TT#22496 TT#22495 Disable "sipwise" admin edit and delete

Change-Id: I33341247220c389f997ca02104ccfa6028e76ebb
8 years ago · d7c6689b93
parent 09d5589f75
commit d7c6689b93
8 changed files with 108 additions and 17 deletions
--- a/lib/NGCP/Panel/Controller/API/AdminCerts.pm
+++ b/lib/NGCP/Panel/Controller/API/AdminCerts.pm
@ -53,7 +53,11 @@ sub create_item {
    # a. you're doing it for yourself
    # b. you're a master
    # c. you're a superuser
-    unless($c->user->login eq $login || $c->user->is_master || $c->user->is_superuser) {
+    unless($c->user->login eq $login 
+        || $c->user->is_master 
+        || $c->user->is_superuser
+        || NGCP::Panel::Utils::Admin::get_special_admin_login() ne $login
+    ) {
        $c->log->warn("Admin " . $c->user->login . " trying to create certs for user $login, reject");
        $self->error($c, HTTP_FORBIDDEN, "Insufficient privileges to create certificate for this administrator");
        return;
--- a/lib/NGCP/Panel/Controller/API/AdminsItem.pm
+++ b/lib/NGCP/Panel/Controller/API/AdminsItem.pm
@ -3,6 +3,8 @@ use NGCP::Panel::Utils::Generic qw(:all);

 use Sipwise::Base;

+use NGCP::Panel::Utils::Admin;
+
 use boolean qw(true);
 use NGCP::Panel::Utils::DataHal qw();
 use NGCP::Panel::Utils::DataHalLink qw();
@ -115,6 +117,12 @@ sub DELETE :Allow {
        last unless $self->resource_exists($c, admin => $admin);

        $c->log->error("++++++ trying to delete admin #$id as #" . $c->user->id);
+        
+        my $special_user_login = NGCP::Panel::Utils::Admin::get_special_admin_login();
+        if($admin->login eq $special_user_login) {
+            $self->error($c, HTTP_FORBIDDEN, "Cannot delete special user '$special_user_login'");
+            last;
+        }
        if($c->user->id == $id) {
            $self->error($c, HTTP_FORBIDDEN, "Cannot delete own user");
            last;
--- a/lib/NGCP/Panel/Controller/Administrator.pm
+++ b/lib/NGCP/Panel/Controller/Administrator.pm
@ -30,7 +30,7 @@ sub list_admin :PathPart('administrator') :Chained('/') :CaptureArgs(0) {
    if($c->user->is_superuser) {
        @{ $cols } =  (@{ $cols }, { name => "reseller.name", search => 1, title => $c->loc("Reseller") });
    }
-    @{ $cols } =  (@{ $cols }, 
+    @{ $cols } =  (@{ $cols },
        { name => "login", search => 1, title => $c->loc("Login") },
        { name => "is_master", title => $c->loc("Master") },
        { name => "is_active", title => $c->loc("Active") },
@ -43,6 +43,7 @@ sub list_admin :PathPart('administrator') :Chained('/') :CaptureArgs(0) {
        @{ $cols } =  (@{ $cols },  { name => "lawful_intercept", title => $c->loc("Lawful Intercept") });
    }
    $c->stash->{admin_dt_columns} = NGCP::Panel::Utils::Datatables::set_columns($c, $cols);
+    $c->stash->{special_admin_login} = NGCP::Panel::Utils::Admin::get_special_admin_login();
    return;
 }

@ -75,7 +76,7 @@ sub create :Chained('list_admin') :PathPart('create') :Args(0) {
    my ($self, $c) = @_;

    $c->detach('/denied_page')
-    	unless($c->user->is_master);
+        unless($c->user->is_master);

    my $form;
    my $params = {};
@ -134,7 +135,7 @@ sub base :Chained('list_admin') :PathPart('') :CaptureArgs(1) {
    my ($self, $c, $administrator_id) = @_;

    $c->detach('/denied_page')
-    	unless($c->user->is_master);
+        unless($c->user->is_master);

    unless ($administrator_id && is_int($administrator_id)) {
        NGCP::Panel::Utils::Message::error(
@ -161,12 +162,16 @@ sub edit :Chained('base') :PathPart('edit') :Args(0) {
    my $params = { $c->stash->{administrator}->get_inflated_columns };
    $params->{reseller}{id} = delete $params->{reseller_id};
    $params = merge($params, $c->session->{created_objects});
-    if($c->user->is_superuser) {
+    if($c->stash->{administrator}->login eq NGCP::Panel::Utils::Admin::get_special_admin_login()){
+       $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::AdminSpecial", $c);
+    }elsif($c->user->is_superuser) {
        $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Admin", $c);
    } else {
        $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Reseller", $c);
    }
-    $form->field('password')->{required} = 0;
+    if($form->field('password')){
+        $form->field('password')->{required} = 0;
+    }

    $form->process(
        posted => $posted,
@ -198,6 +203,16 @@ sub edit :Chained('base') :PathPart('edit') :Args(0) {
                $form->values->{md5pass} = undef;
                $form->values->{saltedpass} = NGCP::Panel::Utils::Admin::generate_salted_hash(delete $form->values->{password});
            }
+            #should be after other fields, to remove all added values, e.g. reseller_id
+            if($c->stash->{administrator}->login eq NGCP::Panel::Utils::Admin::get_special_admin_login()) {
+                foreach my $field ($form->fields){
+                    if($field ne 'is_active'){
+                        delete $form->values->{$field};
+                    }
+                }
+                delete $form->values->{reseller_id};
+            }
+
            $c->stash->{administrator}->update($form->values);
            delete $c->session->{created_objects}->{reseller};
            NGCP::Panel::Utils::Message::info(
@ -225,6 +240,24 @@ sub edit :Chained('base') :PathPart('edit') :Args(0) {
 sub delete :Chained('base') :PathPart('delete') :Args(0) {
    my ($self, $c) = @_;

+    if($c->stash->{administrator}->id == $c->user->id) {
+        NGCP::Panel::Utils::Message::error(
+            c => $c,
+            data => { $c->stash->{administrator}->get_inflated_columns },
+            desc => $c->loc('Cannot delete myself'),
+        );
+        NGCP::Panel::Utils::Navigation::back_or($c, $c->uri_for('/administrator'));
+    }
+    my $special_user_login = NGCP::Panel::Utils::Admin::get_special_admin_login();
+    if($c->stash->{administrator}->login eq $special_user_login) {
+        NGCP::Panel::Utils::Message::error(
+            c => $c,
+            data => { $c->stash->{administrator}->get_inflated_columns },
+            desc => $c->loc('Cannot delete "'.$special_user_login.'" administrator. Use "Edit" to disable it.'),
+        );
+        NGCP::Panel::Utils::Navigation::back_or($c, $c->uri_for('/administrator'));
+    }
+
    if($c->stash->{administrator}->id == $c->user->id) {
        NGCP::Panel::Utils::Message::error(
            c => $c,
@ -253,6 +286,17 @@ sub delete :Chained('base') :PathPart('delete') :Args(0) {

 sub api_key :Chained('base') :PathPart('api_key') :Args(0) {
    my ($self, $c) = @_;
+
+    my $special_user_login = NGCP::Panel::Utils::Admin::get_special_admin_login();
+    if($c->stash->{administrator}->login eq $special_user_login) {
+        NGCP::Panel::Utils::Message::error(
+            c => $c,
+            data => { $c->stash->{administrator}->get_inflated_columns },
+            desc => $c->loc('Cannot change api key of the "'.$special_user_login.'" administrator'),
+        );
+        NGCP::Panel::Utils::Navigation::back_or($c, $c->uri_for('/administrator'));
+    }
+
    my $serial = $c->stash->{administrator}->ssl_client_m_serial;
    my ($pem, $p12);
    if ($c->req->body_parameters->{'gen.generate'}) {
@ -296,7 +340,7 @@ sub api_key :Chained('base') :PathPart('api_key') :Args(0) {
        }
        NGCP::Panel::Utils::Navigation::back_or($c, $c->uri_for('/administrator'));
    } elsif ($c->req->body_parameters->{'del.delete'}) {
-        $c->stash->{administrator}->update({ 
+        $c->stash->{administrator}->update({
            ssl_client_m_serial => undef,
            ssl_client_certificate => undef,
        });
--- a/lib/NGCP/Panel/Form/Administrator/Admin.pm
+++ b/lib/NGCP/Panel/Form/Administrator/Admin.pm
@ -3,6 +3,8 @@ use HTML::FormHandler::Moose;
 use HTML::FormHandler::Widget::Block::Bootstrap;
 extends 'NGCP::Panel::Form::Administrator::Reseller';

+use NGCP::Panel::Utils::Admin;
+
 for (qw(is_superuser lawful_intercept)) {
    has_field $_ => (type => 'Boolean',);
 }
--- a/lib/NGCP/Panel/Form/Administrator/AdminSpecial.pm
+++ b/lib/NGCP/Panel/Form/Administrator/AdminSpecial.pm
@ -0,0 +1,21 @@
+package NGCP::Panel::Form::Administrator::AdminSpecial;
+use HTML::FormHandler::Moose;
+use HTML::FormHandler::Widget::Block::Bootstrap;
+use NGCP::Panel::Utils::Form;
+extends 'HTML::FormHandler';
+
+has '+widget_wrapper' => (default => 'Bootstrap');
+has_field 'submitid' => ( type => 'Hidden' );
+sub build_render_list {[qw/submitid fields actions/]}
+sub build_form_element_class {[qw(form-horizontal)]}
+
+has_field 'is_active' => (type => 'Boolean', default => 1);
+has_field 'save' => (type => 'Submit', element_class => [qw(btn btn-primary)],);
+has_block 'fields' => (
+    tag => 'div',
+    class => [qw(modal-body)],
+    render_list => [qw(is_active)],
+);
+has_block 'actions' => (tag => 'div', class => [qw(modal-footer)], render_list => [qw(save)],);
+
+1;
--- a/lib/NGCP/Panel/Role/API/Admins.pm
+++ b/lib/NGCP/Panel/Role/API/Admins.pm
@ -10,6 +10,7 @@ use NGCP::Panel::Utils::DataHal qw();
 use NGCP::Panel::Utils::DataHalLink qw();
 use HTTP::Status qw(:constants);
 use NGCP::Panel::Utils::DateTime;
+use NGCP::Panel::Utils::Admin;

 sub _item_rs {
    my ($self, $c) = @_;
@ -90,6 +91,7 @@ sub item_by_id {
    return $rs->find($id);
 }

+#we don't use update_item for the admins now.
 sub update_item {
    my ($self, $c, $item, $old_resource, $resource, $form) = @_;

@ -107,6 +109,12 @@ sub update_item {
        $resource->{saltedpass} = NGCP::Panel::Utils::Admin::generate_salted_hash($pass);
    }

+    if($old_resource->{login} eq NGCP::Panel::Utils::Admin::get_special_admin_login()) {
+        my $active = $resource->{is_active};
+        $resource = $old_resource;
+        $resource->{is_active} = $active;
+    }
+
    if($c->user->roles eq "reseller" && $resource->{reseller_id} != $c->user->reseller_id) {
        $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'reseller_id'");
        return;
--- a/lib/NGCP/Panel/Utils/Admin.pm
+++ b/lib/NGCP/Panel/Utils/Admin.pm
@ -5,6 +5,10 @@ use Crypt::Eksblowfish::Bcrypt qw/bcrypt_hash en_base64 de_base64/;
 use Data::Entropy::Algorithms qw/rand_bits/;
 use IO::Compress::Zip qw/zip/;

+sub get_special_admin_login {
+    return 'sipwise';
+}
+
 sub get_bcrypt_cost {
    return 13;
 }
@ -12,14 +16,14 @@ sub get_bcrypt_cost {
 sub generate_salted_hash {
    my $pass = shift;

-	my $salt = rand_bits(128);
-	my $b64salt = en_base64($salt);
-	my $b64hash = en_base64(bcrypt_hash({
-	    key_nul => 1,
-	    cost => get_bcrypt_cost(),
-	    salt => $salt,
-	}, $pass));
-	return $b64salt . '$' . $b64hash;
+    my $salt = rand_bits(128);
+    my $b64salt = en_base64($salt);
+    my $b64hash = en_base64(bcrypt_hash({
+        key_nul => 1,
+        cost => get_bcrypt_cost(),
+        salt => $salt,
+    }, $pass));
+    return $b64salt . '$' . $b64hash;
 }

 sub perform_auth {
--- a/share/templates/administrator/list.tt
+++ b/share/templates/administrator/list.tt
@ -17,8 +17,8 @@
    IF c.user.is_master;
        helper.dt_buttons = [
            { name = c.loc('Edit'), uri = "/administrator/'+full[\"id\"]+'/edit", class = 'btn-small btn-primary', icon = 'icon-edit' },
-            { name = c.loc('Delete'), uri = "/administrator/'+full[\"id\"]+'/delete", class = 'btn-small btn-secondary', icon = 'icon-trash' },
-            { name = c.loc('API key'), uri = "/administrator/'+full[\"id\"]+'/api_key", class = 'btn-small btn-info', icon = 'icon-lock' },
+            { name = c.loc('Delete'), uri = "/administrator/'+full[\"id\"]+'/delete", class = 'btn-small btn-secondary', icon = 'icon-trash', condition = 'full[\'login\'] != \'' _ special_admin_login _ '\'' },
+            { name = c.loc('API key'), uri = "/administrator/'+full[\"id\"]+'/api_key", class = 'btn-small btn-info', icon = 'icon-lock', condition = 'full[\'login\'] != \'' _ special_admin_login _ '\'' },
        ];

        helper.top_buttons = [