Provide a possibility to regularly review the permissions in the system
This commit is contained in:
Wytze van der Raay 2012-06-21 15:24:46 +00:00
parent a697caab01
commit eea8ed0d51
2 changed files with 214 additions and 28 deletions

View file

@ -21,19 +21,71 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
require_once(dirname(__FILE__).'/../../includes/mysql.php');
$BOARD_PRIVATE = 'cacert-board-private@lists.cacert.org';
$ASSURANCE_OFFICER = 'ao@cacert.org';
$ORGANISATION_ASSURANCE_OFFICER = 'oao@cacert.org';
//defines to whom to send the lists
$flags = array(
'admin' => 'Support Engineer',
'orgadmin' => 'Organisation Assurer',
'board' => 'Board Member',
'ttpadmin' => 'Trusted Third Party Admin',
'tverify' => 'Tverify Admin',
'locadmin' => 'Location Admin'
'admin' => array(
'name' => 'Support Engineer',
'own' => false, //Don't send twice
'board' => true,
'support' => true,
'ao' => false,
'oao' => false
),
'orgadmin' => array(
'name' => 'Organisation Assurer',
'own' => true,
'board' => true,
'support' => true,
'ao' => true,
'oao' => true
),
'board' => array(
'name' => 'Board Member',
'own' => false,
'board' => true,
'support' => true,
'ao' => true,
'oao' => false
),
'ttpadmin' => array(
'name' => 'Trusted Third Party Admin',
'own' => true,
'board' => true,
'support' => true,
'ao' => true,
'oao' => true
),
'tverify' => array(
'name' => 'Tverify Admin',
'own' => false,
'board' => true,
'support' => true,
'ao' => true,
'oao' => false
),
'locadmin' => array(
'name' => 'Location Admin',
'own' => false,
'board' => true,
'support' => true,
'ao' => false,
'oao' => false
),
);
$adminlist = array();
foreach ($flags as $flag => $description) {
// Build up list of various admins
$adminlist = array();
foreach ($flags as $flag => $flag_properties) {
$query = "select `fname`, `lname`, `email` from `users` where `$flag` = 1";
if(! $res = mysql_query($query) ) {
fwrite(STDERR,
@ -45,52 +97,64 @@ foreach ($flags as $flag => $description) {
continue;
}
$admins = array();
$adminlist[$flag] = "";
$adminlist[$flag] = array();
while ($row = mysql_fetch_assoc($res)) {
$admins[] = $row;
$adminlist[$flag] .= "$row[fname] $row[lname] $row[email]\n";
$adminlist[$flag][] = $row;
}
foreach ($admins as $admin) {
// Send mail to admins of this group if 'own' is set
if ($flag_properties['own']) {
foreach ($adminlist[$flag] as $admin) {
$message = <<<EOF
Hello $admin[fname],
you get this message, because you are listed as $description on
you get this message, because you are listed as $flag_properties[name] on
CAcert.org. Please review the following list of persons with the same privilege
and report to the responsible team leader or board
($BOARD_PRIVATE) if you spot any errors.
$adminlist[$flag]
EOF;
foreach ($adminlist[$flag] as $colleague) {
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
}
$message .= <<<EOF
Best Regards,
CAcert Support
EOF;
sendmail($admin['email'], "Permissions Review", $message, 'support@cacert.org');
}
}
}
// Send to support engineers
$message = <<<EOF
Dear Board Members,
Dear Support Engineers,
it's time for the permission review again. Here is the list of privileged users
in the CAcert web application. Please review them and also ask the persons
responsible for an up-to-date copy of access lists not directly recorded in the
web application (critical admins, software assessors etc.)
in the CAcert web application. Please review them.
EOF;
foreach ($flags as $flag => $description) {
$message .= <<<EOF
List of ${description}s:
$adminlist[$flag]
foreach ($flags as $flag => $flag_properties) {
if ($flag_properties['support']) {
$message .= "List of $flag_properties[name]s:\n\n";
foreach ($adminlist[$flag] as $colleague) {
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
}
EOF;
$message .= "\n\n";
}
}
$message .= <<<EOF
@ -99,4 +163,55 @@ Best Regards,
CAcert Support
EOF;
sendmail($BOARD_PRIVATE, "Permissions Review", $message, 'support@cacert.org');
foreach ($adminlist['admin'] as $support_engineer) {
sendmail(
$support_engineer['email'],
"Permissions Review",
$message,
'support@cacert.org');
}
// Send to one-email addresses
foreach (array(
'ao' => array(
'description' => 'Assurance Officer',
'email' => $ASSURANCE_OFFICER),
'oao' => array(
'description' => 'Organisation Assurance Officer',
'email' => $ORGANISATION_ASSURANCE_OFFICER),
'board' => array(
'description' => 'Board Members',
'email' => $BOARD_PRIVATE)
) as $key => $values) {
$message = <<<EOF
Dear $values[description],
it's time for the permission review again. Here is the list of privileged users
in the CAcert web application. Please review them and also ask the persons
responsible for an up-to-date copy of access lists not directly recorded in the
web application (critical admins, software assessors etc.)
EOF;
foreach ($flags as $flag => $flag_properties) {
if ($flag_properties[$key]) {
$message .= "List of $flag_properties[name]s:\n\n";
foreach ($adminlist[$flag] as $colleague) {
$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
}
$message .= "\n\n";
}
}
$message .= <<<EOF
Best Regards,
CAcert Support
EOF;
sendmail($values['email'], "Permissions Review", $message, 'support@cacert.org');
}

View file

@ -0,0 +1,71 @@
#!/usr/bin/php -q
<?php
/*
LibreSSL - CAcert web application
Copyright (C) 2004-2012 CAcert Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
require_once(dirname(__FILE__).'/../includes/mysql.php');
$flags = array('board', 'tverify');
foreach ($flags as $flag) {
echo "Resetting $flag flag:\n";
$query = "select `id`, `fname`, `lname`, `email` from `users`
where `$flag` = 1";
if(! $res = mysql_query($query) ) {
fwrite(STDERR,
"MySQL query for flag $flag failed:\n".
"\"$query\"\n".
mysql_error()
);
continue;
}
while ($row = mysql_fetch_assoc($res)) {
echo "$row[fname] $row[lname] $row[email]";
$update = "update `users` set `$flag` = 0 where `id` = $row[id]";
if(! $res2 = mysql_query($update) ) {
echo " NOT RESET!!!\n";
fwrite(STDERR,
"MySQL query for $flag flag reset on user $row[id] failed:\n".
"\"$update\"\n".
mysql_error()
);
} else {
$message = <<<EOF
Hi $row[fname],
As per Arbitration a20110118.1 [1] the $flag permission has been removed
from your account.
[1] https://wiki.cacert.org/Arbitrations/a20110118.1
Best Regards,
CAcert Support
EOF;
sendmail($row['email'], "Permissions have been reset", $message, 'support@cacert.org');
echo " reset.\n";
}
}
echo "\n\n";
}