authorTed Trask <ttrask01@yahoo.com>2008-11-21 20:23:50 +0000
committerTed Trask <ttrask01@yahoo.com>2008-11-21 20:23:50 +0000
commita62da60076e0499cba0828f0e1dde658589d7e0e (patch)
tree2bb174ca1d6d2bfcf8c37551e833654629b5f69c
parenta5e6a9ba2d9f713362fdab6c28ab53d17832d3d0 (diff)
Modified ipsectools to add ability to manage certificates.
git-svn-id: svn://svn.alpinelinux.org/acf/ipsec-tools/trunk@1608 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r--ipsectools-controller.lua12
-rw-r--r--ipsectools-listcerts-html.lsp27
-rw-r--r--ipsectools-model.lua99
-rw-r--r--ipsectools-uploadcert-html.lsp16
-rw-r--r--ipsectools.menu1
-rw-r--r--ipsectools.roles4
6 files changed, 157 insertions, 2 deletions
diff --git a/ipsectools-controller.lua b/ipsectools-controller.lua
index 3ce1896..937830f 100644
--- a/ipsectools-controller.lua
+++ b/ipsectools-controller.lua
@@ -30,3 +30,15 @@ end
function editipsec (self)
return controllerfunctions.handle_form(self, self.model.get_ipsecfiledetails, self.model.update_ipsecfiledetails, self.clientdata, "Save", "Edit IPSec Config", "Configuration Set")
end
+
+function listcerts(self)
+ return self.model.list_certs()
+end
+
+function deletecert(self)
+ return self:redirect_to_referrer(self.model.delete_cert(self.clientdata.cert))
+end
+
+function uploadcert (self)
+ return controllerfunctions.handle_form(self, self.model.new_upload_cert, self.model.upload_cert, self.clientdata, "Upload", "Upload Certificate", "Certificate Uploaded")
+end
diff --git a/ipsectools-listcerts-html.lsp b/ipsectools-listcerts-html.lsp
new file mode 100644
index 0000000..2388d3c
--- /dev/null
+++ b/ipsectools-listcerts-html.lsp
@@ -0,0 +1,27 @@
+<% local view, viewlibrary, page_info, session = ... %>
+<% require("viewfunctions") %>
+
+<% displaycommandresults({"deletecert"}, session) %>
+<% displaycommandresults({"uploadcert"}, session, true) %>
+
+<H1><%= view.label %></H1>
+
+<DL>
+<TABLE>
+ <TR style="background:#eee;font-weight:bold;">
+ <TD style="padding-right:20px;white-space:nowrap;text-align:left;" class="header">Action</TD>
+ <TD style="white-space:nowrap;text-align:left;" class="header">Certificate</TD>
+ </TR>
+<% for i,cert in ipairs(view.value) do %>
+ <TR>
+ <TD style="padding-right:20px;white-space:nowrap;">
+ <%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/deletecert?cert="..cert.."&redir="..page_info.orig_action, label="Delete "} %>
+ </TD>
+ <TD style="white-space:nowrap;"><%= cert %></TD>
+ </TR>
+<% end %>
+</TABLE>
+
+<% if viewlibrary.dispatch_component and session.permissions.ipsectools.uploadcert then
+ viewlibrary.dispatch_component("uploadcert")
+end %>
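Review bot: The Delete link built on the `html.link` line triggers `deletecert` from a plain GET, so a single click (or a link prefetch) removes the certificate with no confirmation step, and `cert` is concatenated into the query string without URL-encoding even though list_certs derives it from the user-chosen upload name. At minimum percent-encode the value before appending it (the helpers visible here do not show an encoder, so one would need to be added), and consider routing the deletion through a confirmation form so the destructive step happens on POST rather than on following a link.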
diff --git a/ipsectools-model.lua b/ipsectools-model.lua
index 978125e..5497bd0 100644
--- a/ipsectools-model.lua
+++ b/ipsectools-model.lua
@@ -12,6 +12,8 @@ local processname = "racoon"
local packagename = "ipsec-tools"
local baseurl = "/etc/racoon/"
+local path = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin "
+
local descr = {
state={
['9']="Established",
@@ -145,3 +147,100 @@ end
function update_ipsecfiledetails(filedetails)
return modelfunctions.setfiledetails(filedetails, {configfile2})
end
+
+function list_certs()
+ local list = {}
+ for file in fs.find(".*%.pem", baseurl) do
+ list[#list+1] = basename(file)
+ end
+ return cfe({ type="list", value=list, label="IPSEC Certificates" })
+end
+
+function delete_cert(certname)
+ local list = list_certs()
+ local retval = cfe({ label="Delete Certificate result", errtxt="Invalid cert name" })
+ for i,cert in ipairs(list.value) do
+ if cert == certname then
+ os.remove(baseurl..certname)
+ retval.value = "Certificate deleted"
+ retval.errtxt = nil
+ break
+ end
+ end
+ return retval
+end
+
+function new_upload_cert()
+ local value = {}
+ value.cert = cfe({ type="raw", value=0, label="Certificate", descr='File must be a password protected ".pfx" file' })
+ value.password = cfe({ label="Certificate Password" })
+ value.name = cfe({ label="Certificate Local Name" })
+ return cfe({ type="group", value=value })
+end
+
+function upload_cert(newcert)
+ local success = true
+ -- Trying to upload a cert/key
+ -- The way haserl works, cert contains the temporary file name
+ -- First, get the cert
+ local cmd = path .. "openssl pkcs12 -in "..newcert.value.cert.value.." -out "..newcert.value.cert.value.."cert.pem -password pass:"..newcert.value.password.value.." -nokeys -clcerts 2>&1"
+ local f = io.popen(cmd)
+ local cmdresult = f:read("*a")
+ f:close()
+ local filestats = posix.stat(newcert.value.cert.value.."cert.pem")
+ if not filestats or filestats.size == 0 then
+ newcert.value.cert.errtxt = "Could not open certificate\n"..cmdresult
+ success = false
+ end
+
+ -- Now, get the key and the ca certs
+ if success then
+ cmd = path .. "openssl pkcs12 -in "..newcert.value.cert.value.." -out "..newcert.value.cert.value.."key.pem -password pass:"..newcert.value.password.value.." -nocerts -nodes 2>&1"
+ f = io.popen(cmd)
+ cmdresult = f:read("*a")
+ f:close()
+ filestats = posix.stat(newcert.value.cert.value.."key.pem")
+ if not filestats or filestats.size == 0 then
+ newcert.value.cert.errtxt = "Could not find key\n"..cmdresult
+ success = false
+ end
+
+ cmd = path .. "openssl pkcs12 -in "..newcert.value.cert.value.." -out "..newcert.value.cert.value.."ca.pem -password pass:"..newcert.value.password.value.." -nokeys -cacerts 2>&1"
+ f = io.popen(cmd)
+ cmdresult = f:read("*a")
+ f:close()
+ filestats = posix.stat(newcert.value.cert.value.."ca.pem")
+ if not filestats or filestats.size == 0 then
+ newcert.value.cert.errtxt = "Could not find CA certs\n"..cmdresult
+ success = false
+ end
+ end
+
+ if newcert.value.name.value == "" then
+ newcert.value.name.errtxt = "Cannot be blank"
+ success = false
+ elseif posix.stat(baseurl..newcert.value.name.value.."-cert.pem") or posix.stat(baseurl..newcert.value.name.value.."-key.pem") or posix.stat(baseurl..newcert.value.name.value.."-ca.pem") then
+ newcert.value.name.errtxt = "Certificate of this name already exists"
+ success = false
+ end
+
+ if success then
+ if not posix.stat(baseurl) then
+ posix.mkdir(baseurl)
+ end
+ -- copy the keys
+ os.rename(newcert.value.cert.value.."cert.pem", baseurl..newcert.value.name.value.."-cert.pem")
+ os.rename(newcert.value.cert.value.."key.pem", baseurl..newcert.value.name.value.."-key.pem")
+ os.rename(newcert.value.cert.value.."ca.pem", baseurl..newcert.value.name.value.."-ca.pem")
+ posix.chmod(baseurl..newcert.value.name.value.."-key.pem", "rw-------")
+ else
+ newcert.errtxt = "Failed to upload certificate"
+ end
+
+ -- Delete the temporary files
+ cmd = "rm "..newcert.value.cert.value.."*"
+ f = io.popen(cmd)
+ f:close()
+
+ return newcert
+end
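Review bot: upload_cert builds each openssl command by concatenating form input — `newcert.value.password.value` into the `-password pass:` argument and the haserl temp name into `-in`/`-out` — and hands the string to `io.popen`, so a password containing shell metacharacters breaks or redirects the command; the `rm ...*` cleanup near the end has the same shape. `newcert.value.name.value` is only checked for blankness and for collisions, yet the three `os.rename` calls splice it into paths under baseurl, so a name containing a slash or `..` lands outside `/etc/racoon/`. Quote every shell argument and restrict the local name to a conservative character set before it is used; the password also appears on the command line where it is readable in the process table, so `-passin` from a file or stdin would be preferable (noted as a follow-up, since it changes how the output is read). delete_cert is fine as written because it only removes names that list_certs returned.
```lua
-- Wrap one shell argument in single quotes so it is passed through verbatim.
local function shellquote(s)
	return "'" .. tostring(s):gsub("'", "'\\''") .. "'"
end

function upload_cert(newcert)
	local success = true
	local tmp = newcert.value.cert.value
	local cmd = path .. "openssl pkcs12 -in " .. shellquote(tmp) .. " -out " .. shellquote(tmp .. "cert.pem") .. " -password " .. shellquote("pass:" .. newcert.value.password.value) .. " -nokeys -clcerts 2>&1"
	-- … unchanged: run cmd, stat the output; the key and CA extractions quoted the same way …

	if newcert.value.name.value == "" then
		newcert.value.name.errtxt = "Cannot be blank"
		success = false
	elseif not newcert.value.name.value:match("^[%w_%-]+$") then
		-- Reject names that could escape baseurl (no '/', no '..') or confuse the shell.
		newcert.value.name.errtxt = "Name may only contain letters, digits, '-' and '_'"
		success = false
	-- … unchanged: existing-name check, renames, chmod …
	end

	cmd = "rm " .. shellquote(tmp) .. "*"
	-- … unchanged: popen/close and return …
```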
diff --git a/ipsectools-uploadcert-html.lsp b/ipsectools-uploadcert-html.lsp
new file mode 100644
index 0000000..a3e88ba
--- /dev/null
+++ b/ipsectools-uploadcert-html.lsp
@@ -0,0 +1,16 @@
+<% local form, viewlibrary, page_info = ... %>
+<% require("viewfunctions") %>
+
+<% --[[ DEBUG INFORMATION
+io.write(html.cfe_unpack(form))
+--]] %>
+
+<H1><%= form.label %></H1>
+<%
+ -- This is a kludge to get file upload working
+ form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action .. '" enctype="multipart/form-data'
+ form.value.cert.type="file"
+ form.value.password.type="password"
+ local order = {"cert", "password"}
+ displayform(form, order)
+%>
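Review bot: `order` on the `local order` line lists only `cert` and `password`, but upload_cert in the model rejects a blank `name` ("Cannot be blank"), so unless displayform also renders fields absent from `order` the form can never succeed; add it explicitly, `local order = {"cert", "password", "name"}`, so the field is rendered in a predictable position either way. The `form.action` kludge closes the quoted attribute to inject `enctype`, which only works while displayform emits the action value unescaped; the existing comment calls it a kludge, and it would help to state that dependency, e.g. `-- relies on displayform writing form.action into the attribute without escaping`.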
diff --git a/ipsectools.menu b/ipsectools.menu
index a1df99e..46ca3e0 100644
--- a/ipsectools.menu
+++ b/ipsectools.menu
@@ -1,5 +1,6 @@
#CAT GROUP/DESC TAB ACTION
Networking 45IPsec Status details
+Networking 45IPsec Certificates listcerts
Networking 45IPsec Expert expert
Networking 45IPsec Logfile logfile
diff --git a/ipsectools.roles b/ipsectools.roles
index a00916f..ac183cd 100644
--- a/ipsectools.roles
+++ b/ipsectools.roles
@@ -1,3 +1,3 @@
USER=ipsectools:status,ipsectools:logfile,ipsectools:details,ipsectools:startstop
-EXPERT=ipsectools:editracoon,ipsectools:editipsec,ipsectools:expert
-ADMIN=ipsectools:status,ipsectools:logfile,ipsectools:details,ipsectools:startstop,ipsectools:editracoon,ipsectools:editipsec,ipsectools:expert
+EXPERT=ipsectools:editracoon,ipsectools:editipsec,ipsectools:expert,ipsectools:listcerts,ipsectools:deletecert,ipsectools:uploadcert
+ADMIN=ipsectools:status,ipsectools:logfile,ipsectools:details,ipsectools:startstop,ipsectools:editracoon,ipsectools:editipsec,ipsectools:expert,ipsectools:listcerts,ipsectools:deletecert,ipsectools:uploadcert