Commit
24829f7b
authored
Nov 05, 2018
by
Francesc Guasch
feature(frontend): manage LDAP access restrictions
issue #916
parent
7a8ad2f8
Changes
3
lib/Ravada/Auth/LDAP.pm
...
@@ -142,6 +142,7 @@ sub search_user {
...
@@ -142,6 +142,7 @@ sub search_user {
my
$field
=
(
delete
$args
{
field
}
or
'
uid
');
my
$field
=
(
delete
$args
{
field
}
or
'
uid
');
my
$ldap
=
(
delete
$args
{
ldap
}
or
_init_ldap_admin
());
my
$ldap
=
(
delete
$args
{
ldap
}
or
_init_ldap_admin
());
my
$base
=
(
delete
$args
{
base
}
or
_dc_base
());
my
$base
=
(
delete
$args
{
base
}
or
_dc_base
());
my
$typesonly
=
(
delete
$args
{
typesonly
}
or
0
);
confess
"
ERROR: Unknown fields
"
.
Dumper
(
\
%args
)
if
keys
%args
;
confess
"
ERROR: Unknown fields
"
.
Dumper
(
\
%args
)
if
keys
%args
;
confess
"
ERROR: I can't connect to LDAP
"
if
!
$ldap
;
confess
"
ERROR: I can't connect to LDAP
"
if
!
$ldap
;
...
@@ -152,12 +153,14 @@ sub search_user {
...
@@ -152,12 +153,14 @@ sub search_user {
base
=>
$base
,
base
=>
$base
,
scope
=>
'
sub
',
scope
=>
'
sub
',
filter
=>
"
(
$field
=
$username
)
",
filter
=>
"
(
$field
=
$username
)
",
typesonly
=>
$typesonly
,
attrs
=>
['
*
']
attrs
=>
['
*
']
);
);
warn
"
LDAP retry
"
.
$mesg
->
code
.
"
"
.
$mesg
->
error
if
$retry
>
1
;
warn
"
LDAP retry
"
.
$mesg
->
code
.
"
"
.
$mesg
->
error
if
$retry
>
1
;
if
(
$retry
<=
3
&&
$mesg
->
code
)
{
if
(
$retry
<=
3
&&
$mesg
->
code
&&
$mesg
->
code
!=
4
)
{
warn
"
LDAP error
"
.
$mesg
->
code
.
"
"
.
$mesg
->
error
.
"
.
"
warn
"
LDAP error
"
.
$mesg
->
code
.
"
"
.
$mesg
->
error
.
"
.
"
.
"
Retrying ! [
$retry
]
"
if
$retry
;
.
"
Retrying ! [
$retry
]
"
if
$retry
;
$LDAP_ADMIN
=
undef
;
$LDAP_ADMIN
=
undef
;
...
@@ -167,6 +170,7 @@ sub search_user {
...
@@ -167,6 +170,7 @@ sub search_user {
name
=>
$username
name
=>
$username
,
field
=>
$field
,
field
=>
$field
,
retry
=>
++
$retry
,
retry
=>
++
$retry
,
typesonly
=>
$typesonly
);
);
}
}
...
...
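Review bot: The new retry condition compares against the bare literal `4`, which is the LDAP sizeLimitExceeded result code, and a reader has no way to tell that from the line; Net::LDAP already exports a name for it, so `use Net::LDAP::Constant qw(LDAP_SIZELIMIT_EXCEEDED);` and `if ($retry <= 3 && $mesg->code && $mesg->code != LDAP_SIZELIMIT_EXCEEDED) {` say the same thing without the magic number. Because this commit also starts feeding `field` and `name` into search_user straight from URL placeholders in rvd_front.pl, the context line `filter => "($field=$username)"` now interpolates request-controlled text into the LDAP filter unescaped; `$username` should go through `Net::LDAP::Util::escape_filter_value` and `$field` should be checked against an attribute-name pattern before the search is issued. The `typesonly` argument is added to the `or 0` default but not mentioned anywhere; a one-line comment such as `# typesonly => 1 returns attribute names only, used for counting matches` would help. search_user begins before and ends after the lines shown here.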
public/js/ravada.js
...
@@ -168,6 +168,7 @@
...
@@ -168,6 +168,7 @@
$scope
.
new_name
=
$scope
.
showmachine
.
name
+
"
-2
"
;
$scope
.
new_name
=
$scope
.
showmachine
.
name
+
"
-2
"
;
$scope
.
validate_new_name
(
$scope
.
showmachine
.
name
);
$scope
.
validate_new_name
(
$scope
.
showmachine
.
name
);
$scope
.
refresh_machine
();
$scope
.
refresh_machine
();
$scope
.
init_ldap_access
();
});
});
};
};
$scope
.
domain_remove
=
0
;
$scope
.
domain_remove
=
0
;
...
@@ -323,6 +324,59 @@
...
@@ -323,6 +324,59 @@
}
}
});
});
};
$scope
.
list_ldap_attributes
=
function
()
{
$scope
.
ldap_entries
=
0
;
$scope
.
ldap_verified
=
0
;
console
.
log
(
$scope
.
cn
);
$http
.
get
(
'
/list_ldap_attributes/
'
+
$scope
.
cn
).
then
(
function
(
response
)
{
$scope
.
ldap_attributes
=
response
.
data
.
attributes
;
});
};
$scope
.
count_ldap_entries
=
function
()
{
$scope
.
ldap_verifying
=
true
;
$http
.
get
(
'
/count_ldap_entries/
'
+
$scope
.
ldap_attribute
+
'
/
'
+
$scope
.
ldap_attribute_value
)
.
then
(
function
(
response
)
{
$scope
.
ldap_entries
=
response
.
data
.
entries
;
$scope
.
ldap_verified
=
true
;
$scope
.
ldap_verifying
=
false
;
});
};
$scope
.
add_ldap_access
=
function
()
{
$http
.
get
(
'
/add_ldap_access/
'
+
$scope
.
showmachine
.
id
+
'
/
'
+
$scope
.
ldap_attribute
+
'
/
'
+
$scope
.
ldap_attribute_value
+
"
/
"
+
$scope
.
ldap_attribute_allowed
)
.
then
(
function
(
response
)
{
$scope
.
init_ldap_access
();
});
};
$scope
.
delete_ldap_access
=
function
(
id_access
)
{
$http
.
get
(
'
/delete_ldap_access/
'
+
$scope
.
showmachine
.
id
+
'
/
'
+
id_access
)
.
then
(
function
(
response
)
{
$scope
.
init_ldap_access
();
});
};
$scope
.
move_ldap_access
=
function
(
id_access
,
count
)
{
$http
.
get
(
'
/move_ldap_access/
'
+
$scope
.
showmachine
.
id
+
'
/
'
+
id_access
+
'
/
'
+
count
)
.
then
(
function
(
response
)
{
$scope
.
init_ldap_access
();
});
};
$scope
.
set_ldap_access
=
function
(
id_access
,
allowed
)
{
$http
.
get
(
'
/set_ldap_access/
'
+
$scope
.
showmachine
.
id
+
'
/
'
+
id_access
+
'
/
'
+
allowed
)
.
then
(
function
(
response
)
{
$scope
.
init_ldap_access
();
});
};
$scope
.
init_ldap_access
=
function
()
{
$scope
.
ldap_entries
=
0
;
$scope
.
ldap_verified
=
0
;
$scope
.
ldap_attribute
=
''
;
$scope
.
ldap_attribute_value
=
''
;
$scope
.
ldap_attribute_allowed
=
true
;
$http
.
get
(
'
/list_ldap_access/
'
+
$scope
.
showmachine
.
id
).
then
(
function
(
response
)
{
$scope
.
ldap_attributes_domain
=
response
.
data
.
list
;
$scope
.
ldap_attributes_default
=
response
.
data
.
default
;
});
};
};
$scope
.
removed_hardware
=
[];
$scope
.
removed_hardware
=
[];
$scope
.
pending_before
=
10
;
$scope
.
pending_before
=
10
;
...
...
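Review bot: Every new handler concatenates `$scope.ldap_attribute`, `$scope.ldap_attribute_value`, `id_access` and `allowed` into a path without encoding them, so a value containing `/`, `?`, `#` or `%` changes which route is hit or fails to match at all; wrap each segment, e.g. `$http.get('/count_ldap_entries/' + encodeURIComponent($scope.ldap_attribute) + '/' + encodeURIComponent($scope.ldap_attribute_value))`, and likewise in add_ldap_access, delete_ldap_access, move_ldap_access and set_ldap_access. `console.log($scope.cn)` in list_ldap_attributes looks like a leftover debug line and should be dropped. The add/delete/move/set calls change server state through GET requests, which are cacheable and easy to trigger cross-site; since the back end routes are defined in the same commit, both sides could use POST instead. The enclosing controller function starts above the hunk.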
rvd_front.pl
...
@@ -637,6 +637,140 @@ any '/admin/user/(:id).(:type)' => sub {
...
@@ -637,6 +637,140 @@ any '/admin/user/(:id).(:type)' => sub {
return
$c
->
render
(
template
=>
'
main/manage_user
');
return
$c
->
render
(
template
=>
'
main/manage_user
');
};
};
get
'
/list_ldap_attributes/(#cn)
'
=>
sub
{
my
$c
=
shift
;
return
_access_denied
(
$c
)
if
!
$USER
->
is_admin
;
my
$cn
=
$c
->
stash
('
cn
');
my
$user
;
eval
{
(
$user
)
=
Ravada::Auth::LDAP::
search_user
(
$cn
);
};
return
$c
->
render
(
json
=>
{
error
=>
$@
})
if
$@
;
return
$c
->
render
(
json
=>
[]
)
if
!
$user
;
$c
->
session
(
ldap_attributes_cn
=>
$cn
)
if
$user
;
return
$c
->
render
(
json
=>
{
attributes
=>
[
$user
->
attributes
]});
};
get
'
/count_ldap_entries/(#attribute)/(#value)
'
=>
sub
{
my
$c
=
shift
;
return
_access_denied
(
$c
)
if
!
$USER
->
is_admin
;
my
@entries
;
eval
{
@entries
=
Ravada::Auth::LDAP::
search_user
(
field
=>
$c
->
stash
('
attribute
')
,
name
=>
$c
->
stash
('
value
')
,
typesonly
=>
1
);
};
@entries
=
[
'
too many
'
]
if
$@
=~
/Sizelimit exceeded/
;
return
$c
->
render
(
json
=>
{
entries
=>
scalar
@entries
});
};
get
'
/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)
'
=>
sub
{
my
$c
=
shift
;
return
_access_denied
(
$c
)
if
!
$USER
->
is_admin
;
my
$domain_id
=
$c
->
stash
('
id_domain
');
my
$domain
=
Ravada::Front::
Domain
->
open
(
$domain_id
);
my
$attribute
=
$c
->
stash
('
attribute
');
my
$value
=
$c
->
stash
('
value
');
my
$allowed
=
1
;
if
(
$c
->
stash
('
allowed
')
eq
'
false
')
{
$allowed
=
0
;
}
eval
{
$domain
->
allow_ldap_access
(
$attribute
=>
$value
,
$allowed
)
};
_fix_default_ldap_access
(
$c
,
$domain
,
$allowed
)
if
!
$@
;
return
$c
->
render
(
json
=>
{
error
=>
$@
})
if
$@
;
return
$c
->
render
(
json
=>
{
ok
=>
1
});
};
sub
_fix_default_ldap_access
($c, $domain, $allowed) {
my
@list
=
$domain
->
list_ldap_access
();
my
$default_found
;
for
(
@list
)
{
if
(
$_
->
{
value
}
eq
'
*
'
)
{
$default_found
=
$_
->
{
id
};
}
}
if
(
$default_found
)
{
$domain
->
move_ldap_access
(
$default_found
,
+
1
);
return
;
}
my
$allowed_default
=
0
;
$allowed_default
=
1
if
!
$allowed
;
eval
{
$domain
->
allow_ldap_access
('
DEFAULT
'
=>
'
*
',
$allowed_default
)
};
warn
$@
if
$@
;
}
get
'
/delete_ldap_access/(#id_domain)/(#id_access)
'
=>
sub
{
my
$c
=
shift
;
return
_access_denied
(
$c
)
if
!
$USER
->
is_admin
;
my
$domain_id
=
$c
->
stash
('
id_domain
');
my
$domain
=
Ravada::Front::
Domain
->
open
(
$domain_id
);
$domain
->
delete_ldap_access
(
$c
->
stash
('
id_access
'));
return
$c
->
render
(
json
=>
{
ok
=>
1
});
};
get
'
/list_ldap_access/(#id_domain)
'
=>
sub
{
my
$c
=
shift
;
return
_access_denied
(
$c
)
if
!
$USER
->
is_admin
;
my
$domain_id
=
$c
->
stash
('
id_domain
');
my
$domain
=
Ravada::Front::
Domain
->
open
(
$domain_id
);
my
@ldap_access
=
$domain
->
list_ldap_access
();
my
$default
=
{};
if
(
$ldap_access
[
-
1
]
->
{
value
}
eq
'
*
')
{
$default
=
pop
@ldap_access
;
}
return
$c
->
render
(
json
=>
{
list
=>
\
@ldap_access
,
default
=>
$default
}
);
};
get
'
/move_ldap_access/(#id_domain)/(#id_access)/(#count)
'
=>
sub
{
my
$c
=
shift
;
return
_access_denied
(
$c
)
if
!
$USER
->
is_admin
;
my
$domain_id
=
$c
->
stash
('
id_domain
');
my
$domain
=
Ravada::Front::
Domain
->
open
(
$domain_id
);
$domain
->
move_ldap_access
(
$c
->
stash
('
id_access
'),
$c
->
stash
('
count
'));
return
$c
->
render
(
json
=>
{
ok
=>
1
});
};
get
'
/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)
'
=>
sub
{
my
$c
=
shift
;
return
_access_denied
(
$c
)
if
!
$USER
->
is_admin
;
my
$domain_id
=
$c
->
stash
('
id_domain
');
my
$domain
=
Ravada::Front::
Domain
->
open
(
$domain_id
);
my
$allowed
=
$c
->
stash
('
allowed
');
if
(
$allowed
=~
/false/
||
!
$allowed
)
{
$allowed
=
0
;
}
else
{
$allowed
=
1
;
}
$domain
->
set_ldap_access
(
$c
->
stash
('
id_access
'),
$allowed
);
return
$c
->
render
(
json
=>
{
ok
=>
1
});
};
##############################################
##############################################
...
@@ -1432,6 +1566,7 @@ sub manage_machine {
...
@@ -1432,6 +1566,7 @@ sub manage_machine {
$c
->
stash
(
domain
=>
$domain
);
$c
->
stash
(
domain
=>
$domain
);
$c
->
stash
(
USER
=>
$USER
);
$c
->
stash
(
USER
=>
$USER
);
$c
->
stash
(
list_users
=>
$RAVADA
->
list_users
);
$c
->
stash
(
list_users
=>
$RAVADA
->
list_users
);
$c
->
stash
(
ldap_attributes_cn
=>
(
$c
->
session
('
ldap_attributes_cn
')
or
$USER
->
name
or
''));
$c
->
stash
(
ram
=>
int
(
$domain
->
get_info
()
->
{
max_mem
}
/
1024
));
$c
->
stash
(
ram
=>
int
(
$domain
->
get_info
()
->
{
max_mem
}
/
1024
));
$c
->
stash
(
cram
=>
int
(
$domain
->
get_info
()
->
{
memory
}
/
1024
));
$c
->
stash
(
cram
=>
int
(
$domain
->
get_info
()
->
{
memory
}
/
1024
));
...
...
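Review bot: In the `/list_ldap_access/` route `$ldap_access[-1]->{value}` is dereferenced without checking that the list is non-empty, so a domain with no access rules yet makes `$ldap_access[-1]` undef and the deref dies under strict refs; guard it with `if (@ldap_access && $ldap_access[-1]->{value} eq '*') {`. In `/count_ldap_entries/` any eval failure other than the size-limit one is silently discarded and the client receives `entries => 0`, which reads as "no match" rather than "lookup failed"; returning `{ error => $@ }` as `/list_ldap_attributes/` already does would keep the two routes consistent. The `allowed` placeholder is parsed differently in `/add_ldap_access/` (`eq 'false'`) and `/set_ldap_access/` (`=~ /false/ || !$allowed`), so the same input can yield different results; one shared helper would remove the drift. `_fix_default_ldap_access` takes `$c` but never uses it, and a short comment explaining why the `*` default rule is moved one position down when it already exists would make the intent clear.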