Fix to use direct ACL checks in Kea DHCP module
*Note: Removes the Kea-specific ACL wrapper helpers and switches the ACL editor and runtime checks to standard Webmin handling, using the directly supplied ACL values and get_module_acl checks.
@@ -18,13 +18,13 @@ my ($o) = @_;
|
||||
print ui_table_span(&ui_tag('b', &html_escape($text{'acl_section_view'})));
|
||||
foreach my $a (qw(dhcp4 dhcp6 ddns services runtime)) {
|
||||
print ui_table_row($text{'acl_'.$a},
|
||||
ui_yesno_radio($a, kea_check_acl($a, $o)), 3);
|
||||
ui_yesno_radio($a, $o->{$a}), 3);
|
||||
}
|
||||
print ui_table_hr();
|
||||
print ui_table_span(&ui_tag('b', &html_escape($text{'acl_section_change'})));
|
||||
foreach my $a (qw(edit4 edit6 editddns manual apply install)) {
|
||||
print ui_table_row($text{'acl_'.$a},
|
||||
ui_yesno_radio($a, kea_check_acl($a, $o)), 3);
|
||||
ui_yesno_radio($a, $o->{$a}), 3);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -34,7 +34,8 @@ sub acl_security_save
|
||||
{
|
||||
my ($o) = @_;
|
||||
|
||||
foreach my $a (kea_acl_keys()) {
|
||||
foreach my $a (qw(dhcp4 dhcp6 ddns services runtime edit4 edit6 editddns
|
||||
manual apply install)) {
|
||||
$o->{$a} = $in{$a} || 0;
|
||||
}
|
||||
}
|
||||
|
||||
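Review bot: `$o->{$a} = $in{$a} || 0;` in acl_security_save writes whatever truthy string was posted straight into the stored ACL, and with the wrapper helpers removed nothing in the hunks shown normalises it on read any more; `$o->{$a} = $in{$a} ? 1 : 0;` would keep the saved values to 1 or 0. The capability names are also now spelled out separately in the two form loops, in this save loop and in the index-page entry check, so a key added to one list and not the others would show a radio that is never saved, or be ignored at entry. A comment such as `# Keep in sync with the key lists in the ACL form and the index-page entry check` above the loop would flag that. The form function's body starts outside the first hunk.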
@@ -9,7 +9,9 @@ our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
|
||||
my $ver = $in{'version'} == 6 ? 6 : 4;
|
||||
&kea_assert_acl('edit'.$ver);
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pedit'.$ver}")
|
||||
if (!$access{'edit'.$ver});
|
||||
my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
|
||||
&error($err) if ($err);
|
||||
|
||||
|
||||
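Review bot: The new check builds both the ACL key and the message key from `$ver` (`$access{'edit'.$ver}`, `$text{'eacl_pedit'.$ver}`), and it is only safe because the line above clamps the request's `version` to 4 or 6; that dependency is not documented. A comment above the check, for example `# $ver is clamped to 4 or 6, so the request can only select the edit4/edit6 ACL keys`, would stop a later edit from loosening the clamp without revisiting the permission lookup. The same applies to the other hunks on this page that use the identical `'edit'.$ver` check. The script starts and ends outside the hunk.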
@@ -7,7 +7,9 @@ require './kea-dhcp-lib.pl'; ## no critic
|
||||
&ReadParse();
|
||||
our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&kea_assert_acl('editddns');
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_peditddns'}")
|
||||
if (!$access{'editddns'});
|
||||
|
||||
my $c = &kea_component('ddns');
|
||||
my ($root, $err) = &kea_read_component_config($c);
|
||||
|
||||
@@ -9,7 +9,9 @@ our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
|
||||
my $ver = $in{'version'} == 6 ? 6 : 4;
|
||||
&kea_assert_acl('edit'.$ver);
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pedit'.$ver}")
|
||||
if (!$access{'edit'.$ver});
|
||||
my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
|
||||
&error($err) if ($err);
|
||||
|
||||
|
||||
@@ -9,7 +9,9 @@ our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
|
||||
my $ver = $in{'version'} == 6 ? 6 : 4;
|
||||
&kea_assert_acl('edit'.$ver);
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pedit'.$ver}")
|
||||
if (!$access{'edit'.$ver});
|
||||
my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
|
||||
&error($err) if ($err);
|
||||
my $shareds = &kea_shared_networks($root);
|
||||
|
||||
@@ -9,7 +9,9 @@ our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
|
||||
my $ver = $in{'version'} == 6 ? 6 : 4;
|
||||
&kea_assert_acl('edit'.$ver);
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pedit'.$ver}")
|
||||
if (!$access{'edit'.$ver});
|
||||
my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
|
||||
&error($err) if ($err);
|
||||
my $sidx = defined($in{'sidx'}) ? $in{'sidx'} : "";
|
||||
|
||||
@@ -7,7 +7,8 @@ require './kea-dhcp-lib.pl'; ## no critic
|
||||
&ReadParse();
|
||||
our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&kea_assert_acl('manual');
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pmanual'}") if (!$access{'manual'});
|
||||
|
||||
my @files = &kea_manual_edit_files();
|
||||
&error($text{'edit_enofile'}) if (!@files);
|
||||
|
||||
@@ -7,11 +7,13 @@ require './kea-dhcp-lib.pl'; ## no critic
|
||||
&ReadParse();
|
||||
our (%in, %text);
|
||||
our $module_name;
|
||||
my %access = &kea_effective_acl();
|
||||
my %access = &get_module_acl();
|
||||
my $delete_formno;
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&error("$text{'eacl_np'} $text{'eacl_penter'}")
|
||||
unless &kea_can_enter_module(\%access);
|
||||
unless grep { $access{$_} } qw(dhcp4 dhcp6 ddns services runtime
|
||||
edit4 edit6 editddns manual apply
|
||||
install);
|
||||
|
||||
# If the Kea daemons cannot be found, keep the index page focused on the
|
||||
# repair path. Leftover config files are not enough to run the module safely.
|
||||
|
||||
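Review bot: The denial raised by the entry check will likely read as a repeated refusal, because `error_setup($text{'eacl_aviol'})` already supplies "Kea DHCP access denied" and the reworded `eacl_np` string opens the message with "Access denied:" again (assuming error() prepends the error_setup text, as is usual in Webmin). Passing only the specific sentence, `&error($text{'eacl_penter'})`, would give one clear statement; the other scripts on this page that call `&error("$text{'eacl_np'} ...")` are affected the same way. The `unless grep { ... } qw(...)` condition is also spread over three lines after the call, so a short comment such as `# Deny entry unless at least one capability is granted` would help readers. The script continues outside the hunk.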
@@ -12,51 +12,6 @@ our $module_root_directory;
|
||||
&init_config();
|
||||
&load_kea_defaults();
|
||||
|
||||
# kea_acl_keys()
|
||||
# Returns the supported Kea DHCP ACL capabilities.
|
||||
sub kea_acl_keys
|
||||
{
|
||||
return qw(dhcp4 dhcp6 ddns services runtime edit4 edit6 editddns manual apply install);
|
||||
}
|
||||
|
||||
# kea_effective_acl([&raw-acl])
|
||||
# Returns normalized ACL settings for the current Webmin user.
|
||||
sub kea_effective_acl
|
||||
{
|
||||
my ($rawacl) = @_;
|
||||
my %raw = $rawacl ? %$rawacl : &get_module_acl();
|
||||
return map { $_ => $raw{$_} ? 1 : 0 } &kea_acl_keys();
|
||||
}
|
||||
|
||||
# kea_check_acl(action, [&raw-acl])
|
||||
# Returns true when an effective ACL permits the requested action.
|
||||
sub kea_check_acl
|
||||
{
|
||||
my ($action, $rawacl) = @_;
|
||||
my %acl = &kea_effective_acl($rawacl);
|
||||
return $acl{$action} ? 1 : 0;
|
||||
}
|
||||
|
||||
# kea_assert_acl(action)
|
||||
# Fails if the current Webmin user cannot perform an action.
|
||||
sub kea_assert_acl
|
||||
{
|
||||
my ($action) = @_;
|
||||
&kea_check_acl($action) ||
|
||||
&error("$text{'eacl_np'} $text{'eacl_p'.$action}");
|
||||
}
|
||||
|
||||
# kea_can_enter_module(&acl)
|
||||
# Returns true if a user has at least one useful module capability.
|
||||
sub kea_can_enter_module
|
||||
{
|
||||
my ($acl) = @_;
|
||||
foreach my $a (&kea_acl_keys()) {
|
||||
return 1 if ($acl->{$a});
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
# kea_can_view_dhcp(&acl, version)
|
||||
# Structured edit access implies read access to that DHCP version.
|
||||
sub kea_can_view_dhcp
|
||||
|
||||
@@ -387,19 +387,19 @@ acl_manual=Edit config files manually
|
||||
acl_apply=Start, stop, or restart Kea services
|
||||
acl_install=Install Kea packages
|
||||
eacl_aviol=Kea DHCP access denied
|
||||
eacl_np=You do not have permission to
|
||||
eacl_penter=access the Kea DHCP module
|
||||
eacl_pdhcp4=view DHCPv4 configuration
|
||||
eacl_pdhcp6=view DHCPv6 configuration
|
||||
eacl_pddns=view DHCP-DDNS configuration
|
||||
eacl_pservices=view Kea service status
|
||||
eacl_pruntime=view runtime status
|
||||
eacl_pedit4=edit DHCPv4 configuration
|
||||
eacl_pedit6=edit DHCPv6 configuration
|
||||
eacl_peditddns=edit DHCP-DDNS configuration
|
||||
eacl_pmanual=edit Kea config files manually
|
||||
eacl_papply=start, stop, or restart Kea services
|
||||
eacl_pinstall=install Kea packages
|
||||
eacl_np=Access denied:
|
||||
eacl_penter=Access to the Kea DHCP module is not permitted.
|
||||
eacl_pdhcp4=Viewing DHCPv4 configuration is not permitted.
|
||||
eacl_pdhcp6=Viewing DHCPv6 configuration is not permitted.
|
||||
eacl_pddns=Viewing DHCP-DDNS configuration is not permitted.
|
||||
eacl_pservices=Viewing Kea service status is not permitted.
|
||||
eacl_pruntime=Viewing runtime status is not permitted.
|
||||
eacl_pedit4=Editing DHCPv4 configuration is not permitted.
|
||||
eacl_pedit6=Editing DHCPv6 configuration is not permitted.
|
||||
eacl_peditddns=Editing DHCP-DDNS configuration is not permitted.
|
||||
eacl_pmanual=Editing Kea config files manually is not permitted.
|
||||
eacl_papply=Starting, stopping, or restarting Kea services is not permitted.
|
||||
eacl_pinstall=Installing Kea packages is not permitted.
|
||||
log_start=Started Kea services
|
||||
log_stop=Stopped Kea services
|
||||
log_apply=Reloaded Kea services
|
||||
|
||||
@@ -6,7 +6,8 @@ use warnings;
|
||||
require './kea-dhcp-lib.pl'; ## no critic
|
||||
our %text;
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&kea_assert_acl('apply');
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_papply'}") if (!$access{'apply'});
|
||||
|
||||
# Restart/reload applies the saved configuration for all Kea services.
|
||||
&error_setup($text{'restart_fail'});
|
||||
|
||||
@@ -7,7 +7,8 @@ require './kea-dhcp-lib.pl'; ## no critic
|
||||
&ReadParse();
|
||||
our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&kea_assert_acl('runtime');
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pruntime'}") if (!$access{'runtime'});
|
||||
|
||||
&ui_print_header(undef, $text{'runtime_title'}, "", undef, 1, 1);
|
||||
|
||||
|
||||
@@ -7,7 +7,9 @@ require './kea-dhcp-lib.pl'; ## no critic
|
||||
&ReadParse();
|
||||
our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&kea_assert_acl('editddns');
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_peditddns'}")
|
||||
if (!$access{'editddns'});
|
||||
|
||||
my $c = &kea_component('ddns');
|
||||
my ($root, $err, $data) = &kea_read_component_config($c);
|
||||
|
||||
@@ -9,7 +9,9 @@ our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
|
||||
my $ver = $in{'version'} == 6 ? 6 : 4;
|
||||
&kea_assert_acl('edit'.$ver);
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pedit'.$ver}")
|
||||
if (!$access{'edit'.$ver});
|
||||
my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
|
||||
&error($err) if ($err);
|
||||
|
||||
|
||||
@@ -9,7 +9,9 @@ our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
|
||||
my $ver = $in{'version'} == 6 ? 6 : 4;
|
||||
&kea_assert_acl('edit'.$ver);
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pedit'.$ver}")
|
||||
if (!$access{'edit'.$ver});
|
||||
my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
|
||||
&error($err) if ($err);
|
||||
my $shareds = &kea_shared_networks($root);
|
||||
|
||||
@@ -9,7 +9,9 @@ our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
|
||||
my $ver = $in{'version'} == 6 ? 6 : 4;
|
||||
&kea_assert_acl('edit'.$ver);
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pedit'.$ver}")
|
||||
if (!$access{'edit'.$ver});
|
||||
my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
|
||||
&error($err) if ($err);
|
||||
|
||||
|
||||
@@ -7,7 +7,8 @@ require './kea-dhcp-lib.pl'; ## no critic
|
||||
&ReadParseMime();
|
||||
our (%in, %text);
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&kea_assert_acl('manual');
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_pmanual'}") if (!$access{'manual'});
|
||||
|
||||
my $info = &kea_manual_edit_file($in{'file'});
|
||||
&error($text{'save_efile'}) if (!$info);
|
||||
|
||||
@@ -6,7 +6,8 @@ use warnings;
|
||||
require './kea-dhcp-lib.pl'; ## no critic
|
||||
our %text;
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&kea_assert_acl('apply');
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_papply'}") if (!$access{'apply'});
|
||||
|
||||
# The header action buttons operate on all configured Kea components together.
|
||||
&error_setup($text{'start_fail'});
|
||||
|
||||
@@ -6,7 +6,8 @@ use warnings;
|
||||
require './kea-dhcp-lib.pl'; ## no critic
|
||||
our %text;
|
||||
&error_setup($text{'eacl_aviol'});
|
||||
&kea_assert_acl('apply');
|
||||
my %access = &get_module_acl();
|
||||
&error("$text{'eacl_np'} $text{'eacl_papply'}") if (!$access{'apply'});
|
||||
|
||||
# The header action buttons operate on all configured Kea components together.
|
||||
&error_setup($text{'stop_fail'});
|
||||
|
||||