From b21069b07582b7828edd781dfbcab72fbddc9c55 Mon Sep 17 00:00:00 2001
From: PiBa-NL <pba_2k3@yahoo.com>
Date: Sat, 21 Feb 2015 19:25:53 +0100
Subject: haproxy-devel, move files to subfolders

---
 config/haproxy-devel/pkg/haproxy_utils.inc | 459 +++++++++++++++++++++++++++++
 1 file changed, 459 insertions(+)
 create mode 100644 config/haproxy-devel/pkg/haproxy_utils.inc

(limited to 'config/haproxy-devel/pkg/haproxy_utils.inc')

diff --git a/config/haproxy-devel/pkg/haproxy_utils.inc b/config/haproxy-devel/pkg/haproxy_utils.inc
new file mode 100644
index 00000000..4b945c06
--- /dev/null
+++ b/config/haproxy-devel/pkg/haproxy_utils.inc
@@ -0,0 +1,459 @@
+<?php
+/*
+	haproxy_utils.php
+	part of pfSense (https://www.pfsense.org/)
+	Copyright (C) 2013-2015 PiBa-NL
+	All rights reserved.
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are met:
+
+	1. Redistributions of source code must retain the above copyright notice,
+	   this list of conditions and the following disclaimer.
+
+	2. Redistributions in binary form must reproduce the above copyright
+	   notice, this list of conditions and the following disclaimer in the
+	   documentation and/or other materials provided with the distribution.
+
+	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+	AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+	POSSIBILITY OF SUCH DAMAGE.
+*/
+/*
+  This file contains functions which are NOT specific to HAProxy and may/could/should 
+  be moved to the general pfSense php library for possible easy use by other parts of pfSense
+*/
+
+require_once("config.inc");
+
+class haproxy_utils {
+	public static $pf_version;
+
+	public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") {
+		$result = array();
+		$host = trim($host, " \t\n\r\0\x0B[];\"'");
+		$host_esc = escapeshellarg($host);
+		$types = explode(',',$querytype);
+		foreach($types as $type){
+			$resolved = gethostbyname($host);
+			if($resolved) {
+				$resolved = array();
+				if (haproxy_utils::$pf_version < '2.2')
+					exec("/usr/bin/dig   {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
+				else
+					exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
+				foreach($resolved as $item) {
+					$newitem = array();
+					$newitem["typeid"] = $type;
+					$newitem["data"] = $item;
+					$result[] = $newitem;
+				}
+			}
+		}
+		return $result;
+	}
+}
+haproxy_utils::$pf_version = substr(trim(file_get_contents("/etc/version")),0,3);
+
+if(!function_exists('ifset')){
+	function ifset(&$var, $default = ''){
+		return isset($var) ? $var : $default;
+	};
+}
+
+if(!function_exists('is_arrayset')){
+	function is_arrayset(&$array, $items){
+		if (!isset($array))
+			return false;
+		$item = $array;
+		$arg = func_get_args();
+		for($i = 1; $i < count($arg); $i++) {
+
+			$itemindex = $arg[$i];
+			if (!isset($item[$itemindex]) || !is_array($item[$itemindex]))
+				return false;
+			$item = $item[$itemindex];
+
+		}
+		return true;
+	}
+}
+
+function haproxy_compareByName($a, $b) {
+	return strcasecmp($a['name'], $b['name']);
+}
+
+function haproxy_interface_ip($interfacebindname,$userfriendly=false){
+	$list = haproxy_get_bindable_interfaces();
+	$item = $list[$interfacebindname];
+	$result = $item['ip'];
+	if ($userfriendly && !$result)
+		$result = $item['name'];
+	return $result;
+}
+
+function haproxy_get_bindable_interfaces($ipv="ipv4,ipv6", $interfacetype="any,localhost,real,carp,ipalias"){
+	// returns a list of ALL interface/IPs that can be used to bind a service to.
+	// filtered by the conditions given in the two filter parameters.
+	// result array includes:
+	// $bindable[key]                can be stored and compared with previous setings
+	// $bindable[key]['ip']          the current IP (possibly changes for dhcp enabled interfaces..)
+	// $bindable[key]['description'] can be shown to user in a selection box
+
+	global $config;
+	$ipverions = split(',',$ipv);
+	$interfacetypes= split(',',$interfacetype);
+
+	$bindable = array();
+	if (in_array("ipv4",$ipverions)){
+		if (in_array('any',$interfacetypes)){
+			$item = array();
+			$item[ip] = '0.0.0.0';
+			$item[name] = 'any (IPv4)';
+			$bindable['any_ipv4'] = $item;
+		}
+		if (in_array('localhost',$interfacetypes)){
+			$item = array();
+			$item[ip] = '127.0.0.1';
+			$item[name] = 'localhost (IPv4)';
+			$bindable['localhost_ipv4'] = $item;
+		}
+		if (in_array('real',$interfacetypes)){
+			foreach($config['interfaces'] as $if => $ifdetail) {
+				if (!isset($ifdetail['enable']))
+					continue;
+				if (!isset($ifdetail['ipaddr']))
+					continue;
+				$descr = $ifdetail['descr'];
+				if (!$descr){
+					if ($if == "wan" && !$ifdetail['descr'])
+						$descr = "WAN";
+					else if ($if == "lan" && !$ifdetail['descr'])
+						$descr = "LAN";
+					else
+						$descr = $if;
+				}
+				$item = array();
+				$item['ip'] = get_interface_ip($if);
+				$item['name'] = "$descr address (IPv4)";
+				$bindable[$if.'_ipv4'] = $item;
+			}
+		}
+		if (in_array('carp',$interfacetypes)){
+			$carplist = get_configured_carp_interface_list();
+			foreach ($carplist as $carpif => $carpip){
+				if (is_ipaddrv4($carpip)){
+					$item = array();
+					$item['ip'] = $carpip;
+					$item['name'] = $carpip." (".get_vip_descr($carpip).")";
+					$bindable[$carpip] = $item;
+				}
+			}
+
+		}
+		if (in_array('ipalias',$interfacetypes)){
+			$aliaslist = get_configured_ip_aliases_list();
+			foreach ($aliaslist as $aliasip => $aliasif){
+				if (is_ipaddrv4($aliasip)){
+					$item = array();
+					$item['ip'] = $aliasip;
+					$item['name'] = $aliasip." (".get_vip_descr($aliasip).")";
+					$bindable[$aliasip.'_ipv4'] = $item;	
+				}
+			}
+		}
+	}
+	if (!isset($config['system']['ipv6allow']))
+		return $bindable;// skip adding the IPv6 addresses if those are not 'allowed'
+	
+	if (in_array("ipv6",$ipverions)){
+		if (in_array('any',$interfacetypes)){
+			$item = array();
+			$item[ip] = '::';
+			$item[name] = 'any (IPv6)';
+			$bindable['any_ipv6'] = $item;
+		}
+		if (in_array('localhost',$interfacetypes)){
+			$item = array();
+			$item[ip] = '::1';
+			$item[name] = 'localhost (IPv6)';
+			$bindable['localhost_ipv6'] = $item;
+		}
+		if (in_array('real',$interfacetypes)){
+			foreach($config['interfaces'] as $if => $ifdetail) {
+				if (!isset($ifdetail['enable']))
+					continue;
+				if (!isset($ifdetail['ipaddrv6']))
+					continue;
+				$descr = $ifdetail['descr'];
+				if (!$descr){
+					if ($if == "wan" && !$ifdetail['descr'])
+						$descr = "WAN";
+					else if ($if == "lan" && !$ifdetail['descr'])
+						$descr = "LAN";
+					else
+						$descr = $if;
+				}
+				$item = array();
+				$item['ip'] = get_interface_ipv6($if);
+				$item['name'] = "$descr  address (IPv6)";
+				$bindable[$if.'_ipv6'] = $item;
+			}
+		}		
+		if (in_array('carp',$interfacetypes)){
+			$carplist = get_configured_carp_interface_list();
+			foreach ($carplist as $carpif => $carpip){
+				if (is_ipaddrv6($carpip)){
+					$item = array();
+					$item['ip'] = $carpip;
+					$item['name'] = $carpip." (".get_vip_descr($carpip).")";
+					$bindable[$carpip] = $item;
+				}
+			}
+
+		}
+		if (in_array('ipalias',$interfacetypes)){
+			$aliaslist = get_configured_ip_aliases_list();
+			foreach ($aliaslist as $aliasip => $aliasif){
+				if (is_ipaddrv6($aliasip)){
+					$item = array();
+					$item['ip'] = $aliasip;
+					$item['name'] = $aliasip." (".get_vip_descr($aliasip).")";
+					$bindable[$aliasip] = $item;	
+				}
+			}
+		}
+	}
+	return $bindable;
+}
+
+function haproxy_get_cert_extensions($crt){
+	$cert = openssl_x509_parse(base64_decode($crt['crt']));
+	return $cert['extensions'];
+}
+
+function haproxy_get_cert_authoritykeyidentifier($cert)
+{
+	$certextension = haproxy_get_cert_extensions($cert);
+	$lines = preg_split('/[\n]+/',$certextension['authorityKeyIdentifier']);
+	return substr($lines[0],6);// cut off the starting string 'keyid:'
+}
+function haproxy_get_cert_subjectKeyIdentifier($cert)
+{
+	$certextension = haproxy_get_cert_extensions($cert);
+	$lines = preg_split('/[\n]+/',$certextension['subjectKeyIdentifier']);
+	return $lines[0];
+}
+
+function haproxy_cert_signed_by($cert, $signedbycert) {
+	// checks if $cert was signed by $signedbycert
+	// this does NOT validate a proper signature but only checks if the extension properties match.
+	$authoritykeyid = haproxy_get_cert_authoritykeyidentifier($cert);
+	$subjectid = haproxy_get_cert_subjectKeyIdentifier($signedbycert);
+	return $authoritykeyid == $subjectid;
+}
+
+function haproxy_recalculate_certifcate_chain(){
+	// and set "selfsigned" for certificates that where used to sign themselves
+	// recalculate the "caref" for all certificates where it is currently unkown.
+	
+	$allcertificates = haproxy_get_certificates('ca,server,user',true);
+	$items_recalculated = 0;
+	foreach($allcertificates as &$cert){
+		$recalculate=false;
+		if (!isset($cert['selfsigned'])){
+			if (!isset($cert['caref']))
+				$recalculate=true;
+			else {		
+				$ca = lookup_ca($cert['caref']);
+				if (!$ca)	
+					$recalculate=true;
+			}
+		}
+		if ($recalculate){
+			foreach($allcertificates as &$signedbycert){
+				if(haproxy_cert_signed_by($cert, $signedbycert)){
+					if ($cert['refid'] == $signedbycert['refid']){
+						$cert['selfsigned'] = true;
+					} else {					
+						$cert['caref'] = $signedbycert['refid'];
+					}
+					$items_recalculated++;
+				}
+			}
+		}
+	}
+	if ($items_recalculated > 0)
+		write_config("Services: HAProxy: Recalculated $items_recalculated certificate chains.");
+	return $items_recalculated;
+}
+
+function get_certificat_usage($refid) {
+	$usage = array();
+	$cert = lookup_cert($refid);
+	if (is_cert_revoked($cert))
+		$usage[] = "*Revoked";
+	if (is_webgui_cert($refid))
+		$usage[] = "webConfigurator";
+	if (is_user_cert($refid))
+		$usage[] = "User Cert";
+	if (is_openvpn_server_cert($refid))
+		$usage[] = "OpenVPN Server";
+	if (is_openvpn_client_cert($refid))
+		$usage[] = "OpenVPN Client";
+	if (is_ipsec_cert($refid))
+		$usage[] = "IPsec Tunnel";
+	if (function_exists("is_captiveportal_cert"))
+		if (is_captiveportal_cert($refid))
+			$usage[] = "Captive Portal";
+	return $usage;
+}
+
+function haproxy_get_certificate_descriptivename($cert) {
+	$usage = get_certificat_usage($cert['crt']);
+	foreach($usage as $use){
+		$usagestr .= " " . $use;
+	}		
+	if ($usagestr != "")
+		$usagestr = " (".trim($usagestr).")";
+
+	$purpose = cert_get_purpose($cert['crt']);
+	$certserverpurpose = $purpose['server'] == 'Yes' ? " [Server cert]" : "";
+		
+	$caname = "";
+	$ca = lookup_ca($cert['caref']);
+	if ($ca)
+		$caname = " (CA: {$ca['descr']})";
+	
+	return $cert['descr'] . $caname . $certserverpurpose . $usagestr;
+}
+
+function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=false) {
+	// $type one or multiple of these separated by a comma:  ca,server,user
+	// $get_includeWebCert if the webgui certificate may be included.
+
+	// This function (is intended to) provide a uniform way to retrieve a list of server certificates
+	global $config;
+	$type = ",$type,";
+	$certificates = array();
+	if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) {
+		if (is_array($config['cert'])) {
+			$a_cert = &$config['cert'];
+			foreach ($a_cert as $cert) {
+				$purpose = cert_get_purpose($cert['crt']);
+				
+				$ok = false;
+				$ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
+				$ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
+				if (!$ok)
+					continue;
+				if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
+					continue;
+				$certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+			}
+		}
+	}
+	if (strpos($type,',ca,') !== false) {
+		if (is_array($config['ca'])) {
+			$a_cert = &$config['ca'];
+			foreach ($a_cert as $cert) {
+				$certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+			}
+		}
+	}
+	uasort($certificates, haproxy_compareByName);
+	return $certificates;
+}
+
+function haproxy_get_crls() {
+	global $config;
+	$certificates=array();
+	if (is_array($config['crl'])) {
+		foreach ($config['crl'] as $crl) {
+			$caname = "";
+			$ca = lookup_ca($crl['caref']);
+			if ($ca)
+				$caname = " (CA: {$ca['descr']})";
+		
+			$certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
+		}
+	}
+	uasort($certificates, haproxy_compareByName);
+	return $certificates;
+}
+
+function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) {
+	$offset = str_repeat('  ',$nestID);
+	$itemName = "item$nestID";
+	echo "{$offset}$nodeName = {};\n";
+	if (is_array($items))
+		foreach ($items as $key => $item)
+		{
+			if (in_array($path.'/'.$key, $includeitems))
+				$subpath = $path.'/'.$key;
+			else
+				$subpath = $path.'/*';
+			if (in_array($subpath, $includeitems) || in_array($path.'/*', $includeitems)) {
+				if (is_array($item)) {
+					$subNodeName = "item$nestID";
+					phparray_to_javascriptarray_recursive($nestID+1, $subpath, $items[$key], $subNodeName, $includeitems);
+					echo "{$offset}{$nodeName}['{$key}'] = $itemName;\n";
+				} else {
+					$item = json_encode($item);
+					echo "{$offset}{$nodeName}['$key'] = $item;\n";
+				}
+			}
+		}
+}
+function phparray_to_javascriptarray($items, $javaMapName, $includeitems) {
+	phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems);
+}
+
+function haproxy_html_select_options($keyvaluelist, $selected="") {
+	$result = "";
+	foreach($keyvaluelist as $key => $desc){
+		$selectedhtml = $key == $selected ? "selected" : "";
+		if ($desc['deprecated'] && $key != $selected){
+			continue;
+		}
+		$name = htmlspecialchars($desc['name']);
+		$result .= "<option value='{$key}' {$selectedhtml}>{$name}</option>";
+	}
+	return $result;
+}
+
+function haproxy_js_select_options($keyvaluelist, $selected="") {
+	$result = "";
+	foreach($keyvaluelist as $key => $desc){
+		$selectedhtml = $key == $selected ? "selected" : "";
+		if ($desc['deprecated'] && $key != $selected){
+			continue;
+		}
+		$name = htmlspecialchars($desc['name']);
+		$result .= "<option value='{$key}' {$selectedhtml}>{$name}<\/option>";
+	}
+	return $result;
+}
+
+function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="", $style="") {
+	if (count($keyvaluelist)>0){
+		if ($onchangeEvent != "")
+			$onchangeEvent = " onchange='$onchangeEvent'";
+		if ($style != "")
+			$style = " style='$style'";
+		echo "<select name=\"$name\" id=\"$name\" class=\"formselect\"$onchangeEvent$style>";
+		echo haproxy_html_select_options($keyvaluelist, $selected);
+		echo "</select>";
+	} else {
+		echo $listEmptyMessage;
+	}
+}
+
+?>
\ No newline at end of file
-- 
cgit v1.2.3