MT#5599 Rework auth/authz for pwd-based API access

Cleanup unnecessary realms.
Use roles instead of realms for authz.
HTTP basic auth for api access.
Use admin/reseller roles instead of api_admin/api_reseller.
Fix API::Root invalid_user detaching.
agranig/auth-refactoring
Andreas Granig 12 years ago
parent 0fd10e018a
commit 71658e12a7

@ -88,19 +88,8 @@ __PACKAGE__->config(
},
'Plugin::Authentication' => {
default => {
credential => {
class => 'Password',
password_field => 'password',
password_type => 'clear'
},
store => {
class => 'Minimal',
users => {
}
}
},
reseller => {
default_realm => 'subscriber',
admin => {
credential => {
class => 'Password',
password_field => 'md5pass',
@ -115,27 +104,30 @@ __PACKAGE__->config(
use_userdata_from_session => 1,
}
},
admin => {
api_admin_cert => {
# TODO: should be NoPassword, but it's not available in our catalyst version yet
credential => {
class => 'Password',
password_field => 'md5pass',
password_type => 'hashed',
password_hash_type => 'MD5'
password_field => 'is_active',
password_type => 'clear',
},
store => {
class => 'DBIx::Class',
user_model => 'DB::admins',
id_field => 'id',
store_user_class => 'NGCP::Panel::AuthenticationStore::RoleFromRealm',
use_userdata_from_session => 1,
}
},
use_session => 0,
},
api_admin => {
# TODO: should be NoPassword, but it's not available in our catalyst version yet
api_admin_http => {
credential => {
class => 'Password',
password_field => 'is_superuser',
password_type => 'clear',
class => 'HTTP',
#type => 'digest',
type => 'basic',
username_field => 'login',
password_field => 'md5pass',
password_type => 'hashed',
password_hash_type => 'MD5'
},
store => {
class => 'DBIx::Class',
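Review bot: The new `api_admin_http` realm (starting at `api_admin_http => {`) shows no `use_session => 0`, whereas the sibling `api_admin_cert` realm sets `use_session => 0,` right before its closing brace; if it is not set in the part of the realm that runs past the end of this hunk, every Basic-authenticated API request would persist the admin in a session, which the cert path deliberately avoids. The commented-out `#type => 'digest',` should either be removed or get a reason, e.g. `# basic only: as far as I recall digest needs MD5(user:realm:password), which the md5pass column does not hold`. The `password_field => 'is_active'` workaround in `api_admin_cert` is already marked TODO; it would help to state next to it that `Root::auto` supplies `is_active => 1` as the pseudo-password, so the two pieces are not changed independently.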

@ -5,8 +5,24 @@ extends 'Catalyst::Authentication::Store::DBIx::Class::User';
sub roles {
my ($self) = @_;
if($self->auth_realm eq "subscriber" && $self->_user->admin) {
return "subscriberadmin";
given($self->auth_realm) {
when([qw/admin api_admin_cert api_admin_http/]) {
if($self->_user->is_superuser) {
return "admin";
} else {
return "reseller";
}
}
when([qw/subscriber api_subscriber/]) {
if($self->_user->admin) {
return "subscriberadmin";
} else {
return "subscriber";
}
}
default {
return "invalid";
}
}
return $self->auth_realm;
}
# vim: set tabstop=4 expandtab:
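Review bot: `roles` now depends on `given`/`when` with smartmatch against array refs (`when([qw/admin api_admin_cert api_admin_http/])`), which is the experimental switch feature that warns from 5.18 on and has been slated for removal; a plain lookup hash expresses the same mapping without it. The rewrite below keeps the exact return values, including the `"invalid"` fallback for an unknown realm. Since every caller in this commit compares `$c->user->roles` with `eq`, a docstring-style comment stating that `roles` returns exactly one role name as a scalar would also be worth adding above the sub.
```perl
sub roles {
    my ($self) = @_;
    # Map each configured realm to the user attribute that decides the role.
    my %is_admin_realm      = map { $_ => 1 } qw/admin api_admin_cert api_admin_http/;
    my %is_subscriber_realm = map { $_ => 1 } qw/subscriber api_subscriber/;
    my $realm = $self->auth_realm;
    if ($is_admin_realm{$realm}) {
        return $self->_user->is_superuser ? "admin" : "reseller";
    }
    if ($is_subscriber_realm{$realm}) {
        return $self->_user->admin ? "subscriberadmin" : "subscriber";
    }
    return "invalid";
}
```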

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,
@ -56,8 +56,8 @@ sub GET :Allow {
});
};
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$fees = $fees->search({
'billing_profile.reseller_id' => $c->user->reseller_id
}, {
@ -155,8 +155,8 @@ sub POST :Allow {
last unless $resource;
my $reseller_id;
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$reseller_id = $c->user->reseller_id;
} else {
$reseller_id = $c->user->contract->contact->reseller_id;
@ -203,7 +203,7 @@ sub POST :Allow {
$self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'billing_profile_id'.");
last;
}
if($c->user->roles ne "api_admin" && $profile->reseller_id != $reseller_id) {
if($c->user->roles ne "admin" && $profile->reseller_id != $reseller_id) {
$self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'billing_profile_id'.");
last;
}
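Review bot: The ACL here stays `AllowedRole => 'admin'`, yet the GET and POST bodies keep an `elsif($c->user->roles eq "reseller")` branch and an `else` path that resolves the reseller through `$c->user->contract->contact->reseller_id`, i.e. a subscriber; with the ACL as written those branches can only run if a non-admin somehow passes `ACLDetachTo`. Either widen the ACL to `AllowedRole => [qw/admin reseller/],` as the domains collection in this same commit does, or drop the unreachable branches so the handler and the ACL agree on who may call it. The same shape recurs in the billing profiles, billing zones, customers, domains and subscribers controllers further down, and in the `*_by_id` helpers in the Utils packages, so one decision should be applied to all of them.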

@ -25,7 +25,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,
@ -50,8 +50,8 @@ sub GET :Allow {
my $rows = $c->request->params->{rows} // 10;
{
my $profiles = $c->model('DB')->resultset('billing_profiles');
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$profiles = $profiles->search({ reseller_id => $c->user->reseller_id });
} else {
$profiles = $profiles->search({ reseller_id => $c->user->contract->contact->reseller_id});
@ -140,8 +140,8 @@ sub POST :Allow {
);
last unless $resource;
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$resource->{reseller_id} = $c->user->reseller_id;
} else {
$resource->{reseller_id} = $c->user->contract->contact->reseller_id;

@ -25,7 +25,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,
@ -56,8 +56,8 @@ sub GET :Allow {
});
};
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$zones = $zones->search({
'billing_profile.reseller_id' => $c->user->reseller_id
}, {
@ -155,8 +155,8 @@ sub POST :Allow {
last unless $resource;
my $reseller_id;
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$reseller_id = $c->user->reseller_id;
} else {
$reseller_id = $c->user->contract->contact->reseller_id;
@ -176,7 +176,7 @@ sub POST :Allow {
$self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'billing_profile_id'.");
last;
}
if($c->user->roles ne "api_admin" && $profile->reseller_id != $reseller_id) {
if($c->user->roles ne "admin" && $profile->reseller_id != $reseller_id) {
$self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'billing_profile_id'.");
last;
}

@ -25,7 +25,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -28,7 +28,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,

@ -28,7 +28,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -28,7 +28,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,

@ -25,7 +25,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -28,7 +28,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,
@ -70,8 +70,8 @@ sub GET :Allow {
'+as' => 'bmid',
});
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$customers = $customers->search({
'contact.reseller_id' => $c->user->reseller_id,
});

@ -28,7 +28,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => [qw/admin reseller/],
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,
@ -163,9 +163,9 @@ sub POST :Allow {
domain => $resource->{domain}
});
my $reseller_id;
if($c->user->roles eq "api_admin") {
if($c->user->roles eq "admin") {
$reseller_id = $resource->{reseller_id};
} elsif($c->user->roles eq "api_reseller") {
} elsif($c->user->roles eq "reseller") {
$reseller_id = $c->user->reseller_id;
}
$billing_domain->create_related('domain_resellers', {

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,
@ -93,8 +93,8 @@ sub DELETE :Allow {
my $domain = $self->item_by_id($c, $id);
last unless $self->resource_exists($c, domain => $domain);
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
unless($domain->domain_resellers->reseller_id == $c->user->reseller_id) {
$self->error($c, HTTP_FORBIDDEN, "Domain does not belong to reseller");
last;
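Review bot: The reseller branch of DELETE reads `$domain->domain_resellers->reseller_id`, but `hal_from_item` in this same commit reaches the reseller via `$item->domain_resellers->first->reseller_id`, which suggests `domain_resellers` is a resultset and the direct `->reseller_id` call here would not resolve. Since the ACL above is `AllowedRole => 'admin'` only, this branch is currently dead, so the failure would surface only once resellers are allowed through; the same pattern appears in the subscribers DELETE below (`$subscriber->subscriber_resellers->reseller_id`). The enclosing `sub DELETE` continues past the hunk.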

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,

@ -25,7 +25,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -20,8 +20,8 @@ class_has('dispatch_path', is => 'ro', default => '/api/');
__PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => [qw(API::Root invalid_user)],
AllowedRole => 'api_admin',
ACLDetachTo => 'invalid_user',
AllowedRole => [qw/admin reseller/],
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,
@ -103,14 +103,15 @@ sub collections_link_headers : Private {
sub invalid_user : Private {
my ($self, $c, $ssl_client_m_serial) = @_;
$self->error($c, HTTP_FORBIDDEN, "Invalid certificate serial number '$ssl_client_m_serial'.");
#$self->error($c, HTTP_FORBIDDEN, "Invalid certificate serial number '$ssl_client_m_serial'.");
$self->error($c, HTTP_FORBIDDEN, "Invalid user");
return;
}
sub end : Private {
my ($self, $c) = @_;
$self->log_response($c);
#$self->log_response($c);
}
# vim: set tabstop=4 expandtab:
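Review bot: `invalid_user` now drops the `$ssl_client_m_serial` it is still passed, so a rejected client certificate leaves no trace of which serial was presented; keeping the generic response is fine, but the serial belongs in the server log, e.g. `$c->log->warn("Invalid API user, client cert serial '" . ($ssl_client_m_serial // '') . "'");` before the `error` call. In `end`, `#$self->log_response($c);` silently switches off response logging while `log_response` itself is being fixed later in this commit; if that is intended, it should be a config flag rather than a commented-out call, otherwise the line should be restored.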

@ -30,7 +30,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,
@ -139,8 +139,8 @@ sub POST :Allow {
if($resource->{domain}) {
$domain = $c->model('DB')->resultset('domains')
->search({ domain => $resource->{domain} });
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$domain = $domain->search({
'domain_resellers.reseller_id' => $c->user->reseller_id,
}, {
@ -170,8 +170,8 @@ sub POST :Allow {
unless($domain) {
$domain = $c->model('DB')->resultset('domains')->search($resource->{domain_id});
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$domain = $domain->search({
'domain_resellers.reseller_id' => $c->user->reseller_id,
}, {
@ -205,8 +205,8 @@ sub POST :Allow {
'+select' => 'billing_mappings.id',
'+as' => 'bmid',
});
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$customer = $customer->search({
'contact.reseller_id' => $c->user->reseller_id,
});

@ -27,7 +27,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,
@ -93,8 +93,8 @@ sub DELETE :Allow {
my $subscriber = $self->item_by_id($c, $id);
last unless $self->resource_exists($c, subscriber => $subscriber);
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
unless($subscriber->subscriber_resellers->reseller_id == $c->user->reseller_id) {
$self->error($c, HTTP_FORBIDDEN, "subscriber does not belong to reseller");
last;

@ -28,7 +28,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 0,
Does => [qw(ACL CheckTrailingSlash RequireSSL)],
Method => $_,

@ -25,7 +25,7 @@ __PACKAGE__->config(
action => {
map { $_ => {
ACLDetachTo => '/api/root/invalid_user',
AllowedRole => 'api_admin',
AllowedRole => 'admin',
Args => 1,
Does => [qw(ACL RequireSSL)],
Method => $_,

@ -20,7 +20,7 @@ sub auto :Does(ACL) :ACLDetachTo('/denied_page') :AllowedRole(admin) :AllowedRol
sub list_admin :PathPart('administrator') :Chained('/') :CaptureArgs(0) {
my ($self, $c) = @_;
my $dispatch_to = '_admin_resultset_' . $c->user->auth_realm;
my $dispatch_to = '_admin_resultset_' . $c->user->roles;
$c->stash(
admins => $self->$dispatch_to($c),
template => 'administrator/list.tt',

@ -30,7 +30,7 @@ sub auto :Does(ACL) :ACLDetachTo('/denied_page') :AllowedRole(admin) :AllowedRol
sub profile_list :Chained('/') :PathPart('billing') :CaptureArgs(0) {
my ( $self, $c ) = @_;
my $dispatch_to = '_profile_resultset_' . $c->user->auth_realm;
my $dispatch_to = '_profile_resultset_' . $c->user->roles;
my $profiles_rs = $self->$dispatch_to($c);
$c->stash(profiles_rs => $profiles_rs);
$c->stash->{profile_dt_columns} = NGCP::Panel::Utils::Datatables::set_columns($c, [

@ -22,7 +22,7 @@ sub auto :Does(ACL) :ACLDetachTo('/denied_page') :AllowedRole(admin) :AllowedRol
sub dom_list :Chained('/') :PathPart('domain') :CaptureArgs(0) {
my ($self, $c) = @_;
my $dispatch_to = '_dom_resultset_' . $c->user->auth_realm;
my $dispatch_to = '_dom_resultset_' . $c->user->roles;
my $dom_rs = $self->$dispatch_to($c);
$c->stash->{domain_dt_columns} = NGCP::Panel::Utils::Datatables::set_columns($c, [

@ -53,23 +53,6 @@ sub index :Path Form {
-and => [
login => $user,
is_active => 1,
is_superuser => 1,
],
}],
}
},
$realm);
} elsif($realm eq 'reseller') {
$res = $c->authenticate(
{
login => $user,
md5pass => $pass,
'dbix_class' => {
searchargs => [{
-and => [
login => $user,
is_active => 1,
is_superuser => 0,
],
}],
}

@ -21,7 +21,7 @@ sub auto :Does(ACL) :ACLDetachTo('/denied_page') :AllowedRole(admin) :AllowedRol
sub levels_list :Chained('/') :PathPart('ncos') :CaptureArgs(0) {
my ( $self, $c ) = @_;
my $dispatch_to = '_levels_resultset_' . $c->user->auth_realm;
my $dispatch_to = '_levels_resultset_' . $c->user->roles;
my $levels_rs = $self->$dispatch_to($c);
$c->stash(levels_rs => $levels_rs);

@ -27,33 +27,57 @@ sub auto :Private {
return 1;
}
if($c->user_exists && $c->user->roles ne "api_admin" &&
0 == index $c->controller->catalyst_component_name, 'NGCP::Panel::Controller::API') {
$c->log->debug("*** Root::auto invalidate authenticated non-api-admin user for api access");
$c->logout;
}
unless($c->user_exists) {
$c->log->debug("*** Root::auto user not authenticated");
if (
exists $c->request->env->{SSL_CLIENT_M_SERIAL}
&& 0 == index $c->controller->catalyst_component_name, 'NGCP::Panel::Controller::API'
) {
my $ssl_client_m_serial = hex $c->request->env->{SSL_CLIENT_M_SERIAL};
my $res = $c->authenticate({
ssl_client_m_serial => $ssl_client_m_serial,
is_superuser => 1, # TODO: abused as password until NoPassword handler is available
}, 'api_admin');
unless($c->user_exists) {
use Data::Printer; p $res;
$c->log->debug("+++++ invalid api login");
$c->detach(qw(API::Root invalid_user), [$ssl_client_m_serial]) unless $c->user_exists;
if(index($c->controller->catalyst_component_name, 'NGCP::Panel::Controller::API') == 0) {
$c->log->debug("++++++ Root::auto unauthenticated API request");
my $ssl_dn = $c->request->env->{SSL_CLIENT_M_DN} // "";
my $ssl_sn = hex $c->request->env->{SSL_CLIENT_M_SERIAL} // 0;
if($ssl_sn) {
$c->log->debug("++++++ Root::auto API request with client auth sn '$ssl_sn'");
unless($ssl_dn eq "/CN=Sipwise NGCP API client certificate") {
$c->log->error("++++++ Root::auto API request with invalid client DN '$ssl_dn'");
$c->res->status(403);
$c->res->body(JSON::to_json({
message => "Invalid client certificate DN '$ssl_dn'",
code => 403,
}));
return;
}
my $res = $c->authenticate({
ssl_client_m_serial => $ssl_sn,
is_active => 1, # TODO: abused as password until NoPassword handler is available
}, 'api_admin_cert');
unless($c->user_exists) {
$c->log->debug("+++++ invalid api login");
$c->detach(qw(API::Root invalid_user), [$ssl_sn]) unless $c->user_exists;
} else {
$c->log->debug("++++++ admin '".$c->user->login."' authenticated via api_admin_cert");
}
return 1;
} else {
$c->log->debug("api_admin '".$c->user->login."' authenticated");
$c->log->debug("++++++ Root::auto API request with http auth");
my $realm = "api_admin_http";
my $res = $c->authenticate({}, $realm);
unless($c->user_exists && $c->user->is_active) {
$c->user->logout if($c->user);
$c->log->debug("+++++ invalid api admin http login");
my $r = $c->get_auth_realm($realm);
$r->credential->authorization_required_response($c, $r);
return;
} else {
$c->log->debug("++++++ admin '".$c->user->login."' authenticated via api_admin_http");
}
return 1;
}
return 1;
}
# don't redirect to login page for ajax uris
if($c->request->path =~ /\/ajax$/) {
$c->response->body("403 - Permission denied");
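Review bot: `$c->user->logout if($c->user);` calls `logout` on the user object, but `logout` is a context method (`$c->logout`, as the removed line above used it); on a Store::DBIx::Class user I believe unknown methods are forwarded to the row object, so this would die instead of clearing a user whose `is_active` check failed. `hex $c->request->env->{SSL_CLIENT_M_SERIAL} // 0` parses as `(hex ...) // 0`, so a missing header still feeds `undef` to `hex` and warns; `hex($c->request->env->{SSL_CLIENT_M_SERIAL} // 0)` is what was meant. The Basic-auth branch runs in `auto`, i.e. before the `RequireSSL` action role of the target action, so unless TLS is enforced in front of Catalyst the `Authorization` header is verified against the admin table over plain HTTP; a `return` with a 403 when `!$c->request->secure`, placed before `$c->authenticate({}, $realm)` and before the 401 challenge, would close that. `sub auto` starts and ends outside this hunk.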

@ -369,15 +369,21 @@ sub log_request {
my $params = join(', ', map { "'".$_."'='".($c->request->query_params->{$_} // '')."'" }
keys %{ $c->request->query_params }
);
my $user;
if($c->user->roles eq "api_admin" || $c->user->roles eq "api_reseller") {
$user = $c->user->login;
my ($user, $roles);
if($c->user_exists) {
if($c->user->roles eq "admin" || $c->user->roles eq "reseller") {
$user = $c->user->login;
} else {
$user = $c->user->username . '@' . $c->user->domain;
}
$roles = $c->user->roles;
} else {
$user = $c->user->username . '@' . $c->user->domain;
$user = "<unknown>";
$roles = "<unknown>";
}
$c->log->info("API function '".$c->request->path."' called by '" . $user .
"' ('" . $c->user->roles . "') from host '".$c->request->address."' with method '" . $c->request->method . "' and params " .
"' ('" . $roles . "') from host '".$c->request->address."' with method '" . $c->request->method . "' and params " .
(length $params ? $params : "''") .
" and body '" . $c->stash->{body} . "'");
}
@ -398,7 +404,7 @@ sub log_response {
}
$c->log->info("API function '".$c->request->path."' generated response with code '" .
$c->response->code . "' and body '" .
$c->response->body . "'");
($c->response->body // '') . "'");
}
1;
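Review bot: `log_request` writes `$c->stash->{body}` verbatim at info level; if that is the raw request payload, then with password-based API access any resource that carries a password or similar secret field ends up in the log in clear. A short comment above the `$c->log->info` call stating what the stash body holds, plus redaction of known secret keys before the string is built, would keep the audit line useful without leaking credentials. The new `$c->user_exists` guard is a good addition since this runs for unauthenticated requests as well; `log_request` starts outside the hunk.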

@ -51,8 +51,8 @@ sub fee_by_id {
my ($self, $c, $id) = @_;
my $fees = $c->model('DB')->resultset('billing_fees');
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$fees = $fees->search({
'billing_profile.reseller_id' => $c->user->reseller_id,
}, {
@ -73,8 +73,8 @@ sub update_fee {
my ($self, $c, $fee, $old_resource, $resource, $form) = @_;
my $reseller_id;
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_admin") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "admin") {
$reseller_id = $c->user->reseller_id;
} else {
$reseller_id = $c->user->contract->contact->reseller_id;
@ -125,7 +125,7 @@ sub update_fee {
$self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'billing_profile_id'");
return;
}
if($c->user->roles ne "api_admin" && $profile->reseller->id != $reseller_id) {
if($c->user->roles ne "admin" && $profile->reseller->id != $reseller_id) {
$self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'billing_profile_id'");
return;
}
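Review bot: In `update_fee` the branch pair reads `if($c->user->roles eq "admin") {` followed by `} elsif($c->user->roles eq "admin") {`, so the second condition can never be true and a reseller falls through to the subscriber path `$c->user->contract->contact->reseller_id` instead of `$c->user->reseller_id`. The `elsif` should be `} elsif($c->user->roles eq "reseller") {`, matching `fee_by_id` just above. The same duplicated `"admin"` condition is in `update_zone` in the billing zones Utils section below; `update_fee` starts outside the hunk.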

@ -54,8 +54,8 @@ sub profile_by_id {
my ($self, $c, $id) = @_;
my $profiles = $c->model('DB')->resultset('billing_profiles');
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$profiles = $profiles->search({
reseller_id => $c->user->reseller_id,
});

@ -51,8 +51,8 @@ sub zone_by_id {
my ($self, $c, $id) = @_;
my $zones = $c->model('DB')->resultset('billing_zones');
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$zones = $zones->search({
'billing_profile.reseller_id' => $c->user->reseller_id,
}, {
@ -73,8 +73,8 @@ sub update_zone {
my ($self, $c, $zone, $old_resource, $resource, $form) = @_;
my $reseller_id;
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_admin") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "admin") {
$reseller_id = $c->user->reseller_id;
} else {
$reseller_id = $c->user->contract->contact->reseller_id;
@ -96,7 +96,7 @@ sub update_zone {
$self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'billing_profile_id'");
return;
}
if($c->user->roles ne "api_admin" && $profile->reseller->id != $reseller_id) {
if($c->user->roles ne "admin" && $profile->reseller->id != $reseller_id) {
$self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'billing_profile_id'");
return;
}

@ -104,8 +104,8 @@ sub customer_by_id {
'+as' => 'bmid',
});
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$customers = $customers->search({
'contact.reseller_id' => $c->user->reseller_id,
});

@ -13,9 +13,9 @@ use NGCP::Panel::Utils::Prosody;
sub get_form {
my ($self, $c) = @_;
if($c->user->roles eq "api_admin") {
if($c->user->roles eq "admin") {
return NGCP::Panel::Form::Domain::Admin->new;
} elsif($c->user->roles eq "api_reseller") {
} elsif($c->user->roles eq "reseller") {
return NGCP::Panel::Form::Domain::Reseller->new;
}
return;
@ -155,9 +155,9 @@ sub item_rs {
# we actually return the domain rs here, as we can easily
# go to dom_preferences from there
my $item_rs;
if($c->user->roles eq "api_admin") {
if($c->user->roles eq "admin") {
$item_rs = $c->model('DB')->resultset('domains');
} elsif($c->user->roles eq "api_reseller") {
} elsif($c->user->roles eq "reseller") {
$item_rs = $c->model('DB')->resultset('admins')->find(
{ id => $c->user->id, } )
->reseller

@ -15,9 +15,9 @@ use NGCP::Panel::Utils::Prosody;
sub get_form {
my ($self, $c) = @_;
if($c->user->roles eq "api_admin") {
if($c->user->roles eq "admin") {
return NGCP::Panel::Form::Domain::Admin->new;
} elsif($c->user->roles eq "api_reseller") {
} elsif($c->user->roles eq "reseller") {
return NGCP::Panel::Form::Domain::Reseller->new;
}
return;
@ -54,11 +54,11 @@ sub hal_from_item {
);
$resource{id} = int($item->id);
if($c->user->roles eq "api_admin") {
if($c->user->roles eq "admin") {
$resource{reseller_id} =
int($item->domain_resellers->first->reseller_id)
if($item->domain_resellers->first);
} elsif($c->user->roles eq "api_reseller") {
} elsif($c->user->roles eq "reseller") {
}
=pod
@ -104,9 +104,9 @@ sub item_rs {
my ($self, $c) = @_;
my $item_rs;
if($c->user->roles eq "api_admin") {
if($c->user->roles eq "admin") {
$item_rs = $c->model('DB')->resultset('domains');
} elsif($c->user->roles eq "api_reseller") {
} elsif($c->user->roles eq "reseller") {
$item_rs = $c->model('DB')->resultset('admins')->find(
{ id => $c->user->id, } )
->reseller

@ -66,8 +66,8 @@ sub item_rs {
my $item_rs;
$item_rs = $c->model('DB')->resultset('voip_subscribers')
->search({ status => { '!=' => 'terminated' } });
if($c->user->roles eq "api_admin") {
} elsif($c->user->roles eq "api_reseller") {
if($c->user->roles eq "admin") {
} elsif($c->user->roles eq "reseller") {
$item_rs = $item_rs->search({
'contact.reseller_id' => $c->user->reseller_id,
}, {

@ -9,7 +9,7 @@
<div class="login-extra">
Go to
[%
realms = ['subscriber', 'admin', 'reseller'];
realms = ['subscriber', 'admin'];
links = [];
FOREACH r IN realms;
UNLESS realm == r;
