[GT-184] Add support for renewing API credentials

GOCDB · Aug 18, 2023 · 6259cc5 · 6259cc5
1 parent a8d8285
commit 6259cc5
Show file tree

Hide file tree

Showing 11 changed files with 690 additions and 137 deletions.
diff --git a/htdocs/web_portal/controllers/site/edit_api_auth.php b/htdocs/web_portal/controllers/site/edit_api_auth.php
@@ -21,24 +21,47 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
 /*======================================================*/
-require_once __DIR__.'/../../../web_portal/components/Get_User_Principle.php';
-require_once __DIR__.'/../utils.php';
-require_once __DIR__.'/../../../../lib/Gocdb_Services/Factory.php';
+require_once __DIR__ . '/../../../web_portal/components/Get_User_Principle.php';
+require_once __DIR__ . '/../utils.php';
+require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
+
+use Exception;
 
 /**
- * Controller to edit authentication entity request
+ * Controller to either edit authentication entity request or renewal request.
+ *
  * @global array $_POST only set if the browser has POSTed data
  * @return null
  */
-function edit_entity() {
-    $dn = Get_User_Principle();
-    $user = \Factory::getUserService()->getUserByPrinciple($dn);
+function edit_entity()
+{
+    list($user, $authEnt, $site, $serv) = initialize();
+
+    if ($_POST) {
+        submit($user, $authEnt, $site, $serv);
+    } else {
+        draw($user, $authEnt, $site);
+    }
+}
 
-    //Check the portal is not in read only mode, returns exception if it is and user is not an admin
+function initialize()
+{
+    $identifier = Get_User_Principle();
+    $user = \Factory::getUserService()->getUserByPrinciple($identifier);
+
+    /**
+     * Check the portal is not in read only mode,
+     * returns exception if it is and user is not an admin.
+     */
     checkPortalIsNotReadOnlyOrUserIsAdmin($user);
 
-    if (!isset($_REQUEST['authentityid']) || !is_numeric($_REQUEST['authentityid']) ){
-        throw new Exception("A authentication entity id must be specified in the url");
+    if (
+        !isset($_REQUEST['authentityid']) ||
+        !is_numeric($_REQUEST['authentityid'])
+    ) {
+        throw new Exception(
+            "An authentication entity ID must be specified in the URL."
+        );
     }
 
     $serv = \Factory::getSiteService();
@@ -47,48 +70,85 @@ function edit_entity() {
 
     // Validate the user has permission to edit properties
     if (!$serv->userCanEditSite($user, $site)) {
-        throw new \Exception("Permission denied: a site role is required to edit authentication entities at " . $site->getShortName());
+        throw new \Exception(
+            "Permission denied: A site role is required " .
+            "to edit authentication entities at " .
+            $site->getShortName()
+        );
     }
 
-    if($_POST) {     // If we receive a POST request it's to edit an authentication entity
-        submit($user, $authEnt, $site, $serv);
-    } else { // If there is no post data, draw the edit authentication entity form
-        draw($user, $authEnt, $site);
-    }
+    return [$user, $authEnt, $site, $serv];
 }
 
-function draw(\User $user = null, \APIAuthentication $authEnt = null, \Site $site = null) {
-    if(is_null($user)){
-        throw new Exception("Unregistered users can't edit authentication credentials");
+/**
+ * Helper to draw either the edit or renewal authentication entity form.
+ *
+ * @param \User|null $user
+ * @param \APIAuthentication|null $authEntity
+ * @param \Site|null $site
+ * @throws \Exception
+ */
+function draw(
+    \User $user = null,
+    \APIAuthentication $authEnt = null,
+    \Site $site = null
+) {
+    if (is_null($user)) {
+        throw new Exception(
+            "Unregistered users can't edit authentication credentials."
+        );
     }
 
     $params = array();
     $params['site'] = $site;
     $params['authEnt'] = $authEnt;
     $params['authTypes'] = array();
-    $params['authTypes'][]='X.509';
-    $params['authTypes'][]='OIDC Subject';
+    $params['authTypes'][] = 'X.509';
+    $params['authTypes'][] = 'OIDC Subject';
     $params['user'] = $user;
 
+    if ($_REQUEST['isRenewalRequest']) {
+        $params['isRenewalRequest'] = true;
+    }
+
     show_view("site/edit_api_auth.php", $params);
     die();
 }
 
-function submit(\User $user, \APIAuthentication $authEnt, \Site $site, org\gocdb\services\Site $serv) {
-    $newValues = getAPIAuthenticationFromWeb();
+/**
+ * If this receives a POST request,
+ * it can be either to edit an API authentication entity or
+ * to update the `$lastRenewTime` in `APIAuthentication`.
+ *
+ * @param \User $user
+ * @param \APIAuthentication $authEntity
+ * @param \Site $site
+ * @param org\gocdb\services\Site $service
+ */
+function submit(
+    \User $user,
+    \APIAuthentication $authEnt,
+    \Site $site,
+    org\gocdb\services\Site $serv
+) {
+    $params = array();
+
+    if ($_REQUEST['isRenewalRequest']) {
+        $newValues['isRenewalRequest'] = $params['isRenewalRequest'] = true;
+    } else {
+        $newValues = getAPIAuthenticationFromWeb();
+    }
 
     try {
         $authEnt = $serv->editAPIAuthEntity($authEnt, $user, $newValues);
-    } catch(Exception $e) {
+    } catch (Exception $e) {
         show_view('error.php', $e->getMessage());
         die();
     }
 
-    $params = array();
     $params['apiAuthenticationEntity'] = $authEnt;
     $params['site'] = $site;
+
     show_view("site/edited_api_auth.php", $params);
     die();
-
-
 }
diff --git a/htdocs/web_portal/views/site/edit_api_auth.php b/htdocs/web_portal/views/site/edit_api_auth.php
@@ -4,12 +4,16 @@
     $user = $params['user'];
     $entUser = $params['authEnt']->getUser();
 
-    echo('<h1>Edit API credential for ');
+    echo('<h1>');
+    if ($params['isRenewalRequest']) {
+        echo('Renew API credential for ');
+    } else {
+        echo('Edit API credential for ');
+    }
     xecho($params['site']->getName());
     echo('</h1>');
 
     if (!is_null($entUser)) {
-
         echo('<h4>This credential is linked to GOCDB user ');
         echo('<a href="');
         xecho(\GocContextPath::getPath());
@@ -22,14 +26,24 @@
         // entities created prior to GOCDB5.8 have a null owning user
         if ($entUser->getId() != $user->getId()) {
             echo('<div class="input_warning">');
-            echo("WARNING: editing will change the linked user from '");
+            if ($params['isRenewalRequest']) {
+                echo(
+                    "WARNING: Renewing this will change the linked user from '"
+                );
+            } else {
+                echo("WARNING: Editing will change the linked user from '");
+            }
             xecho($entUser->getFullname());
             echo("' to '");
             xecho($user->getFullname());
-            echo("'. Click the browser Back button to cancel the edit.</div>");
+            echo("'. Click the browser Back button to cancel the");
+            if ($params['isRenewalRequest']) {
+                echo(' renewal.</div>');
+            } else {
+                echo(' edit.</div>');
             }
-
-        } else {
+        }
+    } else {
             // This clause should be deleted or replaced with exception after all
             // authentication entities are assigned a user.
             echo('<div class="input_warning">');
@@ -41,23 +55,39 @@
     <form class="inputForm" method="post" action="index.php?Page_Type=Edit_API_Authentication_Entity&parentid=<?php echo($params['site']->getId())?>&authentityid=<?php xecho($params['authEnt']->getId())?>" name="addAPIAuthenticationEntity">
         <div style="margin-bottom: 0.5em;">
             <span class="input_name">Identifier (e.g. Certificate DN or OIDC Subject)*</span>
-            <input type="text" value="<?php xecho($params['authEnt']->getIdentifier()) ?>" name="IDENTIFIER" class="input_input_text">
+            <input
+                type="text"
+                value="<?php xecho($params['authEnt']->getIdentifier()) ?>"
+                name="IDENTIFIER"
+                class="input_input_text"
+                <?php echo $params['isRenewalRequest'] ? 'disabled' : ''; ?>
+            >
         </div>
+
         <div style="margin-bottom: 0.5em;">
             <span class="input_name">Credential type*</span>
-            <select name="TYPE" class="input_input_text">
+            <select
+                name="TYPE"
+                class="input_input_text"
+                <?php echo $params['isRenewalRequest'] ? 'disabled' : ''; ?>
+            >
                 <?php foreach($params['authTypes'] as $authType) {?>
                     <option value="<?php xecho($authType) ?>"<?php if ($params['authEnt']->getType() == $authType) {echo " selected=\"selected\"";} ?>>
                         <?php xecho($authType) ?>
                     </option>
                 <?php } ?>
             </select>
         </div>
+        <?php if (!($params['isRenewalRequest'])) {?>
         <div style="margin-bottom: 1em">
             <div class="input_warning">
-                WARNING: it is possible to delete information using the write functionality of the API. Leave Allow API write unchecked if
-                you do not need to write data.
+                <p>
+                    WARNING: It is possible to delete information using
+                    the write functionality of the API. Leave Allow API write
+                    unchecked if you do not need to write data.
+                </p>
             </div>
+
             <div class="input_checkbox">
                 <input type="checkbox" name="ALLOW_WRITE" id="ALLOW_WRITE" value="checked"
                     <?php
@@ -67,6 +97,28 @@
                 <label class="input_label" for="ALLOW_WRITE">Allow API write</label>
             </div>
         </div>
-        <input type="submit" value="Edit credential" class="input_button">
+        <?php } ?>
+
+        <br><p> Are you sure you want to continue? </P>
+
+        <div>
+            <?php if ($params['isRenewalRequest']) { ?>
+                <input
+                    class="input_input_hidden"
+                    type="hidden"
+                    name="isRenewalRequest"
+                    value=true />
+            <?php } ?>
+            <input
+                type="submit"
+                class="input_button"
+                value="<?php
+                if ($params['isRenewalRequest']) {
+                    echo 'Renew credential';
+                } else {
+                    echo 'Edit credential';
+                } ?>"
+            >
+        </div>
     </form>
 </div>
diff --git a/htdocs/web_portal/views/site/edited_api_auth.php b/htdocs/web_portal/views/site/edited_api_auth.php
@@ -1,6 +1,16 @@
 <div class="rightPageContainer">
     <h1 class="Success">Success</h1><br />
-    The API authenication credential has now been updated. Type:<?php xecho($params['apiAuthenticationEntity']->getType()) ?>, identifier: <?php xecho($params['apiAuthenticationEntity']->getIdentifier()) ?>.
+    The API authenication credential has now been
+    <?php if ($params['isRenewalRequest']) {
+        echo 'renewed,';
+    } else {
+        echo 'updated. Type: ';
+        xecho($params['apiAuthenticationEntity']->getType());
+        echo ',';
+    }
+    ?>
+    identifier:
+    <?php xecho($params['apiAuthenticationEntity']->getIdentifier()) ?>.
     <br />
     <a href="index.php?Page_Type=Site&amp;id=<?php echo $params['site']->getID(); ?>">
         View site</a>

diff --git a/htdocs/web_portal/views/site/view_site.php b/htdocs/web_portal/views/site/view_site.php
@@ -607,8 +607,12 @@ class="header"
                         <th>Type</th>
                         <th>Identifier</th>
                         <th>User</th>
+                        <th style="text-align:center;white-space: nowrap">
+                            <p>Last Renewed<p>
+                        </th>
                         <th style="text-align:center;white-space: nowrap">Last Used</th>
                         <th style="text-align:center">Write</th>
+                        <th style="text-align:center;">Renew</th>
                         <th style="text-align:center;">Edit</th>
                         <th style="text-align:center">Delete</th>
                     </tr>
@@ -649,6 +653,17 @@ class="header"
                             }
                             ?>
                         </td>
+                        <td style="text-align:center">
+                            <?php
+                            $useTime = $APIAuthEnt->getLastRenewTime();
+                            $titleStr = 'Last renewed ' .
+                                        $useTime->format('d-m-Y H:iTP');
+
+                            echo '<div title="' . $titleStr . '">';
+                                echo $useTime->format('d-m-y');
+                            echo '</div>';
+                            ?>
+                        </td>
                         <td style="text-align:center">
                             <?php
                             $useTime = $APIAuthEnt->getLastUseTime();
@@ -672,6 +687,19 @@ class="header"
                                 } ?>
                             />
                         </td>
+                        <td style="width: 8%; text-align: center;">
+                            <?php if (!$portalIsReadOnly) :?>
+                                <form
+                                    action="index.php
+                                     ?Page_Type=Edit_API_Authentication_Entity&amp;
+                                     authentityid=<?= $APIAuthEnt->getId();?>&amp;
+                                     isRenewalRequest=true"
+                                    method="post"
+                                >
+                                    <button type="submit">Renew</button>
+                                </form>
+                            <?php endif;?>
+                        </td>
                         <td style="width: 8%;"align = "center">
                             <?php if (!$portalIsReadOnly) :?>
                                 <form action="index.php?Page_Type=Edit_API_Authentication_Entity&amp;