author | Ted Trask <ttrask01@yahoo.com> | 2008-05-23 14:20:00 +0000 |
committer | Ted Trask <ttrask01@yahoo.com> | 2008-05-23 14:20:00 +0000 |
commit | 7b91c2748fc30eb718bafef995f514d5f805d716 (patch) | |
tree | 1f1b3eb852be42ad9c4fc6d53560835cb8d28142 | |
parent | 5099733a041f8b625353c0563e09d092d69d7a57 (diff) | |
Mod openssl to restrict users to only see and delete their own requests.
Moved apk to apk-tools.
git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1179 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | openssl-controller.lua | 7 | ||||
-rw-r--r-- | openssl-html.lsp | 77 | ||||
-rw-r--r-- | openssl-model.lua | 27 | ||||
-rw-r--r-- | openssl-status-html.lsp | 1 | ||||
-rw-r--r-- | openssl.roles | 2 |
5 files changed, 72 insertions, 42 deletions
diff --git a/openssl-controller.lua b/openssl-controller.lua
index 59918c1..af92ec5 100644
--- a/openssl-controller.lua
+++ b/openssl-controller.lua
@@ -104,6 +104,13 @@ deleterequest = function(self)
 redirect_to_referrer(self)
 end
+-- Delete the specified request
+deletemyrequest = function(self)
+ local cmdresult = self.model.deleterequest(self.clientdata.request, self.sessiondata.userinfo.userid)
+ self.sessiondata.cmdresult = cmdresult
+ redirect_to_referrer(self)
+end
+
 -- View certificate details
 viewcert = function(self)
 return self.model.viewcert(self.clientdata.cert)
diff --git a/openssl-html.lsp b/openssl-html.lsp
index 9c61259..d8244b9 100644
--- a/openssl-html.lsp
+++ b/openssl-html.lsp
@@ -32,6 +32,8 @@ io.write(html.cfe_unpack(view))
 end ?>
 <? if session.permissions.openssl.deleterequest then
 io.write(html.link{value="deleterequest?request="..request.name, label="Delete "})
+ elseif session.permissions.openssl.deletemyrequest then
+ io.write(html.link{value="deletemyrequest?request="..request.name, label="Delete "})
 end ?>
 </TD>
 <TD><?= request.user ?></TD>
@@ -43,14 +45,25 @@ io.write(html.cfe_unpack(view))
 <? end ?>
 <?
 local reverserevoked = {}
-if view.value.revoked then
+local approved = {}
+local revoked = {}
+if view.value.revoked and #view.value.revoked.value > 0 then
 for i,serial in ipairs(view.value.revoked.value) do
 reverserevoked[serial] = i
 end
+ for i,cert in ipairs(view.value.approved.value) do
+ if reverserevoked[cert.serial] then
+ revoked[#revoked + 1] = cert
+ else
+ approved[#approved + 1] = cert
+ end
+ end
+else
+ approved = view.value.approved.value
 end ?>
 <H1>Approved certificate requests<? if view.value.user then?> for <?= view.value.user.value ?><? end ?></H1>
-<? if not view.value.approved or #view.value.approved.value == 0 then ?>
+<? if #approved == 0 then ?>
 No certificates approved
 <? else ?>
 <TABLE>
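Review bot: `deletemyrequest` dereferences `self.sessiondata.userinfo.userid` without checking that `userinfo` exists, so a session that reaches this action unauthenticated raises a Lua error rather than a clean "not found" result; presumably the framework only routes here for logged-in sessions, but the model's `user = user or ".*"` default (later in this commit) means a nil user silently widens the delete to every request, which makes the guard worth having. Resolve the id first, `local userid = self.sessiondata.userinfo and self.sessiondata.userinfo.userid`, and return a failure `cfe` when it is nil instead of calling the model. The header comment `-- Delete the specified request` is the same as deleterequest's; make the difference explicit with `-- Delete the specified request, but only if it belongs to the logged-in user`.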
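Review bot: In the `@@ -43,14` hunk both branches now read `view.value.approved.value` unconditionally, whereas the removed line `<? if not view.value.approved or ...` guarded against the approved group being absent; if the model can omit it, the page now raises instead of printing "No certificates approved". Take the list through one guarded local, `local approvedlist = view.value.approved and view.value.approved.value or {}`, and use `approvedlist` in both the `ipairs` call and the `else` assignment. A short comment above `local approved = {}` saying that the two lists are the approved set partitioned by the revoked serials would also explain why `reverserevoked` is still needed.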
@@ -60,35 +73,33 @@ end ?>
 <TD style="padding-right:20px;white-space:nowrap;" class="header">Cert Type</TD>
 <TD style="padding-right:20px;white-space:nowrap;" class="header">Common Name</TD>
 <TD style="white-space:nowrap;" class="header">Serial Num</TD>
- <? for i,cert in ipairs(view.value.approved.value) do ?>
- <? if not reverserevoked[cert.serial] then ?>
- <TR>
- <TD>
- <? if session.permissions.openssl.viewcert then ?>
- <?= html.link{value="viewcert?cert="..cert.name, label="View "} ?>
- <? end ?>
- <? if session.permissions.openssl.getcert then ?>
- <?= html.link{value="getcert?cert="..cert.name, label="Download "} ?>
- <? end ?>
- <? if session.permissions.openssl.revoke then ?>
- <?= html.link{value="revoke?cert="..cert.name, label="Revoke "} ?>
- <? end ?>
- <? if session.permissions.openssl.deletecert then ?>
- <?= html.link{value="deletecert?cert="..cert.name, label="Delete "} ?>
- <? end ?>
- </TD>
- <TD><?= cert.user ?></TD>
- <TD><?= cert.certtype ?></TD>
- <TD><?= cert.commonName ?></TD>
- <TD><?= cert.serial ?></TD>
- </TR>
+ <? for i,cert in ipairs(approved) do ?>
+ <TR>
+ <TD>
+ <? if session.permissions.openssl.viewcert then ?>
+ <?= html.link{value="viewcert?cert="..cert.name, label="View "} ?>
+ <? end ?>
+ <? if session.permissions.openssl.getcert then ?>
+ <?= html.link{value="getcert?cert="..cert.name, label="Download "} ?>
+ <? end ?>
+ <? if session.permissions.openssl.revoke then ?>
+ <?= html.link{value="revoke?cert="..cert.name, label="Revoke "} ?>
+ <? end ?>
+ <? if session.permissions.openssl.deletecert then ?>
+ <?= html.link{value="deletecert?cert="..cert.name, label="Delete "} ?>
 <? end ?>
+ </TD>
+ <TD><?= cert.user ?></TD>
+ <TD><?= cert.certtype ?></TD>
+ <TD><?= cert.commonName ?></TD>
+ <TD><?= cert.serial ?></TD>
+ </TR>
 <? end ?>
 </TABLE>
 <? end ?>
 <H1>Revoked certificates<? if view.value.user then?> for <?= view.value.user.value ?><? end ?></H1>
-<? if not view.value.revoked or #view.value.revoked.value == 0 then ?>
+<? 
if #revoked == 0 then ?>
 No certificates revoked
 <? else ?>
 <TABLE>
@@ -97,15 +108,13 @@ end ?>
 <TD style="padding-right:20px;white-space:nowrap;" class="header">Cert Type</TD>
 <TD style="padding-right:20px;white-space:nowrap;" class="header">Common Name</TD>
 <TD style="white-space:nowrap;" class="header">Serial Num</TD>
- <? for i,cert in ipairs(view.value.approved.value) do ?>
- <? if reverserevoked[cert.serial] then ?>
- <TR>
- <TD><?= cert.user ?></TD>
- <TD><?= cert.certtype ?></TD>
- <TD><?= cert.commonName ?></TD>
- <TD><?= cert.serial ?></TD>
- </TR>
- <? end ?>
+ <? for i,cert in ipairs(revoked) do ?>
+ <TR>
+ <TD><?= cert.user ?></TD>
+ <TD><?= cert.certtype ?></TD>
+ <TD><?= cert.commonName ?></TD>
+ <TD><?= cert.serial ?></TD>
+ </TR>
 <? end ?>
 </TABLE>
 <? end ?>
diff --git a/openssl-model.lua b/openssl-model.lua
index ef2218e..29a9b5f 100644
--- a/openssl-model.lua
+++ b/openssl-model.lua
@@ -164,22 +164,31 @@ getstatus = function()
 local version = cfe({ value=value, errtxt=errtxt, label="Program version" })
 local conffile = cfe({ value=configfile, label="Configuration file" })
 local cacert = cfe({ label="CA Certificate" })
+ local cacertcontents = cfe({ type="longtext", label="CA Certificate contents" })
 if not fs.is_file(configfile) then
 conffile.errtxt="File not found"
 cacert.errtxt="File not defined"
+ cacertcontents.errtxt=""
 else
 config = config or getopts.getoptsfromfile(configfile)
 if (not config) or (not config.ca) or (not config.ca.default_ca) then
 conffile.errtxt="Invalid config file"
 cacert.errtxt="File not defined"
+ cacertcontents.errtxt=""
 else
- cacert.value = getconfigpath(config.ca.default_ca, "private_key")
+ --cacert.value = getconfigpath(config.ca.default_ca, "private_key")
+ cacert.value = getconfigpath(config.ca.default_ca, "certificate")
 if not fs.is_file(cacert.value) then
 cacert.errtxt="File not found"
+ else
+ local cmd = "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin openssl x509 -in "..cacert.value.." -noout -text"
+ local f = io.popen(cmd)
+ cacertcontents.value = f:read("*a")
+ f:close()
 end
 end
 end
- return cfe({ type="group", value={version=version, conffile=conffile, cacert=cacert}, label="openssl status" })
+ return cfe({ type="group", value={version=version, conffile=conffile, cacert=cacert, cacertcontents=cacertcontents}, label="openssl status" })
 end
 getreqdefaults = function()
@@ -280,9 +289,9 @@ submitrequest = function(clientdata, user)
 end
 listrequests = function(user)
- user = user or ""
+ user = user or "*"
 local list={}
- local fh = io.popen('find ' .. requestdir .. ' -name "'..user..'*.csr" -maxdepth 1')
+ local fh = io.popen('find ' .. requestdir .. ' -name "'..user..'.*.csr" -maxdepth 1')
 for x in fh:lines() do
 local name = basename(x,".csr")
 local a,b,c = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*)")
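Review bot: In the `@@ -164,22` hunk `io.popen(cmd)` is used without checking its result, so `f:read("*a")` raises when the pipe cannot be opened; write `local f = io.popen(cmd)` followed by `if f then cacertcontents.value = f:read("*a") f:close() end`. `cacert.value` is also spliced into the command unquoted; it comes from the CA config rather than from a request, but single-quoting it in the command string avoids word-splitting on paths with spaces. The commented-out `--cacert.value = getconfigpath(config.ca.default_ca, "private_key")` line should be dropped, since the removed line already records it in history. The `user` value spliced into the `find` glob in the `listrequests` hunk (and in `listcerts` later in this commit) has the same quoting concern: it is a session userid, so validate it once against a character whitelist at the point it enters the model rather than trusting every caller, and note in a comment that `"*"` here is a shell glob while `deleterequest` defaults to the Lua pattern `".*"`.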
@@ -340,7 +349,11 @@ approverequest = function(request)
 return cmdresult
 end
-deleterequest = function(request)
+deleterequest = function(request, user)
+ user = user or ".*"
+ if (not fs.is_file(requestdir..request..".csr")) or (not string.find(request, "^"..user.."%.")) then
+ return cfe({ value="Request not found", label="Delete result" })
+ end
 cmd = "rm "..requestdir..request..".*"
 f = io.popen(cmd)
 f:close()
@@ -348,9 +361,9 @@ deleterequest = function(request)
 end
 listcerts = function(user)
- user = user or ""
+ user = user or "*"
 local list={}
- local fh = io.popen('find ' .. certdir .. ' -name "'..user..'*.pfx" -maxdepth 1')
+ local fh = io.popen('find ' .. certdir .. ' -name "'..user..'.*.pfx" -maxdepth 1')
 for x in fh:lines() do
 local name = basename(x,".pfx")
 local a,b,c,d = string.match(name, "([^%.]*)%.([^%.]*)%.([^%.]*).([^%.]*)")
diff --git a/openssl-status-html.lsp b/openssl-status-html.lsp
index 8603bf4..a49b7ac 100644
--- a/openssl-status-html.lsp
+++ b/openssl-status-html.lsp
@@ -10,4 +10,5 @@ io.write(html.cfe_unpack(view))
 <? displayitem(view.value.version) ?>
 <? displayitem(view.value.conffile) ?>
 <? displayitem(view.value.cacert) ?>
+<? displayitem(view.value.cacertcontents) ?>
 </DL>
diff --git a/openssl.roles b/openssl.roles
index 47b3bc9..43ebed8 100644
--- a/openssl.roles
+++ b/openssl.roles
@@ -1,2 +1,2 @@
-READ=openssl:status,openssl:read,openssl:request,openssl:viewrequest,openssl:viewcert,openssl:getcert,openssl:getrevoked
+READ=openssl:status,openssl:read,openssl:request,openssl:viewrequest,openssl:deletemyrequest,openssl:viewcert,openssl:getcert,openssl:getrevoked
 UPDATE=openssl:editdefaults,openssl:readall,openssl:approve,openssl:deleterequest,openssl:revoke,openssl:deletecert,openssl:putcacert,openssl:editconfigfile |
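Review bot: The ownership check `string.find(request, "^"..user.."%.")` in the `@@ -340,7` hunk uses `user` as an unescaped Lua pattern, and `request`, which the controller takes from `clientdata`, is still spliced unquoted into the `requestdir` path and into the `rm` shell command on the context lines below; `fs.is_file` narrows what reaches the command but it is not input validation. Validate `request` against the character set a request name can actually contain before any of those uses, and escape pattern magic characters in `user` before building the pattern, so the check means "starts with this userid" regardless of what the id contains. A one-line comment on `user = user or ".*"` saying the default is a Lua pattern (while `listrequests` and `listcerts` default to the shell glob `"*"`) would stop a reader from "fixing" one to match the other. The body of deleterequest continues past the hunk.
```lua
deleterequest = function(request, user)
	-- request comes from the client: accept only characters a request name can contain
	if type(request) ~= "string" or not string.find(request, "^[%w_%-%.]+$") then
		return cfe({ value="Request not found", label="Delete result" })
	end
	-- nil user means unrestricted (admin); otherwise escape pattern magic characters
	local userpattern = ".*"
	if user then
		userpattern = string.gsub(user, "%W", "%%%0")
	end
	if (not fs.is_file(requestdir..request..".csr")) or (not string.find(request, "^"..userpattern.."%.")) then
		return cfe({ value="Request not found", label="Delete result" })
	end
	-- … unchanged: rm command and result …
```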