ngcp-panel

Commit Graph

Author	SHA1	Message	Date
Rene Krenn	8a11b8e996	MT#61646 fix phoenbook .csv encoding Change-Id: Iaf7e6a0d13f34459fb00478dc6285875fba52cfb	2 weeks ago
Marco Capetta	1be3f5a257	MT#62546 Fix permanent registration nat flags Due to changes in how kamailio manage the NAT contacts and the corresponding natping, the flags that the API or web interface sets while a permanent registration is created have to be updated. Before: * Default cflag is set to 0 (natping disabled) * If nat option, then cflag is set to 64 New: * Default cflag is set to 256 (netping disabled) * If nat option, then cflag is set to 128 Change-Id: I39b1d7a697ef72267fd8a05edf0552d2c1403733	2 weeks ago
Rene Krenn	0bd2c64b98	MT#53706 OTP: login, show registration info Change-Id: I20e6fba357b6bfed868edb8030009683b8df29ef	1 month ago
Rene Krenn	4bb352e1f8	MT#53706 rail for generating OTP secret QR code png Change-Id: I2d8d4ab1d3967a5c7ac720e09278443c0d098866	1 month ago
Rene Krenn	b0b646db5b	MT#53706 wire OTP secret validation - api, jwt Change-Id: I7f0205323811196eb0e319fcb2c888cf8a314f81	1 month ago
Rene Krenn	c0249eadbc	MT#53706 OTP generate_secret, verify_secret migrate RFC 6238 One-Time-Password (OTP) implementation Change-Id: Iffd50540037a1b502138e69be4ad7ef86aaee519	1 month ago
Rene Krenn	3c497cb52c	MT#62283 fix dbix "for update no lock" patch Change-Id: I51f2bf23c467c9919794548499ae13dd98430370	2 months ago
Rene Krenn	82af5cf518	MT#62283 "for update no lock" logic for GET /subscribers and /contracts to unblock the web UI on heavy loaded systems with call rating enabled, "select .. for update no lock" will no longer wait for acquiring locks when retrieving subscriber or contract contract pages. the contract_balance record creation is will be skipped for such contracts that are locked elsewhere. for rails such as /customerbalances, an explicit contract id row lock timeout is introduced, so it does not depend on the mariadb wait_timeout. Change-Id: I6e96342f3f761279a5876c871d2477977823a39e	2 months ago
Richard Fuchs	015ee893d9	MT#59979 defuse license logs A missing license is allowable on CE systems. Don't log errors if license is missing. Don't die if sysopen() fails. Change-Id: I00c8ecf361548da6452f1b631d308d9aa8901368	2 months ago
Rene Krenn	143bd0dba9	MT#62084 contract_id field for /api/topupcash and /api/topupvoucher so far the topup api rails had just a subscriber_id field. for the AUI migration a contract_id field is required. Change-Id: I2b53971ecd0abe06f7e0ff0e72b9bb83d12a4f6b	2 months ago
Kirill Solomko	d5fd8679fe	MT#62093 return 403 Banned for banned users * add banned user redirect for API requests * Urils/Auth move Redis composed keys into functions to increase consistency and avoid typos. Change-Id: I7a6f9b340ac53ffc2ee921410852e36a49587941	3 months ago
Kirill Solomko	9960cd152d	MT#62093 extend user ban keys in Redis * keys now have named fields separated by :: * admin keys now contain admin_id and reseller_id * subscriber keys now contain subscriber_id and reseller_id * this is to make it in line with API v2 implementation Change-Id: Ic32a173cad9b63e63e7754f02ac2649d142b099f	3 months ago
Richard Fuchs	b2b5600c16	MT#61630 invalidate rtpengine cached files Add class to make RPC calls to rtpengine. Add invokations to clear rtpengine audio cache where appropriate, whenever a file stored in DB is deleted or changed. Change-Id: I3660f9f67dfb0c68c1af80a5439982046be3b6f6	3 months ago
Richard Fuchs	1bcc6430a4	MT#61630 turn XMLDispatch into HTTPDispatcher Make the dispatcher content-type agnostic. Add wrapper class XMLDispatch so that existing code can remain unchanged. Extend serialised data in DB with method and content type. Make sure queued data from the DB remains compatible. Change-Id: I999ff715d6500e27ad60cdb3fa902117fa329c63	3 months ago
Rene Krenn	fc42ca7564	MT#59447 fix admin LDAP uri Change-Id: Ie9be0d5ea8428a8a96ebfbadb0d285f5082474b5	4 months ago
Kirill Solomko	1873193814	MT#61673 /api/calllists fix missing type response field * The 'type' field is now present in the reponse as it's described in the form and also the search params but was not rendered correctly because in the database it is as 'call_type' Change-Id: If7b69a33ed9578be6873462dbab79c9a2079b076	5 months ago
Rene Krenn	de0595c089	MT#59447 admin user LDAP authentication #1 Change-Id: Ic31236d933f022b567c74998959267ef9a549b7e	5 months ago
Rene Krenn	358139edee	MT#59447 admin user LDAP authentication Change-Id: I86005af30dee6285d80fe69f020f4a33cb23a608	5 months ago
Guillem Jover	bdbd12613c	MT#61459 Do not use Perl indirect object syntax This syntax is discouraged, and it is not enabled by default any longer starting with the 5.36 feature bundles. Stop using it so that we can eventually bump our minimum required Perl version. Fixes: Objects::ProhibitIndirectSyntax Warned-by: perlcritic Ref: https://metacpan.org/pod/feature#The-'indirect'-feature Change-Id: I3f89ce74908a896027efa825d90eab3d2e53b1ee	5 months ago
Rene Krenn	1c09e2773a	MT#60197 support deleting call recordings per subscriber admin panel will no longer delete callrecordings for all parties of the call, but the single subscriber only. rest-api, behaves the same way, if the ?subscriber_id= parameter is provided. when a callrecording is deleted by all call parties, the remaining records and recording files will be dropped. Change-Id: I61f667bdb074a935a8a04473a3685b10e5e09222	6 months ago
Marco Capetta	f9a328f83d	MT#61065 Fix 'cli' preference removal In commit `b51c0c9698` the possibility to change the 'cli' preference by subscriber and subscriber_admin was added (under certain limits). On the other hand, the additiona of that part of code broke the possibility to remove the preference using the PATCH api. It is a very uncommon scenario though, but it seems anyway used by some customer. We may think to deprecate this possibility one day, but till then we don't have to create regression to customer. Change-Id: Ie695b567929eb79b1ba63d3c5a31ae5ce7b559bd	7 months ago
Kirill Solomko	a3945269fc	MT#59449 fix perform_auth to send correct realm to ban check * perform_auth $realm is in a form of a subrealm, e.g. api_admin_http api_admin_jwt, etc. where for bans check it's 'admin' realm. Therefore, user_is_banned() is now called from there using explicit 'admin' realm as the argument. Change-Id: I3a10a9b492bf9dbe83ddd34a8851e83b23f90587	8 months ago
Kirill Solomko	bbd44f16fa	MT#60858 add /api/passwordchange endpoint * the new endpoint accepts new_password fields and enables for authenticated user a mechanism to quickly change their password * the global password validation rules are enabled * returns 204 No Content * if user's password is expired, the endpoint is the only accessible for the user to change the password and unlock other endpoints. * a few fixes in validate_password() to correctly fetch provisioning subscriber for password change scenarios and webpassword field Change-Id: I906fcfe5c780b850d322b46b445b54c054767673	8 months ago
Kirill Solomko	e09de1e781	MT#60558 invoke max subscribers/group license check only on POST * max subscribers/group license check is invoked only on POST to enable clients to modify existing entries even if the threshold is reached. Change-Id: I858b42ada5c95c179f901e43837b15358027011b	8 months ago
Kirill Solomko	46d297dec2	MT#60656 improve 403 Password Expired for expired passwords * 403 Password Expired is now correctly returned for POST /login_jwt when a password is expired, instead of returning the token. * 403 Password Expired is now correctly returned for API requests and redirect to /changepassword only happens for non API requests. * improve Utils::Auth::check_max_age() to accept also $auth_user and $ngcp_realm for cases (like /login_jwt) where there is an authenticated user but there is no $c->user. Change-Id: I302ad8654bdf16fe0882625fd6e9a8bba7a8ad42	8 months ago
Kirill Solomko	78dfb7f7d8	MT#60656 do not check max_age if user does not exist * prevent max age check if user does not exist (not logged in) and return 1 instead. Change-Id: I5d1af5f46eec6a3eea6df0d719a35d1fedb19b3e	9 months ago
Kirill Solomko	b041888807	MT#60656 add max_age password validation support * UI: password are now validated against $c->config->{security}{password}{web_max_age_days} (unless it's 0) and if the password is expired the user is redirected automatically to /changepassword page, and after successful password change back to the original page. * API: if password is expired all API requests will be returning 403 Forbidden "Password expired", except PUT/PATCH to /api/admins or /api/subscribers with the new password in place. * successful login on the UI now redirects to /dashboard instead of / (to prevent unintended redirect to v2) Change-Id: I075f8e17cc9b0658d6b3b3d526ca5b379d050ce4	9 months ago
Kirill Solomko	c7ae8c1dcf	MT#60300 fix sound sets list rendering for reseller * fix code typo that prevented correct rendering of the sound sets list for reseller roles Change-Id: I35ea38a37932b8dd563a0b95f7e2481a5c45cdbe	9 months ago
Kirill Solomko	c4c710e7dc	MT#60558 fix max_pbx_groups $c argument typo Change-Id: Id0c4d2078c98d20d236851e977439959624d1491	9 months ago
Kirill Solomko	e2e1776090	MT#60558 move max license checks for POST /api/subscribers * the relevant max license checkes are moved from Controller::API::Subscribers::POST to Utils::Subscribers::prepare_resource because there we fetch customer_id from the pilot subscriber in case of pbx subscriberadmin requests that is neccessary for PBX subscribers max license check. Change-Id: I2d1c212d73fe5b9295d1595b4fffebeb67b61e5a	9 months ago
Kirill Solomko	4a9a632da1	MT#59449 sub auth fix possible username without undef domain * perform_subscriber_auth(): check if domain is undefined and use only $user, otherwise $user . @ . $domain. Change-Id: I3d342fb2c4768c2b7b3e0c08ea41e429b83e9683	9 months ago
Kirill Solomko	2972d3b62d	MT#59449 add progressive user bans support * users are now progressively banned. * ban_min_time is used to ban a user for the first time. * consecutive ban is ban_min_time + ban_increment * ban_increment_stage * ban_max_time is the absolute maximum ban time that is not increased any further. * a successful login resets the ban_increment_stage. Change-Id: I4d7e1a93d7a21d21a0dcf69d856a872d2ed75ea0	9 months ago
Kirill Solomko	e6b29d3e7b	MT#59449 fix password validation enabled/disabled, admins * correctly detect and skip password validation when sip_validatation or web_validation is not enabled respectively * better detect web password for admin users * /api/admins PUT/PATCH now also correctly checks last used passwords Change-Id: I9a6fa9b8e30ae2b81d2852dec0e1f9d858be13ef	9 months ago
Kirill Solomko	cfe0a44b8d	MT#60585 add user ban by IP address, ban JWT invalid attempts * ban users by IP addresses * ban invalid JWT attempts Change-Id: I0c7746aa751ca96cba0ce4d1388646ba4890a422	9 months ago
Kirill Solomko	60fa23cb68	MT#60585 add user ban support * users for admin/subscriber realms are now banned if failed to login X amount of times (UI/API). * rework Redis connection and it's now a Catalyst plugin NGCP::Redis accessed by $c->redis_get_connection({database => 19}), the connection per database, per worker process is established only once and then reused (with auto built-in reconnect support). * remove Utils::Redis.pm as it does not have any code/logic anymore. * ban values are taken from $config->{security}{login} as - ban_enable: 1 - ban_expire_time: 3600 ban expire time in seconds - max_attempts: 5 * if max_attempts set to 0, the ban functionality is disabled as it requires to be at least 1 to work. * upon successful login or ban, the failed attempts counter is removed * the failed attempts counter is also removed automatically with the expire time equals "ban_expire_time" or otherwise 3600 seconds. * user bans are logged into panel.log * banned user receives exactly the same return page/codes as per invalid logic. Change-Id: I05cc68c623ee289488fc64f1af50527004dcaae1	9 months ago
Kirill Solomko	d9f283cbc8	MT#59449 enhance password validation and handling * passwords are now validated based on - minlen - maxlen - min lower case chars - min uppper case chars - min digits - min special chars * Data::Password::zxcvbn is used to calculate password score and reject passwords with score < 3 as weak (this library is ported from the Dropbox password validation) * Add password journals and check last used passwords in the journals * Improve password generator javascript function to generate a password with at least 4 of each of the char group types. * Currently affected are subcriber and admin entry creation or modification via UI/API * NGCP::Utils::Auth add optional bcrypt_cost support as last argument for generate_salted_hash and get_usr_salted_pass Change-Id: I100c25107d91741d5101bc58d29a3fa558b0b017	9 months ago
Kirill Solomko	43d112bd5e	MT#60558 add max subscribers/groups license checks * max_subscribers, max_pbx_subscribers, max_pbx_groups license checks are added for subscriber/group creation in UI/API * new accessor $c->license_meta that returns meta license flags hashref * new accessor $c->license_max_subscribers * new accessor $c->license_max_pbx_subscribers * new accessor $c->license_max_pbx_groups * the new accessors (except license_meta) return -1 instead of 'unlimited' to ease off comprarsion * 403 Forbidden is returned by the API if a license is violated. Change-Id: I3f5a949efc84bf85b76b33404b37b362ec484d5f	9 months ago
Kirill Solomko	9d021be65a	MT#59979 add license control * UI and API parts are now under license control * new Util::License::get_license($c, $name) - fetches license status by name (1 if enabled, and also if /proc/ngcp/check if 'ok') * add Catalyst::Plugins::NGCP::License with license($name) to fetch valid license by name from anywhere using $c->license('pbx') or from the templates using c.license('pbx'). It internally uses Util::License::get_license($c, $name) * License::get_license_status($c) now requires $c as first argument as well logs license status check errors. * new ActionRoles::License that enables usage of :Does(License) RequiresLicense('pbx') LicenseDetachTo('/denied_page') in the Controller chains * Add license control for UI elements and return 403 Forbidden if a resource is covered by licenses and the license is not active * Hide UI elements if a license is not active * API/Entities/Entities new $c->set_config key: - per endpoint: $c->set_config({ required_licenses => [qw/pbx device_provisioning/] } - or per method: $c->set_config({ required_licenses => { POST => [qw/pbx device_provisioning/] } } } * In case if an API endpoint does not have a license: 403 Forbidden "Invalid license" reply is returned. * Add license based restrictions to API endpoints * /api documentation: - completely hide endpoints that do not have an active license - hide only methods that does not have an active license Change-Id: Iba45fc5068b02306a617fed7b5405f2210574b61	9 months ago
Rene Krenn	9c103302c8	MT#60575 dynamically load provisioning templates module Change-Id: Ibff509825f82a75c9b0221505a1673d78b401989	9 months ago
Rene Krenn	0fd36ace55	MT#60520 prov templates: fix lookup of items item (contract, contact, subscriber) lookup will pick the first matching element (an arbitrary one if multiple are matching). ie. when lookup identifiers are too loose (f.ex. subscribers without domain in a multidomain setup) it might pick a wrong item - which is ok (supposed to bail out at a later step) unless that wrong item is a terminated one, causing to proceed checks on a terminated record (which can never happen from API or UI side since those hide terminated items), which produces a misleading 500 error in the end. we prevent this now by ensuring that looked up items are not terminated ones. even if the looked up items is not the desired one, becasue of an inaccurate template. Change-Id: I6691937c2e62b05915c7eac9980224abe2185b2c	9 months ago
Kirill Solomko	10a88cf669	MT#58964 /api/platforminfo add license_meta * new Utils::License::get_license_meta($c) to fetch license meta ({} by default) that contains license related metadata such as current and max amount of subcsribers and license valid until date. currently the following data is fetched from /proc/ngcp check current_calls current_pbx_groups current_pbx_subscribers current_registered_subscribers current_subscribers license_valid_until max_calls max_pbx_groups max_pbx_subscribers max_registered_subscribers max_subscribers valid * Controller::API::Root platforminfo now also returns license_meta Change-Id: I323cdfd646335a408e0150ecd69ad950fa0461ab	9 months ago
Kirill Solomko	522fd97020	MT#58964 /api/platforminfo add licenses info * NGCP::Utils::License new function get_licenses() that reads /proc/ngcp/flags/ and returns all files with content 1. * api/platforminfo.tt template now calls a stashed callback (coderef) that decodes provided json file, includes licenses and returns encoded the json back. * ngcp-panel.service changes # Files + directories not directly associated are made invisible in the /proc/ file system # ProcSubset=pid # Disabled: MT#58964, to be able to read /proc/ngcp/flags/ # Processes owned by other users are hidden from /proc/ # ProtectProc=invisible # Disabled: MT#58964, to be able to read /proc/ngcp/flags/ Change-Id: I84b6707a918e3f4f271e32b9353f320753c5ae68	10 months ago
Kirill Solomko	a46ef5b9e2	MT#60160 improve same primary number detection * consider as the "same number" if old/new primary numbers are empty (undefined in the database as if a primary number exists at least cc and sn are mandatory). * check for new primary number "cc" existence when preparing comparsion to the existing primary number, as some clients may send an object value with null cc+ac+sn. Change-Id: I810cda7d7aa07f2d7e46dbca099bc327ef7b4963	11 months ago
Rene Krenn	941c75ebe1	MT#59078 ?create_primary_acli= query param creating or updating subscriber (-aliases) will modify the allowedcli (acli) preference, if the auto_allow_cli config option is set. the primary number will also be part of the acli list. when specifying ?create_primary_acli=false or ?create_primary_acli=0, the primary alias will no longer be added to acli. Change-Id: I4641e2b973de2afe2e36805140b1546cac2a699a	12 months ago
Donat Zenichev	844a9e5920	MT#59011 Cleanup panel from the reference to "sip:localuser" An outdated and not used implementation for the "sip:localuser" in the ngcp-panel. Change-Id: I7c83bee0da07f7fafe7b1cb669a8c5080bc8565e	1 year ago
Marco Capetta	42f8747a6f	MT#59749 Add use_redirection flag to Call Forwards configuration This new flag controls wether the CF is processed as usual (flag with value 0, default) or generates a 302 redirect message back to the caller (flag with value 1). The implementation cover both the UI and the API. Change-Id: Idf945262e17de0d77bb612101d268fd6ea7a309e	1 year ago
Kirill Solomko	b2a1bc00d1	MT#59806 adapt /api/cfdestinationsets to Entities * Entites logic is used for GET/POST/PUT/PATCH/DELETE * Utils::CallForwards::check_destinations() do not obfuscate destinations that are returned in the response as all logged data is obfuscated anyways Change-Id: Ia79f9e236c966410e2640d719c3a7f5784cc4c2a	1 year ago
Kirill Solomko	9d598d4502	MT#59478 improve MSG, LOG log string data storing * $c->error array now contains the $message as the first element instead, so that it's possible to obtain all the error data in the code when fetching it from @{$c->error}. the first element is not logged in the error log. * api_response $c->response_body part is now stored in MSG= and possible errors / other log data is now stored in LOG= to: - reduce amount of log lines when an API error response occurs from 2 to 1 - the message part usually contains either HTTP response message (e.g. Internal Server Error) or a validation message string, so it belongs to the MSG= part of the log line, where as the internal log data is more related to the LOG= part - both MSG= and LOG= parts are escaped for GDPR related obfuscation * Utils::Messag::info(): $msg is now also obfuscated if it's detected as a reference (also because logging is moved for the API part to $msg), as well as truncated for possible new-line char and white-spaces. Change-Id: I3b670b2251ec3060037ed6863f18d95975120b8d	1 year ago
Rene Krenn	14e5b918b3	MT#59748 drop ngcp-provisioning-template test dbhost Change-Id: I7218ed36cff2f51f5a6f862f41e5da94ff0d464b	1 year ago
Kirill Solomko	205b27a267	MT#59478 API better transaction and error handling * Role/Entities: POST/PUT/PATCH/DELETE methods changes: - support deadlock detection and transaction retry (2 retry attempts at the moment) - improve transaction control, use local $guard instead of saving the ref to $c->stash, as in that case it went out of scope too late and also reported an error message into the log about abnormal $guard out of scope interruption - move all non transaction related code outside of the scope - add error handling when methods such as update_item, and a like do not return the expected data, instead of simply going out of scope and resulting in an uncontrolled reply Role/API: - rework transaction control: + get_transaction_control() is renamed to start_transaction() to better reflect what it does + complete_transaction() is renamed to commit_transaction() + remove unused %params arg + pass $guard into commit_transaction() instead of having it stored as $c->stash->{transaction_guard) that caused the $guard ref to be destroyed much late than expected (there was also a typo as transaction_quard, which is not relevant anymore with the changes + add check_deadlock() that is invoked when an exception is caught or an $c->errors contain an error, and if the error message represents a transaction error, the transaction block is re-invoked via "goto TX_START" - rework error(): + it now accepts args as following: ($self, $c, $code, $message, @errors) # code -> returned as HTTP code in the reply # message -> returned as HTTP message in the reply # errors -> contain errors for internal logging, last element often contains a DBIx exception + populates all @errors into $c->error so they are available on demend in the code via $c->error or $c->last_error + $c->log->error is not invoked now as the errors become printed in log_response() - log_response() now prints collected errors from $c->error correctly as a separate log line, that is alike to the other api logs so that those can be looked up by the request's tx_id, also all errors are now printed only into api.log * Adjust all $self->error() calls in catch($e) to include $e as the last argument, as well as the duplicate $c->log->error is removed from those ocassions * Remove all $c->log->error() calls as they are replaced with either $self->error() (that logs it correctly into api.log) or $c->error('err') that also adds it correctly into api.log * API::CallForwards: rework to use Entities/EntitiesItem * API::Contracts: rework POST to use Entities * API::PeeringGroups: rework POST to use Entities * API::SubscriberRegistrations: rework POST to use Entities * API::RewriteRuleSets: improve create_item() functionality * Utils/Message: add 'api_retry' log type * $c->session->{api_request_tx_id} is changed to $c->stash->{api_request_tx_id} because sometimes the session ref is different and a different tx_id becomes used Change-Id: I633ce7a8047b1bf00a2f6889003088edf0825dcd	1 year ago

1 2 3 4 5 ...

1072 Commits (master)