From e5b324d74b5777c7b5129bce844b3957013b5bfe Mon Sep 17 00:00:00 2001
From: John Warburton
Date: Fri, 17 May 2019 09:38:08 +1000
Subject: [PATCH 1/5] Add LDAP_GROUP_SECURITY groupOfNames groups support
---
 app/models.py | 12 +++++++---
 .../admin_setting_authentication.html | 22 +++++++++++++++++++
 app/views.py | 2 ++
 3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/app/models.py b/app/models.py
index 8ae1596..6153181 100644
--- a/app/models.py
+++ b/app/models.py
@@ -212,6 +212,8 @@ class User(db.Model):
 LDAP_BASE_DN = Setting().get('ldap_base_dn')
 LDAP_FILTER_BASIC = Setting().get('ldap_filter_basic')
 LDAP_FILTER_USERNAME = Setting().get('ldap_filter_username')
+ LDAP_FILTER_GROUP = Setting().get('ldap_filter_group')
+ LDAP_FILTER_GROUPNAME = Setting().get('ldap_filter_groupname')
 LDAP_ADMIN_GROUP = Setting().get('ldap_admin_group')
 LDAP_OPERATOR_GROUP = Setting().get('ldap_operator_group')
 LDAP_USER_GROUP = Setting().get('ldap_user_group')
@@ -252,15 +254,17 @@ class User(db.Model):
 if LDAP_GROUP_SECURITY_ENABLED:
 try:
 if LDAP_TYPE == 'ldap':
- if (self.ldap_search(searchFilter, LDAP_ADMIN_GROUP)):
+ groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP)
+ logging.info('groupSearchFilter is {0}'.format(groupSearchFilter))
+ if (self.ldap_search(groupSearchFilter, LDAP_ADMIN_GROUP)):
 role_name = 'Administrator'
 logging.info(
 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP))
- elif (self.ldap_search(searchFilter, LDAP_OPERATOR_GROUP)):
+ elif (self.ldap_search(groupSearchFilter, LDAP_OPERATOR_GROUP)):
 role_name = 'Operator'
 logging.info('User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'.format(
 self.username, LDAP_OPERATOR_GROUP))
- elif (self.ldap_search(searchFilter, LDAP_USER_GROUP)):
+ elif (self.ldap_search(groupSearchFilter, LDAP_USER_GROUP)):
 logging.info(
 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'.format(self.username, LDAP_USER_GROUP))
 else:
@@ -2015,7 +2019,9 @@ class Setting(db.Model):
 'ldap_admin_username': '',
 'ldap_admin_password': '',
 'ldap_filter_basic': '',
+ 'ldap_filter_group': '',
 'ldap_filter_username': '',
+ 'ldap_filter_groupname': '',
 'ldap_sg_enabled': False,
 'ldap_admin_group': '',
 'ldap_operator_group': '',
diff --git a/app/templates/admin_setting_authentication.html b/app/templates/admin_setting_authentication.html
index 6e634b1..e5dda1b 100644
--- a/app/templates/admin_setting_authentication.html
+++ b/app/templates/admin_setting_authentication.html
@@ -140,6 +140,16 @@ +
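Review bot: In the `@@ -252` hunk of app/models.py, the new `groupSearchFilter` line interpolates `ldap_username` into an LDAP search filter with plain `str.format` and no escaping, so a username containing LDAP filter metacharacters would change the meaning of the query; `ldap_username` is built outside this hunk, but it appears to derive from the login name, which makes escaping the defensive default. Pass it through python-ldap's `ldap.filter.escape_filter_chars` before formatting: `groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap.filter.escape_filter_chars(ldap_username), LDAP_FILTER_GROUP)` (adding `import ldap.filter` if the module does not already have it). Separately, `LDAP_FILTER_GROUPNAME` defaults to `''` in the `@@ -2015` hunk, and an empty value yields the malformed filter `(=...)`, so an explicit check such as `if not LDAP_FILTER_GROUPNAME:` that refuses the login before the search would fail loudly instead of sending a broken query. PATCH 2/5 repeats this hunk verbatim, and the enclosing method starts and ends outside the hunk.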
+ + + +
+
+ + + +
GROUP SECURITY @@ -221,6 +231,12 @@
  • Username field - The field PDA will look for user's username. (e.g. uid for OpenLDAP and sAMAccountName for Active Directory)
  • +
  • + Group filter - The filter that will be applied to all LDAP group queries by PDA. (e.g. (objectClass=groupOfNames) for OpenLDAP) +
  • +
  • + Group name field - The field PDA will look for group names. (e.g. member for OpenLDAP) +
  • GROUP SECURITY
    @@ -475,7 +491,9 @@
 $('#ldap_domain').prop('required', true);
 }
 $('#ldap_filter_basic').prop('required', true);
+ $('#ldap_filter_group').prop('required', true);
 $('#ldap_filter_username').prop('required', true);
+ $('#ldap_filter_groupname').prop('required', true);
 if ($('#ldap_sg_on').is(":checked")) {
 $('#ldap_admin_group').prop('required', true);
@@ -489,7 +507,9 @@
 $('#ldap_admin_username').prop('required', false);
 $('#ldap_admin_password').prop('required', false);
 $('#ldap_filter_basic').prop('required', false);
+ $('#ldap_filter_group').prop('required', false);
 $('#ldap_filter_username').prop('required', false);
+ $('#ldap_filter_groupname').prop('required', false);
 if ($('#ldap_sg_on').is(":checked")) {
 $('#ldap_admin_group').prop('required', false);
@@ -539,7 +559,9 @@
 $('#ldap_domain').prop('required', true);
 }
 $('#ldap_filter_basic').prop('required', true);
+ $('#ldap_filter_group').prop('required', true);
 $('#ldap_filter_username').prop('required', true);
+ $('#ldap_filter_groupname').prop('required', true);
 if ($('#ldap_sg_on').is(":checked")) {
 $('#ldap_admin_group').prop('required', true);
diff --git a/app/views.py b/app/views.py
index b94cbff..073e40f 100755
--- a/app/views.py
+++ b/app/views.py
@@ -1671,7 +1671,9 @@ def admin_setting_authentication():
 Setting().set('ldap_admin_username', request.form.get('ldap_admin_username'))
 Setting().set('ldap_admin_password', request.form.get('ldap_admin_password'))
 Setting().set('ldap_filter_basic', request.form.get('ldap_filter_basic'))
+ Setting().set('ldap_filter_group', request.form.get('ldap_filter_group'))
 Setting().set('ldap_filter_username', request.form.get('ldap_filter_username'))
+ Setting().set('ldap_filter_groupname', request.form.get('ldap_filter_groupname'))
 Setting().set('ldap_sg_enabled', True if request.form.get('ldap_sg_enabled')=='ON' else False)
 Setting().set('ldap_admin_group', request.form.get('ldap_admin_group'))
 Setting().set('ldap_operator_group', request.form.get('ldap_operator_group'))
From 67972123b6d36009d0263cb98ed4bff74d813e39 Mon Sep 17 00:00:00 2001
From: John Warburton
Date: Fri, 17 May 2019 09:38:08 +1000
Subject: [PATCH 2/5] Add LDAP_GROUP_SECURITY groupOfNames groups support
---
 app/models.py | 12 +++++++---
 .../admin_setting_authentication.html | 22 +++++++++++++++++++
 app/views.py | 2 ++
 3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/app/models.py b/app/models.py
index 8ae1596..6153181 100644
--- a/app/models.py
+++ b/app/models.py
@@ -212,6 +212,8 @@ class User(db.Model):
 LDAP_BASE_DN = Setting().get('ldap_base_dn')
 LDAP_FILTER_BASIC = Setting().get('ldap_filter_basic')
 LDAP_FILTER_USERNAME = Setting().get('ldap_filter_username')
+ LDAP_FILTER_GROUP = Setting().get('ldap_filter_group')
+ LDAP_FILTER_GROUPNAME = Setting().get('ldap_filter_groupname')
 LDAP_ADMIN_GROUP = Setting().get('ldap_admin_group')
 LDAP_OPERATOR_GROUP = Setting().get('ldap_operator_group')
 LDAP_USER_GROUP = Setting().get('ldap_user_group')
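Review bot: In the app/views.py hunk at `@@ -1671`, the two new settings are persisted straight from `request.form.get(...)` with no server-side check, so a missing field stores `None` and an empty one stores `''`; the `required` flags the template hunks add are enforced only in the browser. Because `ldap_filter_groupname` becomes the attribute name in every group lookup and `ldap_filter_group` is spliced into the search filter as-is, reject empty values here before saving, e.g. `if not request.form.get('ldap_filter_groupname'):` followed by the same error path the view presumably uses for other invalid input (its handling is outside the hunk), and consider checking that the group filter is a balanced parenthesised expression. PATCH 2/5 repeats this hunk verbatim; `admin_setting_authentication` starts and ends outside the hunk.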
@@ -252,15 +254,17 @@ class User(db.Model):
 if LDAP_GROUP_SECURITY_ENABLED:
 try:
 if LDAP_TYPE == 'ldap':
- if (self.ldap_search(searchFilter, LDAP_ADMIN_GROUP)):
+ groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP)
+ logging.info('groupSearchFilter is {0}'.format(groupSearchFilter))
+ if (self.ldap_search(groupSearchFilter, LDAP_ADMIN_GROUP)):
 role_name = 'Administrator'
 logging.info(
 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP))
- elif (self.ldap_search(searchFilter, LDAP_OPERATOR_GROUP)):
+ elif (self.ldap_search(groupSearchFilter, LDAP_OPERATOR_GROUP)):
 role_name = 'Operator'
 logging.info('User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'.format(
 self.username, LDAP_OPERATOR_GROUP))
- elif (self.ldap_search(searchFilter, LDAP_USER_GROUP)):
+ elif (self.ldap_search(groupSearchFilter, LDAP_USER_GROUP)):
 logging.info(
 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'.format(self.username, LDAP_USER_GROUP))
 else:
@@ -2015,7 +2019,9 @@ class Setting(db.Model):
 'ldap_admin_username': '',
 'ldap_admin_password': '',
 'ldap_filter_basic': '',
+ 'ldap_filter_group': '',
 'ldap_filter_username': '',
+ 'ldap_filter_groupname': '',
 'ldap_sg_enabled': False,
 'ldap_admin_group': '',
 'ldap_operator_group': '',
diff --git a/app/templates/admin_setting_authentication.html b/app/templates/admin_setting_authentication.html
index 6e634b1..e5dda1b 100644
--- a/app/templates/admin_setting_authentication.html
+++ b/app/templates/admin_setting_authentication.html
@@ -140,6 +140,16 @@ +
    + + + +
    +
    + + + +
    GROUP SECURITY @@ -221,6 +231,12 @@
  • Username field - The field PDA will look for user's username. (e.g. uid for OpenLDAP and sAMAccountName for Active Directory)
  • +
  • + Group filter - The filter that will be applied to all LDAP group queries by PDA. (e.g. (objectClass=groupOfNames) for OpenLDAP) +
  • +
  • + Group name field - The field PDA will look for group names. (e.g. member for OpenLDAP) +
  • GROUP SECURITY
    @@ -475,7 +491,9 @@
 $('#ldap_domain').prop('required', true);
 }
 $('#ldap_filter_basic').prop('required', true);
+ $('#ldap_filter_group').prop('required', true);
 $('#ldap_filter_username').prop('required', true);
+ $('#ldap_filter_groupname').prop('required', true);
 if ($('#ldap_sg_on').is(":checked")) {
 $('#ldap_admin_group').prop('required', true);
@@ -489,7 +507,9 @@
 $('#ldap_admin_username').prop('required', false);
 $('#ldap_admin_password').prop('required', false);
 $('#ldap_filter_basic').prop('required', false);
+ $('#ldap_filter_group').prop('required', false);
 $('#ldap_filter_username').prop('required', false);
+ $('#ldap_filter_groupname').prop('required', false);
 if ($('#ldap_sg_on').is(":checked")) {
 $('#ldap_admin_group').prop('required', false);
@@ -539,7 +559,9 @@
 $('#ldap_domain').prop('required', true);
 }
 $('#ldap_filter_basic').prop('required', true);
+ $('#ldap_filter_group').prop('required', true);
 $('#ldap_filter_username').prop('required', true);
+ $('#ldap_filter_groupname').prop('required', true);
 if ($('#ldap_sg_on').is(":checked")) {
 $('#ldap_admin_group').prop('required', true);
diff --git a/app/views.py b/app/views.py
index b94cbff..073e40f 100755
--- a/app/views.py
+++ b/app/views.py
@@ -1671,7 +1671,9 @@ def admin_setting_authentication():
 Setting().set('ldap_admin_username', request.form.get('ldap_admin_username'))
 Setting().set('ldap_admin_password', request.form.get('ldap_admin_password'))
 Setting().set('ldap_filter_basic', request.form.get('ldap_filter_basic'))
+ Setting().set('ldap_filter_group', request.form.get('ldap_filter_group'))
 Setting().set('ldap_filter_username', request.form.get('ldap_filter_username'))
+ Setting().set('ldap_filter_groupname', request.form.get('ldap_filter_groupname'))
 Setting().set('ldap_sg_enabled', True if request.form.get('ldap_sg_enabled')=='ON' else False)
 Setting().set('ldap_admin_group', request.form.get('ldap_admin_group'))
 Setting().set('ldap_operator_group', request.form.get('ldap_operator_group'))
From 66ff3426e035122cd943b370710cbf8af967399f Mon Sep 17 00:00:00 2001
From: "mathieu.brunot"
Date: Wed, 8 Jan 2020 23:23:40 +0100
Subject: [PATCH 3/5] :ok_hand: Update LDAP selection flip
Signed-off-by: mathieu.brunot
---
 .../admin_setting_authentication.html | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html
index ffc0726..7006bcc 100644
--- a/powerdnsadmin/templates/admin_setting_authentication.html
+++ b/powerdnsadmin/templates/admin_setting_authentication.html
@@ -17,9 +17,11 @@
 function ldapSelection() {
 if (document.getElementById('ldap').checked) {
 document.getElementById('ldap_openldap_fields').style.display = 'block';
+ document.getElementById('ldap_openldap_group_filters').style.display = 'block';
 document.getElementById('ldap_ad_fields').style.display = 'none';
 } else {
 document.getElementById('ldap_openldap_fields').style.display = 'none';
+ document.getElementById('ldap_openldap_group_filters').style.display = 'none';
 document.getElementById('ldap_ad_fields').style.display = 'block';
 }
 }
@@ -141,15 +143,17 @@ -
    - - - -
    -
    - - - +
    +
    + + + +
    +
    + + + +
    From 0ea188f8d6c5a0503d61d09ff91b26307ff0e254 Mon Sep 17 00:00:00 2001
From: "mathieu.brunot"
Date: Wed, 8 Jan 2020 23:31:51 +0100
Subject: [PATCH 4/5] :pencil2: Fix copy/paste error in div id
Signed-off-by: mathieu.brunot
---
 powerdnsadmin/templates/admin_setting_authentication.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html
index 7006bcc..50c00ef 100644
--- a/powerdnsadmin/templates/admin_setting_authentication.html
+++ b/powerdnsadmin/templates/admin_setting_authentication.html
@@ -143,7 +143,7 @@ -
    +
    From acef820c54017613aa79c1068b5c26882354bb98 Mon Sep 17 00:00:00 2001
From: "mathieu.brunot"
Date: Wed, 8 Jan 2020 23:40:14 +0100
Subject: [PATCH 5/5] :bug: Fix logger for LDAP group filter
Signed-off-by: mathieu.brunot
---
 powerdnsadmin/models/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/powerdnsadmin/models/user.py b/powerdnsadmin/models/user.py
index f061b7e..a0ef67d 100644
--- a/powerdnsadmin/models/user.py
+++ b/powerdnsadmin/models/user.py
@@ -272,7 +272,7 @@ class User(db.Model):
 try:
 if LDAP_TYPE == 'ldap':
 groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP)
- logging.info('groupSearchFilter is {0}'.format(groupSearchFilter))
+ current_app.logger.debug('Ldap groupSearchFilter {0}'.format(groupSearchFilter))
 if (self.ldap_search(groupSearchFilter, LDAP_ADMIN_GROUP)):
 role_name = 'Administrator'