/*************************************************************************** * Copyright (C) 2012 by Timothy Pearson * * kb9vqf@pearsoncomputing.net * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * * the Free Software Foundation; either version 2 of the License, or * * (at your option) any later version. * * * * This program is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * * GNU General Public License for more details. * * * * You should have received a copy of the GNU General Public License * * along with this program; if not, write to the * * Free Software Foundation, Inc., * * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ***************************************************************************/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ldapmgr.h" #include "userconfigdlg.h" UserConfigDialog::UserConfigDialog(LDAPUserInfo user, LDAPConfig* parent, const char* name) : KDialogBase(parent, name, true, i18n("LDAP User Properties"), Ok|Cancel, Ok, true), m_user(user), m_ldapconfig(parent) { m_base = new LDAPUserConfigBase(this); setMainWidget(m_base); TQStringList availableShells = TQStringList::split(" ", AVAILABLE_SHELLS); for ( TQStringList::Iterator it = availableShells.begin(); it != availableShells.end(); ++it ) { m_base->shell->insertItem(*it, -1); } if (user.distinguishedName != "") { m_base->loginName->setEnabled(false); } m_base->lastChanged->setEnabled(false); m_base->detailsIcon->setPixmap(SmallIcon("personal.png")); m_base->enabledIcon->setPixmap(SmallIcon("decrypted.png")); m_base->disabledIcon->setPixmap(SmallIcon("encrypted.png")); m_base->userIcon->setPixmap(SmallIcon("personal.png")); m_base->groupsIcon->setPixmap(SmallIcon("tdmconfig.png")); m_base->passwordIcon->setPixmap(SmallIcon("password.png")); m_base->certificateIcon->setPixmap(SmallIcon("password.png")); connect(m_base->loginName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts())); connect(m_base->realName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts())); connect(m_base->surName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts())); connect(m_base->homeDirectory, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts())); connect(m_base->passwordExpireEnabled, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(m_base->passwordExpireDisabled, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(m_base->requirePasswordAging, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(m_base->requirePasswordMinAge, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(m_base->primaryGroup, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(processLockouts())); connect(m_base->certGenPrivateKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(m_base->certPrivateKeyFileName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts())); connect(m_base->certPublicCertFileName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts())); connect(m_base->enableAutoPIN, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(m_base->autoPIN, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts())); connect(m_base->createCertificate, TQT_SIGNAL(clicked()), this, TQT_SLOT(createPKICertificate())); connect(m_base->revokeCertificate, TQT_SIGNAL(clicked()), this, TQT_SLOT(revokePKICertificate())); connect(m_base->downloadCertificate, TQT_SIGNAL(clicked()), this, TQT_SLOT(downloadPKICertificate())); connect(m_base->certPKIDatabaseList, TQT_SIGNAL(selectionChanged()), this, TQT_SLOT(processLockouts())); connect(m_base->certPKIDatabaseList, TQT_SIGNAL(executed(TQListViewItem*)), this, TQT_SLOT(downloadPKICertificate())); if (m_user.status == KRB5_DISABLED_ACCOUNT) { m_base->userStatusEnabled->setChecked(false); m_base->userStatusDisabled->setChecked(true); } else { m_base->userStatusEnabled->setChecked(true); m_base->userStatusDisabled->setChecked(false); } m_base->loginName->setText(m_user.name); m_base->realName->setText(m_user.commonName); m_base->UID->setValue(m_user.uid); LDAPGroupInfoList groupList = m_ldapconfig->groupList(); LDAPGroupInfoList::Iterator it; for (it = groupList.begin(); it != groupList.end(); ++it) { m_base->primaryGroup->insertItem((*it).name, -1); } m_base->primaryGroup->setCurrentItem(m_ldapconfig->findGroupInfoByGID(TQString("%1").arg(m_user.primary_gid)).name, false, -1); m_prevPrimaryGroup = m_base->primaryGroup->currentText(); m_base->homeDirectory->setURL(m_user.homedir); m_base->shell->setEditText(m_user.shell); for (it = groupList.begin(); it != groupList.end(); ++it) { LDAPGroupInfo group = *it; TQCheckListItem* item = new TQCheckListItem(m_base->secondary_group_list, group.name, TQCheckListItem::CheckBox); item->setOn(group.userlist.contains(m_user.distinguishedName)); } m_base->lastChanged->setText(m_user.password_last_changed.toString(TQt::TextDate)); if (m_user.password_expires) { m_base->passwordExpireEnabled->setChecked(true); m_base->passwordExpireDisabled->setChecked(false); } else { m_base->passwordExpireEnabled->setChecked(false); m_base->passwordExpireDisabled->setChecked(true); } m_base->expirationDate->setDateTime(m_user.password_expiration); m_base->requirePasswordAging->setChecked(m_user.password_ages); m_base->requirePasswordInterval->setValue(m_user.new_password_interval/24); m_base->warnPasswordExpireInterval->setValue(m_user.new_password_warn_interval/24); m_base->disablePasswordDelay->setValue(m_user.new_password_lockout_delay/24); m_base->requirePasswordMinAge->setChecked(m_user.password_has_minimum_age); m_base->passwordMinAge->setValue(m_user.password_minimum_age/24); // User information m_base->givenName->setText(m_user.givenName); m_base->surName->setText(m_user.surName); m_base->initials->setText(m_user.initials); m_base->title->setText(m_user.title); m_base->description->setText(m_user.description); m_base->office->setText(m_user.deliveryOffice); m_base->telephoneNumber->setText(m_user.telephoneNumber); m_base->faxNumber->setText(m_user.faxNumber); m_base->email->setText(m_user.email); // Certificate generation information TQDateTime suggestedExpiration = TQDateTime::currentDateTime().addDays(KERBEROS_PKI_KRB_EXPIRY_DAYS); m_base->certificateExpirationDate->setDate(suggestedExpiration.date()); m_base->certPKIDatabaseList->setAllColumnsShowFocus(true); m_base->certPKIDatabaseList->setFullWidth(true); updatePKICertificateList(); processLockouts(); } void UserConfigDialog::slotOk() { // Update data if (m_base->userStatusEnabled->isOn() == true) { m_user.status = KRB5_ACTIVE_DEFAULT; } else { m_user.status = KRB5_DISABLED_ACCOUNT; } m_user.commonName = m_base->realName->text(); m_user.uid = m_base->UID->value(); m_user.primary_gid = m_ldapconfig->findGroupInfoByName(m_base->primaryGroup->currentText()).gid; m_user.homedir = m_base->homeDirectory->url(); m_user.shell = m_base->shell->currentText(); m_user.new_password = m_base->passwordEntry->password(); if (m_base->passwordExpireEnabled->isOn() == true) { m_user.password_expires = true; } else { m_user.password_expires = false; } m_user.password_expiration = m_base->expirationDate->dateTime(); m_user.password_ages = m_base->requirePasswordAging->isOn(); m_user.new_password_interval = m_base->requirePasswordInterval->value()*24; m_user.new_password_warn_interval = m_base->warnPasswordExpireInterval->value()*24; m_user.new_password_lockout_delay = m_base->disablePasswordDelay->value()*24; m_user.password_has_minimum_age = m_base->requirePasswordMinAge->isOn(); m_user.password_minimum_age = m_base->passwordMinAge->value()*24; selectedGroups.clear(); TQListViewItemIterator it(m_base->secondary_group_list); while ( it.current() ) { TQCheckListItem* itm = dynamic_cast(it.current()); if (itm) { if (itm->isOn()) { selectedGroups.append(itm->text()); } } ++it; } // User information m_user.givenName = m_base->givenName->text(); m_user.surName = m_base->surName->text(); m_user.initials = m_base->initials->text(); m_user.title = m_base->title->text(); m_user.description = m_base->description->text(); m_user.deliveryOffice = m_base->office->text(); m_user.telephoneNumber = m_base->telephoneNumber->text(); m_user.faxNumber = m_base->faxNumber->text(); m_user.email = m_base->email->text(); // Special handler for new group if (m_user.distinguishedName == "") { m_user.name = m_base->loginName->text(); } accept(); } void UserConfigDialog::processLockouts() { if (m_base->passwordExpireEnabled->isChecked()) { m_base->expirationDate->setEnabled(true); } else { m_base->expirationDate->setEnabled(false); } if (m_base->requirePasswordAging->isChecked()) { m_base->requirePasswordInterval->setEnabled(true); m_base->warnPasswordExpireInterval->setEnabled(true); m_base->disablePasswordDelay->setEnabled(true); } else { m_base->requirePasswordInterval->setEnabled(false); m_base->warnPasswordExpireInterval->setEnabled(false); m_base->disablePasswordDelay->setEnabled(false); } if (m_base->requirePasswordMinAge->isChecked()) { m_base->passwordMinAge->setEnabled(true); } else { m_base->passwordMinAge->setEnabled(false); } if (m_base->enableAutoPIN->isChecked()) { m_base->autoPIN->setEnabled(true); } else { m_base->autoPIN->setEnabled(false); } // Disable the primary group checkbox in the group list TQListViewItemIterator it(m_base->secondary_group_list); while (it.current()) { if (it.current()->text(0) == m_base->primaryGroup->currentText()) { dynamic_cast(it.current())->setOn(true); it.current()->setEnabled(false); } else { it.current()->setEnabled(true); if (it.current()->text(0) == m_prevPrimaryGroup) { dynamic_cast(it.current())->setOn(false); } } ++it; } bool ok_enabled = true; // Special handler for new group if ((m_user.distinguishedName == "") && (m_base->loginName->text() == "")) { ok_enabled = false; } if (m_base->realName->text() == "") { ok_enabled = false; } if (m_base->surName->text() == "") { ok_enabled = false; } if (m_base->homeDirectory->url() == "") { ok_enabled = false; } enableButton(KDialogBase::Ok, ok_enabled); if (m_base->certPrivateKeyFileName->url() == "") { ok_enabled = false; } if (m_base->certPublicCertFileName->url() == "") { ok_enabled = false; } if (!m_base->certGenPrivateKey->isChecked()) { if (!TQFile(m_base->certPrivateKeyFileName->url()).exists()) { ok_enabled = false; } } if (m_base->enableAutoPIN->isChecked()) { if (m_base->autoPIN->text() == "") { ok_enabled = false; } } m_base->createCertificate->setEnabled(ok_enabled); TQListViewItem* lvi = m_base->certPKIDatabaseList->selectedItem(); if (lvi) { if (lvi->text(1) != i18n("Revoked")) { m_base->revokeCertificate->setEnabled(true); m_base->downloadCertificate->setEnabled(true); } else { m_base->revokeCertificate->setEnabled(false); m_base->downloadCertificate->setEnabled(true); } } else { m_base->revokeCertificate->setEnabled(false); m_base->downloadCertificate->setEnabled(false); } m_prevPrimaryGroup = m_base->primaryGroup->currentText(); } void UserConfigDialog::createPKICertificate() { int ret; TQString errorstring; LDAPRealmConfigList realms = LDAPManager::fetchAndReadTDERealmList(); int expirydays = TQDate::currentDate().daysTo(m_base->certificateExpirationDate->date()); if (m_base->certGenPrivateKey->isChecked()) { // Generate new private key // FIXME // Make RSA private key length user-configurable (currently locked to 2048 bits) if (LDAPManager::generateClientCertificatePrivateKey(m_base->certPrivateKeyFileName->url(), 2048, &errorstring) != 0) { KMessageBox::sorry(this, i18n("Unable to generate new private key

Details: %1").arg(errorstring), i18n("Unable to Obtain Certificate")); return; } } // Get the CA root private key from LDAP // WARNING // Anyone with access to this key would be able to create accounts that could access any resource on the realm! // Secure the key file accordingly... KTempFile caPrivateKeyTempFile(locateLocal("tmp", "krbcakey"), ".key.pem", 0600); caPrivateKeyTempFile.setAutoDelete(true); TQFile* caPrivateKeyFile = caPrivateKeyTempFile.file(); if (!caPrivateKeyFile) { KMessageBox::sorry(this, i18n("Unable to obtain root certificate for realm %1!

Details: %2").arg(realms[m_ldapconfig->m_ldapmanager->realm()].name.upper()).arg(i18n("Unable to create or open temporary file '%s'").arg(caPrivateKeyTempFile.name())), i18n("Unable to Obtain Certificate")); return; } if (m_ldapconfig->m_ldapmanager->getTDECertificate("privateRootCertificateKey", caPrivateKeyFile, &errorstring) != 0) { KMessageBox::sorry(this, i18n("Unable to obtain root certificate for realm %1!

Details: %2").arg(realms[m_ldapconfig->m_ldapmanager->realm()].name.upper()).arg(errorstring), i18n("Unable to Obtain Certificate")); return; } caPrivateKeyTempFile.sync(); if (m_base->enableAutoPIN->isChecked()) { ret = LDAPManager::generateClientCertificatePublicCertificate(expirydays, m_user, realms[m_ldapconfig->m_ldapmanager->realm()], caPrivateKeyTempFile.name(), m_base->certPrivateKeyFileName->url(), m_base->certPublicCertFileName->url(), m_base->autoPIN->text()); } else { ret = LDAPManager::generateClientCertificatePublicCertificate(expirydays, m_user, realms[m_ldapconfig->m_ldapmanager->realm()], caPrivateKeyTempFile.name(), m_base->certPrivateKeyFileName->url(), m_base->certPublicCertFileName->url()); } // Delete the private key as soon as possible after certificate signing caPrivateKeyTempFile.unlink(); if (ret != 0) { KMessageBox::sorry(this, i18n("Unable to generate or sign certificate

Details: %1").arg(errorstring), i18n("Unable to Create Certificate")); } // Upload new certificate to LDAP server PKICertificateEntry certEntry; certEntry.first = PKICertificateStatus::Valid; TQFile certfile(m_base->certPublicCertFileName->url()); if (certfile.open(IO_ReadOnly)) { certEntry.second = certfile.readAll(); m_user.pkiCertificates.append(certEntry); if (m_ldapconfig->m_ldapmanager->writePKICertificateFilesIntoDirectory(m_user, "pkiCertificate", &errorstring) != 0) { m_user.pkiCertificates.remove(certEntry); KMessageBox::sorry(this, i18n("Unable to upload certificate to server

Details: %1").arg(errorstring), i18n("Unable to Upload Certificate")); } } else { KMessageBox::sorry(this, i18n("Unable to upload certificate to server

Details: %1").arg(i18n("Unable to open certificate file")), i18n("Unable to Upload Certificate")); } updatePKICertificateList(); } void UserConfigDialog::downloadPKICertificate() { TQString errorstring; PKICertificateEntryList originalCertList = m_user.pkiCertificates; TQListViewItem* lvi = m_base->certPKIDatabaseList->selectedItem(); if (lvi) { TQString fileName = KFileDialog::getSaveFileName(TQString::null, "*.pem", 0, i18n("Save Certificate")); if (fileName != "") { // Find the certificate PKICertificateEntryList::Iterator it; for (it = m_user.pkiCertificates.begin(); it != m_user.pkiCertificates.end(); ++it) { PKICertificateEntry certificateData = *it; // Don't attempt to load empty certificates if (certificateData.second.size() < 1) continue; TQCString ssldata(certificateData.second); ssldata[certificateData.second.size()] = 0; ssldata.replace("-----BEGIN CERTIFICATE-----", ""); ssldata.replace("-----END CERTIFICATE-----", ""); ssldata.replace("\n", ""); KSSLCertificate* cert = KSSLCertificate::fromString(ssldata); if (cert) { if ((cert->getSerialNumber() == lvi->text(0)) && (cert->getQDTNotBefore().toString() == lvi->text(2)) && (cert->getQDTNotAfter().toString() == lvi->text(3))) { TQFile certfile(fileName); if (certfile.open(IO_WriteOnly)) { certfile.writeBlock(certificateData.second); } else { KMessageBox::sorry(this, i18n("Unable to download certificate

Details: %1").arg(i18n("Could not open file '%s' for writing").arg(fileName)), i18n("Unable to Download Certificate")); } break; } } } } } } void UserConfigDialog::revokePKICertificate() { int ret; TQString errorstring; PKICertificateEntryList originalCertList = m_user.pkiCertificates; LDAPRealmConfigList realms = LDAPManager::fetchAndReadTDERealmList(); KTempDir tempDir = KTempDir(locateLocal("tmp", "tdekrb")); tempDir.setAutoDelete(true); TQListViewItem* lvi = m_base->certPKIDatabaseList->selectedItem(); if (lvi) { if (KMessageBox::warningYesNo(this, i18n("You are about to revoke the certificate with serial number %1
This action cannot be undone

Are you sure you want to proceed?").arg(lvi->text(0)), i18n("Confirmation Required")) == KMessageBox::Yes) { // Find the certificate PKICertificateEntryList::Iterator it; for (it = m_user.pkiCertificates.begin(); it != m_user.pkiCertificates.end(); ++it) { PKICertificateEntry certificateData = *it; // Don't attempt to load empty certificates if (certificateData.second.size() < 1) continue; TQCString ssldata(certificateData.second); ssldata[certificateData.second.size()] = 0; ssldata.replace("-----BEGIN CERTIFICATE-----", ""); ssldata.replace("-----END CERTIFICATE-----", ""); ssldata.replace("\n", ""); KSSLCertificate* cert = KSSLCertificate::fromString(ssldata); if (cert) { if ((cert->getSerialNumber() == lvi->text(0)) && (cert->getQDTNotBefore().toString() == lvi->text(2)) && (cert->getQDTNotAfter().toString() == lvi->text(3))) { (*it).first = PKICertificateStatus::Revoked; break; } } } // Commit updates to the LDAP database if (m_ldapconfig->m_ldapmanager->writePKICertificateFilesIntoDirectory(m_user, "pkiCertificate", &errorstring) == 0) { // Get the configured CRL validity duration from LDAP int expiryDays; TQString expiryString; if (m_ldapconfig->m_ldapmanager->getLdapCertificateStoreAttribute("publicRootCRLIntervalDays", &expiryString, &errorstring) == 0) { expiryDays = expiryString.toInt(); if (expiryDays < 1) { expiryDays = KERBEROS_PKI_CRL_EXPIRY_DAYS; } // Get the CA root private key from LDAP // WARNING // Anyone with access to this key would be able to create accounts that could access any resource on the realm! // Secure the key file accordingly... KTempFile caPrivateKeyTempFile(locateLocal("tmp", "krbcakey"), ".key.pem", 0600); caPrivateKeyTempFile.setAutoDelete(true); TQFile* caPrivateKeyFile = caPrivateKeyTempFile.file(); if (!caPrivateKeyFile) { KMessageBox::sorry(this, i18n("Unable to obtain root certificate for realm %1!

Details: %2").arg(realms[m_ldapconfig->m_ldapmanager->realm()].name.upper()).arg(i18n("Unable to create or open temporary file '%s'").arg(caPrivateKeyTempFile.name())), i18n("Unable to Obtain Certificate")); return; } if (m_ldapconfig->m_ldapmanager->getTDECertificate("privateRootCertificateKey", caPrivateKeyFile, &errorstring) != 0) { KMessageBox::sorry(this, i18n("Unable to obtain root certificate for realm %1!

Details: %2").arg(realms[m_ldapconfig->m_ldapmanager->realm()].name.upper()).arg(errorstring), i18n("Unable to Obtain Certificate")); return; } caPrivateKeyTempFile.sync(); // Regenerate CRL ret = m_ldapconfig->m_ldapmanager->generatePKICRL(expiryDays, realms[m_ldapconfig->m_ldapmanager->realm()], tempDir.name() + "crl.pem", caPrivateKeyTempFile.name(), tempDir.name() + "ca.db", &errorstring); // Delete the private key as soon as possible after certificate signing caPrivateKeyTempFile.unlink(); if (ret != 0) { KMessageBox::error(this, i18n("Unable to regenerate CRL
The revoked certificate may still be able to access resources on the realm

Details: %1").arg(errorstring), i18n("Unable to Regenerate CRL")); } } else { KMessageBox::error(this, i18n("Unable to regenerate CRL
The revoked certificate may still be able to access resources on the realm

Details: %1").arg(errorstring), i18n("Unable to Regenerate CRL")); } } else { m_user.pkiCertificates = originalCertList; KMessageBox::sorry(this, i18n("Unable to modify certificate status on server

Details: %1").arg(errorstring), i18n("Unable to Modify Certificate Status")); } } } updatePKICertificateList(); } void UserConfigDialog::updatePKICertificateList() { m_base->certPKIDatabaseList->clear(); PKICertificateEntryList::Iterator it; for (it = m_user.pkiCertificates.begin(); it != m_user.pkiCertificates.end(); ++it) { PKICertificateEntry certificateData = *it; // Don't attempt to load empty certificates if (certificateData.second.size() < 1) continue; TQCString ssldata(certificateData.second); ssldata[certificateData.second.size()] = 0; ssldata.replace("-----BEGIN CERTIFICATE-----", ""); ssldata.replace("-----END CERTIFICATE-----", ""); ssldata.replace("\n", ""); KSSLCertificate* cert = KSSLCertificate::fromString(ssldata); if (cert) { TQString status = i18n("Invalid"); if (certificateData.first == PKICertificateStatus::Valid) { if (TQDateTime::currentDateTime(Qt::UTC) > cert->getQDTNotAfter()) { status = i18n("Expired"); } else { if (TQDateTime::currentDateTime(Qt::UTC) < cert->getQDTNotBefore()) { status = i18n("Future Valid"); } else { status = i18n("Valid"); } } } if (certificateData.first == PKICertificateStatus::Revoked) { status = i18n("Revoked"); } new TQListViewItem(m_base->certPKIDatabaseList, cert->getSerialNumber(), status, cert->getQDTNotBefore().toString(), cert->getQDTNotAfter().toString()); delete cert; } } processLockouts(); } LDAPUserInfo UserConfigDialog::userProperties() { return m_user; } #include "userconfigdlg.moc"