Add account types (testing or trusted)

2022-11-07 19:40:40 +01:00 · 2022-11-07 19:40:40 +01:00 · 78f76ea9d0
parent 068dc82a54
commit 78f76ea9d0
10 changed files with 85 additions and 27 deletions
--- a/config.ini
+++ b/config.ini
@ -23,7 +23,6 @@ kdig_path = "/usr/bin/kdig"

 [ht]
 enabled = true
-letsencrypt_use_production = false

 ; Path were user's sites will be stored
 ht_path = "/srv/niver/ht"
@ -61,4 +60,5 @@ ipv6_listen_address = "::1"
 ipv4_listen_address = "127.0.0.1"
 internal_onion_http_port = 9080

-user_quota = 20971520
+user_quota_testing = 20971520
+user_quota_trusted = 209715200
--- a/db/migrations/003-add-account-type.sql
+++ b/db/migrations/003-add-account-type.sql
@ -0,0 +1,21 @@
+BEGIN TRANSACTION;
+
+-- Add column
+ALTER TABLE "users" ADD COLUMN "type" TEXT NOT NULL DEFAULT "testing";
+
+-- Remove it's default value
+CREATE TABLE "users_temp" (
+	"id"                 INTEGER NOT NULL UNIQUE,
+	"username"           TEXT    NOT NULL UNIQUE,
+	"password"           TEXT    NOT NULL,
+	"registration_date"  TEXT    NOT NULL,
+	"bucket_tokens"      INTEGER NOT NULL,
+	"bucket_last_update" INTEGER NOT NULL,
+	"type"               TEXT    NOT NULL,
+	PRIMARY KEY("id" AUTOINCREMENT)
+);
+INSERT INTO "users_temp" SELECT "id","username","password","registration_date","bucket_tokens","bucket_last_update","type" FROM "users";
+DROP TABLE "users";
+ALTER TABLE "users_temp" RENAME TO "users";
+
+COMMIT;
--- a/db/schema.sql
+++ b/db/schema.sql
@ -1,38 +1,39 @@
 BEGIN TRANSACTION;
 CREATE TABLE IF NOT EXISTS "params" (
-	"name"	TEXT NOT NULL UNIQUE,
-	"value"	TEXT NOT NULL
+	"name"  TEXT NOT NULL UNIQUE,
+	"value" TEXT NOT NULL
 );
 CREATE TABLE IF NOT EXISTS "registry" (
-	"id"	INTEGER NOT NULL UNIQUE,
-	"domain"	TEXT NOT NULL UNIQUE,
-	"username"	TEXT NOT NULL,
-	"last_renewal"	TEXT NOT NULL,
+	"id"           INTEGER NOT NULL UNIQUE,
+	"domain"       TEXT    NOT NULL UNIQUE,
+	"username"     TEXT    NOT NULL,
+	"last_renewal" TEXT    NOT NULL,
 	PRIMARY KEY("id" AUTOINCREMENT)
 );
 CREATE TABLE IF NOT EXISTS "zones" (
-	"id"	INTEGER NOT NULL UNIQUE,
-	"zone"	TEXT NOT NULL UNIQUE,
-	"username"	TEXT NOT NULL,
+	"id"       INTEGER NOT NULL UNIQUE,
+	"zone"     TEXT    NOT NULL UNIQUE,
+	"username" TEXT    NOT NULL,
 	PRIMARY KEY("id" AUTOINCREMENT)
 );
 CREATE TABLE IF NOT EXISTS "users" (
-	"id"	INTEGER NOT NULL UNIQUE,
-	"username"	TEXT NOT NULL UNIQUE,
-	"password"	TEXT NOT NULL,
-	"registration_date"	TEXT NOT NULL,
-	"bucket_tokens" INTEGER NOT NULL,
+	"id"                 INTEGER NOT NULL UNIQUE,
+	"username"           TEXT    NOT NULL UNIQUE,
+	"password"           TEXT    NOT NULL,
+	"registration_date"  TEXT    NOT NULL,
+	"bucket_tokens"      INTEGER NOT NULL,
 	"bucket_last_update" INTEGER NOT NULL,
+	"type"               TEXT    NOT NULL,
 	PRIMARY KEY("id" AUTOINCREMENT)
 );
 CREATE TABLE IF NOT EXISTS "sites" (
-	"id"	INTEGER NOT NULL UNIQUE,
-	"username"	TEXT NOT NULL,
-	"site_dir"	TEXT NOT NULL,
-	"domain"	TEXT NOT NULL UNIQUE,
-	"domain_type"	TEXT NOT NULL,
-	"protocol"	TEXT NOT NULL,
-	"creation_date"	TEXT NOT NULL,
+	"id"            INTEGER NOT NULL UNIQUE,
+	"username"      TEXT    NOT NULL,
+	"site_dir"      TEXT    NOT NULL,
+	"domain"        TEXT    NOT NULL UNIQUE,
+	"domain_type"   TEXT    NOT NULL,
+	"protocol"      TEXT    NOT NULL,
+	"creation_date" TEXT    NOT NULL,
 	PRIMARY KEY("id" AUTOINCREMENT)
 );
 INSERT INTO "params"("name", "value") VALUES("instance_bucket_tokens", "0");
--- a/pages/auth/index.php
+++ b/pages/auth/index.php
@ -1 +1,30 @@
 <?php displayIndex(); ?>
+<p>
+<?php if (isset($_SESSION['username'])) { ?>
+	Vous utilisez actuellement un compte <?= (($_SESSION['type'] === 'trusted') ? 'confiancé' : 'de test') ?>.
+<?php } else { ?>
+	Vous n'utilisez actuellement aucun compte.
+<?php } ?>
+</p>
+
+<h2>Types de comptes</h2>
+
+<dl>
+	<dt>De test</dt>
+	<dd>
+		C'est le type de compte par défaut, avec des fonctionnalités limitées pour éviter les abus&nbsp;:
+		<ul>
+			<li>Peut être supprimé n'importe quand</li>
+			<li><?= ((CONF['ht']['user_quota_testing'] >> 30) >= 1) ? CONF['ht']['user_quota_testing'] >> 30 . ' ' . linkToDocs('units', '<abbr title="gibioctet">Gio</abbr>') : CONF['ht']['user_quota_testing'] >> 20 . ' ' . linkToDocs('units', '<abbr title="mébioctet">Mio</abbr>') ?> de SFTP</li>
+			<li>Certificat Let's Encrypt de test</li>
+		</ul>
+	</dd>
+	<dt>Confiancé</dt>
+	<dd>
+		C'est originellement un compte de test mais qui a été confiancé par ane administrataire, et qui a pour but d'être utilisé de façon stable&nbsp;:
+		<ul>
+			<li><?= ((CONF['ht']['user_quota_trusted'] >> 30) >= 1) ? CONF['ht']['user_quota_trusted'] >> 30 . ' ' . linkToDocs('units', '<abbr title="gibioctet">Gio</abbr>') : CONF['ht']['user_quota_trusted'] >> 20 . ' ' . linkToDocs('units', '<abbr title="mébioctet">Mio</abbr>') ?> de SFTP</li>
+			<li>Vrai certificat Let's Encrypt</li>
+		</ul>
+	</dd>
+</dl>
--- a/pages/auth/login.php
+++ b/pages/auth/login.php
@ -12,6 +12,7 @@ if (processForm(false)) {
 		output(403, 'Connexion impossible : clé de passe invalide.');

 	$_SESSION['username'] = $_POST['username'];
+	$_SESSION['type'] = query('select', 'users', ['username' => $_POST['username']], 'type')[0];

 	if (outdatedPasswordHash($_SESSION['username']))
 		changePassword($_SESSION['username'], $_POST['password']);
--- a/pages/auth/register.php
+++ b/pages/auth/register.php
@ -16,6 +16,7 @@ if (processForm(false)) {
 		'registration_date' => date("Y-m-d H:i:s"),
 		'bucket_tokens' => 0,
 		'bucket_last_update' => 0,
+		'type' => 'testing',
 	]);

 	// Setup SFTP directory
@ -36,6 +37,7 @@ if (processForm(false)) {
 		output(500, 'Can\'t create Tor keys directory.');

 	$_SESSION['username'] = $_POST['username'];
+	$_SESSION['type'] = 'testing';

 	redir();
 }
--- a/pages/ht/add-http-dns.php
+++ b/pages/ht/add-http-dns.php
@ -38,7 +38,7 @@ if (processForm()) {

 	addSite($_SESSION['username'], $_POST['dir'], $_POST['domain'], "dns", "http");

-	exec('2>&1 ' . CONF['ht']['sudo_path'] . ' ' . CONF['ht']['certbot_path'] . ' certonly' . (CONF['ht']['letsencrypt_use_production'] ? '' : ' --test-cert') . ' --key-type rsa --rsa-key-size 3072 --webroot --webroot-path /srv/niver/acme --domain ' . $_POST['domain'], $output, $returnCode);
+	exec('2>&1 ' . CONF['ht']['sudo_path'] . ' ' . CONF['ht']['certbot_path'] . ' certonly' . (($_SESSION['type'] === 'trusted') ? '' : ' --test-cert') . ' --key-type rsa --rsa-key-size 3072 --webroot --webroot-path /srv/niver/acme --domain ' . $_POST['domain'], $output, $returnCode);
 	if ($returnCode !== 0)
 		output(500, 'Certbot failed to get a Let\'s Encrypt certificate.', $output);

--- a/pages/ht/index.php
+++ b/pages/ht/index.php
@ -34,7 +34,10 @@ else {
 	<h2>SFTP</h2>

 	<p>
-		Vous avez accès à un espace <abbr title="SSH File Transfert Protocol">SFTP</abbr>, limité à <?= ((CONF['ht']['user_quota'] >> 30) >= 1) ? CONF['ht']['user_quota'] >> 30 . ' ' . linkToDocs('units', '<abbr title="gibioctet">Gio</abbr>') : CONF['ht']['user_quota'] >> 20 . ' ' . linkToDocs('units', '<abbr title="mébioctet">Mio</abbr>') ?>. Vous pouvez téléverser vos sites dans <code>/&lt;nom du site&gt;/*</code>. Indiquez les données ci-dessous à votre client <abbr title="SSH File Transfert Protocol">SFTP</abbr> pour y accéder.
+		Vous avez accès à un espace <abbr title="SSH File Transfert Protocol">SFTP</abbr>, limité à <?php
+$quotaSize = ($_SESSION['type'] === 'trusted') ? CONF['ht']['user_quota_trusted'] : CONF['ht']['user_quota_testing'];
+echo (($quotaSize >> 30) >= 1) ? $quotaSize >> 30 . ' ' . linkToDocs('units', '<abbr title="gibioctet">Gio</abbr>') : $quotaSize >> 20 . ' ' . linkToDocs('units', '<abbr title="mébioctet">Mio</abbr>')
+?>. Vous pouvez téléverser vos sites dans <code>/&lt;nom du site&gt;/*</code>. Indiquez les données ci-dessous à votre client <abbr title="SSH File Transfert Protocol">SFTP</abbr> pour y accéder.
 	</p>

 	<section>
--- a/router.php
+++ b/router.php
@ -91,7 +91,7 @@ foreach (glob('css/*.css') as $cssPath)
 		<header>
 			<p>
 <?php if (isset($_SESSION['username'])) { ?>
-				🆔 <strong><?= $_SESSION['username'] ?></strong> <a class='auth' href='<?= CONF['common']['prefix'] ?>/auth/logout'>Se déconnecter</a>
+				<?= ($_SESSION['type'] === 'trusted') ? '<span title="Compte confiancé">👤</span>' : '<span title="Compte de test">⏳</span>' ?> <strong><?= $_SESSION['username'] ?></strong> <a class="auth" href="<?= CONF['common']['prefix'] ?>/auth/logout">Se déconnecter</a>
 <?php } else { ?>
 				<span aria-hidden="true">👻 </span><em>Anonyme</em> <a class="auth" href="<?= redirUrl('auth/login') ?>">Se connecter</a>
 <?php } ?>
--- a/sftpgo-auth.php
+++ b/sftpgo-auth.php
@ -5,11 +5,12 @@ require "router.php";
 $authData = json_decode(file_get_contents("php://input"), true);

 if (userExist($authData['username']) === true AND checkPassword($authData['username'], $authData['password']) === true) {
+	$quotaSize = (query('select', 'users', ['username' => $authData['username']], 'type')[0] === 'trusted') ? CONF['ht']['user_quota_trusted'] : CONF['ht']['user_quota_testing'];
 	echo '
 	{
 		"status": 1,
 		"username": "' . $authData['username'] . '",
-		"quota_size": ' . CONF['ht']['user_quota'] . ',
+		"quota_size": ' . $quotaSize . ',
 		"permissions": {
 			"/": [
 				"*"