ngcp-panel

Commit Graph

Author	SHA1	Message	Date
Alexander Lutay	6263f167e2	TT#130659 Stop calling systemd openvpn status twice on every HTTP request The ngcp-panel<=>openvpn functionality has never been finished but on every HTTP requset ngcp-panel was asking systemd about openvpn status. Twice! From /var/log/ngcp/panel-debug.log : > Jul 19 09:36:32 sp1 ngcp-panel: DEBUG: Path: dashboard > Jul 19 09:36:32 sp1 ngcp-panel: DEBUG: systemctl list-unit-files openvpn.service > Jul 19 09:36:32 sp1 ngcp-panel: DEBUG: systemctl is-enabled openvpn@ovpn > ... > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: Path: dashboard/ajax/peering_sum > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: systemctl list-unit-files openvpn.service > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: systemctl is-enabled openvpn@ovpn > ... > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: Path: dashboard/ajax/emergency_mode > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: systemctl list-unit-files openvpn.service > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: systemctl is-enabled openvpn@ovpn It is unnecessary load, moreover for not-yet finished feature. Let's move openvpn WIP functionality into 'NGCP Support Status' page and finish it there one day. The goal of this commit is to stop DOS'ing systemd. Change-Id: I6c9ba9e1b218e58b5adffe741f4490b3729d17e7	4 years ago
Kirill Solomko	fc9c71a88e	TT#130203 unify admin and subscriber JWT tokens * /login_jwt is now the only endpoint to issue JWT tokens * JWT token admin/subscriber is provided based on the NGCP_REALM/NGCP_API_REALM fcgi env values (e.g.: https://localhost:1443/login_jwt = admin JWT token and https://localhost/login_jwt = subscriber JWT token) * Authorization: Bearer a= prefix is deprecated * Clients cannot use subscriber JWT token to access admin NGCP_API_REALM https://localhost:1443/api/... and vice-versa Change-Id: I46edf4c7aaf7bb835dc4ac6b7535aa2d6b5ac136	4 years ago
Kirill Solomko	53408c2e94	TT#130750 do not pack() jwt secret * the extra packing of the secret key during encode/decode conflicts with the API v2 implementation * move JWT "typ" from the payload to the header Change-Id: Ica5822d810d6eaf7b3ae017f7037f25637b6f861	4 years ago
Kirill Solomko	a4bf25a43d	TT#130203 add typ=JWT into the JWT payload * the 'typ' key is required for API v2 to accept the JWT Change-Id: I184a8acfeab6c66617ccaf0a46a28771f68bfa8f	4 years ago
Flaviu Mates	9b422ddabf	TT#126601 Implement /api/authtokens endpoint * the endpoint will receive "type" (expires\|onetime) and "expires" (positive integer representing seconds) * type will define the expiray method for the token; onetime: the token expires as soon as it's used, or after "expires" seconds if not used expires: the token can be used multiple times until it expires according to the "expires" param value * login_jwt endpoint for generating the JWT token for subscribers has been enhanced to accept the "token" param, containing the token generated using the /api/authtokens endpoint * admin_login_jwt endpoint for generating the JWT token for admins has been enhanced to accept the "token" param, containing the token generated using the /api/authtokens endpoint * login_jwt and amin_login_jwt will respond with 403 "Forbidden" if the token role stored in Redis does not match the role of the user that generated it * /api/authtokens is hidden from documentation for now Change-Id: I4eb76c2b08f2e24774fa84ba0ccf7412ce8670e8	4 years ago
Kirill Solomko	407490c101	TT#129162 respect framed setting for root default Change-Id: Ibced32326b213ba2d8cce90cc5d915e464b56027	4 years ago
Kirill Solomko	f4597b6ed7	TT#129162 add bcrypt password characters check Change-Id: I08723d02a7e4bc042351444b201d1f96cc986af3	4 years ago
Kirill Solomko	20e77c7b54	TT#129162 tighten user access checks * add additional centralised checks for inactive and read_only users. * use_userdata_from_session=0 now for all auth realms to cause the data re-fetched from the database, to avoid scenarios when a user is set as inactive or read_only and UI keeps using the cached data. the change only affects cookie and JWT subscriber based sessions as in all other cases, the auth data is fetched from the storage regardless. * add is_active=1 flag for the internal 'system' role, as otherwise access would be permanently denied for it. * default 403 error for denied api requests is changed to "Forbidden" instead of "Forbidden path". Change-Id: I1d6d3c765ca8e017e11845c1f5260243a3963c3b	4 years ago
Rene Krenn	40c4ade6ea	TT#118802 log raw perl catalyst request time (cherry picked from commit 05f2f1137d6d3ce1deb1880eb1427b94e409c691) Change-Id: I6bda815d2ccf2800a0a352c0d44aaee8039ee8d5	4 years ago
Kirill Solomko	85c7d7c071	TT#123550 add /api/platforminfo virtual endpoint * /api/platforminfo does not have its own endpoint file and therefore, does not appear in the rendered documentation. it only supports GET method and renders the template file. the endpoint is designed to provide with the prerendered JSON data containing the current platform configuration. * /api/platforminfo supports both authenticated and anonymous requests, where based on that, the template provides with the corresponding info withing the current scope. Change-Id: Idc8138595eda2c14e7f8dc7ed97cc50039fd1adc	4 years ago
Alexander Lutay	131e79fba6	TT#88903 Reset 'framed' session state if user open v1 as URL in browser If user is typing URL directly in the browser window, the request has no 'referer' header and we should reset the 'framed' session state to prevent corrupted 'framed=1' output which confuses endusers a lot. Change-Id: I8f381daec80dfd95fab6ecbaecfa66438f5d53f0	4 years ago
Alexander Lutay	a7d718cc28	TT#113765 AUI: Remove v1_auth from v1->v2 URL It is no longer necessary there (c) Hans-Peter. Change-Id: I7cbb3e18d2f82eec24f9ba4355a3192c7cbf5477	4 years ago
Flaviu Mates	654bb1aabe	TT#92550 - Implement /api/passwordrecovery * The new endpoint will only accept POSTs * The request body should have two parameters called 'new_password' and 'token' * First, look for the token in redis (for admins), if not found, look for it in DB (for subscribers), if neither is found, return Change-Id: I4163a0d5bd886961317b21aeca20c8ccfdeab0dd	5 years ago
Flaviu Mates	be14a9242e	TT#84337 - Implement /api/passwordreset * The new endpoint will only accept POSTs * The request body should have two parameters called 'type', 'username' and 'domain' * 'type' will accept either 'administrator', in which case only 'username' is needed, or 'subscriber', in which case 'username' and 'domain' will be needed * The regular password reset email will be sent to either the admin or the subscriber Change-Id: If1457c8c625a95295e5e93b6637927e3905698d9	5 years ago
Hans-Peter Herzog	0ce823b822	TT#88512 Fix redirection in order to login v2 automatically Change-Id: I153c8f9e8c23fff393628b327652251016bde7d7	5 years ago
Flaviu Mates	adcfc4f775	TT#88209 - Create ajax_logout endpoint * this endpoint will be used to logout from v1 automatically when logging out of v2 * allow unauthenticated acces to it Change-Id: Ia40cb624f618ef0b0cada8f22dc2cc68f234af53	5 years ago
Flaviu Mates	4aac77b2af	TT#87801 - Remember previous page when switching to new admin UI Change-Id: Id6ef7b631b90669ae7aa14f68d8f6f51c1113e60	5 years ago
Flaviu Mates	0b10a86e9b	TT#80301 - Implement login_to_v2 endpoint * The endpoint generates a jwt token and stores it in Redis, then redirects to /v2/#/?v1_auth={token} * Also added an id in DOM to indentify the Panel V1 login page Change-Id: I307a3f457f88bbba04bb7735d60fa51bdc5d0438	5 years ago
Kirill Solomko	7862a87639	TT#76111 add lintercept role * new c.users.role 'lintercept', that set to when an admin user has enabled 'lawful_intercept' flag * only Administrator page /api/admins and /api/interceptions are available for the role * 'lintercept' role can only see own user and only change password and email Change-Id: Iadcb022a124afbd77b224e734026f380af0170e8	5 years ago
Flaviu Mates	9907936d47	TT#76108 - Implement password reset mechanism for admins * Introduce endopint '/resetpassword' for asking for password reset using admin username * Create form for introducing username * Create url with unique token pointing to '/recoverpassword' where admin user can introduce new password and email said url to admin's email address * Create form for setting new password * Store username and unique token in Redis expiring in 5 minutes to store password reset attempt and identify it when user accesses url in email * Limit admin access to be able to only change own password due to new password reset possibility as requested in TT#76110 Change-Id: Ie3acb961444398afa5b2fdc85e3ca8ceccf9244a	5 years ago
Flaviu Mates	d31797c674	TT#81185 - Return only body when parameter 'framed' is sent * Remove headers, menu, site title and footer if parameter 'framed' is sent * Persist 'framed' in the session once it's sent and only restore header/footer once 'framed' is sent again with the value 0 Change-Id: Ie1dcc698b901ea3c659a05391ffcdc882113ef13	5 years ago
Kirill Solomko	cf51166170	TT#80550 enable admin jwt token for the whole UI * add admin_jwt realm * admin JWT tokens are now used to access all non /api content Change-Id: I711d6419f0b624b02b53876a8c9171ab638b5d09 (cherry picked from commit dc4d9ec84b5b1199f17631e9e1f9a39ab1996807)	5 years ago
Flaviu Mates	707067d40d	TT#80305 - Change Utils::Admin to Utils::Auth * Utils::Admin was renamed to Utils::Auth in the commit that introduced support for bcrypted subscribers webpasswords Change-Id: I61a90bb135f218e9a0854e9ccdda9e83ffd4ba83	5 years ago
Andreas Granig	8f8e1d5fc9	TT#78557 - Use bcrypt to hash webpassword * Change the way webpassword is handled accross NGCP Panel UI/API to comply with new password encryption * At login, if password is not encrypted with high cost due to the ngcp-bcrypt-webpassword script, encrypt it with proper cost * Accept old password format as well until all webpasswords are encrypted Change-Id: Iefa9584a62ab4b7d2a224d10bdd415e9cbb8dfb5	5 years ago
Kirill Solomko	ac7c50332a	TT#80550 enable admin JWT auth for ajax requests * non-API requests with "ajax" in the path can now be authenticated with the admin JWT token Change-Id: Ide7f092b62cf36deb5a2e99599fbfaac0b751747	5 years ago
Kirill Solomko	2c8a11029a	TT#80305 add JWT authentication for admin users * /admin_login_jwt now returns a JWT token for admin users and also the JWT token is supported in the authorization process for the admin requests Change-Id: I987640d46bd8a339a959a6b2efb65b6dce06bf8c	5 years ago
Guillem Jover	467084705d	TT#71950 Fix typos Warned-by: codespell Change-Id: If7e52bf2fbf013586e802e5ebb77a272599d9c38	5 years ago
Kirill Solomko	ce664263b2	TT#65101 add ccareadmin ccare roles * ccareadmin and ccare roles have full access to Customers, Subscribers and their preferences/settings, and read-only access to BillingProfiles,InvoceTemplates, EmailTemplates * ccare role is restricted to the related reseller Change-Id: I6cf7d3adf912f0fa98d1ef5c02abea2f4331ec4b	6 years ago
Rene Krenn	f20d419335	TT#60116 accept leading / in cert DN Change-Id: If28150102607222e00f94b8476f1c116a00821e4	6 years ago
Rene Krenn	e237a479ce	TT#60116 don't gdpr-quote cert DN in logs Change-Id: Ie0c4602684a7a9c3c0b150e2bed526e4677b7753	6 years ago
Rene Krenn	cae5270af5	TT#56340 panel logline obfuscation adds gdpr obfuscation quoting for: + subscriber numbers + subscriber ip addresses + subscriber usernames + any logmessage "DATA": query parameters, form data, response data + subscriber uuid's + call id's + callforward sip uri's the quoting is centralized by $c->qs() ("quote sensitive"), using catalyst plugin mechanism. escape symbols are set to « (\x{ab}) and » (\x{bb}). generate_logfile_data_inventory.pl was modified to mark loglines with "gdpr affected" status, if $c->qs() was used in a log message. Change-Id: I0f42d7992594232ae33e5666b0a64009211c5b76	6 years ago
Rene Krenn	76b88062a1	TT#56411 honor use_session => 0 for bcrypt auth Revert "Revert "TT#56411 honor use_session => 0 for bcrypt auth WIP"" This reverts commit `1cfc524f80`. Change-Id: I7eb0842bd61a4aaddbe50206fb974110ead8efb6	6 years ago
Rene Krenn	1cfc524f80	Revert "TT#56411 honor use_session => 0 for bcrypt auth WIP" This reverts commit `4789f6b61f`. Change-Id: I6b514443afe9e2a8dbc1ae4a527a38fd3fc1d1c6	6 years ago
Rene Krenn	4789f6b61f	TT#56411 honor use_session => 0 for bcrypt auth WIP Change-Id: I549c4e6fc18b7cb738e99b3a6e254a47db3af0cf	6 years ago
Irina Peshinskaya	86a2ae7cad	TT#50907 Don't use form caching in WEB UI Change-Id: I10a7d3f9ace3928a2918d0f16dfeabd2a0aa720b	6 years ago
Irina Peshinskaya	335a09bc8d	TT#49552 Use Log::Log4perl->warn instead of waning Change-Id: I5a4dd2df8a87604d40750f232f88b20a08d501dd (cherry picked from commit 2b9b53e1d4e34213896c58955ad059586c392617)	6 years ago
Irina Peshinskaya	b27e4c5b87	TT#46856 Add openvpn toggle from admin panel Change-Id: I128e49117bd211edc44e2bf286c80cfc5a677b6a	6 years ago
Rene Krenn	29a8ca6918	TT#43654 datatable rowcount clipping to prevent long-running count query in case of mio. of items, it is done on a limited set, ie. select count(1) from (select id from cdr where .. limit 1000) the method determines if there are more than eg. 1000 rows, in which case the UI datatable will simply render a "+" "Showing 1 to 5 of 1000+ records" it is only enabled for the topical call history datatable for now. Change-Id: I1ca6d22c69784f20ec39c74e3db989c43f1a6918	7 years ago
Gerhard Jungwirth	f916bdcf3f	TT#37104 fix Subroutines::ProhibitBuiltinHomonyms perlcritic error to fix sipwise TAP tests. Change-Id: I622eb8063694a0056d55796001ff35242b0ea847	7 years ago
Gerhard Jungwirth	2b89431cca	TT#36404 restructure form-translation translate forms in NGCP::Panel::Form (the caching module) instead of in the templates. This gives us better control to avoid translating cached forms multiple times. Multiple translations lead to errors due to escaping of special symbols and simply fails from one (non-english) language to another. Change-Id: I234b22cb70dc068530e4a9f241cb9bb5653e1959	7 years ago
Gerhard Jungwirth	001474fd7f	TT#34800 inflate/deflate DateTime for timestamps inflate/deflate DateTime for simple (complete) timestamps considering the correct timezone at the latest possible point in the action chains: on form-level as well as in the DataTables json output. Change-Id: Icfe94d6d5a9ac02d9fca0f4b8d048d86cf66cffa	7 years ago
Gerhard Jungwirth	38aa85d065	TT#32986 remove remaining parts of kibana Change-Id: I06a4f316f9319ba64ba4bf8d9c282912c140c9f2	7 years ago
Gerhard Jungwirth	cbf8fd68f1	TT#21112 remove Moose from some modules some simple refactorings, the Formhandler Fields are mostly cosmetic Change-Id: I71fe5540a326e53d8bbf769c0f2f85540df71b58	8 years ago
Andreas Granig	0d3bf6b1ce	TT#22827 Implement form factory This patch reuses existing forms by clearing them, rather than re-instantiating them again and again. Also, panel start time should be better due to less package pre-loading. Change-Id: Ia3e64fd4b4084bb5ec35a669c5840c9fc3c58f2e	8 years ago
Andreas Granig	a52558b411	TT#22422 Implement capabilities endpoint Used to fetch whether pbx, faxserver, rtcengine etc is enabled. * Fix rtcengine reseller creation: - Refuse to create reseller if rtcengine part fails - Use proper auto-generated rtcengine values (pass, domain) to not fail on reseller names which are not forming valid hostnames. * Implement /api/admins/id to support testing - add test - fix creating admins with overly long login - fix various ACL bugs handling /api/admins/ - fix creating /api/admincerts/ as r/o user * Fix test framework - use proper client cert when switching API user Change-Id: I602fdd8181c0b3f23e76e3eab0df90a1ff9e986f (cherry picked from commit 0d376bd8b59db65296090d26f2c84d704129beef)	8 years ago
Andreas Granig	dc0bd38e73	TT#4333 Fix CF issues for subscribers * Fix syntax errors and internal errors * Pass set ids back in mappings * Allow updates of mappings both via name and ids Change-Id: I26fdfe96d67563c11040a6c1e87f13a835bb793f	8 years ago
Gerhard Jungwirth	ba3548d825	TT#16003 implement JWT auth - read key from specific config file - key is hex encoded + fix: add libcryptx-perl as dependency (actually dep of libcrypt-jwt-perl) + fix: typo in perl (comma instead of assignment) + fix: chomp any preceeding newlines from jwt_secret Change-Id: I6c6bd4dc0d7fa7fa43868afb13b4d8d838d90564	8 years ago
Andreas Granig	5918c162e1	TT#12601 API must implement bcrypt auth/migration Not only the web login must support bcrypt auth, but also the API access. Change-Id: Iee7c5b7a073000e797725919a5752f9eaf77c958	8 years ago
Andreas Granig	e458985238	TT#1678 Implement SOAP Intercept API as transition Until all LI vendors have migrated to REST later this year, re-introduce a SOAP API for interceptions. Change-Id: Ie8ef28e745b9f240547c3b6eb99fae4871287308	8 years ago
Gerhard Jungwirth	6a23a76f8d	TT#2370 add internal interface for incoming sms Change-Id: I8e994e9bde930e2756b7492afcb7760181fac858	9 years ago

1 2 3

121 Commits (6263f167e2c4ab2897af888c20e963db48a2427a)