Feature Update: OAuth Settings Management / Dual-Schema Support (#1515)

This commit is contained in:
Matt Scott 2023-04-10 20:03:28 -04:00 committed by GitHub
commit 4e54a2bb3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 2399 additions and 2029 deletions

View File

@ -1,3 +1,8 @@
# import everything from environment variables
import os
import sys
import json
# Defaults for Docker image
BIND_ADDRESS = '0.0.0.0'
PORT = 80
@ -23,6 +28,7 @@ legal_envvars = (
'OIDC_OAUTH_EMAIL',
'BIND_ADDRESS',
'PORT',
'SERVER_EXTERNAL_SSL',
'LOG_LEVEL',
'SALT',
'SQLALCHEMY_TRACK_MODIFICATIONS',
@ -97,21 +103,18 @@ legal_envvars_bool = (
'SESSION_COOKIE_SECURE',
'CSRF_COOKIE_SECURE',
'CAPTCHA_ENABLE',
'SERVER_EXTERNAL_SSL',
)
legal_envvars_dict = (
'SQLALCHEMY_ENGINE_OPTIONS',
)
# import everything from environment variables
import os
import sys
import json
def str2bool(v):
return v.lower() in ("true", "yes", "1")
def dictfromstr(v,ret):
def dictfromstr(v, ret):
try:
return json.loads(ret)
except Exception as e:
@ -119,10 +122,11 @@ def dictfromstr(v,ret):
print(e)
raise ValueError
for v in legal_envvars:
ret = None
# _FILE suffix will allow to read value from file, usefull for Docker's
# _FILE suffix will allow to read value from file, useful for Docker containers.
# secrets feature
if v + '_FILE' in os.environ:
if v in os.environ:

View File

@ -1,64 +1,65 @@
# Supported environment variables
| Variable | Description | Required | Default value |
| ---------| ----------- | -------- | ------------- |
| BIND_ADDRESS |
| CSRF_COOKIE_SECURE |
| SESSION_TYPE | null|filesystem|sqlalchemy | | filesystem |
| LDAP_ENABLED |
| LOCAL_DB_ENABLED |
| LOG_LEVEL |
| MAIL_DEBUG |
| MAIL_DEFAULT_SENDER |
| MAIL_PASSWORD |
| MAIL_PORT |
| MAIL_SERVER |
| MAIL_USERNAME |
| MAIL_USE_SSL |
| MAIL_USE_TLS |
| OFFLINE_MODE |
| OIDC_OAUTH_API_URL | | | |
| OIDC_OAUTH_AUTHORIZE_URL |
| OIDC_OAUTH_TOKEN_URL | | | |
| OIDC_OAUTH_METADATA_URL | | | |
| PORT |
| REMOTE_USER_COOKIES |
| REMOTE_USER_LOGOUT_URL |
| SALT |
| SAML_ASSERTION_ENCRYPTED |
| SAML_ATTRIBUTE_ACCOUNT |
| SAML_ATTRIBUTE_ADMIN |
| SAML_ATTRIBUTE_EMAIL |
| SAML_ATTRIBUTE_GIVENNAME |
| SAML_ATTRIBUTE_GROUP |
| SAML_ATTRIBUTE_NAME |
| SAML_ATTRIBUTE_SURNAME |
| SAML_ATTRIBUTE_USERNAME |
| SAML_CERT |
| SAML_DEBUG |
| SAML_ENABLED |
| SAML_GROUP_ADMIN_NAME |
| SAML_GROUP_TO_ACCOUNT_MAPPING |
| SAML_IDP_SSO_BINDING |
| SAML_IDP_ENTITY_ID |
| SAML_KEY |
| SAML_LOGOUT |
| SAML_LOGOUT_URL |
| SAML_METADATA_CACHE_LIFETIME |
| SAML_METADATA_URL |
| SAML_NAMEID_FORMAT |
| SAML_PATH |
| SAML_SIGN_REQUEST |
| SAML_SP_CONTACT_MAIL |
| SAML_SP_CONTACT_NAME |
| SAML_SP_ENTITY_ID |
| SAML_WANT_MESSAGE_SIGNED |
| SECRET_KEY | Flask secret key [^1] | Y | no default |
| SESSION_COOKIE_SECURE |
| SIGNUP_ENABLED |
| SQLALCHEMY_DATABASE_URI | SQL Alchemy URI to connect to database | N | no default |
| Variable | Description | Required | Default value |
|--------------------------------|--------------------------------------------------------------------------|------------|---------------|
| BIND_ADDRESS |
| CSRF_COOKIE_SECURE |
| SESSION_TYPE | null | filesystem | sqlalchemy | | filesystem |
| LDAP_ENABLED |
| LOCAL_DB_ENABLED |
| LOG_LEVEL |
| MAIL_DEBUG |
| MAIL_DEFAULT_SENDER |
| MAIL_PASSWORD |
| MAIL_PORT |
| MAIL_SERVER |
| MAIL_USERNAME |
| MAIL_USE_SSL |
| MAIL_USE_TLS |
| OFFLINE_MODE |
| OIDC_OAUTH_API_URL | | | |
| OIDC_OAUTH_AUTHORIZE_URL |
| OIDC_OAUTH_TOKEN_URL | | | |
| OIDC_OAUTH_METADATA_URL | | | |
| PORT |
| SERVER_EXTERNAL_SSL | Forceful override of URL schema detection when using the url_for method. | False | None |
| REMOTE_USER_COOKIES |
| REMOTE_USER_LOGOUT_URL |
| SALT |
| SAML_ASSERTION_ENCRYPTED |
| SAML_ATTRIBUTE_ACCOUNT |
| SAML_ATTRIBUTE_ADMIN |
| SAML_ATTRIBUTE_EMAIL |
| SAML_ATTRIBUTE_GIVENNAME |
| SAML_ATTRIBUTE_GROUP |
| SAML_ATTRIBUTE_NAME |
| SAML_ATTRIBUTE_SURNAME |
| SAML_ATTRIBUTE_USERNAME |
| SAML_CERT |
| SAML_DEBUG |
| SAML_ENABLED |
| SAML_GROUP_ADMIN_NAME |
| SAML_GROUP_TO_ACCOUNT_MAPPING |
| SAML_IDP_SSO_BINDING |
| SAML_IDP_ENTITY_ID |
| SAML_KEY |
| SAML_LOGOUT |
| SAML_LOGOUT_URL |
| SAML_METADATA_CACHE_LIFETIME |
| SAML_METADATA_URL |
| SAML_NAMEID_FORMAT |
| SAML_PATH |
| SAML_SIGN_REQUEST |
| SAML_SP_CONTACT_MAIL |
| SAML_SP_CONTACT_NAME |
| SAML_SP_ENTITY_ID |
| SAML_WANT_MESSAGE_SIGNED |
| SECRET_KEY | Flask secret key [^1] | Y | no default |
| SESSION_COOKIE_SECURE |
| SIGNUP_ENABLED |
| SQLALCHEMY_DATABASE_URI | SQL Alchemy URI to connect to database | N | no default |
| SQLALCHEMY_TRACK_MODIFICATIONS |
| SQLALCHEMY_ENGINE_OPTIONS | json string. e.g. '{"pool_recycle":600,"echo":1}' [^2] |
| SQLALCHEMY_ENGINE_OPTIONS | json string. e.g. '{"pool_recycle":600,"echo":1}' [^2] |
[^1]: Flask secret key (see https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY for how to generate)
[^2]: See Flask-SQLAlchemy Documentation for all engine options.

View File

@ -11,7 +11,9 @@
"jquery-sparkline": "^2.4.0",
"jquery-ui-dist": "^1.13.2",
"jquery.quicksearch": "^2.4.0",
"jquery-validation": "^1.19.5",
"jtimeout": "^3.2.0",
"knockout": "^3.5.1",
"multiselect": "^0.9.12"
},
"resolutions": {

View File

@ -20,6 +20,7 @@ js_login = Bundle(
'node_modules/jquery/dist/jquery.js',
'node_modules/bootstrap/dist/js/bootstrap.js',
'node_modules/icheck/icheck.js',
'node_modules/knockout/build/output/knockout-latest.js',
'custom/js/custom.js',
filters=(ConcatFilter, 'rjsmin'),
output='generated/login.js')
@ -47,6 +48,7 @@ js_main = Bundle(
'node_modules/datatables.net-bs4/js/dataTables.bootstrap4.js',
'node_modules/jquery-sparkline/jquery.sparkline.js',
'node_modules/jquery-slimscroll/jquery.slimscroll.js',
'node_modules/jquery-validation/dist/jquery.validate.js',
'node_modules/icheck/icheck.js',
'node_modules/fastclick/lib/fastclick.js',
'node_modules/moment/moment.js',
@ -55,6 +57,8 @@ js_main = Bundle(
'node_modules/datatables.net-plugins/sorting/natural.js',
'node_modules/jtimeout/src/jTimeout.js',
'node_modules/jquery.quicksearch/src/jquery.quicksearch.js',
'node_modules/knockout/build/output/knockout-latest.js',
'custom/js/app-authentication-settings-editor.js',
'custom/js/custom.js',
'node_modules/bootstrap-datepicker/dist/js/bootstrap-datepicker.js',
filters=(ConcatFilter, 'rjsmin'),

View File

@ -8,6 +8,7 @@ SECRET_KEY = 'e951e5a1f4b94151b360f47edf596dd2'
BIND_ADDRESS = '0.0.0.0'
PORT = 9191
HSTS_ENABLED = False
SERVER_EXTERNAL_SSL = None
SESSION_TYPE = 'sqlalchemy'
SESSION_COOKIE_SAMESITE = 'Lax'

View File

@ -15,6 +15,7 @@ class Setting(db.Model):
value = db.Column(db.Text())
defaults = {
# General Settings
'maintenance': False,
'fullscreen_layout': True,
'record_helper': True,
@ -42,56 +43,82 @@ class Setting(db.Model):
'pdns_api_timeout': 30,
'pdns_version': '4.1.1',
'verify_ssl_connections': True,
'verify_user_email': False,
'enforce_api_ttl': False,
'ttl_options': '1 minute,5 minutes,30 minutes,60 minutes,24 hours',
'otp_field_enabled': True,
'custom_css': '',
'otp_force': False,
'max_history_records': 1000,
'deny_domain_override': False,
'account_name_extra_chars': False,
'gravatar_enabled': False,
# Local Authentication Settings
'local_db_enabled': True,
'signup_enabled': True,
'autoprovisioning': False,
'urn_value': '',
'autoprovisioning_attribute': '',
'purge': False,
'verify_user_email': False,
'pwd_enforce_characters': False,
'pwd_min_len': 10,
'pwd_min_lowercase': 3,
'pwd_min_uppercase': 2,
'pwd_min_digits': 2,
'pwd_min_special': 1,
'pwd_enforce_complexity': False,
'pwd_min_complexity': 11,
# LDAP Authentication Settings
'ldap_enabled': False,
'ldap_type': 'ldap',
'ldap_uri': '',
'ldap_base_dn': '',
'ldap_admin_username': '',
'ldap_admin_password': '',
'ldap_domain': '',
'ldap_filter_basic': '',
'ldap_filter_group': '',
'ldap_filter_username': '',
'ldap_filter_group': '',
'ldap_filter_groupname': '',
'ldap_sg_enabled': False,
'ldap_admin_group': '',
'ldap_operator_group': '',
'ldap_user_group': '',
'ldap_domain': '',
'autoprovisioning': False,
'autoprovisioning_attribute': '',
'urn_value': '',
'purge': False,
# Google OAuth2 Settings
'google_oauth_enabled': False,
'google_oauth_client_id': '',
'google_oauth_client_secret': '',
'google_oauth_scope': 'openid email profile',
'google_base_url': 'https://www.googleapis.com/oauth2/v3/',
'google_oauth_auto_configure': True,
'google_oauth_metadata_url': 'https://accounts.google.com/.well-known/openid-configuration',
'google_token_url': 'https://oauth2.googleapis.com/token',
'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth',
# GitHub OAuth2 Settings
'github_oauth_enabled': False,
'github_oauth_key': '',
'github_oauth_secret': '',
'github_oauth_scope': 'email',
'github_oauth_api_url': 'https://api.github.com/user',
'github_oauth_token_url':
'https://github.com/login/oauth/access_token',
'github_oauth_authorize_url':
'https://github.com/login/oauth/authorize',
'github_oauth_auto_configure': False,
'github_oauth_metadata_url': '',
'google_oauth_enabled': False,
'google_oauth_client_id': '',
'google_oauth_client_secret': '',
'google_token_url': 'https://oauth2.googleapis.com/token',
'google_oauth_scope': 'openid email profile',
'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth',
'google_oauth_metadata_url': '',
'google_base_url': 'https://www.googleapis.com/oauth2/v3/',
'github_oauth_token_url': 'https://github.com/login/oauth/access_token',
'github_oauth_authorize_url': 'https://github.com/login/oauth/authorize',
# Azure OAuth2 Settings
'azure_oauth_enabled': False,
'azure_oauth_key': '',
'azure_oauth_secret': '',
'azure_oauth_scope': 'User.Read openid email profile',
'azure_oauth_api_url': 'https://graph.microsoft.com/v1.0/',
'azure_oauth_token_url':
'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/token',
'azure_oauth_authorize_url':
'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize',
'azure_oauth_auto_configure': True,
'azure_oauth_metadata_url': '',
'azure_oauth_token_url': '',
'azure_oauth_authorize_url': '',
'azure_sg_enabled': False,
'azure_admin_group': '',
'azure_operator_group': '',
@ -101,22 +128,26 @@ class Setting(db.Model):
'azure_group_accounts_name_re': '',
'azure_group_accounts_description': 'description',
'azure_group_accounts_description_re': '',
# OIDC OAuth2 Settings
'oidc_oauth_enabled': False,
'oidc_oauth_key': '',
'oidc_oauth_secret': '',
'oidc_oauth_scope': 'email',
'oidc_oauth_api_url': '',
'oidc_oauth_auto_configure': True,
'oidc_oauth_metadata_url': '',
'oidc_oauth_token_url': '',
'oidc_oauth_authorize_url': '',
'oidc_oauth_metadata_url': '',
'oidc_oauth_logout_url': '',
'oidc_oauth_username': 'preferred_username',
'oidc_oauth_email': 'email',
'oidc_oauth_firstname': 'given_name',
'oidc_oauth_last_name': 'family_name',
'oidc_oauth_email': 'email',
'oidc_oauth_account_name_property': '',
'oidc_oauth_account_description_property': '',
'enforce_api_ttl': False,
# Zone Record Settings
'forward_records_allow_edit': {
'A': True,
'AAAA': True,
@ -193,22 +224,103 @@ class Setting(db.Model):
'TXT': True,
'URI': False
},
'ttl_options': '1 minute,5 minutes,30 minutes,60 minutes,24 hours',
'otp_field_enabled': True,
'custom_css': '',
'otp_force': False,
'max_history_records': 1000,
'deny_domain_override': False,
'account_name_extra_chars': False,
'gravatar_enabled': False,
'pwd_enforce_characters': False,
'pwd_min_len': 10,
'pwd_min_lowercase': 3,
'pwd_min_uppercase': 2,
'pwd_min_digits': 2,
'pwd_min_special': 1,
'pwd_enforce_complexity': False,
'pwd_min_complexity': 11
}
groups = {
'authentication': [
# Local Authentication Settings
'local_db_enabled',
'signup_enabled',
'pwd_enforce_characters',
'pwd_min_len',
'pwd_min_lowercase',
'pwd_min_uppercase',
'pwd_min_digits',
'pwd_min_special',
'pwd_enforce_complexity',
'pwd_min_complexity',
# LDAP Authentication Settings
'ldap_enabled',
'ldap_type',
'ldap_uri',
'ldap_base_dn',
'ldap_admin_username',
'ldap_admin_password',
'ldap_domain',
'ldap_filter_basic',
'ldap_filter_username',
'ldap_filter_group',
'ldap_filter_groupname',
'ldap_sg_enabled',
'ldap_admin_group',
'ldap_operator_group',
'ldap_user_group',
'autoprovisioning',
'autoprovisioning_attribute',
'urn_value',
'purge',
# Google OAuth2 Settings
'google_oauth_enabled',
'google_oauth_client_id',
'google_oauth_client_secret',
'google_oauth_scope',
'google_base_url',
'google_oauth_auto_configure',
'google_oauth_metadata_url',
'google_token_url',
'google_authorize_url',
# GitHub OAuth2 Settings
'github_oauth_enabled',
'github_oauth_key',
'github_oauth_secret',
'github_oauth_scope',
'github_oauth_api_url',
'github_oauth_auto_configure',
'github_oauth_metadata_url',
'github_oauth_token_url',
'github_oauth_authorize_url',
# Azure OAuth2 Settings
'azure_oauth_enabled',
'azure_oauth_key',
'azure_oauth_secret',
'azure_oauth_scope',
'azure_oauth_api_url',
'azure_oauth_auto_configure',
'azure_oauth_metadata_url',
'azure_oauth_token_url',
'azure_oauth_authorize_url',
'azure_sg_enabled',
'azure_admin_group',
'azure_operator_group',
'azure_user_group',
'azure_group_accounts_enabled',
'azure_group_accounts_name',
'azure_group_accounts_name_re',
'azure_group_accounts_description',
'azure_group_accounts_description_re',
# OIDC OAuth2 Settings
'oidc_oauth_enabled',
'oidc_oauth_key',
'oidc_oauth_secret',
'oidc_oauth_scope',
'oidc_oauth_api_url',
'oidc_oauth_auto_configure',
'oidc_oauth_metadata_url',
'oidc_oauth_token_url',
'oidc_oauth_authorize_url',
'oidc_oauth_logout_url',
'oidc_oauth_username',
'oidc_oauth_email',
'oidc_oauth_firstname',
'oidc_oauth_last_name',
'oidc_oauth_account_name_property',
'oidc_oauth_account_description_property',
]
}
def __init__(self, id=None, name=None, value=None):
@ -306,6 +418,28 @@ class Setting(db.Model):
else:
current_app.logger.error('Unknown setting queried: {0}'.format(setting))
def get_group(self, group):
if isinstance(group, str):
group = self.groups[group]
result = {}
records = self.query.all()
for record in records:
if record.name in group:
value = record.value
if value in ['True', 'False']:
value = strtobool(value)
elif value.isdecimal() and '.' in value:
value = float(value)
elif value.isnumeric():
value = int(value)
result[record.name] = value
return result
def get_records_allow_to_edit(self):
return list(
set(self.get_forward_records_allow_to_edit() +

View File

@ -72,8 +72,8 @@ def get_record_changes(del_rrset, add_rrset):
"""For the given record, return the state dict."""
return {
"disabled": record['disabled'],
"content": record['content'],
"comment": record.get('comment', ''),
"content": record['content'],
"comment": record.get('comment', ''),
}
add_records = get_records(add_rrset)
@ -149,8 +149,8 @@ def extract_changelogs_from_a_history_entry(out_changes, history_entry, change_n
# Sort them by the record name
if change_num in out_changes:
out_changes[change_num].sort(key=lambda change:
change.del_rrset['name'] if change.del_rrset else change.add_rrset['name']
)
change.del_rrset['name'] if change.del_rrset else change.add_rrset['name']
)
# only used for changelog per record
if record_name != None and record_type != None: # then get only the records with the specific (record_name, record_type) tuple
@ -897,7 +897,8 @@ class DetailedHistory():
description=DetailedHistory.get_key_val(detail_dict,
"description"))
elif any(msg in history.msg for msg in ['Change zone','Change domain']) and 'access control' in history.msg: # added or removed a user from a zone
elif any(msg in history.msg for msg in ['Change zone',
'Change domain']) and 'access control' in history.msg: # added or removed a user from a zone
users_with_access = DetailedHistory.get_key_val(detail_dict, "user_has_access")
self.detailed_msg = render_template_string("""
<table class="table table-bordered table-striped">
@ -942,7 +943,7 @@ class DetailedHistory():
linked_domains=DetailedHistory.get_key_val(detail_dict,
"domains"))
elif any(msg in history.msg for msg in ['Update type for zone','Update type for domain']):
elif any(msg in history.msg for msg in ['Update type for zone', 'Update type for domain']):
self.detailed_msg = render_template_string("""
<table class="table table-bordered table-striped">
<tr><td>Zone: </td><td>{{ domain }}</td></tr>
@ -977,7 +978,8 @@ class DetailedHistory():
'status'),
history_msg=DetailedHistory.get_key_val(detail_dict, 'msg'))
elif any(msg in history.msg for msg in ['Update zone','Update domain']) and 'associate account' in history.msg: # When an account gets associated or dissociate with zones
elif any(msg in history.msg for msg in ['Update zone',
'Update domain']) and 'associate account' in history.msg: # When an account gets associated or dissociate with zones
self.detailed_msg = render_template_string('''
<table class="table table-bordered table-striped">
<tr><td>Associate: </td><td>{{ history_assoc_account }}</td></tr>
@ -1231,8 +1233,10 @@ def history_table(): # ajax call data
.filter(
db.and_(
db.or_(
History.msg.like("%domain " + domain_name) if domain_name != "*" else History.msg.like("%domain%"),
History.msg.like("%zone " + domain_name) if domain_name != "*" else History.msg.like("%zone%"),
History.msg.like("%domain " + domain_name) if domain_name != "*" else History.msg.like(
"%domain%"),
History.msg.like("%zone " + domain_name) if domain_name != "*" else History.msg.like(
"%zone%"),
History.msg.like(
"%domain " + domain_name + " access control") if domain_name != "*" else History.msg.like(
"%domain%access control"),
@ -1540,287 +1544,34 @@ def has_an_auth_method(local_db_enabled=None,
oidc_oauth_enabled = Setting().get('oidc_oauth_enabled')
if azure_oauth_enabled is None:
azure_oauth_enabled = Setting().get('azure_oauth_enabled')
return local_db_enabled or ldap_enabled or google_oauth_enabled or github_oauth_enabled or oidc_oauth_enabled or azure_oauth_enabled
return local_db_enabled or ldap_enabled or google_oauth_enabled or github_oauth_enabled or oidc_oauth_enabled \
or azure_oauth_enabled
@admin_bp.route('/setting/authentication', methods=['GET', 'POST'])
@login_required
@admin_role_required
def setting_authentication():
if request.method == 'GET':
return render_template('admin_setting_authentication.html')
elif request.method == 'POST':
conf_type = request.form.get('config_tab')
result = None
return render_template('admin_setting_authentication.html')
if conf_type == 'general':
local_db_enabled = True if request.form.get(
'local_db_enabled') else False
signup_enabled = True if request.form.get(
'signup_enabled') else False
pwd_enforce_characters = True if request.form.get('pwd_enforce_characters') else False
pwd_min_len = safe_cast(request.form.get('pwd_min_len', Setting().defaults["pwd_min_len"]), int,
Setting().defaults["pwd_min_len"])
pwd_min_lowercase = safe_cast(request.form.get('pwd_min_lowercase', Setting().defaults["pwd_min_lowercase"]), int,
Setting().defaults["pwd_min_lowercase"])
pwd_min_uppercase = safe_cast(request.form.get('pwd_min_uppercase', Setting().defaults["pwd_min_uppercase"]), int,
Setting().defaults["pwd_min_uppercase"])
pwd_min_digits = safe_cast(request.form.get('pwd_min_digits', Setting().defaults["pwd_min_digits"]), int,
Setting().defaults["pwd_min_digits"])
pwd_min_special = safe_cast(request.form.get('pwd_min_special', Setting().defaults["pwd_min_special"]), int,
Setting().defaults["pwd_min_special"])
@admin_bp.route('/setting/authentication/api', methods=['POST'])
@login_required
@admin_role_required
def setting_authentication_api():
result = {'status': 1, 'messages': [], 'data': {}}
pwd_enforce_complexity = True if request.form.get('pwd_enforce_complexity') else False
pwd_min_complexity = safe_cast(request.form.get('pwd_min_complexity', Setting().defaults["pwd_min_complexity"]), int,
Setting().defaults["pwd_min_complexity"])
if request.form.get('commit') == '1':
model = Setting()
data = json.loads(request.form.get('data'))
if not has_an_auth_method(local_db_enabled=local_db_enabled):
result = {
'status':
False,
'msg':
'Must have at least one authentication method enabled.'
}
else:
Setting().set('local_db_enabled', local_db_enabled)
Setting().set('signup_enabled', signup_enabled)
for key, value in data.items():
if key in model.groups['authentication']:
model.set(key, value)
Setting().set('pwd_enforce_characters', pwd_enforce_characters)
Setting().set('pwd_min_len', pwd_min_len)
Setting().set('pwd_min_lowercase', pwd_min_lowercase)
Setting().set('pwd_min_uppercase', pwd_min_uppercase)
Setting().set('pwd_min_digits', pwd_min_digits)
Setting().set('pwd_min_special', pwd_min_special)
result['data'] = Setting().get_group('authentication')
Setting().set('pwd_enforce_complexity', pwd_enforce_complexity)
Setting().set('pwd_min_complexity', pwd_min_complexity)
result = {'status': True, 'msg': 'Saved successfully'}
elif conf_type == 'ldap':
ldap_enabled = True if request.form.get('ldap_enabled') else False
if not has_an_auth_method(ldap_enabled=ldap_enabled):
result = {
'status':
False,
'msg':
'Must have at least one authentication method enabled.'
}
else:
Setting().set('ldap_enabled', ldap_enabled)
Setting().set('ldap_type', request.form.get('ldap_type'))
Setting().set('ldap_uri', request.form.get('ldap_uri'))
Setting().set('ldap_base_dn', request.form.get('ldap_base_dn'))
Setting().set('ldap_admin_username',
request.form.get('ldap_admin_username'))
Setting().set('ldap_admin_password',
request.form.get('ldap_admin_password'))
Setting().set('ldap_filter_basic',
request.form.get('ldap_filter_basic'))
Setting().set('ldap_filter_group',
request.form.get('ldap_filter_group'))
Setting().set('ldap_filter_username',
request.form.get('ldap_filter_username'))
Setting().set('ldap_filter_groupname',
request.form.get('ldap_filter_groupname'))
Setting().set(
'ldap_sg_enabled', True
if request.form.get('ldap_sg_enabled') == 'ON' else False)
Setting().set('ldap_admin_group',
request.form.get('ldap_admin_group'))
Setting().set('ldap_operator_group',
request.form.get('ldap_operator_group'))
Setting().set('ldap_user_group',
request.form.get('ldap_user_group'))
Setting().set('ldap_domain', request.form.get('ldap_domain'))
Setting().set(
'autoprovisioning', True
if request.form.get('autoprovisioning') == 'ON' else False)
Setting().set('autoprovisioning_attribute',
request.form.get('autoprovisioning_attribute'))
if request.form.get('autoprovisioning') == 'ON':
if validateURN(request.form.get('urn_value')):
Setting().set('urn_value',
request.form.get('urn_value'))
else:
return render_template('admin_setting_authentication.html',
error="Invalid urn")
else:
Setting().set('urn_value',
request.form.get('urn_value'))
Setting().set('purge', True
if request.form.get('purge') == 'ON' else False)
result = {'status': True, 'msg': 'Saved successfully'}
elif conf_type == 'google':
google_oauth_enabled = True if request.form.get(
'google_oauth_enabled') else False
if not has_an_auth_method(google_oauth_enabled=google_oauth_enabled):
result = {
'status':
False,
'msg':
'Must have at least one authentication method enabled.'
}
else:
Setting().set('google_oauth_enabled', google_oauth_enabled)
Setting().set('google_oauth_client_id',
request.form.get('google_oauth_client_id'))
Setting().set('google_oauth_client_secret',
request.form.get('google_oauth_client_secret'))
Setting().set('google_oauth_metadata_url',
request.form.get('google_oauth_metadata_url'))
Setting().set('google_token_url',
request.form.get('google_token_url'))
Setting().set('google_oauth_scope',
request.form.get('google_oauth_scope'))
Setting().set('google_authorize_url',
request.form.get('google_authorize_url'))
Setting().set('google_base_url',
request.form.get('google_base_url'))
result = {
'status': True,
'msg':
'Saved successfully. Please reload PDA to take effect.'
}
elif conf_type == 'github':
github_oauth_enabled = True if request.form.get(
'github_oauth_enabled') else False
if not has_an_auth_method(github_oauth_enabled=github_oauth_enabled):
result = {
'status':
False,
'msg':
'Must have at least one authentication method enabled.'
}
else:
Setting().set('github_oauth_enabled', github_oauth_enabled)
Setting().set('github_oauth_key',
request.form.get('github_oauth_key'))
Setting().set('github_oauth_secret',
request.form.get('github_oauth_secret'))
Setting().set('github_oauth_scope',
request.form.get('github_oauth_scope'))
Setting().set('github_oauth_api_url',
request.form.get('github_oauth_api_url'))
Setting().set('github_oauth_metadata_url',
request.form.get('github_oauth_metadata_url'))
Setting().set('github_oauth_token_url',
request.form.get('github_oauth_token_url'))
Setting().set('github_oauth_authorize_url',
request.form.get('github_oauth_authorize_url'))
result = {
'status': True,
'msg':
'Saved successfully. Please reload PDA to take effect.'
}
elif conf_type == 'azure':
azure_oauth_enabled = True if request.form.get(
'azure_oauth_enabled') else False
if not has_an_auth_method(azure_oauth_enabled=azure_oauth_enabled):
result = {
'status':
False,
'msg':
'Must have at least one authentication method enabled.'
}
else:
Setting().set('azure_oauth_enabled', azure_oauth_enabled)
Setting().set('azure_oauth_key',
request.form.get('azure_oauth_key'))
Setting().set('azure_oauth_secret',
request.form.get('azure_oauth_secret'))
Setting().set('azure_oauth_scope',
request.form.get('azure_oauth_scope'))
Setting().set('azure_oauth_api_url',
request.form.get('azure_oauth_api_url'))
Setting().set('azure_oauth_metadata_url',
request.form.get('azure_oauth_metadata_url'))
Setting().set('azure_oauth_token_url',
request.form.get('azure_oauth_token_url'))
Setting().set('azure_oauth_authorize_url',
request.form.get('azure_oauth_authorize_url'))
Setting().set(
'azure_sg_enabled', True
if request.form.get('azure_sg_enabled') == 'ON' else False)
Setting().set('azure_admin_group',
request.form.get('azure_admin_group'))
Setting().set('azure_operator_group',
request.form.get('azure_operator_group'))
Setting().set('azure_user_group',
request.form.get('azure_user_group'))
Setting().set(
'azure_group_accounts_enabled', True
if request.form.get('azure_group_accounts_enabled') == 'ON' else False)
Setting().set('azure_group_accounts_name',
request.form.get('azure_group_accounts_name'))
Setting().set('azure_group_accounts_name_re',
request.form.get('azure_group_accounts_name_re'))
Setting().set('azure_group_accounts_description',
request.form.get('azure_group_accounts_description'))
Setting().set('azure_group_accounts_description_re',
request.form.get('azure_group_accounts_description_re'))
result = {
'status': True,
'msg':
'Saved successfully. Please reload PDA to take effect.'
}
elif conf_type == 'oidc':
oidc_oauth_enabled = True if request.form.get(
'oidc_oauth_enabled') else False
if not has_an_auth_method(oidc_oauth_enabled=oidc_oauth_enabled):
result = {
'status':
False,
'msg':
'Must have at least one authentication method enabled.'
}
else:
Setting().set(
'oidc_oauth_enabled',
True if request.form.get('oidc_oauth_enabled') else False)
Setting().set('oidc_oauth_key',
request.form.get('oidc_oauth_key'))
Setting().set('oidc_oauth_secret',
request.form.get('oidc_oauth_secret'))
Setting().set('oidc_oauth_scope',
request.form.get('oidc_oauth_scope'))
Setting().set('oidc_oauth_api_url',
request.form.get('oidc_oauth_api_url'))
Setting().set('oidc_oauth_metadata_url',
request.form.get('oidc_oauth_metadata_url'))
Setting().set('oidc_oauth_token_url',
request.form.get('oidc_oauth_token_url'))
Setting().set('oidc_oauth_authorize_url',
request.form.get('oidc_oauth_authorize_url'))
Setting().set('oidc_oauth_logout_url',
request.form.get('oidc_oauth_logout_url'))
Setting().set('oidc_oauth_username',
request.form.get('oidc_oauth_username'))
Setting().set('oidc_oauth_firstname',
request.form.get('oidc_oauth_firstname'))
Setting().set('oidc_oauth_last_name',
request.form.get('oidc_oauth_last_name'))
Setting().set('oidc_oauth_email',
request.form.get('oidc_oauth_email'))
Setting().set('oidc_oauth_account_name_property',
request.form.get('oidc_oauth_account_name_property'))
Setting().set('oidc_oauth_account_description_property',
request.form.get('oidc_oauth_account_description_property'))
result = {
'status': True,
'msg':
'Saved successfully. Please reload PDA to take effect.'
}
else:
return abort(400)
return render_template('admin_setting_authentication.html',
result=result)
return result
@admin_bp.route('/templates', methods=['GET', 'POST'])
@ -2097,16 +1848,16 @@ def global_search():
results = server.global_search(object_type='all', query=query)
# Filter results to domains to which the user has access permission
if current_user.role.name not in [ 'Administrator', 'Operator' ]:
if current_user.role.name not in ['Administrator', 'Operator']:
allowed_domains = db.session.query(Domain) \
.outerjoin(DomainUser, Domain.id == DomainUser.domain_id) \
.outerjoin(Account, Domain.account_id == Account.id) \
.outerjoin(AccountUser, Account.id == AccountUser.account_id) \
.filter(
db.or_(
DomainUser.user_id == current_user.id,
AccountUser.user_id == current_user.id
)) \
db.or_(
DomainUser.user_id == current_user.id,
AccountUser.user_id == current_user.id
)) \
.with_entities(Domain.name) \
.all()
allowed_domains = [value for value, in allowed_domains]

View File

@ -45,6 +45,7 @@ index_bp = Blueprint('index',
template_folder='templates',
url_prefix='/')
@index_bp.before_app_first_request
def register_modules():
global google
@ -68,7 +69,7 @@ def before_request():
# Check site is in maintenance mode
maintenance = Setting().get('maintenance')
if maintenance and current_user.is_authenticated and current_user.role.name not in [
'Administrator', 'Operator'
'Administrator', 'Operator'
]:
return render_template('maintenance.html')
@ -98,7 +99,11 @@ def google_login():
)
abort(400)
else:
redirect_uri = url_for('google_authorized', _external=True)
use_ssl = current_app.config.get('SERVER_EXTERNAL_SSL')
params = {'_external': True}
if isinstance(use_ssl, bool):
params['_scheme'] = 'https' if use_ssl else 'http'
redirect_uri = url_for('google_authorized', **params)
return google.authorize_redirect(redirect_uri)
@ -110,7 +115,11 @@ def github_login():
)
abort(400)
else:
redirect_uri = url_for('github_authorized', _external=True)
use_ssl = current_app.config.get('SERVER_EXTERNAL_SSL')
params = {'_external': True}
if isinstance(use_ssl, bool):
params['_scheme'] = 'https' if use_ssl else 'http'
redirect_uri = url_for('github_authorized', **params)
return github.authorize_redirect(redirect_uri)
@ -122,9 +131,11 @@ def azure_login():
)
abort(400)
else:
redirect_uri = url_for('azure_authorized',
_external=True,
_scheme='https')
use_ssl = current_app.config.get('SERVER_EXTERNAL_SSL')
params = {'_external': True}
if isinstance(use_ssl, bool):
params['_scheme'] = 'https' if use_ssl else 'http'
redirect_uri = url_for('azure_authorized', **params)
return azure.authorize_redirect(redirect_uri)
@ -136,7 +147,11 @@ def oidc_login():
)
abort(400)
else:
redirect_uri = url_for('oidc_authorized', _external=True)
use_ssl = current_app.config.get('SERVER_EXTERNAL_SSL')
params = {'_external': True}
if isinstance(use_ssl, bool):
params['_scheme'] = 'https' if use_ssl else 'http'
redirect_uri = url_for('oidc_authorized', **params)
return oidc.authorize_redirect(redirect_uri)
@ -149,18 +164,18 @@ def login():
if 'google_token' in session:
user_data = json.loads(google.get('userinfo').text)
first_name = user_data['given_name']
surname = user_data['family_name']
email = user_data['email']
user = User.query.filter_by(username=email).first()
google_first_name = user_data['given_name']
google_last_name = user_data['family_name']
google_email = user_data['email']
user = User.query.filter_by(username=google_email).first()
if user is None:
user = User.query.filter_by(email=email).first()
user = User.query.filter_by(email=google_email).first()
if not user:
user = User(username=email,
firstname=first_name,
lastname=surname,
user = User(username=google_email,
firstname=google_first_name,
lastname=google_last_name,
plain_text_password=None,
email=email)
email=google_email)
result = user.create_local_user()
if not result['status']:
@ -172,10 +187,18 @@ def login():
return authenticate_user(user, 'Google OAuth')
if 'github_token' in session:
me = json.loads(github.get('user').text)
github_username = me['login']
github_name = me['name']
github_email = me['email']
user_data = json.loads(github.get('user').text)
github_username = user_data['login']
github_first_name = user_data['name']
github_last_name = ''
github_email = user_data['email']
# If the user's full name from GitHub contains at least two words, use the first word as the first name and
# the rest as the last name.
github_name_parts = github_first_name.split(' ')
if len(github_name_parts) > 1:
github_first_name = github_name_parts[0]
github_last_name = ' '.join(github_name_parts[1:])
user = User.query.filter_by(username=github_username).first()
if user is None:
@ -183,8 +206,8 @@ def login():
if not user:
user = User(username=github_username,
plain_text_password=None,
firstname=github_name,
lastname='',
firstname=github_first_name,
lastname=github_last_name,
email=github_email)
result = user.create_local_user()
@ -198,8 +221,8 @@ def login():
if 'azure_token' in session:
azure_info = azure.get('me?$select=displayName,givenName,id,mail,surname,userPrincipalName').text
current_app.logger.info('Azure login returned: '+azure_info)
me = json.loads(azure_info)
current_app.logger.info('Azure login returned: ' + azure_info)
user_data = json.loads(azure_info)
azure_info = azure.post('me/getMemberGroups',
json={'securityEnabledOnly': False}).text
@ -211,15 +234,15 @@ def login():
else:
mygroups = []
azure_username = me["userPrincipalName"]
azure_givenname = me["givenName"]
azure_familyname = me["surname"]
if "mail" in me:
azure_email = me["mail"]
azure_username = user_data["userPrincipalName"]
azure_first_name = user_data["givenName"]
azure_last_name = user_data["surname"]
if "mail" in user_data:
azure_email = user_data["mail"]
else:
azure_email = ""
if not azure_email:
azure_email = me["userPrincipalName"]
azure_email = user_data["userPrincipalName"]
# Handle foreign principals such as guest users
azure_email = re.sub(r"#.*$", "", azure_email)
@ -229,8 +252,8 @@ def login():
if not user:
user = User(username=azure_username,
plain_text_password=None,
firstname=azure_givenname,
lastname=azure_familyname,
firstname=azure_first_name,
lastname=azure_last_name,
email=azure_email)
result = user.create_local_user()
@ -250,30 +273,30 @@ def login():
if Setting().get('azure_sg_enabled'):
if Setting().get('azure_admin_group') in mygroups:
current_app.logger.info('Setting role for user ' +
azure_username +
' to Administrator due to group membership')
azure_username +
' to Administrator due to group membership')
user.set_role("Administrator")
else:
if Setting().get('azure_operator_group') in mygroups:
current_app.logger.info('Setting role for user ' +
azure_username +
' to Operator due to group membership')
azure_username +
' to Operator due to group membership')
user.set_role("Operator")
else:
if Setting().get('azure_user_group') in mygroups:
current_app.logger.info('Setting role for user ' +
azure_username +
' to User due to group membership')
azure_username +
' to User due to group membership')
user.set_role("User")
else:
current_app.logger.warning('User ' +
azure_username +
' has no relevant group memberships')
azure_username +
' has no relevant group memberships')
session.pop('azure_token', None)
return render_template('login.html',
saml_enabled=SAML_ENABLED,
error=('User ' + azure_username +
' is not in any authorised groups.'))
saml_enabled=SAML_ENABLED,
error=('User ' + azure_username +
' is not in any authorised groups.'))
# Handle account/group creation, if enabled
if Setting().get('azure_group_accounts_enabled') and mygroups:
@ -369,23 +392,23 @@ def login():
return authenticate_user(user, 'Azure OAuth')
if 'oidc_token' in session:
me = json.loads(oidc.get('userinfo').text)
oidc_username = me[Setting().get('oidc_oauth_username')]
oidc_givenname = me[Setting().get('oidc_oauth_firstname')]
oidc_familyname = me[Setting().get('oidc_oauth_last_name')]
oidc_email = me[Setting().get('oidc_oauth_email')]
user_data = json.loads(oidc.get('userinfo').text)
oidc_username = user_data[Setting().get('oidc_oauth_username')]
oidc_first_name = user_data[Setting().get('oidc_oauth_firstname')]
oidc_last_name = user_data[Setting().get('oidc_oauth_last_name')]
oidc_email = user_data[Setting().get('oidc_oauth_email')]
user = User.query.filter_by(username=oidc_username).first()
if not user:
user = User(username=oidc_username,
plain_text_password=None,
firstname=oidc_givenname,
lastname=oidc_familyname,
firstname=oidc_first_name,
lastname=oidc_last_name,
email=oidc_email)
result = user.create_local_user()
else:
user.firstname = oidc_givenname
user.lastname = oidc_familyname
user.firstname = oidc_first_name
user.lastname = oidc_last_name
user.email = oidc_email
user.plain_text_password = None
result = user.update_local_user()
@ -394,20 +417,22 @@ def login():
session.pop('oidc_token', None)
return redirect(url_for('index.login'))
#This checks if the account_name_property and account_description property were included in settings.
if Setting().get('oidc_oauth_account_name_property') and Setting().get('oidc_oauth_account_description_property'):
# This checks if the account_name_property and account_description property were included in settings.
if Setting().get('oidc_oauth_account_name_property') and Setting().get(
'oidc_oauth_account_description_property'):
#Gets the name_property and description_property.
# Gets the name_property and description_property.
name_prop = Setting().get('oidc_oauth_account_name_property')
desc_prop = Setting().get('oidc_oauth_account_description_property')
account_to_add = []
#If the name_property and desc_property exist in me (A variable that contains all the userinfo from the IdP).
if name_prop in me and desc_prop in me:
accounts_name_prop = [me[name_prop]] if type(me[name_prop]) is not list else me[name_prop]
accounts_desc_prop = [me[desc_prop]] if type(me[desc_prop]) is not list else me[desc_prop]
# If the name_property and desc_property exist in me (A variable that contains all the userinfo from the
# IdP).
if name_prop in user_data and desc_prop in user_data:
accounts_name_prop = [user_data[name_prop]] if type(user_data[name_prop]) is not list else user_data[name_prop]
accounts_desc_prop = [user_data[desc_prop]] if type(user_data[desc_prop]) is not list else user_data[desc_prop]
#Run on all groups the user is in by the index num.
# Run on all groups the user is in by the index num.
for i in range(len(accounts_name_prop)):
description = ''
if i < len(accounts_desc_prop):
@ -417,7 +442,7 @@ def login():
account_to_add.append(account)
user_accounts = user.get_accounts()
# Add accounts
# Add accounts
for account in account_to_add:
if account not in user_accounts:
account.add_user(user)
@ -426,7 +451,7 @@ def login():
if Setting().get('delete_sso_accounts'):
for account in user_accounts:
if account not in account_to_add:
account.remove_user(user)
account.remove_user(user)
session['user_id'] = user.id
session['authentication_type'] = 'OAuth'
@ -490,34 +515,36 @@ def login():
saml_enabled=SAML_ENABLED,
error='Token required')
if Setting().get('autoprovisioning') and auth_method!='LOCAL':
urn_value=Setting().get('urn_value')
Entitlements=user.read_entitlements(Setting().get('autoprovisioning_attribute'))
if len(Entitlements)==0 and Setting().get('purge'):
if Setting().get('autoprovisioning') and auth_method != 'LOCAL':
urn_value = Setting().get('urn_value')
Entitlements = user.read_entitlements(Setting().get('autoprovisioning_attribute'))
if len(Entitlements) == 0 and Setting().get('purge'):
user.set_role("User")
user.revoke_privilege(True)
elif len(Entitlements)!=0:
elif len(Entitlements) != 0:
if checkForPDAEntries(Entitlements, urn_value):
user.updateUser(Entitlements)
else:
current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
current_app.logger.warning(
'Not a single powerdns-admin record was found, possibly a typo in the prefix')
if Setting().get('purge'):
user.set_role("User")
user.revoke_privilege(True)
current_app.logger.warning('Procceding to revoke every privilige from ' + user.username + '.' )
current_app.logger.warning('Procceding to revoke every privilige from ' + user.username + '.')
return authenticate_user(user, auth_method, remember_me)
def checkForPDAEntries(Entitlements, urn_value):
"""
Run through every record located in the ldap attribute given and determine if there are any valid powerdns-admin records
"""
urnArguments=[x.lower() for x in urn_value.split(':')]
urnArguments = [x.lower() for x in urn_value.split(':')]
for Entitlement in Entitlements:
entArguments=Entitlement.split(':powerdns-admin')
entArguments=[x.lower() for x in entArguments[0].split(':')]
if (entArguments==urnArguments):
entArguments = Entitlement.split(':powerdns-admin')
entArguments = [x.lower() for x in entArguments[0].split(':')]
if (entArguments == urnArguments):
return True
return False
@ -553,14 +580,15 @@ def signin_history(username, authenticator, success):
# Write history
History(msg='User {} authentication {}'.format(username, str_success),
detail = json.dumps({
'username': username,
'authenticator': authenticator,
'ip_address': request_ip,
'success': 1 if success else 0
}),
detail=json.dumps({
'username': username,
'authenticator': authenticator,
'ip_address': request_ip,
'success': 1 if success else 0
}),
created_by='System').add()
# Get a list of Azure security groups the user is a member of
def get_azure_groups(uri):
azure_info = azure.get(uri).text
@ -576,30 +604,33 @@ def get_azure_groups(uri):
mygroups = []
return mygroups
# Handle user login, write history and, if set, handle showing the register_otp QR code.
# if Setting for OTP on first login is enabled, and OTP field is also enabled,
# but user isn't using it yet, enable OTP, get QR code and display it, logging the user out.
def authenticate_user(user, authenticator, remember=False):
login_user(user, remember=remember)
signin_history(user.username, authenticator, True)
if Setting().get('otp_force') and Setting().get('otp_field_enabled') and not user.otp_secret and session['authentication_type'] not in ['OAuth']:
if Setting().get('otp_force') and Setting().get('otp_field_enabled') and not user.otp_secret \
and session['authentication_type'] not in ['OAuth']:
user.update_profile(enable_otp=True)
user_id = current_user.id
prepare_welcome_user(user_id)
return redirect(url_for('index.welcome'))
return redirect(url_for('index.login'))
# Prepare user to enter /welcome screen, otherwise they won't have permission to do so
def prepare_welcome_user(user_id):
logout_user()
session['welcome_user_id'] = user_id
@index_bp.route('/logout')
def logout():
if current_app.config.get(
'SAML_ENABLED'
) and 'samlSessionIndex' in session and current_app.config.get(
'SAML_LOGOUT'):
) and 'samlSessionIndex' in session and current_app.config.get('SAML_LOGOUT'):
req = saml.prepare_flask_request(request)
auth = saml.init_saml_auth(req)
if current_app.config.get('SAML_LOGOUT_URL'):
@ -651,13 +682,12 @@ def logout():
def password_policy_check(user, password):
def check_policy(chars, user_password, setting):
lenreq = int(Setting().get(setting))
setting_as_int = int(Setting().get(setting))
test_string = user_password
for c in chars:
test_string = test_string.replace(c, '')
return (lenreq, len(user_password) - len(test_string))
return (setting_as_int, len(user_password) - len(test_string))
def matches_policy(item, policy_fails):
return "*" if item in policy_fails else ""
@ -704,12 +734,14 @@ def password_policy_check(user, password):
(pwd_min_lowercase_setting, pwd_lowercase) = check_policy(string.digits, password, 'pwd_min_lowercase')
if pwd_lowercase < pwd_min_lowercase_setting:
policy_fails["lowercase"] = True
policy.append(f"{matches_policy('lowercase', policy_fails)}lowercase={pwd_lowercase}/{pwd_min_lowercase_setting}")
policy.append(
f"{matches_policy('lowercase', policy_fails)}lowercase={pwd_lowercase}/{pwd_min_lowercase_setting}")
# Uppercase
(pwd_min_uppercase_setting, pwd_uppercase) = check_policy(string.digits, password, 'pwd_min_uppercase')
if pwd_uppercase < pwd_min_uppercase_setting:
policy_fails["uppercase"] = True
policy.append(f"{matches_policy('uppercase', policy_fails)}uppercase={pwd_uppercase}/{pwd_min_uppercase_setting}")
policy.append(
f"{matches_policy('uppercase', policy_fails)}uppercase={pwd_uppercase}/{pwd_min_uppercase_setting}")
# Special
(pwd_min_special_setting, pwd_special) = check_policy(string.digits, password, 'pwd_min_special')
if pwd_special < pwd_min_special_setting:
@ -728,7 +760,8 @@ def password_policy_check(user, password):
pwd_complexity = result['guesses_log10']
if pwd_complexity < pwd_min_complexity_setting:
policy_fails["complexity"] = True
policy.append(f"{matches_policy('complexity', policy_fails)}complexity={pwd_complexity:.0f}/{pwd_min_complexity_setting}")
policy.append(
f"{matches_policy('complexity', policy_fails)}complexity={pwd_complexity:.0f}/{pwd_min_complexity_setting}")
policy_str = {"password": f"Fails policy: {', '.join(policy)}. Items prefixed with '*' failed."}
@ -738,77 +771,78 @@ def password_policy_check(user, password):
@index_bp.route('/register', methods=['GET', 'POST'])
def register():
CAPTCHA_ENABLE = current_app.config.get('CAPTCHA_ENABLE')
if Setting().get('signup_enabled'):
if current_user.is_authenticated:
return redirect(url_for('index.index'))
if request.method == 'GET':
return render_template('register.html', captcha_enable=CAPTCHA_ENABLE)
elif request.method == 'POST':
username = request.form.get('username', '').strip()
password = request.form.get('password', '')
firstname = request.form.get('firstname', '').strip()
lastname = request.form.get('lastname', '').strip()
email = request.form.get('email', '').strip()
rpassword = request.form.get('rpassword', '')
CAPTCHA_ENABLE = current_app.config.get('CAPTCHA_ENABLE')
if Setting().get('signup_enabled'):
if current_user.is_authenticated:
return redirect(url_for('index.index'))
if request.method == 'GET':
return render_template('register.html', captcha_enable=CAPTCHA_ENABLE)
elif request.method == 'POST':
username = request.form.get('username', '').strip()
password = request.form.get('password', '')
firstname = request.form.get('firstname', '').strip()
lastname = request.form.get('lastname', '').strip()
email = request.form.get('email', '').strip()
rpassword = request.form.get('rpassword', '')
is_valid_email = re.compile(r'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$')
is_valid_email = re.compile(r'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$')
error_messages = {}
if not firstname:
error_messages['firstname'] = 'First Name is required'
if not lastname:
error_messages['lastname'] = 'Last Name is required'
if not username:
error_messages['username'] = 'Username is required'
if not password:
error_messages['password'] = 'Password is required'
if not rpassword:
error_messages['rpassword'] = 'Password confirmation is required'
if not email:
error_messages['email'] = 'Email is required'
if not is_valid_email.match(email):
error_messages['email'] = 'Invalid email address'
if password != rpassword:
error_messages['password'] = 'Password confirmation does not match'
error_messages['rpassword'] = 'Password confirmation does not match'
error_messages = {}
if not firstname:
error_messages['firstname'] = 'First Name is required'
if not lastname:
error_messages['lastname'] = 'Last Name is required'
if not username:
error_messages['username'] = 'Username is required'
if not password:
error_messages['password'] = 'Password is required'
if not rpassword:
error_messages['rpassword'] = 'Password confirmation is required'
if not email:
error_messages['email'] = 'Email is required'
if not is_valid_email.match(email):
error_messages['email'] = 'Invalid email address'
if password != rpassword:
error_messages['password'] = 'Password confirmation does not match'
error_messages['rpassword'] = 'Password confirmation does not match'
if not captcha.validate():
return render_template(
'register.html', error='Invalid CAPTCHA answer', error_messages=error_messages, captcha_enable=CAPTCHA_ENABLE)
if not captcha.validate():
return render_template(
'register.html', error='Invalid CAPTCHA answer', error_messages=error_messages,
captcha_enable=CAPTCHA_ENABLE)
if error_messages:
return render_template('register.html', error_messages=error_messages, captcha_enable=CAPTCHA_ENABLE)
if error_messages:
return render_template('register.html', error_messages=error_messages, captcha_enable=CAPTCHA_ENABLE)
user = User(username=username,
plain_text_password=password,
firstname=firstname,
lastname=lastname,
email=email
)
user = User(username=username,
plain_text_password=password,
firstname=firstname,
lastname=lastname,
email=email
)
(password_policy_pass, password_policy) = password_policy_check(user, password)
if not password_policy_pass:
return render_template('register.html', error_messages=password_policy, captcha_enable=CAPTCHA_ENABLE)
(password_policy_pass, password_policy) = password_policy_check(user, password)
if not password_policy_pass:
return render_template('register.html', error_messages=password_policy, captcha_enable=CAPTCHA_ENABLE)
try:
result = user.create_local_user()
if result and result['status']:
if Setting().get('verify_user_email'):
send_account_verification(email)
if Setting().get('otp_force') and Setting().get('otp_field_enabled'):
user.update_profile(enable_otp=True)
prepare_welcome_user(user.id)
return redirect(url_for('index.welcome'))
else:
return redirect(url_for('index.login'))
try:
result = user.create_local_user()
if result and result['status']:
if Setting().get('verify_user_email'):
send_account_verification(email)
if Setting().get('otp_force') and Setting().get('otp_field_enabled'):
user.update_profile(enable_otp=True)
prepare_welcome_user(user.id)
return redirect(url_for('index.welcome'))
else:
return redirect(url_for('index.login'))
else:
return render_template('register.html',
error=result['msg'], captcha_enable=CAPTCHA_ENABLE)
except Exception as e:
return render_template('register.html', error=e, captcha_enable=CAPTCHA_ENABLE)
else:
return render_template('register.html',
error=result['msg'], captcha_enable=CAPTCHA_ENABLE)
except Exception as e:
return render_template('register.html', error=e, captcha_enable=CAPTCHA_ENABLE)
else:
return render_template('errors/404.html'), 404
return render_template('errors/404.html'), 404
# Show welcome page on first login if otp_force is enabled
@ -827,12 +861,15 @@ def welcome():
if otp_token and otp_token.isdigit():
good_token = user.verify_totp(otp_token)
if not good_token:
return render_template('register_otp.html', qrcode_image=encoded_img_data.decode(), user=user, error="Invalid token")
return render_template('register_otp.html', qrcode_image=encoded_img_data.decode(), user=user,
error="Invalid token")
else:
return render_template('register_otp.html', qrcode_image=encoded_img_data.decode(), user=user, error="Token required")
return render_template('register_otp.html', qrcode_image=encoded_img_data.decode(), user=user,
error="Token required")
session.pop('welcome_user_id')
return redirect(url_for('index.index'))
@index_bp.route('/confirm/<token>', methods=['GET'])
def confirm_email(token):
email = confirm_token(token)
@ -919,10 +956,10 @@ def dyndns_update():
.outerjoin(Account, Domain.account_id == Account.id) \
.outerjoin(AccountUser, Account.id == AccountUser.account_id) \
.filter(
db.or_(
DomainUser.user_id == current_user.id,
AccountUser.user_id == current_user.id
)).all()
db.or_(
DomainUser.user_id == current_user.id,
AccountUser.user_id == current_user.id
)).all()
except Exception as e:
current_app.logger.error('DynDNS Error: {0}'.format(e))
current_app.logger.debug(traceback.format_exc())
@ -982,13 +1019,13 @@ def dyndns_update():
if result['status'] == 'ok':
history = History(
msg='DynDNS update: updated {} successfully'.format(hostname),
detail = json.dumps({
'domain': domain.name,
'record': hostname,
'type': rtype,
'old_value': oldip,
'new_value': str(ip)
}),
detail=json.dumps({
'domain': domain.name,
'record': hostname,
'type': rtype,
'old_value': oldip,
'new_value': str(ip)
}),
created_by=current_user.username,
domain_id=domain.id)
history.add()
@ -999,7 +1036,7 @@ def dyndns_update():
elif r.is_allowed_edit():
ondemand_creation = DomainSetting.query.filter(
DomainSetting.domain == domain).filter(
DomainSetting.setting == 'create_via_dyndns').first()
DomainSetting.setting == 'create_via_dyndns').first()
if (ondemand_creation is not None) and (strtobool(
ondemand_creation.value) == True):
@ -1024,11 +1061,11 @@ def dyndns_update():
msg=
'DynDNS update: created record {0} in zone {1} successfully'
.format(hostname, domain.name, str(ip)),
detail = json.dumps({
'domain': domain.name,
'record': hostname,
'value': str(ip)
}),
detail=json.dumps({
'domain': domain.name,
'record': hostname,
'value': str(ip)
}),
created_by=current_user.username,
domain_id=domain.id)
history.add()
@ -1088,7 +1125,7 @@ def saml_authorized():
req = saml.prepare_flask_request(request)
auth = saml.init_saml_auth(req)
auth.process_response()
current_app.logger.debug( auth.get_attributes() )
current_app.logger.debug(auth.get_attributes())
errors = auth.get_errors()
if len(errors) == 0:
session['samlUserdata'] = auth.get_attributes()
@ -1097,7 +1134,7 @@ def saml_authorized():
self_url = OneLogin_Saml2_Utils.get_self_url(req)
self_url = self_url + req['script_name']
if 'RelayState' in request.form and self_url != request.form[
'RelayState']:
'RelayState']:
return redirect(auth.redirect_to(request.form['RelayState']))
if current_app.config.get('SAML_ATTRIBUTE_USERNAME', False):
username = session['samlUserdata'][
@ -1129,7 +1166,7 @@ def saml_authorized():
admin_group_name = current_app.config.get('SAML_GROUP_ADMIN_NAME',
None)
operator_group_name = current_app.config.get('SAML_GROUP_OPERATOR_NAME',
None)
None)
group_to_account_mapping = create_group_to_account_mapping()
if email_attribute_name in session['samlUserdata']:
@ -1170,13 +1207,13 @@ def saml_authorized():
account.add_user(user)
history = History(msg='Adding {0} to account {1}'.format(
user.username, account.name),
created_by='SAML Assertion')
created_by='SAML Assertion')
history.add()
for account in user_accounts - saml_accounts:
account.remove_user(user)
history = History(msg='Removing {0} from account {1}'.format(
user.username, account.name),
created_by='SAML Assertion')
created_by='SAML Assertion')
history.add()
if admin_attribute_name and 'true' in session['samlUserdata'].get(
admin_attribute_name, []):
@ -1190,7 +1227,7 @@ def saml_authorized():
user.role_id = Role.query.filter_by(name='User').first().id
history = History(msg='Demoting {0} to user'.format(
user.username),
created_by='SAML Assertion')
created_by='SAML Assertion')
history.add()
user.plain_text_password = None
user.update_profile()
@ -1234,15 +1271,16 @@ def uplift_to_admin(user):
user.role_id = Role.query.filter_by(name='Administrator').first().id
history = History(msg='Promoting {0} to administrator'.format(
user.username),
created_by='SAML Assertion')
created_by='SAML Assertion')
history.add()
def uplift_to_operator(user):
if user.role.name != 'Operator':
user.role_id = Role.query.filter_by(name='Operator').first().id
history = History(msg='Promoting {0} to operator'.format(
user.username),
created_by='SAML Assertion')
created_by='SAML Assertion')
history.add()

View File

@ -20,8 +20,6 @@ def azure_oauth():
'client_secret': Setting().get('azure_oauth_secret'),
'api_base_url': Setting().get('azure_oauth_api_url'),
'request_token_url': None,
'access_token_url': Setting().get('azure_oauth_token_url'),
'authorize_url': Setting().get('azure_oauth_authorize_url'),
'client_kwargs': {'scope': Setting().get('azure_oauth_scope')},
'fetch_token': fetch_azure_token,
}
@ -30,6 +28,9 @@ def azure_oauth():
if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0:
authlib_params['server_metadata_url'] = server_metadata_url
else:
authlib_params['access_token_url'] = Setting().get('azure_oauth_token_url')
authlib_params['authorize_url'] = Setting().get('azure_oauth_authorize_url')
azure = authlib_oauth_client.register(
'azure',
@ -38,14 +39,16 @@ def azure_oauth():
@current_app.route('/azure/authorized')
def azure_authorized():
session['azure_oauthredir'] = url_for('.azure_authorized',
_external=True,
_scheme='https')
use_ssl = current_app.config.get('SERVER_EXTERNAL_SSL')
params = {'_external': True}
if isinstance(use_ssl, bool):
params['_scheme'] = 'https' if use_ssl else 'http'
session['azure_oauthredir'] = url_for('.azure_authorized', **params)
token = azure.authorize_access_token()
if token is None:
return 'Access denied: reason=%s error=%s' % (
request.args['error'], request.args['error_description'])
session['azure_token'] = (token)
return redirect(url_for('index.login', _external=True, _scheme='https'))
return redirect(url_for('index.login', **params))
return azure

View File

@ -21,8 +21,6 @@ def github_oauth():
'request_token_params': {'scope': Setting().get('github_oauth_scope')},
'api_base_url': Setting().get('github_oauth_api_url'),
'request_token_url': None,
'access_token_url': Setting().get('github_oauth_token_url'),
'authorize_url': Setting().get('github_oauth_authorize_url'),
'client_kwargs': {'scope': Setting().get('github_oauth_scope')},
'fetch_token': fetch_github_token,
'update_token': update_token
@ -32,6 +30,9 @@ def github_oauth():
if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0:
authlib_params['server_metadata_url'] = server_metadata_url
else:
authlib_params['access_token_url'] = Setting().get('github_oauth_token_url')
authlib_params['authorize_url'] = Setting().get('github_oauth_authorize_url')
github = authlib_oauth_client.register(
'github',
@ -40,13 +41,16 @@ def github_oauth():
@current_app.route('/github/authorized')
def github_authorized():
session['github_oauthredir'] = url_for('.github_authorized',
_external=True)
use_ssl = current_app.config.get('SERVER_EXTERNAL_SSL')
params = {'_external': True}
if isinstance(use_ssl, bool):
params['_scheme'] = 'https' if use_ssl else 'http'
session['github_oauthredir'] = url_for('.github_authorized', **params)
token = github.authorize_access_token()
if token is None:
return 'Access denied: reason=%s error=%s' % (
request.args['error'], request.args['error_description'])
session['github_token'] = (token)
return redirect(url_for('index.login'))
session['github_token'] = token
return redirect(url_for('index.login', **params))
return github

View File

@ -20,8 +20,6 @@ def google_oauth():
'client_secret': Setting().get('google_oauth_client_secret'),
'api_base_url': Setting().get('google_base_url'),
'request_token_url': None,
'access_token_url': Setting().get('google_token_url'),
'authorize_url': Setting().get('google_authorize_url'),
'client_kwargs': {'scope': Setting().get('google_oauth_scope')},
'fetch_token': fetch_google_token,
'update_token': update_token
@ -31,6 +29,9 @@ def google_oauth():
if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0:
authlib_params['server_metadata_url'] = server_metadata_url
else:
authlib_params['access_token_url'] = Setting().get('google_token_url')
authlib_params['authorize_url'] = Setting().get('google_authorize_url')
google = authlib_oauth_client.register(
'google',
@ -39,16 +40,18 @@ def google_oauth():
@current_app.route('/google/authorized')
def google_authorized():
session['google_oauthredir'] = url_for(
'.google_authorized', _external=True)
use_ssl = current_app.config.get('SERVER_EXTERNAL_SSL')
params = {'_external': True}
if isinstance(use_ssl, bool):
params['_scheme'] = 'https' if use_ssl else 'http'
session['google_oauthredir'] = url_for('.google_authorized', **params)
token = google.authorize_access_token()
if token is None:
return 'Access denied: reason=%s error=%s' % (
request.args['error_reason'],
request.args['error_description']
)
session['google_token'] = (token)
return redirect(url_for('index.login'))
session['google_token'] = token
return redirect(url_for('index.login', **params))
return google

View File

@ -20,8 +20,6 @@ def oidc_oauth():
'client_secret': Setting().get('oidc_oauth_secret'),
'api_base_url': Setting().get('oidc_oauth_api_url'),
'request_token_url': None,
'access_token_url': Setting().get('oidc_oauth_token_url'),
'authorize_url': Setting().get('oidc_oauth_authorize_url'),
'client_kwargs': {'scope': Setting().get('oidc_oauth_scope')},
'fetch_token': fetch_oidc_token,
'update_token': update_token
@ -31,6 +29,9 @@ def oidc_oauth():
if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0:
authlib_params['server_metadata_url'] = server_metadata_url
else:
authlib_params['access_token_url'] = Setting().get('oidc_oauth_token_url')
authlib_params['authorize_url'] = Setting().get('oidc_oauth_authorize_url')
oidc = authlib_oauth_client.register(
'oidc',
@ -39,13 +40,16 @@ def oidc_oauth():
@current_app.route('/oidc/authorized')
def oidc_authorized():
session['oidc_oauthredir'] = url_for('.oidc_authorized',
_external=True)
use_ssl = current_app.config.get('SERVER_EXTERNAL_SSL')
params = {'_external': True}
if isinstance(use_ssl, bool):
params['_scheme'] = 'https' if use_ssl else 'http'
session['oidc_oauthredir'] = url_for('.oidc_authorized', **params)
token = oidc.authorize_access_token()
if token is None:
return 'Access denied: reason=%s error=%s' % (
request.args['error'], request.args['error_description'])
session['oidc_token'] = (token)
return redirect(url_for('index.login'))
session['oidc_token'] = token
return redirect(url_for('index.login', **params))
return oidc
return oidc

View File

@ -0,0 +1,801 @@
let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, selector) {
let self = this;
let target = null;
self.api_url = api_url;
self.csrf_token = csrf_token;
self.selector = selector;
self.loading = false;
self.saving = false;
self.saved = false;
self.save_failed = false;
self.messages = [];
self.messages_class = 'info';
self.tab_active = '';
self.tab_default = 'local';
let defaults = {
// Local Authentication Settings
local_db_enabled: 1,
signup_enabled: 1,
pwd_enforce_characters: 0,
pwd_min_len: 10,
pwd_min_lowercase: 3,
pwd_min_uppercase: 2,
pwd_min_digits: 2,
pwd_min_special: 1,
pwd_enforce_complexity: 0,
pwd_min_complexity: 11,
// LDAP Authentication Settings
ldap_enabled: 0,
ldap_type: 'ldap',
ldap_uri: '',
ldap_base_dn: '',
ldap_admin_username: '',
ldap_admin_password: '',
ldap_domain: '',
ldap_filter_basic: '',
ldap_filter_username: '',
ldap_filter_group: '',
ldap_filter_groupname: '',
ldap_sg_enabled: 0,
ldap_admin_group: '',
ldap_operator_group: '',
ldap_user_group: '',
autoprovisioning: 0,
autoprovisioning_attribute: '',
urn_value: '',
purge: 0,
// Google OAuth2 Settings
google_oauth_enabled: 0,
google_oauth_client_id: '',
google_oauth_client_secret: '',
google_oauth_scope: '',
google_base_url: '',
google_oauth_auto_configure: 1,
google_oauth_metadata_url: '',
google_token_url: '',
google_authorize_url: '',
// GitHub OAuth2 Settings
github_oauth_enabled: 0,
github_oauth_key: '',
github_oauth_secret: '',
github_oauth_scope: '',
github_oauth_api_url: '',
github_oauth_auto_configure: 0,
github_oauth_metadata_url: '',
github_oauth_token_url: '',
github_oauth_authorize_url: '',
// Azure AD OAuth2 Settings
azure_oauth_enabled: 0,
azure_oauth_key: '',
azure_oauth_secret: '',
azure_oauth_scope: '',
azure_oauth_api_url: '',
azure_oauth_auto_configure: 1,
azure_oauth_metadata_url: '',
azure_oauth_token_url: '',
azure_oauth_authorize_url: '',
azure_sg_enabled: 0,
azure_admin_group: '',
azure_operator_group: '',
azure_user_group: '',
azure_group_accounts_enabled: 0,
azure_group_accounts_name: '',
azure_group_accounts_name_re: '',
azure_group_accounts_description: '',
azure_group_accounts_description_re: '',
// OIDC OAuth2 Settings
oidc_oauth_enabled: 0,
oidc_oauth_key: '',
oidc_oauth_secret: '',
oidc_oauth_scope: '',
oidc_oauth_api_url: '',
oidc_oauth_auto_configure: 1,
oidc_oauth_metadata_url: '',
oidc_oauth_token_url: '',
oidc_oauth_authorize_url: '',
oidc_oauth_logout_url: '',
oidc_oauth_username: '',
oidc_oauth_email: '',
oidc_oauth_firstname: '',
oidc_oauth_last_name: '',
oidc_oauth_account_name_property: '',
oidc_oauth_account_description_property: '',
}
self.init = function (autoload) {
self.loading = ko.observable(self.loading);
self.saving = ko.observable(self.saving);
self.saved = ko.observable(self.saved);
self.save_failed = ko.observable(self.save_failed);
self.messages = ko.observableArray(self.messages);
self.messages_class = ko.observable(self.messages_class);
self.tab_active = ko.observable(self.tab_active);
self.tab_default = ko.observable(self.tab_default);
self.update(user_data);
let el = null;
if (typeof selector !== 'undefined') {
el = $(selector)
}
if (el !== null && el.length > 0) {
target = el;
ko.applyBindings(self, el[0]);
} else {
ko.applyBindings(self);
}
if (self.hasHash()) {
self.activateTab(self.getHash());
} else {
self.activateDefaultTab();
}
self.setupListeners();
self.setupValidation();
if (autoload) {
self.load();
}
}
self.load = function () {
self.loading(true);
$.ajax({
url: self.api_url,
type: 'POST',
data: {_csrf_token: csrf_token},
dataType: 'json',
success: self.onDataLoaded
});
}
self.save = function () {
if (!target.valid()) {
return false;
}
self.saving(true);
$.ajax({
url: self.api_url,
type: 'POST',
data: {_csrf_token: csrf_token, commit: 1, data: ko.toJSON(self)},
dataType: 'json',
success: self.onDataSaved
});
}
self.update = function (instance) {
for (const [key, value] of Object.entries($.extend(defaults, instance))) {
if (ko.isObservable(self[key])) {
self[key](value);
} else {
self[key] = ko.observable(value);
}
}
}
self.setupListeners = function () {
if ('onhashchange' in window) {
$(window).bind('hashchange', self.onHashChange);
}
}
self.destroyListeners = function () {
if ('onhashchange' in window) {
$(window).unbind('hashchange', self.onHashChange);
}
}
self.setupValidation = function () {
let uuidRegExp = /^([0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})|[0-9]+$/i;
let footerErrorElements = [
'input#local_db_enabled',
];
let errorCheckSelectors = [
'input.error:not([disabled])',
'select.error:not([disabled])',
'textarea.error:not([disabled])',
];
let errorCheckQuery = errorCheckSelectors.join(',');
let tabs = target.find('.tab-content > *[data-tab]')
let onElementChanged = function (event) {
target.valid();
}
let auth_enabled = function (value, element, params) {
let enabled = 0;
if (self.local_db_enabled()) {
enabled++;
}
if (self.ldap_enabled()) {
enabled++;
}
if (self.google_oauth_enabled()) {
enabled++;
}
if (self.github_oauth_enabled()) {
enabled++;
}
if (self.azure_oauth_enabled()) {
enabled++;
}
if (self.oidc_oauth_enabled()) {
enabled++;
}
return enabled > 0;
};
let ldap_exclusive = function (value, element, params) {
let enabled = 0;
if (self.ldap_sg_enabled() === 1) {
enabled++;
}
if (self.autoprovisioning() === 1) {
enabled++;
}
return enabled < 2;
}
let uuid = function (value, element, params) {
return uuidRegExp.test(value);
}
let local_enabled = function (element) {
return self.local_db_enabled();
};
let ldap_enabled = function (element) {
return self.ldap_enabled();
};
let google_oauth_enabled = function (element) {
return self.google_oauth_enabled();
};
let github_oauth_enabled = function (element) {
return self.github_oauth_enabled();
};
let azure_oauth_enabled = function (element) {
return self.azure_oauth_enabled();
};
let oidc_oauth_enabled = function (element) {
return self.oidc_oauth_enabled();
};
let enforce_characters = function (element) {
return self.local_db_enabled() === 1 && self.pwd_enforce_characters() === 1;
};
let enforce_complexity = function (element) {
return self.local_db_enabled() === 1 && self.pwd_enforce_complexity() === 1;
};
let ldap_type_openldap = function (element) {
return self.ldap_enabled() && self.ldap_type() === 'ldap';
};
let ldap_type_ad = function (element) {
return self.ldap_enabled() && self.ldap_type() === 'ad';
};
let ldap_sg_enabled = function (element) {
return self.ldap_enabled() === 1 && self.ldap_sg_enabled() === 1;
}
let ldap_ap_enabled = function (element) {
return self.ldap_enabled() === 1 && self.autoprovisioning() === 1;
}
let azure_gs_enabled = function (element) {
return self.azure_oauth_enabled() === 1 && self.azure_sg_enabled() === 1;
}
let azure_gas_enabled = function (element) {
return self.azure_oauth_enabled() && self.azure_group_accounts_enabled();
}
let google_oauth_auto_configure_enabled = function (element) {
return self.google_oauth_enabled() && self.google_oauth_auto_configure();
}
let google_oauth_auto_configure_disabled = function (element) {
return self.google_oauth_enabled() && !self.google_oauth_auto_configure();
}
let github_oauth_auto_configure_enabled = function (element) {
return self.github_oauth_enabled() && self.github_oauth_auto_configure();
}
let github_oauth_auto_configure_disabled = function (element) {
return self.github_oauth_enabled() && !self.github_oauth_auto_configure();
}
let azure_oauth_auto_configure_enabled = function (element) {
return self.azure_oauth_enabled() && self.azure_oauth_auto_configure();
}
let azure_oauth_auto_configure_disabled = function (element) {
return self.azure_oauth_enabled() && !self.azure_oauth_auto_configure();
}
let oidc_oauth_auto_configure_enabled = function (element) {
return self.oidc_oauth_enabled() && self.oidc_oauth_auto_configure();
}
let oidc_oauth_auto_configure_disabled = function (element) {
return self.oidc_oauth_enabled() && !self.oidc_oauth_auto_configure();
}
jQuery.validator.addMethod('auth_enabled', auth_enabled, 'At least one authentication method must be enabled.');
jQuery.validator.addMethod('ldap_exclusive', ldap_exclusive, 'The LDAP group security and role auto-provisioning features are mutually exclusive.');
jQuery.validator.addMethod('uuid', uuid, 'A valid UUID is required.');
target.validate({
ignore: '',
errorPlacement: function (error, element) {
let useFooter = false;
for (let i = 0; i < footerErrorElements.length; i++) {
if (element.is(footerErrorElements[i])) {
useFooter = true;
}
}
if (useFooter) {
target.find('.card-footer > .error').append(error);
} else if (element.is('input[type=radio]')) {
error.insertAfter(element.parents('div.radio'));
} else {
element.after(error);
}
},
showErrors: function (errorMap, errorList) {
this.defaultShowErrors();
tabs.each(function (index, tab) {
tab = $(tab);
let tabId = tab.data('tab');
let tabLink = target.find('.nav-tabs > li > a[data-tab="' + tabId + '"]');
if (tab.find(errorCheckQuery).length > 0) {
tabLink.addClass('error');
} else {
tabLink.removeClass('error');
}
});
},
rules: {
local_db_enabled: 'auth_enabled',
ldap_enabled: 'auth_enabled',
google_oauth_enabled: 'auth_enabled',
github_oauth_enabled: 'auth_enabled',
azure_oauth_enabled: 'auth_enabled',
oidc_oauth_enabled: 'auth_enabled',
pwd_min_len: {
required: enforce_characters,
digits: true,
min: 1,
max: 64,
},
pwd_min_lowercase: {
required: enforce_characters,
digits: true,
min: 0,
max: 64,
},
pwd_min_uppercase: {
required: enforce_characters,
digits: true,
min: 0,
max: 64,
},
pwd_min_digits: {
required: enforce_characters,
digits: true,
min: 0,
max: 64,
},
pwd_min_special: {
required: enforce_characters,
digits: true,
min: 0,
max: 64,
},
pwd_min_complexity: {
required: enforce_complexity,
digits: true,
min: 1,
max: 1000,
},
ldap_type: ldap_enabled,
ldap_uri: {
required: ldap_enabled,
minlength: 11,
maxlength: 255,
},
ldap_base_dn: {
required: ldap_enabled,
minlength: 4,
maxlength: 255,
},
ldap_admin_username: {
required: ldap_type_openldap,
minlength: 4,
maxlength: 255,
},
ldap_admin_password: {
required: ldap_type_openldap,
minlength: 1,
maxlength: 255,
},
ldap_domain: {
required: ldap_type_ad,
minlength: 1,
maxlength: 255,
},
ldap_filter_basic: {
required: ldap_enabled,
minlength: 3,
maxlength: 1000,
},
ldap_filter_username: {
required: ldap_enabled,
minlength: 1,
maxlength: 100,
},
ldap_filter_group: {
required: ldap_type_openldap,
minlength: 3,
maxlength: 100,
},
ldap_filter_groupname: {
required: ldap_type_openldap,
minlength: 1,
maxlength: 100,
},
ldap_sg_enabled: {
required: ldap_enabled,
ldap_exclusive: true,
},
ldap_admin_group: {
required: ldap_sg_enabled,
minlength: 3,
maxlength: 100,
},
ldap_operator_group: {
required: ldap_sg_enabled,
minlength: 3,
maxlength: 100,
},
ldap_user_group: {
required: ldap_sg_enabled,
minlength: 3,
maxlength: 100,
},
autoprovisioning: {
required: ldap_enabled,
ldap_exclusive: true,
},
autoprovisioning_attribute: {
required: ldap_ap_enabled,
minlength: 1,
maxlength: 100,
},
urn_value: {
required: ldap_ap_enabled,
minlength: 1,
maxlength: 100,
},
purge: ldap_enabled,
google_oauth_client_id: {
required: google_oauth_enabled,
minlength: 1,
maxlength: 255,
},
google_oauth_client_secret: {
required: google_oauth_enabled,
minlength: 1,
maxlength: 255,
},
google_oauth_scope: {
required: google_oauth_enabled,
minlength: 1,
maxlength: 255,
},
google_base_url: {
required: google_oauth_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
google_oauth_metadata_url: {
required: google_oauth_auto_configure_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
google_token_url: {
required: google_oauth_auto_configure_disabled,
minlength: 1,
maxlength: 255,
url: true,
},
google_authorize_url: {
required: google_oauth_auto_configure_disabled,
minlength: 1,
maxlength: 255,
url: true,
},
github_oauth_key: {
required: github_oauth_enabled,
minlength: 1,
maxlength: 255,
},
github_oauth_secret: {
required: github_oauth_enabled,
minlength: 1,
maxlength: 255,
},
github_oauth_scope: {
required: github_oauth_enabled,
minlength: 1,
maxlength: 255,
},
github_oauth_api_url: {
required: github_oauth_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
github_oauth_metadata_url: {
required: github_oauth_auto_configure_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
github_oauth_token_url: {
required: github_oauth_auto_configure_disabled,
minlength: 1,
maxlength: 255,
url: true,
},
github_oauth_authorize_url: {
required: github_oauth_auto_configure_disabled,
minlength: 1,
maxlength: 255,
url: true,
},
azure_oauth_key: {
required: azure_oauth_enabled,
minlength: 1,
maxlength: 255,
uuid: true,
},
azure_oauth_secret: {
required: azure_oauth_enabled,
minlength: 1,
maxlength: 255,
},
azure_oauth_scope: {
required: azure_oauth_enabled,
minlength: 1,
maxlength: 255,
},
azure_oauth_api_url: {
required: azure_oauth_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
azure_oauth_metadata_url: {
required: azure_oauth_auto_configure_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
azure_oauth_token_url: {
required: azure_oauth_auto_configure_disabled,
minlength: 1,
maxlength: 255,
url: true,
},
azure_oauth_authorize_url: {
required: azure_oauth_auto_configure_disabled,
minlength: 1,
maxlength: 255,
url: true,
},
azure_sg_enabled: azure_oauth_enabled,
azure_admin_group: {
uuid: azure_gs_enabled,
},
azure_operator_group: {
uuid: azure_gs_enabled,
},
azure_user_group: {
uuid: azure_gs_enabled,
},
azure_group_accounts_enabled: azure_oauth_enabled,
azure_group_accounts_name: {
required: azure_gas_enabled,
minlength: 1,
maxlength: 255,
},
azure_group_accounts_name_re: {
required: azure_gas_enabled,
minlength: 1,
maxlength: 255,
},
azure_group_accounts_description: {
required: azure_gas_enabled,
minlength: 1,
maxlength: 255,
},
azure_group_accounts_description_re: {
required: azure_gas_enabled,
minlength: 1,
maxlength: 255,
},
oidc_oauth_key: {
required: oidc_oauth_enabled,
minlength: 1,
maxlength: 255,
},
oidc_oauth_secret: {
required: oidc_oauth_enabled,
minlength: 1,
maxlength: 255,
},
oidc_oauth_scope: {
required: oidc_oauth_enabled,
minlength: 1,
maxlength: 255,
},
oidc_oauth_api_url: {
required: oidc_oauth_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
oidc_oauth_metadata_url: {
required: oidc_oauth_auto_configure_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
oidc_oauth_token_url: {
required: oidc_oauth_auto_configure_disabled,
minlength: 1,
maxlength: 255,
url: true,
},
oidc_oauth_authorize_url: {
required: oidc_oauth_auto_configure_disabled,
minlength: 1,
maxlength: 255,
url: true,
},
oidc_oauth_logout_url: {
required: oidc_oauth_enabled,
minlength: 1,
maxlength: 255,
url: true,
},
oidc_oauth_username: {
required: oidc_oauth_enabled,
minlength: 1,
maxlength: 255,
},
oidc_oauth_email: {
required: oidc_oauth_enabled,
minlength: 1,
maxlength: 255,
},
oidc_oauth_firstname: {
minlength: 0,
maxlength: 255,
},
oidc_oauth_last_name: {
minlength: 0,
maxlength: 255,
},
oidc_oauth_account_name_property: {
minlength: 0,
maxlength: 255,
},
oidc_oauth_account_description_property: {
minlength: 0,
maxlength: 255,
},
},
messages: {
ldap_sg_enabled: {
ldap_exclusive: 'The LDAP group security feature is mutually exclusive with the LDAP role auto-provisioning feature.',
},
autoprovisioning: {
ldap_exclusive: 'The LDAP role auto-provisioning feature is mutually exclusive with the LDAP group security feature.',
},
},
});
target.find('input, select, textarea, label').on('change,keyup,blur,click', onElementChanged);
target.valid();
}
self.activateTab = function (tab) {
$('[role="tablist"] a.nav-link').blur();
self.tab_active(tab);
window.location.hash = tab;
}
self.activateDefaultTab = function () {
self.activateTab(self.tab_default());
}
self.getHash = function () {
return window.location.hash.substring(1);
}
self.hasHash = function () {
return window.location.hash.length > 1;
}
self.onDataLoaded = function (result) {
if (result.status == 0) {
self.messages_class('danger');
self.messages(result.messages);
self.loading(false);
return false;
}
self.update(result.data);
self.messages_class('info');
self.messages(result.messages);
self.loading(false);
}
self.onDataSaved = function (result) {
if (result.status == 0) {
self.saved(false);
self.save_failed(true);
self.messages_class('danger');
self.messages(result.messages);
self.saving(false);
return false;
}
self.update(result.data);
self.saved(true);
self.save_failed(false);
self.messages_class('info');
self.messages(result.messages);
self.saving(false);
}
self.onHashChange = function (event) {
let hash = window.location.hash.trim();
if (hash.length > 1) {
self.activateTab(hash.substring(1));
} else {
self.activateDefaultTab();
}
}
self.onSaveClick = function (model, event) {
self.save();
return false;
}
self.onTabClick = function (model, event) {
self.activateTab($(event.target).data('tab'));
return false;
}
}

File diff suppressed because it is too large Load Diff

View File

@ -228,7 +228,7 @@
<footer class="main-footer">
<strong><a href="https://github.com/PowerDNS-Admin/PowerDNS-Admin">PowerDNS-Admin</a></strong> - A PowerDNS web
interface with advanced features.
<span class="float-right">Version 0.4.0</span>
<span class="float-right">Version 0.4.1</span>
</footer>
</div>
<!-- ./wrapper -->

View File

@ -42,7 +42,7 @@
resolved "https://registry.yarnpkg.com/@foliojs-fork/restructure/-/restructure-2.0.2.tgz#73759aba2aff1da87b7c4554e6839c70d43c92b4"
integrity sha512-59SgoZ3EXbkfSX7b63tsou/SDGzwUEK6MuB5sKqgVK1/XE0fxmpsOb9DQI8LXW3KfGnAjImCGhhEb7uPPAUVNA==
"@fortawesome/fontawesome-free@6.3.0":
"@fortawesome/fontawesome-free@6.3.0", "@fortawesome/fontawesome-free@^5.15.4":
version "6.3.0"
resolved "https://registry.yarnpkg.com/@fortawesome/fontawesome-free/-/fontawesome-free-6.3.0.tgz#b5877182692a6f7a39d1108837bec24247ba4bd7"
integrity sha512-qVtd5i1Cc7cdrqnTWqTObKQHjPWAiRwjUPaXObaeNPcy7+WKxJumGBx66rfSFgK6LNpIasVKkEgW8oyf0tmPLA==
@ -1026,7 +1026,7 @@ jquery-ui-dist@^1.13.0, jquery-ui-dist@^1.13.2:
dependencies:
jquery ">=1.8.0 <4.0.0"
jquery-validation@^1.19.3:
jquery-validation@^1.19.3, jquery-validation@^1.19.5:
version "1.19.5"
resolved "https://registry.yarnpkg.com/jquery-validation/-/jquery-validation-1.19.5.tgz#557495b7cad79716897057c4447ad3cd76fda811"
integrity sha512-X2SmnPq1mRiDecVYL8edWx+yTBZDyC8ohWXFhXdtqFHgU9Wd4KHkvcbCoIZ0JaSaumzS8s2gXSkP8F7ivg/8ZQ==
@ -1081,6 +1081,11 @@ jtimeout@^3.2.0:
dependencies:
jquery ">=1.7.1 <4.0.0"
knockout@^3.5.1:
version "3.5.1"
resolved "https://registry.yarnpkg.com/knockout/-/knockout-3.5.1.tgz#62c81e81843bea2008fd23c575edd9ca978e75cf"
integrity sha512-wRJ9I4az0QcsH7A4v4l0enUpkS++MBx0BnL/68KaLzJg7x1qmbjSlwEoCNol7KTYZ+pmtI7Eh2J0Nu6/2Z5J/Q==
levn@~0.3.0:
version "0.3.0"
resolved "https://registry.yarnpkg.com/levn/-/levn-0.3.0.tgz#3b09924edf9f083c0490fdd4c0bc4421e04764ee"