fix stray tag
1<% val you = Init.getUserId ();
2val yourname = Init.getUserName ();
3
3d2ed222 4val nodeNum = case $"node" of
2f3afc4b 5 "" => 4
6 | node => Web.stoi node;
7val nodeName = Init.nodeName nodeNum;
8
9val uname = case $"uname" of
10 "" => yourname
11 | uname => uname;
12
13val socks = Sec.socketPerms {node = nodeNum, uname = uname};
14val tpe = Sec.isTpe {node = nodeNum, uname = uname};
15val cron = Sec.cronAllowed {node = nodeNum, uname = uname};
16
17ref showNormal = true;
18
19@header [("title", ["Security settings"])];
20
21if $"cmd" = "socks" then
22 showNormal := false;
23 val socks = $"socks";
24 %>Are you sure you want to request that socket permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be changed to <b><% Web.html socks %></b>?<br>
25 <a href="sec?cmd=socks2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&socks=<% Web.urlEncode socks %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
dfb0d0d7 26elseif $"cmd" = "socks2" then
3d2ed222 27 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": change socket permissions to ", $"socks"], msg = $"msg"};
dfb0d0d7 28 if not (Sec.Req.notifyNew id) then
b6dd1aaf 29 %><h3>Error sending e-mail notification</h3><%
dfb0d0d7 30 end
b6dd1aaf 31 %><h3>Request added</h3><%
32
33elseif $"cmd" = "tpe" then
34 showNormal := false;
35 val tpe = iff $"tpe" = "yes" then "on" else "off";
36 %>Are you sure you want to request that trusted-path-executables-only for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be turned <b><% tpe %></b>?<br>
37 <a href="sec?cmd=tpe2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&tpe=<% tpe %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
dfb0d0d7 38elseif $"cmd" = "tpe2" then
3d2ed222 39 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": turn tpe ", $"tpe"], msg = $"msg"};
dfb0d0d7 40 if not (Sec.Req.notifyNew id) then
b6dd1aaf 41 %><h3>Error sending e-mail notification</h3><%
dfb0d0d7 42 end
b6dd1aaf 43 %><h3>Request added</h3><%
dfb0d0d7 44
45elseif $"cmd" = "cron" then
46 showNormal := false;
47 val cron = iff $"cron" = "yes" then "enabled" else "disabled";
48 %>Are you sure you want to request that <tt>cron</tt> permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% cron %></b>?<br>
49 <a href="sec?cmd=cron2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&cron=<% cron %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
50elseif $"cmd" = "cron2" then
51 val cron = iff $"cron" = "enabled" then "enable" else "disable";
3d2ed222 52 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", cron, " cron access"], msg = $"msg"};
e510b9bd 53 if not (Sec.Req.notifyNew id) then
b6dd1aaf 54 %><h3>Error sending e-mail notification</h3><%
e510b9bd 55 end
b6dd1aaf 56 %><h3>Request added</h3><%
57elseif $"cmd" = "rule" then
58 showNormal := false;
59 val rule = $"rule";
60
61 if Sec.validRule rule then
62 %>Are you sure you want to request the firewall rule <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
3d2ed222 63 <a href="sec?cmd=rule2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
64 else
65 %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
66 end
67
e510b9bd 68elseif $"cmd" = "rule2" then
69 val rule = $"rule";
70
71 if Sec.validRule rule then
5c6d7637 72 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Add firewall rule \"", nodeName, " ", uname, " ", rule, "\""], msg = $"msg"};
73 if not (Sec.Req.notifyNew id) then
74 %><h3>Error sending e-mail notification</h3><%
75 end
76 %><h3>Request added</h3><%
77 else
78 %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
e510b9bd 79 end
80
81elseif $"modRule" <> "" then
82 showNormal := false;
83 val oldRule = $"modRule";
84 val rule = $"rule"
85 if oldRule = rule then
86 %>You didn't modify the textbox for this rule before clicking the button, so there is no request to be made.<%
87 else
88 %>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> be replaced by <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
89 <a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&modRule2=<% Web.urlEncode oldRule %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
90 end
91elseif $"modRule2" <> "" then
3d2ed222 92 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Change firewall rule \"", uname, " ", $"modRule2", "\" to \"", uname, " ", $"rule", "\""], msg = $"msg"};
e510b9bd 93 if not (Sec.Req.notifyNew id) then
b6dd1aaf 94 %><h3>Error sending e-mail notification</h3><%
e510b9bd 95 end
b6dd1aaf 96 %><h3>Request added</h3><%
97
98elseif $"delRule" <> "" then
99 showNormal := false;
100 val oldRule = $"delRule";
101 %>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> on <b><% Web.html nodeName %></b> be <b>deleted</bD>?<br>
102 <a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule2=<% Web.urlEncode oldRule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
e510b9bd 103elseif $"delRule2" <> "" then
3d2ed222 104 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Delete firewall rule \"", uname, " ", $"delRule2", "\""], msg = $"msg"};
e510b9bd 105 if not (Sec.Req.notifyNew id) then
b6dd1aaf 106 %><h3>Error sending e-mail notification</h3><%
e510b9bd 107 end
b6dd1aaf 108 %><h3>Request added</h3><%
e510b9bd 109
110elseif $"cmd" = "open" then
111 showNormal := false;
112 Group.requireGroupName "server";
b6dd1aaf 113 %><h3>Open requests</h3>
114 <a href="sec?cmd=list">List all requests</a><%
115
116 foreach (name, req) in Sec.Req.listOpen () do %>
117<br><hr><br>
118<table class="blanks">
119<tr> <td>By:</td> <td><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
6b8b767b 120<tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
3d2ed222 121<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
122<tr> <td>Request:</td> <td><% #data req %></td> </tr>
123<tr> <td>Msg:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
124</table>
125
126<br>
127<a href="sec?mod=<% #id req %>">[Modify]</a>
128<a href="sec?del=<% #id req %>">[Delete]</a><br>
129
130<% end
131
132elseif $"cmd" = "list" then
133 showNormal := false;
134 Group.requireGroupName "server"
b6dd1aaf 135 %><h3>All requests</h3><%
136
137 foreach (name, req) in Sec.Req.list () do %>
138<br><hr><br>
139<table class="blanks">
140<tr> <td>By:</td> <td colspan="2"><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
6b8b767b 141<tr> <td>Time:</td> <td colspan="2"><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
3d2ed222 142<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
143<tr> <td>Request:</td> <td><% #data req %></td> </tr>
144<tr> <td>Reason:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
145</table>
146
147<br>
148<a href="sec?mod=<% #id req %>">[Modify]</a>
149<a href="sec?del=<% #id req %>">[Delete]</a>
150
151<% end
152
153elseif $"mod" <> "" then
154 showNormal := false;
155 Group.requireGroupName "server";
156 val id = Web.stoi ($"mod");
157 val req = Sec.Req.lookup id;
158 val user = Init.lookupUser (#usr req) %>
b6dd1aaf 159<h3>Handle request</h3>
160
161<form action="sec" method="post">
162<input type="hidden" name="save" value="<% id %>">
163<table class="blanks">
164<tr> <td>Requestor:</td> <td><a href="user?id=<% #usr req %>"><% #name user %></a></td> </tr>
6b8b767b 165<tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
b6dd1aaf 166<tr> <td>Status:</td> <td><select name="status">
167 <option value="0"<% if #status req = Sec.Req.NEW then %> selected<% end %>>New</option>
168 <option value="1"<% if #status req = Sec.Req.INSTALLED then %> selected<% end %>>Installed</option>
169 <option value="2"<% if #status req = Sec.Req.REJECTED then %> selected<% end %>>Rejected</option>
170</select></td> </tr>
171<tr> <td>Node:</td> <td><select name="node">
172<% foreach node in Init.listNodes () do %>
7e839f2f 173 <option value="<% #id node %>"<% if #id node = #node req then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
3d2ed222 174<% end %></select></td> </tr>
daaa0de7 175<tr> <td>Request:</td> <td><input name="req" value="<% Web.html (#data req) %>"></td> </tr>
b6dd1aaf 176<tr> <td>Message:</td> <td><textarea name="msg" rows="10" cols="80" wrap="soft"><% Web.html (#msg req) %></textarea></td> </tr>
177<tr> <td><input type="submit" value="Save"></td> </tr>
178</table>
179</form>
180
181<% elseif $"save" <> "" then
182 showNormal := false;
183 Group.requireGroupName "server";
184 val id = Web.stoi ($"save");
185 val req = Sec.Req.lookup id;
186 val oldStatus = #status req;
187 val newStatus = Sec.Req.statusFromInt (Web.stoi ($"status"));
3d2ed222 188 Sec.Req.modify {req with node = nodeNum, data = $"req", msg = $"msg", status = newStatus};
189 if not (Sec.Req.notifyMod {old = oldStatus, new = newStatus, changer = Init.getUserName(), req = id}) then
190 %><h3>Error sending e-mail notification</h3><%
dfb0d0d7 191 end
b6dd1aaf 192 %><h3>Request modified</h3>
193 Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>
194
195<% elseif $"del" <> "" then
196 showNormal := false;
197 Group.requireGroupName "server";
198 val id = Web.stoi ($"del");
199 val req = Sec.Req.lookup id;
200 val user = Init.lookupUser (#usr req)
3d2ed222 201 %><h3>Are you sure you want to delete request by <% #name user %> for "<% #data req %>" on <% Web.html (Init.nodeName (#node req)) %>?</h3>
202 <a href="sec?del2=<% id %>">Yes, I'm sure!</a>
203
204<% elseif $"del2" <> "" then
205 showNormal := false;
206 Group.requireGroupName "server";
207 val id = Web.stoi ($"del2");
208 Sec.Req.delete id
b6dd1aaf 209 %><h3>Request deleted</b><h3>
210 Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>
211
212<% end;
213
214if showNormal then %>
215
216<table class="blanks">
217<form action="sec" method="post">
218<input type="hidden" name="uname" value="<% Web.html uname %>">
219<tr> <td>Machines:</td> <td><select name="node">
220<% foreach node in Init.listNodes () do %>
221 <option value="<% #id node %>"<% if nodeNum = #id node then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
222<% end %></select></td>
223<td><input type="submit" value="Switch"></td> </tr>
224</form>
dfb0d0d7 225<form action="sec" method="post">
226<input type="hidden" name="node" value="<% nodeNum %>">
227<tr> <td>Your users:</td> <td><select name="uname">
228<% foreach name in (yourname :: Sec.findSubusers yourname) do %>
229 <option value="<% name %>"<% if uname = name then %> selected<% end %>><% name %></option>
230<% end %></select></td>
231<td><input type="submit" value="Switch"></td> </tr>
232</form>
233</table>
dfb0d0d7 234
a4adbfb9 235<!--h3>Request socket permissions change</h3>
dfb0d0d7 236
237<p>You need to request socket permissions before you are able to open any network connections. While you will be limited by firewall rules even then, any requests for firewall rules you enter in the "Reason" blank here <b>will be ignored</b>. Please use the separate form at the bottom of this page for that. There is no need to wait until a request for socket permissions has been granted before starting to request firewall rules.</p>
238
239<p>Keep in mind that, if your request is granted, it will never apply to existing log-in sessions. Close them and re-connect to take advantage of your new privileges.</p>
240
dfb0d0d7 241<form action="sec" method="post">
3d2ed222 242<input type="hidden" name="node" value="<% nodeNum %>">
243<input type="hidden" name="uname" value="<% uname %>">
244<input type="hidden" name="cmd" value="socks">
245<table class="blanks">
246<tr> <td>New permissions:</td> <td><select name="socks">
247 <option value="none"<% if socks = Sec.NADA then %> selected<% end %>>None</option>
248 <option value="any"<% if socks = Sec.ANY then %> selected<% end %>>Any</option>
249 <option value="client"<% if socks = Sec.CLIENT_ONLY then %> selected<% end %>>Client only</option>
250 <option value="server"<% if socks = Sec.SERVER_ONLY then %> selected<% end %>>Server only</option>
251</select></td> </tr>
b6dd1aaf 252<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
253<tr> <td><input type="submit" value="Request"></td> </tr>
254</table>
255</form>
256
b6dd1aaf 257<h3>Request change to your execute permissions</h3>
258
259<form action="sec" method="post">
3d2ed222 260<input type="hidden" name="node" value="<% nodeNum %>">
261<input type="hidden" name="uname" value="<% uname %>">
262<input type="hidden" name="cmd" value="tpe">
263<table class="blanks">
264<tr> <td>Trusted path executables only?</td> <td><select name="tpe">
265 <option value="no"<% if not tpe then %> selected<% end %>>No</option>
266 <option value="yes"<% if tpe then %> selected<% end %>>Yes</option>
267</select></td> </tr>
b6dd1aaf 268<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
269<tr> <td><input type="submit" value="Request"></td> </tr>
270</table>
a4adbfb9 271</form-->
dfb0d0d7 272
b6dd1aaf 273<h3>Request change to your <tt>cron</tt> permissions</h3>
274
275<form action="sec" method="post">
3d2ed222 276<input type="hidden" name="node" value="<% nodeNum %>">
277<input type="hidden" name="uname" value="<% uname %>">
278<input type="hidden" name="cmd" value="cron">
279<table class="blanks">
280<tr> <td>Allowed to use cron?</td> <td><select name="cron">
18eeb749 281 <option value="no"<% if not cron then %> selected<% end %>>No</option>
282 <option value="yes"<% if cron then %> selected<% end %>>Yes</option>
283</select></td> </tr>
b6dd1aaf 284<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
285<tr> <td><input type="submit" value="Request"></td> </tr>
286</table>
287</form>
288
3d2ed222 289<% val rules = Sec.findFirewallRules {node = nodeNum, uname = uname};
290switch rules of
291 _::_ => %>
b6dd1aaf 292<h3>Your firewall rules</h3>
293
294<% foreach rule in rules do %>
295<form action="sec" method="post">
3d2ed222 296<input type="hidden" name="node" value="<% nodeNum %>">
297<input type="hidden" name="uname" value="<% uname %>">
298<input type="hidden" name="modRule" value="<% Web.html rule %>">
e2fec46e 299<label>Node: <% nodeName %> <input name="rule" value="<% Web.html rule %>"></label>
300<a href="sec?delRule=<% Web.urlEncode rule %>">[Request deletion]</a>
301<input type="submit" value="Request change">
302</form><br>
303<% end
304end%>
305
306<h3>Request a new firewall rule</h3>
307
d5cb549c 308<p>You can find a description of rule formats <a href="http://wiki.hcoop.net/FirewallRules">on our wiki</a>. Enter here the rule you want, without the initial <tt>user</tt> portion. We also <a href="http://wiki.hcoop.net/FirewallRules#Common_Rules">allow all members access to some services</a> if they are commonly requested.</p>
e510b9bd 309
e510977b 310<p>When requesting a <tt>Server</tt> or <tt>ProxiedServer</tt> rule, use a port above <tt>50000</tt> (there is a list of <a href="http://wiki.hcoop.net/AllocatedFirewallPorts">allocated ports</a>). We may grant <tt>Server</tt> requests for ports under <tt>50000</tt> if it can be justified, but never for a <tt>ProxiedServer</tt>.</p>
18eeb749 311
312<p>We very rarely grant requests for Client rules that don't include remote host whitelists. For example, important security concerns make it a bad idea for us to give anybody blanket IRC permissions. Instead, request specific servers. We will refuse such requests that include networks that are popularly considered fronts for illegal activity.</p>
313
e510b9bd 314<form action="sec" method="post">
3d2ed222 315<input type="hidden" name="node" value="<% nodeNum %>">
316<input type="hidden" name="uname" value="<% uname %>">
317<input type="hidden" name="cmd" value="rule">
318<table class="blanks">
319<tr> <td>Rule</td> <td><input name="rule" size="80"></td> </tr>
320<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
321<tr> <td><input type="submit" value="Request"></td> </tr>
322</table>
1bb18394 323</form>
e510b9bd 324
325<% end %>
326
327<% @footer[] %>
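Review bot: The server-group views print `#data req` unescaped (lines 122 and 143 in the open/list loops, and line 201 in the delete confirmation), yet that string is assembled at lines 27, 92 and 104 from request parameters such as `$"socks"`, `$"modRule2"` and `$"rule"` that never pass `Sec.validRule`, so any member can store markup that renders for whoever reviews requests; each of those cells should read `<td><% Web.html (#data req) %></td>`, and line 201 likewise needs `Web.html (#data req)` and `Web.html (#name user)`. The same inconsistency applies to `uname`, which comes straight from `$"uname"` at line 9 and is escaped at line 218 but emitted raw into the hidden inputs at lines 243, 261, 277, 297 and 316, and to `<% nodeName %>` at line 299 where every other site uses `Web.html nodeName`. The `modRule2` branch at line 91 also skips the `Sec.validRule rule` gate that the rule and rule2 branches apply at lines 61 and 71, so a modification request can carry an arbitrary string into the same admin view. Unless something inside `Init` or `Sec` enforces it, nothing on this page checks that the requested `uname` is `yourname` or one of `Sec.findSubusers yourname` (the set the form offers at line 228), so a request can be filed against another member's user — worth confirming against the Sec module. Finally, the confirmation links at lines 25, 37, 49, 63, 89, 102 and 202 (and `sec?del=` at line 128) perform state changes via plain GET without any per-session token, so unless the framework adds one, these are trivially triggerable cross-site; posting them from a form with a hidden token would close that.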