[Netpass-devel] NetPass/www/htdocs/Admin gencfg.mhtml,1.9,1.10 greset.mhtml,1.2,1.3 index.mhtml,1.7,
From: jeff m. <jef...@us...> - 2005-04-27 03:54:21
Update of /cvsroot/netpass/NetPass/www/htdocs/Admin In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv26183/www/htdocs/Admin Modified Files: gencfg.mhtml greset.mhtml index.mhtml lockcfg.mhtml mr.mhtml qc.mhtml urlfilter.mhtml Log Message: working thru forms, making sure per-network admin functionality is implemented Index: lockcfg.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/lockcfg.mhtml,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- lockcfg.mhtml 25 Apr 2005 19:15:03 -0000 1.2 +++ lockcfg.mhtml 27 Apr 2005 03:54:07 -0000 1.3 @@ -28,7 +28,7 @@ -user => $m->session->{'username'}); if ($rv) { # fail - print "NOK lock $rv\n"; + print "NOK lock force err=$rv\n"; } else { # success print "OK lock\n"; @@ -45,7 +45,7 @@ } elsif ($lstat) { # an error occurred - print "NOK lock $lstat\n"; + print "NOK lock isConfigLockedErr $lstat\n"; } else { # config is not locked, lock it @@ -54,7 +54,7 @@ -user => $m->session->{'username'}); if ($rv) { # fail - print "NOK lock $rv\n"; + print "NOK lock err=$rv\n"; } else { # success print "OK lock\n"; Index: mr.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/mr.mhtml,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- mr.mhtml 24 Apr 2005 03:42:03 -0000 1.7 +++ mr.mhtml 27 Apr 2005 03:54:07 -0000 1.8 
@@ -26,25 +26,31 @@ Fill in <B>all</B> of the fields. -In the event that someone is <code>multi_mac</code> quarantined (e.g. due to linksys) or +In the event that someone is <code>multi_mac</code> quarantined (e.g. due to using a mini-switch) or for any other reasonable circumstances, you can: <ol> -<li> determine the mac/ip that needs to be registered -<LI> enter those (along with the end users username) into the manual -registration page -<LI> click 'register'. the record will be entered with a default status of -quarantined. -<LI> click 'quar control' (left side) -<LI> search for the record you just made and change its status to -something reasonable (e.g. unquar or punquar) +<li> Determine the mac/ip that needs to be registered, +<LI> Enter those (along with the end user's username) into the manual +registration page, +<LI> Click 'Register'. The record will be entered with a default status of +quarantined, +<LI> Click 'Quar Control' (left side), +<LI> Search for the record you just made and change its status to +something reasonable (e.g. UNQUAR or PUNQUAR). </ol> <%perl> -if (! $m->comp('/Admin/MemberOf', 'group' => [ 'Admin', 'QuarAdmin' ]) ) { - print $q->p({-class=>'error'}, "Sorry, permission denied.<BR>(You must be an Admin or in the QuarAdmin group)"); + +my @rwGroups = ('Admin', 'QuarAdmin'); + +my ($isRW, $rwGroups) = $m->comp('/Admin/MemberOf', 'acl' => [ @rwGroups ]); +my ($isRoot, $junk) = $m->comp('/Admin/MemberOf', 'acl' => [ 'Admin' ], 'group' => 'default'); + +if (! $isRW ) { + print $q->p({-class=>'error'}, "Sorry, you don't have access to this form.<P>"); return; } @@ -77,8 +83,7 @@ $q->textfield( -name => "mac", -value => $mac, - -filter => '/^\w{2}:{0,1}\w{2}:{0,1}\w{2}:{0,1}\w{2}:{ -0,1}\w{2}:{0,1}\w{2}$/', + -filter => '/^\w{2}:{0,1}\w{2}:{0,1}\w{2}:{0,1}\w{2}:{0,1}\w{2}:{0,1}\w{2}$/', -error => 'Please format the MAC Address in the forma t specified.' ). 
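Review bot: In the added `my ($isRW, $rwGroups) = $m->comp('/Admin/MemberOf', 'acl' => [ @rwGroups ]);` the new `@rwGroups` (the ACL names being asked for) and `$rwGroups` (whatever MemberOf hands back, which later in this file is dereferenced as an array ref) differ only by sigil, which makes the two easy to confuse when reading the permission logic further down. Give the request list its own name, e.g. `my @rwAcls = ('Admin', 'QuarAdmin');` with `'acl' => [ @rwAcls ]`, and drop the placeholder variable on the next line with `my ($isRoot) = $m->comp(...)` instead of `($isRoot, $junk)`. The `<%perl>` block this code sits in continues past the end of the hunk.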
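Review bot: The rejoined `-filter` pattern in the `@@ -77,8 +83,7 @@` hunk still uses `\w{2}` for every octet, so it accepts underscores and non-hex letters (a value like `zz:zz:zz:zz:zz:zz` passes) even though the `-error` text promises a formatted MAC address. If this filter is the check the page relies on before `NetPass::padMac($mac)` is called, tighten each octet to `[0-9A-Fa-f]{2}` and anchor with `\A`/`\z`; whether padMac rejects malformed input itself is not visible here. The enclosing `$q->textfield(...)` call begins and ends outside the hunk.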
@@ -113,10 +118,29 @@ return if(!$register); if ($register) { - my $err = saveReg($np->db->{'dbh'}, NetPass::padMac($mac), $ip, $uid); + # enforce IP address restrictions + + my $nw = $np->cfg->getMatchingNetwork(-ip => $ip); + my $err = ''; + + if (!defined($nw) || ($nw eq "none")) { + $err = "The network ($nw) that the address ($ip) is a part of, is not managed by NetPass."; + } + + if ( ! $isRoot ) { + my $netgroup = $np->cfg->getNetgroup($nw); + if ( !grep(/^$nw$/, @$rwGroups) && !grep(/^$netgroup$/, @$rwGroups) ) { + $err = "You don't have permission to register an IP address on the $nw network."; + } + } + + $err = saveReg($np->db->{'dbh'}, NetPass::padMac($mac), $ip, $uid) if ($err eq ""); + + $err = "This MAC address (".NetPass::padMac($mac).") is already registered." + if ($err =~ /duplicate/i); + if ($err ne "") { print $q->p({-class => "error"}, $err); - print "Anything that mentions 'duplicate entry' means that this mac address is already registered.<P>\n"; } else { </%perl> Registration successful for <PRE><%$uid%> <%$mac%> <%$ip%></PRE> Index: index.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/index.mhtml,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- index.mhtml 25 Apr 2005 05:52:26 -0000 1.7 +++ index.mhtml 27 Apr 2005 03:54:07 -0000 1.8 @@ -16,7 +16,7 @@ <%perl> my $comma = ""; foreach my $grp (sort keys %{$m->session->{'my_groups'}}) { - print "$grp (".join(', ', @{$m->session->{'my_groups'}->{$grp}}).")$comma "; + print "$grp (".join(', ', sort @{$m->session->{'my_groups'}->{$grp}}).")$comma "; $comma = ","; } } else { Index: qc.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/qc.mhtml,v retrieving revision 1.16 retrieving revision 1.17 diff -u -d -r1.16 -r1.17 --- qc.mhtml 24 Apr 2005 03:42:03 -0000 1.16 +++ qc.mhtml 27 Apr 2005 03:54:08 -0000 1.17 
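Review bot: The added authorization test `!grep(/^$nw$/, @$rwGroups) && !grep(/^$netgroup$/, @$rwGroups)` interpolates the network name and netgroup into a regex unescaped, so any metacharacter in those names (a `.` in a dotted network name, for instance) alters what the membership check matches; compare exactly instead, `!grep { $_ eq $nw } @$rwGroups && !grep { $_ eq $netgroup } @$rwGroups`, or at least wrap the values in `\Q...\E`. The identical construct appears in qc.mhtml's `@@ -510,6 +525,22 @@` hunk and should be changed the same way. Separately, when `getMatchingNetwork` returns undef the message `"The network ($nw) ..."` interpolates an undefined value and `$nw` is still passed to `getNetgroup`, and the following `if ( ! $isRoot )` block overwrites that message with a permission error, so a non-root user never learns that the address is unmanaged; guarding it with `if ($err eq "" && !$isRoot)` keeps the first failure visible. The `if ($register)` block continues outside this hunk.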
@@ -30,14 +30,19 @@ my $readOnly = "disabled"; my @aclGroups = (); -if (@aclGroups = $m->comp('/Admin/MemberOf', 'acl' => [ @rwGroups ])) { +my ($isRW, $rwGroups) = $m->comp('/Admin/MemberOf', 'acl' => [ @rwGroups ]); +my ($isRO, $roGroups) = $m->comp('/Admin/MemberOf', 'acl' => [ @roGroups ]); +my ($isRoot, $junk) = $m->comp('/Admin/MemberOf', 'acl' => [ 'Admin' ], 'group' => 'default'); + +if ( $isRW ) { $readOnly = ""; -} elsif (@aclGroups = $m->comp('/Admin/MemberOf', 'acl' => [ @roGroups ])) { +} +elsif ( $isRO ) { $readOnly = "disabled"; -} else { +} +else { print $q->p({-class=>'error'}, - "Sorry, permission denied.<BR>You must be in one of these groups: ", - join(',', @rwGroups, @roGroups)); + "Sorry, you don't have permission to access this form.<P>"); return; } @@ -50,12 +55,18 @@ The "IP Address" field is the address that the client had <I>when they first registered</I>. It is <B>not necessarily</B> the address they have right now. So when quarantining a host, you -should really be searching by MAC Address. To translate a currently assigned IP Address +should really be searching by MAC Address. + +% use Sys::Hostname; +% if (hostname =~ /buffalo\.edu$/) { +To translate a currently assigned IP Address into a MAC address, you can use some of the other tools available until we are able to better integrate them into UB NetPass. <P> These tools might require additional access. If you get an access denied, click on the "Apply for an account" link and apply for a "Network Documentation" account. <P> +%} + <ul> @@ -169,7 +180,7 @@ if($submit) { if ($readOnly eq "") { - my $sqr = saveQuarChanges($np->db->{'dbh'},\%ARGS, $ids); + my $sqr = saveQuarChanges($np->db->{'dbh'}, \%ARGS, $ids, $isRoot, $rwGroups, $roGroups); if ($sqr ne "") { print $q->p({-class=>"error"}, $sqr); } @@ -433,6 +444,10 @@ my $dbh = shift; my $args = shift; my $ids = shift; + my $isRoot = shift; + my $rwGroups = shift; + my $roGroups = shift; + my $D = 0; if(!(ref($ids) =~ /ARRAY/) ) { 
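Review bot: `my @aclGroups = ();` on the first context line is now dead code: both removed lines were its only assignments and the new code keeps MemberOf's results in `$rwGroups`/`$roGroups`, so the declaration should go. As in mr.mhtml, `@rwGroups`/`@roGroups` (the ACLs requested) and `$rwGroups`/`$roGroups` (what MemberOf returns) now differ only by sigil, and `$junk` can be avoided with `my ($isRoot) = $m->comp(...)`. The `<%perl>` block continues outside the hunk.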
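Review bot: The `% if (hostname =~ /buffalo\.edu$/) {` guard added in the `@@ -50,12 +55,18 @@` hunk hard-codes one deployment's domain into the template, so other installations silently lose or keep this help text depending on their hostname rather than on a setting. A configuration value read through `$np->cfg` (I cannot tell from the hunk whether one exists) would make the behaviour explicit, and would also remove the `% use Sys::Hostname;` line, a compile-time `use` that runs regardless of where it sits in the page. The closing `%}` would read better as `% }` to match the opening line.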
@@ -510,6 +525,22 @@ print "</UL>\n" if $D; next if ( $m_unc && $s_unc && $u_unc ); + # we're being somewhat trusting here. to be thorough, refetch IP from + # db based on mac + + my $nw = $np->cfg->getMatchingNetwork(-ip => $args->{"ipAddr:$mac"}); + my $netgroup = $np->cfg->getNetgroup($nw); + + if ($nw eq "none") { + print qq{<p class='error'>Update failed for $mac because it's network is unknown to NetPass.</P>}; + next; + } + + if ( !$isRoot && !grep(/^$nw$/, @$rwGroups) && !grep(/^$netgroup$/, @$rwGroups) ) { + print qq{<P class='error'>Update failed for $mac because you don't have the proper permissions for it's network ($nw)</P>}; + next; + } + if($D) { print "<PRE>[debugging output - ignore this]\n"; print "mac ".$mac."\n"; @@ -545,7 +576,8 @@ } else { push @params, $args->{"message:$mac"}; $resultsRV = $np->db->addResult(-mac => $mac, -type => 'manual', - -id => $args->{"message:$mac"}); + -force => 1, + -id => $args->{"message:$mac"}); } } 
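Review bot: The network-permission check added here derives `$nw` from `$args->{"ipAddr:$mac"}`, a value taken from the submitted form, as the new comment itself admits; since that value decides which network and therefore which group may change the record, the stored IP for `$mac` should be read from the database before calling `getMatchingNetwork`, with the submitted field used only for display. Also, `if ($nw eq "none")` lacks the `!defined($nw)` guard that mr.mhtml applies to the same call, so an undef return warns and then falls through to the grep test. Both `<P class='error'>` messages say `it's network` where the possessive `its` is meant. The loop inside `saveQuarChanges` that contains this code starts and ends outside the hunk.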
@@ -610,20 +642,20 @@ if($rv) { $rv = ""; my $ipAddr = $args->{"ipAddr:$mac"}; - print qq{Database update succeeded for mac address "$mac" ($ipAddr)<P>}; + print qq{<P class='error'>Database update succeeded for mac address "$mac" ($ipAddr)</P>}; _log("DEBUG", "$mac $ipAddr record updated.\n"); my ($sw, $po, $m2p, $p2m) = $np->findOurSwitchPort($mac, $ipAddr); if (!defined($sw) || !defined($po)) { - $rv = "not found on network. port reset failed."; + $rv = "not found on network. Port reset failed."; _log("DEBUG", "$mac $ipAddr $rv\n"); $np->db->audit(-mac => $mac, -ip => $args->{'ip'}, -user => $m->session->{'username'}, -msg => [ "QC: $rv " ]); - $rv = qq{mac address "$mac" $rv}; + $rv = qq{MAC address "$mac" $rv}; } else { _log("DEBUG", "$mac $ipAddr found. quarantining $sw $po\n"); if (! $np->db->requestMovePort(-switch => $sw, Index: gencfg.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/gencfg.mhtml,v retrieving revision 1.9 retrieving revision 1.10 diff -u -d -r1.9 -r1.10 --- gencfg.mhtml 25 Apr 2005 02:52:48 -0000 1.9 +++ gencfg.mhtml 27 Apr 2005 03:54:07 -0000 1.10 @@ -5,6 +5,16 @@ # (c) 2004 University at Buffalo. # Available under the "Artistic License" # http://www.gnu.org/licenses/license-list.html#ArtisticLicense + +NAME + + General Configuration + +PERMISSIONS + + RO: NONE + RW: Must be member of default/Admin + </%doc> <%args> Index: greset.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/greset.mhtml,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- greset.mhtml 12 Apr 2005 16:17:28 -0000 1.2 +++ greset.mhtml 27 Apr 2005 03:54:07 -0000 1.3 
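Review bot: The first added line wraps `Database update succeeded for mac address "$mac" ($ipAddr)` in `<P class='error'>`, so a successful update is rendered with the error styling; a neutral notice class or a plain `<P>` fits the message. The same line interpolates `$ipAddr`, which is `$args->{"ipAddr:$mac"}` from the submitted form, directly into HTML, and `$q->escapeHTML($ipAddr)` (likewise for `$mac`) would keep a malformed field value from being rendered as markup. The `if($rv)` block continues past the end of the hunk.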
@@ -39,20 +39,22 @@ <%perl> -if (! $m->comp('/Admin/MemberOf', 'group' => [ 'Admin' ]) ) { - print $q->p({-class=>'error'}, "Sorry, permission denied.<BR>(You must be an Admin)"); +my ($isRoot, $junk) = $m->comp('/Admin/MemberOf', 'acl' => [ 'Admin' ], 'group' => 'default'); + +if (! $isRoot ) { + print $q->p({-class=>'error'}, "Sorry, you don't have access to this form.<P>"); return; } if ($ARGS{'quarantineall'}) { $np->db->reqAppAction('quarall', 'start', ''); - $np->db->audit( -user => $m->session->{'logged_in'}, + $np->db->audit( -user => $m->session->{'username'}, -severity => "ALERT", -msg => [ "Activated Quarantine All Global Reset" ]); } elsif ($ARGS{'unquarantineall'}) { $np->db->reqAppAction('unquarall', 'start', ''); - $np->db->audit( -user => $m->session->{'logged_in'}, + $np->db->audit( -user => $m->session->{'username'}, -severity => "ALERT", -msg => [ "Activated Unquarantine All Global Reset" ]); } Index: urlfilter.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/urlfilter.mhtml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- urlfilter.mhtml 21 Apr 2005 16:33:01 -0000 1.1 +++ urlfilter.mhtml 27 Apr 2005 03:54:08 -0000 1.2 
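Review bot: The new `$isRoot` gate only controls who reaches the page; the `quarantineall`/`unquarantineall` branches below it still run on any request that carries the parameter, and nothing in this hunk ties that request to a deliberate form submission. For a global quarantine reset, checking `$q->request_method eq 'POST'` and a token kept in `$m->session` before `reqAppAction` is called would be worth adding unless that check lives elsewhere in the file, which I cannot see from here. Discard MemberOf's second value with `my ($isRoot) = $m->comp(...)` rather than naming it `$junk`. The `<%perl>` block continues outside the hunk.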
@@ -5,217 +5,31 @@ # Available under the "Artistic License" # http://www.gnu.org/licenses/license-list.html#ArtisticLicense -</%doc> +NAME + + URL Filter (SquidGuard Config) +PERMISSIONS + + RO: */Reports + RW: */Admin */ScanAdmin + +</%doc> <%args> </%args> - <script><!-- -setWhereAmI('Squid Config'); - -function deleteEntry (item, index) { - item.options[index] = null; -} - -function addEntry (item, text) { - var val = text.value - if (val != "") { - var opt = new Option(val, val) - item.options[item.options.length] = opt - text.value = ""; - } -} - -function gatherList(item, variable) { - var str = "" - - for (var i = 0; i < item.options.length; i++) { - str += "|"+item[i].value - } - variable.value = str - return true -} - +setWhereAmI('URL Filter'); --> </script> - <%perl> -use FileHandle; - -my $npcfg = $np->cfg(); -my $squidbasedir = $npcfg->{'cfg'}->obj('squid')->value('BASE_DIR'); - -my $SQUIDCONFFILE = "$squidbasedir/SquidGuard.conf"; -my $ALLOWEDURLS = "$squidbasedir/allowed_urls"; -my $ALLOWEDDOMAINS = "$squidbasedir/allowed_domains"; - -if ($ARGS{'action'}) { - writeConf($SQUIDCONFFILE, $ALLOWEDURLS, $ALLOWEDDOMAINS, \%ARGS); - $np->db->reqAppAction('squid', 'restart', '') -} - -my $data = readConf($SQUIDCONFFILE, $ALLOWEDURLS, $ALLOWEDDOMAINS); - -if (! 
$m->comp('/Admin/MemberOf', 'group' => [ 'Admin' ]) ) { - print $q->p({-class=>'error'}, "Sorry, permission denied.<BR>(You must be an Admin)"); - return; -} - -print $q->start_form(-name => 'form', -method => "POST"); -print "<h2>SquidGuard Configuration</h2>"; -print "<TABLE CLASS='gray' CELLSPACING=2 CELLPADDING=2 WIDTH=400 BORDER=0>"; -print "<TR><TH COLSPAN=2>Allowed Urls</TH>"; -print "<TH COLSPAN=2>Allowed Domains</TH></TR>"; - -print "<TR><TD CLASS='gray' ROWSPAN=6>"; -print $q->textfield ( - -name => 'newurl', - -size => '30', - ); -print $q->scrolling_list ( - -name => 'allowedurls', - -values => [sort @{$data->{allowed_urls}}], - -size => 9, - -style => 'width:223px;' - ); -print "</TD><TD CLASS='gray'>"; -print $q->button ( - -name => 'addurl', - -value => 'Add', - -onClick => "addEntry(document.form.allowedurls, - document.form.newurl); - return false;", - ); -print "</TD><TD ROWSPAN=6 CLASS='gray'>"; -print $q->textfield ( - -name => 'newdomain', - -size => '30', - ); -print "<BR>"; -print $q->scrolling_list ( - -name => 'alloweddomains', - -values => [sort @{$data->{allowed_domains}}], - -size => 9, - -style => 'width:223px;' - ); -print "</TD><TD CLASS='gray'>"; -print $q->button ( - -name => 'adddom', - -value => 'Add', - -onClick => "addEntry(document.form.alloweddomains, - document.form.newdomain); - return false;", - ); -print "</TD></TR>"; -print "<TR><TD CLASS='gray'> </TD><TD CLASS='gray'> </TD></TR>"; -print "<TR><TD CLASS='gray'> </TD><TD CLASS='gray'> </TD></TR>"; -print "<TR><TD CLASS='gray'> </TD><TD CLASS='gray'> </TD></TR>"; -print "<TR><TD CLASS='gray'> </TD><TD CLASS='gray'> </TD></TR>"; -print "<TR><TD CLASS='gray'>"; -print $q->button ( - -name => 'delurl', - -value => 'Del', - -onClick => "deleteEntry(document.form.allowedurls, - document.form.allowedurls.selectedIndex); - return false;", - ); -print "</TD><TD CLASS='gray'>"; -print $q->button ( - -name => 'deldom', - -value => 'Del', - -onClick => 
"deleteEntry(document.form.alloweddomains, - document.form.alloweddomains.selectedIndex); - return false;", - ); -print "</TD></TR><TR><TD CLASS='gray' COLSPAN=4> </TD></TR>"; -print "<TR><TD CLASS='gray' COLSPAN=4><B>Redirect</B><BR>"; -print $q->textfield ( - -name => 'redirect', - -value => $data->{redirect}, - -size => '40', - ); -print "</TD></TR>"; -print "</TABLE>"; -print "<input TYPE=\"hidden\" NAME=\"listad\" VALUE=\"$ARGS{'listad'}\">"; -print "<input TYPE=\"hidden\" NAME=\"listau\" VALUE=\"$ARGS{'listau'}\">"; -print $q->submit( - -name => 'action', - -value => 'Commit Changes', - -onClick => "return ( - gatherList(document.form.allowedurls, - document.form.listau) && - gatherList(document.form.alloweddomains, - document.form.listad));" - ); -print $q->end_form(); - -sub writeConf { - - use File::Copy; - - my($cf, $au, $ad, $args) = @_; - - my $AD = new FileHandle; - my $AU = new FileHandle; - my $CF = new FileHandle; - my @t; - - $AU->open("> $au"); - foreach (split(/\|/, $args->{'listau'})) { - next unless (/^\w+\.\w+\.{0,1}\w*\.{0,1}\w*$/); - print $AU $_."\n"; - } - $AU->close; - - $AD->open("> $ad"); - foreach (split(/\|/, $args->{'listad'})) { - next unless (/^\w+\.\w+\.{0,1}\w*\.{0,1}\w*$/); - print $AD $_."\n"; - } - $AD->close; - - $CF->open($cf); - @t = <$CF>; - $CF->close; - - $CF->open("> $cf"); - foreach (@t) { - if (/^\s+redirect\s302\:.+$/) { - print $CF "\tredirect 302:".$args->{'redirect'}."\n"; - next; - } - print $CF $_; - } - $CF->close; -} - -sub readConf { - my($cf, $au, $ad) = @_; - my $data = {}; - - my $AD = new FileHandle; - my $AU = new FileHandle; - my $CF = new FileHandle; - - $AD->open($ad); - while (<$AD>) { chomp; push @{$data->{allowed_domains}}, $_; } - $AD->close; +my ($isRO, $roGroups) = $m->comp('/Admin/MemberOf', 'acl' => [ 'Reports' ]); +my ($isRW, $rwGroups) = $m->comp('/Admin/MemberOf', 'acl' => [ 'Admin', 'ScanAdmin' ]); - $AU->open($au); - while (<$AU>) { chomp; push @{$data->{allowed_urls}}, $_; } - 
$AU->close; +if ( !$isRO && !$isRW ) { + print qq{<P class='error'>Sorry, you don't have access to this form.</P>}; + return; +} - $CF->open($cf); - while (<$CF>) { - if (/^\s+redirect\s302\:(.+)$/) { - $data->{redirect} = $1; - last; - } - } - $CF->close; - - return $data; -} </%perl> |
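Review bot: After this change `$roGroups`, `$rwGroups` and the RO/RW distinction itself are unused: `$isRO` and `$isRW` are only combined in `if ( !$isRO && !$isRW )`, so a Reports-only user is admitted with no read-only gating of the kind qc.mhtml sets up with `$readOnly`. If the SquidGuard form is to come back, decide the restriction now, e.g. `my $readOnly = $isRW ? "" : "disabled";`, rather than leaving both flags equivalent. The `<%doc>` PERMISSIONS lines state `RW: */Admin */ScanAdmin`, but the call `'acl' => [ 'Admin', 'ScanAdmin' ]` passes no `'group'` argument, so whether "any group" is what MemberOf defaults to cannot be confirmed from this hunk.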