authorTed Trask <ttrask01@yahoo.com>2008-05-01 20:49:59 +0000
committerTed Trask <ttrask01@yahoo.com>2008-05-01 20:49:59 +0000
commitfbda79f377ffbad71b38d2ddf273913dc95ab177 (patch)
treecac8faf1dc9d33aa5044140b32f0eba8d2cea3b2
parent21b0abee37316cd578a984c3de0ec878a8b41f72 (diff)
downloadacf-core-fbda79f377ffbad71b38d2ddf273913dc95ab177.tar.bz2
acf-core-fbda79f377ffbad71b38d2ddf273913dc95ab177.tar.xz
Modified roles, logon, and authenticator
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1095 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r--app/Makefile3
-rw-r--r--app/acf-util/logon-html.lsp5
-rw-r--r--app/acf-util/logon-model.lua3
-rw-r--r--app/acf-util/roles-controller.lua33
-rw-r--r--app/acf-util/roles-getlist-html.lsp13
-rw-r--r--app/acf-util/roles-html.lsp38
-rw-r--r--app/acf-util/roles-model.lua9
-rw-r--r--app/acf-util/roles-read-html.lsp28
-rw-r--r--lib/authenticator-plaintext.lua137
-rw-r--r--lib/roles.lua33
-rw-r--r--roles5
11 files changed, 173 insertions, 134 deletions
diff --git a/app/Makefile b/app/Makefile
index cdd42bb..f7e42dc 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -6,9 +6,8 @@ APP_DIST= \
acf-util/logon-model.lua \
acf-util/logon-status-html.lsp \
acf-util/roles-controller.lua \
- acf-util/roles-getlist-html.lsp \
acf-util/roles-model.lua \
- acf-util/roles-read-html.lsp \
+ acf-util/roles-html.lsp \
acf-util/password-controller.lua \
acf-util/password-html.lsp \
acf-util/password-model.lua \
diff --git a/app/acf-util/logon-html.lsp b/app/acf-util/logon-html.lsp
index f503a9b..c4d4bd3 100644
--- a/app/acf-util/logon-html.lsp
+++ b/app/acf-util/logon-html.lsp
@@ -4,11 +4,6 @@
io.write(html.cfe_unpack(form))
--]] ?>
-<? if form.errtxt then ?>
-<h1>Command Result</h1>
-<p class='error'> <?= form.errtxt ?></p>
-<? end ?>
-
<h1><?= form.label ?></h1>
<?
form.action = "logon"
diff --git a/app/acf-util/logon-model.lua b/app/acf-util/logon-model.lua
index 16e9f7f..8fa9e12 100644
--- a/app/acf-util/logon-model.lua
+++ b/app/acf-util/logon-model.lua
@@ -42,8 +42,7 @@ logon = function (self, clientdata, ip_addr, sessiondir, sessiondata)
end
if false == countevent and clientdata.userid and clientdata.password then
- local password_user_md5 = fs.md5sum_string(clientdata.password)
- if auth.authenticate (self, clientdata.userid, password_user_md5) then
+ if auth.authenticate (self, clientdata.userid, clientdata.password) then
-- We have a successful login, change sessiondata
-- for some reason, can't call this function or it skips rest of logon
-- logout(sessiondir, sessiondata)
diff --git a/app/acf-util/roles-controller.lua b/app/acf-util/roles-controller.lua
index b868924..4363cb6 100644
--- a/app/acf-util/roles-controller.lua
+++ b/app/acf-util/roles-controller.lua
@@ -2,12 +2,41 @@
module (..., package.seeall)
+auth = require("authenticator-plaintext")
+roll = require("roles")
+
default_action = "read"
+-- Return your own roles/permissions
read = function(self)
- return ( { userid = self.sessiondata.userinfo.userid, roles = self.sessiondata.userinfo.roles, permissions = self.sessiondata.permissions } )
+ userid = cfe({ value=self.sessiondata.userinfo.userid, label="User Id" })
+ roles = cfe({ type="list", value=self.sessiondata.userinfo.roles, label="Roles" })
+ permissions = cfe({ type="table", value = self.sessiondata.permissions, label="Permissions" })
+ return cfe({ type="group", value={userid=userid, roles=roles, permissions=permissions} })
+end
+
+-- Return roles/permissions for specified user
+viewroles = function(self)
+ if not (self.clientdata.userid) then
+ redirect(self)
+ end
+ userid = cfe({ value=self.clientdata.userid, label="User Id" })
+ roles = cfe({ type="list", value=auth.get_userinfo_roles(self, userid.value), label="Roles" })
+ permissions = cfe({ type="table", value=roll.get_roles_perm(self.conf.appdir, roles.value), label="Permissions" })
+ return cfe({ type="group", value={userid=userid, roles=roles, permissions=permissions} })
+end
+
+-- Return permissions for specified role
+viewperms = function(self)
+ if not (self.clientdata.role) then
+ redirect(self, "getlist")
+ end
+ role = cfe({ value=self.clientdata.role, label="Role" })
+ permissions = cfe({ type="table", value=roll.get_role_perm(self.conf.appdir, role.value), label="Permissions" })
+ return cfe({ type="group", value={role=role, permissions=permissions} })
end
+-- Return list of all permissions
getlist = function(self)
- return( { contlist = self.model:getcont(self)})
+ return cfe({ type="group", value={permissions=self.model:getcont(self)} })
end
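Review bot: `userid`, `roles` and `permissions` in read and viewroles, and `role` in viewperms, are assigned without `local`, so every request writes module-level globals in this `package.seeall` module; nothing in the hunk needs them to outlive the call, so declare each as `local userid = cfe({ ... })` and likewise for the others. The `redirect(self)` / `redirect(self, "getlist")` calls at the top of viewroles and viewperms are not followed by a `return`; unless redirect aborts the handler (its definition is not on the page), execution continues with a nil userid or role and hands it to auth.get_userinfo_roles / roll.get_role_perm, so `return redirect(self)` makes the intent explicit either way. The new `auth = require(...)` and `roll = require(...)` lines are module globals too, which matches the file's existing style but the same `local` treatment applies.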
diff --git a/app/acf-util/roles-getlist-html.lsp b/app/acf-util/roles-getlist-html.lsp
deleted file mode 100644
index 25d8d62..0000000
--- a/app/acf-util/roles-getlist-html.lsp
+++ /dev/null
@@ -1,13 +0,0 @@
-<? local view= ... ?>
-<? --[[
- io.write(html.cfe_unpack(view))
---]] ?>
-
-<h1>Controller Status</h1>
-<? ---[[
-for a,b in pairs(view.contlist) do
- print("<b>",a,"</b>")
- for k,v in pairs(b) do print(v) end
- print("<br>")
-end
---]] ?>
diff --git a/app/acf-util/roles-html.lsp b/app/acf-util/roles-html.lsp
new file mode 100644
index 0000000..4a23c25
--- /dev/null
+++ b/app/acf-util/roles-html.lsp
@@ -0,0 +1,38 @@
+<? local view= ... ?>
+<? --[[
+ io.write(html.cfe_unpack(view))
+--]] ?>
+
+<? ---[[ ?>
+<? if view.value.userid then ?>
+ <H1>Roles/Permission list for <?= view.value.userid.value ?>:</H1>
+<? elseif view.value.role then ?>
+ <H1>Permission list for <?= view.value.role.value ?>:</H1>
+<? else ?>
+ <H1>Complete permission list:</H1>
+<? end ?>
+
+<? if view.value.roles then ?>
+ <H2><?= view.value.userid.value ?> is valid in these roles</H2>
+ <? for a,b in pairs(view.value.roles.value) do
+ print("<li>",b,"</li>")
+ end ?>
+<? end ?>
+<? --]] ?>
+
+<? ---[[ ?>
+<? if view.value.permissions then ?>
+ <? if view.value.userid then ?>
+ <H2><?= view.value.userid.value ?>'s full permissions are</H2>
+ <? elseif view.value.role then ?>
+ <H2><?= view.value.role.value ?>'s full permissions are</H2>
+ <? end ?>
+ <? for x,cont in pairs(view.value.permissions.value) do
+ print("<b>",x,"</b>")
+ for y,act in pairs(cont) do
+ print(y)
+ end
+ print("<br>")
+ end ?>
+<? end ?>
+<? --]] ?>
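Review bot: `view.value.userid.value` and `view.value.role.value` are emitted with `<?= ?>` and no HTML escaping, and in viewroles and viewperms those values come straight from `self.clientdata` (request parameters) in roles-controller.lua, so a crafted userid or role name is reflected into the page as markup. The role names and permission keys printed in the two loops are unescaped as well, although those originate from the passwd and roles files rather than the request. Escape these values before output; the `html` module this template already uses for `html.cfe_unpack` is the natural home for an escaping helper, but the page does not show whether one exists. Minor: the `<? ---[[ ?>` / `<? --]] ?>` pairs around each section are leftovers of the previous template's comment toggles and do nothing here, so dropping them would make the file easier to read.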
diff --git a/app/acf-util/roles-model.lua b/app/acf-util/roles-model.lua
index c3ce2c7..b6e95fd 100644
--- a/app/acf-util/roles-model.lua
+++ b/app/acf-util/roles-model.lua
@@ -9,9 +9,12 @@ getcont = function(self)
controllers = roles.get_controllers(self)
local table_m = {}
for a,b in pairs(controllers) do
- temp = roles.get_controllers_func(self,b)
- table_m[b.sname] = temp
+ table_m[b.sname] = {}
+ temp = roles.get_controllers_func(self,b)
+ for x,y in ipairs(temp) do
+ table_m[b.sname][y] = {}
+ end
end
- return (table_m)
+ return cfe({ type="table", value=table_m, label="All permissions" })
end
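Review bot: `temp` on the new line `temp = roles.get_controllers_func(self,b)` is still assigned without `local` (as is `controllers` on the context line above), so the model leaks per-request state into module globals; `local temp = roles.get_controllers_func(self,b)` is enough. Iterating it with `ipairs` is correct because get_controllers_func builds a sequence (`temp1[#temp1 +1] = a` in lib/roles.lua), but the per-action value `{}` is an empty table whose meaning is not documented; a one-line comment such as `-- action -> empty table, same shape as roles.get_role_perm returns` would help the template author. getcont starts before the hunk.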
diff --git a/app/acf-util/roles-read-html.lsp b/app/acf-util/roles-read-html.lsp
deleted file mode 100644
index ddda93a..0000000
--- a/app/acf-util/roles-read-html.lsp
+++ /dev/null
@@ -1,28 +0,0 @@
-<? local view= ... ?>
-<? --[[
- io.write(html.cfe_unpack(view))
---]] ?>
-
-<? ---[[ ?>
-<H1>Roles/Permission list for <?= view.userid ?>:</H1>
-
-<? if view.roles then ?>
- <H2>You are valid in these roles</H2>
- <? for a,b in pairs(view.roles) do
- print("<li>",b,"</li>")
- end ?>
-<? end ?>
-<? --]] ?>
-
-<? ---[[ ?>
-<? if view.permissions then ?>
- <H2>Your full permissions are</H2>
- <? for x,cont in pairs(view.permissions) do
- print("<b>",x,"</b>")
- for y,act in pairs(cont) do
- print(y)
- end
- print("<br>")
- end ?>
-<? end ?>
-<? --]] ?>
diff --git a/lib/authenticator-plaintext.lua b/lib/authenticator-plaintext.lua
index b8cf598..c68ec2b 100644
--- a/lib/authenticator-plaintext.lua
+++ b/lib/authenticator-plaintext.lua
@@ -57,39 +57,6 @@ pvt.get_id = function(userid, authstruct)
return nil
end
---- public methods
-
--- This function returns true or false, and
--- if false: the reason for failure
-authenticate = function ( self, userid, password )
- password = password or ""
- userid = userid or ""
-
- local t = pvt.parse_authfile(self.conf.confdir .. "/passwd")
-
- if t == false then
- return false, "password file is missing"
- else
- if userid ~= nil then
- local id = pvt.get_id (userid, t)
- if id == false or id == nil then
- return false, "Userid not found"
- end
- if id.password ~= password then
- return false, "Invalid password"
- end
- else
- return false
- end
- return true
- end
-end
-
-pvt.permission_to_change = function()
- --FIXME: Check if user is allowed to change things
- return true
-end
-
pvt.weak_password = function(password)
-- If password is too short, return false
if (#password < 4) then
@@ -149,6 +116,35 @@ local validate_settings = function (self, userid, username, password, password_c
return true, errormessage
end
+--- public methods
+
+-- This function returns true or false, and
+-- if false: the reason for failure
+authenticate = function ( self, userid, password )
+ password = password or ""
+ userid = userid or ""
+
+ local t = pvt.parse_authfile(self.conf.confdir .. "/passwd")
+
+ if t == false then
+ return false, "password file is missing"
+ end
+
+ if userid ~= nil then
+ local id = pvt.get_id (userid, t)
+ if id == false or id == nil then
+ return false, "Userid not found"
+ end
+ if id.password ~= fs.md5sum_string(password) then
+ return false, "Invalid password"
+ end
+ else
+ return false
+ end
+
+ return true
+end
+
-- This function returns the username and roles
-- or false on an error
get_userinfo = function ( self, userid )
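Review bot: The `else return false end` branch of the moved authenticate is dead code: `userid = userid or ""` a few lines earlier guarantees `userid ~= nil`, so an absent userid now goes through pvt.get_id with an empty string and returns `false, "Userid not found"` rather than the bare `false`; collapse the guard to `local id = pvt.get_id (userid, t)` and drop the else. The check `id.password ~= fs.md5sum_string(password)` now does the hashing here instead of in logon-model.lua, which is the right layer for it, but the function's header comment should say that the passwd file holds an unsalted MD5 of the password and that callers must pass the plaintext (the only visible caller, logon-model.lua, now does). `fs` is not brought into scope by any visible hunk of this file; if it is not already required at the top of the file, this comparison fails at runtime.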
@@ -183,18 +179,27 @@ list_users = function (self)
end
end
+
list_roles = function (self)
local output = {"CREATE","UPDATE","DELETE","READ"}
return output
end
-change_settings = function (self, userid, parameter, value)
+change_setting = function (self, userid, parameter, value)
+ local result = true
local errormessage = {}
- local passwd_path = self.conf.confdir .. "/passwd"
- -- We start by checking if user is allowed to do changes
- if not (pvt.permission_to_change) then
- errormessage.permissions = "No permission to change!"
+ -- Get the current user info
+ local userinfo = get_userinfo(self, userid)
+ if userinfo == nil then
+ errormessage.userid = "This userid does not exist!"
+ result = false
+ end
+
+ -- Check if user entered available commands
+ if not (userid) or not (parameter) or not (pvt.availablefields(parameter)) or not (value) then
+ errormessage.userid = "You need to enter valid userid, parameter and value!"
+ result = false
end
-- Check if userid already used
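Review bot: The new check `if userinfo == nil then` in change_setting does not match get_userinfo's documented contract (`-- or false on an error`, in the previous hunk), so a missing user yields `userinfo == false`, `result` stays true, and the later `userinfo[parameter] = value` in the next hunk raises an index-a-boolean error; use `if not userinfo then`. The second validation also overwrites `errormessage.userid` set by the first, so when both apply only the last message survives; keying the first message as `errormessage.userid` and the second as a separate field would preserve both. change_setting's body continues in the next hunk.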
@@ -202,52 +207,34 @@ change_settings = function (self, userid, parameter, value)
for k,v in pairs(list_users(self)) do
if (v == value) then
errormessage.userid = "This userid already exists!"
+ result = false
end
end
end
- -- Check if user entered available commands
- if not (userid) or not (parameter) or not (pvt.availablefields(parameter)) then
- errormessage.userid = "You need to enter valid userid, parameter and value!"
- end
-
- -- Check if password is weak
- if (parameter == "password") then
- local weak_password_result, weak_password_errormessage = pvt.weak_password(value)
- if (weak_password_result) then
- errormessage.password = weak_password_errormessage
+ if result == true then
+ -- Validate parameter
+ userinfo[parameter] = value
+ local password, password_confirm
+ if (parameter == "password") then
+ userinfo.password = fs.md5sum_string(value)
+ password = value
+ password_confirm = value
end
+ result, errormessage = validate_settings(self, username.userid, userinfo.username, password, password_confirm, userinfo.roles)
end
- -- Return false if some errormessages is set
- for k,v in pairs(errormessage) do
- return false, errormessage
- end
-
- -- If the parameter is password, then scramble the password
- if (parameter == "password") then
- value = fs.md5sum_string(value)
- end
+ -- Write the updated user
+ if (result == true) then
+ delete_user(self, userid)
- local passwdfilecontent = fs.read_file_as_array(passwd_path)
- local changes
- for k,v in pairs(passwdfilecontent) do
- if ( string.match(v, "^".. userid .. ":") ) then
- changes = {}
- -- Get current values
- changes.userid, changes.password, changes.username, changes.roles =
- string.match(v, "([^:]*):([^:]*):([^:]*):(.*)")
- -- Actually change the value (remove all ':')
- changes[parameter] = string.gsub(value, ":", "")
- -- Update the table with the new values
- passwdfilecontent[k] = changes.userid .. ":" .. changes.password .. ":".. changes.username .. ":" .. changes.roles
- end
+ -- Set path to passwordfile
+ local passwd_path = self.conf.confdir .. "/passwd"
+ -- Write the newline into the file
+ fs.write_line_file(passwd_path, userinfo.userid .. ":" .. userinfo.password .. ":" .. userinfo.username .. ":" .. table.concat(userinfo.roles,",") )
end
-
- --Write changes to file
- fs.write_file(passwd_path, table.concat(passwdfilecontent,"\n"))
- return true
+ return result, errormessage
end
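Review bot: `validate_settings(self, username.userid, ...)` indexes `username`, which is not a local of change_setting (the hunk declares `result`, `errormessage`, `userinfo`, `password` and `password_confirm`), so it resolves to a nil global and every call that reaches this line fails with an index-a-global error; the intended argument is `userinfo.userid`. The old implementation stripped ':' from the new value (`string.gsub(value, ":", "")`) before writing the colon-delimited record, whereas the new code writes `userinfo[parameter]` verbatim, so unless validate_settings rejects ':' (its body is above the hunk and not visible) a value containing ':' produces a record with extra fields. `delete_user(self, userid)` runs before `fs.write_line_file`, so a failed write loses the user entirely; writing first, or checking the write result before deleting, would be safer. change_setting starts in the previous hunk.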
-- For an existing user, change the settings that are non-nil
@@ -278,7 +265,7 @@ change_settings = function (self, userid, username, password, password_confirm,
end
userinfo.roles = roles or userinfo.roles
- -- write the updated user
+ -- Write the updated user
delete_user(self, userid)
-- Set path to passwordfile
diff --git a/lib/roles.lua b/lib/roles.lua
index 806be67..768e96f 100644
--- a/lib/roles.lua
+++ b/lib/roles.lua
@@ -48,7 +48,7 @@ get_controllers_func = function(self,controller_info)
temp1 = {}
for a,b in pairs(temp) do
local c = string.match(a,"mvc") or string.match(a,"^_")
- if c == nil then
+ if c == nil and type(temp[a])=="function" then
temp1[#temp1 +1] = a
end
end
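Review bot: On the changed line, `temp[a]` is the same value as the loop variable `b` from `for a,b in pairs(temp)`, so `if c == nil and type(b)=="function" then` says the same thing without the second lookup. The filter itself is a reasonable tightening, since non-function module fields (the `default_action` string in roles-controller.lua, for instance) no longer appear as actions. get_controllers_func starts before the hunk.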
@@ -106,3 +106,34 @@ get_roles_perm = function(startdir,roles)
return permissions
end
+-- Go through the roles files and determine the permissions for the specified role
+get_role_perm = function(startdir,role)
+ permissions = {}
+
+ -- find all of the roles files and add in the master file
+ local rolesfiles = get_roles_candidates(startdir)
+ rolesfiles[#rolesfiles + 1] = "/etc/acf/roles"
+
+ for x,file in ipairs(rolesfiles) do
+ f = fs.read_file_as_array(file)
+ for y,line in pairs(f) do
+ if role == string.match(line,"^[%a]+") then
+ temp = format.string_to_table(string.match(line,"[,%a:]+$"),",")
+ for z,perm in pairs(temp) do
+ local control,action = string.match(perm,"(%a+):(%a+)")
+ if control then
+ if nil == permissions[control] then
+ permissions[control] = {}
+ end
+ if action and nil == permissions[control][action] then
+ permissions[control][action] = {}
+ end
+ end
+ end
+ end
+ end
+ end
+
+ return permissions
+end
+
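Review bot: get_role_perm writes `permissions`, `f` and `temp` as globals (no `local`), so two overlapping calls, or a call nested inside get_roles_perm, share and clobber the same tables; declare all three `local`. The function appears to be the single-role form of get_roles_perm directly above it, so `return get_roles_perm(startdir, {role})` may be able to replace the whole body if get_roles_perm loops over its roles list the same way (its body is outside the hunk). The role-name pattern `^[%a]+` and the permission pattern `[,%a:]+$` accept letters only, so a role, controller or action name containing digits or underscores silently yields no permissions; a comment at the top of the function stating that restriction would save the next reader a debugging session.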
diff --git a/roles b/roles
index 0eadd69..e4300cf 100644
--- a/roles
+++ b/roles
@@ -1,4 +1,3 @@
ALL=welcome:read,logon:logon,logon:logout,logon:status
-CREATE=password:status,password:edituser,password:newuser,password:deleteuser
-READ=password:editme
-NONE=roles:read,roles:getlist
+CREATE=password:status,password:edituser,password:newuser,password:deleteuser,roles:getlist,roles:viewroles,roles:viewperms
+READ=password:editme,roles:read