Maj terminée. Pour consulter la release notes associée voici le lien :
https://about.gitlab.com/releases/2021/07/07/critical-security-release-gitlab-14-0-4-released/

Commit 40c11088 authored by Stephane Glondu's avatar Stephane Glondu
Browse files

Allow only one submission of public credentials

parent b71d90c6
...@@ -203,7 +203,6 @@ let uuid = ...@@ -203,7 +203,6 @@ let uuid =
type setup_voter = { type setup_voter = {
sv_id : string; sv_id : string;
mutable sv_credential : bool;
mutable sv_password : bool; mutable sv_password : bool;
} }
...@@ -215,6 +214,7 @@ type setup_election = { ...@@ -215,6 +214,7 @@ type setup_election = {
mutable se_public_keys : (string * string ref) list; mutable se_public_keys : (string * string ref) list;
mutable se_metadata : metadata; mutable se_metadata : metadata;
mutable se_public_creds : string; mutable se_public_creds : string;
mutable se_public_creds_received : bool;
} }
let b58_digits = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" let b58_digits = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
......
...@@ -98,7 +98,6 @@ val uuid : ...@@ -98,7 +98,6 @@ val uuid :
type setup_voter = { type setup_voter = {
sv_id : string; sv_id : string;
mutable sv_credential : bool;
mutable sv_password : bool; mutable sv_password : bool;
} }
...@@ -110,6 +109,7 @@ type setup_election = { ...@@ -110,6 +109,7 @@ type setup_election = {
mutable se_public_keys : (string * string ref) list; mutable se_public_keys : (string * string ref) list;
mutable se_metadata : metadata; mutable se_metadata : metadata;
mutable se_public_creds : string; mutable se_public_creds : string;
mutable se_public_creds_received : bool;
} }
val generate_token : unit -> string Lwt.t val generate_token : unit -> string Lwt.t
......
...@@ -361,6 +361,7 @@ let create_new_election owner cred auth = ...@@ -361,6 +361,7 @@ let create_new_election owner cred auth =
se_public_keys = []; se_public_keys = [];
se_metadata; se_metadata;
se_public_creds = token; se_public_creds = token;
se_public_creds_received = false;
} in } in
lwt () = Ocsipersist.add election_stable uuid_s se in lwt () = Ocsipersist.add election_stable uuid_s se in
lwt () = Ocsipersist.add election_credtokens token uuid_s in lwt () = Ocsipersist.add election_credtokens token uuid_s in
...@@ -650,7 +651,7 @@ let () = ...@@ -650,7 +651,7 @@ let () =
with Not_found -> () with Not_found -> ()
in in
se.se_voters <- se.se_voters @ List.map (fun sv_id -> se.se_voters <- se.se_voters @ List.map (fun sv_id ->
{sv_id; sv_credential=false; sv_password=false} {sv_id; sv_password=false}
) xs; ) xs;
return (redir_preapply election_setup_voters uuid))) return (redir_preapply election_setup_voters uuid)))
...@@ -734,6 +735,7 @@ let wrap_handler f = ...@@ -734,6 +735,7 @@ let wrap_handler f =
let handle_credentials_post token creds = let handle_credentials_post token creds =
lwt uuid = Ocsipersist.find election_credtokens token in lwt uuid = Ocsipersist.find election_credtokens token in
lwt se = Ocsipersist.find election_stable uuid in lwt se = Ocsipersist.find election_stable uuid in
if se.se_public_creds_received then forbidden () else
let module G = (val Group.of_string se.se_group : GROUP) in let module G = (val Group.of_string se.se_group : GROUP) in
let fname = !spool_dir / uuid ^ ".public_creds.txt" in let fname = !spool_dir / uuid ^ ".public_creds.txt" in
Lwt_mutex.with_lock Lwt_mutex.with_lock
...@@ -757,6 +759,8 @@ let handle_credentials_post token creds = ...@@ -757,6 +759,8 @@ let handle_credentials_post token creds =
(Lwt_io.lines_of_file fname) (Lwt_io.lines_of_file fname)
in in
let () = se.se_metadata <- {se.se_metadata with e_cred_authority = None} in let () = se.se_metadata <- {se.se_metadata with e_cred_authority = None} in
let () = se.se_public_creds_received <- true in
Ocsipersist.add election_stable uuid se >>
T.generic_page ~title:"Success" T.generic_page ~title:"Success"
"Credentials have been received and checked!" () >>= Html5.send "Credentials have been received and checked!" () >>= Html5.send
...@@ -843,6 +847,7 @@ let () = ...@@ -843,6 +847,7 @@ let () =
Any.register Any.register
~service:election_setup_credentials_server ~service:election_setup_credentials_server
(handle_setup (fun se () _ uuid -> (handle_setup (fun se () _ uuid ->
if se.se_public_creds_received then forbidden () else
let () = se.se_metadata <- {se.se_metadata with let () = se.se_metadata <- {se.se_metadata with
e_cred_authority = Some "server" e_cred_authority = Some "server"
} in } in
...@@ -868,7 +873,6 @@ let () = ...@@ -868,7 +873,6 @@ let () =
let body = Printf.sprintf template_credential title login cred url in let body = Printf.sprintf template_credential title login cred url in
let subject = "Your credential for election " ^ title in let subject = "Your credential for election " ^ title in
lwt () = send_email "noreply@belenios.org" email subject body in lwt () = send_email "noreply@belenios.org" email subject body in
v.sv_credential <- true;
return @@ S.add pub_cred accu return @@ S.add pub_cred accu
) S.empty se.se_voters ) S.empty se.se_voters
in in
...@@ -881,6 +885,7 @@ let () = ...@@ -881,6 +885,7 @@ let () =
(fun oc -> (fun oc ->
Lwt_list.iter_s (Lwt_io.write_line oc) creds) Lwt_list.iter_s (Lwt_io.write_line oc) creds)
in in
se.se_public_creds_received <- true;
return (fun () -> return (fun () ->
T.generic_page ~title:"Success" T.generic_page ~title:"Success"
"Credentials have been generated and mailed!" () >>= Html5.send))) "Credentials have been generated and mailed!" () >>= Html5.send)))
......
...@@ -438,15 +438,21 @@ let election_setup uuid se () = ...@@ -438,15 +438,21 @@ let election_setup uuid se () =
let div_credentials = let div_credentials =
div [ div [
h2 [pcdata "Credentials"]; h2 [pcdata "Credentials"];
if has_credentials then ( if se.se_public_creds_received then (
post_form ~service:election_setup_credentials_server
(fun () ->
[string_input ~input_type:`Submit ~value:"Generate on server" ()]
) uuid
) else (
div [ div [
a ~service:election_setup_credential_authority [pcdata "Credential management"] uuid; pcdata "Credentials have already been generated!"
] ]
) else (
if has_credentials then (
post_form ~service:election_setup_credentials_server
(fun () ->
[string_input ~input_type:`Submit ~value:"Generate on server" ()]
) uuid
) else (
div [
a ~service:election_setup_credential_authority [pcdata "Credential management"] uuid;
]
)
) )
] ]
in in
...@@ -608,10 +614,6 @@ let election_setup_voters uuid se () = ...@@ -608,10 +614,6 @@ let election_setup_voters uuid se () =
] ]
) uuid ) uuid
in in
let has_credentials = match se.se_metadata.e_cred_authority with
| None -> false
| Some _ -> true
in
let has_passwords = match se.se_metadata.e_auth_config with let has_passwords = match se.se_metadata.e_auth_config with
| Some [{auth_system = "password"; _}] -> true | Some [{auth_system = "password"; _}] -> true
| _ -> false | _ -> false
...@@ -621,7 +623,6 @@ let election_setup_voters uuid se () = ...@@ -621,7 +623,6 @@ let election_setup_voters uuid se () =
List.map (fun v -> List.map (fun v ->
tr ( tr (
[td [pcdata v.sv_id]] @ [td [pcdata v.sv_id]] @
(if has_credentials then [td [pcdata (to_string v.sv_credential)]] else []) @
(if has_passwords then [td [pcdata (to_string v.sv_password)]] else []) @ (if has_passwords then [td [pcdata (to_string v.sv_password)]] else []) @
[td [mk_remove_button v.sv_id]] [td [mk_remove_button v.sv_id]]
) )
...@@ -634,7 +635,6 @@ let election_setup_voters uuid se () = ...@@ -634,7 +635,6 @@ let election_setup_voters uuid se () =
table table
(tr ( (tr (
[th [pcdata "Identity"]] @ [th [pcdata "Identity"]] @
(if has_credentials then [th [pcdata "Credential"]] else []) @
(if has_passwords then [th [pcdata "Password"]] else []) @ (if has_passwords then [th [pcdata "Password"]] else []) @
[th [pcdata "Remove"]] [th [pcdata "Remove"]]
)) ))
...@@ -725,11 +725,18 @@ let election_setup_credentials token uuid se () = ...@@ -725,11 +725,18 @@ let election_setup_credentials token uuid se () =
] ]
in in
let div_textarea = div [group; voters; interactivity; form_textarea; disclaimer] in let div_textarea = div [group; voters; interactivity; form_textarea; disclaimer] in
let content = [ let content =
div_download; if se.se_public_creds_received then (
div_textarea; [
form_file; div [pcdata "Credentials have already been generated!"];
] in ]
) else (
[
div_download;
div_textarea;
form_file;
]
) in
let login_box = pcdata "" in let login_box = pcdata "" in
base ~title ~login_box ~content () base ~title ~login_box ~content ()
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment