Validate user role and DNSSEC_ADMINS_ONLY config on DNSSEC related routes

This commit is contained in:
Khanh Ngo 2018-06-07 09:28:14 +07:00
parent 6f54b1a9de
commit 2958ae663c
No known key found for this signature in database
GPG Key ID: B9AE3BAF6D5A7B22
4 changed files with 18 additions and 3 deletions

View File

@ -26,3 +26,13 @@ def can_access_domain(f):
return f(*args, **kwargs)
return decorated_function
def can_configure_dnssec(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if g.user.role.name != 'Administrator' and app.config['DNSSEC_ADMINS_ONLY']:
return redirect(url_for('error', code=401))
return f(*args, **kwargs)
return decorated_function

View File

@ -849,7 +849,7 @@ class Domain(db.Model):
try:
jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}/cryptokeys'.format(domain.name)), headers=headers, method='POST',data=post_data)
if 'error' in jdata:
return {'status': 'error', 'msg': 'DNSSEC is not enabled for this domain', 'jdata' : jdata}
return {'status': 'error', 'msg': 'Cannot enable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata}
else:
return {'status': 'ok'}
except:
@ -871,7 +871,7 @@ class Domain(db.Model):
try:
jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + url), headers=headers, method='DELETE')
if 'error' in jdata:
return {'status': 'error', 'msg': 'DNSSEC is not disabled for this domain', 'jdata' : jdata}
return {'status': 'error', 'msg': 'Cannot disable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata}
else:
return {'status': 'ok'}
except:

View File

@ -20,7 +20,7 @@ from werkzeug.security import gen_salt
from .models import User, Domain, Record, Server, History, Anonymous, Setting, DomainSetting, DomainTemplate, DomainTemplateRecord
from app import app, login_manager, github, google
from app.lib import utils
from app.decorators import admin_role_required, can_access_domain
from app.decorators import admin_role_required, can_access_domain, can_configure_dnssec
if app.config['SAML_ENABLED']:
from onelogin.saml2.auth import OneLogin_Saml2_Auth
@ -807,6 +807,7 @@ def domain_dnssec(domain_name):
@app.route('/domain/<path:domain_name>/dnssec/enable', methods=['GET'])
@login_required
@can_access_domain
@can_configure_dnssec
def domain_dnssec_enable(domain_name):
domain = Domain()
dnssec = domain.enable_domain_dnssec(domain_name)
@ -816,6 +817,7 @@ def domain_dnssec_enable(domain_name):
@app.route('/domain/<path:domain_name>/dnssec/disable', methods=['GET'])
@login_required
@can_access_domain
@can_configure_dnssec
def domain_dnssec_disable(domain_name):
domain = Domain()
dnssec = domain.get_domain_dnssec(domain_name)

View File

@ -115,5 +115,8 @@ RECORDS_ALLOW_EDIT = ['SOA', 'A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'S
FORWARD_RECORDS_ALLOW_EDIT = ['A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'SRV', 'TXT', 'LOC' 'NS']
REVERSE_RECORDS_ALLOW_EDIT = ['SOA', 'TXT', 'LOC', 'NS', 'PTR']
# ALLOW DNSSEC CHANGES FOR ADMINS ONLY
DNSSEC_ADMINS_ONLY = True
# EXPERIMENTAL FEATURES
PRETTY_IPV6_PTR = False