<?php
/****************************************************************************** 
 * Copyright 1991-2012 by Quantum Corporation.  All rights reserved.
 * No part of this work may be reproduced or transmitted in any
 * form or by any means, electronic or mechanical, including
 * photocopying and recording, or by any information storage
 * or retrieval system, except as may be expressly permitted by
 * the 17 U.S.C. section 101, et. seq., or in writing by
 * Quantum Corporation.
 *******************************************************************************/
include('common_admin_inc.htm');

// Determine if encryption is licensed
$hasEKMLic = is_ibm_encryption_licensed($user);
$hasSNWLic = is_dps_licensed($user);

// Get system encryption type
$ekmType = get_ekm_type($user);

class EkmData
{
   var $libGuid;
   var $method;
   var $policy;
   var $density;
   var $key_path;
   var $method_not_used;
   var $policy_not_used;
   var $fips_mode;
   var $key_reuse;
      
   function EkmData( $libGuid, $method, $fips_mode, $key_reuse)
   {
      global $ekmType;

      $this->libGuid            = $libGuid;
      $this->method             = $method;
      $this->policy             = $method == 4 && ($ekmType == 1 || $ekmType == 5) ? 0x2 : 0xFF;
      $this->density            = 0xFF;
      $this->key_path           = 0xFF;
      $this->method_not_used    = 0;
      $this->policy_not_used    = 0;
      $this->fips_mode          = $fips_mode;
      $this->key_reuse          = $key_reuse;
   }
};


$akmResult = akm_get_error_codes();

$ekmServerTypeMap = array(1=> "Q-EKM", 2 => "SKM", 4 => "KMIP", 5 => "TKLM/SKLM");

function DoSkmSetup()
{
   global $akmResult;
   global $user;

   $res = @akm_setup_servers($user);

   if( $res != $akmResult->SUCCEEDED )
   {
      error_log("akm_setup_servers failed with a ". $res);
      return $res;
   }

   set_time_limit(0);   // Turn off time limit or php will complain with large amounts of data
   do
   {
      sleep(60);
      @reset_inactive_timer($user);
      $akmStatus = @akm_setup_progress($user, 0);
 
      if( $akmStatus->result == 0x10 /* TimeOut */ )
      {
         $akmStatus->status = 0x55003;
         break;
      }
      else if( $akmStatus->result == 0x2c /* BadSerialNumber */ )
      {
         $akmStatus->status = 0x55000;
         break;
      }
      else if( $akmStatus->result == 0x7F000013 /* SetupDuplicateSerialNumber */ )
      {
         $akmStatus->status = 0x7F000013;
         break;
      }
   } while( $akmStatus->status != $akmResult->StatusFinished );

   set_time_limit(300);  // Set back to the default

   if( $akmStatus->result == $akmResult->SUCCEEDED || $akmStatus->result == $akmResult->SetupSucceededKeysGenerated)
   {
      error_log("akm_setup_progress returned succeeded");
   }

   return $akmStatus->result;
}

function hasLoadedDrive($libGuid)
{
   global $user, $sortCriteria;
   $drives = get_all_drives_by_library($user, $libGuid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY);
   foreach($drives as $drive)
   {
      if(strlen($drive->barcode) > 0)
      {
         return true;
      }
   }
   return false;
}

function libSupportsEkmType($lib, $type)
{
   global $user, $sortCriteria;
   $drives = get_all_drives_by_library($user, $lib->guid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY);
   foreach($drives as $drive)
   {
      if(!$drive->encryptionSupported) return false;
      if($drive->vendor == "IBM" && getDriveGeneration($drive) < 5 && ($type != 1 && $type != 5)) return false;
      if($drive->vendor == "IBM" && getDriveGeneration($drive) > 6 && ($type == 1)) return false;
      if($drive->vendor == "HP" && ($type == 1 || $type == 5)) return false;
   }

   return true;
}

function libSupportsFIPS($lib)
{
   // Must have only HP LTO5+ FC drives
   global $user, $sortCriteria, $ekmType;
   // FIPS only works on SKM and KMIP
   if($ekmType != 2 && $ekmType != 4) return false;

   $drives = get_all_drives_by_library($user, $lib->guid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY);
   foreach($drives as $drive)
   {
      if(!$drive->encryptionSupported) return false;
      if($drive->vendor == "IBM") return false;
      if(getDriveGeneration($drive) < 5) return false;
      //57620 - Allow HP SAS Drives
      //if($drive->interfaceType != "Fibre") return false;
   }

   return true;
}

function libSupportsKeyReuse($lib)
{
   // Must have only HP LTO4+ drives
   global $user, $sortCriteria, $ekmType;
   // KR only works on SKM and KMIP
   if($ekmType != 2 && $ekmType != 4) return false;

   $drives = get_all_drives_by_library($user, $lib->guid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY);
   foreach($drives as $drive)
   {
      if(!$drive->encryptionSupported) return false;
      if($drive->vendor == "IBM") return false;
   }

   return true;
}

$qekmDefaults = get_ekm_multi($user, 1);
$akmDefaults = get_ekm_multi($user, 2);
$kmipDefaults = get_ekm_multi($user, 4);
$tklmDefaults = get_ekm_multi($user, 5);

$akmResult = akm_get_error_codes();

if ($_SERVER[REQUEST_METHOD] == "POST")
{
   $keysGenerated = false;
   $operationInProgress = true;
   $status = new ReturnStatus();

   $enableLME = strlen($_POST["enableLME"]) > 0 ? explode(":", $_POST["enableLME"]) : array();
   $disableLME = strlen($_POST["disableLME"]) > 0 ? explode(":", $_POST["disableLME"]) : array();

   $enableKR = strlen($_POST["enableKR"]) > 0 ? explode(":", $_POST["enableKR"]) : array();
   $disableKR = strlen($_POST["disableKR"]) > 0 ? explode(":", $_POST["disableKR"]) : array();

   $enableFIPS = strlen($_POST["enableFIPS"]) > 0 ? explode(":", $_POST["enableFIPS"]) : array();
   $disableFIPS = strlen($_POST["disableFIPS"]) > 0 ? explode(":", $_POST["disableFIPS"]) : array();

   $allToChange = array_merge($enableLME, $disableLME, $enableKR, $disableKR, $enableFIPS, $disableFIPS);

   // Double-check drives are unloaded
   foreach($allToChange as $libGuid)
   {
      if(hasLoadedDrive($libGuid))
      {
         $status->setErrorCode(0x50021);
         print $status->out();
         return;
      }
   }

   // Take partitions to be modified offline
   foreach($allToChange as $libGuid)
   {
      change_library_mode($user, $libGuid, 0);
   }

   // Perform SKM setup if necessary
   if($ekmType == 2 && count($enableLME) > 0)
   {
      if(akm_servers_available($user, true))
      {
         $result = DoSkmSetup();
         if($result != $akmResult->SUCCEEDED && $result != $akmResult->SetupSucceededKeysGenerated)
         {
            // SKM setup failed, so we have to stop here.
            error_log("skm setup failed: ".$result);
            $status->setErrorCode( $result );
            print $status->out();
            return;
         }
         else if($result == $akmResult->SetupSucceededKeysGenerated)
         {
            $keysGenerated = true;
         }
      }
      else
      {
         // Do nothing else & set error condition.  Partitions will
         // remain offline.
         $status->setErrorCode( 1 ); // TODO determine proper error code
         print $status->out();
         return;
      }

   }

   foreach($allToChange as $libGuid)
   {
      // Get current settings for this partition
      $ekm = get_partition_enryption($user, $libGuid);

      $method = $ekm->method;
      $reuseKeys = $ekm->reuse_keys;
      $fips = $ekm->fips_mode;

      // Determine new method based on presence in LME arrays
      if(in_array($libGuid, $enableLME)) $method = 4;
      if(in_array($libGuid, $disableLME)) $method = 3;
      if(in_array($libGuid, $enableKR)) $reuseKeys = true;
      if(in_array($libGuid, $disableKR)) $reuseKeys = false;
      if(in_array($libGuid, $enableFIPS)) $fips = true;
      if(in_array($libGuid, $disableFIPS)) $fips = false;

      // If LME is off, FIPS must also be off
      if($method != 4) $fips = false;

      $data = new EkmData($libGuid, $method, $fips, $reuseKeys);

      set_partition_enryption($user, $data);

      // Setup SNW license for each drive
      $drives = get_all_drives_by_library($user, $libGuid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY);
      foreach($drives as $drive)
      {
         $license = get_dps_license($user, $drive->guid);
         // PCR57620 - SNW licenses no longer needed for FIPS, always pass in false for FIPS to not consume licenses.
         submit_dps_license($user, $drive->guid, $license->CPFEnabled, $license->LMEnabled, $license->DPFEnabled, false);
      }
   }

   foreach($allToChange as $libGuid)
   {
      change_library_mode($user, $libGuid, 1);
   }

   if($keysGenerated)
   {
      print $status->closeMsg(4, "akm_setup_servers was run" );
   }
   else
   {
      print $status->out();
   }
   return;
}

// Determine if certificates are installed for the current EKM type
$hasCerts = (($ekmType == 1) or 
             ($ekmType == 5) or
             ($ekmType == 2 and has_certs_installed($user, 0, 4, 6) == 1) or 
             ($ekmType == 4 and has_certs_installed($user, 8, 9) == 1));

// Determine if there are valid settings for the selected ekm type
$hasValidDefaults = (($ekmType == 2 and count($akmDefaults->managers) >= 2) or 
                     ($ekmType == 4 and count($kmipDefaults->managers) >= 2) or 
                     ($ekmType == 1 and count($qekmDefaults->managers) >= 1) or 
                     ($ekmType == 5 and count($tklmDefaults->managers) >= 1));

// Get partition info
$libs = get_logical_libraries($user, $sortCriteria);
error_log("libs : ".print_r($libs,true));

foreach($libs as $k => $lib)
{
   // Add info for FIPS and EKM support
   $libs[$k]->ekmSupported = libSupportsEkmType($lib, $ekmType);
   $libs[$k]->fipsSupported = libSupportsFIPS($lib);

   // Add info for Key Reuse support (not supported by IBM drives)
   $libs[$k]->krSupported = libSupportsKeyReuse($lib);

   // Add DPS license count
   $libs[$k]->snwUsed = get_dps_used_count_for_partition($user, $lib->guid);
}

// Collect a list of partitions with loaded drives
$withLoadedDrives = array();
foreach($libs as $lib)
{
   if(hasLoadedDrive($lib->guid)) array_push($withLoadedDrives, $lib->guid);
}

// Determine if SKM setup is in-progress
$akmStatus = @akm_setup_progress($user, 0);
$libBusy = !($akmStatus->status == $akmResult->StatusFinished || $akmStatus->status == $akmResult->StatusNotStarted);

$ekmLicAvailable = get_ekm_drive_cnt($user);
$snwLicAvailable = get_max_dps_drive_cnt($user);

?>
<html lang="en">
<head>
<title>Setup - Partition Encryption Key Server Access Configuration</title>

<?
css("style");
js("common");
js("loading");
js("validate");
?>

<script type="text/javascript">

var launchProgressWindowDo = "progressWindowIndex.htm";
var progressWindowDo = "progressWindow.htm";
var operation = "";

<? convertToJs($libs, "libs") ?>

function applyChanges()
{
   // Loop through partitions & get new EKM settings.  Compile into lists of
   // partitions whose settings need to be modified.
   var lmeCount = 0;
   var snwCount = 0;
   var enableLME = "";
   var disableLME = "";
   for(var i = 0; i < libs.length; i++)
   {
      //PCR57087 - Do not consume encyrption drive licenses for drives in edlm partitions
      if(($("lib" + i + "_lme").checked) && (libs[i]["libraryManaged"] != 1)) lmeCount += libs[i]["totalDrives"];

      if($("lib" + i + "_lme").checked && libs[i]["method"] != 4)
      {
         enableLME = enableLME + libs[i]["guid"] + ":";
      }
      else if(!$("lib" + i + "_lme").checked && libs[i]["method"] == 4)
      {
         disableLME = disableLME + libs[i]["guid"] + ":";
      }

      if($("lib" + i + "_fips").checked) snwCount += libs[i]["totalDrives"];
      else
      {
         // Also need to count drives in other partitions that are using other SNW
         // features - CPF, DPF and Lun Mapping.
         snwCount += libs[i]["snwUsed"];
      }
   }

   if(enableLME.length > 0) enableLME = enableLME.slice(0, -1);
   if(disableLME.length > 0) disableLME = disableLME.slice(0, -1);

   $("post_enable_lme").value = enableLME;
   $("post_disable_lme").value = disableLME;

   // Validate that we have enough licenses for the number of
   // drives set for LME.
   if(lmeCount > <?= $ekmLicAvailable ?>)
   {
      alert("The library has insufficient EKM licenses installed to perform the selected configuration." + 
            "  Please install more licenses, or select fewer partitions for Library Managed Encryption.");
      return;
   }

   // Validate that we have enough licenses for the number of
   // drives set for FIPS.
   // PCR57620 - removes the requirement for SNW licenses for FIPs.

   if(disableLME.length > 0)
   {
      var conf = confirm( "If you disable Library Managed Encryption on a partition, the data that was " +
                       "written to the tapes while the partition was configured for Library Managed Encryption " +
                       "can no longer be read until you re-enable Library Managed Encryption.\n" +
                       "Are you sure you wish to continue?");
      if(!conf) return;
   }

   var enableKR = "";
   var disableKR = "";
   for(var i = 0; i < libs.length; i++)
   {
      if($("lib" + i + "_kr").checked && libs[i]["keyReuse"] != true)
      {
         enableKR = enableKR + libs[i]["guid"] + ":";
      }
      else if(!$("lib" + i + "_kr").checked && libs[i]["keyReuse"] == true)
      {
         disableKR = disableKR + libs[i]["guid"] + ":";
      }
   }

   if(enableKR.length > 0) enableKR = enableKR.slice(0, -1);
   if(disableKR.length > 0) disableKR = disableKR.slice(0, -1);

   $("post_enable_kr").value = enableKR;
   $("post_disable_kr").value = disableKR;

   var fipsCount = 0;
   var enableFIPS = "";
   var disableFIPS = "";
   for(var i = 0; i < libs.length; i++)
   {
      if($("lib" + i + "_fips").checked && libs[i]["fipsEnabled"] != true)
      {
         enableFIPS = enableFIPS + libs[i]["guid"] + ":";
      }
      else if(!$("lib" + i + "_fips").checked && libs[i]["fipsEnabled"] == true)
      {
         disableFIPS = disableFIPS + libs[i]["guid"] + ":";
      }
   }

   if(enableFIPS.length > 0) enableFIPS = enableFIPS.slice(0, -1);
   if(disableFIPS.length > 0) disableFIPS = disableFIPS.slice(0, -1);

   $("post_enable_fips").value = enableFIPS;
   $("post_disable_fips").value = disableFIPS;

   if(enableLME == "" && disableLME == "" && 
      enableKR == "" && disableKR == "" && 
      enableFIPS == "" && disableFIPS == "")
   {
      alert("No changes were made.");
      return;
   }

   if(!cautionLibOffline()) return;

   openProgressWindow("Setting Partition Encryption", "MainForm");
}

function registerEvents()
{
   // Bind events to LME checkboxes to disable or enable key reuse & fips checkbox as required.
<? foreach($libs as $k => $lib) { ?>
   addEventHandler($("lib<?= $k ?>_lme"), "click", 
                   function() {
                      $("lib<?= $k ?>_kr").disabled = !($("lib<?= $k ?>_lme").checked) || <?= !$lib->krSupported ? "true" : "false" ?>; 
                      $("lib<?= $k ?>_kr_state_text").className = $("lib<?= $k ?>_lme").checked && <?= $lib->krSupported ? "true" : "false" ?> ? "" : "disable"; 
                      $("lib<?= $k ?>_type").className = $("lib<?= $k ?>_lme").checked ? "" : "disable";
                      $("lib<?= $k ?>_fips").disabled = !($("lib<?= $k ?>_lme").checked) || <?= !$lib->fipsSupported ? "true" : "false" ?>; 
                      $("lib<?= $k ?>_fips_state_text").className = $("lib<?= $k ?>_lme").checked && <?= $lib->fipsSupported ? "true" : "false" ?> ? "" : "disable"; 
                      } 
   );
<? if($lib->method != 4) { ?>
   $("lib<?= $k ?>_kr").disabled = true;
   $("lib<?= $k ?>_kr_state_text").className = "disable";
   $("lib<?= $k ?>_fips").disabled = true;
   $("lib<?= $k ?>_fips_state_text").className = "disable";
<? } else { ?>
   $("lib<?= $k ?>_kr").disabled = !($("lib<?= $k ?>_lme").checked) || <?= !$lib->krSupported ? "true" : "false" ?>; 
   $("lib<?= $k ?>_kr_state_text").className = $("lib<?= $k ?>_lme").checked && <?= $lib->krSupported ? "true" : "false" ?> ? "" : "disable"; 
   $("lib<?= $k ?>_type").className = $("lib<?= $k ?>_lme").checked ? "" : "disable";
   $("lib<?= $k ?>_fips").disabled = !($("lib<?= $k ?>_lme").checked) || <?= !$lib->fipsSupported ? "true" : "false" ?>; 
   $("lib<?= $k ?>_fips_state_text").className = $("lib<?= $k ?>_lme").checked && <?= $lib->fipsSupported ? "true" : "false" ?> ? "" : "disable"; 
<? } } ?>
}

</script>

<style type="text/css">

.noteIndicator {
   display: inline-block;
   float: left;
   width: 50px;
}

#partitionTable {
   margin: 0 auto;
   text-align: center;
   width: 600px;
   white-space: nowrap;
}

#partitionTable th {
   font-size: 11pt;
}

.noteBody {
   display: inline-block;
}

#diag_link {
   text-align: center;
}

.disable {
   color: #999;
}

</style>

</head>

<body onload="javascript:{if(parent.frames[1]&&parent.frames['topFrame'].Go)parent.frames['topFrame'].Go();}IsPageLoaded();registerEvents();">
<input type="hidden" id="<?=ROBOHELP_ID?>" value="<?=SetupEKMPar?>" />

<a name="topPage"></a>

<!-- BEGIN SESSION SELECTION DIV -->

<div id="sessionDiv" class="visibleDiv"><center>

<div class="mainContent">
   <h1 class="pageTitle">Setup - Encryption Partition Configuration</h1>
   <p class="headingText">
      Set up EKM encryption for library partitions.
   </p>

<? if(!$hasEKMLic) { ?>

<p class="headingText">
   An Encryption Key Management license must be installed on the library in order to use this feature.<br/>
   Please <a href="license.htm" title="Load the License page" target="_self">click here</a> to add a license key.
</p>

<? } else if (!$hasValidDefaults) { ?>

<p class="headingText">
    The Encryption Key Servers are not set up. Please make sure they are configured properly to view this page.<br>
    Please <a href="setupEKM.htm" title="EKM System Configuration page" target="_self">click here</a> to go the &quot;Setup - Encryption System Configuration&quot; page and set up your EKM servers. 
</p>

<? } else if (!$hasCerts) { ?>

<p class="headingText">
    No encryption certificates are installed for the currently configured encryption key server type.<br>
    Please <a href="tlsCertImport.htm" title="Import Encryption Certificates page" target="_self">click here</a> to go the &quot;Import Encryption Certificates&quot; page and install the certificates.
</p>

<? } else { ?>

<? if($withLoadedDrives) { ?>
   <p class="headingText warning">
      You cannot edit the Encryption Method of a partition with a tape cartridge loaded in a drive.
   </p>
<? } ?>

   <table id="partitionTable">
      <thead>
      <tr>
         <th width="17%">Partition</th>
         <th>Type</th>
         <th width="50%">Library Managed Encryption</th>
         <th width="17%">Key Reuse</th>
         <th width="16%">FIPS</th>
         <th>&nbsp;</th>
      </tr>
      </thead>
      <tbody>
<? foreach($libs as $k => $lib) { 
      $canChange = !in_array($lib->guid, $withLoadedDrives);
      ?>
      <tr>
         <td><?= $lib->name ?></td>
         <td id="<?= "lib".$k."_type" ?>" class="<?=$lib->method == 4 ? "" : "disable"?>"><?= $ekmServerTypeMap[$ekmType] ?></td>
         <td><? generateCheckBox("lib".$k."_lme", "lib".$k."_lme", $lib->method == 4, $canChange && $lib->ekmSupported); ?></td>
         <td><? generateCheckBox("lib".$k."_kr", "lib".$k."_kr", $lib->keyReuse, $canChange && $ekmType != 1 && $ekmType != 5); ?></td>
         <td><? generateCheckBox("lib".$k."_fips", "lib".$k."_fips", $lib->fipsEnabled, $canChange && $ekmType != 1 && $ekmType != 5 && $lib->fipsSupported); ?></td>
         <td class="warning">
            <? if(!$canChange) { ?>
               <div style="width: 125px;">(Cannot edit when a drive is loaded)</div>
            <? } ?>
         </td>
      </tr>
<? } ?>
      </tbody>
   </table>

   <p id="diag_link">
      <a href="EKMTest.htm">Click here</a> to run EKM Path Diagnostics.
   </p>

<? } // END check pre-conditions ?>

<div id="NAVDiv" style="position:relative; width:100%;">
   <br>
   <table class="navbar" id="button" align=center><tr>
      <td>
         <br>
         <a href="javascript:loadHomePage();"
            onMouseOver="changeImage(1,'cancel');window.status='Return to home page'; return true;"
            onMouseOut="changeImage(0,'cancel');window.status=''; return true;">
         <img name=cancel title='Return to home page' src="images/buttons/cancel.gif" border=0></a>

<? if($hasEKMLic && $hasValidDefaults && $hasCerts) { ?>
         <a href="javascript:applyChanges();"
            onMouseOver="changeImage(1,'apply');window.status='Apply the Changes'; return true;"
            onMouseOut="changeImage(0,'apply');window.status=''; return true;">
         <img name=apply src="images/buttons/apply.gif" border=0></a>
<? } ?>
      </td>
   </tr></table>
</div>
</center></div>

<form name="MainForm" method="post" action="<? echo $_SERVER[PHP_SELF] ?>" target="returnStatus">
   <input type="hidden" id="post_enable_lme" name="enableLME"/>   
   <input type="hidden" id="post_disable_lme" name="disableLME"/>   
   <input type="hidden" id="post_enable_kr" name="enableKR"/>   
   <input type="hidden" id="post_disable_kr" name="disableKR"/>   
   <input type="hidden" id="post_enable_fips" name="enableFIPS"/>   
   <input type="hidden" id="post_disable_fips" name="disableFIPS"/>   
</form>

<?php
include('progressWin_inc.htm');
?>

</body></html>