From 9f4b1bcf315f09fd6d302ad187281ec4ed443f04 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 17 Oct 2013 12:05:26 +0200 Subject: blacklist system logins for aliases and logins We blacklist based on three things: * blacklist in APP_CONFIG[:handle_blacklist] * emails in RFC 2142 * usernames in /etc/passwd The latter two can be allowed by explicitly whitelisting them in APP_CONFIG[:handle_whitelist]. We stick to blocking names that have been configured as both blacklisted and whitelisted - better be save than sorry. --- config/defaults.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/defaults.yml b/config/defaults.yml index 8d81668..66ec639 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -18,6 +18,11 @@ common: &common pagination_size: 30 auth: token_expires_after: 60 + # handles that will be blocked from being used as logins or email aliases + # in addition to the ones in /etc/passwd and http://tools.ietf.org/html/rfc2142 + handle_blacklist: [certmaster, ssladmin, arin-admin, administrator, www-data, maildrop] + # handles that will be allowed despite being in /etc/passwd or rfc2142 + handle_whitelist: [] development: <<: *dev_ca @@ -43,4 +48,4 @@ production: admins: [] domain: example.net payment: [] -# logfile: /path/to/your/logs + # logfile: /path/to/your/logs -- cgit v1.2.3 From 1384f6c43dde6a19f270416e34e39130a3d0a53d Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 18 Oct 2013 09:50:37 +0200 Subject: Make download links configurable This way we won't have to redeploy once the new links to the windows and the android version are there. Also this obviously offers more flexibility for providers. --- config/defaults.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'config') diff --git a/config/defaults.yml b/config/defaults.yml index 66ec639..6211e37 100644 --- a/config/defaults.yml +++ b/config/defaults.yml 
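Review bot: The comment above `handle_whitelist` does not say that it cannot override `handle_blacklist`, although the commit message states that a name present in both lists stays blocked. I would spell that out next to the key, e.g. `# a handle listed in both handle_blacklist and handle_whitelist stays blocked`. The comment could also note that `/etc/passwd` is read from whichever host runs the app, so the effective block list presumably differs between development machines and production. The `common:` mapping starts outside this hunk.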
@@ -13,6 +13,23 @@ cert_options: &cert_options limited_cert_prefix: "LIMITED" unlimited_cert_prefix: "UNLIMITED" +downloads: &downloads + client_download_domain: https://downloads.leap.se + available_clients: + - linux32 + - linux64 + - mac + - windows + - android + download_paths: + android: /client/android + linux: /client/linux + linux32: /client/linux/Bitmask-linux32-latest.tar.bz2 + linux64: /client/linux/Bitmask-linux64-latest.tar.bz2 + osx: /client/osx/Bitmask-OSC-latest.dmg + windows: /client/windows + other: /client + common: &common force_ssl: false pagination_size: 30 @@ -24,7 +41,9 @@ common: &common # handles that will be allowed despite being in /etc/passwd or rfc2142 handle_whitelist: [] + development: + <<: *downloads <<: *dev_ca <<: *cert_options <<: *common @@ -34,6 +53,7 @@ development: payment: [] test: + <<: *downloads <<: *dev_ca <<: *cert_options <<: *common @@ -43,6 +63,7 @@ test: payment: [billing] production: + <<: *downloads <<: *cert_options <<: *common admins: [] -- cgit v1.2.3 From 936015afe051c82d5677601f7f58944ed42b4623 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 18 Oct 2013 13:12:50 +0200 Subject: use https sources in Gemfiles and also in the documentation (#4109) --- config/deploy.rb.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/deploy.rb.example b/config/deploy.rb.example index 9e54c22..1fd4b8c 100644 --- a/config/deploy.rb.example +++ b/config/deploy.rb.example @@ -3,7 +3,7 @@ require "bundler/capistrano" set :application, "webapp" set :scm, :git -set :repository, "git://leap.se/leap_web" +set :repository, "https://leap.se/git/leap_web" set :branch, "master" set :deploy_via, :remote_cache -- cgit v1.2.3 From 3389bb0f4e43087ef1bf3073c1cb2e8cf64b60d1 Mon Sep 17 00:00:00 2001 
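Review bot: `available_clients` lists `mac`, but `download_paths` in the same added block has no `mac` key; it has `osx`, plus `linux` and `other`, which are not in the list, and nothing documents how the two are meant to line up. Later commits in this series adjust the names, but a comment would keep them from drifting again, e.g. `# every entry in available_clients needs a matching key in download_paths`. Since `client_download_domain` is the origin users fetch installers from, I would also note that providers overriding it should keep it an `https://` origin they control.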
From: Azul Date: Mon, 21 Oct 2013 11:30:18 +0200 Subject: fix download urls for mac, android and windows They did not point directly to the download. --- config/defaults.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config') diff --git a/config/defaults.yml b/config/defaults.yml index 6211e37..4d0a8d8 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -22,12 +22,12 @@ downloads: &downloads - windows - android download_paths: - android: /client/android + android: /client/android/Bitmask-Android-latest.apk linux: /client/linux linux32: /client/linux/Bitmask-linux32-latest.tar.bz2 linux64: /client/linux/Bitmask-linux64-latest.tar.bz2 - osx: /client/osx/Bitmask-OSC-latest.dmg - windows: /client/windows + mac: /client/osx/Bitmask-OSX-latest.dmg + windows: /client/windows/Bitmask-win32-latest.zip other: /client common: &common -- cgit v1.2.3 From 23b9c58c4bd2e62ba63064c0e606d84f26fe74fa Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 21 Oct 2013 18:18:13 +0200 Subject: use osx not mac as an identifier for the os. --- config/defaults.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/defaults.yml b/config/defaults.yml index 4d0a8d8..c7c8502 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -18,7 +18,7 @@ downloads: &downloads available_clients: - linux32 - linux64 - - mac + - osx - windows - android download_paths: @@ -26,7 +26,7 @@ downloads: &downloads linux: /client/linux linux32: /client/linux/Bitmask-linux32-latest.tar.bz2 linux64: /client/linux/Bitmask-linux64-latest.tar.bz2 - mac: /client/osx/Bitmask-OSX-latest.dmg + osx: /client/osx/Bitmask-OSX-latest.dmg windows: /client/windows/Bitmask-win32-latest.zip other: /client -- cgit v1.2.3 From 10be8c0073b67dcfb7925996e81c2e717f8b499e Mon Sep 17 00:00:00 2001 
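Review bot: The `android`, `mac` and `windows` entries now link straight to installable files (`.apk`, `.dmg`, `.zip`) under mutable `-latest` names, and `download_paths` has no companion entry for a signature or checksum. Whether the download page offers verification some other way is not visible here. If it does not, consider a parallel map such as `signature_paths:` (the name is only a suggestion) so the page can link a detached signature next to each binary. Separately, the `osx` key becomes `mac` in this hunk, which the commit message does not mention.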
From: elijah Date: Thu, 14 Nov 2013 02:19:03 -0800 Subject: added support for easier customizations via "config/customization" directory --- config/application.rb | 6 ++++++ config/customization/README.md | 27 +++++++++++++++++++++++++++ config/initializers/customization.rb | 31 +++++++++++++++++++++++++++++++ 3 files changed, 64 insertions(+) create mode 100644 config/customization/README.md create mode 100644 config/initializers/customization.rb (limited to 'config') diff --git a/config/application.rb b/config/application.rb index 8587ffc..8cf7e30 100644 --- a/config/application.rb +++ b/config/application.rb @@ -85,5 +85,11 @@ module LeapWeb # Set to false in order to see asset requests in the log config.quiet_assets = true + + ## + ## CUSTOMIZATION + ## see initializers/customization.rb + ## + config.paths['app/views'].unshift "config/customization/views" end end diff --git a/config/customization/README.md b/config/customization/README.md new file mode 100644 index 0000000..9c3e434 --- /dev/null +++ b/config/customization/README.md 
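Review bot: The new `CUSTOMIZATION` comment in `config/application.rb` does not say that templates placed in `config/customization/views` take precedence over the application's own and, being HAML/ERB, run Ruby inside the app process. I would add a line such as `## files in this directory replace app views and execute as application code; keep it writable by the deploy user only`. The path here is relative while `customization.rb` builds its paths from `Rails.root`; both presumably resolve to the same directory, but using one form would make that obvious. The enclosing module and class start outside the hunk.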
@@ -0,0 +1,27 @@ +Customizing LEAP Webapp +============================================ + +By default, this directory is empty. Any file you place here will override the default files for the application. + +For example: + + stylesheets/ -- overrides files Rails.root/app/assets/stylesheets + tail.scss -- included before all others + head.scss -- included after all others + + public/ -- overrides files in Rails.root/public + favicon.ico -- custom favicon + img/ -- customary directory to put images in + + views/ -- overrides files Rails.root/app/views + home/ + index.html.haml -- this file is what shows up on the home page + + locales/ -- overrides files in Rails.root/config/locales + en.yml -- overrides for English + de.yml -- overrides for German + and so on... + +For most changes, the web application must be restarted after any changes are made to the customization directory. + +Sometimes a `rake tmp:clear` and a rails restart is required to pick up a new stylesheet. diff --git a/config/initializers/customization.rb b/config/initializers/customization.rb new file mode 100644 index 0000000..a2f6f88 --- /dev/null +++ b/config/initializers/customization.rb 
@@ -0,0 +1,31 @@ +# +# When deploying, common customizations can be dropped in config/customizations. This initializer makes this work. +# +customization_directory = "#{Rails.root}/config/customization" + +# +# Set customization views as the first view path +# +# Rails.application.config.paths['app/views'].unshift "config/customization/views" +# (For some reason, this does not work here. See application.rb for where this is actually called.) + +# +# Set customization stylesheets as the first asset path +# +# (This cannot go in application.rb, because the default paths +# haven't been loaded yet, as far as I can tell) +# +Rails.application.config.assets.paths.unshift "#{customization_directory}/stylesheets" + +# +# Copy files to public +# +if Dir.exists?("#{customization_directory}/public") + require 'fileutils' + FileUtils.cp_r("#{customization_directory}/public/.", "#{Rails.root}/public") +end + +# +# Add I18n path +# +Rails.application.config.i18n.load_path += Dir["#{customization_directory}/locales/*.{rb,yml,yaml}"] -- cgit v1.2.3 From 84682ee6261967935d16fbeae1190af26420563e Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 14 Nov 2013 15:50:22 -0800 Subject: ensure that we only copy files when running restarting the app, not every time a rake task is run (especially since some rake tasks get run as root!) --- config/initializers/customization.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/initializers/customization.rb b/config/initializers/customization.rb index a2f6f88..08da518 100644 --- a/config/initializers/customization.rb +++ b/config/initializers/customization.rb 
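Review bot: The `FileUtils.cp_r` block near the end of the new file writes into `#{Rails.root}/public` every time the initializers load, so whichever user loads the environment (app server, console, rake) needs write access to the document root, and existing files there are overwritten without notice. Doing the copy in a deploy step instead would let the runtime user keep `public/` read-only. If it stays here, the comment should note that nested symlinks under `customization/public` are, as far as I know, copied as links rather than as file contents, and that files removed from the customization directory are never removed from `public/`. `Dir.exists?` is the deprecated spelling; `Dir.exist?` is preferred.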
@@ -20,7 +20,7 @@ Rails.application.config.assets.paths.unshift "#{customization_directory}/styles # # Copy files to public # -if Dir.exists?("#{customization_directory}/public") +if !defined?(RAKE) && Dir.exists?("#{customization_directory}/public") require 'fileutils' FileUtils.cp_r("#{customization_directory}/public/.", "#{Rails.root}/public") end -- cgit v1.2.3 From 4193a94b4cc5b5cabbace8311562c0ca88a79f74 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 15 Nov 2013 00:25:40 -0800 Subject: fix problem with custom scss files and precompiling assets in production mode. --- config/application.rb | 2 +- config/initializers/customization.rb | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'config') diff --git a/config/application.rb b/config/application.rb index 8cf7e30..2c9c55a 100644 --- a/config/application.rb +++ b/config/application.rb @@ -78,7 +78,7 @@ module LeapWeb # Enable the asset pipeline config.assets.enabled = true - config.assets.initialize_on_precompile = false + config.assets.initialize_on_precompile = true # don't change this (see customization.rb) # Version of your assets, change this if you want to expire all your assets config.assets.version = '1.0' diff --git a/config/initializers/customization.rb b/config/initializers/customization.rb index 08da518..bc9c834 100644 --- a/config/initializers/customization.rb +++ b/config/initializers/customization.rb 
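Review bot: The added guard tests `defined?(RAKE)`, but Rake itself defines the module `Rake`, not a constant `RAKE`. Unless the project sets `RAKE` somewhere not shown here (the Rakefile, for instance), the condition is always true and the copy into `public/` still runs during rake tasks, including the ones the commit message says run as root. Please confirm where `RAKE` is defined, or test for the rake process directly, e.g. `if File.basename($0) != 'rake' && Dir.exists?("#{customization_directory}/public")`. A one-line comment saying why the guard exists would also help the next reader.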
@@ -12,8 +12,13 @@ customization_directory = "#{Rails.root}/config/customization" # # Set customization stylesheets as the first asset path # -# (This cannot go in application.rb, because the default paths -# haven't been loaded yet, as far as I can tell) +# Some notes: +# +# * This cannot go in application.rb, as far as I can tell. In application.rb, the default paths +# haven't been loaded yet, so the path we add will always end up at the end unless we add it here. +# +# * For this to work, config.assets.initialize_on_precompile MUST be set to true, otherwise +# this initializer will never get called in production mode when the assets are precompiled. # Rails.application.config.assets.paths.unshift "#{customization_directory}/stylesheets" -- cgit v1.2.3 From 8e9b65b01bbd9d44d4077d94f2dc4ac375cf8e85 Mon Sep 17 00:00:00 2001 From: jessib Date: Mon, 18 Nov 2013 15:44:54 -0800 Subject: Start of service level code, which will be tweaked * stores desired & effective service level * whenever desired level is changed, effective level will be updated * allows user to set their desired service level * allow admin to update desired & effective service level --- config/defaults.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'config') diff --git a/config/defaults.yml b/config/defaults.yml index c7c8502..c986d01 100644 --- a/config/defaults.yml +++ b/config/defaults.yml 
@@ -41,12 +41,33 @@ common: &common # handles that will be allowed despite being in /etc/passwd or rfc2142 handle_whitelist: [] +service_levels: &service_levels + service_levels: + 0: + name: anonymous + cert_prefix: "LIMITED" + description: "anonymous account, with rate limited VPN" + 1: + name: free + cert_prefix: "LIMITED" + description: "free account, with rate limited VPN" + cost: 0 + quota: 100 + 2: + name: premium + cert_prefix: "UNLIMITED" + description: "premium account, with unlimited vpn" + cost: + USD: 10 + EUR: 10 + default_service_level: 1 development: <<: *downloads <<: *dev_ca <<: *cert_options <<: *common + <<: *service_levels admins: [blue, admin, admin2] domain: example.org secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' @@ -57,6 +78,7 @@ test: <<: *dev_ca <<: *cert_options <<: *common + <<: *service_levels admins: [admin, admin2] domain: test.me secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' @@ -66,6 +88,7 @@ production: <<: *downloads <<: *cert_options <<: *common + <<: *service_levels admins: [] domain: example.net payment: [] -- cgit v1.2.3 From 6ebf095bc553345a3e0b8c48cadc3e1440c59ca5 Mon Sep 17 00:00:00 2001 From: jessib Date: Thu, 5 Dec 2013 11:11:39 -0800 Subject: We won't want service levels in production mode, and have it so this initial service level code won't break anything if it isn't set in the config. --- config/defaults.yml | 1 - 1 file changed, 1 deletion(-) (limited to 'config') diff --git a/config/defaults.yml b/config/defaults.yml index c986d01..4530d47 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -88,7 +88,6 @@ production: <<: *downloads <<: *cert_options <<: *common - <<: *service_levels admins: [] domain: example.net payment: [] -- cgit v1.2.3 From 72087656e5092fd744f4314c9a0e91825399fefc Mon Sep 17 00:00:00 2001 
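Review bot: Each level in the added `service_levels` block repeats the literal `cert_prefix` (`"LIMITED"` / `"UNLIMITED"`) that `cert_options` already defines as `limited_cert_prefix` and `unlimited_cert_prefix`. The value that separates rate-limited from unlimited certificates therefore lives in two places and can drift if a provider overrides only one. A comment on `service_levels:` should say which one is authoritative, e.g. `# cert_prefix must match limited_cert_prefix / unlimited_cert_prefix in cert_options`. The level schema is also uneven: level 0 has no `cost` or `quota`, and `cost` is the scalar `0` for level 1 but a currency map for level 2. The keys `0`, `1`, `2` load as integers, so a lookup with a string id (from a request parameter, say) would presumably miss.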
From: Azul Date: Fri, 13 Dec 2013 11:16:11 +0100 Subject: proceed even if the couch is unreachable * in case the user has a session id, keep it but proceed without a session * in case we can't initialize the models proceed * if APP_CONFIG[:reraise_errors] is set we'll crash instead in the latter case default to reraise errors in dev and test environments. --- config/defaults.yml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'config') diff --git a/config/defaults.yml b/config/defaults.yml index 4530d47..4bd8eec 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -72,6 +72,7 @@ development: domain: example.org secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' payment: [] + reraise_errors: true test: <<: *downloads @@ -83,6 +84,7 @@ test: domain: test.me secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' payment: [billing] + reraise_errors: true production: <<: *downloads -- cgit v1.2.3 From 5ed00a63ea3da98e8dfaef88752f8afe851c81e9 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 13 Dec 2013 14:10:41 +0100 Subject: make the possible actions for users and admins configurable with tests --- config/defaults.yml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'config') diff --git a/config/defaults.yml b/config/defaults.yml index 4530d47..283f406 100644 --- a/config/defaults.yml +++ b/config/defaults.yml 
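Review bot: `reraise_errors: true` is added to `development` and `test` only, so production depends on the key being absent and read as falsy. Stating the default once in `common`, e.g. `reraise_errors: false  # proceed instead of raising when the database is unreachable`, would make the production behaviour visible in the file and leave the two overrides as they are. The commit message says requests proceed without a session when the couch is unreachable. That code is not in this diff, so it is worth confirming that the path treats the user as logged out and records the failure.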
@@ -40,6 +40,10 @@ common: &common handle_blacklist: [certmaster, ssladmin, arin-admin, administrator, www-data, maildrop] # handles that will be allowed despite being in /etc/passwd or rfc2142 handle_whitelist: [] + # actions enabled in the account settings + # see /users/app/views/users/_edit.html.haml for a list. + user_actions: ['destroy_account'] + admin_actions: ['change_pgp_key', 'change_service_level', 'destroy_account'] service_levels: &service_levels service_levels: -- cgit v1.2.3
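Review bot: The comment describes `user_actions` and `admin_actions` as the actions enabled in the account settings and points at the `_edit.html.haml` view for the list, which leaves open whether removing an entry only hides the form or also makes the server refuse the request. The controllers are not part of this diff, so please confirm the same lists are checked there and say so in the comment, e.g. `# enforced in the controllers as well as hidden in the view`. It would also help to list the valid action names here rather than in a view file, since an unknown or misspelled name is presumably ignored silently.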