MT#3927 custom auth

12 years ago · f6e01fdbd6
parent aba646f59b
commit f6e01fdbd6
4 changed files with 37 additions and 10 deletions
--- a/lib/NGCP/Panel.pm
+++ b/lib/NGCP/Panel.pm
@ -123,6 +123,18 @@ __PACKAGE__->config(
                store_user_class => 'NGCP::Panel::AuthenticationStore::RoleFromRealm',
            }
        },
+        api_admin => {
+            credential => {
+                class => 'NoPassword',
+            },
+            store => {
+                class => 'DBIx::Class',
+                user_model => 'DB::admins',
+                id_field => 'ssl_client_m_serial',
+                store_user_class => 'NGCP::Panel::AuthenticationStore::RoleFromRealm',
+            },
+            use_session => 0,
+        },
        subscriber => {
            credential => {
                class => 'Password',
--- a/lib/NGCP/Panel/Controller/Root.pm
+++ b/lib/NGCP/Panel/Controller/Root.pm
@ -18,19 +18,25 @@ sub auto :Private {

    $c->log->debug("*** Root::auto called");

-    if($c->controller =~ /::Root\b/
-        or $c->controller =~ /::Login\b/) {
-        
-        $c->log->debug("*** Root::auto grant access to " . $c->request->path);
-        return 1;
-    } elsif($c->req->uri->path =~ /^\/device\/autoprov\/.+/) {
-        $c->log->debug("*** Root::auto grant access to " . $c->request->path);
+    if (
+        __PACKAGE__ eq $c->controller->catalyst_component_name
+        or 'NGCP::Panel::Controller::Login' eq $c->controller->catalyst_component_name
+        or $c->req->uri->path =~ m|^/device/autoprov/.+|
+    ) {
+        $c->log->debug("*** Root::auto skip authn, grant access to " . $c->request->path);
        return 1;
    }
-    
    unless($c->user_exists) {
        $c->log->debug("*** Root::auto user not authenticated");
-        
+        if (
+            exists $c->request->env->{SSL_CLIENT_M_SERIAL}
+            && 0 == index $c->controller->catalyst_component_name, 'NGCP::Panel::Controller::API'
+        ) {
+            my $ssl_client_m_serial = hex $c->request->env->{SSL_CLIENT_M_SERIAL};
+            $c->authenticate({ ssl_client_m_serial => $ssl_client_m_serial }, 'api_admin');
+            $c->detach(qw(API::Root invalid_user), [$ssl_client_m_serial]) unless $c->user_exists;
+            return 1;
+        }
        # don't redirect to login page for ajax uris
        if($c->request->path =~ /\/ajax$/) {
            $c->response->body("403 - Permission denied");
--- a/share/layout/wrapper.tt
+++ b/share/layout/wrapper.tt
@ -1,5 +1,5 @@
 [%
-    IF template.name.match('(\.html$|\.css$|\.js$|\.txt$)');
+    IF template.name.match('^api|(\.html$|\.css$|\.js$|\.txt$)');
        content;
    ELSIF template.name.match('^login\/login\.tt$');
       content WRAPPER html.tt;
--- a/share/templates/api/invalid_user.tt
+++ b/share/templates/api/invalid_user.tt
@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+    <head>
+        <title>Invalid certificate serial number</title>
+    </head>
+    <body>
+        <p>Invalid certificate serial number <var>[% ssl_client_m_serial %]</var></p>
+    </body>
+</html>