feature(auth): check restrictions may be end with last

when the last field is enabled, no more restrictions are checked issue #916

feature(auth): check restrictions may be end with last
when the last field is enabled, no more restrictions are checked issue #916
235966c8 · Francesc Guasch · 39458184 · 235966c8 · 235966c8 · 235966c8
Commit 235966c8 authored Nov 06, 2018 by Francesc Guasch
--- a/lib/Ravada/Auth/User.pm
+++ b/lib/Ravada/Auth/User.pm
@@ -324,17 +324,17 @@ sub _load_allowed {

    return if !$self->external_auth || $self->external_auth ne 'ldap';

-    my $ldap_entry = $self->ldap_entry;
-
-    my $sth = $$CONNECTOR->dbh->prepare(
-        "SELECT id_domain, attribute, value, allowed "
-        ." FROM access_ldap_attribute"
-    );
-    $sth->execute();
-    while ( my ($id_domain, $attribute, $value, $allowed) = $sth->fetchrow) {
-        if ($ldap_entry && defined $ldap_entry->get_value($attribute)
-                && $ldap_entry->get_value($attribute) eq $value ) {
-            $self->{_allowed}->{$id_domain} = $allowed;
+    for my $id_domain ( @domains ) {
+        my $sth = $$CONNECTOR->dbh->prepare(
+            "SELECT attribute, value, allowed, last "
+            ." FROM access_ldap_attribute"
+            ." WHERE id_domain=?"
+            ." ORDER BY n_order "
+        );
+        $sth->execute($id_domain);
+
+        my ($n_allowed, $n_denied) = ( 0,0 );
+        while ( my ($attribute, $value, $allowed, $last) = $sth->fetchrow) {
            $n_allowed++ if $allowed;
            $n_denied++ if !$allowed;

@@ -347,7 +347,7 @@ sub _load_allowed {

                $self->{_allowed}->{$id_domain} = $allowed;

-                last if !$allowed;
+                last if !$allowed || $last;
            }
        }
        $sth->finish;

--- a/lib/Ravada/Domain.pm
+++ b/lib/Ravada/Domain.pm
@@ -3022,18 +3022,20 @@ Example:

 =cut

-sub allow_ldap_access($self, $attribute, $value, $allowed=1 ) {
+sub allow_ldap_access($self, $attribute, $value, $allowed=1, $last=0 ) {
    my $sth = $$CONNECTOR->dbh->prepare(
-        "SELECT * from access_ldap_attribute"
+        "SELECT max(n_order) from access_ldap_attribute"
        ." WHERE id_domain = ? "
-        ." ORDER BY n_order"
    );
    $sth->execute($self->id);
-    my @list;
-    while (my $row = $sth->fetchrow_hashref) {
-        push @list,($row) if keys %$row;
-    }
-    return @list;
+    my ($n_order) = ($sth->fetchrow or 0);
+    $sth->finish;
+
+    $sth = $$CONNECTOR->dbh->prepare(
+        "INSERT INTO access_ldap_attribute "
+        ."(id_domain, attribute, value, allowed, n_order, last) "
+        ."VALUES(?,?,?,?,?,?)");
+    $sth->execute($self->id, $attribute, $value, $allowed, $n_order+1, $last);
 }

 #TODO: check something has been deleted
@@ -3053,6 +3055,7 @@ sub list_ldap_access($self) {
    $sth->execute($self->id);
    my @list;
    while (my $row = $sth->fetchrow_hashref) {
+        $row->{last} = 1 if !$row->{allowed} && !$row->{last};
        push @list,($row) if keys %$row;
    }
    return @list;
@@ -3123,9 +3126,10 @@ sub move_ldap_access($self, $id_access, $position) {
    $self->_set_access_order($id_access2, $n_order);
 }

-sub set_ldap_access($self, $id_access, $allowed) {
-    my $sth = $$CONNECTOR->dbh->prepare("UPDATE access_ldap_attribute SET allowed=?"
+sub set_ldap_access($self, $id_access, $allowed, $last) {
+    my $sth = $$CONNECTOR->dbh->prepare("UPDATE access_ldap_attribute "
+        ." SET allowed=?, last=?"
        ." WHERE id=?");
-    $sth->execute($allowed, $id_access);
+    $sth->execute($allowed, $last, $id_access);
 }
 1;
--- a/public/js/ravada.js
+++ b/public/js/ravada.js
@@ -344,7 +344,8 @@
          };
          $scope.add_ldap_access = function() {
              $http.get('/add_ldap_access/'+$scope.showmachine.id+'/'+$scope.ldap_attribute+'/'
-                            +$scope.ldap_attribute_value+"/"+$scope.ldap_attribute_allowed)
+                            +$scope.ldap_attribute_value+"/"+$scope.ldap_attribute_allowed
+                            +'/'+$scope.ldap_attribute_last)
                    .then(function(response) {
                        $scope.init_ldap_access();
                    });
@@ -361,8 +362,9 @@
                        $scope.init_ldap_access();
                    });
          };
-          $scope.set_ldap_access = function(id_access, allowed) {
-              $http.get('/set_ldap_access/'+$scope.showmachine.id+'/'+id_access+'/'+allowed)
+          $scope.set_ldap_access = function(id_access, allowed, last) {
+              $http.get('/set_ldap_access/'+$scope.showmachine.id+'/'+id_access+'/'+allowed
+                        +'/'+last)
                    .then(function(response) {
                        $scope.init_ldap_access();
                    });

--- a/rvd_front.pl
+++ b/rvd_front.pl
@@ -671,7 +671,7 @@ get '/count_ldap_entries/(#attribute)/(#value)' => sub {
    return $c->render(json => { entries => scalar @entries });
 };

-get '/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)' => sub {
+get '/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)/(#last)' => sub {
    my $c = shift;

    return _access_denied($c) if !$USER->is_admin;
@@ -685,8 +685,13 @@ get '/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)' => sub {
    if ($c->stash('allowed') eq 'false') {
        $allowed = 0;
    }
+    my $last = 1;
+    if ($c->stash('last') eq 'false') {
+        $last = 0;
+    }
+    $last = 1 if !$allowed;

-    eval { $domain->allow_ldap_access($attribute => $value, $allowed ) };
+    eval { $domain->allow_ldap_access($attribute => $value, $allowed, $last ) };
    _fix_default_ldap_access($c, $domain, $allowed) if !$@;
    return $c->render(json => { error => $@ }) if $@;
    return $c->render(json => { ok => 1 });
@@ -753,7 +758,7 @@ get '/move_ldap_access/(#id_domain)/(#id_access)/(#count)' => sub {
    return $c->render(json => { ok => 1});
 };

-get '/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)' => sub {
+get '/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)/(#last)' => sub {
    my $c = shift;

    return _access_denied($c) if !$USER->is_admin;
@@ -767,8 +772,15 @@ get '/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)' => sub {
    } else {
        $allowed = 1;
    }
+    my $last= $c->stash('last');
+    if ($last=~ /false/ || !$last) {
+        $last= 0;
+    } else {
+        $last= 1;
+    }
+    warn "last = $last";

-    $domain->set_ldap_access($c->stash('id_access'), $allowed);
+    $domain->set_ldap_access($c->stash('id_access'), $allowed, $last);
    return $c->render(json => { ok => 1});
 };
 ##############################################

--- a/sql/mysql/access_ldap_attribute.sql
+++ b/sql/mysql/access_ldap_attribute.sql
@@ -4,7 +4,8 @@ CREATE TABLE `access_ldap_attribute` (
  `attribute` varchar(64),
  `value` varchar(64),
  `allowed` int not null default 1,
-  PRIMARY KEY (`id`),
-  UNIQUE KEY `id_base` (`id_domain`,`attribute`,`value`)
+  `n_order` int not null default 1,
+  `last` int not null default 1,
+  PRIMARY KEY (`id`)
 );

--- a/templates/bootstrap/user_settings.html.ep
+++ b/templates/bootstrap/user_settings.html.ep
@@ -58,6 +58,7 @@
 %   }
 %   if ($_user->external_auth eq 'ldap') {
 %       for my $attribute (sort $_user->ldap_entry->attributes ) {
+%           next if $attribute =~ /assword|Pwd/i;
 <b><%= $attribute %></b>: <%= $_user->ldap_entry->get_value($attribute) %><br/>
 %       }
 % }

--- a/templates/main/machine_access.html.ep
+++ b/templates/main/machine_access.html.ep
-Type a typical LDAP user name to fetch the attribute list
-<input type="text" ng-model="cn" ng-change="list_ldap_attributes()"
-    ng-init="cn='<%= $ldap_attributes_cn %>';list_ldap_attributes()"
->
-<span ng-hide="ldap_attributes || !cn">User name <b>{{cn}}</b> not found in LDAP server</span>
-
-<div class="row">
-    <div class="col-md-2">
-        <b>Attribute</b>
-    </div>
-    <div class="col-md-3">
-        <b>Value</b>
-    </div>
-    <div class="col-md-1">
-        <b>Allowed</b>
+<div class="panel panel-default">
+    <div class="panel-body">
+        Type a typical LDAP user name to fetch the attribute list
+        <input type="text" ng-model="cn" ng-change="list_ldap_attributes()"
+        ng-init="cn='<%= $ldap_attributes_cn %>';list_ldap_attributes()">
+        <span ng-hide="ldap_attributes || !cn">
+            User name <b>{{cn}}</b> not found in LDAP server
+        </span>
    </div>
 </div>

-<div class="row" ng-repeat="attribute in ldap_attributes_domain">
-    <div class="col-md-2">
-        {{attribute.attribute}}
-    </div>
-    <div class="col-md-3">
-        {{attribute.value}}
-    </div>
-    <div class="col-md-1">
-        <input type="checkbox" ng-checked="attribute.allowed"
-            ng-click="set_ldap_access(attribute.id, !attribute.allowed)"
-        >
-    </div>
-    <div class="col-md-1" ng-show="ldap_attributes_domain.length>1">
-        <button class="btn" ng-hide="$index == ldap_attributes_domain.length-1"
-            ng-click="move_ldap_access(attribute.id, +1);"
-            ><i class="fa fa-arrow-down"></i></button>
-    </div>
-    <div class="col-md-1" ng-show="ldap_attributes_domain.length>1">
-        <button class="btn" ng-show="$index" ng-click="move_ldap_access(attribute.id,-1)"
-            ><i class="fa fa-arrow-up" ></i></button>
-    </div>
-    <div class="col-md-1">
-        <button class="btn" 
-            ng-click="delete_ldap_access(attribute.id)"><i class="fas fa-times"></i></button>
-    </div>
-</div>
+<div class="panel panel-default">
+    <div class="panel-heading">

-<div class="row" ng-show="ldap_attributes_default.id">
-    <div class="col-md-2">
-        <i>Default</i>
-    </div>
-    <div class="col-md-3"></div>
-    <div class="col-md-1">
-        <input type="checkbox"
-            ng-checked="ldap_attributes_default.allowed"
-            ng-click="set_ldap_access(ldap_attributes_default.id, !ldap_attributes_default.allowed)">
-    </div>
-    <div class="col-md-4">
-        <span ng-show="ldap_attributes_default.allowed">If none of the previous match,
-            access is allowed.</span>
-        <span ng-show="!ldap_attributes_default.allowed">If none of the previous match,
-            access is denied.</span>
-    </div>
-</div>
-<h3>New access restriction</h3>
-<div class="row">
-    <div class="col-md-2">
-        <select ng-model="ldap_attribute"  ng-change="ldap_entries=0;ldap_verified=false">
-        <option ng-repeat="attribute in ldap_attributes" value="{{attribute}}">
-            {{attribute}}
-        </option>
-        </select>
-    </div>
+        <div class="row">
+            <div class="col-md-2">
+                <b>Attribute</b>
+            </div>
+            <div class="col-md-3">
+                <b>Value</b>
+            </div>
+            <div class="col-md-1">
+                <b>Allowed</b>
+            </div>
+            <div class="col-md-1">
+                <b>Last</b>
+            </div>
+        </div>
+    </div><!-- of panel heading -->

-    <div class="col-md-3">
-        <input ng-model="ldap_attribute_value" type="text"
-            ng-change="ldap_entries=0;ldap_verified=false">
+    <div class="panel-body">
+%=      include "/main/machine_access_list"
    </div>

-    <div class="col-md-1">
-        <input ng-model="ldap_attribute_allowed" type="checkbox">
-    </div>
-
-    <div class="col-md-2">
-        <button
-            ng-show="ldap_attribute && ldap_attribute_value"
-            ng-disabled="ldap_verifying"
-            ng-click="count_ldap_entries()"
-            class="btn"
-            >verify</button>
-        <button ng-show="ldap_attribute && ldap_attribute_value"
-            ng-disabled="ldap_verifying"
-            ng-click="add_ldap_access()"
-            class="btn"
-            >save</button>
-    </div>
-    <div class="col-md-3">
-        <span ng-show="ldap_verifying">Verifying {{ldap_attribute}} ...</span>
-        <span ng-show="ldap_verified && !ldap_entries">No entries found</span>
-        <span ng-show="ldap_verified && ldap_entries">{{ldap_attribute}} = {{ldap_attribute_value}} has at least {{ldap_entries}} entries. </span>
+    <div class="panel-footer">
+%=      include "/main/machine_access_new"
    </div>
 </div>

-
--- a/templates/main/machine_access_list.html.ep
+++ b/templates/main/machine_access_list.html.ep
+<div class="row" ng-repeat="attribute in ldap_attributes_domain">
+    <div class="col-md-2">
+        {{attribute.attribute}}
+    </div>
+    <div class="col-md-3">
+        {{attribute.value}}
+    </div>
+    <div class="col-md-1">
+        <input type="checkbox" ng-checked="attribute.allowed"
+            ng-click="set_ldap_access(attribute.id, !attribute.allowed, attribute.last)"
+        >
+    </div>
+    <div class="col-md-1">
+        <input type="checkbox" ng-checked="attribute.last"
+            ng-disabled="!attribute.allowed"
+            ng-click="set_ldap_access(attribute.id, attribute.allowed, !attribute.last)"
+        >
+    </div>
+    <div class="col-md-1" ng-show="ldap_attributes_domain.length>1">
+        <button class="btn" ng-hide="$index == ldap_attributes_domain.length-1"
+            ng-click="move_ldap_access(attribute.id, +1);"
+            ><i class="fa fa-arrow-down"></i></button>
+    </div>
+    <div class="col-md-1" ng-show="ldap_attributes_domain.length>1">
+        <button class="btn" ng-show="$index" ng-click="move_ldap_access(attribute.id,-1)"
+            ><i class="fa fa-arrow-up" ></i></button>
+    </div>
+    <div class="col-md-1">
+        <button class="btn" 
+            ng-click="delete_ldap_access(attribute.id)"><i class="fas fa-times"></i></button>
+    </div>
+</div>
+
+<div class="row" ng-show="ldap_attributes_default.id">
+    <div class="col-md-2">
+        <i>Default</i>
+    </div>
+    <div class="col-md-3"></div>
+    <div class="col-md-1">
+        <input type="checkbox"
+            ng-checked="ldap_attributes_default.allowed"
+            ng-click="set_ldap_access(ldap_attributes_default.id, !ldap_attributes_default.allowed)">
+    </div>
+    <div class="col-md-4">
+        <span ng-show="ldap_attributes_default.allowed">If none of the previous match,
+            access is allowed.</span>
+        <span ng-show="!ldap_attributes_default.allowed">If none of the previous match,
+            access is denied.</span>
+    </div>
+</div>
+
--- a/templates/main/machine_access_new.html.ep
+++ b/templates/main/machine_access_new.html.ep
+<div class="row">
+    <div class="col-md-2">
+        <select ng-model="ldap_attribute"  ng-change="ldap_entries=0;ldap_verified=false">
+        <option ng-repeat="attribute in ldap_attributes" value="{{attribute}}">
+            {{attribute}}
+        </option>
+        </select>
+    </div>
+
+    <div class="col-md-3">
+        <input ng-model="ldap_attribute_value" type="text"
+            ng-change="ldap_entries=0;ldap_verified=false">
+    </div>
+
+    <div class="col-md-1">
+        <input ng-model="ldap_attribute_allowed" type="checkbox">
+    </div>
+
+    <div class="col-md-1">
+        <input ng-model="ldap_attribute_last" type="checkbox"
+            title="Finish checking permission when this matches"
+        >
+    </div>
+    <div class="col-md-2">
+        <button
+            ng-show="ldap_attribute && ldap_attribute_value"
+            ng-disabled="ldap_verifying"
+            ng-click="count_ldap_entries()"
+            >verify</button>
+        <button ng-show="ldap_attribute && ldap_attribute_value"
+            ng-disabled="ldap_verifying || (!ldap_attribute_allowed && ! ldap_attribute_last)"
+            ng-click="add_ldap_access()"
+            >save</button>
+    </div>
+    <div class="col-md-3">
+        <span ng-show="ldap_verifying">Verifying {{ldap_attribute}} ...</span>
+        <span ng-show="ldap_verified && !ldap_entries">No entries found</span>
+        <span ng-show="ldap_verified && ldap_entries">{{ldap_attribute}} = {{ldap_attribute_value}} has at least {{ldap_entries}} entries. </span>
+        <span ng-show="!ldap_attribute_allowed && !ldap_attribute_last">
+            Enable last for not allowed restrictions.
+        </span>
+    </div>
+</div>
+