From curc...@apache.org
Subject [whimsy] branch master updated: Refactor auth code and display better warnings about private access
Date Tue, 21 May 2019 21:49:44 GMT
This is an automated email from the ASF dual-hosted git repository.

curcuru pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new 27d9985  Refactor auth code and display better warnings about private access
27d9985 is described below

commit 27d99850939582751e8e35c1247310022bf6858d
Author: Shane Curcuru <asf@shanecurcuru.org>
AuthorDate: Tue May 21 17:47:57 2019 -0400

    Refactor auth code and display better warnings about private access
---
 tools/wwwdocs.rb         | 45 ++++++++++++++++++++++++++++++++++++---------
 www/members/repo-use.cgi | 15 +++++++++++++--
 2 files changed, 49 insertions(+), 11 deletions(-)

diff --git a/tools/wwwdocs.rb b/tools/wwwdocs.rb
index 9036739..d18e663 100755
--- a/tools/wwwdocs.rb
+++ b/tools/wwwdocs.rb
@@ -18,6 +18,7 @@ AUTHPUBLIC = 'glyphicon-eye-open'
 IS_PRIVATE = /\A(private|infra\/infrastructure)/
 ASFSVN = 'ASF::SVN'
 SCANDIRSVN = "../"
+WWWAUTH = /WWW-Authenticate: Basic realm/
 
 # Output ul of key of AUTHMAP for use in helpblock
 def emit_authmap
@@ -34,7 +35,20 @@ def emit_authmap
     end
   end
 end
-# Return [PAGETITLE, [cat,egories] ] after WVisible; or same as !Bogosity error
+
+# Output a span with the auth level
+def emit_auth_level(level)
+  if level
+    _span class: level, aria_label: "#{AUTHMAP.key(level)}" do
+      _span.glyphicon.glyphicon_lock :aria_hidden
+    end
+  else
+    _span.glyphicon :aria_hidden, class: "#{AUTHPUBLIC}"
+  end
+end
+
+# Scan single file for PAGETITLE and categories when WVisible
+# @return [PAGETITLE, [cat,egories] ] or ["!Bogosity error", "stacktrace"]
 def scan_file(f)
   begin
     File.open(f).each_line.map(&:chomp).each do |line|
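Review bot: In emit_auth_level the values passed as `aria_label: "#{AUTHMAP.key(level)}"` and `class: "#{AUTHPUBLIC}"` are wrapped in interpolation for no reason; the only effect of the first one is to turn a nil from `AUTHMAP.key(level)` (a level that is not a value in AUTHMAP, whose contents are outside this hunk) into an empty aria-label silently. Making that explicit reads better: `_span class: level, aria_label: AUTHMAP.key(level).to_s do` and `_span.glyphicon :aria_hidden, class: AUTHPUBLIC`. The new method also has no parameter documentation; a line such as `# @param level [String, nil] AUTHMAP value (CSS class) for the realm, or nil for a public page` above the def would tell the caller what to pass, since the later hunk derives it from `AUTHMAP[realm]`.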
@@ -49,6 +63,7 @@ def scan_file(f)
 end
 
 # Return data only about WVisible cgis, plus any errors
+# @return [ [PAGETITLE, [cat,egories] ], ... ]
 def scan_dir(dir)
   links = {}
   Dir["#{dir}/**/*.cgi".untaint].each do |f|
@@ -59,6 +74,7 @@ def scan_dir(dir)
 end
 
 # Process authldap so we can annotate links with access hints
+# @return { "/path" => "auth realm",... }
 def get_auth()
     node = ASF::Git.find('infrastructure-puppet')
     if node
@@ -78,7 +94,10 @@ def get_auth()
     return auth
 end
 
-# Annotate scan entries with hints only for paths that require auth
+# Annotate scan_dir entries with hints only for paths that require auth
+# Side Effects:
+#   - REMOVES any error scan entries
+#   - Adds array element of auth realm if login required
 def annotate_scan(scan, auth)
   annotated = scan.reject{ |k, v| v[1] =~ /\A#{ISERR}/ }
   annotated.each do |path, ary|
@@ -118,13 +137,15 @@ def build_regexp(list)
   return Regexp.union(r)
 end
 
-# Scan file for use of ASF::SVN (private or public)
-# @return [["x = ASF::SVN['Meetings'] # Whole line private repo", ...], [] ]
+# Scan file for use of ASF::SVN symbolic names like apmail_bin
+# @return [["x = ASF::SVN['Meetings'] # Whole line of code accessing private repo", ...],
[<public repos same>], 'WWW-Authenticate code line' ]
 def scan_file_svn(f, regexs)
-  repos = [[], []]
+  repos = [[], [], []]
   begin
     File.open(f).each_line.map(&:chomp).each do |line|
-      if line =~ regexs[0] then
+      if line =~ WWWAUTH then # Fastest compare first
+        repos[2] << line.strip
+      elsif line =~ regexs[0] then
         repos[0] << line.strip
       elsif line =~ regexs[1] then
         repos[1] << line.strip
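Review bot: The new @return comment describes the third element as a single `'WWW-Authenticate code line'`, but `repos = [[], [], []]` makes it an Array and `repos[2] << line.strip` appends every matching line; the consumer in www/members/repo-use.cgi calls `.length` and `.each` on it. I would write the contract as `# @return [[private-repo lines, ...], [public-repo lines, ...], [WWW-Authenticate lines, ...]]`. As a point of style, the three branches could use `WWWAUTH.match?(line)` / `regexs[0].match?(line)` instead of `=~`, since no captures are used. The body of scan_file_svn continues past the end of this hunk.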
@@ -137,13 +158,19 @@ def scan_file_svn(f, regexs)
 end
 
 # Scan directory for use of ASF::SVN (private or public)
-# @return { file: [['private line'], []] }
-def scan_dir_svn(dir, regexs)
+# @return { "file" => [['private line', ...], ['public svn', ...], 'WWW-Authenticate code
line' (, 'authrealm')] }
+def scan_dir_svn(dir, regexs, auth = get_auth())
   links = {}
+  auth = get_auth()
   Dir["#{dir}/**/*.{cgi,rb}".untaint].each do |f|
     l = scan_file_svn(f.untaint, regexs)
     if (l[0].length + l[1].length) > 0
-      links[f.sub(dir, '')] = l
+      fbase = f.sub(dir, '')
+      realm = auth.select { |k, v| fbase.sub('/www', '').match(/\A#{k}/) }
+      if realm.values.first
+        l << AUTHMAP[realm.values.first]
+      end
+      links[fbase] = l
     end
   end
   return links
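Review bot: The new `auth = get_auth()` parameter is dead code: the first statement of the body, `auth = get_auth()`, unconditionally overwrites it, so a caller-supplied auth map is ignored and a call with the default runs get_auth twice. Deleting that body line (and writing the default as `auth = get_auth` without parens) makes the parameter do what the signature promises. In the select block each auth key is interpolated unescaped into `/\A#{k}/`, and `fbase.sub('/www', '')` is recomputed per key; hoisting it and escaping the key avoids both: `rel = fbase.sub('/www', '')` then `realm = auth.select { |k, _v| rel.match?(/\A#{Regexp.escape(k)}/) }`. Note also that `realm.values.first` takes whichever matching key comes first in hash order rather than the longest prefix, which matters if auth paths can nest (I cannot tell from the hunk).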
diff --git a/www/members/repo-use.cgi b/www/members/repo-use.cgi
index 8dd792d..d6c1180 100755
--- a/www/members/repo-use.cgi
+++ b/www/members/repo-use.cgi
@@ -19,7 +19,10 @@ _html do
         "https://github.com/apache/whimsy/blob/master/www#{ENV['SCRIPT_NAME']}" => 'See
This Source Code'
       },
       helpblock: -> {
-        _p 'This scans the whimsy repo for uses of ASF::SVN, either public or private repos.'
+        _p.pull_right do
+          _ 'This scans the whimsy repo for uses of ASF::SVN, either public or private repos.
 It also shows the httpd auth level required to run a script: the graphical key shows which
authentication realm is needed.'
+        end
+        emit_authmap
       }
     ) do
       priv, pub = read_repository(File.expand_path('../../../repository.yml', __FILE__))
@@ -33,11 +36,15 @@ _html do
               _th 'Private repos used'
               _th 'Public repos used'
             end
-            scan.each do |file, (privlines, publines)|
+            scan.each do |file, (privlines, publines, wwwauth, authrealm)|
               _tbody do
                 _tr_ do
                   _td :colspan => '2' do
+                    emit_auth_level(authrealm)
                     _code file
+                    if authrealm.nil? && (privlines.length > 0) && (wwwauth.length
== 0)
+                      _span.text_warning ' NOTE! Script accesses private repo without apparent
auth!'
+                    end
                   end
                 end
                 _tr do
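Review bot: The warning condition `authrealm.nil? && (privlines.length > 0) && (wwwauth.length == 0)` is written in a length-comparison style that Ruby idiom expresses as `if authrealm.nil? && !privlines.empty? && wwwauth.empty?`. Since the heuristic is non-obvious to a reader of the template, a short comment above it would help, e.g. `# Warn when a script touches a private repo but neither an httpd auth realm nor an in-script WWW-Authenticate header was found`. The enclosing `_html do` block and the `scan.each` loop both continue outside this hunk.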
@@ -46,6 +53,10 @@ _html do
                       _ l
                       _br
                     end
+                    wwwauth.each do |w|
+                      _ w
+                      _br
+                    end
                   end
                   _td do
                     publines.each do |l|
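Review bot: The added `wwwauth.each do |w| _ w; _br end` loop is the third copy of the same emit-line/line-break shape used for privlines just above and publines just below; a small helper such as `def emit_lines(lines)` / `lines.each { |l| _ l; _br }` / `end`, defined alongside emit_auth_level, would replace all three calls. As the WWW-Authenticate lines are appended to the same cell as the private-repo lines with nothing separating them, the reader may not be able to tell the two kinds apart; I cannot see the cell's heading from this hunk, so this is a presentation question to confirm. The enclosing `_td do` starts outside the hunk.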

