* regular subscribers should not be able to use POST as they are
not allowed to create other subscribers, nor other PBX groups.
resource.
* they should not be able to use DELETE as they cannot delete themselves
nor other subscribers, nor PBX groups.
Change-Id: Idaacb344b65ff8c5da9f4c3649a9b4089938a82c
* passwords are now validated based on
- minlen
- maxlen
- min lower case chars
- min uppper case chars
- min digits
- min special chars
* Data::Password::zxcvbn is used to calculate
password score and reject passwords with score < 3 as weak
(this library is ported from the Dropbox password validation)
* Add password journals and check last used passwords in the journals
* Improve password generator javascript function to generate a password
with at least 4 of each of the char group types.
* Currently affected are subcriber and admin entry creation or
modification via UI/API
* NGCP::Utils::Auth add optional bcrypt_cost support as last argument
for generate_salted_hash and get_usr_salted_pass
Change-Id: I100c25107d91741d5101bc58d29a3fa558b0b017
* webpassword field was unconditionally deleted
in API GET and DELETE methods, it now relies
on resource_from_item for the common approach
Change-Id: I703158fd2022b49a49470db28cb22f37e613f841
* PATCH: password fields are not removed when
resource is created for apply_patch(), they
are removed under the same condititions later
when hal is generated, that is to ensure that
admin users without the 'show_passwords' flag
as well as subscribers will not run into situation
when they use PATCH and cannot apply it for
"path": "/password" or/and "path": "/webpassword",
as they were removed before apply_patch()
* rework encrypted webpassword detection.
webpasword is detected as encrypted if its length
is 54 or 56 and it contains at least one '$' char,
there is a chance for false positive detection when
a user provides with a plain-text password with the
same pattern but it's very unlikely, as well as
since mr8.5 webpasswords are expected to be encrypted,
and moreover worth case scenario is that the
plain-text password will not be returned to the user
Change-Id: I8ea739cbf728b2134f3ce00cee29da42ab3fb4a3
* Change the way webpassword is handled accross
NGCP Panel UI/API to comply with new password
encryption
* At login, if password is not encrypted with
high cost due to the ngcp-bcrypt-webpassword
script, encrypt it with proper cost
* Accept old password format as well until all
webpasswords are encrypted
Change-Id: Iefa9584a62ab4b7d2a224d10bdd415e9cbb8dfb5
when there are other subscribers
* Deleting the pilot subscriber and then editing
other subscribers would result in error, as
details from the pilot are needed
* Added code to makde the deletion of the PBX
pilot subscriber impossible if there are
other subscribers
Change-Id: I46da3e0e3726a8b9e3811fd879869988aa01adff
* ccareadmin and ccare roles have full access to
Customers, Subscribers and their preferences/settings,
and read-only access to BillingProfiles,InvoceTemplates,
EmailTemplates
* ccare role is restricted to the related reseller
Change-Id: I6cf7d3adf912f0fa98d1ef5c02abea2f4331ec4b
with the previous commit, there is no need anymore to specify form
exceptions manually. validate_form will now automatically consider fields
in the correct format with and without "_id"
Change-Id: I70afae4003c6407c7a37396630110736f1fb13f8
This patch reuses existing forms by clearing them, rather than
re-instantiating them again and again.
Also, panel start time should be better due to less package
pre-loading.
Change-Id: Ia3e64fd4b4084bb5ec35a669c5840c9fc3c58f2e
* Implement r/o access to /api/customers for subadmin
* Implement r/o access to /api/subscribers for subs
* Implement create access to /api/subscribers for subadmins
* Implement /api/numbers to re-assign a number
* Implement CF endpoints access for subs
* Implement new test framework to simplify testing
* Fix updating number by using Utils to make sure allowed_clis etc
are handled correctly
* Install missing docker dependencies for new test framework
* Add edr handling on /api/numbers/xx update
Change-Id: I678da16cfb1361b2809780cba8c204ac90bb1736
the factory Catalyst::ActionRole::HTTPMethods action role
is set for any action, and in race with our own
NGCP::Panel::Role::HTTPMethods. the testcase could have
been misleading ever since, as it uses DELETE /api/customers,
which was present when implemting the method override initially,
but dropped on the road to 4.5.
the issue is resolved by overriding
Catalyst::Controller::gather_default_action_roles.
until the class hierachy refactoring is completed, only
consistent way is to add the override to each api controller.
the action_roles config attribute can therefore be
removed.
using Plack::Middleware::MethodOverride as an alternative from
upstream has the drawback to work only with POST. but a required
usecase is to also support translation DELETE requests to PATCH.
Change-Id: I204ba59869a8327bdd5db8a867fbbb061d1c9e7c
which implies, among others, strict and warnings. these should never
be omitted and are one of the most frequent complaints of perlcritic
currently.
as a result TryCatch can be removed (imported by Sipwise::Base).
also, "no Moose" is removed (has no effect).
Change-Id: I901b6a9f0f6d426f62b73e68f2c5ad6365c1eeef
Switch from the discouraged base module to the light-weight parent module.
Also remove some surrounding BEGIN blocks from 'use parent' which are
completely unnecessary.
Change-Id: I3a669e8024f098819be45030ca9d1afa8756105c
-enhanced test detail: did not detect missing CRUD operations yet
-query param 'operation' didn't work for 'recent' yournal entry of all API resources so far
-fix of several copy paste errors in existing rest api code
-...
Change-Id: I71b54212d8126b0280fcad2e568fad52a673cbf0
the journal module introduces a change history of
resources modified by api invocations. the history of
the 'customer' resource demo is accessible at
/api/customers/x/journal.
Change-Id: I4d5d11bc3e35160feed587ce4c1db565991866b2
- let custom roles "derive" from main api role
- have an item_rs in each role
- call search logic after each item_rs call automatically
- render search query doc dynamically
Cleanup unnecessary realms.
Use roles instead of realms for authz.
HTTP basic auth for api access.
Use admin/reseller roles instead of api_admin/api_reseller.
Fix API::Root invalid_user detaching.
Kirill Solomko
Flaviu Mates
Andreas Granig
Alexander Lutay
Irina Peshinskaya
Gerhard Jungwirth
Rene Krenn
Guillem Jover