TT#76111 add lintercept role

* new c.users.role 'lintercept', that set to when an admin user has enabled 'lawful_intercept' flag * only Administrator page /api/admins and /api/interceptions are available for the role * 'lintercept' role can only see own user and only change password and email Change-Id: Iadcb022a124afbd77b224e734026f380af0170e8
6 years ago · 7862a87639
parent 9411eb6998
commit 7862a87639
13 changed files with 110 additions and 25 deletions
--- a/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm
+++ b/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm
@ -8,7 +8,9 @@ sub roles {
    if ($self->auth_realm) {
        for my $auth_type (qw/admin_bcrypt admin admin_jwt api_admin_cert api_admin_http api_admin api_admin_bcrypt api_admin_jwt/) {
            if ($auth_type eq $self->auth_realm) {
-                if ($self->_user->is_ccare) {
+                if ($self->_user->lawful_intercept) {
+                    return "lintercept";
+                } elsif ($self->_user->is_ccare) {
                    $self->_user->is_superuser ? return "ccareadmin"
                                               : return "ccare";
                } else {
--- a/lib/NGCP/Panel/Controller/API/Admins.pm
+++ b/lib/NGCP/Panel/Controller/API/Admins.pm
@ -7,8 +7,6 @@ use parent qw/NGCP::Panel::Role::Entities NGCP::Panel::Role::API::Admins/;

 use HTTP::Status qw(:constants);

-__PACKAGE__->set_config();
-
 sub api_description {
    return 'Defines admins to log into the system via panel or api.';
 }
@ -17,6 +15,10 @@ sub allowed_methods{
    return [qw/GET POST OPTIONS HEAD/];
 }

+__PACKAGE__->set_config({
+    allowed_roles => [qw/admin reseller lintercept/],
+});
+
 sub query_params {
    return [
        {
@ -34,6 +36,10 @@ sub query_params {

 sub create_item {
    my ($self, $c, $resource, $form, $process_extras) = @_;
+    if ($c->user->roles eq 'lintercept') {
+        $self->error($c, HTTP_FORBIDDEN, "Cannot create admin users");
+        return;
+    }
    unless($c->user->is_master) {
        $self->error($c, HTTP_FORBIDDEN, "Cannot create admin without master permissions");
        return;
--- a/lib/NGCP/Panel/Controller/API/AdminsItem.pm
+++ b/lib/NGCP/Panel/Controller/API/AdminsItem.pm
@ -21,7 +21,9 @@ sub get_journal_methods{
    return [qw/handle_item_base_journal handle_journals_get handle_journalsitem_get handle_journals_options handle_journalsitem_options handle_journals_head handle_journalsitem_head/];
 }   

-__PACKAGE__->set_config();
+__PACKAGE__->set_config({
+    allowed_roles => [qw/admin reseller lintercept/],
+});

 sub PATCH :Allow {
    my ($self, $c, $id) = @_;
--- a/lib/NGCP/Panel/Controller/API/Interceptions.pm
+++ b/lib/NGCP/Panel/Controller/API/Interceptions.pm
@ -61,7 +61,7 @@ sub relation{
 }

 __PACKAGE__->set_config({
-    allowed_roles => [qw/admin reseller/],
+    allowed_roles => [qw/lintercept/],
 });

 sub auto :Private {
--- a/lib/NGCP/Panel/Controller/API/Root.pm
+++ b/lib/NGCP/Panel/Controller/API/Root.pm
@ -29,7 +29,7 @@ __PACKAGE__->config(
    action => {
        map { $_ => {
            ACLDetachTo => 'invalid_user',
-            AllowedRole => [qw/admin reseller ccareadmin ccare subscriberadmin subscriber/],
+            AllowedRole => [qw/admin reseller ccareadmin ccare lintercept subscriberadmin subscriber/],
            Args => 0,
            Does => [qw(ACL CheckTrailingSlash RequireSSL)],
            Method => $_,
--- a/lib/NGCP/Panel/Controller/Administrator.pm
+++ b/lib/NGCP/Panel/Controller/Administrator.pm
@ -9,7 +9,7 @@ use NGCP::Panel::Utils::Message;
 use NGCP::Panel::Utils::Navigation;
 use NGCP::Panel::Utils::Auth;

-sub auto :Does(ACL) :ACLDetachTo('/denied_page') :AllowedRole(admin) :AllowedRole(reseller) {
+sub auto :Does(ACL) :ACLDetachTo('/denied_page') :AllowedRole(admin) :AllowedRole(reseller) :AllowedRole(lintercept) {
    my ($self, $c) = @_;
    $c->log->debug(__PACKAGE__ . '::auto');
    NGCP::Panel::Utils::Navigation::check_redirect_chain(c => $c);
@ -27,22 +27,24 @@ sub list_admin :PathPart('administrator') :Chained('/') :CaptureArgs(0) {
    my $cols = [
        { name => "id", search => 1, title => $c->loc("#") },
    ];
-    if($c->user->is_superuser) {
+    if($c->user->is_superuser && $c->user->roles ne 'lintercept') {
        @{ $cols } =  (@{ $cols }, { name => "reseller.name", search => 1, title => $c->loc("Reseller") });
    }
    @{ $cols } =  (@{ $cols },
        { name => "login", search => 1, title => $c->loc("Login") },
        { name => "email", search => 1, title => $c->loc("Email") },
-        { name => "is_master", title => $c->loc("Master") },
-        { name => "is_ccare", title => $c->loc("Customer Care") },
-        { name => "is_active", title => $c->loc("Active") },
-        { name => "read_only", title => $c->loc("Read Only") },
-        { name => "show_passwords", title => $c->loc("Show Passwords") },
-        { name => "call_data", title => $c->loc("Show CDRs") },
-        { name => "billing_data", title => $c->loc("Show Billing Info") },
-        { name => "can_reset_password", title => $c->loc("Can Reset Password") },
+        $c->user->roles eq 'admin' || $c->user->roles eq 'reseller' ?
+        ({ name => "is_master", title => $c->loc("Master") },
+         { name => "is_ccare", title => $c->loc("Customer Care") },
+         { name => "is_active", title => $c->loc("Active") },
+         { name => "read_only", title => $c->loc("Read Only") },
+         { name => "show_passwords", title => $c->loc("Show Passwords") },
+         { name => "call_data", title => $c->loc("Show CDRs") },
+         { name => "billing_data", title => $c->loc("Show Billing Info") },
+         { name => "can_reset_password", title => $c->loc("Can Reset Password") },
+        ) : ()
    );
-    if($c->user->is_superuser) {
+    if($c->user->is_superuser && $c->user->roles ne 'lintercept') {
        @{ $cols } =  (@{ $cols },  { name => "lawful_intercept", title => $c->loc("Lawful Intercept") });
    }
    $c->stash->{admin_dt_columns} = NGCP::Panel::Utils::Datatables::set_columns($c, $cols);
@ -62,6 +64,13 @@ sub _admin_resultset_reseller {
    });
 }

+sub _admin_resultset_lintercept {
+    my ($self, $c) = @_;
+    return $c->model('DB')->resultset('admins')->search({
+        login => $c->user->login
+    });
+}
+
 sub root :Chained('list_admin') :PathPart('') :Args(0) {
    my ($self, $c) = @_;
    return;
@ -75,7 +84,7 @@ sub ajax :Chained('list_admin') :PathPart('ajax') :Args(0) {
    return;
 }

-sub create :Chained('list_admin') :PathPart('create') :Args(0) {
+sub create :Chained('list_admin') :PathPart('create') :Args(0) :AllowedRole(admin) :AllowedRole(reseller) {
    my ($self, $c) = @_;

    $c->detach('/denied_page')
@ -165,9 +174,11 @@ sub edit :Chained('base') :PathPart('edit') :Args(0) {
    my $params = { $c->stash->{administrator}->get_inflated_columns };
    $params->{reseller}{id} = delete $params->{reseller_id};
    $params = merge($params, $c->session->{created_objects});
-    if($c->stash->{administrator}->login eq NGCP::Panel::Utils::Auth::get_special_admin_login()){
+    if ($c->user->roles eq 'lintercept') {
+       $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::LIntercept", $c);
+    } elsif ($c->stash->{administrator}->login eq NGCP::Panel::Utils::Auth::get_special_admin_login()){
       $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::AdminSpecial", $c);
-    }elsif($c->user->is_superuser) {
+    } elsif($c->user->is_superuser) {
        $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Admin", $c);
    } else {
        $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Reseller", $c);
@ -241,7 +252,7 @@ sub edit :Chained('base') :PathPart('edit') :Args(0) {
    );
 }

-sub delete_admin :Chained('base') :PathPart('delete') :Args(0) {
+sub delete_admin :Chained('base') :PathPart('delete') :Args(0) :AllowedRole(admin) :AllowedRole(reseller) {
    my ($self, $c) = @_;

    if($c->stash->{administrator}->id == $c->user->id) {
--- a/lib/NGCP/Panel/Controller/Root.pm
+++ b/lib/NGCP/Panel/Controller/Root.pm
@ -103,6 +103,10 @@ sub auto :Private {
            my $reseller_id = $c->user->reseller_id;
            my $tz_row = $c->model('DB')->resultset('reseller_timezone')->find({reseller_id => $reseller_id});
            _set_session_tz_from_row($c, $tz_row, 'reseller', $reseller_id);
+        } elsif($c->user->roles eq 'lintercept') {
+            my $reseller_id = $c->user->reseller_id;
+            my $tz_row = $c->model('DB')->resultset('reseller_timezone')->find({reseller_id => $reseller_id});
+            _set_session_tz_from_row($c, $tz_row, 'reseller', $reseller_id);
        } else {
            # this should not happen
        }
--- a/lib/NGCP/Panel/Form/Administrator/LIntercept.pm
+++ b/lib/NGCP/Panel/Form/Administrator/LIntercept.pm
@ -0,0 +1,32 @@
+package NGCP::Panel::Form::Administrator::LIntercept;
+use HTML::FormHandler::Moose;
+use HTML::FormHandler::Widget::Block::Bootstrap;
+use NGCP::Panel::Utils::Form;
+extends 'HTML::FormHandler';
+
+has '+widget_wrapper' => (default => 'Bootstrap');
+has_field 'submitid' => ( type => 'Hidden' );
+sub build_render_list {[qw/submitid fields actions/]}
+sub build_form_element_class {[qw(form-horizontal)]}
+
+has_field 'password' => (type => 'Password', required => 1, label => 'Password');
+has_field 'email' => (type => 'Email', required => 0, label => 'Email', maxlength => 255);
+has_field 'save' => (type => 'Submit', element_class => [qw(btn btn-primary)],);
+has_block 'fields' => (
+    tag => 'div',
+    class => [qw(modal-body)],
+    render_list => [qw(
+        password email
+    )],
+);
+has_block 'actions' => (tag => 'div', class => [qw(modal-footer)], render_list => [qw(save)],);
+
+sub validate_password {
+    my ($self, $field) = @_;
+    my $c = $self->form->ctx;
+    return unless $c;
+
+    NGCP::Panel::Utils::Form::validate_password(c => $c, field => $field);
+}
+
+1;
--- a/lib/NGCP/Panel/Role/API/Admins.pm
+++ b/lib/NGCP/Panel/Role/API/Admins.pm
@ -38,7 +38,7 @@ sub _item_rs {
        });
    }

-    if($c->user->is_master || $c->user->is_superuser) {
+    if ($c->user->roles ne 'lintercept' && ($c->user->is_master || $c->user->is_superuser)) {
        # return all (or all of reseller) admins
    } else {
        # otherwise, only return the own admin if master is not set
@ -52,7 +52,9 @@ sub _item_rs {
 sub get_form {
    my ($self, $c) = @_;
    my $form;
-    if($c->user->roles eq "admin") {
+    if ($c->user->roles eq "lintercept") {
+        $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::LIntercept", $c);
+    } elsif ($c->user->roles eq "admin") {
        $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Admin", $c);
    } else {
        $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Reseller", $c);
--- a/lib/NGCP/Panel/Utils/API.pm
+++ b/lib/NGCP/Panel/Utils/API.pm
@ -36,6 +36,8 @@ sub apply_resource_reseller_id {
         }
    } elsif($c->user->roles eq "reseller") {
        $reseller_id = $c->user->reseller_id;
+    } elsif($c->user->roles eq "lintercept") {
+        $reseller_id = $c->user->reseller_id;
    }
    $resource->{reseller_id} = $reseller_id;
    return $resource;
--- a/share/layout/body.tt
+++ b/share/layout/body.tt
@ -24,7 +24,7 @@
                <ul class="pull-right">
                    <li>
                      [% IF c.user -%]
-                        [%- IF c.user.roles == 'admin' || c.user.roles == 'reseller' || c.user.roles == 'ccareadmin' || c.user.roles == 'ccare' -%]
+                        [%- IF c.user.roles == 'admin' || c.user.roles == 'reseller' || c.user.roles == 'ccareadmin' || c.user.roles == 'ccare' || c.user.roles == 'lintercept' -%]
                          [% login_name = c.user.login _ ' (' _ c.user.roles _ ')' %]
                        [%- ELSE -%]
                          [% login_name = c.user.webusername _'@'_ c.user.domain.domain %]
--- a/share/templates/administrator/list.tt
+++ b/share/templates/administrator/list.tt
@ -14,7 +14,7 @@
    helper.form_object = form;
    helper.ajax_uri = c.uri_for( c.controller.action_for('ajax') );

-    IF c.user.is_master;
+    IF c.user.is_master && (c.user.roles ==  'admin' || c.user.roles == 'reseller');
        helper.dt_buttons = [
            { name = c.loc('Edit'), uri = "/administrator/'+full[\"id\"]+'/edit", class = 'btn-small btn-primary', icon = 'icon-edit' },
            { name = c.loc('Delete'), uri = "/administrator/'+full[\"id\"]+'/delete", class = 'btn-small btn-secondary', icon = 'icon-trash', condition = 'full[\'login\'] != \'' _ special_admin_login _ '\'' },
--- a/share/templates/widgets/lintercept_topmenu_settings.tt
+++ b/share/templates/widgets/lintercept_topmenu_settings.tt
@ -0,0 +1,24 @@
+<li class="dropdown">
+    <a href="javascript:;" class="dropdown-toggle" data-toggle="dropdown">
+        <i class="icon-question-sign"></i>
+        <span>[% c.loc('Documentation') | html %]</span>
+        <b class="caret"></b>
+    </a>
+    <ul class="dropdown-menu">
+        <li><a href="[% c.uri_for('/handbook/') %]" class="ngcp-noback-link">[% c.loc('Handbook') %]</a></li>
+        [% FOR l IN c.config.external_documentation.link -%]
+            <li><a href="[% l.url %]" class="ngcp-noback-link">[% l.name | html %]</a></li>
+        [% END; -%]
+    </ul>
+</li>
+<li class="dropdown">
+    <a href="javascript:;" class="dropdown-toggle" data-toggle="dropdown">
+        <i class="icon-th"></i>
+        <span>[% c.loc('Settings') %]</span>
+        <b class="caret"></b>
+    </a>
+    <ul class="dropdown-menu">
+        <li><a href="[% c.uri_for('/administrator') %]">[% c.loc('Administrator') %]</a></li>
+    </ul>
+</li>
+[% # vim: set tabstop=4 syntax=html expandtab: -%]