Provide a possibility to regularly review the permissions in the system
This commit is contained in:
parent
a697caab01
commit
eea8ed0d51
2 changed files with 214 additions and 28 deletions
|
@ -21,19 +21,71 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|||
require_once(dirname(__FILE__).'/../../includes/mysql.php');
|
||||
|
||||
$BOARD_PRIVATE = 'cacert-board-private@lists.cacert.org';
|
||||
$ASSURANCE_OFFICER = 'ao@cacert.org';
|
||||
$ORGANISATION_ASSURANCE_OFFICER = 'oao@cacert.org';
|
||||
|
||||
|
||||
//defines to whom to send the lists
|
||||
$flags = array(
|
||||
'admin' => 'Support Engineer',
|
||||
'orgadmin' => 'Organisation Assurer',
|
||||
'board' => 'Board Member',
|
||||
'ttpadmin' => 'Trusted Third Party Admin',
|
||||
'tverify' => 'Tverify Admin',
|
||||
'locadmin' => 'Location Admin'
|
||||
'admin' => array(
|
||||
'name' => 'Support Engineer',
|
||||
'own' => false, //Don't send twice
|
||||
'board' => true,
|
||||
'support' => true,
|
||||
'ao' => false,
|
||||
'oao' => false
|
||||
),
|
||||
|
||||
'orgadmin' => array(
|
||||
'name' => 'Organisation Assurer',
|
||||
'own' => true,
|
||||
'board' => true,
|
||||
'support' => true,
|
||||
'ao' => true,
|
||||
'oao' => true
|
||||
),
|
||||
|
||||
'board' => array(
|
||||
'name' => 'Board Member',
|
||||
'own' => false,
|
||||
'board' => true,
|
||||
'support' => true,
|
||||
'ao' => true,
|
||||
'oao' => false
|
||||
),
|
||||
|
||||
'ttpadmin' => array(
|
||||
'name' => 'Trusted Third Party Admin',
|
||||
'own' => true,
|
||||
'board' => true,
|
||||
'support' => true,
|
||||
'ao' => true,
|
||||
'oao' => true
|
||||
),
|
||||
|
||||
'tverify' => array(
|
||||
'name' => 'Tverify Admin',
|
||||
'own' => false,
|
||||
'board' => true,
|
||||
'support' => true,
|
||||
'ao' => true,
|
||||
'oao' => false
|
||||
),
|
||||
|
||||
'locadmin' => array(
|
||||
'name' => 'Location Admin',
|
||||
'own' => false,
|
||||
'board' => true,
|
||||
'support' => true,
|
||||
'ao' => false,
|
||||
'oao' => false
|
||||
),
|
||||
);
|
||||
|
||||
$adminlist = array();
|
||||
|
||||
foreach ($flags as $flag => $description) {
|
||||
// Build up list of various admins
|
||||
$adminlist = array();
|
||||
foreach ($flags as $flag => $flag_properties) {
|
||||
$query = "select `fname`, `lname`, `email` from `users` where `$flag` = 1";
|
||||
if(! $res = mysql_query($query) ) {
|
||||
fwrite(STDERR,
|
||||
|
@ -45,52 +97,64 @@ foreach ($flags as $flag => $description) {
|
|||
continue;
|
||||
}
|
||||
|
||||
$admins = array();
|
||||
$adminlist[$flag] = "";
|
||||
$adminlist[$flag] = array();
|
||||
|
||||
while ($row = mysql_fetch_assoc($res)) {
|
||||
$admins[] = $row;
|
||||
$adminlist[$flag] .= "$row[fname] $row[lname] $row[email]\n";
|
||||
$adminlist[$flag][] = $row;
|
||||
}
|
||||
|
||||
foreach ($admins as $admin) {
|
||||
$message = <<<EOF
|
||||
|
||||
// Send mail to admins of this group if 'own' is set
|
||||
if ($flag_properties['own']) {
|
||||
foreach ($adminlist[$flag] as $admin) {
|
||||
$message = <<<EOF
|
||||
Hello $admin[fname],
|
||||
|
||||
you get this message, because you are listed as $description on
|
||||
you get this message, because you are listed as $flag_properties[name] on
|
||||
CAcert.org. Please review the following list of persons with the same privilege
|
||||
and report to the responsible team leader or board
|
||||
($BOARD_PRIVATE) if you spot any errors.
|
||||
|
||||
$adminlist[$flag]
|
||||
|
||||
EOF;
|
||||
|
||||
foreach ($adminlist[$flag] as $colleague) {
|
||||
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
|
||||
}
|
||||
|
||||
$message .= <<<EOF
|
||||
|
||||
|
||||
Best Regards,
|
||||
CAcert Support
|
||||
EOF;
|
||||
sendmail($admin['email'], "Permissions Review", $message, 'support@cacert.org');
|
||||
|
||||
sendmail($admin['email'], "Permissions Review", $message, 'support@cacert.org');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
// Send to support engineers
|
||||
$message = <<<EOF
|
||||
Dear Board Members,
|
||||
Dear Support Engineers,
|
||||
|
||||
it's time for the permission review again. Here is the list of privileged users
|
||||
in the CAcert web application. Please review them and also ask the persons
|
||||
responsible for an up-to-date copy of access lists not directly recorded in the
|
||||
web application (critical admins, software assessors etc.)
|
||||
in the CAcert web application. Please review them.
|
||||
|
||||
|
||||
EOF;
|
||||
|
||||
foreach ($flags as $flag => $description) {
|
||||
$message .= <<<EOF
|
||||
List of ${description}s:
|
||||
$adminlist[$flag]
|
||||
|
||||
EOF;
|
||||
foreach ($flags as $flag => $flag_properties) {
|
||||
if ($flag_properties['support']) {
|
||||
$message .= "List of $flag_properties[name]s:\n\n";
|
||||
foreach ($adminlist[$flag] as $colleague) {
|
||||
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
|
||||
}
|
||||
|
||||
$message .= "\n\n";
|
||||
}
|
||||
}
|
||||
|
||||
$message .= <<<EOF
|
||||
|
@ -99,4 +163,55 @@ Best Regards,
|
|||
CAcert Support
|
||||
EOF;
|
||||
|
||||
sendmail($BOARD_PRIVATE, "Permissions Review", $message, 'support@cacert.org');
|
||||
foreach ($adminlist['admin'] as $support_engineer) {
|
||||
sendmail(
|
||||
$support_engineer['email'],
|
||||
"Permissions Review",
|
||||
$message,
|
||||
'support@cacert.org');
|
||||
}
|
||||
|
||||
|
||||
// Send to one-email addresses
|
||||
foreach (array(
|
||||
'ao' => array(
|
||||
'description' => 'Assurance Officer',
|
||||
'email' => $ASSURANCE_OFFICER),
|
||||
'oao' => array(
|
||||
'description' => 'Organisation Assurance Officer',
|
||||
'email' => $ORGANISATION_ASSURANCE_OFFICER),
|
||||
'board' => array(
|
||||
'description' => 'Board Members',
|
||||
'email' => $BOARD_PRIVATE)
|
||||
) as $key => $values) {
|
||||
$message = <<<EOF
|
||||
Dear $values[description],
|
||||
|
||||
it's time for the permission review again. Here is the list of privileged users
|
||||
in the CAcert web application. Please review them and also ask the persons
|
||||
responsible for an up-to-date copy of access lists not directly recorded in the
|
||||
web application (critical admins, software assessors etc.)
|
||||
|
||||
|
||||
|
||||
EOF;
|
||||
|
||||
foreach ($flags as $flag => $flag_properties) {
|
||||
if ($flag_properties[$key]) {
|
||||
$message .= "List of $flag_properties[name]s:\n\n";
|
||||
foreach ($adminlist[$flag] as $colleague) {
|
||||
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
|
||||
}
|
||||
$message .= "\n\n";
|
||||
}
|
||||
}
|
||||
|
||||
$message .= <<<EOF
|
||||
|
||||
|
||||
Best Regards,
|
||||
CAcert Support
|
||||
EOF;
|
||||
|
||||
sendmail($values['email'], "Permissions Review", $message, 'support@cacert.org');
|
||||
}
|
||||
|
|
71
scripts/resetpermissions.php
Normal file
71
scripts/resetpermissions.php
Normal file
|
@ -0,0 +1,71 @@
|
|||
#!/usr/bin/php -q
|
||||
<?php
|
||||
/*
|
||||
LibreSSL - CAcert web application
|
||||
Copyright (C) 2004-2012 CAcert Inc.
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; version 2 of the License.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
*/
|
||||
|
||||
require_once(dirname(__FILE__).'/../includes/mysql.php');
|
||||
|
||||
$flags = array('board', 'tverify');
|
||||
|
||||
foreach ($flags as $flag) {
|
||||
echo "Resetting $flag flag:\n";
|
||||
$query = "select `id`, `fname`, `lname`, `email` from `users`
|
||||
where `$flag` = 1";
|
||||
if(! $res = mysql_query($query) ) {
|
||||
fwrite(STDERR,
|
||||
"MySQL query for flag $flag failed:\n".
|
||||
"\"$query\"\n".
|
||||
mysql_error()
|
||||
);
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
while ($row = mysql_fetch_assoc($res)) {
|
||||
echo "$row[fname] $row[lname] $row[email]";
|
||||
|
||||
$update = "update `users` set `$flag` = 0 where `id` = $row[id]";
|
||||
if(! $res2 = mysql_query($update) ) {
|
||||
echo " NOT RESET!!!\n";
|
||||
fwrite(STDERR,
|
||||
"MySQL query for $flag flag reset on user $row[id] failed:\n".
|
||||
"\"$update\"\n".
|
||||
mysql_error()
|
||||
);
|
||||
|
||||
} else {
|
||||
|
||||
$message = <<<EOF
|
||||
Hi $row[fname],
|
||||
|
||||
As per Arbitration a20110118.1 [1] the $flag permission has been removed
|
||||
from your account.
|
||||
|
||||
[1] https://wiki.cacert.org/Arbitrations/a20110118.1
|
||||
|
||||
Best Regards,
|
||||
CAcert Support
|
||||
EOF;
|
||||
sendmail($row['email'], "Permissions have been reset", $message, 'support@cacert.org');
|
||||
|
||||
echo " reset.\n";
|
||||
}
|
||||
}
|
||||
|
||||
echo "\n\n";
|
||||
}
|
Loading…
Reference in a new issue