[yast-commit] r52734 - in /trunk/printer/src: Printer.ycp sharing.ycp
Author: jsmeix Date: Thu Oct 30 13:59:45 2008 New Revision: 52734 URL: http://svn.opensuse.org/viewcvs/yast?rev=52734&view=rev Log: Added Firewall Settings to the Share Printers dialog. Modified: trunk/printer/src/Printer.ycp trunk/printer/src/sharing.ycp Modified: trunk/printer/src/Printer.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/printer/src/Printer.ycp?rev=52734&r1=52733&r2=52734&view=diff ==============================================================================
--- trunk/printer/src/Printer.ycp (original)
+++ trunk/printer/src/Printer.ycp Thu Oct 30 13:59:45 2008
@@ -43,6 +43,7 @@
 import "Mode";
 import "Stage";
 import "Service";
+import "SuSEFirewall";
 
 /**
  * Prototypes
@@ -222,6 +223,31 @@
  */
 global list< map< string, any > > driver_options = [];
 
+/**
+ * Firewall configuration:
+ * Determined and set at runtime in the "Print via Network" and "Sharing" dialogs
+ * by calling Printer::FirewallConfig("read") and Printer::FirewallConfig("write")
+ * which calls SuSEFirewall functions to fill in the map @ref firewall_config
+ * except "ui_browsing_from_int", "ui_access_from_int", and "ui_deny_from_ext"
+ * which are the user settings in the dialog or change the SuSEFirewall settings
+ * according to "ui_browsing_from_int", "ui_access_from_int", and "ui_deny_from_ext".
+ * The entries are such that "true" is the default, reasonable and intended setting.
+ * In particular it is reasonable to deny CUPS Browsing packages (port 631 UDP) from the EXT zone
+ * to avoid "print job phishing" by announcing local queue names from a malicious external host,
+ * see http://www.cups.org/newsgroups.php?gcups.general+T+Q"print+job+phishing"
+ * @struct firewall_config
+ * $[ "suse_firewall_used":"true if Suse Firewall and no other firewall is used",
+ * "firewall_active":"true if Suse Firewall is actually running",
+ * "no_firewall_for_int":"true if Suse Firewall does not potect the INT zone",
+ * "browsing_from_int":"true if Suse Firewall does not deny CUPS Browsing (port 631 UDP) from the INT zone",
+ * "ui_browsing_from_int":"true if user has set in dialog not to deny CUPS Browsing from the INT zone",
+ * "access_from_int":"true if Suse Firewall does not deny CUPS access (port 631 TCP) from the INT zone",
+ * "ui_access_from_int":"true if user has set in dialog not to deny CUPS access from the INT zone",
+ * "deny_from_ext":"true if any CUPS access (port 631 UDP and TCP) is denied from the EXT zone",
+ * "ui_deny_from_ext":"true if user has set in dialog to deny any CUPS access from the EXT zone"
+ * ]
+ */
+global map< string, boolean > firewall_config = $[];
 
 /*
  * Local variables:
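Review bot: The `@struct` description of `"deny_from_ext"` as `true if any CUPS access (port 631 UDP and TCP) is denied from the EXT zone` does not match how FirewallConfig("read") in this same commit computes it: the key is set to false as soon as either TCP or UDP 631 is open from EXT, so it is true only when both are denied. Suggest `"deny_from_ext":"true if both CUPS access (port 631 TCP) and CUPS Browsing (port 631 UDP) are denied from the EXT zone"`. In the same table `potect` should read `protect`; the typo recurs in the comments and y2milestone messages of the FirewallConfig hunk and the initSharing hunk of sharing.ycp.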
@@ -1768,6 +1794,198 @@
 }
 
 /**
+ * Determined and set at runtime in the "Print via Network" and "Sharing" dialogs
+ * by calling Printer::FirewallConfig("read") and Printer::FirewallConfig("write")
+ * @param "read" to fill in the firewall_config map
+ * "write" change the SuSEFirewall settings according to the firewall_config map
+ * @return true on success
+ */
+global boolean FirewallConfig( string action )
+{ if( "read" == action )
+ { // SuSEFirewall::Read shows a Progress.
+ // Save previous Progress state and disable showing Progress:
+ boolean progress_previous_state = Progress::set( false );
+ if( ! SuSEFirewall::Read() )
+ { // If firewall_config is the empty map, the user
+ // cannot change a firewall setting in the "Print via Network" and "Sharing" dialogs
+ // so that noting will be committed regarding the Suse Firewall.
+ y2milestone( "SuSEFirewall::Read failed." );
+ firewall_config = $[];
+ // Restore previous Progress state:
+ Progress::set( progress_previous_state );
+ return true;
+ }
+ // Restore previous Progress state:
+ Progress::set( progress_previous_state );
+ // Preset the firewall_config map with the defaults after a default system installation
+ // to have a reasonable fallback if the actual values cannot be determined:
+ firewall_config = $[ "suse_firewall_used":true,
+ "firewall_active":true,
+ "no_firewall_for_int":true,
+ "browsing_from_int":true,
+ "ui_browsing_from_int":true,
+ "access_from_int":true,
+ "ui_access_from_int":true,
+ "deny_from_ext":true,
+ "ui_deny_from_ext":true
+ ];
+ // Determine whether the Suse Firewall is used:
+ if( SuSEFirewall::IsOtherFirewallRunning() )
+ { // If not the Suse Firewall is used, the dialogs will not show
+ // any firewall settings and therefore the user cannot change them.
+ firewall_config["suse_firewall_used"] = false;
+ y2milestone( "Not the Suse Firewall is used, i.e. another firewall is running." );
+ return true;
+ }
+ // Determine whether the Suse Firewall is active:
+ if( ! SuSEFirewall::IsStarted()
+ || ! SuSEFirewall::GetStartService()
+ )
+ { // If the Suse Firewall is not active, the dialogs will not show
+ // any firewall settings because it is useless and confusing
+ // to let the user change firewall settings
+ // when the user had decided to have no firewall currently running
+ // or if the firewall would not be started in SuSEFirewall::Write()
+ firewall_config["firewall_active"] = false;
+ y2milestone( "The Suse Firewall is not active or would not be started in SuSEFirewall::Write." );
+ return true;
+ }
+ // Determine the actual settings regarding IPP (port 631 UDB and TCP)
+ // and preset the user interface settings with the actual settings:
+ if( SuSEFirewall::GetProtectFromInternalZone() )
+ { firewall_config["no_firewall_for_int"] = false;
+ if( ! SuSEFirewall::HaveService( "631", "UDP", "INT" ) )
+ { firewall_config["browsing_from_int"] = false;
+ firewall_config["ui_browsing_from_int"] = false;
+ }
+ if( ! SuSEFirewall::HaveService( "631", "TCP", "INT" ) )
+ { firewall_config["access_from_int"] = false;
+ firewall_config["ui_access_from_int"] = false;
+ }
+ }
+ if( SuSEFirewall::HaveService( "631", "TCP", "EXT" )
+ || SuSEFirewall::HaveService( "631", "UDP", "EXT" )
+ )
+ { firewall_config["deny_from_ext"] = false;
+ firewall_config["ui_deny_from_ext"] = false;
+ }
+ y2milestone( "FirewallConfig read result: %1", firewall_config );
+ }
+ if( "write" == action )
+ { y2milestone( "FirewallConfig write using: %1", firewall_config );
+ // If the Suse Firewall is used and
+ // if the Suse Firewall is active and
+ // if firewall settings have been changed by the user,
+ // then set and commit the new firewall settings.
+ // Use safe fallback values (i.e. deny access as fallback).
+ // Those fallback values makes the code look confusing
+ // for example in conditions like if(firewall_config["..."]:false)
+ // because the actual value is often the opposite of the fallback value.
+ if( firewall_config["suse_firewall_used"]:false
+ && firewall_config["firewall_active"]:false
+ && ( firewall_config["ui_browsing_from_int"]:false != firewall_config["browsing_from_int"]:true
+ || firewall_config["ui_access_from_int"]:false != firewall_config["access_from_int"]:true
+ || firewall_config["ui_deny_from_ext"]:false != firewall_config["deny_from_ext"]:true
+ )
+ )
+ { // Set new firewall settings in SuSEFirewall:
+ boolean write_firewall_settings_failed = false;
+ y2milestone( "FirewallConfig commit new firewall config: %1", firewall_config );
+ if( firewall_config["ui_browsing_from_int"]:false != firewall_config["browsing_from_int"]:true )
+ { if( firewall_config["ui_browsing_from_int"]:false )
+ { // The user has set in dialog not to deny CUPS Browsing from the INT zone:
+ if( ! firewall_config["no_firewall_for_int"]:true )
+ { // The Suse Firewall does potect the INT zone:
+ if( ! SuSEFirewall::AddService( "631", "UDP", "INT" ) )
+ { y2milestone( "FirewallConfig: SuSEFirewall::AddService(631,UDP,INT) failed." );
+ write_firewall_settings_failed = true;
+ }
+ }
+ }
+ else
+ { // The user has set in dialog to deny CUPS Browsing from the INT zone:
+ if( ! firewall_config["no_firewall_for_int"]:true )
+ { // The Suse Firewall does potect the INT zone:
+ if( ! SuSEFirewall::RemoveService( "631", "UDP", "INT" ) )
+ { y2milestone( "FirewallConfig: SuSEFirewall::RemoveService(631,UDP,INT) failed." );
+ write_firewall_settings_failed = true;
+ }
+ }
+ else
+ { // The Suse Firewall does not potect the INT zone:
+ y2milestone( "FirewallConfig: Cannot deny CUPS Browsing from the INT zone because the Suse Firewall does not potect the INT zone." );
+ write_firewall_settings_failed = true;
+ }
+ }
+ }
+ if( firewall_config["ui_access_from_int"]:false != firewall_config["access_from_int"]:true )
+ { if( firewall_config["ui_access_from_int"]:false )
+ { // The user has set in dialog not to deny CUPS access from the INT zone:
+ if( ! firewall_config["no_firewall_for_int"]:true )
+ { // The Suse Firewall does potect the INT zone:
+ if( ! SuSEFirewall::AddService( "631", "TCP", "INT" ) )
+ { y2milestone( "FirewallConfig: SuSEFirewall::AddService(631,TCP,INT) failed." );
+ write_firewall_settings_failed = true;
+ }
+ }
+ }
+ else
+ { // The user has set in dialog to deny CUPS access from the INT zone:
+ if( ! firewall_config["no_firewall_for_int"]:true )
+ { // The Suse Firewall does potect the INT zone:
+ if( ! SuSEFirewall::RemoveService( "631", "TCP", "INT" ) )
+ { y2milestone( "FirewallConfig: SuSEFirewall::RemoveService(631,TCP,INT) failed." );
+ write_firewall_settings_failed = true;
+ }
+ }
+ else
+ { // The Suse Firewall does not potect the INT zone:
+ y2milestone( "FirewallConfig: Cannot deny CUPS access from the INT zone because the Suse Firewall does not potect the INT zone." );
+ write_firewall_settings_failed = true;
+ }
+ }
+ }
+ if( firewall_config["ui_deny_from_ext"]:false != firewall_config["deny_from_ext"]:true )
+ { if( firewall_config["ui_deny_from_ext"]:false )
+ { // The user has set in dialog to deny any CUPS access from the EXT zone:
+ if( ! SuSEFirewall::RemoveService( "631", "TCP", "EXT" ) )
+ { y2milestone( "FirewallConfig: SuSEFirewall::RemoveService(631,TCP,EXT) failed." );
+ write_firewall_settings_failed = true;
+ }
+ if( ! SuSEFirewall::RemoveService( "631", "UDP", "EXT" ) )
+ { y2milestone( "FirewallConfig: SuSEFirewall::RemoveService(631,UDP,EXT) failed." );
+ write_firewall_settings_failed = true;
+ }
+ }
+ else
+ { // The user has set in dialog not to deny deny any CUPS access from the EXT zone:
+ y2milestone( "FirewallConfig: Ignored to allow CUPS access from the EXT zone because it is insecure." );
+ write_firewall_settings_failed = true;
+ }
+ }
+ // Commit the new firewall settings:
+ // SuSEFirewall::Write shows a Progress.
+ // Save previous Progress state and disable showing Progress:
+ boolean progress_previous_state = Progress::set( false );
+ if( ! SuSEFirewall::Write() )
+ { y2milestone( "FirewallConfig: SuSEFirewall::Write failed to commit firewall settings." );
+ write_firewall_settings_failed = true;
+ }
+ // Restore previous Progress state:
+ Progress::set( progress_previous_state );
+ if( write_firewall_settings_failed )
+ { Popup::Error( // Message of a Popup::Error.
+ // Only a simple message because this error does not happen on a normal system.
+ _("Failed to set up the firewall settings.\nUse the specific YaST Firewall module.")
+ );
+ return false;
+ }
+ }
+ }
+ return true;
+}
+
+/**
  * Get all printer settings from the first parameter
  * (For use by autoinstallation.)
  * @param settings The YCP structure to be imported.
Modified: trunk/printer/src/sharing.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/printer/src/sharing.ycp?rev=52734&r1=52733&r2=52734&view=diff ==============================================================================
--- trunk/printer/src/sharing.ycp (original)
+++ trunk/printer/src/sharing.ycp Thu Oct 30 13:59:45 2008
@@ -49,6 +49,8 @@
 list< term > initial_interface_table_items = [];
 string initial_allow_input_value = "";
 string initial_browse_address_input_value = "";
+boolean firewall_first_widget_is_checkbox = false;
+boolean firewall_second_widget_is_checkbox = false;
 
 term widgetSharing = `VBox
 ( `VSpacing( 1 ),
@@ -195,6 +197,35 @@
 )
 )
 ),
+ `VSpacing( 1 ),
+ `Left
+ ( `Label
+ ( `id(`firewall_settings_label),
+ // A caption to make Firewall settings to allow remote access to CUPS:
+ _("Firewall Settings")
+ )
+ ),
+ `HBox
+ ( `HSpacing( 2 ),
+ `VBox
+ ( `Left
+ ( `ReplacePoint
+ ( `id(`firewall_first_replace_point),
+ `Empty
+ ( `id(`firewall_first_widget)
+ )
+ )
+ ),
+ `Left
+ ( `ReplacePoint
+ ( `id(`firewall_second_replace_point),
+ `Empty
+ ( `id(`firewall_second_widget)
+ )
+ )
+ )
+ )
+ ),
 `VSpacing( 1 )
 );
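Review bot: In the `"read"` branch a failed `SuSEFirewall::Read()` resets `firewall_config` to the empty map and still returns true, so a caller cannot tell "firewall state unknown" from a successful read, and every later `firewall_config["..."]:true` lookup in the dialogs then reports a protective state that was never verified. Either return false there or make the contract explicit in the header: `@return true on success; "read" also returns true when SuSEFirewall::Read fails and then leaves firewall_config empty so that "write" commits nothing`. In the `"write"` branch `SuSEFirewall::Write()` is still called after an earlier `AddService`/`RemoveService` failure, so the popup "Failed to set up the firewall settings" can follow a partially committed change while `firewall_config` still describes the pre-change state; re-running the `"read"` logic after the write (or at least logging which of the three settings were applied) would keep the map and the dialogs consistent with the system. An `action` other than "read" or "write" also falls through to `return true` silently; a `y2error( "FirewallConfig: unknown action %1", action );` before the final return would catch typos at call sites. The header's first sentence says where the function is called from rather than what it does; `Reads the SuSEFirewall settings for port 631 into firewall_config ("read") or commits the user's changes from it ("write").` would state the purpose.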
@@ -246,6 +277,30 @@
 boolean ApplySharingSettings()
 { sharing_has_changed = false;
+ // Do the Firewall stuff first of all:
+ boolean firewall_allow_from_int = true;
+ boolean firewall_deny_from_ext = true;
+ if( firewall_first_widget_is_checkbox )
+ { firewall_allow_from_int = (boolean)UI::QueryWidget( `firewall_first_widget, `Value );
+ y2milestone( "firewall_allow_from_int value: '%1'", firewall_allow_from_int );
+ Printer::firewall_config["ui_access_from_int"] = firewall_allow_from_int;
+ }
+ if( firewall_second_widget_is_checkbox )
+ { firewall_deny_from_ext = (boolean)UI::QueryWidget( `firewall_second_widget, `Value );
+ y2milestone( "firewall_deny_from_ext value: '%1'", firewall_deny_from_ext );
+ Printer::firewall_config["ui_deny_from_ext"] = firewall_deny_from_ext;
+ }
+ if( Printer::firewall_config["access_from_int"]:false != firewall_allow_from_int
+ || Printer::firewall_config["deny_from_ext"]:false != firewall_deny_from_ext
+ )
+ { // The user has changed a Firewall setting:
+ sharing_has_changed = true;
+ if( ! Printer::FirewallConfig( "write" ) )
+ { // No error message here because Printer::FirewallConfig shows already error messages:
+ return false;
+ }
+ }
+ // Do the CUPS sharing stuff after the Firewall stuff.
 // Get the actual settings and values from the dialog.
 // It does not work well to query the RadioButtonGroup with something like
 // UI::QueryWidget(`deny_or_allow_remote_access,`CurrentButton))
@@ -542,6 +597,9 @@
 UI::ChangeWidget( `allow_input_label, `Enabled, false );
 UI::ChangeWidget( `browse_address_input, `Enabled, false );
 UI::ChangeWidget( `browse_address_input_label, `Enabled, false );
+ UI::ChangeWidget( `firewall_settings_label, `Enabled, false );
+ UI::ChangeWidget( `firewall_first_widget, `Enabled, false );
+ UI::ChangeWidget( `firewall_second_widget, `Enabled, false );
 }
 // Regardless whether or not the "Share Printers" dialog is useless,
 // fill in the values of the current settings in the system:
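Review bot: The change detection `Printer::firewall_config["access_from_int"]:false != firewall_allow_from_int` compares a fallback of false against a local that defaults to true, so when the key is absent (FirewallConfig("read") leaves the map empty after a failed SuSEFirewall::Read) `sharing_has_changed` is set and `Printer::FirewallConfig( "write" )` is called although the user changed nothing; the `deny_from_ext` comparison has the same shape. Restrict the comparison to the widgets the user could actually operate, e.g. `if( ( firewall_first_widget_is_checkbox && Printer::firewall_config["access_from_int"]:true != firewall_allow_from_int ) || ( firewall_second_widget_is_checkbox && Printer::firewall_config["deny_from_ext"]:true != firewall_deny_from_ext ) )`. What a spurious `sharing_has_changed` triggers later in this function is not visible here, so the practical impact is unconfirmed. The comment `// Do the Firewall stuff first of all:` gives no reason for committing the firewall change before the CUPS sharing settings; since any `return false` later in this function leaves the firewall already adjusted while CUPS is unchanged, either state that this is intended in the comment or move the firewall write after the sharing settings have been applied. ApplySharingSettings continues outside the hunk.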
@@ -748,6 +806,95 @@
 UI::ChangeWidget( `id(`allow_input), `Value, initial_allow_input_value );
 y2milestone( "Initial initial_browse_address_input_value: %1", initial_browse_address_input_value );
 UI::ChangeWidget( `id(`browse_address_input), `Value, initial_browse_address_input_value );
+ y2milestone( "Initial browse_address_values: %1", browse_address_values );
+ // Determine the Firewall settings.
+ // Ignore errors because Printer::FirewallConfig results a firewall_config fallback map.
+ Printer::FirewallConfig( "read" );
+ // Set the content and values for the firewall related widgets in the dialog:
+ if( ! Printer::firewall_config["suse_firewall_used"]:true )
+ { // Not the Suse Firewall but another firewall is used:
+ UI::ReplaceWidget( `firewall_first_replace_point,
+ `Label
+ ( `id(`firewall_first_widget),
+ // Label when not the Suse Firewall but another firewall is used:
+ _("Not the Suse Firewall but another firewall is used")
+ )
+ );
+ UI::ReplaceWidget( `firewall_second_replace_point,
+ `Empty
+ ( `id(`firewall_second_widget)
+ )
+ );
+ }
+ else
+ { // The Suse Firewall is used:
+ if( ! Printer::firewall_config["firewall_active"]:true )
+ { // The Suse Firewall is not running:
+ UI::ReplaceWidget( `firewall_first_replace_point,
+ `Label
+ ( `id(`firewall_first_widget),
+ // Label when the Suse Firewall is not running:
+ _("The Suse Firewall is not active")
+ )
+ );
+ UI::ReplaceWidget( `firewall_second_replace_point,
+ `Empty
+ ( `id(`firewall_second_widget)
+ )
+ );
+ }
+ else
+ { // The Suse Firewall is running:
+ if( ! Printer::firewall_config["no_firewall_for_int"]:true )
+ { // The Suse Firewall does potect the INT zone:
+ // Let the user deny or allow CUPS access from the INT zone here:
+ UI::ReplaceWidget( `firewall_first_replace_point,
+ `CheckBox
+ ( `id(`firewall_first_widget),
+ // CheckBox whether or not the Suse Firewall allows CUPS access from the INT zone:
+ _("Allow access from the internal network zone"),
+ Printer::firewall_config["access_from_int"]:true
+ )
+ );
+ firewall_first_widget_is_checkbox = true;
+ }
+ else
+ { // The Suse Firewall does not potect the INT zone:
+ UI::ReplaceWidget( `firewall_first_replace_point,
+ `Label
+ ( `id(`firewall_first_widget),
+ // Label when the Suse Firewall does not potect the internal network zone
+ // which means that CUPS access from the INT zone is allowed:
+ _("Access from the internal network zone is allowed")
+ )
+ );
+ }
+ if( ! Printer::firewall_config["deny_from_ext"]:true )
+ { // The Suse Firewall does not deny CUPS access from the EXT zone.
+ // Let the user deny CUPS access from the EXT zone here:
+ UI::ReplaceWidget( `firewall_second_replace_point,
+ `CheckBox
+ ( `id(`firewall_second_widget),
+ // CheckBox whether or not the Suse Firewall denies CUPS access from the EXT zone:
+ _("Deny access from the external network zone"),
+ false
+ )
+ );
+ firewall_second_widget_is_checkbox = true;
+ }
+ else
+ { // The Suse Firewall denies CUPS access from the EXT zone.
+ // Do not let the user allow CUPS access from the EXT zone here:
+ UI::ReplaceWidget( `firewall_second_replace_point,
+ `Label
+ ( `id(`firewall_second_widget),
+ // Label when the Suse Firewall denies CUPS access from the external network zone:
+ _("Access from the external network zone is denied")
+ )
+ );
+ }
+ }
+ }
 y2milestone( "leaving initSharing" );
 }
-- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org
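Review bot: When `Printer::FirewallConfig( "read" )` fails it leaves `Printer::firewall_config` empty (see the `"read"` branch in Printer.ycp in this commit), and the `:true` fallbacks in the branches here then render the labels "Access from the internal network zone is allowed" and "Access from the external network zone is denied" although nothing was determined, so the dialog asserts a protective state it does not know; the comment `// Ignore errors because Printer::FirewallConfig results a firewall_config fallback map.` describes the preset defaults, not this empty-map case. Add a first branch for the empty map that tells the user the firewall state could not be determined and leaves the second replace point `Empty`, keeping the existing branches for the determined cases. `firewall_first_widget_is_checkbox` and `firewall_second_widget_is_checkbox` are only ever set to true in this block; if initSharing can run more than once per module session (not visible here), a stale true would make ApplySharingSettings query `\`Value` of a `Label`, so `firewall_first_widget_is_checkbox = false;` and `firewall_second_widget_is_checkbox = false;` at the top of this block are cheap insurance. `potect` should read `protect` in the comments here as in Printer.ycp. initSharing starts outside the hunk.
```ycp
  // Set the content and values for the firewall related widgets in the dialog:
  if( size( Printer::firewall_config ) == 0 )
  { // SuSEFirewall::Read failed so that the firewall state is unknown:
    UI::ReplaceWidget( `firewall_first_replace_point,
                       `Label
                       ( `id(`firewall_first_widget),
                         // Label when the firewall settings could not be determined:
                         _("The firewall settings could not be determined")
                       )
                     );
    UI::ReplaceWidget( `firewall_second_replace_point,
                       `Empty
                       ( `id(`firewall_second_widget)
                       )
                     );
  }
  else if( ! Printer::firewall_config["suse_firewall_used"]:true )
  // … unchanged: the existing branches for another firewall, an inactive Suse Firewall and an active one …
```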