- <?php
- // Copyright 2010 Andrii Salnikov
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- //
- /////////////////////////////////////////////////////////////////////
- // Transaction handling wrappers
- /////////////////////////////////////////////////////////////////////
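/* Invoke the specified function inside an SQL transaction and, when
   $enable_transactions_log is set, record it in pva_transactions
   ( admin_id, function_name, arguments ).
   Call as _invoke_transactional_sql($updator, $f_name, $arg1, ...):
     $updator - source_id written to the log (local au_id, int)
     $f_name  - name of the function to invoke; it may publish the ids->uuids
                it created through $GLOBALS['pva_id2uuid_arr'], which is then
                appended to the logged argument list
     $arg...  - forwarded to $f_name (at least one is required)
   Returns the invoked function's return code; 0 when fewer than three
   arguments were given, no admin DN is set, $f_name is not a callable
   function name, or the transaction log could not be written.
   Only a return value of exactly 1 is committed; anything else is rolled back. */
function _invoke_transactional_sql ( ) {
    global $db_connection, $USER_DN;
    global $enable_transactions_log;
    if ( ! isset($enable_transactions_log) ) $enable_transactions_log = false;
    // updator, function name and at least one argument are required
    if ( func_num_args() < 3 ) return 0;
    // no authenticated admin DN available: refuse to act
    if ( $USER_DN === 0 ) return 0;
    $argv = func_get_args();
    $updator = array_shift($argv);
    $f_name = array_shift($argv);
    // the name is stored in the log and later replayed by name, so it must be
    // a plain string naming an existing function
    if ( ! is_string($f_name) || ! is_callable($f_name) ) return 0;
    mysql_query("START TRANSACTION",$db_connection);
    // invoked functions publish the ids->uuids they created here; start clean
    unset($GLOBALS['pva_id2uuid_arr']);
    $f_result = call_user_func_array($f_name, $argv);
    if ( $enable_transactions_log && $f_result === 1 ) {
        // append the uuids array to the function args before saving
        if ( isset($GLOBALS['pva_id2uuid_arr']) ) $argv[] = $GLOBALS['pva_id2uuid_arr'];
        // $USER_DN comes from the client certificate and may contain quotes;
        // everything is escaped before it is embedded in SQL.
        // NOTE: pva_transactions.fname is varchar(32) - longer names are cut.
        $sql = sprintf("INSERT INTO pva_transactions(adminid, uuid, fname, args, source_id)
VALUES ('%s',UUID(),'%s','%s',%d)",
            mysql_real_escape_string($USER_DN, $db_connection),
            mysql_real_escape_string($f_name, $db_connection),
            mysql_real_escape_string(base64_encode(serialize($argv)), $db_connection),
            $updator);
        if ( ! mysql_query($sql, $db_connection) ) {
            $f_result = 0;
            printf("<p class=\"error\">ERROR: Failed to write transaction log. Performing transaction rollback. </p>");
        }
    }
    if ( $f_result === 1 ) mysql_query("COMMIT",$db_connection);
    else mysql_query("ROLLBACK",$db_connection);
    return $f_result;
}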
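/* Replay a transaction received from an authorized updator (a remote PVA
   instance) inside an SQL transaction: record it in pva_transactions, invoke
   the function it names and advance the updator's last-transaction time.
     $updator    - local au_id of the source updator (int)
     $admid      - admin DN recorded by the remote side
     $uuid       - transaction uuid; a duplicate (MySQL error 1062 on the
                   UNIQUE key) means the transaction was already applied
     $f_name     - name of the function to invoke
     $base64args - base64-encoded, serialized argument array
     $status     - unused here, kept for call compatibility
     $nt_stamp   - remote transaction time (unix timestamp)
   Returns 1 on success, 2 when the transaction was already applied (the
   updator's sync time is still advanced), 0 on failure.
   SECURITY: everything but $updator originates from the peer. Authenticating
   the updator is the caller's job (not visible here - TODO confirm). This
   function refuses function names that are not user-defined functions of this
   application (so PHP internals such as shell_exec cannot be reached), never
   instantiates objects while unserializing the arguments, and escapes every
   value before it reaches SQL. A positive allowlist of replayable functions
   would be stricter still. */
function _invoke_transactional_sql_update ( $updator, $admid, $uuid, $f_name, $base64args, $status, $nt_stamp ) {
    global $db_connection;
    $f_result = 1;
    $invoke_error = false;
    $fargv = NULL;
    mysql_query("START TRANSACTION",$db_connection);
    // write to transactions table (the UNIQUE uuid key detects duplicates)
    $sql = sprintf("INSERT INTO pva_transactions(adminid, uuid, fname, args, source_id)
VALUES ('%s','%s','%s','%s',%d)",
        mysql_real_escape_string($admid, $db_connection),
        mysql_real_escape_string($uuid, $db_connection),
        mysql_real_escape_string($f_name, $db_connection),
        mysql_real_escape_string($base64args, $db_connection),
        $updator);
    if ( ! mysql_query($sql, $db_connection) ) {
        $op_errno = mysql_errno($db_connection);
        if ( $op_errno !== 1062 ) {
            // log_pva_error
            $invoke_error = array ( 1, 4, array($op_errno));
            $f_result = 0;
        } else $f_result = 2; // already applied: only the sync time is updated
    }
    // invoke the function on success
    if ( $f_result === 1 ) {
        $fargv = _pva_unserialize_args($base64args);
        if ( ! _pva_is_replayable_function($f_name) || ! is_array($fargv) ) $f_result = 0;
        elseif ( $fargv ) $f_result = call_user_func_array($f_name, $fargv);
        else $f_result = call_user_func($f_name);
    }
    // update last transaction time in updator
    if ( $f_result ) {
        $sql = sprintf("UPDATE pva_authorized_updators
SET status=2, t_stamp=FROM_UNIXTIME('%s'), sync_time = CURRENT_TIMESTAMP
WHERE pva_authorized_updators.au_id = %d",
            mysql_real_escape_string($nt_stamp, $db_connection), $updator );
        if ( ! mysql_query($sql, $db_connection) ) {
            $f_result = 0;
        }
    } elseif ( ! $invoke_error ) {
        // log_pva_error (keep an earlier SQL error record if there is one)
        $invoke_error = array (1, 3, array ($f_name, var_export($fargv,true)));
    }
    if ( $f_result ) mysql_query("COMMIT",$db_connection);
    else mysql_query("ROLLBACK",$db_connection);
    if ( $invoke_error ) call_user_func_array('storeLogRecord',$invoke_error);
    return $f_result;
}
// true when $name is a plain identifier naming a user-defined (application)
// function; PHP internals and "Class::method" strings are rejected
function _pva_is_replayable_function ( $name ) {
    if ( ! is_string($name) || ! preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) ) return false;
    $defined = get_defined_functions();
    return in_array(strtolower($name), $defined['user'], true);
}
// decode a base64-encoded serialized argument list without instantiating
// objects; returns false when the payload is rejected or does not decode
function _pva_unserialize_args ( $base64args ) {
    $data = base64_decode($base64args);
    if ( $data === false ) return false;
    if ( PHP_VERSION_ID >= 70000 ) return unserialize($data, array('allowed_classes' => false));
    // PHP 5 has no class filter: refuse payloads carrying object (O:) or
    // custom-serialized (C:) tokens instead
    if ( preg_match('/(^|[;{])[OC]:[0-9]+:"/', $data) ) return false;
    return unserialize($data);
}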
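// Return one page of the transaction log, newest first.
//   $limit - offset of the first row (paging); page size is $items_per_page
// Each entry: time, admdn (admin DN), fname, fargs (decoded argument list),
// upddn (DN of the source updator). Returns an empty array when the query fails.
function get_transaction_log ( $limit = 0 ) {
    global $db_connection;
    global $items_per_page;
    // both LIMIT operands are forced to integers: $limit normally arrives as a
    // paging parameter of the request and must never reach SQL as-is
    $sql = "SELECT pva_transactions.t_stamp, pva_transactions.adminid, pva_transactions.fname,
pva_transactions.args, pva_authorized_updators.dn
FROM pva_transactions INNER JOIN pva_authorized_updators
ON pva_transactions.source_id = pva_authorized_updators.au_id
ORDER BY pva_transactions.t_stamp DESC";
    $sql .= " LIMIT ". (int) $limit .", ". (int) $items_per_page;
    $result = array();
    $query = mysql_query($sql, $db_connection);
    if ( ! $query ) return $result;
    while ( $row = mysql_fetch_assoc($query) ) {
        $raw = base64_decode($row['args']);
        // stored args may have been replayed from a peer: decode without
        // instantiating objects where PHP supports the filter
        $fargs = ( PHP_VERSION_ID >= 70000 )
            ? unserialize($raw, array('allowed_classes' => false))
            : unserialize($raw);
        $result[] = array (
            'time' => $row['t_stamp'],
            'admdn' => $row['adminid'],
            'fname' => $row['fname'],
            'fargs' => $fargs,
            'upddn' => $row['dn']
        );
    }
    return $result;
}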
// Record a successful synchronisation with updator $updator: sets status=2
// and sync_time=CURRENT_TIMESTAMP on its pva_authorized_updators row.
// Returns the raw mysql_query() result (true on success, false on failure).
function update_transactions_sync_time ($updator) {
    global $db_connection;
    $au_id = (int) $updator;
    $stmt = "UPDATE pva_authorized_updators SET sync_time = CURRENT_TIMESTAMP, status=2
WHERE pva_authorized_updators.au_id = " . $au_id;
    return mysql_query($stmt, $db_connection);
}
// Create the pva_authorized_updators and pva_transactions tables (if missing)
// and seed the local instance as updator au_id=1 (status 9). A pre-existing
// seed row (MySQL error 1062) is not an error. On success the flag
// transactions_tables_created=1 is stored via saveSettingsToDB and its result
// returned; 0 on any other failure.
function createTransactionsTables () {
    global $db_connection;
    $ddl_updators = "CREATE TABLE IF NOT EXISTS `pva_authorized_updators` (
`au_id` smallint(6) NOT NULL AUTO_INCREMENT,
`status` tinyint(4) NOT NULL,
`dn` varchar(255) NOT NULL,
`cahash` varchar(10) NOT NULL,
`ip` varchar(16) NOT NULL,
`endpoint` varchar(128) NOT NULL,
`auth_key` varchar(64) NOT NULL,
`foreign_key` varchar(64) NOT NULL,
`t_stamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
`sync_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
PRIMARY KEY (`au_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=2;";
    $seed_local = "INSERT INTO `pva_authorized_updators` (`au_id`, `status`, `dn`, `cahash`, `ip`, `endpoint`, `auth_key`, `foreign_key`, `t_stamp`, `sync_time`) VALUES (1, 9, '/O=VOMS/O=System/CN=Local PHP VOMS-Admin', '', '', '', '', '', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP);";
    $ddl_transactions = "CREATE TABLE IF NOT EXISTS `pva_transactions` (
`t_stamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`uuid` char(36) NOT NULL,
`adminid` varchar(255) NOT NULL,
`fname` varchar(32) NOT NULL,
`args` text NOT NULL,
`source_id` int(11) NOT NULL,
KEY `t_stamp` (`t_stamp`),
UNIQUE KEY `uuid` (`uuid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;";
    // statement => whether a duplicate-key error may be ignored
    $steps = array(
        array($ddl_updators, false),
        array($seed_local, true),
        array($ddl_transactions, false),
    );
    foreach ( $steps as $step ) {
        list($stmt, $dup_ok) = $step;
        if ( mysql_query($stmt, $db_connection) ) continue;
        if ( $dup_ok && mysql_errno($db_connection) === 1062 ) continue;
        return 0;
    }
    return saveSettingsToDB('transactions_tables_created',1);
}
// Create the pva_id2uuid_map table (auto-increment id of a given table <-> uuid)
// when it does not exist yet. Returns 1 on success, 0 when the DDL fails.
function create_id2uuid_table () {
    global $db_connection;
    $ddl = "CREATE TABLE IF NOT EXISTS `pva_id2uuid_map` (
`id` int(11) NOT NULL,
`table` varchar(36) NOT NULL,
`uuid` varchar(36) NOT NULL,
PRIMARY KEY (`uuid`),
KEY `id` (`id`),
KEY `table` (`table`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;";
    return mysql_query($ddl, $db_connection) ? 1 : 0;
}
// Assign a uuid (through UUID4id) to every existing row of each table that
// uses an auto-increment primary key. Returns 1 when all tables were
// processed, 0 as soon as one SELECT fails.
function create_id2uuid_data () {
    global $db_connection;
    // table name => its auto-increment key column
    $key_columns = array (
        "acl2" => "acl_id",
        "admins" => "adminid",
        "attributes" => "a_id",
        "ca" => "cid",
        "capabilities" => "cid",
        "groups" => "gid",
        "m" => "mapping_id",
        "memb_req" => "id",
        "roles" => "rid",
        "usr" => "userid"
    );
    foreach ( $key_columns as $tbl => $col ) {
        $rows = mysql_query("SELECT `" . $col . "` FROM `" . $tbl . "`", $db_connection);
        if ( ! $rows ) return 0;
        while ( $r = mysql_fetch_row($rows) ) UUID4id($r[0], $tbl);
    }
    return 1;
}
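// Return the uuid mapped to $id in $table, creating the mapping when absent.
//   $id    - database id (forced to int)
//   $table - table name the id belongs to
//   $uuid  - optional uuid to use for a new mapping (replay of a remote
//            transaction); otherwise MySQL UUID() is used
// Returns 0 when id2uuid mapping is not activated ($id2uuid_map_created
// unset) or on any query failure; the uuid string otherwise.
// $table and $uuid are escaped: $uuid in particular arrives from a peer.
function UUID4id($id, $table, $uuid = 0) {
    global $db_connection, $id2uuid_map_created;
    if ( ! isset($id2uuid_map_created) ) return 0;
    $id_int = (int) $id;
    $table_esc = mysql_real_escape_string($table, $db_connection);
    // existing mapping?
    $sql = sprintf("SELECT `uuid` FROM pva_id2uuid_map WHERE `id` = %d AND `table` = '%s'", $id_int, $table_esc);
    $query = mysql_query($sql, $db_connection);
    if ( ! $query ) return 0;
    if ( mysql_num_rows($query) ) {
        $row = mysql_fetch_row($query);
        return $row[0];
    }
    // not mapped yet: keep the chosen uuid in a session variable so that the
    // insert and the read-back below agree on the value
    if ( $uuid ) $sql = sprintf("SET @UD='%s'", mysql_real_escape_string($uuid, $db_connection));
    else $sql = "SET @UD=UUID()";
    if ( ! mysql_query($sql, $db_connection) ) return 0;
    $sql = sprintf("INSERT INTO pva_id2uuid_map(`id`,`table`,`uuid`)
VALUES (%d, '%s', @UD)", $id_int, $table_esc);
    if ( ! mysql_query($sql, $db_connection) ) return 0;
    $query = mysql_query("SELECT @UD", $db_connection);
    if ( ! $query ) return 0;
    if ( ! mysql_num_rows($query) ) return 0;
    $row = mysql_fetch_row($query);
    return $row[0];
}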
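// Return the database id mapped to $uuid (any table), 0 when $uuid is empty,
// unmapped, or the query fails. $uuid may arrive from a peer and is escaped.
function id4UUID($uuid) {
    global $db_connection;
    if ( ! $uuid ) return 0;
    $sql = sprintf("SELECT id FROM pva_id2uuid_map WHERE `uuid` = '%s'", mysql_real_escape_string($uuid, $db_connection) );
    $query = mysql_query($sql, $db_connection);
    if ( ! $query ) return 0;
    if ( ! mysql_num_rows($query) ) return 0;
    $row = mysql_fetch_row($query);
    return $row[0];
}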
// Reconcile a database id with its uuid for $table: when $uuids[$table] is
// already set (replay of a remote transaction) the local id is looked up from
// it, otherwise the uuid is looked up / created for $id and stored into
// $uuids[$table]. Returns 1 when both values are known (or when id2uuid
// mapping is not activated), 0 otherwise.
function id2uuid_convert ($table, &$id, &$uuids) {
    global $id2uuid_map_created;
    if ( ! isset($id2uuid_map_created) ) return 1;
    if ( isset($uuids[$table]) ) {
        $id = id4UUID($uuids[$table]);
    } else {
        $uuids[$table] = UUID4id($id, $table);
    }
    return ( $id && $uuids[$table] ) ? 1 : 0;
}
- /////////////////////////////////////////////////////////////////////
- // VO settings in database
- /////////////////////////////////////////////////////////////////////
// Load every row of pva_variables into a global variable named after the
// row's first column, holding the second column's value.
// Returns 0 when the query fails; nothing otherwise.
// NOTE(review): this assigns $GLOBALS[$name] for every row, so anyone able to
// write pva_variables can overwrite any global of the application (connection
// handle, authentication state, ...); restricting to a known key prefix would
// be safer.
function getSettingFromDB () {
    global $db_connection;
    $query = mysql_query("SELECT * FROM pva_variables", $db_connection);
    if ( ! $query ) return 0;
    while ( $row = mysql_fetch_row($query) ) {
        list($name, $value) = $row;
        $GLOBALS[$name] = $value;
    }
}
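// Return the value stored for $var in pva_variables, NULL when the variable
// does not exist or the query fails. $var is escaped before use.
function getVariableFromDB ($var) {
    global $db_connection;
    $sql = sprintf("SELECT pva_variables.value FROM pva_variables WHERE pva_variables.var = '%s'", mysql_real_escape_string($var, $db_connection));
    $query = mysql_query($sql, $db_connection);
    if ( ! $query ) return NULL;
    $row = mysql_fetch_row($query);
    // no such variable: mysql_fetch_row() returned false
    if ( ! $row ) return NULL;
    return $row[0];
}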
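// Store $value under $var in pva_variables: INSERT when getVariableFromDB
// reports no such variable, UPDATE otherwise. Returns 1 on success, 0 on
// failure. Both operands are escaped (values may come from admin forms).
function saveSettingsToDB ($var, $value) {
    global $db_connection;
    $var_esc = mysql_real_escape_string($var, $db_connection);
    $value_esc = mysql_real_escape_string($value, $db_connection);
    if ( getVariableFromDB($var) === NULL ) {
        $sql = sprintf("INSERT INTO pva_variables(var,value) VALUES ('%s', '%s')", $var_esc, $value_esc);
    } else {
        $sql = sprintf("UPDATE pva_variables SET pva_variables.value = '%s' WHERE pva_variables.var = '%s'", $value_esc, $var_esc);
    }
    if ( ! mysql_query($sql, $db_connection) ) return 0;
    return 1;
}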
// Create the pva_variables key/value table (var is UNIQUE).
// Returns the raw mysql_query() result; fails when the table already exists.
function createSettingTable () {
    global $db_connection;
    $ddl = "CREATE TABLE pva_variables (var VARCHAR(128) NOT NULL, value VARCHAR(255) NOT NULL, UNIQUE KEY var (var)) ENGINE = InnoDB";
    $created = mysql_query($ddl, $db_connection);
    return $created;
}
- /////////////////////////////////////////////////////////////////////
- // SQL for SOAP requests -- VOMSCompatibility.php
- /////////////////////////////////////////////////////////////////////
/* Split a VOMS container string "/group[/subgroup...][/Role=name][/Capability=name]"
   into its parts, using the name patterns $regex_name_set / $regex_name_sset.
   Returns array($group, $capability, $role); each element is NULL when the
   container does not match or that part is absent. */
function getGroupCapabilityRole ( $container ) {
    global $regex_name_set, $regex_name_sset;
    $group = NULL;
    $capability = NULL;
    $role = NULL;
    $pattern = "/^((\/".$regex_name_set.")+)(\/Role=".$regex_name_set.")?(\/Capability=".$regex_name_sset.")?$/";
    $found = array ();
    if ( preg_match($pattern, $container, $found) ) {
        $group = $found[1];
        // $found[2] is only the last path element of the group; the optional
        // "/Role=..." and "/Capability=..." suffixes are in positions 3 and 4
        $suffixes = array_slice($found, 3);
        foreach ( $suffixes as $part ) {
            $rm = array (); $cm = array ();
            if ( preg_match("/^\/Role=(".$regex_name_set.")$/", $part, $rm) ) $role = $rm[1];
            if ( preg_match("/^\/Capability=(".$regex_name_sset.")$/", $part, $cm) ) $capability = $cm[1];
        }
    }
    return array($group, $capability, $role);
}
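/* get VO members DN list
   return (array) array of DN, empty when the query fails */
function getVOMembers () {
    global $db_connection;
    $query = mysql_query("SELECT usr.dn FROM usr", $db_connection);
    $result = array();
    // a failed query used to reach mysql_fetch_row() and emit a warning
    if ( ! $query ) return $result;
    while ( $row = mysql_fetch_row($query) ) {
        $result[] = $row[0];
    }
    return $result;
}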
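/* get number of VO members matching the given criteria:
     $like - substring of usr.cn (LIKE '%...%'); note that '%' and '_' inside
             it act as wildcards since only SQL quoting is escaped
     $gid  - group id (0 = no group filter); with a group, only rows of m
             without a capability are counted
     $rid  - role id (0 = rows without a role)
   Ids are forced to integers before they reach SQL.
   return (int) members count, 0 when the query fails
   Fix: with a group filter the name filter used to be appended as a second
   WHERE clause, which is a syntax error, so the count was always 0. */
function getVOMembersCount ( $like = null, $gid = 0, $rid = 0) {
    global $db_connection;
    $from = "usr";
    $conditions = array();
    if ( ( $gid !== 0 ) && ( is_numeric($gid)) ) {
        $from = "usr, m";
        $conditions[] = "m.userid = usr.userid";
        if ( ( $rid !== 0 ) && ( is_numeric($rid)) ) $conditions[] = "m.rid = " . (int) $rid;
        else $conditions[] = "m.rid IS NULL";
        $conditions[] = "m.cid IS NULL";
        $conditions[] = "m.gid = " . (int) $gid;
    }
    if ( $like != null ) $conditions[] = "usr.cn LIKE '%".mysql_real_escape_string($like, $db_connection)."%'";
    $sql_count = "SELECT COUNT(usr.cn) AS cncount FROM " . $from;
    if ( $conditions ) $sql_count .= " WHERE " . implode(" AND ", $conditions);
    $result = mysql_query($sql_count,$db_connection);
    if ( ! $result ) return 0;
    $count_arr = mysql_fetch_array($result);
    return $count_arr["cncount"];
}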
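/* get VO members DN list for a container:
     $group      - full group name (groups.dn), required
     $role       - role name or NULL (NULL = membership rows with any rid)
     $capability - capability name or NULL (NULL = rows with any cid)
   All names are escaped.
   return (array) array of DN, empty when the query fails */
function getVOContainerMembers( $group, $role, $capability ) {
    global $db_connection;
    $tables = array("m", "usr", "groups");
    $where = array(
        "m.userid = usr.userid",
        "m.gid = groups.gid",
        "groups.dn = '" . mysql_real_escape_string($group, $db_connection) . "'",
    );
    if ( $role !== NULL ) {
        $tables[] = "roles";
        $where[] = "m.rid = roles.rid";
        $where[] = "roles.role = '" . mysql_real_escape_string($role, $db_connection) . "'";
    }
    if ( $capability !== NULL ) {
        $tables[] = "capabilities";
        $where[] = "m.cid = capabilities.cid";
        $where[] = "capabilities.capability = '" . mysql_real_escape_string($capability, $db_connection) . "'";
    }
    $sql = "SELECT usr.dn FROM " . implode(", ", $tables) . " WHERE " . implode(" AND ", $where);
    $query = mysql_query($sql, $db_connection);
    $result = array();
    if ( ! $query ) return $result;
    while ( $row = mysql_fetch_row($query) ) {
        $result[] = $row[0];
    }
    return $result;
}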
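/* return (int) VOMS database schema version from the version table,
   0 when the table is empty or the query fails */
function getVersion() {
    global $db_connection;
    $query = mysql_query("SELECT version.version FROM version", $db_connection);
    if ( ! $query ) return 0;
    $res = mysql_fetch_row($query);
    return isset($res[0]) ? $res[0] : 0;
}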
- ////////////////////////////////////////////////////////////////
- // Non-SQL operations with access rights
- // (required before the functions imported for SQL operations with ACL)
- ////////////////////////////////////////////////////////////////
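/* Decode the permissions integer stored in acl2_permissions into a hash of
   flags keyed [area][flag], each flag being the string "1" or "0".
   Bit layout (least significant first), matching constructACLPermissions:
     0 container r, 1 container w, 2 membership r, 3 membership w,
     4 acl r, 5 acl w, 6 acl d, 7 requests r, 8 requests w,
     9 attributes r, 10 attributes w, 11 preferences r, 12 preferences w.
   Bits are read with shifts instead of indexing a "%021b" string, so values
   with bits above 20 (or negative values) no longer shift every flag.
   return (hash) of permissions flags */
function decodeACLPermissions ( $permissions ) {
    $bits = (int) $permissions;
    $layout = array(
        "container"   => array("r" => 0,  "w" => 1),
        "membership"  => array("r" => 2,  "w" => 3),
        "acl"         => array("r" => 4,  "w" => 5, "d" => 6),
        "requests"    => array("r" => 7,  "w" => 8),
        "attributes"  => array("r" => 9,  "w" => 10),
        "preferences" => array("r" => 11, "w" => 12),
    );
    $parr = array();
    foreach ( $layout as $area => $flags ) {
        foreach ( $flags as $flag => $bit ) {
            $parr[$area][$flag] = (string) (($bits >> $bit) & 1);
        }
    }
    return $parr;
}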
/* Encode a form-style permissions hash into the database integer: every key
   present in $perm_arr (isset, so a null value does not count) sets one bit.
   Bit order, least significant first: containerr, containerw, membershipr,
   membershipw, aclr, aclw, acld, requestsr, requestsw, attributesr,
   attributesw, preferencesr, preferencesw.
   return (int) permissions db value */
function constructACLPermissions( $perm_arr ) {
    static $flag_bits = array(
        "containerr"   => 0,
        "containerw"   => 1,
        "membershipr"  => 2,
        "membershipw"  => 3,
        "aclr"         => 4,
        "aclw"         => 5,
        "acld"         => 6,
        "requestsr"    => 7,
        "requestsw"    => 8,
        "attributesr"  => 9,
        "attributesw"  => 10,
        "preferencesr" => 11,
        "preferencesw" => 12,
    );
    $perm = 0;
    foreach ( $flag_bits as $flag => $bit ) {
        if ( isset( $perm_arr[$flag] ) ) $perm |= 1 << $bit;
    }
    return $perm;
}
- //////////////////////////////////////////////////////////////////////////
- // SQL operations for PVA web frontend
- //////////////////////////////////////////////////////////////////////////
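/* get one page ($items_per_page rows) of VO members with their CA:
     $limit - offset of the first row (paging)
     $like  - substring of usr.cn (LIKE '%...%'); '%' and '_' act as wildcards
     $gid   - group id (0 = no group filter); with a group, only membership
              rows without a capability are listed
     $rid   - role id (0 = rows without a role)
   $limit, $items_per_page and the ids are forced to integers before they
   reach SQL ($limit normally comes straight from the request).
   return (array of hash) userinfo (cn, ca CN, database id, dn); 0 when the query fails */
function getVOMembersCA ($limit = 0, $like = null, $gid = 0, $rid = 0 ) {
    global $db_connection;
    global $items_per_page;
    $select = "SELECT usr.cn, ca.ca, usr.userid, usr.dn FROM usr, ca";
    $where = array("usr.ca = ca.cid");
    if ( ( $gid !== 0 ) && ( is_numeric($gid)) ) {
        $select .= ", m";
        $where[] = "m.userid = usr.userid";
        if ( ( $rid !== 0 ) && ( is_numeric($rid)) ) $where[] = "m.rid = " . (int) $rid;
        else $where[] = "m.rid IS NULL";
        $where[] = "m.cid IS NULL";
        $where[] = "m.gid = " . (int) $gid;
    }
    if ( $like != null ) $where[] = "usr.cn LIKE '%". mysql_real_escape_string($like, $db_connection) . "%'";
    $sql = $select . " WHERE " . implode(" AND ", $where)
         . " LIMIT ". (int) $limit .", ". (int) $items_per_page;
    $query = mysql_query($sql, $db_connection);
    if ( ! $query ) return 0;
    $result = array();
    while ( $row = mysql_fetch_row($query) ) {
        // CA column holds the CA DN; callers get only its CN
        $cacn = CNfromDN ( $row[1] );
        $result[] = array ( "cn" => $row[0], "ca" => $cacn, "id" => $row[2], "dn" => $row[3] );
    }
    return $result;
}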
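/* Check whether the user holds the given attribute set in the VO:
     $userid - database user id
     $gid    - group id
     $role   - role id or NULL/0 (= membership row without a role)
     $cid    - capability id or NULL/0 (= row without a capability)
   All four are forced to integers: a non-numeric $role/$cid becomes 0 and
   matches nothing (previously it was pasted into SQL verbatim).
   return (int) number of matching rows (0 = not a member or query failed) */
function checkMembership ( $userid, $gid, $role = NULL, $cid = NULL ) {
    global $db_connection;
    $rid_sql = $role ? "= " . (int) $role : "IS NULL";
    $cid_sql = $cid ? "= " . (int) $cid : "IS NULL";
    $sql = sprintf("SELECT m.userid FROM m WHERE m.userid = %d AND m.gid = %d AND m.rid %s AND m.cid %s", $userid, $gid, $rid_sql, $cid_sql );
    $query = mysql_query($sql, $db_connection);
    if ( ! $query ) return 0;
    return mysql_num_rows($query);
}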
/* Resolve the ACL permissions a user has on group $gid.
     $dn     - user DN
     $ca     - user CA DN (looked up to a ca id; 0 when unknown)
     $member - the user's database id when the user is a VO member, 0 otherwise
     $gid    - group id (default 1, the root group)
   Principals are tried from most to least specific: the user's own admin
   entry, "VOMS Role" pseudo-admins (/group/Role=... the user holds), "VOMS
   Group" pseudo-admins (groups the user is in), "Any Authenticated User",
   "Absolutely Anyone". The first entry with a non-zero permission value wins.
   NOTE(review): an entry whose permissions are 0 does NOT deny - it is skipped
   and a less specific principal is consulted next.
   return (int) access permissions; $lastresort_permissions for the root group
   and 0 otherwise when no entry matched */
function getProperUserACL ( $dn, $ca, $member = 0, $gid = 1 ) {
    global $db_connection, $lastresort_permissions;
    $groupn = getGroupById ( $gid );
    $caid = getCAId ( $ca );

    // First directly check dn
    $sql = sprintf("SELECT admins.adminid FROM admins WHERE admins.dn = '%s' AND admins.ca = %d ", mysql_real_escape_string($dn), $caid );
    $query = mysql_query($sql, $db_connection);
    if ( ! $query ) return 0;

    if ( mysql_num_rows($query) ) {
        $row = mysql_fetch_row($query);
        $perm = getAdminPermissions($gid, $row[0]);
        if ( $perm ) return $perm;
    }
    if ( $member ) {
        // Check Role: admins under the "VOMS Role" pseudo-CA have a container
        // DN (/group[/Role=...][/Capability=...]) instead of a certificate DN
        $roleca = getCAId ( "/O=VOMS/O=System/CN=VOMS Role" );
        $sql = sprintf("SELECT admins.dn, admins.adminid
FROM admins
WHERE admins.ca = %d
ORDER BY admins.dn ASC", $roleca );
        $query = mysql_query($sql, $db_connection);
        if ( mysql_num_rows($query) )
        while ( $row = mysql_fetch_row($query) ) {
            list($group, $capability, $role) = getGroupCapabilityRole( $row[0] );
            if ( $group != $groupn ) continue;
            // NOTE(review): checkMembership expects a capability *id* as its
            // 4th argument, but $capability here is the capability *name*
            // parsed from the DN; entries with a /Capability= suffix therefore
            // never match. A name->id lookup is needed here - confirm against
            // the capabilities helpers elsewhere in the file.
            if ( checkMembership($member, $gid, getRoleId($role), $capability)) {
                $perm = getAdminPermissions($gid, $row[1]);
                if ( $perm ) return $perm;
            }
        }
        // Check group: "VOMS Group" pseudo-admins match any member of the group
        $groupca = getCAId ( "/O=VOMS/O=System/CN=VOMS Group" );
        $sql = sprintf("SELECT admins.dn, admins.adminid
FROM admins
WHERE admins.ca = %d
ORDER BY admins.dn ASC", $groupca );
        $query = mysql_query($sql, $db_connection);
        if ( mysql_num_rows($query) )
        while ( $row = mysql_fetch_row($query) ) {
            list($group, $capability, $role) = getGroupCapabilityRole( $row[0] );
            if ( $group != $groupn ) continue;
            if ( checkMembership($member, $gid ) ) {
                $perm = getAdminPermissions($gid, $row[1]);
                if ( $perm ) return $perm;
            }
        }
    }
    // Check any authenticated: requires a DN and a CA known to this VO
    if ( ( $dn ) && ( $caid ) ) {
        $sql = "SELECT admins.adminid FROM admins WHERE admins.dn = '/O=VOMS/O=System/CN=Any Authenticated User'";
        $query = mysql_query($sql, $db_connection);
        if ( mysql_num_rows($query) ) {
            $row = mysql_fetch_row($query);
            $perm = getAdminPermissions($gid, $row[0]);
            if ( $perm ) return $perm;
        }
    }
    // If nothing of above -- any user (including unauthenticated)
    $sql = "SELECT admins.adminid FROM admins WHERE admins.dn = '/O=VOMS/O=System/CN=Absolutely Anyone'";
    $query = mysql_query($sql, $db_connection);
    if ( mysql_num_rows($query) ) {
        $row = mysql_fetch_row($query);
        $perm = getAdminPermissions($gid, $row[0]);
        if ( $perm ) return $perm;
    }
    // Nothing matched: the root group falls back to the configured
    // $lastresort_permissions, every other group yields no permissions
    if ( $gid == 1 ) return $lastresort_permissions;
    else return 0;
}
/* Look the user up in the usr table:
     $dn - user DN
     $ca - CA DN narrowing the match to that CA; 0 (default) = any CA
   return (int) the user's database id, 0 when not a member or on query failure */
function checkMember ( $dn, $ca = 0 ) {
    global $db_connection;
    $caid = getCAId ( $ca );
    $stmt = "SELECT usr.userid FROM usr WHERE usr.dn = '" . mysql_real_escape_string($dn) . "'";
    if ( $ca !== 0 ) $stmt .= " AND usr.ca = " . (int) $caid;
    $query = mysql_query($stmt, $db_connection);
    if ( ! $query ) return 0;
    if ( ! mysql_num_rows($query) ) return 0;
    $found = mysql_fetch_row($query);
    return $found[0];
}
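/* get list of CAs known to the VO
   return (array) [ca database id] => [ca DN], empty when the query fails */
function getCAList () {
    global $db_connection;
    $query = mysql_query("SELECT ca.ca, ca.cid FROM ca ", $db_connection);
    $result = array();
    // a failed query used to reach mysql_fetch_row() and emit a warning
    if ( ! $query ) return $result;
    while ( $row = mysql_fetch_row($query) ) {
        $result[$row[1]] = $row[0];
    }
    return $result;
}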
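/* Check that $cadn is the subject of a CA certificate in the local trust
   store ($ca_certificates_path/*.0) and insert it into the ca table.
     $cadn  - CA subject DN in OpenSSL one-line form (/C=../O=../CN=..)
     $uuids - optional ids->uuids map; when it already carries 'ca' the record
              is being replayed from a remote updator and the trust-store
              check is skipped (pre-existing behaviour). NOTE(review): that
              lets a peer register a CA this host does not trust - consider
              verifying in that path as well.
   The lookup is an exact, whole-line, fixed-string match (grep -Fx) so the DN
   is neither treated as a regular expression nor matched as a prefix of a
   longer DN; path and DN are shell-quoted. The sed step expects the classic
   "subject= /C=..." or "subject=/C=..." output; newer OpenSSL default name
   formats may need a -nameopt option - TODO confirm on the target platform.
   return (int) CA database id, -1 when the CA is not trusted, 0 on SQL failure */
function addCA ( $cadn, $uuids = array() ) {
    global $db_connection, $ca_certificates_path;
    if ( ! isset($uuids['ca']) ) {
        $checkcert_exec = sprintf("for i in %s/*.0; do openssl x509 -in \"\$i\" -noout -subject | sed 's/^subject= *//' ; done | grep -Fx %s",
            escapeshellarg($ca_certificates_path), escapeshellarg($cadn) );
        // no matching subject line: not in the trusted set
        if ( shell_exec($checkcert_exec) == "" ) return -1;
    }
    $sql = "INSERT INTO ca(ca) VALUES ('". mysql_real_escape_string($cadn, $db_connection) ."')";
    if ( ! mysql_query($sql, $db_connection) ) return 0;
    $ca_ins_id = mysql_insert_id($db_connection);
    $uuids['ca'] = UUID4id($ca_ins_id, 'ca', isset($uuids['ca']) ? $uuids['ca'] : 0);
    // publish the ids->uuids for the transaction wrapper / caller
    $GLOBALS['pva_id2uuid_arr'] = $uuids;
    return $ca_ins_id;
}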
/* Look up the ca table id for a CA DN.
     $cadn - CA DN (escaped before use); an empty value short-circuits to 0
   return (int) CA database id, 0 when unknown or on query failure */
function getCAId ( $cadn ) {
    global $db_connection;
    if ( ! $cadn ) return 0;
    $stmt = "SELECT ca.cid FROM ca WHERE ca.ca = '".mysql_real_escape_string($cadn)."'";
    $res = mysql_query($stmt, $db_connection);
    if ( ! $res ) return 0;
    if ( mysql_num_rows($res) === 0 ) return 0;
    $found = mysql_fetch_row($res);
    return $found[0];
}
/* Look up the CA DN for a ca table id.
     $caid - CA database id; anything non-numeric yields 0
   return (string) CA DN, 0 when unknown or on query failure */
function getCAName ( $caid ) {
    global $db_connection;
    if ( ! is_numeric($caid) ) return 0;
    $stmt = sprintf("SELECT ca.ca FROM ca WHERE ca.cid = %d", $caid);
    $res = mysql_query($stmt, $db_connection);
    if ( ! $res ) return 0;
    if ( mysql_num_rows($res) === 0 ) return 0;
    $found = mysql_fetch_row($res);
    return $found[0];
}
/* Create a new VO member and add its membership to the root group /$vo.
     $dn, $cadn, $cn, $email - user DN, CA DN, CN and e-mail
     $vo    - VO name (root group is "/$vo")
     $uuids - optional ids->uuids map (keys 'usr', 'm', and 'ca' when replayed)
   An unknown CA is registered through addCA first (which verifies the trust store).
   Publishes the ids->uuids it created through $GLOBALS['pva_id2uuid_arr'].
   return (int) 1 on success, 0 on SQL failure or when the DN already exists
   (for any CA), -1 when the CA is not trusted */
function createUser ( $dn, $cadn, $cn, $email, $vo, $uuids = array() ) {
    global $db_connection;
    if ( ! isset($uuids['usr']) ) $uuids['usr'] = 0;
    if ( ! isset($uuids['m']) ) $uuids['m'] = 0;
    $ca = getCAId( $cadn );
    if ( ! $ca ) {
        // addCA hands the uuids it created back through the global
        $ca = addCA($cadn, $uuids);
        $uuids = $GLOBALS['pva_id2uuid_arr'];
    }
    if ( $ca <= 0 ) return $ca;
    if ( checkMember( $dn ) ) return 0;
    $stmt = sprintf("INSERT INTO usr(dn,ca,cn,mail) VALUES ('%s',%d,'%s','%s')",
        mysql_real_escape_string($dn), $ca, mysql_real_escape_string($cn), mysql_real_escape_string($email));
    if ( ! mysql_query($stmt, $db_connection) ) return 0;
    $usrid = mysql_insert_id();
    $uuids['usr'] = UUID4id($usrid,'usr',$uuids['usr']);
    // root group membership row
    $stmt = sprintf("INSERT INTO m(userid, gid) SELECT %d, groups.gid FROM groups WHERE groups.dn = '/%s'",
        $usrid, mysql_real_escape_string($vo));
    if ( ! mysql_query($stmt, $db_connection) ) return 0;
    $mid = mysql_insert_id();
    if ( $mid ) $uuids['m'] = UUID4id($mid, 'm', $uuids['m']);
    $GLOBALS['pva_id2uuid_arr'] = $uuids;
    return 1;
}
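/* Create a new role and clone every non-default, role-less group ACL (and its
   permission rows) for it.
     $crrole - role name
     $vo     - VO name (unused here, kept for call compatibility)
     $uuids  - optional ids->uuids map supplied when replaying a remote
               transaction (keys 'roles' and 'acltc<source acl id>')
   Publishes the ids->uuids it created through $GLOBALS['pva_id2uuid_arr'].
   return (int) 1 on success, -1 when the role already exists, 0 on failure */
function createRole ( $crrole, $vo, $uuids = array() ) {
    global $db_connection;
    $fresh_uuids = empty($uuids);
    if ( $fresh_uuids ) $uuids['roles'] = 0;
    // must not exist yet
    $sql = sprintf("SELECT roles.rid FROM roles WHERE roles.role = '%s'", mysql_real_escape_string($crrole, $db_connection) );
    $query = mysql_query($sql, $db_connection);
    if ( ! $query ) return 0;
    if ( mysql_num_rows($query) !== 0 ) return -1;
    // ACLs to clone: group_id => acl_id
    $sql = "SELECT acl2.acl_id, acl2.group_id FROM acl2 WHERE acl2.defaultACL = 0 AND acl2.role_id IS NULL";
    $query = mysql_query($sql, $db_connection);
    if ( ! $query || mysql_num_rows($query) == 0 ) return 0;
    $gacls = array();
    while ( $row = mysql_fetch_row($query) ) {
        $gacls[$row[1]] = $row[0];
        if ( $fresh_uuids ) $uuids["acltc".$row[0]] = 0;
    }
    $sql = sprintf("INSERT INTO roles(role) VALUES ('%s');", mysql_real_escape_string($crrole, $db_connection));
    if ( ! mysql_query($sql, $db_connection) ) return 0;
    $roleid = mysql_insert_id($db_connection);
    $uuids['roles'] = UUID4id($roleid, 'roles', isset($uuids['roles']) ? $uuids['roles'] : 0);
    foreach ( $gacls as $groupid => $acltoclone ) {
        $sql = sprintf("INSERT INTO acl2(group_id, defaultACL, role_id) VALUES ( %d, 0, %d);", $groupid, $roleid);
        if ( ! mysql_query($sql, $db_connection) ) return 0;
        $aclid = mysql_insert_id($db_connection);
        // a replayed uuids map may lack a key: fall back to a fresh uuid
        $ukey = "acltc".$acltoclone;
        $uuids[$ukey] = UUID4id($aclid, 'acl2', isset($uuids[$ukey]) ? $uuids[$ukey] : 0);
        $sql2 = sprintf("SELECT acl2_permissions.permissions, acl2_permissions.admin_id
FROM acl2_permissions WHERE acl2_permissions.acl_id = %d", $acltoclone);
        $query2 = mysql_query($sql2, $db_connection);
        if ( ! $query2 ) return 0;
        if ( mysql_num_rows($query2) == 0 ) return 0;
        while ( $row2 = mysql_fetch_row($query2) ) {
            $sql = sprintf("INSERT INTO acl2_permissions(acl_id, permissions, admin_id)
VALUES (%d, %d, %d);", $aclid, $row2[0], $row2[1]);
            if ( ! mysql_query($sql, $db_connection) ) return 0;
        }
    }
    $GLOBALS['pva_id2uuid_arr'] = $uuids;
    return 1;
}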
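/* Create a new group under parent group id $crpgrp and build its ACLs: one
   role-less ACL plus one per existing role, each seeded with the parent's
   default ACL (or, when the parent has no default ACL, its role-less ACL).
     $crgrp  - new group's short name (appended to the parent's full name)
     $crpgrp - parent group id; forced to an integer before it reaches SQL
               (it normally arrives from a form and was concatenated raw)
     $vo     - VO name (unused here, kept for call compatibility)
     $uuids  - optional ids->uuids map supplied when replaying a remote
               transaction; keys 'groups', 'acl2' and one per role name
   Publishes the ids->uuids it created (plus 'group_name') through
   $GLOBALS['pva_id2uuid_arr'].
   return (int) 1 on success, 0 on failure or when the group already exists */
function createGroup ( $crgrp, $crpgrp, $vo, $uuids = array()) {
    global $db_connection;
    $parent_id = (int) $crpgrp;
    $fresh_uuids = empty($uuids);
    if ( $fresh_uuids ) {
        $uuids['groups'] = 0;
        $uuids['acl2'] = 0;
    }
    // parent group's full name
    $query = mysql_query("SELECT groups.dn FROM groups WHERE groups.gid = " . $parent_id, $db_connection);
    if ( ! $query || mysql_num_rows($query) == 0 ) return 0;
    $row = mysql_fetch_row($query);
    $group_name = $row[0] . "/" . $crgrp;
    $uuids['group_name'] = $group_name;
    // must not exist yet
    $sql = "SELECT groups.gid FROM groups WHERE groups.dn = '".mysql_real_escape_string($group_name, $db_connection)."' AND groups.parent = " . $parent_id . " AND groups.must = 1";
    $query = mysql_query($sql, $db_connection);
    if ( ! $query || mysql_num_rows($query) !== 0 ) return 0;
    // All roles: the seed ACL is copied once without a role and once per role
    // (the original author was unsure why per-role ACL rows are needed and
    // mirrored the role-less ACL into each; kept as is).
    $roles_array = array ();
    $query = mysql_query("SELECT roles.rid, roles.role FROM roles", $db_connection);
    if ( ! $query ) return 0;
    while ( $row = mysql_fetch_row($query) ) {
        $roles_array[$row[1]] = $row[0];
        // NOTE: uuids are keyed by role name, so a role named 'groups', 'acl2'
        // or 'group_name' would collide with the fixed keys
        if ( $fresh_uuids ) $uuids[$row[1]] = 0;
    }
    // ACL to seed from: the parent's default ACL, else its role-less ACL
    $query = mysql_query("SELECT acl2.acl_id FROM acl2 WHERE acl2.group_id = " . $parent_id . " AND acl2.defaultACL = 1", $db_connection);
    if ( ! $query ) return 0;
    if ( mysql_num_rows($query) == 0 ) {
        $query = mysql_query("SELECT acl2.acl_id FROM acl2 WHERE acl2.group_id = " . $parent_id . " AND acl2.defaultACL = 0 AND acl2.role_id IS NULL", $db_connection);
        if ( ! $query || mysql_num_rows($query) == 0 ) return 0;
    }
    $row = mysql_fetch_row($query);
    $seed_acl_id = (int) $row[0];
    // stored permissions of the seed ACL: admin_id => permissions
    $group_permissions = array ();
    $query = mysql_query("SELECT acl2_permissions.permissions, acl2_permissions.admin_id FROM acl2_permissions WHERE acl2_permissions.acl_id = " . $seed_acl_id, $db_connection);
    if ( ! $query || mysql_num_rows($query) == 0 ) return 0;
    while ( $row = mysql_fetch_row($query) ) $group_permissions[$row[1]] = $row[0];
    // insert the group itself
    $sql = sprintf("INSERT INTO groups(dn, parent, must) VALUES ('%s', %d, 1 );",
        mysql_real_escape_string($group_name, $db_connection), $parent_id);
    if ( ! mysql_query($sql, $db_connection) ) return 0;
    $groupid = mysql_insert_id($db_connection);
    $uuids['groups'] = UUID4id($groupid, 'groups', isset($uuids['groups']) ? $uuids['groups'] : 0);
    // role-less ACL
    $aclid = _pva_create_group_acl($groupid, "NULL", $group_permissions);
    if ( ! $aclid ) return 0;
    $uuids['acl2'] = UUID4id($aclid, 'acl2', isset($uuids['acl2']) ? $uuids['acl2'] : 0);
    // one ACL per role
    foreach ( $roles_array as $rolename => $role ) {
        $aclid = _pva_create_group_acl($groupid, (int) $role, $group_permissions);
        if ( ! $aclid ) return 0;
        $uuids[$rolename] = UUID4id($aclid, 'acl2', isset($uuids[$rolename]) ? $uuids[$rolename] : 0);
    }
    $GLOBALS['pva_id2uuid_arr'] = $uuids;
    return 1;
}
// Insert one acl2 row for $groupid with role_id = $role_sql ("NULL" or an
// integer role id) and copy $permissions (admin_id => permissions) into
// acl2_permissions. Returns the new acl_id, 0 on failure.
function _pva_create_group_acl ( $groupid, $role_sql, $permissions ) {
    global $db_connection;
    $sql = sprintf("INSERT INTO acl2(group_id, defaultACL, role_id) VALUES( %d, 0, %s );", $groupid, $role_sql);
    if ( ! mysql_query($sql, $db_connection) ) return 0;
    $aclid = mysql_insert_id($db_connection);
    foreach ( $permissions as $adminid => $perm ) {
        $asql = sprintf("INSERT INTO acl2_permissions(acl_id, permissions, admin_id)
VALUES ( %d, %d, %d );", $aclid, $perm, $adminid);
        if ( ! mysql_query($asql, $db_connection) ) return 0;
    }
    return $aclid;
}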
- /* delete user by user ID
- return (bool) operation status */
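/**
 * Delete a user together with its memberships (m) and attributes (usr_attrs).
 *
 * @param int|string $userid usr.userid; must be numeric, otherwise 0 is returned
 * @param array      $uuids  id->uuid map that is stored in $GLOBALS['pva_id2uuid_arr']
 *                           for the transactional wrapper on success
 * @return int 1 on success, 0 on failure (bad id, uuid lookup failure or failed SQL)
 */
function deleteUser ($userid, $uuids = array() ) {
	global $db_connection;
	// The id is interpolated into the statements below, so it is validated and
	// integer-cast first: that (together with %d) is the only injection guard here.
	if ( ! is_numeric($userid) ) return 0;
	$userid = (int) $userid;
	// id2uuid
	if (! id2uuid_convert ('usr', $userid, $uuids) ) return 0;
	// function description handling (DN is kept for the transaction log)
	if (! isset($uuids['userdn']) ) $uuids['userdn'] = getUserDN($userid);
	// perform delete user: the user row, its group/role memberships and its attributes
	$statements = array (
		sprintf("DELETE FROM usr WHERE usr.userid = %d;", $userid),
		sprintf("DELETE FROM m WHERE m.userid = %d;", $userid),
		sprintf("DELETE FROM usr_attrs WHERE usr_attrs.u_id = %d;", $userid),
	);
	foreach ( $statements as $stmt ) {
		if ( ! mysql_query($stmt, $db_connection) ) return 0;
	}
	$GLOBALS['pva_id2uuid_arr'] = $uuids;
	return 1;
}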
- /* delete group by group ID
- group ID, VO name
- return (int) operation status:
- 0 on failure
- -1 on child exist
- 1 on success */
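/**
 * Delete a group with all its ACLs, ACL permissions, attributes and memberships.
 *
 * The VO root group ("/<vo>") is never deleted, and a group that still has
 * child groups is refused.
 *
 * @param int|string $gid   groups.gid; must be numeric, otherwise 0 is returned
 * @param string     $vo    VO name, used to recognise the root group
 * @param array      $uuids id->uuid map stored in $GLOBALS['pva_id2uuid_arr'] on success
 * @return int 1 on success, -1 when child groups exist, 0 on failure
 */
function deleteGroup ($gid, $vo, $uuids = array() ) {
	global $db_connection;
	// validate and integer-cast before the id reaches any SQL text
	if ( ! is_numeric($gid) ) return 0;
	$gid = (int) $gid;
	// id2uuid
	if (! id2uuid_convert ('groups', $gid, $uuids) ) return 0;
	// function description handling
	if (! isset($uuids['group_name']) ) $uuids['group_name'] = getGroupById($gid);
	// Check for top group: refuse to delete the VO root
	$sql = sprintf("SELECT groups.gid FROM groups WHERE groups.gid = %d AND groups.dn = '/%s'",
		$gid, mysql_real_escape_string($vo));
	$query = mysql_query($sql, $db_connection);
	if ( ! $query || mysql_num_rows($query) !== 0 ) return 0;
	// Check for child groups (a failed query is an error, not "children exist")
	$sql = sprintf("SELECT groups.gid FROM groups WHERE groups.parent = %d", $gid);
	$query = mysql_query($sql, $db_connection);
	if ( ! $query ) return 0;
	if ( mysql_num_rows($query) !== 0 ) return -1;
	// Get ACL Ids for group
	$sql = sprintf("SELECT acl2.acl_id FROM acl2 WHERE acl2.group_id = %d", $gid);
	$query = mysql_query($sql, $db_connection);
	if ( ! $query || mysql_num_rows($query) == 0 ) return 0;
	$statements = array ( sprintf("DELETE FROM role_attrs WHERE role_attrs.g_id = %d;", $gid) );
	while ( $row = mysql_fetch_row($query) )
		$statements[] = sprintf("DELETE FROM acl2_permissions WHERE acl_id = %d", (int) $row[0]);
	$statements[] = sprintf("DELETE FROM acl2 WHERE acl2.group_id = %d;", $gid);
	$statements[] = sprintf("DELETE FROM groups WHERE groups.gid = %d;", $gid);
	$statements[] = sprintf("DELETE FROM group_attrs WHERE group_attrs.g_id = %d;", $gid);
	$statements[] = sprintf("DELETE FROM m WHERE m.gid = %d;", $gid);
	foreach ( $statements as $stmt ) {
		if ( ! mysql_query($stmt, $db_connection) ) return 0;
	}
	$GLOBALS['pva_id2uuid_arr'] = $uuids;
	return 1;
}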
- /* delete role by role ID
- role ID, VO name
- return (bool) operation status */
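/**
 * Delete a role with its ACLs, ACL permissions, attributes and memberships.
 *
 * @param int|string $rid   roles.rid; must be numeric, otherwise 0 is returned
 * @param string     $vo    VO name; not used by this function, kept for signature compatibility
 * @param array      $uuids id->uuid map stored in $GLOBALS['pva_id2uuid_arr'] on success
 * @return int 1 on success, 0 on failure
 */
function deleteRole ($rid, $vo, $uuids = array() ) {
	global $db_connection;
	// validate and integer-cast before the id reaches any SQL text
	if ( ! is_numeric($rid) ) return 0;
	$rid = (int) $rid;
	// id2uuid
	if (! id2uuid_convert ('roles', $rid, $uuids) ) return 0;
	// function description handling
	if (! isset($uuids['role_name']) ) $uuids['role_name'] = getRoleName($rid);
	// Get ACL Ids for role
	$sql = sprintf("SELECT acl2.acl_id FROM acl2 WHERE acl2.role_id = %d", $rid);
	$query = mysql_query($sql, $db_connection);
	if ( ! $query || mysql_num_rows($query) == 0 ) return 0;
	$statements = array ( sprintf("DELETE FROM role_attrs WHERE role_attrs.r_id = %d;", $rid) );
	while ( $row = mysql_fetch_row($query) )
		$statements[] = sprintf("DELETE FROM acl2_permissions WHERE acl_id = %d", (int) $row[0]);
	$statements[] = sprintf("DELETE FROM acl2 WHERE acl2.role_id = %d;", $rid);
	$statements[] = sprintf("DELETE FROM m WHERE m.rid = %d;", $rid);
	$statements[] = sprintf("DELETE FROM roles WHERE roles.rid = %d;", $rid);
	foreach ( $statements as $stmt ) {
		if ( ! mysql_query($stmt, $db_connection) ) return 0;
	}
	$GLOBALS['pva_id2uuid_arr'] = $uuids;
	return 1;
}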
- /* get user DN by user ID
- return (string) user DN */
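/**
 * Look up a user's DN by user ID.
 *
 * @param int|string $id usr.userid; must be numeric
 * @return string|int the DN, or 0 when the id is not numeric, the query fails or no row matches
 */
function getUserDN ( $id ) {
	global $db_connection;
	if ( ! is_numeric($id) ) return 0;
	// %d keeps the interpolated id an integer literal
	$sql = sprintf("SELECT usr.dn FROM usr WHERE usr.userid = %d", $id);
	$query = mysql_query($sql, $db_connection);
	if ( ! $query ) return 0;
	if ( ! mysql_num_rows($query) ) return 0;
	$row = mysql_fetch_row($query);
	return $row[0];
}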
- /* get user information by user ID
- return (array) array of (user DN, user CN, CA DN, user e-mail, CA database ID) */
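/**
 * Fetch a user's basic record joined with its CA.
 *
 * @param int|string $id usr.userid; must be numeric
 * @return array|int array(user DN, user CN, CA DN, user e-mail, CA database ID),
 *                   or 0 when the id is not numeric, the query fails or no row matches
 *                   (previously a row of nulls was returned in the no-match case)
 */
function getUserInfo( $id ) {
	global $db_connection;
	if ( ! is_numeric($id) ) return 0;
	$sql = sprintf("SELECT usr.dn, usr.cn, ca.ca, usr.mail, ca.cid FROM usr, ca WHERE ca.cid = usr.ca AND usr.userid = %d", $id);
	$query = mysql_query($sql, $db_connection);
	if ( ! $query ) return 0;
	$row = mysql_fetch_row($query);
	if ( ! $row ) return 0;
	return array( $row[0], $row[1], $row[2], $row[3], $row[4] );
}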
- /* get information about all users
- return (array of hash) */
/**
 * List every user with its CA, certificate URI and e-mail.
 *
 * @return array|int list of hashes with keys CA, CN, DN, certUri, mail; 0 when the query fails
 */
function getAllUsersInfo( ) {
	global $db_connection;
	$sql = "SELECT usr.dn, usr.cn, ca.ca, usr.mail, usr.cauri FROM usr, ca WHERE ca.cid = usr.ca";
	$query = mysql_query($sql, $db_connection);
	if ( ! $query ) return 0;
	$users = array();
	while ( $row = mysql_fetch_assoc($query) ) {
		$users[] = array(
			"CA"      => $row["ca"],
			"CN"      => $row["cn"],
			"DN"      => $row["dn"],
			"certUri" => $row["cauri"],
			"mail"    => $row["mail"],
		);
	}
	return $users;
}
- /* update user CN and e-mail
- user ID, new user CN, new user e-mail
- return (bool) operation status */
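/**
 * Update a user's CN and e-mail address.
 *
 * @param int|string $id    usr.userid; must be numeric
 * @param string     $cn    new CN (escaped for the SQL text)
 * @param string     $mail  new e-mail (escaped for the SQL text)
 * @param array      $uuids id->uuid map stored in $GLOBALS['pva_id2uuid_arr'] on success
 * @return int 1 on success, 0 on failure
 */
function updateUserInfo( $id , $cn, $mail, $uuids = array() ) {
	global $db_connection;
	if ( ! is_numeric($id) ) return 0;
	$id = (int) $id;
	// id2uuid
	if (! id2uuid_convert ('usr', $id, $uuids) ) return 0;
	// function description handling
	if (! isset($uuids['user_dn'])) $uuids['user_dn'] = getUserDN($id);
	// perform update; the id uses %d so only an integer literal ends up in the WHERE clause
	$sql = sprintf("UPDATE usr SET usr.cn = '%s', usr.mail = '%s' WHERE usr.userid = %d",
		mysql_real_escape_string($cn), mysql_real_escape_string($mail), $id);
	if ( ! mysql_query($sql, $db_connection) ) return 0;
	$GLOBALS['pva_id2uuid_arr'] = $uuids;
	return 1;
}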
- /* get $items_per_page number of groups
start from group, name pattern
- return (array) [group name] = group ID */
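/**
 * Return one page of groups, optionally filtered by a substring of the group DN.
 *
 * @param int|string  $limit page offset (first row to return)
 * @param string|null $like  substring to match against groups.dn; null for no filter.
 *                           Note: LIKE wildcards inside $like are not escaped and act as wildcards.
 * @return array [group DN] => group ID; empty when the query fails
 */
function getGroups ( $limit = 0, $like = null ) {
	global $db_connection;
	global $items_per_page;
	$groups = array();
	$sql = "SELECT groups.gid, groups.dn FROM groups";
	if ( $like !== null ) $sql .= " WHERE groups.dn LIKE '%" . mysql_real_escape_string($like) . "%'";
	// LIMIT operands cannot be quoted, so the integer cast is the only guard
	// against a non-numeric offset or page size reaching the statement
	$sql .= sprintf(" LIMIT %d, %d", $limit, $items_per_page);
	$query = mysql_query($sql, $db_connection);
	if ( ! $query ) return $groups;
	while ( $row = mysql_fetch_row($query) ) {
		$groups[$row[1]] = $row[0];
	}
	return $groups;
}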
- /* get group name by ID
- return (string) group name */
/**
 * Resolve a group ID to its DN.
 *
 * @param int $id groups.gid (formatted with %d)
 * @return string|int the group DN, or 0 when the query fails or no row matches
 */
function getGroupById ( $id ) {
	global $db_connection;
	$query = mysql_query(sprintf("SELECT groups.dn FROM groups WHERE groups.gid = %d", $id ), $db_connection);
	if ( ! $query ) return 0;
	if ( mysql_num_rows($query) == 0 ) return 0;
	list($dn) = mysql_fetch_row($query);
	return $dn;
}
- /* get $items_per_page number of roles
start from role, role name pattern
- return (array) [role name] = role ID */
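/**
 * Return one page of roles, optionally filtered by a substring of the role name.
 *
 * @param int|string  $limit page offset (first row to return)
 * @param string|null $like  substring to match against roles.role; null for no filter.
 *                           Note: LIKE wildcards inside $like are not escaped and act as wildcards.
 * @return array [role name] => role ID; empty when the query fails
 */
function getRoles ( $limit = 0, $like = null ) {
	global $db_connection;
	global $items_per_page;
	$roles = array();
	$sql = "SELECT roles.rid, roles.role FROM roles";
	if ( $like !== null ) $sql .= " WHERE roles.role LIKE '%" . mysql_real_escape_string($like) . "%'";
	// LIMIT operands cannot be quoted, so the integer cast is the only guard
	// against a non-numeric offset or page size reaching the statement
	$sql .= sprintf(" LIMIT %d, %d", $limit, $items_per_page);
	$query = mysql_query($sql, $db_connection);
	if ( ! $query ) return $roles;
	while ( $row = mysql_fetch_row($query) ) {
		$roles[$row[1]] = $row[0];
	}
	return $roles;
}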
- /* get number of groups corresponding:
- group name pattern
- return (int) number of groups */
/**
 * Count groups, optionally only those whose DN contains $like.
 *
 * @param string|null $like substring filter on groups.dn, null for all groups
 * @return string|null the COUNT() value as returned by MySQL
 */
function getGroupsCount ( $like = null ) {
	global $db_connection;
	$where = ( $like === null )
		? ""
		: " WHERE groups.dn LIKE '%".mysql_real_escape_string($like)."%'";
	$query = mysql_query("SELECT COUNT(groups.gid) AS gcount FROM groups" . $where, $db_connection);
	$counts = mysql_fetch_array($query);
	return $counts["gcount"];
}
- /* get number of roles corresponding:
- role name pattern
- return (int) number of roles */
/**
 * Count roles, optionally only those whose name contains $like.
 *
 * @param string|null $like substring filter on roles.role, null for all roles
 * @return string|null the COUNT() value as returned by MySQL
 */
function getRolesCount ( $like = null ) {
	global $db_connection;
	$where = ( $like === null )
		? ""
		: " WHERE roles.role LIKE '%".mysql_real_escape_string($like)."%'";
	$query = mysql_query("SELECT COUNT(roles.rid) AS rcount FROM roles" . $where, $db_connection);
	$counts = mysql_fetch_array($query);
	return $counts["rcount"];
}
- /* get role name by ID
- return (string) role name */
/**
 * Resolve a role ID to its name.
 *
 * @param int|string $id roles.rid; rejected unless is_numeric()
 * @return string|int the role name, or 0 when the id is not numeric or no row matches
 */
function getRoleName ( $id ) {
	global $db_connection;
	// is_numeric() is what keeps the interpolated id a numeric literal
	if ( ! is_numeric($id) ) return 0;
	$query = mysql_query("SELECT roles.role FROM roles WHERE roles.rid = " . $id, $db_connection);
	if ( mysql_num_rows($query) == 0 ) return 0;
	list($name) = mysql_fetch_row($query);
	return $name;
}
- /* get role ID by Name
- return (int) role ID */
/**
 * Resolve a role name to its ID.
 *
 * @param string $name roles.role (escaped for the SQL text)
 * @return string|int the role ID, or 0 when no row matches
 */
function getRoleId ( $name ) {
	global $db_connection;
	$escaped = mysql_real_escape_string($name);
	$query = mysql_query("SELECT roles.rid FROM roles WHERE roles.role = '" . $escaped . "'", $db_connection);
	if ( mysql_num_rows($query) == 0 ) return 0;
	list($rid) = mysql_fetch_row($query);
	return $rid;
}
- /* get ACL id for specified:
- group ID, role ID, default flag
- return (int) ACL id, 0 if false */
/**
 * Find the acl2 row for a group / role / default-flag combination.
 *
 * @param int|string      $gid     groups.gid; must be numeric
 * @param int|string|null $rid     roles.rid, or NULL for the ACL without a role; must be numeric if given
 * @param int|string      $default acl2.defaultACL flag; must be numeric
 * @return string|int the ACL id, or 0 on bad input or when no row matches
 */
function getACLid ( $gid, $rid, $default ) {
	global $db_connection;
	if ( ! is_numeric($gid) || ! is_numeric($default) ) return 0;
	if ( $rid !== NULL && ! is_numeric($rid) ) return 0;
	// role_id is either matched against a numeric literal or required to be NULL
	$roleClause = ( $rid === NULL ) ? "IS NULL" : "= " . $rid;
	$sql = sprintf("SELECT acl2.acl_id FROM acl2 WHERE acl2.group_id = %d AND acl2.defaultACL = %d AND acl2.role_id %s",
		$gid, $default, $roleClause);
	$query = mysql_query($sql, $db_connection);
	if ( mysql_num_rows($query) == 0 ) return 0;
	list($aclId) = mysql_fetch_row($query);
	return $aclId;
}
- /* get all ACL values for specified ACL id (group and role actually)
- returning set of permissions for each user or role/group having special permissions for this ACL ID
return (hash of array) [admin CN] = array of (ca, admid, [array of permission category] = permissions in human readable format) */
/**
 * Collect, per admin, the human-readable permissions granted on one ACL.
 *
 * @param int|string $id acl2.acl_id; must be numeric
 * @return array|int [admin CN] => array("ca" => CA CN, "admid" => admin id,
 *                   <category> => "r"/"w"/"d" flags as produced by decodeACLPermissions()),
 *                   or 0 on bad input or when the ACL has no permission rows
 */
function getACLvalues ( $id ) {
	global $db_connection;
	if ( ! is_numeric($id) ) return 0;
	$sql = sprintf("SELECT acl2_permissions.permissions, admins.dn, ca.ca, admins.adminid FROM acl2_permissions, admins, ca
WHERE acl2_permissions.acl_id = %d
AND acl2_permissions.admin_id = admins.adminid
AND admins.ca = ca.cid ", $id );
	$query = mysql_query($sql, $db_connection);
	if ( mysql_num_rows($query) == 0 ) return 0;
	// Present in the database but not listed by the original Java-based VOMS-Admin interface
	$hiddenAdmins = array( "Internal VOMS Process", "Local Database Administrator", "Absolutely Anyone" );
	$result = array ();
	while ( list($permBits, $adminDn, $caDn, $adminId) = mysql_fetch_row($query) ) {
		$adm_ca = CNfromDN($caDn);
		// Group and Role pseudo-admins are shown by their full DN, real admins by CN
		$isVomsEntity = ( $adm_ca === "VOMS Role" ) || ( $adm_ca === "VOMS Group" );
		$adm_cn = $isVomsEntity ? $adminDn : CNfromDN($adminDn);
		if ( in_array($adm_cn, $hiddenAdmins, true) ) continue;
		$result[$adm_cn]["ca"] = $adm_ca;
		$result[$adm_cn]["admid"] = $adminId;
		// Decode permission bits into an "rwd" string per category
		foreach ( decodeACLPermissions($permBits) as $pcat => $ppa ) {
			$flags = "";
			if ( $ppa["r"] == 1 ) $flags .= "r";
			if ( $ppa["w"] == 1 ) $flags .= "w";
			if ( isset($ppa["d"]) && $ppa["d"] == 1 ) $flags .= "d";
			$result[$adm_cn][$pcat] = $flags;
		}
	}
	return $result;
}
- /* find all child groups with permission ids for this groups;
- recursive function, that handle information via reference parameters
processed_parents -- array of already processed parents (must be empty at first call)
to_process -- array of [gid] = 1 to be processed. Emulates a set of elements so membership can be checked quickly
- acl_ids -- array of ACL ids of all child groups
- */
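/**
 * Collect the ACL ids of every descendant group of the groups queued in $to_process.
 *
 * Iterative breadth-first walk (the previous recursive version stopped as soon
 * as it met a group without children, leaving the rest of the queue unprocessed).
 *
 * @param array $processed_parents [gid] => 1 for every group already expanded; empty at first call
 * @param array $to_process        [gid] => 1 queue of groups still to expand; emptied by this function
 * @param array $acl_ids           acl2.acl_id values of all child groups are appended here
 * @return int always 0 (kept for compatibility; callers ignore the return value)
 */
function getAllChildren ( &$processed_parents, &$to_process, &$acl_ids ) {
	global $db_connection;
	while ( ! empty($to_process) ) {
		reset($to_process);
		$pgid = (int) key($to_process);
		// mark before expanding, so a group is never queued or expanded twice
		unset($to_process[$pgid]);
		$processed_parents[$pgid] = 1;
		$sql = sprintf("SELECT acl2.acl_id, acl2.group_id FROM groups, acl2 WHERE acl2.group_id = groups.gid AND groups.parent = %d", $pgid);
		$query = mysql_query($sql, $db_connection);
		if ( ! $query ) return 0;
		// a group without children simply contributes nothing; the queue keeps draining
		while ( $row = mysql_fetch_row($query) ) {
			$acl_ids[] = $row[0];
			if ( ! isset($processed_parents[$row[1]]) ) $to_process[$row[1]] = 1;
		}
	}
	return 0;
}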
- /* update ACL permissions for specified
- ACL ID, admin ID, permissions value, propagate to all child flags, group ID, default ACL flag
- return (bool) operation status */
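/**
 * Create or update one admin's acl2_permissions entry on a group's ACL(s).
 *
 * @param int   $aclid       existing acl2.acl_id, or 0 to address a (possibly new) ACL via $gid/$default_acl
 * @param int   $admid       admins.adminid receiving the permissions
 * @param int   $perm        encoded permission bits written to acl2_permissions.permissions
 * @param int   $propagate   non-zero to apply to all descendant groups as well; for an existing
 *                           ACL this value is used as the group id the descent starts from
 * @param int   $gid         group id, only used when $aclid is 0
 * @param int   $default_acl non-zero to target the group's default ACL (created when missing)
 * @param array $uuids       id->uuid map stored in $GLOBALS['pva_id2uuid_arr'] on success
 * @return int 1 on success, 0 on failure
 */
function updateACLPermissions($aclid, $admid, $perm, $propagate = 0, $gid = 0, $default_acl = 0, $uuids = array() ) {
	global $db_connection;
	// id2uuid
	if (! id2uuid_convert ('acl2', $aclid, $uuids) ) return 0;
	if (! id2uuid_convert ('admins', $admid, $uuids) ) return 0;
	// group id and defaultACL flag: taken from the stored ACL when one is given,
	// otherwise from the parameters (new ACL); integer-cast since they are interpolated below
	if ($aclid) {
		$sql = sprintf("SELECT acl2.group_id, acl2.defaultACL FROM acl2 WHERE acl2.acl_id = %d", $aclid);
		$query = mysql_query($sql, $db_connection);
		if ( ! $query || mysql_num_rows($query) == 0 ) return 0;
		$row = mysql_fetch_row($query);
		$group_id = (int) $row[0];
		$defaultACL = $row[1];
	} else {
		$group_id = (int) $gid;
		$defaultACL = $default_acl;
	}
	// function description handling
	if (! isset($uuids['group_name'])) $uuids['group_name'] = getGroupById($group_id);
	if (! isset($uuids['admin_cn'])){
		$adm_info = getAdminInfo($admid);
		$uuids['admin_cn'] = $adm_info['cn'];
	}

	// find ACL (normal/default) for this group.
	// Without $default_acl every acl2 row of the group (including per-role ones) is
	// selected and updated; this is the existing behaviour and is kept as-is.
	$acl_ids = array ();
	$sql = sprintf("SELECT acl2.acl_id FROM acl2 WHERE acl2.group_id = %d", $group_id);
	if ( $default_acl ) $sql .= " AND acl2.defaultACL = 1 AND acl2.role_id IS NULL";
	$query = mysql_query($sql, $db_connection);
	if ( ! $query ) return 0;
	// if ACL not found, then create new one (default ACL only)
	// store ACL id(s) to array
	if ( mysql_num_rows($query) == 0 ) {
		if ( $default_acl ) {
			$sql = sprintf("INSERT INTO acl2(group_id, defaultACL, role_id) VALUES (%d, 1, NULL)", $group_id);
			if ( ! mysql_query($sql, $db_connection) ) return 0;
			// id2uuid for new ACL
			$acl_ins_id = mysql_insert_id();
			$uuids['acl2_def'] = UUID4id($acl_ins_id, 'acl2', isset($uuids['acl2_def']) ? $uuids['acl2_def'] : 0);
			$acl_ids[] = $acl_ins_id;
		} else return 0;
	} else while ( $row = mysql_fetch_row($query) ) $acl_ids[] = $row[0];
	// get all child group ACLs for this parent when propagate requested
	if ( ( $propagate ) && ( ! $defaultACL ) ) {
		$processed_parents = array ();
		$to_process = array ();
		if ($aclid) $to_process[$propagate] = 1; else $to_process[$gid] = 1;
		// add child ACLs to ids array
		getAllChildren ( $processed_parents, $to_process, $acl_ids );
	}
	// create(update) ACL_permissions for every ACL in array for requested admin
	foreach ( array_unique($acl_ids) as $acl_id ) {
		// using UPDATE, MySQL will not update columns where the new value is the same as the old value
		// (affected rows would be 0 and trigger a duplicate INSERT), so SELECT first
		$sql = sprintf("SELECT acl2_permissions.acl_id FROM acl2_permissions
WHERE acl2_permissions.permissions = %d
AND acl2_permissions.acl_id = %d
AND acl2_permissions.admin_id = %d", $perm, $acl_id, $admid);
		$query = mysql_query($sql, $db_connection);
		if ( mysql_num_rows($query) != 0 ) continue;
		// same permissions record not found, trying to update
		$sql = sprintf("UPDATE acl2_permissions
SET acl2_permissions.permissions = %d
WHERE acl2_permissions.acl_id = %d
AND acl2_permissions.admin_id = %d", $perm, $acl_id, $admid);
		mysql_query($sql, $db_connection);
		// if update does not succeed (no existing row) then insert new value
		if ( ! mysql_affected_rows() ) {
			$sql = sprintf("INSERT INTO acl2_permissions(acl_id, permissions, admin_id)
VALUES (%d, %d, %d)",$acl_id, $perm, $admid);
			if ( ! mysql_query($sql, $db_connection) ) return 0;
		}
	}
	$GLOBALS['pva_id2uuid_arr'] = $uuids;
	return 1;
}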
- /* delete an ACL with specified
- ACL ID, admin ID, remove from all child flag, default ACL flag
- return (bool) operation status */
- function deleteACLentry($aclid, $admid, $propagate = 0, $default = 0, $uuids = array() ) {
- global $db_connection;
- // id2uuid
- if (! id2uuid_convert ('acl2', $aclid, $uuids) ) return 0;
- if (! id2uuid_convert ('admins', $admid, $uuids) ) return 0;
- // function description handling
- if (! isset($uuids['admin_cn'])){
- $adm_info = getAdminInfo($admid);
- $uuids['admin_cn'] = $adm_info['cn'];
- }
- $GLOBALS['pva_id2uuid_arr'] = $uuids;
- // when remove from child requested ( $propagate contain parent group identifier )
- if ( $propagate ) {
- if (! isset($uuids['group_name'])) $uuids['group_name'] = getGroupById($propagate);
- $sql = sprintf("DELETE FROM acl2_permissions
- USING acl2_permissions INNER JOIN acl2 INNER JOIN groups
- WHERE acl2_permissions.acl_id = acl2.acl_id
- AND acl2.group_id = groups.gid
- AND ( groups.parent = %d OR groups.gid = %d )
- AND acl2_permissions.admin_id = %d", $propagate, $propagate, $admid);
- if ( ! mysql_query($sql, $db_connection)) {
- $GLOBALS['pva_id2uuid_arr'] = $uuids;
- return 0;
- } else return 1;
- …