MT#59449 fix password validation enabled/disabled, admins

* correctly detect and skip password validation when sip_validatation or web_validation is not enabled respectively * better detect web password for admin users * /api/admins PUT/PATCH now also correctly checks last used passwords Change-Id: I9a6fa9b8e30ae2b81d2852dec0e1f9d858be13ef
1 year ago · e6b29d3e7b
parent 55cf852151
commit e6b29d3e7b
3 changed files with 61 additions and 23 deletions
--- a/lib/NGCP/Panel/Controller/API/AdminsItem.pm
+++ b/lib/NGCP/Panel/Controller/API/AdminsItem.pm
@ -30,6 +30,14 @@ __PACKAGE__->set_config({
    }
 });

+sub PUT :Allow {
+    my ($self, $c, $id) = @_;
+    if (my $item = $self->item_by_id_valid($c, $id)) {
+        $c->stash->{administrator} = $item;
+    }
+    return $self->SUPER::PUT($c, $id);
+}
+
 sub PATCH :Allow {
    my ($self, $c, $id) = @_;

@ -38,6 +46,10 @@ sub PATCH :Allow {
        my $preference = $self->require_preference($c);
        last unless $preference;

+        my $item = $self->item_by_id($c, $id);
+        last unless $self->resource_exists($c, admin => $item);
+        $c->stash->{administrator} = $item;
+
        my $json = $self->get_valid_patch_data(
            c => $c,
            id => $id,
@ -45,8 +57,6 @@ sub PATCH :Allow {
        );
        last unless $json;

-        my $item = $self->item_by_id($c, $id);
-        last unless $self->resource_exists($c, admin => $item);
        my $old_resource = { $item->get_inflated_columns };
        #use saltedpass so we have a password field for applying patch
        #we later check in update_item and if the password field is still
--- a/lib/NGCP/Panel/Form/Administrator/Reseller.pm
+++ b/lib/NGCP/Panel/Form/Administrator/Reseller.pm
@ -88,7 +88,7 @@ sub validate_password {
    my $c = $self->form->ctx;
    return unless $c;

-    NGCP::Panel::Utils::Form::validate_password(c => $c, field => $field, utf8 => 0);
+    NGCP::Panel::Utils::Form::validate_password(c => $c, field => $field, utf8 => 0, admin => 1);
 }

 sub _acl_role_select_options {
--- a/lib/NGCP/Panel/Utils/Form.pm
+++ b/lib/NGCP/Panel/Utils/Form.pm
@ -15,6 +15,26 @@ sub validate_password {
    my $minlen = $pw->{min_length} // 12;
    my $maxlen = $pw->{max_length} // 40;

+    my $is_sip_password = 0;
+    my $is_web_password = 0;
+    my $is_admin_password = 0;
+
+    if ($params{admin}) {
+        $is_admin_password = 1;
+    } elsif ($field->name eq 'password') {
+        $is_sip_password = 1;
+    } elsif ($field->name eq 'webpassword') {
+        $is_web_password = 1;
+    }
+
+    if ($is_sip_password) {
+        return unless $pw->{sip_validate};
+    } elsif ($is_web_password || $is_admin_password) {
+        return unless $pw->{web_validate};
+    } else {
+        return;
+    }
+
    if(length($pass) < $minlen) {
        $field->add_error($c->loc('Must be at minimum [_1] characters long', $minlen));
    }
@ -63,36 +83,29 @@ sub validate_password {

    my $lp_rs;
    my $check_last_passwords = 0;
-    my $prov_sub = $c->stash->{subscriber}
-                    ? $c->stash->{subscriber}->provisioning_voip_subscriber
-                    : undef;
-    my $admin = $c->stash->{administrator} // undef;
-    if($field->name eq "password" && $pw->{sip_validate}) {
+    if ($is_sip_password) {
        my $user;
-        if($field->form->field('username')) {
+        my $prov_sub = $c->stash->{subscriber}
+                        ? $c->stash->{subscriber}->provisioning_voip_subscriber
+                        : undef;
+        if ($field->form->field('username')) {
            $user = $field->form->field('username')->value;
-        } elsif($prov_sub) {
+        } elsif ($prov_sub) {
            $user = $prov_sub->username;
-            if (defined $user && $pass =~ /$user/i) {
-                $field->add_error($c->loc('Must not contain username'));
-            }
-        } elsif($admin) {
-            $user = $admin->login;
-            if (defined $user && $pass =~ /$user/i) {
-                $field->add_error($c->loc('Must not contain login'));
-            }
+        }
+        if (defined $user && $pass =~ /$user/i) {
+            $field->add_error($c->loc('Must not contain username'));
        }
        if ($pass && $prov_sub && $pass ne $prov_sub->password) {
            $lp_rs = $prov_sub->last_passwords;
            $check_last_passwords = 1;
        }
-        if ($pass && $admin) {
-            $lp_rs = $admin->last_passwords;
-            $check_last_passwords = 1;
-        }
    } elsif($field->name eq "webpassword" && $pw->{web_validate}) {
        my $user;
-        if($field->form->field('webusername')) {
+        my $prov_sub = $c->stash->{subscriber}
+                ? $c->stash->{subscriber}->provisioning_voip_subscriber
+                : undef;
+        if ($field->form->field('webusername')) {
            $user = $field->form->field('webusername')->value;
        } elsif($prov_sub) {
            $user = $prov_sub->webusername;
@ -104,6 +117,21 @@ sub validate_password {
            $lp_rs = $prov_sub->last_webpasswords;
            $check_last_passwords = 1;
        }
+    } elsif ($is_admin_password) {
+        my $user;
+        my $admin = $c->stash->{administrator} // undef;
+        if ($field->form->field('login')) {
+            $user = $field->form->field('login')->value;
+        } elsif($admin) {
+            $user = $admin->login;
+        }
+        if (defined $user && $pass =~ /$user/i) {
+            $field->add_error($c->loc('Must not contain login'));
+        }
+        if ($pass && $admin) {
+            $lp_rs = $admin->last_passwords;
+            $check_last_passwords = 1;
+        }
    }
    if ($check_last_passwords) {
        my $bcrypt_cost = 6;