Obsolete
/
dnsmanagerv1
Archived
3
0
Fork 0
Code

prise en compte de la sécurité dans le développement

master
Philippe Pittoli 2014-02-07 23:56:45 +01:00
parent 318b11e7f3
commit 6d75a31f88
3 changed files with 468 additions and 407 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
app/app.pm
View File

@ -116,7 +116,8 @@ sub delete_domain {
} }
sub update_domain_raw { sub update_domain_raw {
my ($self, $login, $zone, $domain) = @_; my ($self, $zone, $domain) = @_;
my $ze = app::zone::edit->new(zname => $domain my $ze = app::zone::edit->new(zname => $domain
, zdir => $self->zdir , zdir => $self->zdir
, host => $self->sshhost , host => $self->sshhost
@ -125,7 +126,7 @@ sub update_domain_raw {
} }
sub update_domain { sub update_domain {
my ($self, $login, $zone, $domain) = @_; my ($self, $zone, $domain) = @_;
my $ze = app::zone::edit->new(zname => $domain my $ze = app::zone::edit->new(zname => $domain
, zdir => $self->zdir , zdir => $self->zdir
, host => $self->sshhost , host => $self->sshhost
@ -134,7 +135,7 @@ sub update_domain {
} }
sub get_domain { sub get_domain {
my ($self, $login, $domain) = @_; my ($self, $domain) = @_;
my $ze = app::zone::edit->new(zname => $domain my $ze = app::zone::edit->new(zname => $domain
, zdir => $self->zdir , zdir => $self->zdir
, host => $self->sshhost , host => $self->sshhost
@ -160,7 +161,7 @@ sub get_all_users {
} }
sub new_tmp { sub new_tmp {
my ($self, $login, $domain) = @_; my ($self, $domain) = @_;
my $ze = app::zone::edit->new(zname => $domain my $ze = app::zone::edit->new(zname => $domain
, zdir => $self->zdir , zdir => $self->zdir
, host => $self->sshhost , host => $self->sshhost
@ -169,7 +170,7 @@ sub new_tmp {
} }
sub _mod_entry { sub _mod_entry {
my ($self, $login, $domain, $entryToDelete, $action, $newEntry) = @_; my ($self, $domain, $entryToDelete, $action, $newEntry) = @_;
my $name = $entryToDelete->{'name'}; my $name = $entryToDelete->{'name'};
my $type = $entryToDelete->{'type'}; my $type = $entryToDelete->{'type'};
@ -185,7 +186,7 @@ sub _mod_entry {
# say "in _mod_entry : $action"; # say "in _mod_entry : $action";
# say "in _mod_entry : $new_name"; # say "in _mod_entry : $new_name";
my $zone = $self->get_domain($login , $domain); my $zone = $self->get_domain($domain);
my $dump = $zone->dump; my $dump = $zone->dump;
my $record; my $record;
@ -258,18 +259,17 @@ sub _mod_entry {
} }
$self->update_domain( $login, $zone, $domain ); $self->update_domain( $zone, $domain );
} }
sub delete_entry { sub delete_entry {
my ($self, $login, $domain, $entryToDelete) = @_; my ($self, $domain, $entryToDelete) = @_;
$self->_mod_entry( $login, $domain, $entryToDelete, 'del' ); $self->_mod_entry( $domain, $entryToDelete, 'del' );
} }
sub modify_entry { sub modify_entry {
my ($self, $login, $domain, $entryToDelete, $newEntry) = @_; my ($self, $domain, $entryToDelete, $newEntry) = @_;
$self->_mod_entry( $login, $domain, $entryToDelete, 'mod', $newEntry ); $self->_mod_entry( $domain, $entryToDelete, 'mod', $newEntry );
} }
1; 1;

323
www/lib/DNSManager.pm Normal file → Executable file
View File

@ -9,9 +9,11 @@ use Data::Dump qw( dump );
use Data::Structure::Util qw ( unbless ); use Data::Structure::Util qw ( unbless );
use File::Basename; use File::Basename;
use Config::Simple; use Config::Simple;
use Crypt::Digest::SHA256 qw( sha256_hex ) ;
use Storable qw( freeze thaw ); use Storable qw( freeze thaw );
$Storable::Deparse = true; $Storable::Deparse = true;
$Storable::Eval=true; $Storable::Eval=true;
use encoding 'utf-8'; # TODO check if this works well
# Include other libs relative to current path # Include other libs relative to current path
use Find::Lib '../../'; # TODO remove it when it won't be usefull anymore use Find::Lib '../../'; # TODO remove it when it won't be usefull anymore
@ -19,6 +21,13 @@ use app::app;
our $VERSION = '0.1'; our $VERSION = '0.1';
# TODO we can check if dn matches our domain name
sub is_domain_name {
my ($dn) = @_;
my $ndd = qr/^([a-zA-Z0-9]+[a-zA-Z0-9-]*[a-zA-Z0-9]*.)*[a-zA-Z0-9]+[a-zA-Z0-9-]*[a-zA-Z0-9]$/;
return $dn =~ $ndd;
}
# eventually change place # eventually change place
sub initco { sub initco {
@ -45,6 +54,7 @@ sub get_errmsg {
$err; $err;
} }
# TODO check if the referer was from our website
sub get_route { sub get_route {
my $route = '/'; my $route = '/';
$route = request->referer if (defined request->referer); $route = request->referer if (defined request->referer);
@ -81,47 +91,6 @@ get '/' => sub {
} }
}; };
get '/home' => sub {
unless( session('login') )
{
redirect '/';
}
else
{
my $app = initco();
my ($success, @domains) = $app->get_domains( session('login') );
if( $success ) {
my (%zone_properties, %domains);
my $cs = session('creationSuccess');
my $dn = session('domainName');
session creationSuccess => '';
session domainName => '';
template home => {
login => session('login')
, admin => session('admin')
, domains => [@domains]
, zones_domains => \%domains
, zone_properties => \%zone_properties
, creationSuccess => $cs
, errmsg => get_errmsg
, domainName => $dn };
}
else {
session->destroy;
redirect '/ ';
}
}
};
prefix '/domain' => sub { prefix '/domain' => sub {
any ['post', 'get'] => '/updateraw/:domain' => sub { any ['post', 'get'] => '/updateraw/:domain' => sub {
@ -135,25 +104,38 @@ prefix '/domain' => sub {
{ {
my $app = initco(); my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(param('login'), my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
param('password') ); session('password') );
my $success = $app->update_domain_raw(session('login') if($auth_ok && ($isadmin || grep { $_ eq param('domain') }
, param('zoneupdated') @{$user->domains}) ) {
my $success = $app->update_domain_raw( param('zoneupdated')
, param('domain')); , param('domain'));
unless($success) {
session errmsg => q{Problème de mise à jour du domaine.};
}
redirect '/domain/details/' . param('domain'); redirect '/domain/details/' . param('domain');
} }
else {
session errmsg => q{Donnée privée, petit coquin. ;) };
redirect '/';
}
}
}; };
any ['post', 'get'] => '/update/:domain' => sub { any ['post', 'get'] => '/update/:domain' => sub {
unless( session('login') && param('domain') ) unless( session('login') && param('domain') )
{ {
redirect '/'; redirect '/';
} }
else else
{ {
my $type = param('type'); my $type = param('type');
my $name = param('name'); my $name = param('name');
my $value = param('value'); my $value = param('value');
@ -161,9 +143,18 @@ prefix '/domain' => sub {
my $priority = param('priority'); my $priority = param('priority');
my $app = initco(); my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(param('login'), my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
param('password') ); session('password') );
my $zone = $app->get_domain( session('login') , param('domain') );
unless($auth_ok && ($isadmin || grep { $_ eq param('domain') }
@{$user->domains}) ) {
session errmsg => q{Donnée privée, petit coquin. ;) };
redirect '/';
return;
}
my $zone = $app->get_domain( param('domain') );
given( $type ) given( $type )
{ {
@ -226,12 +217,11 @@ prefix '/domain' => sub {
} }
$zone->new_serial(); $zone->new_serial();
$app->update_domain( session('login') dump($zone);
, $zone
, param('domain')); $app->update_domain( $zone , param('domain'));
redirect '/domain/details/' . param('domain'); redirect '/domain/details/' . param('domain');
} }
}; };
@ -245,15 +235,26 @@ prefix '/domain' => sub {
else else
{ {
my $app = initco(); my $app = initco();
# my ($auth_ok, $user, $isadmin) = $app->auth(param('login'),
# param('password') );
my $zone = $app->get_domain(session('login') , param('domain')); my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
session('password') );
unless ( $auth_ok && ( $isadmin
|| grep { $_ =~ param('domain') } @{$user->domains})) {
session errmsg => q{Auth non OK.};
redirect '/ ';
return;
}
my $zone = $app->get_domain(param('domain'));
if( param( 'expert' ) ) if( param( 'expert' ) )
{ {
template details => { template details => {
login => session('login') login => session('login')
, admin => session('admin')
, domain => param('domain') , domain => param('domain')
, domain_zone => $zone->output() , domain_zone => $zone->output()
, expert => true }; , expert => true };
@ -263,6 +264,7 @@ prefix '/domain' => sub {
# say dump( $zone->cname()); # say dump( $zone->cname());
template details => { template details => {
login => session('login') login => session('login')
, admin => session('admin')
, domain => param('domain') , domain => param('domain')
, domain_zone => $zone->output() , domain_zone => $zone->output()
, a => $zone->a() , a => $zone->a()
@ -313,7 +315,7 @@ prefix '/domain' => sub {
session creationSuccess => $creationSuccess; session creationSuccess => $creationSuccess;
session domainName => param('domain'); session domainName => param('domain');
redirect '/home'; redirect '/user/home';
} }
@ -321,53 +323,68 @@ prefix '/domain' => sub {
get '/del/:domain' => sub { get '/del/:domain' => sub {
my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
session('password') );
unless ( $auth_ok && ( $isadmin
|| grep { $_ =~ param('domain') } @{$user->domains})) {
session errmsg => q{Auth non OK.};
redirect '/ ';
return;
}
unless( defined param('domain') ) { unless( defined param('domain') ) {
session errmsg => q<Domaine non renseigné.>; session errmsg => q<Domaine non renseigné.>;
redirect get_route; redirect get_route;
return;
} }
else {
my $app = initco();
# TODO tests des droits if( ! is_domain_name(param('domain'))) {
if( session('login') ) { session errmsg => q<Domaine non conforme.>;
redirect get_route;
return;
}
if($app->delete_domain(session('login'), param('domain'))) { my $success = $app->delete_domain(session('login'), param('domain'));
unless($success) {
session errmsg => q{Impossible de supprimer le domaine.};
}
if( request->referer =~ "/domain/details" ) { if( request->referer =~ "/domain/details" ) {
redirect '/home'; redirect '/user/home';
} }
else { else {
redirect request->referer; redirect request->referer;
} }
}
else {
session errmsg => "Impossible de supprimer le domaine "
. param('domain')
. '.' ;
redirect request->referer;
}
}
}
}; };
get '/del/:domain/:name/:type/:host/:ttl' => sub { get '/del/:domain/:name/:type/:host/:ttl' => sub {
# Load :domain and search for corresponding data
my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
session('password') );
unless ( $auth_ok && ( $isadmin
|| grep { $_ =~ param('domain') } @{$user->domains})) {
session errmsg => q{Auth non OK.};
redirect '/ ';
return;
}
unless( session( 'user' ) and defined param('domain') ) { unless( session( 'user' ) and defined param('domain') ) {
session errmsg => q<Domaine non renseigné.>; session errmsg => q<Domaine non renseigné.>;
redirect get_route; redirect get_route;
return;
} }
else {
# Load :domain and search for corresponding data
my $app = initco();
# my ($auth_ok, $user, $isadmin) = $app->auth(param('login'),
# param('password') );
$app->delete_entry( session('login'), $app->delete_entry( param('domain'),
param('domain'),
{ {
type => param('type'), type => param('type'),
name => param('name'), name => param('name'),
@ -376,23 +393,29 @@ prefix '/domain' => sub {
}); });
redirect '/domain/details/'. param('domain'); redirect '/domain/details/'. param('domain');
}
}; };
get '/mod/:domain/:name/:type/:host/:ttl' => sub { get '/mod/:domain/:name/:type/:host/:ttl' => sub {
my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
session('password') );
unless ( $auth_ok && ( $isadmin
|| grep { $_ =~ param('domain') } @{$user->domains})) {
session errmsg => q{Auth non OK.};
redirect '/ ';
return;
}
unless( session( 'user' ) and defined param('domain') ) { unless( session( 'user' ) and defined param('domain') ) {
session errmsg => q<Domaine non renseigné.>; session errmsg => q<Domaine non renseigné.>;
redirect get_route; redirect get_route;
return;
} }
else {
# Load :domain and search for corresponding data
my $app = initco();
# my ($auth_ok, $user, $isadmin) = $app->auth(param('login'),
# param('password') );
$app->modify_entry( session('login'), $app->modify_entry( param('domain'),
param('domain'),
{ {
type => param('type'), type => param('type'),
name => param('name'), name => param('name'),
@ -408,7 +431,6 @@ prefix '/domain' => sub {
}); });
redirect '/domain/details/'. param('domain'); redirect '/domain/details/'. param('domain');
}
}; };
}; };
@ -417,17 +439,18 @@ any ['get', 'post'] => '/admin' => sub {
unless( session('login') ) unless( session('login') )
{ {
redirect '/'; redirect '/';
return;
} }
else
{
my $app = initco(); my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(session('login'), my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
session('password') ); session('password') );
unless ( $auth_ok && $isadmin ) { unless ( $auth_ok && $isadmin ) {
session errmsg => q{Donnée privée, petit coquin. ;) };
redirect '/ '; redirect '/ ';
return;
} }
else {
my %alldomains = $app->get_all_domains; my %alldomains = $app->get_all_domains;
my %allusers = $app->get_all_users; my %allusers = $app->get_all_users;
@ -440,31 +463,75 @@ any ['get', 'post'] => '/admin' => sub {
, domains => [ @domains ] , domains => [ @domains ]
, alldomains => { %alldomains } , alldomains => { %alldomains }
, allusers => { %allusers } }; , allusers => { %allusers } };
}
}
}; };
prefix '/user' => sub { prefix '/user' => sub {
get '/home' => sub {
unless( session('login') ) {
redirect '/';
return;
}
my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
session('password') );
unless( $auth_ok ) {
session errmsg => q/problème de connexion à votre compte/;
redirect '/';
return;
}
my ($success, @domains) = $app->get_domains( session('login') );
if( $success ) {
my $cs = session('creationSuccess');
my $dn = session('domainName');
session creationSuccess => '';
session domainName => '';
template home => {
login => session('login')
, admin => session('admin')
, domains => [@domains]
, creationSuccess => $cs
, errmsg => get_errmsg
, domainName => $dn };
}
else {
session->destroy;
redirect '/ ';
}
};
get '/logout' => sub { get '/logout' => sub {
session->destroy; session->destroy;
redirect '/'; redirect '/';
}; };
# add a user => registration
post '/add/' => sub { post '/add/' => sub {
if ( param('login') && param('password') ) if ( param('login') && param('password') ) {
{
my $pass = sha256_hex(param('password'));
my $app = initco(); my $app = initco();
my ($success) = $app->register_user(param('login') my ($success) = $app->register_user(param('login')
, param('password')); , $pass);
if($success) { if($success) {
session login => param('login'); session login => param('login');
session password => param('password'); session password => $pass;
redirect '/home'; redirect '/user/home';
} }
else { else {
session errmsg => q/Ce pseudo est déjà pris./; session errmsg => q/Ce pseudo est déjà pris./;
@ -481,14 +548,14 @@ prefix '/user' => sub {
get '/subscribe' => sub { get '/subscribe' => sub {
if( defined session('login') ) if( defined session('login') ) {
{ redirect '/user/home';
redirect '/home';
} }
else { else {
template subscribe => { template subscribe => {
errmsg => get_errmsg errmsg => get_errmsg
, admin => session('admin')
}; };
} }
@ -496,33 +563,31 @@ prefix '/user' => sub {
get '/unsetadmin/:user' => sub { get '/unsetadmin/:user' => sub {
unless( defined param('user') ) unless( defined param('user') ) {
{
# TODO ajouter une erreur à afficher
session errmsg => "L'administrateur n'est pas défini." ; session errmsg => "L'administrateur n'est pas défini." ;
redirect request->referer; redirect request->referer;
return;
} }
elsif(! defined session('login') )
{ if(! defined session('login') ) {
session errmsg => "Vous n'êtes pas connecté." ; session errmsg => "Vous n'êtes pas connecté." ;
redirect '/'; redirect '/';
return;
} }
else {
my $app = initco(); my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(session('login'), my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
session('password') ); session('password') );
if ( $auth_ok && $isadmin ) { unless ( $auth_ok && $isadmin ) {
$app->set_admin(param('user'), 0); session errmsg => q/Vous n'êtes pas administrateur./;
} }
else { else {
session errmsg => q/Vous n'êtes pas administrateur./; $app->set_admin(param('user'), 0);
} }
if( request->referer =~ "/admin" ) { if( request->referer =~ "/admin" ) {
@ -532,35 +597,33 @@ prefix '/user' => sub {
redirect '/'; redirect '/';
} }
}
}; };
get '/setadmin/:user' => sub { get '/setadmin/:user' => sub {
unless( defined param('user') ) unless( defined param('user') ) {
{
# TODO ajouter une erreur à afficher
session errmsg => "L'utilisateur n'est pas défini." ; session errmsg => "L'utilisateur n'est pas défini." ;
redirect request->referer; redirect request->referer;
return;
} }
elsif(! defined session('login') )
{ if(! defined session('login') ) {
session errmsg => "Vous n'êtes pas connecté." ; session errmsg => "Vous n'êtes pas connecté." ;
redirect '/'; redirect '/';
return;
} }
else {
my $app = initco(); my $app = initco();
my ($auth_ok, $user, $isadmin) = $app->auth(session('login'), my ($auth_ok, $user, $isadmin) = $app->auth(session('login'),
session('password') ); session('password') );
if ( $auth_ok && $isadmin ) { unless ( $auth_ok && $isadmin ) {
session errmsg => q/Vous n'êtes pas administrateur./;
}
else {
$app->set_admin(param('user'), 1); $app->set_admin(param('user'), 1);
} }
@ -571,8 +634,6 @@ prefix '/user' => sub {
redirect '/'; redirect '/';
} }
}
}; };
get '/del/:user' => sub { get '/del/:user' => sub {
@ -615,15 +676,15 @@ prefix '/user' => sub {
{ {
my $app = initco(); my $app = initco();
my $pass = sha256_hex(param('password'));
my ($auth_ok, $user, $isadmin) = $app->auth(param('login'), my ($auth_ok, $user, $isadmin) = $app->auth(param('login'),
param('password') ); $pass );
if( $auth_ok ) if( $auth_ok )
{ {
session login => param('login'); session login => param('login');
# TODO : change password storage… session password => $pass;
session password => param('password');
session user => freeze( $user ); session user => freeze( $user );
session admin => $isadmin; session admin => $isadmin;
@ -643,7 +704,7 @@ prefix '/user' => sub {
} }
} }
redirect '/home'; redirect '/user/home';
}; };
}; };

2
www/views/sidebar.tt
View File

@ -14,7 +14,7 @@
<div class="list-group"> <div class="list-group">
<a href="/user/logout" class="list-group-item active">Déconnexion</a> <a href="/user/logout" class="list-group-item active">Déconnexion</a>
<a href='/home' class="list-group-item active">Ma page</a> <a href='/user/home' class="list-group-item active">Ma page</a>
<% IF admin == 1 %> <% IF admin == 1 %>
<a href='/admin' class="list-group-item ">Administration</a> <a href='/admin' class="list-group-item ">Administration</a>