mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2024-11-08 22:50:26 +00:00
Validate user role and DNSSEC_ADMINS_ONLY config on DNSSEC related routes
This commit is contained in:
parent
6f54b1a9de
commit
2958ae663c
@ -26,3 +26,13 @@ def can_access_domain(f):
|
|||||||
|
|
||||||
return f(*args, **kwargs)
|
return f(*args, **kwargs)
|
||||||
return decorated_function
|
return decorated_function
|
||||||
|
|
||||||
|
|
||||||
|
def can_configure_dnssec(f):
|
||||||
|
@wraps(f)
|
||||||
|
def decorated_function(*args, **kwargs):
|
||||||
|
if g.user.role.name != 'Administrator' and app.config['DNSSEC_ADMINS_ONLY']:
|
||||||
|
return redirect(url_for('error', code=401))
|
||||||
|
|
||||||
|
return f(*args, **kwargs)
|
||||||
|
return decorated_function
|
||||||
|
@ -849,7 +849,7 @@ class Domain(db.Model):
|
|||||||
try:
|
try:
|
||||||
jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}/cryptokeys'.format(domain.name)), headers=headers, method='POST',data=post_data)
|
jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}/cryptokeys'.format(domain.name)), headers=headers, method='POST',data=post_data)
|
||||||
if 'error' in jdata:
|
if 'error' in jdata:
|
||||||
return {'status': 'error', 'msg': 'DNSSEC is not enabled for this domain', 'jdata' : jdata}
|
return {'status': 'error', 'msg': 'Cannot enable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata}
|
||||||
else:
|
else:
|
||||||
return {'status': 'ok'}
|
return {'status': 'ok'}
|
||||||
except:
|
except:
|
||||||
@ -871,7 +871,7 @@ class Domain(db.Model):
|
|||||||
try:
|
try:
|
||||||
jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + url), headers=headers, method='DELETE')
|
jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + url), headers=headers, method='DELETE')
|
||||||
if 'error' in jdata:
|
if 'error' in jdata:
|
||||||
return {'status': 'error', 'msg': 'DNSSEC is not disabled for this domain', 'jdata' : jdata}
|
return {'status': 'error', 'msg': 'Cannot disable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata}
|
||||||
else:
|
else:
|
||||||
return {'status': 'ok'}
|
return {'status': 'ok'}
|
||||||
except:
|
except:
|
||||||
|
@ -20,7 +20,7 @@ from werkzeug.security import gen_salt
|
|||||||
from .models import User, Domain, Record, Server, History, Anonymous, Setting, DomainSetting, DomainTemplate, DomainTemplateRecord
|
from .models import User, Domain, Record, Server, History, Anonymous, Setting, DomainSetting, DomainTemplate, DomainTemplateRecord
|
||||||
from app import app, login_manager, github, google
|
from app import app, login_manager, github, google
|
||||||
from app.lib import utils
|
from app.lib import utils
|
||||||
from app.decorators import admin_role_required, can_access_domain
|
from app.decorators import admin_role_required, can_access_domain, can_configure_dnssec
|
||||||
|
|
||||||
if app.config['SAML_ENABLED']:
|
if app.config['SAML_ENABLED']:
|
||||||
from onelogin.saml2.auth import OneLogin_Saml2_Auth
|
from onelogin.saml2.auth import OneLogin_Saml2_Auth
|
||||||
@ -807,6 +807,7 @@ def domain_dnssec(domain_name):
|
|||||||
@app.route('/domain/<path:domain_name>/dnssec/enable', methods=['GET'])
|
@app.route('/domain/<path:domain_name>/dnssec/enable', methods=['GET'])
|
||||||
@login_required
|
@login_required
|
||||||
@can_access_domain
|
@can_access_domain
|
||||||
|
@can_configure_dnssec
|
||||||
def domain_dnssec_enable(domain_name):
|
def domain_dnssec_enable(domain_name):
|
||||||
domain = Domain()
|
domain = Domain()
|
||||||
dnssec = domain.enable_domain_dnssec(domain_name)
|
dnssec = domain.enable_domain_dnssec(domain_name)
|
||||||
@ -816,6 +817,7 @@ def domain_dnssec_enable(domain_name):
|
|||||||
@app.route('/domain/<path:domain_name>/dnssec/disable', methods=['GET'])
|
@app.route('/domain/<path:domain_name>/dnssec/disable', methods=['GET'])
|
||||||
@login_required
|
@login_required
|
||||||
@can_access_domain
|
@can_access_domain
|
||||||
|
@can_configure_dnssec
|
||||||
def domain_dnssec_disable(domain_name):
|
def domain_dnssec_disable(domain_name):
|
||||||
domain = Domain()
|
domain = Domain()
|
||||||
dnssec = domain.get_domain_dnssec(domain_name)
|
dnssec = domain.get_domain_dnssec(domain_name)
|
||||||
|
@ -115,5 +115,8 @@ RECORDS_ALLOW_EDIT = ['SOA', 'A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'S
|
|||||||
FORWARD_RECORDS_ALLOW_EDIT = ['A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'SRV', 'TXT', 'LOC' 'NS']
|
FORWARD_RECORDS_ALLOW_EDIT = ['A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'SRV', 'TXT', 'LOC' 'NS']
|
||||||
REVERSE_RECORDS_ALLOW_EDIT = ['SOA', 'TXT', 'LOC', 'NS', 'PTR']
|
REVERSE_RECORDS_ALLOW_EDIT = ['SOA', 'TXT', 'LOC', 'NS', 'PTR']
|
||||||
|
|
||||||
|
# ALLOW DNSSEC CHANGES FOR ADMINS ONLY
|
||||||
|
DNSSEC_ADMINS_ONLY = True
|
||||||
|
|
||||||
# EXPERIMENTAL FEATURES
|
# EXPERIMENTAL FEATURES
|
||||||
PRETTY_IPV6_PTR = False
|
PRETTY_IPV6_PTR = False
|
||||||
|
Loading…
Reference in New Issue
Block a user