authorTed Trask <ttrask01@yahoo.com>2008-07-25 12:27:56 +0000
committerTed Trask <ttrask01@yahoo.com>2008-07-25 12:27:56 +0000
commit5f3e0f0ef47c94c39528ec3bf6dc96c281a9aeb6 (patch)
tree37de369df67cbea7cde0bc3cf12825a21c75febf /tinydns-model.lua
parentda2aa81f7cf24ec58c78f781d13fb6dda0c18dd1 (diff)
Modified tinydns to remove dnsfiles from session and replace with calls to authenticator. Added in pages for managing tinydns permissions.
git-svn-id: svn://svn.alpinelinux.org/acf/tinydns/trunk@1318 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'tinydns-model.lua')
-rw-r--r--tinydns-model.lua115
1 files changed, 90 insertions, 25 deletions
diff --git a/tinydns-model.lua b/tinydns-model.lua
index 9f73000..f623851 100644
--- a/tinydns-model.lua
+++ b/tinydns-model.lua
@@ -6,9 +6,11 @@ require("getopts")
require("fs")
require("format")
require("validator")
+require("authenticator")
-- Set variables
local configfiles = {}
+local configuser
local packagename = "tinydns"
local processname = "tinydns"
local configfile = "/etc/conf.d/" .. processname
@@ -91,12 +93,25 @@ local function split_config_items(orgitem)
return output
end
--- Feed the configfiles table with list of all available and allowed configfiles
-local function searchforconfigfiles(allowedlist)
- if #configfiles > 0 then return configfiles end
+local function getallowedlist(self, userid)
+ local allowedlist = {}
+ local entry = authenticator.read_userentry(self, "tinydns", userid) or ""
+ for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end
+ -- FIXME also check to see if there are allowed files for this user's roles
+-- local roles = authenticator.get_userinfo_roles(self, userid)
+ return allowedlist
+end
+
+-- Feed the configfiles table with list of all configfiles that are available and allowed
+-- Default to allowing all files if no userid or allowed list
+local function searchforconfigfiles(self, userid)
+ if #configfiles > 0 and configuser == userid then
+ return configfiles
+ end
local cnffile = {}
recursedir(configdir, cnffile)
- if allowedlist then
+ local allowedlist = getallowedlist(self, userid)
+ if allowedlist and #allowedlist > 0 then
local reverseallowed = {}
for x,name in ipairs(allowedlist) do reverseallowed[name] = x end
for k,v in pairs(cnffile) do
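Review bot: `searchforconfigfiles` fails open: when `getallowedlist` returns an empty table, the `#allowedlist > 0` test falls through to the branch that hands back every file found under `configdir`. Because `getallowedlist` turns a nil result from `authenticator.read_userentry` into `""`, a nil `userid`, a user with no entry and (if the authenticator signals errors with nil) a failed read all look the same as "unrestricted". If this default is intended, state it at the decision point, for example `-- SECURITY: an empty or unreadable "tinydns" entry grants this user every file under configdir`. Otherwise have `getallowedlist` distinguish "no entry" from "read failed" and deny on the latter. The body of `searchforconfigfiles` continues past the end of this hunk.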
@@ -107,6 +122,7 @@ local function searchforconfigfiles(allowedlist)
else
configfiles = cnffile
end
+ configuser = userid
return configfiles
end
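Review bot: The cache set by `configuser = userid` is keyed only on the user id and is never invalidated when that user's permissions change. `setuserpermissions` and the permission update in `createconfigfile` both rewrite the "tinydns" entry but leave `configfiles` and `configuser` untouched, so a later call for the same `userid` in the same Lua state would return the old file list. If the module can outlive a single request, reset the cache after a successful write with `configfiles, configuser = {}, nil`. The function starts outside this hunk.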
@@ -171,8 +187,8 @@ end
-- If you enter 'filter_type' (this should be one of the options found in local function check_signs() ) then
-- the output will be filtered to only contain this type of data.
-function getconfigobjects(file_name, allowedfiles, filter_type)
- configfiles = searchforconfigfiles(allowedfiles)
+function getconfigobjects(self, file_name, userid, filter_type)
+ configfiles = searchforconfigfiles(self, userid)
local configobjects = {}
--Loop through all available configfiles
for i,filename in pairs(configfiles) do
@@ -229,13 +245,13 @@ function getconfigobjects(file_name, allowedfiles, filter_type)
return cfe({ type="structure", value=configobjects, label="DNS Entries", filename=file_name, fieldlabels=descr.fieldlabels })
end
-function getfilelist(allowedfiles)
- configfiles = searchforconfigfiles(allowedfiles)
+function getfilelist(self, userid)
+ configfiles = searchforconfigfiles(self, userid)
return cfe({ type="list", value=configfiles, label="List of config files" })
end
-function get_filedetails(path, allowedfiles)
- configfiles = searchforconfigfiles(allowedfiles)
+function get_filedetails(self, path, userid)
+ configfiles = searchforconfigfiles(self, userid)
if not validfilename(path) then
local result = modelfunctions.getfiledetails("")
result.value.filename.value = path
@@ -245,8 +261,8 @@ function get_filedetails(path, allowedfiles)
end
end
-function set_filedetails (filedetails, allowedfiles)
- configfiles = searchforconfigfiles(allowedfiles)
+function set_filedetails (self, filedetails, userid)
+ configfiles = searchforconfigfiles(self, userid)
filedetails.value.filecontent.value = string.gsub(format.dostounix(filedetails.value.filecontent.value), "\n+$", "")
local success, errtxt = validfilename(filedetails.value.filename.value)
if success then
@@ -266,7 +282,7 @@ function getnewconfigfile()
return cfe({ type="group", value=options, label="New config file" })
end
-function createconfigfile(self, configfile, allowedfiles)
+function createconfigfile(self, configfile, userid)
configfile.errtxt = "Failed to create file"
local path = configfile.value.filename.value
local validfilepath, filepatherror = validator.is_valid_filename(path,configdir)
@@ -278,16 +294,12 @@ function createconfigfile(self, configfile, allowedfiles)
file:close()
configfile.errtxt = nil
- -- We have to add this file to the allowed list
- local found = false
- for i,name in ipairs(allowedfiles) do
- if name == configfile.value.filename.value then found = true break end
- end
- if not found then
- -- this modifies the session
- allowedfiles[#allowedfiles + 1] = configfile.value.filename.value
- require("authenticator")
- authenticator.change_setting(self, self.sessiondata.userinfo.userid, "dnsfiles", allowedfiles)
+ -- We have to add this file to the allowed list, if there is one
+ -- FIXME - what do we do here when there is role support?
+ local perm = getuserpermissions(self, userid)
+ if #perm.value.allowed.value then
+ perm.value.allowed.value[#perm.value.allowed.value + 1] = path
+ setuserpermissions(self, perm)
end
end
else
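Review bot: `if #perm.value.allowed.value then` is always true, because in Lua only `nil` and `false` are falsy and a length of `0` is truthy. A user with an empty allowed list (which this file treats as "all files allowed") therefore ends up with a list holding only the new path, and is restricted to that one file after creating it. The guard should be `if #perm.value.allowed.value > 0 then` to match the "if there is one" comment above it. The result of `setuserpermissions(self, perm)` is also discarded, so a validation failure there leaves `configfile.errtxt` as nil. `createconfigfile` begins outside this hunk.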
@@ -297,8 +309,8 @@ function createconfigfile(self, configfile, allowedfiles)
return configfile
end
-function remove_file(path, allowedfiles)
- configfiles = searchforconfigfiles(allowedfiles)
+function remove_file(self, path, userid)
+ configfiles = searchforconfigfiles(self, userid)
local success = "Failed to delete file"
local errtxt
if not (fs.is_file(path)) then
@@ -313,3 +325,56 @@ function remove_file(path, allowedfiles)
end
return cfe({ value=success, label="Delete config file result", errtxt=errtxt })
end
+
+function getpermissionslist(self)
+ local users = authenticator.list_users(self)
+ local output = {}
+ for i,user in ipairs(users) do
+ local allowedlist = {}
+ local entry = authenticator.read_userentry(self, "tinydns", user) or ""
+ for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end
+ output[#output + 1] = {id=user, allowed=allowedlist}
+ end
+ table.sort(output, function(a,b) return a.id < b.id end)
+ -- FIXME - need to check for roles as well as users
+ return cfe({ type="structure", value=output, label="TinyDNS Permissions" })
+end
+
+local function validateuserpermissions(self, userpermissions)
+ local success = false
+ userpermissions.value.userid.errtxt = "Invalid user"
+ local users = authenticator.list_users(self)
+ for i,user in ipairs(users) do
+ if userpermissions.value.userid.value == user then
+ userpermissions.value.userid.errtxt = nil
+ success = true
+ break
+ end
+ end
+ success = success and modelfunctions.validatemulti(userpermissions.value.allowed)
+ return success, userpermissions
+end
+
+function getuserpermissions(self, userid)
+ local allowedlist = {}
+ local entry = authenticator.read_userentry(self, "tinydns", userid) or ""
+ for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end
+ local cnffile = {}
+ recursedir(configdir, cnffile)
+ local allowed = cfe({ type="multi", value=allowedlist, label="TinyDNS Permissions", option=cnffile, descr="If no permissions are defined, then all are allowed" })
+ local user = cfe({ value=userid, label="User Name" })
+ local output = cfe({ type="group", value={userid=user, allowed=allowed}, label="TinyDNS Permissions" })
+ validateuserpermissions(self, output)
+ return output
+end
+
+function setuserpermissions(self, userpermissions)
+ local success, userpermissions = validateuserpermissions(self, userpermissions)
+
+ if success then
+ authenticator.write_userentry(self, "tinydns", userpermissions.value.userid.value, table.concat(userpermissions.value.allowed.value, ","))
+ else
+ userpermissions.errtxt = "Failed to set user permissions"
+ end
+ return userpermissions
+end
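Review bot: `setuserpermissions` ignores the result of `authenticator.write_userentry`, so a write that fails still returns `userpermissions` with no `errtxt` and the caller sees success. If the authenticator reports failure through its return value (not visible on this page), the write should be checked, e.g. `if not authenticator.write_userentry(...) then userpermissions.errtxt = "Failed to set user permissions" end`. Separately, the `string.gmatch(entry, "([^,]+),?")` parsing loop is repeated in `getpermissionslist` and `getuserpermissions` although `getallowedlist` already does the same work. Calling that helper would keep the entry format in one place.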