michael
/
liam-linux-account-manager
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial Commit

Browse Source
master
Michael Reber 2 years ago
parent 2e60307261
commit 30b5d7c51b
145 changed files with 21700 additions and 2 deletions
Show Stats Download Patch File Download Diff File

4
.gitignore vendored
Unescape Escape View File

@ -0,0 +1,4 @@
config/config.ini
config/keys-sync
config/keys-sync.pub
extensions/*.php

115
README.md
Unescape Escape View File

@ -1,3 +1,114 @@
# liam-linux-account-manager
LIAM - Linux Account Manager
=======================
A tool for managing user and server SSH access to any number of servers.
Features
--------
* Easily manage SSH key access for all accounts on your servers.
* Manage user access and server-to-server access rules.
* Integrate with your LDAP directory service for user authorization.
* Automatically remove server access from people when they leave your company or team.
* Provides an easy interface for users to upload their own public keys.
* Designate server administrators and let them manage access to their server.
* Create group-based access rules for easy management.
* Specify SSH access options such as `command=`, `nopty` etc on your access rules.
* All access changes are logged to the database and to the system logs. Granting of access is also reported by email.
* Be notified when a server becomes orphaned (has no active administrators).
Requirements
------------
* An LDAP directory service
* Apache 2.4 or higher
* PHP 7.2 or higher
* PHP JSON extension
* PHP LDAP extension
* PHP mbstring (Multibyte String) extension
* PHP MySQL extension
* PHP ssh2 extension
* MySQL (5.5+) or MariaDB database
Installation
------------
1. Clone the repo somewhere outside of your default Apache document root. e.g.(/var/www/liam_core)
2. Add the following directives to your Apache configuration (eg. virtual host config):
DocumentRoot /var/www/liam_core
DirectoryIndex init.php
FallbackResource /init.php
3. Create a MySQL user and database (run in MySQL shell):
CREATE USER 'liam-user'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE `liam-db` DEFAULT CHARACTER SET utf8mb4;
GRANT ALL ON `liam-db`.* to 'liam-user'@'localhost';
4. Copy the file `config/config-sample.ini` to `config/config.ini` and edit the settings as required.
5. Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user
variable to the application).
6. Set `scripts/ldap_update.php` to run on a regular cron job.
7. Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as `config/keys-sync` and `config/keys-sync.pub`
for the private and public keys respectively. The key must be in `pem` format. The following command will generate the key in the required format:
ssh-keygen -t rsa -b 4096 -m PEM -C 'comment' -f config/keys-sync
8. Install the SSH key synchronization daemon. For systemd:
1. Copy `services/systemd/keys-sync.service` to `/etc/systemd/system/`
2. Modify `ExecStart` path and `User` as necessary. If SSH Key Authority is installed under `/home`, disable `ProtectHome`.
3. `systemctl daemon-reload`
4. `systemctl enable keys-sync.service`
Usage
-----
Anyone in the LDAP group defined under `admin_group_cn` in `config/config.ini` will be able to manage accounts and servers.
Key distribution
----------------
SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:
1. Connecting to the server with SSH, authorizing as the `keys-sync` user.
2. Writing the appropriate authorized keys to named user files in `/var/local/keys-sync/` (eg. all authorized keys for the root user will be written to `/var/local/keys-sync/root`).
This means that your SSH installation will need to be reconfigured to read authorized keys from `/var/local/keys-sync/`.
Please note that doing so will deny access to any existing SSH public key authorized in the default `~/.ssh` directories.
Under OpenSSH, the configuration changes needed are:
AuthorizedKeysFile /var/local/keys-sync/%u
StrictModes no
StrictModes must be disabled because the files will all be owned by the keys-sync user.
The file `/var/local/keys-sync/keys-sync` must exist, with the same contents as the `config/keys-sync.pub` file in order for the synchronization daemon to authenticate.
Screenshots
-----------
### Homepage overview
![Homepage overview](public_html/screenshot-home.png)
### Server listing
![Server listing](public_html/screenshot-servers.png)
### Server account access management
![Server account access management](public_html/screenshot-account.png)
### Activity log
![Activity log](public_html/screenshot-activity.png)
### Getting started guide for new users
![Getting started guide for new users](public_html/screenshot-getting-started.png)
Manage SSH key access for all accounts on your servers with an easy web-interface for users to upload their own public keys.

159
config/config-sample.ini
Unescape Escape View File

@ -0,0 +1,159 @@
; LIAM - Linux Account Manager - config file
[web]
enabled = 1
baseurl = https://liam.example.com
logo = /logo-header.png
; footer may contain HTML. Literal & " < and > should be escaped as &amp;
; &quot; &lt; $gt;
footer = 'Linux Account Manager - <a href="https://code.michu-it.com/michael/liam-linux-account-manager">LIAM</a>.'
[general]
; Use timeout --version to find out the current version
; used on e.g. debian
timeout_util = GNU coreutils
; used on e.g. alpine
; timeout_util = BusyBox
[security]
; It is important that LIAM is able to verify that it has connected to the
; server that it expected to connect to (otherwise it could be tricked into
; syncing the wrong keys to a server). The simplest way to accomplish this is
; through SSH host key verification. Setting either of the 2 options below to
; '0' can weaken the protection that SSH host key verification provides.
; Determine who can reset a server's SSH host key in LIAM:
; 0: Allow server admins to reset the SSH host key for servers that they
; administer
; 1: Full LIAM admin access is required to reset a server's host key
host_key_reset_restriction = 1
; Determine what happens if multiple servers have the same SSH host key:
; 0: Allow sync to proceed
; 1: Abort sync of affected servers and report an error
; It is not recommended to leave this set to '0' indefinitely
host_key_collision_protection = 1
; Hostname verification is a supplement to SSH host key verification for
; making sure that the sync process has connected to the server that it
; expected to.
; Determine how hostname verification is performed:
; 0: Do not perform hostname verification
; 1: Compare with the result of `hostname -f`
; 2: Compare with /var/local/keys-sync/.hostnames, fall back to `hostname -f`
; if the file does not exist
; 3: Compare with /var/local/keys-sync/.hostnames, abort sync if the file
; does not exist
; The last option provides the most solid verification, as a server will only
; be synced to if it has been explicitly allowed on the server itself.
hostname_verification = 0
[defaults]
; This setting will cause new servers to always have a managed account called
; "root" and for that account to be automatically added into the
; "root-accounts" group:
;
; account_groups[root] = "root-accounts"
;
; Any number of these can be specified
account_groups[root] = "root-accounts"
[email]
enabled = 1
; The mail address that outgoing mails will be sent from
from_address = liam@example.com
from_name = "SSH Key Authority system"
; Where to mail security notifications to
report_address = reports@example.com
report_name = "SSH Key Authority reports"
; Where users should contact for help
admin_address = admin@example.com
admin_name = "SSH Key Authority administrators"
; You can use the reroute directive to redirect all outgoing mail to a single
; mail address - typically for temporary testing purposes
;reroute = test@example.com
[database]
; Connection details to the MySQL database
hostname = localhost
port = 3306
username = liam-user
password = password
database = liam-db
[ldap]
; Address to connect to LDAP server
host = ldaps://ldap.example.com:636
; Use StartTLS for connection security (recommended if using ldap:// instead
; of ldaps:// above)
starttls = 0
; LDAP subtree containing USER entries
dn_user = "ou=users,dc=example,dc=com"
; LDAP subtree containing GROUP entries
dn_group = "ou=groups,dc=example,dc=com"
; (Optional) filter for matching user objects
;user_filter = "(objectClass=inetOrgPerson)"
; (Optional) filter for matching group objects
;group_filter = "(objectClass=posixGroup)"
; Set to 1 if the LDAP library should process referrals. In most cases this
; is not needed, and for AD servers it can cause errors when querying the
; whole tree.
follow_referrals = 0
; Leave bind_dn empty if binding is not required
bind_dn =
bind_password =
; User attributes
user_id = uid
user_name = cn
user_email = mail
;user_superior = superioremployee
; If inactive users exist in your LDAP directory, filter with the following
; settings:
; Field to filter on:
;user_active = organizationalstatus
; Use *one* of user_active_true or user_active_false
; user_active_true means user is active if the user_active field equals its
; value
;user_active_true = 'current'
; user_active_false means user is active if the user_active field does not
; equal its value
;user_active_false = 'former'
; Group membership attributes. Examples below are for typical setups:
;
; POSIX groups
; group_member = memberUid
; group_member_value = uid
;
; Group-of-names groups
; group_member = member
; group_member_value = dn
;
; Attribute of group where members are stored
group_member = memberUid
; User attribute to compare with
group_member_value = uid
; Members of admin_group are given full admin access to SSH Key Authority web
; interface
admin_group_cn = liam-administrators
; Other LDAP groups that should have their memberships synced
;sync_groups[] = ldap_group_name
[inventory]
; SSH Key Authority will read the contents of the file /etc/uuid (if it
; exists) when syncing with a server. If a value is found, it can be used as a
; link to an inventory system.
; %s in the url directive will be replaced with the value found in /etc/uuid
;url = "https://inventory.example.com/device/%s"
[gpg]
; SSH Key Authority can GPG sign outgoing emails sent from the
; email.from_address. To do this it needs to know an appropriate key ID to use
;key_id = 0123456789ABCDEF0123456789ABCDEF01234567

228
core.php
Unescape Escape View File

@ -0,0 +1,228 @@
<?php
$base_path = dirname(__FILE__);
chdir($base_path);
mb_internal_encoding('UTF-8');
date_default_timezone_set('UTC');
set_error_handler('exception_error_handler');
spl_autoload_register('autoload_model');
require('pagesection.php');
$config_file = 'config/config.ini';
if(file_exists($config_file)) {
$config = parse_ini_file($config_file, true);
} else {
throw new Exception("Config file $config_file does not exist.");
}
require('router.php');
require('routes.php');
require('ldap.php');
require('email.php');
$ldap_options = array();
$ldap_options[LDAP_OPT_PROTOCOL_VERSION] = 3;
$ldap_options[LDAP_OPT_REFERRALS] = !empty($config['ldap']['follow_referrals']);
$ldap = new LDAP($config['ldap']['host'], $config['ldap']['starttls'], $config['ldap']['bind_dn'], $config['ldap']['bind_password'], $ldap_options);
setup_database();
$relative_frontend_base_url = (string)parse_url($config['web']['baseurl'], PHP_URL_PATH);
// Convert all non-fatal errors into exceptions
function exception_error_handler($errno, $errstr, $errfile, $errline) {
throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
}
// Autoload needed model files
function autoload_model($classname) {
global $base_path;
$classname = preg_replace('/[^a-z]/', '', strtolower($classname)); # Prevent directory traversal and sanitize name
$filename = path_join($base_path, 'model', $classname.'.php');
if(file_exists($filename)) {
include($filename);
} else {
eval("class $classname {}");
throw new InvalidArgumentException("Attempted to load a class $classname that did not exist.");
}
}
// Setup database connection and models
function setup_database() {
global $config, $database, $driver, $pubkey_dir, $user_dir, $group_dir, $server_dir, $server_account_dir, $event_dir, $sync_request_dir;
try {
$database = new mysqli($config['database']['hostname'], $config['database']['username'], $config['database']['password'], $config['database']['database'], $config['database']['port']);
} catch(ErrorException $e) {
throw new DBConnectionFailedException($e->getMessage());
}
$database->set_charset('utf8mb4');
$driver = new mysqli_driver();
$driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;
$migration_dir = new MigrationDirectory;
$pubkey_dir = new PublicKeyDirectory;
$user_dir = new UserDirectory;
$group_dir = new GroupDirectory;
$server_dir = new ServerDirectory;
$server_account_dir = new ServerAccountDirectory;
$event_dir = new EventDirectory;
$sync_request_dir = new SyncRequestDirectory;
}
/**
* Join a sequence of partial paths into a complete path
* e.g. pathJoin("foo", "bar") -> foo/bar
* pathJoin("f/oo", "b/ar") -> f/oo/b/ar
* pathJoin("/foo/b/", "ar") -> "/foo/b/ar"
* @param string part of path
* @return string joined path
*/
function path_join() {
$args = func_get_args();
$parts = array();
foreach($args as $arg) {
$parts = array_merge($parts, explode("/", $arg));
}
$parts = array_filter($parts, function($x) {return (bool)($x);});
$prefix = $args[0][0] == "/" ? "/" : "";
return $prefix . implode("/", $parts);
}
define('ESC_HTML', 1);
define('ESC_URL', 2);
define('ESC_URL_ALL', 3);
define('ESC_NONE', 9);
/**
* Output the given string, HTML-escaped by default
* @param string $string to output
* @param integer $escaping method of escaping to use
*/
function out($string, $escaping = ESC_HTML) {
switch($escaping) {
case ESC_HTML:
echo htmlspecialchars($string);
break;
case ESC_URL:
echo urlencode($string);
break;
case ESC_URL_ALL:
echo rawurlencode($string);
break;
case ESC_NONE:
echo $string;
break;
default:
throw new InvalidArgumentException("Escaping format $escaping not known.");
}
}
/**
* Generate a root-relative URL from the base URL and the given base-relative URL
* @param string $url base-relative URL
* @return string root-relative URL
*/
function rrurl($url) {
global $relative_frontend_base_url;
return $relative_frontend_base_url.$url;
}
/**
* Output a root-relative URL from the base URL and the given base-relative URL
* @param string $url relative URL
*/
function outurl($url) {
out(rrurl($url));
}
/**
* Short-name HTML escape convenience function
* @param string $string string to escape
* @return string HTML-escaped string
*/
function hesc($string) {
return htmlspecialchars($string);
}
function english_list($array) {
if(count($array) == 1) return reset($array);
else return implode(', ', array_slice($array, 0, -1)).' and '.end($array);
}
/**
* Perform an HTTP redirect to the given URL (or the current URL if none given)
* @param string|null $url URL to redirect to
* @param string $type HTTP response code/name to use
*/
function redirect($url = null, $type = '303 See other') {
global $absolute_request_url, $relative_frontend_base_url;
if(is_null($url)) {
// Redirect is to current URL
$url = $absolute_request_url;
} elseif(substr($url, 0, 1) !== '#') {
$url = $relative_frontend_base_url.$url;
}
header("HTTP/1.1 $type");
header("Location: $url");
print("\n");
exit;
}
/**
* Given a set of defaults and an array of querystring data, convert to a simpler
* easy-to-read form and redirect if any conversion was done. Also return array
* combining defaults with any querysting parameters that do not match defaults.
* @param array $defaults associative array of default values
* @param array $values associative array of querystring data
* @return array result of combining defaults and querystring data
*/
function simplify_search($defaults, $values) {
global $relative_request_url;
$simplify = false;
$simplified = array();
foreach($defaults as $key => $default) {
if(!isset($values[$key])) {
// No value provided, use default
$values[$key] = $default;
} elseif(is_array($values[$key])) {
if($values[$key] == $default) {
// Parameter not needed in URL if it matches the default
} else {
// Simplify array to semicolon-separated string in URL
$simplified[] = urlencode($key).'='.implode(';', array_map('urlencode', $values[$key]));
}
$simplify = true;
} elseif($values[$key] == $default) {
// Parameter not needed in URL if it matches the default
$simplify = true;
} else {
// Pass value as-is to simplified array
$simplified[] = urlencode($key).'='.urlencode($values[$key]);
if(is_array($default)) {
// We expect an array; extract array values from semicolon-separated string
$values[$key] = explode(';', $values[$key]);
}
}
}
if($simplify) {
$url = preg_replace('/\?.*$/', '', $relative_request_url);
if(count($simplified) > 0) $url .= '?'.implode('&', $simplified);
redirect($url);
} else {
return $values;
}
}
class OutputFormatter {
public function comment_format($text) {
return hesc($text);
}
}
$output_formatter = new OutputFormatter;
# Include extensions PHP-Files:
foreach(glob("extensions/*.php") as $filename) {
include $filename;
}
class DBConnectionFailedException extends RuntimeException {}

208
email.php
Unescape Escape View File

@ -0,0 +1,208 @@
<?php
class Email {
public $from;
public $subject;
public $body;
public $signature;
private $to = array();
private $cc = array();
private $bcc = array();
private $reply_to = array();
private $headers = array();
private $gpg_sign = true;
public function __construct() {
global $config;
$this->from = array('email' => $config['email']['from_address'], 'name' => $config['email']['from_name']);
$this->signature = $config['web']['baseurl']."\nLIAM system";
}
public function add_recipient($email, $name = null) {
$this->to[] = array('email' => $email, 'name' => $name);
}
public function add_cc($email, $name = null) {
$this->cc[] = array('email' => $email, 'name' => $name);
}
public function add_bcc($email, $name = null) {
$this->bcc[] = array('email' => $email, 'name' => $name);
}
public function add_reply_to($email, $name = null) {
$this->reply_to[] = array('email' => $email, 'name' => $name);
}
public function set_from($email, $name = null) {
$this->from = array('email' => $email, 'name' => $name);
$this->gpg_sign = false;
}
public function send() {
global $config;
if(!empty($config['email']['reroute'])) {
$rcpt_summary = '';
foreach(array('to', 'cc', 'bcc') as $rcpt_type) {
if(count($this->$rcpt_type) > 0) {
$rcpt_summary .= ucfirst($rcpt_type).":\n";
foreach($this->$rcpt_type as $rcpt) {
if(is_null($rcpt['name'])) {
$rcpt_summary .= " $rcpt[email]\n";
} else {
$rcpt_summary .= " $rcpt[name] <$rcpt[email]>\n";
}
}
}
}
$this->body = $rcpt_summary."\n".$this->body;
$this->to = array(array('email' => $config['email']['reroute'], 'name' => null));
$this->cc = array();
$this->bcc = array();
}
$this->headers[] = "MIME-Version: 1.0";
$this->headers[] = "Content-Transfer-Encoding: 8bit";
$this->headers[] = "Auto-Submitted: auto-generated";
$this->headers[] = "Precedence: bulk";
$this->flow();
$this->append_signature();
if(function_exists('gnupg_init') && $this->gpg_sign && isset($config['gpg']['key_id'])) {
$this->sign();
}
if(is_null($this->from['name'])) {
$this->headers[] = "From: {$this->from['email']}";
} else {
$this->headers[] = "From: {$this->from['name']} <{$this->from['email']}>";
}
$to = array();
foreach($this->to as $rcpt) {
if(is_null($rcpt['name'])) {
$to[] = "$rcpt[email]";
} else {
$to[] = "$rcpt[name] <$rcpt[email]>";
}
}
if(count($this->reply_to) > 0) {
$header = 'Reply-To: ';
foreach($this->reply_to as $addr) {
if(is_null($addr['name'])) {
$header .= "$addr[email], ";
} else {
if(strrpos($header, "\n") === false) $indent = strlen($header);
else $indent = strlen($header) - strrpos($header, "\n") - 1;
$header .= $this->header_7bit_safe($addr['name'], $indent)." <$addr[email]>, ";
}
}
$this->headers[] = substr($header, 0, -2);
}
foreach(array('cc', 'bcc') as $rcpt_type) {
foreach($this->$rcpt_type as $rcpt) {
if(is_null($rcpt['name'])) {
$this->headers[] = ucfirst($rcpt_type).": $rcpt[email]";
} else {
$this->headers[] = ucfirst($rcpt_type).": ".$this->header_7bit_safe($rcpt['name'], strlen($rcpt_type) + 2)." <$rcpt[email]>";
}
}
}
if(!empty($config['email']['enabled'])) {
mail(implode(', ', $to), $this->header_7bit_safe($this->subject, 9), $this->body, implode("\n", $this->headers));
}
}
private function flow() {
$message = $this->body;
/* Excerpt from RFC 3676 - 4.2. Generating Format=Flowed
A generating agent SHOULD:
o Ensure all lines (fixed and flowed) are 78 characters or fewer in
length, counting any trailing space as well as a space added as
stuffing, but not counting the CRLF, unless a word by itself
exceeds 78 characters.
o Trim spaces before user-inserted hard line breaks.
A generating agent MUST:
o Space-stuff lines which start with a space, "From ", or ">".
*/
// Trimming spaces before user-inserted hard line breaks, and wrapping.
$lines = explode("\n", $message);
foreach($lines as $ref => $line) {
$lines[$ref] = wordwrap(rtrim($line), 76, " \n", false);
}
$message = implode("\n", $lines);
// Space-stuffing lines which start with a space, "From ", or ">".
$lines = explode("\n", $message);
foreach($lines as $ref => $line) {
if(strpos($line, " ") === 0 || strpos($line, "From ") === 0 || strpos($line, ">") === 0) $lines[$ref] = " ".$line;
}
$message = implode("\n", $lines);
$message = "$message\n\n";
$this->body = $message;
$this->headers[] = "Content-Type: text/plain; charset=utf-8; format=flowed";
}
private function header_7bit_safe($string, $indent = 0) {
if(is_null($string)) return null;
return mb_encode_mimeheader($string, 'UTF-8', 'Q', "\n", $indent);
}
private function append_signature() {
//Add a signature
$this->body .= "-- \n";
$this->body .= $this->signature;
}
private function sign() {
$localheaders = array();
foreach($this->headers as $k => $v) {
if(preg_match('/^Content-Type:/i', $v)) {
$localheaders[] = $v;
unset($this->headers[$k]);
}
}
$localheaders[] = "Content-Transfer-Encoding: quoted-printable";
$lines = explode("\n", $this->body);
foreach($lines as $ref => $line) {
$line = quoted_printable_encode($line);
if(substr($line, -1) == ' ') $line = substr($line, 0, -1).'=20';
$lines[$ref] = $line;
}
$boundary = uniqid(php_uname('n'));
$innerboundary = uniqid(php_uname('n').'1');
$this->headers[] = 'Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="'.$boundary.'"';
$message = "Content-Type: multipart/mixed; boundary=\"{$innerboundary}\";\r\n";
$message .= " protected-headers=\"v1\"\r\n";
$message .= "From: {$this->from['email']}\r\n";
foreach(array('to', 'cc') as $rcpt_type) {
foreach($this->$rcpt_type as $rcpt) {
if(is_null($rcpt['name'])) {
$message .= ucfirst($rcpt_type).": $rcpt[email]\r\n";
} else {
$message .= ucfirst($rcpt_type).": ".$this->header_7bit_safe($rcpt['name'], strlen($rcpt_type) + 2)." <$rcpt[email]>\r\n";
}
}
}
$message .= "Subject: ".$this->header_7bit_safe($this->subject, 9)."\r\n\r\n";
$message .= "--{$innerboundary}\r\n".implode("\r\n", $localheaders)."\r\n\r\n".implode("\r\n", $lines)."\r\n--{$innerboundary}--\r\n";
$signature = $this->get_gpg_signature($message);
$message = "This is an OpenPGP/MIME signed message (RFC 4880 and 3156)\r\n--{$boundary}\r\n{$message}\r\n--{$boundary}\r\n";
$message .= "Content-Type: application/pgp-signature; name=\"signature.asc\"\r\n";
$message .= "Content-Description: OpenPGP digital signature\r\n";
$message .= "Content-Disposition: attachment; filename=\"signature.asc\"\r\n\r\n";
$message .= $signature;
$message .= "\r\n--$boundary--";
$this->body = $message;
}
private function get_gpg_signature($message) {
global $config;
$gpg = new gnupg();
$gpg->addsignkey($config['gpg']['key_id']);
$gpg->setsignmode(GNUPG::SIG_MODE_DETACH);
return $gpg->sign($message);
}
}

2
extensions/README
Unescape Escape View File

@ -0,0 +1,2 @@
For extending or replacing functionality.
All .php files in this directory are automatically included.

77
ldap.php
Unescape Escape View File

@ -0,0 +1,77 @@
<?php
class LDAP {
private $conn;
private $host;
private $starttls;
private $bind_dn;
private $bind_password;
private $options;
public function __construct($host, $starttls, $bind_dn, $bind_password, $options) {
$this->conn = null;
$this->host = $host;
$this->starttls = $starttls;
$this->bind_dn = $bind_dn;
$this->bind_password = $bind_password;
$this->options = $options;
}
private function connect() {
$this->conn = ldap_connect($this->host);
if($this->conn === false) throw new LDAPConnectionFailureException('Invalid LDAP connection settings');
if($this->starttls) {
if(!ldap_start_tls($this->conn)) throw new LDAPConnectionFailureException('Could not initiate TLS connection to LDAP server');
}
foreach($this->options as $option => $value) {
ldap_set_option($this->conn, $option, $value);
}
if(!empty($this->bind_dn)) {
if(!ldap_bind($this->conn, $this->bind_dn, $this->bind_password)) throw new LDAPConnectionFailureException('Could not bind to LDAP server');
}
}
public function search($basedn, $filter, $fields = array(), $sort = array()) {
if(is_null($this->conn)) $this->connect();
if(empty($fields)) $r = @ldap_search($this->conn, $basedn, $filter);
else $r = @ldap_search($this->conn, $basedn, $filter, $fields);
$sort = array_reverse($sort);
foreach($sort as $field) {
@ldap_sort($this->conn, $r, $field);
}
if($r) {
// Fetch entries
$result = @ldap_get_entries($this->conn, $r);
unset($result['count']);
$items = array();
foreach($result as $item) {
unset($item['count']);
$itemResult = array();
foreach($item as $key => $values) {
if(!is_int($key)) {
if(is_array($values)) {
unset($values['count']);
if(count($values) == 1) $values = $values[0];
}
$itemResult[$key] = $values;
}
}
$items[] = $itemResult;
}
return $items;
}
return false;
}
public static function escape($str = '') {
$metaChars = array("\\00", "\\", "(", ")", "*");
$quotedMetaChars = array();
foreach($metaChars as $key => $value) {
$quotedMetaChars[$key] = '\\'. dechex(ord($value));
}
$str = str_replace($metaChars, $quotedMetaChars, $str);
return $str;
}
}
class LDAPConnectionFailureException extends RuntimeException {}

10
migrations/001.php
Unescape Escape View File

@ -0,0 +1,10 @@
<?php
$migration_name = 'Add migration support';
$this->database->query("
CREATE TABLE `migration` (
`id` int(10) unsigned NOT NULL,
`name` text NOT NULL,
`applied` datetime NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
");

382
migrations/002.php
Unescape Escape View File

@ -0,0 +1,382 @@
<?php
$migration_name = 'Initial setup, converted to migration';
try {
$this->database->query('SELECT * FROM entity');
} catch(mysqli_sql_exception $e) {
$this->database->query("
CREATE TABLE `access` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`source_entity_id` int(10) unsigned NOT NULL,
`dest_entity_id` int(10) unsigned NOT NULL,
`grant_date` datetime NOT NULL,
`granted_by` int(10) unsigned NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `source_entity_id_dest_entity_id` (`source_entity_id`, `dest_entity_id`),
KEY `FK_access_entity_2` (`dest_entity_id`),
KEY `FK_access_entity_3` (`granted_by`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=COMPACT
");
$this->database->query("
CREATE TABLE `access_option` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`access_id` int(10) unsigned NOT NULL,
`option` enum('command', 'from', 'no-agent-forwarding', 'no-port-forwarding', 'no-pty', 'no-X11-forwarding') NOT NULL,
`value` text,
PRIMARY KEY (`id`),
UNIQUE KEY `access_id_option` (`access_id`, `option`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `access_request` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`source_entity_id` int(10) unsigned NOT NULL,
`dest_entity_id` int(10) unsigned NOT NULL,
`request_date` datetime NOT NULL,
`requested_by` int(10) unsigned NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `source_entity_id_dest_entity_id` (`source_entity_id`, `dest_entity_id`),
KEY `FK_access_request_entity_2` (`dest_entity_id`),
KEY `FK_access_request_entity_3` (`requested_by`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=COMPACT;
");
$this->database->query("
CREATE TABLE `entity` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`type` enum('user','server account', 'group') NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `entity_admin` (
`entity_id` int(10) unsigned NOT NULL,
`admin` int(10) unsigned NOT NULL,
PRIMARY KEY (`entity_id`, `admin`),
KEY `FK_entity_admin_entity_2` (`admin`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=COMPACT;
");
$this->database->query("
CREATE TABLE `entity_event` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`entity_id` int(10) unsigned NOT NULL,
`actor_id` int(10) unsigned NOT NULL,
`date` datetime NOT NULL,
`details` mediumtext NOT NULL,
PRIMARY KEY (`id`),
KEY `FK_entity_event_entity_id` (`entity_id`),
KEY `FK_entity_event_actor_id` (`actor_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `group` (
`entity_id` int(10) unsigned NOT NULL,
`name` varchar(100) NOT NULL,
`active` tinyint(1) unsigned NOT NULL DEFAULT '1',
`system` tinyint(1) unsigned NOT NULL DEFAULT '0',
PRIMARY KEY (`entity_id`),
UNIQUE KEY `name` (`name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `group_event` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`group` int(10) unsigned NOT NULL,
`entity_id` int(10) unsigned NOT NULL,
`date` datetime NOT NULL,
`details` mediumtext NOT NULL,
PRIMARY KEY (`id`),
KEY `FK_group_event_group` (`group`),
KEY `FK_group_event_entity` (`entity_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=COMPACT;
");
$this->database->query("
CREATE TABLE `group_member` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`group` int(10) unsigned NOT NULL,
`entity_id` int(10) unsigned NOT NULL,
`add_date` datetime NOT NULL,
`added_by` int(10) unsigned NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `group_entity_id` (`group`, `entity_id`),
KEY `FK_group_member_entity` (`entity_id`),
KEY `FK_group_member_entity_2` (`added_by`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=COMPACT;
");
$this->database->query("
CREATE TABLE `public_key` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`entity_id` int(10) unsigned NOT NULL,
`type` varchar(30) NOT NULL,
`keydata` mediumtext NOT NULL,
`comment` mediumtext NOT NULL,
`keysize` int(11) DEFAULT NULL,
`fingerprint_md5` char(47) DEFAULT NULL,
`fingerprint_sha256` varchar(50) DEFAULT NULL,
`randomart_md5` text,
`randomart_sha256` text,
PRIMARY KEY (`id`),
KEY `FK_public_key_entity` (`entity_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `public_key_dest_rule` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`public_key_id` int(10) unsigned NOT NULL,
`account_name_filter` varchar(50) NOT NULL,
`hostname_filter` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `FK_public_key_dest_rule_public_key` (`public_key_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `public_key_signature` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`public_key_id` int(10) unsigned NOT NULL,
`signature` blob NOT NULL,
`upload_date` datetime NOT NULL,
`fingerprint` varchar(50) NOT NULL,
`sign_date` datetime NOT NULL,
PRIMARY KEY (`id`),
KEY `FK_public_key_signature_public_key` (`public_key_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `server` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`uuid` varchar(36) DEFAULT NULL,
`hostname` varchar(150) NOT NULL,
`ip_address` varchar(64) DEFAULT NULL,
`deleted` tinyint(1) unsigned NOT NULL DEFAULT '0',
`key_management` enum('none', 'keys', 'other', 'decommissioned') NOT NULL DEFAULT 'keys',
`authorization` enum('manual', 'automatic LDAP', 'manual LDAP') NOT NULL DEFAULT 'manual',
`use_sync_client` enum('no', 'yes') NOT NULL DEFAULT 'no',
`sync_status` enum('not synced yet', 'sync success', 'sync failure', 'sync warning') NOT NULL DEFAULT 'not synced yet',
`configuration_system` enum('unknown', 'cf-sysadmin', 'puppet-devops', 'puppet-miniops', 'puppet-tvstore', 'none') NOT NULL DEFAULT 'unknown',
`custom_keys` enum('not allowed', 'allowed') NOT NULL DEFAULT 'not allowed',
`rsa_key_fingerprint` char(32) DEFAULT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `hostname` (`hostname`),
KEY `ip_address` (`ip_address`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `server_account` (
`entity_id` int(10) unsigned NOT NULL,
`server_id` int(10) unsigned NOT NULL,
`name` varchar(50) DEFAULT NULL,
`sync_status` enum('not synced yet', 'sync success', 'sync failure', 'sync warning', 'proposed') NOT NULL DEFAULT 'not synced yet',
`active` tinyint(1) unsigned NOT NULL DEFAULT '1',
PRIMARY KEY (`entity_id`),
UNIQUE KEY `server_id_name` (`server_id`, `name`),
KEY `FK_server_account_server` (`server_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `server_admin` (
`server_id` int(10) unsigned NOT NULL,
`entity_id` int(10) unsigned NOT NULL,
PRIMARY KEY (`server_id`,`entity_id`),
KEY `FK_server_admin_entity` (`entity_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `server_event` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`server_id` int(10) unsigned NOT NULL,
`actor_id` int(10) unsigned NOT NULL,
`date` datetime NOT NULL,
`details` mediumtext NOT NULL,
PRIMARY KEY (`id`),
KEY `FK_server_log_server` (`server_id`),
KEY `FK_server_event_actor_id` (`actor_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `server_ldap_access_option` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`server_id` int(10) unsigned NOT NULL,
`option` enum('command', 'from', 'no-agent-forwarding', 'no-port-forwarding', 'no-pty', 'no-X11-forwarding') NOT NULL,
`value` text,
PRIMARY KEY (`id`),
UNIQUE KEY `server_id_option` (`server_id`, `option`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `server_note` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`server_id` int(10) unsigned NOT NULL,
`entity_id` int(10) unsigned NOT NULL,
`date` datetime NOT NULL,
`note` mediumtext NOT NULL,
PRIMARY KEY (`id`),
KEY `FK_server_note_server` (`server_id`),
KEY `FK_server_note_user` (`entity_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `sync_request` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`server_id` int(10) unsigned NOT NULL,
`account_name` varchar(50) DEFAULT NULL,
`processing` tinyint(1) unsigned NOT NULL DEFAULT '0',
PRIMARY KEY (`id`),
UNIQUE KEY `server_id_account_name` (`server_id`,`account_name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `user` (
`entity_id` int(10) unsigned NOT NULL,
`uid` varchar(50) NOT NULL,
`name` varchar(100) NOT NULL,
`email` varchar(100) NOT NULL,
`superior_entity_id` int(10) unsigned DEFAULT NULL,
`auth_realm` enum('LDAP','local','external') NOT NULL DEFAULT 'LDAP',
`active` tinyint(1) unsigned NOT NULL DEFAULT '1',
`admin` tinyint(1) unsigned NOT NULL DEFAULT '0',
`developer` tinyint(1) unsigned NOT NULL DEFAULT '0',
`force_disable` tinyint(1) unsigned NOT NULL DEFAULT '0',
`csrf_token` binary(128) DEFAULT NULL,
PRIMARY KEY (`entity_id`),
UNIQUE KEY `uid` (`uid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
CREATE TABLE `user_alert` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`entity_id` int(10) unsigned NOT NULL,
`class` varchar(15) NOT NULL,
`content` mediumtext NOT NULL,
`escaping` int(10) unsigned NOT NULL DEFAULT '1',
PRIMARY KEY (`id`),
KEY `FK_user_alert_entity` (`entity_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
$this->database->query("
ALTER TABLE `access`
ADD CONSTRAINT `FK_access_entity` FOREIGN KEY (`source_entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE,
ADD CONSTRAINT `FK_access_entity_2` FOREIGN KEY (`dest_entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE,
ADD CONSTRAINT `FK_access_entity_3` FOREIGN KEY (`granted_by`) REFERENCES `entity` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `access_option`
ADD CONSTRAINT `FK_access_option_access` FOREIGN KEY (`access_id`) REFERENCES `access` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `access_request`
ADD CONSTRAINT `FK_access_request_entity` FOREIGN KEY (`source_entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE,
ADD CONSTRAINT `FK_access_request_entity_2` FOREIGN KEY (`dest_entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE,
ADD CONSTRAINT `FK_access_request_entity_3` FOREIGN KEY (`requested_by`) REFERENCES `entity` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `entity_admin`
ADD CONSTRAINT `FK_entity_admin_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE,
ADD CONSTRAINT `FK_entity_admin_entity_2` FOREIGN KEY (`admin`) REFERENCES `entity` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `entity_event`
ADD CONSTRAINT `FK_entity_event_actor_id` FOREIGN KEY (`actor_id`) REFERENCES `entity` (`id`),
ADD CONSTRAINT `FK_entity_event_entity_id` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`)
");
$this->database->query("
ALTER TABLE `group`
ADD CONSTRAINT `FK_group_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `group_event`
ADD CONSTRAINT `FK_group_event_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`),
ADD CONSTRAINT `FK_group_event_group` FOREIGN KEY (`group`) REFERENCES `group` (`entity_id`)
");
$this->database->query("
ALTER TABLE `group_member`
ADD CONSTRAINT `FK_group_member_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE,
ADD CONSTRAINT `FK_group_member_entity_2` FOREIGN KEY (`added_by`) REFERENCES `entity` (`id`),
ADD CONSTRAINT `FK_group_member_group` FOREIGN KEY (`group`) REFERENCES `group` (`entity_id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `public_key`
ADD CONSTRAINT `FK_public_key_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `public_key_dest_rule`
ADD CONSTRAINT `FK_public_key_dest_rule_public_key` FOREIGN KEY (`public_key_id`) REFERENCES `public_key` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `public_key_signature`
ADD CONSTRAINT `FK_public_key_signature_public_key` FOREIGN KEY (`public_key_id`) REFERENCES `public_key` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `server_account`
ADD CONSTRAINT `FK_server_account_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE,
ADD CONSTRAINT `FK_server_account_server` FOREIGN KEY (`server_id`) REFERENCES `server` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `server_admin`
ADD CONSTRAINT `FK_server_admin_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE,
ADD CONSTRAINT `FK_server_admin_server` FOREIGN KEY (`server_id`) REFERENCES `server` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `server_event`
ADD CONSTRAINT `FK_server_event_actor_id` FOREIGN KEY (`actor_id`) REFERENCES `entity` (`id`),
ADD CONSTRAINT `FK_server_log_server` FOREIGN KEY (`server_id`) REFERENCES `server` (`id`)
");
$this->database->query("
ALTER TABLE `server_ldap_access_option`
ADD CONSTRAINT `FK_server_ldap_access_option_server` FOREIGN KEY (`server_id`) REFERENCES `server` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `server_note`
ADD CONSTRAINT `FK_server_note_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`),
ADD CONSTRAINT `FK_server_note_server` FOREIGN KEY (`server_id`) REFERENCES `server` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `sync_request`
ADD CONSTRAINT `FK_sync_request_server` FOREIGN KEY (`server_id`) REFERENCES `server` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `user`
ADD CONSTRAINT `FK_user_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE
");
$this->database->query("
ALTER TABLE `user_alert`
ADD CONSTRAINT `FK_user_alert_entity` FOREIGN KEY (`entity_id`) REFERENCES `entity` (`id`) ON DELETE CASCADE
");
}

6
migrations/003.php
Unescape Escape View File

@ -0,0 +1,6 @@
<?php
$migration_name = 'Add port number field';
$this->database->query("
ALTER TABLE `server` ADD COLUMN `port` int(10) unsigned NOT NULL DEFAULT 22
");

80
model/access.php
Unescape Escape View File

@ -0,0 +1,80 @@
<?php
/**
* Class that represents an access rule granting access from one entity to another
*/
class Access extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'access';
/**
* Add an SSH access option to the access rule
* Access options include "command", "from", "no-port-forwarding" etc.
* @param AccessOption $option to be added
*/
public function add_option(AccessOption $option) {
if(is_null($this->id)) throw new BadMethodCallException('Access rule must be in directory before options can be added');
$stmt = $this->database->prepare("INSERT INTO access_option SET access_id = ?, `option` = ?, value = ?");
$stmt->bind_param('dss', $this->id, $option->option, $option->value);
$stmt->execute();
$stmt->close();
}
/**
* Remove an SSH option from the access rule
* @param AccessOption $option to be removed
*/
public function delete_option(AccessOption $option) {
if(is_null($this->id)) throw new BadMethodCallException('Access rule must be in directory before options can be deleted');
$stmt = $this->database->prepare("DELETE FROM access_option WHERE access_id = ? AND `option` = ?");
$stmt->bind_param('ds', $this->id, $option->option);
$stmt->execute();
$stmt->close();
}
/**
* Replace the current list of SSH access options with the provided array of options.
* This is a crude implementation - just deletes all existing options and adds new ones, with
* table locking for a small measure of safety.
* @param array $options array of AccessOption objects
*/
public function update_options(array $options) {
$stmt = $this->database->query("LOCK TABLES access_option WRITE");
$oldoptions = $this->list_options();
foreach($oldoptions as $oldoption) {
$this->delete_option($oldoption);
}
foreach($options as $option) {
$this->add_option($option);
}
$stmt = $this->database->query("UNLOCK TABLES");
$this->dest_entity->sync_access();
}
/**
* List all current SSH access options applied to the access rule.
* @return array of AccessOption objects
*/
public function list_options() {
if(is_null($this->id)) throw new BadMethodCallException('Access rule must be in directory before options can be listed');
$stmt = $this->database->prepare("
SELECT *
FROM access_option
WHERE access_id = ?
ORDER BY `option`
");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$options = array();
while($row = $result->fetch_assoc()) {
$options[$row['option']] = new AccessOption($row['option'], $row);
}
$stmt->close();
return $options;
}
}
class AccessNotFoundException extends Exception {}

11
model/accessoption.php
Unescape Escape View File

@ -0,0 +1,11 @@
<?php
/**
* Class that represents an SSH access option on an access rule
*/
class AccessOption extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'access_option';
}

11
model/accessrequest.php
Unescape Escape View File

@ -0,0 +1,11 @@
<?php
/**
* Class that represents a request for access from one entity to another
*/
class AccessRequest extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'access_request';
}

17
model/dbdirectory.php
Unescape Escape View File

@ -0,0 +1,17 @@
<?php
/**
* Basic database directory abstract class. Inherited by most classes that manipulate lists of objects in the database.
*/
abstract class DBDirectory {
protected $database;
/**
* Sets up the local $database object for use by the inheriting classes.
*/
public function __construct() {
global $database;
$this->database = $database;
}
}

401
model/entity.php
Unescape Escape View File

@ -0,0 +1,401 @@
<?php
/**
* Abstract class that represents one of several types of entities (users, server accounts, groups)
* which can have access rules created between them, administrators assigned, or be members of each other.
*/
abstract class Entity extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'entity';
/**
* Write event details to syslog and to entity_event table.
* @param array $details event paramaters to be logged
* @param int $level syslog priority as defined in http://php.net/manual/en/function.syslog.php
*/
public function log($details, $level = LOG_INFO) {
if(is_null($this->id)) throw new BadMethodCallException('Entity must be in directory before log entries can be added');
switch(get_class($this)) {
case 'User':
$scope = "user:{$this->uid}";
break;
case 'ServerAccount':
$scope = "account:{$this->name}@{$this->server->hostname}";
break;
case 'Group':
$scope = "group:{$this->name}";
break;
default:
throw new BadMethodCallException('Unsupported entity type: '.get_class($this));
}
$json = json_encode($details, JSON_UNESCAPED_UNICODE);
$stmt = $this->database->prepare("INSERT INTO entity_event SET entity_id = ?, actor_id = ?, date = UTC_TIMESTAMP(), details = ?");
$stmt->bind_param('dds', $this->id, $this->active_user->entity_id, $json);
$stmt->execute();
$stmt->close();
$text = "KeysScope=\"{$scope}\" KeysRequester=\"{$this->active_user->uid}\"";
foreach($details as $key => $value) {
$text .= ' Keys'.ucfirst($key).'="'.str_replace('"', '', $value).'"';
}
openlog('keys', LOG_ODELAY, LOG_AUTH);
syslog($level, $text);
closelog();
}
/**
* Add the specified user as an administrator of the entity.
* Logging is performed by the inheriting classes.
* @param User $user to add as administrator
*/
public function add_admin(User $user) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before admins can be added');
if(is_null($user->entity_id)) throw new InvalidArgumentException('User must be in directory before it can be made admin');
$entity_id = $user->entity_id;
try {
$stmt = $this->database->prepare("INSERT INTO entity_admin SET entity_id = ?, admin = ?");
$stmt->bind_param('dd', $this->entity_id, $entity_id);
$stmt->execute();
$stmt->close();
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry - ignore
} else {
throw $e;
}
}
}
/**
* Remove the specified user as an administrator of the entity.
* @param User $user to remove as administrator
*/
public function delete_admin(User $user) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before admins can be deleted');
if(is_null($user->entity_id)) throw new InvalidArgumentException('User must be in directory before it can be removed as admin');
$entity_id = $user->entity_id;
$stmt = $this->database->prepare("DELETE FROM entity_admin WHERE entity_id = ? AND admin = ?");
$stmt->bind_param('dd', $this->entity_id, $entity_id);
$stmt->execute();
$stmt->close();
}
/**
* List all administrators of this entity.
* @return array of User objects
*/
public function list_admins() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before admins can be listed');
$stmt = $this->database->prepare("SELECT admin FROM entity_admin WHERE entity_id = ?");
$stmt->bind_param('d', $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
$admins = array();
while($row = $result->fetch_assoc()) {
$admins[] = new User($row['admin']);
}
$stmt->close();
return $admins;
}
/**
* Add a public key to this entity for use with any outbound access rules that apply to it.
* Emailing and logging is handled by the inheriting classes.
* @param PublicKey $key to be added
*/
public function add_public_key(PublicKey $key) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before public keys can be added');
$key->get_openssh_info();
$key_type = $key->type;
$key_keydata = $key->keydata;
$key_comment = $key->comment;
$key_size = $key->keysize;
$key_fingerprint_md5 = $key->fingerprint_md5;
$key_fingerprint_sha256 = $key->fingerprint_sha256;
$key_randomart_md5 = $key->randomart_md5;
$key_randomart_sha256 = $key->randomart_sha256;
$stmt = $this->database->prepare("
INSERT INTO public_key SET
entity_id = ?,
type = ?,
keydata = ?,
comment = ?,
keysize = ?,
fingerprint_md5 = ?,
fingerprint_sha256 = ?,
randomart_md5 = ?,
randomart_sha256 = ?
");
$stmt->bind_param('dsssdssss', $this->entity_id, $key_type, $key_keydata, $key_comment, $key_size, $key_fingerprint_md5, $key_fingerprint_sha256, $key_randomart_md5, $key_randomart_sha256);
$stmt->execute();
$key->id = $stmt->insert_id;
$stmt->close();
$this->sync_remote_access();
}
/**
* Delete the specified public key from this entity.
* @param PublicKey $key to be removed
*/
public function delete_public_key(PublicKey $key) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before public keys can be deleted');
$stmt = $this->database->prepare("DELETE FROM public_key WHERE entity_id = ? AND id = ?");
$stmt->bind_param('dd', $this->entity_id, $key->id);
$stmt->execute();
$stmt->close();
$this->sync_remote_access();
}
/**
* Retrieve a specific public key for this entity by its ID.
* @param int $id of public key to retrieve
* @return PublicKey matching the ID
* @throws PublicKeyNotFoundException if no public key exists with that ID
*/
public function get_public_key_by_id($id) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before public keys can be listed');
$stmt = $this->database->prepare("SELECT * FROM public_key WHERE entity_id = ? AND id = ?");
$stmt->bind_param('dd', $this->entity_id, $id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$key = new PublicKey($row['id'], $row);
} else {
throw new PublicKeyNotFoundException('Public key does not exist.');
}
$stmt->close();
return $key;
}
/**
* List all public keys associated with this entity, optionally filtered by account name and hostname
* for any of the keys that have destination rules applied.
* @todo this is perhaps an unintuitive place to do this kind of filtering
* @param string|null $account_name to filter for in the destination rules for each key
* @param string|null $hostname to filter for in the destination rules for each key
* @return array of PublicKey objects
*/
public function list_public_keys($account_name = null, $hostname = null) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before public keys can be listed');
$stmt = $this->database->prepare("
SELECT public_key.*, COUNT(public_key_dest_rule.id) AS dest_rule_count
FROM public_key
LEFT JOIN public_key_dest_rule ON public_key_dest_rule.public_key_id = public_key.id
WHERE entity_id = ?
GROUP BY public_key.id
");
$stmt->bind_param('d', $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
$keys = array();
while($row = $result->fetch_assoc()) {
if((is_null($account_name) && is_null($hostname)) || $row['dest_rule_count'] == 0) {
$include = true;
} else {
$include = false;
$rulestmt = $this->database->prepare("SELECT * FROM public_key_dest_rule WHERE public_key_id = ?");
$rulestmt->bind_param('d', $row['id']);
$rulestmt->execute();
$ruleresult = $rulestmt->get_result();
if($ruleresult->num_rows == 0) {
// Key has no destination rules defined, include it everywhere
$include = true;
} else {
// Apply destination rules
while($rule = $ruleresult->fetch_assoc()) {
$filter1 = '/^'.str_replace('\*', '.*', preg_quote($rule['account_name_filter'], '/')).'$/i';
$filter2 = '/^'.str_replace('\*', '.*', preg_quote($rule['hostname_filter'], '/')).'$/i';
if(preg_match($filter1, $account_name) && preg_match($filter2, $hostname)) {
$include = true;
break;
}
}
}
}
if($include) {
$keys[] = new PublicKey($row['id'], $row);
}
}
$stmt->close();
return $keys;
}
/**
* Retrieve a specific access rule towards this entity by its ID (inbound access).
* @param int $id to retrieve
* @return Access object
* @throws AccessNotFoundException if no access rule exists with this ID
*/
public function get_access_by_id($id) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before access can be listed');
$stmt = $this->database->prepare("
SELECT access.*, entity.type
FROM access
INNER JOIN entity ON entity.id = access.source_entity_id
WHERE access.dest_entity_id = ? AND access.id = ?
");
$stmt->bind_param('dd', $this->entity_id, $id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
switch($row['type']) {
case 'user': $source_entity = new User($row['source_entity_id']); break;
case 'server account': $source_entity = new ServerAccount($row['source_entity_id']); break;
case 'group': $source_entity = new Group($row['source_entity_id']); break;
}
$row['granted_by'] = new User($row['granted_by']);
$row['source_entity'] = $source_entity;
$row['dest_entity'] = $this;
$access = new Access($row['id'], $row);
} else {
throw new AccessNotFoundException('Access rule does not exist.');
}
$stmt->close();
return $access;
}
/**
* List all access rules that grant access to this entity (inbound access).
* @return array of Access objects
*/
public function list_access() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before access can be listed');
$stmt = $this->database->prepare("
SELECT access.*, entity.type
FROM access
INNER JOIN entity ON entity.id = access.source_entity_id
LEFT JOIN user ON user.entity_id = entity.id
LEFT JOIN server_account ON server_account.entity_id = entity.id
LEFT JOIN server ON server.id = server_account.server_id
LEFT JOIN `group` ON `group`.entity_id = entity.id
WHERE dest_entity_id = ?
ORDER BY entity.type, user.uid, server.hostname, server_account.name, `group`.name
");
$stmt->bind_param('d', $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
$access_list = array();
while($row = $result->fetch_assoc()) {
switch($row['type']) {
case 'user': $source_entity = new User($row['source_entity_id']); break;
case 'server account': $source_entity = new ServerAccount($row['source_entity_id']); break;
case 'group': $source_entity = new Group($row['source_entity_id']); break;
}
$row['granted_by'] = new User($row['granted_by']);
$row['source_entity'] = $source_entity;
$access_list[] = new Access($row['id'], $row);
}
$stmt->close();
return $access_list;
}
/**
* List all requests for access to this entity (inbound access).
* @return array of AccessRequest objects
*/
public function list_access_requests() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before access can be listed');
$stmt = $this->database->prepare("
SELECT access_request.*, entity.type
FROM access_request
INNER JOIN entity ON entity.id = access_request.source_entity_id
LEFT JOIN user ON user.entity_id = entity.id
LEFT JOIN server_account ON server_account.entity_id = entity.id
LEFT JOIN server ON server.id = server_account.server_id
LEFT JOIN `group` ON `group`.entity_id = entity.id
WHERE dest_entity_id = ?
ORDER BY entity.type, user.uid, server.hostname, server_account.name, `group`.name
");
$stmt->bind_param('d', $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
$access_requests = array();
while($row = $result->fetch_assoc()) {
switch($row['type']) {
case 'user': $source_entity = new User($row['source_entity_id']); break;
case 'server account': $source_entity = new ServerAccount($row['source_entity_id']); break;
case 'group': $source_entity = new Group($row['source_entity_id']); break;
}
$row['requested_by'] = new User($row['requested_by']);
$row['source_entity'] = $source_entity;
$access_requests[] = new AccessRequest($row['id'], $row);
}
$stmt->close();
return $access_requests;
}
/**
* List all access rules that grant this entity access to other entities (outbound access).
* @return array of Access objects
*/
public function list_remote_access() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Entity must be in directory before remote access can be listed');
$stmt = $this->database->prepare("
SELECT access.*, entity.type
FROM access
INNER JOIN entity ON access.dest_entity_id = entity.id
LEFT JOIN user ON user.entity_id = entity.id
LEFT JOIN server_account ON server_account.entity_id = entity.id
LEFT JOIN server ON server.id = server_account.server_id
LEFT JOIN `group` ON `group`.entity_id = entity.id
WHERE access.source_entity_id = ?
ORDER BY entity.type, user.uid, server.hostname, server_account.name, `group`.name
");
$stmt->bind_param('d', $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
$access_list = array();
while($row = $result->fetch_assoc()) {
switch($row['type']) {
case 'user': $dest_entity = new User($row['dest_entity_id']); break;
case 'server account': $dest_entity = new ServerAccount($row['dest_entity_id']); break;
case 'group': $dest_entity = new Group($row['dest_entity_id']); break;
}
$row['granted_by'] = new User($row['granted_by']);
$row['dest_entity'] = $dest_entity;
$access_list[] = new Access($row['id'], $row);
}
$stmt->close();
return $access_list;
}
/**
* Trigger a sync for this entity - must be implemented by inheriting class.
*/
abstract public function sync_access();
/**
* Trigger a sync for all entities that this entity has access to (and recurse to group members).
* @param $seen used to prevent infinite recursion and double-syncing by tracking all entities seen so far
*/
public function sync_remote_access(&$seen = array()) {
$seen[$this->entity_id] = true;
// Sync whatever this entity has access to
$access_list = $this->list_remote_access();
foreach($access_list as $access) {
$access->dest_entity->sync_access();
}
// Sync whatever groups this entity is a member of
global $group_dir;
$memberships = $group_dir->list_group_membership($this);
foreach($memberships as $group) {
if(!isset($seen[$group->entity_id])) {
$group->sync_remote_access($seen);
}
}
// If this is a user, also sync across LDAP-based servers
global $server_dir;
global $sync_request_dir;
if(get_class($this) == 'User') {
$servers = $server_dir->list_servers(array(), array('authorization' => array('manual LDAP', 'automatic LDAP')));
foreach($servers as $server) {
$sync_request = new SyncRequest;
$sync_request->server_id = $server->id;
$sync_request->account_name = $this->uid;
$sync_request_dir->add_sync_request($sync_request);
}
}
}
}

28
model/entityevent.php
Unescape Escape View File

@ -0,0 +1,28 @@
<?php
/**
* Abstract class that represents a log event that was recorded in relation to an entity
*/
abstract class EntityEvent extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'entity_event';
/**
* Magic getter method - if actor field requested, return User object of the person who triggered
* the logged event.
* @param string $field to retrieve
* @return mixed data stored in field
*/
public function &__get($field) {
global $user_dir;
switch($field) {
case 'actor':
$actor = new User($this->data['actor_id']);
return $actor;
default:
return parent::__get($field);
}
}
}

75
model/eventdirectory.php
Unescape Escape View File

@ -0,0 +1,75 @@
<?php
/**
* Class for reading from the list of all *Event objects in the database.
*/
class EventDirectory extends DBDirectory {
/**
* List events of all types stored in the database ordered from most recent.
* @param array $include list of extra data to include in response - currently unused
* @param array $filter list of field/value pairs to filter results on
* @param int|null $limit max results to return
* @return array of *Event objects
*/
public function list_events($include = array(), $filter = array(), $limit = 100) {
// WARNING: The search query is not parameterized - be sure to properly escape all input
$fields = array(
'server' => array("se.id", "se.server_id", "NULL as `entity_id`", "se.actor_id", "se.date", "se.details"),
'group' => array("ee.id", "NULL AS server_id", "ee.entity_id", "ee.actor_id", "ee.date", "ee.details")
);
$joins = array('server' => array(), 'group' => array());
$where = array('server' => array(), 'group' => array());
foreach($filter as $field => $value) {
if($value) {
switch($field) {
case 'admin':
// Filter for events from servers that the user is an admin of
$joins['server']['adminsearch'] = "INNER JOIN server_admin AS admin_search ON admin_search.server_id = se.server_id";
$where['server'][] = "admin_search.entity_id = ".intval($value);
// Filter for events from server accounts or groups that the user is an admin of
// (possibly indirectly for the former as a result of being server admin)
$joins['group']['adminsearch'] = "LEFT JOIN entity_admin AS admin_search ON admin_search.entity_id = ee.entity_id";
$joins['group']['account'] = "LEFT JOIN server_account AS sa ON sa.entity_id = ee.entity_id";
$joins['group']['server'] = "LEFT JOIN server AS s ON s.id = sa.server_id";
$joins['group']['parentadminsearch'] = "LEFT JOIN server_admin AS parent_admin_search ON parent_admin_search.server_id = s.id";
$where['group'][] = "admin_search.admin = ".intval($value)." OR parent_admin_search.entity_id = ".intval($value);
break;
}
}
}
$stmt = $this->database->prepare("
(SELECT ".implode(", ", $fields['server']).", 'server' AS event_type
FROM server_event se ".implode(" ", $joins['server'])."
".(count($where['server']) == 0 ? "" : "WHERE (".implode(") AND (", $where['server']).")")."
GROUP BY se.id
ORDER BY se.id DESC)
UNION
(SELECT ".implode(", ", $fields['group']).", e.type AS event_type
FROM entity_event ee ".implode(" ", $joins['group'])."
INNER JOIN entity e ON e.id = ee.entity_id
".(count($where['group']) == 0 ? "" : "WHERE (".implode(") AND (", $where['group']).")")."
GROUP BY ee.id
ORDER BY ee.id DESC)
ORDER BY `date` DESC, id DESC
".(is_null($limit) ? '' : 'LIMIT '.intval($limit))."
");
$stmt->execute();
$result = $stmt->get_result();
$events = array();
while($row = $result->fetch_assoc()) {
if($row['event_type'] == 'server') {
$events[] = new ServerEvent($row['id'], $row);
} elseif($row['event_type'] == 'user') {
$events[] = new UserEvent($row['id'], $row);
} elseif($row['event_type'] == 'server account') {
$events[] = new ServerAccountEvent($row['id'], $row);
} elseif($row['event_type'] == 'group') {
$events[] = new GroupEvent($row['id'], $row);
}
}
$stmt->close();
return $events;
}
}
class EventNotFoundException extends Exception {}

333
model/group.php
Unescape Escape View File

@ -0,0 +1,333 @@
<?php
/**
* Class that represents a grouping of users or server accounts
*/
class Group extends Entity {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'group';
/**
* Defines the field that is the primary key of the table
*/
protected $idfield = 'entity_id';
public function __construct($id = null, $preload_data = array()) {
parent::__construct($id, $preload_data);
if(!isset($this->data['system'])) $this->data['system'] = 0;
}
/**
* Write property changes to database and log the changes.
* Triggers a resync if the group was activated/deactivated.
*/
public function update() {
if($this->data['system']) $this->data['active'] = 1; // Cannot disable system groups
$changes = parent::update();
$resync = false;
foreach($changes as $change) {
$loglevel = LOG_INFO;
switch($change->field) {
case 'active':
$resync = true;
if($change->new_value == 1) $loglevel = LOG_WARNING;
break;
}
$this->log(array('action' => 'Setting update', 'value' => $change->new_value, 'oldvalue' => $change->old_value, 'field' => ucfirst(str_replace('_', ' ', $change->field))), $loglevel);
}
if($resync) {
$this->sync_access();
$this->sync_remote_access();
}
}
/**
* List all log events for this group.
* @return array of GroupEvent objects
*/
public function get_log() {
if(is_null($this->id)) throw new BadMethodCallException('Group must be in directory before log entries can be listed');
$stmt = $this->database->prepare("SELECT * FROM entity_event WHERE entity_id = ? ORDER BY id DESC");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$log = array();
while($row = $result->fetch_assoc()) {
$log[] = new GroupEvent($row['id'], $row);
}
$stmt->close();
return $log;
}
/**
* Add the specified user as an administrator of the group.
* This action is logged with a warning level as it is increasing an access level.
* @param User $user to add as administrator
*/
public function add_admin(User $user) {
global $config;
parent::add_admin($user);
$url = $config['web']['baseurl'].'/groups/'.urlencode($this->name);
$email = new Email;
$email->subject = "Administrator for {$this->name} group";
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->add_recipient($user->email, $user->name);
$email->body = "{$this->active_user->name} ({$this->active_user->uid}) has added you as an administrator for the '{$this->name}' group. You can administer this group from <$url>";
$email->send();
$this->log(array('action' => 'Administrator add', 'value' => "user:{$user->uid}"), LOG_WARNING);
}
/**
* Remove the specified user as an administrator of the group.
* This action is logged with a warning level as it means the removed user will no longer
* receive notifications for any changes done to this group.
* @param User $user to remove as administrator
*/
public function delete_admin(User $user) {
parent::delete_admin($user);
$this->log(array('action' => 'Administrator remove', 'value' => "user:{$user->uid}"), LOG_WARNING);
}
/**
* Add the specified entity (User/ServerAccount/Group†) as a member of the group.
* †Adding a Group as a member of a group (nested groups) is no longer allowed by the UI.
* This action is logged with a warning level as it is potentially granting access.
* @todo remove nested group functionality
* @param Entity $entity to add as a group member
*/
public function add_member(Entity $entity) {
global $config;
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before members can be added');
if(is_null($entity->entity_id)) throw new InvalidArgumentException('Entity must be in directory before it can be added to a group');
$entity_id = $entity->entity_id;
switch(get_class($entity)) {
case 'User':
$name = "user {$entity->uid}";
$mailsubject = "{$entity->uid} added to {$this->name} group by {$this->active_user->uid}";
$mailbody = "{$entity->name} ({$entity->uid}) has been added to the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
$logmsg = array('action' => 'Member add', 'value' => "user:{$entity->uid}");
break;
case 'ServerAccount':
// We should not allow adding server accounts to a group if the active user is not an admin of that server or server account
if(!$this->active_user->admin && !$this->active_user->admin_of($entity->server) && !$this->active_user->admin_of($entity)) {
throw new InvalidArgumentException('Active user is not an administrator of the specified server account');
}
$name = "account {$entity->name}@{$entity->server->hostname}";
$mailsubject = "{$entity->name}@{$entity->server->hostname} added to {$this->name} group by {$this->active_user->uid}";
$mailbody = "{$entity->name}@{$entity->server->hostname} has been added to the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
$logmsg = array('action' => 'Member add', 'value' => "account:{$entity->name}@{$entity->server->hostname}");
break;
case 'Group':
// We should not allow adding groups to a group if the active user is not an admin of that group
if(!$this->active_user->admin && !$this->active_user->admin_of($entity)) {
throw new InvalidArgumentException('Active user is not an administrator of the specified group');
}
$name = "group {$entity->name}";
$mailsubject = "{$entity->name} group added to {$this->name} group by {$this->active_user->uid}";
$mailbody = "The {$entity->name} group has been added to the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
$logmsg = array('action' => 'Member add', 'value' => "group:{$entity->name}");
break;
}
try {
$stmt = $this->database->prepare("INSERT INTO group_member SET `group` = ?, entity_id = ?, add_date = UTC_TIMESTAMP(), added_by = ?");
$stmt->bind_param('ddd', $this->entity_id, $entity_id, $this->active_user->entity_id);
$stmt->execute();
$stmt->close();
$this->log($logmsg, LOG_WARNING);
if($this->active_user->uid != 'import-script') {
$email = new Email;
foreach($this->list_admins() as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->subject = $mailsubject;
$email->body = $mailbody;
$email->send();
}
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry - ignore
} else {
throw $e;
}
}
$entity->sync_access(); // This entity is now a member of the group, so any access rules that apply to the group now apply to the entity
$this->sync_remote_access(); // If this group has access to anything, this entity now also has access to it
}
/**
* Remove the specified entity (User/ServerAccount/Group) as a member of the group.
* @todo remove nested group functionality
* @param Entity $entity to remove as a group member
*/
public function delete_member(Entity $entity) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before members can be deleted');
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Member remove', 'value' => "user:{$entity->uid}"));
break;
case 'ServerAccount':
$this->log(array('action' => 'Member remove', 'value' => "account:{$entity->name}@{$entity->server->hostname}"));
break;
case 'Group':
$this->log(array('action' => 'Member remove', 'value' => "group:{$entity->name}"));
break;
}
$stmt = $this->database->prepare("DELETE FROM group_member WHERE `group` = ? AND entity_id = ?");
$stmt->bind_param('ds', $this->entity_id, $entity->entity_id);
$stmt->execute();
$stmt->close();
// Resync both the entity being removed and the group itself
$entity->sync_access();
$this->sync_remote_access();
}
/**
* List all members of the group.
* @todo remove nested group functionality
* @return array of User/ServerAccount/Group objects
*/
public function list_members() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before members can be listed');
$stmt = $this->database->prepare("
SELECT entity.id, entity.type, add_date, added_by
FROM group_member
INNER JOIN entity ON group_member.entity_id = entity.id
LEFT JOIN user ON user.entity_id = entity.id
LEFT JOIN server_account ON server_account.entity_id = entity.id
LEFT JOIN server ON server.id = server_account.server_id
LEFT JOIN `group` ON `group`.entity_id = entity.id
WHERE group_member.group = ?
ORDER BY entity.type, user.uid, server.hostname, server_account.name, `group`.name
");
$stmt->bind_param('d', $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
$members = array();
while($row = $result->fetch_assoc()) {
$row['added_by'] = new User($row['added_by']);
switch($row['type']) {
case 'user': $members[] = new User($row['id'], $row); break;
case 'server account': $members[] = new ServerAccount($row['id'], $row); break;
case 'group': $members[] = new Group($row['id'], $row); break;
}
}
$stmt->close();
return $members;
}
/**
* Grant the specified entity (User/ServerAccount/Group) access to members of this group.
* An email is sent to the group admins and sec-ops to inform them of the change.
* This action is logged with a warning level as it is granting access.
* @param Entity $entity to add as a group member
* @param array $access_options array of AccessOption rules to apply to the granted access
*/
public function add_access(Entity $entity, array $access_options) {
global $config;
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before access can be added');
if(is_null($entity->entity_id)) throw new InvalidArgumentException('Entity must be in directory before it can be granted access to a group');
$access = new Access;
$access->dest_entity_id = $this->entity_id;
$access->source_entity_id = $entity->entity_id;
$access->granted_by = $this->active_user->entity_id;
try {
$stmt = $this->database->prepare("INSERT INTO access SET dest_entity_id = ?, source_entity_id = ?, grant_date = UTC_TIMESTAMP(), granted_by = ?");
$stmt->bind_param('ddd', $access->dest_entity_id, $access->source_entity_id, $access->granted_by);
$stmt->execute();
$access->id = $stmt->insert_id;
$stmt->close();
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access add', 'value' => "user:{$entity->uid}"), LOG_WARNING);
$mailsubject = "{$entity->uid} granted access to {$this->name} group resources by {$this->active_user->uid}";
$mailbody = "{$entity->name} ({$entity->uid}) has been granted access to resources in the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
break;
case 'ServerAccount':
$this->log(array('action' => 'Access add', 'value' => "account:{$entity->name}@{$entity->server->hostname}"), LOG_WARNING);
$mailsubject = "{$entity->name}@{$entity->server->hostname} granted access to {$this->name} group resources by {$this->active_user->uid}";
$mailbody = "{$entity->name}@{$entity->server->hostname} has been granted access to resources in the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
break;
case 'Group':
$this->log(array('action' => 'Access add', 'value' => "group:{$entity->name}"), LOG_WARNING);
$mailsubject = "{$entity->name} group granted access to {$this->name} group resources by {$this->active_user->uid}";
$mailbody = "The {$entity->name} group has been granted access to resources in the {$this->name} group by {$this->active_user->name} ({$this->active_user->uid}).";
break;
}
if($this->active_user->uid != 'import-script') {
$email = new Email;
foreach($this->list_admins() as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->subject = $mailsubject;
$email->body = $mailbody;
$email->send();
}
foreach($access_options as $access_option) {
$access->add_option($access_option);
}
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry - ignore
} else {
throw $e;
}
}
$this->sync_access();
}
/**
* Revoke the specified access rule to members of this group.
* @param Access $access rule to be removed
*/
public function delete_access(Access $access) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Group must be in directory before access can be deleted');
$entity = $access->source_entity;
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access remove', 'value' => "user:{$entity->uid}"));
break;
case 'ServerAccount':
$this->log(array('action' => 'Access remove', 'value' => "account:{$entity->name}@{$entity->server->hostname}"));
break;
case 'Group':
$this->log(array('action' => 'Access remove', 'value' => "group:{$entity->name}"));
break;
}
$stmt = $this->database->prepare("DELETE FROM access WHERE dest_entity_id = ? AND id = ?");
$stmt->bind_param('ds', $this->entity_id, $access->id);
$stmt->execute();
$stmt->close();
$this->sync_access();
}
/**
* List all groups that *this* group is a member of, searched recursively.
* Note: nested groups are no longer allowed by the UI.
* @todo remove nested group functionality
* @return array of Group objects
*/
public function list_group_membership() {
global $group_dir;
return $group_dir->list_group_membership($this);
}
/**
* Trigger a resync for all members of this group, searched recursively†.
* †Nested groups are no longer allowed by the UI.
* @todo remove nested group functionality
* @param array $seen keep track of entities we've already processed to prevent infinite recursion
*/
public function sync_access(&$seen = array()) {
$seen[$this->entity_id] = true;
$members = $this->list_members();
foreach($members as $entity) {
if(!isset($seen[$entity->entity_id])) {
$entity->sync_access($seen);
}
}
}
}

189
model/groupdirectory.php
Unescape Escape View File

@ -0,0 +1,189 @@
<?php
/**
* Class for reading/writing to the list of Group objects in the database.
*/
class GroupDirectory extends DBDirectory {
/**
* Create the new group in the database.
* @param Group $group object to add
* @throws GroupAlreadyExistsException if a group with that name already exists
*/
public function add_group(Group $group) {
$name = $group->name;
$system = $group->system;
$this->database->begin_transaction();
$stmt = $this->database->prepare("INSERT INTO entity SET type = 'group'");
$stmt->execute();
$group->entity_id = $stmt->insert_id;
$stmt->close();
$stmt = $this->database->prepare("INSERT INTO `group` SET entity_id = ?, name = ?, `system` = ?");
$stmt->bind_param('dsd', $group->entity_id, $name, $system);
try {
$stmt->execute();
$stmt->close();
$this->database->commit();
$group->log(array('action' => 'Group add'));
} catch(mysqli_sql_exception $e) {
$this->database->rollback();
if($e->getCode() == 1062) {
// Duplicate entry
throw new GroupAlreadyExistsException("Group {$group->name} already exists");
} else {
throw $e;
}
}
}
/**
* Get a group from the database by its entity ID.
* @param int $entity_id of group
* @return Group with specified entity ID
* @throws GroupNotFoundException if no group with that entity ID exists
*/
public function get_group_by_id($entity_id) {
$stmt = $this->database->prepare("SELECT * FROM `group` WHERE entity_id = ?");
$stmt->bind_param('d', $entity_id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$group = new Group($row['entity_id'], $row);
} else {
throw new GroupNotFoundException('Group does not exist.');
}
$stmt->close();
return $group;
}
/**
* Get a group from the database by its name.
* @param string $name of group
* @return Group with specified name
* @throws GroupNotFoundException if no group with that name exists
*/
public function get_group_by_name($name) {
$stmt = $this->database->prepare("SELECT * FROM `group` WHERE name = ?");
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$group = new Group($row['entity_id'], $row);
} else {
throw new GroupNotFoundException('Group does not exist');
}
$stmt->close();
return $group;
}
/**
* List all groups in the database.
* @param array $include list of extra data to include in response
* @param array $filter list of field/value pairs to filter results on
* @return array of Group objects
*/
public function list_groups($include = array(), $filter = array()) {
// WARNING: The search query is not parameterized - be sure to properly escape all input
$fields = array("`group`.*");
$joins = array();
$where = array();
foreach($filter as $field => $value) {
if($value) {
switch($field) {
case 'name':
$where[] = "`group`.name REGEXP '".$this->database->escape_string($value)."'";
break;
case 'active':
$where[] = "`group`.active IN (".implode(", ", array_map('intval', $value)).")";
break;
case 'admin':
$where[] = "admin_filter.admin = ".intval($value);
$joins['adminfilter'] = "INNER JOIN entity_admin admin_filter ON admin_filter.entity_id = `group`.entity_id";
break;
case 'member':
$where[] = "member_filter.entity_id = ".intval($value);
$joins['memberfilter'] = "INNER JOIN group_member member_filter ON member_filter.group = `group`.entity_id";
break;
}
}
}
foreach($include as $inc) {
switch($inc) {
case 'admins':
$fields[] = "GROUP_CONCAT(DISTINCT user.uid SEPARATOR ', ') AS admins";
$joins['admins'] = "LEFT JOIN entity_admin ON entity_admin.entity_id = `group`.entity_id";
$joins['adminusers'] = "LEFT JOIN user ON user.entity_id = entity_admin.admin AND user.active";
break;
case 'members':
$fields[] = "COUNT(DISTINCT group_member.entity_id) AS member_count";
$joins['members'] = "LEFT JOIN group_member ON group_member.group = `group`.entity_id";
break;
}
}
try {
$stmt = $this->database->prepare("
SELECT ".implode(", ", $fields)."
FROM `group` ".implode(" ", $joins)."
".(count($where) == 0 ? "" : "WHERE (".implode(") AND (", $where).")")."
GROUP BY group.entity_id
ORDER BY `group`.name
");
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1139) {
throw new GroupSearchInvalidRegexpException;
} else {
throw $e;
}
}
$stmt->execute();
$result = $stmt->get_result();
$groups = array();
while($row = $result->fetch_assoc()) {
$groups[] = new Group($row['entity_id'], $row);
}
$stmt->close();
return $groups;
}
/**
* List all groups that the given entity (User/ServerAccount/Group†) is a member of (searched recursively†).
* †Nested groups are no longer allowed by the UI.
* @todo remove nested group functionality
* @param Entity $entity to find in group memberships
* @param array $via keep track of groups we have already searched through to prevent infinite recursion†
* @param array $groups to allow the function to add to the list of groups when recursing†
* @return array of Group objects
*/
public function list_group_membership(Entity $entity, $via = array(), &$groups = array()) {
$stmt = $this->database->prepare("
SELECT `group`.*, add_date, added_by
FROM group_member
INNER JOIN `group` ON `group`.entity_id = group_member.group
WHERE group_member.entity_id = ?
ORDER BY `group`.name
");
$stmt->bind_param('d', $entity->entity_id);
$stmt->execute();
$result = $stmt->get_result();
while($row = $result->fetch_assoc()) {
$row['added_by'] = new User($row['added_by']);
$group = new Group($row['entity_id'], $row);
$groups[] = $group;
$skip = false;
foreach($via as $check) {
if($group->id == $check->id) $skip = true;
}
if(!$skip) {
$thisvia = $via;
$thisvia[] = $group;
$this->list_group_membership($group, $thisvia, $groups);
}
}
$stmt->close();
return $groups;
}
}
class GroupNotFoundException extends Exception {}
class GroupAlreadyExistsException extends Exception {}
class GroupNotDeletableException extends Exception {}
class GroupSearchInvalidRegexpException extends Exception {}

21
model/groupevent.php
Unescape Escape View File

@ -0,0 +1,21 @@
<?php
/**
* Class that represents a log event that was recorded in relation to a group
*/
class GroupEvent extends EntityEvent {
/**
* Magic getter method - if group field requested, return Group object of the affected group.
* @param string $field to retrieve
* @return mixed data stored in field
*/
public function &__get($field) {
switch($field) {
case 'group':
$group = new Group($this->data['entity_id']);
return $group;
default:
return parent::__get($field);
}
}
}

44
model/migrationdirectory.php
Unescape Escape View File

@ -0,0 +1,44 @@
<?php
/**
* Class for detecting and applying migrations to the database.
*/
class MigrationDirectory extends DBDirectory {
/**
* Increment this constant to activate a new migration from the migrations directory
*/
const LAST_MIGRATION = 3;
public function __construct() {
parent::__construct();
try {
$stmt = $this->database->prepare('SELECT MAX(id) FROM migration');
$stmt->execute();
$result = $stmt->get_result();
list($current_migration) = $result->fetch_row();
} catch(mysqli_sql_exception $e) {
if($e->getCode() === 1146) {
$current_migration = 0;
} else {
throw $e;
}
}
if($current_migration < self::LAST_MIGRATION) {
$this->apply_pending_migrations($current_migration);
}
}
private function apply_pending_migrations($current_migration) {
openlog('dnsui', LOG_ODELAY, LOG_USER);
for($migration_id = $current_migration + 1; $migration_id <= self::LAST_MIGRATION; $migration_id++) {
$filename = str_pad($migration_id, 3, '0', STR_PAD_LEFT).'.php';
syslog(LOG_INFO, "migration={$filename};object=database;action=apply");
$migration_name = $filename;
include('migrations/'.$filename);
$stmt = $this->database->prepare('INSERT INTO migration VALUES (?, ?, NOW())');
$stmt->bind_param('ds', $migration_id, $migration_name);
$stmt->execute();
}
closelog();
}
}

274
model/publickey.php
Unescape Escape View File

@ -0,0 +1,274 @@
<?php
/**
* Class that represents a stored SSH public key
*/
class PublicKey extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'public_key';
/**
* Import all key data from a provided OpenSSH-text-format public key.
* Cope with some possible correctable whitespace data issues.
* @param string $key data to import
* @param string|null $uid if not null, used if key has no comment to generate a standard comment
* @param bool $force if true, enable the use of lower security keys
* @throws InvalidArgumentException if the public key cannot be parsed or is not sufficiently secure
*/
public function import($key, $uid = null, $force = false) {
// Remove newlines (often included by accident) and trim
$key = str_replace(array("\r", "\n"), array(), trim($key));
// Initial sanity check and determine minimum length for algorithm
if(preg_match('|^(ssh-[a-z]{3}) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$|', $key, $matches)) {
$minbits = 4096;
} elseif(preg_match('|^(ecdsa-sha2-nistp[0-9]+) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$|', $key, $matches)) {
$minbits = 384;
} elseif(preg_match('|^(ssh-ed25519) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$|', $key, $matches)) {
$minbits = 256;
} else {
throw new InvalidArgumentException("Public key doesn't look valid");
}
$this->type = $matches[1];
$this->keydata = $matches[2];
if(isset($matches[3])) {
$this->comment = $matches[3];
} elseif(is_null($uid)) {
$this->comment = date('Y-m-d');
} else {
$this->comment = $uid.'-'.date('Y-m-d');
}
$algorithm = $this->get_openssh_info();
$hash_md5 = md5(base64_decode($this->keydata));
$hash_sha256 = hash('sha256', base64_decode($this->keydata), true);
$this->fingerprint_md5 = rtrim(chunk_split($hash_md5, 2, ':'), ':');
$this->fingerprint_sha256 = rtrim(base64_encode($hash_sha256), '=');
$this->randomart_md5 = $this->generate_randomart($hash_md5, "{$algorithm} {$this->keysize}", 'MD5');
$this->randomart_sha256 = $this->generate_randomart(bin2hex($hash_sha256), "{$algorithm} {$this->keysize}", 'SHA256');
if($this->keysize < $minbits && !$force) {
throw new InvalidArgumentException("Insufficient bits in public key");
}
}
/**
* Determine the algorithm and keysize of a key by passing it to OpenSSH's ssh-keygen utility.
* @return string algorithm in use
*/
public function get_openssh_info() {
$filename = tempnam('/tmp', 'key-test-');
$file = fopen($filename, 'w');
fwrite($file, $this->export());
fclose($file);
exec('/usr/bin/ssh-keygen -lf '.escapeshellarg($filename).' 2>/dev/null', $output);
unlink($filename);
if(count($output) == 1 && preg_match('|^([0-9]+) .* \(([A-Z0-9]+)\)$|', $output[0], $matches)) {
$this->keysize = intval($matches[1]);
return $matches[2];
} else {
throw new InvalidArgumentException("Public key doesn't look valid");
}
}
/**
* Generate random art for the key in the same way that OpenSSH does
* OpenSSH random art uses the 'drunken bishop' algorithm as explained at
* https://pthree.org/2013/05/30/openssh-keys-and-the-drunken-bishop/
* @param string $string key hash to generate randomart of
* @param string $keytype string containing text to include at the top of the randomart
* @param string $algo string containing text to include at the bottom of the randomart
* @return string containing generated randomart
*/
function generate_randomart($string, $keytype, $algo) {
// Basic constants
$max_x = 16; // Map size, x dimension
$max_y = 8; // Map size, y dimension
$s_x = 8; // Starting position, x coord
$s_y = 4; // Starting position, y coord
// Character mapping
$char_map = array(' ', '.', 'o', '+', '=', '*', 'B', 'O', 'X', '@', '%', '&', '#', '/', '^');
// Build empty map
$map = array();
for($x = 0; $x <= $max_x; $x++) {
$map[$x] = array();
for($y = 0; $y <= $max_y; $y++) {
$map[$x][$y] = 0;
}
}
// Set the bishop to his starting position
$b_x = $s_x; // Bishop position, x coord
$b_y = $s_y; // Bishop position, y coord
// Let him wander
$chunks = str_split($string, 2);
foreach($chunks as $chunk) {
$binary = str_pad(base_convert($chunk, 16, 2), 8, '0', STR_PAD_LEFT);
foreach(array_reverse(str_split($binary, 2)) as $bit_pair) {
// Work out which diagonal direction he will move based on the bit pair
$dx = ($bit_pair[1] == 0 ? -1 : 1);
$dy = ($bit_pair[0] == 0 ? -1 : 1);
$b_x += $dx;
$b_y += $dy;
// Stop him wandering outside the map
$b_x = min(max($b_x, 0), 16);
$b_y = min(max($b_y, 0), 8);
// Increment count at his new position
$map[$b_x][$b_y]++;
}
}
// Output his path within the map
$output = "+".str_pad('['.$keytype.']', $max_x + 1, '-', STR_PAD_BOTH)."+\n";
for($y = 0; $y <= $max_y; $y++) {
$output .= "|";
for($x = 0; $x <= $max_x; $x++) {
if($x == $b_x && $y == $b_y) {
// End position
$output .= 'E';
} elseif($x == $s_x && $y == $s_y) {
// Start position
$output .= 'S';
} else {
// Output character corresponding to number of passes
if(isset($char_map[$map[$x][$y]])) {
$output .= $char_map[$map[$x][$y]];
} else {
$output .= '^';
}
}
}
$output .= "|\n";
}
$output .= "+".str_pad('['.$algo.']', $max_x + 1, '-', STR_PAD_BOTH)."+";
return $output;
}
/**
* Provide the key in OpenSSH-text-format.
* @return string key in OpenSSH-text-format
*/
public function export() {
return "{$this->type} {$this->keydata} {$this->comment}";
}
/**
* Provide a text summary of details about the key, including hashes, randomart and link to view it.
* @return string text summary
*/
public function summarize_key_information() {
global $config;
$url = $config['web']['baseurl'].'/pubkeys/'.urlencode($this->id);
$output = "The key fingerprint is:\n";
$output .= " MD5:{$this->fingerprint_md5}\n";
$output .= " SHA256:{$this->fingerprint_sha256}\n\n";
$output .= "The key randomart is:\n";
$randomart_md5 = explode("\n", $this->randomart_md5);
$randomart_sha256 = explode("\n", $this->randomart_sha256);
foreach($randomart_md5 as $ref => $line) {
$output .= $line.' '.$randomart_sha256[$ref]."\n";
}
$output .= "\nYou can also view the key at <$url>";
return $output;
}
/**
* Add a GPG signature for this public key.
* @param PublicKeySignature $sig GPG signature to add
*/
public function add_signature(PublicKeySignature $sig) {
if(is_null($this->id)) throw new BadMethodCallException('Public key must be in directory before signatures can be added');
$sig->validate();
$stmt = $this->database->prepare("INSERT INTO public_key_signature SET public_key_id = ?, signature = ?, upload_date = UTC_TIMESTAMP(), fingerprint = ?, sign_date = ?");
$stmt->bind_param('dsss', $this->id, $sig->signature, $sig->fingerprint, $sig->sign_date);
$stmt->execute();
$sig->id = $stmt->insert_id;
$stmt->close();
$this->owner->sync_remote_access();
}
/**
* Delete a GPG signature for this public key.
* @param PublicKeySignature $sig GPG signature to remove
*/
public function delete_signature(PublicKeySignature $sig) {
if(is_null($this->id)) throw new BadMethodCallException('Public key must be in directory before signatures can be deleted');
$stmt = $this->database->prepare("DELETE FROM public_key_signature WHERE public_key_id = ? AND id = ?");
$stmt->bind_param('dd', $this->id, $sig->id);
$stmt->execute();
$stmt->close();
$this->owner->sync_remote_access();
}
/**
* List all GPG signatures stored for this public key.
* @return array of PublicKeySignature objects
*/
public function list_signatures() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Public key must be in directory before signatures can be listed');
$stmt = $this->database->prepare("SELECT * FROM public_key_signature WHERE public_key_id = ?");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$sigs = array();
while($row = $result->fetch_assoc()) {
$sig = new PublicKeySignature($row['id'], $row);
$sig->public_key = $this;
$sigs[] = $sig;
}
$stmt->close();
return $sigs;
}
/**
* Add a destination rule specifying where this key is allowed to be synced to.
* @param PublicKeyDestRule $rule destination rule to be added
*/
public function add_destination_rule(PublicKeyDestRule $rule) {
if(is_null($this->id)) throw new BadMethodCallException('Public key must be in directory before destination rules can be added');
$stmt = $this->database->prepare("INSERT INTO public_key_dest_rule SET public_key_id = ?, account_name_filter = ?, hostname_filter = ?");
$stmt->bind_param('dss', $this->id, $rule->account_name_filter, $rule->hostname_filter);
$stmt->execute();
$rule->id = $stmt->insert_id;
$stmt->close();
$this->owner->sync_remote_access();
}
/**
* Delete a destination rule that specified where this key was allowed to be synced to.
* @param PublicKeyDestRule $rule destination rule to be removed
*/
public function delete_destination_rule(PublicKeyDestRule $rule) {
if(is_null($this->id)) throw new BadMethodCallException('Public key must be in directory before destination rules can be added');
$stmt = $this->database->prepare("DELETE FROM public_key_dest_rule WHERE public_key_id = ? AND id = ?");
$stmt->bind_param('dd', $this->id, $rule->id);
$stmt->execute();
$stmt->close();
$this->owner->sync_remote_access();
}
/**
* List all destination rule currently applying to this key.
* @return array of PublicKeyDestRule objects
*/
public function list_destination_rules() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Public key must be in directory before destination rules can be listed');
$stmt = $this->database->prepare("SELECT * FROM public_key_dest_rule WHERE public_key_id = ?");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$rules = array();
while($row = $result->fetch_assoc()) {
$rules[] = new PublicKeyDestRule($row['id'], $row);
}
$stmt->close();
return $rules;
}
}

14
model/publickeydestrule.php
Unescape Escape View File

@ -0,0 +1,14 @@
<?php
/**
* Class that represents a destination restriction rule on a public key (based on account name and
* server hostname). Wildcards (*) are possible for use in either or both fields.
* Public keys with one or more PublicKeyDestRule objects associated with them will only be synced
* to a destination if it matches at least one of those rules.
*/
class PublicKeyDestRule extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'public_key_dest_rule';
}

90
model/publickeydirectory.php
Unescape Escape View File

@ -0,0 +1,90 @@
<?php
/**
* Class for reading/writing to the list of PublicKey objects in the database.
*/
class PublicKeyDirectory extends DBDirectory {
/**
* Retrieve a public key matching the specified ID.
* @param int $id of public key to retrieve
* @return PublicKey object with specified ID
* @throws PublicKeyNotFoundException if no key with that ID exists
*/
public function get_public_key_by_id($id) {
$stmt = $this->database->prepare("
SELECT public_key.*, entity.type AS entity_type
FROM public_key
INNER JOIN entity ON entity.id = public_key.entity_id
WHERE public_key.id = ?
");
$stmt->bind_param('d', $id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
switch($row['entity_type']) {
case 'user': $row['owner'] = new User($row['entity_id']); break;
case 'server account': $row['owner'] = new ServerAccount($row['entity_id']); break;
}
$key = new PublicKey($row['id'], $row);
} else {
throw new PublicKeyNotFoundException('Public key does not exist.');
}
$stmt->close();
return $key;
}
/**
* List stored public keys, optionally filtered by various parameters.
* See also Entity::list_public_keys function for retrieving keys belonging to a specific entity.
* @param array $include list of extra data to include in response - currently unused
* @param array $filter list of field/value pairs to filter results on
* @return array of PublicKey objects
*/
public function list_public_keys($include = array(), $filter = array()) {
// WARNING: The search query is not parameterized - be sure to properly escape all input
$fields = array("public_key.*, entity.type AS entity_type");
$joins = array();
$where = array();
foreach($filter as $field => $value) {
if($value) {
switch($field) {
case 'type':
$where[] = "public_key.type = '".$this->database->escape_string($value)."'";
break;
case 'keysize-min':
$where[] = "public_key.keysize >= ".intval($this->database->escape_string($value));
break;
case 'keysize-max':
$where[] = "public_key.keysize <= ".intval($this->database->escape_string($value));
break;
case 'fingerprint':
$where[] = "public_key.fingerprint_md5 = '".$this->database->escape_string($value)."' OR public_key.fingerprint_sha256 = '".$this->database->escape_string($value)."'";
break;
}
}
}
$stmt = $this->database->prepare("
SELECT ".implode(", ", $fields)."
FROM public_key ".implode(" ", $joins)."
INNER JOIN entity ON entity.id = public_key.entity_id
LEFT JOIN user ON user.entity_id = entity.id
LEFT JOIN server_account ON server_account.entity_id = entity.id
LEFT JOIN server ON server.id = server_account.server_id
".(count($where) == 0 ? "" : "WHERE (".implode(") AND (", $where).")")."
ORDER BY entity.type, user.uid, server.hostname, server_account.name
");
$stmt->execute();
$result = $stmt->get_result();
$pubkeys = array();
while($row = $result->fetch_assoc()) {
switch($row['entity_type']) {
case 'user': $row['owner'] = new User($row['entity_id']); break;
case 'server account': $row['owner'] = new ServerAccount($row['entity_id']); break;
}
$pubkeys[] = new PublicKey($row['id'], $row);
}
return $pubkeys;
}
}
class PublicKeyNotFoundException extends Exception {}

34
model/publickeysignature.php
Unescape Escape View File

@ -0,0 +1,34 @@
<?php
/**
* Class that represents a GPG signature that is claimed to sign the associated public key.
*/
class PublicKeySignature extends Record {
protected $table = 'public_key_signature';
/**
* Perform basic validation that the signature at least looks like a valid signature and
* retrieve the fingerprint and signing date.
* We cannot check that the signature is actually a valid signature for the public key since we
* would need to have the signing GPG public key on our keyring to do so.
*/
public function validate() {
$gpg = new gnupg();
// We assume that the pubkey file that was signed is equal to the uploaded pubkey + a single newline
$line_endings = array("\n", "\r\n", "\r", ""); // Endings to try in order of expected likelihood
foreach($line_endings as $line_ending) {
$info = $gpg->verify($this->public_key->export().$line_ending, $this->signature);
if(is_array($info)) {
$sig = reset($info);
if($sig['validity'] > 0) break;
} else {
throw new InvalidArgumentException("Signature doesn't seem valid");
}
}
if($sig['validity'] == 0) {
#throw new InvalidArgumentException("Signature doesn't validate against pubkey");
}
$this->fingerprint = $sig['fingerprint'];
$this->sign_date = gmdate('Y-m-d H:i:s', $sig['timestamp']);
}
}

169
model/record.php
Unescape Escape View File

@ -0,0 +1,169 @@
<?php
/**
* Basic record abstract class. Inherited by most classes whose objects are stored in the database.
* Provides __get, __set and update methods for reading and updating fields.
*/
abstract class Record {
/**
* Database connection object
*/
protected $database;
/**
* User object for the logged-in user
*/
protected $active_user;
/**
* Set to true if any data in this record has been modified
*/
protected $dirty;
/**
* The array of data associated with this record
*/
protected $data;
/**
* Defines the database table that these records are stored in
*/
protected $table;
/**
* Defines the field that is the primary key of the table
*/
protected $idfield = 'id';
/**
* The ID of this record
*/
public $id;
public function __construct($id = null, $preload_data = array()) {
global $database;
global $active_user;
$this->database = &$database;
$this->active_user = &$active_user;
$this->id = $id;
$this->data = array();
foreach($preload_data as $field => $value) {
$this->data[$field] = $value;
}
if(is_null($this->id)) $this->dirty = true;
}
/**
* Magic getter method - return the value of the specified field. Retrieve the row from the
* database if we do not have data for that field yet.
* @param string $field name of field to retrieve
* @return mixed data stored in field
* @throws Exception if the row or the field does not exist in the database
*/
public function &__get($field) {
if(!array_key_exists($field, $this->data)) {
// We don't have a value for this field yet
if(is_null($this->id)) {
// Record is not yet in the database - nothing to retrieve
$result = null;
return $result;
}
// Attempt to get data from database
$stmt = $this->database->prepare("SELECT * FROM `$this->table` WHERE {$this->idfield} = ?");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows != 1) {
throw new Exception("Unexpected number of rows returned ({$result->num_rows}), expected exactly 1. Table:{$this->table}, ID field: {$this->idfield}, ID: {$this->id}");
}
$data = $result->fetch_assoc();
// Populate data array for fields we do not already have a value for
foreach($data as $f => $v) {
if(!isset($this->data[$f])) {
$this->data[$f] = $v;
}
}
$stmt->close();
if(!array_key_exists($field, $this->data)) {
// We still don't have a value, so this field doesn't exist in the database
throw new Exception("Field $field does not exist in {$this->table} table.");
}
}
return $this->data[$field];
}
/**
* Magic setter method - store the updated value and set the record as dirty.
* @param string $field name of field
* @param mixed $value data to store in field
*/
public function __set($field, $value) {
$this->data[$field] = $value;
$this->dirty = true;
if($field == $this->idfield) $this->id = $value;
}
/**
* Update the database with all fields that have been modified.
* @return array of StdClass detailing actual updates that were applied
* @throws UniqueKeyViolationException if the update violated a unique key on the table
*/
public function update() {
$stmt = $this->database->prepare("SELECT * FROM `$this->table` WHERE {$this->idfield} = ?");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
if(!($row = $result->fetch_assoc())) {
throw new Exception("Record not found in database");
}
$stmt->close();
$updates = array();
$fields = array();
$values = array();
$types = '';
foreach($row as $field => $value) {
if(array_key_exists($field, $this->data) && $this->data[$field] != $value) {
$update = new StdClass;
$update->field = $field;
$update->old_value = $value;
$update->new_value = $this->data[$field];
$updates[] = $update;
$fields[] = "`$field` = ?";
$values[] =& $this->data[$field];
$types .= 's';
}
}
if(!empty($updates)) {
try {
$stmt = $this->database->prepare("UPDATE `$this->table` SET ".implode(', ', $fields)." WHERE {$this->idfield} = ?");
$values[] =& $this->id;
$types .= 'd';
array_unshift($values, $types);
$reflection = new ReflectionClass('mysqli_stmt');
$method = $reflection->getMethod("bind_param");
$method->invokeArgs($stmt, $values);
$stmt->execute();
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry
$message = $e->getMessage();
if(preg_match("/^Duplicate entry '(.*)' for key '(.*)'$/", $message, $matches)) {
$ne = new UniqueKeyViolationException($e->getMessage());
$ne->fields = explode(',', $matches[2]);
$ne->values = explode(',', $matches[1]);
throw $ne;
}
}
throw $e;
}
}
$this->dirty = false;
return $updates;
}
}
class UniqueKeyViolationException extends Exception {
/**
* Fields involved in the unique key conflict
*/
public $fields;
/**
* Values that conflicted
*/
public $values;
}

571
model/server.php
Unescape Escape View File

@ -0,0 +1,571 @@
<?php
/**
* Class that represents a server
*/
class Server extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'server';
/**
* Write event details to syslog and to server_event table.
* @param array $details event paramaters to be logged
* @param int $level syslog priority as defined in http://php.net/manual/en/function.syslog.php
*/
public function log($details, $level = LOG_INFO) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before log entries can be added');
$json = json_encode($details, JSON_UNESCAPED_UNICODE);
$stmt = $this->database->prepare("INSERT INTO server_event SET server_id = ?, actor_id = ?, date = UTC_TIMESTAMP(), details = ?");
$stmt->bind_param('dds', $this->id, $this->active_user->entity_id, $json);
$stmt->execute();
$stmt->close();
$text = "KeysScope=\"server:{$this->hostname}\" KeysRequester=\"{$this->active_user->uid}\"";
foreach($details as $key => $value) {
$text .= ' Keys'.ucfirst($key).'="'.str_replace('"', '', $value).'"';
}
openlog('keys', LOG_ODELAY, LOG_AUTH);
syslog($level, $text);
closelog();
}
/**
* Write property changes to database and log the changes.
* Triggers a resync if certain settings are changed.
*/
public function update() {
$changes = parent::update();
$resync = false;
foreach($changes as $change) {
switch($change->field) {
case 'hostname':
case 'key_management':
case 'authorization':
case 'custom_keys':
$resync = true;
break;
case 'rsa_key_fingerprint':
if(empty($change->new_value)) $resync = true;
break;
}
$this->log(array('action' => 'Setting update', 'value' => $change->new_value, 'oldvalue' => $change->old_value, 'field' => ucfirst(str_replace('_', ' ', $change->field))));
}
if($resync) {
$this->sync_access();
}
}
/**
* List all log events for this server.
* @return array of ServerEvent objects
*/
public function get_log() {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before log entries can be listed');
$stmt = $this->database->prepare("
SELECT *
FROM server_event
WHERE server_id = ?
ORDER BY id DESC
");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$log = array();
while($row = $result->fetch_assoc()) {
$log[] = new ServerEvent($row['id'], $row);
}
$stmt->close();
return $log;
}
/**
* List all log events for this server and any accounts on the server.
* @return array of ServerEvent/ServerAccountEvent objects
*/
public function get_log_including_accounts() {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before log entries can be listed');
$stmt = $this->database->prepare("
(SELECT se.id, se.actor_id, se.date, se.details, se.server_id, NULL as entity_id, 'server' as type
FROM server_event se
WHERE se.server_id = ?
ORDER BY id DESC)
UNION
(SELECT ee.id, ee.actor_id, ee.date, ee.details, NULL as server_id, ee.entity_id, 'server account' as type
FROM server_account sa
INNER JOIN entity_event ee ON ee.entity_id = sa.entity_id
WHERE sa.server_id = ?
ORDER BY id DESC)
ORDER BY date DESC, id DESC
");
$stmt->bind_param('dd', $this->id, $this->id);
$stmt->execute();
$result = $stmt->get_result();
$log = array();
while($row = $result->fetch_assoc()) {
if($row['type'] == 'server') {
$log[] = new ServerEvent($row['id'], $row);
} elseif($row['type'] == 'server account') {
$log[] = new ServerAccountEvent($row['id'], $row);
}
}
$stmt->close();
return $log;
}
/**
* Get the more recent log event that recorded a change in sync status.
* @todo In a future change we may want to move the 'action' parameter into its own database field.
* @return ServerEvent last sync status change event
*/
public function get_last_sync_event() {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before log entries can be listed');
$stmt = $this->database->prepare("SELECT * FROM server_event WHERE server_id = ? AND details LIKE '{\"action\":\"Sync status change\"%' ORDER BY id DESC LIMIT 1");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$event = new ServerEvent($row['id'], $row);
} else {
$event = null;
}
$stmt->close();
return $event;
}
/**
* Add the specified user or group as an administrator of the server.
* This action is logged with a warning level as it is increasing an access level.
* @param Entity $entity user or group to add as administrator
*/
public function add_admin(Entity $entity) {
global $config;
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before admins can be added');
if(is_null($entity->entity_id)) throw new InvalidArgumentException('User or group must be in directory before it can be made admin');
$entity_id = $entity->entity_id;
try {
$url = $config['web']['baseurl'].'/servers/'.urlencode($this->hostname);
$email = new Email;
$email->subject = "Administrator for {$this->hostname}";
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
switch(get_class($entity)) {
case 'User':
$email->add_recipient($entity->email, $entity->name);
$email->body = "{$this->active_user->name} ({$this->active_user->uid}) has added you as a server administrator for {$this->hostname}. You can administer access to this server from <$url>";
$logmsg = array('action' => 'Administrator add', 'value' => "user:{$entity->uid}");
break;
case 'Group':
foreach($entity->list_members() as $member) {
if(get_class($member) == 'User') {
$email->add_recipient($member->email, $member->name);
}
}
$email->body = "{$this->active_user->name} ({$this->active_user->uid}) has added the {$entity->name} group as server administrator for {$this->hostname}. You are a member of the {$entity->name} group, so you can administer access to this server from <$url>";
$logmsg = array('action' => 'Administrator add', 'value' => "group:{$entity->name}");
break;
default:
throw new InvalidArgumentException('Entities of type '.get_class($entity).' cannot be added as server admins');
}
$stmt = $this->database->prepare("INSERT INTO server_admin SET server_id = ?, entity_id = ?");
$stmt->bind_param('dd', $this->id, $entity_id);
$stmt->execute();
$stmt->close();
if($this->active_user->uid != 'import-script') {
$this->log($logmsg, LOG_WARNING);
$email->send();
}
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry - ignore
} else {
throw $e;
}
}
}
/**
* Remove the specified user or group as an administrator of the server.
* This action is logged with a warning level as it means the removed user/group will no longer
* receive notifications for any changes done to this server.
* @param Entity $entity user or group to remove as administrator
*/
public function delete_admin(Entity $entity) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before admins can be deleted');
if(is_null($entity->entity_id)) throw new InvalidArgumentException('User or group must be in directory before it can be removed as admin');
$entity_id = $entity->entity_id;
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Administrator remove', 'value' => "user:{$entity->uid}"), LOG_WARNING);
break;
case 'Group':
$this->log(array('action' => 'Administrator remove', 'value' => "group:{$entity->name}"), LOG_WARNING);
break;
default:
throw new InvalidArgumentException('Entities of type '.get_class($entity).' should not exist as server admins');
}
$stmt = $this->database->prepare("DELETE FROM server_admin WHERE server_id = ? AND entity_id = ?");
$stmt->bind_param('dd', $this->id, $entity_id);
$stmt->execute();
$stmt->close();
}
/**
* List all administrators of this server.
* @return array of User/Group objects
*/
public function list_admins() {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before admins can be listed');
$stmt = $this->database->prepare("SELECT entity_id, type FROM server_admin INNER JOIN entity ON entity.id = server_admin.entity_id WHERE server_id = ?");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$admins = array();
while($row = $result->fetch_assoc()) {
if(strtolower($row['type']) == "user") {
$admins[] = new User($row['entity_id']);
} elseif(strtolower($row['type']) == "group") {
$admins[] = new Group($row['entity_id']);
}
}
$stmt->close();
return $admins;
}
/**
* Return the list of all users who can administrate this server, including
* via group membership of a group that has been made administrator.
* @return array of User objects
*/
public function list_effective_admins() {
$admins = $this->list_admins();
$e_admins = array();
foreach($admins as $admin) {
switch(get_class($admin)) {
case 'Group':
if($admin->active) {
$members = $admin->list_members();
foreach($members as $member) {
if(get_class($member) == 'User') {
$e_admins[] = $member;
}
}
}
break;
case 'User':
$e_admins[] = $admin;
break;
}
}
return $e_admins;
}
/**
* Create any standard accounts that should exist on every server, and add them to the related
* groups.
*/
public function add_standard_accounts() {
global $group_dir, $config;
if(!isset($config['defaults']['account_groups'])) return;
foreach($config['defaults']['account_groups'] as $account_name => $group_name) {
$account = new ServerAccount;
$account->name = $account_name;
$this->add_account($account);
try {
$group = $group_dir->get_group_by_name($group_name);
} catch(GroupNotFoundException $e) {
$group = new Group;
$group->name = $group_name;
$group->system = 1;
$group_dir->add_group($group);
}
$group->add_member($account);
}
}
/**
* Create a new account on the server.
* Reactivates an existing account if one exists with the same name.
* @param ServerAccount $account to be added
* @throws AccountNameInvalid if account name is empty
*/
public function add_account(ServerAccount &$account) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before accounts can be added');
$account_name = $account->name;
if($account_name === '') throw new AccountNameInvalid('Account name cannot be empty');
if(substr($account_name, 0, 1) === '.') throw new AccountNameInvalid('Account name cannot begin with .');
$sync_status = is_null($account->sync_status) ? 'not synced yet' : $account->sync_status;
$this->database->begin_transaction();
$stmt = $this->database->prepare("INSERT INTO entity SET type = 'server account'");
$stmt->execute();
$account->entity_id = $stmt->insert_id;
$stmt->close();
$stmt = $this->database->prepare("INSERT INTO server_account SET entity_id = ?, server_id = ?, name = ?, sync_status = ?");
$stmt->bind_param('ddss', $account->entity_id, $this->id, $account_name, $sync_status);
try {
$stmt->execute();
$stmt->close();
$this->database->commit();
$this->log(array('action' => 'Account add', 'value' => $account_name));
} catch(mysqli_sql_exception $e) {
$this->database->rollback();
if($e->getCode() == 1062) {
// Duplicate entry
$account = $this->get_account_by_name($account_name);
$account->active = 1;
$account->update();
} else {
throw $e;
}
}
}
/**
* Get a server account from the database by its name.
* @param string $name of account
* @return ServerAccount with specified name
* @throws ServerAccountNotFoundException if no account with that name exists
*/
public function get_account_by_name($name) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before accounts can be listed');
$stmt = $this->database->prepare("SELECT entity_id, name FROM server_account WHERE server_id = ? AND name = ?");
$stmt->bind_param('ds', $this->id, $name);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$account = new ServerAccount($row['entity_id'], $row);
} else {
throw new ServerAccountNotFoundException('Account does not exist.');
}
$stmt->close();
return $account;
}
/**
* List accounts stored for this server.
* @param array $include list of extra data to include in response - currently unused
* @param array $filter list of field/value pairs to filter results on
* @return array of ServerAccount objects
*/
public function list_accounts($include = array(), $filter = array()) {
// WARNING: The search query is not parameterized - be sure to properly escape all input
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before accounts can be listed');
$where = array('server_id = '.intval($this->id), 'active = 1');
$joins = array("LEFT JOIN access_request ON access_request.dest_entity_id = server_account.entity_id");
foreach($filter as $field => $value) {
if($value) {
switch($field) {
case 'admin':
$where[] = "admin_filter.admin = ".intval($value);
$joins['adminfilter'] = "INNER JOIN entity_admin admin_filter ON admin_filter.entity_id = server_account.entity_id";
break;
}
}
}
$stmt = $this->database->prepare("
SELECT server_account.entity_id, name,
COUNT(DISTINCT access_request.source_entity_id) AS pending_requests
FROM server_account
".implode("\n", $joins)."
WHERE (".implode(") AND (", $where).")
GROUP BY server_account.entity_id
ORDER BY name
");
$stmt->execute();
$result = $stmt->get_result();
$accounts = array();
while($row = $result->fetch_assoc()) {
$accounts[] = new ServerAccount($row['entity_id'], $row);
}
$stmt->close();
return $accounts;
}
/**
* Add an access option that should be applied to all LDAP accounts on the server.
* Access options include "command", "from", "no-port-forwarding" etc.
* @param ServerLDAPAccessOption $option to be added
*/
public function add_ldap_access_option(ServerLDAPAccessOption $option) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before LDAP access options can be added');
$stmt = $this->database->prepare("INSERT INTO server_ldap_access_option SET server_id = ?, `option` = ?, value = ?");
$stmt->bind_param('dss', $this->id, $option->option, $option->value);
$stmt->execute();
$stmt->close();
}
/**
* Remove an access option from all LDAP accounts on the server.
* Access options include "command", "from", "no-port-forwarding" etc.
* @param ServerLDAPAccessOption $option to be removed
*/
public function delete_ldap_access_option(ServerLDAPAccessOption $option) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before LDAP access options can be deleted');
$stmt = $this->database->prepare("DELETE FROM server_ldap_access_option WHERE server_id = ? AND `option` = ?");
$stmt->bind_param('ds', $this->id, $option->option);
$stmt->execute();
$stmt->close();
}
/**
* Replace the current list of LDAP access options with the provided array of options.
* This is a crude implementation - just deletes all existing options and adds new ones, with
* table locking for a small measure of safety.
* @param array $options array of ServerLDAPAccessOption objects
*/
public function update_ldap_access_options(array $options) {
$stmt = $this->database->query("LOCK TABLES server_ldap_access_option WRITE");
$oldoptions = $this->list_ldap_access_options();
foreach($oldoptions as $oldoption) {
$this->delete_ldap_access_option($oldoption);
}
foreach($options as $option) {
$this->add_ldap_access_option($option);
}
$stmt = $this->database->query("UNLOCK TABLES");
$this->sync_access();
}
/**
* List all current LDAP access options applied to the server.
* @return array of ServerLDAPAccessOption objects
*/
public function list_ldap_access_options() {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before LDAP access options can be listed');
$stmt = $this->database->prepare("
SELECT *
FROM server_ldap_access_option
WHERE server_id = ?
ORDER BY `option`
");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$options = array();
while($row = $result->fetch_assoc()) {
$options[$row['option']] = new ServerLDAPAccessOption($row['option'], $row);
}
$stmt->close();
return $options;
}
/**
* Update the sync status for the server and write a log message if the status details have changed.
* @param string $status "sync success", "sync failure" or "sync warning"
* @param string $logmsg details of the sync attempt's success or failure
*/
public function sync_report($status, $logmsg) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before sync reporting can be done');
$prevlogmsg = $this->get_last_sync_event();
if(is_null($prevlogmsg) || $logmsg != json_decode($prevlogmsg->details)->value) {
$logmsg = array('action' => 'Sync status change', 'value' => $logmsg);
$this->log($logmsg);
}
$this->sync_status = $status;
$this->update();
}
/**
* Add a note to the server. The note is a piece of text with metadata (who added it and when).
* @param ServerNote $note to be added
*/
public function add_note(ServerNote $note) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before notes can be added');
$entity_id = $note->user->entity_id;
$stmt = $this->database->prepare("INSERT INTO server_note SET server_id = ?, entity_id = ?, date = UTC_TIMESTAMP(), note = ?");
$stmt->bind_param('dds', $this->id, $entity_id, $note->note);
$stmt->execute();
$stmt->close();
}
/**
* Delete the specified note from the server.
* @param ServerNote $note to be deleted
*/
public function delete_note(ServerNote $note) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before notes can be deleted');
$stmt = $this->database->prepare("DELETE FROM server_note WHERE server_id = ? AND id = ?");
$stmt->bind_param('dd', $this->id, $note->id);
$stmt->execute();
$stmt->close();
}
/**
* Retrieve a specific note for this server by its ID.
* @param int $id of note to retrieve
* @return ServerNote matching the ID
* @throws ServerNoteNotFoundException if no note exists with that ID
*/
public function get_note_by_id($id) {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before notes can be listed');
$stmt = $this->database->prepare("SELECT * FROM server_note WHERE server_id = ? AND id = ? ORDER BY id");
$stmt->bind_param('dd', $this->id, $id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$note = new ServerNote($row['id'], $row);
} else {
throw new ServerNoteNotFoundException('Note does not exist.');
}
$stmt->close();
return $note;
}
/**
* List all notes associated with this server.
* @return array of ServerNote objects
*/
public function list_notes() {
if(is_null($this->id)) throw new BadMethodCallException('Server must be in directory before notes can be listed');
$stmt = $this->database->prepare("SELECT * FROM server_note WHERE server_id = ? ORDER BY id");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$notes = array();
while($row = $result->fetch_assoc()) {
$notes[] = new ServerNote($row['id'], $row);
}
$stmt->close();
return $notes;
}
/**
* Trigger a sync for all accounts on this server.
*/
public function sync_access() {
global $sync_request_dir;
$sync_request = new SyncRequest;
$sync_request->server_id = $this->id;
$sync_request->account_name = null;
$sync_request_dir->add_sync_request($sync_request);
}
/**
* List all pending sync requests for this server.
* @return array of SyncRequest objects
*/
public function list_sync_requests() {
$stmt = $this->database->prepare("SELECT * FROM sync_request WHERE server_id = ? ORDER BY account_name");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$reqs = array();
while($row = $result->fetch_assoc()) {
$reqs[] = new SyncRequest($row['id'], $row);
}
return $reqs;
}
/**
* Delete all pending sync requests for this server.
*/
public function delete_all_sync_requests() {
$stmt = $this->database->prepare("DELETE FROM sync_request WHERE server_id = ?");
$stmt->bind_param('d', $this->id);
$stmt->execute();
}
}
class ServerNoteNotFoundException extends Exception {}
class AccountNameInvalid extends InvalidArgumentException {}

437
model/serveraccount.php
Unescape Escape View File

@ -0,0 +1,437 @@
<?php
/**
* Class that represents an account on a server
*/
class ServerAccount extends Entity {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'server_account';
/**
* Defines the field that is the primary key of the table
*/
protected $idfield = 'entity_id';
/**
* Magic getter method - if server field requested, return Server object
* @param string $field to retrieve
* @return mixed data stored in field
*/
public function &__get($field) {
global $user_dir;
switch($field) {
case 'server':
$server = new Server($this->server_id);
return $server;
default:
return parent::__get($field);
}
}
/**
* Write property changes to database and log the changes.
* Triggers a resync of the server if account is activated/deactivated.
*/
public function update() {
global $config;
// Make it impossible to set default accounts to inactive
if(is_array($config['defaults']['account_groups'])) {
if(array_key_exists($this->data['name'], $config['defaults']['account_groups'])) {
$this->data['active'] = true;
}
}
$changes = parent::update();
$resync = false;
foreach($changes as $change) {
$loglevel = LOG_INFO;
switch($change->field) {
case 'active':
if($this->sync_status != 'proposed') {
$resync = true;
}
if($change->new_value == 1) $loglevel = LOG_WARNING;
break;
}
$this->log(array('action' => 'Setting update', 'value' => $change->new_value, 'oldvalue' => $change->old_value, 'field' => ucfirst(str_replace('_', ' ', $change->field))), $loglevel);
}
if($resync) {
$this->server->sync_access();
$this->sync_remote_access();
}
}
/**
* List all log events for this server account.
* @return array of ServerAccountEvent objects
*/
public function get_log() {
if(is_null($this->id)) throw new BadMethodCallException('Server account must be in directory before log entries can be listed');
$stmt = $this->database->prepare("
SELECT *
FROM entity_event
WHERE entity_id = ?
ORDER BY id DESC
");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$log = array();
while($row = $result->fetch_assoc()) {
$log[] = new ServerAccountEvent($row['id'], $row);
}
$stmt->close();
return $log;
}
/**
* Add the specified user as an administrator of the account.
* This action is logged with a warning level as it is increasing an access level.
* @param User $user to add as administrator
*/
public function add_admin(User $user) {
global $config;
parent::add_admin($user);
$url = $config['web']['baseurl'].'/servers/'.urlencode($this->server->hostname).'/accounts/'.urlencode($this->name);
$email = new Email;
$email->subject = "Administrator for {$this->name}@{$this->server->hostname}";
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->add_recipient($user->email, $user->name);
$email->body = "{$this->active_user->name} ({$this->active_user->uid}) has added you as an administrator for the '{$this->name}' account on {$this->server->hostname}. You can administer access to this account from <$url>";
$email->send();
$this->log(array('action' => 'Administrator add', 'value' => "user:{$user->uid}"), LOG_WARNING);
}
/**
* Remove the specified user as an administrator of the account.
* This action is logged with a warning level as it means the removed user will no longer
* receive notifications for any changes done to this account.
* @param User $user to remove as administrator
*/
public function delete_admin(User $user) {
parent::delete_admin($user);
$this->log(array('action' => 'Administrator remove', 'value' => "user:{$user->uid}"), LOG_WARNING);
}
/**
* Add a public key to this account for use with any outbound access rules that apply to it.
* An email is sent to the server admins and sec-ops to inform them of the change.
* This action is logged with a warning level as it is potentially granting SSH access with the key.
* @param PublicKey $key to be added
*/
public function add_public_key(PublicKey $key) {
global $config;
parent::add_public_key($key);
if($this->active_user->uid != 'import-script') {
$url = $config['web']['baseurl'].'/pubkeys/'.urlencode($key->id);
$email = new Email;
$email->add_reply_to($config['email']['admin_address'], $config['email']['admin_name']);
foreach($this->server->list_effective_admins() as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->subject = "A new SSH public key has been added to the account {$this->name}@{$this->server->hostname} by {$this->active_user->uid}";
$email->body = "A new SSH public key has been added to the account {$this->name}@{$this->server->hostname} on SSH Key Authority. The key was added by {$this->active_user->name} ({$this->active_user->uid}).\n\nIf this key was added without your knowledge, please contact {$config['email']['admin_address']} immediately.\n\n".$key->summarize_key_information();
$email->send();
}
$this->log(array('action' => 'Pubkey add', 'value' => $key->fingerprint_md5), LOG_WARNING);
}
/**
* Delete the specified public key from this account.
* @param PublicKey $key to be removed
*/
public function delete_public_key(PublicKey $key) {
parent::delete_public_key($key);
$this->log(array('action' => 'Pubkey remove', 'value' => $key->fingerprint_md5));
}
/**
* Request access for the specified entity (User/ServerAccount/Group) to this account.
* Stores the request and sends an email to the account admins and server admins notifying them of it.
* @param Entity $entity to request access for
*/
public function add_access_request(Entity $entity) {
global $config;
if(is_null($this->entity_id)) throw new BadMethodCallException('Server account must be added to server before access can be requested');
try {
$request = new AccessRequest;
$request->dest_entity_id = $this->entity_id;
$request->source_entity_id = $entity->entity_id;
$request->requested_by = $this->active_user->entity_id;
$stmt = $this->database->prepare("INSERT INTO access_request SET dest_entity_id = ?, source_entity_id = ?, request_date = UTC_TIMESTAMP(), requested_by = ?");
$stmt->bind_param('ddd', $request->dest_entity_id, $request->source_entity_id, $request->requested_by);
$stmt->execute();
$request->id = $stmt->insert_id;
$stmt->close();
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access request', 'value' => "user:{$entity->uid}"));
break;
case 'ServerAccount':
$this->log(array('action' => 'Access request', 'value' => "account:{$entity->name}@{$entity->server->hostname}"));
break;
case 'Group':
$this->log(array('action' => 'Access request', 'value' => "group:{$entity->name}"));
break;
}
$account_admins = $this->list_admins();
$server_admins = $this->server->list_effective_admins();
if($this->active_user->uid != 'import-script') {
$email = new Email;
$email->add_reply_to($this->active_user->email, $this->active_user->name);
if(count($account_admins) == 0) {
foreach($server_admins as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
} else {
foreach($account_admins as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
foreach($server_admins as $admin) {
$email->add_cc($admin->email, $admin->name);
}
}
$url = $config['web']['baseurl'].'/servers/'.urlencode($this->server->hostname).'/accounts/'.urlencode($this->name);
switch(get_class($entity)) {
case 'User':
$email->subject = "{$entity->uid} requests access to {$this->name}@{$this->server->hostname}";
$email->body = "{$entity->name} ({$entity->uid}) has requested access to {$this->name}@{$this->server->hostname}. View this request at <$url>";
break;
case 'ServerAccount':
$email->subject = "{$this->active_user->uid} requests {$entity->name}@{$entity->server->hostname} access to {$this->name}@{$this->server->hostname}";
$email->body = "{$this->active_user->name} ({$this->active_user->uid}) has requested that {$entity->name}@{$entity->server->hostname} have server-to-server access to {$this->name}@{$this->server->hostname}. View this request at <$url>";
break;
case 'Group':
$email->subject = "{$this->active_user->uid} requests {$entity->name} group access to {$this->name}@{$this->server->hostname}";
$email->body = "{$this->active_user->name} ({$this->active_user->uid}) has requested that the {$entity->name} group have access to {$this->name}@{$this->server->hostname}. View this request at <$url>";
break;
}
$email->send();
}
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry - ignore
} else {
throw $e;
}
}
}
/**
* Approve a request for access to this account.
* For user access, sends an email to the requester informing them of the approval.
* Triggers add_access() and deletes the request from the DB.
* @todo send emails for all access types
* @param AccessRequest $request details
*/
public function approve_access_request(AccessRequest $request) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Server account must be added to server before access can be approved');
$entity = $request->source_entity;
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access approve', 'value' => "user:{$entity->uid}"));
$email = new Email;
$email->add_recipient($entity->email, $entity->name);
$email->subject = "Your request for access to {$this->name}@{$this->server->hostname} has been approved";
$email->body = "You requested access to {$this->name}@{$this->server->hostname}, and this request has now been approved by {$this->active_user->name} ({$this->active_user->uid}).";
$email->send();
break;
case 'ServerAccount':
$this->log(array('action' => 'Access approve', 'value' => "account:{$entity->name}@{$entity->server->hostname}"));
break;
case 'Group':
$this->log(array('action' => 'Access approve', 'value' => "group:{$entity->name}"));
break;
}
$options = array();
$this->add_access($entity, $options);
$stmt = $this->database->prepare("DELETE FROM access_request WHERE dest_entity_id = ? AND id = ?");
$stmt->bind_param('dd', $this->entity_id, $request->id);
$stmt->execute();
$stmt->close();
}
/**
* Reject a request for access to this account.
* For user access, sends an email to the requester informing them of the rejection.
* Deletes the request from the DB. If the account was created as the result of a request and
* there are no other pending access requests for the account, deactivate the account.
* @todo send emails for all access types
* @param AccessRequest $request details
*/
public function reject_access_request(AccessRequest $request) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Server account must be added to server before access can be rejected');
$entity = $request->source_entity;
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access reject', 'value' => "user:{$entity->uid}"));
$email = new Email;
$email->add_recipient($entity->email, $entity->name);
$email->subject = "Your request for access to {$this->name}@{$this->server->hostname} has been rejected";
$email->body = "You requested access to {$this->name}@{$this->server->hostname}, but this request has been rejected by {$this->active_user->name} ({$this->active_user->uid}).";
$email->send();
break;
case 'ServerAccount':
$this->log(array('action' => 'Access reject', 'value' => "account:{$entity->name}@{$entity->server->hostname}"));
break;
case 'Group':
$this->log(array('action' => 'Access reject', 'value' => "group:{$entity->name}"));
break;
}
$stmt = $this->database->prepare("DELETE FROM access_request WHERE dest_entity_id = ? AND id = ?");
$stmt->bind_param('dd', $this->entity_id, $request->id);
$stmt->execute();
$stmt->close();
if($this->sync_status == 'proposed') {
if(count($this->list_access_requests()) == 0) {
$this->active = 0;
$this->update();
}
}
}
/**
* Grant the specified entity (User/ServerAccount/Group) access to this server account.
* An email is sent to the account admins, server admins and sec-ops to inform them of the change.
* This action is logged with a warning level as it is granting access.
* @param Entity $entity to add as a group member
* @param array $access_options array of AccessOption rules to apply to the granted access
*/
public function add_access(Entity $entity, array $access_options) {
global $config;
if(is_null($this->entity_id)) throw new BadMethodCallException('Server account must be added to server before access can be added');
if($this->sync_status == 'proposed') {
$this->sync_status = 'not synced yet';
$this->update();
}
try {
$access = new Access;
$access->dest_entity_id = $this->entity_id;
$access->source_entity_id = $entity->entity_id;
$access->granted_by = $this->active_user->entity_id;
$stmt = $this->database->prepare("INSERT INTO access SET dest_entity_id = ?, source_entity_id = ?, grant_date = UTC_TIMESTAMP(), granted_by = ?");
$stmt->bind_param('ddd', $access->dest_entity_id, $access->source_entity_id, $access->granted_by);
$stmt->execute();
$access->id = $stmt->insert_id;
$stmt->close();
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access add', 'value' => "user:{$entity->uid}"), LOG_WARNING);
$mailsubject = "Access granted for {$entity->uid} to {$this->name}@{$this->server->hostname} by {$this->active_user->uid}";
$mailbody = "{$entity->name} ({$entity->uid}) has been granted access to {$this->name}@{$this->server->hostname} by {$this->active_user->name} ({$this->active_user->uid}). The changes will be synced to the server within a few seconds.";
break;
case 'ServerAccount':
$this->log(array('action' => 'Access add', 'value' => "account:{$entity->name}@{$entity->server->hostname}"), LOG_WARNING);
$mailsubject = "Access granted for {$entity->name}@{$entity->server->hostname} to {$this->name}@{$this->server->hostname} by {$this->active_user->uid}";
$mailbody = "{$entity->name}@{$entity->server->hostname} has been granted server-to-server access to {$this->name}@{$this->server->hostname} by {$this->active_user->name} ({$this->active_user->uid}). The changes will be synced to the server within a few seconds.";
break;
case 'Group':
$this->log(array('action' => 'Access add', 'value' => "group:{$entity->name}"), LOG_WARNING);
$mailsubject = "Access granted for {$entity->name} group to {$this->name}@{$this->server->hostname} by {$this->active_user->uid}";
$mailbody = "The {$entity->name} group has been granted access to {$this->name}@{$this->server->hostname} by {$this->active_user->name} ({$this->active_user->uid}). The changes will be synced to the server within a few seconds.";
break;
}
if($this->active_user->uid != 'import-script') {
$account_admins = $this->list_admins();
$server_admins = $this->server->list_effective_admins();
$email = new Email;
if(count($account_admins) == 0) {
foreach($server_admins as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
} else {
foreach($account_admins as $admin) {
$email->add_recipient($admin->email, $admin->name);
}
foreach($server_admins as $admin) {
$email->add_cc($admin->email, $admin->name);
}
}
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->subject = $mailsubject;
$email->body = $mailbody;
$email->send();
}
foreach($access_options as $access_option) {
$access->add_option($access_option);
}
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry - ignore
} else {
throw $e;
}
}
$this->sync_access();
}
/**
* Revoke the specified access rule for this account.
* @param Access $access rule to be removed
*/
public function delete_access(Access $access) {
if(is_null($this->entity_id)) throw new BadMethodCallException('Server account must be added to server before access can be deleted');
$entity = $access->source_entity;
switch(get_class($entity)) {
case 'User':
$this->log(array('action' => 'Access remove', 'value' => "user:{$entity->uid}"));
break;
case 'ServerAccount':
$this->log(array('action' => 'Access remove', 'value' => "account:{$entity->name}@{$entity->server->hostname}"));
break;
case 'Group':
$this->log(array('action' => 'Access remove', 'value' => "group:{$entity->name}"));
break;
}
$stmt = $this->database->prepare("DELETE FROM access WHERE dest_entity_id = ? AND id = ?");
$stmt->bind_param('dd', $this->entity_id, $access->id);
$stmt->execute();
$stmt->close();
$this->sync_access();
}
/**
* List all groups that this account is a member of.
* @return array of Group objects
*/
public function list_group_membership() {
global $group_dir;
return $group_dir->list_group_membership($this);
}
/**
* Trigger a sync for this account.
*/
public function sync_access() {
global $sync_request_dir;
$sync_request = new SyncRequest;
$sync_request->server_id = $this->server_id;
$sync_request->account_name = $this->name;
$sync_request_dir->add_sync_request($sync_request);
}
/**
* Determine if a sync is currently pending for this account.
* @return boolean true if a sync is pending
*/
public function sync_is_pending() {
$stmt = $this->database->prepare("SELECT * FROM sync_request WHERE server_id = ? AND (account_name = ? OR account_name IS NULL) ORDER BY account_name");
$stmt->bind_param('ds', $this->server_id, $this->name);
$stmt->execute();
$result = $stmt->get_result();
return $result->num_rows > 0;
}
/**
* Update the sync status for the account.
* @param string $status "sync success", "sync failure" or "sync warning"
*/
public function sync_report($status) {
if(is_null($this->id)) throw new BadMethodCallException('Server account must be in directory before sync reporting can be done');
if($this->sync_status != 'proposed') {
$this->sync_status = $status;
$this->update();
}
}
}

30
model/serveraccountdirectory.php
Unescape Escape View File

@ -0,0 +1,30 @@
<?php
/**
* Class for reading/writing to the list of ServerAccount objects in the database.
* This class has no add or list methods as these will always be invoked from the parent object (Server).
*/
class ServerAccountDirectory extends DBDirectory {
/**
* Get a server account from the database by its entity ID.
* @param int $entity_id of server account
* @return ServerAccount with specified entity ID
* @throws ServerAccountNotFoundException if no server account with that entity ID exists
*/
public function get_server_account_by_id($entity_id) {
$stmt = $this->database->prepare("SELECT * FROM server_account WHERE entity_id = ?");
$stmt->bind_param('d', $entity_id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$account = new ServerAccount($row['entity_id'], $row);
} else {
throw new ServerAccountNotFoundException('Server account does not exist.');
}
$stmt->close();
return $account;
}
}
class ServerAccountNotFoundException extends Exception {}
class ServerAccountNotDeletableException extends Exception {}

18
model/serveraccountevent.php
Unescape Escape View File

@ -0,0 +1,18 @@
<?php
class ServerAccountEvent extends EntityEvent {
/**
* Magic getter method - if account field requested, return ServerAccount object of the affected account.
* @param string $field to retrieve
* @return mixed data stored in field
*/
public function &__get($field) {
switch($field) {
case 'account':
$group = new ServerAccount($this->data['entity_id']);
return $group;
default:
return parent::__get($field);
}
}
}

178
model/serverdirectory.php
Unescape Escape View File

@ -0,0 +1,178 @@
<?php
/**
* Class for reading/writing to the list of Server objects in the database.
*/
class ServerDirectory extends DBDirectory {
/**
* Create the new server in the database.
* @param Server $server object to add
* @throws ServerAlreadyExistsException if a server with that hostname already exists
*/
public function add_server(Server $server) {
$hostname = $server->hostname;
$port = $server->port;
try {
$stmt = $this->database->prepare("INSERT INTO server SET hostname = ?, port = ?");
$stmt->bind_param('sd', $hostname, $port);
$stmt->execute();
$server->id = $stmt->insert_id;
$stmt->close();
$server->log(array('action' => 'Server add'));
$server->add_standard_accounts();
$server->sync_access();
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1062) {
// Duplicate entry
throw new ServerAlreadyExistsException("Server {$server->hostname} already exists");
} else {
throw $e;
}
}
}
/**
* Get a server from the database by its ID.
* @param int $id of server
* @return Server with specified ID
* @throws ServerNotFoundException if no server with that ID exists
*/
public function get_server_by_id($server_id) {
$stmt = $this->database->prepare("SELECT * FROM server WHERE id = ?");
$stmt->bind_param('d', $server_id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$server = new Server($row['id'], $row);
} else {
throw new ServerNotFoundException('Server does not exist.');
}
$stmt->close();
return $server;
}
/**
* Get a server from the database by its hostname.
* @param string $hostname of server
* @return Server with specified hostname
* @throws ServerNotFoundException if no server with that hostname exists
*/
public function get_server_by_hostname($hostname) {
$stmt = $this->database->prepare("SELECT * FROM server WHERE hostname = ?");
$stmt->bind_param('s', $hostname);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$server = new Server($row['id'], $row);
} else {
throw new ServerNotFoundException('Server does not exist');
}
$stmt->close();
return $server;
}
/**
* Get a server from the database by its uuid.
* @param string $uuid of server
* @return Server with specified uuid
* @throws ServerNotFoundException if no server with that uuid exists
*/
public function get_server_by_uuid($uuid) {
$stmt = $this->database->prepare("SELECT * FROM server WHERE uuid = ?");
$stmt->bind_param('s', $uuid);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$server = new Server($row['id'], $row);
} else {
throw new ServerNotFoundException('Server does not exist');
}
$stmt->close();
return $server;
}
/**
* List all servers in the database.
* @param array $include list of extra data to include in response
* @param array $filter list of field/value pairs to filter results on
* @return array of Server objects
*/
public function list_servers($include = array(), $filter = array()) {
// WARNING: The search query is not parameterized - be sure to properly escape all input
$fields = array("server.*");
$joins = array();
$where = array('!server.deleted');
foreach($filter as $field => $value) {
if($value) {
switch($field) {
case 'hostname':
$where[] = "hostname REGEXP '".$this->database->escape_string($value)."'";
break;
case 'ip_address':
case 'rsa_key_fingerprint':
$where[] = "server.$field = '".$this->database->escape_string($value)."'";
break;
case 'port':
$where[] = "server.$field = ".intval($value);
break;
case 'admin':
$where[] = "admin_search.entity_id = ".intval($value)." OR admin_search_members.entity_id = ".intval($value);
$joins['adminsearch'] = "LEFT JOIN server_admin AS admin_search ON admin_search.server_id = server.id";
$joins['adminsearchmembers'] = "LEFT JOIN group_member AS admin_search_members ON admin_search_members.group = admin_search.entity_id";
break;
case 'authorization':
case 'key_management':
case 'sync_status':
$where[] = "server.$field IN ('".implode("', '", array_map(array($this->database, 'escape_string'), $value))."')";
break;
}
}
}
foreach($include as $inc) {
switch($inc) {
case 'pending_requests':
$fields[] = "COUNT(DISTINCT access_request.source_entity_id) AS pending_requests";
$joins['accounts'] = "LEFT JOIN server_account ON server_account.server_id = server.id";
$joins['requests'] = "LEFT JOIN access_request ON access_request.dest_entity_id = server_account.entity_id";
break;
case 'admins':
$fields[] = "GROUP_CONCAT(DISTINCT IF(user.uid IS NULL, CONCAT('G:', group.name), CONCAT('U:', user.uid)) SEPARATOR ',') AS admins";
$joins['admins'] = "LEFT JOIN server_admin ON server_admin.server_id = server.id";
$joins['adminusers'] = "LEFT JOIN user ON user.entity_id = server_admin.entity_id AND user.active";
$joins['admingroups'] = "LEFT JOIN `group` ON group.entity_id = server_admin.entity_id";
break;
}
}
try {
$stmt = $this->database->prepare("
SELECT ".implode(", ", $fields)."
FROM server ".implode(" ", $joins)."
WHERE (".implode(") AND (", $where).")
GROUP BY server.id
ORDER BY server.hostname
");
} catch(mysqli_sql_exception $e) {
if($e->getCode() == 1139) {
throw new ServerSearchInvalidRegexpException;
} else {
throw $e;
}
}
$stmt->execute();
$result = $stmt->get_result();
$servers = array();
while($row = $result->fetch_assoc()) {
$servers[] = new Server($row['id'], $row);
}
$stmt->close();
usort($servers, function($a, $b) {return strnatcasecmp($a->hostname, $b->hostname);});
# Reverse domain level sort
#usort($servers, function($a, $b) {return strnatcasecmp(implode('.', array_reverse(explode('.', $a->hostname))), implode('.', array_reverse(explode('.', $b->hostname))));});
return $servers;
}
}
class ServerNotFoundException extends Exception {}
class ServerAlreadyExistsException extends Exception {}
class ServerSearchInvalidRegexpException extends Exception {}

31
model/serverevent.php
Unescape Escape View File

@ -0,0 +1,31 @@
<?php
/**
* Class that represents a log event that was recorded in relation to a server
*/
class ServerEvent extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'server_event';
/**
* Magic getter method - if server field requested, return Server object of the affected server;
* if actor field requested, return User object of the person who triggered the logged event.
* @param string $field to retrieve
* @return mixed data stored in field
*/
public function &__get($field) {
global $user_dir;
switch($field) {
case 'actor':
$actor = new User($this->data['actor_id']);
return $actor;
case 'server':
$server = new Server($this->data['server_id']);
return $server;
default:
return parent::__get($field);
}
}
}

11
model/serverldapaccessoption.php
Unescape Escape View File

@ -0,0 +1,11 @@
<?php
/**
* Class that represents an SSH access option that is applied to all LDAP accounts on a server
*/
class ServerLDAPAccessOption extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'server_ldap_access_option';
}

37
model/servernote.php
Unescape Escape View File

@ -0,0 +1,37 @@
<?php
/**
* Class that represents a note associated with a server
*/
class ServerNote extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'server_note';
public function __construct($id = null, $preload_data = array()) {
parent::__construct($id, $preload_data);
global $active_user;
if(is_null($id)) $this->entity_id = $active_user->entity_id;
}
/**
* Magic getter method - if server field requested, return Server object that note applies to;
* if user field requested, return User object of the person who wrote the note.
* @param string $field to retrieve
* @return mixed data stored in field
*/
public function &__get($field) {
global $user_dir;
switch($field) {
case 'user':
$user = new User($this->entity_id);
return $user;
case 'server':
$server = new Server($this->server_id);
return $server;
default:
return parent::__get($field);
}
}
}

19
model/syncrequest.php
Unescape Escape View File

@ -0,0 +1,19 @@
<?php
/**
* Class that represents a request for key syncing
*/
class SyncRequest extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'sync_request';
/**
* Mark this request as in progress
*/
public function set_in_progress() {
$this->processing = true;
$this->update();
}
}

53
model/syncrequestdirectory.php
Unescape Escape View File

@ -0,0 +1,53 @@
<?php
/**
* Class for reading/writing to the list of SyncRequest objects in the database.
*/
class SyncRequestDirectory extends DBDirectory {
/**
* Store query as a prepared statement.
*/
private $sync_list_stmt;
/**
* Create the new sync request in the database.
* @param SyncRequest $req object to add
*/
public function add_sync_request(SyncRequest $req) {
$stmt = $this->database->prepare("INSERT IGNORE INTO sync_request SET server_id = ?, account_name = ?");
$stmt->bind_param('ds', $req->server_id, $req->account_name);
$stmt->execute();
$req->id = $stmt->insert_id;
$stmt->close();
}
/**
* Delete the sync request from the database.
* @param SyncRequest $req object to delete
*/
public function delete_sync_request(SyncRequest $req) {
$stmt = $this->database->prepare("DELETE FROM sync_request WHERE id = ?");
$stmt->bind_param('s', $req->id);
$stmt->execute();
$stmt->close();
}
/**
* List the sync requests stored in the database that are not being processed yet.
* @return array of SyncRequest objects
*/
public function list_pending_sync_requests() {
if(!isset($this->sync_list_stmt)) {
$this->sync_list_stmt = $this->database->prepare("SELECT * FROM sync_request WHERE processing = 0 ORDER BY id");
}
$this->sync_list_stmt->execute();
$result = $this->sync_list_stmt->get_result();
$reqs = array();
while($row = $result->fetch_assoc()) {
$reqs[] = new SyncRequest($row['id'], $row);
}
return $reqs;
}
}
class SyncRequestNotFoundException extends Exception {}

404
model/user.php
Unescape Escape View File

@ -0,0 +1,404 @@
<?php
/**
* Class that represents a user of this system
*/
class User extends Entity {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'user';
/**
* Defines the field that is the primary key of the table
*/
protected $idfield = 'entity_id';
/**
* LDAP connection object
*/
private $ldap;
public function __construct($id = null, $preload_data = array()) {
parent::__construct($id, $preload_data);
global $ldap;
$this->ldap = $ldap;
}
/**
* Write property changes to database and log the changes.
* Triggers a resync if the user was activated/deactivated.
*/
public function update() {
$changes = parent::update();
$resync = false;
foreach($changes as $change) {
$loglevel = LOG_INFO;
switch($change->field) {
case 'active':
$resync = true;
if($change->new_value == 1) $loglevel = LOG_WARNING;
break;
case 'admin':
if($change->new_value == 1) $loglevel = LOG_WARNING;
break;
case 'csrf_token':
case 'superior_entity_id':
return;
}
$this->log(array('action' => 'Setting update', 'value' => $change->new_value, 'oldvalue' => $change->old_value, 'field' => ucfirst(str_replace('_', ' ', $change->field))), $loglevel);
}
if($resync) {
$this->sync_remote_access();
}
}
/**
* Magic getter method - if superior field requested, return User object of user's superior
* @param string $field to retrieve
* @return mixed data stored in field
*/
public function &__get($field) {
global $user_dir;
switch($field) {
case 'superior':
if(is_null($this->superior_entity_id)) $superior = null;
else $superior = new User($this->superior_entity_id);
return $superior;
default:
return parent::__get($field);
}
}
/**
* List all events on entities and servers that this user has administrator access to
* @param array $include list of extra data to include in response
* @return array of *Event objects
*/
public function list_events($include = array()) {
global $event_dir;
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before events can be listed');
return $event_dir->list_events($include, array('admin' => $this->entity_id));
}
/**
* List all servers that are administrated by this user
* @param array $include list of extra data to include in response
* @return array of Server objects
*/
public function list_admined_servers($include = array()) {
global $server_dir;
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before admined servers can be listed');
return $server_dir->list_servers($include, array('admin' => $this->entity_id, 'key_management' => array('none', 'keys', 'other')));
}
/**
* List all groups that are administrated by this user
* @param array $include list of extra data to include in response
* @return array of Group objects
*/
public function list_admined_groups($include = array()) {
global $group_dir;
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before admined group can be listed');
$groups = $group_dir->list_groups($include, array('admin' => $this->entity_id));
return $groups;
}
/**
* List all groups that this user is a member of
* @param array $include list of extra data to include in response
* @return array of Group objects
*/
public function list_group_memberships($include = array()) {
global $group_dir;
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before group memberships can be listed');
$groups = $group_dir->list_groups($include, array('member' => $this->entity_id));
return $groups;
}
/**
* Determine if this user is an administrator of the specified entity or server.
* @param Record $record object to check for administration privileges
* @return bool true if user is an administrator of the object
* @throws InvalidArgumentException if a non-administratable Record is provided
*/
public function admin_of(Record $record) {
switch(get_class($record)) {
case 'Server':
$stmt = $this->database->prepare("
SELECT entity_id
FROM group_member
WHERE (`group` IN (
SELECT entity_id
FROM server_admin
WHERE server_id = ?)
AND entity_id = ?)
UNION (SELECT entity_id
FROM server_admin
WHERE server_id = ?
AND entity_id = ?)");
$stmt->bind_param('dddd', $record->id, $this->entity_id, $record->id, $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
return $result->num_rows >= 1;
break;
case 'Group':
case 'ServerAccount':
$stmt = $this->database->prepare("SELECT * FROM entity_admin WHERE admin = ? AND entity_id = ?");
$stmt->bind_param('dd', $this->entity_id, $record->entity_id);
$stmt->execute();
$result = $stmt->get_result();
return $result->num_rows >= 1;
break;
default:
throw new InvalidArgumentException('Records of type '.get_class($record).' cannot be administered');
}
}
/**
* Determine if this user is a member of the specified group
* @param Group $group to check membership of
* @return bool true if user is an member of the group
*/
public function member_of(Group $group) {
$stmt = $this->database->prepare("SELECT * FROM group_member WHERE entity_id = ? AND `group` = ?");
$stmt->bind_param('dd', $this->entity_id, $group->entity_id);
$stmt->execute();
$result = $stmt->get_result();
return $result->num_rows >= 1;
}
/**
* Add a public key to this user for use with any outbound access rules that apply to them.
* An email is sent to the user and sec-ops to inform them of the change.
* This action is logged with a warning level as it is potentially granting SSH access with the key.
* @param PublicKey $key to be added
*/
public function add_public_key(PublicKey $key) {
global $active_user, $config;
parent::add_public_key($key);
if($active_user->uid != 'import-script') {
$url = $config['web']['baseurl'].'/pubkeys/'.urlencode($key->id);
$email = new Email;
$email->add_reply_to($config['email']['admin_address'], $config['email']['admin_name']);
$email->add_recipient($this->email, $this->name);
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
$email->subject = "A new SSH public key has been added to your account ({$this->uid})";
$email->body = "A new SSH public key has been added to your account on SSH Key Authority.\n\nIf you added this key then all is well. If you do not recall adding this key, please contact {$config['email']['admin_address']} immediately.\n\n".$key->summarize_key_information();
$email->send();
}
$this->log(array('action' => 'Pubkey add', 'value' => $key->fingerprint_md5), LOG_WARNING);
}
/**
* Delete the specified public key from this user.
* @param PublicKey $key to be removed
*/
public function delete_public_key(PublicKey $key) {
global $active_user;
parent::delete_public_key($key);
$this->log(array('action' => 'Pubkey remove', 'value' => $key->fingerprint_md5));
}
/**
* Add an alert to be displayed to this user on their next normal page load.
* @param UserAlert $alert to be displayed
*/
public function add_alert(UserAlert $alert) {
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before alerts can be added');
$stmt = $this->database->prepare("INSERT INTO user_alert SET entity_id = ?, class = ?, content = ?, escaping = ?");
$stmt->bind_param('dssd', $this->entity_id, $alert->class, $alert->content, $alert->escaping);
$stmt->execute();
$alert->id = $stmt->insert_id;
$stmt->close();
}
/**
* List all alerts for this user *and* delete them.
* @return array of UserAlert objects
*/
public function pop_alerts() {
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before alerts can be listed');
$stmt = $this->database->prepare("SELECT * FROM user_alert WHERE entity_id = ?");
$stmt->bind_param('d', $this->entity_id);
$stmt->execute();
$result = $stmt->get_result();
$alerts = array();
$alert_ids = array();
while($row = $result->fetch_assoc()) {
$alerts[] = new UserAlert($row['id'], $row);
$alert_ids[] = $row['id'];
}
$stmt->close();
if(count($alert_ids) > 0) {
$this->database->query("DELETE FROM user_alert WHERE id IN (".implode(", ", $alert_ids).")");
}
return $alerts;
}
/**
* Determine if this user has been granted access to the specified account.
* @param ServerAccount $account to check for access
* @return bool true if user has access to the account
*/
public function has_access(ServerAccount $account) {
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before access can be checked');
$stmt = $this->database->prepare("SELECT * FROM access WHERE source_entity_id = ? AND dest_entity_id = ?");
$stmt->bind_param('dd', $this->entity_id, $account->entity_id);
$stmt->execute();
$result = $stmt->get_result();
return (bool)$result->fetch_assoc();
}
/**
* Return HTML containing the user's CSRF token for inclusion in a POST form.
* Also includes a random string of the same length to help guard against http://breachattack.com/
* @return string HTML
*/
public function get_csrf_field() {
return '<input type="hidden" name="csrf_token" value="'.hesc($this->get_csrf_token()).'"><!-- '.hash("sha512", mt_rand(0, mt_getrandmax())).' -->'."\n";
}
/**
* Return the user's CSRF token. Generate one if they do not yet have one.
* @return string CSRF token
*/
public function get_csrf_token() {
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before CSRF token can be generated');
if(!isset($this->data['csrf_token'])) {
$this->data['csrf_token'] = hash("sha512", mt_rand(0, mt_getrandmax()));
$this->update();
}
return $this->data['csrf_token'];
}
/**
* Check the given string against the user's CSRF token.
* @return bool true on string match
*/
public function check_csrf_token($token) {
return $token === $this->get_csrf_token();
}
/**
* Retrieve the user's details from LDAP.
* @param bool $login true if getting user details as part of login process
* @throws UserNotFoundException if the user is not found in LDAP
*/
public function get_details_from_ldap($login = false) {
global $config, $group_dir, $user_dir, $active_user;
$attributes = array();
$attributes[] = 'dn';
$attributes[] = $config['ldap']['user_id'];
$attributes[] = $config['ldap']['user_name'];
$attributes[] = $config['ldap']['user_email'];
$attributes[] = $config['ldap']['group_member_value'];
if(isset($config['ldap']['user_active'])) {
$attributes[] = $config['ldap']['user_active'];
}
if(isset($config['ldap']['user_filter'])) {
$user_filter = $config['ldap']['user_filter'];
} else {
$user_filter = '';
}
if(isset($config['ldap']['group_filter'])) {
$group_filter = $config['ldap']['group_filter'];
} else {
$group_filter = '';
}
$ldapusers = $this->ldap->search($config['ldap']['dn_user'], '(&('.LDAP::escape($config['ldap']['user_id']).'='.LDAP::escape($this->uid).')'.$user_filter.')', array_keys(array_flip($attributes)));
if($ldapuser = reset($ldapusers)) {
$this->auth_realm = 'LDAP';
$this->uid = $ldapuser[strtolower($config['ldap']['user_id'])];
$this->name = $ldapuser[strtolower($config['ldap']['user_name'])];
$this->email = $ldapuser[strtolower($config['ldap']['user_email'])];
if(isset($config['ldap']['user_active'])) {
$this->active = 0;
if(isset($config['ldap']['user_active_true'])) {
$this->active = intval($ldapuser[strtolower($config['ldap']['user_active'])] == $config['ldap']['user_active_true']);
} elseif(isset($config['ldap']['user_active_false'])) {
$this->active = intval($ldapuser[strtolower($config['ldap']['user_active'])] != $config['ldap']['user_active_false']);
}
} else {
$this->active = 1;
}
$group_member = $ldapuser[strtolower($config['ldap']['group_member_value'])];
$ldapgroups = $this->ldap->search($config['ldap']['dn_group'], '(&('.LDAP::escape($config['ldap']['group_member']).'='.LDAP::escape($group_member).')'.$group_filter.')', array('cn'));
$memberships = array();
foreach($ldapgroups as $ldapgroup) {
$memberships[$ldapgroup['cn']] = true;
}
$this->admin = (int)isset($memberships[$config['ldap']['admin_group_cn']]);
if(isset($this->id)) {
$this->update();
} else {
$user_dir->add_user($this);
if($login) {
$active_user = $this;
}
}
if(isset($config['ldap']['sync_groups']) && is_array($config['ldap']['sync_groups'])) {
$syncgroups = $config['ldap']['sync_groups'];
} else {
$syncgroups = array();
}
$syncgroups[] = $config['ldap']['admin_group_cn'];
foreach($syncgroups as $syncgroup) {
try {
$group = $group_dir->get_group_by_name($syncgroup);
} catch(GroupNotFoundException $e) {
$group = new Group;
$group->name = $syncgroup;
$group->system = 1;
$group_dir->add_group($group);
}
if(isset($memberships[$syncgroup])) {
if(!$this->member_of($group)) {
$group->add_member($this);
}
} else {
if($this->member_of($group)) {
$group->delete_member($this);
}
}
}
} else {
throw new UserNotFoundException('User does not exist.');
}
}
/**
* Retrieve the user's superior from LDAP.
* @throws UserNotFoundException if the user is not found in LDAP
*/
public function get_superior_from_ldap() {
global $user_dir, $config;
if(is_null($this->entity_id)) throw new BadMethodCallException('User must be in directory before superior employee can be looked up');
if(!isset($config['ldap']['user_superior'])) {
throw new BadMethodCallException("Cannot retrieve user's superior if user_superior is not configured");
}
$ldapusers = $this->ldap->search($config['ldap']['dn_user'], LDAP::escape($config['ldap']['user_id']).'='.LDAP::escape($this->uid), array($config['ldap']['user_superior']));
if($ldapuser = reset($ldapusers)) {
$superior = null;
if(isset($ldapuser[strtolower($config['ldap']['user_superior'])]) && $ldapuser[strtolower($config['ldap']['user_superior'])] != $this->uid) {
$superior_uid = $ldapuser[strtolower($config['ldap']['user_superior'])];
try {
$superior = $user_dir->get_user_by_uid($superior_uid);
} catch(UserNotFoundException $e) {
}
}
if(is_null($superior)) {
$this->superior_entity_id = null;
} else {
$this->superior_entity_id = $superior->entity_id;
}
$this->update();
} else {
throw new UserNotFoundException('User does not exist.');
}
}
/**
* Implements the Entity::sync_access as a no-op as it makes no sense to grant access TO a user.
*/
public function sync_access() {
}
}

20
model/useralert.php
Unescape Escape View File

@ -0,0 +1,20 @@
<?php
/**
* Class that represents an alert associated with a user
*/
class UserAlert extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'user_alert';
/**
* Set some default values for the alert, including escaping HTML by default.
*/
public function __construct($id = null, $preload_data = array()) {
parent::__construct($id, $preload_data);
if(!isset($this->data['class'])) $this->data['class'] = 'success';
if(!isset($this->data['escaping'])) $this->data['escaping'] = ESC_HTML;
}
}

135
model/userdirectory.php
Unescape Escape View File

@ -0,0 +1,135 @@
<?php
/**
* Class for reading/writing to the list of User objects in the database.
*/
class UserDirectory extends DBDirectory {
/**
* LDAP connection object
*/
private $ldap;
/**
* Avoid making multiple LDAP lookups on the same person by caching their details here
*/
private $cache_uid;
public function __construct() {
parent::__construct();
global $ldap;
$this->ldap = $ldap;
$this->cache_uid = array();
}
/**
* Create the new user in the database.
* @param User $user object to add
*/
public function add_user(User $user) {
$user_id = $user->uid;
$user_name = $user->name;
$user_active = $user->active;
$user_admin = $user->admin;
$user_email = $user->email;
$stmt = $this->database->prepare("INSERT INTO entity SET type = 'user'");
$stmt->execute();
$user->entity_id = $stmt->insert_id;
$stmt = $this->database->prepare("INSERT INTO user SET entity_id = ?, uid = ?, name = ?, email = ?, active = ?, admin = ?");
$stmt->bind_param('dsssdd', $user->entity_id, $user_id, $user_name, $user_email, $user_active, $user_admin);
$stmt->execute();
$stmt->close();
}
/**
* Get a user from the database by its entity ID.
* @param int $entity_id of user
* @return User with specified entity ID
* @throws UserNotFoundException if no user with that entity ID exists
*/
public function get_user_by_id($id) {
$stmt = $this->database->prepare("SELECT * FROM user WHERE entity_id = ?");
$stmt->bind_param('d', $id);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$user = new User($row['entity_id'], $row);
} else {
throw new UserNotFoundException('User does not exist.');
}
$stmt->close();
return $user;
}
/**
* Get a user from the database by its uid. If it does not exist in the database, retrieve it
* from LDAP and store in the database.
* @param string $uid of user
* @param bool $login true if getting user as part of login process
* @return User with specified entity uid
* @throws UserNotFoundException if no user with that uid exists
*/
public function get_user_by_uid($uid, $login = false) {
if(isset($this->cache_uid[$uid])) {
return $this->cache_uid[$uid];
}
$stmt = $this->database->prepare("SELECT * FROM user WHERE uid = ?");
$stmt->bind_param('s', $uid);
$stmt->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()) {
$user = new User($row['entity_id'], $row);
$this->cache_uid[$uid] = $user;
} else {
$user = new User;
$user->uid = $uid;
$this->cache_uid[$uid] = $user;
$user->get_details_from_ldap($login);
}
$stmt->close();
return $user;
}
/**
* List all users in the database.
* @param array $include list of extra data to include in response - currently unused
* @param array $filter list of field/value pairs to filter results on
* @return array of User objects
*/
public function list_users($include = array(), $filter = array()) {
// WARNING: The search query is not parameterized - be sure to properly escape all input
$fields = array("user.*");
$joins = array();
$where = array();
foreach($filter as $field => $value) {
if($value) {
switch($field) {
case 'uid':
$where[] = "uid = '".$this->database->escape_string($value)."'";
break;
case 'name':
$where[] = "name = '".$this->database->escape_string($value)."'";
break;
case 'admins_servers':
$joins[] = "INNER JOIN server_admin ON server_admin.entity_id = user.entity_id";
$joins[] = "INNER JOIN server ON server.id = server_admin.server_id AND server.key_management <> 'decommissioned'";
break;
}
}
}
$stmt = $this->database->prepare("
SELECT ".implode(", ", $fields)."
FROM user ".implode(" ", $joins)."
".(count($where) == 0 ? "" : "WHERE (".implode(") AND (", $where).")")."
GROUP BY user.entity_id
ORDER BY user.uid
");
$stmt->execute();
$result = $stmt->get_result();
$users = array();
while($row = $result->fetch_assoc()) {
$users[] = new User($row['entity_id'], $row);
}
return $users;
}
}
class UserNotFoundException extends Exception {}

21
model/userevent.php
Unescape Escape View File

@ -0,0 +1,21 @@
<?php
/**
* Class that represents a log event that was recorded in relation to a group
*/
class UserEvent extends EntityEvent {
/**
* Magic getter method - if group field requested, return Group object of the affected group.
* @param string $field to retrieve
* @return mixed data stored in field
*/
public function &__get($field) {
switch($field) {
case 'user':
$user = new User($this->data['entity_id']);
return $user;
default:
return parent::__get($field);
}
}
}

63
pagesection.php
Unescape Escape View File

@ -0,0 +1,63 @@
<?php
class PageSection {
private $template;
private $data;
public function __construct($template) {
global $relative_request_url;
global $active_user;
global $database;
global $config;
$this->template = $template;
$this->data = new StdClass;
$this->data->menu_items = array();
$this->data->menu_items['/'] = 'Home';
$this->data->menu_items['/servers'] = 'Servers';
$this->data->menu_items['/users'] = 'Users';
$this->data->menu_items['/groups'] = 'Groups';
$this->data->menu_items['/pubkeys'] = 'Public keys';
if($active_user && ($active_user->admin || count($active_user->list_admined_servers()) > 0)) {
$this->data->menu_items['/activity'] = 'Activity';
}
if($active_user && $active_user->admin) {
$this->data->menu_items['/tools'] = 'Tools';
}
$this->data->menu_items['/help'] = 'Help';
$this->data->relative_request_url = $relative_request_url;
$this->data->active_user = $active_user;
$this->data->web_config = $config['web'];
$this->data->email_config = $config['email'];
if($active_user && $active_user->developer) {
$this->data->database = $database;
}
}
public function set_by_array($array, $prefix = '') {
foreach($array as $item => $data) {
$this->setData($prefix.$item, $data);
}
}
public function set($item, $data) {
$this->data->$item = $data;
}
public function get($item) {
if(isset($this->data->$item)) {
if(is_object($this->data->$item) && get_class($this->data->$item) == 'PageSection') {
return $this->data->$item->generate();
} else {
return $this->data->$item;
}
} else {
return null;
}
}
public function generate() {
ob_start();
$data = $this->data;
include_once(path_join('templates', 'functions.php'));
include(path_join('templates', $this->template.'.php'));
$output = ob_get_contents();
ob_end_clean();
return $output;
}
}

587
public_html/bootstrap/css/bootstrap-theme.css vendored
Unescape Escape View File

@ -0,0 +1,587 @@
/*!
* Bootstrap v3.3.7 (http://getbootstrap.com)
* Copyright 2011-2016 Twitter, Inc.
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
*/
.btn-default,
.btn-primary,
.btn-success,
.btn-info,
.btn-warning,
.btn-danger {
text-shadow: 0 -1px 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, .15), 0 1px 1px rgba(0, 0, 0, .075);
box-shadow: inset 0 1px 0 rgba(255, 255, 255, .15), 0 1px 1px rgba(0, 0, 0, .075);
}
.btn-default:active,
.btn-primary:active,
.btn-success:active,
.btn-info:active,
.btn-warning:active,
.btn-danger:active,
.btn-default.active,
.btn-primary.active,
.btn-success.active,
.btn-info.active,
.btn-warning.active,
.btn-danger.active {
-webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, .125);
box-shadow: inset 0 3px 5px rgba(0, 0, 0, .125);
}
.btn-default.disabled,
.btn-primary.disabled,
.btn-success.disabled,
.btn-info.disabled,
.btn-warning.disabled,
.btn-danger.disabled,
.btn-default[disabled],
.btn-primary[disabled],
.btn-success[disabled],
.btn-info[disabled],
.btn-warning[disabled],
.btn-danger[disabled],
fieldset[disabled] .btn-default,
fieldset[disabled] .btn-primary,
fieldset[disabled] .btn-success,
fieldset[disabled] .btn-info,
fieldset[disabled] .btn-warning,
fieldset[disabled] .btn-danger {
-webkit-box-shadow: none;
box-shadow: none;
}
.btn-default .badge,
.btn-primary .badge,
.btn-success .badge,
.btn-info .badge,
.btn-warning .badge,
.btn-danger .badge {
text-shadow: none;
}
.btn:active,
.btn.active {
background-image: none;
}
.btn-default {
text-shadow: 0 1px 0 #fff;
background-image: -webkit-linear-gradient(top, #fff 0%, #e0e0e0 100%);
background-image: -o-linear-gradient(top, #fff 0%, #e0e0e0 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#e0e0e0));
background-image: linear-gradient(to bottom, #fff 0%, #e0e0e0 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffe0e0e0', GradientType=0);
filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
background-repeat: repeat-x;
border-color: #dbdbdb;
border-color: #ccc;
}
.btn-default:hover,
.btn-default:focus {
background-color: #e0e0e0;
background-position: 0 -15px;
}
.btn-default:active,
.btn-default.active {
background-color: #e0e0e0;
border-color: #dbdbdb;
}
.btn-default.disabled,
.btn-default[disabled],
fieldset[disabled] .btn-default,
.btn-default.disabled:hover,
.btn-default[disabled]:hover,
fieldset[disabled] .btn-default:hover,
.btn-default.disabled:focus,
.btn-default[disabled]:focus,
fieldset[disabled] .btn-default:focus,
.btn-default.disabled.focus,
.btn-default[disabled].focus,
fieldset[disabled] .btn-default.focus,
.btn-default.disabled:active,
.btn-default[disabled]:active,
fieldset[disabled] .btn-default:active,
.btn-default.disabled.active,
.btn-default[disabled].active,
fieldset[disabled] .btn-default.active {
background-color: #e0e0e0;
background-image: none;
}
.btn-primary {
background-image: -webkit-linear-gradient(top, #337ab7 0%, #265a88 100%);
background-image: -o-linear-gradient(top, #337ab7 0%, #265a88 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#337ab7), to(#265a88));
background-image: linear-gradient(to bottom, #337ab7 0%, #265a88 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff337ab7', endColorstr='#ff265a88', GradientType=0);
filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
background-repeat: repeat-x;
border-color: #245580;
}
.btn-primary:hover,
.btn-primary:focus {
background-color: #265a88;
background-position: 0 -15px;
}
.btn-primary:active,
.btn-primary.active {
background-color: #265a88;
border-color: #245580;
}
.btn-primary.disabled,
.btn-primary[disabled],
fieldset[disabled] .btn-primary,
.btn-primary.disabled:hover,
.btn-primary[disabled]:hover,
fieldset[disabled] .btn-primary:hover,
.btn-primary.disabled:focus,
.btn-primary[disabled]:focus,
fieldset[disabled] .btn-primary:focus,
.btn-primary.disabled.focus,
.btn-primary[disabled].focus,
fieldset[disabled] .btn-primary.focus,
.btn-primary.disabled:active,
.btn-primary[disabled]:active,
fieldset[disabled] .btn-primary:active,
.btn-primary.disabled.active,
.btn-primary[disabled].active,
fieldset[disabled] .btn-primary.active {
background-color: #265a88;
background-image: none;
}
.btn-success {
background-image: -webkit-linear-gradient(top, #5cb85c 0%, #419641 100%);
background-image: -o-linear-gradient(top, #5cb85c 0%, #419641 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#5cb85c), to(#419641));
background-image: linear-gradient(to bottom, #5cb85c 0%, #419641 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5cb85c', endColorstr='#ff419641', GradientType=0);
filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
background-repeat: repeat-x;
border-color: #3e8f3e;
}
.btn-success:hover,
.btn-success:focus {
background-color: #419641;
background-position: 0 -15px;
}
.btn-success:active,
.btn-success.active {
background-color: #419641;
border-color: #3e8f3e;
}
.btn-success.disabled,
.btn-success[disabled],
fieldset[disabled] .btn-success,
.btn-success.disabled:hover,
.btn-success[disabled]:hover,
fieldset[disabled] .btn-success:hover,
.btn-success.disabled:focus,
.btn-success[disabled]:focus,
fieldset[disabled] .btn-success:focus,
.btn-success.disabled.focus,
.btn-success[disabled].focus,
fieldset[disabled] .btn-success.focus,
.btn-success.disabled:active,
.btn-success[disabled]:active,
fieldset[disabled] .btn-success:active,
.btn-success.disabled.active,
.btn-success[disabled].active,
fieldset[disabled] .btn-success.active {
background-color: #419641;
background-image: none;
}
.btn-info {
background-image: -webkit-linear-gradient(top, #5bc0de 0%, #2aabd2 100%);
background-image: -o-linear-gradient(top, #5bc0de 0%, #2aabd2 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#5bc0de), to(#2aabd2));
background-image: linear-gradient(to bottom, #5bc0de 0%, #2aabd2 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5bc0de', endColorstr='#ff2aabd2', GradientType=0);
filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
background-repeat: repeat-x;
border-color: #28a4c9;
}
.btn-info:hover,
.btn-info:focus {
background-color: #2aabd2;
background-position: 0 -15px;
}
.btn-info:active,
.btn-info.active {
background-color: #2aabd2;
border-color: #28a4c9;
}
.btn-info.disabled,
.btn-info[disabled],
fieldset[disabled] .btn-info,
.btn-info.disabled:hover,
.btn-info[disabled]:hover,
fieldset[disabled] .btn-info:hover,
.btn-info.disabled:focus,
.btn-info[disabled]:focus,
fieldset[disabled] .btn-info:focus,
.btn-info.disabled.focus,
.btn-info[disabled].focus,
fieldset[disabled] .btn-info.focus,
.btn-info.disabled:active,
.btn-info[disabled]:active,
fieldset[disabled] .btn-info:active,
.btn-info.disabled.active,
.btn-info[disabled].active,
fieldset[disabled] .btn-info.active {
background-color: #2aabd2;
background-image: none;
}
.btn-warning {
background-image: -webkit-linear-gradient(top, #f0ad4e 0%, #eb9316 100%);
background-image: -o-linear-gradient(top, #f0ad4e 0%, #eb9316 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#f0ad4e), to(#eb9316));
background-image: linear-gradient(to bottom, #f0ad4e 0%, #eb9316 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff0ad4e', endColorstr='#ffeb9316', GradientType=0);
filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
background-repeat: repeat-x;
border-color: #e38d13;
}
.btn-warning:hover,
.btn-warning:focus {
background-color: #eb9316;
background-position: 0 -15px;
}
.btn-warning:active,
.btn-warning.active {
background-color: #eb9316;
border-color: #e38d13;
}
.btn-warning.disabled,
.btn-warning[disabled],
fieldset[disabled] .btn-warning,
.btn-warning.disabled:hover,
.btn-warning[disabled]:hover,
fieldset[disabled] .btn-warning:hover,
.btn-warning.disabled:focus,
.btn-warning[disabled]:focus,
fieldset[disabled] .btn-warning:focus,
.btn-warning.disabled.focus,
.btn-warning[disabled].focus,
fieldset[disabled] .btn-warning.focus,
.btn-warning.disabled:active,
.btn-warning[disabled]:active,
fieldset[disabled] .btn-warning:active,
.btn-warning.disabled.active,
.btn-warning[disabled].active,
fieldset[disabled] .btn-warning.active {
background-color: #eb9316;
background-image: none;
}
.btn-danger {
background-image: -webkit-linear-gradient(top, #d9534f 0%, #c12e2a 100%);
background-image: -o-linear-gradient(top, #d9534f 0%, #c12e2a 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#d9534f), to(#c12e2a));
background-image: linear-gradient(to bottom, #d9534f 0%, #c12e2a 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9534f', endColorstr='#ffc12e2a', GradientType=0);
filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
background-repeat: repeat-x;
border-color: #b92c28;
}
.btn-danger:hover,
.btn-danger:focus {
background-color: #c12e2a;
background-position: 0 -15px;
}
.btn-danger:active,
.btn-danger.active {
background-color: #c12e2a;
border-color: #b92c28;
}
.btn-danger.disabled,
.btn-danger[disabled],
fieldset[disabled] .btn-danger,
.btn-danger.disabled:hover,
.btn-danger[disabled]:hover,
fieldset[disabled] .btn-danger:hover,
.btn-danger.disabled:focus,
.btn-danger[disabled]:focus,
fieldset[disabled] .btn-danger:focus,
.btn-danger.disabled.focus,
.btn-danger[disabled].focus,
fieldset[disabled] .btn-danger.focus,
.btn-danger.disabled:active,
.btn-danger[disabled]:active,
fieldset[disabled] .btn-danger:active,
.btn-danger.disabled.active,
.btn-danger[disabled].active,
fieldset[disabled] .btn-danger.active {
background-color: #c12e2a;
background-image: none;
}
.thumbnail,
.img-thumbnail {
-webkit-box-shadow: 0 1px 2px rgba(0, 0, 0, .075);
box-shadow: 0 1px 2px rgba(0, 0, 0, .075);
}
.dropdown-menu > li > a:hover,
.dropdown-menu > li > a:focus {
background-color: #e8e8e8;
background-image: -webkit-linear-gradient(top, #f5f5f5 0%, #e8e8e8 100%);
background-image: -o-linear-gradient(top, #f5f5f5 0%, #e8e8e8 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#f5f5f5), to(#e8e8e8));
background-image: linear-gradient(to bottom, #f5f5f5 0%, #e8e8e8 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff5f5f5', endColorstr='#ffe8e8e8', GradientType=0);
background-repeat: repeat-x;
}
.dropdown-menu > .active > a,
.dropdown-menu > .active > a:hover,
.dropdown-menu > .active > a:focus {
background-color: #2e6da4;
background-image: -webkit-linear-gradient(top, #337ab7 0%, #2e6da4 100%);
background-image: -o-linear-gradient(top, #337ab7 0%, #2e6da4 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#337ab7), to(#2e6da4));
background-image: linear-gradient(to bottom, #337ab7 0%, #2e6da4 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff337ab7', endColorstr='#ff2e6da4', GradientType=0);
background-repeat: repeat-x;
}
.navbar-default {
background-image: -webkit-linear-gradient(top, #fff 0%, #f8f8f8 100%);
background-image: -o-linear-gradient(top, #fff 0%, #f8f8f8 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#f8f8f8));
background-image: linear-gradient(to bottom, #fff 0%, #f8f8f8 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#fff8f8f8', GradientType=0);
filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
background-repeat: repeat-x;
border-radius: 4px;
-webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, .15), 0 1px 5px rgba(0, 0, 0, .075);
box-shadow: inset 0 1px 0 rgba(255, 255, 255, .15), 0 1px 5px rgba(0, 0, 0, .075);
}
.navbar-default .navbar-nav > .open > a,
.navbar-default .navbar-nav > .active > a {
background-image: -webkit-linear-gradient(top, #dbdbdb 0%, #e2e2e2 100%);
background-image: -o-linear-gradient(top, #dbdbdb 0%, #e2e2e2 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#dbdbdb), to(#e2e2e2));
background-image: linear-gradient(to bottom, #dbdbdb 0%, #e2e2e2 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffdbdbdb', endColorstr='#ffe2e2e2', GradientType=0);
background-repeat: repeat-x;
-webkit-box-shadow: inset 0 3px 9px rgba(0, 0, 0, .075);
box-shadow: inset 0 3px 9px rgba(0, 0, 0, .075);
}
.navbar-brand,
.navbar-nav > li > a {
text-shadow: 0 1px 0 rgba(255, 255, 255, .25);
}
.navbar-inverse {
background-image: -webkit-linear-gradient(top, #3c3c3c 0%, #222 100%);
background-image: -o-linear-gradient(top, #3c3c3c 0%, #222 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#3c3c3c), to(#222));
background-image: linear-gradient(to bottom, #3c3c3c 0%, #222 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff3c3c3c', endColorstr='#ff222222', GradientType=0);
filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
background-repeat: repeat-x;
border-radius: 4px;
}
.navbar-inverse .navbar-nav > .open > a,
.navbar-inverse .navbar-nav > .active > a {
background-image: -webkit-linear-gradient(top, #080808 0%, #0f0f0f 100%);
background-image: -o-linear-gradient(top, #080808 0%, #0f0f0f 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#080808), to(#0f0f0f));
background-image: linear-gradient(to bottom, #080808 0%, #0f0f0f 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff080808', endColorstr='#ff0f0f0f', GradientType=0);
background-repeat: repeat-x;
-webkit-box-shadow: inset 0 3px 9px rgba(0, 0, 0, .25);
box-shadow: inset 0 3px 9px rgba(0, 0, 0, .25);
}
.navbar-inverse .navbar-brand,
.navbar-inverse .navbar-nav > li > a {
text-shadow: 0 -1px 0 rgba(0, 0, 0, .25);
}
.navbar-static-top,
.navbar-fixed-top,
.navbar-fixed-bottom {
border-radius: 0;
}
@media (max-width: 767px) {
.navbar .navbar-nav .open .dropdown-menu > .active > a,
.navbar .navbar-nav .open .dropdown-menu > .active > a:hover,
.navbar .navbar-nav .open .dropdown-menu > .active > a:focus {
color: #fff;
background-image: -webkit-linear-gradient(top, #337ab7 0%, #2e6da4 100%);
background-image: -o-linear-gradient(top, #337ab7 0%, #2e6da4 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#337ab7), to(#2e6da4));
background-image: linear-gradient(to bottom, #337ab7 0%, #2e6da4 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff337ab7', endColorstr='#ff2e6da4', GradientType=0);
background-repeat: repeat-x;
}
}
.alert {
text-shadow: 0 1px 0 rgba(255, 255, 255, .2);
-webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, .25), 0 1px 2px rgba(0, 0, 0, .05);
box-shadow: inset 0 1px 0 rgba(255, 255, 255, .25), 0 1px 2px rgba(0, 0, 0, .05);
}
.alert-success {
background-image: -webkit-linear-gradient(top, #dff0d8 0%, #c8e5bc 100%);
background-image: -o-linear-gradient(top, #dff0d8 0%, #c8e5bc 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#dff0d8), to(#c8e5bc));
background-image: linear-gradient(to bottom, #dff0d8 0%, #c8e5bc 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffdff0d8', endColorstr='#ffc8e5bc', GradientType=0);
background-repeat: repeat-x;
border-color: #b2dba1;
}
.alert-info {
background-image: -webkit-linear-gradient(top, #d9edf7 0%, #b9def0 100%);
background-image: -o-linear-gradient(top, #d9edf7 0%, #b9def0 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#d9edf7), to(#b9def0));
background-image: linear-gradient(to bottom, #d9edf7 0%, #b9def0 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9edf7', endColorstr='#ffb9def0', GradientType=0);
background-repeat: repeat-x;
border-color: #9acfea;
}
.alert-warning {
background-image: -webkit-linear-gradient(top, #fcf8e3 0%, #f8efc0 100%);
background-image: -o-linear-gradient(top, #fcf8e3 0%, #f8efc0 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#fcf8e3), to(#f8efc0));
background-image: linear-gradient(to bottom, #fcf8e3 0%, #f8efc0 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffcf8e3', endColorstr='#fff8efc0', GradientType=0);
background-repeat: repeat-x;
border-color: #f5e79e;
}
.alert-danger {
background-image: -webkit-linear-gradient(top, #f2dede 0%, #e7c3c3 100%);
background-image: -o-linear-gradient(top, #f2dede 0%, #e7c3c3 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#f2dede), to(#e7c3c3));
background-image: linear-gradient(to bottom, #f2dede 0%, #e7c3c3 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff2dede', endColorstr='#ffe7c3c3', GradientType=0);
background-repeat: repeat-x;
border-color: #dca7a7;
}
.progress {
background-image: -webkit-linear-gradient(top, #ebebeb 0%, #f5f5f5 100%);
background-image: -o-linear-gradient(top, #ebebeb 0%, #f5f5f5 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#ebebeb), to(#f5f5f5));
background-image: linear-gradient(to bottom, #ebebeb 0%, #f5f5f5 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffebebeb', endColorstr='#fff5f5f5', GradientType=0);
background-repeat: repeat-x;
}
.progress-bar {
background-image: -webkit-linear-gradient(top, #337ab7 0%, #286090 100%);
background-image: -o-linear-gradient(top, #337ab7 0%, #286090 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#337ab7), to(#286090));
background-image: linear-gradient(to bottom, #337ab7 0%, #286090 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff337ab7', endColorstr='#ff286090', GradientType=0);
background-repeat: repeat-x;
}
.progress-bar-success {
background-image: -webkit-linear-gradient(top, #5cb85c 0%, #449d44 100%);
background-image: -o-linear-gradient(top, #5cb85c 0%, #449d44 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#5cb85c), to(#449d44));
background-image: linear-gradient(to bottom, #5cb85c 0%, #449d44 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5cb85c', endColorstr='#ff449d44', GradientType=0);
background-repeat: repeat-x;
}
.progress-bar-info {
background-image: -webkit-linear-gradient(top, #5bc0de 0%, #31b0d5 100%);
background-image: -o-linear-gradient(top, #5bc0de 0%, #31b0d5 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#5bc0de), to(#31b0d5));
background-image: linear-gradient(to bottom, #5bc0de 0%, #31b0d5 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5bc0de', endColorstr='#ff31b0d5', GradientType=0);
background-repeat: repeat-x;
}
.progress-bar-warning {
background-image: -webkit-linear-gradient(top, #f0ad4e 0%, #ec971f 100%);
background-image: -o-linear-gradient(top, #f0ad4e 0%, #ec971f 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#f0ad4e), to(#ec971f));
background-image: linear-gradient(to bottom, #f0ad4e 0%, #ec971f 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff0ad4e', endColorstr='#ffec971f', GradientType=0);
background-repeat: repeat-x;
}
.progress-bar-danger {
background-image: -webkit-linear-gradient(top, #d9534f 0%, #c9302c 100%);
background-image: -o-linear-gradient(top, #d9534f 0%, #c9302c 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#d9534f), to(#c9302c));
background-image: linear-gradient(to bottom, #d9534f 0%, #c9302c 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9534f', endColorstr='#ffc9302c', GradientType=0);
background-repeat: repeat-x;
}
.progress-bar-striped {
background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);
background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);
background-image: linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);
}
.list-group {
border-radius: 4px;
-webkit-box-shadow: 0 1px 2px rgba(0, 0, 0, .075);
box-shadow: 0 1px 2px rgba(0, 0, 0, .075);
}
.list-group-item.active,
.list-group-item.active:hover,
.list-group-item.active:focus {
text-shadow: 0 -1px 0 #286090;
background-image: -webkit-linear-gradient(top, #337ab7 0%, #2b669a 100%);
background-image: -o-linear-gradient(top, #337ab7 0%, #2b669a 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#337ab7), to(#2b669a));
background-image: linear-gradient(to bottom, #337ab7 0%, #2b669a 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff337ab7', endColorstr='#ff2b669a', GradientType=0);
background-repeat: repeat-x;
border-color: #2b669a;
}
.list-group-item.active .badge,
.list-group-item.active:hover .badge,
.list-group-item.active:focus .badge {
text-shadow: none;
}
.panel {
-webkit-box-shadow: 0 1px 2px rgba(0, 0, 0, .05);
box-shadow: 0 1px 2px rgba(0, 0, 0, .05);
}
.panel-default > .panel-heading {
background-image: -webkit-linear-gradient(top, #f5f5f5 0%, #e8e8e8 100%);
background-image: -o-linear-gradient(top, #f5f5f5 0%, #e8e8e8 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#f5f5f5), to(#e8e8e8));
background-image: linear-gradient(to bottom, #f5f5f5 0%, #e8e8e8 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff5f5f5', endColorstr='#ffe8e8e8', GradientType=0);
background-repeat: repeat-x;
}
.panel-primary > .panel-heading {
background-image: -webkit-linear-gradient(top, #337ab7 0%, #2e6da4 100%);
background-image: -o-linear-gradient(top, #337ab7 0%, #2e6da4 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#337ab7), to(#2e6da4));
background-image: linear-gradient(to bottom, #337ab7 0%, #2e6da4 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff337ab7', endColorstr='#ff2e6da4', GradientType=0);
background-repeat: repeat-x;
}
.panel-success > .panel-heading {
background-image: -webkit-linear-gradient(top, #dff0d8 0%, #d0e9c6 100%);
background-image: -o-linear-gradient(top, #dff0d8 0%, #d0e9c6 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#dff0d8), to(#d0e9c6));
background-image: linear-gradient(to bottom, #dff0d8 0%, #d0e9c6 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffdff0d8', endColorstr='#ffd0e9c6', GradientType=0);
background-repeat: repeat-x;
}
.panel-info > .panel-heading {
background-image: -webkit-linear-gradient(top, #d9edf7 0%, #c4e3f3 100%);
background-image: -o-linear-gradient(top, #d9edf7 0%, #c4e3f3 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#d9edf7), to(#c4e3f3));
background-image: linear-gradient(to bottom, #d9edf7 0%, #c4e3f3 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9edf7', endColorstr='#ffc4e3f3', GradientType=0);
background-repeat: repeat-x;
}
.panel-warning > .panel-heading {
background-image: -webkit-linear-gradient(top, #fcf8e3 0%, #faf2cc 100%);
background-image: -o-linear-gradient(top, #fcf8e3 0%, #faf2cc 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#fcf8e3), to(#faf2cc));
background-image: linear-gradient(to bottom, #fcf8e3 0%, #faf2cc 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffcf8e3', endColorstr='#fffaf2cc', GradientType=0);
background-repeat: repeat-x;
}
.panel-danger > .panel-heading {
background-image: -webkit-linear-gradient(top, #f2dede 0%, #ebcccc 100%);
background-image: -o-linear-gradient(top, #f2dede 0%, #ebcccc 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#f2dede), to(#ebcccc));
background-image: linear-gradient(to bottom, #f2dede 0%, #ebcccc 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff2dede', endColorstr='#ffebcccc', GradientType=0);
background-repeat: repeat-x;
}
.well {
background-image: -webkit-linear-gradient(top, #e8e8e8 0%, #f5f5f5 100%);
background-image: -o-linear-gradient(top, #e8e8e8 0%, #f5f5f5 100%);
background-image: -webkit-gradient(linear, left top, left bottom, from(#e8e8e8), to(#f5f5f5));
background-image: linear-gradient(to bottom, #e8e8e8 0%, #f5f5f5 100%);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffe8e8e8', endColorstr='#fff5f5f5', GradientType=0);
background-repeat: repeat-x;
border-color: #dcdcdc;
-webkit-box-shadow: inset 0 1px 3px rgba(0, 0, 0, .05), 0 1px 0 rgba(255, 255, 255, .1);
box-shadow: inset 0 1px 3px rgba(0, 0, 0, .05), 0 1px 0 rgba(255, 255, 255, .1);
}
/*# sourceMappingURL=bootstrap-theme.css.map */

1
public_html/bootstrap/css/bootstrap-theme.css.map
View File

File diff suppressed because one or more lines are too long

6
public_html/bootstrap/css/bootstrap-theme.min.css vendored
View File

File diff suppressed because one or more lines are too long

1
public_html/bootstrap/css/bootstrap-theme.min.css.map
View File

File diff suppressed because one or more lines are too long

6757
public_html/bootstrap/css/bootstrap.css vendored
View File

File diff suppressed because it is too large Load Diff

1
public_html/bootstrap/css/bootstrap.css.map
View File

File diff suppressed because one or more lines are too long

6
public_html/bootstrap/css/bootstrap.min.css vendored
View File

File diff suppressed because one or more lines are too long

1
public_html/bootstrap/css/bootstrap.min.css.map
View File

File diff suppressed because one or more lines are too long

BIN
public_html/bootstrap/fonts/glyphicons-halflings-regular.eot
View File

Binary file not shown.

288
public_html/bootstrap/fonts/glyphicons-halflings-regular.svg
Unescape Escape View File

@ -0,0 +1,288 @@
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
<svg xmlns="http://www.w3.org/2000/svg">
<metadata></metadata>
<defs>
<font id="glyphicons_halflingsregular" horiz-adv-x="1200" >
<font-face units-per-em="1200" ascent="960" descent="-240" />
<missing-glyph horiz-adv-x="500" />
<glyph horiz-adv-x="0" />
<glyph horiz-adv-x="400" />
<glyph unicode=" " />
<glyph unicode="*" d="M600 1100q15 0 34 -1.5t30 -3.5l11 -1q10 -2 17.5 -10.5t7.5 -18.5v-224l158 158q7 7 18 8t19 -6l106 -106q7 -8 6 -19t-8 -18l-158 -158h224q10 0 18.5 -7.5t10.5 -17.5q6 -41 6 -75q0 -15 -1.5 -34t-3.5 -30l-1 -11q-2 -10 -10.5 -17.5t-18.5 -7.5h-224l158 -158 q7 -7 8 -18t-6 -19l-106 -106q-8 -7 -19 -6t-18 8l-158 158v-224q0 -10 -7.5 -18.5t-17.5 -10.5q-41 -6 -75 -6q-15 0 -34 1.5t-30 3.5l-11 1q-10 2 -17.5 10.5t-7.5 18.5v224l-158 -158q-7 -7 -18 -8t-19 6l-106 106q-7 8 -6 19t8 18l158 158h-224q-10 0 -18.5 7.5 t-10.5 17.5q-6 41 -6 75q0 15 1.5 34t3.5 30l1 11q2 10 10.5 17.5t18.5 7.5h224l-158 158q-7 7 -8 18t6 19l106 106q8 7 19 6t18 -8l158 -158v224q0 10 7.5 18.5t17.5 10.5q41 6 75 6z" />
<glyph unicode="+" d="M450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-350h350q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-350v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v350h-350q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5 h350v350q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xa0;" />
<glyph unicode="&#xa5;" d="M825 1100h250q10 0 12.5 -5t-5.5 -13l-364 -364q-6 -6 -11 -18h268q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-100h275q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-174q0 -11 -7.5 -18.5t-18.5 -7.5h-148q-11 0 -18.5 7.5t-7.5 18.5v174 h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h125v100h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h118q-5 12 -11 18l-364 364q-8 8 -5.5 13t12.5 5h250q25 0 43 -18l164 -164q8 -8 18 -8t18 8l164 164q18 18 43 18z" />
<glyph unicode="&#x2000;" horiz-adv-x="650" />
<glyph unicode="&#x2001;" horiz-adv-x="1300" />
<glyph unicode="&#x2002;" horiz-adv-x="650" />
<glyph unicode="&#x2003;" horiz-adv-x="1300" />
<glyph unicode="&#x2004;" horiz-adv-x="433" />
<glyph unicode="&#x2005;" horiz-adv-x="325" />
<glyph unicode="&#x2006;" horiz-adv-x="216" />
<glyph unicode="&#x2007;" horiz-adv-x="216" />
<glyph unicode="&#x2008;" horiz-adv-x="162" />
<glyph unicode="&#x2009;" horiz-adv-x="260" />
<glyph unicode="&#x200a;" horiz-adv-x="72" />
<glyph unicode="&#x202f;" horiz-adv-x="260" />
<glyph unicode="&#x205f;" horiz-adv-x="325" />
<glyph unicode="&#x20ac;" d="M744 1198q242 0 354 -189q60 -104 66 -209h-181q0 45 -17.5 82.5t-43.5 61.5t-58 40.5t-60.5 24t-51.5 7.5q-19 0 -40.5 -5.5t-49.5 -20.5t-53 -38t-49 -62.5t-39 -89.5h379l-100 -100h-300q-6 -50 -6 -100h406l-100 -100h-300q9 -74 33 -132t52.5 -91t61.5 -54.5t59 -29 t47 -7.5q22 0 50.5 7.5t60.5 24.5t58 41t43.5 61t17.5 80h174q-30 -171 -128 -278q-107 -117 -274 -117q-206 0 -324 158q-36 48 -69 133t-45 204h-217l100 100h112q1 47 6 100h-218l100 100h134q20 87 51 153.5t62 103.5q117 141 297 141z" />
<glyph unicode="&#x20bd;" d="M428 1200h350q67 0 120 -13t86 -31t57 -49.5t35 -56.5t17 -64.5t6.5 -60.5t0.5 -57v-16.5v-16.5q0 -36 -0.5 -57t-6.5 -61t-17 -65t-35 -57t-57 -50.5t-86 -31.5t-120 -13h-178l-2 -100h288q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-138v-175q0 -11 -5.5 -18 t-15.5 -7h-149q-10 0 -17.5 7.5t-7.5 17.5v175h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v100h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v475q0 10 7.5 17.5t17.5 7.5zM600 1000v-300h203q64 0 86.5 33t22.5 119q0 84 -22.5 116t-86.5 32h-203z" />
<glyph unicode="&#x2212;" d="M250 700h800q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#x231b;" d="M1000 1200v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-50v-100q0 -91 -49.5 -165.5t-130.5 -109.5q81 -35 130.5 -109.5t49.5 -165.5v-150h50q21 0 35.5 -14.5t14.5 -35.5v-150h-800v150q0 21 14.5 35.5t35.5 14.5h50v150q0 91 49.5 165.5t130.5 109.5q-81 35 -130.5 109.5 t-49.5 165.5v100h-50q-21 0 -35.5 14.5t-14.5 35.5v150h800zM400 1000v-100q0 -60 32.5 -109.5t87.5 -73.5q28 -12 44 -37t16 -55t-16 -55t-44 -37q-55 -24 -87.5 -73.5t-32.5 -109.5v-150h400v150q0 60 -32.5 109.5t-87.5 73.5q-28 12 -44 37t-16 55t16 55t44 37 q55 24 87.5 73.5t32.5 109.5v100h-400z" />
<glyph unicode="&#x25fc;" horiz-adv-x="500" d="M0 0z" />
<glyph unicode="&#x2601;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -206.5q0 -121 -85 -207.5t-205 -86.5h-750q-79 0 -135.5 57t-56.5 137q0 69 42.5 122.5t108.5 67.5q-2 12 -2 37q0 153 108 260.5t260 107.5z" />
<glyph unicode="&#x26fa;" d="M774 1193.5q16 -9.5 20.5 -27t-5.5 -33.5l-136 -187l467 -746h30q20 0 35 -18.5t15 -39.5v-42h-1200v42q0 21 15 39.5t35 18.5h30l468 746l-135 183q-10 16 -5.5 34t20.5 28t34 5.5t28 -20.5l111 -148l112 150q9 16 27 20.5t34 -5zM600 200h377l-182 112l-195 534v-646z " />
<glyph unicode="&#x2709;" d="M25 1100h1150q10 0 12.5 -5t-5.5 -13l-564 -567q-8 -8 -18 -8t-18 8l-564 567q-8 8 -5.5 13t12.5 5zM18 882l264 -264q8 -8 8 -18t-8 -18l-264 -264q-8 -8 -13 -5.5t-5 12.5v550q0 10 5 12.5t13 -5.5zM918 618l264 264q8 8 13 5.5t5 -12.5v-550q0 -10 -5 -12.5t-13 5.5 l-264 264q-8 8 -8 18t8 18zM818 482l364 -364q8 -8 5.5 -13t-12.5 -5h-1150q-10 0 -12.5 5t5.5 13l364 364q8 8 18 8t18 -8l164 -164q8 -8 18 -8t18 8l164 164q8 8 18 8t18 -8z" />
<glyph unicode="&#x270f;" d="M1011 1210q19 0 33 -13l153 -153q13 -14 13 -33t-13 -33l-99 -92l-214 214l95 96q13 14 32 14zM1013 800l-615 -614l-214 214l614 614zM317 96l-333 -112l110 335z" />
<glyph unicode="&#xe001;" d="M700 650v-550h250q21 0 35.5 -14.5t14.5 -35.5v-50h-800v50q0 21 14.5 35.5t35.5 14.5h250v550l-500 550h1200z" />
<glyph unicode="&#xe002;" d="M368 1017l645 163q39 15 63 0t24 -49v-831q0 -55 -41.5 -95.5t-111.5 -63.5q-79 -25 -147 -4.5t-86 75t25.5 111.5t122.5 82q72 24 138 8v521l-600 -155v-606q0 -42 -44 -90t-109 -69q-79 -26 -147 -5.5t-86 75.5t25.5 111.5t122.5 82.5q72 24 138 7v639q0 38 14.5 59 t53.5 34z" />
<glyph unicode="&#xe003;" d="M500 1191q100 0 191 -39t156.5 -104.5t104.5 -156.5t39 -191l-1 -2l1 -5q0 -141 -78 -262l275 -274q23 -26 22.5 -44.5t-22.5 -42.5l-59 -58q-26 -20 -46.5 -20t-39.5 20l-275 274q-119 -77 -261 -77l-5 1l-2 -1q-100 0 -191 39t-156.5 104.5t-104.5 156.5t-39 191 t39 191t104.5 156.5t156.5 104.5t191 39zM500 1022q-88 0 -162 -43t-117 -117t-43 -162t43 -162t117 -117t162 -43t162 43t117 117t43 162t-43 162t-117 117t-162 43z" />
<glyph unicode="&#xe005;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104z" />
<glyph unicode="&#xe006;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429z" />
<glyph unicode="&#xe007;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429zM477 700h-240l197 -142l-74 -226 l193 139l195 -140l-74 229l192 140h-234l-78 211z" />
<glyph unicode="&#xe008;" d="M600 1200q124 0 212 -88t88 -212v-250q0 -46 -31 -98t-69 -52v-75q0 -10 6 -21.5t15 -17.5l358 -230q9 -5 15 -16.5t6 -21.5v-93q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v93q0 10 6 21.5t15 16.5l358 230q9 6 15 17.5t6 21.5v75q-38 0 -69 52 t-31 98v250q0 124 88 212t212 88z" />
<glyph unicode="&#xe009;" d="M25 1100h1150q10 0 17.5 -7.5t7.5 -17.5v-1050q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v1050q0 10 7.5 17.5t17.5 7.5zM100 1000v-100h100v100h-100zM875 1000h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5t17.5 -7.5h550 q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM1000 1000v-100h100v100h-100zM100 800v-100h100v100h-100zM1000 800v-100h100v100h-100zM100 600v-100h100v100h-100zM1000 600v-100h100v100h-100zM875 500h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5 t17.5 -7.5h550q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM100 400v-100h100v100h-100zM1000 400v-100h100v100h-100zM100 200v-100h100v100h-100zM1000 200v-100h100v100h-100z" />
<glyph unicode="&#xe010;" d="M50 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM50 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe011;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM850 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 700h200q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h200 q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5 t35.5 14.5z" />
<glyph unicode="&#xe012;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h700q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe013;" d="M465 477l571 571q8 8 18 8t17 -8l177 -177q8 -7 8 -17t-8 -18l-783 -784q-7 -8 -17.5 -8t-17.5 8l-384 384q-8 8 -8 18t8 17l177 177q7 8 17 8t18 -8l171 -171q7 -7 18 -7t18 7z" />
<glyph unicode="&#xe014;" d="M904 1083l178 -179q8 -8 8 -18.5t-8 -17.5l-267 -268l267 -268q8 -7 8 -17.5t-8 -18.5l-178 -178q-8 -8 -18.5 -8t-17.5 8l-268 267l-268 -267q-7 -8 -17.5 -8t-18.5 8l-178 178q-8 8 -8 18.5t8 17.5l267 268l-267 268q-8 7 -8 17.5t8 18.5l178 178q8 8 18.5 8t17.5 -8 l268 -267l268 268q7 7 17.5 7t18.5 -7z" />
<glyph unicode="&#xe015;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM425 900h150q10 0 17.5 -7.5t7.5 -17.5v-75h75q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5 t-17.5 -7.5h-75v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-75q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v75q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe016;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM325 800h350q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-350q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe017;" d="M550 1200h100q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM800 975v166q167 -62 272 -209.5t105 -331.5q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5 t-184.5 123t-123 184.5t-45.5 224q0 184 105 331.5t272 209.5v-166q-103 -55 -165 -155t-62 -220q0 -116 57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5q0 120 -62 220t-165 155z" />
<glyph unicode="&#xe018;" d="M1025 1200h150q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM725 800h150q10 0 17.5 -7.5t7.5 -17.5v-750q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v750 q0 10 7.5 17.5t17.5 7.5zM425 500h150q10 0 17.5 -7.5t7.5 -17.5v-450q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v450q0 10 7.5 17.5t17.5 7.5zM125 300h150q10 0 17.5 -7.5t7.5 -17.5v-250q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5 v250q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe019;" d="M600 1174q33 0 74 -5l38 -152l5 -1q49 -14 94 -39l5 -2l134 80q61 -48 104 -105l-80 -134l3 -5q25 -44 39 -93l1 -6l152 -38q5 -43 5 -73q0 -34 -5 -74l-152 -38l-1 -6q-15 -49 -39 -93l-3 -5l80 -134q-48 -61 -104 -105l-134 81l-5 -3q-44 -25 -94 -39l-5 -2l-38 -151 q-43 -5 -74 -5q-33 0 -74 5l-38 151l-5 2q-49 14 -94 39l-5 3l-134 -81q-60 48 -104 105l80 134l-3 5q-25 45 -38 93l-2 6l-151 38q-6 42 -6 74q0 33 6 73l151 38l2 6q13 48 38 93l3 5l-80 134q47 61 105 105l133 -80l5 2q45 25 94 39l5 1l38 152q43 5 74 5zM600 815 q-89 0 -152 -63t-63 -151.5t63 -151.5t152 -63t152 63t63 151.5t-63 151.5t-152 63z" />
<glyph unicode="&#xe020;" d="M500 1300h300q41 0 70.5 -29.5t29.5 -70.5v-100h275q10 0 17.5 -7.5t7.5 -17.5v-75h-1100v75q0 10 7.5 17.5t17.5 7.5h275v100q0 41 29.5 70.5t70.5 29.5zM500 1200v-100h300v100h-300zM1100 900v-800q0 -41 -29.5 -70.5t-70.5 -29.5h-700q-41 0 -70.5 29.5t-29.5 70.5 v800h900zM300 800v-700h100v700h-100zM500 800v-700h100v700h-100zM700 800v-700h100v700h-100zM900 800v-700h100v700h-100z" />
<glyph unicode="&#xe021;" d="M18 618l620 608q8 7 18.5 7t17.5 -7l608 -608q8 -8 5.5 -13t-12.5 -5h-175v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v375h-300v-375q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v575h-175q-10 0 -12.5 5t5.5 13z" />
<glyph unicode="&#xe022;" d="M600 1200v-400q0 -41 29.5 -70.5t70.5 -29.5h300v-650q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5h450zM1000 800h-250q-21 0 -35.5 14.5t-14.5 35.5v250z" />
<glyph unicode="&#xe023;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h50q10 0 17.5 -7.5t7.5 -17.5v-275h175q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe024;" d="M1300 0h-538l-41 400h-242l-41 -400h-538l431 1200h209l-21 -300h162l-20 300h208zM515 800l-27 -300h224l-27 300h-170z" />
<glyph unicode="&#xe025;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-450h191q20 0 25.5 -11.5t-7.5 -27.5l-327 -400q-13 -16 -32 -16t-32 16l-327 400q-13 16 -7.5 27.5t25.5 11.5h191v450q0 21 14.5 35.5t35.5 14.5zM1125 400h50q10 0 17.5 -7.5t7.5 -17.5v-350q0 -10 -7.5 -17.5t-17.5 -7.5 h-1050q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h50q10 0 17.5 -7.5t7.5 -17.5v-175h900v175q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe026;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -275q-13 -16 -32 -16t-32 16l-223 275q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z " />
<glyph unicode="&#xe027;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM632 914l223 -275q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5l223 275q13 16 32 16 t32 -16z" />
<glyph unicode="&#xe028;" d="M225 1200h750q10 0 19.5 -7t12.5 -17l186 -652q7 -24 7 -49v-425q0 -12 -4 -27t-9 -17q-12 -6 -37 -6h-1100q-12 0 -27 4t-17 8q-6 13 -6 38l1 425q0 25 7 49l185 652q3 10 12.5 17t19.5 7zM878 1000h-556q-10 0 -19 -7t-11 -18l-87 -450q-2 -11 4 -18t16 -7h150 q10 0 19.5 -7t11.5 -17l38 -152q2 -10 11.5 -17t19.5 -7h250q10 0 19.5 7t11.5 17l38 152q2 10 11.5 17t19.5 7h150q10 0 16 7t4 18l-87 450q-2 11 -11 18t-19 7z" />
<glyph unicode="&#xe029;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM540 820l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
<glyph unicode="&#xe030;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-362q0 -10 -7.5 -17.5t-17.5 -7.5h-362q-11 0 -13 5.5t5 12.5l133 133q-109 76 -238 76q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5h150q0 -117 -45.5 -224 t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117z" />
<glyph unicode="&#xe031;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-361q0 -11 -7.5 -18.5t-18.5 -7.5h-361q-11 0 -13 5.5t5 12.5l134 134q-110 75 -239 75q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5h-150q0 117 45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117zM1027 600h150 q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5q-192 0 -348 118l-134 -134q-7 -8 -12.5 -5.5t-5.5 12.5v360q0 11 7.5 18.5t18.5 7.5h360q10 0 12.5 -5.5t-5.5 -12.5l-133 -133q110 -76 240 -76q116 0 214.5 57t155.5 155.5t57 214.5z" />
<glyph unicode="&#xe032;" d="M125 1200h1050q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-1050q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM1075 1000h-850q-10 0 -17.5 -7.5t-7.5 -17.5v-850q0 -10 7.5 -17.5t17.5 -7.5h850q10 0 17.5 7.5t7.5 17.5v850 q0 10 -7.5 17.5t-17.5 7.5zM325 900h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 900h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 700h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 700h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 500h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 500h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 300h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 300h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe033;" d="M900 800v200q0 83 -58.5 141.5t-141.5 58.5h-300q-82 0 -141 -59t-59 -141v-200h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h900q41 0 70.5 29.5t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5h-100zM400 800v150q0 21 15 35.5t35 14.5h200 q20 0 35 -14.5t15 -35.5v-150h-300z" />
<glyph unicode="&#xe034;" d="M125 1100h50q10 0 17.5 -7.5t7.5 -17.5v-1075h-100v1075q0 10 7.5 17.5t17.5 7.5zM1075 1052q4 0 9 -2q16 -6 16 -23v-421q0 -6 -3 -12q-33 -59 -66.5 -99t-65.5 -58t-56.5 -24.5t-52.5 -6.5q-26 0 -57.5 6.5t-52.5 13.5t-60 21q-41 15 -63 22.5t-57.5 15t-65.5 7.5 q-85 0 -160 -57q-7 -5 -15 -5q-6 0 -11 3q-14 7 -14 22v438q22 55 82 98.5t119 46.5q23 2 43 0.5t43 -7t32.5 -8.5t38 -13t32.5 -11q41 -14 63.5 -21t57 -14t63.5 -7q103 0 183 87q7 8 18 8z" />
<glyph unicode="&#xe035;" d="M600 1175q116 0 227 -49.5t192.5 -131t131 -192.5t49.5 -227v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v300q0 127 -70.5 231.5t-184.5 161.5t-245 57t-245 -57t-184.5 -161.5t-70.5 -231.5v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50 q-10 0 -17.5 7.5t-7.5 17.5v300q0 116 49.5 227t131 192.5t192.5 131t227 49.5zM220 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460q0 8 6 14t14 6zM820 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460 q0 8 6 14t14 6z" />
<glyph unicode="&#xe036;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM900 668l120 120q7 7 17 7t17 -7l34 -34q7 -7 7 -17t-7 -17l-120 -120l120 -120q7 -7 7 -17 t-7 -17l-34 -34q-7 -7 -17 -7t-17 7l-120 119l-120 -119q-7 -7 -17 -7t-17 7l-34 34q-7 7 -7 17t7 17l119 120l-119 120q-7 7 -7 17t7 17l34 34q7 8 17 8t17 -8z" />
<glyph unicode="&#xe037;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6 l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238q-6 8 -4.5 18t9.5 17l29 22q7 5 15 5z" />
<glyph unicode="&#xe038;" d="M967 1004h3q11 -1 17 -10q135 -179 135 -396q0 -105 -34 -206.5t-98 -185.5q-7 -9 -17 -10h-3q-9 0 -16 6l-42 34q-8 6 -9 16t5 18q111 150 111 328q0 90 -29.5 176t-84.5 157q-6 9 -5 19t10 16l42 33q7 5 15 5zM321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5 t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238 q-6 8 -4.5 18.5t9.5 16.5l29 22q7 5 15 5z" />
<glyph unicode="&#xe039;" d="M500 900h100v-100h-100v-100h-400v-100h-100v600h500v-300zM1200 700h-200v-100h200v-200h-300v300h-200v300h-100v200h600v-500zM100 1100v-300h300v300h-300zM800 1100v-300h300v300h-300zM300 900h-100v100h100v-100zM1000 900h-100v100h100v-100zM300 500h200v-500 h-500v500h200v100h100v-100zM800 300h200v-100h-100v-100h-200v100h-100v100h100v200h-200v100h300v-300zM100 400v-300h300v300h-300zM300 200h-100v100h100v-100zM1200 200h-100v100h100v-100zM700 0h-100v100h100v-100zM1200 0h-300v100h300v-100z" />
<glyph unicode="&#xe040;" d="M100 200h-100v1000h100v-1000zM300 200h-100v1000h100v-1000zM700 200h-200v1000h200v-1000zM900 200h-100v1000h100v-1000zM1200 200h-200v1000h200v-1000zM400 0h-300v100h300v-100zM600 0h-100v91h100v-91zM800 0h-100v91h100v-91zM1100 0h-200v91h200v-91z" />
<glyph unicode="&#xe041;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
<glyph unicode="&#xe042;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM800 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-56 56l424 426l-700 700h150zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5 t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
<glyph unicode="&#xe043;" d="M300 1200h825q75 0 75 -75v-900q0 -25 -18 -43l-64 -64q-8 -8 -13 -5.5t-5 12.5v950q0 10 -7.5 17.5t-17.5 7.5h-700q-25 0 -43 -18l-64 -64q-8 -8 -5.5 -13t12.5 -5h700q10 0 17.5 -7.5t7.5 -17.5v-950q0 -10 -7.5 -17.5t-17.5 -7.5h-850q-10 0 -17.5 7.5t-7.5 17.5v975 q0 25 18 43l139 139q18 18 43 18z" />
<glyph unicode="&#xe044;" d="M250 1200h800q21 0 35.5 -14.5t14.5 -35.5v-1150l-450 444l-450 -445v1151q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe045;" d="M822 1200h-444q-11 0 -19 -7.5t-9 -17.5l-78 -301q-7 -24 7 -45l57 -108q6 -9 17.5 -15t21.5 -6h450q10 0 21.5 6t17.5 15l62 108q14 21 7 45l-83 301q-1 10 -9 17.5t-19 7.5zM1175 800h-150q-10 0 -21 -6.5t-15 -15.5l-78 -156q-4 -9 -15 -15.5t-21 -6.5h-550 q-10 0 -21 6.5t-15 15.5l-78 156q-4 9 -15 15.5t-21 6.5h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-650q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h750q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5 t7.5 17.5v650q0 10 -7.5 17.5t-17.5 7.5zM850 200h-500q-10 0 -19.5 -7t-11.5 -17l-38 -152q-2 -10 3.5 -17t15.5 -7h600q10 0 15.5 7t3.5 17l-38 152q-2 10 -11.5 17t-19.5 7z" />
<glyph unicode="&#xe046;" d="M500 1100h200q56 0 102.5 -20.5t72.5 -50t44 -59t25 -50.5l6 -20h150q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5h150q2 8 6.5 21.5t24 48t45 61t72 48t102.5 21.5zM900 800v-100 h100v100h-100zM600 730q-95 0 -162.5 -67.5t-67.5 -162.5t67.5 -162.5t162.5 -67.5t162.5 67.5t67.5 162.5t-67.5 162.5t-162.5 67.5zM600 603q43 0 73 -30t30 -73t-30 -73t-73 -30t-73 30t-30 73t30 73t73 30z" />
<glyph unicode="&#xe047;" d="M681 1199l385 -998q20 -50 60 -92q18 -19 36.5 -29.5t27.5 -11.5l10 -2v-66h-417v66q53 0 75 43.5t5 88.5l-82 222h-391q-58 -145 -92 -234q-11 -34 -6.5 -57t25.5 -37t46 -20t55 -6v-66h-365v66q56 24 84 52q12 12 25 30.5t20 31.5l7 13l399 1006h93zM416 521h340 l-162 457z" />
<glyph unicode="&#xe048;" d="M753 641q5 -1 14.5 -4.5t36 -15.5t50.5 -26.5t53.5 -40t50.5 -54.5t35.5 -70t14.5 -87q0 -67 -27.5 -125.5t-71.5 -97.5t-98.5 -66.5t-108.5 -40.5t-102 -13h-500v89q41 7 70.5 32.5t29.5 65.5v827q0 24 -0.5 34t-3.5 24t-8.5 19.5t-17 13.5t-28 12.5t-42.5 11.5v71 l471 -1q57 0 115.5 -20.5t108 -57t80.5 -94t31 -124.5q0 -51 -15.5 -96.5t-38 -74.5t-45 -50.5t-38.5 -30.5zM400 700h139q78 0 130.5 48.5t52.5 122.5q0 41 -8.5 70.5t-29.5 55.5t-62.5 39.5t-103.5 13.5h-118v-350zM400 200h216q80 0 121 50.5t41 130.5q0 90 -62.5 154.5 t-156.5 64.5h-159v-400z" />
<glyph unicode="&#xe049;" d="M877 1200l2 -57q-83 -19 -116 -45.5t-40 -66.5l-132 -839q-9 -49 13 -69t96 -26v-97h-500v97q186 16 200 98l173 832q3 17 3 30t-1.5 22.5t-9 17.5t-13.5 12.5t-21.5 10t-26 8.5t-33.5 10q-13 3 -19 5v57h425z" />
<glyph unicode="&#xe050;" d="M1300 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM175 1000h-75v-800h75l-125 -167l-125 167h75v800h-75l125 167z" />
<glyph unicode="&#xe051;" d="M1100 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-650q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v650h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM1167 50l-167 -125v75h-800v-75l-167 125l167 125v-75h800v75z" />
<glyph unicode="&#xe052;" d="M50 1100h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe053;" d="M250 1100h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM250 500h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe054;" d="M500 950v100q0 21 14.5 35.5t35.5 14.5h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5zM100 650v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000 q-21 0 -35.5 14.5t-14.5 35.5zM300 350v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5zM0 50v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5z" />
<glyph unicode="&#xe055;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe056;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 1100h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 800h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 500h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 500h800q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 200h800 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe057;" d="M400 0h-100v1100h100v-1100zM550 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM267 550l-167 -125v75h-200v100h200v75zM550 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe058;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM900 0h-100v1100h100v-1100zM50 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM1100 600h200v-100h-200v-75l-167 125l167 125v-75zM50 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe059;" d="M75 1000h750q31 0 53 -22t22 -53v-650q0 -31 -22 -53t-53 -22h-750q-31 0 -53 22t-22 53v650q0 31 22 53t53 22zM1200 300l-300 300l300 300v-600z" />
<glyph unicode="&#xe060;" d="M44 1100h1112q18 0 31 -13t13 -31v-1012q0 -18 -13 -31t-31 -13h-1112q-18 0 -31 13t-13 31v1012q0 18 13 31t31 13zM100 1000v-737l247 182l298 -131l-74 156l293 318l236 -288v500h-1000zM342 884q56 0 95 -39t39 -94.5t-39 -95t-95 -39.5t-95 39.5t-39 95t39 94.5 t95 39z" />
<glyph unicode="&#xe062;" d="M648 1169q117 0 216 -60t156.5 -161t57.5 -218q0 -115 -70 -258q-69 -109 -158 -225.5t-143 -179.5l-54 -62q-9 8 -25.5 24.5t-63.5 67.5t-91 103t-98.5 128t-95.5 148q-60 132 -60 249q0 88 34 169.5t91.5 142t137 96.5t166.5 36zM652.5 974q-91.5 0 -156.5 -65 t-65 -157t65 -156.5t156.5 -64.5t156.5 64.5t65 156.5t-65 157t-156.5 65z" />
<glyph unicode="&#xe063;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 173v854q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57z" />
<glyph unicode="&#xe064;" d="M554 1295q21 -72 57.5 -143.5t76 -130t83 -118t82.5 -117t70 -116t49.5 -126t18.5 -136.5q0 -71 -25.5 -135t-68.5 -111t-99 -82t-118.5 -54t-125.5 -23q-84 5 -161.5 34t-139.5 78.5t-99 125t-37 164.5q0 69 18 136.5t49.5 126.5t69.5 116.5t81.5 117.5t83.5 119 t76.5 131t58.5 143zM344 710q-23 -33 -43.5 -70.5t-40.5 -102.5t-17 -123q1 -37 14.5 -69.5t30 -52t41 -37t38.5 -24.5t33 -15q21 -7 32 -1t13 22l6 34q2 10 -2.5 22t-13.5 19q-5 4 -14 12t-29.5 40.5t-32.5 73.5q-26 89 6 271q2 11 -6 11q-8 1 -15 -10z" />
<glyph unicode="&#xe065;" d="M1000 1013l108 115q2 1 5 2t13 2t20.5 -1t25 -9.5t28.5 -21.5q22 -22 27 -43t0 -32l-6 -10l-108 -115zM350 1100h400q50 0 105 -13l-187 -187h-368q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v182l200 200v-332 q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM1009 803l-362 -362l-161 -50l55 170l355 355z" />
<glyph unicode="&#xe066;" d="M350 1100h361q-164 -146 -216 -200h-195q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5l200 153v-103q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M824 1073l339 -301q8 -7 8 -17.5t-8 -17.5l-340 -306q-7 -6 -12.5 -4t-6.5 11v203q-26 1 -54.5 0t-78.5 -7.5t-92 -17.5t-86 -35t-70 -57q10 59 33 108t51.5 81.5t65 58.5t68.5 40.5t67 24.5t56 13.5t40 4.5v210q1 10 6.5 12.5t13.5 -4.5z" />
<glyph unicode="&#xe067;" d="M350 1100h350q60 0 127 -23l-178 -177h-349q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v69l200 200v-219q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M643 639l395 395q7 7 17.5 7t17.5 -7l101 -101q7 -7 7 -17.5t-7 -17.5l-531 -532q-7 -7 -17.5 -7t-17.5 7l-248 248q-7 7 -7 17.5t7 17.5l101 101q7 7 17.5 7t17.5 -7l111 -111q8 -7 18 -7t18 7z" />
<glyph unicode="&#xe068;" d="M318 918l264 264q8 8 18 8t18 -8l260 -264q7 -8 4.5 -13t-12.5 -5h-170v-200h200v173q0 10 5 12t13 -5l264 -260q8 -7 8 -17.5t-8 -17.5l-264 -265q-8 -7 -13 -5t-5 12v173h-200v-200h170q10 0 12.5 -5t-4.5 -13l-260 -264q-8 -8 -18 -8t-18 8l-264 264q-8 8 -5.5 13 t12.5 5h175v200h-200v-173q0 -10 -5 -12t-13 5l-264 265q-8 7 -8 17.5t8 17.5l264 260q8 7 13 5t5 -12v-173h200v200h-175q-10 0 -12.5 5t5.5 13z" />
<glyph unicode="&#xe069;" d="M250 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe070;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5 t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe071;" d="M1200 1050v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-492 480q-15 14 -15 35t15 35l492 480q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25z" />
<glyph unicode="&#xe072;" d="M243 1074l814 -498q18 -11 18 -26t-18 -26l-814 -498q-18 -11 -30.5 -4t-12.5 28v1000q0 21 12.5 28t30.5 -4z" />
<glyph unicode="&#xe073;" d="M250 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM650 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800 q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe074;" d="M1100 950v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5z" />
<glyph unicode="&#xe075;" d="M500 612v438q0 21 10.5 25t25.5 -10l492 -480q15 -14 15 -35t-15 -35l-492 -480q-15 -14 -25.5 -10t-10.5 25v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10z" />
<glyph unicode="&#xe076;" d="M1048 1102l100 1q20 0 35 -14.5t15 -35.5l5 -1000q0 -21 -14.5 -35.5t-35.5 -14.5l-100 -1q-21 0 -35.5 14.5t-14.5 35.5l-2 437l-463 -454q-14 -15 -24.5 -10.5t-10.5 25.5l-2 437l-462 -455q-15 -14 -25.5 -9.5t-10.5 24.5l-5 1000q0 21 10.5 25.5t25.5 -10.5l466 -450 l-2 438q0 20 10.5 24.5t25.5 -9.5l466 -451l-2 438q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe077;" d="M850 1100h100q21 0 35.5 -14.5t14.5 -35.5v-1000q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10l464 -453v438q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe078;" d="M686 1081l501 -540q15 -15 10.5 -26t-26.5 -11h-1042q-22 0 -26.5 11t10.5 26l501 540q15 15 36 15t36 -15zM150 400h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe079;" d="M885 900l-352 -353l352 -353l-197 -198l-552 552l552 550z" />
<glyph unicode="&#xe080;" d="M1064 547l-551 -551l-198 198l353 353l-353 353l198 198z" />
<glyph unicode="&#xe081;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM650 900h-100q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-150 q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5h150v-150q0 -21 14.5 -35.5t35.5 -14.5h100q21 0 35.5 14.5t14.5 35.5v150h150q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-150v150q0 21 -14.5 35.5t-35.5 14.5z" />
<glyph unicode="&#xe082;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM850 700h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5 t35.5 -14.5h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5z" />
<glyph unicode="&#xe083;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM741.5 913q-12.5 0 -21.5 -9l-120 -120l-120 120q-9 9 -21.5 9 t-21.5 -9l-141 -141q-9 -9 -9 -21.5t9 -21.5l120 -120l-120 -120q-9 -9 -9 -21.5t9 -21.5l141 -141q9 -9 21.5 -9t21.5 9l120 120l120 -120q9 -9 21.5 -9t21.5 9l141 141q9 9 9 21.5t-9 21.5l-120 120l120 120q9 9 9 21.5t-9 21.5l-141 141q-9 9 -21.5 9z" />
<glyph unicode="&#xe084;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM546 623l-84 85q-7 7 -17.5 7t-18.5 -7l-139 -139q-7 -8 -7 -18t7 -18 l242 -241q7 -8 17.5 -8t17.5 8l375 375q7 7 7 17.5t-7 18.5l-139 139q-7 7 -17.5 7t-17.5 -7z" />
<glyph unicode="&#xe085;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM588 941q-29 0 -59 -5.5t-63 -20.5t-58 -38.5t-41.5 -63t-16.5 -89.5 q0 -25 20 -25h131q30 -5 35 11q6 20 20.5 28t45.5 8q20 0 31.5 -10.5t11.5 -28.5q0 -23 -7 -34t-26 -18q-1 0 -13.5 -4t-19.5 -7.5t-20 -10.5t-22 -17t-18.5 -24t-15.5 -35t-8 -46q-1 -8 5.5 -16.5t20.5 -8.5h173q7 0 22 8t35 28t37.5 48t29.5 74t12 100q0 47 -17 83 t-42.5 57t-59.5 34.5t-64 18t-59 4.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
<glyph unicode="&#xe086;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM675 1000h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5 t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5zM675 700h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h75v-200h-75q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h350q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5 t-17.5 7.5h-75v275q0 10 -7.5 17.5t-17.5 7.5z" />
<glyph unicode="&#xe087;" d="M525 1200h150q10 0 17.5 -7.5t7.5 -17.5v-194q103 -27 178.5 -102.5t102.5 -178.5h194q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-194q-27 -103 -102.5 -178.5t-178.5 -102.5v-194q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v194 q-103 27 -178.5 102.5t-102.5 178.5h-194q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h194q27 103 102.5 178.5t178.5 102.5v194q0 10 7.5 17.5t17.5 7.5zM700 893v-168q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v168q-68 -23 -119 -74 t-74 -119h168q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-168q23 -68 74 -119t119 -74v168q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-168q68 23 119 74t74 119h-168q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h168 q-23 68 -74 119t-119 74z" />
<glyph unicode="&#xe088;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM759 823l64 -64q7 -7 7 -17.5t-7 -17.5l-124 -124l124 -124q7 -7 7 -17.5t-7 -17.5l-64 -64q-7 -7 -17.5 -7t-17.5 7l-124 124l-124 -124q-7 -7 -17.5 -7t-17.5 7l-64 64 q-7 7 -7 17.5t7 17.5l124 124l-124 124q-7 7 -7 17.5t7 17.5l64 64q7 7 17.5 7t17.5 -7l124 -124l124 124q7 7 17.5 7t17.5 -7z" />
<glyph unicode="&#xe089;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM782 788l106 -106q7 -7 7 -17.5t-7 -17.5l-320 -321q-8 -7 -18 -7t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l197 197q7 7 17.5 7t17.5 -7z" />
<glyph unicode="&#xe090;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5q0 -120 65 -225 l587 587q-105 65 -225 65zM965 819l-584 -584q104 -62 219 -62q116 0 214.5 57t155.5 155.5t57 214.5q0 115 -62 219z" />
<glyph unicode="&#xe091;" d="M39 582l522 427q16 13 27.5 8t11.5 -26v-291h550q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-550v-291q0 -21 -11.5 -26t-27.5 8l-522 427q-16 13 -16 32t16 32z" />
<glyph unicode="&#xe092;" d="M639 1009l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291h-550q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h550v291q0 21 11.5 26t27.5 -8z" />
<glyph unicode="&#xe093;" d="M682 1161l427 -522q13 -16 8 -27.5t-26 -11.5h-291v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v550h-291q-21 0 -26 11.5t8 27.5l427 522q13 16 32 16t32 -16z" />
<glyph unicode="&#xe094;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-550h291q21 0 26 -11.5t-8 -27.5l-427 -522q-13 -16 -32 -16t-32 16l-427 522q-13 16 -8 27.5t26 11.5h291v550q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe095;" d="M639 1109l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291q-94 -2 -182 -20t-170.5 -52t-147 -92.5t-100.5 -135.5q5 105 27 193.5t67.5 167t113 135t167 91.5t225.5 42v262q0 21 11.5 26t27.5 -8z" />
<glyph unicode="&#xe096;" d="M850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5zM350 0h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249 q8 7 18 7t18 -7l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5z" />
<glyph unicode="&#xe097;" d="M1014 1120l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249q8 7 18 7t18 -7zM250 600h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5z" />
<glyph unicode="&#xe101;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM704 900h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5 t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
<glyph unicode="&#xe102;" d="M260 1200q9 0 19 -2t15 -4l5 -2q22 -10 44 -23l196 -118q21 -13 36 -24q29 -21 37 -12q11 13 49 35l196 118q22 13 45 23q17 7 38 7q23 0 47 -16.5t37 -33.5l13 -16q14 -21 18 -45l25 -123l8 -44q1 -9 8.5 -14.5t17.5 -5.5h61q10 0 17.5 -7.5t7.5 -17.5v-50 q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 -7.5t-7.5 -17.5v-175h-400v300h-200v-300h-400v175q0 10 -7.5 17.5t-17.5 7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5h61q11 0 18 3t7 8q0 4 9 52l25 128q5 25 19 45q2 3 5 7t13.5 15t21.5 19.5t26.5 15.5 t29.5 7zM915 1079l-166 -162q-7 -7 -5 -12t12 -5h219q10 0 15 7t2 17l-51 149q-3 10 -11 12t-15 -6zM463 917l-177 157q-8 7 -16 5t-11 -12l-51 -143q-3 -10 2 -17t15 -7h231q11 0 12.5 5t-5.5 12zM500 0h-375q-10 0 -17.5 7.5t-7.5 17.5v375h400v-400zM1100 400v-375 q0 -10 -7.5 -17.5t-17.5 -7.5h-375v400h400z" />
<glyph unicode="&#xe103;" d="M1165 1190q8 3 21 -6.5t13 -17.5q-2 -178 -24.5 -323.5t-55.5 -245.5t-87 -174.5t-102.5 -118.5t-118 -68.5t-118.5 -33t-120 -4.5t-105 9.5t-90 16.5q-61 12 -78 11q-4 1 -12.5 0t-34 -14.5t-52.5 -40.5l-153 -153q-26 -24 -37 -14.5t-11 43.5q0 64 42 102q8 8 50.5 45 t66.5 58q19 17 35 47t13 61q-9 55 -10 102.5t7 111t37 130t78 129.5q39 51 80 88t89.5 63.5t94.5 45t113.5 36t129 31t157.5 37t182 47.5zM1116 1098q-8 9 -22.5 -3t-45.5 -50q-38 -47 -119 -103.5t-142 -89.5l-62 -33q-56 -30 -102 -57t-104 -68t-102.5 -80.5t-85.5 -91 t-64 -104.5q-24 -56 -31 -86t2 -32t31.5 17.5t55.5 59.5q25 30 94 75.5t125.5 77.5t147.5 81q70 37 118.5 69t102 79.5t99 111t86.5 148.5q22 50 24 60t-6 19z" />
<glyph unicode="&#xe104;" d="M653 1231q-39 -67 -54.5 -131t-10.5 -114.5t24.5 -96.5t47.5 -80t63.5 -62.5t68.5 -46.5t65 -30q-4 7 -17.5 35t-18.5 39.5t-17 39.5t-17 43t-13 42t-9.5 44.5t-2 42t4 43t13.5 39t23 38.5q96 -42 165 -107.5t105 -138t52 -156t13 -159t-19 -149.5q-13 -55 -44 -106.5 t-68 -87t-78.5 -64.5t-72.5 -45t-53 -22q-72 -22 -127 -11q-31 6 -13 19q6 3 17 7q13 5 32.5 21t41 44t38.5 63.5t21.5 81.5t-6.5 94.5t-50 107t-104 115.5q10 -104 -0.5 -189t-37 -140.5t-65 -93t-84 -52t-93.5 -11t-95 24.5q-80 36 -131.5 114t-53.5 171q-2 23 0 49.5 t4.5 52.5t13.5 56t27.5 60t46 64.5t69.5 68.5q-8 -53 -5 -102.5t17.5 -90t34 -68.5t44.5 -39t49 -2q31 13 38.5 36t-4.5 55t-29 64.5t-36 75t-26 75.5q-15 85 2 161.5t53.5 128.5t85.5 92.5t93.5 61t81.5 25.5z" />
<glyph unicode="&#xe105;" d="M600 1094q82 0 160.5 -22.5t140 -59t116.5 -82.5t94.5 -95t68 -95t42.5 -82.5t14 -57.5t-14 -57.5t-43 -82.5t-68.5 -95t-94.5 -95t-116.5 -82.5t-140 -59t-159.5 -22.5t-159.5 22.5t-140 59t-116.5 82.5t-94.5 95t-68.5 95t-43 82.5t-14 57.5t14 57.5t42.5 82.5t68 95 t94.5 95t116.5 82.5t140 59t160.5 22.5zM888 829q-15 15 -18 12t5 -22q25 -57 25 -119q0 -124 -88 -212t-212 -88t-212 88t-88 212q0 59 23 114q8 19 4.5 22t-17.5 -12q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q22 -36 47 -71t70 -82t92.5 -81t113 -58.5t133.5 -24.5 t133.5 24t113 58.5t92.5 81.5t70 81.5t47 70.5q11 18 9 42.5t-14 41.5q-90 117 -163 189zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l35 34q14 15 12.5 33.5t-16.5 33.5q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
<glyph unicode="&#xe106;" d="M592 0h-148l31 120q-91 20 -175.5 68.5t-143.5 106.5t-103.5 119t-66.5 110t-22 76q0 21 14 57.5t42.5 82.5t68 95t94.5 95t116.5 82.5t140 59t160.5 22.5q61 0 126 -15l32 121h148zM944 770l47 181q108 -85 176.5 -192t68.5 -159q0 -26 -19.5 -71t-59.5 -102t-93 -112 t-129 -104.5t-158 -75.5l46 173q77 49 136 117t97 131q11 18 9 42.5t-14 41.5q-54 70 -107 130zM310 824q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q18 -30 39 -60t57 -70.5t74 -73t90 -61t105 -41.5l41 154q-107 18 -178.5 101.5t-71.5 193.5q0 59 23 114q8 19 4.5 22 t-17.5 -12zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l12 11l22 86l-3 4q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
<glyph unicode="&#xe107;" d="M-90 100l642 1066q20 31 48 28.5t48 -35.5l642 -1056q21 -32 7.5 -67.5t-50.5 -35.5h-1294q-37 0 -50.5 34t7.5 66zM155 200h345v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h345l-445 723zM496 700h208q20 0 32 -14.5t8 -34.5l-58 -252 q-4 -20 -21.5 -34.5t-37.5 -14.5h-54q-20 0 -37.5 14.5t-21.5 34.5l-58 252q-4 20 8 34.5t32 14.5z" />
<glyph unicode="&#xe108;" d="M650 1200q62 0 106 -44t44 -106v-339l363 -325q15 -14 26 -38.5t11 -44.5v-41q0 -20 -12 -26.5t-29 5.5l-359 249v-263q100 -93 100 -113v-64q0 -21 -13 -29t-32 1l-205 128l-205 -128q-19 -9 -32 -1t-13 29v64q0 20 100 113v263l-359 -249q-17 -12 -29 -5.5t-12 26.5v41 q0 20 11 44.5t26 38.5l363 325v339q0 62 44 106t106 44z" />
<glyph unicode="&#xe109;" d="M850 1200h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-150h-1100v150q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-50h500v50q0 21 14.5 35.5t35.5 14.5zM1100 800v-750q0 -21 -14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v750h1100zM100 600v-100h100v100h-100zM300 600v-100h100v100h-100zM500 600v-100h100v100h-100zM700 600v-100h100v100h-100zM900 600v-100h100v100h-100zM100 400v-100h100v100h-100zM300 400v-100h100v100h-100zM500 400 v-100h100v100h-100zM700 400v-100h100v100h-100zM900 400v-100h100v100h-100zM100 200v-100h100v100h-100zM300 200v-100h100v100h-100zM500 200v-100h100v100h-100zM700 200v-100h100v100h-100zM900 200v-100h100v100h-100z" />
<glyph unicode="&#xe110;" d="M1135 1165l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-159l-600 -600h-291q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h209l600 600h241v150q0 21 10.5 25t24.5 -10zM522 819l-141 -141l-122 122h-209q-21 0 -35.5 14.5 t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h291zM1135 565l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-241l-181 181l141 141l122 -122h159v150q0 21 10.5 25t24.5 -10z" />
<glyph unicode="&#xe111;" d="M100 1100h1000q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-596l-304 -300v300h-100q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5z" />
<glyph unicode="&#xe112;" d="M150 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM850 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM1100 800v-300q0 -41 -3 -77.5t-15 -89.5t-32 -96t-58 -89t-89 -77t-129 -51t-174 -20t-174 20 t-129 51t-89 77t-58 89t-32 96t-15 89.5t-3 77.5v300h300v-250v-27v-42.5t1.5 -41t5 -38t10 -35t16.5 -30t25.5 -24.5t35 -19t46.5 -12t60 -4t60 4.5t46.5 12.5t35 19.5t25 25.5t17 30.5t10 35t5 38t2 40.5t-0.5 42v25v250h300z" />
<glyph unicode="&#xe113;" d="M1100 411l-198 -199l-353 353l-353 -353l-197 199l551 551z" />
<glyph unicode="&#xe114;" d="M1101 789l-550 -551l-551 551l198 199l353 -353l353 353z" />
<glyph unicode="&#xe115;" d="M404 1000h746q21 0 35.5 -14.5t14.5 -35.5v-551h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v401h-381zM135 984l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-400h385l215 -200h-750q-21 0 -35.5 14.5 t-14.5 35.5v550h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
<glyph unicode="&#xe116;" d="M56 1200h94q17 0 31 -11t18 -27l38 -162h896q24 0 39 -18.5t10 -42.5l-100 -475q-5 -21 -27 -42.5t-55 -21.5h-633l48 -200h535q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-50q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-300v-50 q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-31q-18 0 -32.5 10t-20.5 19l-5 10l-201 961h-54q-20 0 -35 14.5t-15 35.5t15 35.5t35 14.5z" />
<glyph unicode="&#xe117;" d="M1200 1000v-100h-1200v100h200q0 41 29.5 70.5t70.5 29.5h300q41 0 70.5 -29.5t29.5 -70.5h500zM0 800h1200v-800h-1200v800z" />
<glyph unicode="&#xe118;" d="M200 800l-200 -400v600h200q0 41 29.5 70.5t70.5 29.5h300q42 0 71 -29.5t29 -70.5h500v-200h-1000zM1500 700l-300 -700h-1200l300 700h1200z" />
<glyph unicode="&#xe119;" d="M635 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-601h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v601h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
<glyph unicode="&#xe120;" d="M936 864l249 -229q14 -15 14 -35.5t-14 -35.5l-249 -229q-15 -15 -25.5 -10.5t-10.5 24.5v151h-600v-151q0 -20 -10.5 -24.5t-25.5 10.5l-249 229q-14 15 -14 35.5t14 35.5l249 229q15 15 25.5 10.5t10.5 -25.5v-149h600v149q0 21 10.5 25.5t25.5 -10.5z" />
<glyph unicode="&#xe121;" d="M1169 400l-172 732q-5 23 -23 45.5t-38 22.5h-672q-20 0 -38 -20t-23 -41l-172 -739h1138zM1100 300h-1000q-41 0 -70.5 -29.5t-29.5 -70.5v-100q0 -41 29.5 -70.5t70.5 -29.5h1000q41 0 70.5 29.5t29.5 70.5v100q0 41 -29.5 70.5t-70.5 29.5zM800 100v100h100v-100h-100 zM1000 100v100h100v-100h-100z" />
<glyph unicode="&#xe122;" d="M1150 1100q21 0 35.5 -14.5t14.5 -35.5v-850q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v850q0 21 14.5 35.5t35.5 14.5zM1000 200l-675 200h-38l47 -276q3 -16 -5.5 -20t-29.5 -4h-7h-84q-20 0 -34.5 14t-18.5 35q-55 337 -55 351v250v6q0 16 1 23.5t6.5 14 t17.5 6.5h200l675 250v-850zM0 750v-250q-4 0 -11 0.5t-24 6t-30 15t-24 30t-11 48.5v50q0 26 10.5 46t25 30t29 16t25.5 7z" />
<glyph unicode="&#xe123;" d="M553 1200h94q20 0 29 -10.5t3 -29.5l-18 -37q83 -19 144 -82.5t76 -140.5l63 -327l118 -173h17q19 0 33 -14.5t14 -35t-13 -40.5t-31 -27q-8 -4 -23 -9.5t-65 -19.5t-103 -25t-132.5 -20t-158.5 -9q-57 0 -115 5t-104 12t-88.5 15.5t-73.5 17.5t-54.5 16t-35.5 12l-11 4 q-18 8 -31 28t-13 40.5t14 35t33 14.5h17l118 173l63 327q15 77 76 140t144 83l-18 32q-6 19 3.5 32t28.5 13zM498 110q50 -6 102 -6q53 0 102 6q-12 -49 -39.5 -79.5t-62.5 -30.5t-63 30.5t-39 79.5z" />
<glyph unicode="&#xe124;" d="M800 946l224 78l-78 -224l234 -45l-180 -155l180 -155l-234 -45l78 -224l-224 78l-45 -234l-155 180l-155 -180l-45 234l-224 -78l78 224l-234 45l180 155l-180 155l234 45l-78 224l224 -78l45 234l155 -180l155 180z" />
<glyph unicode="&#xe125;" d="M650 1200h50q40 0 70 -40.5t30 -84.5v-150l-28 -125h328q40 0 70 -40.5t30 -84.5v-100q0 -45 -29 -74l-238 -344q-16 -24 -38 -40.5t-45 -16.5h-250q-7 0 -42 25t-66 50l-31 25h-61q-45 0 -72.5 18t-27.5 57v400q0 36 20 63l145 196l96 198q13 28 37.5 48t51.5 20z M650 1100l-100 -212l-150 -213v-375h100l136 -100h214l250 375v125h-450l50 225v175h-50zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe126;" d="M600 1100h250q23 0 45 -16.5t38 -40.5l238 -344q29 -29 29 -74v-100q0 -44 -30 -84.5t-70 -40.5h-328q28 -118 28 -125v-150q0 -44 -30 -84.5t-70 -40.5h-50q-27 0 -51.5 20t-37.5 48l-96 198l-145 196q-20 27 -20 63v400q0 39 27.5 57t72.5 18h61q124 100 139 100z M50 1000h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM636 1000l-136 -100h-100v-375l150 -213l100 -212h50v175l-50 225h450v125l-250 375h-214z" />
<glyph unicode="&#xe127;" d="M356 873l363 230q31 16 53 -6l110 -112q13 -13 13.5 -32t-11.5 -34l-84 -121h302q84 0 138 -38t54 -110t-55 -111t-139 -39h-106l-131 -339q-6 -21 -19.5 -41t-28.5 -20h-342q-7 0 -90 81t-83 94v525q0 17 14 35.5t28 28.5zM400 792v-503l100 -89h293l131 339 q6 21 19.5 41t28.5 20h203q21 0 30.5 25t0.5 50t-31 25h-456h-7h-6h-5.5t-6 0.5t-5 1.5t-5 2t-4 2.5t-4 4t-2.5 4.5q-12 25 5 47l146 183l-86 83zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500 q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe128;" d="M475 1103l366 -230q2 -1 6 -3.5t14 -10.5t18 -16.5t14.5 -20t6.5 -22.5v-525q0 -13 -86 -94t-93 -81h-342q-15 0 -28.5 20t-19.5 41l-131 339h-106q-85 0 -139.5 39t-54.5 111t54 110t138 38h302l-85 121q-11 15 -10.5 34t13.5 32l110 112q22 22 53 6zM370 945l146 -183 q17 -22 5 -47q-2 -2 -3.5 -4.5t-4 -4t-4 -2.5t-5 -2t-5 -1.5t-6 -0.5h-6h-6.5h-6h-475v-100h221q15 0 29 -20t20 -41l130 -339h294l106 89v503l-342 236zM1050 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5 v500q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe129;" d="M550 1294q72 0 111 -55t39 -139v-106l339 -131q21 -6 41 -19.5t20 -28.5v-342q0 -7 -81 -90t-94 -83h-525q-17 0 -35.5 14t-28.5 28l-9 14l-230 363q-16 31 6 53l112 110q13 13 32 13.5t34 -11.5l121 -84v302q0 84 38 138t110 54zM600 972v203q0 21 -25 30.5t-50 0.5 t-25 -31v-456v-7v-6v-5.5t-0.5 -6t-1.5 -5t-2 -5t-2.5 -4t-4 -4t-4.5 -2.5q-25 -12 -47 5l-183 146l-83 -86l236 -339h503l89 100v293l-339 131q-21 6 -41 19.5t-20 28.5zM450 200h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe130;" d="M350 1100h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5zM600 306v-106q0 -84 -39 -139t-111 -55t-110 54t-38 138v302l-121 -84q-15 -12 -34 -11.5t-32 13.5l-112 110 q-22 22 -6 53l230 363q1 2 3.5 6t10.5 13.5t16.5 17t20 13.5t22.5 6h525q13 0 94 -83t81 -90v-342q0 -15 -20 -28.5t-41 -19.5zM308 900l-236 -339l83 -86l183 146q22 17 47 5q2 -1 4.5 -2.5t4 -4t2.5 -4t2 -5t1.5 -5t0.5 -6v-5.5v-6v-7v-456q0 -22 25 -31t50 0.5t25 30.5 v203q0 15 20 28.5t41 19.5l339 131v293l-89 100h-503z" />
<glyph unicode="&#xe131;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM914 632l-275 223q-16 13 -27.5 8t-11.5 -26v-137h-275 q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h275v-137q0 -21 11.5 -26t27.5 8l275 223q16 13 16 32t-16 32z" />
<glyph unicode="&#xe132;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM561 855l-275 -223q-16 -13 -16 -32t16 -32l275 -223q16 -13 27.5 -8 t11.5 26v137h275q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5h-275v137q0 21 -11.5 26t-27.5 -8z" />
<glyph unicode="&#xe133;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM855 639l-223 275q-13 16 -32 16t-32 -16l-223 -275q-13 -16 -8 -27.5 t26 -11.5h137v-275q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v275h137q21 0 26 11.5t-8 27.5z" />
<glyph unicode="&#xe134;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM675 900h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-275h-137q-21 0 -26 -11.5 t8 -27.5l223 -275q13 -16 32 -16t32 16l223 275q13 16 8 27.5t-26 11.5h-137v275q0 10 -7.5 17.5t-17.5 7.5z" />
<glyph unicode="&#xe135;" d="M600 1176q116 0 222.5 -46t184 -123.5t123.5 -184t46 -222.5t-46 -222.5t-123.5 -184t-184 -123.5t-222.5 -46t-222.5 46t-184 123.5t-123.5 184t-46 222.5t46 222.5t123.5 184t184 123.5t222.5 46zM627 1101q-15 -12 -36.5 -20.5t-35.5 -12t-43 -8t-39 -6.5 q-15 -3 -45.5 0t-45.5 -2q-20 -7 -51.5 -26.5t-34.5 -34.5q-3 -11 6.5 -22.5t8.5 -18.5q-3 -34 -27.5 -91t-29.5 -79q-9 -34 5 -93t8 -87q0 -9 17 -44.5t16 -59.5q12 0 23 -5t23.5 -15t19.5 -14q16 -8 33 -15t40.5 -15t34.5 -12q21 -9 52.5 -32t60 -38t57.5 -11 q7 -15 -3 -34t-22.5 -40t-9.5 -38q13 -21 23 -34.5t27.5 -27.5t36.5 -18q0 -7 -3.5 -16t-3.5 -14t5 -17q104 -2 221 112q30 29 46.5 47t34.5 49t21 63q-13 8 -37 8.5t-36 7.5q-15 7 -49.5 15t-51.5 19q-18 0 -41 -0.5t-43 -1.5t-42 -6.5t-38 -16.5q-51 -35 -66 -12 q-4 1 -3.5 25.5t0.5 25.5q-6 13 -26.5 17.5t-24.5 6.5q1 15 -0.5 30.5t-7 28t-18.5 11.5t-31 -21q-23 -25 -42 4q-19 28 -8 58q6 16 22 22q6 -1 26 -1.5t33.5 -4t19.5 -13.5q7 -12 18 -24t21.5 -20.5t20 -15t15.5 -10.5l5 -3q2 12 7.5 30.5t8 34.5t-0.5 32q-3 18 3.5 29 t18 22.5t15.5 24.5q6 14 10.5 35t8 31t15.5 22.5t34 22.5q-6 18 10 36q8 0 24 -1.5t24.5 -1.5t20 4.5t20.5 15.5q-10 23 -31 42.5t-37.5 29.5t-49 27t-43.5 23q0 1 2 8t3 11.5t1.5 10.5t-1 9.5t-4.5 4.5q31 -13 58.5 -14.5t38.5 2.5l12 5q5 28 -9.5 46t-36.5 24t-50 15 t-41 20q-18 -4 -37 0zM613 994q0 -17 8 -42t17 -45t9 -23q-8 1 -39.5 5.5t-52.5 10t-37 16.5q3 11 16 29.5t16 25.5q10 -10 19 -10t14 6t13.5 14.5t16.5 12.5z" />
<glyph unicode="&#xe136;" d="M756 1157q164 92 306 -9l-259 -138l145 -232l251 126q6 -89 -34 -156.5t-117 -110.5q-60 -34 -127 -39.5t-126 16.5l-596 -596q-15 -16 -36.5 -16t-36.5 16l-111 110q-15 15 -15 36.5t15 37.5l600 599q-34 101 5.5 201.5t135.5 154.5z" />
<glyph unicode="&#xe137;" horiz-adv-x="1220" d="M100 1196h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 1096h-200v-100h200v100zM100 796h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 696h-500v-100h500v100zM100 396h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 296h-300v-100h300v100z " />
<glyph unicode="&#xe138;" d="M150 1200h900q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM700 500v-300l-200 -200v500l-350 500h900z" />
<glyph unicode="&#xe139;" d="M500 1200h200q41 0 70.5 -29.5t29.5 -70.5v-100h300q41 0 70.5 -29.5t29.5 -70.5v-400h-500v100h-200v-100h-500v400q0 41 29.5 70.5t70.5 29.5h300v100q0 41 29.5 70.5t70.5 29.5zM500 1100v-100h200v100h-200zM1200 400v-200q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v200h1200z" />
<glyph unicode="&#xe140;" d="M50 1200h300q21 0 25 -10.5t-10 -24.5l-94 -94l199 -199q7 -8 7 -18t-7 -18l-106 -106q-8 -7 -18 -7t-18 7l-199 199l-94 -94q-14 -14 -24.5 -10t-10.5 25v300q0 21 14.5 35.5t35.5 14.5zM850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-199 -199q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l199 199l-94 94q-14 14 -10 24.5t25 10.5zM364 470l106 -106q7 -8 7 -18t-7 -18l-199 -199l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l199 199 q8 7 18 7t18 -7zM1071 271l94 94q14 14 24.5 10t10.5 -25v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -25 10.5t10 24.5l94 94l-199 199q-7 8 -7 18t7 18l106 106q8 7 18 7t18 -7z" />
<glyph unicode="&#xe141;" d="M596 1192q121 0 231.5 -47.5t190 -127t127 -190t47.5 -231.5t-47.5 -231.5t-127 -190.5t-190 -127t-231.5 -47t-231.5 47t-190.5 127t-127 190.5t-47 231.5t47 231.5t127 190t190.5 127t231.5 47.5zM596 1010q-112 0 -207.5 -55.5t-151 -151t-55.5 -207.5t55.5 -207.5 t151 -151t207.5 -55.5t207.5 55.5t151 151t55.5 207.5t-55.5 207.5t-151 151t-207.5 55.5zM454.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38.5 -16.5t-38.5 16.5t-16 39t16 38.5t38.5 16zM754.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38 -16.5q-14 0 -29 10l-55 -145 q17 -23 17 -51q0 -36 -25.5 -61.5t-61.5 -25.5t-61.5 25.5t-25.5 61.5q0 32 20.5 56.5t51.5 29.5l122 126l1 1q-9 14 -9 28q0 23 16 39t38.5 16zM345.5 709q22.5 0 38.5 -16t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16zM854.5 709q22.5 0 38.5 -16 t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16z" />
<glyph unicode="&#xe142;" d="M546 173l469 470q91 91 99 192q7 98 -52 175.5t-154 94.5q-22 4 -47 4q-34 0 -66.5 -10t-56.5 -23t-55.5 -38t-48 -41.5t-48.5 -47.5q-376 -375 -391 -390q-30 -27 -45 -41.5t-37.5 -41t-32 -46.5t-16 -47.5t-1.5 -56.5q9 -62 53.5 -95t99.5 -33q74 0 125 51l548 548 q36 36 20 75q-7 16 -21.5 26t-32.5 10q-26 0 -50 -23q-13 -12 -39 -38l-341 -338q-15 -15 -35.5 -15.5t-34.5 13.5t-14 34.5t14 34.5q327 333 361 367q35 35 67.5 51.5t78.5 16.5q14 0 29 -1q44 -8 74.5 -35.5t43.5 -68.5q14 -47 2 -96.5t-47 -84.5q-12 -11 -32 -32 t-79.5 -81t-114.5 -115t-124.5 -123.5t-123 -119.5t-96.5 -89t-57 -45q-56 -27 -120 -27q-70 0 -129 32t-93 89q-48 78 -35 173t81 163l511 511q71 72 111 96q91 55 198 55q80 0 152 -33q78 -36 129.5 -103t66.5 -154q17 -93 -11 -183.5t-94 -156.5l-482 -476 q-15 -15 -36 -16t-37 14t-17.5 34t14.5 35z" />
<glyph unicode="&#xe143;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104zM896 972q-33 0 -64.5 -19t-56.5 -46t-47.5 -53.5t-43.5 -45.5t-37.5 -19t-36 19t-40 45.5t-43 53.5t-54 46t-65.5 19q-67 0 -122.5 -55.5t-55.5 -132.5q0 -23 13.5 -51t46 -65t57.5 -63t76 -75l22 -22q15 -14 44 -44t50.5 -51t46 -44t41 -35t23 -12 t23.5 12t42.5 36t46 44t52.5 52t44 43q4 4 12 13q43 41 63.5 62t52 55t46 55t26 46t11.5 44q0 79 -53 133.5t-120 54.5z" />
<glyph unicode="&#xe144;" d="M776.5 1214q93.5 0 159.5 -66l141 -141q66 -66 66 -160q0 -42 -28 -95.5t-62 -87.5l-29 -29q-31 53 -77 99l-18 18l95 95l-247 248l-389 -389l212 -212l-105 -106l-19 18l-141 141q-66 66 -66 159t66 159l283 283q65 66 158.5 66zM600 706l105 105q10 -8 19 -17l141 -141 q66 -66 66 -159t-66 -159l-283 -283q-66 -66 -159 -66t-159 66l-141 141q-66 66 -66 159.5t66 159.5l55 55q29 -55 75 -102l18 -17l-95 -95l247 -248l389 389z" />
<glyph unicode="&#xe145;" d="M603 1200q85 0 162 -15t127 -38t79 -48t29 -46v-953q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-41 0 -70.5 29.5t-29.5 70.5v953q0 21 30 46.5t81 48t129 37.5t163 15zM300 1000v-700h600v700h-600zM600 254q-43 0 -73.5 -30.5t-30.5 -73.5t30.5 -73.5t73.5 -30.5t73.5 30.5 t30.5 73.5t-30.5 73.5t-73.5 30.5z" />
<glyph unicode="&#xe146;" d="M902 1185l283 -282q15 -15 15 -36t-14.5 -35.5t-35.5 -14.5t-35 15l-36 35l-279 -267v-300l-212 210l-308 -307l-280 -203l203 280l307 308l-210 212h300l267 279l-35 36q-15 14 -15 35t14.5 35.5t35.5 14.5t35 -15z" />
<glyph unicode="&#xe148;" d="M700 1248v-78q38 -5 72.5 -14.5t75.5 -31.5t71 -53.5t52 -84t24 -118.5h-159q-4 36 -10.5 59t-21 45t-40 35.5t-64.5 20.5v-307l64 -13q34 -7 64 -16.5t70 -32t67.5 -52.5t47.5 -80t20 -112q0 -139 -89 -224t-244 -97v-77h-100v79q-150 16 -237 103q-40 40 -52.5 93.5 t-15.5 139.5h139q5 -77 48.5 -126t117.5 -65v335l-27 8q-46 14 -79 26.5t-72 36t-63 52t-40 72.5t-16 98q0 70 25 126t67.5 92t94.5 57t110 27v77h100zM600 754v274q-29 -4 -50 -11t-42 -21.5t-31.5 -41.5t-10.5 -65q0 -29 7 -50.5t16.5 -34t28.5 -22.5t31.5 -14t37.5 -10 q9 -3 13 -4zM700 547v-310q22 2 42.5 6.5t45 15.5t41.5 27t29 42t12 59.5t-12.5 59.5t-38 44.5t-53 31t-66.5 24.5z" />
<glyph unicode="&#xe149;" d="M561 1197q84 0 160.5 -40t123.5 -109.5t47 -147.5h-153q0 40 -19.5 71.5t-49.5 48.5t-59.5 26t-55.5 9q-37 0 -79 -14.5t-62 -35.5q-41 -44 -41 -101q0 -26 13.5 -63t26.5 -61t37 -66q6 -9 9 -14h241v-100h-197q8 -50 -2.5 -115t-31.5 -95q-45 -62 -99 -112 q34 10 83 17.5t71 7.5q32 1 102 -16t104 -17q83 0 136 30l50 -147q-31 -19 -58 -30.5t-55 -15.5t-42 -4.5t-46 -0.5q-23 0 -76 17t-111 32.5t-96 11.5q-39 -3 -82 -16t-67 -25l-23 -11l-55 145q4 3 16 11t15.5 10.5t13 9t15.5 12t14.5 14t17.5 18.5q48 55 54 126.5 t-30 142.5h-221v100h166q-23 47 -44 104q-7 20 -12 41.5t-6 55.5t6 66.5t29.5 70.5t58.5 71q97 88 263 88z" />
<glyph unicode="&#xe150;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM935 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-900h-200v900h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
<glyph unicode="&#xe151;" d="M1000 700h-100v100h-100v-100h-100v500h300v-500zM400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM801 1100v-200h100v200h-100zM1000 350l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150z " />
<glyph unicode="&#xe152;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 1050l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150zM1000 0h-100v100h-100v-100h-100v500h300v-500zM801 400v-200h100v200h-100z " />
<glyph unicode="&#xe153;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 700h-100v400h-100v100h200v-500zM1100 0h-100v100h-200v400h300v-500zM901 400v-200h100v200h-100z" />
<glyph unicode="&#xe154;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1100 700h-100v100h-200v400h300v-500zM901 1100v-200h100v200h-100zM1000 0h-100v400h-100v100h200v-500z" />
<glyph unicode="&#xe155;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM900 1000h-200v200h200v-200zM1000 700h-300v200h300v-200zM1100 400h-400v200h400v-200zM1200 100h-500v200h500v-200z" />
<glyph unicode="&#xe156;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1200 1000h-500v200h500v-200zM1100 700h-400v200h400v-200zM1000 400h-300v200h300v-200zM900 100h-200v200h200v-200z" />
<glyph unicode="&#xe157;" d="M350 1100h400q162 0 256 -93.5t94 -256.5v-400q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5z" />
<glyph unicode="&#xe158;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-163 0 -256.5 92.5t-93.5 257.5v400q0 163 94 256.5t256 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM440 770l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
<glyph unicode="&#xe159;" d="M350 1100h400q163 0 256.5 -94t93.5 -256v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 163 92.5 256.5t257.5 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM350 700h400q21 0 26.5 -12t-6.5 -28l-190 -253q-12 -17 -30 -17t-30 17l-190 253q-12 16 -6.5 28t26.5 12z" />
<glyph unicode="&#xe160;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -163 -92.5 -256.5t-257.5 -93.5h-400q-163 0 -256.5 94t-93.5 256v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM580 693l190 -253q12 -16 6.5 -28t-26.5 -12h-400q-21 0 -26.5 12t6.5 28l190 253q12 17 30 17t30 -17z" />
<glyph unicode="&#xe161;" d="M550 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h450q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5h-450q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM338 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
<glyph unicode="&#xe162;" d="M793 1182l9 -9q8 -10 5 -27q-3 -11 -79 -225.5t-78 -221.5l300 1q24 0 32.5 -17.5t-5.5 -35.5q-1 0 -133.5 -155t-267 -312.5t-138.5 -162.5q-12 -15 -26 -15h-9l-9 8q-9 11 -4 32q2 9 42 123.5t79 224.5l39 110h-302q-23 0 -31 19q-10 21 6 41q75 86 209.5 237.5 t228 257t98.5 111.5q9 16 25 16h9z" />
<glyph unicode="&#xe163;" d="M350 1100h400q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-450q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h450q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400 q0 165 92.5 257.5t257.5 92.5zM938 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
<glyph unicode="&#xe164;" d="M750 1200h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -10.5 -25t-24.5 10l-109 109l-312 -312q-15 -15 -35.5 -15t-35.5 15l-141 141q-15 15 -15 35.5t15 35.5l312 312l-109 109q-14 14 -10 24.5t25 10.5zM456 900h-156q-41 0 -70.5 -29.5t-29.5 -70.5v-500 q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v148l200 200v-298q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5h300z" />
<glyph unicode="&#xe165;" d="M600 1186q119 0 227.5 -46.5t187 -125t125 -187t46.5 -227.5t-46.5 -227.5t-125 -187t-187 -125t-227.5 -46.5t-227.5 46.5t-187 125t-125 187t-46.5 227.5t46.5 227.5t125 187t187 125t227.5 46.5zM600 1022q-115 0 -212 -56.5t-153.5 -153.5t-56.5 -212t56.5 -212 t153.5 -153.5t212 -56.5t212 56.5t153.5 153.5t56.5 212t-56.5 212t-153.5 153.5t-212 56.5zM600 794q80 0 137 -57t57 -137t-57 -137t-137 -57t-137 57t-57 137t57 137t137 57z" />
<glyph unicode="&#xe166;" d="M450 1200h200q21 0 35.5 -14.5t14.5 -35.5v-350h245q20 0 25 -11t-9 -26l-383 -426q-14 -15 -33.5 -15t-32.5 15l-379 426q-13 15 -8.5 26t25.5 11h250v350q0 21 14.5 35.5t35.5 14.5zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
<glyph unicode="&#xe167;" d="M583 1182l378 -435q14 -15 9 -31t-26 -16h-244v-250q0 -20 -17 -35t-39 -15h-200q-20 0 -32 14.5t-12 35.5v250h-250q-20 0 -25.5 16.5t8.5 31.5l383 431q14 16 33.5 17t33.5 -14zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
<glyph unicode="&#xe168;" d="M396 723l369 369q7 7 17.5 7t17.5 -7l139 -139q7 -8 7 -18.5t-7 -17.5l-525 -525q-7 -8 -17.5 -8t-17.5 8l-292 291q-7 8 -7 18t7 18l139 139q8 7 18.5 7t17.5 -7zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50 h-100z" />
<glyph unicode="&#xe169;" d="M135 1023l142 142q14 14 35 14t35 -14l77 -77l-212 -212l-77 76q-14 15 -14 36t14 35zM655 855l210 210q14 14 24.5 10t10.5 -25l-2 -599q-1 -20 -15.5 -35t-35.5 -15l-597 -1q-21 0 -25 10.5t10 24.5l208 208l-154 155l212 212zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5 v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
<glyph unicode="&#xe170;" d="M350 1200l599 -2q20 -1 35 -15.5t15 -35.5l1 -597q0 -21 -10.5 -25t-24.5 10l-208 208l-155 -154l-212 212l155 154l-210 210q-14 14 -10 24.5t25 10.5zM524 512l-76 -77q-15 -14 -36 -14t-35 14l-142 142q-14 14 -14 35t14 35l77 77zM50 300h1000q21 0 35.5 -14.5 t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
<glyph unicode="&#xe171;" d="M1200 103l-483 276l-314 -399v423h-399l1196 796v-1096zM483 424v-230l683 953z" />
<glyph unicode="&#xe172;" d="M1100 1000v-850q0 -21 -14.5 -35.5t-35.5 -14.5h-150v400h-700v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200z" />
<glyph unicode="&#xe173;" d="M1100 1000l-2 -149l-299 -299l-95 95q-9 9 -21.5 9t-21.5 -9l-149 -147h-312v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1132 638l106 -106q7 -7 7 -17.5t-7 -17.5l-420 -421q-8 -7 -18 -7 t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l297 297q7 7 17.5 7t17.5 -7z" />
<glyph unicode="&#xe174;" d="M1100 1000v-269l-103 -103l-134 134q-15 15 -33.5 16.5t-34.5 -12.5l-266 -266h-329v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1202 572l70 -70q15 -15 15 -35.5t-15 -35.5l-131 -131 l131 -131q15 -15 15 -35.5t-15 -35.5l-70 -70q-15 -15 -35.5 -15t-35.5 15l-131 131l-131 -131q-15 -15 -35.5 -15t-35.5 15l-70 70q-15 15 -15 35.5t15 35.5l131 131l-131 131q-15 15 -15 35.5t15 35.5l70 70q15 15 35.5 15t35.5 -15l131 -131l131 131q15 15 35.5 15 t35.5 -15z" />
<glyph unicode="&#xe175;" d="M1100 1000v-300h-350q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-500v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM850 600h100q21 0 35.5 -14.5t14.5 -35.5v-250h150q21 0 25 -10.5t-10 -24.5 l-230 -230q-14 -14 -35 -14t-35 14l-230 230q-14 14 -10 24.5t25 10.5h150v250q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe176;" d="M1100 1000v-400l-165 165q-14 15 -35 15t-35 -15l-263 -265h-402v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM935 565l230 -229q14 -15 10 -25.5t-25 -10.5h-150v-250q0 -20 -14.5 -35 t-35.5 -15h-100q-21 0 -35.5 15t-14.5 35v250h-150q-21 0 -25 10.5t10 25.5l230 229q14 15 35 15t35 -15z" />
<glyph unicode="&#xe177;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-150h-1200v150q0 21 14.5 35.5t35.5 14.5zM1200 800v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v550h1200zM100 500v-200h400v200h-400z" />
<glyph unicode="&#xe178;" d="M935 1165l248 -230q14 -14 14 -35t-14 -35l-248 -230q-14 -14 -24.5 -10t-10.5 25v150h-400v200h400v150q0 21 10.5 25t24.5 -10zM200 800h-50q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v-200zM400 800h-100v200h100v-200zM18 435l247 230 q14 14 24.5 10t10.5 -25v-150h400v-200h-400v-150q0 -21 -10.5 -25t-24.5 10l-247 230q-15 14 -15 35t15 35zM900 300h-100v200h100v-200zM1000 500h51q20 0 34.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-34.5 -14.5h-51v200z" />
<glyph unicode="&#xe179;" d="M862 1073l276 116q25 18 43.5 8t18.5 -41v-1106q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v397q-4 1 -11 5t-24 17.5t-30 29t-24 42t-11 56.5v359q0 31 18.5 65t43.5 52zM550 1200q22 0 34.5 -12.5t14.5 -24.5l1 -13v-450q0 -28 -10.5 -59.5 t-25 -56t-29 -45t-25.5 -31.5l-10 -11v-447q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v447q-4 4 -11 11.5t-24 30.5t-30 46t-24 55t-11 60v450q0 2 0.5 5.5t4 12t8.5 15t14.5 12t22.5 5.5q20 0 32.5 -12.5t14.5 -24.5l3 -13v-350h100v350v5.5t2.5 12 t7 15t15 12t25.5 5.5q23 0 35.5 -12.5t13.5 -24.5l1 -13v-350h100v350q0 2 0.5 5.5t3 12t7 15t15 12t24.5 5.5z" />
<glyph unicode="&#xe180;" d="M1200 1100v-56q-4 0 -11 -0.5t-24 -3t-30 -7.5t-24 -15t-11 -24v-888q0 -22 25 -34.5t50 -13.5l25 -2v-56h-400v56q75 0 87.5 6.5t12.5 43.5v394h-500v-394q0 -37 12.5 -43.5t87.5 -6.5v-56h-400v56q4 0 11 0.5t24 3t30 7.5t24 15t11 24v888q0 22 -25 34.5t-50 13.5 l-25 2v56h400v-56q-75 0 -87.5 -6.5t-12.5 -43.5v-394h500v394q0 37 -12.5 43.5t-87.5 6.5v56h400z" />
<glyph unicode="&#xe181;" d="M675 1000h375q21 0 35.5 -14.5t14.5 -35.5v-150h-105l-295 -98v98l-200 200h-400l100 100h375zM100 900h300q41 0 70.5 -29.5t29.5 -70.5v-500q0 -41 -29.5 -70.5t-70.5 -29.5h-300q-41 0 -70.5 29.5t-29.5 70.5v500q0 41 29.5 70.5t70.5 29.5zM100 800v-200h300v200 h-300zM1100 535l-400 -133v163l400 133v-163zM100 500v-200h300v200h-300zM1100 398v-248q0 -21 -14.5 -35.5t-35.5 -14.5h-375l-100 -100h-375l-100 100h400l200 200h105z" />
<glyph unicode="&#xe182;" d="M17 1007l162 162q17 17 40 14t37 -22l139 -194q14 -20 11 -44.5t-20 -41.5l-119 -118q102 -142 228 -268t267 -227l119 118q17 17 42.5 19t44.5 -12l192 -136q19 -14 22.5 -37.5t-13.5 -40.5l-163 -162q-3 -1 -9.5 -1t-29.5 2t-47.5 6t-62.5 14.5t-77.5 26.5t-90 42.5 t-101.5 60t-111 83t-119 108.5q-74 74 -133.5 150.5t-94.5 138.5t-60 119.5t-34.5 100t-15 74.5t-4.5 48z" />
<glyph unicode="&#xe183;" d="M600 1100q92 0 175 -10.5t141.5 -27t108.5 -36.5t81.5 -40t53.5 -37t31 -27l9 -10v-200q0 -21 -14.5 -33t-34.5 -9l-202 34q-20 3 -34.5 20t-14.5 38v146q-141 24 -300 24t-300 -24v-146q0 -21 -14.5 -38t-34.5 -20l-202 -34q-20 -3 -34.5 9t-14.5 33v200q3 4 9.5 10.5 t31 26t54 37.5t80.5 39.5t109 37.5t141 26.5t175 10.5zM600 795q56 0 97 -9.5t60 -23.5t30 -28t12 -24l1 -10v-50l365 -303q14 -15 24.5 -40t10.5 -45v-212q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v212q0 20 10.5 45t24.5 40l365 303v50 q0 4 1 10.5t12 23t30 29t60 22.5t97 10z" />
<glyph unicode="&#xe184;" d="M1100 700l-200 -200h-600l-200 200v500h200v-200h200v200h200v-200h200v200h200v-500zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5 t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe185;" d="M700 1100h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-1000h300v1000q0 41 -29.5 70.5t-70.5 29.5zM1100 800h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-700h300v700q0 41 -29.5 70.5t-70.5 29.5zM400 0h-300v400q0 41 29.5 70.5t70.5 29.5h100q41 0 70.5 -29.5t29.5 -70.5v-400z " />
<glyph unicode="&#xe186;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
<glyph unicode="&#xe187;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 300h-100v200h-100v-200h-100v500h100v-200h100v200h100v-500zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
<glyph unicode="&#xe188;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-300h200v-100h-300v500h300v-100zM900 700h-200v-300h200v-100h-300v500h300v-100z" />
<glyph unicode="&#xe189;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 400l-300 150l300 150v-300zM900 550l-300 -150v300z" />
<glyph unicode="&#xe190;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM900 300h-700v500h700v-500zM800 700h-130q-38 0 -66.5 -43t-28.5 -108t27 -107t68 -42h130v300zM300 700v-300 h130q41 0 68 42t27 107t-28.5 108t-66.5 43h-130z" />
<glyph unicode="&#xe191;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 300h-100v400h-100v100h200v-500z M700 300h-100v100h100v-100z" />
<glyph unicode="&#xe192;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM300 700h200v-400h-300v500h100v-100zM900 300h-100v400h-100v100h200v-500zM300 600v-200h100v200h-100z M700 300h-100v100h100v-100z" />
<glyph unicode="&#xe193;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 500l-199 -200h-100v50l199 200v150h-200v100h300v-300zM900 300h-100v400h-100v100h200v-500zM701 300h-100 v100h100v-100z" />
<glyph unicode="&#xe194;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700h-300v-200h300v-100h-300l-100 100v200l100 100h300v-100z" />
<glyph unicode="&#xe195;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700v-100l-50 -50l100 -100v-50h-100l-100 100h-150v-100h-100v400h300zM500 700v-100h200v100h-200z" />
<glyph unicode="&#xe197;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -207t-85 -207t-205 -86.5h-128v250q0 21 -14.5 35.5t-35.5 14.5h-300q-21 0 -35.5 -14.5t-14.5 -35.5v-250h-222q-80 0 -136 57.5t-56 136.5q0 69 43 122.5t108 67.5q-2 19 -2 37q0 100 49 185 t134 134t185 49zM525 500h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -244q-13 -16 -32 -16t-32 16l-223 244q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe198;" d="M502 1089q110 0 201 -59.5t135 -156.5q43 15 89 15q121 0 206 -86.5t86 -206.5q0 -99 -60 -181t-150 -110l-378 360q-13 16 -31.5 16t-31.5 -16l-381 -365h-9q-79 0 -135.5 57.5t-56.5 136.5q0 69 43 122.5t108 67.5q-2 19 -2 38q0 100 49 184.5t133.5 134t184.5 49.5z M632 467l223 -228q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5q199 204 223 228q19 19 31.5 19t32.5 -19z" />
<glyph unicode="&#xe199;" d="M700 100v100h400l-270 300h170l-270 300h170l-300 333l-300 -333h170l-270 -300h170l-270 -300h400v-100h-50q-21 0 -35.5 -14.5t-14.5 -35.5v-50h400v50q0 21 -14.5 35.5t-35.5 14.5h-50z" />
<glyph unicode="&#xe200;" d="M600 1179q94 0 167.5 -56.5t99.5 -145.5q89 -6 150.5 -71.5t61.5 -155.5q0 -61 -29.5 -112.5t-79.5 -82.5q9 -29 9 -55q0 -74 -52.5 -126.5t-126.5 -52.5q-55 0 -100 30v-251q21 0 35.5 -14.5t14.5 -35.5v-50h-300v50q0 21 14.5 35.5t35.5 14.5v251q-45 -30 -100 -30 q-74 0 -126.5 52.5t-52.5 126.5q0 18 4 38q-47 21 -75.5 65t-28.5 97q0 74 52.5 126.5t126.5 52.5q5 0 23 -2q0 2 -1 10t-1 13q0 116 81.5 197.5t197.5 81.5z" />
<glyph unicode="&#xe201;" d="M1010 1010q111 -111 150.5 -260.5t0 -299t-150.5 -260.5q-83 -83 -191.5 -126.5t-218.5 -43.5t-218.5 43.5t-191.5 126.5q-111 111 -150.5 260.5t0 299t150.5 260.5q83 83 191.5 126.5t218.5 43.5t218.5 -43.5t191.5 -126.5zM476 1065q-4 0 -8 -1q-121 -34 -209.5 -122.5 t-122.5 -209.5q-4 -12 2.5 -23t18.5 -14l36 -9q3 -1 7 -1q23 0 29 22q27 96 98 166q70 71 166 98q11 3 17.5 13.5t3.5 22.5l-9 35q-3 13 -14 19q-7 4 -15 4zM512 920q-4 0 -9 -2q-80 -24 -138.5 -82.5t-82.5 -138.5q-4 -13 2 -24t19 -14l34 -9q4 -1 8 -1q22 0 28 21 q18 58 58.5 98.5t97.5 58.5q12 3 18 13.5t3 21.5l-9 35q-3 12 -14 19q-7 4 -15 4zM719.5 719.5q-49.5 49.5 -119.5 49.5t-119.5 -49.5t-49.5 -119.5t49.5 -119.5t119.5 -49.5t119.5 49.5t49.5 119.5t-49.5 119.5zM855 551q-22 0 -28 -21q-18 -58 -58.5 -98.5t-98.5 -57.5 q-11 -4 -17 -14.5t-3 -21.5l9 -35q3 -12 14 -19q7 -4 15 -4q4 0 9 2q80 24 138.5 82.5t82.5 138.5q4 13 -2.5 24t-18.5 14l-34 9q-4 1 -8 1zM1000 515q-23 0 -29 -22q-27 -96 -98 -166q-70 -71 -166 -98q-11 -3 -17.5 -13.5t-3.5 -22.5l9 -35q3 -13 14 -19q7 -4 15 -4 q4 0 8 1q121 34 209.5 122.5t122.5 209.5q4 12 -2.5 23t-18.5 14l-36 9q-3 1 -7 1z" />
<glyph unicode="&#xe202;" d="M700 800h300v-380h-180v200h-340v-200h-380v755q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM700 300h162l-212 -212l-212 212h162v200h100v-200zM520 0h-395q-10 0 -17.5 7.5t-7.5 17.5v395zM1000 220v-195q0 -10 -7.5 -17.5t-17.5 -7.5h-195z" />
<glyph unicode="&#xe203;" d="M700 800h300v-520l-350 350l-550 -550v1095q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM862 200h-162v-200h-100v200h-162l212 212zM480 0h-355q-10 0 -17.5 7.5t-7.5 17.5v55h380v-80zM1000 80v-55q0 -10 -7.5 -17.5t-17.5 -7.5h-155v80h180z" />
<glyph unicode="&#xe204;" d="M1162 800h-162v-200h100l100 -100h-300v300h-162l212 212zM200 800h200q27 0 40 -2t29.5 -10.5t23.5 -30t7 -57.5h300v-100h-600l-200 -350v450h100q0 36 7 57.5t23.5 30t29.5 10.5t40 2zM800 400h240l-240 -400h-800l300 500h500v-100z" />
<glyph unicode="&#xe205;" d="M650 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM1000 850v150q41 0 70.5 -29.5t29.5 -70.5v-800 q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-1 0 -20 4l246 246l-326 326v324q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM412 250l-212 -212v162h-200v100h200v162z" />
<glyph unicode="&#xe206;" d="M450 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM800 850v150q41 0 70.5 -29.5t29.5 -70.5v-500 h-200v-300h200q0 -36 -7 -57.5t-23.5 -30t-29.5 -10.5t-40 -2h-600q-41 0 -70.5 29.5t-29.5 70.5v800q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM1212 250l-212 -212v162h-200v100h200v162z" />
<glyph unicode="&#xe209;" d="M658 1197l637 -1104q23 -38 7 -65.5t-60 -27.5h-1276q-44 0 -60 27.5t7 65.5l637 1104q22 39 54 39t54 -39zM704 800h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM500 300v-100h200 v100h-200z" />
<glyph unicode="&#xe210;" d="M425 1100h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM825 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM25 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5zM425 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5 v150q0 10 7.5 17.5t17.5 7.5zM25 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe211;" d="M700 1200h100v-200h-100v-100h350q62 0 86.5 -39.5t-3.5 -94.5l-66 -132q-41 -83 -81 -134h-772q-40 51 -81 134l-66 132q-28 55 -3.5 94.5t86.5 39.5h350v100h-100v200h100v100h200v-100zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100 h-950l138 100h-13q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe212;" d="M600 1300q40 0 68.5 -29.5t28.5 -70.5h-194q0 41 28.5 70.5t68.5 29.5zM443 1100h314q18 -37 18 -75q0 -8 -3 -25h328q41 0 44.5 -16.5t-30.5 -38.5l-175 -145h-678l-178 145q-34 22 -29 38.5t46 16.5h328q-3 17 -3 25q0 38 18 75zM250 700h700q21 0 35.5 -14.5 t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-150v-200l275 -200h-950l275 200v200h-150q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe213;" d="M600 1181q75 0 128 -53t53 -128t-53 -128t-128 -53t-128 53t-53 128t53 128t128 53zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13 l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe214;" d="M600 1300q47 0 92.5 -53.5t71 -123t25.5 -123.5q0 -78 -55.5 -133.5t-133.5 -55.5t-133.5 55.5t-55.5 133.5q0 62 34 143l144 -143l111 111l-163 163q34 26 63 26zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45 zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe215;" d="M600 1200l300 -161v-139h-300q0 -57 18.5 -108t50 -91.5t63 -72t70 -67.5t57.5 -61h-530q-60 83 -90.5 177.5t-30.5 178.5t33 164.5t87.5 139.5t126 96.5t145.5 41.5v-98zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100 h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe216;" d="M600 1300q41 0 70.5 -29.5t29.5 -70.5v-78q46 -26 73 -72t27 -100v-50h-400v50q0 54 27 100t73 72v78q0 41 29.5 70.5t70.5 29.5zM400 800h400q54 0 100 -27t72 -73h-172v-100h200v-100h-200v-100h200v-100h-200v-100h200q0 -83 -58.5 -141.5t-141.5 -58.5h-400 q-83 0 -141.5 58.5t-58.5 141.5v400q0 83 58.5 141.5t141.5 58.5z" />
<glyph unicode="&#xe218;" d="M150 1100h900q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM125 400h950q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-283l224 -224q13 -13 13 -31.5t-13 -32 t-31.5 -13.5t-31.5 13l-88 88h-524l-87 -88q-13 -13 -32 -13t-32 13.5t-13 32t13 31.5l224 224h-289q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM541 300l-100 -100h324l-100 100h-124z" />
<glyph unicode="&#xe219;" d="M200 1100h800q83 0 141.5 -58.5t58.5 -141.5v-200h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100v200q0 83 58.5 141.5t141.5 58.5zM100 600h1000q41 0 70.5 -29.5 t29.5 -70.5v-300h-1200v300q0 41 29.5 70.5t70.5 29.5zM300 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200zM1100 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200z" />
<glyph unicode="&#xe221;" d="M480 1165l682 -683q31 -31 31 -75.5t-31 -75.5l-131 -131h-481l-517 518q-32 31 -32 75.5t32 75.5l295 296q31 31 75.5 31t76.5 -31zM108 794l342 -342l303 304l-341 341zM250 100h800q21 0 35.5 -14.5t14.5 -35.5v-50h-900v50q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe223;" d="M1057 647l-189 506q-8 19 -27.5 33t-40.5 14h-400q-21 0 -40.5 -14t-27.5 -33l-189 -506q-8 -19 1.5 -33t30.5 -14h625v-150q0 -21 14.5 -35.5t35.5 -14.5t35.5 14.5t14.5 35.5v150h125q21 0 30.5 14t1.5 33zM897 0h-595v50q0 21 14.5 35.5t35.5 14.5h50v50 q0 21 14.5 35.5t35.5 14.5h48v300h200v-300h47q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-50z" />
<glyph unicode="&#xe224;" d="M900 800h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-375v591l-300 300v84q0 10 7.5 17.5t17.5 7.5h375v-400zM1200 900h-200v200zM400 600h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-650q-10 0 -17.5 7.5t-7.5 17.5v950q0 10 7.5 17.5t17.5 7.5h375v-400zM700 700h-200v200z " />
<glyph unicode="&#xe225;" d="M484 1095h195q75 0 146 -32.5t124 -86t89.5 -122.5t48.5 -142q18 -14 35 -20q31 -10 64.5 6.5t43.5 48.5q10 34 -15 71q-19 27 -9 43q5 8 12.5 11t19 -1t23.5 -16q41 -44 39 -105q-3 -63 -46 -106.5t-104 -43.5h-62q-7 -55 -35 -117t-56 -100l-39 -234q-3 -20 -20 -34.5 t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l12 70q-49 -14 -91 -14h-195q-24 0 -65 8l-11 -64q-3 -20 -20 -34.5t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l26 157q-84 74 -128 175l-159 53q-19 7 -33 26t-14 40v50q0 21 14.5 35.5t35.5 14.5h124q11 87 56 166l-111 95 q-16 14 -12.5 23.5t24.5 9.5h203q116 101 250 101zM675 1000h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h250q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5t-17.5 7.5z" />
<glyph unicode="&#xe226;" d="M641 900l423 247q19 8 42 2.5t37 -21.5l32 -38q14 -15 12.5 -36t-17.5 -34l-139 -120h-390zM50 1100h106q67 0 103 -17t66 -71l102 -212h823q21 0 35.5 -14.5t14.5 -35.5v-50q0 -21 -14 -40t-33 -26l-737 -132q-23 -4 -40 6t-26 25q-42 67 -100 67h-300q-62 0 -106 44 t-44 106v200q0 62 44 106t106 44zM173 928h-80q-19 0 -28 -14t-9 -35v-56q0 -51 42 -51h134q16 0 21.5 8t5.5 24q0 11 -16 45t-27 51q-18 28 -43 28zM550 727q-32 0 -54.5 -22.5t-22.5 -54.5t22.5 -54.5t54.5 -22.5t54.5 22.5t22.5 54.5t-22.5 54.5t-54.5 22.5zM130 389 l152 130q18 19 34 24t31 -3.5t24.5 -17.5t25.5 -28q28 -35 50.5 -51t48.5 -13l63 5l48 -179q13 -61 -3.5 -97.5t-67.5 -79.5l-80 -69q-47 -40 -109 -35.5t-103 51.5l-130 151q-40 47 -35.5 109.5t51.5 102.5zM380 377l-102 -88q-31 -27 2 -65l37 -43q13 -15 27.5 -19.5 t31.5 6.5l61 53q19 16 14 49q-2 20 -12 56t-17 45q-11 12 -19 14t-23 -8z" />
<glyph unicode="&#xe227;" d="M625 1200h150q10 0 17.5 -7.5t7.5 -17.5v-109q79 -33 131 -87.5t53 -128.5q1 -46 -15 -84.5t-39 -61t-46 -38t-39 -21.5l-17 -6q6 0 15 -1.5t35 -9t50 -17.5t53 -30t50 -45t35.5 -64t14.5 -84q0 -59 -11.5 -105.5t-28.5 -76.5t-44 -51t-49.5 -31.5t-54.5 -16t-49.5 -6.5 t-43.5 -1v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-100v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-175q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v600h-75q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5h175v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h100v75q0 10 7.5 17.5t17.5 7.5zM400 900v-200h263q28 0 48.5 10.5t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-263zM400 500v-200h363q28 0 48.5 10.5 t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-363z" />
<glyph unicode="&#xe230;" d="M212 1198h780q86 0 147 -61t61 -147v-416q0 -51 -18 -142.5t-36 -157.5l-18 -66q-29 -87 -93.5 -146.5t-146.5 -59.5h-572q-82 0 -147 59t-93 147q-8 28 -20 73t-32 143.5t-20 149.5v416q0 86 61 147t147 61zM600 1045q-70 0 -132.5 -11.5t-105.5 -30.5t-78.5 -41.5 t-57 -45t-36 -41t-20.5 -30.5l-6 -12l156 -243h560l156 243q-2 5 -6 12.5t-20 29.5t-36.5 42t-57 44.5t-79 42t-105 29.5t-132.5 12zM762 703h-157l195 261z" />
<glyph unicode="&#xe231;" d="M475 1300h150q103 0 189 -86t86 -189v-500q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
<glyph unicode="&#xe232;" d="M475 1300h96q0 -150 89.5 -239.5t239.5 -89.5v-446q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
<glyph unicode="&#xe233;" d="M1294 767l-638 -283l-378 170l-78 -60v-224l100 -150v-199l-150 148l-150 -149v200l100 150v250q0 4 -0.5 10.5t0 9.5t1 8t3 8t6.5 6l47 40l-147 65l642 283zM1000 380l-350 -166l-350 166v147l350 -165l350 165v-147z" />
<glyph unicode="&#xe234;" d="M250 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM650 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM1050 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
<glyph unicode="&#xe235;" d="M550 1100q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 700q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 300q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
<glyph unicode="&#xe236;" d="M125 1100h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM125 700h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM125 300h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
<glyph unicode="&#xe237;" d="M350 1200h500q162 0 256 -93.5t94 -256.5v-500q0 -165 -93.5 -257.5t-256.5 -92.5h-500q-165 0 -257.5 92.5t-92.5 257.5v500q0 165 92.5 257.5t257.5 92.5zM900 1000h-600q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h600q41 0 70.5 29.5 t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5zM350 900h500q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-500q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 14.5 35.5t35.5 14.5zM400 800v-200h400v200h-400z" />
<glyph unicode="&#xe238;" d="M150 1100h1000q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe239;" d="M650 1187q87 -67 118.5 -156t0 -178t-118.5 -155q-87 66 -118.5 155t0 178t118.5 156zM300 800q124 0 212 -88t88 -212q-124 0 -212 88t-88 212zM1000 800q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM300 500q124 0 212 -88t88 -212q-124 0 -212 88t-88 212z M1000 500q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM700 199v-144q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v142q40 -4 43 -4q17 0 57 6z" />
<glyph unicode="&#xe240;" d="M745 878l69 19q25 6 45 -12l298 -295q11 -11 15 -26.5t-2 -30.5q-5 -14 -18 -23.5t-28 -9.5h-8q1 0 1 -13q0 -29 -2 -56t-8.5 -62t-20 -63t-33 -53t-51 -39t-72.5 -14h-146q-184 0 -184 288q0 24 10 47q-20 4 -62 4t-63 -4q11 -24 11 -47q0 -288 -184 -288h-142 q-48 0 -84.5 21t-56 51t-32 71.5t-16 75t-3.5 68.5q0 13 2 13h-7q-15 0 -27.5 9.5t-18.5 23.5q-6 15 -2 30.5t15 25.5l298 296q20 18 46 11l76 -19q20 -5 30.5 -22.5t5.5 -37.5t-22.5 -31t-37.5 -5l-51 12l-182 -193h891l-182 193l-44 -12q-20 -5 -37.5 6t-22.5 31t6 37.5 t31 22.5z" />
<glyph unicode="&#xe241;" d="M1200 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM500 450h-25q0 15 -4 24.5t-9 14.5t-17 7.5t-20 3t-25 0.5h-100v-425q0 -11 12.5 -17.5t25.5 -7.5h12v-50h-200v50q50 0 50 25v425h-100q-17 0 -25 -0.5t-20 -3t-17 -7.5t-9 -14.5t-4 -24.5h-25v150h500v-150z" />
<glyph unicode="&#xe242;" d="M1000 300v50q-25 0 -55 32q-14 14 -25 31t-16 27l-4 11l-289 747h-69l-300 -754q-18 -35 -39 -56q-9 -9 -24.5 -18.5t-26.5 -14.5l-11 -5v-50h273v50q-49 0 -78.5 21.5t-11.5 67.5l69 176h293l61 -166q13 -34 -3.5 -66.5t-55.5 -32.5v-50h312zM412 691l134 342l121 -342 h-255zM1100 150v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5z" />
<glyph unicode="&#xe243;" d="M50 1200h1100q21 0 35.5 -14.5t14.5 -35.5v-1100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5zM611 1118h-70q-13 0 -18 -12l-299 -753q-17 -32 -35 -51q-18 -18 -56 -34q-12 -5 -12 -18v-50q0 -8 5.5 -14t14.5 -6 h273q8 0 14 6t6 14v50q0 8 -6 14t-14 6q-55 0 -71 23q-10 14 0 39l63 163h266l57 -153q11 -31 -6 -55q-12 -17 -36 -17q-8 0 -14 -6t-6 -14v-50q0 -8 6 -14t14 -6h313q8 0 14 6t6 14v50q0 7 -5.5 13t-13.5 7q-17 0 -42 25q-25 27 -40 63h-1l-288 748q-5 12 -19 12zM639 611 h-197l103 264z" />
<glyph unicode="&#xe244;" d="M1200 1100h-1200v100h1200v-100zM50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 1000h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM700 900v-300h300v300h-300z" />
<glyph unicode="&#xe245;" d="M50 1200h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 700h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM700 600v-300h300v300h-300zM1200 0h-1200v100h1200v-100z" />
<glyph unicode="&#xe246;" d="M50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-350h100v150q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-150h100v-100h-100v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v150h-100v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM700 700v-300h300v300h-300z" />
<glyph unicode="&#xe247;" d="M100 0h-100v1200h100v-1200zM250 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM300 1000v-300h300v300h-300zM250 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe248;" d="M600 1100h150q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-100h450q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h350v100h-150q-21 0 -35.5 14.5 t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h150v100h100v-100zM400 1000v-300h300v300h-300z" />
<glyph unicode="&#xe249;" d="M1200 0h-100v1200h100v-1200zM550 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM600 1000v-300h300v300h-300zM50 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
<glyph unicode="&#xe250;" d="M865 565l-494 -494q-23 -23 -41 -23q-14 0 -22 13.5t-8 38.5v1000q0 25 8 38.5t22 13.5q18 0 41 -23l494 -494q14 -14 14 -35t-14 -35z" />
<glyph unicode="&#xe251;" d="M335 635l494 494q29 29 50 20.5t21 -49.5v-1000q0 -41 -21 -49.5t-50 20.5l-494 494q-14 14 -14 35t14 35z" />
<glyph unicode="&#xe252;" d="M100 900h1000q41 0 49.5 -21t-20.5 -50l-494 -494q-14 -14 -35 -14t-35 14l-494 494q-29 29 -20.5 50t49.5 21z" />
<glyph unicode="&#xe253;" d="M635 865l494 -494q29 -29 20.5 -50t-49.5 -21h-1000q-41 0 -49.5 21t20.5 50l494 494q14 14 35 14t35 -14z" />
<glyph unicode="&#xe254;" d="M700 741v-182l-692 -323v221l413 193l-413 193v221zM1200 0h-800v200h800v-200z" />
<glyph unicode="&#xe255;" d="M1200 900h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300zM0 700h50q0 21 4 37t9.5 26.5t18 17.5t22 11t28.5 5.5t31 2t37 0.5h100v-550q0 -22 -25 -34.5t-50 -13.5l-25 -2v-100h400v100q-4 0 -11 0.5t-24 3t-30 7t-24 15t-11 24.5v550h100q25 0 37 -0.5t31 -2 t28.5 -5.5t22 -11t18 -17.5t9.5 -26.5t4 -37h50v300h-800v-300z" />
<glyph unicode="&#xe256;" d="M800 700h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-100v-550q0 -22 25 -34.5t50 -14.5l25 -1v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v550h-100q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h800v-300zM1100 200h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300z" />
<glyph unicode="&#xe257;" d="M701 1098h160q16 0 21 -11t-7 -23l-464 -464l464 -464q12 -12 7 -23t-21 -11h-160q-13 0 -23 9l-471 471q-7 8 -7 18t7 18l471 471q10 9 23 9z" />
<glyph unicode="&#xe258;" d="M339 1098h160q13 0 23 -9l471 -471q7 -8 7 -18t-7 -18l-471 -471q-10 -9 -23 -9h-160q-16 0 -21 11t7 23l464 464l-464 464q-12 12 -7 23t21 11z" />
<glyph unicode="&#xe259;" d="M1087 882q11 -5 11 -21v-160q0 -13 -9 -23l-471 -471q-8 -7 -18 -7t-18 7l-471 471q-9 10 -9 23v160q0 16 11 21t23 -7l464 -464l464 464q12 12 23 7z" />
<glyph unicode="&#xe260;" d="M618 993l471 -471q9 -10 9 -23v-160q0 -16 -11 -21t-23 7l-464 464l-464 -464q-12 -12 -23 -7t-11 21v160q0 13 9 23l471 471q8 7 18 7t18 -7z" />
<glyph unicode="&#xf8ff;" d="M1000 1200q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM450 1000h100q21 0 40 -14t26 -33l79 -194q5 1 16 3q34 6 54 9.5t60 7t65.5 1t61 -10t56.5 -23t42.5 -42t29 -64t5 -92t-19.5 -121.5q-1 -7 -3 -19.5t-11 -50t-20.5 -73t-32.5 -81.5t-46.5 -83t-64 -70 t-82.5 -50q-13 -5 -42 -5t-65.5 2.5t-47.5 2.5q-14 0 -49.5 -3.5t-63 -3.5t-43.5 7q-57 25 -104.5 78.5t-75 111.5t-46.5 112t-26 90l-7 35q-15 63 -18 115t4.5 88.5t26 64t39.5 43.5t52 25.5t58.5 13t62.5 2t59.5 -4.5t55.5 -8l-147 192q-12 18 -5.5 30t27.5 12z" />
<glyph unicode="&#x1f511;" d="M250 1200h600q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-500l-255 -178q-19 -9 -32 -1t-13 29v650h-150q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM400 1100v-100h300v100h-300z" />
<glyph unicode="&#x1f6aa;" d="M250 1200h750q39 0 69.5 -40.5t30.5 -84.5v-933l-700 -117v950l600 125h-700v-1000h-100v1025q0 23 15.5 49t34.5 26zM500 525v-100l100 20v100z" />
</font>
</defs></svg>
Side by Side

After

Width:  |  Height:  |  Size: 106 KiB

BIN
public_html/bootstrap/fonts/glyphicons-halflings-regular.ttf
View File

Binary file not shown.

BIN
public_html/bootstrap/fonts/glyphicons-halflings-regular.woff
View File

Binary file not shown.

BIN
public_html/bootstrap/fonts/glyphicons-halflings-regular.woff2
View File

Binary file not shown.

2377
public_html/bootstrap/js/bootstrap.js vendored
View File

File diff suppressed because it is too large Load Diff

7
public_html/bootstrap/js/bootstrap.min.js vendored
View File

File diff suppressed because one or more lines are too long

13
public_html/bootstrap/js/npm.js
Unescape Escape View File

@ -0,0 +1,13 @@
// This file is autogenerated via the `commonjs` Grunt task. You can require() this file in a CommonJS environment.
require('../../js/transition.js')
require('../../js/alert.js')
require('../../js/button.js')
require('../../js/carousel.js')
require('../../js/collapse.js')
require('../../js/dropdown.js')
require('../../js/modal.js')
require('../../js/tooltip.js')
require('../../js/popover.js')
require('../../js/scrollspy.js')
require('../../js/tab.js')
require('../../js/affix.js')

404
public_html/extra.js
Unescape Escape View File

@ -0,0 +1,404 @@
/*
*/
'use strict';
// Handle 'navigate-back' links
$(function() {
$('a.navigate-back').on('click', function(e) {
window.history.back();
event.stopPropagation();
});
});
// Remember the last-selected tab in a tab group
$(function() {
if(sessionStorage) {
$('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
//save the latest tab
sessionStorage.setItem('lastTab' + location.pathname, $(e.target).attr('href'));
});
//go to the latest tab, if it exists:
var lastTab = sessionStorage.getItem('lastTab' + location.pathname);
if (lastTab) {
$('a[href="' + lastTab + '"]').tab('show');
} else {
$('a[data-toggle="tab"]:first').tab('show');
}
}
get_tab_from_location();
window.onpopstate = function(event) {
get_tab_from_location();
}
function get_tab_from_location() {
// Javascript to enable link to tab
var url = document.location.toString();
if(url.match('#')) {
$('.nav-tabs a[href="#'+url.split('#')[1]+'"]').tab('show');
}
}
// Do the location modifying code after all other setup, since we don't want the initial loading to trigger this
$('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
if(history) {
history.replaceState(null, null, e.target.href);
} else {
window.location.hash = e.target.hash;
}
});
});
// Remember the expanded-state of a collapsible section
$(function() {
get_section_from_location();
window.onpopstate = function(event) {
get_section_from_location();
}
function get_section_from_location() {
// Javascript to enable link to section
var url = document.location.toString();
if(url.match('#')) {
var fragment = url.split('#')[1];
} else {
var fragment = '';
}
$(".collapse").each(function(){
if(this.id == fragment) $(this).addClass("in");
else $(this).removeClass("in");
});
}
// Do the location modifying code after all other setup, since we don't want the initial loading to trigger this
$('.panel-collapse').on('show.bs.collapse', function (e) {
if(history) {
history.replaceState(null, null, '#' + e.target.id);
} else {
window.location.hash = e.target.id;
}
});
});
// Show only chosen fingerprint hash format in list views
$(function() {
$('table th.fingerprint').first().each(function() {
$(this).append(' ');
var select = $('<select>');
var options = ['MD5', 'SHA256'];
for(var i = 0, option; option = options[i]; i++) {
select.append($('<option>').text(option).val(option));
}
if(localStorage) {
var fingerprint_hash = localStorage.getItem('preferred_fingerprint_hash');
if(fingerprint_hash) {
select.val(fingerprint_hash);
}
}
$(this).append(select);
select.on('change', function() {
if(this.value == 'SHA256') {
$('span.fingerprint_md5').hide();
$('span.fingerprint_sha256').show();
} else {
$('span.fingerprint_sha256').hide();
$('span.fingerprint_md5').show();
}
if(localStorage) {
localStorage.setItem('preferred_fingerprint_hash', this.value);
}
});
});
});
// Add confirmation dialog to all submit buttons with data-confirm attribute
$(function() {
$('button[type="submit"][data-confirm]').each(function() {
$(this).on('click', function() { return confirm($(this).data('confirm')); });
});
});
// Add "clear field" button functionality
$(function() {
$('button[data-clear]').each(function() {
$(this).on('click', function() { this.form[$(this).data('clear')].value = ''; });
});
});
// Home page dynamic add pubkey form
$(function() {
$('#add_key_button').on('click', function() {
$('#help').hide().removeClass('hidden');
$('#add_key_form').hide().removeClass('hidden');
$('#add_key_form').show('fast');
$('#add_key_button').hide();
$('#add_public_key').focus();
});
$('#add_key_form button[type=button].btn-info').on('click', function() {
$('#help').toggle('fast');
});
$('#add_key_form button[type=button].btn-default').on('click', function() {
$('#add_key_form').hide('fast');
$('#add_key_button').show();
});
});
// Show/hide appropriate sections of the server settings form
$(function() {
var form = $('#server_settings');
form.each(function() {
$('#authorization.hide').hide().removeClass('hide');
$('#ldap_access_options.hide').hide().removeClass('hide');
$("input[name='key_management']", form).on('click', function() {display_relevant_options()});
$("input[name='authorization']", form).on('click', function() {display_relevant_options()});
function display_relevant_options() {
if($("input[name='key_management']:checked").val() == 'keys') {
$('#authorization').show('fast');
if($("input[name='authorization']:checked").val() == 'manual') {
$('#ldap_access_options').hide('fast');
} else {
$('#ldap_access_options').show('fast');
}
} else {
$('#authorization').hide('fast');
$('#ldap_access_options').hide('fast');
}
}
var ao_command_enabled = $("input[name='access_option[command][enabled]']", form);
var ao_command_value = $("input[name='access_option[command][value]']", form);
var ao_from_enabled = $("input[name='access_option[from][enabled]']", form);
var ao_from_value = $("input[name='access_option[from][value]']", form);
ao_command_enabled.on('click', function() {ao_update_disabled()});
ao_from_enabled.on('click', function() {ao_update_disabled()});
ao_update_disabled();
function ao_update_disabled() {
ao_command_value.prop('disabled', !ao_command_enabled.prop('checked'));
ao_command_value.prop('required', ao_command_enabled.prop('checked'));
ao_from_value.prop('disabled', !ao_from_enabled.prop('checked'));
ao_from_value.prop('required', ao_from_enabled.prop('checked'));
}
});
});
// Enable/disable relevant sections of the access options form
$(function() {
var form = $('#access_options');
form.each(function() {
var ao_command_enabled = $("input[name='access_option[command][enabled]']", form);
var ao_command_value = $("input[name='access_option[command][value]']", form);
var ao_from_enabled = $("input[name='access_option[from][enabled]']", form);
var ao_from_value = $("input[name='access_option[from][value]']", form);
var ao_noportfwd_enabled = $("input[name='access_option[no-port-forwarding][enabled]']", form);
var ao_nox11fwd_enabled = $("input[name='access_option[no-X11-forwarding][enabled]']", form);
var ao_nopty_enabled = $("input[name='access_option[no-pty][enabled]']", form);
ao_command_enabled.on('click', function() {ao_update_disabled()});
ao_from_enabled.on('click', function() {ao_update_disabled()});
$("button[type='button']", form).on('click', function(e) {
var preset
if(preset = $(e.target).attr('data-preset')) {
$('input:checkbox', form).val([]);
ao_command_value.val('');
ao_from_value.val('');
if(preset == 'command' || preset == 'dbbackup') {
ao_command_enabled.prop('checked', true);
ao_command_value.focus();
ao_noportfwd_enabled.prop('checked', true);
ao_nox11fwd_enabled.prop('checked', true);
ao_nopty_enabled.prop('checked', true);
}
if(preset == 'dbbackup') {
ao_command_value.val('/usr/bin/innobackupex --slave-info --defaults-file=/etc/mysql/my.cnf /var/tmp');
}
}
ao_update_disabled();
});
ao_update_disabled();
function ao_update_disabled() {
ao_command_value.prop('disabled', !ao_command_enabled.prop('checked'));
ao_command_value.prop('required', ao_command_enabled.prop('checked'));
ao_from_value.prop('disabled', !ao_from_enabled.prop('checked'));
ao_from_value.prop('required', ao_from_enabled.prop('checked'));
}
});
});
// Provide dynamic reassign form on user page
$(function() {
$('button[data-reassign]').on('click', function() {
var id = $(this).data('reassign');
var table = $('#' + id);
var cell = document.createElement('th');
var checkbox = document.createElement('input');
checkbox.type = 'checkbox';
$(checkbox).on('click', function() {$("input[type='checkbox']", table).prop('checked', this.checked)});
cell.appendChild(checkbox);
table.children('thead').children('tr').prepend(cell);
table.children('tbody').children('tr').each(function() {
var hostname = $(this).children('td:first-child').text().trim();
var cell = document.createElement('td');
var checkbox = document.createElement('input');
checkbox.type = 'checkbox';
checkbox.name = 'servers[]';
checkbox.value = hostname;
cell.appendChild(checkbox);
$(this).prepend(cell);
});
$(this).parent().append('<div class="form-group"><label>Reassign to <input type="text" name="reassign_to" class="form-control"></label></div>');
$(this).parent().append('<div class="form-group"><button type="submit" name="reassign_servers" class="btn btn-primary">Reassign selected servers</button></div>');
$(this).remove();
});
});
// Server sync status
$(function() {
var status_div = $('#server_sync_status');
status_div.each(function() {
if(status_div.data('class')) {
update_server_sync_status(status_div.data('class'), status_div.data('message'));
$('span.server_account_sync_status').each(function() {
update_server_account_sync_status(this.id, $(this).data('class'), $(this).data('message'));
});
} else {
$('span', status_div).addClass('text-warning');
$('span', status_div).text('Pending');
$('span.server_account_sync_status').addClass('text-warning');
$('span.server_account_sync_status').text('Pending');
var timeout = 1000;
var max_timeout = 10000;
get_server_sync_status();
}
function get_server_sync_status() {
var xhr = $.ajax({
url: window.location.pathname + '/sync_status',
dataType: 'json'
});
xhr.done(function(status) {
if(status.pending) {
timeout = Math.min(timeout * 1.5, max_timeout);
setTimeout(get_server_sync_status, timeout);
} else {
var classname;
if(status.sync_status == 'sync success') classname = 'success';
if(status.sync_status == 'sync failure') classname = 'danger';
if(status.sync_status == 'sync warning') classname = 'warning';
update_server_sync_status(classname, status.last_sync.details);
}
$.each(status.accounts, function(index, item) {
if(!item.pending) {
var classname;
var message;
if(item.sync_status == 'proposed') { classname = 'info'; message = 'Requested'; }
if(item.sync_status == 'sync success') { classname = 'success'; message = 'Synced'; }
if(item.sync_status == 'sync failure') { classname = 'danger'; message = 'Failed'; }
if(item.sync_status == 'sync warning') { classname = 'warning'; message = 'Not synced'; }
update_server_account_sync_status('server_account_sync_status_' + item.name, classname, message);
}
});
});
}
function update_server_sync_status(classname, message) {
$('span', status_div).removeClass('text-success text-warning text-danger');
$('span', status_div).addClass('text-' + classname);
$('span', status_div).text(message);
if(classname == 'success') {
$('a', status_div).addClass('hidden');
} else {
$('a', status_div).removeClass('hidden');
if(classname == 'warning') $('a', status_div).prop('href', '/help#sync_warning');
if(classname == 'danger') $('a', status_div).prop('href', '/help#sync_error');
}
$('div.spinner', status_div).remove();
$('button[name=sync]', status_div).removeClass('invisible');
}
function update_server_account_sync_status(id, classname, message) {
$('#' + id).removeClass('text-success text-warning text-danger');
$('#' + id).addClass('text-' + classname);
$('#' + id).text(message);
}
});
});
// Server account sync status
$(function() {
var status_div = $('#server_account_sync_status');
status_div.each(function() {
if(status_div.data('class')) {
update_server_account_sync_status(status_div.data('class'), status_div.data('message'));
} else {
$('span', status_div).addClass('text-warning');
$('span', status_div).text('Pending');
var timeout = 1000;
var max_timeout = 10000;
get_server_account_sync_status();
}
function get_server_account_sync_status() {
var xhr = $.ajax({
url: window.location.pathname + '/sync_status',
dataType: 'json'
});
xhr.done(function(status) {
console.debug(status);
if(status.pending) {
timeout = Math.min(timeout * 1.5, max_timeout);
setTimeout(get_server_account_sync_status, timeout);
} else {
var classname;
var message;
if(status.sync_status == 'sync success') { classname = 'success'; message = 'Synced'; }
if(status.sync_status == 'sync failure') { classname = 'danger'; message = 'Failed'; }
if(status.sync_status == 'sync warning') { classname = 'warning'; message = 'Not synced'; }
update_server_account_sync_status(classname, message);
}
});
}
function update_server_account_sync_status(classname, message) {
$('span', status_div).removeClass('text-success text-warning text-danger');
$('span', status_div).addClass('text-' + classname);
$('span', status_div).text(message);
$('div.spinner', status_div).remove();
}
});
});
// Server add form - multiple admin autocomplete
$(function() {
var server_admin = $('input#server_admin');
server_admin.each(function() {
server_admin.on('keydown', function(event) {
var keycode = (event.keyCode ? event.keyCode : event.which);
if((keycode == 13 || keycode == 32 || keycode == 188) && $("#server_admin").val() != '') { // Enter, space, comma
appendAdmin();
// Reset focus to remove <datalist> autocomplete dialog
$("#server_admin").blur();
$("#server_admin").focus();
return false;
}
});
server_admin.on('blur', function(event) {
if($("#server_admin").val()) {
appendAdmin();
}
});
function appendAdmin() {
if($("#server_admins").val()) {
$("#server_admins").val($("#server_admins").val() + ', ' + $("#server_admin").val());
} else {
$("#server_admins").val($("#server_admin").val());
}
$("#server_admin").val("");
$("#server_admins").removeClass('hidden');
}
$('input#server_admins').on('blur', function(event) {
if(!$("#server_admins").val()) {
$("#server_admins").addClass('hidden');
}
});
if($("#server_admins").val()) {
$("#server_admins").removeClass('hidden');
}
});
});

16
public_html/header.js
Unescape Escape View File

@ -0,0 +1,16 @@
/*
*/
'use strict';
// Lightweight things to do before the page is displayed
// This should not rely on any JQuery or other libraries
// Hide the key fingerprints that we are not interested in
var sheet = document.styleSheets[0];
var fingerprint_hash;
if(localStorage && localStorage.getItem('preferred_fingerprint_hash') == 'SHA256') {
sheet.insertRule('span.fingerprint_md5 {display:none}', 0)
} else {
sheet.insertRule('span.fingerprint_sha256 {display:none}', 0)
}

3
public_html/init.php
Unescape Escape View File

@ -0,0 +1,3 @@
<?php
require('../requesthandler.php');

4
public_html/jquery/jquery-3.2.1.min.js vendored
View File

File diff suppressed because one or more lines are too long

1
public_html/jquery/jquery-3.2.1.min.map
View File

File diff suppressed because one or more lines are too long

BIN
public_html/key.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 612 B

BIN
public_html/logo-header.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
public_html/logo-header.psd
View File

Binary file not shown.

BIN
public_html/putty-key-generator.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

175
public_html/style.css
Unescape Escape View File

@ -0,0 +1,175 @@
/*
*/
html,
body {
height: 100%;
/* The html and body elements cannot have any padding or margin. */
}
/* Wrapper for page content to push down footer */
#wrap {
min-height: 100%;
height: auto;
/* Negative indent footer by its height */
margin: 0 auto -60px;
/* Pad bottom by footer height */
padding: 0 0 60px;
}
#wrap > .container {
padding: 60px 15px 0;
}
#content *:first-child {
margin-top: 0;
}
.nav-tabs {
margin-bottom: 20px;
}
#footer {
height: 60px;
background-color: #f5f5f5;
}
#footer > .container {
padding: 20px 15px 0 15px;
}
.navbar-brand img {
height: 100%;
float: left;
margin-right: 1em;
}
.panel-group + p {
margin-top: 1em;
}
a.group, a.server, a.serveraccount, a.user {
white-space: nowrap;
}
a.group::before {
content: "\e032";
/*content: "\e056";*/
display: inline-block;
font-family: "Glyphicons Halflings";
font-style: normal;
font-weight: 400;
line-height: 1;
position: relative;
top: 1px;
padding-right: 0.4em;
}
a.server::before {
content: "\e121";
display: inline-block;
font-family: "Glyphicons Halflings";
font-style: normal;
font-weight: 400;
line-height: 1;
position: relative;
top: 1px;
padding-right: 0.4em;
}
a.serveraccount::before {
content: "\e161";
display: inline-block;
font-family: "Glyphicons Halflings";
font-style: normal;
font-weight: 400;
line-height: 1;
position: relative;
top: 1px;
padding-right: 0.4em;
}
a.user::before {
content: "\e008";
display: inline-block;
font-family: "Glyphicons Halflings";
font-style: normal;
font-weight: 400;
line-height: 1;
position: relative;
top: 1px;
padding-right: 0.4em;
}
.input-group-addon label {
margin: 0;
}
.indented {
padding-left: 2em !important;
}
dl.oneline dt::before {
content: '\A';
white-space: pre;
}
dl.oneline dt:first-child::before {
white-space: normal;
}
dl.oneline dt {
display: inline;
}
dl.oneline dd {
display: inline;
padding-left: 0.5em;
}
dl.spaced dd {
margin-bottom: 1em;
}
ul.compact {
margin: 0;
padding: 0;
list-style-type: none;
}
pre {
white-space: pre-wrap;
}
pre.ascii-art {
line-height: 1;
}
.pre-formatted {
word-break: break-all;
word-wrap: break-word;
white-space: pre-wrap;
}
span.date {
white-space: nowrap;
}
.nowrap {
white-space: nowrap;
}
.spinner {
display: inline-block;
width: 12px;
height: 12px;
-webkit-animation: spinner 1s infinite linear;
animation: spinner 1s infinite linear;
border-radius:7px;
border-left:2px solid gray;
border-bottom:2px solid gray;
}
@-webkit-keyframes spinner {
to {
-webkit-transform: rotate(360deg);
}
}
@keyframes spinner {
to {
transform: rotate(360deg);
}
}
.monospace {
font-family: monospace;
}
td.date {
width: 11em;
}
/* Now with 100% more pink! */
div.navbar-default {
background-color: #fff1f9;
border-color: #f7e7f6;
}
.navbar-default .navbar-nav>.active>a, .navbar-default .navbar-nav>.active>a:focus, .navbar-default .navbar-nav>.active>a:hover {
background-color: #ffdfef;
}
a {
color: #af3578;
}
a:focus, a:hover {
color: #611d42;
}

84
requesthandler.php
Unescape Escape View File

@ -0,0 +1,84 @@
<?php
##
## Copyright 2013-2017 Opera Software AS
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
chdir(dirname(__FILE__));
require('core.php');
ob_start();
set_exception_handler('exception_handler');
if(isset($_SERVER['PHP_AUTH_USER'])) {
$active_user = $user_dir->get_user_by_uid($_SERVER['PHP_AUTH_USER'], true);
} else {
throw new Exception("Not logged in.");
}
// Work out where we are on the server
$base_url = dirname($_SERVER['SCRIPT_NAME']);
$request_url = $_SERVER['REQUEST_URI'];
$relative_request_url = preg_replace('/^'.preg_quote($base_url, '/').'/', '/', $request_url);
$absolute_request_url = 'http'.(isset($_SERVER['HTTPS']) ? 's' : '').'://'.$_SERVER['HTTP_HOST'].$request_url;
if(empty($config['web']['enabled'])) {
require('views/error503.php');
die;
}
if(!$active_user->active) {
require('views/error403.php');
}
if(!empty($_POST)) {
// Check CSRF token
if(isset($_SERVER['HTTP_X_BYPASS_CSRF_PROTECTION']) && $_SERVER['HTTP_X_BYPASS_CSRF_PROTECTION'] == 1) {
// This is being called from script, not a web browser
} elseif(!$active_user->check_csrf_token($_POST['csrf_token'])) {
require('views/csrf.php');
die;
}
}
// Route request to the correct view
$router = new Router;
foreach($routes as $path => $service) {
$public = array_key_exists($path, $public_routes);
$router->add_route($path, $service, $public);
}
$router->handle_request($relative_request_url);
if(isset($router->view)) {
$view = path_join($base_path, 'views', $router->view.'.php');
if(file_exists($view)) {
if($active_user->auth_realm == 'LDAP' || $router->public) {
require($view);
} else {
require('views/error403.php');
}
} else {
throw new Exception("View file $view missing.");
}
}
// Handler for uncaught exceptions
function exception_handler($e) {
global $active_user, $config;
$error_number = time();
error_log("$error_number: ".str_replace("\n", "\n$error_number: ", $e));
while(ob_get_length()) {
ob_end_clean();
}
require('views/error500.php');
die;
}

59
router.php
Unescape Escape View File

@ -0,0 +1,59 @@
<?php
##
## Copyright 2013-2017 Opera Software AS
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
class Router {
private $routes = array();
private $route_vars;
public $view = null;
public $public = null;
public $vars = array();
public function add_route($path, $view, $public) {
$this->route_vars = array();
$path = preg_replace_callback('|\\\{([a-z]+)\\\}|', array($this, 'parse_route_variable'), preg_quote($path, '|'));
$route = new StdClass;
$route->view = $view;
$route->vars = $this->route_vars;
$route->public = $public;
$this->routes[$path] = $route;
}
private function parse_route_variable($matches) {
$this->route_vars[] = $matches[1];
return '([^/]*)';
}
public function handle_request($request_path) {
$request_path = preg_replace('|\?.*$|', '', $request_path);
foreach($this->routes as $path => $route) {
if(preg_match('|^'.$path.'$|', $request_path, $matches)) {
$this->view = $route->view;
$this->public = $route->public;
$i = 0;
foreach($route->vars as $var) {
$i++;
if(isset($matches[$i])) {
$this->vars[$var] = urldecode($matches[$i]);
}
}
}
}
if(is_null($this->view)) {
$this->view = 'error404';
}
}
}

58
routes.php
Unescape Escape View File

@ -0,0 +1,58 @@
<?php
##
## Copyright 2013-2017 Opera Software AS
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
$routes = array(
'/' => 'home',
'/activity' => 'activity',
'/bulk_mail' => 'bulk_mail',
'/bulk_mail/{recipients}' => 'bulk_mail',
'/groups' => 'groups',
'/groups/{group}' => 'group',
'/groups/{group}/members.{format}' => 'group',
'/groups/{group}/access_rules/{access}' => 'access_options',
'/help' => 'help',
'/pubkeys' => 'pubkeys',
'/pubkeys.{format}' => 'pubkeys',
'/pubkeys/{key}' => 'pubkey',
'/pubkeys/{key}.{format}' => 'pubkey',
'/servers' => 'servers',
'/servers.{format}' => 'servers',
'/servers/{hostname}' => 'server',
'/servers/{hostname}/accounts/{account}' => 'serveraccount',
'/servers/{hostname}/accounts/{account}/access_rules/{access}' => 'access_options',
'/servers/{hostname}/accounts/{account}/pubkeys.{format}' => 'serveraccount_pubkeys',
'/servers/{hostname}/accounts/{account}/sync_status' => 'serveraccount_sync_status',
'/servers/{hostname}/status.{format}' => 'server',
'/servers/{hostname}/sync_status' => 'server_sync_status',
'/tools' => 'tools',
'/users' => 'users',
'/users/{username}' => 'user',
'/users/{username}/pubkeys' => 'user_pubkeys',
'/users/{username}/pubkeys.{format}' => 'user_pubkeys',
'/users/{username}/pubkeys/{key}' => 'pubkey',
'/users/{username}/pubkeys/{key}.{format}' => 'pubkey',
);
$public_routes = array(
'/groups/{group}/members.{format}' => true,
'/pubkeys.{format}' => true,
'/pubkeys/{key}.{format}' => true,
'/servers/{hostname}/accounts/{account}/pubkeys.{format}' => true,
'/users/{username}' => true,
'/users/{username}/pubkeys.{format}' => true,
'/users/{username}/pubkeys/{key}.{format}' => true,
);

69
scripts/ldap_update.php
Unescape Escape View File

@ -0,0 +1,69 @@
#!/usr/bin/php
<?php
chdir(__DIR__);
require('../core.php');
$users = $user_dir->list_users();
// Use 'keys-sync' user as the active user (create if it does not yet exist)
try {
$active_user = $user_dir->get_user_by_uid('keys-sync');
} catch(UserNotFoundException $e) {
$active_user = new User;
$active_user->uid = 'keys-sync';
$active_user->name = 'Synchronization script';
$active_user->email = '';
$active_user->active = 1;
$active_user->admin = 1;
$active_user->developer = 0;
$user_dir->add_user($active_user);
}
foreach($users as $user) {
if($user->auth_realm == 'LDAP') {
$active = $user->active;
try {
$user->get_details_from_ldap();
if(isset($config['ldap']['user_superior'])) {
$user->get_superior_from_ldap();
}
} catch(UserNotFoundException $e) {
$user->active = 0;
}
if($active && !$user->active) {
// Check for servers that will now be admin-less
$servers = $user->list_admined_servers();
foreach($servers as $server) {
$server_admins = $server->list_effective_admins();
$total_server_admins = 0;
foreach($server_admins as $server_admin) {
if($server_admin->active) $total_server_admins++;
}
if($total_server_admins == 0) {
if(isset($config['ldap']['user_superior'])) {
$rcpt = $user->superior;
while(!is_null($rcpt) && !$rcpt->active) {
$rcpt = $rcpt->superior;
}
}
$email = new Email;
$email->subject = "Server {$server->hostname} has been orphaned";
$email->body = "{$user->name} ({$user->uid}) was an administrator for {$server->hostname}, but they have now been marked as a former employee and there are no active administrators remaining for this server.\n\n";
$email->body .= "Please find a replacement owner for this server and inform {$config['email']['admin_address']} ASAP, otherwise the server will be registered for decommissioning.";
$email->add_reply_to($config['email']['admin_address'], $config['email']['admin_name']);
if(is_null($rcpt)) {
$email->subject .= " - NO SUPERIOR EMPLOYEE FOUND";
$email->body .= "\n\nWARNING: No suitable superior employee could be found!";
$email->add_recipient($config['email']['report_address'], $config['email']['report_name']);
} else {
$email->add_recipient($rcpt->email, $rcpt->name);
$email->add_cc($config['email']['report_address'], $config['email']['report_name']);
}
$email->send();
}
}
}
$user->update();
}
}

15
scripts/pubkey_update.php
Unescape Escape View File

@ -0,0 +1,15 @@
#!/usr/bin/php
<?php
chdir(__DIR__);
require('../core.php');
$pubkeys = $pubkey_dir->list_public_keys();
foreach($pubkeys as $pubkey) {
try {
$pubkey->import($pubkey->export(), null, true);
$pubkey->update();
} catch(InvalidArgumentException $e) {
echo "Invalid public key {$pubkey->id}\n";
}
}

76
scripts/sync-common.php
Unescape Escape View File

@ -0,0 +1,76 @@
<?php
/**
* Synchronization child process object
*/
class SyncProcess {
private $handle;
private $pipes;
private $output;
private $errors;
private $request;
/**
* Create a new sync process
* @param string $command command to run
* @param array $args arguments
* @param Request $request object that triggered this sync
*/
public function __construct($command, $args, $request = null) {
global $config;
$timeout_util = $config['general']['timeout_util'];
$this->request = $request;
$this->output = '';
$descriptorspec = array(
0 => array("pipe", "r"), // stdin
1 => array("pipe", "w"), // stdout
2 => array("pipe", "w"), // stderr
3 => array("pipe", "w") //
);
switch ($timeout_util) {
case "BusyBox":
$commandline = '/usr/bin/timeout -t 60 '.$command.' '.implode(' ', array_map('escapeshellarg', $args));
break;
default:
$commandline = '/usr/bin/timeout 60s '.$command.' '.implode(' ', array_map('escapeshellarg', $args));
}
$this->handle = proc_open($commandline, $descriptorspec, $this->pipes);
stream_set_blocking($this->pipes[1], 0);
stream_set_blocking($this->pipes[2], 0);
}
/**
* Get data from the child process
* @return string output from the child process
*/
public function get_data() {
if(isset($this->handle) && is_resource($this->handle)) {
$out = fread($this->pipes[1], 4096);
$this->output .= $out;
$this->errors .= fread($this->pipes[2], 4096);
if(feof($this->pipes[1]) && feof($this->pipes[2])) {
foreach($this->pipes as $ref => $pipe) {
fclose($this->pipes[$ref]);
}
unset($this->handle);
if($this->errors) {
echo $this->errors;
$this->output = '';
}
return array('done' => true, 'output' => $this->output);
}
}
}
/**
* Delete the request that triggered this sync
*/
public function __destruct() {
global $sync_request_dir;
if(!is_null($this->request)) {
$sync_request_dir->delete_sync_request($this->request);
}
}
}

584
scripts/sync.php
Unescape Escape View File

@ -0,0 +1,584 @@
#!/usr/bin/php
<?php
chdir(__DIR__);
require('../core.php');
require('sync-common.php');
$required_files = array('config/keys-sync', 'config/keys-sync.pub');
foreach($required_files as $file) {
if(!file_exists($file)) die("Sync cannot start - $file not found.\n");
}
// Parse the command-line arguments
$options = getopt('h:i:au:p', array('help', 'host:', 'id:', 'all', 'user:', 'preview'));
if(isset($options['help'])) {
show_help();
exit(0);
}
$short_to_long = array(
'h' => 'host',
'i' => 'id',
'a' => 'all',
'u' => 'user',
'p' => 'preview'
);
foreach($short_to_long as $short => $long) {
if(isset($options[$short]) && isset($options[$long])) {
echo "Error: short form -$short and long form --$long both specified\n";
show_help();
exit(1);
}
if(isset($options[$short])) $options[$long] = $options[$short];
}
$hostopts = 0;
if(isset($options['host'])) $hostopts++;
if(isset($options['id'])) $hostopts++;
if(isset($options['all'])) $hostopts++;
if($hostopts != 1) {
echo "Error: must specify exactly one of --host, --id, or --all\n";
show_help();
exit(1);
}
if(isset($options['user'])) {
$username = $options['user'];
} else {
$username = null;
}
$preview = isset($options['preview']);
// Use 'keys-sync' user as the active user (create if it does not yet exist)
try {
$active_user = $user_dir->get_user_by_uid('keys-sync');
} catch(UserNotFoundException $e) {
$active_user = new User;
$active_user->uid = 'keys-sync';
$active_user->name = 'Synchronization script';
$active_user->email = '';
$active_user->active = 1;
$active_user->admin = 1;
$active_user->developer = 0;
$user_dir->add_user($active_user);
}
// Build list of servers to sync
if(isset($options['all'])) {
$servers = $server_dir->list_servers();
} elseif(isset($options['host'])) {
$servers = array();
$hostnames = explode(",", $options['host']);
foreach($hostnames as $hostname) {
$hostname = trim($hostname);
try {
$servers[] = $server_dir->get_server_by_hostname($hostname);
} catch(ServerNotFoundException $e) {
echo "Error: hostname '$hostname' not found\n";
exit(1);
}
}
} elseif(isset($options['id'])) {
sync_server($options['id'], $username, $preview);
exit(0);
}
$pending_syncs = array();
foreach($servers as $server) {
if($server->key_management != 'keys') {
continue;
}
$pending_syncs[$server->hostname] = $server;
}
$sync_procs = array();
define('MAX_PROCS', 20);
while(count($sync_procs) > 0 || count($pending_syncs) > 0) {
while(count($sync_procs) < MAX_PROCS && count($pending_syncs) > 0) {
$server = reset($pending_syncs);
$hostname = key($pending_syncs);
$args = array();
$args[] = '--id';
$args[] = $server->id;
if(!is_null($username)) {
$args[] = '--user';
$args[] = $username;
}
if($preview) {
$args[] = '--preview';
}
$sync_procs[] = new SyncProcess(__FILE__, $args);
unset($pending_syncs[$hostname]);
}
foreach($sync_procs as $ref => $sync_proc) {
$data = $sync_proc->get_data();
if(!empty($data)) {
echo $data['output'];
unset($sync_procs[$ref]);
}
}
usleep(200000);
}
function show_help() {
?>
Usage: sync.php [OPTIONS]
Syncs public keys to the specified hosts.
Mandatory arguments to long options are mandatory for short options too.
-a, --all sync with all active hosts in the database
-h, --host=HOSTNAME sync only the specified host(s)
(specified by name, comma-separated)
-i, --id=ID sync only the specified single host
(specified by id)
-u, --user sync only the specified user account
-p, --preview perform no changes, display content of all
keyfiles
--help display this help and exit
<?php
}
function sync_server($id, $only_username = null, $preview = false) {
global $config;
global $server_dir;
global $user_dir;
$keydir = '/var/local/keys-sync';
$header = "## Auto generated keys file for %s
## Do not edit this file! Modify at %s
";
$header_no_link = "## Auto generated keys file for %s
## Do not edit this file!
";
$liam_key = file_get_contents('config/keys-sync.pub');
$server = $server_dir->get_server_by_id($id);
$hostname = $server->hostname;
echo date('c')." {$hostname}: Preparing sync.\n";
$server->ip_address = gethostbyname($hostname);
$server->update();
if($server->key_management != 'keys') return;
$accounts = $server->list_accounts();
$keyfiles = array();
$sync_warning = false;
// Generate keyfiles for each account
foreach($accounts as $account) {
if($account->active == 0 || $account->sync_status == 'proposed') continue;
$username = str_replace('/', '', $account->name);
$keyfile = sprintf($header, "account '{$account->name}'", $config['web']['baseurl']."/servers/".urlencode($hostname)."/accounts/".urlencode($account->name));
// Collect a set of all groups that the account is a member of (directly or indirectly) and the account itself
$sets = $account->list_group_membership();
$sets[] = $account;
foreach($sets as $set) {
if(get_class($set) == 'Group') {
if($set->active == 0) continue; // Rules for inactive groups should be ignored
$keyfile .= "# === Start of rules applied due to membership in {$set->name} group ===\n";
}
$access_rules = $set->list_access();
$keyfile .= get_keys($access_rules, $account->name, $hostname);
if(get_class($set) == 'Group') {
$keyfile .= "# === End of rules applied due to membership in {$set->name} group ===\n\n";
}
}
$keyfiles[$username] = array('keyfile' => $keyfile, 'check' => false, 'account' => $account);
}
if($server->authorization == 'automatic LDAP' || $server->authorization == 'manual LDAP') {
// Generate keyfiles for LDAP users
$optiontext = array();
foreach($server->list_ldap_access_options() as $option) {
$optiontext[] = $option->option.(is_null($option->value) ? '' : '="'.str_replace('"', '\\"', $option->value).'"');
}
$prefix = implode(',', $optiontext);
if($prefix !== '') $prefix .= ' ';
$users = $user_dir->list_users();
foreach($users as $user) {
$username = str_replace('/', '', $user->uid);
if(is_null($only_username) || $username == $only_username) {
if(!isset($keyfiles[$username])) {
$keyfile = sprintf($header, "LDAP user '{$user->uid}'", $config['web']['baseurl']);
$keys = $user->list_public_keys($username, $hostname);
if(count($keys) > 0) {
if($user->active) {
foreach($keys as $key) {
$keyfile .= $prefix.$key->export()."\n";
}
} else {
$keyfile .= "# Inactive account\n";
}
$keyfiles[$username] = array('keyfile' => $keyfile, 'check' => ($server->authorization == 'manual LDAP'));
}
}
}
}
}
if(array_key_exists('keys-sync', $keyfiles)) {
// keys-sync account should never be synced
unset($keyfiles['keys-sync']);
}
if($preview) {
foreach($keyfiles as $username => $keyfile) {
echo date('c')." {$hostname}: account '$username':\n\n\033[1;34m{$keyfile['keyfile']}\033[0m\n\n";
}
return;
}
// IP address check
echo date('c')." {$hostname}: Checking IP address {$server->ip_address}:{$server->port}.\n";
$matching_servers = $server_dir->list_servers(array(), array('ip_address' => $server->ip_address, 'port' => $server->port, 'key_management' => array('keys')));
if(count($matching_servers) > 1) {
echo date('c')." {$hostname}: Multiple hosts with same IP address.\n";
$server->sync_report('sync failure', 'Multiple hosts with same IP address');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
return;
}
// This is working around deficiencies in the ssh2 library. In some cases, ssh connection attempts will fail, and
// the socket timeout of 60 seconds is somehow not triggered. Script execution timeout is also not triggered.
// Reproducing this problem is not easy - dropping packets to port 22 is not sufficient (it will timeout correctly).
// To workaround, we wrap calls to this script with 'timeout' shell command, and from this point on until we have
// established a connection, catch SIGTERM and report server sync failure if received
declare(ticks = 1);
pcntl_signal(SIGTERM, function($signal) use($server, $hostname, $keyfiles) {
echo date('c')." {$hostname}: SSH connection timed out.\n";
$server->sync_report('sync failure', 'SSH connection timed out');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
exit(1);
});
echo date('c')." {$hostname}: Attempting to connect.\n";
$legacy = false;
$attempts = array('keys-sync', 'root');
foreach($attempts as $attempt) {
try {
$connection = ssh2_connect($hostname, $server->port);
} catch(ErrorException $e) {
echo date('c')." {$hostname}: Failed to connect.\n";
$server->sync_report('sync failure', 'SSH connection failed');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
return;
}
$fingerprint = ssh2_fingerprint($connection, SSH2_FINGERPRINT_MD5 | SSH2_FINGERPRINT_HEX);
if(is_null($server->rsa_key_fingerprint)) {
$server->rsa_key_fingerprint = $fingerprint;
$server->update();
} else {
if(strcmp($server->rsa_key_fingerprint, $fingerprint) !== 0) {
echo date('c')." {$hostname}: RSA key validation failed.\n";
$server->sync_report('sync failure', 'SSH host key verification failed');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
return;
}
}
if(!isset($config['security']) || !isset($config['security']['host_key_collision_protection']) || $config['security']['host_key_collision_protection'] == 1) {
$matching_servers = $server_dir->list_servers(array(), array('rsa_key_fingerprint' => $server->rsa_key_fingerprint, 'key_management' => array('keys')));
if(count($matching_servers) > 1) {
echo date('c')." {$hostname}: Multiple hosts with same host key.\n";
$server->sync_report('sync failure', 'Multiple hosts with same host key');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
return;
}
}
try {
ssh2_auth_pubkey_file($connection, $attempt, 'config/keys-sync.pub', 'config/keys-sync');
echo date('c')." {$hostname}: Logged in as $attempt.\n";
break;
} catch(ErrorException $e) {
$legacy = true;
if($attempt == 'root') {
echo date('c')." {$hostname}: Public key authentication failed.\n";
$server->sync_report('sync failure', 'SSH authentication failed');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
return;
}
}
}
try {
$sftp = ssh2_sftp($connection);
} catch(ErrorException $e) {
echo date('c')." {$hostname}: SFTP subsystem setup failed.\n";
$server->sync_report('sync failure', 'SFTP subsystem failed');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
return;
}
try {
$dir = ssh2_sftp_stat($sftp, $keydir);
} catch(ErrorException $e) {
echo date('c')." {$hostname}: Key directory does not exist.\n";
$dir = null;
$sync_warning = 'Key directory does not exist';
}
if($legacy && !$sync_warning) {
$sync_warning = 'Using legacy sync method';
}
// From this point on, catch SIGTERM and ignore. SIGINT or SIGKILL is required to stop, so timeout wrapper won't
// cause a partial sync
pcntl_signal(SIGTERM, SIG_IGN);
$account_errors = 0;
$cleanup_errors = 0;
if(isset($config['security']) && isset($config['security']['hostname_verification']) && $config['security']['hostname_verification'] >= 1) {
// Verify that we have mutual agreement with the server that we sync to it with this hostname
$allowed_hostnames = null;
if($config['security']['hostname_verification'] >= 2) {
// 2+ = Compare with /var/local/keys-sync/.hostnames
try {
$allowed_hostnames = array_map('trim', file("ssh2.sftp://$sftp/var/local/keys-sync/.hostnames"));
} catch(ErrorException $e) {
if($config['security']['hostname_verification'] >= 3) {
// 3+ = Abort if file does not exist
echo date('c')." {$hostname}: Hostnames file missing.\n";
$server->sync_report('sync failure', 'Hostnames file missing');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
return;
} else {
$allowed_hostnames = null;
}
}
}
if(is_null($allowed_hostnames)) {
$stream = ssh2_exec($connection, '/bin/hostname -f');
stream_set_blocking($stream, true);
$allowed_hostnames = array(trim(stream_get_contents($stream)));
fclose($stream);
}
if(!in_array($hostname, $allowed_hostnames)) {
echo date('c')." {$hostname}: Hostname check failed (allowed: ".implode(", ", $allowed_hostnames).").\n";
$server->sync_report('sync failure', 'Hostname check failed');
$server->delete_all_sync_requests();
report_all_accounts_failed($keyfiles);
return;
}
}
if($legacy && isset($keyfiles['root'])) {
// Legacy sync (only if using root account)
$keyfile = $keyfiles['root'];
try {
$local_filename = tempnam('/tmp', 'syncfile');
$fh = fopen($local_filename, 'w');
fwrite($fh, $keyfile['keyfile']."# LIAM system key\n".$liam_key);
fclose($fh);
ssh2_scp_send($connection, $local_filename, '/root/.ssh/authorized_keys2', 0600);
unlink($local_filename);
if(isset($keyfile['account'])) {
$keyfile['account']->sync_report('sync success');
}
} catch(ErrorException $e) {
echo date('c')." {$hostname}: Sync command execution failed for legacy root.\n";
$account_errors++;
if(isset($keyfile['account'])) {
$keyfile['account']->sync_report('sync failure');
}
}
}
// New sync
if($dir) {
$stream = ssh2_exec($connection, '/usr/bin/sha1sum '.escapeshellarg($keydir).'/*');
stream_set_blocking($stream, true);
$entries = explode("\n", stream_get_contents($stream));
$sha1sums = array();
foreach($entries as $entry) {
if(preg_match('|^([0-9a-f]{40}) '.preg_quote($keydir, '|').'/(.*)$|', $entry, $matches)) {
$sha1sums[$matches[2]] = $matches[1];
}
}
fclose($stream);
foreach($keyfiles as $username => $keyfile) {
if(is_null($only_username) || $username == $only_username) {
try {
$remote_filename = "$keydir/$username";
$remote_entity = "ssh2.sftp://" . intval($sftp) . $remote_filename;
$create = true;
if($keyfile['check']) {
$stream = ssh2_exec($connection, 'id '.escapeshellarg($username));
stream_set_blocking($stream, 1);
$output = stream_get_contents($stream);
fclose($stream);
if(empty($output)) $create = false;
}
if($create) {
if(isset($sha1sums[$username]) && $sha1sums[$username] == sha1($keyfile['keyfile'])) {
echo date('c')." {$hostname}: No changes required for {$username}\n";
} else {
file_put_contents($remote_entity, $keyfile['keyfile']);
ssh2_exec($connection, 'chown keys-sync: '.escapeshellarg($remote_filename));
echo date('c')." {$hostname}: Updated {$username}\n";
}
if(isset($sha1sums[$username])) {
unset($sha1sums[$username]);
}
} else {
ssh2_sftp_unlink($sftp, $remote_filename);
}
if(isset($keyfile['account'])) {
if($sync_warning && $username != 'root') {
// File was synced, but will not work due to configuration on server
$keyfile['account']->sync_report('sync warning');
} else {
$keyfile['account']->sync_report('sync success');
}
}
} catch(ErrorException $e) {
$account_errors++;
echo "{$hostname}: Sync command execution failed for $username, ".$e->getMessage()."\n";
if(isset($keyfile['account'])) {
$keyfile['account']->sync_report('sync failure');
}
}
}
}
if(is_null($only_username)) {
// Clean up directory
foreach($sha1sums as $file => $sha1sum) {
if($file != '' && $file != 'keys-sync' && $file != '.hostnames') {
try {
if(ssh2_sftp_unlink($sftp, "$keydir/$file")) {
echo date('c')." {$hostname}: Removed unknown file: {$file}\n";
} else {
$cleanup_errors++;
echo date('c')." {$hostname}: Couldn't remove unknown file: {$file}\n";
}
} catch(ErrorException $e) {
$cleanup_errors++;
echo date('c')." {$hostname}: Couldn't remove unknown file: {$file}, ".$e->getMessage().".\n";
}
}
}
}
}
try {
$uuid = trim(file_get_contents("ssh2.sftp://$sftp/etc/uuid"));
$server->uuid = $uuid;
$server->update();
} catch(ErrorException $e) {
// If the /etc/uuid file does not exist, silently ignore
}
if($cleanup_errors > 0) {
$server->sync_report('sync failure', 'Failed to clean up '.$cleanup_errors.' file'.($cleanup_errors == 1 ? '' : 's'));
} elseif($account_errors > 0) {
$server->sync_report('sync failure', $account_errors.' account'.($account_errors == 1 ? '' : 's').' failed to sync');
} elseif($sync_warning) {
$server->sync_report('sync warning', $sync_warning);
} else {
$server->sync_report('sync success', 'Synced successfully');
}
echo date('c')." {$hostname}: Sync finished\n";
}
function get_keys($access_rules, $account_name, $hostname) {
$keyfile = '';
foreach($access_rules as $access) {
$grant_date = new DateTime($access->grant_date);
$grant_date_full = $grant_date->format('c');
$entity = $access->source_entity;
$optiontext = array();
foreach($access->list_options() as $option) {
$optiontext[] = $option->option.(is_null($option->value) ? '' : '="'.str_replace('"', '\\"', $option->value).'"');
}
$prefix = implode(',', $optiontext);
if($prefix !== '') $prefix .= ' ';
switch(get_class($entity)) {
case 'User':
$keyfile .= "# {$entity->uid}";
$keyfile .= " granted access by {$access->granted_by->uid} on {$grant_date_full}";
$keyfile .= "\n";
if($entity->active) {
$keys = $entity->list_public_keys($account_name, $hostname);
foreach($keys as $key) {
$keyfile .= $prefix.$key->export()."\n";
}
} else {
$keyfile .= "# Inactive account\n";
}
break;
case 'ServerAccount':
$keyfile .= "# {$entity->name}@{$entity->server->hostname}";
$keyfile .= " granted access by {$access->granted_by->uid} on {$grant_date_full}";
$keyfile .= "\n";
if($entity->server->key_management != 'decommissioned') {
$keys = $entity->list_public_keys($account_name, $hostname);
foreach($keys as $key) {
$keyfile .= $prefix.$key->export()."\n";
}
} else {
$keyfile .= "# Decommissioned server\n";
}
break;
case 'Group':
// Recurse!
$seen = array($entity->name => true);
$keyfile .= "# {$entity->name} group";
$keyfile .= " granted access by {$access->granted_by->uid} on {$grant_date_full}";
$keyfile .= "\n";
if($entity->active) {
$keyfile .= "# == Start of {$entity->name} group members ==\n";
$keyfile .= get_group_keys($entity->list_members(), $account_name, $hostname, $prefix, $seen);
$keyfile .= "# == End of {$entity->name} group members ==\n";
} else {
$keyfile .= "# Inactive group\n";
}
break;
}
}
return $keyfile;
}
function get_group_keys($entities, $account_name, $hostname, $prefix, &$seen) {
$keyfile = '';
foreach($entities as $entity) {
switch(get_class($entity)) {
case 'User':
$keyfile .= "# {$entity->uid}";
$keyfile .= "\n";
if($entity->active) {
$keys = $entity->list_public_keys($account_name, $hostname);
foreach($keys as $key) {
$keyfile .= $prefix.$key->export()."\n";
}
} else {
$keyfile .= "# Inactive account\n";
}
break;
case 'ServerAccount':
$keyfile .= "# {$entity->name}@{$entity->server->hostname}";
$keyfile .= "\n";
if($entity->server->key_management != 'decommissioned') {
$keys = $entity->list_public_keys($account_name, $hostname);
foreach($keys as $key) {
$keyfile .= $prefix.$key->export()."\n";
}
} else {
$keyfile .= "# Decommissioned server\n";
}
break;
case 'Group':
// Recurse!
if(!isset($seen[$entity->name])) {
$seen[$entity->name] = true;
$keyfile .= "# {$entity->name} group";
$keyfile .= "\n";
$keyfile .= "# == Start of {$entity->name} group members ==\n";
$keyfile .= get_group_keys($entity->list_members(), $account_name, $hostname, $prefix, $seen);
$keyfile .= "# == End of {$entity->name} group members ==\n";
}
break;
}
}
return $keyfile;
}
function report_all_accounts_failed($keyfiles) {
foreach($keyfiles as $keyfile) {
if(isset($keyfile['account'])) {
$keyfile['account']->sync_report('sync failure');
}
}
}

157
scripts/syncd.php
Unescape Escape View File

@ -0,0 +1,157 @@
#!/usr/bin/php
<?php
$options = getopt('', array('systemd', 'user:'));
/**
* Handle process control signals
*/
function sig_handler($signo) {
global $signal;
$signal = $signo;
}
/**
* Daemon log - write log message
*/
function dlog($txt) {
global $options;
if(isset($options['systemd'])) {
echo "{$txt}\n";
} else {
echo date('c')." {$txt}\n";
}
}
chdir(__DIR__);
error_reporting(E_ALL);
ini_set('display_errors', 1);
cli_set_process_title('keys-sync');
umask(027);
if(!isset($options['systemd'])) {
$pidfile = '/var/run/keys-sync.pid';
$lockfile = '/var/run/keys-sync.lock';
$logfile = '/var/log/keys/sync.log';
if(!isset($options['user'])) {
fwrite(STDERR, "--user parameter must be provided");
exit(1);
}
$username = $options['user'];
if(posix_getuid() !== 0) {
fwrite(STDERR, "This command must be run as root\n");
exit(1);
}
if(!$user = posix_getpwnam($username)) {
fwrite(STDERR, "Could not find $username user details\n");
exit(1);
}
// Attempt to establish lock
$lock = fopen($lockfile, 'w+');
if(!flock($lock, LOCK_EX | LOCK_NB)) {
fwrite(STDERR, "Could not establish lock, process already running?\n");
exit(0);
}
// Fork process
$pid = pcntl_fork();
if($pid == -1) {
// Something went wrong
fwrite(STDERR, "Failed to fork\n");
exit(1);
} elseif($pid == 0) {
// This is the child process
} else {
// This is the parent process
// Write pidfile and exit
$fh = fopen($pidfile, 'w');
fwrite($fh, "$pid\n");
fclose($fh);
exit();
}
// We have now forked
// Close STDIN/STDOUT/STDERR and redirect output to logfile
fclose(STDIN);
fclose(STDOUT);
fclose(STDERR);
$stdin = fopen('/dev/null', 'r');
$stdout = fopen($logfile, 'a');
$stderr = fopen('php://stdout', 'a');
// Change user/group that we are running as
posix_setgid($user['gid']);
posix_setuid($user['uid']);
if(!isset($options['systemd'])) {
// Make the current process a session leader
if(posix_setsid() == -1) {
die("Could not detach from terminal.");
}
}
}
// Set up signal handling
declare(ticks = 1);
$signal = null;
pcntl_signal(SIGTERM, "sig_handler");
pcntl_signal(SIGINT, "sig_handler");
require('../core.php');
require('sync-common.php');
dlog("Daemon started");
$sync_procs = array();
define('MAX_PROCS', 20);
// Primary loop
while(is_null($signal)) {
try {
$reqs = $sync_request_dir->list_pending_sync_requests();
foreach($reqs as $req) {
$args = array();
$args[] = '--id';
$args[] = $req->server_id;
if(!is_null($req->account_name)) {
$args[] = '--user';
$args[] = $req->account_name;
}
if(count($sync_procs) > MAX_PROCS) break;
$req->set_in_progress();
dlog("Sync process spawning for: {$req->server_id}/{$req->account_name}");
$sync_procs[] = new SyncProcess(__DIR__.'/sync.php', $args, $req);
}
} catch(mysqli_sql_exception $e) {
if($e->getMessage() == 'MySQL server has gone away') {
dlog("MySQL server has gone away");
$connected = false;
while(!$connected) {
try {
setup_database();
$connected = true;
dlog("MySQL connection re-established");
} catch(mysqli_sql_exception $e2) {
dlog("Attempt to reconnect failed: ".$e2->getMessage());
sleep(5);
}
}
}
}
foreach($sync_procs as $ref => &$sync_proc) {
$data = $sync_proc->get_data();
if(!empty($data)) {
dlog($data['output']);
unset($sync_proc);
unset($sync_procs[$ref]);
}
}
sleep(1);
}
dlog("Received exit signal");
if(!isset($options['systemd'])) {
// Release lock
flock($lock, LOCK_UN);
fclose($lock);
}

8
systemd-service/README
Unescape Escape View File

@ -0,0 +1,8 @@
To install the sync service
===========================
Systemd:
1) Copy the systemd/keys-sync.service file to /etc/systemd/system/
2) Modify ExecStart path and User as necessary. If SSH Key Authority is installed under /home, disable ProtectHome.
3) Run: systemctl daemon-reload
4) Run: systemctl enable keys-sync.service

17
systemd-service/keys-sync.service
Unescape Escape View File

@ -0,0 +1,17 @@
[Unit]
Description=SSH Key synchronization daemon
Requires=mysql.service
[Service]
Type=simple
ExecStart=/opt/liam/scripts/syncd.php --systemd
User=keys-sync
StandardOutput=journal
StandardError=journal
PrivateDevices=on
PrivateTmp=on
ProtectHome=on
ProtectSystem=on
[Install]
WantedBy=multi-user.target

112
templates/access_options.php
Unescape Escape View File

@ -0,0 +1,112 @@
<?php
$entity = $this->get('entity');
switch(get_class($entity)) {
case 'ServerAccount': $account = $entity; $server = $entity->server; break;
case 'Group': $group = $entity; break;
}
$remote_entity = $this->get('remote_entity');
$mode = $this->get('mode');
$options = $this->get('options');
switch(get_class($remote_entity)) {
case 'User': $remote_entity_name = $remote_entity->uid; break;
case 'ServerAccount': $remote_entity_name = $remote_entity->name.'@'.$remote_entity->server->hostname; break;
case 'Group': $remote_entity_name = $remote_entity->name; break;
}
?>
<h1><?php if($mode == 'create') out('Grant'); else out('Modify')?> access</h1>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>" id="access_options">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<?php
switch(get_class($remote_entity)) {
case 'User':
$re_url = '/users/'.urlencode($remote_entity->uid);
?>
<input type="hidden" name="username" value="<?php out($remote_entity->uid)?>">
<?php
break;
case 'ServerAccount':
$re_url = '/servers/'.urlencode($remote_entity->server->hostname).'/accounts/'.urlencode($remote_entity->name);
?>
<input type="hidden" name="account" value="<?php out($remote_entity->name)?>">
<input type="hidden" name="hostname" value="<?php out($remote_entity->server->hostname)?>">
<?php
break;
case 'Group':
$re_url = '/groups/'.urlencode($remote_entity->name);
?>
<input type="hidden" name="group" value="<?php out($remote_entity->name)?>">
<?php
break;
}
?>
<p>
You are <?php if($mode == 'create') out('granting'); else out('modifying the')?> SSH access to
<?php if(isset($server)) { ?>
<a href="<?php outurl('/servers/'.urlencode($server->hostname).'/accounts/'.urlencode($account->name))?>" class="serveraccount"><?php out($account->name.'@'.$server->hostname)?></a>
<?php } elseif(isset($group)) { ?>
resources in the <a href="<?php outurl('/groups/'.urlencode($group->name))?>"><?php out($group->name)?></a> group
<?php } ?>
for
<a href="<?php outurl($re_url)?>" class="<?php out(strtolower(get_class($remote_entity)))?>"><?php out($remote_entity_name)?></a>.
</p>
<?php if($mode == 'create') { ?>
<div class="form-group">
<div class="panel-group">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<a data-toggle="collapse" href="#advanced_options">
Advanced options <span class="caret"></span>
</a>
</h3>
</div>
<div id="advanced_options" class="collapse">
<?php } ?>
<div class="panel-body">
<p>
Presets:
<button type="button" class="btn btn-default btn-xs" data-preset="default">Default</button>
<button type="button" class="btn btn-default btn-xs" data-preset="command">Command</button>
<button type="button" class="btn btn-default btn-xs" data-preset="dbbackup">DB backup</button>
</p>
<div class="checkbox">
<label><input type="checkbox" name="access_option[command][enabled]"<?php if(isset($options['command'])) out(' checked'); ?>> Specify command (<code>command=&quot;command&quot;</code>)</label>
</div>
<div class="form-group">
<input type="text" id="command_value" name="access_option[command][value]" value="<?php if(isset($options['command'])) out($options['command']->value); ?>" class="form-control">
</div>
<div class="checkbox">
<label><input type="checkbox" name="access_option[from][enabled]"<?php if(isset($options['from'])) out(' checked'); ?>> Restrict source address (<code>from=&quot;<abbr title="A pattern-list is a comma-separated list of patterns. Each pattern can be either a hostname or an IP address, with wildcards (* and ?) allowed.">pattern-list</abbr>&quot;</code>)</label>
</div>
<div class="form-group">
<input type="text" id="from_value" name="access_option[from][value]" value="<?php if(isset($options['from'])) out($options['from']->value); ?>" class="form-control">
</div>
<div class="checkbox">
<label><input type="checkbox" name="access_option[no-port-forwarding][enabled]"<?php if(isset($options['no-port-forwarding'])) out(' checked'); ?>> Disallow port forwarding (<code>no-port-forwarding</code>)</label>
</div>
<div class="checkbox">
<label><input type="checkbox" name="access_option[no-X11-forwarding][enabled]"<?php if(isset($options['no-X11-forwarding'])) out(' checked'); ?>> Disallow X11 forwarding (<code>no-X11-forwarding</code>)</label>
</div>
<div class="checkbox">
<label><input type="checkbox" name="access_option[no-pty][enabled]"<?php if(isset($options['no-pty'])) out(' checked'); ?>> Disable terminal (<code>no-pty</code>)</label>
</div>
</div>
<?php if($mode == 'create') { ?>
</div>
</div>
</div>
</div>
<?php } ?>
<div class="form-group row">
<div class="col-md-8">
<button type="submit" name="<?php if($mode == 'create') out('add_access'); else out('update_access')?>" value="2" class="btn btn-primary btn-block"><?php if($mode == 'create') out('Confirm'); else out('Modify')?> access</button>
</div>
<div class="col-md-4">
<?php if(isset($server)) { ?>
<a href="<?php outurl('/servers/'.urlencode($server->hostname).'/accounts/'.urlencode($account->name))?>" class="btn btn-default btn-block">Cancel</a>
<?php } elseif(isset($group)) { ?>
<a href="<?php outurl('/groups/'.urlencode($group->name))?>" class="btn btn-default btn-block">Cancel</a>
<?php } ?>
</div>
</div>
</form>

24
templates/activity.php
Unescape Escape View File

@ -0,0 +1,24 @@
<?php
?>
<h1>Activity</h1>
<table class="table">
<col></col>
<col></col>
<col></col>
<col class="date"></col>
<thead>
<tr>
<th>Entity</th>
<th>User</th>
<th>Activity</th>
<th>Date (<abbr title="Coordinated Universal Time">UTC</abbr>)</th>
</tr>
</thead>
<tbody>
<?php
foreach($this->get('events') as $event) {
show_event($event);
}
?>
</tbody>
</table>

60
templates/base.php
Unescape Escape View File

@ -0,0 +1,60 @@
<?php
$web_config = $this->get('web_config');
header('X-Frame-Options: DENY');
header("Content-Security-Policy: default-src 'self'");
?>
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title><?php out($this->get('title'))?></title>
<link rel="stylesheet" href="<?php outurl('/bootstrap/css/bootstrap.min.css')?>">
<link rel="stylesheet" href="<?php outurl('/style.css?'.filemtime('public_html/style.css'))?>">
<link rel="icon" href="<?php outurl('/key.png')?>">
<script src="<?php outurl('/header.js?'.filemtime('public_html/header.js'))?>"></script>
<?php out($this->get('head'), ESC_NONE) ?>
<div id="wrap">
<a href="#content" class="sr-only">Skip to main content</a>
<div class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<?php if(!empty($web_config['logo'])) { ?>
<a class="navbar-brand" href="/">
<img src="<?php out($web_config['logo'])?>">
SSH Key Authority
</a>
<?php } ?>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<?php foreach($this->get('menu_items') as $url => $name) { ?>
<li<?php if($url == $this->get('relative_request_url')) out(' class="active"', ESC_NONE); ?>><a href="<?php outurl($url)?>"><?php out($name)?></a></li>
<?php } ?>
</ul>
</div>
</div>
</div>
<div class="container" id="content">
<?php foreach($this->get('alerts') as $alert) { ?>
<div class="alert alert-<?php out($alert->class)?> alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">&times;</button>
<?php out($alert->content, $alert->escaping)?>
</div>
<?php } ?>
<?php out($this->get('content'), ESC_NONE) ?>
</div>
</div>
<div id="footer">
<div class="container">
<p class="text-muted credit"><?php out($web_config['footer'], ESC_NONE)?></p>
<?php if($this->get('active_user') && $this->get('active_user')->developer) { ?>
<?php } ?>
</div>
</div>
<script src="<?php outurl('/jquery/jquery-3.2.1.min.js')?>"></script>
<script src="<?php outurl('/bootstrap/js/bootstrap.min.js')?>"></script>
<script src="<?php outurl('/extra.js?'.filemtime('public_html/extra.js'))?>"></script>

18
templates/bulk_mail.php
Unescape Escape View File

@ -0,0 +1,18 @@
<?php
?>
<h1>Bulk mail <?php out(str_replace('_', ' ', $this->get('recipients')))?></h1>
<div class="alert alert-warning">This form will send a mail to <strong>all</strong> <?php out($this->get('rcpt_desc'))?> the SSH Key Authority system!</div>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<div class="form-group">
<label for="subject">Subject</label>
<input type="text" class="form-control" id="subject" name="subject" required value="">
</div>
<div class="form-group">
<label for="body">Body</label>
<textarea class="form-control monospace" rows="20" id="body" name="body" required>You are being sent this mail as a <?php out($this->get('rcpt_role'))?> the SSH Key Authority system.
</textarea>
</div>
<div class="form-group"><button type="submit" data-confirm="Send mail? Are you sure?" class="btn btn-primary btn-lg btn-block">Send bulk mail to <?php out(str_replace('_', ' ', $this->get('recipients')))?></button></div>
</form>

8
templates/bulk_mail_choose.php
Unescape Escape View File

@ -0,0 +1,8 @@
<?php
?>
<h1>Bulk mail</h1>
<p>Choose recipients:</p>
<ul>
<li><a href="<?php outurl('/bulk_mail/all_users')?>">All users</a></li>
<li><a href="<?php outurl('/bulk_mail/server_admins')?>">All server administrators</a></li>
</ul>

4
templates/csrf.php
Unescape Escape View File

@ -0,0 +1,4 @@
<?php
?>
<h1>Form submission failed</h1>
<p>Your request was missing the required security token. Please try submitting your request again.</p>

6
templates/entity_pubkeys_json.php
Unescape Escape View File

@ -0,0 +1,6 @@
<?php
$json = array();
foreach($this->get('pubkeys') as $pubkey) {
$json[] = pubkey_json($pubkey, true, false);
}
out(json_encode($json), ESC_NONE);

4
templates/entity_pubkeys_txt.php
Unescape Escape View File

@ -0,0 +1,4 @@
<?php
foreach($this->get('pubkeys') as $pubkey) {
out($pubkey->export()."\n", ESC_NONE);
}

4
templates/error403.php
Unescape Escape View File

@ -0,0 +1,4 @@
<?php
?>
<h1>Access denied</h1>
<p>Sorry, but you don't have permission to view this page.</p>

5
templates/error404.php
Unescape Escape View File

@ -0,0 +1,5 @@
<?php
?>
<h1>Page not found</h1>
<p>Sorry, but the address you've given doesn't seem to point to a valid page.</p>
<p>If you got here by following a link, please <a href="mailto:<?php out($this->get('admin_address'))?>?subject=<?php out('Broken link to '.$this->get('fulladdress').(empty($this->get('referrer')) ? '' : ' from '.$this->get('referrer')), ESC_URL_ALL)?>">report it to us</a>. Otherwise, please make sure that you have typed the address correctly, or just start browsing from the <a href="/">keys home page</a>.</p>

39
templates/error500.php
Unescape Escape View File

@ -0,0 +1,39 @@
<?php
?>
<?php if($this->get('error_details')) { ?>
<h1>Error</h1>
<p><?php out($this->get('exception_class')) ?> "<span class="text-danger"><?php out($this->get('error_details')->getMessage()) ?></span>"</p>
<p>Occurred in <?php out($this->get('error_details')->getFile().' line '.$this->get('error_details')->getLine()) ?></p>
<h2>Stack trace</h2>
<table class="table">
<thead>
<tr>
<th>Function</th>
<th>Arguments</th>
<th>Location</th>
</tr>
</thead>
<tbody>
<?php foreach($this->get('error_details')->getTrace() as $stack_line) { ?>
<?php if($stack_line['function'] != 'exception_error_handler') { ?>
<tr>
<td><?php out($stack_line['function'])?></td>
<td>
<?php if(!empty($stack_line['args'])) { ?>
<ul>
<?php foreach($stack_line['args'] as $arg) { ?>
<li><?php out(print_r($arg, 1)) ?></li>
<?php } ?>
</ul>
<?php } ?>
</td>
<td><?php out($stack_line['file'].' line '.$stack_line['line'])?></td>
</tr>
<?php } ?>
<?php } ?>
</tbody>
</table>
<?php } else { ?>
<h1>Oops! Something went wrong!</h1>
<p>Sorry, but it looks like something needs fixing on the system. The problem has been automatically reported to the administrators, but if you wish, you can also <a href="mailto:<?php out($this->get('admin_address'))?>?subject=<?php out('SSH Key Authority error number '.$this->get('error_number'), ESC_URL_ALL)?>">provide additional information</a> about what you were doing that may have triggered the error.</p>
<?php } ?>

4
templates/error503.php
Unescape Escape View File

@ -0,0 +1,4 @@
<?php
?>
<h1>System is down for maintenance</h1>
<p>Sorry for the inconvenience. We should be back soon though, so press the reload button in your browser in a few minutes to try again.</p>

177
templates/functions.php
Unescape Escape View File

@ -0,0 +1,177 @@
<?php
function show_event($event) {
$json = json_decode($event->details);
$details = hesc($event->details);
switch($json->action) {
case 'Server add':
$details = 'Added server to key management';
break;
case 'Group add':
$details = 'Created group';
break;
case 'Account add':
$details = 'Added account '.hesc($json->value);
break;
case 'Account remove':
// Legacy event type
$details = 'Removed account '.hesc($json->value);
break;
case 'Access request':
$details = 'Requested access for '.show_event_participant($json->value);
break;
case 'Access approve':
$details = 'Approved access for '.show_event_participant($json->value);
break;
case 'Access reject':
$details = 'Rejected access for '.show_event_participant($json->value);
break;
case 'Access add':
$details = 'Added access for '.show_event_participant($json->value);
break;
case 'Access remove':
$details = 'Removed access for '.show_event_participant($json->value);
break;
case 'Administrator add':
$details = 'Added administrator '.show_event_participant($json->value);
break;
case 'Administrator remove':
$details = 'Removed administrator '.show_event_participant($json->value);
break;
case 'Member add':
$details = 'Added member '.show_event_participant($json->value);
break;
case 'Member remove':
$details = 'Removed member '.show_event_participant($json->value);
break;
case 'Pubkey add':
$details = 'Added public key '.hesc($json->value);
break;
case 'Pubkey remove':
$details = 'Removed public key '.hesc($json->value);
break;
case 'Setting update':
$details = hesc($json->field).' changed from <q>'.hesc($json->oldvalue).'</q> to <q>'.hesc($json->value).'</q>';
break;
case 'Sync status change':
$details = 'Sync status: '.hesc($json->value);
break;
}
?>
<tr>
<td>
<?php if(get_class($event) == 'ServerEvent') { ?>
<a href="<?php outurl('/servers/'.urlencode($event->server->hostname))?>" class="server"><?php out($event->server->hostname) ?></a>
<?php } elseif(get_class($event) == 'UserEvent') { ?>
<a href="<?php outurl('/users/'.urlencode($event->user->uid))?>" class="user"><?php out($event->user->uid) ?></a>
<?php } elseif(get_class($event) == 'ServerAccountEvent') { ?>
<a href="<?php outurl('/servers/'.urlencode($event->account->server->hostname).'/accounts/'.urlencode($event->account->name))?>" class="serveraccount"><?php out($event->account->name.'@'.$event->account->server->hostname) ?></a>
<?php } elseif(get_class($event) == 'GroupEvent') { ?>
<a href="<?php outurl('/groups/'.urlencode($event->group->name))?>" class="group"><?php out($event->group->name) ?></a>
<?php } ?>
</td>
<td><a href="<?php outurl('/users/'.urlencode($event->actor->uid))?>" class="user"><?php out($event->actor->uid) ?></a></td>
<td><?php out($details, ESC_NONE) ?></td>
<td class="nowrap"><?php out($event->date) ?></td>
</tr>
<?php
}
function show_event_participant($participant) {
list($type, $name) = explode(':', $participant, 2);
if($type == 'user') {
return '<a href="'.rrurl('/users/'.urlencode($name)).'" class="user">'.hesc($name).'</a>';
} elseif($type == 'account') {
list($account, $server) = explode('@', $name, 2);
return '<a href="'.rrurl('/servers/'.urlencode($server).'/accounts/'.urlencode($account)).'" class="serveraccount">'.hesc($name).'</a>';
} elseif($type == 'group') {
return '<a href="'.rrurl('/groups/'.urlencode($name)).'" class="group">'.hesc($name).'</a>';
} else {
return hesc($participant);
}
}
function keygen_help($box_position) {
?>
<ul class="nav nav-tabs">
<li><a href="#windows_instructions" data-toggle="tab">Windows</a></li>
<li><a href="#mac_instructions" data-toggle="tab">Mac</a></li>
<li><a href="#linux_instructions" data-toggle="tab">Linux</a></li>
</ul>
<div class="tab-content clearfix">
<div class="tab-pane fade" id="windows_instructions">
<aside class="pull-right"><img src="/putty-key-generator.png" class="img-rounded"></aside>
<p>On Windows you will typically use the <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html">PuTTYgen</a> application to generate your key pair.</p>
<ol>
<li>Download and run the latest Windows installer from the <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html">PuTTY download page</a>.
<li>Start PuTTYgen.
<li>Select the type of key to generate. RSA, ECDSA or ED25519 are good choices.
<li>For RSA, enter "4096" as the number of bits in the generated key. For ECDSA, use either the nistp384 or nistp521 curve.
<li>Click the Generate button.
<li>Provide a comment for the key: it is a very good idea to include your user name and the current date in the comment to make the key easier to identify.
<li><strong>Provide a key passphrase.</strong>
<li>Save the private key to your local machine.
<li>Select and copy the contents of the "Public key for pasting into OpenSSH authorized_keys file" section at the top of the window (scrollable, make sure to select all).
<?php if(!is_null($box_position)) { ?>
<li>Paste the public key that you just copied into the box <?php out($box_position)?> and click the "Add public key" button.
<?php } ?>
</ol>
<div class="alert alert-info">
<strong>Note:</strong> if you are not using PuTTY to connect, you may need to export your private key into OpenSSH format to use it. You can do this from the Conversions menu.
</div>
<div class="alert alert-info">
<strong>Note:</strong> if you are using Cygwin or MSYS bash, the instructions for Linux can be used instead.
</div>
</div>
<div class="tab-pane fade" id="mac_instructions">
<p>On Mac you can generate a key pair with the ssh-keygen command.</p>
<ol>
<li>Start the "Terminal" program.
<li>Run the following command: <code>ssh-keygen -t rsa -b 4096 -C '<var>comment</var>'</code>, replacing '<var>comment</var>' with your own comment - a good idea is to include your user name and the current date in the comment to make the key easier to identify.
<li><strong>Make sure that you give the key a passphrase when prompted.</strong>
<li>A new text file will have been created in a <code>.ssh</code> directory called <code>id_rsa.pub</code>. Copy the contents of that file into your clipboard.
<?php if(!is_null($box_position)) { ?>
<li>Paste the public key that you just copied into the box <?php out($box_position)?> and click the "Add public key" button.
<?php } ?>
</ol>
</div>
<div class="tab-pane fade" id="linux_instructions">
<p>On Linux you can generate a key pair with the ssh-keygen command.</p>
<ol>
<li>Open a terminal on your machine
<li>
Run the following command: <code>ssh-keygen -t rsa -b 4096 -C '<var>comment</var>'</code>, replacing '<var>comment</var>' with your own comment - a good idea is to include your user name and the current date in the comment to make the key easier to identify.
<div class="alert alert-info">
Note: if this command fails with a message of "ssh-keygen: command not found", you need to install the openssh-client package: <code>sudo apt-get install openssh-client</code> on Debian-based systems.
</div>
<li><strong>Make sure that you give the key a passphrase when prompted.</strong>
<li>Run <code>cat ~/.ssh/id_rsa.pub</code>. The output is your public key. Copy it into your clipboard.
<?php if(!is_null($box_position)) { ?>
<li>Paste the public key that you just copied into the box <?php out($box_position)?> and click the "Add public key" button.
<?php } ?>
</ol>
</div>
</div>
<?php
}
function pubkey_json($pubkey, $include_keydata = true, $include_owner = true) {
$json = new StdClass;
if($include_keydata) {
$json->keydata = $pubkey->export();
}
$json->type = $pubkey->type;
$json->keysize = $pubkey->keysize;
$json->fingerprint = $pubkey->fingerprint_md5;
$json->fingerprint_md5 = $pubkey->fingerprint_md5;
$json->fingerprint_sha256 = $pubkey->fingerprint_sha256;
if($include_owner) {
$json->owner = new StdClass;
$json->owner->type = get_class($pubkey->owner);
if(get_class($pubkey->owner) == 'User') {
$json->owner->uid = $pubkey->owner->uid;
} elseif(get_class($pubkey->owner) == 'ServerAccount') {
$json->owner->hostname = $pubkey->owner->server->hostname;
}
$json->owner->name = $pubkey->owner->name;
}
return $json;
}

421
templates/group.php
Unescape Escape View File

@ -0,0 +1,421 @@
<?php
$membercounts = array('User' => 0, 'ServerAccount' => 0, 'Group' => 0);
foreach($this->get('group_members') as $member) {
$membercounts[get_class($member)]++;
}
?>
<h1><span class="glyphicon glyphicon-list-alt" title="Group"></span> <?php out($this->get('group')->name)?><?php if($this->get('group')->active == 0) out(' <span class="label label-default">Inactive</span>', ESC_NONE) ?></h1>
<?php if($this->get('admin') || $this->get('group_admin')) { ?>
<ul class="nav nav-tabs">
<li><a href="#members" data-toggle="tab">Members</a></li>
<li><a href="#access" data-toggle="tab">Access</a></li>
<li><a href="#outbound" data-toggle="tab">Outbound access</a></li>
<li><a href="#admins" data-toggle="tab">Administrators</a></li>
<?php if($this->get('admin')) { ?>
<li><a href="#settings" data-toggle="tab">Settings</a></li>
<?php } ?>
<li><a href="#log" data-toggle="tab">Log</a></li>
</ul>
<!-- Tab panes -->
<div class="tab-content">
<div class="tab-pane fade" id="members">
<h2 class="sr-only">Group members</h2>
<?php if(count($this->get('group_members')) == 0) { ?>
<p>No members have been added to this group yet.</p>
<?php } else { ?>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<?php if($this->get('group')->system) { ?>
<div class="alert alert-info">
This is a system group. Its membership list cannot be edited.
</div>
<?php } ?>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th colspan="2">Member</th>
<th>Status</th>
<?php if(!$this->get('group')->system) { ?>
<th>Actions</th>
<?php } ?>
</tr>
</thead>
<tbody>
<?php foreach($this->get('group_members') as $member) { ?>
<tr>
<?php
switch(get_class($member)) {
case 'User':
?>
<td><a href="<?php outurl('/users/'.urlencode($member->uid))?>" class="user"><?php out($member->uid)?></a></td>
<td><?php out($member->name); if(!$member->active) out(' <span class="label label-default">Inactive</span>', ESC_NONE)?></td>
<?php
break;
case 'ServerAccount':
?>
<td><a href="<?php outurl('/servers/'.urlencode($member->server->hostname).'/accounts/'.urlencode($member->name))?>" class="serveraccount"><?php out($member->name.'@'.$member->server->hostname)?></a></td>
<td><em>Server account</em><?php if($member->server->key_management == 'decommissioned') out(' <span class="label label-default">Inactive</span>', ESC_NONE) ?></td>
<?php
break;
case 'Group':
?>
<td><a href="<?php outurl('/groups/'.urlencode($member->name))?>" class="group"><?php out($member->name)?></a></td>
<td><em>Group</em></td>
<?php
break;
}
?>
<td>Added on <?php out($member->add_date) ?> by <a href="<?php outurl('/users/'.urlencode($member->added_by->uid))?>" class="user"><?php out($member->added_by->uid) ?></a></td>
<?php if(!$this->get('group')->system) { ?>
<td>
<button type="submit" name="delete_member" value="<?php out($member->entity_id)?>" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-ban-circle"></span> Remove from group</button>
</td>
<?php } ?>
<?php } ?>
</tr>
</tbody>
</table>
</form>
<?php } ?>
<?php if(!$this->get('group')->system) { ?>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<h3>Add user</h3>
<div class="row">
<div class="form-group col-md-9">
<div class="input-group">
<span class="input-group-addon"><label for="username"><span class="glyphicon glyphicon-user" title="User"></span><span class="sr-only">User name</span></label></span>
<input type="text" id="username" name="username" class="form-control" placeholder="User name" required list="userlist">
</div>
</div>
<div class="form-group col-md-3">
<button type="submit" name="add_member" value="1" class="btn btn-primary btn-block">Add user to group</button>
</div>
</div>
</form>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<h3>Add server account</h3>
<div class="row">
<div class="form-group col-md-2">
<div class="input-group">
<span class="input-group-addon"><label for="account"><span class="glyphicon glyphicon-log-in" title="Server account"></span><span class="sr-only">Account</span></label></span>
<input type="text" id="account" name="account" class="form-control" placeholder="Account name" required>
</div>
</div>
<div class="form-group col-md-7">
<div class="input-group">
<span class="input-group-addon"><label for="hostname">@</label></span>
<input type="text" id="hostname" name="hostname" class="form-control" placeholder="Hostname" required list="<?php out($this->get('admin') ? 'serverlist' : 'adminedserverlist')?>">
</div>
</div>
<div class="form-group col-md-3">
<button type="submit" name="add_member" value="1" class="btn btn-primary btn-block">Add server account to group</button>
</div>
</div>
</form>
<?php } ?>
</div>
<div class="tab-pane fade" id="access">
<h2 class="sr-only">Access</h2>
<?php if(count($this->get('group_access')) == 0) { ?>
<?php if($membercounts['ServerAccount'] > 0 || $membercounts['Group'] > 0) { ?>
<p>No access has been granted to this group's resources.</p>
<?php } ?>
<?php } else { ?>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th colspan="2">Access for</th>
<th>Status</th>
<th>Options</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
<?php foreach($this->get('group_access') as $access) { ?>
<?php $entity = $access->source_entity; ?>
<tr>
<?php
$options = $access->list_options();
switch(get_class($entity)) {
case 'User':
?>
<td><a href="<?php outurl('/users/'.urlencode($entity->uid))?>" class="user"><?php out($entity->uid)?></a></td>
<td><?php out($entity->name); if(!$entity->active) out(' <span class="label label-default">Inactive</span>', ESC_NONE)?></td>
<?php
break;
case 'ServerAccount':
?>
<td><a href="<?php outurl('/servers/'.urlencode($entity->server->hostname).'/accounts/'.urlencode($entity->name))?>" class="serveraccount"><?php out($entity->name.'@'.$entity->server->hostname)?></a></td>
<td><em>Server account</em><?php if($entity->server->key_management == 'decommissioned') out(' <span class="label label-default">Inactive</span>', ESC_NONE) ?></td>
<?php
break;
case 'Group':
?>
<td><a href="<?php outurl('/groups/'.urlencode($entity->name))?>" class="group"><?php out($entity->name)?></a></td>
<td><em>Group</em></td>
<?php
break;
}
?>
<td>Added on <?php out($access->grant_date) ?> by <a href="<?php outurl('/users/'.urlencode($access->granted_by->uid))?>" class="user"><?php out($access->granted_by->uid) ?></a></td>
<td>
<?php if(count($options) > 0) { ?>
<ul class="compact">
<?php foreach($options as $option) { ?>
<li>
<code>
<?php
out($option->option);
if(!is_null($option->value)) {
?>=&quot;<abbr title="<?php out($option->value)?>"></abbr>&quot;<?php
}
?>
</code>
</li>
<?php } ?>
</ul>
<?php } ?>
</td>
<td>
<a href="<?php outurl('/groups/'.urlencode($this->get('group')->name).'/access_rules/'.urlencode($access->id))?>" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-cog"></span> Configure access</a>
<button type="submit" name="delete_access" value="<?php out($access->id)?>" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-ban-circle"></span> Remove access</button>
</td>
<?php } ?>
</tr>
</tbody>
</table>
</form>
<?php } ?>
<?php if($membercounts['ServerAccount'] == 0 && $membercounts['Group'] == 0) { ?>
<p>This group does not contain any resources (server accounts or groups containing server accounts) to grant access to.</p>
<?php } else { ?>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<h3>Grant user access</h3>
<div class="row">
<div class="form-group col-md-8">
<div class="input-group">
<span class="input-group-addon"><label for="access-username"><span class="glyphicon glyphicon-user" title="User"></span><span class="sr-only">User name</span></label></span>
<input type="text" id="access-username" name="username" class="form-control" placeholder="User name" required list="userlist">
</div>
</div>
<div class="form-group col-md-4">
<button type="submit" name="add_access" value="1" class="btn btn-primary btn-block">Grant user access to group resources</button>
</div>
</div>
</form>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<h3>Grant server account access</h3>
<div class="row">
<div class="form-group col-md-2">
<div class="input-group">
<span class="input-group-addon"><label for="access-account"><span class="glyphicon glyphicon-log-in" title="Server account"></span><span class="sr-only">Account</span></label></span>
<input type="text" id="access-account" name="account" class="form-control" placeholder="Account name" required>
</div>
</div>
<div class="form-group col-md-6">
<div class="input-group">
<span class="input-group-addon"><label for="access-hostname">@</label></span>
<input type="text" id="access-hostname" name="hostname" class="form-control" placeholder="Hostname" required list="serverlist">
</div>
</div>
<div class="form-group col-md-4">
<button type="submit" name="add_access" value="1" class="btn btn-primary btn-block">Grant server account access to group resources</button>
</div>
</div>
</form>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<h3>Grant group access</h3>
<div class="row">
<div class="form-group col-md-8">
<div class="input-group">
<span class="input-group-addon"><label for="access-group"><span class="glyphicon glyphicon-list-alt" title="Group"></span><span class="sr-only">Group name</span></label></span>
<input type="text" id="access-group" name="group" class="form-control" placeholder="Group name" required list="grouplist">
</div>
</div>
<div class="form-group col-md-4">
<button type="submit" name="add_access" value="1" class="btn btn-primary btn-block">Grant a group access to this group's resources</button>
</div>
</div>
</form>
<?php } ?>
</div>
<div class="tab-pane fade" id="outbound">
<h2 class="sr-only">Outbound access</h2>
<?php if(count($this->get('group_remote_access')) == 0) { ?>
<p>This group has not been granted access to other resources.</p>
<?php } else { ?>
<p>This group has access to the following resources:</p>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th colspan="2">Access to</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<?php foreach($this->get('group_remote_access') as $access) { ?>
<?php $entity = $access->dest_entity; ?>
<tr>
<?php
switch(get_class($entity)) {
case 'User':
?>
<td><a href="<?php outurl('/users/'.urlencode($entity->uid))?>" class="user"><?php out($entity->uid)?></a></td>
<td><?php out($entity->name); if(!$entity->active) out(' <span class="label label-default">Inactive</span>', ESC_NONE)?></td>
<?php
break;
case 'ServerAccount':
?>
<td><a href="<?php outurl('/servers/'.urlencode($entity->server->hostname).'/accounts/'.urlencode($entity->name))?>" class="serveraccount"><?php out($entity->name.'@'.$entity->server->hostname)?></a></td>
<td><em>Server account</em><?php if($entity->server->key_management == 'decommissioned') out(' <span class="label label-default">Inactive</span>', ESC_NONE) ?></td>
<?php
break;
case 'Group':
?>
<td><a href="<?php outurl('/groups/'.urlencode($entity->name))?>" class="group"><?php out($entity->name)?></a></td>
<td><em>Group</em></td>
<?php
break;
}
?>
<td>Added on <?php out($access->grant_date) ?> by <a href="<?php outurl('/users/'.urlencode($access->granted_by->uid))?>" class="user"><?php out($access->granted_by->uid) ?></a></td>
<?php } ?>
</tr>
</tbody>
</table>
<?php } ?>
</div>
<div class="tab-pane fade" id="admins">
<h2 class="sr-only">Group administrators</h2>
<?php if(count($this->get('group_admins')) == 0) { ?>
<p class="alert alert-danger">This group does not have any administrators assigned.</p>
<?php } else { ?>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th>User ID</th>
<th>Name</th>
<?php if($this->get('admin')) { ?>
<th>Actions</th>
<?php } ?>
</tr>
</thead>
<tbody>
<?php foreach($this->get('group_admins') as $admin) { ?>
<tr>
<td><a href="<?php outurl('/users/'.urlencode($admin->uid))?>" class="user"><?php out($admin->uid) ?></a></td>
<td><?php out($admin->name); if(!$admin->active) out(' <span class="label label-default">Inactive</span>', ESC_NONE) ?></td>
<?php if($this->get('admin')) { ?>
<td>
<button type="submit" name="delete_admin" value="<?php out($admin->id) ?>" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-trash"></span> Remove admin</button>
</td>
<?php } ?>
</tr>
<?php } ?>
</tbody>
</table>
</form>
<?php } ?>
<?php if($this->get('admin')) { ?>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>" class="form-inline">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<h3>Add administrator</h3>
<div class="form-group">
<label for="user_name" class="sr-only">User name</label>
<input type="text" id="user_name" name="user_name" class="form-control" placeholder="User name" required list="userlist">
</div>
<button type="submit" name="add_admin" value="1" class="btn btn-primary">Add administrator to group</button>
</form>
<?php } ?>
</div>
<?php if($this->get('admin')) { ?>
<div class="tab-pane fade" id="settings">
<h2 class="sr-only">Settings</h2>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>" class="form-horizontal">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<div class="form-group">
<label for="name" class="col-sm-2 control-label">Name</label>
<div class="col-sm-10">
<input type="text" id="name" name="name" value="<?php out($this->get('group')->name)?>" required class="form-control">
</div>
</div>
<div class="form-group">
<label class="col-sm-2 control-label">Group status</label>
<div class="col-sm-10">
<div class="radio">
<label class="text-success">
<input type="radio" name="active" value="1"<?php if($this->get('group')->active == 1) out(' checked') ?>>
Enabled
</label>
</div>
<div class="radio">
<label class="text-danger">
<input type="radio" name="active" value="0"<?php if($this->get('group')->active == 0) out(' checked') ?>>
Disabled
</label>
</div>
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-2 col-sm-10">
<button type="submit" name="edit_group" value="1" class="btn btn-primary">Change settings</button>
</div>
</div>
</form>
</div>
<?php } ?>
<div class="tab-pane fade" id="log">
<h2 class="sr-only">Log</h2>
<table class="table">
<thead>
<tr>
<th>Entity</th>
<th>User</th>
<th>Activity</th>
<th>Date (<abbr title="Coordinated Universal Time">UTC</abbr>)</th>
</tr>
</thead>
<tbody>
<?php
foreach($this->get('group_log') as $event) {
show_event($event);
}
?>
</tbody>
</table>
</div>
</div>
<datalist id="userlist">
<?php foreach($this->get('all_users') as $user) { ?>
<option value="<?php out($user->uid)?>" label="<?php out($user->name)?>">
<?php } ?>
</datalist>
<datalist id="grouplist">
<?php foreach($this->get('all_groups') as $group) { ?>
<option value="<?php out($group->name)?>">
<?php } ?>
</datalist>
<datalist id="adminedserverlist">
<?php foreach($this->get('admined_servers') as $server) { ?>
<option value="<?php out($server->hostname)?>">
<?php } ?>
</datalist>
<datalist id="serverlist">
<?php foreach($this->get('all_servers') as $server) { ?>
<option value="<?php out($server->hostname)?>">
<?php } ?>
</datalist>
<?php } else { ?>
<p>You do not have access to manage this group.</p>
<?php } ?>

17
templates/group_json.php
Unescape Escape View File

@ -0,0 +1,17 @@
<?php
$json = new StdClass;
$json->users = array();
$json->server_accounts = array();
foreach($this->get('group_members') as $member) {
$group_member = new StdClass;
if(get_class($member) == 'User') {
$group_member->uid = $member->uid;
$group_member->email = $member->email;
$json->users[] = $group_member;
} elseif(get_class($member) == 'ServerAccount') {
$group_member->name = $member->name;
$group_member->hostname = $member->server->hostname;
$json->server_accounts[] = $group_member;
}
}
out(json_encode($json), ESC_NONE);

6
templates/group_not_found.php
Unescape Escape View File

@ -0,0 +1,6 @@
<?php
?>
<h1>Group not found</h1>
<div class="alert alert-danger">
<p>The group name you entered isn't yet known by the keys management server. Please <a href="" class="navigate-back">go back</a> and try again.</p>
</div>

105
templates/groups.php
Unescape Escape View File

@ -0,0 +1,105 @@
<?php
?>
<h1>Groups</h1>
<?php if($this->get('admin')) { ?>
<ul class="nav nav-tabs">
<li><a href="#list" data-toggle="tab">Group list</a></li>
<li><a href="#add" data-toggle="tab">Add group</a></li>
</ul>
<?php } ?>
<!-- Tab panes -->
<div class="tab-content">
<div class="tab-pane fade<?php if(!$this->get('admin')) out(' in active') ?>" id="list">
<h2 class="sr-only">Group list</h2>
<div class="panel-group">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
Filter options
</h3>
</div>
<div class="panel-body">
<form>
<div class="row">
<div class="col-sm-4">
<div class="form-group">
<label for="name-search">Name (<a href="https://mariadb.com/kb/en/mariadb/regular-expressions-overview/">regexp</a>)</label>
<input type="text" id="name-search" name="name" class="form-control" value="<?php out($this->get('filter')['name'])?>" autofocus>
</div>
</div>
<div class="col-sm-3">
<h4>Status</h4>
<?php
$options = array();
$options['1'] = 'Active';
$options['0'] = 'Inactive';
foreach($options as $value => $label) {
$checked = in_array($value, $this->get('filter')['active']) ? ' checked' : '';
?>
<div class="checkbox"><label><input type="checkbox" name="active[]" value="<?php out($value)?>"<?php out($checked) ?>> <?php out($label) ?></label></div>
<?php } ?>
</div>
</div>
<button type="submit" class="btn btn-primary">Display results</button>
</form>
</div>
</div>
</div>
<?php if(count($this->get('groups')) == 0) { ?>
<p>No groups found.</p>
<?php } else { ?>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>" class="form-inline">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<table class="table table-striped">
<thead>
<tr>
<th>Group</th>
<th>Members</th>
<th>Admins</th>
<?php if($this->get('admin')) { ?>
<th>Actions</th>
<?php } ?>
</tr>
</thead>
<tbody>
<?php foreach($this->get('groups') as $group) { ?>
<tr<?php if(!$group->active) out(' class="text-muted"', ESC_NONE) ?>>
<td><a href="<?php outurl('/groups/'.urlencode($group->name)) ?>" class="group<?php if(!$group->active) out(' text-muted') ?>"><?php out($group->name) ?></a></td>
<td><?php out(number_format($group->member_count))?></td>
<td><?php out($group->admins)?></td>
<?php if($this->get('admin')) { ?>
<td>
<a href="<?php outurl('/groups/'.urlencode($group->name))?>" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-cog"></span> Manage group</a>
</td>
<?php } ?>
</tr>
<?php } ?>
</tbody>
</table>
</form>
<?php } ?>
</div>
<?php if($this->get('admin')) { ?>
<div class="tab-pane fade" id="add">
<h2 class="sr-only">Add group</h2>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>" class="form-inline">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<div class="form-group">
<label for="name" class="sr-only">Group name</label>
<input type="text" id="name" name="name" class="form-control" placeholder="Group name" required>
</div>
<div class="form-group">
<label for="admin_uid" class="sr-only">Administrator</label>
<input type="text" size="40" id="admin_uid" name="admin_uid" class="form-control" placeholder="Administrator" required list="userlist">
<datalist id="userlist">
<?php foreach($this->get('all_users') as $user) { ?>
<option value="<?php out($user->uid)?>" label="<?php out($user->name)?>">
<?php } ?>
</datalist>
</div>
<button type="submit" name="add_group" value="1" class="btn btn-primary">Create group</button>
</form>
</div>
<?php } ?>
</div>

233
templates/help.php
Unescape Escape View File

@ -0,0 +1,233 @@
<?php
$admin_mail = $this->get('admin_mail');
$baseurl = $this->get('baseurl');
$security_config = $this->get('security_config');
?>
<div class="panel-group" id="help">
<h1>Help</h1>
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#getting_started">
Getting started
</a>
</h2>
</div>
<div id="getting_started" class="panel-collapse collapse">
<div class="panel-body">
<h3>Generating an SSH keypair</h3>
<?php keygen_help(null) ?>
<h3>Uploading a public key</h3>
<p>You can upload a new public key to your account from the <a href="<?php outurl('/')?>">home</a> page.</p>
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#concepts">
Concepts
</a>
</h2>
</div>
<div id="concepts" class="panel-collapse collapse">
<div class="panel-body">
<h3>Iconography</h3>
<p>Most objects that are known by SSH Key Authority are represented by icons:</p>
<h4><span class="glyphicon glyphicon-hdd"></span> Servers</h4>
<p>Physical or virtual servers.</p>
<h4><span class="glyphicon glyphicon-log-in"></span> Server accounts</h4>
<p>Accounts on servers (eg. root@myserver is a server account).</p>
<h4><span class="glyphicon glyphicon-user"></span> Users</h4>
<p>Users of SSH Key Authority.</p>
<h4><span class="glyphicon glyphicon-list-alt"></span> Groups</h4>
<p>Collections of users or server accounts.</p>
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#getting_access">
Getting access to a server
</a>
</h4>
</div>
<div id="getting_access" class="panel-collapse collapse">
<div class="panel-body">
<p>Begin by browsing the <a href="<?php outurl('/servers')?>">server list</a>. Click on the server that you need access to.</p>
<p>You should see a "request access" form, in which you will need to enter the name of the account on the server that you are requesting access for. For example, if you need access to the <i>root</i> account, then that is what you should enter in this field.</p>
<p>Once you have successfully requested access, the designated server administators will be sent a mail informing them of your request and you will need to wait for one of them to grant your access.</p>
<p class="alert alert-info">You will need to have a public key uploaded for your access to work. See the <a data-toggle="collapse" data-parent="#help" href="#getting_started" class="alert-link">getting started guide</a>.</p>
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#add_server">
Adding a server to SSH Key Authority
</a>
</h2>
</div>
<div id="add_server" class="panel-collapse collapse">
<div class="panel-body">
<p>Contact <a href="mailto:<?php out($admin_mail)?>"><?php out($admin_mail)?></a> to have your server(s) added to SSH Key Authority.</p>
</div>
</div>
</div>
<h2>Frequently asked questions</h2>
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#sync_error">
What does this sync error for my server mean?
</a>
</h3>
</div>
<div id="sync_error" class="panel-collapse collapse">
<div class="panel-body">
<dl class="spaced">
<dt>SSH connection failed</dt>
<dd>SSH key authority was unable to establish an SSH connection to your server. This could indicate that the server is offline or otherwise unreachable, or that the SSH server is not running.</dd>
<dt>SSH host key verification failed</dt>
<dd>SSH key authority was able to open an SSH connection to your server, but the host key no longer matches the one that is on record for your server. If this is expected (eg. your server has been migrated to a new host), you can reset the host key on the "Settings" page of your server. Press the "Clear" button for the host key fingerprint and then "Save changes".</dd>
<?php if(!isset($security_config['host_key_collision_protection']) || $security_config['host_key_collision_protection'] == 1) { ?>
<dt>SSH host key collision</dt>
<dd>Your server has the same SSH host key as another server. This should be corrected by regenerating the SSH host keys on one or both of the affected servers.</dd>
<?php } ?>
<dt>SSH authentication failed</dt>
<dd>Although SSH key authority was able to connect to your server via SSH, it failed to log in. See the guides for setting up <a data-toggle="collapse" data-parent="#help" href="#sync_setup">full account syncing</a> or <a data-toggle="collapse" data-parent="#help" href="#legacy_sync_setup">legacy root account syncing</a>.</dd>
<dt>SFTP subsystem failed</dt>
<dd>SSH key authority currently relies on SFTP in order to determine if an account's key file needs updating or not. We are hoping to remove this dependency at some point, but for now your server needs to support SFTP (which openssh does by default) for key synchronization to work.</dd>
<dt><em>x</em> account(s) failed to sync</dt>
<dt>Failed to clean up <em>x</em> file(s)</dt>
<dd>
SSH key authority could not write to at least one of the files in <code>/var/local/keys-sync</code> (or <code>/root/.ssh/authorized_keys2</code> for legacy sync). This is typically caused by one of 3 possibilities:
<ul>
<li>Issues with file ownership - this directory and all files in it must be owned by the keys-sync user</li>
<li>Read-only filesystem</li>
<li>Disk full</li>
</ul>
</dd>
<dt>Multiple hosts with same IP address</dt>
<dd>At least one other host managed by SSH Key Authority resolves to the same IP address as your server. SSH Key Authority will refuse to sync to either server until this is resolved.</dd>
<?php if(isset($security_config['hostname_verification']) && $security_config['hostname_verification'] >= 3) { ?>
<dt>Hostnames file missing</dt>
<dd>The <code>/var/local/keys-sync/.hostnames</code> file does not exist on the server. SSH Key Authority uses the contents of this file to verify that it is allowed to sync to your server.</dd>
<dt>Hostname check failed</dt>
<dd>The server name was not found in <code>/var/local/keys-sync/.hostnames</code> when SSH Key Authority tried to sync to your server.</dd>
<?php } ?>
</dl>
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#sync_warning">
What does this sync warning for my server mean?
</a>
</h3>
</div>
<div id="sync_warning" class="panel-collapse collapse">
<div class="panel-body">
<dl class="spaced">
<dt>Key directory does not exist</dt>
<dd>Your server has not been set up for <a data-toggle="collapse" data-parent="#help" href="#sync_setup">full account syncing</a>. The <i>root</i> account <strong>is</strong> being synced, but other accounts are not.</dd>
<dt>Using legacy sync method</dt>
<dd>Your server <strong>has</strong> been set up for <a data-toggle="collapse" data-parent="#help" href="#sync_setup">full account syncing</a> (stage 1), but the authentication on your server has not been switched over to keys control (stage 2). Legacy syncing is still being used, so only the <i>root</i> account sync is taking effect.</dd>
</dl>
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#sync_setup">
How do I set up my server to sync access for all accounts?
</a>
</h3>
</div>
<div id="sync_setup" class="panel-collapse collapse">
<div class="panel-body">
<h5>Stage 1</h5>
<p>If SSH Key Authority is reporting "Key directory does not exist" for your server, then Stage 1 is required.</p>
<ol>
<li>Create keys-sync account: <code>adduser --system --disabled-password --home /var/local/keys-sync --shell /bin/sh keys-sync</code>
<li>Change the permissions of <code>/var/local/keys-sync</code> to 711: <code>chmod 0711 /var/local/keys-sync</code>
<li>Create <code>/var/local/keys-sync/keys-sync</code> file (owned by keys-sync, permissions 0644) with the following SSH key in it:
<pre><?php out($this->get('keys-sync-pubkey'))?></pre>
</li>
<?php if(isset($security_config['hostname_verification']) && $security_config['hostname_verification'] >= 3) { ?>
<li>Create <code>/var/local/keys-sync/.hostnames</code> text file (owned by keys-sync, permissions 0644) with the server's hostname in it</li>
<?php } ?>
</ol>
<h5>Verify Stage 1 success</h5>
<p>Once Stage 1 has been deployed to your server, trigger a resync from SSH Key Authority. The server should no longer have the "Key directory does not exist" warning after syncing (the "Using legacy sync method" warning is expected at this point instead). You can check the contents of the <code>/var/local/keys-sync</code> directory to make sure that the access looks right.</p>
<h5>Stage 2</h5>
<ol>
<li>
Reconfigure SSH (<code>/etc/ssh/sshd_config</code>) to use:
<ul>
<li>"<code>AuthorizedKeysFile /var/local/keys-sync/%u</code>"
<li>"<code>StrictModes no</code>"
</ul>
<li>Restart SSH server
</ol>
<p>This stage stops any .ssh/authorized_keys* files from having any effect and transfers login authentication authority over to the /var/local/keys-sync directory.</p>
<p>After triggering a resync from SSH Key Authority, your server should be listed as "Synced successfully".</p>
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#legacy_sync_setup">
How do I set up my server for legacy (root-only) sync?
</a>
</h3>
</div>
<div id="legacy_sync_setup" class="panel-collapse collapse">
<div class="panel-body">
<p class="alert alert-warning">While this sync method is simpler to set up, we recommend setting up <a data-toggle="collapse" data-parent="#help" href="#sync_setup">full account syncing</a> where possible.</p>
<p>Add the following to the <code>/root/.ssh/authorized_keys</code> file (create it if it does not exist):</p>
<pre><?php out($this->get('keys-sync-pubkey'))?></pre>
<p>The <code>/root</code> and <code>/root/.ssh</code> directories must be accessible <em>only by root</em>.</p>
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<a data-toggle="collapse" data-parent="#help" href="#grant_access">
How do I grant access to an account on my server?
</a>
</h3>
</div>
<div id="grant_access" class="panel-collapse collapse">
<div class="panel-body">
<p>For access to accounts by employees:</p>
<ol>
<li>Go to your server's page (ie. <code><?php out($baseurl)?>/servers/&lt;hostname&gt;</code>).</li>
<li>If the account is not listed yet, add it with the "Create account" form.</li>
<li>Click "Manage account" for the relevant account.</li>
<li>In the "Add user to account" form, enter the user's intranet account name and submit.</li>
</ol>
<p>For server-to-server access, assuming that both of the servers involved are managed by SSH Key Authority:</p>
<p>Example: <code>foo@source.example.com</code> needs SSH access to <code>bar@destination.example.com</code></p>
<ol>
<li>Go to the admin page for source.example.com (ie. <code><?php out($baseurl)?>/servers/source.example.com</code>).</li>
<li>Add the "foo" account to keys ("Manage this account with SSH Key Authority") if it is not already listed.</li>
<li>Go to the manage account page for "foo".</li>
<li>On the Public keys tab, add the SSH public key for the foo@source.example.com account.</li>
<li>Go to the admin page for destination.example.com (ie. <code><?php out($baseurl)?>/servers/destination.example.com</code>).</li>
<li>Add the "bar" account to keys ("Manage this account with SSH Key Authority") if it is not already listed.</li>
<li>Go to the manage account page for "bar".</li>
<li>On the Access tab, add server-to-server access for foo@source.example.com.</li>
</ol>
<p>In the above example if source.example.com is not yet known by SSH Key Authority, please contact <a href="mailto:<?php out($admin_mail)?>"><?php out($admin_mail)?></a> to add it to the system.</p>
</div>
</div>
</div>
</div>

182
templates/home.php
Unescape Escape View File

@ -0,0 +1,182 @@
<?php
?>
<h1>Keys management</h1>
<p>Welcome to the SSH Key Authority server.</p>
<?php if(count($this->get('user_keys')) == 0) { ?>
<h2>Getting started</h2>
<p>To start using the key management system, you must first generate a "key pair". The instructions for doing this vary based on your computer's Operating System (OS).</p>
<?php keygen_help('below') ?>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<div class="form-group">
<label for="public_key">Public key</label>
<textarea class="form-control" rows="4" id="add_public_key" name="add_public_key" required></textarea>
</div>
<div class="form-group"><button class="btn btn-primary btn-lg btn-block">Add public key</button></div>
</form>
<?php } else { ?>
<h2>Your public keys</h2>
<form method="post" action="<?php out($this->data->relative_request_url)?>">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<table class="table">
<thead>
<tr>
<th>Type</th>
<th class="fingerprint">Fingerprint</th>
<th></th>
<th>Size</th>
<th>Comment</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
<?php foreach($this->get('user_keys') as $key) { ?>
<tr>
<td><?php out($key->type) ?></td>
<td>
<a href="<?php outurl('/users/'.urlencode($this->get('uid')).'/pubkeys/'.urlencode($key->id).'#info')?>">
<span class="fingerprint_md5"><?php out($key->fingerprint_md5) ?></span>
<span class="fingerprint_sha256"><?php out($key->fingerprint_sha256) ?></span>
</a>
</td>
<td>
<?php if(count($key->list_signatures()) > 0) { ?><a href="<?php outurl('/users/'.urlencode($this->get('uid')).'/pubkeys/'.urlencode($key->id).'#sig')?>"><span class="glyphicon glyphicon-pencil" title="Signed key"></span></a><?php } ?>
<?php if(count($key->list_destination_rules()) > 0) { ?><a href="<?php outurl('/users/'.urlencode($this->get('uid')).'/pubkeys/'.urlencode($key->id).'#dest')?>"><span class="glyphicon glyphicon-pushpin" title="Destination-restricted"></span></a><?php } ?>
</td>
<td><?php out($key->keysize) ?></td>
<td><?php out($key->comment) ?></td>
<td>
<a href="<?php outurl('/users/'.urlencode($this->get('uid')).'/pubkeys/'.urlencode($key->id))?>" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-cog"></span> Manage public key</a>
<button type="submit" name="delete_public_key" value="<?php out($key->id) ?>" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-trash"></span> Delete public key</button>
</td>
</tr>
<?php } ?>
</tbody>
</table>
</form>
<p><button id="add_key_button" class="btn btn-default">Add another public key</button></p>
<form method="post" action="<?php outurl($this->data->relative_request_url)?>" class="hidden" id="add_key_form">
<?php out($this->get('active_user')->get_csrf_field(), ESC_NONE) ?>
<div class="form-group">
<label for="add_public_key">Public key</label>
<textarea class="form-control" rows="4" id="add_public_key" name="add_public_key" required></textarea>
</div>
<div class="form-group row">
<div class="col-md-8">
<button type="submit" class="btn btn-primary btn-lg btn-block">Add public key</button>
</div>
<div class="col-md-2">
<button type="button" class="btn btn-info btn-lg btn-block">Help</button>
</div>
<div class="col-md-2">
<button type="button" class="btn btn-default btn-lg btn-block">Cancel</button>
</div>
</div>
<div id="help" class="hidden">
<?php keygen_help('above') ?>
</div>
</form>
<?php if(count($this->get('admined_servers')) > 0) { ?>
<h2>Your servers</h2>
<p>You are listed as an administrator for the following servers:</p>
<table class="table">
<thead>
<tr>
<th>Hostname</th>
<th>Config</th>
<th>Admins</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<?php
foreach($this->get('admined_servers') as $server) {
if($server->key_management != 'keys') {
$class = '';
} else {
switch($server->sync_status) {
case 'not synced yet': $class = 'warning'; break;
case 'sync failure': $class = 'danger'; break;
case 'sync success': $class = 'success'; break;
case 'sync warning': $class = 'warning'; break;
}
}
if($last_sync = $server->get_last_sync_event()) {
$sync_details = json_decode($last_sync->details)->value;
} else {
$sync_details = ucfirst($server->sync_status);
}
?>
<tr>
<td rowspan="2">
<a href="<?php outurl('/servers/'.urlencode($server->hostname)) ?>" class="server"><?php out($server->hostname) ?></a>
<?php if($server->pending_requests > 0) { ?>
<a href="<?php outurl('/servers/'.urlencode($server->hostname).'#requests') ?>"><span class="badge" title="Pending requests"><?php out(number_format($server->pending_requests)) ?></span></a>
<?php } ?>
</td>
<td>
<?php
switch($server->key_management) {
case 'keys':
switch($server->authorization) {
case 'manual': out('Manual account management'); break;
case 'automatic LDAP': out('LDAP accounts - automatic'); break;
case 'manual LDAP': out('LDAP accounts - manual'); break;
}
break;
case 'other': out('Managed by another system'); break;
case 'none': out('Unmanaged'); break;
case 'decommissioned': out('Decommissioned'); break;
}
?>
</td>
<td>
<?php
$admins = explode(',', $server->admins);
$admin_list = '';
foreach($admins as $admin) {
$type = substr($admin, 0, 1);
$name = substr($admin, 2);
if($type == 'G') {
$admin_list .= '<span class="glyphicon glyphicon-list-alt"></span> ';
}
$admin_list .= hesc($name).', ';
}
$admin_list = substr($admin_list, 0, -2);
out($admin_list, ESC_NONE);
?>
</td>
<td rowspan="2" class="<?php out($class)?>"><?php out($sync_details) ?></td>
</tr>
<tr>
<td colspan="2" class="indented">
<dl class="oneline">
<?php foreach($server->list_accounts() as $server_account) { ?>
<dt><a href="<?php outurl('/servers/'.urlencode($server->hostname).'/accounts/'.urlencode($server_account->name))?>" class="serveraccount"><?php out($server_account->name) ?></a>:</dt>
<?php
$list = array();
foreach($server_account->list_access() as $access) {
$entity = $access->source_entity;
switch(get_class($entity)) {
case 'User':
$list[] = hesc($entity->uid);
break;
case 'ServerAccount':
$list[] = hesc($entity->name.'@'.$entity->server->hostname);
break;
case 'Group':
$list[] = '<span class="glyphicon glyphicon-list-alt"></span> '.hesc($entity->name);
break;
}
}
?>
<dd><?php out(implode(', ', $list), ESC_NONE)?></dd>
<?php } ?>
</dl>
</td>
</tr>
<?php } ?>
</tbody>
</table>
<?php } ?>
<?php } ?>

6
templates/invalid_group_name.php
Unescape Escape View File

@ -0,0 +1,6 @@
<?php
?>
<h1>Invalid project name</h1>
<div class="alert alert-danger">
<p>"<?php out($this->get('project_name'))?>" doesn't look like a valid project name. Forward slashes (/) are not allowed in the project name. Please <a href="" class="navigate-back">go back</a> and try again.</p>
</div>

6
templates/invalid_hostname.php
Unescape Escape View File

@ -0,0 +1,6 @@
<?php
?>
<h1>Invalid hostname</h1>
<div class="alert alert-danger">
<p>"<?php out($this->get('hostname'))?>" doesn't look like a valid hostname. Please <a href="" class="navigate-back">go back</a> and try again.</p>
</div>

6
templates/key_upload_fail.php
Unescape Escape View File

@ -0,0 +1,6 @@
<?php
?>
<h1>Public key upload failed</h1>
<div class="alert alert-danger">
<p><?php out($this->get('message')) ?> Please <a href="" class="navigate-back">go back</a> and try again.</p>
</div>

4
templates/not_admin.php
Unescape Escape View File

@ -0,0 +1,4 @@
<?php
?>
<h1>Unable to fulfill request</h1>
<p>Your request cannot be fulfilled because you are not an administrator of the target entity.</p>

Some files were not shown because too many files have changed in this diff Show More

Write Preview
Loading…
Cancel
Save