path: root/modules-available/usblockoff/page.inc.php

<?php
class Page_usblockoff extends Page
{

	/**
	 * Called before any page rendering happens - early hook to check parameters etc.
	 */
	protected function doPreprocess()
	{
		User::load();

		if (!User::isLoggedIn()) {
			Message::addError('main.no-permission');
			Util::redirect('?do=Main'); // does not return
		}

		$this->action = Request::any('action');

		if ($this->action === 'updateConfig') {
			$this->updateConfig();
		} elseif ($this->action === 'addDevices') {
			$this->addDevices();
		} elseif ($this->action === 'deleteConfig') {
			$this->deleteConfig();
		} elseif ($this->action === 'deleteRule') {
			$this->deleteRule();
		} elseif ($this->action === 'editRule') {
			$this->editRule();
		}
	}

	/**
	 * Menu etc. has already been generated, now it's time to generate page content.
	 */
	protected function doRender()
	{
		$show = Request::get("show", "config-table");
		if ($show === "config-table") {
			$this->loadConfigChooser();
		} else if ($show === "edit-config") {
			$configid = Request::get("configid", "");
			$dbquery = Database::queryFirst("SELECT configname, configdesc FROM `usb_configs` WHERE configid=:id", array(
				'id' => $configid
			));

			$rulesConfigHtml = $this->loadRulesConfig($configid);
			$daemonConfigHtml = $this->loadDaemonConfig($configid);

			Render::addTemplate('usb-edit-config', array(
				'configid' => $configid,
				'configName' => $dbquery['configname'],
				'configDesc' => $dbquery['configdesc'],
				'rulesConfigHtml' => $rulesConfigHtml,
				'daemonConfigHtml' => $daemonConfigHtml
			));
		} else if ($show === "add-devices") {
			$this->deviceList();
		} else if ($show === "add-generic-rule") {
			$this->addGenericRule();
		} else if ($show === "edit-rule") {
			$ruleid = Request::get("ruleid", 0, "int");
			if ($ruleid === 0) {
				Message::addError('invalid-rule-id');
				return;
			}
			$configid = Request::get("configid", "");
			$this->showEditRule($configid, $ruleid);
		}
	}

	private function editRule() {
		$ruleid = Request::post('ruleid', 0, 'int');
		$configid = Request::post('configid', 0, 'int');

		$attributes = json_decode(Request::post('attributes', '', 'string'), true);

		if ($ruleid != 0) {
			Database::exec("DELETE FROM `usb_rule_prop` WHERE ruleid=:ruleid", array('ruleid' => $ruleid));
		}

		// Prepare array for the insert. prop- has to be cut and vid:pid = id
		$a = array();
		foreach ($attributes as $att) {
			// SPECIAL CASE: PID AND VID needs to put together to VID:PID = ID
			if (substr($att['prop'], 5) === "vid") {
				if (!array_key_exists('id', $a)) {
					$a['id'] = "";
				}
				$a['id'] = $att['value'] . ':' . $a['id'];
			} else if (substr($att['prop'], 5) === "pid") {
				if (!array_key_exists('id', $a)) {
					$a['id'] = "";
				}
				$a['id'] = $a['id'] . $att['value'];
			} else {
				$a[substr($att['prop'], 5)] = $att['value'];
			}
		}

		foreach ($a as $key => $value) {
			// TODO: Better in one query?
			Database::exec("INSERT INTO `usb_rule_prop` (ruleid, prop, value) VALUES (:ruleid, :prop, :val)", array(
				'ruleid' => $ruleid,
				'prop' => $key,
				'val' => $value
			));
		}

		Message::addSuccess('rule-edited');
		Util::redirect('?do=usblockoff&show=edit-config&configid=' . $configid);
	}

	private function addDevices()
	{
		$configid = Request::any('configid', 0, 'int');

		$rules = json_decode(Request::post('rules', '', 'string'), true);

		foreach ($rules as $rule) {
			$rid = (int)$rule['id'];
			if($rid == 0) {
				// New entry so insert only with new id.
				$rid = Database::queryFirst("SELECT MAX(ruleid) AS ID FROM `usb_rule_prop`");
				$rid = $rid['ID'];
				if ($rid == null) $rid = 1;
				else $rid += 1;
			} else {
				// Old entry so delete all old ones and insert new ones.
				Database::exec("DELETE FROM `usb_rule_prop` WHERE ruleid=:ruleid", array('ruleid' => $rid));
			}

			Database::exec("INSERT INTO `usb_rule_prop` (ruleid, prop, value) VALUES (:ruleid, :prop, :val)", array(
				'ruleid' => $rid,
				'prop' => 'target',
				'val' => $rule['target']
			));

			foreach ($rule['attributes'] as $attribute) {
				// TODO: Better in one query?
				Database::exec("INSERT INTO `usb_rule_prop` (ruleid, prop, value) VALUES (:ruleid, :prop, :val)", array(
					'ruleid' => $rid,
					'prop' => $attribute['prop'],
					'val' => $attribute['value']
				));
			}

			// TODO: Add id at the end of the config entry.
			$config = Database::queryFirst("SELECT rulesconfig FROM `usb_configs` WHERE configid=:configid", array(
				'configid' => $configid
			));
			$rulesconfig = json_decode($config['rulesconfig'], true);
			$rulesconfig[] = $rid;
			Database::exec("UPDATE `usb_configs` SET rulesconfig = :rulesconfig WHERE configid=:configid", array(
				'configid' => $configid,
				'rulesconfig' => json_encode($rulesconfig)
			));
			//$result['rules'][] = $rid;
		}

		Util::redirect('?do=usblockoff&show=edit-config&configid=' . $configid);
	}

	private function deviceList()
	{
		$configid = Request::get("configid", 0, 'int');
		$usbdevices = $this->getUsbDeviceList();

		// TODO: Translate Operator Action etc..

		$settings = array();
		$setting = array();
		$setting['title'] = "Action";
		$setting['select_list'] = array(
			array(
				'option' => 'allow',
				'active' => true,
				'value' => 'allow',
			),
			array(
				'option' => 'block',
				'active' => false,
				'value' => 'block',
			),
			array(
				'option' => 'reject',
				'active' => false,
				'value' => 'reject',
			));
		$setting['helptext'] = array('helptext' => Dictionary::translateFile('rule', 'target_helptext'));
		$setting['property'] = 'action';
		$setting['settingHtml'] = Render::parse('server-prop-dropdown', (array)$setting);
		$settings[] = $setting;

		$ruleValues = array('id' => true,
			'serial' => true,
			'name' => true,
			//'hash' => false,
			//'parent-hash' => false,
			'via-port' => false,
			'with-interface' => false);
		foreach ($ruleValues as $key => $value) {
			$settings[] = array(
				'settingHtml' => Render::parse('server-prop-bool', array(
					'title' => Dictionary::translateFile('rule', $key),
					'helptext' => array('helptext' => Dictionary::translateFile('rule', $key . "_helptext")),
					'property' => $key,
					'currentvalue' => $value)),
			);
		}
		Render::addTemplate('usb-device-list', array(
			'list' => array_values($usbdevices),
			'settings' => array_values($settings),
			'configid' => $configid
		));
	}

	private function showEditRule($configid, $ruleid) {
		$attributes = array();

		$query = Database::simpleQuery("SELECT * FROM `usb_rule_prop` WHERE ruleid=:ruleid", array(
			'ruleid' => $ruleid
		));
		$idList = json_decode($this->getIDList(), true);

		while ($attribute = $query->fetch(PDO::FETCH_ASSOC)) {
			$attributesHtml = '';
			$attr = array(
				'title' => Dictionary::translateFile('rule', $attribute['prop']),
				'property' => $attribute['prop'],
				'currentvalue' => $attribute['value'],
				'helptext' => Dictionary::translateFile('rule', $attribute['prop'] . "_helptext"),
			);

			if ($attribute['prop'] === 'target') {
				$attr['select_list'] = array(
					array(
						'option' => 'allow',
						'active' => ($attribute['value'] === 'allow' ? true : false),
						'value' => 'allow',
					),
					array(
						'option' => 'block',
						'active' => ($attribute['value'] === 'block' ? true : false),
						'value' => 'block',
					),
					array(
						'option' => 'reject',
						'active' => ($attribute['value'] === 'reject' ? true : false),
						'value' => 'reject',
					));

				$attributesHtml = Render::parse('server-prop-dropdown', (array)$attr);
			} else if ($attribute['prop'] === 'id') {

				$id = explode(':', $attribute['value']);
				$vid = $id[0];
				$pid = $id[1];

				// Vendor ID
				$attr['title'] = Dictionary::translateFile('rule', 'vid');
				$attr['select_list'] = array();
				$attr['toTextButton'] = true;
				$attr['property'] = 'vid';
				$attr['helptext'] = Dictionary::translateFile('rule', "vid_helptext");

				if (array_key_exists($vid, $idList)) {
					$attr['select_list'][] = array(
						'option' => $idList[$vid]['name'],
						'active' => true,
						'value' => $vid,
					);
				} else {
					$attr['inputtype'] = 'text';
					$attr['value'] = $vid;
					$attr['select_list'][] = array(
						'option' => "unknown",
						'active' => true,
						'value' => $vid,
					);
				}
				$attributesHtml = Render::parse('server-prop-dropdown', (array)$attr);
				$attributes[] = array(
					'attributesHtml' => $attributesHtml
				);

				// Product ID
				$attr['title'] = Dictionary::translateFile('rule', 'pid');
				$attr['select_list'] = array();
				$attr['property'] = 'pid';
				$attr['helptext'] = Dictionary::translateFile('rule', "pid_helptext");

				if (array_key_exists($pid, $idList)) {
					$attr['select_list'][] = array(
						'option' => $idList[$vid]['products'][$pid],
						'active' => true,
						'value' => $pid,
					);
				} else {
					$attr['select_list'][] = array(
						'option' => "unknown",
						'active' => true,
						'value' => $pid,
					);
				}
				$attributesHtml = Render::parse('server-prop-dropdown', (array)$attr);
			} else {
				$attr['inputtype'] = 'text';
				$attributesHtml = Render::parse('server-prop-generic', (array)$attr);
			}
			$attributes[] = array(
				'attributesHtml' => $attributesHtml
			);
		}

		Render::addTemplate('usb-edit-rule', array(
			'configid' => $configid,
			'attributes' => $attributes,
			'ruleid' => $ruleid,
			'usbJson' => json_encode($idList),
		));
	}

	/**
	 * Return a sorted list with all vendor / id information as JSON
	 */
	function getIDList() {
		$usblist = array();

		// TODO: Online version takes a bit longer to load but is more accurate. (2018 instead of 2015)
		//$lines = file('http://www.linux-usb.org/usb.ids');
		$lines = file('/var/lib/usbutils/usb.ids');
		$currentVendor = '';
		$br = false;
		foreach ($lines as $line) {
			if ($line === "\n" && $br) {
				// If its the first part (vid - name / pid - name) skip comments else break because the part we needed is finished.
				break;
			} else if ($line[0] === '#' || $line === "\n") {
				continue;
			} else if (!ctype_space($line[0])) {
				$br = true;
				// It's a vendor id.
				$l = explode('  ', preg_replace('~[\r\n\t]+~', '', $line));
				$vendor = array();
				$vendor['name'] = $l[1];
				$vendor['products'] = array();
				$currentVendor = $l[0];
				$usblist[$l[0]] = $vendor;
			} else if (!ctype_space($line[1])) {
				// It's a product id.
				$l = explode('  ', preg_replace('~[\r\n\t]+~', '', $line));
				$usblist[$currentVendor]['products'][$l[0]] = $l[1];
			} else {
				// It's a interface
				continue;
			}
		}

		$sortVendorName = [];
		$sortVendorId = [];
		foreach ($usblist as $key => $value) {
			$sortVendorName[] = (string)$value['name'];
			$sortVendorId[] = (string)$key;

			$sortProductName = [];
			$sortProductId = [];
			$tmp = $value['products'];
			$keys2 = array_keys($tmp);
			foreach ($tmp as $k => $v) {
				$sortProductName[] = $v;
				$sortProductId[] = $k;
			}
			// TODO: SORT_FLAG_CASE
			array_multisort($sortProductName, SORT_ASC, $sortProductId, SORT_ASC, $tmp, $keys2);
			$usblist[$key]['products'] = array_combine($keys2, $tmp);
		}

		$keys = array_keys($usblist);
		// TODO: SORT_FLAG_CASE
		array_multisort($sortVendorName, SORT_ASC, $sortVendorId, SORT_ASC, $usblist, $keys);
		return json_encode(array_combine($keys, $usblist), JSON_HEX_APOS);
	}

	private function addGenericRule($target = 'allow') {
		$settings = array();
		$configid = Request::get("configid", "");

		// TODO: Translate Operator Action etc..

		$setting = array();
		$setting['title'] = "Action";
		$setting['select_list'] = array(array(
			'option' => 'allow',
			'active' => ($target == 'allow' ? true : false),
			'value' => 'allow',
		),
			array(
				'option' => 'block',
				'active' => ($target == 'block' ? true : false),
				'value' => 'block',
			),
			array(
				'option' => 'reject',
				'active' => ($target == 'reject' ? true : false),
				'value' => 'reject',
			));
		$setting['helptext'] = array('helptext' => Dictionary::translateFile('rule', 'target_helptext'));
		$setting['property'] = 'action';
		$setting['settingHtml'] = Render::parse('server-prop-dropdown', (array)$setting);
		$settings[] = $setting;

		Render::addTemplate('usb-add-generic-rule', array(
			'settings' => array_values($settings),
			'configid' => $configid
		));
	}

	protected function loadConfigChooser()
	{
		$dbquery = Database::simpleQuery("SELECT configid, configname, configdesc FROM `usb_configs`");
		$configs = array();
		while ($dbentry = $dbquery->fetch(PDO::FETCH_ASSOC)) {
			$config['config_id'] = $dbentry['configid'];
			$config['config_name'] = $dbentry['configname'];
			$config['config_desc'] = $dbentry['configdesc'];
			$configs[] = $config;
		}
		Render::addTemplate('usb-configuration-table', array('config_list' => array_values($configs)));
	}

	protected function deleteConfig()
	{
		$configID = Request::any('id', 0, 'int');
		if ($configID != 0) {
			Database::exec("DELETE FROM `usb_configs` WHERE configid=:configid", array('configid' => $configID));
		}

		Message::addSuccess('config-deleted');
		Util::redirect('?do=usblockoff');
	}

	protected function deleteRule()
	{
		$configid = Request::any('configid', 0, 'int');
		$ruleid = Request::any('id', 0, 'int');
		if ($ruleid != 0) {
			Database::exec("DELETE FROM `usb_rule_prop` WHERE ruleid=:ruleid", array('ruleid' => $ruleid));
		}

		Message::addSuccess('rule-deleted');
		Util::redirect('?do=usblockoff&show=edit-config&configid=' . $configid);
	}


	protected function updateConfig()
	{
		$result['saveAsNewConfig'] = Request::post('saveAsNewConfig', false, 'bool');
		// Add new settings in usbguard-daemon.conf here:
		$result['RuleFile'] = Request::post('RuleFile', '', 'string');
		$result['ImplicitPolicyTarget'] = Request::post('ImplicitPolicyTarget', '', 'string');
		$result['PresentDevicePolicy'] = Request::post('PresentDevicePolicy', '', 'string');
		$result['PresentControllerPolicy'] = Request::post('PresentControllerPolicy', '', 'string');
		$result['InsertedDevicePolicy'] = Request::post('InsertedDevicePolicy', '', 'string');
		$result['RestoreControllerDeviceState'] = Request::post('RestoreControllerDeviceState', '', 'string');
		$result['DeviceManagerBackend'] = Request::post('DeviceManagerBackend', '', 'string');
		$result['IPCAllowedUsers'] = Request::post('IPCAllowedUsers', '', 'string');
		$result['IPCAllowedGroups'] = Request::post('IPCAllowedGroups', '', 'string');
		$result['IPCAccessControlFiles'] = Request::post('IPCAccessControlFiles', '', 'string');
		$result['DeviceRulesWithPort'] = Request::post('DeviceRulesWithPort', '', 'string');
		$result['AuditFilePath'] = Request::post('AuditFilePath', '', 'string');
		$result['rules'] = json_decode(Request::post('rules', '', 'string'), true);

		$id = Request::post('id', 0, 'int');
		$configname = Request::post('configName', '', 'string');
		$configdesc = Request::post('configDesc', '', 'string');
		$dbquery = Database::queryFirst("SELECT * FROM `usb_configs` WHERE configid=:id", array('id' => $id));

		// Load daemon.conf from db else load default
		if ($dbquery !== false) {
			$daemonConf = explode("\r\n", $dbquery['daemonconfig']);
		} else {
			$currentdir = getcwd();
			$file = $currentdir . '/modules/usblockoff/inc/default-configs/usbguard-daemon.conf';
			$daemonConf = file($file);
		}
		$newDaemonConf = array();

		foreach ($daemonConf as $line) {
			$t_line = trim($line, "\r\n");
			if ($t_line == '' || $t_line[0] == '#') {
				$newDaemonConf[] = $line . "\r\n";
				continue;
			} else {
				$splitstr = explode('=', $line);

				$splitstr[1] = $result[$splitstr[0]];
				$newDaemonConf[] = implode('=', $splitstr) . "\r\n";
			}
		}

		// INSERT IN DB
		if ($id == '0' || $result['saveAsNewConfig']) {
			$dbquery = Database::exec("INSERT INTO `usb_configs` (configname, rulesconfig, daemonconfig, configdesc) VALUES (:configname, :rulesconfig, :daemonconfig, :configdesc)",
				array('configname' => $configname,
					'rulesconfig' => json_encode($result['rules']),
					'daemonconfig' => implode($newDaemonConf),
					'configdesc' => $configdesc));
		} else {
			$dbquery = Database::exec("UPDATE `usb_configs` SET configname=:configname, rulesconfig=:rulesconfig, daemonconfig=:daemonconfig, configdesc=:configdesc WHERE configid=:configid",
				array('configid' => $id,
					'configname' => $configname,
					'rulesconfig' => json_encode($result['rules']),
					'daemonconfig' => implode($newDaemonConf),
					'configdesc' => $configdesc));
		}
		Message::addSuccess('config-saved');
	}

	private function loadRulesConfig($configid) {
		$rulesConf = null;

		if ($configid == 0) {
			$currentdir = getcwd();
			// TODO: No need for that with the new rule db structure.
			$rulesConf = file_get_contents($currentdir . '/modules/usblockoff/inc/default-configs/rules.conf');
		} else {
			$dbquery = Database::queryFirst("SELECT * FROM `usb_configs` WHERE configid=:id", array('id' => $configid));
			$ruleIds = json_decode($dbquery['rulesconfig'], true);
		}


		$rulesArray = [];
		foreach ($ruleIds as $id) {
			// TODO: Query rule and prepare array for the html file.
			$dbq = Database::simpleQuery("SELECT * FROM `usb_rule_prop` WHERE ruleid=:id", array('id' => $id));
			$rule = [];
			$rule['id'] = $id;
			$rule['hasoverload'] = false;
			$rule['num_overload'] = 0;
			$rule['attributes'] = array();
			$rule['attributes_overload'] = "";
			while ($entry = $dbq->fetch(PDO::FETCH_ASSOC)) {
				if ($entry['prop'] == "target") {
					$rule['target'] = $entry['value'];
				} else if ($entry['prop'] == "id") {
					$idList = json_decode($this->getIDList(), true);
					$id = explode(":", $entry['value']);

					if (array_key_exists($id[0], $idList)) {
						$vendor = $idList[$id[0]]['name'];
						$attributes = [];
						$attributes['prop'] = Dictionary::translateFile('rule', 'vendor');
						$attributes['value'] = $vendor;
						$rule['attributes'][] = $attributes;

						if (array_key_exists($id[1], $idList[$id[0]]['products'])) {
							$product = $idList[$id[0]]['products'][$id[1]];
							$attributes = [];
							$attributes['prop'] = Dictionary::translateFile('rule', 'product');
							$attributes['value'] = $product;
							$rule['attributes'][] = $attributes;
						}
					} else {
						$attributes = [];
						$attributes['prop'] = $entry['prop'];
						$attributes['value'] = $entry['value'];
						$rule['attributes'][] = $attributes;
					}

				} else {
					$attributes = [];
					$attributes['prop'] = $entry['prop'];
					$attributes['value'] = $entry['value'];

					if(sizeof($rule['attributes']) >= 5) {
						$rule['hasoverload'] = true;
						$rule['num_overload'] += 1;
						$rule['attributes_overload'] .= $attributes['prop'] . ': ' . $attributes['value'] . "<br>";
					} else {
						$rule['attributes'][] = $attributes;
					}
				}
			}

			if (!empty($rule['target'])) {
				$rulesArray[] = $rule;
			}
		}

		if ($configid == "new-default") {
			$newConfig = true;
		} else {
			$newConfig = false;
		}

		return Render::parse('usb-rules-config', array(
			'rules' => (array)$rulesArray,
			'configid' => $configid,
			'newConfig' => $newConfig
		));
	}

	private function loadDaemonConfig($id)
	{
		$form = array();
		$rulesConf = null;

		if ($id == 0) {
			$currentdir = getcwd();

			$daemonConf = file($currentdir . '/modules/usblockoff/inc/default-configs/usbguard-daemon.conf');
		} else {
			$dbquery = Database::queryFirst("SELECT * FROM `usb_configs` WHERE configid=:id", array('id' => $id));
			$daemonConf = explode("\r\n", $dbquery['daemonconfig']);
		}
		$element = array();
		$hlptxt = '';

		foreach ($daemonConf as $line) {
			$t_line = trim($line, "\r\n");
			if ($t_line == '#' || $t_line == '' || strpos($t_line, '#!!!') !== false) {
				continue;
			} elseif ($t_line[0] == '#') {
				$ttxt = trim($line, "#");
				$hlptxt .= $ttxt . '<br>';
			} else {
				$splitstr = explode('=', $t_line);
				$element['name'] = $splitstr[0];
				$element['value'] = $splitstr[1];
				$element['helptext'] = $hlptxt;

				$form[] = $element;
				$hlptxt = '';
			}
		}

		return Render::parse('usb-daemon-config', array(
			'list' => array_values($form),
		));
	}

	/**
	 * AJAX
	 */
	protected function doAjax()
	{
		User::load();
		if (!User::isLoggedIn()) {
			die('Unauthorized');
		}
		$action = Request::any('action');

		// TODO: Removed if not needed anymore.
		if ($action === '') {
			//$this->ajaxDeviceList();
		}
	}

	private function getUsbDeviceList() {
		$usbdevices = array();

		// TODO: Per USB Device 3 querys are executed.. better build a more complex sql query?
		$uid = 0;
		$dbquery = Database::simpleQuery("SELECT * FROM `usblockoff_hw`");
		while ($entry = $dbquery->fetch(PDO::FETCH_ASSOC)) {

			$device = array();

			// Get all props from the hw table.
			$dbquery2 = Database::simpleQuery("SELECT * FROM `statistic_hw_prop` WHERE hwid=:hwid", array(
				'hwid' => $entry['hwid']
			));

			while ($prop = $dbquery2->fetch(PDO::FETCH_ASSOC)) {
				$device[$prop['prop']] = $prop['value'];
			}

			// Get all props from the device table.
			$dbquery3 = Database::simpleQuery("SELECT * FROM `usblockoff_hw_prop` WHERE hwid=:hwid AND serial=:serial", array(
				'hwid' => $entry['hwid'],
				'serial' => $entry['serial']
			));

			while ($prop = $dbquery3->fetch(PDO::FETCH_ASSOC)) {
				$device[$prop['prop']] = $prop['value'];
			}
			if (!empty($device['machineuuid'])) {
				$locationquery = Database::queryFirst("SELECT l.locationname AS 'name', m.clientip AS 'ip' FROM machine AS m JOIN location AS l ON l.locationid=m.locationid
				 WHERE m.machineuuid=:machineuuid", array('machineuuid' => $entry['machineuuid']));
				$device['clientip'] = $locationquery['ip'];
				$device['location'] = $locationquery['name'];
			}

			$device['uid'] = ++$uid;
			$device['id'] = $device['vendorid'] . ":" . $device['productid'];
			$device['serial'] = $entry['serial'];
			$device['date'] = date('d.m.Y', $device['lastseen']);
			$device['time'] = date('G:i', $device['lastseen']);
			$usbdevices[] = $device;
		}

		return $usbdevices;
	}
}