++ b/base/ra/forms/agent/request/read.cgi 
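Review bot: The approve/reject decision is taken from `$q->param('type')` and `$q->param('id')` with no anti-CSRF token and no check of the request method, and CGI.pm's `param` reads the query string as well as the body, so an already-authenticated agent can be made to approve a request just by loading `/agent/request/op.cgi?type=approve&id=N` from a third-party page (how `agent_auth` authenticates is not visible; if it relies on a client certificate or cookie the browser attaches it automatically). At minimum I would reject non-POST requests before the queue is opened, `if (($ENV{REQUEST_METHOD} || '') ne 'POST') { print $q->redirect("/agent/request/read.cgi?id=$id"); return; }`, and bind the form to a per-session token that is verified here. A `type` that is neither `approve` nor `reject` also falls through with `$ref` undefined and renders op.vm with empty fields; that case should redirect to read.cgi the way the status checks do.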
@@ -0,0 +1,119 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use DBI; +use CGI; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Registry; +use PKI::Base::Util; +use PKI::Request::Queue; +use Encode; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + if (!$self->agent_auth($cfg)) { + print $q->redirect("/agent/error.cgi"); + return; + } + my $uid = $self->get_current_uid($cfg); + + my %context; + $context{uid} = $util->html_encode($uid); + + + my @roles = $self->get_current_roles($cfg); +# my $r = join(",",@roles); + + my $id = $util->get_alphanum_val($q->param('id')); + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $ref = $queue->read_request_by_roles(\@roles, $id); + $queue->close(); + + $context{data} = 
$util->breakline($util->html_encode(Encode::decode('UTF-8',$ref->{'data'})), 40); + $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40); + $context{meta_info} = $util->breakline($util->html_encode($ref->{'meta_info'}), 40); + + $context{serialno} = $util->html_encode($ref->{'serialno'}); + $context{subject_dn} = $util->html_encode($ref->{'subject_dn'}); + $context{type} = $util->html_encode($ref->{'type'}); + $context{created_at} = $util->html_encode($ref->{'created_at'}); + $context{created_by} = $util->html_encode($ref->{'created_by'}); + $context{updated_at} = $util->html_encode($ref->{'updated_at'}); + $context{ip} = $util->html_encode($ref->{'ip'}); + $context{processed_by} = $util->html_encode($ref->{'processed_by'}); + $context{note} = $util->html_encode($ref->{'note'}); + $context{note} =~ s/\n/<br\/>/g; + $context{assigned_to} = $util->html_encode($ref->{'assigned_to'}); + $context{status} = $util->html_encode($ref->{'status'}); + if ($ref->{'status'} eq "OPEN") { + $context{is_open} = 1; + } + if ($ref->{'status'} eq "ERROR") { + $context{is_error} = 1; + } + $context{errorString} = $util->html_encode($ref->{'errorString'}); + $context{id} = $util->html_encode($ref->{'rowid'}); + + my $result = $parser->execute_file_with_context("agent/request/read.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/agent/enroll.cgi b/base/ra/forms/ee/agent/enroll.cgi new file mode 100755 index 000000000..4f1af8f16 --- /dev/null +++ b/base/ra/forms/ee/agent/enroll.cgi 
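Review bot: `read_request_by_roles` can return undef (op.cgi in this change tests `! defined $pref` for exactly that case), but here `$ref` is dereferenced immediately, so an id outside the agent's roles or a non-existent id renders read.vm with empty fields and `Encode::decode('UTF-8', undef)` warnings instead of an error. I would add, directly after `$queue->close();`, `if (!defined $ref) { $self->debug_log($cfg, "Invalid attempt to read request id= $id by userid= $uid"); print $q->redirect("/agent/error.cgi"); return; }` so the role scoping is enforced and logged the same way as in op.cgi.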
@@ -0,0 +1,127 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use MIME::Base64; +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Registry; +use PKI::Request::Queue; +use PKI::Conn::CA; +use PKI::Base::PinStore; +use PKI::Base::Util; + +use vars qw (@ISA); +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $uid = $util->get_val($q->param('uid')); + my $pin = $util->get_alphanum_val($q->param('pin')); + my $csr = $util->get_val($q->param('csr')); + $csr = $util->normalize_csr($csr); + + my $key = $uid; + + my $pin_store = PKI::Base::PinStore->new(); + $pin_store->open($cfg); + my $pinref = $pin_store->read_pin($key); + if (defined($pinref) && $pinref->{'pin'} eq $pin) { + $pin_store->delete($key); + } else { + $pin_store->close(); + print 
$q->redirect("/ee/error.cgi?error=Invalid Pin"); + return; + } + my $rid = $pinref->{'rid'}; + $pin_store->close(); + + my $profile_id = $cfg->get("request.agent.profileId"); + my $cert_request_type = $cfg->get("request.agent.reqType"); + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $req = $queue->read_request($rid); + $queue->set_request($rid, "subject_dn", "uid=$uid, e=$req->{'created_by'}"); + + my $ca = PKI::Conn::CA->new(); + $ca->open($cfg); + my $cert = $ca->enroll($rid, "ca1", $profile_id, $cert_request_type, $csr); + $ca->close(); + $queue->set_request($rid, "output", $cert); + + $req = $queue->read_request($rid); + if ($cert eq "") { + my $error = $req->{'errorString'}; + $queue->close(); + print $q->redirect("/ee/error.cgi?error=$error"); + return; + } + + my $decoded = decode_base64($cert); + my $encoded = encode_base64($decoded); + + my %context; + $context{cert} = $encoded; + $context{rid} = $util->html_encode($rid); + $context{subject_dn} = $util->html_encode($req->{'subject_dn'}); + $queue->close(); + + my $result = $parser->execute_file_with_context("ee/agent/enroll.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/agent/index.cgi b/base/ra/forms/ee/agent/index.cgi new file mode 100755 index 000000000..66fceb8ff --- /dev/null +++ b/base/ra/forms/ee/agent/index.cgi 
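Review bot: `$uid` comes from `get_val`, i.e. unfiltered, and is interpolated into the stored subject DN as `"uid=$uid, e=$req->{'created_by'}"`, so a value like `foo,cn=something` injects extra RDNs into `subject_dn`; the CSR is what is actually sent to the CA, so whether that stored DN ever reaches a certificate is not visible here, but it is shown to agents and end entities by the read scripts. I would either look the PIN up by a `get_alphanum_val` uid (submit.cgi must then apply the same filter, since the raw uid is the pin-store key) or escape the RFC 4514 special characters `, + " \ < > ; =` before building the DN. Two smaller points: the redirects `?error=Invalid Pin` and `?error=$error` put unencoded text into the URL, so wrap the value in `CGI::escape(...)`; and a wrong PIN leaves the stored PIN in place with no attempt counter in this script, so guesses can be repeated indefinitely unless the pin store itself throttles, which is not visible.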
@@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use PKI::Base::Registry; +use Template::Velocity; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/agent/index.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/agent/new.cgi b/base/ra/forms/ee/agent/new.cgi new file mode 100755 index 000000000..c209f5e74 --- /dev/null +++ b/base/ra/forms/ee/agent/new.cgi 
@@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use PKI::Base::Registry; +use Template::Velocity; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/agent/new.vm", \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } + +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/agent/start.cgi b/base/ra/forms/ee/agent/start.cgi new file mode 100755 index 000000000..27aedb546 --- /dev/null +++ b/base/ra/forms/ee/agent/start.cgi 
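Review bot: `use PKI::Service::Op;` is imported twice in this script, once in the main `use` list and again just before `@ISA`; the second one is redundant and the same duplication appears in several sibling scripts of this change, so keep a single `use PKI::Service::Op;` next to the `@ISA` assignment. `$docroot` and `$cfg` are also assigned and never used here, so the two `PKI::Base::Registry` lookups can be dropped. Purely style; the rendered output is unaffected.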
@@ -0,0 +1,69 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use PKI::Base::Registry; +use Template::Velocity; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + + my $result = $parser->execute_file_with_context("ee/agent/start.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/agent/submit.cgi b/base/ra/forms/ee/agent/submit.cgi new file mode 100755 index 000000000..a68242114 --- /dev/null +++ b/base/ra/forms/ee/agent/submit.cgi 
@@ -0,0 +1,88 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Base::Registry; +use PKI::Request::Queue; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my $uid = $util->get_val($q->param('uid')); + my $email = $util->get_val($q->param('email')); + + $self->debug_params($cfg, $q); + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $request_id = $queue->create_request("agent", + "uid=" . 
$uid, + "0", + $email); + my %context; + $context{request_id} = $util->html_encode($request_id); + $self->debug_log($cfg, "request $request_id created"); + $queue->close(); + + my $result = $parser->execute_file_with_context("ee/agent/submit.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/error.cgi b/base/ra/forms/ee/error.cgi new file mode 100755 index 000000000..1417d4b61 --- /dev/null +++ b/base/ra/forms/ee/error.cgi 
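Review bot: This unauthenticated end-entity endpoint creates a queue entry from `uid` and `email` that both come from `get_val` with no shape check, and enroll.cgi in this change later builds `"uid=$uid, e=$req->{'created_by'}"` from exactly these values, so malformed or DN-special input is accepted here and resurfaces there. I would validate at the entry point, e.g. `if ($uid eq "" || $email !~ /^[^\s@,]+@[^\s@,]+$/) { print $q->redirect("/ee/error.cgi?error=Invalid%20Request"); return; }` before `$queue->open($cfg)`, and filter `$uid` with the same rule enroll.cgi uses for the PIN lookup so the two stay in sync. There is also nothing here limiting how many requests one client can create; whether `create_request` throttles is not visible.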
@@ -0,0 +1,81 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::UserStore; +use PKI::Base::Util; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $util = PKI::Base::Util->new(); + + my %context; + + my $error = $util->get_val($q->param('error')); + if ($error ne "") { + $context{has_error} = 1; + $context{'error'} = $util->html_encode($error); + } + + my $result = $parser->execute_file_with_context("ee/error.vm", \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); 
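Review bot: The `error` parameter is reflected (HTML-encoded) into the RA's own error page, which lets anyone craft a link such as `/ee/error.cgi?error=Your+certificate+was+revoked,+contact+...` that shows arbitrary text under the RA's branding. `html_encode` rules out script injection on the HTML branch; the XML branch depends on what `xml_output` does with already-encoded values, which is not visible here. Since the fixed messages used by the callers in this change are few, I would map short codes to messages here, `my %msgs = (pin => "Invalid Pin", auth => "Authentication Error");` and `$context{'error'} = $msgs{$error} || "Unknown error";`, and for the dynamic `errorString` case in enroll.cgi show a generic message and keep the detail in the debug log.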
diff --git a/base/ra/forms/ee/index.cgi b/base/ra/forms/ee/index.cgi new file mode 100755 index 000000000..453b2873b --- /dev/null +++ b/base/ra/forms/ee/index.cgi @@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/index.vm", \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/request/getcert.cgi b/base/ra/forms/ee/request/getcert.cgi new file mode 100755 index 000000000..b22444dc1 
--- /dev/null +++ b/base/ra/forms/ee/request/getcert.cgi 
@@ -0,0 +1,93 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use DBI; +use CGI; +use PKI::Service::Op; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Base::Registry; +use PKI::Request::Queue; +use Template::Velocity; +use MIME::Base64; +use Encode; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + + my $id = $util->get_alphanum_val($q->param('id')); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $req = $queue->read_request($id); + $queue->close(); + + my %context; + $context{id} = $util->html_encode($req->{'rowid'}); + $context{serialno} = $util->html_encode($req->{'serialno'}); + $context{subject_dn} = $util->html_encode(Encode::decode('UTF-8', $req->{'subject_dn'})); + if ($req->{'serialno'} eq "unavailable") { + 
$context{output} = ""; + } else { + $context{output} = "-----BEGIN CERTIFICATE-----\n".$util->breakline($util->html_encode($req->{'output'}), 40)."\n-----END CERTIFICATE-----"; + } + my $result = $parser->execute_file_with_context("ee/request/getcert.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/request/importcert.cgi b/base/ra/forms/ee/request/importcert.cgi new file mode 100755 index 000000000..fdc309746 --- /dev/null +++ b/base/ra/forms/ee/request/importcert.cgi 
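Review bot: `$req` returned by `$queue->read_request($id)` is dereferenced (`$req->{'rowid'}`, `$req->{'serialno'}`, `$req->{'output'}`) without checking that a record was found, so an unknown `id` renders a page with empty fields and an empty certificate block instead of an error; status.cgi in this same commit redirects to the error page in that case. I would add, right after `$queue->close();`, `if (!defined($req)) { print $q->redirect("/ee/error.cgi?error=request%20not%20found"); return; }`. The `$docroot` lookup is unused and can be dropped.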
@@ -0,0 +1,82 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use DBI; +use CGI; +use PKI::Service::Op; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Base::Registry; +use PKI::Request::Queue; +use Template::Velocity; +use MIME::Base64; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + + my $id = $util->get_alphanum_val($q->param('id')); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $req = $queue->read_request($id); + $queue->close(); + + my %context; +# $::symbol{id} = $req->{'rowid'}; +# $::symbol{status} = $req->{'status'}; + +# my $result = $parser->execute_file("ee/request/status.vm"); + + my $cert = MIME::Base64::decode($req->{'output'}); + + print "Content-Type: application/x-x509-user-cert\n\n"; + print $cert; +} + +my 
$op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/request/index.cgi b/base/ra/forms/ee/request/index.cgi new file mode 100755 index 000000000..ef2a68b23 --- /dev/null +++ b/base/ra/forms/ee/request/index.cgi @@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/request/index.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); 
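Review bot: `MIME::Base64::decode($req->{'output'})` runs without checking that `read_request($id)` found a record or that `output` is non-empty, so an unknown `id` or a request that has not been issued yet answers with `Content-Type: application/x-x509-user-cert` and an empty body, which the client will try to import as a certificate rather than see as an error. Add a not-found check before decoding, e.g. `if (!defined($req) || !$req->{'output'}) { print $q->redirect("/ee/error.cgi?error=request%20not%20found"); return; }`. The commented-out `$::symbol{...}` and `execute_file("ee/request/status.vm")` lines are dead code and should be deleted rather than shipped in a new file.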
diff --git a/base/ra/forms/ee/request/status.cgi b/base/ra/forms/ee/request/status.cgi new file mode 100755 index 000000000..6a3154716 --- /dev/null +++ b/base/ra/forms/ee/request/status.cgi 
@@ -0,0 +1,94 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use DBI; +use CGI; +use PKI::Service::Op; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Base::Registry; +use PKI::Request::Queue; +use Template::Velocity; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + + my $util = PKI::Base::Util->new(); + + my $id = $util->get_alphanum_val($q->param('id')); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $req = $queue->read_request($id); + $queue->close(); + if ($req == "") { + print $q->redirect("/ee/error.cgi?error=request%20not%20found"); + return; + } + + my %context; + $context{id} = $util->html_encode($req->{'rowid'}); + $context{type} =$util->html_encode($req->{'type'}); + $context{status} = $util->html_encode($req->{'status'}); + $context{serialno} = 
$util->html_encode($req->{'serialno'}); + $context{errorString} = $util->html_encode($req->{'errorString'}); + + my $result = $parser->execute_file_with_context("ee/request/status.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/scep/enroll.cgi b/base/ra/forms/ee/scep/enroll.cgi new file mode 100755 index 000000000..53291636a --- /dev/null +++ b/base/ra/forms/ee/scep/enroll.cgi 
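Review bot: `if ($req == "")` uses numeric comparison against a string: for a hash reference `==` compares the reference's address with 0 and is false, and for `undef` it is true only because `undef` numifies to 0 (and warns under `use warnings`). The check should state its intent, `if (!defined($req)) {` or `unless (ref $req) {`, so the not-found redirect does not depend on that accident. `$context{type} =$util->html_encode(...)` is also missing the space after `=` that every neighbouring assignment has.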
@@ -0,0 +1,112 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use MIME::Base64; +use URI::URL; +use URI::Escape; +use XML::Simple; +use CGI; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Base::Registry; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Conn::CA; +use PKI::Base::PinStore; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $client_id = $util->get_val($q->param('client_id')); + my $site_id = $util->get_val($q->param('site_id')); + my $pin = $util->get_alphanum_val($q->param('pin')); + my $csr = $util->get_val($q->param('csr')); + + my $key = $client_id . "/" . 
$site_id; + + my $pin_store = PKI::Base::PinStore->new(); + $pin_store->open($cfg); + my $pinref = $pin_store->read_pin($key); + if (defined($pinref) && $pinref->{'pin'} eq $pin) { + $pin_store->delete($key); + } else { + $pin_store->close(); + # error, redirect user back to the original enrollment page + print $q->redirect("/ee/scep/installer.cgi"); + return; + } + $pin_store->close(); + + my $profile_id = $cfg->get("request.scep.profileId"); + my $cert_request_type = $cfg->get("request.scep.reqType"); + + my $ca = PKI::Conn::CA->new(); + $ca->open($cfg); + my $cert = $ca->enroll($pinref->{'rid'}, "ca1", $profile_id, $cert_request_type, $csr); + $ca->close(); + my $decoded = decode_base64($cert); + my $encoded = encode_base64($decoded); + + my %context; + $context{cert} = $encoded; + + my $result = $parser->execute_file_with_context("ee/scep/enroll.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/scep/index.cgi b/base/ra/forms/ee/scep/index.cgi new file mode 100755 index 000000000..c73fc379a --- /dev/null +++ b/base/ra/forms/ee/scep/index.cgi 
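Review bot: the result of `$ca->enroll(...)` is passed straight to `decode_base64`/`encode_base64` and rendered without checking that the CA call succeeded, so a failed or empty enrollment produces a page with an empty `cert` value after the one-time PIN has already been deleted from the store; check it before the base64 round-trip, e.g. `if (!defined($cert) || $cert eq "") { print $q->redirect("/ee/error.cgi?error=enrollment%20failed"); return; }`. `$csr` is taken with `get_val` and never passed through `$util->normalize_csr`, which server/submit.cgi in this commit does before using a CSR. `$key = $client_id . "/" . $site_id` is built from two unconstrained `get_val` inputs, so a `/` inside either id makes the pin-store key ambiguous; if these are meant to be plain identifiers, `get_alphanum_val` as already used for `pin` would fit.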
@@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/scep/index.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/scep/installer.cgi b/base/ra/forms/ee/scep/installer.cgi new file mode 100755 index 000000000..8453c2cc4 --- /dev/null +++ b/base/ra/forms/ee/scep/installer.cgi 
@@ -0,0 +1,74 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my %context; + $context{machine} = $cfg->get("service.machineName"); + $context{port} = $cfg->get("service.unsecurePort"); + + my $result = $parser->execute_file_with_context("ee/scep/installer.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); 
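Review bot: `$context{machine}` and `$context{port}` are placed into the template context without `$util->html_encode`, whereas every other handler in this commit encodes each context value before rendering; the values come from configuration (`service.machineName`, `service.unsecurePort`) so the exposure is limited, but keeping the convention uniform is cheap: `$context{machine} = $util->html_encode($cfg->get("service.machineName"));` with a `use PKI::Base::Util;` and `my $util = PKI::Base::Util->new();` as in the sibling scripts. `$docroot` is looked up and never used.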
diff --git a/base/ra/forms/ee/scep/manager.cgi b/base/ra/forms/ee/scep/manager.cgi new file mode 100755 index 000000000..8b547a928 --- /dev/null +++ b/base/ra/forms/ee/scep/manager.cgi @@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/scep/manager.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); 
diff --git a/base/ra/forms/ee/scep/pkiclient.cgi b/base/ra/forms/ee/scep/pkiclient.cgi new file mode 100755 index 000000000..a54558f37 --- /dev/null +++ b/base/ra/forms/ee/scep/pkiclient.cgi 
@@ -0,0 +1,113 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use MIME::Base64; +use URI::URL; +use URI::Escape; +use XML::Simple; +use CGI; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Conn::CA; +use PKI::Base::PinStore; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $operation = $util->get_alphanum_val($q->param('operation')); + my $message = $util->get_val($q->param('message')); + $message = uri_escape($message); + + my $ca = PKI::Conn::CA->new(); + $ca->open($cfg); + if ($operation eq "GetCACert") { + my $content = $ca->scep_get_ca_cert("ca1", $operation, $message); + + print "Content-Type: application/x-x509-ca-cert\n\n"; + print $content; + } elsif ($operation eq 
"PKIOperation") { + my $decoded = $ca->scep_decode("ca1", $operation, $message); + $decoded =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $decoded = $1; + my $parser = XML::Simple->new(); + my $response = $parser->XMLin($decoded); + + # one time pin + my $pin = $response->{'PKCS10'}->{'ChallengePassword'}->{'Password'} ; + # IP Address + my $key = $ENV{'REMOTE_ADDR'}; + + # check PIN + if (1) { + my $pin_store = PKI::Base::PinStore->new(); + $pin_store->open($cfg); + my $pinref = $pin_store->read_pin($key); + if (defined($pinref) && $pinref->{'pin'} eq $pin) { + $pin_store->delete($key); + } else { + $pin_store->close(); + # XXX - return SCEP error + print $q->redirect("/ee/scep/installer.cgi"); + return; + } + $pin_store->close(); + } + + my $content = $ca->scep_pki_message("ca1", $operation, $message); + + print "Content-Type: application/x-pki-message\n\n"; + print $content; + } + $ca->close(); +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/scep/submit.cgi b/base/ra/forms/ee/scep/submit.cgi new file mode 100755 index 000000000..b3dfd7a5d --- /dev/null +++ b/base/ra/forms/ee/scep/submit.cgi 
@@ -0,0 +1,91 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use DBI; +use CGI; +use PKI::Service::Op; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Request::Queue; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + + my $client_id = $util->get_val($q->param('client_id')); + my $site_id = $util->get_val($q->param('site_id')); + my $email = $util->get_val($q->param('email')); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $request_id = $queue->create_request("scep", + "client_id=" . $client_id . ";" . + "site_id=" . 
$site_id, + "0", + $email); + my %context; + $context{request_id} = $util->html_encode($request_id); + $self->debug_log($cfg, "request $request_id created"); + $queue->close(); + + my $result = $parser->execute_file_with_context("ee/scep/submit.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/server/admin.cgi b/base/ra/forms/ee/server/admin.cgi new file mode 100755 index 000000000..18945da02 --- /dev/null +++ b/base/ra/forms/ee/server/admin.cgi 
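Review bot: `client_id`, `site_id` and `email` are taken with `get_val`, i.e. with no character restriction, and then concatenated into the request data as `"client_id=" . $client_id . ";" . "site_id=" . $site_id`; renew.cgi in this same commit reads request data back by `split(/;/, $data)` then `split(/=/, $nv)`, so a `;` or `=` inside a submitted id would inject or override fields when the record is parsed. Restrict these identifiers at the boundary, e.g. `my $client_id = $util->get_alphanum_val($q->param('client_id'));` (and the same for `site_id`), or reject values containing `;`/`=` before `create_request`. The same applies to `server_id` and `site_id` in server/submit.cgi, where only `csr` is normalised.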
@@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/server/admin.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/server/index.cgi b/base/ra/forms/ee/server/index.cgi new file mode 100755 index 000000000..830409a8b --- /dev/null +++ b/base/ra/forms/ee/server/index.cgi 
@@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/server/index.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/server/submit.cgi b/base/ra/forms/ee/server/submit.cgi new file mode 100755 index 000000000..4916033ee --- /dev/null +++ b/base/ra/forms/ee/server/submit.cgi 
@@ -0,0 +1,93 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Request::Queue; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $util = PKI::Base::Util->new(); + + my $server_id = $util->get_val($q->param('server_id')); + my $site_id = $util->get_val($q->param('site_id')); + my $email = $util->get_val($q->param('email')); + my $csr = $util->get_val($q->param('csr')); + + $csr = $util->normalize_csr($csr); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $request_id = $queue->create_request("server", + "server_id=" . $server_id . ";" . + "site_id=" . $site_id . ";" . + "csr=" . 
$csr, + "0", + $email); + my %context; + $context{request_id} = $util->html_encode($request_id); + $self->debug_log($cfg, "request $request_id created"); + $queue->close(); + + my $result = $parser->execute_file_with_context("ee/server/submit.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/user/index.cgi b/base/ra/forms/ee/user/index.cgi new file mode 100755 index 000000000..ef6b3aa47 --- /dev/null +++ b/base/ra/forms/ee/user/index.cgi 
@@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/user/index.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/user/renew.cgi b/base/ra/forms/ee/user/renew.cgi new file mode 100755 index 000000000..63d646ec9 --- /dev/null +++ b/base/ra/forms/ee/user/renew.cgi 
@@ -0,0 +1,165 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Base::Conf; +use PKI::Request::Queue; +use Template::Velocity; +use PKI::Service::Op; +use PKI::Base::Util; +use PKI::Base::Registry; + +use vars qw (@ISA); +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my $util = PKI::Base::Util->new(); + my $error = ""; + + my $host = $cfg->get("service.machineName"); + my $port = $cfg->get("service.non_clientauth_securePort"); + + $self->debug_params($cfg, $q); + + my $cert = $self->get_cert_record($cfg); + $self->debug_log( $cfg, "after get_cert_record"); + if (!defined($cert) || ($cert eq "")) { + $self->debug_log( $cfg, "cert not defined"); + $error = "certificate not found in database"; + print $q->redirect("/ee/error.cgi?error=$error"); + return; + } + $self->debug_log( $cfg, "got cert"); + + my $csr = $cert->{'csr'}; + if ($csr eq "") { + $error = 
"csr not found in database"; + print $q->redirect("/ee/error.cgi?error=$error"); + return; + } + $self->debug_log( $cfg, "got csr"); + + my $req_id = $cert->{'rid'}; + if ($req_id eq "") { + $error = "reqid not found in database"; + print $q->redirect("/ee/error.cgi?error=$error"); + return; + } + $self->debug_log( $cfg, "got req_id = $req_id"); + $self->debug_log( $cfg, "before renewl read/create request"); + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $o_req = $queue->read_request($req_id); + if ($o_req eq "") { + $self->debug_log( $cfg, "got null o_req"); + print $q->redirect("/ee/error.cgi?error=$error"); + return; + } + + my $uid = ""; + my $site_id = ""; + my $org_csr = ""; + my $csr_type = ""; + + my $data = $o_req->{'data'}; + foreach $nv (split(/;/, $data)) { + my ($n, $v) = split(/=/, $nv); + if ($n eq "uid") { + $uid = $v; + } + if ($n eq "site_id") { + $site_id = $v; + } + if ($n eq "csr") { + $org_csr = $v; + } + if ($n eq "csr_type") { + $csr_type = $v; + } + } + + my $new_request = $queue->create_request("renewal", + "uid=" . $uid . ";" . + "site_id=" . $site_id . ";" . + "csr_type=" . $csr_type . ";" . + "csr=" . $csr, + "orig_reqid=" . 
$o_req->{'rowid'}, + $o_req->{'created_by'}); + + #self-renewal is created and processed by the same user + $ref = $queue->approve_request($new_request, $o_req->{'created_by'}); + my $nreq = $queue->read_request($new_request); + $error = $nreq->{'errorString'}; + if ($error ne "0") { + $self->debug_log( $cfg, "after approve request, got error=$error"); + print $q->redirect("/ee/error.cgi?error=$error"); + return; + } + + my %context; + $context{request_id} = $util->html_encode($new_request); + $self->debug_log($cfg, "request $new_request created"); + $queue->close(); + $self->debug_log( $cfg, "after renewl read/create request $new_request"); + + $context{data} = $util->breakline($util->html_encode($ref->{'data'}), 40); + $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40); + $context{serialno} = $util->html_encode($ref->{'serialno'}); + $context{host} = $util->html_encode($host); + $context{port} = $util->html_encode($port); + + #print $q->redirect("/ee/request/getcert.cgi?id=$new_request"); + my $result = $parser->execute_file_with_context("ee/user/renew.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/user/renewal.cgi b/base/ra/forms/ee/user/renewal.cgi new file mode 100755 index 000000000..63a211eff --- /dev/null +++ b/base/ra/forms/ee/user/renewal.cgi 
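Review bot: In the `if ($o_req eq "")` branch `$error` is still the empty string, so the user is sent to `/ee/error.cgi?error=` with no message; set `$error = "request not found in database";` before that `print $q->redirect(...)`. Everywhere in this handler `$error` — including `$nreq->{'errorString'}` read back from the database — is interpolated into the redirect URL unescaped, so it should go through `$q->escape($error)`; an `&`, `#` or control character in it would otherwise corrupt the query string or the Location header. `split(/=/, $nv)` discards everything after the first `=` in a value, which matters for base64 CSR padding, so `split(/=/, $nv, 2)` is the safe form. `$nv` and `$ref` are used without `my`, which `use strict` would reject.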
@@ -0,0 +1,74 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Registry; + +use vars qw (@ISA); +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $host = $cfg->get("service.machineName"); + my $port = $cfg->get("service.securePort"); + + my %context; + $context{url} = "https://$host:$port/ee/user/renew.cgi"; + my $result = $parser->execute_file_with_context("ee/user/renewal.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); 
diff --git a/base/ra/forms/ee/user/submit.cgi b/base/ra/forms/ee/user/submit.cgi
new file mode 100755
index 000000000..26c900e00
--- /dev/null
+++ b/base/ra/forms/ee/user/submit.cgi
@@ -0,0 +1,112 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use Benchmark; +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Util; +use PKI::Base::Registry; +use PKI::Request::Queue; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $st = new Benchmark; + + my $util = PKI::Base::Util->new(); + + my $userid = $util->get_val($q->param('uid')); + my $fullname = $util->get_val($q->param('cn')); + my $site_id = $util->get_val($q->param('site_id')); + my $email = $util->get_val($q->param('email')); + my $csr_type = $util->get_alphanum_val($q->param('csr_type')); + my $csr = $util->get_val($q->param('csr')); + + $csr = $util->normalize_csr($csr); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + my $db_st = new Benchmark; + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my 
$request_id = $queue->create_request("user", + "uid=" . $userid . ";" . + "cn=" . $fullname . ";" . + "site_id=" . $site_id . ";" . + "csr_type=" . $csr_type . ";" . + "csr=" . $csr, + "0", + $email); + my %context; + $context{request_id} = $util->html_encode($request_id); + $self->debug_log($cfg, "request $request_id created"); + $queue->close(); + my $db_et = new Benchmark; + + my $t_st = new Benchmark; + my $result = $parser->execute_file_with_context("ee/user/submit.vm", + \%context); + my $t_et = new Benchmark; + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } + + my $et = new Benchmark; + $self->debug_log($cfg, "benchmark " . + "total=" . timestr(timediff($et, $st)) . " " . + "db total=" . timestr(timediff($db_et, $db_st)) . " " . + "template total=" . timestr(timediff($t_et, $t_st)) . " " + ); +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/ee/user/user.cgi b/base/ra/forms/ee/user/user.cgi new file mode 100755 index 000000000..2d58a532b --- /dev/null +++ b/base/ra/forms/ee/user/user.cgi 
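Review bot: The request payload `"uid=" . $userid . ";" . "cn=" . $fullname . ";" . "site_id=" . $site_id ...` is a `;`/`=`-delimited encoding built from request parameters, and renew.cgi in this same commit parses it back with `split(/;/)` and `split(/=/)`, so a `;` or `=` inside `uid`, `cn` or `site_id` changes which field a later reader sees — unless `PKI::Base::Util::get_val` (not in this diff) already strips those characters. Either reject values containing the delimiters before `create_request` or percent-encode each value when joining and decode it when parsing. `use PKI::Service::Op;` appears twice and `$docroot` is unused.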
@@ -0,0 +1,68 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + my %context; + my $result = $parser->execute_file_with_context("ee/user/user.vm", + \%context); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%context); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + +my $op = op->new(); +$op->execute(); diff --git a/base/ra/forms/index.cgi b/base/ra/forms/index.cgi new file mode 100755 index 000000000..0e643166b --- /dev/null +++ b/base/ra/forms/index.cgi 
@@ -0,0 +1,76 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package op; + +use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl"; + +use CGI; +use PKI::Service::Op; +use Template::Velocity; +use PKI::Base::Conf; +use PKI::Base::Registry; + +use vars qw (@ISA); +use PKI::Service::Op; +@ISA = qw(PKI::Service::Op); + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub process() +{ + my $self = shift; + + my $q = CGI->new(); + + my $docroot = PKI::Base::Registry->get_docroot(); + my $parser = PKI::Base::Registry->get_parser(); + my $cfg = PKI::Base::Registry->get_config(); + + $self->debug_params($cfg, $q); + + $::symbol{machineName} = $cfg->get("service.machineName"); + $::symbol{non_clientauth_securePort} = $cfg->get("service.non_clientauth_securePort"); + $::symbol{securePort} = $cfg->get("service.securePort"); + $::symbol{unsecurePort} = $cfg->get("service.unsecurePort"); + + my $result = $parser->execute_file("index.vm"); + + my $xml = $q->param('xml'); + if ($xml eq "true") { + print "Content-Type: text/xml\n\n"; + print $self->xml_output(\%::symbol); + } else { + print "Content-Type: text/html\n\n"; + print "$result"; + } +} + + +my $op = op->new(); +$op->execute(); 
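Review bot: This script fills the package-global `%::symbol` hash and renders with `$parser->execute_file("index.vm")`, while every other CGI in the commit passes a lexical `%context` to `execute_file_with_context`; the global also feeds `xml_output(\%::symbol)`, so any other key set on `%::symbol` elsewhere in the process would be emitted as well. Switching to `my %context; $context{machineName} = $cfg->get("service.machineName"); ... $parser->execute_file_with_context("index.vm", \%context);` makes the output set explicit and consistent with the sibling scripts. `use PKI::Service::Op;` is repeated and `$docroot` is unused.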
diff --git a/base/ra/lib/perl/PKI/Base/CertStore.pm b/base/ra/lib/perl/PKI/Base/CertStore.pm
new file mode 100644
index 000000000..1a31ff971
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/CertStore.pm
@@ -0,0 +1,151 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Base::CertStore; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Constructs a cert store +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Opens this store +####################################### +sub open { + my ($self, $cfg) = @_; + $self->{cfg} = $cfg; + my $dbfile = $cfg->get("database.dbfile"); + $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","",""); +} + +sub read_certificate { + my ($self, $serialno) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from certificates " . + "where serialno=" . $dbh->quote($serialno); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +sub map_certificate { + my ($self, $certificate) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from certificates " . + "where " . + "certificate=" . 
$dbh->quote($certificate); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +sub read_certificate_by_approver { + my ($self, $uid, $serialno) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from certificates " . + "where approved_by=". $dbh->quote($uid). + "AND serialno=" . $dbh->quote($serialno); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +sub list_certs_by_approver { + my ($self, $uid, $startpos, $maxcount) = @_; + my $dbh = $self->{dbh}; + my $select = "select *,approved_by from certificates " . + "where " . + "approved_by=". $dbh->quote($uid). + " limit $startpos, $maxcount"; + + my $sth = $dbh->prepare($select); + $sth->execute(); + my @certs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@certs, $ref); + } + $sth->finish(); + return @certs; + + +} + +sub add_certificate { + my ($self, $serialno, $csr, $subject_dn, $certificate, $reqid, $approved_by) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + # sqlite is not thread safe, do our own lock here + my $cmd = "insert into certificates (" . + "subject_dn" . "," . + "certificate" . "," . + "csr" . "," . + "serialno" . "," . + "rid" . "," . + "approved_by" . "," . + "created_at" . + ") values (" . + $dbh->quote($subject_dn) . "," . + $dbh->quote($certificate) . "," . + $dbh->quote($csr) . "," . + $dbh->quote($serialno) . "," . + $dbh->quote($reqid) . "," . + $dbh->quote($approved_by) . "," . + $dbh->quote($now) . + ")"; +REDO_ADD_CERT: + eval { + $dbh->do($cmd); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_ADD_CERT; + } + +} + +####################################### +# Closes this store +####################################### +sub close { + my ($self) = @_; + my $dbh = $self->{dbh}; + $dbh->disconnect(); +} + +1; 
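Review bot: `list_certs_by_approver` interpolates `$startpos` and `$maxcount` straight into the statement (`" limit $startpos, $maxcount"`) while every other value goes through `$dbh->quote`; if callers take these from request parameters this is an injection point, so coerce them with `int($startpos)`/`int($maxcount)` or bind them as placeholders. `add_certificate` wraps `$dbh->do` in `eval` and retries only on `err == 5` (SQLITE_BUSY) with no retry bound, so any other failure — a constraint violation, a missing table — is silently dropped, no certificate row is written, and the caller has no return value to check; the comment `do our own lock here` describes a lock that is not implemented. The unchecked `DBI->connect(...)` (no `RaiseError`, no test of the returned handle) and the same unbounded retry pattern recur in PinStore.pm and UserStore.pm in this commit. In `read_certificate_by_approver` the concatenation `$dbh->quote($uid). "AND serialno="` lacks a space before `AND`; write `" AND serialno="`.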
diff --git a/base/ra/lib/perl/PKI/Base/Conf.pm b/base/ra/lib/perl/PKI/Base/Conf.pm
new file mode 100755
index 000000000..895ab28a3
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/Conf.pm
@@ -0,0 +1,130 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package PKI::Base::Conf; + +use strict; +use warnings; +use Exporter; + +$PKI::Base::Conf::VERSION = '1.00'; + +####################################################### +# Configuration Store +####################################################### +sub new { + my $class = shift; + my $self = {}; + my %hash = (); + $self->(unknown) = ""; + $self->{hash} = \%hash; + bless $self,$class; + return $self; +} + +sub load_file +{ + my ($self, $filename) = @_; + + $self->(unknown) = $filename; + if (-e $filename) { + open(CF, "<$filename"); + if (defined fileno CF) { + while (<CF>) { + if (/^#/) { + # comments + } elsif (/([^=]+)=(.*)$/) { + # print "$1 = $2\n"; + $self->{hash}{$1} = $2; + } else { + # preserve comments + } + } + } + close(CF); + } +} + +sub get_filename +{ + my ($self) = @_; + return $self->(unknown); +} + +sub get +{ + my ($self, $n) = @_; + return $self->{hash}{$n}; +} + +sub put +{ + my ($self, $n, $v) = @_; + $self->{hash}{$n} = $v; +} + +sub commit +{ + my ($self) = @_; + + # write stuff back to the file +# print $self->(unknown) . 
"\n"; + my $hash = $self->{hash}; + my $suffix = time(); + + if (-e $self->(unknown)) { + system("mv \"" . $self->(unknown) . "\" \"" . + $self->(unknown) . "." . $suffix . "\""); + } + + open(F, ">" . $self->(unknown)); + foreach my $k (sort keys %{$hash}) { + print F "$k=$self->{hash}{$k}\n"; + } + close(F); + + if (-e $self->(unknown) . "." . $suffix) { + system("rm \"" . $self->(unknown) . "." . $suffix . "\""); + } +} + +sub commit_with_backup +{ + my ($self) = @_; + + # write stuff back to the file +# print $self->(unknown) . "\n"; + my $hash = $self->{hash}; + my $suffix = time(); + system("mv \"" . $self->(unknown) . "\" \"" . + $self->(unknown) . "." . $suffix . "\""); + + open(F, ">" . $self->(unknown)); + foreach my $k (sort keys %{$hash}) { + print F "$k=$self->{hash}{$k}\n"; + } + close(F); +} + +1; diff --git a/base/ra/lib/perl/PKI/Base/PinStore.pm b/base/ra/lib/perl/PKI/Base/PinStore.pm new file mode 100644 index 000000000..437d259ff --- /dev/null +++ b/base/ra/lib/perl/PKI/Base/PinStore.pm 
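Review bot: `commit` moves the live configuration aside with `system("mv ...")`, opens the replacement with `open(F, ">" ...)` without checking the result, and then removes the backup whenever it exists — so a failed `open` (permissions, full disk) deletes the only copy of the configuration; `commit_with_backup` has the same unchecked `open`. Use the builtins instead of the shell, `my $file = $self->get_filename(); rename($file, "$file.$suffix") or die "...";` and `unlink("$file.$suffix");`, and run the `unlink` only after `open(...) or die` and `close(F)` have succeeded; the shell form also hands the filename to `sh` for word-splitting and expansion. `load_file` likewise ignores a failed `open`, and the rewritten file takes the process umask, which matters if the configuration carries credentials (not visible here). The `$self->(unknown)` tokens look like an extraction artifact on this page rather than the committed field name.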
@@ -0,0 +1,180 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Base::PinStore; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Constructs a request queue +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Opens request queue +####################################### +sub open { + my ($self, $cfg) = @_; + $self->{cfg} = $cfg; + my $dbfile = $cfg->get("database.dbfile"); + $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","",""); +} + +####################################### +# Creates a new request +####################################### +sub generate_random +{ + my $low = $_[0]; + my $high = $_[1]; + + my $number = 0; + + if( $low >= $high || $low < 0 || $high < 0 ) { + return -1; + } + + $number = int( rand( $high -$low +1 ) ) + $low; + + return $number; +} + + +# arg0 length of string +# return random string +sub generate_random_string() +{ + my $length_of_randomstring=shift; # the length of the string + + my @chars=( 'a'..'z','A'..'Z','0'..'9' ); + my $random_string; + + foreach( 1..$length_of_randomstring ) { + $random_string .= $chars[rand 
@chars]; + } + + return $random_string; +} + +sub create_pin { + my ($self, $key, $rid, $created_by) = @_; + my $dbh = $self->{dbh}; + + my $pin = &generate_random_string(10); + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + # delete previous pin + my $delete = "delete from pins where key=" . $dbh->quote($key); + $dbh->do($delete); + + my $insert = "insert into pins (" . + "key" . "," . + "pin" . "," . + "rid" . "," . + "created_by" . "," . + "created_at" . + ") values (" . + $dbh->quote($key) . "," . + $dbh->quote($pin) . "," . + $dbh->quote($rid) . "," . + $dbh->quote($created_by) . "," . + $dbh->quote($now) . + ")"; +REDO_CREATE_PIN: + eval { + $dbh->do($insert); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_CREATE_PIN; + } + + my $rid = $dbh->func('last_insert_rowid'); + +# my $ref = $self->read_pin($rid); + + return $pin; +} + +####################################### +# Matches pin +####################################### +sub match { + my ($self, $key, $pin) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from pins " . + "where " . + "key=" . $dbh->quote($key) . " AND " . + "pin=" . $dbh->quote($pin); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + if (defined($ref)) { + return 1; + } else { + return 0; + } +} + +sub read_pin { + my ($self, $key) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from pins " . + "where " . + "key=" . $dbh->quote($key); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +####################################### +# Deletes pin +####################################### +sub delete { + my ($self, $key) = @_; + my $dbh = $self->{dbh}; + my $cmd = "delete from pins " . + "where " . + "key=" . 
$dbh->quote($key); + $dbh->do($cmd); +} + +####################################### +# Closes request queue +####################################### +sub close { + my ($self) = @_; + my $dbh = $self->{dbh}; + $dbh->disconnect(); +} + +1; diff --git a/base/ra/lib/perl/PKI/Base/Registry.pm b/base/ra/lib/perl/PKI/Base/Registry.pm new file mode 100644 index 000000000..a4fb83f28 --- /dev/null +++ b/base/ra/lib/perl/PKI/Base/Registry.pm @@ -0,0 +1,55 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Base::Registry; + +use PKI::Base::Conf; + +my $docroot; +my $cfg; +my $parser; + +BEGIN { + $docroot = $ENV{DOCUMENT_ROOT}; + $cfg = PKI::Base::Conf->new(); + $cfg->load_file("$docroot/../conf/CS.cfg"); + $parser = new Template::Velocity($docroot); + +} + +sub get_docroot { + my ($self) = @_; + return $docroot; +} + +sub get_parser { + my ($self) = @_; + return $parser; +} + +sub get_config { + my ($self) = @_; + return $cfg; +} + +1; diff --git a/base/ra/lib/perl/PKI/Base/TimeTool.pm b/base/ra/lib/perl/PKI/Base/TimeTool.pm new file mode 100755 index 000000000..11f4be208 --- /dev/null +++ b/base/ra/lib/perl/PKI/Base/TimeTool.pm 
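Review bot: `generate_random_string` draws the PIN from Perl's `rand`, a non-cryptographic generator with a small seed, yet `match` uses that PIN as an authentication secret; the characters should come from a CSPRNG source (for example bytes read from `/dev/urandom`), and the PIN is also stored in clear text in `pins`, where storing a hash would limit exposure if the table leaks. `create_pin` declares `my $rid = $dbh->func('last_insert_rowid');` over the `$rid` parameter it has just inserted, and the value is never used. The header comments (`Constructs a request queue`, `Opens request queue`, `Creates a new request`, `Closes request queue`) are copied from the queue module and describe the wrong class; `Creates a new request` sits directly above `generate_random`.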
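Review bot: The `BEGIN` block calls `new Template::Velocity($docroot)` but this file never imports `Template::Velocity`, so it compiles only when the calling script happened to `use` it first; add `use Template::Velocity;` above the block. `$cfg->load_file("$docroot/../conf/CS.cfg")` silently yields an empty configuration when the file is missing (`load_file` in Conf.pm only acts inside `if (-e $filename)`), so every later `$cfg->get` returns undef with no diagnostic; check for the file here and `die` with its path. The three accessors take `$self` but serve process-wide singletons initialised once at compile time, which a short comment above `BEGIN` should state.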
@@ -0,0 +1,54 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Base::TimeTool; + +use Time::Local; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Constructs a request queue +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub get_time() +{ + my ($self) = @_; + my ($sec, $min, $hr, $mday, $mnth, $y, $wd, $yd, $ds) = localtime(); + my $r_year = 1900 + $y; + my $r_mnth; + my $r_day; + $r_day = $mday; + $mnth = $mnth + 1; + $r_mnth = $mnth; + return "$r_year-$r_mnth-$r_day $hr:$min:$sec"; +} + + +1; diff --git a/base/ra/lib/perl/PKI/Base/UserStore.pm b/base/ra/lib/perl/PKI/Base/UserStore.pm new file mode 100644 index 000000000..c05683792 --- /dev/null +++ b/base/ra/lib/perl/PKI/Base/UserStore.pm 
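Review bot: `get_time` returns month, day, hour, minute and second without zero-padding (`"$r_year-$r_mnth-$r_day $hr:$min:$sec"`), so the `created_at`/`updated_at` strings the stores write do not sort or compare correctly as text and are not ISO 8601; replace the body's tail with `return sprintf("%04d-%02d-%02d %02d:%02d:%02d", $r_year, $mnth, $mday, $hr, $min, $sec);`. The module does `use PKI::Base::TimeTool;` on itself and `use DBI;` without using it, and the `()` prototype on `sub get_time()` is misleading for a method. The header comment `Constructs a request queue` is copied from another module.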
@@ -0,0 +1,343 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Base::UserStore; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Constructs a request queue +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Opens this store +####################################### +sub open { + my ($self, $cfg) = @_; + $self->{cfg} = $cfg; + my $dbfile = $cfg->get("database.dbfile"); + $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","",""); + my $timeout = $self->{dbh}->func("busy_timeout"); + $self->{dbh}->func($timeout * 10, "busy_timeout"); +} + +####################################### +# Maps user +####################################### +sub map_user { + my ($self, $certificate) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from users " . + "where " . + "certificate=" . 
$dbh->quote($certificate); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +####################################### +# Gets roles of the given user +####################################### +sub get_roles { + my ($self, $uid) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from roles " . + "where " . + "uid=" . $dbh->quote($uid); + my @roles; + my $sth = $dbh->prepare($select); + $sth->execute(); + while (my $ref = $sth->fetchrow_hashref()) { + push(@roles, $ref->{'gid'}); + } + $sth->finish(); + return @roles; +} + + +####################################### +# Reads a user +####################################### +sub read_group { + my ($self, $gid) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from groups " . + "where gid=" . $dbh->quote($gid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +sub read_user { + my ($self, $uid) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from users " . + "where uid=" . $dbh->quote($uid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +sub set_user { + my ($self, $uid, $name, $value) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + my $update = "update users set " . + $name . "=" . $dbh->quote($value) . "," . + "updated_at=" . $dbh->quote($now) . " " . + "where uid=" . $dbh->quote($uid); + $dbh->do($update); + + my $select = "select * from users " . + "where uid=" . 
$dbh->quote($uid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + return $ref; +} + +####################################### +# Lists all members in the given group +####################################### +sub list_all_members { + my ($self, $gid) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from roles where " . + "gid=" . $dbh->quote($gid) . " " . + "order by uid desc "; + my $sth = $dbh->prepare($select); + $sth->execute(); + my @reqs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@reqs, $ref); + } + $sth->finish(); + return @reqs; +} + +####################################### +# Lists +####################################### +sub list_all_non_members { + my ($self, $gid) = @_; + my $dbh = $self->{dbh}; + # find members of the given group + my $select1 = "select * from roles where " . + "gid=" . $dbh->quote($gid); + my $sth1 = $dbh->prepare($select1); + $sth1->execute(); + my $filter = ""; + while (my $ref1 = $sth1->fetchrow_hashref()) { + if ($filter eq "") { + $filter = "uid<>" . $dbh->quote($ref1->{'uid'}); + } else { + $filter = $filter . " AND " . "uid<>" . $dbh->quote($ref1->{'uid'}); + } + } + $sth1->finish(); + + my $select; + if ($filter eq "") { + $select = "select * from users " . + "order by uid desc "; + } else { + $select = "select * from users where (" . + $filter . ") " . + "order by uid desc "; + } + my $sth = $dbh->prepare($select); + $sth->execute(); + my @reqs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@reqs, $ref); + } + $sth->finish(); + return @reqs; +} + +sub delete_user { + my ($self, $userid) = @_; + my $dbh = $self->{dbh}; + + my $cmd = "delete from roles where uid=" . $dbh->quote($userid); + $dbh->do($cmd); + $cmd = "delete from users where uid=" . 
$dbh->quote($userid); + $dbh->do($cmd); +} + +sub add_user_to_group { + my ($self, $gid, $userid) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + my $cmd = "insert into roles (" . + "gid" . "," . + "uid" . + ") values (" . + $dbh->quote($gid) . "," . + $dbh->quote($userid) . + ")"; + $dbh->do($cmd); +} + +sub delete_user_from_group { + my ($self, $gid, $userid) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + my $cmd = "delete from roles where " . + "gid=" . $dbh->quote($gid) . " AND " . + "uid=" . $dbh->quote($userid); + $dbh->do($cmd); +} + +sub add_user { + my ($self, $userid, $name, $email, $certificate) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + my $cmd = "insert into users (" . + "uid" . "," . + "name" . "," . + "email" . "," . + "certificate" . "," . + "created_at" . + ") values (" . + $dbh->quote($userid) . "," . + $dbh->quote($name) . "," . + $dbh->quote($email) . "," . + $dbh->quote($certificate) . "," . + $dbh->quote($now) . + ")"; +REDO_ADD_USER: + eval { + $dbh->do($cmd); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_ADD_USER; + } +} + +sub add_group { + my ($self, $gid, $name) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + my $cmd = "insert into groups (" . + "gid" . "," . + "name" . "," . + "created_at" . + ") values (" . + $dbh->quote($gid) . "," . + $dbh->quote($name) . "," . + $dbh->quote($now) . + ")"; +REDO_ADD_GROUP: + eval { + $dbh->do($cmd); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_ADD_GROUP; + } +} + +sub delete_group { + my ($self, $gid) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + my $cmd = "delete from roles where gid=" . 
$dbh->quote($gid); + $dbh->do($cmd); + $cmd = "delete from groups where gid=" . $dbh->quote($gid); + $dbh->do($cmd); +} + +sub list_users { + my ($self, $startpos, $maxcount) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from users " . + "order by uid desc " . + "limit $startpos, $maxcount"; + my $sth = $dbh->prepare($select); + $sth->execute(); + my @reqs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@reqs, $ref); + } + $sth->finish(); + return @reqs; +} + +sub list_groups { + my ($self, $startpos, $maxcount) = @_; + my $dbh = $self->{dbh}; + my $select = "select * from groups " . + "order by gid desc " . + "limit $startpos, $maxcount"; + my $sth = $dbh->prepare($select); + $sth->execute(); + my @reqs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@reqs, $ref); + } + $sth->finish(); + return @reqs; +} +####################################### +# Closes this store +####################################### +sub close { + my ($self) = @_; + my $dbh = $self->{dbh}; + $dbh->disconnect(); +} + +1; diff --git a/base/ra/lib/perl/PKI/Base/Util.pm b/base/ra/lib/perl/PKI/Base/Util.pm new file mode 100755 index 000000000..f01062e42 --- /dev/null +++ b/base/ra/lib/perl/PKI/Base/Util.pm 
@@ -0,0 +1,155 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Base::Util; + +use Time::Local; + +use DBI; +use HTML::Entities; + +####################################### +# Constructs a util +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub get_val() +{ + my ($self, $s) = @_; + return $s; +} + +sub get_integer_val() +{ + my ($self, $s) = @_; + return $s; +} + +sub get_string_val() +{ + my ($self, $s) = @_; + return $s; +} + +sub get_alphanum_val() +{ + my ($self, $s) = @_; + $s =~ s/[^A-Za-z0-9 ]*//g; + return $s; +} + +sub normalize_csr() +{ + my ($self, $s) = @_; + $s =~ s/-----BEGIN CERTIFICATE REQUEST-----//g; + $s =~ s/-----END CERTIFICATE REQUEST-----//g; + $s =~ s/-----BEGIN NEW CERTIFICATE REQUEST-----//g; + $s =~ s/-----END NEW CERTIFICATE REQUEST-----//g; + $s =~ s/\s//g; + return $s; +} + +sub breakline() +{ + my ($self, $s, $maxlen) = @_; + + my $new_s; + my $i = 0; + foreach my $c (split(//, $s)) { + if ($i == $maxlen) { + $i = 0; + $new_s = $new_s . "<br/>"; + } + $new_s = $new_s . 
$c; + $i++; + } + return $new_s; +} + +sub nv_to_hash() +{ + my ($self, $s) = @_; + my %hash; + my @pairs = split(/;/, $s); + foreach $pair (@pairs) { + my $i = index('=', $pair); + my $n = substr($pair, 0, $i-1); + my $v = substr($pair, $i); + $hash{$n} = $v; + } + return \%hash; +} + +sub nv_to_str() +{ + my ($self, $hash) = @_; + my $s = ""; + foreach $k (keys %$hash) { + if ($s eq "") { + $s = $k . "=" . $$hash{$k}; + } else { + $s = $s . ";" . $k . "=" . $$hash{$k}; + } + } + return $s; +} + +sub test() +{ + my %h; + $h{'x'} = 'y'; + $h{'z'} = 'y'; + my $o = PKI::Base::NameValueUtil->new(); + print $o->to_str(\%h) . "\n"; + print $o->to_str($o->to_hash("5=1;c=2")) . "\n"; +} + +sub html_encode() +{ + my ($self, $s) = @_; + return HTML::Entities::encode($s); +} + +sub html_encode_and_break() +{ + my ($self, $s, $maxlen) = @_; + my $new_s = ''; + my $i = 0; + foreach my $c (split(//, $s)) { + if ($i == $maxlen) { + $i = 0; + $new_s = $new_s . '***'; + } + $new_s = $new_s . $c; + $i++; + } + $s = HTML::Entities::encode($new_s); + $s =~ s/\*\*\*/<br\/>/g; + return $s; +} + +1; diff --git a/base/ra/lib/perl/PKI/Conn/CA.pm b/base/ra/lib/perl/PKI/Conn/CA.pm new file mode 100644 index 000000000..f3c8834ed --- /dev/null +++ b/base/ra/lib/perl/PKI/Conn/CA.pm 
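Review bot: `get_integer_val` and `get_string_val` return their argument untouched, so a caller that treats them as input validation before splicing a value into SQL or a shell string gets no protection at all; only `get_alphanum_val` actually filters. The integer getter should enforce the contract its name promises (hedged below: if some caller relies on an empty string passing through, return `undef` instead of `0`). Separately, `nv_to_hash` calls `index('=', $pair)` with the arguments reversed — Perl's `index STR,SUBSTR` searches for `$pair` inside the literal `'='`, so `$i` is -1 for every normal pair and both `substr` slices are wrong; it should be `my $i = index($pair, '=');` with `substr($pair, 0, $i)` and `substr($pair, $i + 1)`. `test()` also instantiates `PKI::Base::NameValueUtil`, which this file never defines, and `html_encode_and_break` turns a literal `***` in user input into `<br/>` because it reuses that string as its line-break sentinel.
```perl
sub get_integer_val()
{
    my ($self, $s) = @_;
    # Only a decimal integer passes; anything else collapses to 0 so the
    # value can never carry SQL or shell metacharacters to a caller.
    return (defined $s && $s =~ /^-?\d+\z/) ? $s + 0 : 0;
}

# … unchanged: get_string_val, get_alphanum_val, normalize_csr, breakline …

sub nv_to_hash()
{
    my ($self, $s) = @_;
    my %hash;
    foreach my $pair (split(/;/, $s)) {
        my $i = index($pair, '=');      # STR first, then SUBSTR
        next if $i < 0;                 # no '=': nothing to store
        $hash{substr($pair, 0, $i)} = substr($pair, $i + 1);
    }
    return \%hash;
}
```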
@@ -0,0 +1,390 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Conn::CA; + +use URI::URL; +use URI::Escape; +use XML::Simple; +use Data::Dumper; +use DBI; +use PKI::Base::TimeTool; +use PKI::Base::CertStore; +use PKI::Base::Util; +use PKI::Request::Queue; + +####################################### +# Constructs a request queue +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Opens request queue +####################################### +sub open { + my ($self, $cfg) = @_; + $self->{cfg} = $cfg; + my $certstore = PKI::Base::CertStore->new(); + $certstore->open($cfg); + $self->{certstore} = $certstore; +} + +####################################### +# Enrolls +####################################### +sub enroll { + my ($self, $rid, $con_id, $profile_id, $cert_request_type, $cert_request) = @_; + + my $cfg = $self->{cfg}; + my $instdir = $cfg->get("service.instanceDir"); + my $db_password; + + my $nickname = $cfg->get("conn." . $con_id . ".clientNickname"); + my $cahostport = $cfg->get("conn." . $con_id . 
".hostport"); + my ($host, $port) = split(/:/, $cahostport); + + if ($nickname =~ /(.*):(.*)/) { + $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`; + } else { + $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`; + } + $db_password =~ s/\n$//g; + + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $req = $queue->read_request($rid); + if ($req->{'subject_dn'} ne "unavailable") { + $subject = $req->{'subject_dn'}; + } + + my $tmpfile = "/tmp/tmp-$rid-$$"; + my $params = "profileId=" . $profile_id . "&" . + "requestor_name=" . + URI::Escape::uri_escape("$requestor_name") . "&" . + "cert_request_type=" . $cert_request_type . "&" . + "subject=" . + URI::Escape::uri_escape("$subject") . "&" . + "cert_request=" . + URI::Escape::uri_escape("$cert_request") . "&" . + "xmlOutput=true"; + + system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile"); + + my $content = `cat $tmpfile`; + if ($content eq "") { + $queue->set_request($rid, "errorString", "CA Connection Error"); + $queue->set_request($rid, "status", "ERROR"); + $queue->close(); + + $queue->close(); + return ""; + } + + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + $content =~ s/\n//g; + + my $xmlparser = XML::Simple->new(); + my $response = $xmlparser->XMLin($content); + + my $status = $response->{Status}; + if ($status ne "0") { + my $errorString = $response->{Error}; + + $queue->set_request($rid, "errorString", "CA: ".$errorString); + $queue->set_request($rid, "status", "ERROR"); + + $queue->close(); + return ""; + } + + #reset to 0 in case of re-approval + $queue->set_request($rid, "errorString", "0"); + my $req = $queue->read_request($rid); + my $approved_by = $req->{'processed_by'}; + my $serialno = $response->{Requests}->{Request}->{serialno}; + $queue->set_request($rid, "serialno", $serialno); + my 
$subject_dn = $response->{Requests}->{Request}->{SubjectDN}; + $queue->set_request($rid, "subject_dn", $subject_dn); + my $cert = $response->{Requests}->{Request}->{b64}; + $queue->close(); + + my $util = PKI::Base::Util->new(); + my $csr = $cert_request; + $csr = $util->normalize_csr($csr); + + $self->{certstore}->add_certificate($serialno, $csr, $subject_dn, $cert, $rid, $approved_by); + + system("rm $tmpfile"); + + return $cert; +} + +sub get_http_content +{ + my ($self, $filename) = @_; + my $data = ""; + my $count = `grep -a Content-Length $filename | cut -d' ' -f2`; + chomp($count); + my $file_size = -s $filename; + my $offset = $file_size - $count; + + open(FP, "<$filename"); + binmode(FP); + seek(FP, $offset-1, 0); + read(FP, $data, $count); + close(FP); + return $data; +} + +####################################### +# Revoke +####################################### +sub revoke { + my ($self, $rid, $con_id, $serialno, $reason) = @_; + + my $cfg = $self->{cfg}; + my $instdir = $cfg->get("service.instanceDir"); + my $db_password; + + my $nickname = $cfg->get("conn." . $con_id . ".clientNickname"); + my $cahostport = $cfg->get("conn." . $con_id . ".hostagentport"); + + if ($nickname =~ /(.*):(.*)/) { + $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`; + } else { + $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`; + } + $db_password =~ s/\n$//g; + + my $tmpfile = "/tmp/tmp-revoke-$serialno-$$"; + my ($host, $port) = split(/:/, $cahostport); + my $params = "op=" . "revoke" . "&" . + "revocationReason=" .$reason . "&" . + "revokeAll=(certRecordId=" ."0x".$serialno . ")&" . + "totalRecordCount=" ."1" . "&" . 
+ "xml=true"; + system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/agent/ca/doRevoke\" $host:$port > $tmpfile"); + + my $content = `cat $tmpfile`; + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + if ($content eq "") { + $queue->set_request($rid, "errorString", "CA Connection Error"); +# $queue->set_request($rid, "status", "ERROR"); + $queue->close(); + + $queue->close(); + return ""; + } + $content =~ s/\000//; + $content =~ /(\<xml\>.*\<\/xml\>)/s; + $content = $1; + $content =~ s/\n//g; + + my $req = $queue->read_request($rid); + + my $xmlparser = XML::Simple->new(NormalizeSpace => 2); + my $response = $xmlparser->XMLin($content); + + my $errorString = $response->{fixed}->{errorDetails}; + my $revoked = $response->{header}->{revoked}; + + if ($revoked ne "yes") { + $queue->set_request($rid, "errorString", "CA:".$errorString); + } else { + $queue->set_request($rid, "errorString", "0"); + } + system("rm $tmpfile"); + + $queue->close(); + return; +} + +####################################### +# Get Certificate Status +####################################### +sub getCertStatus { + my ($self, $con_id, $serialno) = @_; + + my $cfg = $self->{cfg}; + my $instdir = $cfg->get("service.instanceDir"); + my $db_password; + + my $nickname = $cfg->get("conn." . $con_id . ".clientNickname"); + my $cahostport = $cfg->get("conn." . $con_id . ".hostport"); + my ($host, $port) = split(/:/, $cahostport); + + if ($nickname =~ /(.*):(.*)/) { + $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`; + } else { + $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`; + } + $db_password =~ s/\n$//g; + + + my $tmpfile = "/tmp/tmp-$serialno-$$"; + my $params = "serialNumber=" . "0x".$serialno . "&" . 
+ "xml=true"; + system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/displayBySerial\" $host:$port > $tmpfile"); + + my $content = `cat $tmpfile`; + system("rm $tmpfile"); + if ($content eq "") { + return "CA: Connection Error"; + system("rm $tmpfile"); + } + + $content =~ /(\<xml\>.*\<\/xml\>)/s; + $content = $1; + $content =~ s/\n//g; + + my $xmlparser = XML::Simple->new(NormalizeSpace => 2); + my $response = $xmlparser->XMLin($content); + + my $errorString = $response->{fixed}->{errorDetails}; + my $revokeReason = $response->{header}->{revocationReason}; + + if ($revokeReason eq "") { + if ($errorString eq "") { + return "not revoked"; + } else { + return "CA:".$errorString; + } + } else { + return "revoked:".$revokeReason; + } +} + +####################################### +# SCEP +####################################### +sub scep_get_ca_cert { + my ($self, $con_id, $operation, $message) = @_; + + my $cfg = $self->{cfg}; + my $instdir = $cfg->get("service.instanceDir"); + my $db_password; + + my $nickname = $cfg->get("conn." . $con_id . ".clientNickname"); + my $cahostport = $cfg->get("conn." . $con_id . ".hostport"); + my ($host, $port) = split(/:/, $cahostport); + + if ($nickname =~ /(.*):(.*)/) { + $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`; + } else { + $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`; + } + $db_password =~ s/\n$//g; + + my $tmpfile = "/tmp/tmp-$$"; + my $params = "operation=" . $operation . "&" . + "message=" . 
$message; + system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -n \"$nickname\" -r \"/ca/ee/ca/pkiclient\" $host:$port > $tmpfile"); + + + my $content = $self->get_http_content($tmpfile); + + system("rm $tmpfile"); + + return $content; +} + +# decode PKI Message +sub scep_decode { + my ($self, $con_id, $operation, $message) = @_; + + my $cfg = $self->{cfg}; + my $instdir = $cfg->get("service.instanceDir"); + my $db_password; + + my $nickname = $cfg->get("conn." . $con_id . ".clientNickname"); + my $cahostport = $cfg->get("conn." . $con_id . ".hostport"); + my ($host, $port) = split(/:/, $cahostport); + + if ($nickname =~ /(.*):(.*)/) { + $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`; + } else { + $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`; + } + $db_password =~ s/\n$//g; + + my $tmpfile = "/tmp/tmp-$$"; + my $params = "operation=" . $operation . "&" . + "message=" . $message . "&" . + "decode=true"; + system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -n \"$nickname\" -r \"/ca/ee/ca/pkiclient\" $host:$port > $tmpfile"); + + + my $content = $self->get_http_content($tmpfile); + + system("rm $tmpfile"); + + return $content; +} + +sub scep_pki_message { + my ($self, $con_id, $operation, $message) = @_; + + my $cfg = $self->{cfg}; + my $instdir = $cfg->get("service.instanceDir"); + my $db_password; + + my $nickname = $cfg->get("conn." . $con_id . ".clientNickname"); + my $cahostport = $cfg->get("conn." . $con_id . ".hostport"); + my ($host, $port) = split(/:/, $cahostport); + + if ($nickname =~ /(.*):(.*)/) { + $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`; + } else { + $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`; + } + $db_password =~ s/\n$//g; + + my $tmpfile = "/tmp/tmp-$$"; + my $params = "operation=" . $operation . "&" . + "message=" . 
$message; + system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -n \"$nickname\" -r \"/ca/ee/ca/pkiclient\" $host:$port > $tmpfile"); + + + my $content = $self->get_http_content($tmpfile); + + system("rm $tmpfile"); + + return $content; +} + + +####################################### +# Closes connection +####################################### +sub close { + my ($self) = @_; + $self->{certstore}->close(); +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/AdminAuthPanel.pm b/base/ra/lib/perl/PKI/RA/AdminAuthPanel.pm new file mode 100755 index 000000000..656dc2d5e --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/AdminAuthPanel.pm 
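Review bot: Every `sslget` call in this hunk is a single double-quoted shell string passed to `system()`, and several values spliced into `$params` are never escaped — `$profile_id` and `$cert_request_type` in `enroll`, `$serialno` and `$reason` in `revoke`/`getCertStatus`, and `$operation`/`$message` in the three `scep_*` subs, where the SCEP message is client-supplied by design — so a `"` or `$(...)` in any of them leaves the `-e "..."` argument and runs as the web server user. Each parameter should go through `URI::Escape::uri_escape` (as `subject` and `cert_request` already do in `enroll`) and the command should be run in list form, which never goes through `/bin/sh`; reading the result from a pipe also removes the guessable `/tmp/tmp-$rid-$$` files that are later deleted with `system("rm $tmpfile")`, closing the symlink race in a world-writable directory. The NSS password is still handed over as `-p` and visible in `ps`; whether `sslget` can take it from a file is not visible here. Also note that `$subject` and `$requestor_name` in `enroll` are never declared and `$requestor_name` is never assigned, and `$queue->close()` runs twice on the connection-error path.
```perl
    # every caller-controlled field is URL-escaped; nothing below reaches a shell
    my $params = join("&",
        "profileId="         . URI::Escape::uri_escape($profile_id),
        "requestor_name="    . URI::Escape::uri_escape($requestor_name),
        "cert_request_type=" . URI::Escape::uri_escape($cert_request_type),
        "subject="           . URI::Escape::uri_escape($subject),
        "cert_request="      . URI::Escape::uri_escape($cert_request),
        "xmlOutput=true");

    # list-form open(): argv goes straight to execve(), so quotes, backticks
    # and $() in the parameters are just bytes, and the response is read
    # from a pipe instead of a predictable file in /tmp
    my @cmd = ("/usr/bin/sslget", "-e", $params, "-d", "$instdir/alias",
               "-p", $db_password, "-v", "-n", $nickname,
               "-r", "/ca/ee/ca/profileSubmit", "$host:$port");
    open(my $fh, '-|', @cmd) or die "cannot run sslget: $!";
    my $content = do { local $/; <$fh> };
    close($fh);
    # … unchanged: empty-response handling and XMLResponse parsing …
```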
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::AdminAuthPanel;
+$PKI::RA::AdminAuthPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(8);
+ $self->{"getName"} = &PKI::RA::Common::r("Admin Authentication");
+ $self->{"vmfile"} = "adminauthenticatepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminAuthPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminAuthPanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminAuthPanel: display");
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/AdminPanel.pm b/base/ra/lib/perl/PKI/RA/AdminPanel.pm
new file mode 100755
index 000000000..a5538ef54
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/AdminPanel.pm
@@ -0,0 +1,227 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use URI::URL; +use URI::Escape; +use DBI; + +package PKI::RA::AdminPanel; +$PKI::RA::AdminPanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(14); + $self->{"getName"} = &PKI::RA::Common::r("Administrator"); + $self->{"vmfile"} = "adminpanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("AdminPanel: validate"); + return 1; +} + + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("AdminPanel: update"); + + my $uid = $q->param("uid"); + my $name = $q->param("name"); + my $email = $q->param("email"); + my $password = $q->param("__pwd"); + my 
$password_again = $q->param("__admin_password_again"); + + my $cert_request = $q->param("cert_request"); + my $subject = $q->param("subject"); + my $profile_id = $q->param("profileId"); + my $cert_request_type = $q->param("cert_request_type"); + + $cert_request =~ s/%0D%0A//g; # remove carraige return + + # submit request to CA + + # Admin Certificate should be obtained from the ca selected in the + # name panel. If name panel use External CA, the admin certificate + # will be issued by the security domain CA. + my $cainfo = $::config->get("preop.ca.url"); + &PKI::RA::Wizard::debug_log("AdminPanel: preop.ca.url=$cainfo"); + if ($cainfo eq "" || $cainfo =~ /:$/) { + $cainfo = $::config->get("config.sdomainEEURL"); + &PKI::RA::Wizard::debug_log("AdminPanel: config.sdomainEEURL=$cainfo"); + } + &PKI::RA::Wizard::debug_log("AdminPanel: Connecting to CA: $cainfo"); + my $cainfo_url = new URI::URL($cainfo); + my $sdom = $::config->get("config.sdomainEEURL"); + my $sdom_url = new URI::URL($sdom); + + my $machineName = $::config->get("service.machineName"); + my $securePort = $::config->get("service.securePort"); + my $session_id = $::config->get("preop.sessionID"); + + my $tokenname = $::config->get("preop.module.token"); + my $token_pwd = $::pwdconf->get($tokenname); + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + + my $requestor_name = "RA-" . $machineName . "-" . $securePort; + + my $params = "profileId=" . $profile_id . "&" . + "requestor_name=" . $requestor_name . "&" . + "cert_request_type=" . $cert_request_type . "&" . + "subject=" . $subject . "&" . + "cert_request=" . + URI::Escape::uri_escape("$cert_request") . "&" . + "xmlOutput=true" . "&" . + "sessionID=" . $session_id . "&" . + "auth_hostname=" . 
$sdom_url->host . "&" . + "auth_port=" . $sdom_url->port; + + my $ca_host = $cainfo_url->host; + my $https_ee_port = $cainfo_url->port; + my $content = ""; + my $tmpfile = "/tmp/admin-$$"; + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile"); + $content = `cat $tmpfile`; + } else { + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile"); + $content = `cat $tmpfile`; + } + system("rm $tmpfile"); + &PKI::RA::Wizard::debug_log("req = " . $content); + + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + + # create user in internal database + &PKI::RA::Wizard::debug_log("AdminPanel: Creating user in internal database"); + # use scripts/addAgents.ldif + + my $parser = XML::Simple->new(); + my $response = $parser->XMLin($content); + my $admincert = $response->{Requests}->{Request}->{b64}; + &PKI::RA::Wizard::debug_log("AdminPanel: admincert " . $admincert); + + # create local database + my $dbh = DBI->connect( + "dbi:SQLite:dbname=$instanceDir/conf/dbfile","",""); + my $insert = "insert into users (" . + "uid" . "," . + "name" . "," . + "password" . "," . + "email" . "," . + "certificate" . + ") values (" . + $dbh->quote($uid) . "," . + $dbh->quote($name) . "," . + $dbh->quote($password) . "," . + $dbh->quote($email) . "," . + $dbh->quote($admincert) . + ")"; + $dbh->do($insert); + $insert = "insert into roles (" . + "uid" . "," . + "gid" . + ") values (" . + $dbh->quote($uid) . "," . + $dbh->quote("administrators") . + ")"; + $dbh->do($insert); + $insert = "insert into roles (" . + "uid" . "," . + "gid" . + ") values (" . + $dbh->quote($uid) . "," . + $dbh->quote("agents") . 
+ ")"; + $dbh->do($insert); + $dbh->disconnect(); + + my $reqid = $response->{Requests}->{Request}->{Id}; + $::config->put("preop.admincert.requestId.0", $reqid); + my $sn = $response->{Requests}->{Request}->{serialno}; + $::config->put("preop.admincert.serialno.0", $sn); + + # update email address + $::config->put("request.agent.create_request.1.mailTo", $email); + $::config->put("request.scep.create_request.1.mailTo", $email); + $::config->put("request.server.create_request.1.mailTo", $email); + $::config->put("request.user.create_request.1.mailTo", $email); + + $::config->commit(); + + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("AdminPanel: display"); + $::symbol{admin_uid} = "admin"; + $::symbol{admin_name} = "RA Administrator"; + $::symbol{admin_email} = ""; + $::symbol{admin_pwd} = ""; + $::symbol{admin_pwd_again} = ""; + $::symbol{import} = "true"; + my $domain_name = $::config->get("preop.securitydomain.name"); + $::symbol{securityDomain} = $domain_name; + + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/AgentAuthPanel.pm b/base/ra/lib/perl/PKI/RA/AgentAuthPanel.pm new file mode 100755 index 000000000..1ada5ad54 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/AgentAuthPanel.pm 
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::AgentAuthPanel;
+$PKI::RA::AgentAuthPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(7);
+ $self->{"getName"} = &PKI::RA::Common::r("Agent Authentication");
+ $self->{"vmfile"} = "agentauthenticatepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AgentAuthPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AgentAuthPanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AgentAuthPanel: display");
+ return 1;
+}
+
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/BasePanel.pm b/base/ra/lib/perl/PKI/RA/BasePanel.pm
new file mode 100755
index 000000000..5cb4d7697
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/BasePanel.pm
@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::BasePanel;
+$PKI::RA::BasePanel::VERSION = '1.00';
+
+sub new {
+ my ($class) = @_;
+ my $self = {};
+ bless $self, $class;
+ return $self;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm b/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm
new file mode 100755
index 000000000..4cc65e5cf
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm
@@ -0,0 +1,289 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+
+package PKI::RA::CAInfoPanel;
+$PKI::RA::CAInfoPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+our $cert_header="-----BEGIN CERTIFICATE-----";
+our $cert_footer="-----END CERTIFICATE-----";
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(4);
+ $self->{"getName"} = &PKI::RA::Common::r("CA Information");
+ $self->{"vmfile"} = "cainfopanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update");
+
+ my $count = $q->param('urls');
+
&PKI::RA::Wizard::debug_log("CAInfoPanel: update - got urls = $count");
+
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update - selected ca= $count");
+
+ my $instanceID = $::config->get("service.instanceID");
+ my $host = "";
+ my $https_ee_port = "";
+ my $https_agent_port = "";
+ my $https_admin_port = "";
+ my $domain_xml = "";
+
+ if ($count =~ /http/) {
+ my $info = new URI::URL($count);
+ $host = $info->host;
+ $https_ee_port = $info->port;
+ $domain_xml = get_domain_xml($host, $https_ee_port);
+ if ($domain_xml eq "") {
+ $::symbol{errorString} = "missing security domain. CA must be installed prior to RA installation";
+ return 0;
+ }
+
+ $https_agent_port = get_secure_agent_port_from_domain_xml($domain_xml, $host, $https_ee_port);
+ $https_admin_port = get_secure_admin_port_from_domain_xml($domain_xml, $host, $https_ee_port);
+
+ if(($https_admin_port eq "") || ($https_agent_port eq "")) {
+ $::symbol{errorString} = "missing secure CA admin or agent port. CA must be installed prior to RA installation";
+ return 0;
+ }
+ } else {
+ $host = $::config->get("preop.securitydomain.ca$count.host");
+ $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
+ $https_agent_port = $::config->get("preop.securitydomain.ca$count.secureagentport");
+ $https_admin_port = $::config->get("preop.securitydomain.ca$count.secureadminport");
+ }
+
+ if (($host eq "") || ($https_ee_port eq "") || ($https_admin_port eq "") || ($https_agent_port eq "")) {
+ $::symbol{errorString} = "no CA found. 
CA must be installed prior to RA installation";
+ return 0;
+ }
+
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port");
+
+ $::config->put("preop.cainfo.select", "https://$host:$https_admin_port");
+ my $serverCertNickName = $::config->get("preop.cert.sslserver.nickname");
+
+ my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
+ $::config->put("conn.ca1.clientNickname", $subsystemCertNickName);
+ $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port);
+ $::config->put("conn.ca1.hostagentport", $host . ":" . $https_agent_port);
+ $::config->put("conn.ca1.hostadminport", $host . ":" . $https_admin_port);
+
+ $::config->commit();
+
+ # connect to the CA, and retrieve the CA certificate
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update connecting to CA and retrieve cert chain");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+ my $tmpfile = "/tmp/ca-$$";
+ system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile");
+ my $cmd = `cat $tmpfile`;
+ system("rm $tmpfile");
+ my $caCert;
+ if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) {
+ $caCert = $1;
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: ca= $caCert");
+ }
+ if ($caCert eq "") {
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update no cert chain found");
+ return 0;
+ }
+ open(F, ">$instanceDir/conf/caCertChain2.txt");
+ print F $cert_header."\n".$caCert."\n".$cert_footer;
+ close(F);
+
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update retrieve cert chain done");
+
+ #import cert chain
+ system("p7tool -d $instanceDir/alias -p $instanceDir/conf/chain2cert -a -i $instanceDir/conf/caCertChain2.txt -o $instanceDir/conf/CAchain2_pp.txt");
+ my $r = $? >> 8;
+ my $failed = $? 
& 127;
+ if (($r > 0) && ($r < 10) && !$failed) {
+ my $i = 0;
+ while ($i ne $r) {
+ my $tmp = `certutil -d $instanceDir/alias -D -n "Trusted CA c2cert$i"`;
+ $tmp = `certutil -d $instanceDir/alias -A -f $instanceDir/conf/.pwfile -n "Trusted CA c2cert$i" -t "CT,C,C" -i $instanceDir/conf/chain2cert$i.der`;
+ $i++;
+ }
+ }
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: display");
+
+ $::symbol{urls} = [];
+# unshift(@{$::symbol{urls}}, "External CA");
+ my $count = 0;
+ my $first = 1;
+ my $list = "";
+ while (1) {
+ my $host = $::config->get("preop.securitydomain.ca$count.host");
+ if ($host eq "") {
+ goto DONE;
+ }
+ my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
+ my $name = $::config->get("preop.securitydomain.ca$count.subsystemname");
+ my $item = $name . " - https://" . $host . ":" . $https_ee_port;
+# my $item = "https://" . $host . ":" . $https_ee_port;
+# unshift(@{$::symbol{urls}}, $item);
+ $::symbol{urls}[$count++] = $item;
+ if ($first eq 1) {
+ $list = $item;
+ $first = 0;
+ } else {
+ $list = $list.",".$item;
+ }
+ }
+DONE:
+# $list = $list.",External CA";
+ $::config->put("preop.ca.list", $list);
+
+ $::symbol{urls_size} = $count;
+ if ($count eq 0) {
+ $::symbol{errorString} = "no CA found. CA, TKS, and optionally DRM must be installed prior to RA installation";
+ return 0;
+ }
+ return 1;
+}
+
+sub get_domain_xml
+{
+ my $host = $1;
+ my $https_ee_port = $2;
+
+ # get the domain xml
+ # e. g. 
- https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML
+
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+
+ my $sd_host = $::config->get("securitydomain.host");
+ my $sd_admin_port = $::config->get("securitydomain.httpsadminport");
+ my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`;
+
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+ return $content;
+}
+
+sub get_secure_admin_port_from_domain_xml
+{
+ my $content = $1;
+ my $host = $2;
+ my $https_ee_port = $3;
+
+ # Retrieve the secure admin port corresponding
+ # to the selected host and secure ee port.
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($content);
+ my $xml = $parser->XMLin( $response->{'DomainInfo'},
+ ForceArray => 1 );
+ my $https_admin_port = "";
+ my $count = 0;
+ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
+ if( ( $host eq $c->{'Host'}[0] ) &&
+ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
+ $https_admin_port = https_$c->{'SecureAdminPort'}[0];
+ }
+
+ $count++;
+ }
+
+ return $https_admin_port;
+}
+
+sub get_secure_agent_port_from_domain_xml
+{
+ my $content = $1;
+ my $host = $2;
+ my $https_ee_port = $3;
+
+ # Retrieve the secure agent port corresponding
+ # to the selected host and secure ee port. 
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($content);
+ my $xml = $parser->XMLin( $response->{'DomainInfo'},
+ ForceArray => 1 );
+ my $https_agent_port = "";
+ my $count = 0;
+ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
+ if( ( $host eq $c->{'Host'}[0] ) &&
+ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
+ $https_agent_port = https_$c->{'SecureAgentPort'}[0];
+ }
+
+ $count++;
+ }
+
+ return $https_agent_port;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/CertInfo.pm b/base/ra/lib/perl/PKI/RA/CertInfo.pm
new file mode 100755
index 000000000..d1a8c3817
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/CertInfo.pm
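Review bot: `get_domain_xml`, `get_secure_admin_port_from_domain_xml` and `get_secure_agent_port_from_domain_xml` read their arguments from the regex capture variables `$1`/`$2`/`$3` instead of `@_`, so the values passed in from `update` never arrive and `$host`/`$https_ee_port` hold whatever the last successful match left behind; each should open with `my ($host, $https_ee_port) = @_;` and `my ($content, $host, $https_ee_port) = @_;` respectively. In the two port helpers `https_$c->{'SecureAdminPort'}[0]` (and the agent-port twin) carries a stray `https_` bareword in front of the value, which looks like a typo for plain `$c->{'SecureAdminPort'}[0]`, and `XML::Simple` is called without a `use XML::Simple;` anywhere in this file. In `update`, `$host` and `$https_ee_port` are derived from the `urls` request parameter and interpolated unquoted into the `sslget` `system()` command line next to the NSS database password, and the output is redirected to the predictable path `/tmp/ca-$$`; restricting the host and port to a strict pattern (hostname characters and digits only) before building the command, and using `File::Temp` for the output file, closes both problems. `$caCert` is also compared with `eq ""` while still undefined when the `ChainBase64` regex does not match, which warns under `use warnings`; declare it as `my $caCert = "";`.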
@@ -0,0 +1,133 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::CertInfo;
+$PKI::RA::CertInfo::VERSION = '1.00';
+
+sub new {
+ my ($class, $name, $dn, $tag) = @_;
+ my $self = {};
+
+ &PKI::RA::Wizard::debug_log("CertInfo: start new");
+ $self->{"getUserFriendlyName"} = \&get_user_friendly_name;
+ $self->{"getCertTag"} = \&get_cert_tag;
+ $self->{"getDN"} = \&get_dn;
+ $self->{"getNickname"} = \&get_nickname;
+ $self->{"useDefaultKey"} = \&use_default_key;
+ $self->{"getCustomKeysize"} = \&get_custom_keysize;
+ $self->{"keyOption"} = \&get_key_option;
+ &PKI::RA::Wizard::debug_log("CertInfo: end new");
+
+ $self->{name} = $name;
+ $self->{dn} = $dn;
+ $self->{tag} = $tag;
+
+ bless $self, $class;
+ return $self;
+}
+
+sub get_user_friendly_name
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_user_friendly_name");
+ return $self->{name};
+}
+
+sub get_cert_tag
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_cert_tag");
+ return $self->{tag};
+}
+
+sub get_dn
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_cert_dn");
+ return $self->{dn};
+}
+
+sub 
use_default_key
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: use_default_key");
+ my $option = $::config->get("preop.cert.$self->{tag}.keysize.select");
+ if (($option ne "") && ($option ne "default")) {
+ return 0;
+ }
+ return 1;
+}
+
+sub get_nickname
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_nickname");
+ my $nickname = $::config->get("preop.cert.$self->{tag}.nickname");
+
+ my $flavor = "pki";
+ $flavor =~ s/\n//g;
+
+ if ($nickname ne "") {
+ return $nickname;
+ } else {
+ return $self->{tag}."cert cert-$flavor-ra";
+ }
+}
+
+sub get_key_option
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_key_option");
+ my $option = $::config->get("preop.cert.$self->{tag}.keysize.select");
+
+ if ($option ne "") {
+ &PKI::RA::Wizard::debug_log("CertInfo: get_key_option from config = $option");
+ return $option;
+ } else {
+ &PKI::RA::Wizard::debug_log("CertInfo: get_key_option not from config");
+ return "default";
+ }
+}
+
+sub get_custom_keysize
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_custom_keysize");
+ my $size = $::config->get("preop.cert.$self->{tag}.keysize.customsize");
+ &PKI::RA::Wizard::debug_log("CertInfo: get_custom_keysize for preop.cert.$self->{tag}.keysize.customsize is $size");
+ if ($size ne "") {
+ &PKI::RA::Wizard::debug_log("CertInfo: get_custom_keysize from config is $size");
+ return $size;
+ } else {
+ &PKI::RA::Wizard::debug_log("CertInfo: get_custom_keysize not from config");
+ return 2048;
+ }
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm b/base/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm
new file mode 100755
index 000000000..cf58d2327
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm
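Review bot: `get_custom_keysize` returns whatever string `preop.cert.<tag>.keysize.customsize` holds without checking that it is a positive integer, while the fallback branch returns the number `2048`; since the value presumably ends up in a key-generation command elsewhere, guard it with `if ($size =~ /^\d+$/) { return $size; }` and fall through to the default otherwise. In `get_nickname` the `$flavor =~ s/\n//g;` applied to the literal `"pki"` is a no-op, apparently left over from an earlier lookup, and can be dropped. `get_dn` logs `CertInfo: get_cert_dn` although the sub is named `get_dn`, which makes the debug log harder to grep.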
@@ -0,0 +1,85 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::CertPrettyPrintPanel;
+$PKI::RA::CertPrettyPrintPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(13);
+ $self->{"getName"} = &PKI::RA::Common::r("Certificates");
+ $self->{"vmfile"} = "certprettyprintpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertPrettyPrintPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertPrettyPrintPanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertPrettyPrintPanel: display");
+ return 1;
+}
+
+1;
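Review bot: `getPanelNo` is set to `&PKI::RA::Common::r(13)` here, and the CertRequestPanel added by the same commit registers the same number 13; if the wizard indexes panels by that number one of the two will shadow the other, so one of them most likely needs renumbering. The `$q` parameter of the stub subs is unused, which is fine, but `validate` is not stored in `$self` the way `update` and `panelvars` are — confirm the wizard looks it up by package name rather than through the hash.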
diff --git a/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm b/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm
new file mode 100755
index 000000000..51eb1d400
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm
@@ -0,0 +1,301 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use PKI::RA::ReqCertInfo;
+use FileHandle;
+
+package PKI::RA::CertRequestPanel;
+$PKI::RA::CertRequestPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+our $cert_req_header="-----BEGIN NEW CERTIFICATE REQUEST-----";
+our $cert_req_footer="-----END NEW CERTIFICATE REQUEST-----";
+our $cert_header="-----BEGIN CERTIFICATE-----";
+our $cert_footer="-----END CERTIFICATE-----";
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(13);
+ $self->{"getName"} = &PKI::RA::Common::r("Certificate Requests");
+ $self->{"vmfile"} = "certrequestpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: 
validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update");
+
+ my $i = 0;
+
+ my $instanceDir = $::config->get("service.instanceDir");
+
+ my $useExternalCA = $::config->get("preop.certenroll.useExternalCA");
+ if ($useExternalCA eq "on") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: useExternalCA is on");
+ } else {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: useExternalCA is off");
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update auto enrollment should have been done, no more action needed");
+ return 1;
+ }
+
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update External CA selected, retrieve/process user input");
+
+ my $tokenname = $::config->get("preop.module.token");
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update got token name = $tokenname");
+ my $token_pwd = $::pwdconf->get($tokenname);
+ $token_pwd =~ s/\n//g;
+ open FILE, ">$instanceDir/conf/.pwfile";
+ system( "chmod 00660 $instanceDir/conf/.pwfile" );
+ print FILE $token_pwd;
+ close FILE;
+
+ my $hw;
+ my $tk;
+
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ $hw = "";
+ $tk = "";
+ } else {
+ $hw = "-h $tokenname";
+ $tk = $tokenname.":";
+ }
+
+ foreach my $certtag (@PKI::RA::Wizard::certtags) {
+ if ($certtag eq "subsystem") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: subsystem cert is pre-generated by the security domain");
+ return 1;
+ }
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: for certag= $certtag");
+ my $ccert = $::config->get("preop.cert.$certtag.cert");
+ if ($ccert ne "") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: cert already exists in CS.cfg, go to next");
+ next;
+ }
+ my $certchain = $q->param($certtag.'_cc');
+ if ($certchain ne "") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: $certtag certchain is $certchain");
+ my $cc_fn = "$instanceDir/conf/caCertChain.txt";
+ my $tmp = `echo "$certchain" > 
$cc_fn`;
+ # remove existing one
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: try to delete existing certchain, if any....ok if it fails");
+# XXX remove should not be done lightly...
+ $tmp = `p7tool -d $instanceDir/alias -p $instanceDir/conf/chain1cert -a -i $cc_fn -o $instanceDir/conf/CAchain_pp.txt`;
+ my $r = $? >> 8;
+ my $failed = $? & 127;
+ if (($r > 0) && ($r < 10) && !$failed) {
+ my $i = 0;
+ while ($i ne $r) {
+ $tmp = `certutil -d $instanceDir/alias -D -n "Trusted CA $certtag cert$i"`;
+ $tmp = `certutil -d $instanceDir/alias -A -f $instanceDir/conf/.pwfile -n "Trusted CA $certtag cert$i" -t "CT,C,C" -i $instanceDir/conf/chain1cert$i.der`;
+# $tmp = `rm $cc_fn`;
+ $i++
+ }
+ }
+ } else {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: no certchain included for certtag $certtag");
+ }
+
+ my $cert = $q->param($certtag);
+ if ($cert ne "") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: $certtag cert is $cert");
+ my $nickname = $::config->get("preop.cert.$certtag.nickname");
+ if ($nickname eq "") {
+ $nickname = "RA ".$certtag." cert";
+ $::config->put("preop.cert.$certtag.nickname", $nickname);
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: $certtag cert nickname not found in CS.cfg, generating one= $nickname");
+ }
+ #remove existing one
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: try to delete existing cert $nickname, if any....ok if it fails");
+#XXX remove should not be done lightly...
+ my $tmp = `certutil -d $instanceDir/alias -D -n "$nickname"`;
+ $tmp = `certutil -d $instanceDir/alias -D $hw -f $instanceDir/conf/.pwfile -n "$tk$nickname"`;
+ #now import the cert
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: try to import cert");
+ my $cert_fn = "$instanceDir/conf/$certtag"."_cert.txt";
+ $tmp = `echo "$cert" > $cert_fn`;
+
+# $cert = extract_cert_from_file_sans_header_and_footer($cert_fn);
+ my $certa ="";
+ my $save_line = 0;
+ my @cert_a = split "\n", $cert;
+ foreach my $line (@cert_a) {
+ chomp( $line );
+ $line =~ s/\r//g;
+ if ($line eq $cert_header) {
+ $save_line = 1;
+ } elsif( $line eq $cert_footer ) {
+ $save_line = 0;
+ last;
+ } elsif( $save_line == 1 ) {
+ $certa .= "$line";
+ }
+ }
+
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update putting cert in CS.cfg: $certa");
+
+ $::config->put("preop.cert.$certtag.cert", $certa);
+
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: about to certutil -d $instanceDir/alias $hw -A -f $instanceDir/conf/.pwfile -n $nickname -t u,u,u -a -i $cert_fn");
+ $tmp = `certutil -d $instanceDir/alias $hw -A -f $instanceDir/conf/.pwfile -n "$nickname" -t "u,u,u" -a -i $cert_fn`;
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: done certutil: $tmp");
+ $tmp = `rm $cert_fn`;
+
+ # changed the cert, need to change nickname too, if necessary
+ if ($hw ne "") {
+ $::config->put("preop.cert.$certtag.nickname", "$tk$nickname");
+ if ($certtag eq "subsystem") {
+ $::config->put("conn.ca1.clientNickname","$tk$nickname");
+ $::config->put("conn.drm1.clientNickname","$tk$nickname");
+ $::config->put("conn.tks1.clientNickname","$tk$nickname");
+ }
+ }
+
+ } else {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: no cert");
+ }
+ }
+
+DONE:
+ $::config->commit();
+ my $tmp = `rm $instanceDir/conf/.pwfile`;
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: display");
+
+ my $domain_name = 
$::config->get("preop.securitydomain.name");
+ if ($domain_name eq "") {
+ $domain_name = "RA Domain";
+ }
+ my $machine_name = $::config->get("service.machineName");
+ my $instance_id = $::config->get("service.instanceID");
+
+ my $i = 0;
+ foreach my $certtag (@PKI::RA::Wizard::certtags) {
+ my $cert_dn = $::config->get("preop.cert.".$certtag.".dn");
+ if ($cert_dn eq "") {
+ if ($certtag eq "subsystem") {
+ $cert_dn = "CN=RA Subsystem, " .
+ "OU=" . $instance_id . ", " .
+ "O=" . $domain_name;
+ } elsif ($certtag eq "sslserver") {
+ $cert_dn ="CN=" . $machine_name . ", " .
+ "OU=" . $instance_id . ", " .
+ "O=" . $domain_name;
+ } else {
+ $cert_dn = $certtag;
+ }
+ }
+
+ my $name = $::config->get("preop.cert.".$certtag.".userfriendlyname");
+ if ($name eq "") {
+ $name = $certtag."Cert ".$instance_id;
+ }
+
+ my $reqcert = new PKI::RA::ReqCertInfo($name,
+ $cert_dn, $certtag);
+ $::symbol{reqscerts}[$i++] = $reqcert;
+ }
+
+ $::symbol{errorString} = "";
+ $::symbol{showApplyButton} = "true";
+
+ return 1;
+}
+
+# arg0 message containing certificate
+# return certificate sans header and footer
+# -- all in a one-liner
+sub extract_cert_from_file_sans_header_and_footer
+{
+ my $filename = $_[0];
+ my $save_line = 0;
+
+ my $fd = new FileHandle;
+
+ my $cert = "";
+
+ $fd->open( "<$filename" ) or die "Could not open '$filename'!\n";
+
+ while( <$fd> )
+ {
+ my $line = $_;
+ chomp( $line );
+ $line =~ s/^M//g;
+
+ if( $line eq $cert_header ) {
+ $save_line = 1;
+ } elsif( $line eq $cert_footer ) {
+ $save_line = 0;
+ last;
+ } elsif( $save_line == 1 ) {
+ $cert .= "$line";
+ }
+ }
+
+ $fd->close();
+
+ return $cert;
+}
+
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/Common.pm b/base/ra/lib/perl/PKI/RA/Common.pm
new file mode 100755
index 000000000..8deab8c6c
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/Common.pm
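Review bot: inside the `foreach my $certtag` loop in `update`, the `subsystem` branch does `return 1;`, which leaves the loop, skips every remaining tag, and bypasses the `$::config->commit()` and the `rm $instanceDir/conf/.pwfile` after `DONE:`, so the token password file stays on disk; `next;` is what the surrounding flow expects. The `$certchain` and `$cert` request parameters are written to disk through `` `echo "$certchain" > $cc_fn` `` and `` `echo "$cert" > $cert_fn` ``, so any shell metacharacter in the submitted PEM text is interpreted by the shell; write them with Perl I/O instead, e.g. `open(my $fh, '>', $cc_fn) or die "cannot write $cc_fn: $!"; print $fh $certchain; close($fh);`, which also removes the dependency on `echo` semantics. `.pwfile` is created with `open FILE, ">$instanceDir/conf/.pwfile";` and only afterwards `chmod 00660`, so it briefly exists with umask-default permissions while holding the token password, and the `open` result is never checked; calling `umask(077)` before the `open` (or doing the `chmod` before the `print`) and checking `open ... or return 0` closes that window. `$i++` before the closing brace of the inner `while` is missing its `;` (legal there, but brittle), and the `DONE:` label is never jumped to.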
@@ -0,0 +1,50 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package PKI::RA::Common;
+
+use strict;
+use warnings;
+use Exporter;
+
+use vars qw(@ISA @EXPORT @EXPORT_OK);
+@ISA = qw(Exporter Autoloader);
+@EXPORT = qw(r yes no);
+
+$PKI::RA::Common::VERSION = '1.00';
+
+sub yes {
+ return sub {1};
+}
+
+sub no {
+ return sub {0};
+}
+
+sub r {
+ my $a = shift;
+ return sub { $a; }
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/Config.pm b/base/ra/lib/perl/PKI/RA/Config.pm
new file mode 100755
index 000000000..f1ace5b03
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/Config.pm
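Review bot: `@ISA = qw(Exporter Autoloader);` names a package that is never loaded in this file (the core module is spelled `AutoLoader`), so method resolution falls through to a class that does not exist; since nothing here relies on autoloading, `@ISA = qw(Exporter);` is sufficient. In `r`, `my $a = shift;` lexicalises the special sort variable `$a`, which perl warns about if a `sort` block is ever used in this scope; a plain name such as `my $value = shift;` avoids that trap.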
@@ -0,0 +1,170 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package PKI::RA::Config;
+
+use strict;
+use warnings;
+use Exporter;
+
+$PKI::RA::Config::VERSION = '1.00';
+
+#######################################################
+# Configuration Store
+#######################################################
+sub new {
+ my $class = shift;
+ my $self = {};
+ my %hash = ();
+ $self->(unknown) = "";
+ $self->{hash} = \%hash;
+ bless $self,$class;
+ return $self;
+}
+
+sub load_file
+{
+ my ($self, $filename) = @_;
+
+ $self->(unknown) = $filename;
+ if (-e $filename) {
+ open(CF, "<$filename");
+ if (defined fileno CF) {
+ while (<CF>) {
+ if (/^#/) {
+ # comments
+ } elsif (/([^=]+)=(.*)$/) {
+ # print "$1 = $2\n";
+ $self->{hash}{$1} = $2;
+ } else {
+ # preserve comments
+ }
+ }
+ }
+ close(CF);
+ }
+}
+
+sub get_filename
+{
+ my ($self) = @_;
+ return $self->(unknown);
+}
+
+sub get
+{
+ my ($self, $n) = @_;
+ return $self->{hash}{$n};
+}
+
+sub put
+{
+ my ($self, $n, $v) = @_;
+ $self->{hash}{$n} = $v;
+}
+
+sub deleteSubstore
+{
+ my ($self, $n) = @_;
+ foreach my $xkey (keys %{$self->{hash}}) {
+ if ($xkey =~ /^\Q$n\E/) {
+ delete $self->{hash}{$xkey};
+ }
+ }
+}
+
+sub commit
+{
+ my 
($self) = @_;
+
+ # write stuff back to the file
+# print $self->(unknown) . "\n";
+ my $hash = $self->{hash};
+ my $suffix = time();
+
+ if (-e $self->(unknown)) {
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system("cp -p \"" . $self->(unknown) . "\" \"" .
+ $self->(unknown) . "." . $suffix . "\"");
+ }
+
+ # Overwrite the contents of the original file
+ # to preserve the original file permissions
+ open(F, ">" . $self->(unknown));
+ foreach my $k (sort keys %{$hash}) {
+ print F "$k=$self->{hash}{$k}\n";
+ }
+ close(F);
+
+ if (-e $self->(unknown) . "." . $suffix) {
+ system("rm \"" . $self->(unknown) . "." . $suffix . "\"");
+ }
+}
+
+sub commit_with_backup
+{
+ my ($self) = @_;
+
+ # write stuff back to the file
+# print $self->(unknown) . "\n";
+ my $hash = $self->{hash};
+ my $suffix = time();
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system("cp -p \"" . $self->(unknown) . "\" \"" .
+ $self->(unknown) . "." . $suffix . "\"");
+
+ # Overwrite the contents of the original file
+ # to preserve the original file permissions
+ open(F, ">" . $self->(unknown));
+ foreach my $k (sort keys %{$hash}) {
+ print F "$k=$self->{hash}{$k}\n";
+ }
+ close(F);
+}
+
+1;
+
+#######################################################
+# Test Program
+#######################################################
+#my $config = PKI::RA::Config->new();
+#$config->load_file("/tmp/CS.cfg");
+#print $config->get("tokendb.indexAdminTemplate") . "\n";
+#$config->put("tokendb.indexAdminTemplate", "Testing");
+#print $config->get("tokendb.indexAdminTemplate") . "\n";
+#$config->commit();
+
+1;
+
+#######################################################
+# Test Program
+#######################################################
+#my $config = PKI::RA::Config->new();
+#$config->load_file("/tmp/CS.cfg");
+#print $config->get("tokendb.indexAdminTemplate") . 
"\n";
+#$config->put("tokendb.indexAdminTemplate", "Testing");
+#print $config->get("tokendb.indexAdminTemplate") . "\n";
+#$config->commit();
diff --git a/base/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm b/base/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm
new file mode 100755
index 000000000..bf74890cc
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm
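Review bot: in `commit` the `open(F, ">" . ...)` on the config file is unchecked, so if the file cannot be opened for writing the `print F` loop silently writes nothing and the backup copy taken just before is then removed with `rm`, losing the configuration; use the three-argument form with a check, `open(F, '>', $self->get_filename()) or die "cannot write config: $!";`, and the same in `commit_with_backup` and in `load_file`, which currently uses a two-argument `open` and compensates with `defined fileno CF`. The backup in both commit subs is made via `system("cp -p \"" . ... . "\"")` with the filename embedded in a double-quoted shell string, which breaks on a filename containing a quote or `$`; `File::Copy::copy` followed by `chmod` keeps the operation inside Perl and needs no quoting. The file also ends with two identical commented-out "Test Program" blocks and two `1;` statements; one copy is enough.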
@@ -0,0 +1,104 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::ConfigHSMLoginPanel;
+$PKI::RA::ConfigHSMLoginPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(9);
+ $self->{"getName"} = &PKI::RA::Common::r("Security Modules Login");
+ $self->{"vmfile"} = "config_hsmloginpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 1;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel: update");
+ my $uTokName = $q->param('uTokName');
+ my $uPasswd = $q->param('__uPasswd');
+
+# &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel: update tokname= $uTokName pwd =$uPasswd");
+
+ $::pwdconf->put($uTokName, $uPasswd);
+ $::pwdconf->commit();
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ use Data::Dumper;
+ $Data::Dumper::Indent = 1;
+# &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel -> dump of q= ". Dumper($q));
+ $::symbol{SecToken} = $q->param('SecToken');
+# &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel -> display has ".$q->param('SecToken'));
+
+ &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel -> display retrieving $q->param('SecToken') ");
+ my $pwd = $::pwdconf->get( $q->param('SecToken'));
+ if ($pwd ne "") {
+ &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel -> display retrieved pwd from pwdconf");
+ }
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm b/base/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm
new file mode 100755
index 000000000..095ed5879
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm
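Review bot: In `update`, `uTokName` and `__uPasswd` come straight from the request and are passed to `$::pwdconf->put`/`commit` with no check that the token name is non-empty or free of `=` and newline characters; if `$::pwdconf` is the `PKI::RA::Config` whose `commit` writes one `key=value` line per entry, such a name changes the structure of the password file when it is written back. A guard such as `return 0 unless defined $uTokName && $uTokName =~ /^[^=\r\n]+$/;` before the `put` keeps the file well-formed. Separately, the `debug_log` call in `display` interpolates `$q->param('SecToken')` inside a double-quoted string, which logs the stringified CGI object followed by literal text rather than the token name; assign `my $tok = $q->param('SecToken');` first and log `$tok`. The commented-out log line that would print `$uPasswd` is better deleted than left for someone to re-enable.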
@@ -0,0 +1,72 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::ConfigHSMPanel;
+$PKI::RA::ConfigHSMPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&PKI::RA::Common::no;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(12);
+ $self->{"getName"} = &PKI::RA::Common::r("ConfigHSMLogin");
+ $self->{"vmfile"} = "config_hsm.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMPanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMPanel: display");
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm b/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm
new file mode 100755
index 000000000..fadd7727c
--- /dev/null
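Review bot: `getName` in `new` returns `"ConfigHSMLogin"` although this package is `ConfigHSMPanel` and renders `config_hsm.vm`, so the wizard labels this panel with the login panel's name; give it a name that matches this panel. This constructor also sets no `"hasSubPanel"` entry while every sibling panel in this series does; whether `PKI::RA::BasePanel` supplies a default cannot be seen here, so either add it or note why it is not needed.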
+++ b/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm 
@@ -0,0 +1,140 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use URI::URL; + +package PKI::RA::DRMInfoPanel; +$PKI::RA::DRMInfoPanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(6); + $self->{"getName"} = &PKI::RA::Common::r("DRM Information"); + $self->{"vmfile"} = "drminfopanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DRMInfoPanel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DRMInfoPanel: update"); + + my $choice = $q->param('choice'); + $::config->put("preop.krainfo.keygen", $choice); + + if ($choice eq "keygen") { + my $count = $q->param('urls'); + my 
$instanceID = $::config->get("service.instanceID"); + my $host = ""; + my $https_agent_port = ""; + if ($count =~ /http/) { + my $info = new URI::URL($count); + $host = $info->host; + $https_agent_port = $info->port; + } else { + $host = $::config->get("preop.securitydomain.kra$count.host"); + $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport"); + } + if (($host eq "") || ($https_agent_port eq "")) { + $::symbol{errorString} = "no DRM found. CA, TKS and DRM must be installed prior to RA installation"; + return 0; + } + + $::config->put("preop.krainfo.select", "https://$host:$https_agent_port"); + my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname"); + $::config->put("conn.drm1.clientNickname", $subsystemCertNickName); + $::config->put("conn.drm1.hostport", $host . ":" . $https_agent_port); + $::config->put("conn.tks1.serverKeygen", "true"); + $::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "true"); + $::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "true"); + } else { + # no keygen + $::config->put("conn.tks1.serverKeygen", "false"); + $::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "false"); + $::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "false"); + $::config->put("conn.drm1.clientNickname", ""); + $::config->put("conn.drm1.hostport", ""); + } + $::config->commit(); + + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DRMInfoPanel: display"); + + $::symbol{urls} = []; + my $count = 0; + while (1) { + my $host = $::config->get("preop.securitydomain.kra$count.host"); + if ($host eq "") { + goto DONE; + } + my $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport"); + my $name = $::config->get("preop.securitydomain.kra$count.subsystemname"); + $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . 
$https_agent_port; + } +DONE: + $::symbol{urls_size} = $count; + + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/DatabasePanel.pm b/base/ra/lib/perl/PKI/RA/DatabasePanel.pm new file mode 100755 index 000000000..e469e51f8 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/DatabasePanel.pm 
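Review bot: In `update`, the `urls` parameter is used unvalidated: when it does not contain `http` it is interpolated directly into config key names (`preop.securitydomain.kra$count.host`), and when it does, whatever scheme, host and port the client supplied become `conn.drm1.hostport` and `preop.krainfo.select` with no check that they correspond to one of the DRMs that `display` enumerated. Restrict the index form with `return 0 unless $count =~ /^\d+$/;` and, for the URL form, require `$info->scheme eq 'https'` and preferably match host and port against the `preop.securitydomain.kra*` entries before writing config. `$choice` is likewise stored into `preop.krainfo.keygen` before it is examined, so any value other than `keygen` silently takes the no-keygen branch; check it up front. In `display`, `goto DONE` can simply be `last`, and `$host eq ""` warns under `use warnings` when `get` returns undef.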
@@ -0,0 +1,109 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; + +use DBI; +package PKI::RA::DatabasePanel; +$PKI::RA::DatabasePanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(8); + $self->{"getName"} = &PKI::RA::Common::r("Internal Database"); + $self->{"vmfile"} = "databasepanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DatabasePanel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DatabasePanel: update"); + my $instDir = $::config->get("service.instanceDir"); + + # create local database + my $dbh = DBI->connect( + "dbi:SQLite:dbname=$instDir/conf/dbfile","",""); + + # 
create database lockfile + system("touch $instDir/conf/dblock"); + + open(F, "/usr/share/pki/ra/scripts/schema.sql"); + while (<F>) { + if (!($_ =~ /^#/)) { + $dbh->do($_); + } + } + close(F); + + $dbh->disconnect(); + + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DatabasePanel: display"); + + my $machineName = $::config->get("service.machineName"); + my $instanceId = $::config->get("service.instanceID"); + + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm b/base/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm new file mode 100755 index 000000000..46c8a2902 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm 
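Review bot: `DBI->connect` and the `open(F, "/usr/share/pki/ra/scripts/schema.sql")` in `update` are unchecked, so a connect failure makes `$dbh->do` die on an undefined value and a missing schema file silently yields an empty database while `update` still returns 1. Use `my $dbh = DBI->connect("dbi:SQLite:dbname=$instDir/conf/dbfile", "", "", { RaiseError => 1 }) or die $DBI::errstr;` and `open(F, "<", "/usr/share/pki/ra/scripts/schema.sql") or die "cannot open schema.sql: $!";`. The lock file is created with `system("touch $instDir/conf/dblock")`, which passes a config value through the shell unquoted; `open(my $lock, '>>', "$instDir/conf/dblock") or die $!; close $lock;` does the same without a shell. `$dbh->do($_)` runs the schema one physical line at a time, so this only works if every statement in `schema.sql` fits on one line, which is worth a comment. `display` computes `$machineName` and `$instanceId` but never uses them.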
@@ -0,0 +1,179 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use FileHandle; + +package PKI::RA::DisplayCertChain2Panel; +$PKI::RA::DisplayCertChain2Panel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +our $cert_header="-----BEGIN CERTIFICATE-----"; +our $cert_footer="-----END CERTIFICATE-----"; + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(7); + $self->{"getName"} = &PKI::RA::Common::r("Display Certificate Chain"); + $self->{"vmfile"} = "displaycertchain2panel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub readFile +{ + my $fn = $_[0]; + open FILE, "< $fn" or return ""; + my $content = join "",<FILE>; + close FILE; + + return $content; +} + +sub validate +{ + my ($q) = @_; + 
&PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: update"); + + my $instanceDir = $::config->get("service.instanceDir"); + +# my $caCert = readFile("$instanceDir/conf/caCertChain2.txt"); + my $caCert = extract_cert_from_file_sans_header_and_footer("$instanceDir/conf/caCertChain2.txt"); + + #store in config + $::config->put("preop.ca.certchain", $caCert); + $::config->commit(); + # import it into the security database + my $tmp = `p7tool -d $instanceDir/alias -p $instanceDir/conf/chain2cert -a -i $instanceDir/conf/caCertChain2.txt -o $instanceDir/conf/CAchain2_pp.txt`; + my $r = $? >> 8; + my $failed = $? & 127; + if (($r > 0) && ($r < 10) && !$failed) { + my $i = 0; + while ($i ne $r) { + $tmp = `certutil -d $instanceDir/alias -D -n "Trusted CA c2cert$i"`; + $tmp = `certutil -d $instanceDir/alias -A -f $instanceDir/conf/.pwfile -n "Trusted CA c2cert$i" -t "CT,C,C" -i $instanceDir/conf/chain2cert$i.der`; + $i++ + } + } + + # clean up +# my $tmp = `rm $instanceDir/conf/caCertChain2.txt`; +# $tmp = `rm $instanceDir/conf/CAchain2_pp.txt`; + + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: display"); + my $instanceDir = $::config->get("service.instanceDir"); + + my $found = -e "$instanceDir/conf/caCertChain2.txt"; + my $certpp = ""; + if ($found) { + &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: display found caCertChain2.txt"); + my $tmp = `p7tool -d $instanceDir/alias -p $instanceDir/conf/chain2cert -a -i $instanceDir/conf/caCertChain2.txt -o $instanceDir/conf/CAchain2_pp.txt`; + + $certpp = readFile("$instanceDir/conf/CAchain2_pp.txt"); + &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: display read CAchain2_pp.txt"); + $certpp =~ s/"//g; + &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: certpp2= $certpp"); + } + +# $symbol{certchain} = [ "cert1", "cert2" ]; +# 
$symbol{certchain_size} = 2; + $::symbol{certchain} = "$certpp"; + $::symbol{certchain_size} = 1; + + &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: display done"); + return 1; +} + +# return certificate sans header and footer +# -- all in a one-liner +sub extract_cert_from_file_sans_header_and_footer +{ + my $filename = $_[0]; + my $save_line = 0; + + my $fd = new FileHandle; + + my $cert = ""; + + $fd->open( "<$filename" ) or die "Could not open '$filename'!\n"; + + while( <$fd> ) + { + my $line = $_; + chomp( $line ); + $line =~ s/^M//g; + + if( $line eq $cert_header ) { + $save_line = 1; + } elsif( $line eq $cert_footer ) { + $save_line = 0; + last; + } elsif( $save_line == 1 ) { + $cert .= "$line"; + } + } + + $fd->close(); + + return $cert; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm b/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm new file mode 100755 index 000000000..dd991a917 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm 
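Review bot: In `extract_cert_from_file_sans_header_and_footer`, `$line =~ s/^M//g;` — if those are the two characters `^` and `M` rather than a literal carriage return — means "strip a leading M" and removes the first character of the first base64 line of a DER certificate, which begins with `MII`, so the stored `preop.ca.certchain` would be corrupt; use `$line =~ s/\r$//;` to strip a CR. The same helper `die`s on an unreadable file while `readFile` returns `""`, so a missing `caCertChain2.txt` aborts `update` with an uncaught exception instead of returning 0; the two should agree. In `update`, `$r` is p7tool's exit status used as a certificate count and is compared with `while ($i ne $r)`, a string comparison; `!=` is the numeric form, and the `($r > 0) && ($r < 10)` bound deserves a comment saying where it comes from. Every cert in that loop is imported with `-t "CT,C,C"` under a generated nickname; whether the file's contents were confirmed before this point happens outside this file.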
@@ -0,0 +1,348 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use URI::URL; +use MIME::Base64; + +package PKI::RA::DisplayCertChainPanel; +$PKI::RA::DisplayCertChainPanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(2); + $self->{"getName"} = &PKI::RA::Common::r("Display Certificate Chain"); + $self->{"vmfile"} = "displaycertchainpanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 1; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: validate"); + return 1; +} + +sub readFile +{ + my $fn = $_[0]; + open FILE, "< $fn" or return ""; + my $content = join "",<FILE>; + close FILE; + + return $content; +} + +sub update +{ + my ($q) = @_; + 
&PKI::RA::Wizard::debug_log("DisplayCertChainPanel: update"); + + my $instanceDir = $::config->get("service.instanceDir"); + + my $caCert = readFile("$instanceDir/conf/caCert.txt"); + + #store in config + $::config->put("preop.ca.certchain", $caCert); + $::config->commit(); + + # import it into the security database +# my $cmd1 = `/usr/bin/AtoB $instanceDir/conf/caCert.txt $instanceDir/conf/caCert.der`; + my $cmd2 = `/usr/bin/certutil -A -d \"$instanceDir/alias\" -t \"CT,CT,CT\" -n \"caCert\" -i $instanceDir/conf/caCert.der`; + + # clean up + my $tmp = `rm $instanceDir/conf/caCert.txt`; + $tmp = `rm $instanceDir/conf/caCert.der`; + $tmp = `rm $instanceDir/conf/caCert_pp.txt`; + + # complete the SecurityDomain task + my $sdomainAdminURL = $::config->get("config.sdomainAdminURL"); + if ($sdomainAdminURL eq "") { + return 2; + } + + my $machineName = $::config->get("service.machineName"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); + my $unsecurePort = $::config->get("service.unsecurePort"); + + # check if url is accessible + # redirect to the security domain authentication + if ($ENV{'SERVER_PORT'} eq $unsecurePort) { + $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA"; + } else { + $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $non_clientauth_securePort . 
"%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA"; + } + + get_domain_xml($sdomainAdminURL); + + + return 3; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: display"); + + # connect to the CA, and retrieve the CA certificate + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: update connecting to CA and retrieve cert chain"); + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $sdomainAdminURL = $::config->get("config.sdomainAdminURL"); + if ($sdomainAdminURL eq "") { + return 2; + } + + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + + my $url_info = new URI::URL($sdomainAdminURL); + my $sd_host = $url_info->host; + my $sd_admin_port = $url_info->port; + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getCertChain\" $sd_host:$sd_admin_port`; + + my $caCert = ""; + if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) { + $caCert = $1; + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: ca= $caCert"); + } + + my $certpp = ""; + if ($caCert ne "") { + open(F, ">$instanceDir/conf/caCert.txt"); + print F $caCert; + close(F); + + # test to see if tmp directory exists, if not, create + my $found = -e "$instanceDir/conf/tmp"; + if (! 
$found) { + my $tmp = `mkdir $instanceDir/conf/tmp`; + } + + # import it into a temporary security database +# my $cmd1 = `/usr/bin/AtoB $instanceDir/conf/caCert.txt $instanceDir/conf/caCert.der`; + # my $cmd1 = `/usr/bin/openssl base64 -d -A -in $instanceDir/conf/caCert.txt -out $instanceDir/conf/caCert.der`; + + my $txt = `cat $instanceDir/conf/caCert.txt`; + open(OUT, ">$instanceDir/conf/caCert.der"); + print OUT MIME::Base64::decode($txt); + close(OUT); + + my $cmd2 = `/usr/bin/certutil -A -d \"$instanceDir/conf/tmp\" -t \"CT,CT,CT\" -n \"caCert\" -i $instanceDir/conf/caCert.der`; + + # get pretty print from temp db + my $tmp = `certutil -d $instanceDir/conf/tmp -n "caCert" -L > $instanceDir/conf/caCert_pp.txt`; + $certpp = readFile("$instanceDir/conf/caCert_pp.txt"); + $certpp =~ s/"//g; + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: certpp= $certpp"); + # clean up temp db + $tmp = `certutil -d $instanceDir/alias/tmp -D -n "caCert"`; + } else { + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: update no certchain found"); + } + + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: display certchain=$caCert"); + +# $symbol{certchain} = [ "cert1", "cert2" ]; +# $symbol{certchain_size} = 2; + $::symbol{certchain} = "$certpp"; +# This certchain_size does not matter + $::symbol{certchain_size} = 1; + + return 1; +} + +sub get_domain_xml +{ + my ($sdomainAdminURL) = @_; + + my $sdom_info = new URI::URL($sdomainAdminURL); + # get the domain xml + # e. g. 
- https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML + + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + + my $sd_host = $sdom_info->host; + my $sd_admin_port = $sdom_info->port; + my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`; + + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + + &PKI::RA::Wizard::debug_log("content = " . $content); + + my $parser = XML::Simple->new(); + my $response = $parser->XMLin($content); + my $xml = $parser->XMLin($response->{'DomainInfo'}, + ForceArray => 1); + + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: security domain '" . + $xml->{'Name'}[0] . "'"); + $::config->put("preop.securitydomain.name", $xml->{'Name'}[0]); + $::config->put("securitydomain.name", $xml->{'Name'}[0]); + + # parse xml and store information in CS.cfg + my $count = 0; + $count = 0; + foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: Found CA '" . + $c->{'SubsystemName'}[0] . "'"); + $::config->put("preop.securitydomain.ca" . $count . ".subsystemname", + $c->{'SubsystemName'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".secureport", + $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . 
".host", + $c->{'Host'}[0]); + + # The user previously specified the CA Security Domain's + # SSL Admin URL in the "Security Domain Panel"; + # now retrieve this specified CA Security Domain's + # non-SSL EE, SSL Agent, and SSL EE URLs: + if( $sd_admin_port eq $c->{'SecureAdminPort'}[0] ) { + # Build the URLs + my $http_ee_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'UnSecurePort'}[0]; + my $https_agent_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'SecureAgentPort'}[0]; + my $https_ee_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'SecurePort'}[0]; + + # Store the URLs + $::config->put( "config.sdomainHttpURL", $http_ee_port ); + $::config->put( "config.sdomainAgentURL", $https_agent_port ); + $::config->put( "config.sdomainEEURL", $https_ee_port ); + + # Store additional values necessary for 'pkiremove' . . . + $::config->put( "securitydomain.httpport", + $c->{'UnSecurePort'}[0] ); + $::config->put( "securitydomain.httpsagentport", + $c->{'SecureAgentPort'}[0] ); + $::config->put( "securitydomain.httpseeport", + $c->{'SecurePort'}[0] ); + } + + $count++; + } + + $count = 0; + foreach my $c (@{$xml->{'TKSList'}[0]->{'TKS'}}) { + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: Found TKS '" . + $c->{'SubsystemName'}[0] . "'"); + $::config->put("preop.securitydomain.tks" . $count . ".subsystemname", + $c->{'SubsystemName'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".secureport", + $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . 
".host", + $c->{'Host'}[0]); + $count++; + } + + $count = 0; + foreach my $c (@{$xml->{'KRAList'}[0]->{'KRA'}}) { + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: Found KRA '" . + $c->{'SubsystemName'}[0] . "'"); + $::config->put("preop.securitydomain.kra" . $count . ".subsystemname", + $c->{'SubsystemName'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".secureport", + $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".host", + $c->{'Host'}[0]); + $count++; + } + + $count = 0; + foreach my $c (@{$xml->{'RAList'}[0]->{'RA'}}) { + &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: Found RA '" . + $c->{'SubsystemName'}[0] . "'"); + $::config->put("preop.securitydomain.ra" . $count . ".subsystemname", + $c->{'SubsystemName'}[0]); + $::config->put("preop.securitydomain.ra" . $count . ".secureport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.ra" . $count . ".non_clientauth_secure_port", + $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.ra" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); + $::config->put("preop.securitydomain.ra" . $count . ".host", + $c->{'Host'}[0]); + $count++; + } + $::config->commit(); +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/DonePanel.pm b/base/ra/lib/perl/PKI/RA/DonePanel.pm new file mode 100755 index 000000000..4a32a8270 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/DonePanel.pm 
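Review bot: In `display` and again in `get_domain_xml`, the NSS database password is extracted with a `grep ... | cut` shell pipeline and then placed on the `sslget` command line as `-p \"$db_password\"`, which exposes it to every local user via the process table and breaks, or is shell-interpreted, if it contains `"`, `$` or a backtick. Read `password.conf` in Perl instead (open the file and take the line beginning with `internal:`), and if sslget can read the password from a file, prefer that to `-p`. The cleanup in `display` runs `certutil -d $instanceDir/alias/tmp -D -n "caCert"`, but the temporary database was created in `$instanceDir/conf/tmp`, so the imported cert is never removed. In `get_domain_xml`, `$content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; $content = $1;` uses `$1` without checking the match, and `XML::Simple` is not in this file's `use` list, so unless another module loads it `XML::Simple->new()` fails at runtime. Selecting the CA solely by `$sd_admin_port eq $c->{'SecureAdminPort'}[0]` picks the wrong entry when two CAs in the domain share an admin port; compare `$c->{'Host'}[0]` with `$sd_host` as well.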
@@ -0,0 +1,399 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use URI::URL; +use XML::Simple; + +package PKI::RA::DonePanel; +$PKI::RA::DonePanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(16); + $self->{"getName"} = &PKI::RA::Common::r("Done"); + $self->{"vmfile"} = "donepanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DonePanel: validate"); + return 1; +} +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("DonePanel: update"); + return 1; +} + +sub register_ra +{ + my ($sdom, $url, $uri, $xname) = @_; + + &PKI::RA::Wizard::debug_log("DonePanel: register_ra at $url"); + 
&PKI::RA::Wizard::debug_log("DonePanel: subsystem $xname uri=$uri"); + + my $url_info = new URI::URL($url); + my $sdom_info = new URI::URL($sdom); + + # register RA to Security Domain + # submit request to CA + &PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain"); + + my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); + my $session_id = $::config->get("preop.sessionID"); + + &PKI::RA::Wizard::debug_log("DonePanel: Security Domain Info " . $url); + + # add service.securityDomainPort to the config file in case pkiremove + # needs to remove system reference from the security domain + $::config->put("service.securityDomainPort", $securePort); + $::config->commit(); + + my $uid = "RA-" . $machineName . "-" . $securePort; + my $name = "Registration Authority Subsystem"; + + my $instDir = $::config->get("service.instanceDir"); + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + + my $hw; + my $tk; + my $tokenname = $::config->get("preop.module.token"); + &PKI::RA::Wizard::debug_log("ReqCertInfo: update got token name = $tokenname"); + + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { + $hw = ""; + $tk = ""; + } else { + $hw = "-h $tokenname"; + $tk = $tokenname.":"; + } + + my $token_pwd = $::pwdconf->get($tokenname); + open FILE, ">$instDir/conf/.pwfile"; + system( "chmod 00660 $instDir/conf/.pwfile" ); + $token_pwd =~ s/\n//g; + print FILE $token_pwd; + close FILE; + + my $subsystemNickname = $::config->get("preop.cert.subsystem.nickname"); + my $certificate = `/usr/bin/certutil -d "$instDir/alias" -L $hw -f "$instDir/conf/.pwfile" -n "$subsystemNickname" -a`; + $certificate =~ s/-----BEGIN CERTIFICATE-----//g; + $certificate =~ s/-----END CERTIFICATE-----//g; + $certificate =~ s/\n$//g; + + + 
&PKI::RA::Wizard::debug_log("DonePanel: Connecting"); + + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + + my $params = "uid=" . $uid . "&" . + "name=" . $name . "&" . + "certificate=" . + URI::Escape::uri_escape("$certificate") . "&" . + "xmlOutput=true" . "&" . + "sessionID=" . $session_id . "&" . + "auth_hostname=" . $sdom_info->host . "&" . + "auth_port=" . $sdom_info->port; + + my $host = $url_info->host; + my $port = $url_info->port; + my $tmpfile = "/tmp/donepanel-$$"; + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"$uri\" $host:$port > $tmpfile"); + } else { + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"$uri\" $host:$port > $tmpfile"); + } + my $content = `cat $tmpfile`; + system("rm $tmpfile"); + + &PKI::RA::Wizard::debug_log("req = " . $content); + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + + &PKI::RA::Wizard::debug_log("DonePanel: result " . 
$content); + my $tmp = `rm $instDir/conf/.pwfile`; +} + +sub get_kra_transport_cert +{ + my ($sdom) = @_; + + my $sdom_info = new URI::URL($sdom); + + # register RA to Security Domain + # submit request to CA + &PKI::RA::Wizard::debug_log("DonePanel: Connecting to KRA"); + + my $krainfo = $::config->get("preop.krainfo.select"); + my $krainfo_url = new URI::URL($krainfo); + + my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); + my $session_id = $::config->get("preop.sessionID"); + + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $tokenname = $::config->get("preop.module.token"); + my $token_pwd = $::pwdconf->get($tokenname); + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + + my $params = "sessionID=" . $session_id . "&" . + "auth_hostname=" . $sdom_info->host . "&" . + "auth_port=" . 
$sdom_info->port; + + my $host = $krainfo_url->host; + my $port = $krainfo_url->port; + my $tmpfile = "/tmp/donepanel-$$"; + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/kra/admin/kra/getTransportCert\" $host:$port > $tmpfile"); + } else { + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -r \"/kra/admin/kra/getTransportCert\" $host:$port > $tmpfile"); + } + my $content = `cat $tmpfile`; + system("rm $tmpfile"); + + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + + my $parser = XML::Simple->new(); + my $response = $parser->XMLin($content); + my $transportCert = $response->{TransportCert}; + + &PKI::RA::Wizard::debug_log("DonePanel: TransportCert " . $transportCert); + + return $transportCert; +} + +sub send_kra_transport_cert +{ + my ($sdom, $certificate) = @_; + + my $sdom_info = new URI::URL($sdom); + + # register RA to Security Domain + # submit request to CA + &PKI::RA::Wizard::debug_log("DonePanel: Connecting to TKS"); + my $tksinfo = $::config->get("preop.tksinfo.select"); + my $tksinfo_url = new URI::URL($tksinfo); + + my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); + my $session_id = $::config->get("preop.sessionID"); + + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $tokenname = $::config->get("preop.module.token"); + my $token_pwd = $::pwdconf->get($tokenname); + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + + my $name = "transportCert-" . $machineName . "-" . 
$securePort; + my $params = "name=" . $name . "&" . + "certificate=" . + URI::Escape::uri_escape("$certificate") . "&" . + "xmlOutput=true" . "&" . + "sessionID=" . $session_id . "&" . + "auth_hostname=" . $sdom_info->host . "&" . + "auth_port=" . $sdom_info->port; + + my $host = $tksinfo_url->host; + my $port = $tksinfo_url->port; + my $tmpfile = "/tmp/donepanel-$$"; + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/tks/admin/tks/importTransportCert\" $host:$port > $tmpfile"); + } else { + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -r \"/tks/admin/tks/importTransportCert\" $host:$port > $tmpfile"); + } + + my $content = `cat $tmpfile`; + system("rm $tmpfile"); + + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + + &PKI::RA::Wizard::debug_log("DonePanel: Response from TKS " . $content); +} + +sub display +{ + my ($q) = @_; + # $symbol{systemType} = "ra"; + # $symbol{host} = "chico"; + # $symbol{port} = "443"; + &PKI::RA::Wizard::debug_log("DonePanel: display"); + + my $status = $::config->get("preop.done.status"); + if ($status eq "done") { + return 1; + } + + my $instDir = $::config->get("service.instanceDir"); + my $tokenname = $::config->get("preop.module.token"); + my $token_pwd = $::pwdconf->get($tokenname); + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + if (($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) { + open(PWD_CONF, ">>$instDir/conf/password.conf"); + print PWD_CONF "$tokenname:$token_pwd\n"; + close (PWD_CONF); + } + + # Add this RA's server certificate to the subsystems + my $sdom = $::config->get("config.sdomainEEURL"); + my $cainfo = $::config->get("preop.cainfo.select"); + $cainfo =~ s/.* - //g; + ®ister_ra($sdom, $cainfo, $::config->get("conn.ca1.servlet.addagent"), "CA"); + + $::config->put("preop.done.status", "done"); + 
$::config->commit(); + + # update httpd.conf + open(TMP_HTTPD_CONF, ">$instDir/conf/httpd.conf.tmp"); + system( "chmod 00660 $instDir/conf/httpd.conf.tmp" ); + open(HTTPD_CONF, "<$instDir/conf/httpd.conf"); + while (<HTTPD_CONF>) { + if (/^#\[ErrorDocument_404\]/) { + print TMP_HTTPD_CONF "ErrorDocument 404 /404.html\n"; + } elsif (/^#\[ErrorDocument_500\]/) { + print TMP_HTTPD_CONF "ErrorDocument 500 /500.html\n"; + } else { + print TMP_HTTPD_CONF $_; + } + } + close(HTTPD_CONF); + close(TMP_HTTPD_CONF); + + # Create a copy of the original file which + # preserves the original file permissions + system( "cp -p $instDir/conf/httpd.conf.tmp $instDir/conf/httpd.conf" ); + + # Remove the original file only if the backup copy was successful + if( -e "$instDir/conf/httpd.conf" ) { + system( "rm $instDir/conf/httpd.conf.tmp" ); + } + + # update nss.conf + open(TMP_NSS_CONF, ">$instDir/conf/nss.conf.tmp"); + system( "chmod 00660 $instDir/conf/nss.conf.tmp" ); + open(NSS_CONF, "<$instDir/conf/nss.conf"); + while (<NSS_CONF>) { + if (/^NSSNickname/) { + print TMP_NSS_CONF "NSSNickname \"$nickname\"\n"; + } else { + print TMP_NSS_CONF $_; + } + } + close(NSS_CONF); + close(TMP_NSS_CONF); + + # Create a copy of the original file which + # preserves the original file permissions + system( "cp -p $instDir/conf/nss.conf.tmp $instDir/conf/nss.conf" ); + + # Remove the original file only if the backup copy was successful + if( -e "$instDir/conf/nss.conf" ) { + system( "rm $instDir/conf/nss.conf.tmp" ); + } + + &PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain"); + + my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); + my $instanceID = $::config->get("service.instanceID"); + + my $initDaemon = "pki-rad"; + my $initCommand = ""; + if( $^O eq "linux" ) { + 
$initCommand = "/sbin/service $initDaemon"; + } else { + ## default case: e. g. - ( $^O eq "solaris" ) + $initCommand = "/etc/init.d/$initDaemon"; + } + + $::symbol{host} = $machineName; + $::symbol{unsecurePort} = $unsecurePort; + $::symbol{port} = $securePort; + $::symbol{non_clientauth_port} = $non_clientauth_securePort; + $::symbol{initCommand} = $initCommand; + $::symbol{instanceID} = $instanceID; + + $::config->deleteSubstore("preop."); + $::config->commit(); + + ## Create an empty file that designates the fact that although + ## this server instance has been configured, it has NOT yet + ## been restarted! + my $restart_server = "$instDir/conf/restart_server_after_configuration"; + system( "touch $restart_server" ); + system( "chmod 00660 $restart_server" ); + + system("rm $instDir/conf/*.txt $instDir/conf/*.der"); + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/GlobalVar.pm b/base/ra/lib/perl/PKI/RA/GlobalVar.pm new file mode 100755 index 000000000..388a41349 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/GlobalVar.pm 
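Review bot: The three sslget calls in register_ra, get_kra_transport_cert and send_kra_transport_cert redirect their output through the shell to the predictable path `/tmp/donepanel-$$` and then `cat`/`rm` it, which is a symlink / pre-creation race in a world-writable directory for a process running with the instance's privileges. ImportAdminCertPanel already captures sslget output directly, so the temp file can simply go: `my $content = qx(/usr/bin/sslget -e "$params" -d "$instanceDir/alias" -p "$db_password" -v -n "$nickname" -r "$uri" $host:$port);` (or use File::Temp if a file is genuinely needed). The same calls put `$db_password`/`$token_pwd` on the command line, where other local users can typically read them from the process list, and interpolate them unescaped into a shell string; a password-file option, if sslget has one, or a shell-free invocation would be safer. Separately, register_ra's response is only logged, so a failed registration still lets display() set `preop.done.status` to done and strip the `preop.` substore.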
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+
+package PKI::RA::GlobalVar;
+$PKI::RA::GlobalVar::VERSION = '1.00';
+
+sub new {
+ my $class = shift;
+ my $self = {};
+ my %args = (@_);
+ foreach my $q (keys %args) {
+ $self->{$q} = $args{$q};
+ }
+ bless $self,$class;
+ return $self;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm b/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm
new file mode 100755
index 000000000..9f9bef94a
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm
@@ -0,0 +1,142 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use URI::URL; + +package PKI::RA::ImportAdminCertPanel; +$PKI::RA::ImportAdminCertPanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(15); + $self->{"getName"} = &PKI::RA::Common::r("Import Administrator Certificate"); + $self->{"vmfile"} = "importadmincertpanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: update"); + + # register to Security Domain + my $sdom = $::config->get("config.sdomainAgentURL"); + my $sdom_url = new 
URI::URL($sdom); + + # + # we need to authenticate to the security domain with the subsystem + # certificate + # + my $machineName = $::config->get("service.machineName"); + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $securePort = $::config->get("service.securePort"); + my $subsystemName = $::config->get("preop.subsystem.name"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + my $name = $subsystemName; + my $subCertNickName = $::config->get("preop.cert.subsystem.nickname"); + + $db_password =~ s/\n$//g; + + my $params = "list=" . "RAList" . "&" . + "type=" . "RA" . "&" . + "host=" . $machineName . "&" . + "name=" . $name . "&" . + "sport=" . $securePort . "&" . + "dm=false"; # domain manager or not + + my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$subCertNickName\" -r \"/ca/agent/ca/updateDomainXML?$params\" $sdom_url->host:$sdom_url->port`; + + # Fetch the "updated" security domain and display it + &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: Dump contents of updated Security Domain . . 
."); + my $sdomainAdminURL = $::config->get("config.sdomainAdminURL"); + my $sdom_info = new URI::URL($sdomainAdminURL); + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $sd_host = $sdom_info->host; + my $sd_admin_port = $sdom_info->port; + my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`; + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + &PKI::RA::Wizard::debug_log($content); + + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: display"); + + my $cainfo = $::config->get("preop.cainfo.select"); + + my $cainfo_url = new URI::URL($cainfo); + my $serialNumber = $::config->get("preop.admincert.serialno.0"); + + $::symbol{info} = ""; + $::symbol{errorString} = ""; + $::symbol{import} = "true"; + $::symbol{ca} = "false"; + $::symbol{caType} = "ca"; + $::symbol{caHost} = $cainfo_url->host; + $::symbol{caPort} = $cainfo_url->port; + $::symbol{serialNumber} = $serialNumber; + + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/Login.pm b/base/ra/lib/perl/PKI/RA/Login.pm new file mode 100755 index 000000000..d248e5481 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/Login.pm 
@@ -0,0 +1,466 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +# wizard - +# Fedora Certificate System - Registration Authority System configuration wizard + + +# This script is run as a 'mod_perl' CGI. Configure mod_perl by adding +# the following to /etc/httpd/conf.d/perl.conf +# +# PerlModule ModPerl::Registry +# PerlModule Apache::compat +# PerlModule PKI::RA::Wizard +# PerlSetEnv PKI_DOCROOT /u/sparkins/t/cs_tip/certsystem/prj/common/ui +# <Location /wizard> +# SetHandler perl-script +# PerlHandler PKI::RA::Wizard +# Order deny,allow +# Allow from all +# </Location> + + +# Note: The Velocity parser is not very helpful when it comes to +# errors right now. Here are some common errors, and what they mean: +# +# ERROR: +# [Mon Apr 03 13:57:33 2006] [error] [client 172.16.24.26] +# Can't use string ("0") as an ARRAY ref while "strict refs" +# in use at /usr/lib/perl5/site_perl/5.8.5/Template/Velocity.pm +# line 423.\n, referer: http://chico/wizard?p=2 +# MEANING +# This probably means that your *.vm file refers to an array +# variable in a foreach statement that is not defined +# Check your foreach array variables. 
+ +use warnings; +use ModPerl::Registry; +use Template::Velocity; +use Getopt::Std; +use Data::Dumper; +use CGI::Carp qw(fatalsToBrowser); +use CGI; +use APR::Const -compile => qw(:error SUCCESS); +use PKI::RA::GlobalVar; +use PKI::RA::WelcomePanel; +use PKI::RA::SecurityDomainPanel; +use PKI::RA::DisplayCertChainPanel; +use PKI::RA::SubsystemTypePanel; +use PKI::RA::CAInfoPanel; +use PKI::RA::TKSInfoPanel; +use PKI::RA::DRMInfoPanel; +use PKI::RA::DisplayCertChain2Panel; +use PKI::RA::AdminAuthPanel; +use PKI::RA::AgentAuthPanel; +use PKI::RA::DatabasePanel; +use PKI::RA::ModulePanel; +use PKI::RA::SizePanel; +use PKI::RA::NamePanel; +use PKI::RA::ConfigHSMLoginPanel; +use PKI::RA::CertRequestPanel; +use PKI::RA::AdminPanel; +use PKI::RA::ImportAdminCertPanel; +use PKI::RA::LoginPanel; +use PKI::RA::DonePanel; +use PKI::RA::Config; + +use PKI::RA::Common qw(yes no r); + +package PKI::RA::Login; +$PKI::RA::Login::VERSION = '1.00'; + +# read configuration file +my $flavor = "pki"; +$flavor =~ s/\n//g; + +my $pkiroot = $ENV{PKI_ROOT}; + +my $config = PKI::RA::Config->new(); +$config->load_file("$pkiroot/conf/CS.cfg"); +# read password cache file +my $pwdconf = PKI::RA::Config->new(); +$pwdconf->load_file("$pkiroot/conf/pwcache.conf"); +# SELinux disallows performing a "chmod" on this file +if( $^O ne "linux" ) { + system( "chmod 00660 $pkiroot/conf/pwcache.conf" ); +} + +# create cfg debug log +my $logfile = $config->get("service.instanceDir") . "/logs/debug"; +open( DEBUG, ">>" . $logfile ) || +warn( "Could not open '" . $logfile . "': $!" ); + +# apache server + +our $debug; + +my $STATUS_OK = 1; +my $STATUS_ERROR = 2; +my $STATUS_REDIRECT = 3; + +&debug_log("RA wizard: starting up"); + +my $docroot = $ENV{PKI_DOCROOT}; + +if (! 
$docroot) { + &debug_log("RA wizard: ERROR: PKI_DOCROOT is null"); + return 0; +} + +our $parser = new Template::Velocity($docroot); +our $symbol; +our @certtags; + +makepanels(); + +&debug_log("RA wizard: start up complete"); + +1; + +sub debug_log +{ + my ($msg) = @_; + my $date = `date`; + chomp($date); + if( -w $logfile ) { + print DEBUG "$date - $msg\n"; + } +} + + # initializes entries in parser's global symbol table for panels +sub makepanels +{ + #REAL PANELS BELOW + my $login = new PKI::RA::LoginPanel(); + + $symbol{panels} = [ + $login, # com.netscape.cms.servlet.csadmin.WelcomePanel + ]; +}; + +sub render_panel +{ + my ($panelnum, $q) = @_; + + $symbol{errorString} = ""; + + my $currentpanel; + + if ($q->param('op') && $q->param('op') eq "next") { + $currentpanel = $symbol{panels}[$panelnum]; + # validate variables for panel + if ($currentpanel->{validate}) { + $currentpanel->{validate}($q); + } + # execute current panel + my $status = "0"; + + if ($currentpanel->{update}) { + $status = $currentpanel->{update}($q); + &debug_log("RA wizard: update returns status '" . + $status . "'"); + if ($status == $STATUS_REDIRECT) { + return $STATUS_REDIRECT; + } + + } + + &debug_log("RA wizard: about to find out about sub panel"); + if ($status eq "1") { + if ($currentpanel->{hasSubPanel} && &{$currentpanel->{hasSubPanel}}($q)) { + &debug_log("RA wizard: has sub panel"); + $panelnum = $panelnum + 2; + } elsif ($currentpanel->{isSubPanel} && &{$currentpanel->{isSubPanel}}($q)) { + &debug_log("RA wizard: is sub panel"); + $panelnum = $panelnum - 1; + } else { + &debug_log("RA wizard: no sub panel and is not subpanel"); + $panelnum = $panelnum + 1; + } + } + } elsif ($q->param('op') && $q->param('op') eq "back") { + $panelnum = $panelnum - 1; + #check if this a subpanel, if so, go back to it's parent. 
+ #only handles one-deep at this point + my $panel = $symbol{panels}[$panelnum]; + if (&{$panel->{isSubPanel}}($q)) { + $panelnum = $panelnum - 1; + } + } elsif ($q->param('op') && $q->param('op') eq "apply") { + &debug_log("RA wizard: update : apply button pressed"); + $currentpanel = $symbol{panels}[$panelnum]; + # validate variables for panel + if ($currentpanel->{validate}) { + $currentpanel->{validate}($q); + } + # execute current panel + if ($currentpanel->{update}) { + my $status = $currentpanel->{update}($q); + &debug_log("RA wizard: update returns status '" . + $status . "'"); + if ($status == $STATUS_REDIRECT) { + return $STATUS_REDIRECT; + } + + } + } + + &debug_log("RA wizard: after looking into about sub panel"); + + # advance to next panel + $currentpanel = $symbol{panels}[$panelnum]; + + # initialize symbol table values + $symbol{showApplyButton} = "false"; + + # fill in variables for new panel + if ($currentpanel->{panelvars}) { + $Data::Dumper::Indent = 1; + # The '&debug_log("q=".Dumper($q));' call must be commented out to fix + # Bugzilla Bug #249923: Incorrect file permissions on + # various files and/or directories + # &debug_log("q=".Dumper($q)); + $currentpanel->{panelvars}($q); + } + + $symbol{panel} = "ra/admin/console/config/".$currentpanel->{vmfile}; + + #wizard.vm: + $symbol{name} = "Registration Authority System"; + $symbol{title} = $currentpanel->{getName}(); + if ($panelnum == 0) { + $symbol{firstpanel} = "1"; + } else { + $symbol{firstpanel} = "0"; + } + if ($panelnum == 17) { + $symbol{lastpanel} = "1"; + } else { + $symbol{lastpanel} = "0"; + } + $symbol{p} = $panelnum; + $symbol{subpanelno} = $panelnum+1; + $symbol{csstate} = "1"; + +# $symbol{urls} = [ "cert1", "cert2" ]; #createsubsystem +# $symbol{urls_size} = 2; +# $symbol{instanceId} = "ra"; +# $symbol{errorString} = ""; + + #modulepanel +# $symbol{certs} = [ ]; +# $symbol{reqscerts} = [ ]; + $symbol{ppcerts} = [ ]; + + return $STATUS_OK; +} + + + +sub dbg { + my $msg = 
shift; + $::symbol{dbg} .= "$msg\n"; +} + +sub handler { + my $r = shift; + + *::symbol = \%symbol; + *::s = \$s; + *::config = \$config; + *::pwdconf = \$pwdconf; + + &debug_log("RA wizard: in handler"); + if ($#ARGV == -1) { + $r->send_http_header('text/html'); + } + + my $q = new CGI; + + # check cookie + my $pin = $q->param('pin'); + if (defined($pin)) { + my $cookie = $q->cookie( + -name=>'pin', + -value=> $pin, + -expires=>'+1y', + -path=>'/'); + print $q->redirect(-location => "wizard", -cookie => $cookie); + return; + } + + # output http parameters + &debug_log("RA wizard: uri='" . $ENV{REQUEST_URI} . "'"); + my @pnames = $q->param(); + foreach $pn (@pnames) { + # added this facility so that password can be hidden, + # all sensitive parameters should be prefixed with + # __ (double underscores); however, in the event that + # a security parameter slips through, we perform multiple + # additional checks to insure that it is NOT displayed + if( $pn =~ /^__/ || + $pn =~ /password$/ || + $pn =~ /passwd$/ || + $pn =~ /pwd$/ || + $pn =~ /admin_password_again/i || + $pn =~ /directoryManagerPwd/i || + $pn =~ /bindpassword/i || + $pn =~ /bindpwd/i || + $pn =~ /passwd/i || + $pn =~ /password/i || + $pn =~ /pin/i || + $pn =~ /pwd/i || + $pn =~ /pwdagain/i || + $pn =~ /uPasswd/i ) { + &debug_log("RA wizard: http parameter name='" . $pn . "' value='(sensitive)'"); + } else { + &debug_log("RA wizard: http parameter name='" . $pn . "' value='" . $q->param($pn) . "'"); + } + } + + my $panelnum = $q->param('p'); + if (!defined($panelnum) || $panelnum eq "") { + # Apache fails to pick up the p parameter after + # redirecting from the security domain. This is + # a quick hack to solve the issue. 
+ if ($ENV{'QUERY_STRING'} ne "") { + $ENV{'QUERY_STRING'} =~ /p=([0-9]+)&/; + $panelnum = $1; + } + } + + use subs qw(debug); + *debug = \&Template::Velocity::Executor::debug; + + $::symbol{dbg} = ""; + + &debug_log("RA wizard: before argparsing"); + if ($#ARGV == -1) { + $Data::Dumper::Maxdepth = 7; + $startfile = "ra/admin/console/config/login.vm"; + } + + &debug_log("RA wizard: setting up test objects"); + + #initialize from config file + my $certlist = $::config->get("preop.cert.list"); + if ($certlist eq "") { + $certlist = "sslserver,subsystem"; + } + @certtags = split(/,/, $certlist); + $numtags = @certtags; + if ($numtags eq 0) { + @certtags = ("sslserver", "subsystem"); + } + &debug_log("RA wizard: found $numtags certtags"); + + if (! $panelnum) { + $panelnum = 0; + } + + my $status = render_panel($panelnum, $q); + if ($status == 3) { + $r->header_out(Location => $symbol{redirect}); + $r->status(301); + $r->send_http_header(); + return; + } + + use Data::Dumper; + &debug_log("RA wizard: executing file $startfile"); + foreach $q (sort keys %symbol) { + &debug_log("RA wizard:/config/wizard?p=9&SecToken=NSS%20Generic%20Crypto%20Services sym{$q}=".$symbol{$q}); + } + + my $result; + if ($q->param("xml") eq "true") { + $r->send_http_header('text/xml'); + $result = "<xml>"; + foreach $s (sort keys %symbol) { + if ($s =~ /^__/) { + next; + } + $result .= "<" . $s . ">"; + my $v = $symbol{$s}; + $result .= &get_xml($s, $v); + $result .= "</" . $s . ">"; + } + $result .= "</xml>"; + } else { + $result = $parser->execute_file($startfile); + if (!defined $result) { + die("Couldn't execute template file: $docroot/$startfile"); + } + } + + print "$result\n"; + return $STATUS_OK; +} + +sub get_xml +{ + my ($s, $v) = @_; + + my $result; + if (ref($v) eq "HASH") { + foreach my $xkey (keys %$v) { + $result .= "<" . $xkey . ">"; + $result .= &get_xml($xkey, $v{$xkey}); + # $result .= "-" . ref($xkey); + $result .= "</" . $xkey . 
">"; + } + } elsif (ref($v) eq "PKI::RA::CertInfo") { + my $certinfo = $v; + $result .= "<certinfo>"; + $result .= "<dn>" . $certinfo->get_dn() ."</dn>"; + $result .= "<tag>" . $certinfo->get_cert_tag() . "</tag>"; + $result .= "<friendly>" . $certinfo->get_user_friendly_name() . + "</friendly>"; + $result .= "</certinfo>"; + } elsif (ref($v) eq "PKI::RA::ReqCertInfo") { + my $reqcertinfo = $v; + $result .= "<reqcertinfo>"; + $result .= "<name>" . $reqcertinfo->get_user_friendly_name() ."</name>"; + $result .= "<req>" . $reqcertinfo->get_request() ."</req>"; + $result .= "<cert>" . $reqcertinfo->get_cert() ."</cert>"; + $result .= "<certpp>" . $reqcertinfo->get_cert_pp() ."</certpp>"; + $result .= "<tag>" . $reqcertinfo->get_cert_tag() ."</tag>"; + $result .= "<dn>" . $reqcertinfo->get_cert_tag() ."</dn>"; + $result .= "</reqcertinfo>"; + } elsif (ref($v) eq "ARRAY") { + my $pos = 0; + foreach my $item (@$v) { + $result .= "<element>"; + $result .= &get_xml("p" . $pos, $item); + # $result .= "-" . ref($item); + $result .= "</element>"; + $pos++; + } + } else { + $result .= $v; + } + return $result; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/LoginPanel.pm b/base/ra/lib/perl/PKI/RA/LoginPanel.pm new file mode 100755 index 000000000..66f40acfe --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/LoginPanel.pm 
@@ -0,0 +1,91 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::LoginPanel;
+$PKI::RA::LoginPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(0);
+ $self->{"getName"} = &PKI::RA::Common::r("Welcome");
+ $self->{"vmfile"} = "login.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("WelcomePanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("WelcomePanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log($ENV{'SERVER_PORT'});
+ &PKI::RA::Wizard::debug_log("Debug=" . $::config->get("logging.debug.enable"));
+ &PKI::RA::Wizard::debug_log("WelcomePanel: display");
+ $::symbol{wizardname} = "RA Configuration Wizard";
+ $::symbol{systemname} = "RA";
+ $::symbol{fullsystemname} = "Registration Authority";
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/ModulePanel.pm b/base/ra/lib/perl/PKI/RA/ModulePanel.pm
new file mode 100755
index 000000000..87ce056bc
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ModulePanel.pm
@@ -0,0 +1,273 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use PKI::RA::Modutil;
+
+package PKI::RA::ModulePanel;
+$PKI::RA::ModulePanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+our $modutil;
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(9);
+ $self->{"getName"} = &PKI::RA::Common::r("Security Modules");
+ $self->{"vmfile"} = "modulepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+
+ my $flavor = "pki";
+ $flavor =~ s/\n//g;
+
+ my $pkiroot = $ENV{PKI_ROOT};
+ $modutil = new PKI::RA::Modutil("$pkiroot/alias");
+
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 1;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ my $defTok = $::config->get("preop.module.token");
+ my $select = $q->param('choice');
+ if ($select eq "") {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> update no selection found");
+ $::symbol{errorString} = "No selection found";
+ return 0;
+ } elsif ($defTok ne $select) {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> update changing defTok to $select");
+ $::config->put("preop.module.token", $select);
+ $::config->put("preop.ModulePanel.done", "true");
+ } else {
+ # this is not an error...just information
+ &PKI::RA::Wizard::debug_log("ModulePanel -> update defTok not changed");
+ }
+
+ $::config->commit();
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ModulePanel -> display");
+ getModules();
+ my $defTok = $::config->get("preop.module.token");
+
+ $::symbol{defTok} = $defTok;
+
+ return 1;
+}
+
+use Data::Dumper;
+sub getTokens {
+ my $modulename = shift;
+
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getTokens");
+
+#$Data::Dumper::Indent = 0;
+#PKI::RA::Wizard::dbg("in gettokens. modutil = ".Dumper($modutil));
+ my @tokens;
+ my $mod = $modutil->getmodule($modulename);
+ foreach my $tokenname (keys %{$mod->{tokens}}) {
+ #PKI::RA::Wizard::dbg("found token $tokenname");
+ if ($tokenname ne "NSS Generic Crypto Services") {
+ my $token = $modutil->gettoken($tokenname);
+ my $t = new PKI::RA::GlobalVar(
+ getNickName => sub { return $tokenname; },
+ isLoggedIn => sub { return isLoggedIn($tokenname); },
+ isPresent => sub { return 1; },
+ );
+ push @tokens, $t;
+ } else {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getTokens token NSS Generic Crypto Services not available for key generation");
+
+ }
+ }
+
+ return \@tokens;
+}
+
+# if password is found, then it's considered "logged in"
+# otherwise it is "not logged in"
+sub Login {
+ my $tokenname = $_[0];
+ my $pwd = $::pwdconf->get($tokenname);
+ if ($pwd ne "") {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> isLoggedIn retrieved pwd from pwdconf");
+ return 1;
+ }
+ &PKI::RA::Wizard::debug_log("ModulePanel -> isLoggedIn pwd not found from pwdconf for token: $tokenname");
+
+ if ($tokenname eq "NSS Certificate DB") {
+ my $instanceDir = $::config->get("service.instanceDir");
+ &PKI::RA::Wizard::debug_log("ModulePanel -> isLoggedIn get internal password for $tokenname");
+ # these are referred as "internal" in password.conf
+ $pwd = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $pwd =~ s/\n//g;
+ $::pwdconf->put($tokenname, $pwd);
+ $::pwdconf->commit();
+
+ return 1;
+ }
+ return 0;
+}
+
+sub isLoggedIn {
+ my $tokenname = $_[0];
+ return &Login($tokenname);
+}
+
+sub getModules {
+ my $count;
+ my $i;
+ my @supportedModules;
+
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules");
+ $count = $::config->get("preop.configModules.count");
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules count =$count");
+
+ my @modules = $modutil->getmodules();
+ # $::symbol{steve} = join ",Module:", @modules;
+ # $::symbol{steve}.= "\n";
+
+ my $x = "
+ preop.configModules.count=3
+ preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+ preop.configModules.module0.imagePath=../img/mozilla.png
+ preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+ preop.configModules.module1.commonName=nfast
+ preop.configModules.module1.imagePath=../img/ncipher.png
+ preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+ preop.configModules.module2.commonName=lunasa
+ preop.configModules.module2.imagePath=../img/safenet.png
+ preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+ ";
+
+ my %supmodules;
+ for ($i=0; $i <$count; $i++) {
+ my $cn;
+ my $pn;
+ my $img;
+# &PKI::RA::Wizard::debug_log("ModulePanel -> getModules look for cn=","preop.configModules.module" , $i , ".commonName");
+ $cn = $::config->get("preop.configModules.module$i.commonName");
+ $supmodules{$cn} = 1;
+
+ $pn = $::config->get("preop.configModules.module$i.userFriendlyName");
+ $img = $::config->get("preop.configModules.module$i.imagePath");
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules: got module $cn from config");
+
+ my $module = $modutil->getmodule($cn);
+ my $file = $module->{detail}->{"Library file"};
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules Library file = $file");
+ my $found = 0;
+ if ($file) {
+ $found = ($file =~ /Internal ONLY module/) || -e $file;
+ }
+
+ my $name = $module->{detail}->{Name};
+# PKI::RA::Wizard::dbg("name: $name");
+
+ $supportedModules[$i] = new PKI::RA::GlobalVar(
+ getImagePath => sub { return $img; },
+ getUserFriendlyName => sub { return $pn; },
+ isFound => sub { return $found; },
+ getTokens => sub { return getTokens($name); },
+ );
+
+ # login to tokens
+ &PKI::RA::Wizard::debug_log("Ready to login to tokens for $name");
+ my $mod = $modutil->getmodule($name);
+ foreach my $tokenname (keys %{$mod->{tokens}}) {
+ &PKI::RA::Wizard::debug_log("Logging in Module $name Token " . $tokenname);
+ &Login($tokenname);
+ }
+
+ }
+
+ my @otherModules;
+ #compile the "others" modules
+
+ foreach my $modname (@modules) {
+ #is this modname in the supported modules list?
+ if ($supmodules{$modname}) {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules: found module $modname supported");
+ # does not belong to "others"
+ } else {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules: found module $modname unsupported");
+ #add the module to "others" list
+ my $m = $modutil->getmodule($modname);
+ my $mod = new PKI::RA::GlobalVar(
+ getImagePath => sub { return ""; },
+ getUserFriendlyName => sub { return $m->{modulename}; },
+ isFound => sub { return 1; },
+ getTokens => sub { return getTokens($m->{detail}->{Name});}
+ );
+
+ push @otherModules, $mod;
+
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules: module $modname added to otherModules list");
+ }
+ }
+
+ $::symbol{sms} = \@supportedModules;
+ $::symbol{oms} = \@otherModules;
+# PKI::RA::Wizard::dbg("oms: ". Dumper([@otherModules]));
+# PKI::RA::Wizard::dbg("sms: ". Dumper([@supportedModules]));
+
+ &PKI::RA::Wizard::debug_log("ModulePanel -> set sms, oms");
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/Modutil.pm b/base/ra/lib/perl/PKI/RA/Modutil.pm
new file mode 100755
index 000000000..82c66e87d
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/Modutil.pm
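Review bot: `update` writes `$q->param('choice')` into `preop.module.token` without checking that it names a token modutil actually reported, and that config value is what NamePanel later interpolates into its certutil command strings as `-h $tokenname`, so an unexpected value reaches a shell from here. Since `$modutil->gettoken($name)` already returns the token record or nothing, the check is cheap: `if (!$modutil->gettoken($select)) { $::symbol{errorString} = "Unknown token: $select"; return 0; }` before the `$::config->put("preop.module.token", $select)`. In `Login`, the internal password is recovered with a backtick pipeline (`grep "internal:" "$instanceDir/conf/password.conf" | cut -c10-`) that both runs `$instanceDir` through a shell and hard-codes the column where the value starts; reading the file in Perl and matching `/^internal:(.*)$/` would do neither. The `$x` string in `getModules` and `$flavor` in `new` are never read and should be deleted rather than left as configuration examples inside code.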
@@ -0,0 +1,262 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package PKI::RA::Modutil;
+
+
+sub new {
+ my $class = shift;
+ my ($dir) = @_;
+
+ if (! $dir) { die "no module directory provided\n"; }
+
+ my $self = {};
+
+ $self->{dir} = $dir;
+ $self->{modules} = makemodules($self);
+
+ bless $self, $class;
+ return $self;
+}
+
+sub exists {
+ my $self = shift;
+
+ return -e "$self->{dir}/secmod.db";
+}
+
+sub create {
+ my $self = shift;
+
+ my $mods = `modutil -force -dbdir '$self->{dir}' -nocertdb -create`;
+ return $mods;
+}
+
+use Data::Dumper;
+
+sub makemodules {
+ my $self = shift;
+ my $modules = {};
+
+ my $mods = `modutil -force -dbdir '$self->{dir}' -nocertdb -list`;
+ #my $mods = join "",<::DATA>;
+
+ #print "raw mods = $mods";
+
+ my (@modules) = (
+ $mods =~ /
+ ^ #beginning of a line
+ \s+ #some spaces
+ \d+\.\s* #some digits
+ (.*?) #lots of text
+ ((?=^\s*\d+)|(?=------)) #if we would next match some spaces and digits
+ /msxg );
+
+ @modules = grep /.+/ms, @modules;
+
+ foreach $module (@modules) {
+ #print "Module #$i:$module --\n";
+ $module = "modulename:$module";
+ my ($moduleheader, $rest) = (
+ $module =~ /
+ (.*status: .*?\n) # moduleheader
+ (\s*slot:.*) # slot
+ (?=\n(\n|$)) #empty line
+ /msxg );
+ #print "moduleheader: $moduleheader\n";
+ my $m = makehash($moduleheader);
+ $modules->{$m->{modulename}} = $m;
+ $m->{tokens} = {};
+
+ my @tokens = split "\n\n", $rest;
+
+
+
+# get summary slot info with: -list
+ foreach my $token (@tokens) {
+ #print "slottext: $slot\n";
+ my $slh = makehash($token);
+ $m->{tokens}->{$slh->{token}} = $slh;
+ }
+
+# get detailed slot info with: -list "modulename"
+
+ my $moduledetail = `modutil -force -dbdir '$self->{dir}' -nocertdb -list "$m->{modulename}" 2> /dev/null`;
+ my @details= split "\n\n", $moduledetail;
+ while ($details[0] !~ /.*Name:.*/) {
+ shift @details;
+ };
+ $m->{detail} = makehash(shift @details);
+ foreach $d (@details) {
+ my $sdh = makehash($d);
+ my $tokenname = $sdh->{"Token Name"};
+ $tokenname =~ s/\s+$//; # remove trailing spaces
+ if ($tokenname) {
+ $m->{tokens}->{$tokenname}->{detail} = $sdh;
+ }
+ }
+ $i++;
+
+ }
+ return $modules;
+}
+
+# input: a multi-list string with nv/pairs
+# return a hashtable reference
+sub makehash {
+ my $str = shift;
+ my $ht = { };
+ my @lines = split "\n", $str;
+ my $line;
+LINE:
+ foreach $line (@lines) {
+ if ($line =~ /Using database directory/) { next LINE; }
+ if ($line =~ /--------------/) { next LINE; }
+ my ($name, $value) = ($line =~ /^\s*(.*?):\s*(.*?)\s*$/);
+ if ($name) {
+ #print "name:$name\n";
+ #print "value:$value\n";
+ $ht->{$name} = $value;
+ }
+ }
+ return $ht;
+}
+
+sub getmodules {
+ my $self = shift;
+ #print "modules: ".$self->{modules}."\n";
+ #print "keys: ".(join ",",keys %{$self->{modules}})."\n";
+ return keys %{$self->{modules}};
+}
+
+sub getmodule {
+ my $self = shift;
+ my $modulename = shift;
+
+ #print Dumper($self->{modules});
+ return $self->{modules}->{$modulename};
+}
+
+
+sub gettokens {
+ my $self = shift;
+ my $module = shift;
+
+ return keys %{$module->{tokens}};
+}
+
+sub gettoken {
+ my $self = shift;
+ my $token= shift;
+ foreach my $m (values %{$self->{modules}}) {
+ foreach $t (values %{$m->{tokens}}) {
+ #print join ",", keys %{$t};
+ #print Dumper($t->{detail});
+ if ($t->{detail}->{"Token Name"} eq $token) {
+ return $t;
+ }
+ }
+ }
+}
+
+
+
+package main;
+
+sub ::test {
+
+# initialize
+ my $modutil = new PKI::RA::Modutil(".");
+
+#make database if it doesn't exist
+ if (! $modutil->exists()) {
+ $modutil->create();
+ }
+
+#get an array of module names
+ my @mods = $modutil->getmodules();
+
+ print "Found ".@mods." pkcs#11 modules\n";
+
+#for each module...
+ foreach my $modname (@mods) {
+ my $module = $modutil->getmodule($modname);
+
+ print "Module: $modname\n";
+ print "Library: ".$module->{detail}->{"Library file"}."\n";
+ print "Other keys: ".(join ",", keys %{$module->{detail}})."\n";
+
+#find all the tokens in a module, e.g. each partition for a lunasa
+ foreach my $tokenname ($modutil->gettokens($module)) {
+ print " token: $tokenname\n";
+ my $token = $modutil->gettoken($tokenname);
+
+#dump out the information we have on the token
+ foreach my $key (keys %{$token}) {
+ print " token keys/values: $key: ".$token->{$key}."\n";
+ }
+ my @detailkeys = (keys %{$token->{detail}}) ;
+ print " token detail keys:". (join ",", @detailkeys)."\n";
+ print " token detail Manufacturer:". $token->{detail}->{Manufacturer}."\n";
+ print "\n";
+ }
+ print "\n";
+ }
+
+}
+
+# this is where 'main' starts
+
+if ($ARGV[0] eq "--test") {
+ ::test();
+}
+
+1;
+
+__DATA__
+Listing of PKCS #11 Modules
+-----------------------------------------------------------
+ 1. NSS Internal PKCS #11 Module
+ slots: 2 slots attached
+ status: loaded
+
+ slot: NSS Internal Cryptographic Services
+ token: NSS Generic Crypto Services
+
+ slot: NSS User Private Key and Certificate Services
+ token: NSS Certificate DB
+
+ 2. lunasa
+ library name: /usr/lunasa/lib/libCryptoki2.so
+ slots: 2 slots attached
+ status: loaded
+
+ slot: LunaNet Slot
+ token: lunasa1-ca
+
+ slot: LunaNet Slot
+ token: lunasa2-ca
+-----------------------------------------------------------
+
+
diff --git a/base/ra/lib/perl/PKI/RA/NamePanel.pm b/base/ra/lib/perl/PKI/RA/NamePanel.pm
new file mode 100755
index 000000000..c30715aa2
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/NamePanel.pm
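Review bot: The `while ($details[0] !~ /.*Name:.*/) { shift @details; }` loop in `makemodules` never terminates once `@details` is empty, because an undefined `$details[0]` does not match and the loop keeps shifting nothing; that is exactly the state reached when the per-module `modutil ... -list "$m->{modulename}"` call fails, and its stderr is sent to `/dev/null` so nothing explains the hang. Bound the loop and skip the module when no detail block is found: `while (@details && $details[0] !~ /Name:/) { shift @details; }` followed by `next unless @details;`. This file is the only one in the commit without `use strict; use warnings;`, and `$module`, `$d`, `$t` and `$i` are consequently undeclared package globals (`$i` is incremented but never read); adding the pragmas and `my` declarations would also have surfaced the undefined-`$details[0]` case as a warning. The module directory and module name are passed to modutil through backticks with only quote characters for protection (`'$self->{dir}'`, `"$m->{modulename}"`), so a value containing a quote breaks the command line; `open(my $fh, '-|', 'modutil', '-force', '-dbdir', $self->{dir}, ...)` passes them as single arguments with no shell involved.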
@@ -0,0 +1,570 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use FileHandle; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use PKI::RA::CertInfo; +use URI::URL; +use URI::Escape; + +package PKI::RA::NamePanel; +$PKI::RA::NamePanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); +our $cert_req_header="-----BEGIN NEW CERTIFICATE REQUEST-----"; +our $cert_req_footer="-----END NEW CERTIFICATE REQUEST-----"; +our $cert_header="-----BEGIN CERTIFICATE-----"; +our $cert_footer="-----END CERTIFICATE-----"; + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(12); + $self->{"getName"} = &PKI::RA::Common::r("Subject Names"); + $self->{"vmfile"} = "namepanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("NamePanel: validate"); 
+ return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("NamePanel: update"); + my $instanceDir = $::config->get("service.instanceDir"); + + my $count = $q->param('urls'); + + &PKI::RA::Wizard::debug_log("NamePanel: update - selected ca= $count"); + + my $host = ""; + my $https_ee_port = ""; + + my $useExternalCA = "off"; + if ($count =~ /http/) { + my $info = new URI::URL($count); + $host = $info->host; + $https_ee_port = $info->port; + } else { + $host = $::config->get("preop.securitydomain.ca$count.host"); + if ($host eq "") { + $useExternalCA = "on"; + } else { + $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); + &PKI::RA::Wizard::debug_log("NamePanel: update - host= $host, https_ee_port= $https_ee_port"); + } + } + $::config->put("preop.certenroll.useExternalCA", $useExternalCA); + + $::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port); + + my $tokenname = $::config->get("preop.module.token"); + &PKI::RA::Wizard::debug_log("NamePanel: update got token name = $tokenname"); + my $hw; + my $tk; + + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { + $hw = ""; + $tk = ""; + } else { + $hw = "-h $tokenname"; + $tk = $tokenname.":"; + } + + # is nickname changed because of token (hardware) selection? + my $changed = "false"; + foreach my $certtag (@PKI::RA::Wizard::certtags) { + &PKI::RA::Wizard::debug_log("NamePanel: update begins for certag= $certtag"); + my $cert_dn = $q->param($certtag); + $::config->put("preop.cert.".$certtag.".dn", $cert_dn); + $::config->commit(); + + my $sslnickname = $::config->get("preop.cert.sslserver.nickname"); + my $nickname = $q->param($certtag . 
"_nick"); + if ($nickname ne "") { + &PKI::RA::Wizard::debug_log("NamePanel: update nickname for $certtag set to $nickname"); + &PKI::RA::Wizard::debug_log("NamePanel: update nickname for $certtag being updated in config file"); + $::config->put("preop.cert.".$certtag.".nickname", $nickname); + $::config->commit(); + } else { + $nickname = $::config->get("preop.cert.$certtag.nickname"); + if ($nickname eq "") { + $nickname = "RA ".$certtag." cert"; + &PKI::RA::Wizard::debug_log("NamePanel: update nickname not found for $certtag -- try $nickname"); + } + } + + my $cert_request = $::config->get("preop.cert.$certtag.certreq"); + if ($cert_request ne "") { + &PKI::RA::Wizard::debug_log("NamePanel: update do not generate new keys"); + goto GEN_CERT; + } + &PKI::RA::Wizard::debug_log("NamePanel: update generate new keys"); + + # =====generate requests======== + # getting new request should void old cert + + my $file= "$instanceDir/conf/".$certtag."_cert.txt"; + my $tmp = `rm $file`; + + &PKI::RA::Wizard::debug_log("NamePanel: retrieving $tokenname from pwdconf"); + my $token_pwd = $::pwdconf->get($tokenname); + &PKI::RA::Wizard::debug_log("NamePanel: creating pwfile"); + open FILE, ">$instanceDir/conf/.pwfile"; + system( "chmod 00660 $instanceDir/conf/.pwfile" ); + $token_pwd =~ s/\n//g; + print FILE $token_pwd; + close FILE; + + my $keytype = $::config->get("preop.cert.$certtag.keytype"); + if ($keytype eq "") { + $keytype = "rsa"; + } + + my $select = $::config->get("preop.cert.$certtag.keysize.select"); + + my $keysize; + + if ($keytype eq "rsa") { + $keysize = 2048; + } elsif ($keytype eq "ecc") { + $keysize = 256; + } + + if (($select eq "") || ($select eq "default")) { + my $size = $::config->get("preop.cert.$certtag.keysize.size"); + if ($size ne "") { + $keysize = $size; + } + } else { + my $size = $::config->get("preop.cert.$certtag.keysize.customsize"); + if ($size ne "") { + $keysize = $size; + } + if (($keytype eq "ecc") && ($keysize ne 256)) { + 
&PKI::RA::Wizard::debug_log("NamePanel: update got keysize from config= $keysize changing to 256, the only supported ECC strength"); + $keysize = 256; + } + } + + &PKI::RA::Wizard::debug_log("NamePanel: update got key type $keytype"); + my $req; + my $debug_req; + my $filename = "/tmp/random.$$"; + `dd if\=/dev/urandom of\=\"$filename\" count\=256 bs\=1`; + if ($keytype eq "rsa") { + #XXX temporary + &PKI::RA::Wizard::debug_log("NamePanel: update "."certutil -R -s $cert_dn -k $keytype -g $keysize -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -a -z $filename"); + my $tmpfile = "/tmp/req$$"; + system("certutil -R -s \"$cert_dn\" -k $keytype -g $keysize -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -a -z $filename > $tmpfile"); + $req = `cat $tmpfile`; + system("rm $tmpfile"); + } elsif ($keytype eq "ecc") { + #only support curve nistp256 for now + my $tmpfile = "/tmp/req$$"; + system("certutil -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -R -s \"$cert_dn\" -k ec -q nistp256 -a -z $filename> $tmpfile"); + $req = `cat $tmpfile`; + system("rm $tmpfile"); + } else { + &PKI::RA::Wizard::debug_log("NamePanel: update unsupported keytype $keytype"); + } + system("rm $filename"); + + my $save_line = 0; + my @req_a = split "\n", $req; + foreach my $line (@req_a) { + chomp( $line ); + $line =~ s/
//g; + if ($line eq $cert_req_header) { + $save_line = 1; + } elsif( $line eq $cert_req_footer ) { + $save_line = 0; + last; + } elsif( $save_line == 1 ) { + $cert_request .= "$line"; + } + } + &PKI::RA::Wizard::debug_log("NamePanel: update putting cert_request in CS.cfg: $cert_request"); + $::config->put("preop.cert.$certtag.certreq", $cert_request); + $::config->commit(); + +GEN_CERT: +# =====request for certs======== +# see if there is an existing cert + + my $cert = $::config->get("preop.cert.$certtag.cert"); + my $sdom = $::config->get("config.sdomainEEURL"); + my $sdom_url = new URI::URL($sdom); + + if (($useExternalCA eq "on") && ($certtag ne "subsystem")) { + &PKI::RA::Wizard::debug_log("NamePanel: update External CA selected"); + if ($cert eq "") { + &PKI::RA::Wizard::debug_log("NamePanel: update no cert found...need manual enrollment"); + } + } else { + if ($cert eq "") { + &PKI::RA::Wizard::debug_log("NamePanel: update External CA not selected...need automatic enrollment"); + + my $machineName = $::config->get("service.machineName"); + my $securePort = $::config->get("service.securePort"); + my $session_id = $::config->get("preop.sessionID"); + + if ($cert_request ne "") { + &PKI::RA::Wizard::debug_log("NamePanel: update found existing request: $cert_request"); + } else { + &PKI::RA::Wizard::debug_log("NamePanel: update existing request not found"); + #something is wrong...no request, no cert + goto DONE; + return $cert; + } + + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = ""; + &PKI::RA::Wizard::debug_log("NamePanel: greping password"); + + my $tmpfile = "/tmp/grep$$"; + system ("grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10- > $tmpfile"); + $db_password = `cat $tmpfile`; + $db_password =~ s/\n$//g; + system("rm $tmpfile"); + + my $profile_id = $::config->get("preop.cert.$certtag.profile"); + &PKI::RA::Wizard::debug_log("NamePanel: profileId=" . 
$profile_id); + my $requestor_name = "RA-" . $machineName . "-" . $securePort; + my $params = "profileId=" . $profile_id . "&" . + "cert_request_type=" . "pkcs10" . "&" . + "requestor_name=" . $requestor_name . "&" . + "cert_request=" . + URI::Escape::uri_escape("$cert_request") . "&" . + "xmlOutput=true" . "&" . + "sessionID=" . $session_id . "&" . + "auth_hostname=" . $sdom_url->host . "&" . + "auth_port=" . $sdom_url->port; + + if ($certtag eq "subsystem") { + $host = $sdom_url->host; + $https_ee_port = $sdom_url->port; + } + if ($changed eq "true") { +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; + } else { +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; + } + + &PKI::RA::Wizard::debug_log("debug_req = " . $debug_req); + my $content = `$req`; + &PKI::RA::Wizard::debug_log("content = " . $content); + + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + + if ($content eq "") { + $::symbol{errorString} = "CA returned no response. Please check that the CA is available and also check the host's firewall settings."; + return 0; + } + + my $parser = XML::Simple->new(); + &PKI::RA::Wizard::debug_log("NamePanel: response content= " . $content); + my $response = $parser->XMLin($content); + my $status = $response->{Status}; + if ($status ne "0") { + my $error = $response->{Error}; + &PKI::RA::Wizard::debug_log("NamePanel: Error = $error"); + $::symbol{errorString} = "CA response: $error. 
Please check previous related panels." . " Please check that the CA is available and also check the host's firewall settings."; + return 0; + } + $cert = $response->{Requests}->{Request}->{b64}; + &PKI::RA::Wizard::debug_log("NamePanel: new cert generated= " . $cert); + +# my $reqid = $response->{Requests}->{Request}->{Id}; +# $::config->put("preop.admincert.requestId.0", $reqid); +# my $sn = $response->{Requests}->{Request}->{serialno}; +# $::config->put("preop.admincert.serialno.0", $sn); +# $::config->commit(); + + &PKI::RA::Wizard::debug_log("NamePanel: update putting cert in CS.cfg: $cert"); + $::config->put("preop.cert.$certtag.cert", $cert); + $::config->commit(); + + } else { + # cert is not null + &PKI::RA::Wizard::debug_log("NamePanel: update External CA not selected. Cert found...no need for enrollment"); + } + +# write cert to file so certutil can import + my $cert_fn = "$instanceDir/conf/".$certtag."_cert.txt"; + open FILE, "> $cert_fn"; + print FILE $cert_header."\n".$cert."\n".$cert_footer; + close FILE; + + # import cert, whether it was imported before or not + my $nickname = $::config->get("preop.cert.$certtag.nickname"); + if ($nickname eq "") { + #XXX + $nickname = "RA ".$certtag." 
cert"; + &PKI::RA::Wizard::debug_log("NamePanel: update nickname not found for $certtag -- try $nickname"); + } + + if ($certtag ne "sslserver") { + &PKI::RA::Wizard::debug_log("NamePanel: update: try to delete existing cert $nickname, if any....ok if it fails"); + $tmp = `certutil -d $instanceDir/alias -D -n "$nickname"`; + $tmp = `certutil -d $instanceDir/alias -D $hw -f $instanceDir/conf/.pwfile -n "$tk$nickname"`; + } else { + &PKI::RA::Wizard::debug_log("NamePanel: update: try to delete existing cert $sslnickname, if any....ok if it fails"); + $tmp = `certutil -d $instanceDir/alias -D -n "$sslnickname"`; + $tmp = `certutil -d $instanceDir/alias -D $hw -f $instanceDir/conf/.pwfile -n "$tk$sslnickname"`; + } + + &PKI::RA::Wizard::debug_log("NamePanel: update: try to import cert from $cert_fn"); + $tmp = `certutil -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -A -n "$nickname" -t "u,u,u" -a -i $cert_fn`; + # changed the cert, need to change nickname too, if necessary + if ($hw ne "") { + if ($certtag eq "sslserver") { + if ($changed eq "false") { + $::config->put("preop.cert.$certtag.nickname", "$tk$nickname"); + } + $changed = "true"; + } elsif ($certtag eq "subsystem") { + &PKI::RA::Wizard::debug_log("NamePanel: update: subsystem nickname changed"); + $::config->put("preop.cert.$certtag.nickname", "$tk$nickname"); + $::config->put("conn.ca1.clientNickname", "$tk$nickname"); + $::config->put("conn.drm1.clientNickname", "$tk$nickname"); + $::config->put("conn.tks1.clientNickname", "$tk$nickname"); + $::config->put( "ra.cert.subsystem.nickname", "$tk$nickname"); + } else { + &PKI::RA::Wizard::debug_log("NamePanel: update: $certtag nickname changed"); + $::config->put("preop.cert.$certtag.nickname", "$tk$nickname"); + } + $::config->commit(); + } else { + if ($certtag eq "subsystem") { + # setting these just in case the subsystem nickname changed. 
+ &PKI::RA::Wizard::debug_log("NamePanel: update: setting in case the subsystem nickname changed"); + $::config->put("conn.ca1.clientNickname", "$nickname"); + $::config->put("conn.drm1.clientNickname", "$nickname"); + $::config->put("conn.tks1.clientNickname", "$nickname"); + $::config->put("ra.cert.subsystem.nickname", "$nickname"); + } + $::config->commit(); + } + + &PKI::RA::Wizard::debug_log("NamePanel: update: done importing cert: $tk$nickname"); + $tmp = `rm $cert_fn`; + } + } + +DONE: + &PKI::RA::Wizard::debug_log("NamePanel: removing pwfile"); + my $tmp = `rm $instanceDir/conf/.pwfile`; + return 1; +} + +sub readFile +{ + my $fn = $_[0]; + open FILE, "< $fn" or return ""; + my $content = join "",<FILE>; + close FILE; + + return $content; +} + +use Data::Dumper; + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("NamePanel: display"); + + my $domain_name = $::config->get("preop.securitydomain.name"); + if ($domain_name eq "") { + $domain_name = "RA Domain"; + } + my $machine_name = $::config->get("service.machineName"); + my $instance_id = $::config->get("service.instanceID"); + + my $i = 0; + foreach my $certtag (@PKI::RA::Wizard::certtags) { + &PKI::RA::Wizard::debug_log("NamePanel: display certtag=$certtag"); + my $cert_dn = $::config->get("preop.cert.".$certtag.".dn"); + if ($cert_dn eq "") { + if ($certtag eq "subsystem") { + $cert_dn = "CN=RA Subsystem, " . + "OU=" . $instance_id . ", " . + "O=" . $domain_name; + } elsif ($certtag eq "sslserver") { + $cert_dn ="CN=" . $machine_name . ", " . + "OU=" . $instance_id . ", " . + "O=" . $domain_name; + } else { + &PKI::RA::Wizard::debug_log("NamePanel: display other certtag=$certtag"); + $cert_dn = $certtag; + } + $::config->put("preop.cert.".$certtag.".dn", $cert_dn); + $::config->commit(); + } else { + if (!($cert_dn =~ /O=/)) { + $cert_dn .= ", O=" . 
$domain_name; + $::config->put("preop.cert.".$certtag.".dn", $cert_dn); + $::config->commit(); + } + } + + my $name = $::config->get("preop.cert.".$certtag.".userfriendlyname"); + if ($name eq "") { + $name = $certtag."Cert ".$instance_id; + $::config->put("preop.cert.".$certtag.".userfriendlyname", $name); + $::config->commit(); + } + + my $cert = new PKI::RA::CertInfo($name, + $cert_dn, $certtag); + $::symbol{certs}[$i++] = $cert; + } + + &PKI::RA::Wizard::debug_log("NamePanel: getting CA info"); + $::symbol{urls} = []; + my $count = 0; + + while (1) { + my $host = $::config->get("preop.securitydomain.ca$count.host"); + if ($host eq "") { + goto DONE; + } + my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); + my $name = $::config->get("preop.securitydomain.ca$count.subsystemname"); + my $item = $name . " - https://" . $host . ":" . $https_ee_port; + $::symbol{urls}[$count++] = $item; + + } +DONE: + + $::symbol{urls}[$count++] = "External CA"; + $::symbol{urls_size} = $count+1; + + return 1; +} + + +# arg0 filename containing certificate request +# return certificate request plus header and footer +sub extract_cert_req_from_file +{ + my $save_line = 0; + + my $filename = $_[0]; + + my $fd = new FileHandle; + + my $cert_request = ""; + + $fd->open( "<$filename" ) or die "Could not open '$filename'!\n"; + + while( <$fd> ) + { + my $line = $_; + chomp( $line ); + + if( $line eq $cert_req_header ) { + $save_line = 1; + $cert_request .= "$line\n"; + } elsif( $line eq $cert_req_footer ) { + $cert_request .= "$line\n"; + $save_line = 0; + last; + } elsif( $save_line == 1 ) { + $cert_request .= "$line\n"; + } + } + + $fd->close(); + + return $cert_request; +} + +# arg0 message containing certificate request +# return certificate request sans header and footer +sub extract_cert_req_from_file_sans_header_and_footer +{ + my $filename = $_[0]; + my $save_line = 0; + + my $fd = new FileHandle; + + my $cert_request = ""; + + $fd->open( "<$filename" 
) or die "Could not open '$filename'!\n"; + + while( <$fd> ) + { + my $line = $_; + chomp( $line ); + + if( $line eq $cert_req_header ) { + $save_line = 1; + } elsif( $line eq $cert_req_footer ) { + $save_line = 0; + last; + } elsif( $save_line == 1 ) { + $cert_request .= "$line\n"; + } + } + + $fd->close(); + + return $cert_request; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm b/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm new file mode 100755 index 000000000..51c22cd24 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm 
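Review bot: `update` builds shell command strings from request parameters: `$cert_dn` comes straight from `$q->param($certtag)` and is interpolated into `system("certutil -R -s \"$cert_dn\" ...")` for both key types, and the nickname that `update` takes from `$q->param($certtag . "_nick")`, stores in config and reads back is interpolated into the backtick `certutil -D`/`-A` calls, so a value containing shell metacharacters is interpreted by the web server's shell rather than passed to certutil. The list forms of `system()` and `open('-|', ...)` avoid the shell entirely and also remove the need for the `cat $tmpfile` / `rm $tmpfile` round trips; the remaining fixed names `/tmp/random.$$`, `/tmp/req$$` and `/tmp/grep$$` sit in a shared world-writable directory and should come from `File::Temp` (core Perl, no new dependency). The sslget invocations pass `-p "$db_password"` / `-p "$token_pwd"` on the command line, where any local user can read them from the process table while the call runs, whereas the `-f .pwfile` mechanism already used for certutil keeps the secret out of argv. `.pwfile` is created by `open FILE, ">..."` under the process umask and only then narrowed by `system("chmod 00660 ...")`; setting `umask 0077` (or `sysopen` with an explicit mode) before the `open` closes that window. The `return $cert;` after `goto DONE;` is unreachable, and `XML::Simple->new()` is called although no `use XML::Simple` appears in this file's imports.
```perl
# … unchanged: key type / key size selection …
my $filename = "/tmp/random.$$";   # TODO(review): replace with File::Temp::tempfile()
if ($keytype eq "rsa") {
    # list-form open bypasses the shell, so $cert_dn and $tokenname reach certutil as single arguments
    my @cmd = ('certutil', '-R', '-s', $cert_dn, '-k', $keytype, '-g', $keysize,
               '-d', "$instanceDir/alias",
               ($hw ne "" ? ('-h', $tokenname) : ()),
               '-f', "$instanceDir/conf/.pwfile", '-a', '-z', $filename);
    open(my $fh, '-|', @cmd) or die "cannot run certutil: $!";
    $req = join '', <$fh>;
    close $fh;
}
# … unchanged: ecc branch, same list form with '-k', 'ec', '-q', 'nistp256' …
unlink $filename;
```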
@@ -0,0 +1,235 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; + +package PKI::RA::ReqCertInfo; +$PKI::RA::ReqCertInfo::VERSION = '1.00'; + +our $cert_req_header="-----BEGIN NEW CERTIFICATE REQUEST-----"; +our $cert_req_footer="-----END NEW CERTIFICATE REQUEST-----"; +our $cert_header="-----BEGIN CERTIFICATE-----"; +our $cert_footer="-----END CERTIFICATE-----"; + +sub new { + my ($class, $name, $dn, $tag) = @_; + my $self = {}; + &PKI::RA::Wizard::debug_log("ReqCertInfo: start new"); + &PKI::RA::Wizard::debug_log("ReqCertInfo: creating name: $name, dn: $dn, tag: $tag"); + + $self->{"getUserFriendlyName"} = \&get_user_friendly_name; + $self->{"getCertTag"} = \&get_cert_tag; + $self->{"getCert"} = \&get_cert; + $self->{"getCertpp"} = \&get_cert_pp; + $self->{"getRequest"} = \&get_request; + $self->{"getDN"} = \&get_dn; + $self->{"useDefaultKey"} = \&use_default_key; + $self->{"getCustomKeysize"} = \&get_custom_keysize; + &PKI::RA::Wizard::debug_log("ReqCertInfo: end new"); + + $self->{name} = $name; + $self->{dn} = $dn; + $self->{tag} = $tag; + + bless $self, $class; + return $self; +} + +sub get_user_friendly_name +{ + my 
($self) = @_; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_user_friendly_name"); + return $self->{name}; +} + +sub readFile +{ + my $fn = $_[0]; + open FILE, "< $fn" or return ""; + my $content = join "",<FILE>; + close FILE; + + return $content; +} + +sub wrap_lines +{ + my $lines = shift; + my $temp ; + foreach my $line (split "\n", $lines) { + if (length $line > 59) { + $line =~ s/(.{0,60})/$1\n/g; + } + # get rid of a line that is just an empty newline + $line =~ s/^\n$//gms; + $temp .= $line; + } + # collapse multiple newlines into one + $temp =~ s/\n+/\n/gms; + $temp =~ s/\n$//gms; + $temp; + +} + +sub get_request +{ + my ($self) = @_; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_request"); + # first, try to see if request has been made before +# my $req = readFile( "/var/lib/pki-ra/conf/$self->{tag}_cert_request.txt"); + + my $req = $::config->get("preop.cert.$self->{tag}.certreq"); + + $req = wrap_lines($req); + + if ($req ne "") { + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_request found existing request"); + return $cert_req_header."\n".$req."\n".$cert_req_footer;; + } else { + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_request existing request not found"); + } + + return $req; +} + +sub get_cert +{ + my ($self) = @_; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert"); +# see if there is an existing cert +# my $cert = readFile("/var/lib/pki-ra/conf/".$self->{tag}."_cert.txt"); + my $cert = $::config->get("preop.cert.$self->{tag}.cert"); + + $cert = wrap_lines($cert); + if ($cert ne "") { + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert found existing cert"); + return $cert_header."\n".$cert."\n".$cert_footer;; + } else { + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert existing cert not found"); + } + if ($cert eq "") { + $cert = "...paste certificate here..."; + } + + + return $cert; +} + +sub get_cert_pp +{ + my ($self) = @_; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp"); + my $instanceDir = 
$::config->get("service.instanceDir"); + + my $hw; + my $tokenname = $::config->get("preop.module.token"); + &PKI::RA::Wizard::debug_log("ReqCertInfo: update got token name = $tokenname"); + + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { + $hw = ""; + } else { + $hw = "-h $tokenname"; + } + + my $token_pwd = $::pwdconf->get($tokenname); + open FILE, ">$instanceDir/conf/.pwfile"; + system( "chmod 00660 $instanceDir/conf/.pwfile" ); + $token_pwd =~ s/\n//g; + print FILE $token_pwd; + close FILE; + + my $nickname = $::config->get("preop.cert.$self->{tag}.nickname"); + if ($nickname eq "") { +#XXX + $nickname = "RA ".$self->{tag}." cert"; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp nickname not found for $self->{tag} -- try $nickname"); + } + my $certpp=""; +# my $found = -e "/var/lib/pki-ra/conf/$self->{tag}_cert.txt"; + my $cert = $::config->get("preop.cert.$self->{tag}.cert"); + + if ($cert ne "") { + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp found request, ready to get prettyprint"); + my $tmp = `certutil -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -n "$nickname" -L > $instanceDir/conf/$self->{tag}_cert_pp.txt`; + $certpp = readFile("$instanceDir/conf/$self->{tag}_cert_pp.txt"); + $certpp =~ s/"//g; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp pp=$certpp"); + $tmp =`rm $instanceDir/conf/$self->{tag}_cert_pp.txt`; + } else { + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp cert not found, will not get prettyprint"); + } + my $tmp = `rm $instanceDir/conf/.pwfile`; + + return $certpp; +} + +sub get_cert_tag +{ + my ($self) = @_; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_tag"); + return $self->{tag}; +} + +sub get_dn +{ + my ($self) = @_; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_dn"); + return $self->{dn}; +} + +sub use_default_key +{ + my ($self) = @_; + &PKI::RA::Wizard::debug_log("ReqCertInfo: use_default_key"); + my $select = 
$::config->get("preop.cert.$self->{tag}.keysize.select"); + if ($select ne "") { + if ($select eq "custom") { + &PKI::RA::Wizard::debug_log("ReqCertInfo: use_default_key from config = $select returning 0"); + return 0; + } + } + + &PKI::RA::Wizard::debug_log("ReqCertInfo: use_default_key returning 1"); + return 1; +} + +sub get_custom_keysize +{ + my ($self) = @_; + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_custom_keysize"); + my $keysize = $::config->get("preop.cert.$self->{tag}.keysize.customsize"); + if ($keysize ne "") { + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_custom_keysize from config = $keysize"); + return $keysize; + } else { + &PKI::RA::Wizard::debug_log("ReqCertInfo: get_custom_keysize not from config"); + } + return 2048; +} + + +1; diff --git a/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm b/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm new file mode 100755 index 000000000..114b19ef0 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm 
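Review bot: In `get_cert_pp`, the token password is written to `$instanceDir/conf/.pwfile` through a plain `open FILE, ">..."` and only afterwards restricted with `system("chmod 00660 ...")`, so the file is first created under the process umask and the password can be readable by other local users in that window; the `open` is also unchecked, so a failure silently writes nothing and `certutil` still runs. Create the file with restrictive permissions from the start, e.g. `use Fcntl;` at the top and `sysopen(FILE, "$instanceDir/conf/.pwfile", O_WRONLY|O_CREAT|O_TRUNC, 0600) or die "cannot write .pwfile: $!";`, and remove it with `unlink` rather than a backticked `rm`. The `certutil` command line interpolates `$tokenname` and `$nickname` straight from the config into a shell string; if those values can carry shell metacharacters this needs list-form execution or quoting, which is worth confirming against how the config is written. Smaller issue: `wrap_lines` leaves `$temp` undefined when `$lines` is empty, which trips `use warnings` on the later substitutions; initialise it with `my $temp = "";`.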
@@ -0,0 +1,199 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use URI::URL; +use XML::Simple; +use Data::Dumper; + +package PKI::RA::SecurityDomainPanel; +$PKI::RA::SecurityDomainPanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(1); + $self->{"getName"} = &PKI::RA::Common::r("Security Domain"); + $self->{"vmfile"} = "securitydomainpanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("SecurityPanel: validate"); + + return 1; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub pingCS +{ + my( $instanceDir ) = $_[0]; + my( $db_password ) = $_[1]; + my( $nickname ) = $_[2]; + my( $hostname ) = $_[3]; + my( $port ) = $_[4]; + + my $content = `/usr/bin/sslget -d 
$instanceDir/alias -p $db_password -v -r "/ca/admin/ca/getStatus" $hostname:$port`; + if( "$content" eq "" ) { + return 0; + } else { + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + + my $parser = XML::Simple->new(); + my $response = $parser->XMLin($content); + my $state = $response->{State}; + + if( "$state" eq "1" ) { + return 1; + } else { + return 0; + } + } +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("SecurityPanel: display"); + $::symbol{panelname} = "Security Domain"; + $::symbol{sdomainName} = "Security Domain"; + + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $hostname = $::config->get("service.machineName"); + my $default_https_admin_port = 9445; + + # check to see if "default" security domain exists on local machine + my $status = pingCS( $instanceDir, + $db_password, + $nickname, + $hostname, + $default_https_admin_port ); + if( "$status" eq "1" ) { + # "default" security domain exists on local machine; + # fill "sdomainURL" in with "default" security domain + # as an initial "guess" + $::symbol{sdomainURL} = "https://" . $hostname . ":" + . $default_https_admin_port; + } else { + # "default" security domain does NOT exist on local machine; + # leave "sdomainURL" blank + $::symbol{sdomainURL} = ""; + } + + $::symbol{sdomainAdminURL} = "https://" . $hostname . ":" + . $default_https_admin_port; + + my $initDaemon = "pki-cad"; + my $initCommand = ""; + my $instanceID ="<security_domain_instance_name> "; + if( $^O eq "linux" ) { + $initCommand = "/sbin/service $initDaemon"; + } else { + ## default case: e. g. 
- ( $^O eq "solaris" ) + $initCommand = "/etc/init.d/$initDaemon"; + } + $::symbol{initCommand} = $initCommand; + $::symbol{instanceID} = $instanceID; + return 1; +} + + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("SecurityPanel: update"); + my $sdomainURL = $q->param("sdomainURL"); + + if ($sdomainURL eq "") { + &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL has not been specified!"); + $::symbol{errorString} = "Security Domain HTTPS has not been specified!"; + return 0; + } + + my $sdomainURL_info = new URI::URL($sdomainURL); + + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $hostname = $sdomainURL_info->host; + my $https_admin_port = $sdomainURL_info->port; + + # check to see if "default" security domain exists on local machine + my $status = pingCS( $instanceDir, + $db_password, + $nickname, + $hostname, + $https_admin_port ); + if( "$status" ne "1" ) { + # invalid security domain specified + &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL not found"); + $::symbol{errorString} = "Security Domain HTTPS Admin URL not found"; + return 0; + } + + # save urls in CS.cfg + &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL=" . $sdomainURL); + $::config->put("config.sdomainAdminURL", $sdomainURL); + + # Add values necessary for 'pkiremove' . . . + $::config->put("securitydomain.select", "existing"); + $::config->put("securitydomain.host", $sdomainURL_info->host); + $::config->put("securitydomain.httpsadminport", $sdomainURL_info->port); + $::config->commit(); + + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/SizePanel.pm b/base/ra/lib/perl/PKI/RA/SizePanel.pm new file mode 100755 index 000000000..f55dc41e9 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/SizePanel.pm 
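Review bot: In `update`, the host and port parsed from the user-supplied `sdomainURL` are handed to `pingCS`, which interpolates them into a backticked `/usr/bin/sslget ...` shell command; URI::URL parsing narrows the values but does not guarantee they are free of shell metacharacters, so validate them before the call, e.g. `return 0 unless defined $hostname && $hostname =~ /^[A-Za-z0-9.-]+$/ && defined $https_admin_port && $https_admin_port =~ /^\d+$/;`. `pingCS` also passes the NSS database password as `-p $db_password` on the command line, where it is visible to any local user through the process list; avoiding that needs a password-file option on `sslget`, which I cannot confirm from this hunk. Finally, the match `$content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/` is not checked before `$content = $1`, so a response without that element hands `XMLin` a stale or undefined value; write it as `return 0 unless $content =~ /(<XMLResponse>.*<\/XMLResponse>)/;` and then use `$1`.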
@@ -0,0 +1,245 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use PKI::RA::CertInfo; + +package PKI::RA::SizePanel; +$PKI::RA::SizePanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(11); + $self->{"getName"} = &PKI::RA::Common::r("Key Pairs"); + $self->{"vmfile"} = "sizepanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("SizePanel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("SizePanel: update"); + + my $instanceDir = $::config->get("service.instanceDir"); + my $done = $::config->get("preop.SizePanel.done"); + my $genKeyPair = $q->param('generateKeyPair'); + 
&PKI::RA::Wizard::debug_log("SizePanel: update generateKeyPair value=$genKeyPair"); + if ($done eq "true") { + if ($genKeyPair eq "") { + &PKI::RA::Wizard::debug_log("SizePanel: update generateKeyPair value not found, turn to off"); + $genKeyPair = "off"; + } + } else { + # firstime should always generate keys + $genKeyPair = "on"; + } + + foreach my $certtag (@PKI::RA::Wizard::certtags) { + my $select = $q->param($certtag.'_choice'); + my $keytype = $q->param($certtag.'_keytype'); + my $size = $q->param($certtag.'_custom_size'); + + &PKI::RA::Wizard::debug_log("SizePanel: update $certtag _choice=$select $certtag _keytype=$keytype customsize= $size"); + + $::config->put("preop.keysize.select", $select); + $::config->put("preop.cert.".$certtag.".keysize.select", $select); + + if (! isSupportedSize($keytype, $size)) { + &PKI::RA::Wizard::debug_log("SizePanel: update size $size not supported"); + return 0; + } + $::config->put("preop.cert.".$certtag.".keysize.customsize", $size); + $::config->put("preop.cert.".$certtag.".keytype", $keytype); + + if ($select eq "default") { + my $defaultSize = getDefaultSize($keytype); + &PKI::RA::Wizard::debug_log("SizePanel: update in default, defaultsize = $defaultSize"); + $::config->put("preop.keysize.customsize", $defaultSize); + $::config->put("preop.keysize.size", $defaultSize); + $::config->put("preop.cert.".$certtag.".keysize.size", $defaultSize); + + } elsif ($select eq "custom") { + &PKI::RA::Wizard::debug_log("SizePanel: update in custom, customsize = $size"); + $::config->put("preop.keysize.size", $size); + $::config->put("preop.cert.".$certtag.".keysize.size", $size); + } + + if ($genKeyPair eq "on") { + $::config->put("preop.cert.".$certtag.".certreq", ""); + $::config->put("preop.cert.".$certtag.".cert", ""); + } + } +#XXX should have better error checking to work better + $done = $::config->put("preop.SizePanel.done", "true"); + $::config->commit(); + + return 1; +} + +sub getDefaultSize { + my $keytype = $_[0]; + + 
if ($keytype eq "ecc") { + return 256; + } elsif ($keytype eq "rsa") { + return 2048; + } + + $::symbol{errorString} = "Unsupported keytype $keytype"; + return 0; +} + +sub isSupportedSize { + my $keytype = $_[0]; + my $size = $_[1]; + + if (($keytype eq "ecc") && ($size ne "256")) { + &PKI::RA::Wizard::debug_log("SizePanel: isSupportedSize ECC only supports size 256"); + $::symbol{errorString} = "Unsupported Size $size. ECC only supports size 256"; + return 0; + } + + if (($size eq "256") || ($size eq "512") || ($size eq "1024") || + ($size eq "2048") || ($size eq "4096")) { + return 1; + } + # wrong size + $::symbol{errorString} = "Unsupported Size $size. RSA only supports sizes 256, 512, 1024, 2048, and 4096"; + return 0; +} + +sub display +{ + my ($q) = @_; + + &PKI::RA::Wizard::debug_log("SizePanel: display"); + + my $done = $::config->get("preop.SizePanel.done"); + &PKI::RA::Wizard::debug_log("SizePanel: display is panel done? $done"); + if ($done eq "true") { + $::symbol{firsttime} = "false"; + } else { + $::symbol{firsttime} = "true"; + } + + my $domain_name = $::config->get("preop.securitydomain.name"); + if ($domain_name eq "") { + $domain_name = "RA Domain"; + } + + my $machine_name = $::config->get("service.machineName"); + my $instance_id = $::config->get("service.instanceID"); + + my $i = 0; + foreach my $certtag (@PKI::RA::Wizard::certtags) { + my $cert_dn = $::config->get("preop.cert.".$certtag.".dn"); + if ($cert_dn eq "") { + if ($certtag eq "subsystem") { + $cert_dn = "CN=RA Subsystem, " . + "OU=" . $instance_id . ", " . + "O=" . $domain_name; + } elsif ($certtag eq "sslserver") { + $cert_dn ="CN=" . $machine_name . ", " . + "OU=" . $instance_id . ", " . + "O=" . 
$domain_name; + } else { + $cert_dn = $certtag; + } + } + my $name = $::config->get("preop.cert.".$certtag.".userfriendlyname"); + if ($name eq "") { + $name = $certtag."Cert ".$instance_id; + } + my $cert = new PKI::RA::CertInfo($name, + $cert_dn, $certtag); + $::symbol{certs}[$i++] = $cert; + } + + #for "common key settings" + my $select = $::config->get("preop.keysize.select"); + if (($select eq "") || ($select eq "default")) { + $::symbol{select} = "default"; + } else { + &PKI::RA::Wizard::debug_log("SizePanel: display keysize select= $select"); + $::symbol{select} = $select; + } + my $default_size = $::config->get("preop.keysize.size"); + if ($default_size eq "") { + $::symbol{default_keysize} = 2048; + } else { + $::symbol{default_keysize} = $default_size; + } + + my $default_ecc_size = $::config->get("preop.keysize.ecc.size"); + if ($default_ecc_size eq "") { + $::symbol{default_ecc_keysize} = 256; + } else { + $::symbol{default_ecc_keysize} = $default_ecc_size; + } + + my $custom_size = $::config->get("preop.keysize.customsize"); + if ($custom_size eq "") { + $::symbol{custom_size} = 2048; + } else { + $::symbol{custom_size} = $default_size; + } + + + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm b/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm new file mode 100755 index 000000000..3d946bca0 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm 
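Review bot: In `update`, the return value of `getDefaultSize($keytype)` is never checked, so an unrecognised `keytype` submitted in the form stores `0` as `preop.cert.<tag>.keysize.size` and the panel still returns 1; `isSupportedSize` does not reject the keytype either, and it accepts 256- and 512-bit RSA, which are far below any current minimum. Add `return 0 unless $defaultSize;` after the call, and consider dropping 256 and 512 from the RSA list in `isSupportedSize`. Separately, in `display` the custom-size branch assigns the wrong variable: `$::symbol{custom_size} = $default_size;` should be `$::symbol{custom_size} = $custom_size;`. The `#XXX should have better error checking` comment before the final `put` would be more useful as a note of what is unchecked, namely that `put` and `commit` results are ignored.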
@@ -0,0 +1,142 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; + +package PKI::RA::SubsystemTypePanel; +$PKI::RA::SubsystemTypePanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(3); + $self->{"getName"} = &PKI::RA::Common::r("Subsystem Type"); + $self->{"vmfile"} = "createsubsystempanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("SubsystemTypePanel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("SubsystemTypePanel: update"); + $::symbol{systemname} = "Registration Authority "; + $::symbol{subsystemName} = "Registration Authority"; + $::symbol{fullsystemname} = "Registration 
Authority"; + $::symbol{machineName} = "localhost"; + $::symbol{http_port} = "12888"; + $::symbol{https_port} = "12889"; + $::symbol{non_clientauth_https_port} = "12890"; + $::symbol{check_clonesubsystem} = " "; + $::symbol{check_newsubsystem} = " "; + $::symbol{disableClone} = 1; + + my $subsystemName = $q->param('subsystemName'); + $::config->put("preop.subsystem.name", $subsystemName); + $::config->commit(); + + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("SubsystemTypePanel: display"); + $::symbol{systemname} = "Registration Authority "; + $::symbol{subsystemName} = "Registration Authority"; + $::symbol{fullsystemname} = "Registration Authority "; + + my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); + + + $::symbol{machineName} = $machineName; + $::symbol{http_port} = $unsecurePort; + $::symbol{https_port} = $securePort; + $::symbol{non_clientauth_https_port} = $non_clientauth_securePort; + $::symbol{check_clonesubsystem} = ""; + $::symbol{check_newsubsystem} = "checked "; + + my $session_id = $q->param("session_id"); + $::config->put("preop.sessionID", $session_id); + $::config->commit(); + + $::symbol{urls} = []; + my $count = 0; + while (1) { + my $host = $::config->get("preop.securitydomain.ra$count.host"); + if ($host eq "") { + goto DONE; + } + my $port = $::config->get("preop.securitydomain.ra$count.non_clientauth_secure_port"); + my $name = $::config->get("preop.securitydomain.ra$count.subsystemname"); + unshift(@{$::symbol{urls}}, "https://" . $host . ":" . $port); + $count++; + } +DONE: + $::symbol{urls_size} = $count; + +# if ($count == 0) { + $::symbol{disableClone} = 1; +# } + + # XXX - how to deal with urls + return 1; +} + + +1; 
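Review bot: In `update`, the `subsystemName` form parameter is written to `preop.subsystem.name` and committed without validation; if the Config writer serialises values as key=value lines, a value containing a newline could add further keys to CS.cfg, and an undefined parameter is stored as-is. Reject control characters before the put, e.g. `return 0 if !defined $subsystemName || $subsystemName =~ /[\x00-\x1f]/;`, and set `$::symbol{errorString}` as the other panels do. In `display` the `if ($count == 0)` around `$::symbol{disableClone} = 1` is commented out, so cloning is always disabled while the urls list is still built; either drop the loop or restore the condition, and a one-line comment saying why cloning is unconditionally disabled would help. The `while (1) { ... goto DONE; }` loop reads more clearly with `last` and the assignment after the loop (the same shape appears in TKSInfoPanel.pm).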
diff --git a/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm b/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm new file mode 100755 index 000000000..ddf1124a9 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm 
@@ -0,0 +1,134 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use URI::URL; + +package PKI::RA::TKSInfoPanel; +$PKI::RA::TKSInfoPanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(5); + $self->{"getName"} = &PKI::RA::Common::r("TKS Information"); + $self->{"vmfile"} = "tksinfopanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("TKSInfoPanel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("TKSInfoPanel: update"); + + my $count = $q->param('urls'); + + my $instanceID = $::config->get("service.instanceID"); + + my $host = ""; + my $https_agent_port = ""; + if ($count =~ /http/) { 
+ my $info = new URI::URL($count); + $host = $info->host; + $https_agent_port = $info->port; + if (($host eq "") || ($https_agent_port eq "")) { + $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation"; + return 0; + } + $::config->put("preop.tksinfo.select", $count); + } else { + $host = $::config->get("preop.securitydomain.tks$count.host"); + $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport"); + if (($host eq "") || ($https_agent_port eq "")) { + $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation"; + return 0; + } + $::config->put("preop.tksinfo.select", "https://$host:$https_agent_port"); + } + my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname"); + $::config->put("conn.tks1.clientNickname", $subsystemCertNickName); + $::config->put("conn.tks1.hostport", $host . ":" . $https_agent_port); + $::config->commit(); + + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("TKSInfoPanel: display"); + $::symbol{urls} = []; + my $count = 0; + while (1) { + my $host = $::config->get("preop.securitydomain.tks$count.host"); + if ($host eq "") { + goto DONE; + } + my $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport"); + my $name = $::config->get("preop.securitydomain.tks$count.subsystemname"); + $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port; + } +DONE: + $::symbol{urls_size} = $count; + if ($count eq 0) { + $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation"; + return 0; + } + + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/WelcomePanel.pm b/base/ra/lib/perl/PKI/RA/WelcomePanel.pm new file mode 100755 index 000000000..c88c138be --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/WelcomePanel.pm 
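Review bot: In `update`, the `urls` form parameter is interpolated unvalidated into the config key `preop.securitydomain.tks$count.host` when it does not contain `http`, and in the URL branch the host and port it carries are stored as `conn.tks1.hostport` without being checked against the TKS entries that `display` enumerated from the security domain, so the RA can be pointed at a TKS of the submitter's choosing. Guard the index branch with `return 0 unless defined $count && $count =~ /^\d+$/;` and, in the URL branch, accept the URL only when `https://$host:$https_agent_port` matches one of the configured `preop.securitydomain.tksN` entries. In `display`, `if ($count eq 0)` is a string comparison on a number; `== 0` expresses the intent. The `while (1) ... goto DONE` shape, as in SubsystemTypePanel.pm, would read better with `last`.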
@@ -0,0 +1,90 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; + +package PKI::RA::WelcomePanel; +$PKI::RA::WelcomePanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(0); + $self->{"getName"} = &PKI::RA::Common::r("Welcome"); + $self->{"vmfile"} = "welcomepanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("WelcomePanel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("WelcomePanel: update"); + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("XXX " . 
$::config->get("logging.debug.enable")); + &PKI::RA::Wizard::debug_log("WelcomePanel: display"); + $::symbol{wizardname} = "RA Configuration Wizard"; + $::symbol{systemname} = "RA"; + $::symbol{fullsystemname} = "Registration Authority"; + + return 1; +} + +1; diff --git a/base/ra/lib/perl/PKI/RA/wizard.pm b/base/ra/lib/perl/PKI/RA/wizard.pm new file mode 100755 index 000000000..5fe1e7536 --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/wizard.pm 
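Review bot: `display` opens with a leftover diagnostic, `&PKI::RA::Wizard::debug_log("XXX " . $::config->get("logging.debug.enable"));`, whose "XXX" prefix gives the log reader no context; either remove it or give it a message such as `&PKI::RA::Wizard::debug_log("WelcomePanel: logging.debug.enable=" . $::config->get("logging.debug.enable"));`. The `validate` and `update` stubs would benefit from a one-line comment each saying the welcome panel has no state to validate or persist, since the file has no documentation beyond the license block.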
@@ -0,0 +1,502 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +# wizard - +# Fedora Certificate System - Registration Authority System configuration wizard + + +# This script is run as a 'mod_perl' CGI. Configure mod_perl by adding +# the following to /etc/httpd/conf.d/perl.conf +# +# PerlModule ModPerl::Registry +# PerlModule Apache::compat +# PerlModule PKI::RA::Wizard +# PerlSetEnv PKI_DOCROOT /u/sparkins/t/cs_tip/certsystem/prj/common/ui +# <Location /wizard> +# SetHandler perl-script +# PerlHandler PKI::RA::Wizard +# Order deny,allow +# Allow from all +# </Location> + + +# Note: The Velocity parser is not very helpful when it comes to +# errors right now. Here are some common errors, and what they mean: +# +# ERROR: +# [Mon Apr 03 13:57:33 2006] [error] [client 172.16.24.26] +# Can't use string ("0") as an ARRAY ref while "strict refs" +# in use at /usr/lib/perl5/site_perl/5.8.5/Template/Velocity.pm +# line 423.\n, referer: http://chico/wizard?p=2 +# MEANING +# This probably means that your *.vm file refers to an array +# variable in a foreach statement that is not defined +# Check your foreach array variables. 
+ +use warnings; +use ModPerl::Registry; +use Template::Velocity; +use Getopt::Std; +use Data::Dumper; +use CGI::Carp qw(fatalsToBrowser); +use CGI; +use APR::Const -compile => qw(:error SUCCESS); +use PKI::RA::GlobalVar; +use PKI::RA::WelcomePanel; +use PKI::RA::SecurityDomainPanel; +use PKI::RA::DisplayCertChainPanel; +use PKI::RA::SubsystemTypePanel; +use PKI::RA::CAInfoPanel; +use PKI::RA::DisplayCertChain2Panel; +use PKI::RA::AdminAuthPanel; +use PKI::RA::AgentAuthPanel; +use PKI::RA::DatabasePanel; +use PKI::RA::ModulePanel; +use PKI::RA::SizePanel; +use PKI::RA::NamePanel; +use PKI::RA::ConfigHSMLoginPanel; +use PKI::RA::CertRequestPanel; +use PKI::RA::AdminPanel; +use PKI::RA::ImportAdminCertPanel; +use PKI::RA::DonePanel; +use PKI::RA::Config; + +use PKI::RA::Common qw(yes no r); + +package PKI::RA::Wizard; +$PKI::RA::Wizard::VERSION = '1.00'; + +# read configuration file +my $flavor = "pki"; +$flavor =~ s/\n//g; + +my $pkiroot = $ENV{PKI_ROOT}; + +my $config = PKI::RA::Config->new(); +$config->load_file("$pkiroot/conf/CS.cfg"); +# read password cache file +my $pwdconf = PKI::RA::Config->new(); +$pwdconf->load_file("$pkiroot/conf/pwcache.conf"); +# SELinux disallows performing a "chmod" on this file +if( $^O ne "linux" ) { + system( "chmod 00660 $pkiroot/conf/pwcache.conf" ); +} + +# create cfg debug log +my $logfile = $config->get("service.instanceDir") . "/logs/debug"; +system( "touch $logfile" ); +system( "chmod 00640 $logfile" ); +open( DEBUG, ">>" . $logfile ) || +warn( "Could not open '" . $logfile . "': $!" ); + +# apache server + +our $debug; + +my $HTTP_OK = 0; + +my $STATUS_OK = 0; # Apache 2 needs this to be zero +my $STATUS_ERROR = 2; +my $STATUS_REDIRECT = 3; + +&debug_log("RA wizard: starting up"); + +my $docroot = $ENV{PKI_DOCROOT}; + +if (! 
$docroot) { + &debug_log("RA wizard: ERROR: PKI_DOCROOT is null"); + return 0; +} + +our $parser = new Template::Velocity($docroot); +our $symbol; +our @certtags; + +makepanels(); + +&debug_log("RA wizard: start up complete"); + +1; + +sub debug_log +{ + my ($msg) = @_; + my $date = `date`; + chomp($date); + if( -w $logfile ) { + print DEBUG "$date - $msg\n"; + } +} + + # initializes entries in parser's global symbol table for panels +sub makepanels +{ + #REAL PANELS BELOW + my $welcome = new PKI::RA::WelcomePanel(); + my $securitydomain = new PKI::RA::SecurityDomainPanel(); + my $displaycertchain = new PKI::RA::DisplayCertChainPanel(); + my $subsystem = new PKI::RA::SubsystemTypePanel(); + my $cainfopanel = new PKI::RA::CAInfoPanel(); +# my $displaycertchain2 = new PKI::RA::DisplayCertChain2Panel(); + my $databasepanel = new PKI::RA::DatabasePanel(); + my $modulepanel = new PKI::RA::ModulePanel(); + my $confighsmloginpanel = new PKI::RA::ConfigHSMLoginPanel(); + my $sizepanel = new PKI::RA::SizePanel(); + my $namepanel = new PKI::RA::NamePanel(); + my $certrequestpanel = new PKI::RA::CertRequestPanel(); + my $adminpanel = new PKI::RA::AdminPanel(); + my $importadmincertpanel = new PKI::RA::ImportAdminCertPanel(); + my $donepanel = new PKI::RA::DonePanel(); + + $symbol{panels} = [ + $welcome, # com.netscape.cms.servlet.csadmin.WelcomePanel + $securitydomain, # com.netscape.cms.servlet.csadmin.SecurityDomainPanel + $displaycertchain, # com.netscape.cms.servlet.csadmin.DisplayCertChainPanel + $subsystem, # com.netscape.cms.servlet.csadmin.CreateSubsystemPanel + $cainfopanel, # com.netscape.cms.servlet.csadmin.CAInfoPanel +# $displaycertchain2, # com.netscape.cms.servlet.csadmin.DisplayCertChain2Panel + $databasepanel, # com.netscape.cms.servlet.csadmin.DatabasePanel + $modulepanel, # com.netscape.cms.servlet.csadmin.ModulePanel + $confighsmloginpanel, # com.netscape.cms.servlet.csadmin.ConfigHSMLoginPanel + $sizepanel, # com.netscape.cms.servlet.csadmin.SizePanel + 
$namepanel, # com.netscape.cms.servlet.csadmin.NamePanel + $certrequestpanel, # com.netscape.cms.servlet.csadmin.CertRequestPanel + $adminpanel, # com.netscape.cms.servlet.csadmin.AdminPanel + $importadmincertpanel, # com.netscape.cms.servlet.csadmin.ImportAdminCertPanel + $donepanel, # com.netscape.cms.servlet.csadmin.DonePanel</param-value> + ]; +}; + +sub render_panel +{ + my ($panelnum, $q) = @_; + + $symbol{errorString} = ""; + + my $currentpanel; + + if ($q->param('op') && $q->param('op') eq "next") { + $currentpanel = $symbol{panels}[$panelnum]; + # validate variables for panel + if ($currentpanel->{validate}) { + $currentpanel->{validate}($q); + } + # execute current panel + my $status = "0"; + + if ($currentpanel->{update}) { + $status = $currentpanel->{update}($q); + &debug_log("RA wizard: update returns status '" . + $status . "'"); + if ($status == $STATUS_REDIRECT) { + return $STATUS_REDIRECT; + } + + } + + &debug_log("RA wizard: about to find out about sub panel"); + if ($status eq "1") { + if ($currentpanel->{hasSubPanel} && &{$currentpanel->{hasSubPanel}}($q)) { + &debug_log("RA wizard: has sub panel"); + $panelnum = $panelnum + 2; + } elsif ($currentpanel->{isSubPanel} && &{$currentpanel->{isSubPanel}}($q)) { + &debug_log("RA wizard: is sub panel"); + $panelnum = $panelnum - 1; + } else { + &debug_log("RA wizard: no sub panel and is not subpanel"); + $panelnum = $panelnum + 1; + } + } + } elsif ($q->param('op') && $q->param('op') eq "back") { + $panelnum = $panelnum - 1; + #check if this a subpanel, if so, go back to it's parent. 
+ #only handles one-deep at this point + my $panel = $symbol{panels}[$panelnum]; + if (&{$panel->{isSubPanel}}($q)) { + $panelnum = $panelnum - 1; + } + } elsif ($q->param('op') && $q->param('op') eq "apply") { + &debug_log("RA wizard: update : apply button pressed"); + $currentpanel = $symbol{panels}[$panelnum]; + # validate variables for panel + if ($currentpanel->{validate}) { + $currentpanel->{validate}($q); + } + # execute current panel + if ($currentpanel->{update}) { + my $status = $currentpanel->{update}($q); + &debug_log("RA wizard: update returns status '" . + $status . "'"); + if ($status == $STATUS_REDIRECT) { + return $STATUS_REDIRECT; + } + + } + } + + &debug_log("RA wizard: after looking into about sub panel"); + + # advance to next panel + $currentpanel = $symbol{panels}[$panelnum]; + + # initialize symbol table values + $symbol{showApplyButton} = "false"; + + # fill in variables for new panel + if ($currentpanel->{panelvars}) { + $Data::Dumper::Indent = 1; + # The '&debug_log("q=".Dumper($q));' call must be commented out to fix + # Bugzilla Bug #249923: Incorrect file permissions on + # various files and/or directories + # &debug_log("q=".Dumper($q)); + $currentpanel->{panelvars}($q); + } + + $symbol{panel} = "ra/admin/console/config/".$currentpanel->{vmfile}; + + #wizard.vm: + $symbol{name} = "Registration Authority"; + $symbol{title} = $currentpanel->{getName}(); + if ($panelnum == 0) { + $symbol{firstpanel} = "1"; + } else { + $symbol{firstpanel} = "0"; + } + if ($panelnum == 13) { + $symbol{lastpanel} = "1"; + } else { + $symbol{lastpanel} = "0"; + } + $symbol{p} = $panelnum; + $symbol{subpanelno} = $panelnum+1; + $symbol{productversion} = $::config->get("preop.product.version"); + $symbol{csstate} = "1"; + +# $symbol{urls} = [ "cert1", "cert2" ]; #createsubsystem +# $symbol{urls_size} = 2; +# $symbol{instanceId} = "ra"; +# $symbol{errorString} = ""; + + #modulepanel +# $symbol{certs} = [ ]; +# $symbol{reqscerts} = [ ]; + $symbol{ppcerts} = [ 
]; + + return $STATUS_OK; +} + + + +sub dbg { + my $msg = shift; + $::symbol{dbg} .= "$msg\n"; +} + +sub handler { + my $r = shift; + + *::symbol = \%symbol; + *::s = \$s; + *::config = \$config; + *::pwdconf = \$pwdconf; + + &debug_log("RA wizard: in handler"); + + my $q = new CGI; + + # check cookie + my $cookie = $q->cookie('pin'); + my $pin = $::config->get("preop.pin"); + if ($cookie ne $pin) { + print $q->redirect("login"); + return; + } + + # output http parameters + &debug_log("RA wizard: uri='" . $ENV{REQUEST_URI} . "'"); + my @pnames = $q->param(); + foreach $pn (@pnames) { + # added this facility so that password can be hidden, + # all sensitive parameters should be prefixed with + # __ (double underscores); however, in the event that + # a security parameter slips through, we perform multiple + # additional checks to insure that it is NOT displayed + if( $pn =~ /^__/ || + $pn =~ /password$/ || + $pn =~ /passwd$/ || + $pn =~ /pwd$/ || + $pn =~ /admin_password_again/i || + $pn =~ /directoryManagerPwd/i || + $pn =~ /bindpassword/i || + $pn =~ /bindpwd/i || + $pn =~ /passwd/i || + $pn =~ /password/i || + $pn =~ /pin/i || + $pn =~ /pwd/i || + $pn =~ /pwdagain/i || + $pn =~ /uPasswd/i ) { + &debug_log("RA wizard: http parameter name='" . $pn . "' value='(sensitive)'"); + } else { + &debug_log("RA wizard: http parameter name='" . $pn . "' value='" . $q->param($pn) . "'"); + } + } + + my $panelnum = $q->param('p'); + if (!defined($panelnum) || $panelnum eq "") { + # Apache fails to pick up the p parameter after + # redirecting from the security domain. This is + # a quick hack to solve the issue. 
+ if ($ENV{'QUERY_STRING'} ne "") { + $ENV{'QUERY_STRING'} =~ /p=([0-9]+)&/; + $panelnum = $1; + } + } + + use subs qw(debug); + *debug = \&Template::Velocity::Executor::debug; + + $::symbol{dbg} = ""; + + &debug_log("RA wizard: before argparsing"); + if ($#ARGV == -1) { + $Data::Dumper::Maxdepth = 7; + $startfile = "ra/admin/console/config/wizard.vm"; + } + + &debug_log("RA wizard: setting up test objects"); + + #initialize from config file + my $certlist = $::config->get("preop.cert.list"); + if ($certlist eq "") { + $certlist = "sslserver,subsystem"; + } + @certtags = split(/,/, $certlist); + $numtags = @certtags; + if ($numtags eq 0) { + @certtags = ("sslserver", "subsystem"); + } + &debug_log("RA wizard: found $numtags certtags"); + + if (! $panelnum) { + $panelnum = 0; + } + + my $status = render_panel($panelnum, $q); + if ($status == 3) { + $r->header_out(Location => $symbol{redirect}); + $r->status(301); + $r->send_http_header(); + return; + } + + use Data::Dumper; + &debug_log("RA wizard: executing file $startfile"); + foreach $q (sort keys %symbol) { + &debug_log("RA wizard:/config/wizard?p=9&SecToken=NSS%20Generic%20Crypto%20Services sym{$q}=".$symbol{$q}); + } + + my $result; + if ($q->param('xml') && $q->param('xml') eq "true") { + $r->send_http_header('text/xml'); + $result = "<xml>"; + foreach $s (sort keys %symbol) { + if ($s =~ /^__/) { + next; + } + $result .= "<" . $s . ">"; + my $v = $symbol{$s}; + $result .= &get_xml($s, $v); + $result .= "</" . $s . 
">"; + } + $result .= "</xml>"; + } else { + $result = $parser->execute_file($startfile); + if (!defined $result) { + die("Couldn't execute template file: $docroot/$startfile"); + } + } + + $r->send_http_header('text/html'); + print "$result\n"; + + return $HTTP_OK; +} + +sub escape_xml +{ + my ($v) = @_; + $v =~ s/\"/"/g; + $v =~ s/\'/'/g; + $v =~ s/\&/&/g; + $v =~ s/</</g; + $v =~ s/>/>/g; + return $v; +} + +sub get_xml +{ + my ($s, $v) = @_; + + my $result; + if (ref($v) eq "HASH") { + foreach my $xkey (keys %$v) { + $result .= "<" . $xkey . ">"; + $result .= &get_xml($xkey, $v{$xkey}); + # $result .= "-" . ref($xkey); + $result .= "</" . $xkey . ">"; + } + } elsif (ref($v) eq "PKI::RA::CertInfo") { + my $certinfo = $v; + $result .= "<certinfo>"; + $result .= "<dn>" . $certinfo->get_dn() ."</dn>"; + $result .= "<tag>" . $certinfo->get_cert_tag() . "</tag>"; + $result .= "<friendly>" . $certinfo->get_user_friendly_name() . + "</friendly>"; + $result .= "</certinfo>"; + } elsif (ref($v) eq "PKI::RA::ReqCertInfo") { + my $reqcertinfo = $v; + $result .= "<reqcertinfo>"; + $result .= "<name>" . $reqcertinfo->get_user_friendly_name() ."</name>"; + $result .= "<req>" . $reqcertinfo->get_request() ."</req>"; + $result .= "<cert>" . $reqcertinfo->get_cert() ."</cert>"; + $result .= "<certpp>" . &escape_xml($reqcertinfo->get_cert_pp()) ."</certpp>"; + $result .= "<tag>" . $reqcertinfo->get_cert_tag() ."</tag>"; + $result .= "<dn>" . $reqcertinfo->get_cert_tag() ."</dn>"; + $result .= "</reqcertinfo>"; + } elsif (ref($v) eq "ARRAY") { + my $pos = 0; + foreach my $item (@$v) { + $result .= "<element>"; + $result .= &get_xml("p" . $pos, $item); + # $result .= "-" . ref($item); + $result .= "</element>"; + $pos++; + } + } else { + $result .= &escape_xml($v); + } + return $result; +} + +1; diff --git a/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm b/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm new file mode 100644 index 000000000..671f2418d --- /dev/null 
+++ b/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm
@@ -0,0 +1,52 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+#######################################
+# This plugins assigns a request to a group.
+#######################################
+package PKI::Request::Plugin::AutoAssign;
+
+use DBI;
+use PKI::Base::TimeTool;
+
+#######################################
+# Instantiate this plugin
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Processes plugin
+#######################################
+sub process {
+ my ($self, $cfg, $queue, $prefix, $req) = @_;
+
+ my $assignTo = $cfg->get($prefix . ".assignTo");
+ $queue->set_request($req->{'rowid'}, "assigned_to", $assignTo);
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm b/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm
new file mode 100644
index 000000000..b90096664
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm
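Review bot: `process` writes whatever `$cfg->get($prefix . ".assignTo")` returns into `assigned_to` without checking it, so an unconfigured or empty `assignTo` silently stores an empty group; since `get_role_filter` in Queue.pm matches `assigned_to` exactly, such a request is then visible to no role except administrators. Fail loudly, or at least log, before the write: `die "AutoAssign: $prefix.assignTo is not configured" unless defined($assignTo) && $assignTo ne "";` (use the plugin's logging facility instead of `die` if a hard failure inside `create_request` is undesirable). `new` also ignores the class it is called on (`bless ($self)` blesses into this package), which is harmless here but breaks subclassing.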
@@ -0,0 +1,75 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +####################################### +# This plugins creates a one time pin. +####################################### +package PKI::Request::Plugin::CreatePin; + +use DBI; +use PKI::Base::TimeTool; +use PKI::Base::PinStore; + +####################################### +# Instantiates this plugin +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Processes plugin +####################################### +sub process { + my ($self, $cfg, $queue, $prefix, $req) = @_; + + my $pin_store = PKI::Base::PinStore->new(); + $pin_store->open($cfg); + + + my $pin_format = $cfg->get($prefix . ".pinFormat"); + + my $client_id = ""; + my $site_id = ""; + + my $data = $req->{'data'}; + foreach $nv (split(/;/, $data)) { + my ($n, $v) = split(/=/, $nv); + $pin_format =~ s/\$$n/$v/g; + } + my $created_by = "admin"; + my $pin = $pin_store->create_pin($pin_format, $req->{'rowid'}, $created_by); + + # save pin to output + $output = "pin=" . 
$pin; + $queue->set_request_output($req->{'rowid'}, $output); + + $req->{'output'} = $output; + + $pin_store->close(); +} + +1; diff --git a/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm b/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm new file mode 100644 index 000000000..95274bfa7 --- /dev/null +++ b/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm 
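Review bot: `process` splices request-supplied data into the PIN format with `$pin_format =~ s/\$$n/$v/g;`, where `$n` is interpolated into the pattern unescaped and `$v` — taken from `$req->{'data'}`, which `create_request` in Queue.pm stores as given — becomes part of the PIN; a field name with regex metacharacters breaks or widens the match, and a submitter who can name fields appears able to dictate any `$name` placeholder the format references. Quote the name, `$pin_format =~ s/\$\Q$n\E/$v/g;`, and only substitute the field names the format is expected to use; `split(/=/, $nv)` should also be `split(/=/, $nv, 2)` so a value containing `=` is not truncated. `$nv` and `$output` are undeclared globals (no `use strict` here), and `$created_by` is hard-coded to "admin" instead of being taken from the request record.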
@@ -0,0 +1,100 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +####################################### +# This plugins mails a notification +# to an email specified in the request. +####################################### +package PKI::Request::Plugin::EmailNotification; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Instantiate this plugin +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub substitute { + my ($self, $cfg, $queue, $prefix, $req, $line) = @_; + + my $mail_to = $cfg->get($prefix . 
".mailTo"); + + # if mail_to starts with $, retrieve value from request + if ($mail_to =~ /^\$/) { + $mail_to =~ s/\$//g; + $mail_to = $req->{$mail_to}; + } + my $machineName = $cfg->get("service.machineName"); + my $securePort = $cfg->get("service.securePort"); + my $unsecurePort = $cfg->get("service.unsecurePort"); + my $nonClientAuthSecurePort = $cfg->get("service.non_clientauth_securePort"); + my $subject_dn = $req->{'subject_dn'}; + + $line =~ s/\$mail_to/$mail_to/g; + $line =~ s/\$request_id/$req->{'rowid'}/g; + $line =~ s/\$machineName/$machineName/g; + $line =~ s/\$securePort/$securePort/g; + $line =~ s/\$unsecurePort/$unsecurePort/g; + $line =~ s/\$subject_dn/$subject_dn/g; + $line =~ s/\$nonClientAuthSecurePort/$nonClientAuthSecurePort/g; + return $line; +} + +####################################### +# Processes plugin +####################################### +sub process { + my ($self, $cfg, $queue, $prefix, $req) = @_; + my $queue = PKI::Request::Queue->new(); + $queue->open($cfg); + my $ref = $queue->read_request($req->{rowid}); + + my $req_err = $ref->{errorString}; + if ($req_err ne "0") { + return; + } + + my $mail_to = $cfg->get($prefix . ".mailTo"); + if ($mail_to eq "") { + return; + } + + my $template_dir = $cfg->get($prefix . ".templateDir"); + my $template_file = $cfg->get($prefix . ".templateFile"); + + open(SENDMAIL, "|/usr/sbin/sendmail -t"); + open(F,"$template_dir/$template_file"); + while (<F>) { + print SENDMAIL $self->substitute($cfg, $queue, $prefix, $ref, $_); + } + close(F); + close(SENDMAIL); +} + +1; diff --git a/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm b/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm new file mode 100644 index 000000000..1c5b7d6b2 --- /dev/null +++ b/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm 
@@ -0,0 +1,89 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +####################################### +# This plugins mails a notification +# to an email specified in the request. +####################################### +package PKI::Request::Plugin::RequestToCA; + +use DBI; +use PKI::Base::TimeTool; +use PKI::Conn::CA; + +####################################### +# Instantiate this plugin +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Processes plugin +####################################### +sub process { + my ($self, $cfg, $queue, $prefix, $req) = @_; + + my $ca = $cfg->get($prefix . ".ca"); + my $profile_id = $cfg->get($prefix . ".profileId"); + my $req_type = $cfg->get($prefix . 
".reqType"); + + my $server_id = ""; + my $site_id = ""; + my $csr = ""; + my $csr_type = ""; + + my $data = $req->{'data'}; + foreach $nv (split(/;/, $data)) { + my ($n, $v) = split(/=/, $nv); + if ($n eq "server_id") { + $server_id = $v; + } + if ($n eq "site_id") { + $site_id = $v; + } + if ($n eq "csr") { + $csr = $v; + } + if ($n eq "csr_type") { + $csr_type = $v; + } + } + + if ($csr_type ne "") { + $req_type = $csr_type; + } + + my $ca_conn = PKI::Conn::CA->new(); + $ca_conn->open($cfg); + my $cert = $ca_conn->enroll($req->{'rowid'}, $ca, $profile_id, $req_type, $csr); + $queue->set_request($req->{'rowid'}, "output", $cert); + $req->{'output'} = $cert; + $ca_conn->close(); + +} + +1; diff --git a/base/ra/lib/perl/PKI/Request/Queue.pm b/base/ra/lib/perl/PKI/Request/Queue.pm new file mode 100644 index 000000000..dc8418d22 --- /dev/null +++ b/base/ra/lib/perl/PKI/Request/Queue.pm 
@@ -0,0 +1,387 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# +package PKI::Request::Queue; + +use DBI; +use PKI::Base::TimeTool; + +####################################### +# Constructs a request queue +####################################### +sub new { + my $self = {}; + bless ($self); + return $self; +} + +####################################### +# Opens request queue +####################################### +sub open { + my ($self, $cfg) = @_; + $self->{cfg} = $cfg; + my $dbfile = $cfg->get("database.dbfile"); + $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","",""); + my $timeout = $self->{dbh}->func("busy_timeout"); + $self->{dbh}->func($timeout * 10, "busy_timeout"); +} + +####################################### +# Creates a new request +####################################### +sub invoke_plugins { + my ($self, $prefix, $type, $ref) = @_; + + my $num_plugins = $self->{cfg}->get($prefix . ".num_plugins"); + for (my $i = 0; $i < $num_plugins; $i++) { + my $plugin = $self->{cfg}->get($prefix . "." . $i . ".plugin"); + eval("require $plugin"); + my $p = $plugin->new(); + $p->process($self->{cfg}, $self, $prefix . "." . 
$i, $ref); + } +} + +####################################### +# Creates a new request +####################################### +sub create_request { + my ($self, $type, $data, $meta_info, $created_by) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + + my $insert = "insert into requests (" . + "type" . "," . + "status" . "," . + "errorString" . "," . + "ip" . "," . + "data" . "," . + "serialno" . "," . + "subject_dn" . "," . + "meta_info" . "," . + "created_by" . "," . + "updated_at" . "," . + "created_at" . + ") values (" . + $dbh->quote($type) . "," . + $dbh->quote("OPEN") . "," . + $dbh->quote("0") . "," . + $dbh->quote($ENV{REMOTE_ADDR}) . "," . + $dbh->quote($data) . "," . + $dbh->quote("unavailable") . "," . + $dbh->quote("unavailable") . "," . + $dbh->quote($meta_info) . "," . + $dbh->quote($created_by) . "," . + $dbh->quote($now) . "," . + $dbh->quote($now) . + ")"; +REDO_CREATE_REQUEST: + eval { + $dbh->do($insert); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_CREATE_REQUEST; + } + my $rid = $dbh->func('last_insert_rowid'); + + my $ref = $self->read_request($rid); + + # call plugins + my $prefix = "request." . $type . ".create_request"; + $self->invoke_plugins($prefix, $type, $ref); + + return $rid; +} + +####################################### +# Reads a request +####################################### +sub read_request { + my ($self, $reqid) = @_; + my $dbh = $self->{dbh}; + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +sub read_request_by_roles { + my ($self, $roles, $reqid) = @_; + my $dbh = $self->{dbh}; + + my $select; + if (grep /^administrators/, @$roles) { + # administrator see all requests + $select = "select *,rowid from requests " . + "where rowid=" . 
$dbh->quote($reqid); + } else { + my $filter = $self->get_role_filter($roles); + $select = "select *,rowid from requests where " . + "(" . $filter . ")" . " AND " . + "rowid=" . $dbh->quote($reqid); + } + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref; +} + +####################################### +# Sets request attributes +####################################### +sub set_request { + my ($self, $reqid, $name, $value) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + my $update = "update requests set " . + $name . "=" . $dbh->quote($value) . "," . + "updated_at=" . $dbh->quote($now) . " " . + "where rowid=" . $dbh->quote($reqid); +REDO_SET_REQUEST: + eval { + $dbh->do($update); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_SET_REQUEST; + } + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + return $ref; +} + +####################################### +# Sets output +####################################### +sub set_request_output { + my ($self, $reqid, $output) = @_; + + return $self->set_request($reqid, "output", $output); +} + +####################################### +# Approves a request +####################################### +sub approve_request { + my ($self, $reqid, $processed_by) = @_; + my $dbh = $self->{dbh}; + + # XXX - check assigned_to + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + my $update = "update requests set " . + "processed_by=" . $dbh->quote($processed_by) . "," . + "status='APPROVED' " . "," . + "errorString='0' " . "," . + "updated_at=" . $dbh->quote($now) . " " . + "where rowid=" . 
$dbh->quote($reqid); +REDO_APPROVE_REQUEST: + eval { + $dbh->do($update); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_APPROVE_REQUEST; + } + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + # call plugins + my $prefix = "request." . $ref->{'type'} . ".approve_request"; + $self->invoke_plugins($prefix, $ref->{'type'}, $ref); + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + return $ref; +} + +####################################### +# Rejects a request +####################################### +sub reject_request { + my ($self, $reqid, $processed_by) = @_; + my $dbh = $self->{dbh}; + + my $timet = PKI::Base::TimeTool->new(); + my $now = $timet->get_time(); + my $update = "update requests set " . + "processed_by=" . $dbh->quote($processed_by) . "," . + "status='REJECTED' " . "," . + "updated_at=" . $dbh->quote($now) . " " . + "where rowid=" . $dbh->quote($reqid); +REDO_REJECT_REQUEST: + eval { + $dbh->do($update); + }; + if ($dbh->err == 5) { + sleep(1); + goto REDO_REJECT_REQUEST; + } + + my $select = "select *,rowid from requests " . + "where rowid=" . $dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + # call plugins + my $prefix = "request." . $ref->{'type'} . ".reject_request"; + $self->invoke_plugins($prefix, $ref->{'type'}, $ref); + + my $select = "select *,rowid from requests " . + "where rowid=" . 
$dbh->quote($reqid); + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + + return $ref; +} + +sub get_role_filter { + my ($self, $roles) = @_; + my $dbh = $self->{dbh}; + + my $filter = ""; + foreach $rr (@$roles) { + if ($filter eq "") { + $filter = "assigned_to=" . $dbh->quote($rr); + } else { + $filter = $filter . " OR " . "assigned_to=" . $dbh->quote($rr); + } + } + return $filter; +} + +####################################### +# Lists requests +####################################### +sub list_requests { + my ($self, $startpos, $maxcount) = @_; + my $dbh = $self->{dbh}; + my $select = "select *,rowid from requests " . + "order by rowid desc " . + "limit $startpos, $maxcount"; + my $sth = $dbh->prepare($select); + $sth->execute(); + my @reqs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@reqs, $ref); + } + $sth->finish(); + return @reqs; +} + +sub count_requests_by_roles { + my ($self, $roles, $status) = @_; + my $dbh = $self->{dbh}; + + my $select; + + if (grep /^administrators$/, @$roles) { + # administrator sees everything + $select = "select count(*) from requests where " . + "status like '$status%' "; + } else { + # shows requests that are owned by the groups + my $filter = $self->get_role_filter($roles); + $select = "select count(*) from requests where " . + "status like '$status%' AND " . + "(" . $filter . ") "; + } + my $sth = $dbh->prepare($select); + $sth->execute(); + my $ref = $sth->fetchrow_hashref(); + $sth->finish(); + return $ref->{'count(*)'}; +} + +sub list_requests_by_roles { + my ($self, $roles, $status, $startpos, $maxcount) = @_; + my $dbh = $self->{dbh}; + + my $select; + +# if ($roles =~ /administrators/) { + if (grep /^administrators$/, @$roles) { + # administrator sees everything + $select = "select *,rowid from requests where " . + "status like '$status%' " . + "order by rowid desc " . 
+ "limit $startpos, $maxcount"; + } else { + # shows requests that are owned by the groups + my $filter = $self->get_role_filter($roles); + $select = "select *,rowid from requests where " . + "status like '$status%' AND " . + "(" . $filter . ") " . + "order by rowid desc " . + "limit $startpos, $maxcount"; + } + my $sth = $dbh->prepare($select); + $sth->execute(); + my @reqs; + while (my $ref = $sth->fetchrow_hashref()) { + push(@reqs, $ref); + } + $sth->finish(); + return @reqs; +} + +####################################### +# Closes request queue +####################################### +sub close { + my ($self) = @_; + my $dbh = $self->{dbh}; + $dbh->disconnect(); +} + +1; diff --git a/base/ra/lib/perl/PKI/Service/Op.pm b/base/ra/lib/perl/PKI/Service/Op.pm new file mode 100644 index 000000000..602f1a29f --- /dev/null +++ b/base/ra/lib/perl/PKI/Service/Op.pm 
@@ -0,0 +1,290 @@ +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +package PKI::Service::Op; + +use PKI::Base::UserStore; +use PKI::Base::CertStore; + +sub new { + my $self = {}; + bless ($self); + return $self; +} + +sub debug_log() +{ + my ($self, $cfg, $msg) = @_; + + my $date = `date`; + chomp($date); + open(DEBUG, ">>" . $cfg->get("logging.debug.filename")); + print DEBUG "$date - $msg\n"; + close(DEBUG); +} + +sub debug_params() +{ + my ($self, $cfg, $q) = @_; + + my $date = `date`; + chomp($date); + $self->debug_log($cfg, "$date - URL '" . $ENV{REQUEST_URI} . "'"); + my @names = $q->param(); + foreach my $k (@names) { + $self->debug_log($cfg, "$date - Param $k='" . $q->param($k) . 
"'"); + } +} + +sub get_client_certificate() +{ + my ($self) = @_; + + my $user_cert = $ENV{"SSL_CLIENT_CERT"}; + $user_cert =~ s/-----BEGIN CERTIFICATE-----//g; + $user_cert =~ s/-----END CERTIFICATE-----//g; + $user_cert =~ s/\n//g; + + return $user_cert; +} + +sub get_current_uid() +{ + my ($self, $cfg) = @_; + + my $user_cert = $self->get_client_certificate(); + + my $us = PKI::Base::UserStore->new(); + $us->open($cfg); + my $ref = $us->map_user($user_cert); + if (!defined($ref)) { + return ""; + } + $us->close(); + + return $ref->{'uid'}; +} + +sub get_csr_by_cert() +{ + my ($self, $cfg) = @_; + + my $user_cert = $self->get_client_certificate(); + my $cs = PKI::Base::CertStore->new(); + $cs->open($cfg); + my $ref = $cs->map_certificate($user_cert); + if (!defined($ref)) { + return ""; + } + $us->close(); + + return $ref->{'csr'}; +} + +sub get_cert_record() +{ + my ($self, $cfg) = @_; + +$self->debug_log( $cfg, "in get_cert_record"); + my $user_cert = $self->get_client_certificate(); + my $cs = PKI::Base::CertStore->new(); + $cs->open($cfg); + my $ref = $cs->map_certificate($user_cert); + if (!defined($ref)) { +$self->debug_log( $cfg, "in get_cert_record: map_certificate ref none"); + return ""; + } +$self->debug_log( $cfg, "in get_cert_record: got map_certificate ref"); + $cs->close(); + + return $ref; +} + +sub get_current_roles() +{ + my ($self, $cfg) = @_; + + my $uid = $self->get_current_uid($cfg); + my $us = PKI::Base::UserStore->new(); + $us->open($cfg); + my @roles = $us->get_roles($uid); + $us->close(); + + return @roles; +} + +sub get_roles_of() +{ + my ($self, $cfg, $uid) = @_; + + my $us = PKI::Base::UserStore->new(); + $us->open($cfg); + my @roles = $us->get_roles($uid); + $us->close(); + + return @roles; +} + +sub admin_auth() +{ + my ($self, $cfg) = @_; + + my $user_cert = $self->get_client_certificate(); + + # authentication + my $us = PKI::Base::UserStore->new(); + $us->open($cfg); + my $ref = $us->map_user($user_cert); + if (!defined($ref)) { 
+ return 0; + } + my @roles = $us->get_roles($ref->{'uid'}); + $us->close(); + + # authorization + my $authorized_groups = $cfg->get("admin.authorized_groups"); + $self->debug_log( $cfg, "in admin_auth: authorized groups are: $authorized_groups"); + my @authorizedGroups = split(/,/, $authorized_groups); + my $authorized = 0; + foreach my $role (@roles) { + $self->debug_log( $cfg, "in admin_auth: user has group $role"); + if (grep /^$role$/, @authorizedGroups) { + $self->debug_log( $cfg, "in admin_auth: group matched"); + $authorized = 1; + } + } + if (!$authorized) { + $self->debug_log( $cfg, "in admin_auth: no group matched"); + return 0; + } + return 1; +} + +sub agent_auth() +{ + my ($self, $cfg) = @_; + + my $user_cert = $self->get_client_certificate(); + + # authentication + my $us = PKI::Base::UserStore->new(); + $us->open($cfg); + my $ref = $us->map_user($user_cert); + if (!defined($ref)) { + return 0; + } + my @roles = $us->get_roles($ref->{'uid'}); + my $j = join(",", @roles); + $self->debug_log( $cfg, "in agent_auth: $ref->{'uid'} has roles: $j"); + $us->close(); + + # authorization + my $authorized_groups = $cfg->get("agent.authorized_groups"); + $self->debug_log( $cfg, "in agent_auth: authorized groups are: $authorized_groups"); + my @authorizedGroups = split(/,/, $authorized_groups); + my $authorized = 0; + foreach $role (@roles) { + if (grep /^$role$/, @authorizedGroups) { + $self->debug_log( $cfg, "in agent_auth: group matched"); + $authorized = 1; + } + } + if (!$authorized) { + $self->debug_log( $cfg, "in agent_auth: no group matched"); + return 0; + } + return 1; +} + +sub process { + my ($self) = @_; +} + +sub escape_xml +{ + my ($v) = @_; + $v =~ s/\"/"/g; + $v =~ s/\'/'/g; + $v =~ s/\&/&/g; + $v =~ s/</</g; + $v =~ s/>/>/g; + return $v; +} + +sub get_xml +{ + my ($s, $v) = @_; + + my $result; + if (ref($v) eq "HASH") { + foreach my $xkey (keys %$v) { + $result .= "<" . $xkey . ">"; + $result .= &get_xml($xkey, $v{$xkey}); + # $result .= "-" . 
ref($xkey); + $result .= "</" . $xkey . ">"; + } + } elsif (ref($v) eq "PKI::RA::GlobalVar") { + foreach my $xkey (keys %$v) { + $result .= "<" . $xkey . ">"; + $result .= &get_xml($xkey, $$v{$xkey}->()); + # $result .= "-" . ref($xkey); + $result .= "</" . $xkey . ">"; + } + } elsif (ref($v) eq "ARRAY") { + my $pos = 0; + foreach my $item (@$v) { + $result .= "<element>"; + $result .= &get_xml("p" . $pos, $item); + # $result .= "-" . ref($item); + $result .= "</element>"; + $pos++; + } + } else { + $result .= &escape_xml($v); + } + return $result; +} + +sub xml_output { + my ($self, $c) = @_; + + my $result = "<xml>"; + foreach $s (sort keys %$c) { + if ($s =~ /^__/) { + next; + } + $result .= "<" . $s . ">"; + my $v = $$c{$s}; + $result .= &get_xml($s, $v); + $result .= "</" . $s . ">"; + } + $result .= "</xml>"; + return "$result\n"; +} + +sub execute { + my ($self) = @_; + $self->process(); +} + +1; diff --git a/base/ra/lib/perl/Template/Velocity.pm b/base/ra/lib/perl/Template/Velocity.pm new file mode 100755 index 000000000..848de65fd --- /dev/null +++ b/base/ra/lib/perl/Template/Velocity.pm 
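Review bot: `get_csr_by_cert` calls `$us->close()` on the success path, but the store it opened is `$cs`; the file does not enable strict, so this only fails at run time when a method is called on an undefined value, and it should read `$cs->close();`. The not-found branches of `get_current_uid`, `get_csr_by_cert`, `get_cert_record`, `admin_auth` and `agent_auth` also return before the store is closed, leaving its handle open. In `admin_auth` and `agent_auth`, `grep /^$role$/, @authorizedGroups` interpolates a role name read from the user store into a regex unescaped, so the group check should use `grep { $_ eq $role } @authorizedGroups` (or `\Q$role\E`) so that metacharacters in a stored role cannot widen the match. In `get_xml`, the HASH branch recurses with `$v{$xkey}` (the package hash `%v`) where the GlobalVar branch correctly uses `$$v{$xkey}`, so nested hash values serialize as empty; and if the substitutions in `escape_xml` are entity replacements (this page renders them decoded), the `&` rule has to run first or the entities produced by the earlier rules are double-escaped.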
@@ -0,0 +1,1099 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; + +package Template::Velocity::Executor; +sub new; + +package Template::Velocity; + + +# The Template::Velocity package implements a Template execution +# engine similar to the Java Velocity package. + +use Parse::RecDescent; +use Data::Dumper; +use Thread::Semaphore; + + +$Template::Velocity::parser; + +our $docroot="docroot"; +our $parser; +my %parsetrees = (); +my $debugflag = 0; +my $semaphore; + + +#GRAMMAR defined here + +my $vmgrammar = q{ + + { + use Data::Dumper; + sub Dumper + { + $::debugdumper = undef; + if ($::debugflag && $::debugdumper ) { return Data::Dumper(@_); } + else {""}; + } + + } + + +# Template is the top-level object + template: <skip:'[ \t]*'> section(s) /\Z/ + + section: blockdirective + | nonblockdirective + | plainline + + blockdirective: ifblock + | foreachblock + + plainline : <skip:''> /[ \t]*/ ...!'#' linecomp(s?) /\n*/ + + HASH: '#' + +# HMM - this doesn't handle multiple variables on one line? 
+ linecomp: variable + | <skip:'[ \t]*'> /[^\$\n]*/ + + nonblockdirective: '#' 'include' <commit> includeargs /\n*/ { $item[4] ; } + | '#' 'parse' <commit> parseargs /\n*/ { $item[4] ; } + | '#' 'set' <commit> setargs /\n*/ { $item[4] ; } + | <error:unknown command $text> + + + ifblock: ifdirective section(s) elseclause(?) enddirective + + +# this bubbles up the result of the expression inside the if() +# which is from the 'ifargs' rule + ifdirective: '#' 'if' <skip:'[ \t]*'> ifargs /\n/ + + enddirective: <skip:'[ \t]*'> '#' 'end' "\n" + + elseclause: elsedirective section(s) + + elsedirective: '#' 'else' "\n" + + foreachblock: foreachdirective section(s) enddirective + + foreachdirective: '#' 'foreach' foreachargs "\n" + + ifargs: '(' expression ')' + | <error:Argument to if must be an expression: $text> + + foreachargs: '(' variablename 'in' variable ')' + | <error:Arguments to 'foreach' must be of form \$a in \$b: $text> + + includeargs: '(' string ')' + | <error:invalid argument to include: $text> + + parseargs: '(' expression ')' + | <error:invalid argument to parsearges: $text> + + + setargs: <skip:'[ \t]*'> '(' assignment ')' + | <error:Argument to set must be an assignment : $text> + + +# expression evaluation + +# this goes roughly in order of precendence: +# == +# &&, || +# +, - +# * +# ! + +# does not properly distinguish between lvalues and rvalues + + + expression: boolean + | <error> + + + assignment: variablename '=' boolean + + boolean: equality (boolean_operator equality)(?) + + boolean_operator: ( '&&' | '||' ) + + equality: summation (equality_operator summation)(?) + + + equality_operator: ( '==' | '!=' ) + + summation: product (summation_operator summation)(?) + + summation_operator: ( '+' | '-' ) + + +# must parenthesize operator '*' to get it to appear in the $item array + + product: negation ('*' product)(?) + +#XXX need to implement + negation: notoperator(?) factor + + notoperator: "!" 
+ + factor: number + | string + | variable + + + +# These rules deal with variables +# handles $process +# $file.executablename +# $process.getpid() +# $person.getparent().getbrother().slap() +# $fred.getchildren() + +# You'd make a dependency on the 'variable' rule if you want the value +# of the variable. +# You'd make a dependency on the 'variablename' rule if you want the +# name of the variable. +# (There's no real difference here - the expression evaluation is +# in the variable() subroutine) + + variable: variablename { ["variable", $item[1][1] ]; } + + variablename: '$' identifier subfield(s?) + { + my $variableinfo = { + top => $item{identifier}, + fields => $item{'subfield(s?)'} + }; + $return = [ "variablename", \$variableinfo ]; + } + + subfield: '.' identifier arglist(?) + { + my $d; + my $a = $item{"arglist(?)"}; + my $args; + + #::debug "arglist = ".Dumper($a)."\n"; + if ($a) { + + my ($argcount, $al, $alpresent); + + #$args = @{$a}->[2]; + $args = $a->[0][2]; + #::debug "arglist args=".Dumper($args)."\n"; + $alpresent = $args; + $argcount = $#$args; + if ($alpresent && $argcount == -1) { + $args->[0] = [ ]; + } + } + + #::debug "arglist identifier=".$item{identifier}."\n"; + $return = [ "subfield", { + fieldname => $item{identifier}, + arglist => $args->[0], + } ]; + } + + arglist: '(' list(?) ')' + + list: expression (',' list)(s?) + + +# Basic data types +# identifiers, numbers and strings + + identifier: /[A-Za-z0-9_]+/ { $item[1]; } + + number: /\d+/ {$item[1]; } + + #XXX skip is all wrong here... should be in [] + string: <skip:'[ \t]'> '"' <skip:""> /[^"]*/ '"' { $return = ["string",$item[4]]; } + | <skip:'[ \t]'> "'" <skip:""> /[^']*/ "'" { $return = ["string",$item[4]]; } + + +# other literals + whitespace: /\s*/ + + +}; + + +# Get a parser object (transforming the built-in text grammar into RecDescent +# data structure). 
This object can be reused for parsing multiple velocity files +sub new +{ + #$::debugflag = 0; + my $class = shift; + $docroot = shift; + undef $::RD_HINT; + undef $::RD_WARN; + #$::RD_TRACE = 1; + $parser = new Parse::RecDescent($vmgrammar) or die "Bad Grammar\n"; + $semaphore = new Thread::Semaphore; + $Data::Dumper::Maxdepth = 1;; + my $self = {}; + $self->{parser} = $parser; + # ugly - :-( + $Template::Velocity::parser = $parser; + bless $self, $class; + return $self; +} + + +# Execute a template. Given a text string and a parser object, will return +# a parse tree, useful for feeding into the executor. +sub execute_string +{ + my $self = shift; + my $string = shift; + my $rule = shift; + if (! $rule ) { $rule = "template"; } + #print Dumper($self); + + my $parser = $self->{parser}; + my $parsetree = $parser->$rule($string); + my $executor = new Template::Velocity::Executor($parsetree, $parser ); + + my @value = $executor->run(); + #my @value = Template::Velocity::Executor::execute($parsetree, $parser); + my $value = shift @value; + return $value; +} + +sub execute_file_with_context +{ + + my $self = shift; + my $filename = shift; + my $hash = shift; + + # This perl Velocity implementation uses global variable to + # store values that go to the template. This is not thread + # safe and should be fixed in near future. + # + # For this release, we just a lock to prevent the global + # variable (i.e. symbol) being changed by multiple threads + # at the same time. + + $semaphore->down; + my %c = %$hash; + foreach my $h (keys %c) { + $::symbol{$h} = $c{$h}; + } + + my $rule; + my $tree = $parsetrees{$filename}; + + if (! 
$tree) { + $rule = "template"; + open my $fh, "<$docroot/$filename" or return undef; + my $string = join "",<$fh>; + close $fh; + $tree = $parser->$rule($string); + $parsetrees{$filename} = $tree; + } + + my $executor = new Template::Velocity::Executor($tree, $parser ); + + my @value = $executor->run(); + my $value = shift @value; + + $semaphore->up; + + return $value; + + +} + +sub execute_file +{ + + my $self = shift; + my $filename = shift; + + my $rule; + my $tree = $parsetrees{$filename}; + + if (! $tree) { + $rule = "template"; + open my $fh, "<$docroot/$filename" or return undef; + my $string = join "",<$fh>; + close $fh; + $tree = $parser->$rule($string); + $parsetrees{$filename} = $tree; + } + + my $executor = new Template::Velocity::Executor($tree, $parser ); + + my @value = $executor->run(); + my $value = shift @value; + return $value; + + +} + + + + + + + + +sub Dumper +{ + return ""; + if ($::debugflag && $::debugdumper) { + return Data::Dumper->Dump([@_]); + } + else {""}; +} + + + + +# This autoaction returns an array of each parse element +# The net result is a parse tree +# I couldn't use <autotree> because I wanted to preserve +# the order of the elements, and <autotree> returns a +# hashtable, not an array + +$::RD_AUTOACTION = q{ + [@item]; +}; + +# debug flags set here + + + + + + +######### EXECUTE FUNCTIONS + + +# These functions deal with executing the velocity parse tree +{ + package Template::Velocity::Executor::Rules; + use Data::Dumper; + + # this imports symbols from these other packages, so + # we don't have to always use the fully-qualified names + *exe_all = \&Template::Velocity::Executor::exe_all; + *exe_optional = \&Template::Velocity::Executor::exe_optional; + *execute = \&Template::Velocity::Executor::execute; + *debug = \&Template::Velocity::Executor::debug; + *indent = \&Template::Velocity::Executor::indent; + *deindent = \&Template::Velocity::Executor::deindent; +#XXX probably should be $, not & + *docroot = 
\&Template::Velocity::docroot; + + sub Dumper + { + return ""; + if ($::debugflag && $::debugdumper) { return Dumper(@_); } + else {""}; + } + + #template: <skip:'[ \t]*'> section(s) /\Z/ + sub template { + my $f = "template"; + my @item = exe_all(@_); + debug ("$::level $f - sections should be an array of text: .".Dumper($item[2])."\n"); + my $sections = $item[2]; + debug ("sections is a: ".(ref $sections)." - it should be an array\n"); + my $r= ( join "", @{$item[2]}); + return $r; + } + + + #linecomp: variable + # | <skip:'[ \t]*'> /[^\$\n]*/ + sub linecomp { + my $item; + debug ("linecomp: _[2] = '".$_[2]."'\n"); + if ($_[2]) { + debug ("linecomp: inside if\n"); + $item = $_[1].$_[2]; + } else { + debug ("linecomp: inside else{\n"); + ($item) = exe_all($_[1]); + debug ("linecomp: end of else}\n"); + debug ("linecomp: item =\n".Dumper($item)."\n"); + } + debug ("linecomp: returning $item\n"); + return $item; + } + + # plainline : <skip:''> /[ \t]*/ ...!'#' linecomp(s?) /\n+/ + sub plainline { + my @item = exe_all(@_); + debug ("$::level in plainline - linecomps should be an array of text: .".Dumper($item[4])."\n"); + my $r = join "", @{$item[4]}; + debug ("$::level in plainline - joined as: $r\n"); + $r = $item[2] . $r. 
$item[5]; + debug ("$::level in plainline - returning : $r\n"); + return $r; + } + + sub expression { + debug ("$::level expression = ".Dumper($_[1])."\n"); + my ($item) = exe_all($_[1]); + debug ("$::level expression returning $item\n"); + return $item; + } + + #foreachblock: foreachdirective section(s) enddirective + sub foreachblock { + my $f = "foreachblock"; + debug ("$::level $f started!\n"); + my ($directive) = exe_all($_[1]); + debug ("$::level $f directive = \n".Dumper($directive)."\n"); + my ($variable, $list) = @{$directive}; + my $variablename = $$variable->{top}; + debug ("$::level $f variable = $variablename\n"); + debug ("$::level $f list = \n".Dumper($list)."\n"); + + my $result = ""; + foreach my $q (@{$list}) { + debug ("$::level $f q=$q\n"); + $::symbol{$variablename} = $q; + debug ("$::level $f setting variable $variablename = $q\n"); + + my ($sections) = exe_all($_[2]); + debug ("$::level $f sections was: ".Dumper($sections)."\n"); + $result .= join "",@{$sections}; + } + return $result; + } + + #foreachdirective: '#' 'foreach' foreachargs "\n" + sub foreachdirective { + my ($item) = exe_all($_[3]); + return $item; + } + + #foreachargs: '(' variablename 'in' expression ')' + sub foreachargs { + my $f = "foreachargs"; + my ($variable, $list) = exe_all($_[2], $_[4]); + debug ("$::level $f variable = \n".Dumper($variable)."\n"); + debug ("$::level $f list = \n".Dumper($list)."\n"); + return [$variable, $list]; + } + + # XXX if block should only execute section(s) if if arg is positve) + # likewise for else + #ifblock: ifdirective section(s) elseclause(?) enddirective + sub ifblock { + my $f = "ifblock"; + my @item = exe_all(@_); + debug ("$::level $f - sections should be an array of text: .".Dumper($item[2])."\n"); + my $sections = $item[2]; + my $else = $item[3]; + debug ("$::level $f sections is a: ".(ref $sections)." 
- it should be an array\n"); + debug ("$::level item1: if expression = ".$item[1]."\n"); + debug ("$::level $f elseclause is a: ".(ref $else)." - it should be an scalar\n"); + my $r= ( + $item[1]>0 ? # if expression + (join "", @{$item[2]}) : + ($item[3] ? join "",@{$item[3]} : "") + ); + # this is not quite right ... elseclause returns a scalar (it joins the sections) + # so why do I have to join again here? possibly because it's a '?' + return $r; + } + + #elseclause: elsedirective section(s) + sub elseclause { + my $f = "elseclause"; + my ($sections) = exe_all($_[2]); + debug ("$::level $f sections is a: ".(ref $sections)." - it should be an array\n"); + my $return = join "", @{$sections}; + debug ("$::level $f returning: $return\n"); + return $return; + } + + sub ifargs { + debug ("$::level ifargs [2] = ".Dumper($_[2])."\n"); + my ($item) = exe_all($_[2]); + debug ("$::level item = ".Dumper($item)."\n"); + my $r = $item>0 ? 1 : 0; + debug ("$::level ifargs returning $r\n"); + return $r; + } + + #ifdirective: '#' 'if' <skip:'[ \t]*'> ifargs /\n/ + sub ifdirective { + my ($item) = exe_all($_[4]); + my $r = $item>0 ? 1 : 0; + debug ("$::level ifdirective returning $r\n"); + return $r; + } + + #boolean: equality (boolean_operator equality)(?) + sub boolean { + my $f = "boolean"; + my ($equality, $alt) = ( execute($_[1]), $_[2]); + my $r = $equality; + if (scalar @$alt) { + my ($op, $equality2) = exe_optional($alt, 1,2); + + if ($op eq '&&') { + $r = $equality && $equality2; + } + if ($op eq '||') { + $r = $equality || $equality2; + } + } + + return $r; + } + + + #summation: product (summation_operator summation)(?) 
+ sub summation { + #my @item = exe_all(@_); + my $f = "summation"; + my ($product, $alt) = ( execute($_[1]), $_[2]); + debug("$::level $f - product = $product, alternation = $alt\n"); + debug("$::level $f - alternation = \n".Dumper($alt)."\n"); + + if (scalar @$alt) { + if (0) { + debug("$::level $f - alt1= \n".Dumper($alt->[0][1])."\n"); + debug("$::level $f - alt2= \n".Dumper($alt->[0][2])."\n"); + my ($operator, $summation) = ( execute($alt->[0][1]), execute($alt->[0][2]),); + } + my ($operator, $summation) = exe_optional($alt, 1,2); + + if ($operator eq '+') { return $product + $summation; + } else { return $product - $summation; } + } else { + return $product; + } + } + + + + #equality: summation (equality_operator summation)(?) + sub equality { + my $f = "equality"; + my ($summation, $alt) = ( execute($_[1]), $_[2] ); + + if (scalar @$alt) { + my ($operator, $summation2) = exe_optional($alt, 1,2); + + # string comparison used, so (0.0) is NOT equal to (0) + if ($operator eq '==') { return ($summation eq $summation2) ? 1:0; } + else { return ($summation eq $summation2) ? 0:1; } + } else { + return $summation; + } + } + + + sub product { + my $f = "product"; + my ($negation, $alt) = ( execute($_[1]), $_[2]); + debug("$::level $f negation = $negation, alternation = $alt\n"); + debug("$::level $f - alternation = ".Dumper($alt)."\n"); + + if (scalar @$alt) { + if (0) { + debug("$::level $f - alt1= \n".Dumper($alt->[0][1])."\n"); + debug("$::level $f - alt2= \n".Dumper($alt->[0][2])."\n"); + my ($operator, $product) = ( execute($alt->[0][1]), execute($alt->[0][2]),); + } + my ($operator, $product) = exe_optional($alt,1,2); + return ($negation * $product); + } else { + return $negation; + } + } + + sub factor { + my ($value) = exe_all($_[1]); + return $value; + } + + #negation: notoperator(?) factor + sub negation { + debug ("$::level in negation... 
input = ".(join ",",@_)."\n"); + #my @item = exe_all(@_); + my ($alt, $value) = ( $_[1], execute($_[2]) ); + debug ("$::level negation: alternation= $alt\n"); + debug ("$::level negation: value = $value\n"); + my $operator = execute($alt->[0][1]); + + my $r; + if ($operator && $operator eq '!') { + if ($value ) { $r = 0; } + else { $r = 1; } + debug ("$::level negation: inverting\n"); + } else { + debug ("$::level negation: not inverting\n"); + $r = $value; + } + debug ("$::level negation: returning $r\n"); + return $r; + } + + #setargs: <skip:'[ \t]*'> '(' assignment ')' + sub setargs { + my $f = "setargs"; + my ($args) = exe_all($_[3]); + debug("$::level $f args = \n".Dumper($args)."\n"); + my ($variable, $value) = @{$args}; + debug("$::level $f variable type =".(ref $variable)."\n"); + debug("$::level $f variable = \n".Dumper($variable)."\n"); + my $symbolname = $$variable->{top}; + debug("$::level $f setting variable '$symbolname' = $value\n"); + $::symbol{$symbolname} = $value; + return ""; + } + + #assignment: variablename '=' boolean + sub assignment { + my $f = "assignment"; + my ($variable, $value) = exe_all($_[1],$_[3]); + debug("$::level $f variable = \n".Dumper($variable)."\n"); + my $r = [ $variable, $value ]; + debug("$::level $f returning: \n".Dumper($r)."\n"); + return $r; + } + + #includeargs: '(' string ')' + sub includeargs { + my $f = "includeargs"; + my ($filename ) = execute($_[2]); + + debug("including file: $filename\n"); + open my $fh, "<$docroot/$filename" or return "filenotfound $docroot/$filename!\n"; + my $file = join "", <$fh>; + close FILE; + + return $file; + } + + sub parseargs { + my $f = "parseargs"; + my ($filename ) = execute($_[2]); + + debug("parsing file: $filename\n"); + + #open my $fh, "<$docroot/$filename" or return "filenotfound $docroot/$filename!\n"; + #my $file = join "", <$fh>; + #close FILE; + + #my $parsetree = $Template::Velocity::parser->template($file); + #my @value = execute($parsetree); + #my $value = shift 
@value; + + my @value = Template::Velocity::execute_file(undef,$filename); + my $value = shift @value; + + return $value; + } + +# variables + +# variables +# this rule converts a variable name/identifier into its value +# $main.subfield(argument1,argument2).subfield2(arg1,arg2) +# There are two data structures at work here. +# 1. the data structure specifying the variable name to be queried +# this represents $a.b.c(100,9,5,4) +#{ +# 'top' => 'a' +# 'fields' => [ +# { 'fieldname' => 'b', 'arglist' => undef }, +# { 'fieldname' => 'c', 'arglist' => [ '100', 9, 5, '4', ], } +# ], +#} +# 2. Data structure specifying the symbol table + +# return value could be: +# a scalar: either a string/number value or reference to an array of values +# an array + + sub variable { +# look up the root object in the symbol table + my $f = "variable"; + debug("$::level $f: input\n".Dumper(\@_)."\n"); + my $var = $_[1]; + debug("$::level $f var=\n".Dumper($var)."\n"); +# $$var works with # 27: '#set (\$a=1+3)\n\$a\n' +#0 REF(0x8fa0510) +# -> HASH(0x8fa1454) +# 'fields' => ARRAY(0x8fa8c08) +# empty array +# 'top' => 'a' + +# $var works with # 25: '$employee.add(100,4+5,2+3,4,4,5,6)' +#DB<2> x $var +#0 HASH(0x9c7a340) +# 'fields' => ARRAY(0xa06e7d8) +# 0 ARRAY(0xa06e9ac) +# 0 'subfield' +# 1 HASH(0xa06e880) +# 'arglist' => ARRAY(0xa074184) + + my $top = $$var->{top}; # name of the root object + debug("$::level $f top=\n".Dumper($top)."\n"); + my $fields = $$var->{fields}; # array of the subidentifiers + my $val = ""; + + debug("$::level $f - top_id = $top\n"); + debug("$::level $f : var: \n".Dumper($var)."\n"); + debug("$::level $f - fields = \n".Dumper($fields)."\n"); + + + debug("$::level $f : top = ".$top."\n"); + if (! 
defined $::symbol{$top} ) { +# XXX + debug ("symbol table = ",(join ",",sort keys %::symbol)."\n"); + debug ("undefined variable: $top\n"); + return 0; + } + debug("$::level $f symbol table: \n".Dumper(\%::symbol)."\n"); + $val = $::symbol{$top}; + debug("$::level $f val before: \n".Dumper($val)."\n"); + + debug("$::level $f - fields = \n".Dumper($fields)."\n"); + my $pass = 1; + foreach my $field (@$fields) { + my $args; + + my ($fieldname, $values); + { + debug("$::level $f pass $pass \@_=\n".Dumper(\@_)."\n"); + debug("$::level $f before strip field = \n".Dumper($field)."\n"); +#shift @$fn; # 'subfield' string +#$fn = $fn->[0]; +#$fn = [ (@{$fn}) ]; +#shift @$fn; + debug("$::level $f after strip fn = \n".Dumper($field)."\n"); + + $fieldname = $field->[1]->{fieldname}; + debug("$::level $f processing field: $fieldname\n"); + $args= $field->[1]->{arglist}; + + +# convert the argument list (which could be expressions, other +# variables, etc) into raw values + if ($args) { + debug("$::level $f executing $fieldname with args:\n".Dumper($args)."\n"); + ($values) = execute($args); + debug("$::level $f returned values:\n".Dumper($values)."\n"); + } + } + + debug("$::level $f after execute, \@_=\n".Dumper(\@_)."\n"); + +#call the function + if (ref $val) { + debug("$::level $f : inside loop(before) {\n".Dumper($val)."\n"); + debug("$::level $f : inside loop(before) {\n".Dumper($val)."\n"); + if ($args) { + debug("$::level $f: function call\n"); +#$val = $$val->$fieldname ($args); # method call + my $func = $val->{$fieldname}; # method call + debug("$::level $f: $fieldname func=\n ".Dumper($func)."\n"); + no strict; + $val = &$func($val, @$values); + debug("$::level $f: $fieldname result=$val\n"); + debug("$::level $f: $fieldname result=\n".Dumper($val)."\n"); + + } else { + &::debug("$::level $f: plain field access\n"); + if (ref $val eq "REF") { + $val = $$val->{$fieldname}; # field access + } else { + $val = $val->{$fieldname}; # field access + } + } + debug("$::level 
$f } inside loop(after val retrieval) val=\n".Dumper($val)."\n"); + } + $pass++; + + } + + return $val; + } + + #$return = [ "variablename", \$variableinfo ]; + sub variablename { + my $f = "variablename"; + debug("$::level $f: input\n".Dumper(\@_)."\n"); + my $var = $_[1]; + return $var; + } + + #arglist: '(' list(?) ')' + sub arglist { + my ($list) = exe_all($_[2]); + debug("$::level list: ".Dumper($list)."\n"); + if ($list) { + my $ll = $list->[0]; + debug("$::level ll \n".Dumper($ll)."\n"); + debug("$::level \$\$list: \n"); + return $ll; + } + return undef; + } + + #list: expression (',' list)(s?) + sub list { + my ($expr, $alt) = ( execute($_[1]), $_[2] ); + + if (scalar @$alt) { + my ($list) = exe_optional($alt, 2); + + debug("$::level list: expr: $expr\n"); + debug("$::level list: list: $list\n:"); + debug("$::level list ".Dumper($list)."\n"); + my $r = [ $expr, (@$list) ]; + return $r; + } + debug("$::level returning simple expression: $expr\n:"); + return [$expr]; + } + + + + sub _default { + debug ("$::level default rule {\n"); + indent(); + debug ("$::level parsing parameters\n"); + my @item = exe_all(@_); + debug ("$::level default rule - last item in array is: ".$item[$#item]."\n"); + my $r = join "",@item[1..$#item]; + debug ("$::level default rule - returning: $r\n"); + deindent(); + debug ("$::level }\n"); + return $r; + + } + + +} + + +package Template::Velocity::Executor; + +use Data::Dumper; + + + +sub new +{ + my $class = shift; + + my $parsetree = shift; + my $parser = shift; + + my $self = {}; + $self->{parser} = $parser; + $self->{parsetree} = $parsetree; + bless $self, $class; + return $self; +} + + +sub run { + my $self = shift; + + return (execute($self->{parsetree})); +} + + + +my $level = " "; + +sub debug { + if ($::debugflag) { + print @_; + } +} + +# This basically all works calling execute($parsetree). 
+# Execute will look the Parsetree, which is built by a special autoaction +# +# It will call top-down, into functions called 'Executor::XXX', (where XXX is +# the name of the production) +# +# Additional trees, representing child productions, will be passed in +# as arguments to the Executor::XXX function. These arguments be processed +# before the Executor::XXX function can proceed. +# +# If no such function is present, Executor:_default will be run +# +# To process the arguments, use this in the Executor function: +# my @item = exe(@_); +# Which will give you an @item array similar to that in the RD rules, one +# exception being that productions which return arrays are flattened into +# the @item array. (bad idea?) +# + + + +# executes a parsetree (gotten as a result of calling recdescent $parser->rule() +# and returns the string value of the result. + +sub Dumper { + ""; +} + +sub execute { + my $result; + my $tree = shift; # a reference to a tree is passed in + debug "$level execute: {\n"; + indent(); + debug ("$level tree = \n".Dumper($tree)."\n"); + +# there are 3 possible things this tree could be: + +# 1 a scalar .. in which case this rule represents a literal, and the +# the literal is just returned +# +# 2 an array of the form (array, ...) - in which case this is the result of a production +# which returned an array of trees. This happens +# if you specify (s), (?), etc, in a production. +# 3 an array of the form (scalar, ...) - in which case this refers to a subrule +# + +# case 1... + my $type = ref $tree; + if ($type) { + debug "\n$level tree type: ".(ref $tree)." \n"; + } else { + debug "\n$level tree type: scalar \n"; + } + if ($type ne "ARRAY") { + debug "$level returning literal: '$tree'\n"; + deindent(); + debug "$level }\n\n"; + return $tree; + } + + my @result; + +# if this tree is the result of a auto-generated rule (e.g. alternation) +# then tree[0] is not a name.. it is an array. 
just call the default action with +# the arguments + + my $rule = @{$tree}->[0]; # rule name is first + + if ($rule && ref $rule eq "ARRAY") { # case 2 + debug "$level element[0] is an array (case 2) \n"; + debug "$level contents of input: \n".Dumper(\@{$tree})."\n"; + #@result = exe(@{$rule}); + debug "$level running exe on the array..\n"; + # not sure about this... + @result = (exe_all(@{$tree})); + debug "$level contents of output: \n".Dumper(\@result)."\n"; + #shift @result; # get rid of function name + $result = \@result; + + } else { # case 3 + my @args = @{$tree}; + + debug "$level rule is a function to execute (case 3): '$rule'\n"; + indent(); + my $qr = "Template::Velocity::Executor::Rules::$rule"; + if (defined &$qr) { + no strict ; + $result = (&$qr(@args)); + } else { + debug "$level no function defined for: '$rule' - calling default action\n"; + $result = Template::Velocity::Executor::Rules::_default(@args); + } + } + deindent(); + debug "$level function: $rule returned=\n".Dumper($result)."\n"; + + debug "$level }\n"; + return $result; + + } + +# these hold and set the current indent level. It's only used for nested debug messages +sub indent { + if (!$debugflag) { return; } + $level .= " "; + $Data::Dumper::Pad = $level." "; +} +sub deindent { + if (!$debugflag) { return; } + $level = substr ($level,0,-2); + $Data::Dumper::Pad = $level." "; +} + + +sub exe_optional { + my @r; + my $f = shift; + foreach my $q (@_) { + debug("$level: getting arg# $q\n"); + push @r, execute($f->[0][$q]); + } + return @r; +} + +# exe: for each argument, run the 'execute' function +# + +sub exe_all { + my $d = $Data::Dumper::Maxdepth; + $Data::Dumper::Maxdepth = 9; + debug "\n$level exe_all (".$_[0].") arguments: {\n".Dumper(\@_)." 
\n"; + my @r; + indent(); + + foreach my $i (@_) { + push @r, execute($i); + } + deindent(); + debug "$level exe_all: returning: \n".Dumper(\@r)."$level}\n\n"; + $Data::Dumper::Maxdepth = $d; + return @r; +} + + + + + +#package PKI::RA::GlobalVar; + +#sub new { my $self = {}; bless $self; return $self; } + + +1; + diff --git a/base/ra/scripts/nss_pcache b/base/ra/scripts/nss_pcache new file mode 100755 index 000000000..bf978b48b --- /dev/null +++ b/base/ra/scripts/nss_pcache 
@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$0' from non-existent directory!"
+ exit 255
+fi
+
+OS=`uname -s`
+
+if [ $OS = "Linux" ]; then
+ PLATFORM=`uname -i`
+ if [ $PLATFORM = "i386" ]; then
+ # 32-bit Linux
+ LD_LIBRARY_PATH=/usr/lib/dirsec:/usr/lib:$LD_LIBRARY_PATH
+ elif [ $PLATFORM = "x86_64" ]; then
+ # 64-bit Linux
+ LD_LIBRARY_PATH=/usr/lib64/dirsec:/usr/lib64:/usr/lib:$LD_LIBRARY_PATH
+ fi
+ export LD_LIBRARY_PATH
+elif [ $OS = "SunOS" ]; then
+ PLATFORM=`uname -p`
+ if [ "${PLATFORM}" = "sparc" ] &&
+ [ -d "/usr/lib/sparcv9/" ] ; then
+ PLATFORM="sparcv9"
+ fi
+ if [ $PLATFORM = "sparc" ]; then
+ # 32-bit Solaris
+ LD_LIBRARY_PATH=/usr/lib/dirsec:/usr/lib:$LD_LIBRARY_PATH
+ elif [ $PLATFORM = "sparcv9" ]; then
+ # 64-bit Solaris
+ LD_LIBRARY_PATH=/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib:$LD_LIBRARY_PATH
+ fi
+ export LD_LIBRARY_PATH
+fi
+
+FORTITUDE_DIR=/usr/sbin
+if [ $OS = "SunOS" ]; then
+ FORTITUDE_DIR=/opt/fortitude/bin
+fi
+
+$FORTITUDE_DIR/nss_pcache $@
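Review bot: The four `LD_LIBRARY_PATH=...:$LD_LIBRARY_PATH` assignments leave a trailing `:` whenever the variable was unset, and the dynamic loader treats an empty entry as the current directory, so the wrapper would search the caller's working directory for shared libraries; use `LD_LIBRARY_PATH=/usr/lib64/dirsec:/usr/lib64:/usr/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` and the same form on the other three. The last line should quote its expansions, `"$FORTITUDE_DIR/nss_pcache" "$@"`, so arguments containing spaces reach the binary unchanged. `CWD` is always empty because stdout is redirected inside the backticks, and it is never read; only `$?` matters there, so either drop the assignment or comment `# value unused: only the exit status of pwd is checked`. The `[ $OS = "Linux" ]` and `[ $PLATFORM = ... ]` tests should quote the variable, since an empty value makes `[` fail with a syntax error instead of taking the other branch.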
diff --git a/base/ra/scripts/schema.sql b/base/ra/scripts/schema.sql
new file mode 100644
index 000000000..18fd8a39c
--- /dev/null
+++ b/base/ra/scripts/schema.sql
@@ -0,0 +1,33 @@
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+# sql schema
+#
+CREATE TABLE requests ( type TEXT, ip TEXT, note TEXT, data TEXT, output TEXT, serialno TEXT, subject_dn TEXT, meta_info TEXT, status TEXT, errorString TEXT, processed_by TEXT, assigned_to TEXT, updated_at TEXT, created_at TEXT, created_by TEXT )
+CREATE TABLE users ( uid TEXT, name TEXT, password TEXT, email TEXT, certificate TEXT, created_at TEXT, created_by TEXT )
+CREATE TABLE groups ( gid TEXT, name TEXT, created_at TEXT, created_by TEXT )
+CREATE TABLE roles ( uid TEXT, gid TEXT )
+CREATE TABLE pins ( key TEXT, pin TEXT, rid TEXT, created_at TEXT, created_by TEXT )
+CREATE TABLE certificates ( rid TEXT, csr TEXT, subject_dn TEXT, certificate TEXT, serialno TEXT, approved_by TEXT, created_at TEXT )
+#
+# add defaults
+#
+INSERT INTO groups (gid, name) values ('administrators','Administrators');
+INSERT INTO groups (gid, name) values ('agents','Agents');
diff --git a/base/ra/setup/CMakeLists.txt b/base/ra/setup/CMakeLists.txt
new file mode 100644
index 000000000..f5f069cdb
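Review bot: The six `CREATE TABLE` statements have no terminating `;` while the two `INSERT` statements do, so the file cannot be fed as one script to a driver that splits on `;`; presumably the installer executes it line by line, but the terminators should be consistent either way, e.g. `CREATE TABLE roles ( uid TEXT, gid TEXT );`. No table declares a primary key or UNIQUE constraint, so duplicate `uid` or `gid` rows are representable and `roles` can reference users that do not exist; where the engine supports it, `uid TEXT PRIMARY KEY` on `users` and `gid TEXT PRIMARY KEY` on `groups` would enforce the obvious invariants. The `#` comment lines are not the standard SQL comment marker (`--`) and not every engine accepts them, so a one-line header naming the intended engine would spare the next reader a guess.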
--- /dev/null
+++ b/base/ra/setup/CMakeLists.txt
@@ -0,0 +1,8 @@
+set(VERSION ${APPLICATION_VERSION})
+
+install(
+ FILES
+ registry_instance
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/setup
+)
diff --git a/base/ra/setup/registry_instance b/base/ra/setup/registry_instance
new file mode 100644
index 000000000..64a73197f
--- /dev/null
+++ b/base/ra/setup/registry_instance
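Review bot: `set(VERSION ${APPLICATION_VERSION})` on the first line is never read in this file, and `registry_instance` is installed verbatim rather than passed through `configure_file`, so the variable appears to be dead in this directory scope; if something else is expected to pick it up, a comment should say what, otherwise drop the line. If it is kept, the unprefixed generic name is the kind that silently collides in larger trees, so a project-prefixed name such as `RA_VERSION` is preferable, with a comment like `# mirrors APPLICATION_VERSION for the setup templates` above it.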
@@ -0,0 +1,116 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_ra_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override
+# their use of OpenSSL
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi |
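Review bot: The `if [ ${OS} = "Linux" ]` test near the end of the file relies on `OS` being set by whatever sources this file — nothing in the file assigns it — and the expansion is unquoted, so an empty `OS` turns the test into `[ = "Linux" ]`, a syntax error that aborts the `LD_PRELOAD` setup instead of skipping it; write `if [ "${OS}" = "Linux" ]; then` and `elif [ "${OS}" = "SunOS" ]; then`, and state the precondition above the block with `# OS is expected to be set (uname -s) by the init script that sources this file`. `PKI_LOCK_FILE` and `PKI_PID_FILE` both end in `${PKI_INSTANCE_ID}.pid`, which reads as a copy-and-paste slip for the lock file; if sharing the basename is intended, a comment should say so, otherwise the lock file wants its own suffix. The `hasopenldap` probe is a sensible place for a short comment explaining why `libssl3.so` is preloaded (the two comment lines above it say what, not why the NSS library must win over OpenSSL), since the next maintainer will otherwise be tempted to delete a preload that looks unrelated to httpd.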