ngcp-panel

Commit Graph

Author	SHA1	Message	Date
Kirill Solomko	0a9fb5d28b	MT#59449 fix subscriber auth attempts without username * subscriber login attempts without Basic Auth are now correctly intercepted and returned as 403 Forbidden Change-Id: I3deb60d8ac4f107bccd6422d27426e39a39e50f1	9 months ago
Kirill Solomko	2972d3b62d	MT#59449 add progressive user bans support * users are now progressively banned. * ban_min_time is used to ban a user for the first time. * consecutive ban is ban_min_time + ban_increment * ban_increment_stage * ban_max_time is the absolute maximum ban time that is not increased any further. * a successful login resets the ban_increment_stage. Change-Id: I4d7e1a93d7a21d21a0dcf69d856a872d2ed75ea0	9 months ago
Kirill Solomko	cfe0a44b8d	MT#60585 add user ban by IP address, ban JWT invalid attempts * ban users by IP addresses * ban invalid JWT attempts Change-Id: I0c7746aa751ca96cba0ce4d1388646ba4890a422	9 months ago
Kirill Solomko	60fa23cb68	MT#60585 add user ban support * users for admin/subscriber realms are now banned if failed to login X amount of times (UI/API). * rework Redis connection and it's now a Catalyst plugin NGCP::Redis accessed by $c->redis_get_connection({database => 19}), the connection per database, per worker process is established only once and then reused (with auto built-in reconnect support). * remove Utils::Redis.pm as it does not have any code/logic anymore. * ban values are taken from $config->{security}{login} as - ban_enable: 1 - ban_expire_time: 3600 ban expire time in seconds - max_attempts: 5 * if max_attempts set to 0, the ban functionality is disabled as it requires to be at least 1 to work. * upon successful login or ban, the failed attempts counter is removed * the failed attempts counter is also removed automatically with the expire time equals "ban_expire_time" or otherwise 3600 seconds. * user bans are logged into panel.log * banned user receives exactly the same return page/codes as per invalid logic. Change-Id: I05cc68c623ee289488fc64f1af50527004dcaae1	9 months ago
Rene Krenn	65b5c62e48	TT#188950 ignore domain for subscriber authentication when ignore_auth_realm is "yes", it should no longer be required to provide the domain part for subscriber logins. Change-Id: I346f94278c9b0d9a598858c24d797b03217123d4	3 years ago
Kirill Solomko	6e5721c434	TT#186950 check db connection * 503 HTTP status code is returned if the main db connection is not available Change-Id: Iac2eebfb900ceb0f696264f29c7a27e46877ecaf	3 years ago
Kirill Solomko	1fe438294b	TT#154353 add JWT token renewal * /login_jwt now accepts "jwt" key with an existing valid JWT as the value * upon successful authentication with the token a new token with prolonged expiration time is issued for the authenticated user and returned in the JSON response * add "expires" value in the JSON response that contains a timestamp integer when the issued token expires * fix encode_json() calls formatting * most of JWT related error messages are now appear in the log as INFO instead of ERROR as they are not related to the system errors Change-Id: Ie8e04534c8819dc756b3c64ebc4432ce442a1d31	3 years ago
Rene Krenn	599dd0613b	TT#151751 fix plaintext sippassword no longer returned this fix addresses regression reported by dominik: * $resource{_password}/{_webpassword} cannot be set before the form validation as they are effectively removed by it, causing /api/susbcribers returning no passwords at all for 'subscriber' roles * Having them after the patch makes no sense either as next resource_from_item call will effectively remove them again (in PATCH) (cherry picked from commit `5e9066c4fb`) Change-Id: I88c9ec40843f1e9a6983952b96c0b0e70fbb1bb1	3 years ago
Kirill Solomko	81ebdb8dcf	Revert "TT#151751 refactor persisting subscriber webpassword" This reverts commit `5e9066c4fb`. This implementation breaks: * $resource{_password}/{_webpassword} cannot be set before the form validation as they are effectively removed by it, causing /api/susbcribers returning no passwords at all for 'subscriber' roles * Having them after the patch makes no sense either as next resource_from_item call will effectively remove them again (in PATCH) Change-Id: I0e8389e8ab34ad72f1b87a684daba77f1030f8ba	3 years ago
Rene Krenn	5e9066c4fb	TT#151751 refactor persisting subscriber webpassword a multitude of issues popped after introducing bcrypted webpasswords in the database. most recently the PATCH /api/susbcribers rail was reported to reset the webpassword unintentionally. subscriber login fails afterwards, which is a severe issue. the bugs are adressed by this refactorings. the change also introduces a global variable $NGCP::Panel::Utils::Auth::ENCRYPT_SUBSCRIBER_WEBPASSWORDS to control encrypting webpasswords. it is still enabled as of now, but it's worth to consider disabling it. there other ways to have a "cost" for an authentication request, eg. adding a simple sleep(1sec). Change-Id: I2d47d54a2d83568546ffdd2b211337a5f56be3a2	3 years ago
Oleksandr Duts	ad6467561f	TT#149650 UI language handling * Change UI language workaround. Priority: 1. Parameter "lang". 2. Cookie "ngcp_panel_lang". 3. Default english - "i-default". * Add parameter "lang_save" - save the "lang" value at "ngcp_panel_lang" cookie. Change-Id: I0abc9e3ab564ba56d2e3f9b0dee47d32c27e0049	4 years ago
Oleksandr Duts	ddb7412d85	TT#134102 API language handling * Fix for language solving for API requests. Changed the sequence of language choosing: 1. Request parameter "lang" for API and UI. 2. Cookie value "ngcp_panel_lang" for UI only. 3. User agent/browser language for API and UI. Change-Id: Id5d814deead22eb7e2908fdc742b0c8474314d49	4 years ago
Alexander Lutay	3cc01922e7	TT#142402 Improve 'framed' session behaviour when users are using v1 and v2 in parallel The modern browsers (except Safari) supports 'Sec-Fetch-Dest': https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest In theory we can remove the current 'framed session' storage completely, but Safari will not be supported. Let's expand the current logic to provide extra protection here to backport the commit to mr9.5+. Change-Id: I9c070f77f427c81581f4d9ceeb1a57b274d77819	4 years ago
Kirill Solomko	cc10506b2e	TT#129162 fix subscriber webpassword field validation * 'webpassword' field is now also validated for invalid (non-ascii) characters * Fix multiple APP input field validation erros to comma joined. * Adjust 'webpassword' field validation errors to have better readability when there are multiple validation errors Change-Id: I21536f97a4da78cc5192a3abd8cd5adef1b819ec	4 years ago
Kirill Solomko	1cdae0b1e0	TT#125902 add Login CSC v2 support * Login CSC v2 button is shown on the subscriber's master data page if www_admin.http_csc.csc_js_enable == 1 or 2 * When the login is triggered an auth token is generated internally followed by a redirect to CSC as /?a=auth_token * move generate_auth_token() into Utils/Auth * improve generate_auth_token() arguments support * add /api/authtokens error handling Change-Id: Idd65400bf8ce6ce48979c736f6a199fb567ffaa4	4 years ago
Alexander Lutay	12c2911fe4	TT#130659 Improve path debug output in panel-debug.log It is much more usable to see the debug information as URLs: > Jul 22 08:24:53 sp1 ngcp-panel: DEBUG: * New GET request on path: / > Jul 22 08:24:53 sp1 ngcp-panel: DEBUG: * New GET request on path: /subscriber > Jul 22 08:24:53 sp1 ngcp-panel: DEBUG: * New GET request on path: /subscriber/ajax Instead of Catalyst oriented way: > Jul 22 08:24:53 sp1 ngcp-panel: DEBUG: * New GET request on path: > Jul 22 08:24:53 sp1 ngcp-panel: DEBUG: * New GET request on path: subscriber > Jul 22 08:24:53 sp1 ngcp-panel: DEBUG: * New GET request on path: subscriber/ajax Change-Id: I38699152e232c5f5aa2ef218db9bf61c692bbf33	4 years ago
Alexander Lutay	6fbf99e461	TT#130659 Improve debug log layout (common style, removing plus/star markers) It was close to impossible to read ngcp-panel debug log due to: * missing clear marker of the start reuqest processing, use '**' once only some personal markers (like '+++++++') have been removed as they have no meaning for other developers. Let's remove the personal markers and work to make the panel debug log well readable for all developers. Change-Id: I69faff3ab2258fc156e88c7b8da0edfef14c3e6e	4 years ago
Alexander Lutay	6263f167e2	TT#130659 Stop calling systemd openvpn status twice on every HTTP request The ngcp-panel<=>openvpn functionality has never been finished but on every HTTP requset ngcp-panel was asking systemd about openvpn status. Twice! From /var/log/ngcp/panel-debug.log : > Jul 19 09:36:32 sp1 ngcp-panel: DEBUG: Path: dashboard > Jul 19 09:36:32 sp1 ngcp-panel: DEBUG: systemctl list-unit-files openvpn.service > Jul 19 09:36:32 sp1 ngcp-panel: DEBUG: systemctl is-enabled openvpn@ovpn > ... > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: Path: dashboard/ajax/peering_sum > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: systemctl list-unit-files openvpn.service > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: systemctl is-enabled openvpn@ovpn > ... > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: Path: dashboard/ajax/emergency_mode > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: systemctl list-unit-files openvpn.service > Jul 19 09:36:33 sp1 ngcp-panel: DEBUG: systemctl is-enabled openvpn@ovpn It is unnecessary load, moreover for not-yet finished feature. Let's move openvpn WIP functionality into 'NGCP Support Status' page and finish it there one day. The goal of this commit is to stop DOS'ing systemd. Change-Id: I6c9ba9e1b218e58b5adffe741f4490b3729d17e7	4 years ago
Kirill Solomko	fc9c71a88e	TT#130203 unify admin and subscriber JWT tokens * /login_jwt is now the only endpoint to issue JWT tokens * JWT token admin/subscriber is provided based on the NGCP_REALM/NGCP_API_REALM fcgi env values (e.g.: https://localhost:1443/login_jwt = admin JWT token and https://localhost/login_jwt = subscriber JWT token) * Authorization: Bearer a= prefix is deprecated * Clients cannot use subscriber JWT token to access admin NGCP_API_REALM https://localhost:1443/api/... and vice-versa Change-Id: I46edf4c7aaf7bb835dc4ac6b7535aa2d6b5ac136	4 years ago
Kirill Solomko	53408c2e94	TT#130750 do not pack() jwt secret * the extra packing of the secret key during encode/decode conflicts with the API v2 implementation * move JWT "typ" from the payload to the header Change-Id: Ica5822d810d6eaf7b3ae017f7037f25637b6f861	4 years ago
Kirill Solomko	a4bf25a43d	TT#130203 add typ=JWT into the JWT payload * the 'typ' key is required for API v2 to accept the JWT Change-Id: I184a8acfeab6c66617ccaf0a46a28771f68bfa8f	4 years ago
Flaviu Mates	9b422ddabf	TT#126601 Implement /api/authtokens endpoint * the endpoint will receive "type" (expires\|onetime) and "expires" (positive integer representing seconds) * type will define the expiray method for the token; onetime: the token expires as soon as it's used, or after "expires" seconds if not used expires: the token can be used multiple times until it expires according to the "expires" param value * login_jwt endpoint for generating the JWT token for subscribers has been enhanced to accept the "token" param, containing the token generated using the /api/authtokens endpoint * admin_login_jwt endpoint for generating the JWT token for admins has been enhanced to accept the "token" param, containing the token generated using the /api/authtokens endpoint * login_jwt and amin_login_jwt will respond with 403 "Forbidden" if the token role stored in Redis does not match the role of the user that generated it * /api/authtokens is hidden from documentation for now Change-Id: I4eb76c2b08f2e24774fa84ba0ccf7412ce8670e8	4 years ago
Kirill Solomko	407490c101	TT#129162 respect framed setting for root default Change-Id: Ibced32326b213ba2d8cce90cc5d915e464b56027	4 years ago
Kirill Solomko	f4597b6ed7	TT#129162 add bcrypt password characters check Change-Id: I08723d02a7e4bc042351444b201d1f96cc986af3	4 years ago
Kirill Solomko	20e77c7b54	TT#129162 tighten user access checks * add additional centralised checks for inactive and read_only users. * use_userdata_from_session=0 now for all auth realms to cause the data re-fetched from the database, to avoid scenarios when a user is set as inactive or read_only and UI keeps using the cached data. the change only affects cookie and JWT subscriber based sessions as in all other cases, the auth data is fetched from the storage regardless. * add is_active=1 flag for the internal 'system' role, as otherwise access would be permanently denied for it. * default 403 error for denied api requests is changed to "Forbidden" instead of "Forbidden path". Change-Id: I1d6d3c765ca8e017e11845c1f5260243a3963c3b	4 years ago
Rene Krenn	40c4ade6ea	TT#118802 log raw perl catalyst request time (cherry picked from commit 05f2f1137d6d3ce1deb1880eb1427b94e409c691) Change-Id: I6bda815d2ccf2800a0a352c0d44aaee8039ee8d5	4 years ago
Kirill Solomko	85c7d7c071	TT#123550 add /api/platforminfo virtual endpoint * /api/platforminfo does not have its own endpoint file and therefore, does not appear in the rendered documentation. it only supports GET method and renders the template file. the endpoint is designed to provide with the prerendered JSON data containing the current platform configuration. * /api/platforminfo supports both authenticated and anonymous requests, where based on that, the template provides with the corresponding info withing the current scope. Change-Id: Idc8138595eda2c14e7f8dc7ed97cc50039fd1adc	4 years ago
Alexander Lutay	131e79fba6	TT#88903 Reset 'framed' session state if user open v1 as URL in browser If user is typing URL directly in the browser window, the request has no 'referer' header and we should reset the 'framed' session state to prevent corrupted 'framed=1' output which confuses endusers a lot. Change-Id: I8f381daec80dfd95fab6ecbaecfa66438f5d53f0	4 years ago
Alexander Lutay	a7d718cc28	TT#113765 AUI: Remove v1_auth from v1->v2 URL It is no longer necessary there (c) Hans-Peter. Change-Id: I7cbb3e18d2f82eec24f9ba4355a3192c7cbf5477	4 years ago
Flaviu Mates	654bb1aabe	TT#92550 - Implement /api/passwordrecovery * The new endpoint will only accept POSTs * The request body should have two parameters called 'new_password' and 'token' * First, look for the token in redis (for admins), if not found, look for it in DB (for subscribers), if neither is found, return Change-Id: I4163a0d5bd886961317b21aeca20c8ccfdeab0dd	5 years ago
Flaviu Mates	be14a9242e	TT#84337 - Implement /api/passwordreset * The new endpoint will only accept POSTs * The request body should have two parameters called 'type', 'username' and 'domain' * 'type' will accept either 'administrator', in which case only 'username' is needed, or 'subscriber', in which case 'username' and 'domain' will be needed * The regular password reset email will be sent to either the admin or the subscriber Change-Id: If1457c8c625a95295e5e93b6637927e3905698d9	5 years ago
Hans-Peter Herzog	0ce823b822	TT#88512 Fix redirection in order to login v2 automatically Change-Id: I153c8f9e8c23fff393628b327652251016bde7d7	5 years ago
Flaviu Mates	adcfc4f775	TT#88209 - Create ajax_logout endpoint * this endpoint will be used to logout from v1 automatically when logging out of v2 * allow unauthenticated acces to it Change-Id: Ia40cb624f618ef0b0cada8f22dc2cc68f234af53	5 years ago
Flaviu Mates	4aac77b2af	TT#87801 - Remember previous page when switching to new admin UI Change-Id: Id6ef7b631b90669ae7aa14f68d8f6f51c1113e60	5 years ago
Flaviu Mates	0b10a86e9b	TT#80301 - Implement login_to_v2 endpoint * The endpoint generates a jwt token and stores it in Redis, then redirects to /v2/#/?v1_auth={token} * Also added an id in DOM to indentify the Panel V1 login page Change-Id: I307a3f457f88bbba04bb7735d60fa51bdc5d0438	5 years ago
Kirill Solomko	7862a87639	TT#76111 add lintercept role * new c.users.role 'lintercept', that set to when an admin user has enabled 'lawful_intercept' flag * only Administrator page /api/admins and /api/interceptions are available for the role * 'lintercept' role can only see own user and only change password and email Change-Id: Iadcb022a124afbd77b224e734026f380af0170e8	5 years ago
Flaviu Mates	9907936d47	TT#76108 - Implement password reset mechanism for admins * Introduce endopint '/resetpassword' for asking for password reset using admin username * Create form for introducing username * Create url with unique token pointing to '/recoverpassword' where admin user can introduce new password and email said url to admin's email address * Create form for setting new password * Store username and unique token in Redis expiring in 5 minutes to store password reset attempt and identify it when user accesses url in email * Limit admin access to be able to only change own password due to new password reset possibility as requested in TT#76110 Change-Id: Ie3acb961444398afa5b2fdc85e3ca8ceccf9244a	5 years ago
Flaviu Mates	d31797c674	TT#81185 - Return only body when parameter 'framed' is sent * Remove headers, menu, site title and footer if parameter 'framed' is sent * Persist 'framed' in the session once it's sent and only restore header/footer once 'framed' is sent again with the value 0 Change-Id: Ie1dcc698b901ea3c659a05391ffcdc882113ef13	5 years ago
Kirill Solomko	cf51166170	TT#80550 enable admin jwt token for the whole UI * add admin_jwt realm * admin JWT tokens are now used to access all non /api content Change-Id: I711d6419f0b624b02b53876a8c9171ab638b5d09 (cherry picked from commit dc4d9ec84b5b1199f17631e9e1f9a39ab1996807)	5 years ago
Flaviu Mates	707067d40d	TT#80305 - Change Utils::Admin to Utils::Auth * Utils::Admin was renamed to Utils::Auth in the commit that introduced support for bcrypted subscribers webpasswords Change-Id: I61a90bb135f218e9a0854e9ccdda9e83ffd4ba83	5 years ago
Andreas Granig	8f8e1d5fc9	TT#78557 - Use bcrypt to hash webpassword * Change the way webpassword is handled accross NGCP Panel UI/API to comply with new password encryption * At login, if password is not encrypted with high cost due to the ngcp-bcrypt-webpassword script, encrypt it with proper cost * Accept old password format as well until all webpasswords are encrypted Change-Id: Iefa9584a62ab4b7d2a224d10bdd415e9cbb8dfb5	5 years ago
Kirill Solomko	ac7c50332a	TT#80550 enable admin JWT auth for ajax requests * non-API requests with "ajax" in the path can now be authenticated with the admin JWT token Change-Id: Ide7f092b62cf36deb5a2e99599fbfaac0b751747	5 years ago
Kirill Solomko	2c8a11029a	TT#80305 add JWT authentication for admin users * /admin_login_jwt now returns a JWT token for admin users and also the JWT token is supported in the authorization process for the admin requests Change-Id: I987640d46bd8a339a959a6b2efb65b6dce06bf8c	5 years ago
Guillem Jover	467084705d	TT#71950 Fix typos Warned-by: codespell Change-Id: If7e52bf2fbf013586e802e5ebb77a272599d9c38	5 years ago
Kirill Solomko	ce664263b2	TT#65101 add ccareadmin ccare roles * ccareadmin and ccare roles have full access to Customers, Subscribers and their preferences/settings, and read-only access to BillingProfiles,InvoceTemplates, EmailTemplates * ccare role is restricted to the related reseller Change-Id: I6cf7d3adf912f0fa98d1ef5c02abea2f4331ec4b	6 years ago
Rene Krenn	f20d419335	TT#60116 accept leading / in cert DN Change-Id: If28150102607222e00f94b8476f1c116a00821e4	6 years ago
Rene Krenn	e237a479ce	TT#60116 don't gdpr-quote cert DN in logs Change-Id: Ie0c4602684a7a9c3c0b150e2bed526e4677b7753	6 years ago
Rene Krenn	cae5270af5	TT#56340 panel logline obfuscation adds gdpr obfuscation quoting for: + subscriber numbers + subscriber ip addresses + subscriber usernames + any logmessage "DATA": query parameters, form data, response data + subscriber uuid's + call id's + callforward sip uri's the quoting is centralized by $c->qs() ("quote sensitive"), using catalyst plugin mechanism. escape symbols are set to « (\x{ab}) and » (\x{bb}). generate_logfile_data_inventory.pl was modified to mark loglines with "gdpr affected" status, if $c->qs() was used in a log message. Change-Id: I0f42d7992594232ae33e5666b0a64009211c5b76	6 years ago
Rene Krenn	76b88062a1	TT#56411 honor use_session => 0 for bcrypt auth Revert "Revert "TT#56411 honor use_session => 0 for bcrypt auth WIP"" This reverts commit `1cfc524f80`. Change-Id: I7eb0842bd61a4aaddbe50206fb974110ead8efb6	6 years ago
Rene Krenn	1cfc524f80	Revert "TT#56411 honor use_session => 0 for bcrypt auth WIP" This reverts commit `4789f6b61f`. Change-Id: I6b514443afe9e2a8dbc1ae4a527a38fd3fc1d1c6	6 years ago

1 2 3

138 Commits (a2a01d4690e8962fdf2c069563a4ce81a290c956)