diff options
-rw-r--r-- | modules/private/websites/tools/tools/landing/ldap_ssh_keys.php | 348 | ||||
-rw-r--r-- | nix/sources.json | 2 | ||||
m--------- | nixops/secrets | 0 |
3 files changed, 349 insertions, 1 deletions
diff --git a/modules/private/websites/tools/tools/landing/ldap_ssh_keys.php b/modules/private/websites/tools/tools/landing/ldap_ssh_keys.php new file mode 100644 index 0000000..259e28d --- /dev/null +++ b/modules/private/websites/tools/tools/landing/ldap_ssh_keys.php | |||
@@ -0,0 +1,348 @@ | |||
1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> | ||
2 | <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr"> | ||
3 | <head> | ||
4 | <title>ImmaeEu Account</title> | ||
5 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> | ||
6 | <meta name="viewport" content="width=device-width, initial-scale=1" /> | ||
7 | <link rel="stylesheet" href="https://assets.immae.eu/skeleton/2.0.4/skeleton.min.css" integrity="sha256-2YQRJMXD7pIAPHiXr0s+vlRWA7GYJEK0ARns7k2sbHY=" crossorigin="anonymous" /> | ||
8 | <style type="text/css"> | ||
9 | body { | ||
10 | font-family: Verdana,Arial,Courier New; | ||
11 | margin: auto; | ||
12 | } | ||
13 | table#ssh_keys_list textarea { | ||
14 | width: 100%; | ||
15 | height: 100%; | ||
16 | } | ||
17 | table#ssh_keys_list tbody tr.sshkeyrow { | ||
18 | height: 130px; | ||
19 | } | ||
20 | table#ssh_keys_list tbody tr.headrow th { | ||
21 | border-bottom: 0px !important; | ||
22 | padding-bottom: 0px !important; | ||
23 | } | ||
24 | table#ssh_keys_list tbody tr.mainrow td:not(.delete-button) { | ||
25 | border-bottom: 0px !important; | ||
26 | padding-bottom: 0px !important; | ||
27 | } | ||
28 | table#ssh_keys_list td.sshkey { | ||
29 | min-width: 600px; | ||
30 | height: 100%; | ||
31 | padding-top: 0px !important; | ||
32 | } | ||
33 | |||
34 | table#ssh_keys_list td.comment { | ||
35 | min-width: 160px; | ||
36 | } | ||
37 | |||
38 | </style> | ||
39 | </head> | ||
40 | <body> | ||
41 | <div class="container"> | ||
42 | <h1>Gestion des clés SSH</h1> | ||
43 | <?php | ||
44 | |||
45 | $connection = NULL; | ||
46 | |||
47 | session_start(); | ||
48 | |||
49 | // Liste des applications gérées | ||
50 | const apps = [ | ||
51 | 'git', | ||
52 | 'pub', | ||
53 | 'ftp', | ||
54 | 'ssh', | ||
55 | 'forward', | ||
56 | ]; | ||
57 | |||
58 | function checkSshKey($sshKey) | ||
59 | { | ||
60 | $exploded = explode(' ', $sshKey); | ||
61 | if (count($exploded) != 2) { | ||
62 | return false; | ||
63 | } | ||
64 | if (!in_array($exploded[0], array('ssh-rsa', 'ssh-ed25519'))) { | ||
65 | return false; | ||
66 | } | ||
67 | $decoded = base64_decode($exploded[1], true); | ||
68 | if ($decoded === FALSE) { | ||
69 | return false; | ||
70 | } | ||
71 | $decoded = preg_replace("/[^\w\-]/","", (string) $decoded); | ||
72 | if (substr($decoded, 0, strlen($exploded[0])) !== $exploded[0]) { | ||
73 | return false; | ||
74 | } | ||
75 | |||
76 | return true; | ||
77 | } | ||
78 | |||
79 | function isUserLogged() | ||
80 | { | ||
81 | return (isset($_SESSION["login"]) && doConnect() !== NULL); | ||
82 | } | ||
83 | |||
84 | function doConnect() | ||
85 | { | ||
86 | global $connection; | ||
87 | $server = "ldaps://ldap.immae.eu"; | ||
88 | |||
89 | if ($connection === NULL) { | ||
90 | $connection = ldap_connect($server); | ||
91 | ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3); | ||
92 | if (isset($_SESSION["user_dn"]) && isset($_SESSION["password"])) { | ||
93 | if (ldap_bind($connection, $_SESSION["user_dn"], $_SESSION["password"]) === false) { | ||
94 | $connection = NULL; | ||
95 | unset($_SESSION["user_dn"]); | ||
96 | unset($_SESSION["password"]); | ||
97 | unset($_SESSION["login"]); | ||
98 | } | ||
99 | } | ||
100 | } | ||
101 | |||
102 | return $connection; | ||
103 | } | ||
104 | |||
105 | function checkLogin($user, $password) | ||
106 | { | ||
107 | $con = doConnect(); | ||
108 | |||
109 | $user_dn = "uid=$user,ou=users,dc=immae,dc=eu"; | ||
110 | |||
111 | if (ldap_bind($con, $user_dn, $password) === false) { | ||
112 | return false; | ||
113 | } | ||
114 | $_SESSION["user_dn"] = $user_dn; | ||
115 | $_SESSION["password"] = $password; | ||
116 | |||
117 | $user_search = ldap_search($con,"dc=immae,dc=eu","(uid=$user)"); | ||
118 | $auth_entry = ldap_first_entry($con, $user_search); | ||
119 | |||
120 | return true; | ||
121 | } | ||
122 | |||
123 | function getLdapInfo() | ||
124 | { | ||
125 | $con = doConnect(); | ||
126 | if (!isset($_SESSION["user_dn"])) { | ||
127 | $sortieLdap = []; | ||
128 | } else { | ||
129 | $user_read = ldap_read($con, $_SESSION["user_dn"], "(objectclass=*)", array("uid","immaeSshKey")); | ||
130 | $user_entry = ldap_first_entry($con, $user_read); | ||
131 | $sortieLdap = ldap_get_values($con, $user_entry, "immaeSshKey"); | ||
132 | unset($sortieLdap["count"]); | ||
133 | } | ||
134 | |||
135 | $keys = []; | ||
136 | foreach ($sortieLdap as $line) { | ||
137 | $exploded = explode(' ', $line); | ||
138 | |||
139 | $apps = explode('|', $exploded[0]); | ||
140 | $publicKey = $exploded[1] . ' ' . $exploded[2]; | ||
141 | |||
142 | unset($exploded[0]); | ||
143 | unset($exploded[1]); | ||
144 | unset($exploded[2]); | ||
145 | |||
146 | $comment = implode(' ', $exploded); | ||
147 | |||
148 | $keys[] = [ | ||
149 | 'apps' => $apps, | ||
150 | 'public_key' => $publicKey, | ||
151 | 'comment' => $comment, | ||
152 | ]; | ||
153 | } | ||
154 | |||
155 | return $keys; | ||
156 | } | ||
157 | |||
158 | function pushLdapInfos($keys) | ||
159 | { | ||
160 | $con = doConnect(); | ||
161 | if (!isset($_SESSION["user_dn"])) | ||
162 | return false; | ||
163 | |||
164 | return ldap_mod_replace($con, $_SESSION["user_dn"], array("immaeSshKey" => $keys)); | ||
165 | } | ||
166 | |||
167 | |||
168 | // Script | ||
169 | if (isset($_POST['deconnexion'])) { | ||
170 | $_SESSION = []; | ||
171 | } | ||
172 | |||
173 | if (isset($_POST['sauvegarder'])) { | ||
174 | $editedKeys = []; | ||
175 | $errors = false; | ||
176 | $keysToSave = []; | ||
177 | foreach($_POST['keys'] as $id => $key) { | ||
178 | $editedKeys[$id] = $key; | ||
179 | if (!checkSshKey($key['public_key'])) { | ||
180 | $editedKeys[$id]['error'] = true; | ||
181 | $errors = true; | ||
182 | } | ||
183 | |||
184 | if (!isset($key['apps'])) { | ||
185 | $editedKeys[$id]['apps'] = $key['apps'] = []; | ||
186 | |||
187 | } | ||
188 | foreach ($key['apps'] as $app) { | ||
189 | if (!in_array($app, apps)) { | ||
190 | die("integrity"); | ||
191 | } | ||
192 | } | ||
193 | |||
194 | if (!isset($editedKeys[$id]['error']) || $editedKeys[$id]['error'] !== true) { | ||
195 | $keysToSave[] = implode('|', $key['apps']) . ' ' . $key['public_key'] . ' ' . $key['comment']; | ||
196 | } | ||
197 | } | ||
198 | |||
199 | if (!$errors) { | ||
200 | $successSave = pushLdapInfos($keysToSave); | ||
201 | } | ||
202 | } | ||
203 | |||
204 | $loginErrors = ""; | ||
205 | if (isset($_POST['login'])) { | ||
206 | if (empty($_POST['username']) || empty($_POST['password'])) { | ||
207 | $loginErrors = "Le nom d'utilisateur et le mot de passe sont requis."; | ||
208 | } elseif (!checkLogin($_POST['username'], $_POST['password'])) { | ||
209 | $loginErrors = "Identifiants incorrects."; | ||
210 | } else { | ||
211 | $_SESSION['login'] = $_POST['username']; | ||
212 | } | ||
213 | } | ||
214 | |||
215 | if (isUserLogged()) : | ||
216 | $keys = isset($editedKeys) ? $editedKeys : getLdapInfo(); | ||
217 | ?> | ||
218 | <p>Connecté en tant que <b><?= $_SESSION['login']; ?></b></p> | ||
219 | |||
220 | <form method="post"> | ||
221 | <input type="submit" name="deconnexion" value="Déconnexion"> | ||
222 | </form> | ||
223 | |||
224 | <?php if (isset($successSave) && $successSave === true) : ?> | ||
225 | <p style="color: green;">Clés enregistrées avec succès.</p> | ||
226 | <?php endif; ?> | ||
227 | |||
228 | <form method="post"> | ||
229 | <table id="ssh_keys_list"> | ||
230 | <tbody> | ||
231 | <?php | ||
232 | foreach ($keys as $id => $sshKey) : | ||
233 | ?> | ||
234 | <tr class="headrow"> | ||
235 | <th>Description</th> | ||
236 | <?php foreach (apps as $app) : ?> | ||
237 | <th><?= $app ?></th> | ||
238 | <?php endforeach; ?> | ||
239 | <th></th> | ||
240 | </tr> | ||
241 | <tr class="mainrow"> | ||
242 | <td class="comment"><textarea name="keys[<?= $id ?>][comment]"><?= $sshKey['comment'] ?></textarea></td> | ||
243 | <?php | ||
244 | foreach (apps as $app) : | ||
245 | $checked = in_array($app, $sshKey['apps']); | ||
246 | ?> | ||
247 | <td><input type="checkbox" name="keys[<?= $id ?>][apps][]" value="<?= $app ?>"<?= $checked ? ' checked' : '' ?>></td> | ||
248 | <?php endforeach; ?> | ||
249 | <td class="delete-button" rowspan="2"><button class="delete">Suppr.</button></td> | ||
250 | </tr> | ||
251 | <tr class="sshkeyrow"> | ||
252 | <td colspan="<?php echo 1+count(apps); ?>" class="sshkey"><textarea name="keys[<?= $id ?>][public_key]" <?php if (isset($sshKey['error']) && $sshKey['error'] === true) :?>style="color: red"<?php endif; ?>><?= $sshKey['public_key'] ?></textarea></td> | ||
253 | </tr> | ||
254 | <?php | ||
255 | endforeach; | ||
256 | ?> | ||
257 | </tbody> | ||
258 | </table> | ||
259 | |||
260 | <button id="add">Ajouter</button> | ||
261 | |||
262 | <hr> | ||
263 | |||
264 | <input type="submit" value="Sauvegarder" name="sauvegarder"> | ||
265 | </form> | ||
266 | <script> | ||
267 | function deleteLine(element) { | ||
268 | element.addEventListener('click', function(e) { | ||
269 | e.preventDefault(); | ||
270 | e.target.closest('tr').remove(); | ||
271 | }, false); | ||
272 | } | ||
273 | |||
274 | var suppr = document.getElementsByClassName('delete'); | ||
275 | var add = document.getElementById('add'); | ||
276 | var list = document.querySelector('#ssh_keys_list > tbody'); | ||
277 | |||
278 | for (var i = 0; i < suppr.length; i++) { | ||
279 | deleteLine(suppr[i]); | ||
280 | } | ||
281 | |||
282 | add.addEventListener('click', function (e) { | ||
283 | e.preventDefault(); | ||
284 | i++; | ||
285 | |||
286 | var newLine = ` | ||
287 | <tr class="headrow"> | ||
288 | <th>Description</th> | ||
289 | <?php foreach (apps as $app) : ?> | ||
290 | <th><?= $app ?></th> | ||
291 | <?php endforeach; ?> | ||
292 | <th></th> | ||
293 | </tr> | ||
294 | <tr class="mainrow"> | ||
295 | <td class="comment"><textarea name="keys[${i}][comment]"></textarea></td> | ||
296 | `; | ||
297 | |||
298 | |||
299 | <?php | ||
300 | foreach (apps as $app) : | ||
301 | ?> | ||
302 | newLine += `<td><input type="checkbox" name="keys[${i}][apps][]" value="<?= $app ?>"></td>`; | ||
303 | <?php endforeach; ?> | ||
304 | |||
305 | newLine += `<td class="delete-button" rowspan="2"><button class="delete" id="delete-${i}">Suppr.</button></td> | ||
306 | </tr>`; | ||
307 | |||
308 | newLine += `<tr class="sshkeyrow"> | ||
309 | <td colspan="<?php echo 1+count(apps); ?>" class="sshkey"><textarea name="keys[$[i}][public_key]"></textarea></td> | ||
310 | </tr>`; | ||
311 | |||
312 | |||
313 | list.insertAdjacentHTML('beforeend', newLine); | ||
314 | |||
315 | deleteLine(document.getElementById("delete-" + i)); | ||
316 | |||
317 | }, false) | ||
318 | </script> | ||
319 | <?php | ||
320 | else: | ||
321 | ?> | ||
322 | <form action="" method="post"> | ||
323 | <h2>Login</h2> | ||
324 | |||
325 | <?php | ||
326 | if (!empty($loginErrors)): | ||
327 | ?> | ||
328 | <p style="color: red;"><?= $loginErrors; ?></p> | ||
329 | <?php | ||
330 | endif; | ||
331 | ?> | ||
332 | |||
333 | <label for="username">Utilisateur :</label> | ||
334 | <input type="text" id="username" name="username"/> | ||
335 | |||
336 | <label for="password">Mot de passe :</label> | ||
337 | <input type="password" id="password" name="password"/> | ||
338 | |||
339 | <input type="submit" value="OK" name="login" /> | ||
340 | </form> | ||
341 | <?php | ||
342 | endif; | ||
343 | ?> | ||
344 | </div> | ||
345 | </body> | ||
346 | </html> | ||
347 | |||
348 | |||
diff --git a/nix/sources.json b/nix/sources.json index 961d378..1a1cf5a 100644 --- a/nix/sources.json +++ b/nix/sources.json | |||
@@ -132,7 +132,7 @@ | |||
132 | "webapps-landing": { | 132 | "webapps-landing": { |
133 | "ref": "gitolite_local/local_changes", | 133 | "ref": "gitolite_local/local_changes", |
134 | "repo": "https://git.immae.eu/github/bastienwirtz/homer.git", | 134 | "repo": "https://git.immae.eu/github/bastienwirtz/homer.git", |
135 | "rev": "49b6104e9d0059b7990b3dcd53cca664d5cce7af", | 135 | "rev": "bb60c5b869931f305f15c5bfa9cdb3f68702f01f", |
136 | "type": "git", | 136 | "type": "git", |
137 | "version": "e0a72b7-local" | 137 | "version": "e0a72b7-local" |
138 | }, | 138 | }, |
diff --git a/nixops/secrets b/nixops/secrets | |||
Subproject 0b9f489a7e2e01208d4285c26348b4fa09607e1 | Subproject 39f3c2c33c57df2a502b3cdf45635d0afe27273 | ||