HCoop / bpt / portal.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add syntax checking of proposed firewall rules
[bpt/portal.git] / sec.mlt
1 <% val you = Init.getUserId ();
2 val yourname = Init.getUserName ();
3
4 val nodeNum = case $"node" of
5 "" => 2
6 | node => Web.stoi node;
7 val nodeName = Init.nodeName nodeNum;
8
9 val uname = case $"uname" of
10 "" => yourname
11 | uname => uname;
12
13 val socks = Sec.socketPerms {node = nodeNum, uname = uname};
14 val tpe = Sec.isTpe {node = nodeNum, uname = uname};
15 val cron = Sec.cronAllowed {node = nodeNum, uname = uname};
16 val ftp = Sec.ftpAllowed {node = nodeNum, uname = uname};
17
18 ref showNormal = true;
19
20 @header [("title", ["Security settings"])];
21
22 if $"cmd" = "socks" then
23 showNormal := false;
24 val socks = $"socks";
25 %>Are you sure you want to request that socket permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be changed to <b><% Web.html socks %></b>?<br>
26 <a href="sec?cmd=socks2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&socks=<% Web.urlEncode socks %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
27 elseif $"cmd" = "socks2" then
28 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": change socket permissions to ", $"socks"], msg = $"msg"};
29 if not (Sec.Req.notifyNew id) then
30 %><h3>Error sending e-mail notification</h3><%
31 end
32 %><h3>Request added</h3><%
33
34 elseif $"cmd" = "tpe" then
35 showNormal := false;
36 val tpe = iff $"tpe" = "yes" then "on" else "off";
37 %>Are you sure you want to request that trusted-path-executables-only for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be turned <b><% tpe %></b>?<br>
38 <a href="sec?cmd=tpe2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&tpe=<% tpe %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
39 elseif $"cmd" = "tpe2" then
40 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": turn tpe ", $"tpe"], msg = $"msg"};
41 if not (Sec.Req.notifyNew id) then
42 %><h3>Error sending e-mail notification</h3><%
43 end
44 %><h3>Request added</h3><%
45
46 elseif $"cmd" = "cron" then
47 showNormal := false;
48 val cron = iff $"cron" = "yes" then "enabled" else "disabled";
49 %>Are you sure you want to request that <tt>cron</tt> permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% cron %></b>?<br>
50 <a href="sec?cmd=cron2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&cron=<% cron %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
51 elseif $"cmd" = "cron2" then
52 val cron = iff $"cron" = "enabled" then "enable" else "disable";
53 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", cron, " cron access"], msg = $"msg"};
54 if not (Sec.Req.notifyNew id) then
55 %><h3>Error sending e-mail notification</h3><%
56 end
57 %><h3>Request added</h3><%
58
59 elseif $"cmd" = "ftp" then
60 showNormal := false;
61 val ftp = iff $"ftp" = "yes" then "enabled" else "disabled";
62 %>Are you sure you want to request that FTP permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% ftp %></b>?<br>
63 <a href="sec?cmd=ftp2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&ftp=<% ftp %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
64 elseif $"cmd" = "ftp2" then
65 val ftp = iff $"ftp" = "enabled" then "enable" else "disable";
66 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", ftp, " FTP access"], msg = $"msg"};
67 if not (Sec.Req.notifyNew id) then
68 %><h3>Error sending e-mail notification</h3><%
69 end
70 %><h3>Request added</h3><%
71
72 elseif $"cmd" = "rule" then
73 showNormal := false;
74 val rule = $"rule";
75
76 if Sec.validRule rule then
77 %>Are you sure you want to request the firewall rule <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
78 <a href="sec?cmd=rule2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
79 else
80 %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
81 end
82
83 elseif $"cmd" = "rule2" then
84 val rule = $"rule";
85
86 if Sec.validRule rule then
87 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Add firewall rule \"", uname, " ", rule, "\""], msg = $"msg"};
88 if not (Sec.Req.notifyNew id) then
89 %><h3>Error sending e-mail notification</h3><%
90 end
91 %><h3>Request added</h3><%
92 else
93 %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
94 end
95
96 elseif $"modRule" <> "" then
97 showNormal := false;
98 val oldRule = $"modRule";
99 val rule = $"rule"
100 if oldRule = rule then
101 %>You didn't modify the textbox for this rule before clicking the button, so there is no request to be made.<%
102 else
103 %>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> be replaced by <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
104 <a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&modRule2=<% Web.urlEncode oldRule %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
105 end
106 elseif $"modRule2" <> "" then
107 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Change firewall rule \"", uname, " ", $"modRule2", "\" to \"", uname, " ", $"rule", "\""], msg = $"msg"};
108 if not (Sec.Req.notifyNew id) then
109 %><h3>Error sending e-mail notification</h3><%
110 end
111 %><h3>Request added</h3><%
112
113 elseif $"delRule" <> "" then
114 showNormal := false;
115 val oldRule = $"delRule";
116 %>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> on <b><% Web.html nodeName %></b> be <b>deleted</bD>?<br>
117 <a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule2=<% Web.urlEncode oldRule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
118 elseif $"delRule2" <> "" then
119 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Delete firewall rule \"", uname, " ", $"delRule2", "\""], msg = $"msg"};
120 if not (Sec.Req.notifyNew id) then
121 %><h3>Error sending e-mail notification</h3><%
122 end
123 %><h3>Request added</h3><%
124
125 elseif $"cmd" = "open" then
126 showNormal := false;
127 Group.requireGroupName "server";
128 %><h3>Open requests</h3>
129 <a href="sec?cmd=list">List all requests</a><%
130
131 foreach (name, req) in Sec.Req.listOpen () do %>
132 <br><hr><br>
133 <table class="blanks">
134 <tr> <td>By:</td> <td><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
135 <tr> <td>Time:</td> <td><% #stamp req %></td> </tr>
136 <tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
137 <tr> <td>Request:</td> <td><% #data req %></td> </tr>
138 <tr> <td>Msg:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
139 </table>
140
141 <br>
142 <a href="sec?mod=<% #id req %>">[Modify]</a>
143 <a href="sec?del=<% #id req %>">[Delete]</a><br>
144
145 <% end
146
147 elseif $"cmd" = "list" then
148 showNormal := false;
149 Group.requireGroupName "server"
150 %><h3>All requests</h3><%
151
152 foreach (name, req) in Sec.Req.list () do %>
153 <br><hr><br>
154 <table class="blanks">
155 <tr> <td>By:</td> <td colspan="2"><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
156 <tr> <td>Time:</td> <td colspan="2"><% #stamp req %></td> </tr>
157 <tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
158 <tr> <td>Request:</td> <td><% #data req %></td> </tr>
159 <tr> <td>Reason:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
160 </table>
161
162 <br>
163 <a href="sec?mod=<% #id req %>">[Modify]</a>
164 <a href="sec?del=<% #id req %>">[Delete]</a>
165
166 <% end
167
168 elseif $"mod" <> "" then
169 showNormal := false;
170 Group.requireGroupName "server";
171 val id = Web.stoi ($"mod");
172 val req = Sec.Req.lookup id;
173 val user = Init.lookupUser (#usr req) %>
174 <h3>Handle request</h3>
175
176 <form action="sec" method="post">
177 <input type="hidden" name="save" value="<% id %>">
178 <table class="blanks">
179 <tr> <td>Requestor:</td> <td><a href="user?id=<% #usr req %>"><% #name user %></a></td> </tr>
180 <tr> <td>Time:</td> <td><% #stamp req %></td> </tr>
181 <tr> <td>Status:</td> <td><select name="status">
182 <option value="0"<% if #status req = Sec.Req.NEW then %> selected<% end %>>New</option>
183 <option value="1"<% if #status req = Sec.Req.INSTALLED then %> selected<% end %>>Installed</option>
184 <option value="2"<% if #status req = Sec.Req.REJECTED then %> selected<% end %>>Rejected</option>
185 </select></td> </tr>
186 <tr> <td>Node:</td> <td><select name="node">
187 <% foreach node in Init.listNodes () do %>
188 <option value="<% #id node %>"<% if nodeNum = #node req then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
189 <% end %></select></td> </tr>
190 <tr> <td>Request:</td> <td><input name="req" value="<% #data req %>"></td> </tr>
191 <tr> <td>Message:</td> <td><textarea name="msg" rows="10" cols="80" wrap="soft"><% Web.html (#msg req) %></textarea></td> </tr>
192 <tr> <td><input type="submit" value="Save"></td> </tr>
193 </table>
194 </form>
195
196 <% elseif $"save" <> "" then
197 showNormal := false;
198 Group.requireGroupName "server";
199 val id = Web.stoi ($"save");
200 val req = Sec.Req.lookup id;
201 val oldStatus = #status req;
202 val newStatus = Sec.Req.statusFromInt (Web.stoi ($"status"));
203 Sec.Req.modify {req with node = nodeNum, data = $"req", msg = $"msg", status = newStatus};
204 if oldStatus <> newStatus then
205 if not (Sec.Req.notifyMod {old = oldStatus, new = newStatus, changer = Init.getUserName(), req = id}) then
206 %><h3>Error sending e-mail notification</h3><%
207 end
208 end
209 %><h3>Request modified</h3>
210 Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>
211
212 <% elseif $"del" <> "" then
213 showNormal := false;
214 Group.requireGroupName "server";
215 val id = Web.stoi ($"del");
216 val req = Sec.Req.lookup id;
217 val user = Init.lookupUser (#usr req)
218 %><h3>Are you sure you want to delete request by <% #name user %> for "<% #data req %>" on <% Web.html (Init.nodeName (#node req)) %>?</h3>
219 <a href="sec?del2=<% id %>">Yes, I'm sure!</a>
220
221 <% elseif $"del2" <> "" then
222 showNormal := false;
223 Group.requireGroupName "server";
224 val id = Web.stoi ($"del2");
225 Sec.Req.delete id
226 %><h3>Request deleted</b><h3>
227 Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>
228
229 <% end;
230
231 if showNormal then %>
232
233 <table class="blanks">
234 <form action="sec" method="post">
235 <input type="hidden" name="uname" value="<% Web.html uname %>">
236 <tr> <td>Machines:</td> <td><select name="node">
237 <% foreach node in Init.listNodes () do %>
238 <option value="<% #id node %>"<% if nodeNum = #id node then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
239 <% end %></select></td>
240 <td><input type="submit" value="Switch"></td> </tr>
241 </form>
242 <form action="sec" method="post">
243 <input type="hidden" name="node" value="<% nodeNum %>">
244 <tr> <td>Your users:</td> <td><select name="uname">
245 <% foreach name in (yourname :: Sec.findSubusers yourname) do %>
246 <option value="<% name %>"<% if uname = name then %> selected<% end %>><% name %></option>
247 <% end %></select></td>
248 <td><input type="submit" value="Switch"></td> </tr>
249 </form>
250 </table>
251
252 <h3>Request socket permissions change</h3>
253
254 <form action="sec" method="post">
255 <input type="hidden" name="node" value="<% nodeNum %>">
256 <input type="hidden" name="uname" value="<% uname %>">
257 <input type="hidden" name="cmd" value="socks">
258 <table class="blanks">
259 <tr> <td>New permissions:</td> <td><select name="socks">
260 <option value="none"<% if socks = Sec.NADA then %> selected<% end %>>None</option>
261 <option value="any"<% if socks = Sec.ANY then %> selected<% end %>>Any</option>
262 <option value="client"<% if socks = Sec.CLIENT_ONLY then %> selected<% end %>>Client only</option>
263 <option value="server"<% if socks = Sec.SERVER_ONLY then %> selected<% end %>>Server only</option>
264 </select></td> </tr>
265 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
266 <tr> <td><input type="submit" value="Request"></td> </tr>
267 </table>
268 </form>
269
270 <h3>Request change to your execute permissions</h3>
271
272 <form action="sec" method="post">
273 <input type="hidden" name="node" value="<% nodeNum %>">
274 <input type="hidden" name="uname" value="<% uname %>">
275 <input type="hidden" name="cmd" value="tpe">
276 <table class="blanks">
277 <tr> <td>Trusted path executables only?</td> <td><select name="tpe">
278 <option value="no"<% if not tpe then %> selected<% end %>>No</option>
279 <option value="yes"<% if tpe then %> selected<% end %>>Yes</option>
280 </select></td> </tr>
281 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
282 <tr> <td><input type="submit" value="Request"></td> </tr>
283 </table>
284 </form>
285
286 <h3>Request change to your <tt>cron</tt> permissions</h3>
287
288 <form action="sec" method="post">
289 <input type="hidden" name="node" value="<% nodeNum %>">
290 <input type="hidden" name="uname" value="<% uname %>">
291 <input type="hidden" name="cmd" value="cron">
292 <table class="blanks">
293 <tr> <td>Allowed to use cron?</td> <td><select name="cron">
294 <option value="no"<% if not cron then %> selected<% end %>>No</option>
295 <option value="yes"<% if cron then %> selected<% end %>>Yes</option>
296 </select></td> </tr>
297 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
298 <tr> <td><input type="submit" value="Request"></td> </tr>
299 </table>
300 </form>
301
302 <h3>Request change to your FTP permissions</h3>
303
304 <p>Please read <a href="http://wiki.hcoop.net/wiki/FileTransfer">our wiki instructions on file transfer</a> before requesting FTP access. Almost everyone should use alternative protocols to FTP that provide superior security benefits.</p>
305
306 <form action="sec" method="post">
307 <input type="hidden" name="node" value="<% nodeNum %>">
308 <input type="hidden" name="uname" value="<% uname %>">
309 <input type="hidden" name="cmd" value="ftp">
310 <table class="blanks">
311 <tr> <td>Allowed to use FTP?</td> <td><select name="ftp">
312 <option value="no"<% if not ftp then %> selected<% end %>>No</option>
313 <option value="yes"<% if ftp then %> selected<% end %>>Yes</option>
314 </select></td> </tr>
315 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
316 <tr> <td><input type="submit" value="Request"></td> </tr>
317 </table>
318 </form>
319
320 <% val rules = Sec.findFirewallRules {node = nodeNum, uname = uname};
321 switch rules of
322 _::_ => %>
323 <h3>Your firewall rules</h3>
324
325 <% foreach rule in rules do %>
326 <form action="sec" method="post">
327 <input type="hidden" name="node" value="<% nodeNum %>">
328 <input type="hidden" name="uname" value="<% uname %>">
329 <input type="hidden" name="modRule" value="<% Web.html rule %>">
330 <input name="rule" value="<% Web.html rule %>">
331 <a href="sec?delRule=<% Web.urlEncode rule %>">[Request deletion]</a>
332 <input type="submit" value="Request change">
333 </form><br>
334 <% end
335 end%>
336
337 <h3>Request a new firewall rule</h3>
338
339 <p>You can find a description of rule formats <a href="http://wiki.hcoop.net/wiki/FirewallRules">on our wiki</a>. Enter here the rule you want, without the initial <tt>user</tt> portion.</p>
340
341 <p>Please note that <b>your firewall rule will be useless</b> if you don't first request the corresponding socket privileges at the top of this page.</p>
342
343 <form action="sec" method="post">
344 <input type="hidden" name="node" value="<% nodeNum %>">
345 <input type="hidden" name="uname" value="<% uname %>">
346 <input type="hidden" name="cmd" value="rule">
347 <table class="blanks">
348 <tr> <td>Rule</td> <td><input name="rule" size="80"></td> </tr>
349 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
350 <tr> <td><input type="submit" value="Request"></td> </tr>
351 </table>
352 </form>
353
354 <% end %>
355
356 <% @footer[] %>
Unnamed repository; edit this file 'description' to name the repository.