From 6be408a2b328483c8e7b56f9a6cbeb17af5fc70c Mon Sep 17 00:00:00 2001 From: Aidaho12 Date: Thu, 5 Apr 2018 09:34:17 +0600 Subject: [PATCH] 1.10 Improved security --- README.md | 13 ++++++--- cgi-bin/add.py | 7 +++-- cgi-bin/config.py | 3 +- cgi-bin/configver.py | 3 +- cgi-bin/delver.py | 4 ++- cgi-bin/edit.py | 11 ++++---- cgi-bin/funct.py | 65 ++++++++++++++++++++++++++++---------------- cgi-bin/login.py | 8 +++++- index.html | 2 +- 9 files changed, 75 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 50ab69db..646c34ed 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,9 @@ A simple web interface(user-frendly web GUI) for managing Haproxy servers. Leave 12. Telegram notification # Install -Can be used as a service, or via fastaci apache + fastCGI(recommend, because it works faster), how to use the service: +Can be used as a service, or via fastaci apache + fastCGI(recommend, because it works faster). + +How to use the service: For install just dowload archive and untar somewhere: ``` @@ -29,12 +31,15 @@ $ cd /opt/haproxy-wi $ chmod +x install.sh $ sudo ./install.sh ``` -Edit listserv.py, add your HAproxy servers. + +For Apache just do virtualhost with cgi-bin. ![alt text](image/7.jpeg "Overview page") # Settings -Edit haproxy-webintarface.config with your env +Edit $HOME_HAPROXY-WI/cgi-bin/listserv.py, add your HAproxy servers. + +Edit $HOME_HAPROXY-WI/cgi-bin/haproxy-webintarface.config with your env Copy ssh key on all HAproxy servers @@ -47,7 +52,7 @@ For Runtime API enable state file on HAproxt servers and need install socat on a ``` ![alt text](image/4.jpeg "View logs page") -# Start and auto start +# Start and autostart if service ``` systemctl enable haproxy-wi.service systemctl start haproxy-wi.service diff --git a/cgi-bin/add.py b/cgi-bin/add.py index 77e0e0d6..51282b88 100644 --- a/cgi-bin/add.py +++ b/cgi-bin/add.py 
@@ -18,6 +18,7 @@ funct.check_login() path_config = "haproxy-webintarface.config" config = configparser.ConfigParser() config.read(path_config) +funct.page_for_admin(level = 1) haproxy_configs_server = config.get('configs', 'haproxy_configs_server') hap_configs_dir = config.get('configs', 'haproxy_save_configs_dir') @@ -242,7 +243,7 @@ print('' '' '' '') -funct.mode_admin("Add Listen") +funct.get_button("Add Listen") print('' '' '' @@ -325,7 +326,7 @@ print('' '' '' '') -funct.mode_admin("Add Frontend") +funct.get_button("Add Frontend") print('' '' '' @@ -438,7 +439,7 @@ print('' '' '' '') -funct.mode_admin("Add Backend") +funct.get_button("Add Backend") print('' '' '' diff --git a/cgi-bin/config.py b/cgi-bin/config.py index d82192b5..446c1f9a 100644 --- a/cgi-bin/config.py +++ b/cgi-bin/config.py @@ -18,6 +18,7 @@ servNew = form.getvalue('serNew') funct.head("Edit HAproxy config") funct.check_config() funct.check_login() +funct.page_for_admin(level = 1) path_config = "haproxy-webintarface.config" config = configparser.ConfigParser() @@ -46,7 +47,7 @@ if form.getvalue('serv') is not None and form.getvalue('open') is not None : print('' % cfg) print('' % conf.read()) print('

') - funct.mode_admin("Save and restart") + funct.get_button("Save and restart") print('

') conf.close diff --git a/cgi-bin/configver.py b/cgi-bin/configver.py index 721cb8be..75aba567 100644 --- a/cgi-bin/configver.py +++ b/cgi-bin/configver.py @@ -18,6 +18,7 @@ configver = form.getvalue('configver') funct.head("Old Versions HAproxy config") funct.check_config() funct.check_login() +funct.page_for_admin(level = 1) path_config = "haproxy-webintarface.config" config = configparser.ConfigParser() @@ -67,7 +68,7 @@ if serv is not None and form.getvalue('open') is not None: print('') funct.show_config(configver) print('
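Review bot: `conf.close` on the last context line of the second config.py hunk is a bare attribute reference, not a call, so the file handle that `conf.read()` used is never closed explicitly. It should read `conf.close()`, or the read should move into a `with` block where `conf` is opened (that line is outside the hunk). The enclosing `if` block also starts outside the hunk.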

') - funct.mode_admin("Upload and restart") + funct.get_button("Upload and restart") print('

') diff --git a/cgi-bin/delver.py b/cgi-bin/delver.py index ad1feb83..7d471f73 100644 --- a/cgi-bin/delver.py +++ b/cgi-bin/delver.py @@ -18,6 +18,8 @@ config.read(path_config) hap_configs_dir = config.get('configs', 'haproxy_save_configs_dir') +funct.page_for_admin(level = 2) + funct.chooseServer("delver.py#conf", "Delete Versions HAproxy config", "n") if serv is not None and form.getvalue('open') is not None: @@ -40,7 +42,7 @@ if serv is not None and form.getvalue('open') is not None: print('') print('') print('

') - funct.mode_admin("Delete", level="admin") + funct.get_button("Delete") print('

') Select = form.getvalue('del') diff --git a/cgi-bin/edit.py b/cgi-bin/edit.py index 96e74505..e09d8a9c 100644 --- a/cgi-bin/edit.py +++ b/cgi-bin/edit.py @@ -81,17 +81,18 @@ print('' '' '') print('' % (backend, autofocus)) print('' - '' + '' '') -funct.mode_admin("Enter") +funct.get_button("Enter") print('' '') diff --git a/cgi-bin/funct.py b/cgi-bin/funct.py index 0fdcf9ab..5d1d66fc 100644 --- a/cgi-bin/funct.py +++ b/cgi-bin/funct.py @@ -62,7 +62,7 @@ def check_login(**kwargs): role = cookie.get('role') ref = os.environ.get("SCRIPT_NAME") - if kwargs.get("admins_area") == "1" and role.value != "admin": + if kwargs.get("admins_area") == "1" and role.value != "2": print('') if login is None: @@ -77,31 +77,45 @@ def show_login_links(): else: print('
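Review bot: `funct.get_button("Enter")` in edit.py now renders the submit button for every visitor, and this hunk adds no `funct.page_for_admin(...)` call, unlike add.py, config.py, configver.py and delver.py in the same commit. The old `mode_admin("Enter")` at least withheld the button from roles below editor, so unless edit.py checks the role somewhere outside this hunk, the page is left with no authorization check of its own. Add a guard such as `funct.page_for_admin(level = 1)` near the top of the script. The code that acts on the submitted form should enforce the same level rather than depend on the button being absent.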
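Review bot: The comparison `role.value != "2"` in check_login takes the privilege level straight from the `role` request cookie, which login.py sets as a plain, unsigned value, so the level is whatever the client presents rather than something the server established. The same applies to `int(role.value)` in `is_admin()` in the next hunk and to `c["role"] = role` in login.py. The level should be resolved server-side on each request, for example by looking up the authenticated user in the users file. Alternatively, the cookie should carry an HMAC computed with a server-held key and be verified with `hmac.compare_digest` before it is trusted. `role` is also dereferenced without a `None` check, so a request lacking that cookie raises `AttributeError` when `admins_area` is "1"; check_login's body starts and ends outside the hunk.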
  • Logout
  • ' % login.value) -def is_admin(): +def is_admin(**kwargs): cookie = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE")) - role = cookie.get('role') + role = cookie.get('role') + level = kwargs.get("level") + if role is None: + role = 0 + else: + role = int(role.value) + + if level is None: + level = 2 + try: - if role.value == "admin": + if level <= role: return True else: return False except: return False pass - -def mode_admin(button, **kwargs): - cookie = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE")) - role = cookie.get('role') - level = kwargs.get("level") - if level is None: - level = "editor" +def page_for_admin(**kwargs): + give_level = kwargs.get("level") + + if give_level is None: + give_level = 1 + + if not is_admin(level = give_level): + print('

    How did you get here?! O_o You do not have need permissions') + print('') + import sys + sys.exit() - if role.value == "admin" and level == "admin": - print('' % button) - elif role.value == "admin" or role.value == "editor" and level == "editor": - print('' % button) +def get_button(button, **kwargs): + value = kwargs.get("value") + if value is None: + value = "" + print('' % (value, value, button)) def head(title): print('Content-type: text/html\n') @@ -155,20 +169,22 @@ def links(): '
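Review bot: `int(role.value)` in `is_admin()` runs before the `try`, so any non-numeric cookie value raises an uncaught `ValueError` instead of returning `False`. That includes the `admin`/`editor` strings login.py issued before this commit with an expiry in 2033, so browsers that are already logged in will fail on every page that calls `is_admin()`, `page_for_admin()` or `links()`. The conversion belongs inside the `try`, the bare `except:` should name the exceptions it expects, and the `pass` after `return False` is unreachable. The defaults also differ (`is_admin()` falls back to level 2, `page_for_admin()` to level 1), which deserves a comment stating what each number means. The sketch below only makes the parse fail closed; the value it reads is still supplied by the client.

```python
def is_admin(**kwargs):
    # Levels as mapped in login.py: 2 = admin, 1 = editor, 0 = any other role.
    level = kwargs.get("level")
    if level is None:
        level = 2
    cookie = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE"))
    role = cookie.get('role')
    try:
        current = 0 if role is None else int(role.value)
        return level <= current
    except (TypeError, ValueError):
        # Non-numeric cookie (e.g. one issued before roles became numbers)
        # or a non-numeric level: deny.
        return False
```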
  • Configs' '' - '
  • ' - '
  • Versions' + '
  • Edit
  • ') + print('') + if is_admin(level = 1): + print('
  • Versions' '' - '
  • ') + if is_admin(level = 1): + print('' + '') show_login_links() print('' '') @@ -450,7 +466,8 @@ def chooseServer(formName, title, note): choose_only_select(serv, servNew=servNew) print('') - print('

    ') + get_button("Open", value="open") + print('

    ') if note == "y": print('

    Note: If you reconfigure First server, second will reconfigured automatically

    ') diff --git a/cgi-bin/login.py b/cgi-bin/login.py index 38b36261..5824274b 100644 --- a/cgi-bin/login.py +++ b/cgi-bin/login.py @@ -52,11 +52,17 @@ if login is not None and password is not None: for f in open(USERS, 'r'): users = json.loads(f) if login in users['login'] and password == users['password']: + if users['role'] == "admin": + role = 2 + elif users['role'] == "editor": + role = 1 + else: + role = 0 c = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE")) c["login"] = login c["login"]["path"] = "/cgi-bin/" c["login"]["expires"] = "Wed May 18 03:33:20 2033" - c["role"] = users['role'] + c["role"] = role c["role"]["path"] = "/cgi-bin/" c["role"]["expires"] = "Wed May 18 03:33:20 2033" c["group"] = users['group'] diff --git a/index.html b/index.html index 2f5d4714..e4223f91 100644 --- a/index.html +++ b/index.html @@ -24,7 +24,7 @@ Upload old config
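Review bot: The credential test on the context line above the new role mapping in login.py, `login in users['login'] and password == users['password']`, uses containment rather than equality, so if `users['login']` is a string a partial login name satisfies the first half, and the submitted name rather than the stored one is then written to the `login` cookie. It should be `login == users['login']`, with the password compared through `hmac.compare_digest(password.encode(), users['password'].encode())` (needs `import hmac`; the import block is outside this hunk). The direct comparison also implies the users file holds passwords in clear text; storing a salted hash, for example from `hashlib.pbkdf2_hmac`, would be the better follow-up. The enclosing `if` and `for` blocks start and end outside the hunk.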
    Delete old config