Commit 24829f7b authored by Francesc Guasch's avatar Francesc Guasch

feature(frontend): manage LDAP access restrictions

issue #916
parent 7a8ad2f8
...@@ -142,6 +142,7 @@ sub search_user { ...@@ -142,6 +142,7 @@ sub search_user {
my $field = (delete $args{field} or 'uid'); my $field = (delete $args{field} or 'uid');
my $ldap = (delete $args{ldap} or _init_ldap_admin()); my $ldap = (delete $args{ldap} or _init_ldap_admin());
my $base = (delete $args{base} or _dc_base()); my $base = (delete $args{base} or _dc_base());
my $typesonly= (delete $args{typesonly} or 0);
confess "ERROR: Unknown fields ".Dumper(\%args) if keys %args; confess "ERROR: Unknown fields ".Dumper(\%args) if keys %args;
confess "ERROR: I can't connect to LDAP " if!$ldap; confess "ERROR: I can't connect to LDAP " if!$ldap;
...@@ -152,12 +153,14 @@ sub search_user { ...@@ -152,12 +153,14 @@ sub search_user {
base => $base, base => $base,
scope => 'sub', scope => 'sub',
filter => "($field=$username)", filter => "($field=$username)",
typesonly => $typesonly,
attrs => ['*'] attrs => ['*']
); );
warn "LDAP retry ".$mesg->code." ".$mesg->error if $retry > 1; warn "LDAP retry ".$mesg->code." ".$mesg->error if $retry > 1;
if ( $retry <= 3 && $mesg->code ) { if ( $retry <= 3 && $mesg->code && $mesg->code != 4 ) {
warn "LDAP error ".$mesg->code." ".$mesg->error."." warn "LDAP error ".$mesg->code." ".$mesg->error."."
."Retrying ! [$retry]" if $retry; ."Retrying ! [$retry]" if $retry;
$LDAP_ADMIN = undef; $LDAP_ADMIN = undef;
...@@ -167,6 +170,7 @@ sub search_user { ...@@ -167,6 +170,7 @@ sub search_user {
name => $username name => $username
,field => $field ,field => $field
,retry => ++$retry ,retry => ++$retry
,typesonly => $typesonly
); );
} }
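Review bot: The bare `4` in the new retry condition `$mesg->code != 4` is the LDAP sizeLimitExceeded result code and should be written with the constant Net::LDAP already ships, `use Net::LDAP::Constant qw(LDAP_SIZELIMIT_EXCEEDED);` and `$mesg->code != LDAP_SIZELIMIT_EXCEEDED`, so the link to the `/Sizelimit exceeded/` check in the new `/count_ldap_entries` route is visible to the next reader. A one-line comment above the condition such as `# a size-limit result is not retried: the partial result set is what the caller counts` would record why that code is exempt from the retry. The context line `filter => "($field=$username)"` interpolates both values into the filter unescaped; that is pre-existing, but with `typesonly` the function is now called from a route with URL path segments as `field` and `name`, so either the callers or this function must validate the attribute name and escape the value with `Net::LDAP::Util::escape_filter_value`. search_user's body starts before the first hunk and continues after the last one.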
...@@ -168,6 +168,7 @@ ...@@ -168,6 +168,7 @@
$scope.new_name=$scope.showmachine.name+"-2"; $scope.new_name=$scope.showmachine.name+"-2";
$scope.validate_new_name($scope.showmachine.name); $scope.validate_new_name($scope.showmachine.name);
$scope.refresh_machine(); $scope.refresh_machine();
$scope.init_ldap_access();
}); });
}; };
$scope.domain_remove = 0; $scope.domain_remove = 0;
...@@ -323,6 +324,59 @@ ...@@ -323,6 +324,59 @@
} }
}); });
};
$scope.list_ldap_attributes= function() {
$scope.ldap_entries = 0;
$scope.ldap_verified = 0;
console.log($scope.cn);
$http.get('/list_ldap_attributes/'+$scope.cn).then(function(response) {
$scope.ldap_attributes = response.data.attributes;
});
};
$scope.count_ldap_entries = function() {
$scope.ldap_verifying = true;
$http.get('/count_ldap_entries/'+$scope.ldap_attribute+'/'+$scope.ldap_attribute_value)
.then(function(response) {
$scope.ldap_entries = response.data.entries;
$scope.ldap_verified = true;
$scope.ldap_verifying = false;
});
};
$scope.add_ldap_access = function() {
$http.get('/add_ldap_access/'+$scope.showmachine.id+'/'+$scope.ldap_attribute+'/'
+$scope.ldap_attribute_value+"/"+$scope.ldap_attribute_allowed)
.then(function(response) {
$scope.init_ldap_access();
});
};
$scope.delete_ldap_access= function(id_access) {
$http.get('/delete_ldap_access/'+$scope.showmachine.id+'/'+id_access)
.then(function(response) {
$scope.init_ldap_access();
});
};
$scope.move_ldap_access= function(id_access, count) {
$http.get('/move_ldap_access/'+$scope.showmachine.id+'/'+id_access+'/'+count)
.then(function(response) {
$scope.init_ldap_access();
});
};
$scope.set_ldap_access = function(id_access, allowed) {
$http.get('/set_ldap_access/'+$scope.showmachine.id+'/'+id_access+'/'+allowed)
.then(function(response) {
$scope.init_ldap_access();
});
};
$scope.init_ldap_access = function() {
$scope.ldap_entries = 0;
$scope.ldap_verified = 0;
$scope.ldap_attribute = '';
$scope.ldap_attribute_value = '';
$scope.ldap_attribute_allowed=true;
$http.get('/list_ldap_access/'+$scope.showmachine.id).then(function(response) {
$scope.ldap_attributes_domain = response.data.list;
$scope.ldap_attributes_default = response.data.default;
});
}; };
$scope.removed_hardware = []; $scope.removed_hardware = [];
$scope.pending_before = 10; $scope.pending_before = 10;
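Review bot: The new `$http.get` calls in count_ldap_entries, add_ldap_access and list_ldap_attributes concatenate `$scope.ldap_attribute`, `$scope.ldap_attribute_value` and `$scope.cn` straight into the URL path, so a value containing `/`, `?`, `#` or `%` is routed differently or returns 404; each segment should be wrapped, e.g. `'/count_ldap_entries/'+encodeURIComponent($scope.ldap_attribute)+'/'+encodeURIComponent($scope.ldap_attribute_value)`. `console.log($scope.cn)` in list_ldap_attributes reads as leftover debugging output and should be removed. count_ldap_entries sets `$scope.ldap_verifying = true` and only clears it in the success callback, so a failed request leaves the flag set; a second `.then` argument (or `.catch`) that resets `ldap_verifying` would cover that path. The enclosing controller function starts before and ends after this section.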
...@@ -637,6 +637,140 @@ any '/admin/user/(:id).(:type)' => sub { ...@@ -637,6 +637,140 @@ any '/admin/user/(:id).(:type)' => sub {
return $c->render(template => 'main/manage_user'); return $c->render(template => 'main/manage_user');
}; };
get '/list_ldap_attributes/(#cn)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
my $cn = $c->stash('cn');
my $user;
eval {
($user) = Ravada::Auth::LDAP::search_user($cn);
};
return $c->render(json => { error => $@ }) if $@;
return $c->render(json => []) if !$user;
$c->session(ldap_attributes_cn => $cn) if $user;
return $c->render(json => {attributes => [$user->attributes]});
};
get '/count_ldap_entries/(#attribute)/(#value)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
my @entries;
eval {
@entries = Ravada::Auth::LDAP::search_user(
field => $c->stash('attribute')
,name => $c->stash('value')
,typesonly => 1
);
};
@entries = [ 'too many' ] if $@ =~ /Sizelimit exceeded/;
return $c->render(json => { entries => scalar @entries });
};
get '/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
my $domain_id = $c->stash('id_domain');
my $domain = Ravada::Front::Domain->open($domain_id);
my $attribute = $c->stash('attribute');
my $value = $c->stash('value');
my $allowed = 1;
if ($c->stash('allowed') eq 'false') {
$allowed = 0;
}
eval { $domain->allow_ldap_access($attribute => $value, $allowed ) };
_fix_default_ldap_access($c, $domain, $allowed) if !$@;
return $c->render(json => { error => $@ }) if $@;
return $c->render(json => { ok => 1 });
};
sub _fix_default_ldap_access($c, $domain, $allowed) {
my @list = $domain->list_ldap_access();
my $default_found;
for ( @list ) {
if ( $_->{value} eq '*' ) {
$default_found = $_->{id};
}
}
if ( $default_found ) {
$domain->move_ldap_access($default_found, +1);
return;
}
my $allowed_default = 0;
$allowed_default = 1 if !$allowed;
eval { $domain->allow_ldap_access('DEFAULT' => '*', $allowed_default ) };
warn $@ if $@;
}
get '/delete_ldap_access/(#id_domain)/(#id_access)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
my $domain_id = $c->stash('id_domain');
my $domain = Ravada::Front::Domain->open($domain_id);
$domain->delete_ldap_access($c->stash('id_access'));
return $c->render(json => { ok => 1 });
};
get '/list_ldap_access/(#id_domain)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
my $domain_id = $c->stash('id_domain');
my $domain = Ravada::Front::Domain->open($domain_id);
my @ldap_access = $domain->list_ldap_access();
my $default = {};
if ($ldap_access[-1]->{value} eq '*') {
$default = pop @ldap_access;
}
return $c->render(json => {list => \@ldap_access, default => $default} );
};
get '/move_ldap_access/(#id_domain)/(#id_access)/(#count)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
my $domain_id = $c->stash('id_domain');
my $domain = Ravada::Front::Domain->open($domain_id);
$domain->move_ldap_access($c->stash('id_access'), $c->stash('count'));
return $c->render(json => { ok => 1});
};
get '/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)' => sub {
my $c = shift;
return _access_denied($c) if !$USER->is_admin;
my $domain_id = $c->stash('id_domain');
my $domain = Ravada::Front::Domain->open($domain_id);
my $allowed = $c->stash('allowed');
if ($allowed =~ /false/ || !$allowed) {
$allowed = 0;
} else {
$allowed = 1;
}
$domain->set_ldap_access($c->stash('id_access'), $allowed);
return $c->render(json => { ok => 1});
};
############################################## ##############################################
...@@ -1432,6 +1566,7 @@ sub manage_machine { ...@@ -1432,6 +1566,7 @@ sub manage_machine {
$c->stash(domain => $domain); $c->stash(domain => $domain);
$c->stash(USER => $USER); $c->stash(USER => $USER);
$c->stash(list_users => $RAVADA->list_users); $c->stash(list_users => $RAVADA->list_users);
$c->stash(ldap_attributes_cn => ( $c->session('ldap_attributes_cn') or $USER->name or ''));
$c->stash( ram => int( $domain->get_info()->{max_mem} / 1024 )); $c->stash( ram => int( $domain->get_info()->{max_mem} / 1024 ));
$c->stash( cram => int( $domain->get_info()->{memory} / 1024 )); $c->stash( cram => int( $domain->get_info()->{memory} / 1024 ));
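Review bot: The four state-changing routes `/add_ldap_access`, `/delete_ldap_access`, `/move_ldap_access` and `/set_ldap_access` modify a machine's access rules on a plain GET guarded only by `$USER->is_admin`, so any page an admin visits can trigger them through an image tag or redirect; they should be `post` routes that check `$c->validation->csrf_protect->has_error` (or the project's existing CSRF helper) before opening `$domain`. In `/count_ldap_entries` the path segments `attribute` and `value` are handed to `search_user`, whose filter line `filter => "($field=$username)"` interpolates them verbatim, so the attribute should be validated as an LDAP attribute type name and the value escaped with `Net::LDAP::Util::escape_filter_value` (needs `use Net::LDAP::Util` at the top of the file; if wildcard values are meant to be supported, allow `*` and escape only the other filter metacharacters) — the rewrite below does that. Two smaller defects: `@entries = [ 'too many' ]` leaves `scalar @entries` at 1, so the client cannot tell a size-limit overflow from a single match, which the rewrite reports in a separate `error` field; and in `/list_ldap_access` `$ldap_access[-1]->{value}` is evaluated on an empty list when a domain has no rules, which should be guarded with `if (@ldap_access && $ldap_access[-1]{value} eq '*')`. `_fix_default_ldap_access` uses a subroutine signature, so `feature 'signatures'` must be enabled somewhere outside this section, and its `$c` parameter is unused.
```perl
get '/count_ldap_entries/(#attribute)/(#value)' => sub {
    my $c = shift;
    return _access_denied($c) if !$USER->is_admin;
    my $attribute = $c->stash('attribute');
    # attribute types are [A-Za-z][A-Za-z0-9-]*; anything else would be filter syntax
    return $c->render(json => { error => "invalid attribute name" }, status => 400)
        if $attribute !~ /\A[A-Za-z][A-Za-z0-9-]*\z/;
    my @entries;
    eval {
        @entries = Ravada::Auth::LDAP::search_user(
            field => $attribute
            ,name => Net::LDAP::Util::escape_filter_value($c->stash('value'))
            ,typesonly => 1
        );
    };
    # report the overflow separately instead of faking a count of 1
    return $c->render(json => { entries => 0, error => 'too many' })
        if $@ =~ /Sizelimit exceeded/;
    return $c->render(json => { error => $@ }) if $@;
    return $c->render(json => { entries => scalar @entries });
};
```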