liam-linux-account-manager/model/group.php

334 lines
14 KiB
PHP
Raw Permalink Normal View History

2021-11-16 15:11:32 +01:00
<?php
/**
* Class that represents a grouping of users or server accounts
*/
class Group extends Entity {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'group';
/**
* Defines the field that is the primary key of the table
*/
protected $idfield = 'entity_id';
public function __construct($id = null, $preload_data = array()) {
parent::__construct($id, $preload_data);
if(!isset($this->data['system'])) $this->data['system'] = 0;
}
/**
* Write property changes to database and log the changes.
* Triggers a resync if the group was activated/deactivated.
*/
public function update() {
if($this->data['system']) $this->data['active'] = 1; // Cannot disable system groups
$changes = parent::update();
$resync = false;
foreach($changes as $change) {
$loglevel = LOG_INFO;
switch($change->field) {
case 'active':
$resync = true;
if($change->new_value == 1) $loglevel = LOG_WARNING;
break;
}
$this->log(array('action' => 'Setting update', 'value' => $change->new_value, 'oldvalue' => $change->old_value, 'field' => ucfirst(str_replace('_', ' ', $change->field))), $loglevel);
}
if($resync) {
$this->sync_access();
$this->sync_remote_access();
}
}
/**
* List all log events for this group.
* @return array of GroupEvent objects
*/
public function get_log() {
if(is_null($this->id)) throw new BadMethodCallException('Group must be in directory before log entries can be listed');
$stmt = $this->database->prepare("SELECT * FROM entity_event WHERE entity_id = ? ORDER BY id DESC");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$log = array();
while($row = $result->fetch_assoc()) {
$log[] = new GroupEvent($row['id'], $row);
}
$stmt->close();
return $log;
}
/**
* Add the specified user as an administrator of the group.
* This action is logged with a warning level as it is increasing an access level.
* @param User $user to add as administrator
*/
public function add_admin(User $user) {
global $config;
parent::add_admin($user);
$url = $config['web']['baseurl'].'/groups/'.urlencode($this->name);
$email = new Email;
$email->subject = "Administrator for {$this->name} group";
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->add_recipient($user->email, $user->name);
$email->body = "{$this->active_user->name} ({$this->active_user->uid}) has added you as an administrator for the '{$this->name}' group. You can administer this group from <$url>";
$email->send();
$this->log(array('action' => 'Administrator add', 'value' => "user:{$user->uid}"), LOG_WARNING);
}
/**
* Remove the specified user as an administrator of the group.
* This action is logged with a warning level as it means the removed user will no longer
* receive notifications for any changes done to this group.
* @param User $user to remove as administrator
*/
public function delete_admin(User $user) {
parent::delete_admin($user);
$this->log(array('action' => 'Administrator remove', 'value' => "user:{$user->uid}"), LOG_WARNING);
}
/**
* Add the specified entity (User/ServerAccount/Group†) as a member of the group.
* †Adding a Group as a member of a group (nested groups) is no longer allowed by the UI.
* This action is logged with a warning level as it is potentially granting access.
* @todo remove nested group functionality
* @param Entity $entity to add as a group member
*/
public function add_member(Entity $entity) {
global $config;
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before members can be added');
if(is_null($entity->entity_id)) throw new InvalidArgumentException('Entity must be in directory before it can be added to a group');
$entity_id = $entity->entity_id;
switch(get_class($entity)) {
case 'User':
$name = "user {$entity->uid}";
$mailsubject = "{$entity->uid} added to {$this->name} group by {$this->active_user->uid}";
$mailbody = "{$entity->name} ({$entity->uid}) has been added to the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
$logmsg = array('action' => 'Member add', 'value' => "user:{$entity->uid}");
break;
case 'ServerAccount':
// We should not allow adding server accounts to a group if the active user is not an admin of that server or server account
if(!$this->active_user->admin && !$this->active_user->admin_of($entity->server) && !$this->active_user->admin_of($entity)) {
throw new InvalidArgumentException('Active user is not an administrator of the specified server account');
}
$name = "account {$entity->name}@{$entity->server->hostname}";
$mailsubject = "{$entity->name}@{$entity->server->hostname} added to {$this->name} group by {$this->active_user->uid}";
$mailbody = "{$entity->name}@{$entity->server->hostname} has been added to the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
$logmsg = array('action' => 'Member add', 'value' => "account:{$entity->name}@{$entity->server->hostname}");
break;
case 'Group':
// We should not allow adding groups to a group if the active user is not an admin of that group
if(!$this->active_user->admin && !$this->active_user->admin_of($entity)) {
throw new InvalidArgumentException('Active user is not an administrator of the specified group');
}
$name = "group {$entity->name}";
$mailsubject = "{$entity->name} group added to {$this->name} group by {$this->active_user->uid}";
$mailbody = "The {$entity->name} group has been added to the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
$logmsg = array('action' => 'Member add', 'value' => "group:{$entity->name}");
break;
}
try {
$stmt = $this->database->prepare("INSERT INTO group_member SET `group` = ?, entity_id = ?, add_date = UTC_TIMESTAMP(), added_by = ?");
$stmt->bind_param('ddd', $this->entity_id, $entity_id, $this->active_user->entity_id);
$stmt->execute();
$stmt->close();
$this->log($logmsg, LOG_WARNING);
if($this->active_user->uid != 'import-script') {
$email = new Email;
foreach($this->list_admins() as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->subject = $mailsubject;
$email->body = $mailbody;
$email->send();
}
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry - ignore
} else {
throw $e;
}
}
$entity->sync_access(); // This entity is now a member of the group, so any access rules that apply to the group now apply to the entity
$this->sync_remote_access(); // If this group has access to anything, this entity now also has access to it
}
/**
* Remove the specified entity (User/ServerAccount/Group) as a member of the group.
* @todo remove nested group functionality
* @param Entity $entity to remove as a group member
*/
public function delete_member(Entity $entity) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before members can be deleted');
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Member remove', 'value' => "user:{$entity->uid}"));
break;
case 'ServerAccount':
$this->log(array('action' => 'Member remove', 'value' => "account:{$entity->name}@{$entity->server->hostname}"));
break;
case 'Group':
$this->log(array('action' => 'Member remove', 'value' => "group:{$entity->name}"));
break;
}
$stmt = $this->database->prepare("DELETE FROM group_member WHERE `group` = ? AND entity_id = ?");
$stmt->bind_param('ds', $this->entity_id, $entity->entity_id);
$stmt->execute();
$stmt->close();
// Resync both the entity being removed and the group itself
$entity->sync_access();
$this->sync_remote_access();
}
/**
* List all members of the group.
* @todo remove nested group functionality
* @return array of User/ServerAccount/Group objects
*/
public function list_members() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before members can be listed');
$stmt = $this->database->prepare("
SELECT entity.id, entity.type, add_date, added_by
FROM group_member
INNER JOIN entity ON group_member.entity_id = entity.id
LEFT JOIN user ON user.entity_id = entity.id
LEFT JOIN server_account ON server_account.entity_id = entity.id
LEFT JOIN server ON server.id = server_account.server_id
LEFT JOIN `group` ON `group`.entity_id = entity.id
WHERE group_member.group = ?
ORDER BY entity.type, user.uid, server.hostname, server_account.name, `group`.name
");
$stmt->bind_param('d', $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
$members = array();
while($row = $result->fetch_assoc()) {
$row['added_by'] = new User($row['added_by']);
switch($row['type']) {
case 'user': $members[] = new User($row['id'], $row); break;
case 'server account': $members[] = new ServerAccount($row['id'], $row); break;
case 'group': $members[] = new Group($row['id'], $row); break;
}
}
$stmt->close();
return $members;
}
/**
* Grant the specified entity (User/ServerAccount/Group) access to members of this group.
* An email is sent to the group admins and sec-ops to inform them of the change.
* This action is logged with a warning level as it is granting access.
* @param Entity $entity to add as a group member
* @param array $access_options array of AccessOption rules to apply to the granted access
*/
public function add_access(Entity $entity, array $access_options) {
global $config;
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before access can be added');
if(is_null($entity->entity_id)) throw new InvalidArgumentException('Entity must be in directory before it can be granted access to a group');
$access = new Access;
$access->dest_entity_id = $this->entity_id;
$access->source_entity_id = $entity->entity_id;
$access->granted_by = $this->active_user->entity_id;
try {
$stmt = $this->database->prepare("INSERT INTO access SET dest_entity_id = ?, source_entity_id = ?, grant_date = UTC_TIMESTAMP(), granted_by = ?");
$stmt->bind_param('ddd', $access->dest_entity_id, $access->source_entity_id, $access->granted_by);
$stmt->execute();
$access->id = $stmt->insert_id;
$stmt->close();
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access add', 'value' => "user:{$entity->uid}"), LOG_WARNING);
$mailsubject = "{$entity->uid} granted access to {$this->name} group resources by {$this->active_user->uid}";
$mailbody = "{$entity->name} ({$entity->uid}) has been granted access to resources in the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
break;
case 'ServerAccount':
$this->log(array('action' => 'Access add', 'value' => "account:{$entity->name}@{$entity->server->hostname}"), LOG_WARNING);
$mailsubject = "{$entity->name}@{$entity->server->hostname} granted access to {$this->name} group resources by {$this->active_user->uid}";
$mailbody = "{$entity->name}@{$entity->server->hostname} has been granted access to resources in the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
break;
case 'Group':
$this->log(array('action' => 'Access add', 'value' => "group:{$entity->name}"), LOG_WARNING);
$mailsubject = "{$entity->name} group granted access to {$this->name} group resources by {$this->active_user->uid}";
$mailbody = "The {$entity->name} group has been granted access to resources in the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
break;
}
if($this->active_user->uid != 'import-script') {
$email = new Email;
foreach($this->list_admins() as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->subject = $mailsubject;
$email->body = $mailbody;
$email->send();
}
foreach($access_options as $access_option) {
$access->add_option($access_option);
}
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry - ignore
} else {
throw $e;
}
}
$this->sync_access();
}
/**
* Revoke the specified access rule to members of this group.
* @param Access $access rule to be removed
*/
public function delete_access(Access $access) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before access can be deleted');
$entity = $access->source_entity;
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access remove', 'value' => "user:{$entity->uid}"));
break;
case 'ServerAccount':
$this->log(array('action' => 'Access remove', 'value' => "account:{$entity->name}@{$entity->server->hostname}"));
break;
case 'Group':
$this->log(array('action' => 'Access remove', 'value' => "group:{$entity->name}"));
break;
}
$stmt = $this->database->prepare("DELETE FROM access WHERE dest_entity_id = ? AND id = ?");
$stmt->bind_param('ds', $this->entity_id, $access->id);
$stmt->execute();
$stmt->close();
$this->sync_access();
}
/**
* List all groups that *this* group is a member of, searched recursively.
* Note: nested groups are no longer allowed by the UI.
* @todo remove nested group functionality
* @return array of Group objects
*/
public function list_group_membership() {
global $group_dir;
return $group_dir->list_group_membership($this);
}
/**
* Trigger a resync for all members of this group, searched recursively†.
* †Nested groups are no longer allowed by the UI.
* @todo remove nested group functionality
* @param array $seen keep track of entities we've already processed to prevent infinite recursion
*/
public function sync_access(&$seen = array()) {
$seen[$this->entity_id] = true;
$members = $this->list_members();
foreach($members as $entity) {
if(!isset($seen[$entity->entity_id])) {
$entity->sync_access($seen);
}
}
}
}