Phase 1 of adding security

lattera · Feb 7, 2012 · 232531b · 232531b
1 parent 504a119
commit 232531b
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 11 deletions.
diff --git a/jailadmin.module b/jailadmin.module
@@ -1,18 +1,39 @@
 <?php
 
+require_once('classes/Jail.php');
+require_once('classes/Network.php');
+require_once('classes/NetworkDevice.php');
+require_once('classes/Service.php');
+require_once('classes/Mount.php');
+
 /**
  * Implements hook_permission().
  */
 function jailadmin_permission() {
+    $jails = Jail::LoadAll();
+
     $perms = array(
         'administer jails' => array(
             'title' => t('Administer Wayfair Jail Admin'),
         ),
         'start jails' => array(
             'title' => t('Start/Stop jails'),
         ),
+        'view jails' => array(
+            'title' => t('View jails'),
+        ),
     );
 
+    foreach ($jails as $jail) {
+        $perms['config ' . $jail->name] = array(
+            'title' => t('Configure jail @jail', array('@jail' => $jail->name))
+        );
+
+        $perms['view ' . $jail->name . ' config'] = array(
+            'title' => t('View @jail\'s config', array('@jail' => $jail->name))
+        );
+    }
+
     return $perms;
 }
 
@@ -56,7 +77,7 @@ function jailadmin_menu() {
         'page arguments' => array('jailadmin_status'),
         'file' => 'jailstatus.inc',
         'access callback' => 'user_access',
-        'access arguments' => array('adminster jails'),
+        'access arguments' => array('view jails'),
         'type' => MENU_NORMAL_ITEM,
     );
 
@@ -65,10 +86,17 @@ function jailadmin_menu() {
         'page callback' => 'drupal_get_form',
         'page arguments' => array('jailadmin_config', 1),
         'file' => 'jailconfig.inc',
-        'access callback' => 'user_access',
+        'access callback' => 'jail_config_access',
-        'access arguments' => array('administer jails'),
+        'access arguments' => array(1),
         'type' => MENU_NORMAL_ITEM,
     );
 
     return $items;
 }
+
+function jail_config_access($jail) {
+    if (user_access('view ' . $jail . ' config') || user_access('config ' . $jail))
+        return TRUE;
+
+    return FALSE;
+}
diff --git a/jailconfig.inc b/jailconfig.inc
@@ -12,6 +12,20 @@ function jailadmin_config($form, &$form_state) {
     $network_devices = get_all_network_devices_for_select($jail);
     $services = get_all_services_for_select($jail);
     $mounts = get_all_mounts_for_select($jail);
+    $readonly = FALSE;
+
+    if (user_access('config ' . $jail->name) == FALSE)
+        $readonly = TRUE;
+
+    if ($readonly) {
+        if (user_access('view ' . $jail->name . ' config') == FALSE) {
+            drupal_set_message(t('Access denied'), 'error');
+            return;
+        }
+    }
+
+    if ($jail->IsOnline())
+        drupal_set_message(t('NOTE: Jail is online. All settings are read-only.'), 'status');
 
     $form['base'] = array(
         '#type' => 'fieldset',
@@ -24,23 +38,23 @@ function jailadmin_config($form, &$form_state) {
         '#type' => 'textfield',
         '#title' => t('ZFS Dataset'),
         '#size' => 60,
-        '#disabled' => $jail->IsOnline(),
+        '#disabled' => $jail->IsOnline() || $readonly,
         '#default_value' => $jail->dataset,
     );
 
     $form['base']['path'] = array(
         '#type' => 'textfield',
         '#title' => t('Path'),
         '#size' => 60,
-        '#disabled' => $jail->IsOnline(),
+        '#disabled' => $jail->IsOnline() || $readonly,
         '#default_value' => $jail->path,
     );
 
     $form['base']['route'] = array(
         '#type' => 'textfield',
         '#title' => t('Default Route'),
         '#size' => 60,
-        '#disabled' => $jail->IsOnline(),
+        '#disabled' => $jail->IsOnline() || $readonly,
         '#default_value' => $jail->route,
     );
 
@@ -58,6 +72,7 @@ function jailadmin_config($form, &$form_state) {
             '#multiple' => TRUE,
             '#options' => get_all_network_devices_for_select($jail),
             '#description' => t('Select one or more to delete'),
+            '#disabled' => $jail->IsOnline() || $readonly,
         );
     }
 
@@ -66,19 +81,22 @@ function jailadmin_config($form, &$form_state) {
         '#title' => t('New Device Name'),
         '#size' => 60,
         '#description' => t('e.g. epair0'),
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['network_devices']['new_network_ip'] = array(
         '#type' => 'textfield',
         '#title' => t('New IP'),
         '#size' => 60,
         '#description' => t('IPv4 or IPv6 IP'),
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['network_devices']['new_network_network'] = array(
         '#type' => 'select',
         '#title' => 'Network',
         '#options' => get_all_networks_for_select(),
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['services'] = array(
@@ -94,13 +112,15 @@ function jailadmin_config($form, &$form_state) {
             '#multiple' => TRUE,
             '#description' => t('Select one or more to delete'),
             '#options' => $services,
+            '#disabled' => $jail->IsOnline() || $readonly,
         );
     }
 
     $form['services']['new_service'] = array(
         '#type' => 'textfield',
         '#title' => t('New Service'),
         '#size' => 60,
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['mounts'] = array(
@@ -117,33 +137,38 @@ function jailadmin_config($form, &$form_state) {
             '#description' => t('Select one or more to delete'),
             '#multiple' => TRUE,
             '#options' => $mounts,
+            '#disabled' => $jail->IsOnline() || $readonly,
         );
     }
 
     $form['mounts']['new_mount_source'] = array(
         '#type' => 'textfield',
         '#title' => t('New mount source'),
         '#size' => 60,
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['mounts']['new_mount_target'] = array(
         '#type' => 'textfield',
         '#title' => t('New mount target'),
         '#description' => t('Without jail path prefix. (e.g. /mnt)'),
         '#size' => 60,
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['mounts']['new_mount_driver'] = array(
         '#type' => 'textfield',
         '#title' => t('New mount driver'),
         '#description' => t('Driver for -t argument. (e.g. nullfs)'),
         '#size' => 60,
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['mounts']['new_mount_options'] = array(
         '#type' => 'textfield',
         '#title' => t('Extra options'),
         '#size' => 60,
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['jail_actions'] = array(
@@ -155,39 +180,41 @@ function jailadmin_config($form, &$form_state) {
         '#type' => 'submit',
         '#value' => t('Start Jail'),
         '#submit' => array('jail_actions_start'),
-        '#disabled' => $jail->IsOnline(),
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['jail_actions']['stop'] = array(
         '#type' => 'submit',
         '#value' => t('Stop Jail'),
         '#submit' => array('jail_actions_stop'),
-        '#disabled' => !$jail->IsOnline(),
+        '#disabled' => !$jail->IsOnline() || $readonly,
     );
 
     $form['jail_actions']['snapshot'] = array(
         '#type' => 'submit',
         '#value' => t('Snapshot'),
         '#submit' => array('jail_actions_snapshot'),
+        '#disabled' => $readonly,
     );
 
     $form['jail_actions']['upgrade'] = array(
         '#type' => 'submit',
         '#value' => t('Upgrade World'),
         '#submit' => array('jail_actions_upgrade'),
-        '#disabled' => $jail->IsOnline(),
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['jail_actions']['setup_services'] = array(
         '#type' => 'submit',
         '#value' => t('Setup Services'),
         '#submit' => array('jail_actions_setup_services'),
-        '#disabled' => $jail->IsOnline(),
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     $form['submit'] = array(
         '#type' => 'submit',
         '#value' => t('Save Configuration'),
+        '#disabled' => $jail->IsOnline() || $readonly,
     );
 
     return $form;
@@ -197,6 +224,12 @@ function jailadmin_config_submit($form, &$form_state) {
     $jail = Jail::Load($form_state['build_info']['args'][0]);
     $dirty = FALSE;
 
+    if (user_access('config ' . $jail->name) == FALSE) {
+        drupal_set_message(t('Access denied'), 'error');
+        $form_state['rebuild'] = TRUE;
+        return;
+    }
+
     if (isset($form_state['values']['route']) && strcmp($jail->route, $form_state['values']['route'])) {
         $jail->route = $form_state['values']['route'];
         $dirty = TRUE;

diff --git a/jailstatus.inc b/jailstatus.inc
@@ -13,7 +13,11 @@ function jailadmin_status($form, &$form_state) {
     $header = array('Jail Name', 'Status', 'Network Status');
     $rows = array();
     foreach ($jails as $jail) {
-        $name = l(t($jail->name), 'jailadmin/' . $jail->name . '/config');
+        if (user_access('config ' . $jail->name) || user_access('view ' . $jail->name . ' config'))
+            $name = l(t($jail->name), 'jailadmin/' . $jail->name . '/config');
+        else
+            $name = t('@name', array('@name' => $jail->name));
+
         $rows[] = array($name, $jail->IsOnlineString(), $jail->NetworkStatus());
     }