Commit 235966c8 authored by Francesc Guasch's avatar Francesc Guasch

feature(auth): check restrictions may be end with last

When the last field is enabled on a restriction, no more restrictions are checked after it matches.

issue #916
parent 39458184
......@@ -324,17 +324,17 @@ sub _load_allowed {
return if !$self->external_auth || $self->external_auth ne 'ldap';
my $ldap_entry = $self->ldap_entry;
my $sth = $$CONNECTOR->dbh->prepare(
"SELECT id_domain, attribute, value, allowed "
." FROM access_ldap_attribute"
);
$sth->execute();
while ( my ($id_domain, $attribute, $value, $allowed) = $sth->fetchrow) {
if ($ldap_entry && defined $ldap_entry->get_value($attribute)
&& $ldap_entry->get_value($attribute) eq $value ) {
$self->{_allowed}->{$id_domain} = $allowed;
for my $id_domain ( @domains ) {
my $sth = $$CONNECTOR->dbh->prepare(
"SELECT attribute, value, allowed, last "
." FROM access_ldap_attribute"
." WHERE id_domain=?"
." ORDER BY n_order "
);
$sth->execute($id_domain);
my ($n_allowed, $n_denied) = ( 0,0 );
while ( my ($attribute, $value, $allowed, $last) = $sth->fetchrow) {
$n_allowed++ if $allowed;
$n_denied++ if !$allowed;
......@@ -347,7 +347,7 @@ sub _load_allowed {
$self->{_allowed}->{$id_domain} = $allowed;
last if !$allowed;
last if !$allowed || $last;
}
}
$sth->finish;
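Review bot: The `$sth->finish;` after the two closing braces operates on whichever `$sth` is in scope at that point, while the handle that was actually executed is the `my $sth` declared inside the `for my $id_domain ( @domains )` loop, so the per-domain handle is never finished and the outer one — if it still exists after this change — is finished without having been used; move `$sth->finish;` into the loop body right after the `while`. Preparing the statement once before the loop and calling `$sth->execute($id_domain)` per iteration would also avoid one prepare per domain. Where `@domains` is filled is not visible in the hunk, and `_load_allowed` starts and ends outside it, so the scoping above is inferred from the visible lines only.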
......@@ -3022,18 +3022,20 @@ Example:
=cut
sub allow_ldap_access($self, $attribute, $value, $allowed=1 ) {
sub allow_ldap_access($self, $attribute, $value, $allowed=1, $last=0 ) {
my $sth = $$CONNECTOR->dbh->prepare(
"SELECT * from access_ldap_attribute"
"SELECT max(n_order) from access_ldap_attribute"
." WHERE id_domain = ? "
." ORDER BY n_order"
);
$sth->execute($self->id);
my @list;
while (my $row = $sth->fetchrow_hashref) {
push @list,($row) if keys %$row;
}
return @list;
my ($n_order) = ($sth->fetchrow or 0);
$sth->finish;
$sth = $$CONNECTOR->dbh->prepare(
"INSERT INTO access_ldap_attribute "
."(id_domain, attribute, value, allowed, n_order, last) "
."VALUES(?,?,?,?,?,?)");
$sth->execute($self->id, $attribute, $value, $allowed, $n_order+1, $last);
}
#TODO: check something has been deleted
......@@ -3053,6 +3055,7 @@ sub list_ldap_access($self) {
$sth->execute($self->id);
my @list;
while (my $row = $sth->fetchrow_hashref) {
$row->{last} = 1 if !$row->{allowed} && !$row->{last};
push @list,($row) if keys %$row;
}
return @list;
......@@ -3123,9 +3126,10 @@ sub move_ldap_access($self, $id_access, $position) {
$self->_set_access_order($id_access2, $n_order);
}
sub set_ldap_access($self, $id_access, $allowed) {
my $sth = $$CONNECTOR->dbh->prepare("UPDATE access_ldap_attribute SET allowed=?"
sub set_ldap_access($self, $id_access, $allowed, $last) {
my $sth = $$CONNECTOR->dbh->prepare("UPDATE access_ldap_attribute "
." SET allowed=?, last=?"
." WHERE id=?");
$sth->execute($allowed, $id_access);
$sth->execute($allowed, $last, $id_access);
}
1;
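Review bot: `allow_ldap_access` now reads `max(n_order)` and inserts `n_order+1` in two separate statements with no transaction and, per the schema change in this commit, no unique key on `(id_domain, n_order)`, so two concurrent adds for the same domain can end up with the same `n_order` and the evaluation order in `_load_allowed` becomes arbitrary; wrapping both statements in a transaction or adding that unique key would close the window. `set_ldap_access($self, $id_access, $allowed, $last)` gives `$last` no default, so any caller still passing three arguments dies with a signature error — `$last=0` would keep it backward compatible. The POD ending at `=cut` above the hunk should also describe the new `$last` parameter, e.g. `when true, no further restrictions are evaluated once this one matches (default 0)`; the POD itself is outside the hunk.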
......@@ -344,7 +344,8 @@
};
$scope.add_ldap_access = function() {
$http.get('/add_ldap_access/'+$scope.showmachine.id+'/'+$scope.ldap_attribute+'/'
+$scope.ldap_attribute_value+"/"+$scope.ldap_attribute_allowed)
+$scope.ldap_attribute_value+"/"+$scope.ldap_attribute_allowed
+'/'+$scope.ldap_attribute_last)
.then(function(response) {
$scope.init_ldap_access();
});
......@@ -361,8 +362,9 @@
$scope.init_ldap_access();
});
};
$scope.set_ldap_access = function(id_access, allowed) {
$http.get('/set_ldap_access/'+$scope.showmachine.id+'/'+id_access+'/'+allowed)
$scope.set_ldap_access = function(id_access, allowed, last) {
$http.get('/set_ldap_access/'+$scope.showmachine.id+'/'+id_access+'/'+allowed
+'/'+last)
.then(function(response) {
$scope.init_ldap_access();
});
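Review bot: `$scope.ldap_attribute_last` is concatenated into the path before the checkbox has ever been touched, so the request becomes `.../<allowed>/undefined`; the server route only recognises the literal string `false`, which means an untouched "last" checkbox registers the new rule as last. Coercing to a boolean first, `+'/'+(!!$scope.ldap_attribute_last)`, or initialising `$scope.ldap_attribute_last = false` where the other `ldap_attribute_*` values are set, fixes the add path; `set_ldap_access` has the same issue when a caller omits `last`, since it is likewise serialised as `undefined`.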
......@@ -671,7 +671,7 @@ get '/count_ldap_entries/(#attribute)/(#value)' => sub {
return $c->render(json => { entries => scalar @entries });
};
get '/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)' => sub {
get '/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)/(#last)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
......@@ -685,8 +685,13 @@ get '/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)' => sub {
if ($c->stash('allowed') eq 'false') {
$allowed = 0;
}
my $last = 1;
if ($c->stash('last') eq 'false') {
$last = 0;
}
$last = 1 if !$allowed;
eval { $domain->allow_ldap_access($attribute => $value, $allowed ) };
eval { $domain->allow_ldap_access($attribute => $value, $allowed, $last ) };
_fix_default_ldap_access($c, $domain, $allowed) if !$@;
return $c->render(json => { error => $@ }) if $@;
return $c->render(json => { ok => 1 });
......@@ -753,7 +758,7 @@ get '/move_ldap_access/(#id_domain)/(#id_access)/(#count)' => sub {
return $c->render(json => { ok => 1});
};
get '/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)' => sub {
get '/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)/(#last)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
......@@ -767,8 +772,15 @@ get '/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)' => sub {
} else {
$allowed = 1;
}
my $last= $c->stash('last');
if ($last=~ /false/ || !$last) {
$last= 0;
} else {
$last= 1;
}
warn "last = $last";
$domain->set_ldap_access($c->stash('id_access'), $allowed);
$domain->set_ldap_access($c->stash('id_access'), $allowed, $last);
return $c->render(json => { ok => 1});
};
##############################################
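Review bot: `warn "last = $last";` in the `/set_ldap_access` route is leftover debugging that writes to the server log on every call and should be removed. The two routes also parse the `last` placeholder differently: `/add_ldap_access` uses `eq 'false'` and forces `$last = 1 if !$allowed`, while `/set_ldap_access` uses an unanchored `/false/` match and applies no such rule, so a denied rule can be stored with `last=0` through one path but not the other; a single helper such as `my $last = _stash_bool($c, 'last');` used by both would keep them consistent. Both routes treat any value other than `false` as true, so rejecting anything but `true`/`false` with an error response would make malformed requests visible rather than silently creating rules.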
......@@ -4,7 +4,8 @@ CREATE TABLE `access_ldap_attribute` (
`attribute` varchar(64),
`value` varchar(64),
`allowed` int not null default 1,
PRIMARY KEY (`id`),
UNIQUE KEY `id_base` (`id_domain`,`attribute`,`value`)
`n_order` int not null default 1,
`last` int not null default 1,
PRIMARY KEY (`id`)
);
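Review bot: Dropping `UNIQUE KEY id_base (id_domain, attribute, value)` removes the only guard against inserting the same attribute/value twice for a domain, and nothing replaces it; if duplicates are now intentional, a unique key on `(id_domain, n_order)` would at least keep the evaluation order well defined. `last int not null default 1` also matters for existing rows: if the upgrade path (not in this hunk) adds the column with this default, an allow rule that previously let a later deny rule override it now stops evaluation at the first match, which can widen access on upgraded installs — `default 0` preserves the old behaviour for pre-existing rules.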
......@@ -58,6 +58,7 @@
% }
% if ($_user->external_auth eq 'ldap') {
% for my $attribute (sort $_user->ldap_entry->attributes ) {
% next if $attribute =~ /assword|Pwd/i;
<b><%= $attribute %></b>: <%= $_user->ldap_entry->get_value($attribute) %><br/>
% }
% }
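Review bot: `next if $attribute =~ /assword|Pwd/i;` hides LDAP attributes from the profile page by substring match on the attribute name, which only covers names containing those two fragments; an explicit list of attributes to display would be more robust than a denylist. At minimum a comment stating the intent, `# do not echo credential-like attributes to the browser`, would help the next maintainer understand why the filter exists.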
Type a typical LDAP user name to fetch the attribute list
<input type="text" ng-model="cn" ng-change="list_ldap_attributes()"
ng-init="cn='<%= $ldap_attributes_cn %>';list_ldap_attributes()"
>
<span ng-hide="ldap_attributes || !cn">User name <b>{{cn}}</b> not found in LDAP server</span>
<div class="row">
<div class="col-md-2">
<b>Attribute</b>
</div>
<div class="col-md-3">
<b>Value</b>
</div>
<div class="col-md-1">
<b>Allowed</b>
<div class="panel panel-default">
<div class="panel-body">
Type a typical LDAP user name to fetch the attribute list
<input type="text" ng-model="cn" ng-change="list_ldap_attributes()"
ng-init="cn='<%= $ldap_attributes_cn %>';list_ldap_attributes()">
<span ng-hide="ldap_attributes || !cn">
User name <b>{{cn}}</b> not found in LDAP server
</span>
</div>
</div>
<div class="row" ng-repeat="attribute in ldap_attributes_domain">
<div class="col-md-2">
{{attribute.attribute}}
</div>
<div class="col-md-3">
{{attribute.value}}
</div>
<div class="col-md-1">
<input type="checkbox" ng-checked="attribute.allowed"
ng-click="set_ldap_access(attribute.id, !attribute.allowed)"
>
</div>
<div class="col-md-1" ng-show="ldap_attributes_domain.length>1">
<button class="btn" ng-hide="$index == ldap_attributes_domain.length-1"
ng-click="move_ldap_access(attribute.id, +1);"
><i class="fa fa-arrow-down"></i></button>
</div>
<div class="col-md-1" ng-show="ldap_attributes_domain.length>1">
<button class="btn" ng-show="$index" ng-click="move_ldap_access(attribute.id,-1)"
><i class="fa fa-arrow-up" ></i></button>
</div>
<div class="col-md-1">
<button class="btn"
ng-click="delete_ldap_access(attribute.id)"><i class="fas fa-times"></i></button>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<div class="row" ng-show="ldap_attributes_default.id">
<div class="col-md-2">
<i>Default</i>
</div>
<div class="col-md-3"></div>
<div class="col-md-1">
<input type="checkbox"
ng-checked="ldap_attributes_default.allowed"
ng-click="set_ldap_access(ldap_attributes_default.id, !ldap_attributes_default.allowed)">
</div>
<div class="col-md-4">
<span ng-show="ldap_attributes_default.allowed">If none of the previous match,
access is allowed.</span>
<span ng-show="!ldap_attributes_default.allowed">If none of the previous match,
access is denied.</span>
</div>
</div>
<h3>New access restriction</h3>
<div class="row">
<div class="col-md-2">
<select ng-model="ldap_attribute" ng-change="ldap_entries=0;ldap_verified=false">
<option ng-repeat="attribute in ldap_attributes" value="{{attribute}}">
{{attribute}}
</option>
</select>
</div>
<div class="row">
<div class="col-md-2">
<b>Attribute</b>
</div>
<div class="col-md-3">
<b>Value</b>
</div>
<div class="col-md-1">
<b>Allowed</b>
</div>
<div class="col-md-1">
<b>Last</b>
</div>
</div>
</div><!-- of panel heading -->
<div class="col-md-3">
<input ng-model="ldap_attribute_value" type="text"
ng-change="ldap_entries=0;ldap_verified=false">
<div class="panel-body">
%= include "/main/machine_access_list"
</div>
<div class="col-md-1">
<input ng-model="ldap_attribute_allowed" type="checkbox">
</div>
<div class="col-md-2">
<button
ng-show="ldap_attribute && ldap_attribute_value"
ng-disabled="ldap_verifying"
ng-click="count_ldap_entries()"
class="btn"
>verify</button>
<button ng-show="ldap_attribute && ldap_attribute_value"
ng-disabled="ldap_verifying"
ng-click="add_ldap_access()"
class="btn"
>save</button>
</div>
<div class="col-md-3">
<span ng-show="ldap_verifying">Verifying {{ldap_attribute}} ...</span>
<span ng-show="ldap_verified && !ldap_entries">No entries found</span>
<span ng-show="ldap_verified && ldap_entries">{{ldap_attribute}} = {{ldap_attribute_value}} has at least {{ldap_entries}} entries. </span>
<div class="panel-footer">
%= include "/main/machine_access_new"
</div>
</div>
<div class="row" ng-repeat="attribute in ldap_attributes_domain">
<div class="col-md-2">
{{attribute.attribute}}
</div>
<div class="col-md-3">
{{attribute.value}}
</div>
<div class="col-md-1">
<input type="checkbox" ng-checked="attribute.allowed"
ng-click="set_ldap_access(attribute.id, !attribute.allowed, attribute.last)"
>
</div>
<div class="col-md-1">
<input type="checkbox" ng-checked="attribute.last"
ng-disabled="!attribute.allowed"
ng-click="set_ldap_access(attribute.id, attribute.allowed, !attribute.last)"
>
</div>
<div class="col-md-1" ng-show="ldap_attributes_domain.length>1">
<button class="btn" ng-hide="$index == ldap_attributes_domain.length-1"
ng-click="move_ldap_access(attribute.id, +1);"
><i class="fa fa-arrow-down"></i></button>
</div>
<div class="col-md-1" ng-show="ldap_attributes_domain.length>1">
<button class="btn" ng-show="$index" ng-click="move_ldap_access(attribute.id,-1)"
><i class="fa fa-arrow-up" ></i></button>
</div>
<div class="col-md-1">
<button class="btn"
ng-click="delete_ldap_access(attribute.id)"><i class="fas fa-times"></i></button>
</div>
</div>
<div class="row" ng-show="ldap_attributes_default.id">
<div class="col-md-2">
<i>Default</i>
</div>
<div class="col-md-3"></div>
<div class="col-md-1">
<input type="checkbox"
ng-checked="ldap_attributes_default.allowed"
ng-click="set_ldap_access(ldap_attributes_default.id, !ldap_attributes_default.allowed)">
</div>
<div class="col-md-4">
<span ng-show="ldap_attributes_default.allowed">If none of the previous match,
access is allowed.</span>
<span ng-show="!ldap_attributes_default.allowed">If none of the previous match,
access is denied.</span>
</div>
</div>
<div class="row">
<div class="col-md-2">
<select ng-model="ldap_attribute" ng-change="ldap_entries=0;ldap_verified=false">
<option ng-repeat="attribute in ldap_attributes" value="{{attribute}}">
{{attribute}}
</option>
</select>
</div>
<div class="col-md-3">
<input ng-model="ldap_attribute_value" type="text"
ng-change="ldap_entries=0;ldap_verified=false">
</div>
<div class="col-md-1">
<input ng-model="ldap_attribute_allowed" type="checkbox">
</div>
<div class="col-md-1">
<input ng-model="ldap_attribute_last" type="checkbox"
title="Finish checking permission when this matches"
>
</div>
<div class="col-md-2">
<button
ng-show="ldap_attribute && ldap_attribute_value"
ng-disabled="ldap_verifying"
ng-click="count_ldap_entries()"
>verify</button>
<button ng-show="ldap_attribute && ldap_attribute_value"
ng-disabled="ldap_verifying || (!ldap_attribute_allowed && ! ldap_attribute_last)"
ng-click="add_ldap_access()"
>save</button>
</div>
<div class="col-md-3">
<span ng-show="ldap_verifying">Verifying {{ldap_attribute}} ...</span>
<span ng-show="ldap_verified && !ldap_entries">No entries found</span>
<span ng-show="ldap_verified && ldap_entries">{{ldap_attribute}} = {{ldap_attribute_value}} has at least {{ldap_entries}} entries. </span>
<span ng-show="!ldap_attribute_allowed && !ldap_attribute_last">
Enable last for not allowed restrictions.
</span>
</div>
</div>
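Review bot: The default-row checkbox still calls `set_ldap_access(ldap_attributes_default.id, !ldap_attributes_default.allowed)` with two arguments, so the controller appends `/undefined` to the URL and the route stores `last = 1` for that rule as a side effect of toggling `allowed`; pass `ldap_attributes_default.last` as the third argument the way the per-rule checkbox does. The per-rule allowed toggle `set_ldap_access(attribute.id, !attribute.allowed, attribute.last)` can also clear `allowed` while leaving `last` false, which the server does not correct on update — `list_ldap_access` only masks it for display — so either the route or this call should force `last` when `allowed` becomes false, matching the add path. This section has no hunk header, so whether any lines precede the visible ones cannot be confirmed.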