From dbc88f9c1b0daa0397b94f4372b52e36cac8b1c6 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Wed, 22 Nov 2017 14:33:04 +0100
Subject: [PATCH] Implement hook for TLS client identities locking

refs #3016
---
 .../TlsclientidentityController.php | 12 +++++
 .../Config/Tls/ClientIdentity/EditForm.php | 31 +++++++++++
 .../Hook/TlsClientIdentityHook.php | 52 +++++++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 library/Icinga/Application/Hook/TlsClientIdentityHook.php

diff --git a/application/controllers/TlsclientidentityController.php b/application/controllers/TlsclientidentityController.php
index 01d9b6b84..55c01e29c 100644
--- a/application/controllers/TlsclientidentityController.php
+++ b/application/controllers/TlsclientidentityController.php
@@ -4,6 +4,7 @@ namespace Icinga\Controllers;
 use Exception;
+use Icinga\Application\Hook;
 use Icinga\File\Storage\LocalFileStorage;
 use Icinga\Forms\Config\Tls\ClientIdentity\CreateForm;
 use Icinga\Forms\Config\Tls\ClientIdentity\EditForm;
@@ -88,6 +89,17 @@ class TlsclientidentityController extends Controller
         $this->view->form = $form = new ConfirmRemovalForm();
         $form->setOnSuccess(function (ConfirmRemovalForm $form) use ($name, $fileName, $clientIdentities) {
+            foreach (Hook::all('TlsClientIdentity') as $hook) {
+                /** @var Hook\TlsClientIdentityHook $hook */
+
+                try {
+                    $hook->beforeRemove($name);
+                } catch (Exception $e) {
+                    $form->error($e->getMessage());
+                    return false;
+                }
+            }
+
             try {
                 $clientIdentities->delete($fileName);
             } catch (Exception $e) {
diff --git a/application/forms/Config/Tls/ClientIdentity/EditForm.php b/application/forms/Config/Tls/ClientIdentity/EditForm.php
index b79425071..3c3eab319 100644
--- a/application/forms/Config/Tls/ClientIdentity/EditForm.php
+++ b/application/forms/Config/Tls/ClientIdentity/EditForm.php
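Review bot: The hooks are consulted before `$clientIdentities->delete($fileName)`, but nothing tells them whether the removal actually happened: when a later hook vetoes, the hooks that already accepted (and may have acted, given the "locking" intent in the subject) are not informed, and when the delete in the following catch block fails they have already run as well. The rename path in EditForm at least re-invokes the accepting hooks on failure; this path has no equivalent. Either state in the hook contract that `beforeRemove()` must be free of side effects, or give the hook an after/abort callback so it can release whatever it reserved. Passing `$e->getMessage()` verbatim to `$form->error()` also means a hook's exception text ends up in the UI unchanged, which hook implementers need to know. The closure passed to `setOnSuccess()` continues beyond the hunk.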
@@ -4,6 +4,7 @@ namespace Icinga\Forms\Config\Tls\ClientIdentity;
 use Exception;
+use Icinga\Application\Hook;
 use Icinga\File\Storage\LocalFileStorage;
 use Icinga\Web\Form;
@@ -54,6 +55,29 @@ class EditForm extends Form
         $name = $this->getElement('name')->getValue();
         if ($name !== $this->oldName) {
+            /** @var Hook\TlsClientIdentityHook[] $succeededCascades */
+            $succeededCascades = array();
+
+            foreach (Hook::all('TlsClientIdentity') as $hook) {
+                /** @var Hook\TlsClientIdentityHook $hook */
+
+                try {
+                    $hook->beforeRename($this->oldName, $name);
+                } catch (Exception $e) {
+                    foreach ($succeededCascades as $succeededCascade) {
+                        try {
+                            $succeededCascade->beforeRename($name, $this->oldName);
+                        } catch (Exception $_) {
+                        }
+                    }
+
+                    $this->error($e->getMessage());
+                    return false;
+                }
+
+                $succeededCascades[] = $hook;
+            }
+
             try {
                 $clientIdentities = LocalFileStorage::common('tls/clientidentities');
                 $oldFileName = bin2hex($this->oldName) . '.pem';
@@ -61,6 +85,13 @@ class EditForm extends Form
                 $clientIdentities->create(bin2hex($name) . '.pem', $clientIdentities->read($oldFileName));
                 $clientIdentities->delete($oldFileName);
             } catch (Exception $e) {
+                foreach ($succeededCascades as $succeededCascade) {
+                    try {
+                        $succeededCascade->beforeRename($name, $this->oldName);
+                    } catch (Exception $_) {
+                    }
+                }
+
                 $this->error($e->getMessage());
                 return false;
             }
diff --git a/library/Icinga/Application/Hook/TlsClientIdentityHook.php b/library/Icinga/Application/Hook/TlsClientIdentityHook.php
new file mode 100644
index 000000000..7a67d6501
--- /dev/null
+++ b/library/Icinga/Application/Hook/TlsClientIdentityHook.php
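Review bot: The revert loop inside the `catch` of the hook iteration swallows every exception with `catch (Exception $_) {}`, so a hook that cannot undo its `beforeRename()` is left believing the identity carries the new name while the file keeps the old one, and nothing is logged; the same loop is repeated verbatim in the next hunk's `catch` around the file rename. I would extract it into one private method that walks the accepting hooks in reverse order and logs a failed revert through `Logger::error()` (which needs `use Icinga\Application\Logger;` in the file header), and call it from both catch sites as `$this->revertRename($succeededCascades, $name);`. The enclosing method starts before this hunk and ends after the next one.
```php
                } catch (Exception $e) {
                    $this->revertRename($succeededCascades, $name);
                    $this->error($e->getMessage());
                    return false;
                }
// … unchanged: file copy/delete; its catch block calls revertRename() the same way …

    /**
     * Undo beforeRename() on the hooks that already accepted a rename which could not be completed
     *
     * @param   Hook\TlsClientIdentityHook[]    $succeededCascades
     * @param   string                          $newName
     */
    protected function revertRename(array $succeededCascades, $newName)
    {
        foreach (array_reverse($succeededCascades) as $hook) {
            try {
                $hook->beforeRename($newName, $this->oldName);
            } catch (Exception $e) {
                Logger::error(
                    'Could not revert rename of TLS client identity "%s" in %s: %s',
                    $this->oldName,
                    get_class($hook),
                    $e->getMessage()
                );
            }
        }
    }
```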
@@ -0,0 +1,52 @@
+init();
+    }
+
+    /**
+     * Overwrite this function if you want to do some initialization stuff
+     *
+     * @return void
+     */
+    protected function init()
+    {
+    }
+
+    /**
+     * Called before the given client identity is removed
+     *
+     * If an exception is thrown, the removal fails.
+     *
+     * @param string $clientIdentityName
+     *
+     * @throws \Exception
+     */
+    abstract public function beforeRemove($clientIdentityName);
+
+    /**
+     * Called before a client identity is renamed as given
+     *
+     * If an exception is thrown, the renaming fails.
+     *
+     * @param string $oldClientIdentityName
+     * @param string $newClientIdentityName
+     *
+     * @throws \Exception
+     */
+    abstract public function beforeRename($oldClientIdentityName, $newClientIdentityName);
+}
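Review bot: The `beforeRename()` docblock does not mention that the edit form calls it a second time with the arguments swapped, `beforeRename($newName, $oldName)`, to undo a rename that a later hook or the file operation rejected; an implementation that, say, refuses a "new" name it already knows would break that revert. I would add to its docblock: `Note that a rename which fails afterwards is reverted by calling this method again with the names swapped, so implementations must accept the reverse operation and must not treat the first call as final.` Both docblocks should also say that the exception message is shown to the user unchanged, since the controller and the form pass `$e->getMessage()` straight to `error()`. The first lines of this hunk are garbled on this page, so the class header and the constructor are not visible.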