enforce a 'deny all' default rule

Indemnity83 · Indemnity83 · commit e2ee2cbf2db5 · 2020-04-13T23:31:54.000-07:00
this ensures that an access list is 'secure by default' and requires the user to create exceptions or holes in the proection instead of building the wall entirely. This also means that we no longer require the user to input any username/passwords or client addressses and can avoid internal errors which generate unhelpful user errors.
diff --git a/backend/internal/access-list.js b/backend/internal/access-list.js
@@ -25,10 +25,6 @@ const internalAccessList = {
 	create: (access, data) => {
 		return access.can('access_lists:create', data)
 			.then((/*access_data*/) => {
-				if ((typeof data.items === 'undefined' || !data.items.length) && (typeof data.clients === 'undefined' || !data.clients.length)) {
-					throw new error.InternalValidationError('At leaste one user/pass or address must be defined');
-				}
-
 				return accessListModel
 					.query()
 					.omit(omissions())
@@ -114,10 +110,6 @@ const internalAccessList = {
 	update: (access, data) => {
 		return access.can('access_lists:update', data.id)
 			.then((/*access_data*/) => {
-				if ((typeof data.items === 'undefined' || !data.items.length) && (typeof data.clients === 'undefined' || !data.clients.length)) {
-					throw new error.InternalValidationError('At leaste one user/pass or address must be defined');
-				}
-				
 				return internalAccessList.get(access, {id: data.id});
 			})
 			.then((row) => {
diff --git a/frontend/js/app/nginx/access/form.ejs b/frontend/js/app/nginx/access/form.ejs
@@ -55,6 +55,18 @@
                 <!-- Access -->
                 <div class="tab-pane" id="access">
                     <div class="clients"><!-- clients --></div>
+                    <div class="row">
+                        <div class="col-sm-3 col-md-3">
+                            <div class="form-group">
+                                <input type="text" class="form-control disabled" value="deny" disabled>
+                            </div>
+                        </div>
+                        <div class="col-sm-9 col-md-9">
+                            <div class="form-group">
+                                <input type="text" class="form-control disabled" value="all" disabled>
+                            </div>
+                        </div>
+                    </div>
                     <div class="text-muted">Note that the <code>allow</code> and <code>deny</code> directives will be applied in the order they are defined.</div>
                 </div>
 
diff --git a/frontend/js/app/nginx/access/form.js b/frontend/js/app/nginx/access/form.js
@@ -119,7 +119,7 @@ module.exports = Mn.View.extend({
             }
         }
 
-        let clients_to_add = 5 - clients.length;
+        let clients_to_add = 4 - clients.length;
         if (clients_to_add) {
             for (let i = 0; i < clients_to_add; i++) {
                 clients.push({});

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ module.exports = Mn.View.extend({`
`119`	`119`	`}`
`120`	`120`	`}`
`121`	`121`
`122`		`- let clients_to_add = 5 - clients.length;`
	`122`	`+ let clients_to_add = 4 - clients.length;`
`123`	`123`	`if (clients_to_add) {`
`124`	`124`	`for (let i = 0; i < clients_to_add; i++) {`
`125`	`125`	`clients.push({});`