From 03271187c71cd5297d8a9c2f3520074c84d5a582 Mon Sep 17 00:00:00 2001
From: Oleksandr Duts
Date: Wed, 12 Jan 2022 14:25:57 +0200
Subject: [PATCH] TT#157400 API/UI admins fix authorization for "system" role
* Users with "system" role can change all items accross the system including the password changing for other users.
* Login "system" has persistant "system" role.
* "system" login name is restricted for the user input.
Change-Id: Ibaecba35a86f71fa8895ce9d9feab8e768b65d14
---
 lib/NGCP/Panel/Authentication/Store/System.pm | 2 ++
 .../Panel/Authentication/Store/SystemACLRole.pm | 14 ++++++++++++++
 lib/NGCP/Panel/Authentication/Store/SystemRole.pm | 5 +++++
 lib/NGCP/Panel/Form/Administrator/System.pm | 6 ++++++
 lib/NGCP/Panel/Role/API/Admins.pm | 2 +-
 lib/NGCP/Panel/Utils/UserRole.pm | 1 +
 6 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 lib/NGCP/Panel/Authentication/Store/SystemACLRole.pm
diff --git a/lib/NGCP/Panel/Authentication/Store/System.pm b/lib/NGCP/Panel/Authentication/Store/System.pm
index e068783618..f10a50b2b3 100644
--- a/lib/NGCP/Panel/Authentication/Store/System.pm
+++ b/lib/NGCP/Panel/Authentication/Store/System.pm
@@ -60,6 +60,8 @@ sub find_user {
 return unless exists $self->acl->{$username};
+ $user->{ctx} = $c;
+
 if (ref($user) eq "HASH") {
 return $self->user_class->new($user);
 } elsif (ref($user) && blessed($user) &&
diff --git a/lib/NGCP/Panel/Authentication/Store/SystemACLRole.pm b/lib/NGCP/Panel/Authentication/Store/SystemACLRole.pm
new file mode 100644
index 0000000000..f1ffd8a2bb
--- /dev/null
+++ b/lib/NGCP/Panel/Authentication/Store/SystemACLRole.pm
@@ -0,0 +1,14 @@
+package NGCP::Panel::Authentication::Store::SystemACLRole;
+use Sipwise::Base;
+
+my $instance;
+
+sub new {
+ my $class = shift;
+ $instance ||= bless {}, $class;
+}
+
+sub id {-1};
+sub role {'system'};
+
+1;
\ No newline at end of file
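Review bot: `$user->{ctx} = $c;` dereferences `$user` as a hash before the `ref($user) eq "HASH"` test, so a non-hash `$user` (the `elsif` below explicitly accepts blessed objects) now dies with "Not a HASH reference" instead of reaching that branch. If `$user` is the entry of `$self->acl` looked up just above (it is assigned before the hunk, so I cannot confirm), the assignment also parks a per-request `$c`, and everything it references, in process-wide store state where it stays reachable from the next request, and it forms a `$c` ↔ user reference cycle. Setting the context on a copy inside the HASH branch avoids both: `my %data = (%$user, ctx => $c); return $self->user_class->new(\%data);`. find_user begins and ends outside the hunk.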
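Review bot: `sub id {-1}` is a sentinel that `has_permission` in lib/NGCP/Panel/Utils/UserRole.pm turns into an unconditional grant (`return 1 if $own_role_id == -1`), yet both files spell the literal independently and neither comments on the link. Declare it once here, `use constant SYSTEM_ROLE_ID => -1; sub id { SYSTEM_ROLE_ID }`, let the has_permission check refer to the same constant, and note next to it that the value must never coincide with a stored acl_roles id. `sub new` returns whatever `$instance ||= bless {}, $class` evaluates to; an explicit `return $instance;` states the singleton intent. The file also lacks a trailing newline.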
diff --git a/lib/NGCP/Panel/Authentication/Store/SystemRole.pm b/lib/NGCP/Panel/Authentication/Store/SystemRole.pm
index 471766ab5e..d487e9ab56 100644
--- a/lib/NGCP/Panel/Authentication/Store/SystemRole.pm
+++ b/lib/NGCP/Panel/Authentication/Store/SystemRole.pm
@@ -1,6 +1,7 @@
 package NGCP::Panel::Authentication::Store::SystemRole;
 use Sipwise::Base;
 use parent 'Catalyst::Authentication::User::Hash';
+use NGCP::Panel::Authentication::Store::SystemACLRole;
 sub roles {
 my $self = shift;
@@ -22,6 +23,10 @@ sub call_data { 1 };
 sub billing_data { 1 };
 sub lawful_intercept { 0 };
+sub acl_role {
+ return NGCP::Panel::Authentication::Store::SystemACLRole->new;
+}
+
 1;
 # vim ts=4 sw=4 et
diff --git a/lib/NGCP/Panel/Form/Administrator/System.pm b/lib/NGCP/Panel/Form/Administrator/System.pm
index 233edfaa42..6de3bc74f0 100644
--- a/lib/NGCP/Panel/Form/Administrator/System.pm
+++ b/lib/NGCP/Panel/Form/Administrator/System.pm
@@ -28,6 +28,12 @@ sub validate {
 $c->log->error($err);
 $self->field('lawful_intercept')->add_error($err);
 }
+
+ if (defined $resource->{login} && $resource->{login} eq 'system') {
+ my $err = 'Restricted login definition: ' . $resource->{login};
+ $c->log->error($err);
+ $self->field('login')->add_error($err);
+ }
 }
 1;
diff --git a/lib/NGCP/Panel/Role/API/Admins.pm b/lib/NGCP/Panel/Role/API/Admins.pm
index 9be19b9deb..98bcca0302 100644
--- a/lib/NGCP/Panel/Role/API/Admins.pm
+++ b/lib/NGCP/Panel/Role/API/Admins.pm
@@ -191,7 +191,7 @@ sub update_item {
 my $pass = $resource->{password};
 delete $resource->{password};
 if (defined $pass && $pass ne $old_resource->{saltedpass}) {
- if ($c->user->id != $item->id) {
+ if ($c->user->acl_role->role ne 'system' && $c->user->id != $item->id) {
 $self->error($c, HTTP_FORBIDDEN, "Only own user can change password");
 return;
 }
diff --git a/lib/NGCP/Panel/Utils/UserRole.pm b/lib/NGCP/Panel/Utils/UserRole.pm
index 635dfd1078..a74099bf1f 100644
--- a/lib/NGCP/Panel/Utils/UserRole.pm
+++ b/lib/NGCP/Panel/Utils/UserRole.pm
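Review bot: `acl_role` hands back a synthetic role object without saying why the built-in system user needs one, so the next reader has to chase Admins.pm and UserRole.pm to understand it. A header comment on the sub would close that gap: `# The system login has no acl_roles row; this synthetic role (id -1, name 'system', see SystemACLRole) is the value Role::API::Admins and Utils::UserRole key their system bypass on.`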
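Review bot: The reservation of the `system` login lives in the form's `validate`, which covers UI submissions; whether the REST create and update paths in lib/NGCP/Panel/Role/API/Admins.pm run this same form is not visible in the patch and is worth confirming, since otherwise an API client could still register a second `system` admin. The literal `'system'` now appears here and in `SystemACLRole::role`; one shared constant keeps the two from drifting. The exact-match comparison matches the hash-key lookup `$self->acl->{$username}` in the System store, so no case folding is needed unless logins are normalized somewhere before that lookup.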
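Review bot: `$c->user->acl_role->role ne 'system'` assumes every authenticated user yields an `acl_role` object; if it can return undef for a DB-backed admin without a role mapping, the chained call dies and the request ends in a 500 rather than the intended 403. Guard it and name the flag: `my $role = $c->user->acl_role; my $is_system = $role && $role->role eq 'system'; if (!$is_system && $c->user->id != $item->id) {`. Because this branch now lets the system login reset any account's password, a log line recording actor and target id would help later incident review. update_item begins and ends outside the hunk.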
@@ -108,6 +108,7 @@ sub resolve_resource_role {
 sub has_permission {
 my ($c, $own_role_id, $to_role_id) = @_;
+ return 1 if $own_role_id == -1; # NGCP::API::Client user
 return 0 unless $own_role_id && $to_role_id;
 return $c->model('DB')->resultset('acl_role_mappings')->search({