From f052b1e4fcec837f819fe05dbd38a0ed87e39333 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Sun, 14 Sep 2014 16:47:39 +0200 Subject: haproxy-devel improvements -server certificate check options -client-certificate support -logging options -unix sockets for faster backend>frontend communication --- config/haproxy-devel/haproxy_utils.inc | 110 +++++++++++++++++++-------------- 1 file changed, 65 insertions(+), 45 deletions(-) (limited to 'config/haproxy-devel/haproxy_utils.inc') diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc index 03bd434f..a5fb7c64 100644 --- a/config/haproxy-devel/haproxy_utils.inc +++ b/config/haproxy-devel/haproxy_utils.inc @@ -33,6 +33,10 @@ require_once("config.inc"); +function haproxy_compareByName($a, $b) { + return strcasecmp($a['name'], $b['name']); +} + function haproxy_interface_ip($interfacebindname,$userfriendly=false){ $list = haproxy_get_bindable_interfaces(); $item = $list[$interfacebindname]; @@ -203,20 +207,11 @@ function haproxy_cert_signed_by($cert, $signedbycert) { return $authoritykeyid == $subjectid; } -function haproxy_get_certificates(){ - global $config; - $allcerts = array(); - foreach($config['cert'] as &$cert) - $allcerts[] = &$cert; - foreach($config['ca'] as &$cert) - $allcerts[] = &$cert; - return $allcerts; -} function haproxy_recalculate_certifcate_chain(){ // and set "selfsigned" for certificates that where used to sign themselves // recalculate the "caref" for all certificates where it is currently unkown. - $allcertificates = haproxy_get_certificates(); + $allcertificates = haproxy_get_certificates('ca,server,user',true); $items_recalculated = 0; foreach($allcertificates as &$cert){ $recalculate=false; @@ -251,7 +246,7 @@ function get_certificat_usage($refid) { $usage = array(); $cert = lookup_cert($refid); if (is_cert_revoked($cert)) - $usage[] = "Revoked"; + $usage[] = "*Revoked"; if (is_webgui_cert($refid)) $usage[] = "webConfigurator"; if (is_user_cert($refid)) 
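Review bot: The replacement call `$allcertificates = haproxy_get_certificates('ca,server,user',true);` in haproxy_recalculate_certifcate_chain no longer gives the loop the config certificate entries it appears to need: the removed helper returned references into $config['cert'] and $config['ca'], whereas the new haproxy_get_certificates introduced later in this patch returns display records of the form ['name' => ...] keyed by refid. The following `foreach($allcertificates as &$cert)` therefore iterates records that carry no 'crt' or 'caref' key and whose mutation never reaches $config, so the caref/selfsigned recalculation the comments describe presumably becomes a no-op; the function body continues outside the hunk, so I cannot see exactly what it does with $cert. Unless the recalculation is meant to be dropped, keep a reference-returning loop here (the function then needs `global $config;`), as below.
```php
function haproxy_recalculate_certifcate_chain(){
	global $config;
	// Work on the live config entries by reference: haproxy_get_certificates()
	// returns display records keyed by refid, not the certificate arrays.
	$allcertificates = array();
	foreach ($config['cert'] as &$cert)
		$allcertificates[] = &$cert;
	foreach ($config['ca'] as &$cert)
		$allcertificates[] = &$cert;
	unset($cert);
	// … unchanged: recalculation loop over $allcertificates …
```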
@@ -260,56 +255,81 @@ function get_certificat_usage($refid) { $usage[] = "OpenVPN Server"; if (is_openvpn_client_cert($refid)) $usage[] = "OpenVPN Client"; - if (is_ipsec_cert($cert['refid'])) + if (is_ipsec_cert($refid)) $usage[] = "IPsec Tunnel"; if (function_exists("is_captiveportal_cert")) if (is_captiveportal_cert($refid)) $usage[] = "Captive Portal"; - return $usage; } -function get_certificates_server($get_includeWebCert=false) { + +function haproxy_get_certificate_descriptivename($cert) { + $usage = get_certificat_usage($cert['crt']); + foreach($usage as $use){ + $usagestr .= " " . $use; + } + if ($usagestr != "") + $usagestr = " (".trim($usagestr).")"; + + $purpose = cert_get_purpose($cert['crt']); + $certserverpurpose = $purpose['server'] == 'Yes' ? " [Server cert]" : ""; + + $caname = ""; + $ca = lookup_ca($cert['caref']); + if ($ca) + $caname = " (CA: {$ca['descr']})"; + + return $cert['descr'] . $caname . $certserverpurpose . $usagestr; +} + +function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=false) { + // $type one or multiple of these separated by a comma: ca,server,user + // $get_includeWebCert if the webgui certificate may be included. + // This function (is intended to) provide a uniform way to retrieve a list of server certificates global $config; - $certificates=array(); - $a_cert = &$config['cert']; - foreach ($a_cert as $cert) - { - if ($get_ca == false && is_webgui_cert($cert['refid'])) - continue; - - $purpose = cert_get_purpose($cert['crt']); - //$certserverpurpose = $purpose['server'] == 'Yes' ? 
" [Server certificate]" : ""; - $certserverpurpose = ""; + $type = ",$type,"; + $certificates = array(); + if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) { + $a_cert = &$config['cert']; + foreach ($a_cert as $cert) { + $purpose = cert_get_purpose($cert['crt']); + + $ok = false; + $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes'; + $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes'; + if (!$ok) + continue; + if ($get_includeWebCert == false && is_webgui_cert($cert['refid'])) + continue; + $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert); + } + } + if (strpos($type,',ca,') !== false) { + $a_cert = &$config['ca']; + foreach ($a_cert as $cert) { + $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert); + } + } + uasort($certificates, haproxy_compareByName); + return $certificates; +} - $selected = ""; +function haproxy_get_crls() { + global $config; + $certificates=array(); + foreach ($config['crl'] as $crl) { $caname = ""; - $inuse = ""; - $revoked = ""; - $ca = lookup_ca($cert['caref']); + $ca = lookup_ca($crl['caref']); if ($ca) $caname = " (CA: {$ca['descr']})"; - if ($pconfig['certref'] == $cert['refid']) - $selected = "selected"; - if (cert_in_use($cert['refid'])) - $inuse = " *In Use"; - if (is_cert_revoked($cert)) - $revoked = " *Revoked"; - - $usagestr=""; - $usage = get_certificat_usage($cert['refid']); - foreach($usage as $use){ - $usagestr .= " " . $use; - } - if ($usagestr != "") - $usagestr = " (".trim($usagestr).")"; - - $certificates[$cert['refid']]['name'] = $cert['descr'] . $caname . $certserverpurpose . $inuse . $revoked . $usagestr; + + $certificates[$crl['refid']]['name'] = $crl['descr'] . 
$caname; } + uasort($certificates, haproxy_compareByName); return $certificates; } - function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) { $offset = str_repeat(' ',$nestID); $itemName = "item$nestID"; -- cgit v1.2.3
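Review bot: haproxy_get_certificate_descriptivename calls `get_certificat_usage($cert['crt'])`, but that function takes a certificate refid (it hands its argument to lookup_cert, is_webgui_cert, is_ipsec_cert and the other is_*_cert helpers), and the removed code passed `$cert['refid']`. With the certificate body passed instead every lookup fails and the usage list stays empty, so the "*Revoked" marker this patch introduces will never appear next to a revoked certificate in the selection list; the fix is `$usage = get_certificat_usage($cert['refid']);`. Two smaller issues in the same hunk: `$usagestr` is built with `.=` without the `$usagestr = "";` initialiser the old code had, and both `uasort($certificates, haproxy_compareByName);` calls pass an unquoted bare word, which PHP only treats as the callback name through the undefined-constant fallback (a notice, and an Error on PHP 8), so quote it as `'haproxy_compareByName'`. Note also that get_certificat_usage is now invoked for CA entries via the ',ca,' branch, for which lookup_cert presumably returns nothing; confirm is_cert_revoked tolerates that.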