cacert/cacert-webdb
9
0
Fork 0
Code Issues Pull requests 3 Projects Releases 4 Wiki Activity

Fix for https://bugs.cacert.org/view.php?id=1003

Browse source 
Provide a possibility to regularly review the permissions in the system
This commit is contained in:
Wytze van der Raay 2012-06-21 15:24:46 +00:00
parent a697caab01
commit eea8ed0d51
2 changed files with 214 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

171
scripts/cron/permissionreview.php
View file

@ -21,19 +21,71 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
require_once(dirname(__FILE__).'/../../includes/mysql.php'); require_once(dirname(__FILE__).'/../../includes/mysql.php');
$BOARD_PRIVATE = 'cacert-board-private@lists.cacert.org'; $BOARD_PRIVATE = 'cacert-board-private@lists.cacert.org';
$ASSURANCE_OFFICER = 'ao@cacert.org';
$ORGANISATION_ASSURANCE_OFFICER = 'oao@cacert.org';
//defines to whom to send the lists
$flags = array( $flags = array(
'admin' => 'Support Engineer', 'admin' => array(
'orgadmin' => 'Organisation Assurer', 'name' => 'Support Engineer',
'board' => 'Board Member', 'own' => false, //Don't send twice
'ttpadmin' => 'Trusted Third Party Admin', 'board' => true,
'tverify' => 'Tverify Admin', 'support' => true,
'locadmin' => 'Location Admin' 'ao' => false,
'oao' => false
),
'orgadmin' => array(
'name' => 'Organisation Assurer',
'own' => true,
'board' => true,
'support' => true,
'ao' => true,
'oao' => true
),
'board' => array(
'name' => 'Board Member',
'own' => false,
'board' => true,
'support' => true,
'ao' => true,
'oao' => false
),
'ttpadmin' => array(
'name' => 'Trusted Third Party Admin',
'own' => true,
'board' => true,
'support' => true,
'ao' => true,
'oao' => true
),
'tverify' => array(
'name' => 'Tverify Admin',
'own' => false,
'board' => true,
'support' => true,
'ao' => true,
'oao' => false
),
'locadmin' => array(
'name' => 'Location Admin',
'own' => false,
'board' => true,
'support' => true,
'ao' => false,
'oao' => false
),
); );
$adminlist = array();
foreach ($flags as $flag => $description) { // Build up list of various admins
$adminlist = array();
foreach ($flags as $flag => $flag_properties) {
$query = "select `fname`, `lname`, `email` from `users` where `$flag` = 1"; $query = "select `fname`, `lname`, `email` from `users` where `$flag` = 1";
if(! $res = mysql_query($query) ) { if(! $res = mysql_query($query) ) {
fwrite(STDERR, fwrite(STDERR,
@ -45,52 +97,64 @@ foreach ($flags as $flag => $description) {
continue; continue;
} }
$admins = array(); $adminlist[$flag] = array();
$adminlist[$flag] = "";
while ($row = mysql_fetch_assoc($res)) { while ($row = mysql_fetch_assoc($res)) {
$admins[] = $row; $adminlist[$flag][] = $row;
$adminlist[$flag] .= "$row[fname] $row[lname] $row[email]\n";
} }
foreach ($admins as $admin) {
$message = <<<EOF // Send mail to admins of this group if 'own' is set
if ($flag_properties['own']) {
foreach ($adminlist[$flag] as $admin) {
$message = <<<EOF
Hello $admin[fname], Hello $admin[fname],
you get this message, because you are listed as $description on you get this message, because you are listed as $flag_properties[name] on
CAcert.org. Please review the following list of persons with the same privilege CAcert.org. Please review the following list of persons with the same privilege
and report to the responsible team leader or board and report to the responsible team leader or board
($BOARD_PRIVATE) if you spot any errors. ($BOARD_PRIVATE) if you spot any errors.
$adminlist[$flag]
EOF;
foreach ($adminlist[$flag] as $colleague) {
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
}
$message .= <<<EOF
Best Regards, Best Regards,
CAcert Support CAcert Support
EOF; EOF;
sendmail($admin['email'], "Permissions Review", $message, 'support@cacert.org');
sendmail($admin['email'], "Permissions Review", $message, 'support@cacert.org');
}
} }
} }
// Send to support engineers
$message = <<<EOF $message = <<<EOF
Dear Board Members, Dear Support Engineers,
it's time for the permission review again. Here is the list of privileged users it's time for the permission review again. Here is the list of privileged users
in the CAcert web application. Please review them and also ask the persons in the CAcert web application. Please review them.
responsible for an up-to-date copy of access lists not directly recorded in the
web application (critical admins, software assessors etc.)
EOF; EOF;
foreach ($flags as $flag => $description) { foreach ($flags as $flag => $flag_properties) {
$message .= <<<EOF if ($flag_properties['support']) {
List of ${description}s: $message .= "List of $flag_properties[name]s:\n\n";
$adminlist[$flag] foreach ($adminlist[$flag] as $colleague) {
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
EOF; }
$message .= "\n\n";
}
} }
$message .= <<<EOF $message .= <<<EOF
@ -99,4 +163,55 @@ Best Regards,
CAcert Support CAcert Support
EOF; EOF;
sendmail($BOARD_PRIVATE, "Permissions Review", $message, 'support@cacert.org'); foreach ($adminlist['admin'] as $support_engineer) {
sendmail(
$support_engineer['email'],
"Permissions Review",
$message,
'support@cacert.org');
}
// Send to one-email addresses
foreach (array(
'ao' => array(
'description' => 'Assurance Officer',
'email' => $ASSURANCE_OFFICER),
'oao' => array(
'description' => 'Organisation Assurance Officer',
'email' => $ORGANISATION_ASSURANCE_OFFICER),
'board' => array(
'description' => 'Board Members',
'email' => $BOARD_PRIVATE)
) as $key => $values) {
$message = <<<EOF
Dear $values[description],
it's time for the permission review again. Here is the list of privileged users
in the CAcert web application. Please review them and also ask the persons
responsible for an up-to-date copy of access lists not directly recorded in the
web application (critical admins, software assessors etc.)
EOF;
foreach ($flags as $flag => $flag_properties) {
if ($flag_properties[$key]) {
$message .= "List of $flag_properties[name]s:\n\n";
foreach ($adminlist[$flag] as $colleague) {
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
}
$message .= "\n\n";
}
}
$message .= <<<EOF
Best Regards,
CAcert Support
EOF;
sendmail($values['email'], "Permissions Review", $message, 'support@cacert.org');
}

71
scripts/resetpermissions.php Normal file
View file

@ -0,0 +1,71 @@
#!/usr/bin/php -q
<?php
/*
LibreSSL - CAcert web application
Copyright (C) 2004-2012 CAcert Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
require_once(dirname(__FILE__).'/../includes/mysql.php');
$flags = array('board', 'tverify');
foreach ($flags as $flag) {
echo "Resetting $flag flag:\n";
$query = "select `id`, `fname`, `lname`, `email` from `users`
where `$flag` = 1";
if(! $res = mysql_query($query) ) {
fwrite(STDERR,
"MySQL query for flag $flag failed:\n".
"\"$query\"\n".
mysql_error()
);
continue;
}
while ($row = mysql_fetch_assoc($res)) {
echo "$row[fname] $row[lname] $row[email]";
$update = "update `users` set `$flag` = 0 where `id` = $row[id]";
if(! $res2 = mysql_query($update) ) {
echo " NOT RESET!!!\n";
fwrite(STDERR,
"MySQL query for $flag flag reset on user $row[id] failed:\n".
"\"$update\"\n".
mysql_error()
);
} else {
$message = <<<EOF
Hi $row[fname],
As per Arbitration a20110118.1 [1] the $flag permission has been removed
from your account.
[1] https://wiki.cacert.org/Arbitrations/a20110118.1
Best Regards,
CAcert Support
EOF;
sendmail($row['email'], "Permissions have been reset", $message, 'support@cacert.org');
echo " reset.\n";
}
}
echo "\n\n";
}