From 4383c337d4085ed485372d83876d50f9bd50ef6c Mon Sep 17 00:00:00 2001 From: Melchior NOGUES Date: Wed, 27 Jul 2022 11:35:47 +0200 Subject: [PATCH 01/77] fix: ldap type ad search user group when nested groups --- powerdnsadmin/models/user.py | 92 ++++++++++++++++++++---------------- 1 file changed, 51 insertions(+), 41 deletions(-) diff --git a/powerdnsadmin/models/user.py b/powerdnsadmin/models/user.py index 2f8b87c..cb857c8 100644 --- a/powerdnsadmin/models/user.py +++ b/powerdnsadmin/models/user.py @@ -5,6 +5,7 @@ import bcrypt import pyotp import ldap import ldap.filter +from collections import OrderedDict from flask import current_app from flask_login import AnonymousUserMixin from sqlalchemy import orm @@ -282,53 +283,62 @@ class User(db.Model): LDAP_USER_GROUP)) return False elif LDAP_TYPE == 'ad': - ldap_admin_group_filter, ldap_operator_group, ldap_user_group = "", "", "" - if LDAP_ADMIN_GROUP: - ldap_admin_group_filter = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_ADMIN_GROUP) - if LDAP_OPERATOR_GROUP: - ldap_operator_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_OPERATOR_GROUP) - if LDAP_USER_GROUP: - ldap_user_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_USER_GROUP) - searchFilter = "(&({0}={1})(|{2}{3}{4}))".format(LDAP_FILTER_USERNAME, self.username, - ldap_admin_group_filter, - ldap_operator_group, ldap_user_group) - ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN) - user_ad_member_of = ldap_result[0][0][1].get( - 'memberOf') + ldap_group_security_roles = OrderedDict( + Administrator=LDAP_ADMIN_GROUP, + Operator=LDAP_OPERATOR_GROUP, + User=LDAP_USER_GROUP, + ) + user_dn = ldap_result[0][0][0] + sf_groups = "" - if not user_ad_member_of: + for group in ldap_group_security_roles.values(): + if not group: + continue + + sf_groups += f"(distinguishedName={group})" + + sf_member_user = f"(member:1.2.840.113556.1.4.1941:={user_dn})" + search_filter = f"(&(|{sf_groups}){sf_member_user})" + current_app.logger.debug(f"LDAP groupSearchFilter '{search_filter}'") + + ldap_user_groups = [ + group[0][0] + for group in self.ldap_search( + search_filter, + LDAP_BASE_DN + ) + ] + + if not ldap_user_groups: current_app.logger.error( - 'User {0} does not belong to any group while LDAP_GROUP_SECURITY_ENABLED is ON' - .format(self.username)) + f"User '{self.username}' " + "does not belong to any group " + "while LDAP_GROUP_SECURITY_ENABLED is ON" + ) return False - user_ad_member_of = [g.decode("utf-8") for g in user_ad_member_of] + current_app.logger.debug( + "LDAP User security groups " + f"for user '{self.username}': " + " ".join(ldap_user_groups) + ) - if (LDAP_ADMIN_GROUP in user_ad_member_of): - role_name = 'Administrator' + for role, ldap_group in ldap_group_security_roles.items(): + # Continue when groups is not defined or + # user is'nt member of LDAP group + if not ldap_group or not ldap_group in ldap_user_groups: + continue + + role_name = role current_app.logger.info( - 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin' - .format(self.username, - LDAP_ADMIN_GROUP)) - elif (LDAP_OPERATOR_GROUP in user_ad_member_of): - role_name = 'Operator' - current_app.logger.info( - 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin' - .format(self.username, - LDAP_OPERATOR_GROUP)) - elif (LDAP_USER_GROUP in user_ad_member_of): - current_app.logger.info( - 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin' - .format(self.username, - LDAP_USER_GROUP)) - else: - current_app.logger.error( - 'User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin' - .format(self.username, - LDAP_ADMIN_GROUP, - LDAP_OPERATOR_GROUP, - LDAP_USER_GROUP)) - return False + f"User '{self.username}' member of " + f"the '{ldap_group}' group that allows " + f"'{role}' access to to PowerDNS-Admin" + ) + + # Stop loop on first found + break + else: current_app.logger.error('Invalid LDAP type') return False From fd30e3ff497f6bd6984ef329e0e62592da085af8 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 11 Mar 2023 14:46:58 -0500 Subject: [PATCH 02/77] Added new JWKS URL setting for each OAuth provider and updated the associated authorization service to use the setting during the initialization of the authlib. --- powerdnsadmin/models/setting.py | 18 ++++--- powerdnsadmin/routes/admin.py | 8 +++ powerdnsadmin/services/azure.py | 1 + powerdnsadmin/services/github.py | 1 + powerdnsadmin/services/google.py | 1 + powerdnsadmin/services/oidc.py | 1 + .../admin_setting_authentication.html | 52 +++++++++++++++++-- 7 files changed, 71 insertions(+), 11 deletions(-) diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py index e820af9..331898a 100644 --- a/powerdnsadmin/models/setting.py +++ b/powerdnsadmin/models/setting.py @@ -28,7 +28,7 @@ class Setting(db.Model): 'allow_user_create_domain': False, 'allow_user_remove_domain': False, 'allow_user_view_history': False, - 'delete_sso_accounts': False, + 'delete_sso_accounts': False, 'bg_domain_updates': False, 'enable_api_rr_history': True, 'preserve_history': False, @@ -44,7 +44,7 @@ class Setting(db.Model): 'local_db_enabled': True, 'signup_enabled': True, 'autoprovisioning': False, - 'urn_value':'', + 'urn_value': '', 'autoprovisioning_attribute': '', 'purge': False, 'verify_user_email': False, @@ -69,15 +69,17 @@ class Setting(db.Model): 'github_oauth_scope': 'email', 'github_oauth_api_url': 'https://api.github.com/user', 'github_oauth_token_url': - 'https://github.com/login/oauth/access_token', + 'https://github.com/login/oauth/access_token', 'github_oauth_authorize_url': - 'https://github.com/login/oauth/authorize', + 'https://github.com/login/oauth/authorize', + 'github_oauth_jwks_url': '', 'google_oauth_enabled': False, 'google_oauth_client_id': '', 'google_oauth_client_secret': '', 'google_token_url': 'https://oauth2.googleapis.com/token', 'google_oauth_scope': 'openid email profile', 'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth', + 'google_oauth_jwks_url': '', 'google_base_url': 'https://www.googleapis.com/oauth2/v3/', 'azure_oauth_enabled': False, 'azure_oauth_key': '', @@ -85,9 +87,10 @@ class Setting(db.Model): 'azure_oauth_scope': 'User.Read openid email profile', 'azure_oauth_api_url': 'https://graph.microsoft.com/v1.0/', 'azure_oauth_token_url': - 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/token', + 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/token', 'azure_oauth_authorize_url': - 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize', + 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize', + 'azure_oauth_jwks_url': '', 'azure_sg_enabled': False, 'azure_admin_group': '', 'azure_operator_group': '', @@ -104,6 +107,7 @@ class Setting(db.Model): 'oidc_oauth_api_url': '', 'oidc_oauth_token_url': '', 'oidc_oauth_authorize_url': '', + 'oidc_oauth_jwks_url': '', 'oidc_oauth_metadata_url': '', 'oidc_oauth_logout_url': '', 'oidc_oauth_username': 'preferred_username', @@ -284,7 +288,7 @@ class Setting(db.Model): result = self.query.filter(Setting.name == setting).first() if result is not None: - if hasattr(result,'value'): + if hasattr(result, 'value'): result = result.value return strtobool(result) if result in [ 'True', 'False' diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py index 0d85d29..5aea1d2 100644 --- a/powerdnsadmin/routes/admin.py +++ b/powerdnsadmin/routes/admin.py @@ -1642,6 +1642,8 @@ def setting_authentication(): request.form.get('google_oauth_scope')) Setting().set('google_authorize_url', request.form.get('google_authorize_url')) + Setting().set('google_oauth_jwks_url', + request.form.get('google_oauth_jwks_url')) Setting().set('google_base_url', request.form.get('google_base_url')) result = { @@ -1673,6 +1675,8 @@ def setting_authentication(): request.form.get('github_oauth_token_url')) Setting().set('github_oauth_authorize_url', request.form.get('github_oauth_authorize_url')) + Setting().set('github_oauth_jwks_url', + request.form.get('github_oauth_jwks_url')) result = { 'status': True, 'msg': @@ -1702,6 +1706,8 @@ def setting_authentication(): request.form.get('azure_oauth_token_url')) Setting().set('azure_oauth_authorize_url', request.form.get('azure_oauth_authorize_url')) + Setting().set('azure_oauth_jwks_url', + request.form.get('azure_oauth_jwks_url')) Setting().set( 'azure_sg_enabled', True if request.form.get('azure_sg_enabled') == 'ON' else False) @@ -1753,6 +1759,8 @@ def setting_authentication(): request.form.get('oidc_oauth_token_url')) Setting().set('oidc_oauth_authorize_url', request.form.get('oidc_oauth_authorize_url')) + Setting().set('oidc_oauth_jwks_url', + request.form.get('oidc_oauth_jwks_url')) Setting().set('oidc_oauth_metadata_url', request.form.get('oidc_oauth_metadata_url')) Setting().set('oidc_oauth_logout_url', diff --git a/powerdnsadmin/services/azure.py b/powerdnsadmin/services/azure.py index 46fb1af..691b153 100644 --- a/powerdnsadmin/services/azure.py +++ b/powerdnsadmin/services/azure.py @@ -23,6 +23,7 @@ def azure_oauth(): request_token_url=None, access_token_url=Setting().get('azure_oauth_token_url'), authorize_url=Setting().get('azure_oauth_authorize_url'), + jwks_url=Setting().get('azure_oauth_jwks_url'), client_kwargs={'scope': Setting().get('azure_oauth_scope')}, fetch_token=fetch_azure_token, ) diff --git a/powerdnsadmin/services/github.py b/powerdnsadmin/services/github.py index cf615e8..8bcbe87 100644 --- a/powerdnsadmin/services/github.py +++ b/powerdnsadmin/services/github.py @@ -24,6 +24,7 @@ def github_oauth(): request_token_url=None, access_token_url=Setting().get('github_oauth_token_url'), authorize_url=Setting().get('github_oauth_authorize_url'), + jwks_url=Setting().get('github_oauth_jwks_url'), client_kwargs={'scope': Setting().get('github_oauth_scope')}, fetch_token=fetch_github_token, update_token=update_token) diff --git a/powerdnsadmin/services/google.py b/powerdnsadmin/services/google.py index 68775a2..0a62463 100644 --- a/powerdnsadmin/services/google.py +++ b/powerdnsadmin/services/google.py @@ -23,6 +23,7 @@ def google_oauth(): request_token_url=None, access_token_url=Setting().get('google_token_url'), authorize_url=Setting().get('google_authorize_url'), + jwks_url=Setting().get('google_oauth_jwks_url'), client_kwargs={'scope': Setting().get('google_oauth_scope')}, fetch_token=fetch_google_token, update_token=update_token) diff --git a/powerdnsadmin/services/oidc.py b/powerdnsadmin/services/oidc.py index b5da89e..432457f 100644 --- a/powerdnsadmin/services/oidc.py +++ b/powerdnsadmin/services/oidc.py @@ -23,6 +23,7 @@ def oidc_oauth(): request_token_url=None, access_token_url=Setting().get('oidc_oauth_token_url'), authorize_url=Setting().get('oidc_oauth_authorize_url'), + jwks_url=Setting().get('oidc_oauth_jwks_url'), server_metadata_url=Setting().get('oidc_oauth_metadata_url'), client_kwargs={'scope': Setting().get('oidc_oauth_scope')}, fetch_token=fetch_oidc_token, diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index 26d9a72..5750d89 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -663,6 +663,17 @@ value="{{ SETTING.get('google_authorize_url') }}"> +
+ + + +
+
+ + + +
@@ -915,6 +937,17 @@ value="{{ SETTING.get('azure_oauth_authorize_url') }}"> +
+ + + +
GROUP SECURITY @@ -1206,10 +1239,21 @@ name="oidc_oauth_authorize_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/authorize" - data-error="Plesae input Authorize URL" + data-error="Please input Authorize URL" value="{{ SETTING.get('oidc_oauth_authorize_url') }}"> +
+ + + +
@@ -1217,7 +1261,7 @@ name="oidc_oauth_metadata_url" id="oidc_oauth_metadata_url" placeholder="e.g. https://oidc.com/login/oauth/.well-known/openid-configuration" - data-error="Plesae input Metadata URL" + data-error="Please input Metadata URL" value="{{ SETTING.get('oidc_oauth_metadata_url') }}">
@@ -1270,7 +1314,7 @@ From 369188e80e95a8896b6e61326ece8acc706fb1dc Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 11 Mar 2023 14:50:02 -0500 Subject: [PATCH 03/77] Disabled MegaLinter workflow for all branches currently. --- .github/workflows/mega-linter.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 4c005da..943d3a3 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -6,6 +6,7 @@ name: MegaLinter on: push: branches-ignore: + - "*" - "dev" - "main" - "master" From c61489adfc2c1d7cc8aab384b17846ded6347edc Mon Sep 17 00:00:00 2001 From: Stefan Ubbink Date: Sun, 12 Mar 2023 13:11:20 +0100 Subject: [PATCH 04/77] Improve things for using PostgreSQL --- configs/development.py | 10 ++++++++++ docker-test/Dockerfile | 1 + docker/Dockerfile | 1 + docs/wiki/database-setup/Setup-PostgreSQL.md | 13 ++++--------- ...ning-PowerDNS-Admin-on-Ubuntu-or-Debian.md | 19 +++++++++++++++---- requirements.txt | 1 + 6 files changed, 32 insertions(+), 13 deletions(-) diff --git a/configs/development.py b/configs/development.py index 6d1dd0d..e92ac72 100644 --- a/configs/development.py +++ b/configs/development.py @@ -27,6 +27,7 @@ CAPTCHA_SESSION_KEY = 'captcha_image' SESSION_TYPE = 'sqlalchemy' ### DATABASE - MySQL +## Don't forget to uncomment the import in the top #SQLALCHEMY_DATABASE_URI = 'mysql://{}:{}@{}/{}'.format( # urllib.parse.quote_plus(SQLA_DB_USER), # urllib.parse.quote_plus(SQLA_DB_PASSWORD), @@ -34,6 +35,15 @@ SESSION_TYPE = 'sqlalchemy' # SQLA_DB_NAME #) +### DATABASE - PostgreSQL +## Don't forget to uncomment the import in the top +#SQLALCHEMY_DATABASE_URI = 'postgres://{}:{}@{}/{}'.format( +# urllib.parse.quote_plus(SQLA_DB_USER), +# urllib.parse.quote_plus(SQLA_DB_PASSWORD), +# SQLA_DB_HOST, +# SQLA_DB_NAME +#) + ### DATABASE - SQLite SQLALCHEMY_DATABASE_URI = 'sqlite:///' + os.path.join(basedir, 'pdns.db') diff --git a/docker-test/Dockerfile b/docker-test/Dockerfile index 17f934f..7191825 100644 --- a/docker-test/Dockerfile +++ b/docker-test/Dockerfile @@ -11,6 +11,7 @@ RUN apt-get update -y \ libffi-dev \ libldap2-dev \ libmariadb-dev-compat \ + libpq-dev \ libsasl2-dev \ libssl-dev \ libxml2-dev \ diff --git a/docker/Dockerfile b/docker/Dockerfile index b553998..55ccdfd 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -2,6 +2,7 @@ FROM alpine:3.17 AS builder ARG BUILD_DEPENDENCIES="build-base \ libffi-dev \ + libpq-dev \ libxml2-dev \ mariadb-connector-c-dev \ openldap-dev \ diff --git a/docs/wiki/database-setup/Setup-PostgreSQL.md b/docs/wiki/database-setup/Setup-PostgreSQL.md index a6e3364..197aae5 100644 --- a/docs/wiki/database-setup/Setup-PostgreSQL.md +++ b/docs/wiki/database-setup/Setup-PostgreSQL.md @@ -15,10 +15,9 @@ The below will create a database called powerdnsadmindb and a user of powerdnsad ``` $ sudo su - postgres $ createuser powerdnsadmin -$ createdb powerdnsadmindb +$ createdb -E UTF8 -l en_US.UTF-8 -O powerdnsadmin -T template0 powerdnsadmindb 'The database for PowerDNS-Admin' $ psql -postgres=# alter user powerdnsadmin with encrypted password 'powerdnsadmin'; -postgres=# grant all privileges on database powerdnsadmindb to powerdnsadmin; +postgres=# ALTER ROLE powerdnsadmin WITH PASSWORD 'powerdnsadmin_password'; ``` Note: @@ -51,18 +50,14 @@ On debian based systems these files are located in: ## Install required packages: ### Red-hat based systems: +TODO: confirm this is correct ``` sudo yum install postgresql-libs ``` ### Debian based systems: ``` -apt install libpq-dev python-dev -``` - -### Install python packages: -``` -pip3 install psycopg2 +apt install python3-psycopg2 ``` ## Known Issues: diff --git a/docs/wiki/install/Running-PowerDNS-Admin-on-Ubuntu-or-Debian.md b/docs/wiki/install/Running-PowerDNS-Admin-on-Ubuntu-or-Debian.md index d3bc834..ad51c2b 100644 --- a/docs/wiki/install/Running-PowerDNS-Admin-on-Ubuntu-or-Debian.md +++ b/docs/wiki/install/Running-PowerDNS-Admin-on-Ubuntu-or-Debian.md @@ -7,19 +7,30 @@ First setup your database accordingly: ### Install required packages for building python libraries from requirements.txt file +For Debian 11 (bullseye) and above: ```bash -sudo apt install -y python3-dev git libsasl2-dev libldap2-dev libssl-dev libxml2-dev libxslt1-dev libxmlsec1-dev libffi-dev pkg-config apt-transport-https virtualenv build-essential curl +sudo apt install -y python3-dev git libsasl2-dev libldap2-dev python3-venv libmariadb-dev pkg-config build-essential curl libpq-dev +``` +Older systems might also need the following: +```bash +sudo apt install -y libssl-dev libxml2-dev libxslt1-dev libxmlsec1-dev libffi-dev apt-transport-https virtualenv ``` ### Install NodeJs ```bash -curl -sL https://deb.nodesource.com/setup_14.x | bash - -apt install -y nodejs +curl -sL https://deb.nodesource.com/setup_14.x | sudo bash - +sudo apt install -y nodejs ``` ### Install yarn to build asset files - +For Debian 11 (bullseye) and above: +```bash +curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null +echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list +sudo apt update && sudo apt install -y yarn +``` +For older Debian systems: ```bash sudo curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list diff --git a/requirements.txt b/requirements.txt index 9753bf0..839c004 100644 --- a/requirements.txt +++ b/requirements.txt @@ -43,3 +43,4 @@ webcolors==1.12 werkzeug==2.1.2 zipp==3.11.0 rcssmin==1.1.1 +psycopg2==2.9.5 From 1afe9b490866f8afb951acddecbc53b0fbdefb8e Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 12 Mar 2023 09:13:54 -0400 Subject: [PATCH 05/77] Finished adding new OAuth Server Metadata URL setting to Google, GitHub, and Microsoft OAuth service configuration features. --- powerdnsadmin/models/setting.py | 3 + powerdnsadmin/routes/admin.py | 10 ++- powerdnsadmin/services/azure.py | 1 + powerdnsadmin/services/github.py | 1 + powerdnsadmin/services/google.py | 1 + .../admin_setting_authentication.html | 65 ++++++++++++------- 6 files changed, 57 insertions(+), 24 deletions(-) diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py index 331898a..bef6897 100644 --- a/powerdnsadmin/models/setting.py +++ b/powerdnsadmin/models/setting.py @@ -73,6 +73,7 @@ class Setting(db.Model): 'github_oauth_authorize_url': 'https://github.com/login/oauth/authorize', 'github_oauth_jwks_url': '', + 'github_oauth_metadata_url': '', 'google_oauth_enabled': False, 'google_oauth_client_id': '', 'google_oauth_client_secret': '', @@ -80,6 +81,7 @@ class Setting(db.Model): 'google_oauth_scope': 'openid email profile', 'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth', 'google_oauth_jwks_url': '', + 'google_oauth_metadata_url': '', 'google_base_url': 'https://www.googleapis.com/oauth2/v3/', 'azure_oauth_enabled': False, 'azure_oauth_key': '', @@ -91,6 +93,7 @@ class Setting(db.Model): 'azure_oauth_authorize_url': 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize', 'azure_oauth_jwks_url': '', + 'azure_oauth_metadata_url': '', 'azure_sg_enabled': False, 'azure_admin_group': '', 'azure_operator_group': '', diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py index 5aea1d2..900e70c 100644 --- a/powerdnsadmin/routes/admin.py +++ b/powerdnsadmin/routes/admin.py @@ -1636,6 +1636,8 @@ def setting_authentication(): request.form.get('google_oauth_client_id')) Setting().set('google_oauth_client_secret', request.form.get('google_oauth_client_secret')) + Setting().set('google_oauth_metadata_url', + request.form.get('google_oauth_metadata_url')) Setting().set('google_token_url', request.form.get('google_token_url')) Setting().set('google_oauth_scope', @@ -1671,6 +1673,8 @@ def setting_authentication(): request.form.get('github_oauth_scope')) Setting().set('github_oauth_api_url', request.form.get('github_oauth_api_url')) + Setting().set('github_oauth_metadata_url', + request.form.get('github_oauth_metadata_url')) Setting().set('github_oauth_token_url', request.form.get('github_oauth_token_url')) Setting().set('github_oauth_authorize_url', @@ -1702,6 +1706,8 @@ def setting_authentication(): request.form.get('azure_oauth_scope')) Setting().set('azure_oauth_api_url', request.form.get('azure_oauth_api_url')) + Setting().set('azure_oauth_metadata_url', + request.form.get('azure_oauth_metadata_url')) Setting().set('azure_oauth_token_url', request.form.get('azure_oauth_token_url')) Setting().set('azure_oauth_authorize_url', @@ -1755,14 +1761,14 @@ def setting_authentication(): request.form.get('oidc_oauth_scope')) Setting().set('oidc_oauth_api_url', request.form.get('oidc_oauth_api_url')) + Setting().set('oidc_oauth_metadata_url', + request.form.get('oidc_oauth_metadata_url')) Setting().set('oidc_oauth_token_url', request.form.get('oidc_oauth_token_url')) Setting().set('oidc_oauth_authorize_url', request.form.get('oidc_oauth_authorize_url')) Setting().set('oidc_oauth_jwks_url', request.form.get('oidc_oauth_jwks_url')) - Setting().set('oidc_oauth_metadata_url', - request.form.get('oidc_oauth_metadata_url')) Setting().set('oidc_oauth_logout_url', request.form.get('oidc_oauth_logout_url')) Setting().set('oidc_oauth_username', diff --git a/powerdnsadmin/services/azure.py b/powerdnsadmin/services/azure.py index 691b153..c1fb626 100644 --- a/powerdnsadmin/services/azure.py +++ b/powerdnsadmin/services/azure.py @@ -24,6 +24,7 @@ def azure_oauth(): access_token_url=Setting().get('azure_oauth_token_url'), authorize_url=Setting().get('azure_oauth_authorize_url'), jwks_url=Setting().get('azure_oauth_jwks_url'), + server_metadata_url=Setting().get('azure_oauth_metadata_url'), client_kwargs={'scope': Setting().get('azure_oauth_scope')}, fetch_token=fetch_azure_token, ) diff --git a/powerdnsadmin/services/github.py b/powerdnsadmin/services/github.py index 8bcbe87..13c2f00 100644 --- a/powerdnsadmin/services/github.py +++ b/powerdnsadmin/services/github.py @@ -25,6 +25,7 @@ def github_oauth(): access_token_url=Setting().get('github_oauth_token_url'), authorize_url=Setting().get('github_oauth_authorize_url'), jwks_url=Setting().get('github_oauth_jwks_url'), + server_metadata_url=Setting().get('github_oauth_metadata_url'), client_kwargs={'scope': Setting().get('github_oauth_scope')}, fetch_token=fetch_github_token, update_token=update_token) diff --git a/powerdnsadmin/services/google.py b/powerdnsadmin/services/google.py index 0a62463..fc9af12 100644 --- a/powerdnsadmin/services/google.py +++ b/powerdnsadmin/services/google.py @@ -24,6 +24,7 @@ def google_oauth(): access_token_url=Setting().get('google_token_url'), authorize_url=Setting().get('google_authorize_url'), jwks_url=Setting().get('google_oauth_jwks_url'), + server_metadata_url=Setting().get('google_oauth_metadata_url'), client_kwargs={'scope': Setting().get('google_oauth_scope')}, fetch_token=fetch_google_token, update_token=update_token) diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index 5750d89..7675797 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -630,9 +630,16 @@ value="{{ SETTING.get('google_oauth_client_secret') }}"> -
-
- ADVANCE +
+ + + +
-
-
- ADVANCE
+
+ + + +
@@ -893,9 +907,6 @@ value="{{ SETTING.get('azure_oauth_secret') }}">
-
-
- ADVANCED
+
+ + + +
+
+ + + +
-
- - - -
@@ -1278,7 +1299,7 @@
- CLAIMS + Claims
- ADVANCE + Advanced
From ee68b18e278fb18b152bdac306c1f53d67ceeb09 Mon Sep 17 00:00:00 2001 From: Your Name Date: Sun, 12 Mar 2023 13:36:30 +0000 Subject: [PATCH 06/77] Added custom header in created_by segment option --- powerdnsadmin/models/setting.py | 3 ++- powerdnsadmin/routes/admin.py | 1 + powerdnsadmin/routes/api.py | 16 ++++++++++++---- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py index e820af9..6b46817 100644 --- a/powerdnsadmin/models/setting.py +++ b/powerdnsadmin/models/setting.py @@ -28,7 +28,8 @@ class Setting(db.Model): 'allow_user_create_domain': False, 'allow_user_remove_domain': False, 'allow_user_view_history': False, - 'delete_sso_accounts': False, + 'delete_sso_accounts': False, + 'custom_history_header': '', 'bg_domain_updates': False, 'enable_api_rr_history': True, 'preserve_history': False, diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py index 0d85d29..759316f 100644 --- a/powerdnsadmin/routes/admin.py +++ b/powerdnsadmin/routes/admin.py @@ -1391,6 +1391,7 @@ def setting_basic(): 'default_domain_table_size', 'default_record_table_size', 'delete_sso_accounts', + 'custom_history_header', 'deny_domain_override', 'dnssec_admins_only', 'enable_api_rr_history', diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py index 2c9a2cc..e764f91 100644 --- a/powerdnsadmin/routes/api.py +++ b/powerdnsadmin/routes/api.py @@ -48,6 +48,12 @@ user_detailed_schema = UserDetailedSchema() account_schema = AccountSchema(many=True) account_single_schema = AccountSchema() +def is_custom_header_api(): + custom_header_setting = Setting().get('custom_history_header') + if custom_header_setting != '' and custom_header_setting in request.headers: + return request.headers[custom_header_setting] + else: + return g.apikey.description def get_user_domains(): domains = db.session.query(Domain) \ @@ -1104,6 +1110,7 @@ def api_zone_forward(server_id, zone_id): domain = Domain() domain.update() status = resp.status_code + created_by_value=is_custom_header_api() if 200 <= status < 300: current_app.logger.debug("Request to powerdns API successful") if Setting().get('enable_api_rr_history'): @@ -1116,19 +1123,19 @@ def api_zone_forward(server_id, zone_id): 'add_rrsets': list(filter(lambda r: r['changetype'] == "REPLACE", data['rrsets'])), 'del_rrsets': list(filter(lambda r: r['changetype'] == "DELETE", data['rrsets'])) }), - created_by=g.apikey.description, + created_by=created_by_value, domain_id=Domain().get_id_by_name(zone_id.rstrip('.'))) history.add() elif request.method == 'DELETE': history = History(msg='Deleted zone {0}'.format(zone_id.rstrip('.')), detail='', - created_by=g.apikey.description, + created_by=created_by_value, domain_id=Domain().get_id_by_name(zone_id.rstrip('.'))) history.add() elif request.method != 'GET': history = History(msg='Updated zone {0}'.format(zone_id.rstrip('.')), detail='', - created_by=g.apikey.description, + created_by=created_by_value, domain_id=Domain().get_id_by_name(zone_id.rstrip('.'))) history.add() return resp.content, resp.status_code, resp.headers.items() @@ -1152,6 +1159,7 @@ def api_create_zone(server_id): if resp.status_code == 201: current_app.logger.debug("Request to powerdns API successful") + created_by_value=is_custom_header_api() data = request.get_json(force=True) if g.apikey.role.name not in ['Administrator', 'Operator']: @@ -1166,7 +1174,7 @@ def api_create_zone(server_id): history = History(msg='Add domain {0}'.format( data['name'].rstrip('.')), detail=json.dumps(data), - created_by=g.apikey.description, + created_by=created_by_value, domain_id=domain.get_id_by_name(data['name'].rstrip('.'))) history.add() From 84cfd165b4d3e34d15b024b9cbcc651b66aa8d8e Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 12 Mar 2023 10:27:04 -0400 Subject: [PATCH 07/77] Re-arranged side navigation to include the "Global Search" feature regardless of user role as the global search feature is now accessible to all users. Also moved the "Activity" feature link higher in the menu to remove duplicate code from the navigation code base. --- powerdnsadmin/templates/base.html | 34 +++++++++++++------------------ 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/powerdnsadmin/templates/base.html b/powerdnsadmin/templates/base.html index 5a47bd2..408f4be 100644 --- a/powerdnsadmin/templates/base.html +++ b/powerdnsadmin/templates/base.html @@ -101,14 +101,22 @@ {% endif %} - {% if current_user.role.name in ['Administrator', 'Operator'] %} -
  • Administration
    • -
  • - - -

    Global Search

    +
  • Administration
    • +
  • + + +

    Global Search

    +     +
    • + {% if current_user.role.name in ['Administrator', 'Operator'] or SETTING.get('allow_user_view_history') %} +
  • + + +

    Activity
    • + {% endif %} + {% if current_user.role.name in ['Administrator', 'Operator'] %}
  • @@ -121,12 +129,6 @@

    Server Configuration
    • -
  • - - -

    Activity

    -     -
  • @@ -189,14 +191,6 @@ {% endif %}
    • - {% elif SETTING.get('allow_user_view_history') %} -
  • Administration
    • -
  • - - -

    History

    -     -
    • {% endif %} {% endif %} From 0ac7a5a4537cb32b6aa22f4ca110a7dd27427171 Mon Sep 17 00:00:00 2001 From: Your Name Date: Sun, 12 Mar 2023 15:00:32 +0000 Subject: [PATCH 08/77] Added some explanation about some of the 'basic' settings in the admin --- docs/basic_settings.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/basic_settings.md diff --git a/docs/basic_settings.md b/docs/basic_settings.md new file mode 100644 index 0000000..6a47d6a --- /dev/null +++ b/docs/basic_settings.md @@ -0,0 +1,17 @@ +### PowerDNSAdmin basic settings + +PowerDNSAdmin has many features and settings available to be turned either off or on. +In this docs those settings will be explain. +To find the settings in the the dashboard go to settings>basic. + +allow_user_create_domain: This setting is used to allow users with the `user` role to create a domain, not possible by +default. + +allow_user_remove_domain: Same as `allow_user_create_domain` but for removing a domain. + +allow_user_view_history: Allow a user with the role `user` to view and access the history. + +custom_history_header: This is a string type variable, when inputting an header name, if exists in the request it will +be in the created_by column in the history, if empty or not mentioned will default to the api_key description. + +site_name: This will be the site name. From 695d7462958812ad3a3f411077988b2efae51bbe Mon Sep 17 00:00:00 2001 From: Your Name Date: Sun, 12 Mar 2023 15:32:32 +0000 Subject: [PATCH 09/77] Changed basic_settings.md path --- docs/{ => wiki/configuration}/basic_settings.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/{ => wiki/configuration}/basic_settings.md (100%) diff --git a/docs/basic_settings.md b/docs/wiki/configuration/basic_settings.md similarity index 100% rename from docs/basic_settings.md rename to docs/wiki/configuration/basic_settings.md From 3e9e73fb3a50bf9fbf149924b8b03d9abeb80836 Mon Sep 17 00:00:00 2001 From: Stefan Ubbink Date: Sun, 12 Mar 2023 20:40:19 +0100 Subject: [PATCH 10/77] Change domain(s) to zone(s) in the templates --- .../templates/admin_edit_account.html | 14 +++++++------- powerdnsadmin/templates/admin_edit_key.html | 18 +++++++++--------- powerdnsadmin/templates/admin_edit_user.html | 4 ++-- .../templates/admin_global_search.html | 2 +- powerdnsadmin/templates/admin_history.html | 8 ++++---- .../templates/admin_manage_account.html | 2 +- powerdnsadmin/templates/admin_manage_keys.html | 2 +- powerdnsadmin/templates/admin_manage_user.html | 2 +- .../admin_setting_authentication.html | 4 ++-- powerdnsadmin/templates/dashboard.html | 2 +- powerdnsadmin/templates/domain_add.html | 6 +++--- powerdnsadmin/templates/domain_changelog.html | 6 +++--- powerdnsadmin/templates/domain_remove.html | 4 ++-- powerdnsadmin/templates/domain_setting.html | 18 +++++++++--------- 14 files changed, 46 insertions(+), 46 deletions(-) diff --git a/powerdnsadmin/templates/admin_edit_account.html b/powerdnsadmin/templates/admin_edit_account.html index 4894df8..ca08ab7 100644 --- a/powerdnsadmin/templates/admin_edit_account.html +++ b/powerdnsadmin/templates/admin_edit_account.html @@ -96,7 +96,7 @@
    -

    Users on the right have access to manage records in all domains +

    Users on the right have access to manage records in all zones associated with the account.

    Click on users to move between columns.

    @@ -113,12 +113,12 @@
    -

    Domains on the right are associated with the account. Red marked domain names are +

    Zones on the right are associated with the account. Red marked zone names are already associated with other accounts. - Moving already associated domains to this account will overwrite the previous + Moving already associated zones to this account will overwrite the previous associated account.

    -

    Hover over the red domain names to show the associated account. Click on domains to +

    Hover over the red zone names to show the associated account. Click on zones to move between columns.

    From 1cea4b7ce324590a4ae1c8f675f432cd389d114b Mon Sep 17 00:00:00 2001 From: Nigel Kukard Date: Fri, 17 Mar 2023 03:44:08 +0000 Subject: [PATCH 21/77] feat(authentication): added password policy checker function --- powerdnsadmin/routes/index.py | 88 +++++++++++++++++++++++++++++++++++ requirements.txt | 1 + 2 files changed, 89 insertions(+) diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py index 72305a6..79768c7 100644 --- a/powerdnsadmin/routes/index.py +++ b/powerdnsadmin/routes/index.py @@ -5,6 +5,8 @@ import traceback import datetime import ipaddress import base64 +import string +from zxcvbn import zxcvbn from distutils.util import strtobool from yaml import Loader, load from flask import Blueprint, render_template, make_response, url_for, current_app, g, session, request, redirect, abort @@ -649,6 +651,92 @@ def logout(): return redirect(redirect_uri) +def password_policy_check(user, password): + + def check_policy(chars, user_password, setting): + lenreq = int(Setting().get(setting)) + test_string = user_password + for c in chars: + test_string = test_string.replace(c, '') + return (lenreq, len(user_password) - len(test_string)) + + def matches_policy(item, policy_fails): + return "*" if item in policy_fails else "" + + policy = [] + policy_fails = {} + + # If either policy is enabled check basics first ... this is obvious! + if Setting().get('pwd_enforce_characters') or Setting().get('pwd_enforce_complexity'): + # Cannot contain username + if user.username in password: + policy_fails["username"] = True + policy.append(f"{matches_policy('username', policy_fails)}cannot contain username") + + # Cannot contain password + if user.firstname in password: + policy_fails["firstname"] = True + policy.append(f"{matches_policy('firstname', policy_fails)}cannot contain firstname") + + # Cannot contain lastname + if user.lastname in password: + policy_fails["lastname"] = True + policy.append(f"{matches_policy('lastname', policy_fails)}cannot contain lastname") + + # Cannot contain email + if user.email in password: + policy_fails["email"] = True + policy.append(f"{matches_policy('email', policy_fails)}cannot contain email") + + # Check if we're enforcing character requirements + if Setting().get('pwd_enforce_characters'): + # Length + pwd_min_len_setting = int(Setting().get('pwd_min_len')) + pwd_len = len(password) + if pwd_len < pwd_min_len_setting: + policy_fails["length"] = True + policy.append(f"{matches_policy('length', policy_fails)}length={pwd_len}/{pwd_min_len_setting}") + # Digits + (pwd_min_digits_setting, pwd_digits) = check_policy(string.digits, password, 'pwd_min_digits') + if pwd_digits < pwd_min_digits_setting: + policy_fails["digits"] = True + policy.append(f"{matches_policy('digits', policy_fails)}digits={pwd_digits}/{pwd_min_digits_setting}") + # Lowercase + (pwd_min_lowercase_setting, pwd_lowercase) = check_policy(string.digits, password, 'pwd_min_lowercase') + if pwd_lowercase < pwd_min_lowercase_setting: + policy_fails["lowercase"] = True + policy.append(f"{matches_policy('lowercase', policy_fails)}lowercase={pwd_lowercase}/{pwd_min_lowercase_setting}") + # Uppercase + (pwd_min_uppercase_setting, pwd_uppercase) = check_policy(string.digits, password, 'pwd_min_uppercase') + if pwd_uppercase < pwd_min_uppercase_setting: + policy_fails["uppercase"] = True + policy.append(f"{matches_policy('uppercase', policy_fails)}uppercase={pwd_uppercase}/{pwd_min_uppercase_setting}") + # Special + (pwd_min_special_setting, pwd_special) = check_policy(string.digits, password, 'pwd_min_special') + if pwd_special < pwd_min_special_setting: + policy_fails["special"] = True + policy.append(f"{matches_policy('special', policy_fails)}special={pwd_special}/{pwd_min_special_setting}") + + if Setting().get('pwd_enforce_complexity'): + # Complexity checking + zxcvbn_inputs = [] + for input in (user.firstname, user.lastname, user.username, user.email): + if len(input): + zxcvbn_inputs.append(input) + + result = zxcvbn(password, user_inputs=zxcvbn_inputs) + pwd_min_complexity_setting = int(Setting().get('pwd_min_complexity')) + pwd_complexity = result['guesses_log10'] + if pwd_complexity < pwd_min_complexity_setting: + policy_fails["complexity"] = True + policy.append(f"{matches_policy('complexity', policy_fails)}complexity={pwd_complexity:.0f}/{pwd_min_complexity_setting}") + + policy_str = {"password": f"Fails policy: {', '.join(policy)}. Items prefixed with '*' failed."} + + # NK: the first item in the tuple indicates a PASS, so, we check for any True's and negate that + return (not any(policy_fails.values()), policy_str) + + @index_bp.route('/register', methods=['GET', 'POST']) def register(): CAPTCHA_ENABLE = current_app.config.get('CAPTCHA_ENABLE') diff --git a/requirements.txt b/requirements.txt index 83d1011..b8256b2 100644 --- a/requirements.txt +++ b/requirements.txt @@ -43,3 +43,4 @@ webcolors==1.12 werkzeug==2.1.2 zipp==3.11.0 rcssmin==1.1.1 +zxcvbn==4.4.28 \ No newline at end of file From fc14e9189d9b26c383384e5bf62095fe114650db Mon Sep 17 00:00:00 2001 From: Nigel Kukard Date: Fri, 17 Mar 2023 03:45:09 +0000 Subject: [PATCH 22/77] feat(authentication): check password policy during registration of new users --- powerdnsadmin/routes/index.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py index 79768c7..a21ad31 100644 --- a/powerdnsadmin/routes/index.py +++ b/powerdnsadmin/routes/index.py @@ -788,6 +788,10 @@ def register(): email=email ) + (password_policy_pass, password_policy) = password_policy_check(user, password) + if not password_policy_pass: + return render_template('register.html', error_messages=password_policy, captcha_enable=CAPTCHA_ENABLE) + try: result = user.create_local_user() if result and result['status']: From 64017195da56b5fcefce23e37367b83e2a404707 Mon Sep 17 00:00:00 2001 From: Nigel Kukard Date: Fri, 17 Mar 2023 03:45:37 +0000 Subject: [PATCH 23/77] feat(authentication): check password policy during user profile password change --- powerdnsadmin/routes/user.py | 13 +++++++++++++ powerdnsadmin/templates/user_profile.html | 19 ++++++++++++++----- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/powerdnsadmin/routes/user.py b/powerdnsadmin/routes/user.py index 65d7e08..adba502 100644 --- a/powerdnsadmin/routes/user.py +++ b/powerdnsadmin/routes/user.py @@ -9,6 +9,8 @@ from flask_login import current_user, login_required, login_manager from ..models.user import User, Anonymous from ..models.setting import Setting +from .index import password_policy_check + user_bp = Blueprint('user', __name__, @@ -79,12 +81,23 @@ def profile(): .format(current_user.username) }), 400) + (password_policy_pass, password_policy) = password_policy_check(current_user.get_user_info_by_username(), new_password) + if not password_policy_pass: + if request.data: + return make_response( + jsonify({ + 'status': 'error', + 'msg': password_policy['password'], + }), 400) + return render_template('user_profile.html', error_messages=password_policy) + user = User(username=current_user.username, plain_text_password=new_password, firstname=firstname, lastname=lastname, email=email, reload_info=False) + user.update_profile() return render_template('user_profile.html') diff --git a/powerdnsadmin/templates/user_profile.html b/powerdnsadmin/templates/user_profile.html index 3bb9971..ee161bb 100644 --- a/powerdnsadmin/templates/user_profile.html +++ b/powerdnsadmin/templates/user_profile.html @@ -34,13 +34,13 @@
    • - + Personal Info
      • {% if session['authentication_type'] == 'LOCAL' %}
    • - + Change Password
      • @@ -57,7 +57,8 @@
      -
      +
      @@ -91,7 +92,8 @@ {% if session['authentication_type'] == 'LOCAL' %} -
      +
      {% if not current_user.password %} Your account password is managed via LDAP which isn't supported to change here. @@ -101,8 +103,15 @@ value="{{ csrf_token() }}">
      - + {% if 'password' in error_messages %} +
      + + {{ error_messages['password'] }} +
      + {% endif %}
      From a25dda8ac14546ba8a72dec206513fc3949050bb Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 15:50:08 -0400 Subject: [PATCH 24/77] Made some formatting tweaks to the authentication settings view to unify section header styling. Corrected improper markup introduced by recent PR for password complexity requirements. --- .../admin_setting_authentication.html | 199 ++++++++++-------- 1 file changed, 115 insertions(+), 84 deletions(-) diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index 9ae899b..a4c0288 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -78,89 +78,99 @@

      Basic Settings

      -
      -
      -
      - - -
      -
      - - -
      +
      +
      + +
      +
      + +
      -
      -
      - PASSWORD REQUIREMENTS -
      +
      + + +
      +
      + Password Requirements
      + name="pwd_enforce_characters" + class="checkbox" + {% if SETTING.get('pwd_enforce_characters') %}checked{% endif %}>
      - + + name="pwd_min_len" id="pwd_min_len" + data-error="Please enter a minimum password length" + value="{{ SETTING.get('pwd_min_len') }}">
      - + + name="pwd_min_lowercase" + id="pwd_min_lowercase" + data-error="Please enter the minimum number of lowercase letters required" + value="{{ SETTING.get('pwd_min_lowercase') }}">
      - + + name="pwd_min_uppercase" + id="pwd_min_uppercase" + data-error="Please enter the minimum number of uppercase letters required" + value="{{ SETTING.get('pwd_min_uppercase') }}">
      - + + name="pwd_min_digits" id="pwd_min_digits" + data-error="Please enter the minimum number of digits required" + value="{{ SETTING.get('pwd_min_digits') }}">
      - + + name="pwd_min_special" id="pwd_min_special" + data-error="Please enter the minimum number of special characters required" + value="{{ SETTING.get('pwd_min_special') }}">
      + name="pwd_enforce_complexity" + class="checkbox" + {% if SETTING.get('pwd_enforce_complexity') %}checked{% endif %}>
      - + + name="pwd_min_complexity" + id="pwd_min_complexity" + data-error="Please enter the minimum password complexity required" + value="{{ SETTING.get('pwd_min_complexity') }}">
      -
      -
      + +
      - ADMINISTRATOR INFO + Administrator Info
      - FILTERS + Filters
      - GROUP SECURITY + Group Security
      @@ -738,7 +766,8 @@
      - +
      - +
      - +
      - GROUP SECURITY + Group Security
      @@ -1129,7 +1160,7 @@
      - AZURE GROUP ACCOUNT SYNC/CREATION + Azure Group Account Sync / Creation
      From 5c6cf77996266987480ac7b7331f8a6b28b21cce Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 16:42:05 -0400 Subject: [PATCH 25/77] Updated project README to include references to the new security policy. Moved the project's code of conduct out of the contributions guide and into the appropriate policy file. Updated the contribution guide to follow the NetBox project format. Added various issue templates based on the NetBox project formats but updated for PDA. Added additional GitHub workflows to handle stale and closed issue and PR management. Removed legacy stale issue workflow that was not in use. --- .github/ISSUE_TEMPLATE/bug_report.yaml | 78 ++++++++++ .github/ISSUE_TEMPLATE/config.yml | 12 ++ .../ISSUE_TEMPLATE/documentation_change.yaml | 40 +++++ .github/ISSUE_TEMPLATE/feature_request.yaml | 71 +++++++++ .github/ISSUE_TEMPLATE/housekeeping.yaml | 24 +++ .github/PULL_REQUEST_TEMPLATE.md | 14 ++ .github/stale.yml | 20 --- .github/workflows/lock.yml | 21 +++ .github/workflows/stale.yml | 45 ++++++ README.md | 8 +- docs/CODE_OF_CONDUCT.md | 74 +++++++++ docs/CONTRIBUTING.md | 145 ++++++++++-------- docs/SECURITY.md | 31 ++++ 13 files changed, 496 insertions(+), 87 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yaml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/documentation_change.yaml create mode 100644 .github/ISSUE_TEMPLATE/feature_request.yaml create mode 100644 .github/ISSUE_TEMPLATE/housekeeping.yaml create mode 100644 .github/PULL_REQUEST_TEMPLATE.md delete mode 100644 .github/stale.yml create mode 100644 .github/workflows/lock.yml create mode 100644 .github/workflows/stale.yml create mode 100644 docs/CODE_OF_CONDUCT.md create mode 100644 docs/SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml new file mode 100644 index 0000000..5bacd4e --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml @@ -0,0 +1,78 @@ +--- +name: 🐛 Bug Report +description: Report a reproducible bug in the current release of PDA +labels: ["type: bug"] +body: + - type: markdown + attributes: + value: > + **NOTE:** This form is only for reporting _reproducible bugs_ in a current PDA + installation. If you're having trouble with installation or just looking for + assistance with using PDA, please visit our + [discussion forum](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions) instead. + - type: input + attributes: + label: PDA version + description: What version of PDA are you currently running? + options: + - "0.4.0" + - "0.3.0" + - "0.2.5" + - "0.2.4" + - "0.2.3" + - "0.2.2" + - "0.2.1" + - "0.2" + - "0.1" + - "I'm Not Sure" + validations: + required: true + - type: dropdown + attributes: + label: Python version + description: What version of Python are you currently running? + options: + - "3.0" + - "3.1" + - "3.2" + - "3.3" + - "3.4" + - "3.5" + - "3.6" + - "3.7" + - "3.8" + - "3.9" + - "3.10" + - "3.11" + validations: + required: true + - type: textarea + attributes: + label: Steps to Reproduce + description: > + Describe in detail the exact steps that someone else can take to + reproduce this bug using the current stable release of PDA. Begin with the + creation of any necessary database objects and call out every operation being + performed explicitly. If reporting a bug in the REST API, be sure to reconstruct + the raw HTTP request(s) being made. Additionally, **do not rely on the demo instance** for reproducing + suspected bugs, as its data is prone to modification or deletion at any time. + placeholder: | + 1. Click on "create widget" + 2. Set foo to 12 and bar to G + 3. Click the "create" button + validations: + required: true + - type: textarea + attributes: + label: Expected Behavior + description: What did you expect to happen? + placeholder: A new zone record should have been created with the specified values + validations: + required: true + - type: textarea + attributes: + label: Observed Behavior + description: What happened instead? + placeholder: A TypeError exception was raised + validations: + required: true \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..98109af --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,12 @@ +# Reference: https://help.github.com/en/github/building-a-strong-community/configuring-issue-templates-for-your-repository#configuring-the-template-chooser +blank_issues_enabled: false +contact_links: + - name: 📖 Contributing Policy + url: https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/docs/CONTRIBUTING.md + about: "Please read through our contributing policy before opening an issue or pull request" + - name: ❓ Discussion + url: https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions + about: "If you're just looking for help, try starting a discussion instead" + - name: 💬 Project Chat + url: https://mattermost.powerdnsadmin.org/ + about: "Join our Mattermost chat to discuss the project with other users and developers" \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/documentation_change.yaml b/.github/ISSUE_TEMPLATE/documentation_change.yaml new file mode 100644 index 0000000..584d4b4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/documentation_change.yaml @@ -0,0 +1,40 @@ +--- +name: 📖 Documentation Change +description: Suggest an addition or modification to the PDA documentation +labels: ["type: documentation"] +body: + - type: dropdown + attributes: + label: Change Type + description: What type of change are you proposing? + options: + - Addition + - Correction + - Removal + - Cleanup (formatting, typos, etc.) + validations: + required: true + - type: dropdown + attributes: + label: Area + description: To what section of the documentation does this change primarily pertain? + options: + - Features + - Installation/upgrade + - Getting started + - Configuration + - Customization + - Database Setup + - Debug + - Integrations/API + - Administration + - Development + - Other + validations: + required: true + - type: textarea + attributes: + label: Proposed Changes + description: Describe the proposed changes and why they are necessary. + validations: + required: true \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/feature_request.yaml b/.github/ISSUE_TEMPLATE/feature_request.yaml new file mode 100644 index 0000000..b2e1934 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yaml @@ -0,0 +1,71 @@ +--- +name: ✨ Feature Request +description: Propose a new PDA feature or enhancement +labels: ["type: feature"] +body: + - type: markdown + attributes: + value: > + **NOTE:** This form is only for submitting well-formed proposals to extend or modify + PDA in some way. If you're trying to solve a problem but can't figure out how, or if + you still need time to work on the details of a proposed new feature, please start a + [discussion](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions) instead. + - type: input + attributes: + label: PDA version + description: What version of PDA are you currently running? + options: + - "0.4.0" + - "0.3.0" + - "0.2.5" + - "0.2.4" + - "0.2.3" + - "0.2.2" + - "0.2.1" + - "0.2" + - "0.1" + - "I'm Not Sure" + validations: + required: true + - type: dropdown + attributes: + label: Feature type + options: + - Data model modification + - App Setting Addition + - Default App Setting Change + - New functionality + - Change to existing functionality + validations: + required: true + - type: textarea + attributes: + label: Proposed functionality + description: > + Describe in detail the new feature or behavior you are proposing. Include any specific changes + to work flows, data models, and/or the user interface. The more detail you provide here, the + greater chance your proposal has of being discussed. Feature requests which don't include an + actionable implementation plan will be rejected. + validations: + required: true + - type: textarea + attributes: + label: Use case + description: > + Explain how adding this functionality would benefit PDA users. What need does it address? + validations: + required: true + - type: textarea + attributes: + label: Database changes + description: > + Note any changes to the database schema necessary to support the new feature. For example, + does the proposal require adding a new model or field? (Not all new features require database + changes.) + - type: textarea + attributes: + label: External dependencies + description: > + List any new dependencies on external libraries or services that this new feature would + introduce. For example, does the proposal require the installation of a new Python package? + (Not all new features introduce new dependencies.) \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/housekeeping.yaml b/.github/ISSUE_TEMPLATE/housekeeping.yaml new file mode 100644 index 0000000..dba7e3c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/housekeeping.yaml @@ -0,0 +1,24 @@ +--- +name: 🏡 Housekeeping +description: A change pertaining to the codebase itself (developers only) +labels: ["type: housekeeping"] +body: + - type: markdown + attributes: + value: > + **NOTE:** This template is for use by maintainers only. Please do not submit + an issue using this template unless you have been specifically asked to do so. + - type: textarea + attributes: + label: Proposed Changes + description: > + Describe in detail the new feature or behavior you'd like to propose. + Include any specific changes to work flows, data models, or the user interface. + validations: + required: true + - type: textarea + attributes: + label: Justification + description: Please provide justification for the proposed change(s). + validations: + required: true \ No newline at end of file diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..05a6611 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,14 @@ + +### Fixes: #1234 + + \ No newline at end of file diff --git a/.github/stale.yml b/.github/stale.yml deleted file mode 100644 index 0c0b1c3..0000000 --- a/.github/stale.yml +++ /dev/null @@ -1,20 +0,0 @@ -# Number of days of inactivity before an issue becomes stale -daysUntilStale: 60 -# Number of days of inactivity before a stale issue is closed -daysUntilClose: 7 -# Issues with these labels will never be considered stale -exemptLabels: - - pinned - - bug / broken-feature - - bug / security-vulnerability - - feature / request - - mod / help-wanted -# Label to use when marking an issue as stale -staleLabel: mod / stale -# Comment to post when marking an issue as stale. Set to `false` to disable -markComment: > - This issue has been automatically marked as stale because it has not had - recent activity. It will be closed if no further activity occurs. Thank you - for your contributions. -# Comment to post when closing a stale issue. Set to `false` to disable -closeComment: true diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml new file mode 100644 index 0000000..9385024 --- /dev/null +++ b/.github/workflows/lock.yml @@ -0,0 +1,21 @@ +# lock-threads (https://github.com/marketplace/actions/lock-threads) +name: 'Lock threads' + +on: + schedule: + - cron: '0 3 * * *' + workflow_dispatch: + +permissions: + issues: write + pull-requests: write + +jobs: + lock: + runs-on: ubuntu-latest + steps: + - uses: dessant/lock-threads@v3 + with: + issue-inactive-days: 90 + pr-inactive-days: 30 + issue-lock-reason: 'resolved' \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml new file mode 100644 index 0000000..66fd367 --- /dev/null +++ b/.github/workflows/stale.yml @@ -0,0 +1,45 @@ +# close-stale-issues (https://github.com/marketplace/actions/close-stale-issues) +name: 'Close stale issues/PRs' + +on: + schedule: + - cron: '0 4 * * *' + workflow_dispatch: + +permissions: + issues: write + pull-requests: write + +jobs: + stale: + + runs-on: ubuntu-latest + steps: + - uses: actions/stale@v6 + with: + close-issue-message: > + This issue has been automatically closed due to lack of activity. In an + effort to reduce noise, please do not comment any further. Note that the + core maintainers may elect to reopen this issue at a later date if deemed + necessary. + close-pr-message: > + This PR has been automatically closed due to lack of activity. + days-before-stale: 90 + days-before-close: 30 + exempt-issue-labels: 'status: accepted,status: blocked,status: needs milestone' + operations-per-run: 100 + remove-stale-when-updated: false + stale-issue-label: 'mod / stale' + stale-issue-message: > + This issue has been automatically marked as stale because it has not had + recent activity. It will be closed if no further activity occurs. PDA + is governed by a small group of core maintainers which means not all opened + issues may receive direct feedback. **Do not** attempt to circumvent this + process by "bumping" the issue; doing so will result in its immediate closure + and you may be barred from participating in any future discussions. Please see + our [contributing guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/docs/CONTRIBUTING.md). + stale-pr-label: 'mod / stale' + stale-pr-message: > + This PR has been automatically marked as stale because it has not had + recent activity. It will be closed automatically if no further action is + taken. \ No newline at end of file diff --git a/README.md b/README.md index 5d07f93..1cc644c 100644 --- a/README.md +++ b/README.md @@ -74,9 +74,13 @@ You can then access PowerDNS-Admin by pointing your browser to http://localhost: ## Contributing -Please see our [contributing guidelines](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/dev/docs/CONTRIBUTING.md). +Please see our [Contribution Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/dev/docs/CONTRIBUTING.md). + +## Code of Conduct + +Please see our [Code of Conduct Policy](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/dev/docs/CODE_OF_CONDUCT.md). ## License This project is released under the MIT license. For additional -information, [see here](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/LICENSE) +information, [see the full license](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/LICENSE). diff --git a/docs/CODE_OF_CONDUCT.md b/docs/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..54b10d7 --- /dev/null +++ b/docs/CODE_OF_CONDUCT.md @@ -0,0 +1,74 @@ +# Code of Conduct + +# Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or +advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at [admin@powerdnsadmin.org](mailto:admin@powerdnsadmin.org). All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index df50ba2..8c82a80 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -1,88 +1,103 @@ -# Contributing +# Contribution Guide -Before submitting new contributions to this repository, it is a good idea to start a discussion with the repository -maintainers on GitHub through the use of issues or discussions. This will help to ensure that your efforts don't get -wasted if the submission is not desirable for the project. +**Looking for help?** PDA has a somewhat active community of fellow users that may be able to provide assistance. Just [start a discussion](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions/new) right here on GitHub! -This is not to say that all contributions that have been discussed will be accepted either. As part of an ongoing -effort to clean up the codebase, some contributions may be rejected if they do not meet the standards of the project -which have not been fully defined yet. This is a work in progress. +
      +

      + :bug: Report a bug · + :bulb: Suggest a feature · + :arrow_heading_up: Submit a pull request +

      +

      + :rescue_worker_helmet: Become a maintainer · + :heart: Other ideas +

      +
      +

      -Please note we have a code of conduct, please follow it in all your interactions with the project. +Some general tips for engaging here on GitHub: -All pull requests should be based on the `dev` branch of this repository and not the `master` branch! +* Register for a free [GitHub account](https://github.com/signup) if you haven't already. +* You can use [GitHub Markdown](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax) for formatting text and adding images. +* To help mitigate notification spam, please avoid "bumping" issues with no activity. (To vote an issue up or down, use a :thumbsup: or :thumbsdown: reaction.) +* Please avoid pinging members with `@` unless they've previously expressed interest or involvement with that particular issue. -## Code of Conduct +## :bug: Reporting Bugs -### Our Pledge +* First, ensure that you're running the [latest stable version](https://github.com/PowerDNS-Admin/PowerDNS-Admin/releases) of PDA. If you're running an older version, there's a chance that the bug has already been fixed. -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, gender identity and expression, level of experience, -nationality, personal appearance, race, religion, or sexual identity and -orientation. +* Next, search our [issues list](https://github.com/PowerDNS-Admin/PowerDNS-Admin/issues?q=is%3Aissue) to see if the bug you've found has already been reported. If you come across a bug report that seems to match, please click "add a reaction" in the top right corner of the issue and add a thumbs up (:thumbsup:). This will help draw more attention to it. Any comments you can add to provide additional information or context would also be much appreciated. -### Our Standards +* If you can't find any existing issues (open or closed) that seem to match yours, you're welcome to [submit a new bug report](https://github.com/PowerDNS-Admin/PowerDNS-Admin/issues/new?label=type%3A+bug&template=bug_report.yaml). Be sure to complete the entire report template, including detailed steps that someone triaging your issue can follow to confirm the reported behavior. (If we're not able to replicate the bug based on the information provided, we'll ask for additional detail.) -Examples of behavior that contributes to creating a positive environment -include: +* Some other tips to keep in mind: + * Error messages and screenshots are especially helpful. + * Don't prepend your issue title with a label like `[Bug]`; the proper label will be assigned automatically. + * Verify that you have GitHub notifications enabled and are subscribed to your issue after submitting. + * We appreciate your patience as bugs are prioritized by their severity, impact, and difficulty to resolve. -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members +## :bulb: Feature Requests -Examples of unacceptable behavior by participants include: +* First, check the GitHub [issues list](https://github.com/PowerDNS-Admin/PowerDNS-Admin/issues?q=is%3Aissue) to see if the feature you have in mind has already been proposed. If you happen to find an open feature request that matches your idea, click "add a reaction" in the top right corner of the issue and add a thumbs up (:thumbsup:). This ensures that the issue has a better chance of receiving attention. Also feel free to add a comment with any additional justification for the feature. -* The use of sexualized language or imagery and unwelcome sexual attention or -advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic - address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting +* If you have a rough idea that's not quite ready for formal submission yet, start a [GitHub discussion](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions) instead. This is a great way to test the viability and narrow down the scope of a new feature prior to submitting a formal proposal, and can serve to generate interest in your idea from other community members. -### Our Responsibilities +* Once you're ready, submit a feature request [using this template](https://github.com/PowerDNS-Admin/PowerDNS-Admin/issues/new?label=type%3A+feature&template=feature_request.yaml). Be sure to provide sufficient context and detail to convey exactly what you're proposing and why. The stronger your use case, the better chance your proposal has of being accepted. -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. +* Some other tips to keep in mind: + * Don't prepend your issue title with a label like `[Feature]`; the proper label will be assigned automatically. + * Try to anticipate any likely questions about your proposal and provide that information proactively. + * Verify that you have GitHub notifications enabled and are subscribed to your issue after submitting. + * You're welcome to volunteer to implement your FR, but don't submit a pull request until it has been approved. -Project maintainers have the right and responsibility to remove, edit, or -reject comments, commits, code, wiki edits, issues, and other contributions -that are not aligned to this Code of Conduct, or to ban temporarily or -permanently any contributor for other behaviors that they deem inappropriate, -threatening, offensive, or harmful. +## :arrow_heading_up: Submitting Pull Requests -### Scope +* [Pull requests](https://docs.github.com/en/pull-requests) (a feature of GitHub) are used to propose changes to NetBox's code base. Our process generally goes like this: + * A user opens a new issue (bug report or feature request) + * A maintainer triages the issue and may mark it as needing an owner + * The issue's author can volunteer to own it, or someone else can + * A maintainer assigns the issue to whomever volunteers + * The issue owner submits a pull request that will resolve the issue + * A maintainer reviews and merges the pull request, closing the issue -This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers. +* It's very important that you not submit a pull request until a relevant issue has been opened **and** assigned to you. Otherwise, you risk wasting time on work that may ultimately not be needed. -### Enforcement +* New pull requests should generally be based off of the `dev` branch, rather than `master`. The `dev` branch is used for ongoing development, while `master` is used for tracking stable releases. -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at [admin@powerdnsadmin.org](mailto:admin@powerdnsadmin.org). All -complaints will be reviewed and investigated and will result in a response that -is deemed necessary and appropriate to the circumstances. The project team is -obligated to maintain confidentiality with regard to the reporter of an incident. -Further details of specific enforcement policies may be posted separately. +* In most cases, it is not necessary to add a changelog entry: A maintainer will take care of this when the PR is merged. (This helps avoid merge conflicts resulting from multiple PRs being submitted simultaneously.) -Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership. +* All code submissions should meet the following criteria (CI will eventually enforce these checks): + * Python syntax is valid + * PEP 8 compliance is enforced, with the exception that lines may be + greater than 80 characters in length -### Attribution +* Some other tips to keep in mind: + * If you'd like to volunteer for someone else's issue, please post a comment on that issue letting us know. (This will allow the maintainers to assign it to you.) + * All new functionality must include relevant tests where applicable. -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at [http://contributor-covenant.org/version/1/4][version] +## :rescue_worker_helmet: Become a Maintainer -[homepage]: http://contributor-covenant.org -[version]: http://contributor-covenant.org/version/1/4/ +We're always looking for motivated individuals to join the maintainers team and help drive PDA's long-term development. Some of our most sought-after skills include: + +* Python development with a strong focus on the [Flask](https://flask.palletsprojects.com/) and [Django](https://www.djangoproject.com/) frameworks +* Expertise working with SQLite, MySQL, and/or PostgreSQL databases +* Javascript & TypeScript proficiency +* A knack for web application design (HTML & CSS) +* Familiarity with git and software development best practices +* Excellent attention to detail +* Working experience in the field of network operations as it relates to the use of DNS (Domain Name System) servers. + +We generally ask that maintainers dedicate around four hours of work to the project each week on average, which includes both hands-on development and project management tasks such as issue triage. + +We do maintain an active Mattermost instance for internal communication, but we also use GitHub issues for project management. + +Some maintainers petition their employer to grant some of their paid time to work on PDA. + +Interested? You can contact our lead maintainer, Matt Scott, at admin@powerdnsadmin.org. We'd love to have you on the team! + +## :heart: Other Ways to Contribute + +You don't have to be a developer to contribute to PDA: There are plenty of other ways you can add value to the community! Below are just a few examples: + +* Help answer questions and provide feedback in our [GitHub discussions](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions). +* Write a blog article or record a YouTube video demonstrating how PDA is used at your organization. diff --git a/docs/SECURITY.md b/docs/SECURITY.md new file mode 100644 index 0000000..bd91d36 --- /dev/null +++ b/docs/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy + +## No Warranty + +Per the terms of the MIT license, PDA is offered "as is" and without any guarantee or warranty pertaining to its operation. While every reasonable effort is made by its maintainers to ensure the product remains free of security vulnerabilities, users are ultimately responsible for conducting their own evaluations of each software release. + +## Recommendations + +Administrators are encouraged to adhere to industry best practices concerning the secure operation of software, such as: + +* Do not expose your PDA installation to the public Internet +* Do not permit multiple users to share an account +* Enforce minimum password complexity requirements for local accounts +* Prohibit access to your database from clients other than the PDA application +* Keep your deployment updated to the most recent stable release + +## Reporting a Suspected Vulnerability + +If you believe you've uncovered a security vulnerability and wish to report it confidentially, you may do so via email. Please note that any reported vulnerabilities **MUST** meet all the following conditions: + +* Affects the most recent stable release of PDA, or a current beta release +* Affects a PDA instance installed and configured per the official documentation +* Is reproducible following a prescribed set of instructions + +Please note that we **DO NOT** accept reports generated by automated tooling which merely suggest that a file or file(s) _may_ be vulnerable under certain conditions, as these are most often innocuous. + +If you believe that you've found a vulnerability which meets all of these conditions, please [submit a draft security advisory](https://github.com/PowerDNS-Admin/PowerDNS-Admin/security/advisories/new) on GitHub, or email a brief description of the suspected bug and instructions for reproduction to **admin@powerdnsadmin.org**. + +### Bug Bounties + +As PDA is provided as free open source software, we do not offer any monetary compensation for vulnerability or bug reports, however your contributions are greatly appreciated. \ No newline at end of file From 4b3759d140a3a16de1ba191658203481676fe64f Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 16:46:34 -0400 Subject: [PATCH 26/77] Relocated new security policy to the project root to meet GitHub feature expectations. --- docs/SECURITY.md => SECURITY.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/SECURITY.md => SECURITY.md (100%) diff --git a/docs/SECURITY.md b/SECURITY.md similarity index 100% rename from docs/SECURITY.md rename to SECURITY.md From 23d6dd1fde02ff6cd117a354bae58a7c43fda271 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 16:48:11 -0400 Subject: [PATCH 27/77] Updated project README to include reference to new security policy. --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 1cc644c..ea2c1a1 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,10 @@ You can then access PowerDNS-Admin by pointing your browser to http://localhost: ![dashboard](docs/screenshots/dashboard.png) +## Security Issues / Reports + +Please see our [Security Policy](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/dev/SECURITY.md). + ## Contributing Please see our [Contribution Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/dev/docs/CONTRIBUTING.md). From fc6d8505b7c7ecc0272d16125e9770f05d85d491 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 17:29:05 -0400 Subject: [PATCH 28/77] Corrected an input type mistake in the bug report and feature request templates. Corrected URL mistake in the issue template config.yml file. Updated project README policy reference URLs to use master branch. --- .github/ISSUE_TEMPLATE/bug_report.yaml | 2 +- .github/ISSUE_TEMPLATE/config.yml | 2 +- .github/ISSUE_TEMPLATE/feature_request.yaml | 2 +- README.md | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index 5bacd4e..640cff8 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml @@ -10,7 +10,7 @@ body: installation. If you're having trouble with installation or just looking for assistance with using PDA, please visit our [discussion forum](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions) instead. - - type: input + - type: dropdown attributes: label: PDA version description: What version of PDA are you currently running? diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 98109af..1ecb2e9 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -2,7 +2,7 @@ blank_issues_enabled: false contact_links: - name: 📖 Contributing Policy - url: https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/docs/CONTRIBUTING.md + url: https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CONTRIBUTING.md about: "Please read through our contributing policy before opening an issue or pull request" - name: ❓ Discussion url: https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions diff --git a/.github/ISSUE_TEMPLATE/feature_request.yaml b/.github/ISSUE_TEMPLATE/feature_request.yaml index b2e1934..fa1db00 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yaml +++ b/.github/ISSUE_TEMPLATE/feature_request.yaml @@ -10,7 +10,7 @@ body: PDA in some way. If you're trying to solve a problem but can't figure out how, or if you still need time to work on the details of a proposed new feature, please start a [discussion](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions) instead. - - type: input + - type: dropdown attributes: label: PDA version description: What version of PDA are you currently running? diff --git a/README.md b/README.md index ea2c1a1..c16bbca 100644 --- a/README.md +++ b/README.md @@ -74,15 +74,15 @@ You can then access PowerDNS-Admin by pointing your browser to http://localhost: ## Security Issues / Reports -Please see our [Security Policy](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/dev/SECURITY.md). +Please see our [Security Policy](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/SECURITY.md). ## Contributing -Please see our [Contribution Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/dev/docs/CONTRIBUTING.md). +Please see our [Contribution Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CONTRIBUTING.md). ## Code of Conduct -Please see our [Code of Conduct Policy](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/dev/docs/CODE_OF_CONDUCT.md). +Please see our [Code of Conduct Policy](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CODE_OF_CONDUCT.md). ## License From ae16e9868ae3555c4a6c2185229a6b42b8b072fc Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 17:48:07 -0400 Subject: [PATCH 29/77] Corrected project name reference mistake in contribution guide. --- docs/CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 8c82a80..8acf50c 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -52,7 +52,7 @@ Some general tips for engaging here on GitHub: ## :arrow_heading_up: Submitting Pull Requests -* [Pull requests](https://docs.github.com/en/pull-requests) (a feature of GitHub) are used to propose changes to NetBox's code base. Our process generally goes like this: +* [Pull requests](https://docs.github.com/en/pull-requests) (a feature of GitHub) are used to propose changes to PDA's code base. Our process generally goes like this: * A user opens a new issue (bug report or feature request) * A maintainer triages the issue and may mark it as needing an owner * The issue's author can volunteer to own it, or someone else can From 687571101f52dde9d662c1c34edb2b07f68bc375 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 17:56:59 -0400 Subject: [PATCH 30/77] Updated stale issue / PR workflow to include proper exceptions. --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 66fd367..d0a3e0d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -26,7 +26,7 @@ jobs: This PR has been automatically closed due to lack of activity. days-before-stale: 90 days-before-close: 30 - exempt-issue-labels: 'status: accepted,status: blocked,status: needs milestone' + exempt-issue-labels: 'mod / announcement, mod / accepted, mod / reviewing, mod / testing' operations-per-run: 100 remove-stale-when-updated: false stale-issue-label: 'mod / stale' From 3294ed80f3d16fe62408569064ecbecde91a57d9 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 18:03:18 -0400 Subject: [PATCH 31/77] Updated labels for the issue templates. --- .github/ISSUE_TEMPLATE/bug_report.yaml | 2 +- .github/ISSUE_TEMPLATE/documentation_change.yaml | 2 +- .github/ISSUE_TEMPLATE/feature_request.yaml | 2 +- .github/ISSUE_TEMPLATE/housekeeping.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index 640cff8..0c5a2d7 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml @@ -1,7 +1,7 @@ --- name: 🐛 Bug Report description: Report a reproducible bug in the current release of PDA -labels: ["type: bug"] +labels: ["bug / broken-feature"] body: - type: markdown attributes: diff --git a/.github/ISSUE_TEMPLATE/documentation_change.yaml b/.github/ISSUE_TEMPLATE/documentation_change.yaml index 584d4b4..0b34991 100644 --- a/.github/ISSUE_TEMPLATE/documentation_change.yaml +++ b/.github/ISSUE_TEMPLATE/documentation_change.yaml @@ -1,7 +1,7 @@ --- name: 📖 Documentation Change description: Suggest an addition or modification to the PDA documentation -labels: ["type: documentation"] +labels: ["docs / request"] body: - type: dropdown attributes: diff --git a/.github/ISSUE_TEMPLATE/feature_request.yaml b/.github/ISSUE_TEMPLATE/feature_request.yaml index fa1db00..e649c61 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yaml +++ b/.github/ISSUE_TEMPLATE/feature_request.yaml @@ -1,7 +1,7 @@ --- name: ✨ Feature Request description: Propose a new PDA feature or enhancement -labels: ["type: feature"] +labels: ["feature / request"] body: - type: markdown attributes: diff --git a/.github/ISSUE_TEMPLATE/housekeeping.yaml b/.github/ISSUE_TEMPLATE/housekeeping.yaml index dba7e3c..2d8e5df 100644 --- a/.github/ISSUE_TEMPLATE/housekeeping.yaml +++ b/.github/ISSUE_TEMPLATE/housekeeping.yaml @@ -1,7 +1,7 @@ --- name: 🏡 Housekeeping description: A change pertaining to the codebase itself (developers only) -labels: ["type: housekeeping"] +labels: ["mod / change-request"] body: - type: markdown attributes: From 763f06a830bae24ce16b8580a09323bac3c79f80 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 18:16:06 -0400 Subject: [PATCH 32/77] Corrected URL mistake in stale issue / PR workflow. --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index d0a3e0d..2c6284c 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -37,7 +37,7 @@ jobs: issues may receive direct feedback. **Do not** attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see - our [contributing guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/docs/CONTRIBUTING.md). + our [contributing guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CONTRIBUTING.md). stale-pr-label: 'mod / stale' stale-pr-message: > This PR has been automatically marked as stale because it has not had From 2ca712af4951b3a5f9729ec424414203c495a6da Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 17 Mar 2023 18:25:05 -0400 Subject: [PATCH 33/77] Updated the stale issue / PR workflow to include better verbiage for the contribution guide. Also updated the stale issue / PR workflow to exclude security vulnerabilities. --- .github/workflows/stale.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 2c6284c..666cab7 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -26,7 +26,7 @@ jobs: This PR has been automatically closed due to lack of activity. days-before-stale: 90 days-before-close: 30 - exempt-issue-labels: 'mod / announcement, mod / accepted, mod / reviewing, mod / testing' + exempt-issue-labels: 'bug / security-vulnerability, mod / announcement, mod / accepted, mod / reviewing, mod / testing' operations-per-run: 100 remove-stale-when-updated: false stale-issue-label: 'mod / stale' @@ -37,7 +37,7 @@ jobs: issues may receive direct feedback. **Do not** attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see - our [contributing guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CONTRIBUTING.md). + our [Contribution Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CONTRIBUTING.md). stale-pr-label: 'mod / stale' stale-pr-message: > This PR has been automatically marked as stale because it has not had From d716f8cc880e8048d89618509d964cd6dac8b6c3 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 18 Mar 2023 08:48:07 -0400 Subject: [PATCH 34/77] Updated various yaml files to include proper opening lines. Tweaked the name of the stale threads workflow. --- .github/ISSUE_TEMPLATE/config.yml | 1 + .github/dependabot.yml | 1 + .github/labels.yml | 4 ++++ .github/workflows/build-and-publish.yml | 2 +- .github/workflows/codeql-analysis.yml | 1 + .github/workflows/lock.yml | 1 + .github/workflows/stale.yml | 2 +- 7 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 1ecb2e9..6aba80c 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,3 +1,4 @@ +--- # Reference: https://help.github.com/en/github/building-a-strong-community/configuring-issue-templates-for-your-repository#configuring-the-template-chooser blank_issues_enabled: false contact_links: diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 68dd932..898c594 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,3 +1,4 @@ +--- version: 2 updates: - package-ecosystem: npm diff --git a/.github/labels.yml b/.github/labels.yml index c113abb..e17cd97 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -1,3 +1,4 @@ +--- labels: - name: bug / broken-feature description: Existing feature malfunctioning or broken @@ -38,6 +39,9 @@ labels: - name: mod / announcement description: This is an admin announcement color: 'e5ef23' + - name: mod / change-request + description: Used by internal developers to indicate a change-request. + color: 'e5ef23' - name: mod / changes-requested description: Changes have been requested before proceeding color: 'e5ef23' diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index f76ed98..74085f0 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -1,3 +1,4 @@ +--- name: 'Docker Image' on: @@ -42,7 +43,6 @@ jobs: - name: Docker Image Build uses: docker/build-push-action@v2 - #if: github.ref == 'refs/heads/master' with: context: ./ file: ./docker/Dockerfile diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7f2f148..b54abf1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,3 +1,4 @@ +--- # For most projects, this workflow file will not need changing; you simply need # to commit it to your repository. # diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 9385024..2005b45 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -1,3 +1,4 @@ +--- # lock-threads (https://github.com/marketplace/actions/lock-threads) name: 'Lock threads' diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 666cab7..b14dc66 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,5 +1,5 @@ # close-stale-issues (https://github.com/marketplace/actions/close-stale-issues) -name: 'Close stale issues/PRs' +name: 'Close Stale Threads' on: schedule: From 340e84ab893f671ac1b46f18d1b7a7e0351e9f9c Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 18 Mar 2023 08:52:39 -0400 Subject: [PATCH 35/77] Updated MegaLinter workflow to include a manual dispatch option. --- .github/workflows/mega-linter.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 943d3a3..fec231e 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -4,6 +4,7 @@ name: MegaLinter on: + workflow_dispatch: push: branches-ignore: - "*" From f44ff7d26149f14524afebec28aa41e9893c7ced Mon Sep 17 00:00:00 2001 From: Nigel Kukard Date: Sat, 18 Mar 2023 19:14:58 +0000 Subject: [PATCH 36/77] fix: fixed session clearing and let logout_user take care of cleanup It seems when logging in and logging out, then logging back in, setting the session timeout to 5 minutes, then waiting for expiry can cause a situation when using SQLA-based sessions which results in a NULL field in the database and causes a persistent 500 Internal Server Error. As per issue 1439 here is a fix found by @raunz. Resolves #1439. Tested for about 8 hours and tons and tons of expired sessions, could not reproduce with the fix applied. --- powerdnsadmin/routes/index.py | 1 - 1 file changed, 1 deletion(-) diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py index a21ad31..19fd277 100644 --- a/powerdnsadmin/routes/index.py +++ b/powerdnsadmin/routes/index.py @@ -528,7 +528,6 @@ def clear_session(): session.pop('google_token', None) session.pop('authentication_type', None) session.pop('remote_user', None) - session.clear() logout_user() From 138532fb95ed803a26299ad4da43be245d05519b Mon Sep 17 00:00:00 2001 From: Nigel Kukard Date: Sat, 18 Mar 2023 20:27:02 +0000 Subject: [PATCH 37/77] fix: allow the specification of any combination of groups in LDAP group security configuration Previous behavior required the specification of all three group security groups before the "Save Settings" button would be enabled. This adds a check into users.py which checks that the group is set before searching and removes the javascript preventing the specification of any combination of groups. Tested: - Tested all combinations on AD after MR 1238 - Tested all combinations on OpenLDAP - Tested enabling the Group Security with no groups set which correctly prevents login Resolves #1462 --- powerdnsadmin/models/user.py | 25 ++++++------------- .../admin_setting_authentication.html | 6 ----- 2 files changed, 8 insertions(+), 23 deletions(-) diff --git a/powerdnsadmin/models/user.py b/powerdnsadmin/models/user.py index 24b43e9..e989aa0 100644 --- a/powerdnsadmin/models/user.py +++ b/powerdnsadmin/models/user.py @@ -255,33 +255,24 @@ class User(db.Model): if LDAP_TYPE == 'ldap': groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP) current_app.logger.debug('Ldap groupSearchFilter {0}'.format(groupSearchFilter)) - if (self.ldap_search(groupSearchFilter, - LDAP_ADMIN_GROUP)): + if (LDAP_ADMIN_GROUP and self.ldap_search(groupSearchFilter, LDAP_ADMIN_GROUP)): role_name = 'Administrator' current_app.logger.info( 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin' - .format(self.username, - LDAP_ADMIN_GROUP)) - elif (self.ldap_search(groupSearchFilter, - LDAP_OPERATOR_GROUP)): + .format(self.username, LDAP_ADMIN_GROUP)) + elif (LDAP_OPERATOR_GROUP and self.ldap_search(groupSearchFilter, LDAP_OPERATOR_GROUP)): role_name = 'Operator' current_app.logger.info( 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin' - .format(self.username, - LDAP_OPERATOR_GROUP)) - elif (self.ldap_search(groupSearchFilter, - LDAP_USER_GROUP)): + .format(self.username, LDAP_OPERATOR_GROUP)) + elif (LDAP_USER_GROUP and self.ldap_search(groupSearchFilter, LDAP_USER_GROUP)): current_app.logger.info( 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin' - .format(self.username, - LDAP_USER_GROUP)) + .format(self.username, LDAP_USER_GROUP)) else: current_app.logger.error( - 'User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin' - .format(self.username, - LDAP_ADMIN_GROUP, - LDAP_OPERATOR_GROUP, - LDAP_USER_GROUP)) + 'User {0} is not part of any security groups that allow access to PowerDNS-Admin' + .format(self.username)) return False elif LDAP_TYPE == 'ad': ldap_group_security_roles = OrderedDict( diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index a4c0288..c545958 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -1772,12 +1772,6 @@ $('#ldap_filter_username').prop('required', true); $('#ldap_filter_groupname').prop('required', true); - if ($('#ldap_sg_on').is(":checked")) { - $('#ldap_admin_group').prop('required', true); - $('#ldap_operator_group').prop('required', true); - $('#ldap_user_group').prop('required', true); - } - if ($('#autoprovisioning_on').is(":checked")) { $('#autoprovisioning_attribute').prop('required', true); $('#urn_value').prop('required', true); From 33614ae1028932bdda8913bb8c3b8dd8071e72a0 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 18 Mar 2023 19:20:36 -0400 Subject: [PATCH 38/77] Updated invalid value in dependabot workflow. --- .github/dependabot.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 898c594..29095aa 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,7 +8,8 @@ updates: ignore: - dependency-name: "*" update-types: [ "version-update:semver-major" ] - labels: feature / dependency + labels: + - 'feature / dependency' - package-ecosystem: pip directory: / schedule: @@ -16,4 +17,5 @@ updates: ignore: - dependency-name: "*" update-types: [ "version-update:semver-major" ] - labels: feature / dependency + labels: + - 'feature / dependency' From 78e8d9950dc7a52d6eb656dba02b7c00e12e0690 Mon Sep 17 00:00:00 2001 From: Nigel Kukard Date: Sat, 18 Mar 2023 23:22:01 +0000 Subject: [PATCH 39/77] fix: upgrade setuptools to fix CVE-2022-40897 --- requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index c6fcaf4..a802163 100644 --- a/requirements.txt +++ b/requirements.txt @@ -44,4 +44,5 @@ werkzeug==2.1.2 zipp==3.11.0 rcssmin==1.1.1 zxcvbn==4.4.28 -psycopg2==2.9.5 \ No newline at end of file +psycopg2==2.9.5 +setuptools==65.5.1 # fixes CVE-2022-40897 \ No newline at end of file From e7547ff8d3c0e4570c6d8b0d43c3c17a0ef10613 Mon Sep 17 00:00:00 2001 From: Nigel Kukard Date: Sat, 18 Mar 2023 23:43:51 +0000 Subject: [PATCH 40/77] fix: fix for CVE-2023-0286 & CVE-2023-23931 - cryptography update to 39.0.2 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index a802163..0db7b16 100644 --- a/requirements.txt +++ b/requirements.txt @@ -17,7 +17,7 @@ bravado-core==5.17.1 certifi==2022.12.7 cffi==1.15.1 configobj==5.0.8 -cryptography==36.0.2 +cryptography==39.0.2 # fixes CVE-2023-0286, CVE-2023-23931 cssmin==0.2.0 dnspython>=2.3.0 flask_session_captcha==1.3.0 From 522705a52bfe4fb3e2e6cf03223671778da6cf87 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 18 Mar 2023 20:49:01 -0400 Subject: [PATCH 41/77] Updated dependabot configuration to target the dev branch. --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 29095aa..482207e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -2,6 +2,7 @@ version: 2 updates: - package-ecosystem: npm + target-branch: dev directory: / schedule: interval: daily @@ -11,6 +12,7 @@ updates: labels: - 'feature / dependency' - package-ecosystem: pip + target-branch: dev directory: / schedule: interval: daily From 5acbabaed5e7ee7d4886eefac87881e08d09ac65 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 18 Mar 2023 20:55:20 -0400 Subject: [PATCH 42/77] Updated project README to include donation section. --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index c16bbca..94d0133 100644 --- a/README.md +++ b/README.md @@ -88,3 +88,9 @@ Please see our [Code of Conduct Policy](https://github.com/PowerDNS-Admin/PowerD This project is released under the MIT license. For additional information, [see the full license](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/LICENSE). + +## Donate + +Like my work? + +Buy Me A Coffee \ No newline at end of file From 506a75300abf8f3b30106769b7751e32fc8c01e0 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 18 Mar 2023 21:45:28 -0400 Subject: [PATCH 43/77] Added GitHub sponsors configuration. --- .github/FUNDING.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..18e85f0 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +github: [AzorianSolutions] \ No newline at end of file From e11f55523d7c2d6158f9cca6e0ad3c996e71a7ba Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 19 Mar 2023 12:36:44 -0400 Subject: [PATCH 44/77] Corrected minor formatting issue with project's Code of Conduct policy. --- docs/CODE_OF_CONDUCT.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/CODE_OF_CONDUCT.md b/docs/CODE_OF_CONDUCT.md index 54b10d7..ed3cb47 100644 --- a/docs/CODE_OF_CONDUCT.md +++ b/docs/CODE_OF_CONDUCT.md @@ -1,6 +1,6 @@ # Code of Conduct -# Our Pledge +## Our Pledge In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and From 6b9638ca19aa984eff861a667368a95903e7b32c Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 19 Mar 2023 12:39:44 -0400 Subject: [PATCH 45/77] Updated Security section header of the project README. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 94d0133..b9f9da5 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,7 @@ You can then access PowerDNS-Admin by pointing your browser to http://localhost: ![dashboard](docs/screenshots/dashboard.png) -## Security Issues / Reports +## Security Policy Please see our [Security Policy](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/SECURITY.md). From ba19943c64eccacfbf0a00c72d97a75af783e69d Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 19 Mar 2023 15:09:52 -0400 Subject: [PATCH 46/77] Updated stale thread workflow with updated message verbiage. Updated lock thread workflow to properly exclude threads with specific labels. --- .github/workflows/lock.yml | 4 +++- .github/workflows/stale.yml | 7 ++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 2005b45..cf6f0b3 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -19,4 +19,6 @@ jobs: with: issue-inactive-days: 90 pr-inactive-days: 30 - issue-lock-reason: 'resolved' \ No newline at end of file + issue-lock-reason: 'resolved' + exclude-any-issue-labels: 'bug / security-vulnerability, mod / announcement, mod / accepted, mod / reviewing, mod / testing' + exclude-any-pr-labels: 'bug / security-vulnerability, mod / announcement, mod / accepted, mod / reviewing, mod / testing' \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index b14dc66..9b565ec 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -36,10 +36,11 @@ jobs: is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. **Do not** attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure - and you may be barred from participating in any future discussions. Please see - our [Contribution Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CONTRIBUTING.md). + and you may be barred from participating in any future discussions. Please see our + [Contribution Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CONTRIBUTING.md). stale-pr-label: 'mod / stale' stale-pr-message: > This PR has been automatically marked as stale because it has not had recent activity. It will be closed automatically if no further action is - taken. \ No newline at end of file + taken. Please see our + [Contribution Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/docs/CONTRIBUTING.md). \ No newline at end of file From f6009ba47b7e26984c4a44b2c0feb7f761d31ded Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 19 Mar 2023 17:02:45 -0400 Subject: [PATCH 47/77] Updated CodeQL workflow to exclude non-relevant project paths. --- .github/workflows/codeql-analysis.yml | 64 ++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b54abf1..9f4b66f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -15,10 +15,70 @@ name: "CodeQL" on: workflow_dispatch: push: - branches: [ dev, master ] + branches: + - 'dev' + - 'main' + - 'master' + - 'dependabot/**' + - 'feature/**' + - 'issue/**' + paths-ignore: + - .github/** + - deploy/** + - docker/** + - docker-test/** + - docs/** + - powerdnsadmin/static/assets/** + - powerdnsadmin/static/custom/css/** + - powerdnsadmin/static/img/** + - powerdnsadmin/swagger-spec.yaml + - .dockerignore + - .gitattributes + - .gitignore + - .lgtm.yml + - .whitesource + - .yarnrc + - docker-compose.yml + - docker-compose-test.yml + - LICENSE + - package.json + - README.md + - requirements.txt + - SECURITY.md + - yarn.lock pull_request: # The branches below must be a subset of the branches above - branches: [ dev, master ] + branches: + - 'dev' + - 'main' + - 'master' + - 'dependabot/**' + - 'feature/**' + - 'issue/**' + paths-ignore: + - .github/** + - deploy/** + - docker/** + - docker-test/** + - docs/** + - powerdnsadmin/static/assets/** + - powerdnsadmin/static/custom/css/** + - powerdnsadmin/static/img/** + - powerdnsadmin/swagger-spec.yaml + - .dockerignore + - .gitattributes + - .gitignore + - .lgtm.yml + - .whitesource + - .yarnrc + - docker-compose.yml + - docker-compose-test.yml + - LICENSE + - package.json + - README.md + - requirements.txt + - SECURITY.md + - yarn.lock schedule: - cron: '45 2 * * 2' From 419bf358921a0fad157f0f00f107deb8e132ed9f Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 19 Mar 2023 17:05:30 -0400 Subject: [PATCH 48/77] Updated build-and-publish workflow to exclude non-relevant project paths. --- .github/workflows/build-and-publish.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 74085f0..9eb0fff 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -9,6 +9,22 @@ on: - 'master' tags: - 'v*.*.*' + paths-ignore: + - .github/** + - deploy/** + - docker-test/** + - docs/** + - .dockerignore + - .gitattributes + - .gitignore + - .lgtm.yml + - .whitesource + - .yarnrc + - docker-compose.yml + - docker-compose-test.yml + - LICENSE + - README.md + - SECURITY.md jobs: build-and-push-docker-image: From 271f48306253401acd786edc95201fbe2284fd2d Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Tue, 21 Mar 2023 19:09:48 -0400 Subject: [PATCH 49/77] Updated project README to include organization sponsorship reference. --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b9f9da5..cd0c3dd 100644 --- a/README.md +++ b/README.md @@ -89,8 +89,10 @@ Please see our [Code of Conduct Policy](https://github.com/PowerDNS-Admin/PowerD This project is released under the MIT license. For additional information, [see the full license](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/LICENSE). -## Donate +## [Donate](https://www.buymeacoffee.com/AzorianMatt) Like my work? -Buy Me A Coffee \ No newline at end of file +Buy Me A Coffee + +**Want to sponsor me?** Please visit my organization's [sponsorship page](https://github.com/sponsors/AzorianSolutions). From a9548008691e033279062489d2e52bbb537ea867 Mon Sep 17 00:00:00 2001 From: Nigel Kukard Date: Wed, 22 Mar 2023 01:27:52 +0000 Subject: [PATCH 50/77] fix(api): fixed internal server error being generated from invalid UTF-8 encoded X-API-KEY --- powerdnsadmin/decorators.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/powerdnsadmin/decorators.py b/powerdnsadmin/decorators.py index c6905ba..cfa5f9d 100644 --- a/powerdnsadmin/decorators.py +++ b/powerdnsadmin/decorators.py @@ -460,10 +460,8 @@ def apikey_auth(f): if auth_header: try: apikey_val = str(base64.b64decode(auth_header), 'utf-8') - except binascii.Error as e: - current_app.logger.error( - 'Invalid base64-encoded of credential. Error {0}'.format( - e)) + except (binascii.Error, UnicodeDecodeError) as e: + current_app.logger.error('Invalid base64-encoded X-API-KEY. Error {0}'.format(e)) abort(401) except TypeError as e: current_app.logger.error('Error: {0}'.format(e)) From 15e29b6771741a2b2b25e76845d99dcb28a817e1 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Fri, 24 Mar 2023 19:42:35 -0400 Subject: [PATCH 51/77] Added references to the project's discord server. --- .github/SUPPORT.md | 15 +++++++++++++++ README.md | 6 ++++++ docs/CONTRIBUTING.md | 4 +++- 3 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 .github/SUPPORT.md diff --git a/.github/SUPPORT.md b/.github/SUPPORT.md new file mode 100644 index 0000000..e0df5a6 --- /dev/null +++ b/.github/SUPPORT.md @@ -0,0 +1,15 @@ +# PowerDNS Admin + +## Project Support + +**Looking for help?** PDA has a somewhat active community of fellow users that may be able to provide assistance. +Just [start a discussion](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions/new) right here on GitHub! + +Looking to chat with someone? Join our [Discord Server](https://discord.powerdnsadmin.org). + +Some general tips for engaging here on GitHub: + +* Register for a free [GitHub account](https://github.com/signup) if you haven't already. +* You can use [GitHub Markdown](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax) for formatting text and adding images. +* To help mitigate notification spam, please avoid "bumping" issues with no activity. (To vote an issue up or down, use a :thumbsup: or :thumbsdown: reaction.) +* Please avoid pinging members with `@` unless they've previously expressed interest or involvement with that particular issue. diff --git a/README.md b/README.md index cd0c3dd..6070d5f 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,12 @@ You can then access PowerDNS-Admin by pointing your browser to http://localhost: ![dashboard](docs/screenshots/dashboard.png) +## Support + +**Looking for help?** Try taking a look at the project's +[Support Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/.github/SUPPORT.md) or joining +our [Discord Server](https://discord.powerdnsadmin.org). + ## Security Policy Please see our [Security Policy](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/SECURITY.md). diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 8acf50c..d4fb25f 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -1,6 +1,8 @@ # Contribution Guide -**Looking for help?** PDA has a somewhat active community of fellow users that may be able to provide assistance. Just [start a discussion](https://github.com/PowerDNS-Admin/PowerDNS-Admin/discussions/new) right here on GitHub! +**Looking for help?** Try taking a look at the project's +[Support Guide](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/.github/SUPPORT.md) or joining +our [Discord Server](https://discord.powerdnsadmin.org).

      From e0dffff325d3d887c8c5d283bb7d385061d82981 Mon Sep 17 00:00:00 2001 From: Rauno Tuul Date: Sat, 25 Mar 2023 11:47:58 +0200 Subject: [PATCH 52/77] Fix activity search form structure --- powerdnsadmin/templates/admin_history.html | 119 ++++++++++----------- 1 file changed, 59 insertions(+), 60 deletions(-) diff --git a/powerdnsadmin/templates/admin_history.html b/powerdnsadmin/templates/admin_history.html index 51009a2..5ce6e4c 100644 --- a/powerdnsadmin/templates/admin_history.html +++ b/powerdnsadmin/templates/admin_history.html @@ -39,8 +39,8 @@

      {% endif %}
      -
      - + +
      - +
      -
      -
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Filters
      -
      - -
      -
      - - - -
      - - - -
       
       
      - - - -
      - -
      +
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Filters
      +
      + +
      +
      + + + +
      + + + +
       
       
      + + + +
      +
      +
      From 0d0339a3166409d6f84c677e4453f80332a137b2 Mon Sep 17 00:00:00 2001 From: Jan Koppe Date: Wed, 29 Mar 2023 14:52:00 +0200 Subject: [PATCH 53/77] fix #1485: allow more than 100 rows default in dashboard The dashboard.domains_custom route was hardcoded to either return all the domains, or at most 100, regardless of default_domain_table_size setting. Make this limit be dependent on default_domain_table_size instead. The API will now limit to 100 or default_domain_table_size, whichever one is higher. This is done to not break any seconday use-cases that might depend on the hardcoded setting. --- powerdnsadmin/routes/dashboard.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/powerdnsadmin/routes/dashboard.py b/powerdnsadmin/routes/dashboard.py index 14a8ae3..e517207 100644 --- a/powerdnsadmin/routes/dashboard.py +++ b/powerdnsadmin/routes/dashboard.py @@ -141,7 +141,7 @@ def domains_custom(tab_id): filtered_count = domains.count() start = int(request.args.get("start", 0)) - length = min(int(request.args.get("length", 0)), 100) + length = min(int(request.args.get("length", 0)), max(100, int(Setting().get('default_domain_table_size')))) if length != -1: domains = domains[start:start + length] From 19335439bdee97331f2e8627686c1a927e5abd74 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 2 Apr 2023 09:19:05 -0400 Subject: [PATCH 54/77] Completed the removal of the OAuth JWKS URL setting as well as the update of how the existing metadata URL settings are being used. For additional information, reference GitHub issue #1499. --- powerdnsadmin/models/setting.py | 4 -- powerdnsadmin/routes/admin.py | 8 ---- powerdnsadmin/services/azure.py | 27 +++++++----- powerdnsadmin/services/github.py | 32 +++++++++----- powerdnsadmin/services/google.py | 30 ++++++++----- powerdnsadmin/services/oidc.py | 30 ++++++++----- .../admin_setting_authentication.html | 44 ------------------- 7 files changed, 75 insertions(+), 100 deletions(-) diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py index 48f929f..dedaaab 100644 --- a/powerdnsadmin/models/setting.py +++ b/powerdnsadmin/models/setting.py @@ -73,7 +73,6 @@ class Setting(db.Model): 'https://github.com/login/oauth/access_token', 'github_oauth_authorize_url': 'https://github.com/login/oauth/authorize', - 'github_oauth_jwks_url': '', 'github_oauth_metadata_url': '', 'google_oauth_enabled': False, 'google_oauth_client_id': '', @@ -81,7 +80,6 @@ class Setting(db.Model): 'google_token_url': 'https://oauth2.googleapis.com/token', 'google_oauth_scope': 'openid email profile', 'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth', - 'google_oauth_jwks_url': '', 'google_oauth_metadata_url': '', 'google_base_url': 'https://www.googleapis.com/oauth2/v3/', 'azure_oauth_enabled': False, @@ -93,7 +91,6 @@ class Setting(db.Model): 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/token', 'azure_oauth_authorize_url': 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize', - 'azure_oauth_jwks_url': '', 'azure_oauth_metadata_url': '', 'azure_sg_enabled': False, 'azure_admin_group': '', @@ -111,7 +108,6 @@ class Setting(db.Model): 'oidc_oauth_api_url': '', 'oidc_oauth_token_url': '', 'oidc_oauth_authorize_url': '', - 'oidc_oauth_jwks_url': '', 'oidc_oauth_metadata_url': '', 'oidc_oauth_logout_url': '', 'oidc_oauth_username': 'preferred_username', diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py index 3e44fd6..eedabdc 100644 --- a/powerdnsadmin/routes/admin.py +++ b/powerdnsadmin/routes/admin.py @@ -1680,8 +1680,6 @@ def setting_authentication(): request.form.get('google_oauth_scope')) Setting().set('google_authorize_url', request.form.get('google_authorize_url')) - Setting().set('google_oauth_jwks_url', - request.form.get('google_oauth_jwks_url')) Setting().set('google_base_url', request.form.get('google_base_url')) result = { @@ -1715,8 +1713,6 @@ def setting_authentication(): request.form.get('github_oauth_token_url')) Setting().set('github_oauth_authorize_url', request.form.get('github_oauth_authorize_url')) - Setting().set('github_oauth_jwks_url', - request.form.get('github_oauth_jwks_url')) result = { 'status': True, 'msg': @@ -1748,8 +1744,6 @@ def setting_authentication(): request.form.get('azure_oauth_token_url')) Setting().set('azure_oauth_authorize_url', request.form.get('azure_oauth_authorize_url')) - Setting().set('azure_oauth_jwks_url', - request.form.get('azure_oauth_jwks_url')) Setting().set( 'azure_sg_enabled', True if request.form.get('azure_sg_enabled') == 'ON' else False) @@ -1803,8 +1797,6 @@ def setting_authentication(): request.form.get('oidc_oauth_token_url')) Setting().set('oidc_oauth_authorize_url', request.form.get('oidc_oauth_authorize_url')) - Setting().set('oidc_oauth_jwks_url', - request.form.get('oidc_oauth_jwks_url')) Setting().set('oidc_oauth_logout_url', request.form.get('oidc_oauth_logout_url')) Setting().set('oidc_oauth_username', diff --git a/powerdnsadmin/services/azure.py b/powerdnsadmin/services/azure.py index c1fb626..65f3bf3 100644 --- a/powerdnsadmin/services/azure.py +++ b/powerdnsadmin/services/azure.py @@ -15,18 +15,25 @@ def azure_oauth(): session['azure_token'] = token return token + authlib_params = { + 'client_id': Setting().get('azure_oauth_key'), + 'client_secret': Setting().get('azure_oauth_secret'), + 'api_base_url': Setting().get('azure_oauth_api_url'), + 'request_token_url': None, + 'access_token_url': Setting().get('azure_oauth_token_url'), + 'authorize_url': Setting().get('azure_oauth_authorize_url'), + 'client_kwargs': {'scope': Setting().get('azure_oauth_scope')}, + 'fetch_token': fetch_azure_token, + } + + server_metadata_url = Setting().get('azure_oauth_metadata_url') + + if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0: + authlib_params['server_metadata_url'] = server_metadata_url + azure = authlib_oauth_client.register( 'azure', - client_id=Setting().get('azure_oauth_key'), - client_secret=Setting().get('azure_oauth_secret'), - api_base_url=Setting().get('azure_oauth_api_url'), - request_token_url=None, - access_token_url=Setting().get('azure_oauth_token_url'), - authorize_url=Setting().get('azure_oauth_authorize_url'), - jwks_url=Setting().get('azure_oauth_jwks_url'), - server_metadata_url=Setting().get('azure_oauth_metadata_url'), - client_kwargs={'scope': Setting().get('azure_oauth_scope')}, - fetch_token=fetch_azure_token, + **authlib_params ) @current_app.route('/azure/authorized') diff --git a/powerdnsadmin/services/github.py b/powerdnsadmin/services/github.py index 13c2f00..ff4a20f 100644 --- a/powerdnsadmin/services/github.py +++ b/powerdnsadmin/services/github.py @@ -15,20 +15,28 @@ def github_oauth(): session['github_token'] = token return token + authlib_params = { + 'client_id': Setting().get('github_oauth_key'), + 'client_secret': Setting().get('github_oauth_secret'), + 'request_token_params': {'scope': Setting().get('github_oauth_scope')}, + 'api_base_url': Setting().get('github_oauth_api_url'), + 'request_token_url': None, + 'access_token_url': Setting().get('github_oauth_token_url'), + 'authorize_url': Setting().get('github_oauth_authorize_url'), + 'client_kwargs': {'scope': Setting().get('github_oauth_scope')}, + 'fetch_token': fetch_github_token, + 'update_token': update_token + } + + server_metadata_url = Setting().get('github_oauth_metadata_url') + + if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0: + authlib_params['server_metadata_url'] = server_metadata_url + github = authlib_oauth_client.register( 'github', - client_id=Setting().get('github_oauth_key'), - client_secret=Setting().get('github_oauth_secret'), - request_token_params={'scope': Setting().get('github_oauth_scope')}, - api_base_url=Setting().get('github_oauth_api_url'), - request_token_url=None, - access_token_url=Setting().get('github_oauth_token_url'), - authorize_url=Setting().get('github_oauth_authorize_url'), - jwks_url=Setting().get('github_oauth_jwks_url'), - server_metadata_url=Setting().get('github_oauth_metadata_url'), - client_kwargs={'scope': Setting().get('github_oauth_scope')}, - fetch_token=fetch_github_token, - update_token=update_token) + **authlib_params + ) @current_app.route('/github/authorized') def github_authorized(): diff --git a/powerdnsadmin/services/google.py b/powerdnsadmin/services/google.py index fc9af12..5604819 100644 --- a/powerdnsadmin/services/google.py +++ b/powerdnsadmin/services/google.py @@ -15,19 +15,27 @@ def google_oauth(): session['google_token'] = token return token + authlib_params = { + 'client_id': Setting().get('google_oauth_client_id'), + 'client_secret': Setting().get('google_oauth_client_secret'), + 'api_base_url': Setting().get('google_base_url'), + 'request_token_url': None, + 'access_token_url': Setting().get('google_token_url'), + 'authorize_url': Setting().get('google_authorize_url'), + 'client_kwargs': {'scope': Setting().get('google_oauth_scope')}, + 'fetch_token': fetch_google_token, + 'update_token': update_token + } + + server_metadata_url = Setting().get('google_oauth_metadata_url') + + if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0: + authlib_params['server_metadata_url'] = server_metadata_url + google = authlib_oauth_client.register( 'google', - client_id=Setting().get('google_oauth_client_id'), - client_secret=Setting().get('google_oauth_client_secret'), - api_base_url=Setting().get('google_base_url'), - request_token_url=None, - access_token_url=Setting().get('google_token_url'), - authorize_url=Setting().get('google_authorize_url'), - jwks_url=Setting().get('google_oauth_jwks_url'), - server_metadata_url=Setting().get('google_oauth_metadata_url'), - client_kwargs={'scope': Setting().get('google_oauth_scope')}, - fetch_token=fetch_google_token, - update_token=update_token) + **authlib_params + ) @current_app.route('/google/authorized') def google_authorized(): diff --git a/powerdnsadmin/services/oidc.py b/powerdnsadmin/services/oidc.py index 432457f..7b0cd46 100644 --- a/powerdnsadmin/services/oidc.py +++ b/powerdnsadmin/services/oidc.py @@ -15,19 +15,27 @@ def oidc_oauth(): session['oidc_token'] = token return token + authlib_params = { + 'client_id': Setting().get('oidc_oauth_key'), + 'client_secret': Setting().get('oidc_oauth_secret'), + 'api_base_url': Setting().get('oidc_oauth_api_url'), + 'request_token_url': None, + 'access_token_url': Setting().get('oidc_oauth_token_url'), + 'authorize_url': Setting().get('oidc_oauth_authorize_url'), + 'client_kwargs': {'scope': Setting().get('oidc_oauth_scope')}, + 'fetch_token': fetch_oidc_token, + 'update_token': update_token + } + + server_metadata_url = Setting().get('oidc_oauth_metadata_url') + + if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0: + authlib_params['server_metadata_url'] = server_metadata_url + oidc = authlib_oauth_client.register( 'oidc', - client_id=Setting().get('oidc_oauth_key'), - client_secret=Setting().get('oidc_oauth_secret'), - api_base_url=Setting().get('oidc_oauth_api_url'), - request_token_url=None, - access_token_url=Setting().get('oidc_oauth_token_url'), - authorize_url=Setting().get('oidc_oauth_authorize_url'), - jwks_url=Setting().get('oidc_oauth_jwks_url'), - server_metadata_url=Setting().get('oidc_oauth_metadata_url'), - client_kwargs={'scope': Setting().get('oidc_oauth_scope')}, - fetch_token=fetch_oidc_token, - update_token=update_token) + **authlib_params + ) @current_app.route('/oidc/authorized') def oidc_authorized(): diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index c545958..cbe6800 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -806,17 +806,6 @@ value="{{ SETTING.get('google_authorize_url') }}">
      -
      - - - -
      -
      - - - -
      @@ -1096,17 +1074,6 @@ value="{{ SETTING.get('azure_oauth_authorize_url') }}">
    -
    - - - -
    Group Security @@ -1413,17 +1380,6 @@ value="{{ SETTING.get('oidc_oauth_authorize_url') }}"> -
    - - - -
    From a2429ad9d6fe0b7e7c5dce8433b3afe722757806 Mon Sep 17 00:00:00 2001 From: Stefan Ubbink Date: Sun, 2 Apr 2023 20:46:32 +0200 Subject: [PATCH 55/77] Make it possible again to use a different Zone Type than 'native', fixes #1501 --- powerdnsadmin/routes/domain.py | 6 +++--- powerdnsadmin/templates/domain_add.html | 18 +++++++++--------- powerdnsadmin/templates/domain_setting.html | 16 ++++++++-------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/powerdnsadmin/routes/domain.py b/powerdnsadmin/routes/domain.py index 593e91d..bcf91cc 100644 --- a/powerdnsadmin/routes/domain.py +++ b/powerdnsadmin/routes/domain.py @@ -66,7 +66,7 @@ def domain(domain_name): current_app.logger.debug("Fetched rrsets: \n{}".format(pretty_json(rrsets))) # API server might be down, misconfigured - if not rrsets and domain.type != 'Slave': + if not rrsets and domain.type != 'slave': abort(500) quick_edit = Setting().get('record_quick_edit') @@ -206,7 +206,7 @@ def changelog(domain_name): current_app.logger.debug("Fetched rrsets: \n{}".format(pretty_json(rrsets))) # API server might be down, misconfigured - if not rrsets and domain.type != 'Slave': + if not rrsets and domain.type != 'slave': abort(500) records_allow_to_edit = Setting().get_records_allow_to_edit() @@ -294,7 +294,7 @@ def record_changelog(domain_name, record_name, record_type): current_app.logger.debug("Fetched rrsets: \n{}".format(pretty_json(rrsets))) # API server might be down, misconfigured - if not rrsets and domain.type != 'Slave': + if not rrsets and domain.type != 'slave': abort(500) # get all changelogs for this domain, in descening order diff --git a/powerdnsadmin/templates/domain_add.html b/powerdnsadmin/templates/domain_add.html index c568210..8be5817 100644 --- a/powerdnsadmin/templates/domain_add.html +++ b/powerdnsadmin/templates/domain_add.html @@ -76,11 +76,16 @@
    +
    -
    @@ -228,10 +228,10 @@ diff --git a/powerdnsadmin/templates/domain_setting.html b/powerdnsadmin/templates/domain_setting.html index bc9470e..f59f4a9 100644 --- a/powerdnsadmin/templates/domain_setting.html +++ b/powerdnsadmin/templates/domain_setting.html @@ -220,12 +220,12 @@
    -
    + Secret
    +
    + + + +
    +
    + + + +
    @@ -785,16 +804,6 @@ value="{{ SETTING.get('google_token_url') }}">
    -
    - - - -
    @@ -806,15 +815,6 @@ value="{{ SETTING.get('google_authorize_url') }}">
    -
    - - - -
    @@ -870,26 +870,26 @@ -
    - +
    + Secret
    @@ -1311,21 +1311,21 @@ OAuth
    - +
    - +
    From 9168dd99e074709e2d1cc7f6dd357f25c4aa9e8b Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 8 Apr 2023 18:11:55 -0400 Subject: [PATCH 60/77] Updated the OAuth login handlers to utilize uniform user naming variables. Updated the GitHub login process to split the user's full name based on spaces so that first and last name are filled in on PDA profile. --- powerdnsadmin/routes/index.py | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py index 4351a54..706d0b9 100644 --- a/powerdnsadmin/routes/index.py +++ b/powerdnsadmin/routes/index.py @@ -189,17 +189,25 @@ def login(): if 'github_token' in session: me = json.loads(github.get('user').text) github_username = me['login'] - github_name = me['name'] + github_first_name = me['name'] + github_last_name = '' github_email = me['email'] + # If the user's full name from GitHub contains at least two words, use the first word as the first name and + # the rest as the last name. + github_name_parts = github_first_name.split(' ') + if len(github_name_parts) > 1: + github_first_name = github_name_parts[0] + github_last_name = ' '.join(github_name_parts[1:]) + user = User.query.filter_by(username=github_username).first() if user is None: user = User.query.filter_by(email=github_email).first() if not user: user = User(username=github_username, plain_text_password=None, - firstname=github_name, - lastname='', + firstname=github_first_name, + lastname=github_last_name, email=github_email) result = user.create_local_user() @@ -227,8 +235,8 @@ def login(): mygroups = [] azure_username = me["userPrincipalName"] - azure_givenname = me["givenName"] - azure_familyname = me["surname"] + azure_first_name = me["givenName"] + azure_last_name = me["surname"] if "mail" in me: azure_email = me["mail"] else: @@ -244,8 +252,8 @@ def login(): if not user: user = User(username=azure_username, plain_text_password=None, - firstname=azure_givenname, - lastname=azure_familyname, + firstname=azure_first_name, + lastname=azure_last_name, email=azure_email) result = user.create_local_user() @@ -386,21 +394,21 @@ def login(): if 'oidc_token' in session: me = json.loads(oidc.get('userinfo').text) oidc_username = me[Setting().get('oidc_oauth_username')] - oidc_givenname = me[Setting().get('oidc_oauth_firstname')] - oidc_familyname = me[Setting().get('oidc_oauth_last_name')] + oidc_first_name = me[Setting().get('oidc_oauth_firstname')] + oidc_last_name = me[Setting().get('oidc_oauth_last_name')] oidc_email = me[Setting().get('oidc_oauth_email')] user = User.query.filter_by(username=oidc_username).first() if not user: user = User(username=oidc_username, plain_text_password=None, - firstname=oidc_givenname, - lastname=oidc_familyname, + firstname=oidc_first_name, + lastname=oidc_last_name, email=oidc_email) result = user.create_local_user() else: - user.firstname = oidc_givenname - user.lastname = oidc_familyname + user.firstname = oidc_first_name + user.lastname = oidc_last_name user.email = oidc_email user.plain_text_password = None result = user.update_local_user() From ece96262124985143467534394c64a35b7b35cda Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sat, 8 Apr 2023 18:14:40 -0400 Subject: [PATCH 61/77] Updated the OAuth login handlers to utilize uniform user naming variables. Updated the GitHub login process to split the user's full name based on spaces so that first and last name are filled in on PDA profile. --- powerdnsadmin/routes/index.py | 59 ++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py index 706d0b9..2636cf1 100644 --- a/powerdnsadmin/routes/index.py +++ b/powerdnsadmin/routes/index.py @@ -164,18 +164,18 @@ def login(): if 'google_token' in session: user_data = json.loads(google.get('userinfo').text) - first_name = user_data['given_name'] - surname = user_data['family_name'] - email = user_data['email'] - user = User.query.filter_by(username=email).first() + google_first_name = user_data['given_name'] + google_last_name = user_data['family_name'] + google_email = user_data['email'] + user = User.query.filter_by(username=google_email).first() if user is None: - user = User.query.filter_by(email=email).first() + user = User.query.filter_by(email=google_email).first() if not user: - user = User(username=email, - firstname=first_name, - lastname=surname, + user = User(username=google_email, + firstname=google_first_name, + lastname=google_last_name, plain_text_password=None, - email=email) + email=google_email) result = user.create_local_user() if not result['status']: @@ -187,11 +187,11 @@ def login(): return authenticate_user(user, 'Google OAuth') if 'github_token' in session: - me = json.loads(github.get('user').text) - github_username = me['login'] - github_first_name = me['name'] + user_data = json.loads(github.get('user').text) + github_username = user_data['login'] + github_first_name = user_data['name'] github_last_name = '' - github_email = me['email'] + github_email = user_data['email'] # If the user's full name from GitHub contains at least two words, use the first word as the first name and # the rest as the last name. @@ -222,7 +222,7 @@ def login(): if 'azure_token' in session: azure_info = azure.get('me?$select=displayName,givenName,id,mail,surname,userPrincipalName').text current_app.logger.info('Azure login returned: ' + azure_info) - me = json.loads(azure_info) + user_data = json.loads(azure_info) azure_info = azure.post('me/getMemberGroups', json={'securityEnabledOnly': False}).text @@ -234,15 +234,15 @@ def login(): else: mygroups = [] - azure_username = me["userPrincipalName"] - azure_first_name = me["givenName"] - azure_last_name = me["surname"] - if "mail" in me: - azure_email = me["mail"] + azure_username = user_data["userPrincipalName"] + azure_first_name = user_data["givenName"] + azure_last_name = user_data["surname"] + if "mail" in user_data: + azure_email = user_data["mail"] else: azure_email = "" if not azure_email: - azure_email = me["userPrincipalName"] + azure_email = user_data["userPrincipalName"] # Handle foreign principals such as guest users azure_email = re.sub(r"#.*$", "", azure_email) @@ -392,11 +392,11 @@ def login(): return authenticate_user(user, 'Azure OAuth') if 'oidc_token' in session: - me = json.loads(oidc.get('userinfo').text) - oidc_username = me[Setting().get('oidc_oauth_username')] - oidc_first_name = me[Setting().get('oidc_oauth_firstname')] - oidc_last_name = me[Setting().get('oidc_oauth_last_name')] - oidc_email = me[Setting().get('oidc_oauth_email')] + user_data = json.loads(oidc.get('userinfo').text) + oidc_username = user_data[Setting().get('oidc_oauth_username')] + oidc_first_name = user_data[Setting().get('oidc_oauth_firstname')] + oidc_last_name = user_data[Setting().get('oidc_oauth_last_name')] + oidc_email = user_data[Setting().get('oidc_oauth_email')] user = User.query.filter_by(username=oidc_username).first() if not user: @@ -426,10 +426,11 @@ def login(): desc_prop = Setting().get('oidc_oauth_account_description_property') account_to_add = [] - # If the name_property and desc_property exist in me (A variable that contains all the userinfo from the IdP). - if name_prop in me and desc_prop in me: - accounts_name_prop = [me[name_prop]] if type(me[name_prop]) is not list else me[name_prop] - accounts_desc_prop = [me[desc_prop]] if type(me[desc_prop]) is not list else me[desc_prop] + # If the name_property and desc_property exist in me (A variable that contains all the userinfo from the + # IdP). + if name_prop in user_data and desc_prop in user_data: + accounts_name_prop = [user_data[name_prop]] if type(user_data[name_prop]) is not list else user_data[name_prop] + accounts_desc_prop = [user_data[desc_prop]] if type(user_data[desc_prop]) is not list else user_data[desc_prop] # Run on all groups the user is in by the index num. for i in range(len(accounts_name_prop)): From 737e104912af07d07bdf2daf7242fae94adcba45 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 9 Apr 2023 10:11:00 -0400 Subject: [PATCH 62/77] Added KnockoutJS NPM package. Re-formatted and re-organized settings model. Working on Knockout model integration into existing authentication settings editor view. --- package.json | 1 + powerdnsadmin/assets.py | 2 + powerdnsadmin/models/setting.py | 95 +++-- powerdnsadmin/routes/admin.py | 50 ++- .../js/app-authentication-settings-editor.js | 273 +++++++++++++ .../admin_setting_authentication.html | 381 ++++++++---------- yarn.lock | 7 +- 7 files changed, 541 insertions(+), 268 deletions(-) create mode 100644 powerdnsadmin/static/custom/js/app-authentication-settings-editor.js diff --git a/package.json b/package.json index 42f866d..3aaac1d 100644 --- a/package.json +++ b/package.json @@ -12,6 +12,7 @@ "jquery-ui-dist": "^1.13.2", "jquery.quicksearch": "^2.4.0", "jtimeout": "^3.2.0", + "knockout": "^3.5.1", "multiselect": "^0.9.12" }, "resolutions": { diff --git a/powerdnsadmin/assets.py b/powerdnsadmin/assets.py index 5e17d7f..8f9192f 100644 --- a/powerdnsadmin/assets.py +++ b/powerdnsadmin/assets.py @@ -20,6 +20,7 @@ js_login = Bundle( 'node_modules/jquery/dist/jquery.js', 'node_modules/bootstrap/dist/js/bootstrap.js', 'node_modules/icheck/icheck.js', + 'node_modules/knockout/build/output/knockout-latest.js', 'custom/js/custom.js', filters=(ConcatFilter, 'rjsmin'), output='generated/login.js') @@ -55,6 +56,7 @@ js_main = Bundle( 'node_modules/datatables.net-plugins/sorting/natural.js', 'node_modules/jtimeout/src/jTimeout.js', 'node_modules/jquery.quicksearch/src/jquery.quicksearch.js', + 'node_modules/knockout/build/output/knockout-latest.js', 'custom/js/custom.js', 'node_modules/bootstrap-datepicker/dist/js/bootstrap-datepicker.js', filters=(ConcatFilter, 'rjsmin'), diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py index dedaaab..1ef3166 100644 --- a/powerdnsadmin/models/setting.py +++ b/powerdnsadmin/models/setting.py @@ -15,6 +15,7 @@ class Setting(db.Model): value = db.Column(db.Text()) defaults = { + # General Settings 'maintenance': False, 'fullscreen_layout': True, 'record_helper': True, @@ -42,56 +43,79 @@ class Setting(db.Model): 'pdns_api_timeout': 30, 'pdns_version': '4.1.1', 'verify_ssl_connections': True, + 'verify_user_email': False, + 'enforce_api_ttl': False, + 'ttl_options': '1 minute,5 minutes,30 minutes,60 minutes,24 hours', + 'otp_field_enabled': True, + 'custom_css': '', + 'otp_force': False, + 'max_history_records': 1000, + 'deny_domain_override': False, + 'account_name_extra_chars': False, + 'gravatar_enabled': False, + + # Local Authentication Settings 'local_db_enabled': True, 'signup_enabled': True, - 'autoprovisioning': False, - 'urn_value': '', - 'autoprovisioning_attribute': '', - 'purge': False, - 'verify_user_email': False, + 'pwd_enforce_characters': False, + 'pwd_min_len': 10, + 'pwd_min_lowercase': 3, + 'pwd_min_uppercase': 2, + 'pwd_min_digits': 2, + 'pwd_min_special': 1, + 'pwd_enforce_complexity': False, + 'pwd_min_complexity': 11, + + # LDAP Authentication Settings 'ldap_enabled': False, 'ldap_type': 'ldap', 'ldap_uri': '', 'ldap_base_dn': '', 'ldap_admin_username': '', 'ldap_admin_password': '', + 'ldap_domain': '', 'ldap_filter_basic': '', - 'ldap_filter_group': '', 'ldap_filter_username': '', + 'ldap_filter_group': '', 'ldap_filter_groupname': '', 'ldap_sg_enabled': False, 'ldap_admin_group': '', 'ldap_operator_group': '', 'ldap_user_group': '', - 'ldap_domain': '', + 'autoprovisioning': False, + 'autoprovisioning_attribute': '', + 'urn_value': '', + 'purge': False, + + # Google OAuth2 Settings + 'google_oauth_enabled': False, + 'google_oauth_client_id': '', + 'google_oauth_client_secret': '', + 'google_oauth_scope': 'openid email profile', + 'google_base_url': 'https://www.googleapis.com/oauth2/v3/', + 'google_oauth_metadata_url': 'https://accounts.google.com/.well-known/openid-configuration', + 'google_token_url': 'https://oauth2.googleapis.com/token', + 'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth', + + # GitHub OAuth2 Settings 'github_oauth_enabled': False, 'github_oauth_key': '', 'github_oauth_secret': '', 'github_oauth_scope': 'email', 'github_oauth_api_url': 'https://api.github.com/user', - 'github_oauth_token_url': - 'https://github.com/login/oauth/access_token', - 'github_oauth_authorize_url': - 'https://github.com/login/oauth/authorize', 'github_oauth_metadata_url': '', - 'google_oauth_enabled': False, - 'google_oauth_client_id': '', - 'google_oauth_client_secret': '', - 'google_token_url': 'https://oauth2.googleapis.com/token', - 'google_oauth_scope': 'openid email profile', - 'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth', - 'google_oauth_metadata_url': '', - 'google_base_url': 'https://www.googleapis.com/oauth2/v3/', + 'github_oauth_token_url': 'https://github.com/login/oauth/access_token', + 'github_oauth_authorize_url': 'https://github.com/login/oauth/authorize', + + # Azure OAuth2 Settings 'azure_oauth_enabled': False, 'azure_oauth_key': '', 'azure_oauth_secret': '', 'azure_oauth_scope': 'User.Read openid email profile', 'azure_oauth_api_url': 'https://graph.microsoft.com/v1.0/', - 'azure_oauth_token_url': - 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/token', - 'azure_oauth_authorize_url': - 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize', 'azure_oauth_metadata_url': '', + 'azure_oauth_token_url': '', + 'azure_oauth_authorize_url': '', 'azure_sg_enabled': False, 'azure_admin_group': '', 'azure_operator_group': '', @@ -101,22 +125,25 @@ class Setting(db.Model): 'azure_group_accounts_name_re': '', 'azure_group_accounts_description': 'description', 'azure_group_accounts_description_re': '', + + # OIDC OAuth2 Settings 'oidc_oauth_enabled': False, 'oidc_oauth_key': '', 'oidc_oauth_secret': '', 'oidc_oauth_scope': 'email', 'oidc_oauth_api_url': '', + 'oidc_oauth_metadata_url': '', 'oidc_oauth_token_url': '', 'oidc_oauth_authorize_url': '', - 'oidc_oauth_metadata_url': '', 'oidc_oauth_logout_url': '', 'oidc_oauth_username': 'preferred_username', + 'oidc_oauth_email': 'email', 'oidc_oauth_firstname': 'given_name', 'oidc_oauth_last_name': 'family_name', - 'oidc_oauth_email': 'email', 'oidc_oauth_account_name_property': '', 'oidc_oauth_account_description_property': '', - 'enforce_api_ttl': False, + + # Zone Record Settings 'forward_records_allow_edit': { 'A': True, 'AAAA': True, @@ -193,22 +220,6 @@ class Setting(db.Model): 'TXT': True, 'URI': False }, - 'ttl_options': '1 minute,5 minutes,30 minutes,60 minutes,24 hours', - 'otp_field_enabled': True, - 'custom_css': '', - 'otp_force': False, - 'max_history_records': 1000, - 'deny_domain_override': False, - 'account_name_extra_chars': False, - 'gravatar_enabled': False, - 'pwd_enforce_characters': False, - 'pwd_min_len': 10, - 'pwd_min_lowercase': 3, - 'pwd_min_uppercase': 2, - 'pwd_min_digits': 2, - 'pwd_min_special': 1, - 'pwd_enforce_complexity': False, - 'pwd_min_complexity': 11 } def __init__(self, id=None, name=None, value=None): diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py index eedabdc..7ec669d 100644 --- a/powerdnsadmin/routes/admin.py +++ b/powerdnsadmin/routes/admin.py @@ -72,8 +72,8 @@ def get_record_changes(del_rrset, add_rrset): """For the given record, return the state dict.""" return { "disabled": record['disabled'], - "content": record['content'], - "comment": record.get('comment', ''), + "content": record['content'], + "comment": record.get('comment', ''), } add_records = get_records(add_rrset) @@ -149,8 +149,8 @@ def extract_changelogs_from_a_history_entry(out_changes, history_entry, change_n # Sort them by the record name if change_num in out_changes: out_changes[change_num].sort(key=lambda change: - change.del_rrset['name'] if change.del_rrset else change.add_rrset['name'] - ) + change.del_rrset['name'] if change.del_rrset else change.add_rrset['name'] + ) # only used for changelog per record if record_name != None and record_type != None: # then get only the records with the specific (record_name, record_type) tuple @@ -897,7 +897,8 @@ class DetailedHistory(): description=DetailedHistory.get_key_val(detail_dict, "description")) - elif any(msg in history.msg for msg in ['Change zone','Change domain']) and 'access control' in history.msg: # added or removed a user from a zone + elif any(msg in history.msg for msg in ['Change zone', + 'Change domain']) and 'access control' in history.msg: # added or removed a user from a zone users_with_access = DetailedHistory.get_key_val(detail_dict, "user_has_access") self.detailed_msg = render_template_string(""" @@ -942,7 +943,7 @@ class DetailedHistory(): linked_domains=DetailedHistory.get_key_val(detail_dict, "domains")) - elif any(msg in history.msg for msg in ['Update type for zone','Update type for domain']): + elif any(msg in history.msg for msg in ['Update type for zone', 'Update type for domain']): self.detailed_msg = render_template_string("""
    @@ -977,7 +978,8 @@ class DetailedHistory(): 'status'), history_msg=DetailedHistory.get_key_val(detail_dict, 'msg')) - elif any(msg in history.msg for msg in ['Update zone','Update domain']) and 'associate account' in history.msg: # When an account gets associated or dissociate with zones + elif any(msg in history.msg for msg in ['Update zone', + 'Update domain']) and 'associate account' in history.msg: # When an account gets associated or dissociate with zones self.detailed_msg = render_template_string('''
    Zone: {{ domain }}
    @@ -1231,8 +1233,10 @@ def history_table(): # ajax call data .filter( db.and_( db.or_( - History.msg.like("%domain " + domain_name) if domain_name != "*" else History.msg.like("%domain%"), - History.msg.like("%zone " + domain_name) if domain_name != "*" else History.msg.like("%zone%"), + History.msg.like("%domain " + domain_name) if domain_name != "*" else History.msg.like( + "%domain%"), + History.msg.like("%zone " + domain_name) if domain_name != "*" else History.msg.like( + "%zone%"), History.msg.like( "%domain " + domain_name + " access control") if domain_name != "*" else History.msg.like( "%domain%access control"), @@ -1540,7 +1544,8 @@ def has_an_auth_method(local_db_enabled=None, oidc_oauth_enabled = Setting().get('oidc_oauth_enabled') if azure_oauth_enabled is None: azure_oauth_enabled = Setting().get('azure_oauth_enabled') - return local_db_enabled or ldap_enabled or google_oauth_enabled or github_oauth_enabled or oidc_oauth_enabled or azure_oauth_enabled + return local_db_enabled or ldap_enabled or google_oauth_enabled or github_oauth_enabled or oidc_oauth_enabled \ + or azure_oauth_enabled @admin_bp.route('/setting/authentication', methods=['GET', 'POST']) @@ -1562,17 +1567,20 @@ def setting_authentication(): pwd_enforce_characters = True if request.form.get('pwd_enforce_characters') else False pwd_min_len = safe_cast(request.form.get('pwd_min_len', Setting().defaults["pwd_min_len"]), int, Setting().defaults["pwd_min_len"]) - pwd_min_lowercase = safe_cast(request.form.get('pwd_min_lowercase', Setting().defaults["pwd_min_lowercase"]), int, - Setting().defaults["pwd_min_lowercase"]) - pwd_min_uppercase = safe_cast(request.form.get('pwd_min_uppercase', Setting().defaults["pwd_min_uppercase"]), int, - Setting().defaults["pwd_min_uppercase"]) + pwd_min_lowercase = safe_cast( + request.form.get('pwd_min_lowercase', Setting().defaults["pwd_min_lowercase"]), int, + Setting().defaults["pwd_min_lowercase"]) + pwd_min_uppercase = safe_cast( + request.form.get('pwd_min_uppercase', Setting().defaults["pwd_min_uppercase"]), int, + Setting().defaults["pwd_min_uppercase"]) pwd_min_digits = safe_cast(request.form.get('pwd_min_digits', Setting().defaults["pwd_min_digits"]), int, Setting().defaults["pwd_min_digits"]) pwd_min_special = safe_cast(request.form.get('pwd_min_special', Setting().defaults["pwd_min_special"]), int, Setting().defaults["pwd_min_special"]) pwd_enforce_complexity = True if request.form.get('pwd_enforce_complexity') else False - pwd_min_complexity = safe_cast(request.form.get('pwd_min_complexity', Setting().defaults["pwd_min_complexity"]), int, + pwd_min_complexity = safe_cast(request.form.get('pwd_min_complexity', + Setting().defaults["pwd_min_complexity"]), int, Setting().defaults["pwd_min_complexity"]) if not has_an_auth_method(local_db_enabled=local_db_enabled): @@ -1585,14 +1593,12 @@ def setting_authentication(): else: Setting().set('local_db_enabled', local_db_enabled) Setting().set('signup_enabled', signup_enabled) - Setting().set('pwd_enforce_characters', pwd_enforce_characters) Setting().set('pwd_min_len', pwd_min_len) Setting().set('pwd_min_lowercase', pwd_min_lowercase) Setting().set('pwd_min_uppercase', pwd_min_uppercase) Setting().set('pwd_min_digits', pwd_min_digits) Setting().set('pwd_min_special', pwd_min_special) - Setting().set('pwd_enforce_complexity', pwd_enforce_complexity) Setting().set('pwd_min_complexity', pwd_min_complexity) @@ -2097,16 +2103,16 @@ def global_search(): results = server.global_search(object_type='all', query=query) # Filter results to domains to which the user has access permission - if current_user.role.name not in [ 'Administrator', 'Operator' ]: + if current_user.role.name not in ['Administrator', 'Operator']: allowed_domains = db.session.query(Domain) \ .outerjoin(DomainUser, Domain.id == DomainUser.domain_id) \ .outerjoin(Account, Domain.account_id == Account.id) \ .outerjoin(AccountUser, Account.id == AccountUser.account_id) \ .filter( - db.or_( - DomainUser.user_id == current_user.id, - AccountUser.user_id == current_user.id - )) \ + db.or_( + DomainUser.user_id == current_user.id, + AccountUser.user_id == current_user.id + )) \ .with_entities(Domain.name) \ .all() allowed_domains = [value for value, in allowed_domains] diff --git a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js new file mode 100644 index 0000000..104b3e9 --- /dev/null +++ b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js @@ -0,0 +1,273 @@ +let model; + +let AuthenticationSettingsModel = function (user_data, csrf_token, selector) { + let self = this; + + let defaults = { + tab_active: '', + tab_default: 'local', + + // Local Authentication Settings + local_db_enabled: true, + signup_enabled: true, + pwd_enforce_characters: false, + pwd_min_len: 10, + pwd_min_lowercase: 3, + pwd_min_uppercase: 2, + pwd_min_digits: 2, + pwd_min_special: 1, + pwd_enforce_complexity: false, + pwd_min_complexity: 11, + + // LDAP Authentication Settings + ldap_enabled: false, + ldap_type: 'ldap', + ldap_uri: '', + ldap_base_dn: '', + ldap_admin_username: '', + ldap_admin_password: '', + ldap_domain: '', + ldap_filter_basic: '', + ldap_filter_username: '', + ldap_filter_group: '', + ldap_filter_groupname: '', + ldap_sg_enabled: false, + ldap_admin_group: '', + ldap_operator_group: '', + ldap_user_group: '', + autoprovisioning: false, + autoprovisioning_attribute: '', + urn_value: '', + purge: false, + + // Google OAuth2 Settings + google_oauth_enabled: false, + google_oauth_client_id: '', + google_oauth_client_secret: '', + google_oauth_scope: '', + google_base_url: '', + google_oauth_auto_configure: false, + google_oauth_metadata_url: '', + google_token_url: '', + google_authorize_url: '', + + // GitHub OAuth2 Settings + github_oauth_enabled: false, + github_oauth_key: '', + github_oauth_secret: '', + github_oauth_scope: '', + github_oauth_api_url: '', + github_oauth_auto_configure: false, + github_oauth_metadata_url: '', + github_oauth_token_url: '', + github_oauth_authorize_url: '', + + // Azure AD OAuth2 Settings + azure_oauth_enabled: false, + azure_oauth_key: '', + azure_oauth_secret: '', + azure_oauth_scope: '', + azure_oauth_api_url: '', + azure_oauth_auto_configure: false, + azure_oauth_metadata_url: '', + azure_oauth_token_url: '', + azure_oauth_authorize_url: '', + azure_sg_enabled: false, + azure_admin_group: '', + azure_operator_group: '', + azure_user_group: '', + azure_group_accounts_enabled: false, + azure_group_accounts_name: '', + azure_group_accounts_name_re: '', + azure_group_accounts_description: '', + azure_group_accounts_description_re: '', + + // OIDC OAuth2 Settings + oidc_oauth_enabled: false, + oidc_oauth_key: '', + oidc_oauth_secret: '', + oidc_oauth_scope: '', + oidc_oauth_api_url: '', + oidc_oauth_auto_configure: false, + oidc_oauth_metadata_url: '', + oidc_oauth_token_url: '', + oidc_oauth_authorize_url: '', + oidc_oauth_logout_url: '', + oidc_oauth_username: '', + oidc_oauth_email: '', + oidc_oauth_firstname: '', + oidc_oauth_last_name: '', + oidc_oauth_account_name_property: '', + oidc_oauth_account_description_property: '', + } + + self.data = {}; + + self.setupObservables = function () { + self.tab_active = ko.observable(self.data.tab_active); + self.tab_default = ko.observable(self.data.tab_default); + + // Local Authentication Settings + self.local_db_enabled = ko.observable(self.data.local_db_enabled); + self.signup_enabled = ko.observable(self.data.signup_enabled); + self.pwd_enforce_characters = ko.observable(self.data.pwd_enforce_characters); + self.pwd_min_len = ko.observable(self.data.pwd_min_len); + self.pwd_min_lowercase = ko.observable(self.data.pwd_min_lowercase); + self.pwd_min_uppercase = ko.observable(self.data.pwd_min_uppercase); + self.pwd_min_digits = ko.observable(self.data.pwd_min_digits); + self.pwd_min_special = ko.observable(self.data.pwd_min_special); + self.pwd_enforce_complexity = ko.observable(self.data.pwd_enforce_complexity); + self.pwd_min_complexity = ko.observable(self.data.pwd_min_complexity); + + // LDAP Authentication Settings + self.ldap_enabled = ko.observable(self.data.ldap_enabled); + self.ldap_type = ko.observable(self.data.ldap_type); + self.ldap_uri = ko.observable(self.data.ldap_uri); + self.ldap_base_dn = ko.observable(self.data.ldap_base_dn); + self.ldap_admin_username = ko.observable(self.data.ldap_admin_username); + self.ldap_admin_password = ko.observable(self.data.ldap_admin_password); + self.ldap_domain = ko.observable(self.data.ldap_domain); + self.ldap_filter_basic = ko.observable(self.data.ldap_filter_basic); + self.ldap_filter_username = ko.observable(self.data.ldap_filter_username); + self.ldap_filter_group = ko.observable(self.data.ldap_filter_group); + self.ldap_filter_groupname = ko.observable(self.data.ldap_filter_groupname); + self.ldap_sg_enabled = ko.observable(self.data.ldap_sg_enabled); + self.ldap_admin_group = ko.observable(self.data.ldap_admin_group); + self.ldap_operator_group = ko.observable(self.data.ldap_operator_group); + self.ldap_user_group = ko.observable(self.data.ldap_user_group); + self.autoprovisioning = ko.observable(self.data.autoprovisioning); + self.autoprovisioning_attribute = ko.observable(self.data.autoprovisioning_attribute); + self.urn_value = ko.observable(self.data.urn_value); + self.purge = ko.observable(self.data.purge); + + // Google OAuth2 Settings + self.google_oauth_enabled = ko.observable(self.data.google_oauth_enabled); + self.google_oauth_client_id = ko.observable(self.data.google_oauth_client_id); + self.google_oauth_client_secret = ko.observable(self.data.google_oauth_client_secret); + self.google_oauth_scope = ko.observable(self.data.google_oauth_scope); + self.google_base_url = ko.observable(self.data.google_base_url); + self.google_oauth_auto_configure = ko.observable(self.data.google_oauth_auto_configure); + self.google_oauth_metadata_url = ko.observable(self.data.google_oauth_metadata_url); + self.google_token_url = ko.observable(self.data.google_token_url); + self.google_authorize_url = ko.observable(self.data.google_authorize_url); + + // GitHub OAuth2 Settings + self.github_oauth_enabled = ko.observable(self.data.github_oauth_enabled); + self.github_oauth_key = ko.observable(self.data.github_oauth_key); + self.github_oauth_secret = ko.observable(self.data.github_oauth_secret); + self.github_oauth_scope = ko.observable(self.data.github_oauth_scope); + self.github_oauth_api_url = ko.observable(self.data.github_oauth_api_url); + self.github_oauth_auto_configure = ko.observable(self.data.github_oauth_auto_configure); + self.github_oauth_metadata_url = ko.observable(self.data.github_oauth_metadata_url); + self.github_oauth_token_url = ko.observable(self.data.github_oauth_token_url); + self.github_oauth_authorize_url = ko.observable(self.data.github_oauth_authorize_url); + + // Azure AD OAuth2 Settings + self.azure_oauth_enabled = ko.observable(self.data.azure_oauth_enabled); + self.azure_oauth_key = ko.observable(self.data.azure_oauth_key); + self.azure_oauth_secret = ko.observable(self.data.azure_oauth_secret); + self.azure_oauth_scope = ko.observable(self.data.azure_oauth_scope); + self.azure_oauth_api_url = ko.observable(self.data.azure_oauth_api_url); + self.azure_oauth_auto_configure = ko.observable(self.data.azure_oauth_auto_configure); + self.azure_oauth_metadata_url = ko.observable(self.data.azure_oauth_metadata_url); + self.azure_oauth_token_url = ko.observable(self.data.azure_oauth_token_url); + self.azure_oauth_authorize_url = ko.observable(self.data.azure_oauth_authorize_url); + self.azure_sg_enabled = ko.observable(self.data.azure_sg_enabled); + self.azure_admin_group = ko.observable(self.data.azure_admin_group); + self.azure_operator_group = ko.observable(self.data.azure_operator_group); + self.azure_user_group = ko.observable(self.data.azure_user_group); + self.azure_group_accounts_enabled = ko.observable(self.data.azure_group_accounts_enabled); + self.azure_group_accounts_name = ko.observable(self.data.azure_group_accounts_name); + self.azure_group_accounts_name_re = ko.observable(self.data.azure_group_accounts_name_re); + self.azure_group_accounts_description = ko.observable(self.data.azure_group_accounts_description); + self.azure_group_accounts_description_re = ko.observable(self.data.azure_group_accounts_description_re); + + // OIDC OAuth2 Settings + self.oidc_oauth_enabled = ko.observable(self.data.oidc_oauth_enabled); + self.oidc_oauth_key = ko.observable(self.data.oidc_oauth_key); + self.oidc_oauth_secret = ko.observable(self.data.oidc_oauth_secret); + self.oidc_oauth_scope = ko.observable(self.data.oidc_oauth_scope); + self.oidc_oauth_api_url = ko.observable(self.data.oidc_oauth_api_url); + self.oidc_oauth_auto_configure = ko.observable(self.data.oidc_oauth_auto_configure); + self.oidc_oauth_metadata_url = ko.observable(self.data.oidc_oauth_metadata_url); + self.oidc_oauth_token_url = ko.observable(self.data.oidc_oauth_token_url); + self.oidc_oauth_authorize_url = ko.observable(self.data.oidc_oauth_authorize_url); + self.oidc_oauth_logout_url = ko.observable(self.data.oidc_oauth_logout_url); + self.oidc_oauth_username = ko.observable(self.data.oidc_oauth_username); + self.oidc_oauth_email = ko.observable(self.data.oidc_oauth_email); + self.oidc_oauth_firstname = ko.observable(self.data.oidc_oauth_firstname); + self.oidc_oauth_last_name = ko.observable(self.data.oidc_oauth_last_name); + self.oidc_oauth_account_name_property = ko.observable(self.data.oidc_oauth_account_name_property); + self.oidc_oauth_account_description_property = ko.observable(self.data.oidc_oauth_account_description_property); + } + + self.updateWithDefaults = function (instance) { + self.data = $.extend(defaults, instance) + } + + self.activateTab = function (tab) { + $('[role="tablist"] a.nav-link').blur(); + self.tab_active(tab); + window.location.hash = tab; + } + + self.activateDefaultTab = function () { + self.activateTab(self.tab_default()); + } + + self.initTabs = function() { + if (self.hasHash()) { + self.activateTab(self.getHash()); + } else { + self.activateDefaultTab(); + } + } + + self.getHash = function () { + return window.location.hash.substring(1); + } + + self.hasHash = function () { + return window.location.hash.length > 1; + } + + self.setupListeners = function () { + if ('onhashchange' in window) { + $(window).bind('hashchange', self.onHashChange); + } + } + + self.destroyListeners = function () { + if ('onhashchange' in window) { + $(window).unbind('hashchange', self.onHashChange); + } + } + + self.onTabClick = function (model, event) { + self.activateTab($(event.target).data('tab')); + return false; + } + + self.onHashChange = function (event) { + let hash = window.location.hash.trim(); + if (hash.length > 1) { + self.activateTab(hash.substring(1)); + } else { + self.activateDefaultTab(); + } + } + + self.updateWithDefaults(user_data); + self.setupObservables(); + + ko.applyBindings(self); + + self.initTabs(); + self.setupListeners(); +} + +$(function () { + // TODO: Load the data from the server and pass it to the model instantiation + loaded_data = {}; + model = new AuthenticationSettingsModel(loaded_data, CSRF_TOKEN, '#settings-editor'); +}) \ No newline at end of file diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index ca8baa5..73d305d 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -25,7 +25,7 @@
    -
    +

    Settings Editor

    @@ -43,31 +43,43 @@
    -
    +
    @@ -75,18 +87,15 @@
    -

    Basic Settings

    +

    Local Authentication Settings

    -
    - -
    + data-bind="checked: local_db_enabled">
    @@ -94,7 +103,7 @@ + data-bind="enable: local_db_enabled, checked: signup_enabled">
    @@ -104,7 +113,7 @@ + data-bind="enable: local_db_enabled, checked: pwd_enforce_characters"> @@ -115,7 +124,7 @@ + data-bind="enable: local_db_enabled() && pwd_enforce_characters(), value: pwd_min_len, valueUpdate: 'afterkeydown'">
    + data-bind="enable: local_db_enabled, checked: pwd_enforce_complexity"> @@ -167,7 +176,7 @@ name="pwd_min_complexity" id="pwd_min_complexity" data-error="Please enter the minimum password complexity required" - value="{{ SETTING.get('pwd_min_complexity') }}"> + data-bind="enable: local_db_enabled() && pwd_enforce_complexity(), value: pwd_min_complexity, valueUpdate: 'afterkeydown'">
    @@ -201,13 +210,18 @@ to be enabled.

    Password Requirements

    -
    This section allows you to customize your local DB password - requirements - and ensure that when users change their password or signup - they are - picking strong passwords.
    -
    Setting any entry field to a blank value will revert it back - to default.
    +
    This section allows you to customize your local DB + password + requirements + and ensure that when users change their password or + signup + they are + picking strong passwords. +
    +
    Setting any entry field to a blank value will revert it + back + to default. +
    Enforce Character Requirements
    This option will enforce the character type requirements for @@ -247,7 +261,7 @@ log factor is 11 as it is considered secure. More information about - the this can be found at + this can be found at here @@ -264,7 +278,7 @@
    -
    +
    {% if error %} @@ -281,7 +295,7 @@
    -

    LDAP Settings

    +

    LDAP Authentication Settings

    @@ -290,7 +304,7 @@ + data-bind="checked: ldap_enabled">
    @@ -299,18 +313,17 @@
       
    @@ -325,7 +338,7 @@ id="ldap_uri" placeholder="e.g. ldaps://your-ldap-server:636" data-error="Please input LDAP URI" - value="{{ SETTING.get('ldap_uri') }}"> + data-bind="enable: ldap_enabled, value: ldap_uri, valueUpdate: 'afterkeydown'">
    @@ -334,11 +347,11 @@ id="ldap_base_dn" placeholder="e.g. dc=mydomain,dc=com" data-error="Please input LDAP Base DN" - value="{{ SETTING.get('ldap_base_dn') }}"> + data-bind="enable: ldap_enabled, value: ldap_base_dn, valueUpdate: 'afterkeydown'">
    -
    +
    + data-bind="enable: ldap_enabled() && ldap_type() == 'ldap', value: ldap_admin_username, valueUpdate: 'afterkeydown'">
    -
    +
    + data-bind="enable: ldap_enabled() && ldap_type() == 'ldap', value: ldap_admin_password, valueUpdate: 'afterkeydown'">
    -
    +
    + data-bind="enable: ldap_enabled() && ldap_type() == 'ad', value: ldap_domain, valueUpdate: 'afterkeydown'">
    @@ -383,7 +396,7 @@ id="ldap_filter_basic" placeholder="e.g. (objectClass=inetorgperson)" data-error="Please input LDAP filter" - value="{{ SETTING.get('ldap_filter_basic') }}"> + data-bind="enable: ldap_enabled, value: ldap_filter_basic, valueUpdate: 'afterkeydown'">
    @@ -394,7 +407,7 @@ id="ldap_filter_username" placeholder="e.g. uid" data-error="Please input field for username filtering" - value="{{ SETTING.get('ldap_filter_username') }}"> + data-bind="enable: ldap_enabled, value: ldap_filter_username, valueUpdate: 'afterkeydown'">
    @@ -406,7 +419,7 @@ id="ldap_filter_group" placeholder="e.g. (objectclass=groupOfNames)" data-error="Please input LDAP filter" - value="{{ SETTING.get('ldap_filter_group') }}"> + data-bind="enable: ldap_enabled, value: ldap_filter_group, valueUpdate: 'afterkeydown'">
    @@ -417,7 +430,7 @@ id="ldap_filter_groupname" placeholder="e.g. member" data-error="Please input field for group name filtering" - value="{{ SETTING.get('ldap_filter_groupname') }}"> + data-bind="enable: ldap_enabled, value: ldap_filter_groupname, valueUpdate: 'afterkeydown'">
    @@ -429,15 +442,15 @@
       
    @@ -448,7 +461,7 @@ name="ldap_admin_group" id="ldap_admin_group" placeholder="e.g. cn=sysops,dc=mydomain,dc=com" data-error="Please input LDAP DN for Admin group" - value="{{ SETTING.get('ldap_admin_group') }}"> + data-bind="enable: ldap_enabled() && ldap_sg_enabled(), value: ldap_admin_group, valueUpdate: 'afterkeydown'">
    @@ -459,7 +472,7 @@ id="ldap_operator_group" placeholder="e.g. cn=operators,dc=mydomain,dc=com" data-error="Please input LDAP DN for Operator group" - value="{{ SETTING.get('ldap_operator_group') }}"> + data-bind="enable: ldap_enabled() && ldap_sg_enabled(), value: ldap_operator_group, valueUpdate: 'afterkeydown'">
    @@ -468,7 +481,7 @@ name="ldap_user_group" id="ldap_user_group" placeholder="e.g. cn=users,dc=mydomain,dc=com" data-error="Please input LDAP DN for User group" - value="{{ SETTING.get('ldap_user_group') }}"> + data-bind="enable: ldap_enabled() && ldap_sg_enabled(), value: ldap_user_group, valueUpdate: 'afterkeydown'">
    @@ -479,17 +492,17 @@
       
    @@ -501,7 +514,7 @@ id="autoprovisioning_attribute" placeholder="e.g. eduPersonEntitlement" data-error=" Please input field responsible for autoprovisioning" - value="{{ SETTING.get('autoprovisioning_attribute') }}"> + data-bind="enable: ldap_enabled() && autoprovisioning(), value: autoprovisioning_attribute, valueUpdate: 'afterkeydown'">
    @@ -513,7 +526,7 @@ id="urn_value" placeholder="e.g. urn:mace:" data-error="Please fill this field" - value="{{ SETTING.get('urn_value') }}"> + data-bind="enable: ldap_enabled() && autoprovisioning(), value: urn_value, valueUpdate: 'afterkeydown'"> {% if error %} Please input the correct prefix for your urn value {% endif %} @@ -524,16 +537,16 @@    
    @@ -722,7 +735,7 @@
    -
    +
    @@ -739,7 +752,7 @@
    + data-bind="checked: google_oauth_enabled">
    @@ -751,7 +764,7 @@ id="google_oauth_client_id" placeholder="Google OAuth Client ID" data-error="Please input Client ID" - value="{{ SETTING.get('google_oauth_client_id') }}"> + data-bind="enable: google_oauth_enabled, value: google_oauth_client_id, valueUpdate: 'afterkeydown'">
    @@ -762,7 +775,7 @@ id="google_oauth_client_secret" placeholder="Google OAuth Client Secret" data-error="Please input Client Secret" - value="{{ SETTING.get('google_oauth_client_secret') }}"> + data-bind="enable: google_oauth_enabled, value: google_oauth_client_secret, valueUpdate: 'afterkeydown'">
    @@ -772,16 +785,16 @@ id="google_oauth_scope" placeholder="e.g. email profile" data-error="Please input scope" - value="{{ SETTING.get('google_oauth_scope') }}"> + data-bind="enable: google_oauth_enabled, value: google_oauth_scope, valueUpdate: 'afterkeydown'">
    + data-bind="enable: google_oauth_enabled, value: google_base_url, valueUpdate: 'afterkeydown'">
    @@ -790,18 +803,18 @@ + data-bind="enable: google_oauth_enabled, value: google_oauth_metadata_url, valueUpdate: 'afterkeydown'">
    + data-bind="enable: google_oauth_enabled, value: google_token_url, valueUpdate: 'afterkeydown'">
    @@ -810,9 +823,9 @@ + data-bind="enable: google_oauth_enabled, value: google_authorize_url, valueUpdate: 'afterkeydown'">
    @@ -853,7 +866,7 @@
    -
    +
    @@ -869,7 +882,7 @@
    + data-bind="checked: github_oauth_enabled">
    @@ -879,7 +892,7 @@ name="github_oauth_key" id="github_oauth_key" placeholder="Github OAuth Client ID" data-error="Please input Client ID" - value="{{ SETTING.get('github_oauth_key') }}"> + data-bind="enable: github_oauth_enabled, value: github_oauth_key, valueUpdate: 'afterkeydown'">
    @@ -890,7 +903,7 @@ id="github_oauth_secret" placeholder="Github OAuth Client Secret" data-error="Please input Client Secret" - value="{{ SETTING.get('github_oauth_secret') }}"> + data-bind="enable: github_oauth_enabled, value: github_oauth_secret, valueUpdate: 'afterkeydown'">
    @@ -900,7 +913,7 @@ id="github_oauth_scope" placeholder="e.g. email" data-error="Please input scope" - value="{{ SETTING.get('github_oauth_scope') }}"> + data-bind="enable: github_oauth_enabled, value: github_oauth_scope, valueUpdate: 'afterkeydown'">
    @@ -910,7 +923,7 @@ id="github_oauth_api_url" placeholder="e.g. https://api.github.com/user" data-error="Please input API URL" - value="{{ SETTING.get('github_oauth_api_url') }}"> + data-bind="enable: github_oauth_enabled, value: github_oauth_api_url, valueUpdate: 'afterkeydown'">
    @@ -921,7 +934,7 @@ id="github_oauth_metadata_url" placeholder="e.g. https://{yourDomain}/.well-known/oauth-metadata.json" data-error="Please input Metadata URL" - value="{{ SETTING.get('github_oauth_metadata_url') }}"> + data-bind="enable: github_oauth_enabled, value: github_oauth_metadata_url, valueUpdate: 'afterkeydown'">
    @@ -932,7 +945,7 @@ id="github_oauth_token_url" placeholder="e.g. https://github.com/login/oauth/access_token" data-error="Please input Token URL" - value="{{ SETTING.get('github_oauth_token_url') }}"> + data-bind="enable: github_oauth_enabled, value: github_oauth_token_url, valueUpdate: 'afterkeydown'">
    @@ -943,7 +956,7 @@ id="github_oauth_authorize_url" placeholder="e.g. https://github.com/login/oauth/authorize" data-error="Please input Authorize URL" - value="{{ SETTING.get('github_oauth_authorize_url') }}"> + data-bind="enable: github_oauth_enabled, value: github_oauth_authorize_url, valueUpdate: 'afterkeydown'">
    @@ -981,7 +994,7 @@
    -
    +
    @@ -989,7 +1002,7 @@
    -

    Microsoft OAuth Settings

    +

    Azure OAuth Settings

    @@ -997,7 +1010,7 @@
    + data-bind="checked: azure_oauth_enabled"> @@ -1008,7 +1021,7 @@ name="azure_oauth_key" id="azure_oauth_key" placeholder="Azure OAuth Client ID" data-error="Please input Client Key" - value="{{ SETTING.get('azure_oauth_key') }}"> + data-bind="enable: azure_oauth_enabled, value: azure_oauth_key, valueUpdate: 'afterkeydown'">
    @@ -1019,7 +1032,7 @@ id="azure_oauth_secret" placeholder="Azure OAuth Client Secret" data-error="Please input Client Secret" - value="{{ SETTING.get('azure_oauth_secret') }}"> + data-bind="enable: azure_oauth_enabled, value: azure_oauth_secret, valueUpdate: 'afterkeydown'">
    @@ -1029,7 +1042,7 @@ id="azure_oauth_scope" placeholder="e.g. email" data-error="Please input scope - e.g. User.Read" - value="{{ SETTING.get('azure_oauth_scope') }}"> + data-bind="enable: azure_oauth_enabled, value: azure_oauth_scope, valueUpdate: 'afterkeydown'">
    @@ -1039,7 +1052,7 @@ id="azure_oauth_api_url" placeholder="e.g. https://graph.microsoft.com/v1.0/" data-error="Please input API URL" - value="{{ SETTING.get('azure_oauth_api_url') }}"> + data-bind="enable: azure_oauth_enabled, value: azure_oauth_api_url, valueUpdate: 'afterkeydown'">
    @@ -1048,9 +1061,9 @@ + data-bind="enable: azure_oauth_enabled, value: azure_oauth_metadata_url, valueUpdate: 'afterkeydown'">
    @@ -1058,9 +1071,9 @@ + data-bind="enable: azure_oauth_enabled, value: azure_oauth_token_url, valueUpdate: 'afterkeydown'">
    @@ -1069,9 +1082,9 @@ + data-bind="enable: azure_oauth_enabled, value: azure_oauth_authorize_url, valueUpdate: 'afterkeydown'">
    @@ -1082,15 +1095,15 @@
       
    @@ -1102,7 +1115,7 @@ id="azure_admin_group" placeholder="e.g. 00000000-0000-0000-0000-000000000000" data-error="Please input the ID for Admin group" - value="{{ SETTING.get('azure_admin_group') }}"> + data-bind="enable: azure_oauth_enabled() && azure_sg_enabled(), value: azure_admin_group, valueUpdate: 'afterkeydown'">
    @@ -1113,7 +1126,7 @@ id="azure_operator_group" placeholder="e.g. 00000000-0000-0000-0000-000000000000" data-error="Please input the ID for Operator group" - value="{{ SETTING.get('azure_operator_group') }}"> + data-bind="enable: azure_oauth_enabled() && azure_sg_enabled(), value: azure_operator_group, valueUpdate: 'afterkeydown'">
    @@ -1122,7 +1135,7 @@ name="azure_user_group" id="azure_user_group" placeholder="e.g. 00000000-0000-0000-0000-000000000000" data-error="Please input the ID for User group" - value="{{ SETTING.get('azure_user_group') }}"> + data-bind="enable: azure_oauth_enabled() && azure_sg_enabled(), value: azure_user_group, valueUpdate: 'afterkeydown'">
    @@ -1136,8 +1149,8 @@ + value="0" + data-bind="enable: azure_oauth_enabled, checked: azure_group_accounts_enabled, checkedValue: false"> OFF     @@ -1145,8 +1158,8 @@ + value="1" + data-bind="enable: azure_oauth_enabled, checked: azure_group_accounts_enabled, checkedValue: true"> ON
    @@ -1160,7 +1173,7 @@ id="azure_group_accounts_name" placeholder="e.g. displayName" data-error="Please input the Claim for Azure group name" - value="{{ SETTING.get('azure_group_accounts_name') }}"> + data-bind="enable: azure_oauth_enabled() && azure_group_accounts_enabled(), value: azure_group_accounts_name, valueUpdate: 'afterkeydown'">
    @@ -1172,7 +1185,7 @@ id="azure_group_accounts_name_re" placeholder="e.g. (.*)" data-error="Please input the regex for Azure group name" - value="{{ SETTING.get('azure_group_accounts_name_re') }}"> + data-bind="enable: azure_oauth_enabled() && azure_group_accounts_enabled(), value: azure_group_accounts_name_re, valueUpdate: 'afterkeydown'">
    @@ -1184,7 +1197,7 @@ id="azure_group_accounts_description" placeholder="e.g. description. If empty uses whole string" data-error="Please input the Claim for Azure group description" - value="{{ SETTING.get('azure_group_accounts_description') }}"> + data-bind="enable: azure_oauth_enabled() && azure_group_accounts_enabled(), value: azure_group_accounts_description, valueUpdate: 'afterkeydown'">
    @@ -1196,7 +1209,7 @@ id="azure_group_accounts_description_re" placeholder="e.g. (.*). If empty uses whole string" data-error="Please input the regex for Azure group description" - value="{{ SETTING.get('azure_group_accounts_description_re') }}"> + data-bind="enable: azure_oauth_enabled() && azure_group_accounts_enabled(), value: azure_group_accounts_description_re, valueUpdate: 'afterkeydown'">
    @@ -1289,7 +1302,7 @@
    -
    +
    @@ -1305,7 +1318,7 @@
    + data-bind="checked: oidc_oauth_enabled"> @@ -1316,7 +1329,7 @@ name="oidc_oauth_key" id="oidc_oauth_key" placeholder="OIDC OAuth Client ID" data-error="Please input Client ID" - value="{{ SETTING.get('oidc_oauth_key') }}"> + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_key, valueUpdate: 'afterkeydown'">
    @@ -1326,7 +1339,7 @@ id="oidc_oauth_secret" placeholder="OIDC OAuth Client Secret" data-error="Please input Client Secret" - value="{{ SETTING.get('oidc_oauth_secret') }}"> + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_secret, valueUpdate: 'afterkeydown'">
    @@ -1335,7 +1348,7 @@ name="oidc_oauth_scope" id="oidc_oauth_scope" placeholder="e.g. email" data-error="Please input scope" - value="{{ SETTING.get('oidc_oauth_scope') }}"> + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_scope, valueUpdate: 'afterkeydown'">
    @@ -1345,7 +1358,7 @@ id="oidc_oauth_api_url" placeholder="e.g. https://api.oidc.com/user" data-error="Please input API URL" - value="{{ SETTING.get('oidc_oauth_api_url') }}"> + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_api_url, valueUpdate: 'afterkeydown'">
    @@ -1354,9 +1367,9 @@ + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_metadata_url, valueUpdate: 'afterkeydown'">
    @@ -1364,9 +1377,9 @@ + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_token_url, valueUpdate: 'afterkeydown'">
    @@ -1375,9 +1388,9 @@ + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_authorize_url, valueUpdate: 'afterkeydown'">
    @@ -1386,9 +1399,9 @@ + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_logout_url, valueUpdate: 'afterkeydown'">
    @@ -1401,7 +1414,16 @@ id="oidc_oauth_username" placeholder="e.g. preferred_username" data-error="Please input Username claim" - value="{{ SETTING.get('oidc_oauth_username') }}"> + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_username, valueUpdate: 'afterkeydown'"> + +
    +
    + +
    @@ -1411,7 +1433,7 @@ id="oidc_oauth_firstname" placeholder="e.g. given_name" data-error="Please input First Name claim" - value="{{ SETTING.get('oidc_oauth_firstname') }}"> + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_firstname, valueUpdate: 'afterkeydown'">
    @@ -1421,16 +1443,7 @@ id="oidc_oauth_last_name" placeholder="e.g. family_name" data-error="Please input Last Name claim" - value="{{ SETTING.get('oidc_oauth_last_name') }}"> - -
    -
    - - + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_last_name, valueUpdate: 'afterkeydown'">
    @@ -1444,7 +1457,7 @@ id="oidc_oauth_account_name_property" placeholder="e.g. account_name" data-error="Please input property containing account_name" - value="{{ SETTING.get('oidc_oauth_account_name_property') }}"> + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_account_name_property, valueUpdate: 'afterkeydown'">
    @@ -1456,7 +1469,7 @@ id="oidc_oauth_account_description_property" placeholder="e.g. account_description" data-error="Please input property containing account_description" - value="{{ SETTING.get('oidc_oauth_account_description_property') }}"> + data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_account_description_property, valueUpdate: 'afterkeydown'">
    @@ -1516,8 +1529,18 @@ {%- endassets %} + + + + - + {%- endassets %} - - + + @@ -1565,334 +1530,6 @@ model.init(true); }) - - {% endblock %} {% block modals %} From cf62890fcf96136a969f5e1f006240812810bbb8 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Mon, 10 Apr 2023 17:28:54 -0400 Subject: [PATCH 69/77] Working on implementing the jQuery Validation plugin for the authentication settings editor. --- .../js/app-authentication-settings-editor.js | 121 +++++++++++++++++- .../admin_setting_authentication.html | 24 ++-- 2 files changed, 132 insertions(+), 13 deletions(-) diff --git a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js index 72d1542..0fa6aa2 100644 --- a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js +++ b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js @@ -267,6 +267,38 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele return self.ldap_enabled() === 1 && self.autoprovisioning() === 1; } + let google_oauth_auto_configure_enabled = function (element) { + return self.google_oauth_enabled() && self.google_oauth_auto_configure(); + } + + let google_oauth_auto_configure_disabled = function (element) { + return self.google_oauth_enabled() && !self.google_oauth_auto_configure(); + } + + let github_oauth_auto_configure_enabled = function (element) { + return self.github_oauth_enabled() && self.github_oauth_auto_configure(); + } + + let github_oauth_auto_configure_disabled = function (element) { + return self.github_oauth_enabled() && !self.github_oauth_auto_configure(); + } + + let azure_oauth_auto_configure_enabled = function (element) { + return self.azure_oauth_enabled() && self.azure_oauth_auto_configure(); + } + + let azure_oauth_auto_configure_disabled = function (element) { + return self.azure_oauth_enabled() && !self.azure_oauth_auto_configure(); + } + + let oidc_oauth_auto_configure_enabled = function (element) { + return self.oidc_oauth_enabled() && self.oidc_oauth_auto_configure(); + } + + let oidc_oauth_auto_configure_disabled = function (element) { + return self.oidc_oauth_enabled() && !self.oidc_oauth_auto_configure(); + } + jQuery.validator.addMethod('auth_enabled', auth_enabled, 'At least one authentication method must be enabled.'); jQuery.validator.addMethod('ldap_exclusive', ldap_exclusive, 'The LDAP group security and role auto-provisioning features are mutually exclusive.'); @@ -275,6 +307,7 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele ]; $(selector).validate({ + ignore: '', errorPlacement: function (error, element) { let useFooter = false; for (let i = 0; i < footerErrorElements.length; i++) { @@ -413,8 +446,94 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele maxlength: 100, }, purge: ldap_enabled, + google_oauth_client_id: { + required: google_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + google_oauth_client_secret: { + required: google_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + google_oauth_scope: { + required: google_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + google_base_url: { + required: google_oauth_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + google_oauth_metadata_url: { + required: google_oauth_auto_configure_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + google_token_url: { + required: google_oauth_auto_configure_disabled, + minlength: 1, + maxlength: 255, + url: true, + }, + google_authorize_url: { + required: google_oauth_auto_configure_disabled, + minlength: 1, + maxlength: 255, + url: true, + }, + github_oauth_key: { + required: github_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + github_oauth_secret: { + required: github_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + github_oauth_scope: { + required: github_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + github_oauth_api_url: { + required: github_oauth_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + github_oauth_metadata_url: { + required: github_oauth_auto_configure_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + github_oauth_token_url: { + required: github_oauth_auto_configure_disabled, + minlength: 1, + maxlength: 255, + url: true, + }, + github_oauth_authorize_url: { + required: github_oauth_auto_configure_disabled, + minlength: 1, + maxlength: 255, + url: true, + }, + + }, + messages: { + ldap_sg_enabled: { + ldap_exclusive: 'The LDAP group security feature is mutually exclusive with the LDAP role auto-provisioning feature.', + }, + autoprovisioning: { + ldap_exclusive: 'The LDAP role auto-provisioning feature is mutually exclusive with the LDAP group security feature.', + }, }, - messages: {}, }); } diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index 2729ed7..7c031db 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -89,7 +89,7 @@
    -
    +
    @@ -280,7 +280,7 @@
    -
    +
    {% if error %} @@ -744,7 +744,7 @@
    -
    @@ -803,7 +803,7 @@ id="google_oauth_auto_configure" name="google_oauth_auto_configure" class="checkbox" - data-bind="checked: google_oauth_auto_configure"> + data-bind="enable: google_oauth_enabled, checked: google_oauth_auto_configure"> @@ -869,7 +869,7 @@
    -
    @@ -927,7 +927,7 @@ id="github_oauth_auto_configure" name="github_oauth_auto_configure" class="checkbox" - data-bind="checked: github_oauth_auto_configure"> + data-bind="enable: github_oauth_enabled, checked: github_oauth_auto_configure"> @@ -991,7 +991,7 @@
    -
    +
    @@ -1049,7 +1049,7 @@ id="azure_oauth_auto_configure" name="azure_oauth_auto_configure" class="checkbox" - data-bind="checked: azure_oauth_auto_configure"> + data-bind="enable: azure_oauth_enabled, checked: azure_oauth_auto_configure">
    @@ -1293,7 +1293,7 @@
    -
    +
    @@ -1349,7 +1349,7 @@ id="oidc_oauth_auto_configure" name="oidc_oauth_auto_configure" class="checkbox" - data-bind="checked: oidc_oauth_auto_configure"> + data-bind="enable: oidc_oauth_enabled, checked: oidc_oauth_auto_configure">
    @@ -1509,8 +1509,8 @@ {% endblock %} {% block head_styles %} - {% endblock %} From ea10b814d6377541ab84dc683795210aaa677edd Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Mon, 10 Apr 2023 18:35:25 -0400 Subject: [PATCH 70/77] Working on implementing the jQuery Validation plugin for the authentication settings editor. --- .../js/app-authentication-settings-editor.js | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js index 0fa6aa2..27eac02 100644 --- a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js +++ b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js @@ -323,6 +323,26 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele element.after(error); } }, + showErrors: function (errorMap, errorList) { + this.defaultShowErrors(); + let selectors = [ + 'input.error:not([disabled])', + 'select.error:not([disabled])', + 'textarea.error:not([disabled])', + ]; + let selector_query = selectors.join(','); + let tabs = target.find('.tab-content > *[data-tab]') + tabs.each(function (index, tab) { + tab = $(tab); + let tabId = tab.data('tab'); + let tabLink = target.find('.nav-tabs > li > a[data-tab="' + tabId + '"]'); + if (tab.find(selector_query).length > 0) { + tabLink.addClass('error'); + } else { + tabLink.removeClass('error'); + } + }); + }, rules: { local_db_enabled: 'auth_enabled', ldap_enabled: 'auth_enabled', From e132ced6696659d246643299bd49b2367b4acd39 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Mon, 10 Apr 2023 19:29:18 -0400 Subject: [PATCH 71/77] Completed first pass at the jQuery Validation implementation for the authentication settings editor. --- .../js/app-authentication-settings-editor.js | 193 ++++++++++++++++-- 1 file changed, 179 insertions(+), 14 deletions(-) diff --git a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js index 27eac02..fccea97 100644 --- a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js +++ b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js @@ -185,6 +185,25 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele } self.setupValidation = function () { + let uuidRegExp = /^([0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})|[0-9]+$/i; + + let footerErrorElements = [ + 'input#local_db_enabled', + ]; + + let errorCheckSelectors = [ + 'input.error:not([disabled])', + 'select.error:not([disabled])', + 'textarea.error:not([disabled])', + ]; + + let errorCheckQuery = errorCheckSelectors.join(','); + let tabs = target.find('.tab-content > *[data-tab]') + + let onElementChanged = function (event) { + target.valid(); + } + let auth_enabled = function (value, element, params) { let enabled = 0; if (self.local_db_enabled()) { @@ -219,6 +238,10 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele return enabled < 2; } + let uuid = function (value, element, params) { + return uuidRegExp.test(value); + } + let local_enabled = function (element) { return self.local_db_enabled(); }; @@ -267,6 +290,14 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele return self.ldap_enabled() === 1 && self.autoprovisioning() === 1; } + let azure_gs_enabled = function (element) { + return self.azure_oauth_enabled() === 1 && self.azure_sg_enabled() === 1; + } + + let azure_gas_enabled = function (element) { + return self.azure_oauth_enabled() && self.azure_group_accounts_enabled(); + } + let google_oauth_auto_configure_enabled = function (element) { return self.google_oauth_enabled() && self.google_oauth_auto_configure(); } @@ -301,12 +332,9 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele jQuery.validator.addMethod('auth_enabled', auth_enabled, 'At least one authentication method must be enabled.'); jQuery.validator.addMethod('ldap_exclusive', ldap_exclusive, 'The LDAP group security and role auto-provisioning features are mutually exclusive.'); + jQuery.validator.addMethod('uuid', uuid, 'A valid UUID is required.'); - let footerErrorElements = [ - 'input#local_db_enabled', - ]; - - $(selector).validate({ + target.validate({ ignore: '', errorPlacement: function (error, element) { let useFooter = false; @@ -325,18 +353,11 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele }, showErrors: function (errorMap, errorList) { this.defaultShowErrors(); - let selectors = [ - 'input.error:not([disabled])', - 'select.error:not([disabled])', - 'textarea.error:not([disabled])', - ]; - let selector_query = selectors.join(','); - let tabs = target.find('.tab-content > *[data-tab]') tabs.each(function (index, tab) { tab = $(tab); let tabId = tab.data('tab'); let tabLink = target.find('.nav-tabs > li > a[data-tab="' + tabId + '"]'); - if (tab.find(selector_query).length > 0) { + if (tab.find(errorCheckQuery).length > 0) { tabLink.addClass('error'); } else { tabLink.removeClass('error'); @@ -544,7 +565,148 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele maxlength: 255, url: true, }, - + azure_oauth_key: { + required: azure_oauth_enabled, + minlength: 1, + maxlength: 255, + uuid: true, + }, + azure_oauth_secret: { + required: azure_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + azure_oauth_scope: { + required: azure_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + azure_oauth_api_url: { + required: azure_oauth_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + azure_oauth_metadata_url: { + required: azure_oauth_auto_configure_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + azure_oauth_token_url: { + required: azure_oauth_auto_configure_disabled, + minlength: 1, + maxlength: 255, + url: true, + }, + azure_oauth_authorize_url: { + required: azure_oauth_auto_configure_disabled, + minlength: 1, + maxlength: 255, + url: true, + }, + azure_sg_enabled: azure_oauth_enabled, + azure_admin_group: { + uuid: azure_gs_enabled, + }, + azure_operator_group: { + uuid: azure_gs_enabled, + }, + azure_user_group: { + uuid: azure_gs_enabled, + }, + azure_group_accounts_enabled: azure_oauth_enabled, + azure_group_accounts_name: { + required: azure_gas_enabled, + minlength: 1, + maxlength: 255, + }, + azure_group_accounts_name_re: { + required: azure_gas_enabled, + minlength: 1, + maxlength: 255, + }, + azure_group_accounts_description: { + required: azure_gas_enabled, + minlength: 1, + maxlength: 255, + }, + azure_group_accounts_description_re: { + required: azure_gas_enabled, + minlength: 1, + maxlength: 255, + }, + oidc_oauth_key: { + required: oidc_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + oidc_oauth_secret: { + required: oidc_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + oidc_oauth_scope: { + required: oidc_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + oidc_oauth_api_url: { + required: oidc_oauth_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + oidc_oauth_metadata_url: { + required: oidc_oauth_auto_configure_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + oidc_oauth_token_url: { + required: oidc_oauth_auto_configure_disabled, + minlength: 1, + maxlength: 255, + url: true, + }, + oidc_oauth_authorize_url: { + required: oidc_oauth_auto_configure_disabled, + minlength: 1, + maxlength: 255, + url: true, + }, + oidc_oauth_logout_url: { + required: oidc_oauth_enabled, + minlength: 1, + maxlength: 255, + url: true, + }, + oidc_oauth_username: { + required: oidc_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + oidc_oauth_email: { + required: oidc_oauth_enabled, + minlength: 1, + maxlength: 255, + }, + oidc_oauth_firstname: { + minlength: 0, + maxlength: 255, + }, + oidc_oauth_last_name: { + minlength: 0, + maxlength: 255, + }, + oidc_oauth_account_name_property: { + minlength: 0, + maxlength: 255, + }, + oidc_oauth_account_description_property: { + minlength: 0, + maxlength: 255, + }, }, messages: { ldap_sg_enabled: { @@ -555,6 +717,9 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele }, }, }); + + target.find('input, select, textarea, label').on('change,keyup,blur,click', onElementChanged); + target.valid(); } self.activateTab = function (tab) { From 69ce3cb88a57e39d488c149ee6c7272f688227bc Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Mon, 10 Apr 2023 19:52:18 -0400 Subject: [PATCH 72/77] Added additional UI alerts / messaging to handle success / failure scenarios. --- .../js/app-authentication-settings-editor.js | 58 ++++------- .../admin_setting_authentication.html | 98 +++++++------------ 2 files changed, 58 insertions(+), 98 deletions(-) diff --git a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js index fccea97..fe3a942 100644 --- a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js +++ b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js @@ -6,6 +6,10 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele self.selector = selector; self.loading = false; self.saving = false; + self.saved = false; + self.save_failed = false; + self.messages = []; + self.messages_class = 'info'; self.tab_active = ''; self.tab_default = 'local'; @@ -107,6 +111,10 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele self.init = function (autoload) { self.loading = ko.observable(self.loading); self.saving = ko.observable(self.saving); + self.saved = ko.observable(self.saved); + self.save_failed = ko.observable(self.save_failed); + self.messages = ko.observableArray(self.messages); + self.messages_class = ko.observable(self.messages_class); self.tab_active = ko.observable(self.tab_active); self.tab_default = ko.observable(self.tab_default); self.update(user_data); @@ -742,59 +750,33 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele self.onDataLoaded = function (result) { if (result.status == 0) { - console.log('Error loading settings.'); - - if (result.messages.length) { - for (let i = 0; i < result.messages.length; i++) { - let message = result.messages[i]; - console.log(message); - } - } - + self.messages_class('danger'); + self.messages(result.messages); self.loading(false); return false; } self.update(result.data); - - console.log('Settings loaded.'); - - if (result.messages.length) { - for (let i = 0; i < result.messages.length; i++) { - let message = result.messages[i]; - console.log(message); - } - } - + self.messages_class('info'); + self.messages(result.messages); self.loading(false); } self.onDataSaved = function (result) { if (result.status == 0) { - console.log('Error saving settings.'); - - if (result.messages.length) { - for (let i = 0; i < result.messages.length; i++) { - let message = result.messages[i]; - console.log(message); - } - } - + self.saved(false); + self.save_failed(true); + self.messages_class('danger'); + self.messages(result.messages); self.saving(false); return false; } self.update(result.data); - - console.log('Settings saved.'); - - if (result.messages.length) { - for (let i = 0; i < result.messages.length; i++) { - let message = result.messages[i]; - console.log(message); - } - } - + self.saved(true); + self.save_failed(false); + self.messages_class('info'); + self.messages(result.messages); self.saving(false); } diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index 7c031db..e7984bc 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -40,16 +40,33 @@ data-bind="text: (loading() ? 'Loading' : 'Saving') + ' settings...'">
    - {% if result %} -
    - - {{ result['msg'] }} -
    - {% endif %} - + + + +
    • @@ -89,7 +106,8 @@
    -
    +
    @@ -280,7 +298,8 @@
    -
    +
    {% if error %} @@ -745,7 +764,7 @@
    + data-bind="class: 'tab-pane' + (tab_active() == 'google' ? ' active' : '')">
    @@ -870,7 +889,7 @@
    + data-bind="class: 'tab-pane' + (tab_active() == 'github' ? ' active' : '')">
    @@ -991,7 +1010,8 @@
    -
    +
    @@ -1293,7 +1313,8 @@
    -
    +
    @@ -1510,7 +1531,7 @@ {% block head_styles %} {% endblock %} @@ -1531,46 +1552,3 @@ }) {% endblock %} - -{% block modals %} - - - -{% endblock %} From 9f076330d6362149aafeb46d323e625e019425c4 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Mon, 10 Apr 2023 19:54:47 -0400 Subject: [PATCH 73/77] Removed legacy backend controller code for handling authentication settings form submission. --- powerdnsadmin/routes/admin.py | 276 +--------------------------------- 1 file changed, 1 insertion(+), 275 deletions(-) diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py index 05b188d..28eb3df 100644 --- a/powerdnsadmin/routes/admin.py +++ b/powerdnsadmin/routes/admin.py @@ -1552,281 +1552,7 @@ def has_an_auth_method(local_db_enabled=None, @login_required @admin_role_required def setting_authentication(): - if request.method == 'GET': - return render_template('admin_setting_authentication.html') - elif request.method == 'POST': - conf_type = request.form.get('config_tab') - result = None - - if conf_type == 'general': - local_db_enabled = True if request.form.get( - 'local_db_enabled') else False - signup_enabled = True if request.form.get( - 'signup_enabled') else False - - pwd_enforce_characters = True if request.form.get('pwd_enforce_characters') else False - pwd_min_len = safe_cast(request.form.get('pwd_min_len', Setting().defaults["pwd_min_len"]), int, - Setting().defaults["pwd_min_len"]) - pwd_min_lowercase = safe_cast( - request.form.get('pwd_min_lowercase', Setting().defaults["pwd_min_lowercase"]), int, - Setting().defaults["pwd_min_lowercase"]) - pwd_min_uppercase = safe_cast( - request.form.get('pwd_min_uppercase', Setting().defaults["pwd_min_uppercase"]), int, - Setting().defaults["pwd_min_uppercase"]) - pwd_min_digits = safe_cast(request.form.get('pwd_min_digits', Setting().defaults["pwd_min_digits"]), int, - Setting().defaults["pwd_min_digits"]) - pwd_min_special = safe_cast(request.form.get('pwd_min_special', Setting().defaults["pwd_min_special"]), int, - Setting().defaults["pwd_min_special"]) - - pwd_enforce_complexity = True if request.form.get('pwd_enforce_complexity') else False - pwd_min_complexity = safe_cast(request.form.get('pwd_min_complexity', - Setting().defaults["pwd_min_complexity"]), int, - Setting().defaults["pwd_min_complexity"]) - - if not has_an_auth_method(local_db_enabled=local_db_enabled): - result = { - 'status': - False, - 'msg': - 'Must have at least one authentication method enabled.' - } - else: - Setting().set('local_db_enabled', local_db_enabled) - Setting().set('signup_enabled', signup_enabled) - Setting().set('pwd_enforce_characters', pwd_enforce_characters) - Setting().set('pwd_min_len', pwd_min_len) - Setting().set('pwd_min_lowercase', pwd_min_lowercase) - Setting().set('pwd_min_uppercase', pwd_min_uppercase) - Setting().set('pwd_min_digits', pwd_min_digits) - Setting().set('pwd_min_special', pwd_min_special) - Setting().set('pwd_enforce_complexity', pwd_enforce_complexity) - Setting().set('pwd_min_complexity', pwd_min_complexity) - - result = {'status': True, 'msg': 'Saved successfully'} - - elif conf_type == 'ldap': - ldap_enabled = True if request.form.get('ldap_enabled') else False - - if not has_an_auth_method(ldap_enabled=ldap_enabled): - result = { - 'status': - False, - 'msg': - 'Must have at least one authentication method enabled.' - } - else: - Setting().set('ldap_enabled', ldap_enabled) - Setting().set('ldap_type', request.form.get('ldap_type')) - Setting().set('ldap_uri', request.form.get('ldap_uri')) - Setting().set('ldap_base_dn', request.form.get('ldap_base_dn')) - Setting().set('ldap_admin_username', - request.form.get('ldap_admin_username')) - Setting().set('ldap_admin_password', - request.form.get('ldap_admin_password')) - Setting().set('ldap_filter_basic', - request.form.get('ldap_filter_basic')) - Setting().set('ldap_filter_group', - request.form.get('ldap_filter_group')) - Setting().set('ldap_filter_username', - request.form.get('ldap_filter_username')) - Setting().set('ldap_filter_groupname', - request.form.get('ldap_filter_groupname')) - Setting().set( - 'ldap_sg_enabled', True - if request.form.get('ldap_sg_enabled') == 'ON' else False) - Setting().set('ldap_admin_group', - request.form.get('ldap_admin_group')) - Setting().set('ldap_operator_group', - request.form.get('ldap_operator_group')) - Setting().set('ldap_user_group', - request.form.get('ldap_user_group')) - Setting().set('ldap_domain', request.form.get('ldap_domain')) - Setting().set( - 'autoprovisioning', True - if request.form.get('autoprovisioning') == 'ON' else False) - Setting().set('autoprovisioning_attribute', - request.form.get('autoprovisioning_attribute')) - - if request.form.get('autoprovisioning') == 'ON': - if validateURN(request.form.get('urn_value')): - Setting().set('urn_value', - request.form.get('urn_value')) - else: - return render_template('admin_setting_authentication.html', - error="Invalid urn") - else: - Setting().set('urn_value', - request.form.get('urn_value')) - - Setting().set('purge', True - if request.form.get('purge') == 'ON' else False) - - result = {'status': True, 'msg': 'Saved successfully'} - elif conf_type == 'google': - google_oauth_enabled = True if request.form.get( - 'google_oauth_enabled') else False - if not has_an_auth_method(google_oauth_enabled=google_oauth_enabled): - result = { - 'status': - False, - 'msg': - 'Must have at least one authentication method enabled.' - } - else: - Setting().set('google_oauth_enabled', google_oauth_enabled) - Setting().set('google_oauth_client_id', - request.form.get('google_oauth_client_id')) - Setting().set('google_oauth_client_secret', - request.form.get('google_oauth_client_secret')) - Setting().set('google_oauth_metadata_url', - request.form.get('google_oauth_metadata_url')) - Setting().set('google_token_url', - request.form.get('google_token_url')) - Setting().set('google_oauth_scope', - request.form.get('google_oauth_scope')) - Setting().set('google_authorize_url', - request.form.get('google_authorize_url')) - Setting().set('google_base_url', - request.form.get('google_base_url')) - result = { - 'status': True, - 'msg': - 'Saved successfully. Please reload PDA to take effect.' - } - elif conf_type == 'github': - github_oauth_enabled = True if request.form.get( - 'github_oauth_enabled') else False - if not has_an_auth_method(github_oauth_enabled=github_oauth_enabled): - result = { - 'status': - False, - 'msg': - 'Must have at least one authentication method enabled.' - } - else: - Setting().set('github_oauth_enabled', github_oauth_enabled) - Setting().set('github_oauth_key', - request.form.get('github_oauth_key')) - Setting().set('github_oauth_secret', - request.form.get('github_oauth_secret')) - Setting().set('github_oauth_scope', - request.form.get('github_oauth_scope')) - Setting().set('github_oauth_api_url', - request.form.get('github_oauth_api_url')) - Setting().set('github_oauth_metadata_url', - request.form.get('github_oauth_metadata_url')) - Setting().set('github_oauth_token_url', - request.form.get('github_oauth_token_url')) - Setting().set('github_oauth_authorize_url', - request.form.get('github_oauth_authorize_url')) - result = { - 'status': True, - 'msg': - 'Saved successfully. Please reload PDA to take effect.' - } - elif conf_type == 'azure': - azure_oauth_enabled = True if request.form.get( - 'azure_oauth_enabled') else False - if not has_an_auth_method(azure_oauth_enabled=azure_oauth_enabled): - result = { - 'status': - False, - 'msg': - 'Must have at least one authentication method enabled.' - } - else: - Setting().set('azure_oauth_enabled', azure_oauth_enabled) - Setting().set('azure_oauth_key', - request.form.get('azure_oauth_key')) - Setting().set('azure_oauth_secret', - request.form.get('azure_oauth_secret')) - Setting().set('azure_oauth_scope', - request.form.get('azure_oauth_scope')) - Setting().set('azure_oauth_api_url', - request.form.get('azure_oauth_api_url')) - Setting().set('azure_oauth_metadata_url', - request.form.get('azure_oauth_metadata_url')) - Setting().set('azure_oauth_token_url', - request.form.get('azure_oauth_token_url')) - Setting().set('azure_oauth_authorize_url', - request.form.get('azure_oauth_authorize_url')) - Setting().set( - 'azure_sg_enabled', True - if request.form.get('azure_sg_enabled') == 'ON' else False) - Setting().set('azure_admin_group', - request.form.get('azure_admin_group')) - Setting().set('azure_operator_group', - request.form.get('azure_operator_group')) - Setting().set('azure_user_group', - request.form.get('azure_user_group')) - Setting().set( - 'azure_group_accounts_enabled', True - if request.form.get('azure_group_accounts_enabled') == 'ON' else False) - Setting().set('azure_group_accounts_name', - request.form.get('azure_group_accounts_name')) - Setting().set('azure_group_accounts_name_re', - request.form.get('azure_group_accounts_name_re')) - Setting().set('azure_group_accounts_description', - request.form.get('azure_group_accounts_description')) - Setting().set('azure_group_accounts_description_re', - request.form.get('azure_group_accounts_description_re')) - result = { - 'status': True, - 'msg': - 'Saved successfully. Please reload PDA to take effect.' - } - elif conf_type == 'oidc': - oidc_oauth_enabled = True if request.form.get( - 'oidc_oauth_enabled') else False - if not has_an_auth_method(oidc_oauth_enabled=oidc_oauth_enabled): - result = { - 'status': - False, - 'msg': - 'Must have at least one authentication method enabled.' - } - else: - Setting().set( - 'oidc_oauth_enabled', - True if request.form.get('oidc_oauth_enabled') else False) - Setting().set('oidc_oauth_key', - request.form.get('oidc_oauth_key')) - Setting().set('oidc_oauth_secret', - request.form.get('oidc_oauth_secret')) - Setting().set('oidc_oauth_scope', - request.form.get('oidc_oauth_scope')) - Setting().set('oidc_oauth_api_url', - request.form.get('oidc_oauth_api_url')) - Setting().set('oidc_oauth_metadata_url', - request.form.get('oidc_oauth_metadata_url')) - Setting().set('oidc_oauth_token_url', - request.form.get('oidc_oauth_token_url')) - Setting().set('oidc_oauth_authorize_url', - request.form.get('oidc_oauth_authorize_url')) - Setting().set('oidc_oauth_logout_url', - request.form.get('oidc_oauth_logout_url')) - Setting().set('oidc_oauth_username', - request.form.get('oidc_oauth_username')) - Setting().set('oidc_oauth_firstname', - request.form.get('oidc_oauth_firstname')) - Setting().set('oidc_oauth_last_name', - request.form.get('oidc_oauth_last_name')) - Setting().set('oidc_oauth_email', - request.form.get('oidc_oauth_email')) - Setting().set('oidc_oauth_account_name_property', - request.form.get('oidc_oauth_account_name_property')) - Setting().set('oidc_oauth_account_description_property', - request.form.get('oidc_oauth_account_description_property')) - result = { - 'status': True, - 'msg': - 'Saved successfully. Please reload PDA to take effect.' - } - else: - return abort(400) - - return render_template('admin_setting_authentication.html', - result=result) + return render_template('admin_setting_authentication.html') @admin_bp.route('/setting/authentication/api', methods=['POST']) From c7aba5626d71ce7c82b4cd3d259e6e6954774591 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Mon, 10 Apr 2023 19:58:58 -0400 Subject: [PATCH 74/77] Moved authentication settings editor JavaScript into `js_main` assets build process instead of direct linking it to the view. --- powerdnsadmin/assets.py | 1 + powerdnsadmin/templates/admin_setting_authentication.html | 7 ------- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/powerdnsadmin/assets.py b/powerdnsadmin/assets.py index 2674bee..d46d431 100644 --- a/powerdnsadmin/assets.py +++ b/powerdnsadmin/assets.py @@ -58,6 +58,7 @@ js_main = Bundle( 'node_modules/jtimeout/src/jTimeout.js', 'node_modules/jquery.quicksearch/src/jquery.quicksearch.js', 'node_modules/knockout/build/output/knockout-latest.js', + 'custom/js/app-authentication-settings-editor.js', 'custom/js/custom.js', 'node_modules/bootstrap-datepicker/dist/js/bootstrap-datepicker.js', filters=(ConcatFilter, 'rjsmin'), diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index e7984bc..c44367d 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -1536,13 +1536,6 @@ {% endblock %} {% block extrascripts %} - {% assets "js_validation" -%} - - {%- endassets %} - - -
    Associate: {{ history_assoc_account }}