Changeset 223 for branches

Timestamp:

04/13/05 17:23:47 (20 years ago)

Author:

Kris Deugau

Message:

/branches/acl

All access to add new records should be ACL-ified. Users without
the "a" ACL option cannot add a new master block, or click the
"Add new assignment" link; the links aren't there to click.
They cannot assign existing free blocks; the link has been
removed. Checks are also done later in the processing to make
sure that a crafted URL can't get around the restrictions.

printHeader() in CommonWeb.pm has been updated to allow replacement
of arbitrary elements in the header.inc file. It is now called
*once* at the beginning of main.cgi to allow the "Add new assignment"
link to be disabled.

A new sub, exitError(), has been added to deal with the (rare)
case where the code must exit with an error before anything (like
HTTP headers, as required for CGI) has been printed.

Location:

branches/acl

Files:

• addmaster.html (modified) (2 diffs)
• cgi-bin/CommonWeb.pm (modified) (1 diff)
• cgi-bin/main.cgi (modified) (20 diffs)
• header.inc (modified) (1 diff)
• index.shtml (modified) (1 diff)

branches/acl/addmaster.html

@@ -1 @@
-<!--#include virtual="header.inc" -->
 <div class="indent">
 <div class="heading">Add new master IP block</div><br>
@@ -11 +10 @@
 </table>
 </div>
-<!--#include virtual="footer.inc" -->

branches/acl/cgi-bin/CommonWeb.pm

@@ -53 +53 @@
 }
 
-sub printHeader($) #(cgiurl)
-{
-        my $cgiURL = $_[0];
-        print "Content-type: text/html\n\n";
-        open(FILE, "../header.inc") || die $!;
-        while (<FILE>) 
-        {
-                $_ =~ s/\$\$CGIURL\$\$/$cgiURL/g;
-                print $_;
-        }
-        close(FILE);
+
+sub printHeader {
+  my $title = shift;
+  print "Content-type: text/html\n\n";
+# This doesn't work well.  Must investigate.
+#  my $realm = shift;
+#  print qq(WWW-Authenticate: Basic realm="$realm"\n) if $realm;
+  open FILE, "../header.inc"
+        or carp $!;
+  my $html = join('',<FILE>);
+  close FILE;
+
+  $html =~ s/\$\$TITLE\$\$/$title/;
+# Necessary for mangling arbitrary bits of the header
+  my $i=0;
+  while (defined(my $param = shift)) {
+    $html =~ s/\$\$EXTRA$i\$\$/$param/g;
+    $i++;
+  }
+  print $html;
 }
 

branches/acl/cgi-bin/main.cgi

@@ -22 +22 @@
 openlog "IPDB","pid","local2";
 
-# Present HTTP AUTH headers, as well as opening content-type.
-#print 'WWW-Authenticate: Basic realm="ViaNet IP Database"\n';
-# Collect the username from HTTP auth.  If undefined, we're in a test environment.
+# Collect the username from HTTP auth.  If undefined, we're in
+# a test environment, or called without a username.
 my $authuser;
 if (!defined($ENV{'REMOTE_USER'})) {
@@ -41 +40 @@
 ($ip_dbh,$errstr) = connectDB_My;
 if (!$ip_dbh) {
-  printAndExit("Database error: $errstr\n");
+  exitError("Database error: $errstr\n");
 }
 initIPDBGlobals($ip_dbh);
+
+# Headerize!  Make sure we replace the $$EXTRA0$$ bit as needed.
+printHeader('', ($IPDBacl{$authuser} =~ /a/ ?
+        '<a href="/ip/cgi-bin/main.cgi?action=assign">Add new assignment</a>' : ''
+        ));
+
 
 #prototypes
@@ -66 +71 @@
 if($webvar{action} eq 'index') {
   showSummary();
+} elsif ($webvar{action} eq 'addmaster') {
+  if ($IPDBacl{$authuser} !~ /a/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+  } else {
+    open HTML, "<../addmaster.html";
+    print while <HTML>;
+  }
 } elsif ($webvar{action} eq 'newmaster') {
-  printHeader('');
-
-  my $cidr = new NetAddr::IP $webvar{cidr};
-
-  print "<div type=heading align=center>Adding $cidr as master block....</div>\n";
-
-  # Allow transactions, and raise an exception on errors so we can catch it later.
-  # Use local to make sure these get "reset" properly on exiting this block
-  local $ip_dbh->{AutoCommit} = 0;
-  local $ip_dbh->{RaiseError} = 1;
-
-  # Wrap the SQL in a transaction
-  eval {
-    $sth = $ip_dbh->prepare("insert into masterblocks values ('$webvar{cidr}')");
-    $sth->execute;
+
+  if ($IPDBacl{$authuser} !~ /a/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+  } else {
+
+    my $cidr = new NetAddr::IP $webvar{cidr};
+
+    print "<div type=heading align=center>Adding $cidr as master block....</div>\n";
+
+    # Allow transactions, and raise an exception on errors so we can catch it later.
+    # Use local to make sure these get "reset" properly on exiting this block
+    local $ip_dbh->{AutoCommit} = 0;
+    local $ip_dbh->{RaiseError} = 1;
+
+    # Wrap the SQL in a transaction
+    eval {
+      $sth = $ip_dbh->prepare("insert into masterblocks values ('$webvar{cidr}')");
+      $sth->execute;
 
 # Unrouted blocks aren't associated with a city (yet).  We don't rely on this
@@ -87 +102 @@
 # Thus the "routed" flag.
 
-    $sth = $ip_dbh->prepare("insert into freeblocks (cidr,maskbits,city,routed)".
+      $sth = $ip_dbh->prepare("insert into freeblocks (cidr,maskbits,city,routed)".
         " values ('$webvar{cidr}',".$cidr->masklen.",'<NULL>','n')");
-    $sth->execute;
-
-    # If we get here, everything is happy.  Commit changes.
-    $ip_dbh->commit;
-  }; # end eval
-
-  if ($@) {
-    carp "Transaction aborted because $@";
-    eval { $ip_dbh->rollback; };
-    syslog "err", "Could not add master block '$webvar{cidr}' to database: '$@'";
-    printError("Could not add master block $webvar{cidr} to database: $@");
-  } else {
-    print "<div type=heading align=center>Success!</div>\n";
-    syslog "info", "$authuser added master block $webvar{cidr}";
-  }
+      $sth->execute;
+
+      # If we get here, everything is happy.  Commit changes.
+      $ip_dbh->commit;
+    }; # end eval
+
+    if ($@) {
+      carp "Transaction aborted because $@";
+      eval { $ip_dbh->rollback; };
+      syslog "err", "Could not add master block '$webvar{cidr}' to database: '$@'";
+      printError("Could not add master block $webvar{cidr} to database: $@");
+    } else {
+      print "<div type=heading align=center>Success!</div>\n";
+      syslog "info", "$authuser added master block $webvar{cidr}";
+    }
+
+  } # ACL check
 
 } # end add new master
@@ -117 +134 @@
 }
 elsif($webvar{action} eq 'search') {
-  printHeader('');
   if (!$webvar{input}) {
     # No search term.  Display everything.
@@ -155 +171 @@
 # which is not in any way guaranteed to provide anything useful.
 else {
-  printHeader('');
   my $rnd = rand 500;
   my $boing = sprintf("%.2f", rand 500);
@@ -394 +409 @@
 # Initial display:  Show master blocks with total allocated subnets, total free subnets
 sub showSummary {
-  # this is horrible-ugly-bad and will Go Away real soon now(TM)
-  print "Content-type: text/html\n\n";
 
   startTable('Master netblock', 'Routed netblocks', 'Allocated netblocks',
@@ -451 +464 @@
   print "</table>\n";
   if ($IPDBacl{$authuser} =~ /a/) {
-    print qq(<a href="/ip/addmaster.shtml">Add new master block</a><br><br>\n);
+    print qq(<a href="/ip/cgi-bin/main.cgi?action=addmaster">Add new master block</a><br><br>\n);
   }
   print "Note:  Free blocks noted here include both routed and unrouted blocks.\n";
@@ -464 +477 @@
 # else should follow.  YMMV.)
 sub showMaster {
-  printHeader('');
 
   print qq(<center><div class="heading">Summarizing routed blocks for ).
@@ -577 +589 @@
 # not have anything useful to spew.
 sub showRBlock {
-  printHeader('');
 
   my $master = new NetAddr::IP $webvar{block};
@@ -649 +660 @@
     # Include some HairyPerl(TM) to prefix subblocks with "Sub "
     my @row = ((($data[1] ne 'y' && $data[1] ne 'n') ? 'Sub ' : '').
-        qq(<a href="/ip/cgi-bin/main.cgi?action=assign&block=$cidr&fbtype=$data[1]">$cidr</a>),
+        ($IPDBacl{$authuser} =~ /a/ ? qq(<a href="/ip/cgi-bin/main.cgi?action=assign&block=$cidr&fbtype=$data[1]">$cidr</a>) : $cidr),
         $cidr->range);
     printRow(\@row, 'color1') if ($count%2 == 0);
@@ -662 +673 @@
 # List the IPs used in a pool
 sub listPool {
-  printHeader('');
 
   my $cidr = new NetAddr::IP $webvar{pool};
@@ -725 +735 @@
 # be one of two templates, and the lists come from the database.
 sub assignBlock {
-  printHeader('');
+
+  if ($IPDBacl{$authuser} !~ /a/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+    return;
+  }
 
   my $html;
@@ -803 +817 @@
 # Take info on requested IP assignment and see what we can provide.
 sub confirmAssign {
-  printHeader('');
+  if ($IPDBacl{$authuser} !~ /a/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+    return;
+  }
 
   my $cidr;
@@ -962 +979 @@
 # Do the work of actually inserting a block in the database.
 sub insertAssign {
+  if ($IPDBacl{$authuser} !~ /a/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+    return;
+  }
   # Some things are done more than once.
-  printHeader('');
   return if !validateInput();
 
@@ -1061 +1081 @@
 # action=edit
 sub edit {
-  printHeader('');
 
   my $sql;
@@ -1137 +1156 @@
 # action=update
 sub update {
-  printHeader('');
 
   # Make sure incoming data is in correct format - custID among other things.
@@ -1198 +1216 @@
 # Delete an allocation.
 sub remove {
-  printHeader('');
   #show confirm screen.
   open HTML, "../confirmRemove.html"
@@ -1288 +1305 @@
 # Remove IPs from pool listing if necessary
 sub finalDelete {
-  printHeader('');
 
   my ($code,$msg) = deleteBlock($ip_dbh, $webvar{block}, $webvar{alloctype});
@@ -1311 +1327 @@
 
 
+sub exitError {
+  my $errStr = $_[0];
+  printHeader('','');
+  print qq(<center><p class="regular"> $errStr </p>
+<input type="button" value="Back" onclick="history.go(-1)">
+</center>
+);
+  printFooter();
+  exit;
+} # errorExit
+
+
 # Just in case we manage to get here.
 exit 0;

branches/acl/header.inc

@@ -51 +51 @@
 <input type="button" value=" Help? " onclick="openHelp()" class="regular">
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
-<a href="/ip/cgi-bin/main.cgi?action=assign">Add new assignment</a>
+$$EXTRA0$$
 </td>
 </form>

branches/acl/index.shtml

@@ -1 @@
-<!--#include file="header.inc"-->
 <!--#include virtual="/ip/cgi-bin/main.cgi?action=index" -->