From 476f93778b97a7deab36355e4904de1ccbeec19d Mon Sep 17 00:00:00 2001
From: Kirill Solomko
Date: Fri, 17 Sep 2021 12:52:06 +0200
Subject: [PATCH] TT#133800 fix webpassword, change subadmin expose password

* webpassword is not correctly removed based on length, and remain visible when in plain-text or empty (unset)
* config->security->password_(sip|web)_expose_subadmin now only affects subscribers under the same customer that are not this subscriber admin

Change-Id: I329e0f1ad97dd513a33e3652ed03b4a43a95ed04
(cherry picked from commit 535c38cd93a28896d984adfb792f652c51fad743)
---
 lib/NGCP/Panel/Role/API/Subscribers.pm | 43 ++++++++++++++------------
 1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/lib/NGCP/Panel/Role/API/Subscribers.pm b/lib/NGCP/Panel/Role/API/Subscribers.pm
index 2d4d1d0b16..27eff86eea 100644
--- a/lib/NGCP/Panel/Role/API/Subscribers.pm
+++ b/lib/NGCP/Panel/Role/API/Subscribers.pm
@@ -55,15 +55,16 @@ sub resource_from_item {
 delete $prov_resource->{domain_id};
 delete $prov_resource->{account_id};
 my %resource = %{ merge($bill_resource, $prov_resource) };
- my $delete_passwords = 1;
+ my $change_passwords = 1;
 $resource{administrative} = delete $resource{admin};
- if ($c->request->method eq 'PATCH' && !$resource{pre_patch_resource}) {
- $delete_passwords = 0;
- $resource{pre_patch_resource} = 1;
- } else {
- $delete_passwords = 1;
- delete $resource{pre_patch_resource};
+ if ($c->request->method eq 'PATCH') {
+ if ($resource{pre_patch_resource}) {
+ delete $resource{pre_patch_resource};
+ } else {
+ $change_passwords = 0;
+ $resource{pre_patch_resource} = 1;
+ }
 }
 unless($customer->product->class eq 'pbxaccount') {
@@ -94,8 +95,8 @@ sub resource_from_item {
 # - all webpasswords from mr8.5+ are meant to be encrypted
 # - in case of the false positive result, the worse that happens
 # the password is not returned to the user in plain-text
- if ($delete_passwords &&
- $resource{webpassword} && length $resource{webpassword} =~ /^(54|56)$/ &&
+ if ($change_passwords &&
+ $resource{webpassword} && (length $resource{webpassword}) =~ /^(54|56)$/ &&
 $resource{webpassword} =~ /\$/) {
 delete $resource{webpassword};
 }
@@ -198,18 +199,18 @@ sub resource_from_item {
 if ($c->user->show_passwords) {
 foreach my $k(qw/password webpassword/) {
 eval {
- if ($resource{$k}) {
+ if ($resource{$k} && $change_passwords) {
 $resource{$k} = NGCP::Panel::Utils::Encryption::encrypt_rsa($c,$resource{$k});
 }
 };
 if ($@) {
- $c->log->error("Failed to encrypt $k '$resource{$k}': " . $@);
- delete $resource{$k} if $delete_passwords;
+ $c->log->error("Failed to encrypt $k: " . $@);
+ delete $resource{$k} if $change_passwords;
 }
 }
 } else {
 foreach my $k(qw/password webpassword/) {
- delete $resource{$k} if $delete_passwords;
+ delete $resource{$k} if $change_passwords;
 }
 }
 } else {
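Review bot: The parenthesised `(length $resource{webpassword})` now really tests the string length instead of the match result, but `54` and `56` are still bare magic numbers standing for whatever stored-hash formats the webpassword can have, and the comment above only says passwords are "meant to be encrypted"; if a hash format of another length is ever introduced, this heuristic silently turns back into a plaintext leak without any test failing. Name the numbers so the intent is auditable, e.g. `my %HASHED_WEBPASSWORD_LEN = (54 => 1, 56 => 1); # lengths of the stored webpassword hash formats` and test with `$HASHED_WEBPASSWORD_LEN{length $resource{webpassword}}`, or better, match the hash's format prefix rather than its length. Note that during the PATCH pre-patch pass (`$change_passwords` false) the hash is deliberately kept in the resource, so the comment should also say that this copy must not be what is serialised to the client. The enclosing `resource_from_item` starts and ends outside this hunk.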
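Review bot: In the `if ($@)` branch the `if $change_passwords` modifier on the delete is now dead code: `encrypt_rsa` is only attempted when `$change_passwords` is true, so `$@` can only be set on that path and the guard can never be false there; `delete $resource{$k};` says what is meant and avoids a reader wondering about a plaintext-retaining path that does not exist. Dropping the password value from the log message is the right fix, since the old line wrote the clear-text credential to the panel log on every RSA failure; worth a short comment such as `# never log the credential itself` so the next edit does not reintroduce it. The enclosing `resource_from_item` starts and ends outside this hunk.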
@@ -221,16 +222,18 @@ sub resource_from_item {
 # TODO: make custom filtering configurable!
 foreach my $k(qw/password webpassword/) {
- delete $resource{$k} if $delete_passwords;
+ delete $resource{$k} if $change_passwords;
 }
 }
- if($c->user->roles eq "subscriberadmin") {
+ if ($c->user->roles eq "subscriberadmin") {
 $resource{customer_id} = $contract_id;
- if(!$c->config->{security}->{password_sip_expose_subadmin}) {
- delete $resource{password} if $delete_passwords;
- }
- if(!$c->config->{security}->{password_web_expose_subadmin}) {
- delete $resource{webpassword} if $delete_passwords;
+ if ($item->id != $c->user->voip_subscriber->id) {
+ if (!$c->config->{security}->{password_sip_expose_subadmin}) {
+ delete $resource{password} if $change_passwords;
+ }
+ if (!$c->config->{security}->{password_web_expose_subadmin}) {
+ delete $resource{webpassword} if $change_passwords;
+ }
 }
 }
 }
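Review bot: The new own-subscriber exception silently changes what `password_sip_expose_subadmin = 0` and `password_web_expose_subadmin = 0` guarantee: a subscriberadmin now always receives its own SIP `password` in the API response regardless of the flag (the webpassword is still stripped earlier when it looks hashed), so operators who set these flags to keep SIP credentials out of web sessions need to be told, and the condition deserves a comment such as `# a subscriberadmin always sees its own credentials; the expose_subadmin flags only govern the customer's other subscribers`. The comparison `$item->id != $c->user->voip_subscriber->id` also assumes `voip_subscriber` is defined for every subscriberadmin user; if it can be undef here (not visible in the hunk) the request dies with a method call on undef instead of falling back to the restrictive branch, so a guard like `my $own_id = $c->user->voip_subscriber ? $c->user->voip_subscriber->id : undef;` followed by `if (!defined $own_id || $item->id != $own_id) {` would fail closed. Since this runs once per item in collection listings, hoisting that lookup out of the per-item path is presumably also cheaper. The enclosing `resource_from_item` starts outside this hunk.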