From 9f4b1bcf315f09fd6d302ad187281ec4ed443f04 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 17 Oct 2013 12:05:26 +0200 Subject: blacklist system logins for aliases and logins We blacklist based on three things: * blacklist in APP_CONFIG[:handle_blacklist] * emails in RFC 2142 * usernames in /etc/passwd The latter two can be allowed by explicitly whitelisting them in APP_CONFIG[:handle_whitelist]. We stick to blocking names that have been configured as both blacklisted and whitelisted - better be save than sorry. --- config/defaults.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'config/defaults.yml') diff --git a/config/defaults.yml b/config/defaults.yml index 8d81668..66ec639 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -18,6 +18,11 @@ common: &common pagination_size: 30 auth: token_expires_after: 60 + # handles that will be blocked from being used as logins or email aliases + # in addition to the ones in /etc/passwd and http://tools.ietf.org/html/rfc2142 + handle_blacklist: [certmaster, ssladmin, arin-admin, administrator, www-data, maildrop] + # handles that will be allowed despite being in /etc/passwd or rfc2142 + handle_whitelist: [] development: <<: *dev_ca @@ -43,4 +48,4 @@ production: admins: [] domain: example.net payment: [] -# logfile: /path/to/your/logs + # logfile: /path/to/your/logs -- cgit v1.2.3 From 1384f6c43dde6a19f270416e34e39130a3d0a53d Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 18 Oct 2013 09:50:37 +0200 Subject: Make download links configurable This way we won't have to redeploy once the new links to the windows and the android version are there. Also this obviously offers more flexibility for providers. --- config/defaults.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'config/defaults.yml') diff --git a/config/defaults.yml b/config/defaults.yml index 66ec639..6211e37 100644 --- a/config/defaults.yml +++ b/config/defaults.yml 
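Review bot: The comment on `handle_whitelist` does not say what happens when a handle appears in both lists, although the commit message states that such a handle stays blocked. This file is where an operator edits the lists, so I would spell the precedence out there, e.g. `# a handle listed in both handle_blacklist and handle_whitelist stays blocked`. The `handle_blacklist` comment should also say which host's /etc/passwd is consulted: presumably it is the machine running the webapp, which may not have the same system accounts as the host that delivers mail.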
@@ -13,6 +13,23 @@ cert_options: &cert_options limited_cert_prefix: "LIMITED" unlimited_cert_prefix: "UNLIMITED" +downloads: &downloads + client_download_domain: https://downloads.leap.se + available_clients: + - linux32 + - linux64 + - mac + - windows + - android + download_paths: + android: /client/android + linux: /client/linux + linux32: /client/linux/Bitmask-linux32-latest.tar.bz2 + linux64: /client/linux/Bitmask-linux64-latest.tar.bz2 + osx: /client/osx/Bitmask-OSC-latest.dmg + windows: /client/windows + other: /client + common: &common force_ssl: false pagination_size: 30 @@ -24,7 +41,9 @@ common: &common # handles that will be allowed despite being in /etc/passwd or rfc2142 handle_whitelist: [] + development: + <<: *downloads <<: *dev_ca <<: *cert_options <<: *common @@ -34,6 +53,7 @@ development: payment: [] test: + <<: *downloads <<: *dev_ca <<: *cert_options <<: *common @@ -43,6 +63,7 @@ test: payment: [billing] production: + <<: *downloads <<: *cert_options <<: *common admins: [] -- cgit v1.2.3 From 3389bb0f4e43087ef1bf3073c1cb2e8cf64b60d1 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 21 Oct 2013 11:30:18 +0200 Subject: fix download urls for mac, android and windows They did not point directly to the download. --- config/defaults.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config/defaults.yml') diff --git a/config/defaults.yml b/config/defaults.yml index 6211e37..4d0a8d8 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -22,12 +22,12 @@ downloads: &downloads - windows - android download_paths: - android: /client/android + android: /client/android/Bitmask-Android-latest.apk linux: /client/linux linux32: /client/linux/Bitmask-linux32-latest.tar.bz2 linux64: /client/linux/Bitmask-linux64-latest.tar.bz2 - osx: /client/osx/Bitmask-OSC-latest.dmg - windows: /client/windows + mac: /client/osx/Bitmask-OSX-latest.dmg + windows: /client/windows/Bitmask-win32-latest.zip other: /client common: &common -- cgit v1.2.3 
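Review bot: The new `downloads` block gives each platform a binary URL under `client_download_domain` but nothing a user could verify that binary against, and the `linux32`, `linux64` and `osx` paths point at unversioned `-latest` files. Whether signatures or checksums are published elsewhere is not visible from this file. I would at least record the expectation next to the setting, e.g. `# client binaries are served from this domain; publish a signature or checksum next to each file`, so providers who override the domain know what they take on.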
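Review bot: `<<: *downloads` is added as one more `<<` key in the `development` mapping, and the same is done for `test` and `production` in the next two hunks. Repeated keys in one mapping are not valid YAML, and loaders differ on whether they merge every `<<`, keep only the last one or reject the file. A single merge key with a sequence is unambiguous: `<<: [*downloads, *dev_ca, *cert_options, *common]`. In that form earlier entries win on conflicting keys, so the order should be checked against what the current loader produces; the mappings start and end outside these hunks.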
From 23b9c58c4bd2e62ba63064c0e606d84f26fe74fa Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 21 Oct 2013 18:18:13 +0200 Subject: use osx not mac as an identifier for the os. --- config/defaults.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config/defaults.yml') diff --git a/config/defaults.yml b/config/defaults.yml index 4d0a8d8..c7c8502 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -18,7 +18,7 @@ downloads: &downloads available_clients: - linux32 - linux64 - - mac + - osx - windows - android download_paths: @@ -26,7 +26,7 @@ downloads: &downloads linux: /client/linux linux32: /client/linux/Bitmask-linux32-latest.tar.bz2 linux64: /client/linux/Bitmask-linux64-latest.tar.bz2 - mac: /client/osx/Bitmask-OSX-latest.dmg + osx: /client/osx/Bitmask-OSX-latest.dmg windows: /client/windows/Bitmask-win32-latest.zip other: /client -- cgit v1.2.3 From 8e9b65b01bbd9d44d4077d94f2dc4ac375cf8e85 Mon Sep 17 00:00:00 2001 From: jessib Date: Mon, 18 Nov 2013 15:44:54 -0800 Subject: Start of service level code, which will be tweaked * stores desired & effective service level * whenever desired level is changed, effective level will be updated * allows user to set their desired service level * allow admin to update desired & effective service level --- config/defaults.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'config/defaults.yml') diff --git a/config/defaults.yml b/config/defaults.yml index c7c8502..c986d01 100644 --- a/config/defaults.yml +++ b/config/defaults.yml 
@@ -41,12 +41,33 @@ common: &common # handles that will be allowed despite being in /etc/passwd or rfc2142 handle_whitelist: [] +service_levels: &service_levels + service_levels: + 0: + name: anonymous + cert_prefix: "LIMITED" + description: "anonymous account, with rate limited VPN" + 1: + name: free + cert_prefix: "LIMITED" + description: "free account, with rate limited VPN" + cost: 0 + quota: 100 + 2: + name: premium + cert_prefix: "UNLIMITED" + description: "premium account, with unlimited vpn" + cost: + USD: 10 + EUR: 10 + default_service_level: 1 development: <<: *downloads <<: *dev_ca <<: *cert_options <<: *common + <<: *service_levels admins: [blue, admin, admin2] domain: example.org secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' @@ -57,6 +78,7 @@ test: <<: *dev_ca <<: *cert_options <<: *common + <<: *service_levels admins: [admin, admin2] domain: test.me secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' @@ -66,6 +88,7 @@ production: <<: *downloads <<: *cert_options <<: *common + <<: *service_levels admins: [] domain: example.net payment: [] -- cgit v1.2.3 From 6ebf095bc553345a3e0b8c48cadc3e1440c59ca5 Mon Sep 17 00:00:00 2001 From: jessib Date: Thu, 5 Dec 2013 11:11:39 -0800 Subject: We won't want service levels in production mode, and have it so this initial service level code won't break anything if it isn't set in the config. --- config/defaults.yml | 1 - 1 file changed, 1 deletion(-) (limited to 'config/defaults.yml') diff --git a/config/defaults.yml b/config/defaults.yml index c986d01..4530d47 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -88,7 +88,6 @@ production: <<: *downloads <<: *cert_options <<: *common - <<: *service_levels admins: [] domain: example.net payment: [] -- cgit v1.2.3 
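Review bot: The `cert_prefix` values in the new `service_levels` entries repeat the literals `"LIMITED"` and `"UNLIMITED"` that `cert_options` already defines as `limited_cert_prefix` and `unlimited_cert_prefix`, so a provider who overrides one and not the other ends up with two notions of the prefix. If the prefix is what marks a certificate as rate limited (presumably, given the descriptions), that mismatch matters; I would add `# must match limited_cert_prefix / unlimited_cert_prefix in cert_options` above the first `cert_prefix`. Separately, `cost` is the scalar `0` for level 1, a currency mapping for level 2 and absent for level 0, so consumers have to handle three shapes. Writing `cost: {USD: 0, EUR: 0}` on level 1 would make the two priced levels uniform.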
From 72087656e5092fd744f4314c9a0e91825399fefc Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 13 Dec 2013 11:16:11 +0100 Subject: proceed even if the couch is unreachable * in case the user has a session id, keep it but proceed without a session * in case we can't initialize the models proceed * if APP_CONFIG[:reraise_errors] is set we'll crash instead in the latter case default to reraise errors in dev and test environments. --- config/defaults.yml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'config/defaults.yml') diff --git a/config/defaults.yml b/config/defaults.yml index 4530d47..4bd8eec 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -72,6 +72,7 @@ development: domain: example.org secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' payment: [] + reraise_errors: true test: <<: *downloads @@ -83,6 +84,7 @@ test: domain: test.me secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' payment: [billing] + reraise_errors: true production: <<: *downloads -- cgit v1.2.3 From 5ed00a63ea3da98e8dfaef88752f8afe851c81e9 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 13 Dec 2013 14:10:41 +0100 Subject: make the possible actions for users and admins configurable with tests --- config/defaults.yml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'config/defaults.yml') diff --git a/config/defaults.yml b/config/defaults.yml index 4530d47..283f406 100644 --- a/config/defaults.yml +++ b/config/defaults.yml 
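Review bot: `reraise_errors: true` is added to `development` and `test` (both hunks) without a comment, and `production` gets no explicit value, so the production behaviour described in the commit message (proceeding when the couch is unreachable) depends on the key being absent. I would document the key where it is set, e.g. `# raise instead of continuing when the session or the models cannot be loaded`, and consider an explicit `reraise_errors: false` under `production`. Errors that are not re-raised should still be logged, which cannot be checked from this file.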
@@ -40,6 +40,10 @@ common: &common handle_blacklist: [certmaster, ssladmin, arin-admin, administrator, www-data, maildrop] # handles that will be allowed despite being in /etc/passwd or rfc2142 handle_whitelist: [] + # actions enabled in the account settings + # see /users/app/views/users/_edit.html.haml for a list. + user_actions: ['destroy_account'] + admin_actions: ['change_pgp_key', 'change_service_level', 'destroy_account'] service_levels: &service_levels service_levels: -- cgit v1.2.3
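Review bot: The comment above `user_actions` points at a view partial, which suggests these lists decide which forms are rendered; nothing in this hunk shows whether the controllers also refuse an action that is not listed. If they do not, removing `change_pgp_key` or `destroy_account` from `admin_actions` hides the form while the request itself still succeeds. I would state the contract in the comment, e.g. `# actions offered in the account settings; controllers must reject actions not listed here`, and confirm the enforcement in the controller code. Because `common` is merged into `production`, these defaults, including `change_pgp_key` for admins, apply there unless a provider overrides them.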