* passwords are now validated based on
- minlen
- maxlen
- min lower case chars
- min upper case chars
- min digits
- min special chars
* Data::Password::zxcvbn is used to calculate
password score and reject passwords with score < 3 as weak
(this library is ported from the Dropbox password validation)
* Add password journals and check last used passwords in the journals
* Improve password generator javascript function to generate a password
with at least 4 of each of the char group types.
* Currently affected are subscriber and admin entry creation or
modification via UI/API
* NGCP::Utils::Auth add optional bcrypt_cost support as last argument
for generate_salted_hash and get_usr_salted_pass
Change-Id: I100c25107d91741d5101bc58d29a3fa558b0b017
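An added example (not code from the ngcp-panel project) of the policy the commit above describes: structural rules, an optional strength score with the same "score < 3 is weak" cut-off, and a journal of previous passwords. The policy numbers are constructed, and stdlib PBKDF2 stands in for the bcrypt hashing used by the project.

```python
import hashlib
import hmac
import os

# Constructed policy values: the commit lists these knobs but not their defaults.
POLICY = {"minlen": 12, "maxlen": 64, "min_lower": 1, "min_upper": 1,
          "min_digits": 1, "min_special": 1, "journal_size": 5}

def validate_password(pw, policy=POLICY):
    """Return the names of the violated rules; an empty list means accepted."""
    errors = []
    if len(pw) < policy["minlen"]:
        errors.append("minlen")
    if len(pw) > policy["maxlen"]:
        errors.append("maxlen")
    counts = {"min_lower": sum(c.islower() for c in pw),
              "min_upper": sum(c.isupper() for c in pw),
              "min_digits": sum(c.isdigit() for c in pw),
              "min_special": sum(not c.isalnum() for c in pw)}
    errors += [rule for rule, n in counts.items() if n < policy[rule]]
    return errors

def _hash(pw, salt):
    # Stand-in for the bcrypt hashing the page refers to: stdlib PBKDF2, so the
    # journal stores only salted hashes and never the plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

class PasswordJournal:
    """Keeps the last N salted hashes of a user's passwords to block reuse."""
    def __init__(self, size):
        self.size, self.entries = size, []

    def contains(self, pw):
        return any(hmac.compare_digest(_hash(pw, s), h) for s, h in self.entries)

    def add(self, pw):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(pw, salt)))
        self.entries = self.entries[-self.size:]   # oldest entry rolls off

def check_new_password(pw, journal, policy=POLICY, score=None):
    """Full check: structural rules, optional strength score (< 3 is weak,
    as with the zxcvbn score on the page), and the reuse journal."""
    errors = validate_password(pw, policy)
    if score is not None and score < 3:
        errors.append("weak")
    if journal.contains(pw):
        errors.append("reused")
    return errors
```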
* UI and API parts are now under license control
* new Util::License::get_license($c, $name)
- fetches license status by name (1 if enabled, and also if
/proc/ngcp/check is 'ok')
* add Catalyst::Plugins::NGCP::License with license($name)
to fetch valid license by name from anywhere using
$c->license('pbx') or from the templates using c.license('pbx').
It internally uses Util::License::get_license($c, $name)
* License::get_license_status($c) now requires $c as first argument
as well as logs license status check errors.
* new ActionRoles::License that enables usage of
:Does(License) RequiresLicense('pbx') LicenseDetachTo('/denied_page')
in the Controller chains
* Add license control for UI elements and return 403 Forbidden
if a resource is covered by licenses and the license is not active
* Hide UI elements if a license is not active
* API/Entities/Entities new $c->set_config key:
- per endpoint:
    $c->set_config({
        required_licenses => [qw/pbx device_provisioning/]
    });
- or per method:
    $c->set_config({
        required_licenses => {
            POST => [qw/pbx device_provisioning/]
        }
    });
* In case an API endpoint does not have a license, a
403 Forbidden "Invalid license" reply is returned.
* Add license based restrictions to API endpoints
* /api documentation:
- completely hide endpoints that do not have an active license
- hide only methods that do not have an active license
Change-Id: Iba45fc5068b02306a617fed7b5405f2210574b61
This new flag controls whether the CF is processed as usual
(flag with value 0, default) or generates a 302 redirect message
back to the caller (flag with value 1).
The implementation covers both the UI and the API.
Change-Id: Idf945262e17de0d77bb612101d268fd6ea7a309e
* NCOS Levels and NCOS Sets now have expose_to_customer
option (boolean). If enabled, the NCOS Level/Set can
be seen and used by Customers in their and their subscribers'
preferences
* NCOS Levels and NCOS Sets with expose_to_customer = 0 (default)
are not visible anymore to subscribers.
* API GET /api/ncoslevels is now accessible by 'subscriberadmin' role
and returns a list of NCOS Levels that belong to the same reseller
and with expose_to_customer = 1 (fields are limited to
id,name,description).
* When an NCOS Level's expose_to_customer is set from 1 to 0, all
assigned ncos preferences for contracts and subscribers that
contain the NCOS Level are removed.
Change-Id: Id7c444b4a0834939a128179ded6670705258519b
From the very origin of the AA module the link used in panel
to create/edit the AA slots was '/preferences/speeddial/edit'.
This is wrong and most probably coming from a copy and paste of
the speeddial feature.
The commit fixes the link, which is now changed to the following:
'/preferences/autoattendant/edit'.
Change-Id: I095b433cad78fb0175b0551fcfdea85815f73cdf
* $c->user->id was wrongly used in the advanced cfs selection and
now changed to $prov_subscriber->id to filter it regardless of the
user editing the cfs
Change-Id: I8fa65bbce625d4b21dbb620a1f92919ed7fe2a88
* sound sets can now use other sound sets as parents, in this
case if a sound is missing for a sound set, it's taken from
the parent one if it exists there, chained parents are also
supported with the available sound files "accumulated" across
them.
* add "expose_to_customer" field to sound sets, it enables exposing
system sound sets to customers so they can be used as a parent or
assigned to the 'sound_set' preference by 'subscriberadmin'.
* add "use_parent" field to sound set files, it's true by default
(for existing or missing sound files) and if set to 0, then parents
are not used for this particular sound file.
* use_parent column is hidden on the UI if a sound set does not have a
parent assigned
* improve sound set handles list on the UI
- Upload is renamed to Add
- empty records are shown in the filename column as localised "(empty)"
and Edit/Delete action buttons
* API /api/soundsets new 'parent_id' field, default null
* API /api/soundfiles new 'use_parent' field, default 1
* API /api/soundsets new 'expose_to_customer' field, default 0
* API /api/soundsets customer_id field now contains the customer id
for 'subscriberadmin' role and 'null' if it's a system sound set
* system sound sets with expose_to_customer == 1 and within the same
reseller are now visible to 'subscriberadmin' on the UI and via the
API in read-only mode, same with the sound files that belong to the
sound set. If a system sound set expose_to_customer is set back to 0,
this sound set is automatically removed from all contract sound sets
where it was assigned as a parent as well as from all subscriber
'sound_set' preferences.
* contract_sound_set|sound_set preference API updates now have tighter
checks for contract_id and also if the system sound set is exposed
to the customer and belongs to the same reseller
Change-Id: I4908fd15e9c224d4c30794ceb8dae1b444bbf56a
* API: GET collection returns only distinct cf sets
* UI: inherited cf sets are now shown in the advanced view
and have the suffix '(inherited)' to distinguish them from the
own ones as they are not available in the "Manage Sets" edit
dialog.
Change-Id: Ifd8c1a46fcb4c2c66f8f63268a1e91b80792c216
* as_admin param is no longer needed as get_usr_preference()
fetches the actually set preference for a subscriber and is used
only by the code (not exposed directly to the 'subscriber',
'subscriberadmin' roles)
* with the aforementioned, get_usr_preference() no longer
filters by expose_to_customer, expose_to_subscriber for
'subscriber' and 'subscriberadmin' roles
* refactor get_usr_preferences() to be simple and in line
with the other get_*_preferences() as it's mainly responsible
for fetching the preference as requested by the internal
code
Change-Id: Ia52d8f4ebfd854901bf446e29fb475dea1fba866
* fix customer_view role name typo so that it's correctly limited
to the 'subscriberadmin' role
* revert behaviour of get_usr_preference_rs() to return undef if
no preference is found (no access)
* get_usr_preference_rs() now also fetches all internal preferences
for internal work for 'subscriber' and 'subscriberadmin' roles but
they remain invisible for them and not accessible for direct changes
(only when requested by internal logic)
* new get_usr_preference_rs() 'as_admin' parameter that enables
for internal requests to return the preference value for
'subscriberadmin' and 'subscriber' roles, currently used to
show 'lock' status and 'display_name', which are otherwise
inaccessible as those preferences do not have expose_to_customer,
expose_to_subscriber flags
* fix api_prference_defs() correct filtering of preferences for
'subscriber' and 'subscriberadmin' roles
Change-Id: I1a0e51ace1c649f9061deaccb7d6e9f8459f0ed8
* expose_to_subscriber is a new preferences flag that
indicates that the preference can be read/modified by
'subscriber' role
* expose_to_customer now only does the same as expose_to_subscriber
but for 'subscriberadmin' role
* get_usr_preference() now expects $params{$c} to be passed as an argument
* fix update_voicemail_number() behaviour, it correctly updates number
for subscribers of a subscriberadmin as well as no longer fails
with an error if echo_voicemail_number or cli are not available
(not set or not visible)
Change-Id: I95fade92efb541146e9e56ba4f517af79fa71b5a
the search field of admin-panel datatables was tuned/configured
over time to allow fastest possible search, "as-you-type".
for large tables it will e.g. only include indexed columns, which
never was transparent to the users.
the UI will now display tooltip texts with detailed hints about
included columns, wildcard support, etc.
Change-Id: I737732a55003d50068236bb0150a2f47d06deaf5
* rtcengine related logic and apps is now removed
* remove /api/rtcapps endpoint
* remove /api/rtcnetworks endpoint
* remove rtcengine relations from resellers such as
enable_rtc flags
* remove rtcengine related API tests
* remove rtcengine and comx related libraries
* remove csc webphone ui app
* remove webrtc related selenium tests
* remove rtcengine flags from /api/capabilities
Change-Id: I83a4b0457fac2e0df23d267f8dbc82841dfb3001
for deployments that expose panel/csc via a proxy,
the auto-generated base url printed in emails can
be unreachable. we therefore introduce the option
to explicitly specify a base url to use.
it will support a sprintf pattern with individual
params, e.g.:
- protocol scheme
- domain part
- port
- base url path
Change-Id: I6a9ca23126c669d249ef7f3e092cae0161235ebe
* Call forwardings related internal usr preferences are now
distinct per call forward type (maximum 1 record per call
forward type, if at least one forwarding for this type exists).
This change is meant to address the issue when there are >1000
call forwardings per subscriber, which leads to performance
issues. Other components (kamailio) only use this preference
as a boolean to check if there are call forwardings at all per
type, therefore, more than one preference, per type, per subscriber
is not needed.
Change-Id: Iffa475700a74f56eff67400ce9b57092018a14a0
* The successful password recovery redirects to https://<host>/ which is translated to /#/login on CSC page.
Change-Id: If4e7ae510396e3852319c7e5c9d4915fdd214e95
* 'location' field is now optional, if not filled in it will always
default to an empty string instead of null. This is required for the
new mode 'forward' that has no use for this field. If the field
is empty in any other mode like 'add' or 'replace', the entry
will be skipped by the logic.
Change-Id: Ia964c3bb272c9772c51b836ac2418ee4cd7b7f42
WHAT: This fix allows the options: (a) Voicemail greeting "temp", and (b) Voicemail greeting "greet" to be displayed within Subscriber Preferences -> "Voicemail and Voicebox" on Admin Panel (Perl-based). Hence, an Admin can load 'greet' and 'temp' prompts via Admin Panel, similarly as 'unavail' and 'busy' options.
WHY: 'greet' and 'temp' options were added to be managed via API, but they were not available on Admin Panel.
Change-Id: Ie2d18f4d9a8e8369f3bbcb8593848ce6ee4b7d32
this fix addresses regression reported by dominik:
* $resource{_password}/{_webpassword} cannot be set before the
form validation as they are effectively removed by it,
causing /api/subscribers returning no passwords at
all for 'subscriber' roles
* Having them after the patch makes no sense either as next
resource_from_item call will effectively remove them again (in PATCH)
(cherry picked from commit 5e9066c4fb)
Change-Id: I88c9ec40843f1e9a6983952b96c0b0e70fbb1bb1
This reverts commit 5e9066c4fb.
This implementation breaks:
* $resource{_password}/{_webpassword} cannot be set before the
form validation as they are effectively removed by it,
causing /api/subscribers returning no passwords at
all for 'subscriber' roles
* Having them after the patch makes no sense either as next
resource_from_item call will effectively remove them again (in PATCH)
Change-Id: I0e8389e8ab34ad72f1b87a684daba77f1030f8ba
a multitude of issues popped up after introducing bcrypted
webpasswords in the database. most recently the PATCH /api/subscribers
rail was reported to reset the webpassword unintentionally.
subscriber login fails afterwards, which is a severe issue.
the bugs are addressed by these refactorings. the change also
introduces a global variable
$NGCP::Panel::Utils::Auth::ENCRYPT_SUBSCRIBER_WEBPASSWORDS
to control encrypting webpasswords. it is still enabled as of now,
but it's worth considering disabling it. there are other ways to have
a "cost" for an authentication request, e.g. adding a simple
sleep(1sec).
Change-Id: I2d47d54a2d83568546ffdd2b211337a5f56be3a2
query refactoring and rowcount clipping for UI datatables
that are slow when using millions of subscribers:
- contacts
- customers
- contracts
- subscribers
- billing profiles
- billing networks
- billing profile packages
Change-Id: Ia50e3aa52684772548569b6908f0cbc08395a5a7
* vmnotify() now accepts cli and uuid arguments
* API handling of voicemails is now improved to:
- send a notify if the item's INBOX/Old has been changed
- correctly process DELETE to send vmnotify after the
item's removal
Change-Id: Ic00ae825cf091bce273e55aa37cd0a7ac80d8b0f
We need to add an improvement, which fulfills the work of the
registration mechanism for SIP peerings.
Not only do we add here a registration triggering for peerings,
but also a 'type' is introduced, which is mostly needed for XMLRPC
commands being sent towards SEMS, to let it understand to whom the $sid is related.
Plus a list of improvements:
- de-register peering host on deletion ;
- de-register peering host on disable / register of peering host on enable ;
Change-Id: I035dfadf6709acb4d106a70f6124f024e719044f
* Login CSC v2 button is shown on the subscriber's master
data page if www_admin.http_csc.csc_js_enable == 1 or 2
* When the login is triggered an auth token
is generated internally followed by a redirect to
CSC as /?a=auth_token
* move generate_auth_token() into Utils/Auth
* improve generate_auth_token() arguments support
* add /api/authtokens error handling
Change-Id: Idd65400bf8ce6ce48979c736f6a199fb567ffaa4
* upon pressing the button, a new session object
with selected subscriber's details will be inserted
in Redis, and also a new ngcp-panel_subscriber
cookie will be created containing the session id
of the previously created session object; then
the user will be redirected to CSC v1 address
where the selected subscriber will be authenticated
based on the cookie and Redis info
* the new button will be available for admin,
reseller, ccare and ccareadmin roles
Change-Id: I03952efe4abe18e61884859c466d700a7885ead4
The fix has been created by Gerhard Jungwirth three years ago for
branch 'mr5.5' and was not merged into branch 'master'.
It is a follow-up master commit to address customer ticket TT#82306.
The cherry-pick has been done AS IS, with one small trivial resolution:
> + my $is_pbx_customer = $c->stash->{billing_mapping}->product->class eq "pbxaccount";
> my $base_number;
>
> ++<<<<<<< HEAD
> + if($subscriber->contract->product->class eq "pbxaccount") {
> ++=======
> + if($is_pbx_customer) {
> ++>>>>>>> 239d4a385... TT#44168 create additional form for subadmin non-pbx subscriber edit
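Review bot: the resolution keeps `if($is_pbx_customer)`, which takes the product class from `$c->stash->{billing_mapping}->product->class`, while the HEAD side read it from `$subscriber->contract->product->class`; confirm that the stashed billing mapping always belongs to the subscriber being edited on this page, otherwise the two conditions can diverge for the same subscriber.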
Change-Id: Ie242c4ad44fc21319cdaa29dcca423fe241aab20
(cherry picked from commit 239d4a3859)
* deleting a registration would fail when the domain
of the registrations would not exist due to the
fact that multidomain is not enabled
Change-Id: If512c0c9ce6c8f7a72deaa5b6a8ebe6737404f2a
* Create upload and content type form fields for 'blob'
type preferences
* Implement blob preference upload/download to database
* Show blob content in read only text area if content
is text
Change-Id: Ic4b800f84324eab0aadbf8eeb55c03c770ecc94f
* Limit subscriber's extension to a predefined
customer extension range preference (both AP and api)
Change-Id: I0b6ac5c24b3838f07cc561e7ee6b7cfabe69385e
* Registration entries are now removed by
registration username + registration domain
instead of subscriber username + subscriber domain.
That is to account for registrations by the device.
Change-Id: I86a0d97fabc2dcd0eda6042a018ed35f64c3f031
* if there are no more *enabled* CFT left after editing
callforwards (simple/advanced) or if CFT is deleted,
the ringtimeout has to be removed.
Change-Id: Icfa2fb1db281a5a5b4b2edce28ad7b0d69ddf47c
* Change the way webpassword is handled across
NGCP Panel UI/API to comply with new password
encryption
* At login, if password is not encrypted with
high cost due to the ngcp-bcrypt-webpassword
script, encrypt it with proper cost
* Accept old password format as well until all
webpasswords are encrypted
Change-Id: Iefa9584a62ab4b7d2a224d10bdd415e9cbb8dfb5