diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..68dd932 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +version: 2 +updates: + - package-ecosystem: npm + directory: / + schedule: + interval: daily + ignore: + - dependency-name: "*" + update-types: [ "version-update:semver-major" ] + labels: feature / dependency + - package-ecosystem: pip + directory: / + schedule: + interval: daily + ignore: + - dependency-name: "*" + update-types: [ "version-update:semver-major" ] + labels: feature / dependency diff --git a/.github/labels.yml b/.github/labels.yml new file mode 100644 index 0000000..df15d03 --- /dev/null +++ b/.github/labels.yml @@ -0,0 +1,91 @@ +labels: + - name: bug / broken-feature + description: Existing feature malfunctioning or broken + color: 'd73a4a' + - name: bug / security-vulnerability + description: Security vulnerability identified with the application + color: 'd73a4a' + - name: docs / discussion + description: Documentation change proposals + color: '0075ca' + - name: docs / request + description: Documentation change request + color: '0075ca' + - name: feature / dependency + description: Existing feature dependency + color: '008672' + - name: feature / discussion + description: New or existing feature discussion + color: '008672' + - name: feature / request + description: New feature or enhancement request + color: '008672' + - name: help / deployment + description: Questions regarding application deployment + color: 'd876e3' + - name: help / features + description: Questions regarding the use of application features + color: 'd876e3' + - name: help / other + description: General questions not specific to application deployment or features + color: 'd876e3' + - name: mod / accepted + description: This request has been accepted + color: 'e5ef23' + - name: mod / announcement + description: This is an admin announcement + color: 'e5ef23' + - name: mod / changes-requested + description: Changes have been requested before proceeding + color: 'e5ef23' + - name: mod / duplicate + description: This issue or pull request already exists + color: 'e5ef23' + - name: mod / good-first-issue + description: Good for newcomers + color: 'e5ef23' + - name: mod / help-wanted + description: Extra attention is needed + color: 'e5ef23' + - name: mod / invalid + description: This doesn't seem right + color: 'e5ef23' + - name: mod / rejected + description: This request has been rejected + color: 'e5ef23' + - name: mod / reviewed + description: This request has been reviewed + color: 'e5ef23' + - name: mod / reviewing + description: This request is being reviewed + color: 'e5ef23' + - name: mod / stale + description: This request has gone stale + color: 'e5ef23' + - name: mod / tested + description: This has been tested + color: 'e5ef23' + - name: mod / testing + description: This is being tested + color: 'e5ef23' + - name: mod / wont-fix + description: This will not be worked on + color: 'e5ef23' + - name: skill / database + description: Requires a database skill-set + color: '5319E7' + - name: skill / docker + description: Requires a Docker skill-set + color: '5319E7' + - name: skill / documentation + description: Requires a documentation skill-set + color: '5319E7' + - name: skill / html + description: Requires a HTML skill-set + color: '5319E7' + - name: skill / javascript + description: Requires a JavaScript skill-set + color: '5319E7' + - name: skill / python + description: Requires a Python skill-set + color: '5319E7' \ No newline at end of file diff --git a/.github/stale.yml b/.github/stale.yml index a1b7aa1..0c0b1c3 100644 --- a/.github/stale.yml +++ b/.github/stale.yml @@ -5,11 +5,12 @@ daysUntilClose: 7 # Issues with these labels will never be considered stale exemptLabels: - pinned - - security - - enhancement - - feature request + - bug / broken-feature + - bug / security-vulnerability + - feature / request + - mod / help-wanted # Label to use when marking an issue as stale -staleLabel: wontfix +staleLabel: mod / stale # Comment to post when marking an issue as stale. Set to `false` to disable markComment: > This issue has been automatically marked as stale because it has not had diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 4b103f8..52649e6 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -1,4 +1,7 @@ +name: 'Docker Image' + on: + workflow_dispatch: push: branches: - 'master' @@ -7,45 +10,45 @@ on: jobs: build-and-push-docker-image: - name: Build Docker image and push to repositories + name: Build Docker Image runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Repository Checkout uses: actions/checkout@v2 - - name: Docker meta + - name: Docker Image Metadata id: meta uses: docker/metadata-action@v3 with: images: | - ngoduykhanh/powerdns-admin + powerdnsadmin/pda-legacy tags: | type=ref,event=tag type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - - name: Set up Docker Buildx + - name: Docker Buildx Setup id: buildx uses: docker/setup-buildx-action@v1 - - name: Login to DockerHub + - name: Docker Hub Authentication uses: docker/login-action@v1 with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + username: ${{ secrets.DOCKERHUB_USERNAME_V2 }} + password: ${{ secrets.DOCKERHUB_TOKEN_V2 }} - - name: Build latest image + - name: Docker Image Build uses: docker/build-push-action@v2 if: github.ref == 'refs/heads/master' with: context: ./ file: ./docker/Dockerfile push: true - tags: ngoduykhanh/powerdns-admin:latest + tags: powerdnsadmin/pda-legacy:latest - - name: Build release image + - name: Docker Image Release Tagging uses: docker/build-push-action@v2 if: ${{ startsWith(github.ref, 'refs/tags/v') }} with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..bba8c1f --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,73 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + workflow_dispatch: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '45 2 * * 2' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript', 'python' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 diff --git a/.gitignore b/.gitignore index 4a62dbb..539325f 100644 --- a/.gitignore +++ b/.gitignore @@ -38,5 +38,7 @@ node_modules powerdnsadmin/static/generated .webassets-cache .venv* +venv* .pytest_cache .DS_Store +yarn-error.log diff --git a/README.md b/README.md index bec39a5..ce12f62 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # PowerDNS-Admin A PowerDNS web interface with advanced features. -[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/ngoduykhanh/PowerDNS-Admin.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/ngoduykhanh/PowerDNS-Admin/context:python) -[![Language grade: JavaScript](https://img.shields.io/lgtm/grade/javascript/g/ngoduykhanh/PowerDNS-Admin.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/ngoduykhanh/PowerDNS-Admin/context:javascript) +[![CodeQL](https://github.com/PowerDNS-Admin/PowerDNS-Admin/actions/workflows/codeql-analysis.yml/badge.svg?branch=master)](https://github.com/PowerDNS-Admin/PowerDNS-Admin/actions/workflows/codeql-analysis.yml) +[![Docker Image](https://github.com/PowerDNS-Admin/PowerDNS-Admin/actions/workflows/build-and-publish.yml/badge.svg?branch=master)](https://github.com/PowerDNS-Admin/PowerDNS-Admin/actions/workflows/build-and-publish.yml) #### Features: - Multiple domain management @@ -21,11 +21,11 @@ A PowerDNS web interface with advanced features. ## Running PowerDNS-Admin There are several ways to run PowerDNS-Admin. The easiest way is to use Docker. -If you are looking to install and run PowerDNS-Admin directly onto your system check out the [Wiki](https://github.com/ngoduykhanh/PowerDNS-Admin/wiki#installation-guides) for ways to do that. +If you are looking to install and run PowerDNS-Admin directly onto your system check out the [Wiki](https://github.com/PowerDNS-Admin/PowerDNS-Admin/wiki#installation-guides) for ways to do that. ### Docker -This are two options to run PowerDNS-Admin using Docker. -To get started as quickly as possible try option 1. If you want to make modifications to the configuration option 2 may be cleaner. +Here are two options to run PowerDNS-Admin using Docker. +To get started as quickly as possible, try option 1. If you want to make modifications to the configuration option 2 may be cleaner. #### Option 1: From Docker Hub The easiest is to just run the latest Docker image from Docker Hub: @@ -34,14 +34,14 @@ $ docker run -d \ -e SECRET_KEY='a-very-secret-key' \ -v pda-data:/data \ -p 9191:80 \ - ngoduykhanh/powerdns-admin:latest + powerdnsadmin/pda-legacy:latest ``` This creates a volume called `pda-data` to persist the SQLite database with the configuration. #### Option 2: Using docker-compose 1. Update the configuration Edit the `docker-compose.yml` file to update the database connection string in `SQLALCHEMY_DATABASE_URI`. - Other environment variables are mentioned in the [legal_envvars](https://github.com/ngoduykhanh/PowerDNS-Admin/blob/master/configs/docker_config.py#L5-L46). + Other environment variables are mentioned in the [legal_envvars](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/configs/docker_config.py#L5-L46). To use the Docker secrets feature it is possible to append `_FILE` to the environment variables and point to a file with the values stored in it. Make sure to set the environment variable `SECRET_KEY` to a long random string (https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY) @@ -56,5 +56,5 @@ You can then access PowerDNS-Admin by pointing your browser to http://localhost: ![dashboard](https://user-images.githubusercontent.com/6447444/44068603-0d2d81f6-9fa5-11e8-83af-14e2ad79e370.png) ## LICENSE -MIT. See [LICENSE](https://github.com/ngoduykhanh/PowerDNS-Admin/blob/master/LICENSE) +MIT. See [LICENSE](https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/master/LICENSE) diff --git a/configs/development.py b/configs/development.py index 2c2e63d..d4bd24f 100644 --- a/configs/development.py +++ b/configs/development.py @@ -7,7 +7,6 @@ SALT = '$2b$12$yLUMTIfl21FKJQpTkRQXCu' SECRET_KEY = 'e951e5a1f4b94151b360f47edf596dd2' BIND_ADDRESS = '0.0.0.0' PORT = 9191 -OFFLINE_MODE = False ### DATABASE CONFIG SQLA_DB_USER = 'pda' @@ -113,6 +112,14 @@ SAML_ENABLED = False # ### the user is set as a non-administrator user. # #SAML_ATTRIBUTE_ADMIN = 'https://example.edu/pdns-admin' +## Attribute to get admin status for groups with the IdP +# ### Default: Don't set administrator group with SAML attributes +#SAML_GROUP_ADMIN_NAME = 'GroupName' + +## Attribute to get operator status for groups with the IdP +# ### Default: Don't set operator group with SAML attributes +#SAML_GROUP_OPERATOR_NAME = 'GroupName' + # ## Attribute to get account names from # ### Default: Don't control accounts with SAML attribute # ### If set, the user will be added and removed from accounts to match @@ -120,6 +127,16 @@ SAML_ENABLED = False # ### be created and the user added to them. # SAML_ATTRIBUTE_ACCOUNT = 'https://example.edu/pdns-account' +# ## Attribute name that aggregates group names +# ### Default: Don't collect IdP groups from SAML group attributes +# ### In Okta, you can assign administrators by group using "Group Attribute Statements." +# ### In this case, the SAML_ATTRIBUTE_GROUP will be the attribute name for a collection of +# ### groups passed in the SAML assertion. From there, you can specify a SAML_GROUP_ADMIN_NAME. +# ### If the user is a member of this group, and that group name is included in the collection, +# ### the user will be set as an administrator. +# #SAML_ATTRIBUTE_GROUP = 'https://example.edu/pdns-groups' +# #SAML_GROUP_ADMIN_NAME = 'PowerDNSAdmin-Administrators' + # SAML_SP_ENTITY_ID = 'http://' # SAML_SP_CONTACT_NAME = '' # SAML_SP_CONTACT_MAIL = '' @@ -133,8 +150,8 @@ SAML_ENABLED = False # CAUTION: For production use, usage of self-signed certificates it's highly discouraged. # Use certificates from trusted CA instead # ########################################################################################### -# SAML_CERT_FILE = '/etc/pki/powerdns-admin/cert.crt' -# SAML_CERT_KEY = '/etc/pki/powerdns-admin/key.pem' +# SAML_CERT = '/etc/pki/powerdns-admin/cert.crt' +# SAML_KEY = '/etc/pki/powerdns-admin/key.pem' # Configures if SAML tokens should be encrypted. # SAML_SIGN_REQUEST = False @@ -148,6 +165,10 @@ SAML_ENABLED = False # #SAML_ASSERTION_ENCRYPTED = True +# Some IdPs, like Okta, do not return Attribute Statements by default +# Set the following to False if you are using Okta and not manually configuring Attribute Statements +# #SAML_WANT_ATTRIBUTE_STATEMENT = True + # Remote authentication settings # Whether to enable remote user authentication or not diff --git a/configs/docker_config.py b/configs/docker_config.py index 6666fc2..1099a4a 100644 --- a/configs/docker_config.py +++ b/configs/docker_config.py @@ -2,6 +2,8 @@ BIND_ADDRESS = '0.0.0.0' PORT = 80 SQLALCHEMY_DATABASE_URI = 'sqlite:////data/powerdns-admin.db' +SESSION_COOKIE_SAMESITE = 'Lax' +CSRF_COOKIE_HTTPONLY = True legal_envvars = ( 'SECRET_KEY', @@ -48,7 +50,6 @@ legal_envvars = ( 'SAML_LOGOUT', 'SAML_LOGOUT_URL', 'SAML_ASSERTION_ENCRYPTED', - 'OFFLINE_MODE', 'REMOTE_USER_LOGOUT_URL', 'REMOTE_USER_COOKIES', 'SIGNUP_ENABLED', @@ -56,7 +57,9 @@ legal_envvars = ( 'LDAP_ENABLED', 'SAML_CERT', 'SAML_KEY', - 'FILESYSTEM_SESSIONS_ENABLED' + 'FILESYSTEM_SESSIONS_ENABLED', + 'SESSION_COOKIE_SECURE', + 'CSRF_COOKIE_SECURE', ) legal_envvars_int = ('PORT', 'MAIL_PORT', 'SAML_METADATA_CACHE_LIFETIME') @@ -73,12 +76,13 @@ legal_envvars_bool = ( 'SAML_WANT_MESSAGE_SIGNED', 'SAML_LOGOUT', 'SAML_ASSERTION_ENCRYPTED', - 'OFFLINE_MODE', 'REMOTE_USER_ENABLED', 'SIGNUP_ENABLED', 'LOCAL_DB_ENABLED', 'LDAP_ENABLED', - 'FILESYSTEM_SESSIONS_ENABLED' + 'FILESYSTEM_SESSIONS_ENABLED', + 'SESSION_COOKIE_SECURE', + 'CSRF_COOKIE_SECURE', ) # import everything from environment variables diff --git a/deploy/auto-setup/setup_linux.sh b/deploy/auto-setup/setup_linux.sh new file mode 100644 index 0000000..19cda58 --- /dev/null +++ b/deploy/auto-setup/setup_linux.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +# Create a new group for PowerDNS-Admin +groupadd powerdnsadmin + +# Create a user for PowerDNS-Admin +useradd --system -g powerdnsadmin powerdnsadmin + +# Make the new user and group the owners of the PowerDNS-Admin files +chown -R powerdnsadmin:powerdnsadmin /opt/web/powerdns-admin + +# Start the PowerDNS-Admin service +systemctl start powerdns-admin + +# Enable the PowerDNS-Admin service to start automatically at boot +systemctl enable powerdns-admin diff --git a/deploy/auto-setup/setup_win.bat b/deploy/auto-setup/setup_win.bat new file mode 100644 index 0000000..a5ee9fd --- /dev/null +++ b/deploy/auto-setup/setup_win.bat @@ -0,0 +1,16 @@ +@echo off + +rem Create a new group for PowerDNS-Admin +net localgroup powerdnsadmin /add + +rem Create a user for PowerDNS-Admin +net user powerdnsadmin /add /passwordchg:no /homedir:nul /active:yes /expires:never /passwordreq:no /s + +rem Make the new user and group the owners of the PowerDNS-Admin files +icacls "C:\path\to\powerdns-admin" /setowner "powerdnsadmin" + +rem Start the PowerDNS-Admin service +net start powerdns-admin + +rem Enable the PowerDNS-Admin service to start automatically at boot +sc config powerdns-admin start= auto diff --git a/deploy/docker/portainer.yaml b/deploy/docker/portainer.yaml new file mode 100644 index 0000000..84402ef --- /dev/null +++ b/deploy/docker/portainer.yaml @@ -0,0 +1,15 @@ +version: '3.3' +services: + + core: + image: powerdnsadmin/pda-legacy:latest + restart: unless-stopped + environment: + - SECRET_KEY=INSECURE-CHANGE-ME-9I0DAtfkfj5JmBkPSaHah3ECAa8Df5KK + ports: + - "12000:9191" + volumes: + - "core_data:/data" + +volumes: + core_data: diff --git a/deploy/kubernetes/README.md b/deploy/kubernetes/README.md new file mode 100644 index 0000000..f0394b0 --- /dev/null +++ b/deploy/kubernetes/README.md @@ -0,0 +1,2 @@ +# Kubernetes +Example and simplified deployment for kubernetes. diff --git a/deploy/kubernetes/configmap.yml b/deploy/kubernetes/configmap.yml new file mode 100644 index 0000000..4270db2 --- /dev/null +++ b/deploy/kubernetes/configmap.yml @@ -0,0 +1,8 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: powerdnsadmin-env +data: + FLASK_APP: powerdnsadmin/__init__.py + SECRET_KEY: changeme_secret + SQLALCHEMY_DATABASE_URI: 'mysql://user:password@host/database' diff --git a/deploy/kubernetes/deployment.yml b/deploy/kubernetes/deployment.yml new file mode 100644 index 0000000..d3e4cfe --- /dev/null +++ b/deploy/kubernetes/deployment.yml @@ -0,0 +1,29 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: powerdnsadmin + labels: + app: powerdnsadmin +spec: + strategy: + type: RollingUpdate + replicas: 1 + selector: + matchLabels: + app: powerdnsadmin + template: + metadata: + labels: + app: powerdnsadmin + spec: + containers: + - name: powerdnsadmin + image: powerdnsadmin/pda-legacy + ports: + - containerPort: 80 + protocol: TCP + envFrom: + - configMapRef: + name: powerdnsadmin-env + imagePullPolicy: Always + restartPolicy: Always \ No newline at end of file diff --git a/deploy/kubernetes/service.yml b/deploy/kubernetes/service.yml new file mode 100644 index 0000000..813b37b --- /dev/null +++ b/deploy/kubernetes/service.yml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: powerdnsadmin + namespace: powerdnsadmin + labels: + app: powerdnsadmin +spec: + ports: + - name: http + port: 80 + targetPort: 80 + selector: + app: powerdnsadmin + diff --git a/docker-compose.yml b/docker-compose.yml index e18d683..74ff185 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,7 +2,7 @@ version: "3" services: app: - image: ngoduykhanh/powerdns-admin:latest + image: powerdnsadmin/pda-legacy:latest container_name: powerdns_admin ports: - "9191:80" @@ -15,4 +15,3 @@ services: - GUNICORN_TIMEOUT=60 - GUNICORN_WORKERS=2 - GUNICORN_LOGLEVEL=DEBUG - - OFFLINE_MODE=False # True for offline, False for external resources diff --git a/docker/Dockerfile b/docker/Dockerfile index 5296e02..e9905d6 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,4 @@ -FROM alpine:3.13 AS builder -LABEL maintainer="k@ndk.name" +FROM alpine:3.17 AS builder ARG BUILD_DEPENDENCIES="build-base \ libffi-dev \ @@ -30,7 +29,7 @@ COPY ./requirements.txt /build/requirements.txt # Get application dependencies RUN pip install --upgrade pip && \ - pip install -r requirements.txt + pip install --use-pep517 -r requirements.txt # Add sources COPY . /build @@ -66,12 +65,12 @@ RUN mkdir -p /app && \ cp -r /build/configs/docker_config.py /app/configs # Build image -FROM alpine:3.13 +FROM alpine:3.17 ENV FLASK_APP=/app/powerdnsadmin/__init__.py \ USER=pda -RUN apk add --no-cache mariadb-connector-c postgresql-client py3-gunicorn py3-psycopg2 xmlsec tzdata libcap && \ +RUN apk add --no-cache mariadb-connector-c postgresql-client py3-gunicorn py3-pyldap py3-flask py3-psycopg2 xmlsec tzdata libcap && \ addgroup -S ${USER} && \ adduser -S -D -G ${USER} ${USER} && \ mkdir /data && \ @@ -80,7 +79,7 @@ RUN apk add --no-cache mariadb-connector-c postgresql-client py3-gunicorn py3-ps apk del libcap COPY --from=builder /usr/bin/flask /usr/bin/ -COPY --from=builder /usr/lib/python3.8/site-packages /usr/lib/python3.8/site-packages/ +COPY --from=builder /usr/lib/python3.10/site-packages /usr/lib/python3.10/site-packages/ COPY --from=builder --chown=root:${USER} /app /app/ COPY ./docker/entrypoint.sh /usr/bin/ diff --git a/docs/API.md b/docs/API.md index 890f556..7514d5c 100644 --- a/docs/API.md +++ b/docs/API.md @@ -11,6 +11,8 @@ #### Accessing the API +PDA has its own API, that should not be confused with the PowerDNS API. Keep in mind that you have to enable PowerDNS API with a key that will be used by PDA to manage it. Therefore, you should use PDA created keys to browse PDA's API, on PDA's adress and port. They don't grant access to PowerDNS' API. + The PDA API consists of two distinct parts: - The /powerdnsadmin endpoints manages PDA content (accounts, users, apikeys) and also allow domain creation/deletion @@ -18,7 +20,7 @@ The PDA API consists of two distinct parts: The requests to the API needs two headers: -- The classic 'Content-Type: application/json' is required to all POST and PUT requests, though it's armless to use it on each call +- The classic 'Content-Type: application/json' is required to all POST and PUT requests, though it's harmless to use it on each call - The authentication header to provide either the login:password basic authentication or the Api Key authentication. When you access the `/powerdnsadmin` endpoint, you must use the Basic Auth: diff --git a/docs/wiki/README.md b/docs/wiki/README.md new file mode 100644 index 0000000..62f1bf1 --- /dev/null +++ b/docs/wiki/README.md @@ -0,0 +1,46 @@ +# PowerDNS-Admin wiki + +## Database Setup guides + +- [MySQL / MariaDB](database-setup/Setup-MySQL-or-MariaDB.md) +- [PostgreSQL](database-setup/Setup-PostgreSQL.md) + +## Installation guides + +- [General (Read this first)](install/General.md) + - BSD: + - [Install on FreeBSD 12.1-RELEASE](install/Running-on-FreeBSD.md) + - Containers: + - [Install on Docker](install/Running-PowerDNS-Admin-on-Docker.md) + - Debian: + - [Install on Ubuntu or Debian](install/Running-PowerDNS-Admin-on-Ubuntu-or-Debian.md) + - Red-Hat: + - [Install on Centos 7](install/Running-PowerDNS-Admin-on-Centos-7.md) + - [Install on Fedora 23](install/Running-PowerDNS-Admin-on-Fedora-23.md) + - [Install on Fedora 30](install/Running-PowerDNS-Admin-on-Fedora-30.md) + +### Post install Setup + +- [Environment Variables](configuration/Environment-variables.md) +- [Getting started](configuration/Getting-started.md) +- SystemD: + - [Running PowerDNS-Admin as a service using Systemd](install/Running-PowerDNS-Admin-as-a-service-(Systemd).md) + +### Web Server configuration + +- [Supervisord](web-server/Supervisord-example.md) +- [Systemd](web-server/Systemd-example.md) +- [Systemd + Gunicorn + Nginx](web-server/Running-PowerDNS-Admin-with-Systemd-Gunicorn-and-Nginx.md) +- [Systemd + Gunicorn + Apache](web-server/Running-PowerDNS-Admin-with-Systemd,-Gunicorn-and-Apache.md) +- [uWSGI](web-server/uWSGI-example.md) +- [WSGI-Apache](web-server/WSGI-Apache-example.md) + +## Using PowerDNS-Admin + +- Setting up a domain +- Adding a record +- + +## Feature usage + +- [DynDNS2](features/DynDNS2.md) \ No newline at end of file diff --git a/docs/wiki/configuration/Configure-Active-Directory-Authentication-using-Group-Security.md b/docs/wiki/configuration/Configure-Active-Directory-Authentication-using-Group-Security.md new file mode 100644 index 0000000..417bdc3 --- /dev/null +++ b/docs/wiki/configuration/Configure-Active-Directory-Authentication-using-Group-Security.md @@ -0,0 +1,34 @@ +Active Directory Setup - Tested with Windows Server 2012 + +1) Login as an admin to PowerDNS Admin + +2) Go to Settings --> Authentication + +3) Under Authentication, select LDAP + +4) Click the Radio Button for Active Directory + +5) Fill in the required info - + +* LDAP URI - ldap://ip.of.your.domain.controller:389 +* LDAP Base DN - dc=youdomain,dc=com +* Active Directory domain - yourdomain.com +* Basic filter - (objectCategory=person) + * the brackets here are **very important** +* Username field - sAMAccountName +* GROUP SECURITY - Status - On +* Admin group - CN=Your_AD_Admin_Group,OU=Your_AD_OU,DC=yourdomain,DC=com +* Operator group - CN=Your_AD_Operator_Group,OU=Your_AD_OU,DC=yourdomain,DC=com +* User group - CN=Your_AD_User_Group,OU=Your_AD_OU,DC=yourdomain,DC=com + +6) Click Save + +7) Logout and re-login as an LDAP user from each of the above groups. + +If you're having problems getting the correct information for your groups, the following tool can be useful - + +https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer + +In our testing, groups with spaces in the name did not work, we had to create groups with underscores to get everything operational. + +YMMV diff --git a/docs/wiki/configuration/Environment-variables.md b/docs/wiki/configuration/Environment-variables.md new file mode 100644 index 0000000..3ee84c4 --- /dev/null +++ b/docs/wiki/configuration/Environment-variables.md @@ -0,0 +1,61 @@ +# Supported environment variables + +| Variable | Description | Required | Default value | +| ---------| ----------- | -------- | ------------- | +| BIND_ADDRESS | +| CSRF_COOKIE_SECURE | +| FILESYSTEM_SESSIONS_ENABLED | +| LDAP_ENABLED | +| LOCAL_DB_ENABLED | +| LOG_LEVEL | +| MAIL_DEBUG | +| MAIL_DEFAULT_SENDER | +| MAIL_PASSWORD | +| MAIL_PORT | +| MAIL_SERVER | +| MAIL_USERNAME | +| MAIL_USE_SSL | +| MAIL_USE_TLS | +| OFFLINE_MODE | +| OIDC_OAUTH_API_URL | | | | +| OIDC_OAUTH_AUTHORIZE_URL | +| OIDC_OAUTH_TOKEN_URL | | | | +| PORT | +| REMOTE_USER_COOKIES | +| REMOTE_USER_LOGOUT_URL | +| SALT | +| SAML_ASSERTION_ENCRYPTED | +| SAML_ATTRIBUTE_ACCOUNT | +| SAML_ATTRIBUTE_ADMIN | +| SAML_ATTRIBUTE_EMAIL | +| SAML_ATTRIBUTE_GIVENNAME | +| SAML_ATTRIBUTE_GROUP | +| SAML_ATTRIBUTE_NAME | +| SAML_ATTRIBUTE_SURNAME | +| SAML_ATTRIBUTE_USERNAME | +| SAML_CERT | +| SAML_DEBUG | +| SAML_ENABLED | +| SAML_GROUP_ADMIN_NAME | +| SAML_GROUP_TO_ACCOUNT_MAPPING | +| SAML_IDP_SSO_BINDING | +| SAML_IDP_ENTITY_ID | +| SAML_KEY | +| SAML_LOGOUT | +| SAML_LOGOUT_URL | +| SAML_METADATA_CACHE_LIFETIME | +| SAML_METADATA_URL | +| SAML_NAMEID_FORMAT | +| SAML_PATH | +| SAML_SIGN_REQUEST | +| SAML_SP_CONTACT_MAIL | +| SAML_SP_CONTACT_NAME | +| SAML_SP_ENTITY_ID | +| SAML_WANT_MESSAGE_SIGNED | +| SECRET_KEY | Flask secret key [^1] | Y | no default | +| SESSION_COOKIE_SECURE | +| SIGNUP_ENABLED | +| SQLALCHEMY_DATABASE_URI | SQL Alchemy URI to connect to database | N | no default | +| SQLALCHEMY_TRACK_MODIFICATIONS | + +[^1]: Flask secret key (see https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY for how to generate) diff --git a/docs/wiki/configuration/Getting-started.md b/docs/wiki/configuration/Getting-started.md new file mode 100644 index 0000000..ce72234 --- /dev/null +++ b/docs/wiki/configuration/Getting-started.md @@ -0,0 +1,16 @@ +# Getting started with PowerDNS-Admin + + +In your FLASK_CONF (check the installation directions for where yours is) file, make sure you have the database URI filled in (in some previous documentation this was called config.py): + +For MySQL / MariaDB: +``` +SQLALCHEMY_DATABASE_URI = 'mysql://username:password@127.0.0.1/db_name' +``` + +For Postgres: +``` +SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin:powerdnsadmin@127.0.0.1/powerdnsadmindb' +``` + +Open your web browser and go to `http://localhost:9191` to visit PowerDNS-Admin web interface. Register a user. The first user will be in the Administrator role. diff --git a/docs/wiki/database-setup/README.md b/docs/wiki/database-setup/README.md new file mode 100644 index 0000000..e4e4d01 --- /dev/null +++ b/docs/wiki/database-setup/README.md @@ -0,0 +1,4 @@ +# Database setup guides + +- [MySQL / MariaDB](Setup-MySQL-or-MariaDB.md) +- [PostgreSQL](Setup-PostgreSQL.md) diff --git a/docs/wiki/database-setup/Setup-MySQL-or-MariaDB.md b/docs/wiki/database-setup/Setup-MySQL-or-MariaDB.md new file mode 100644 index 0000000..5242b69 --- /dev/null +++ b/docs/wiki/database-setup/Setup-MySQL-or-MariaDB.md @@ -0,0 +1,56 @@ +# Setup MySQL database for PowerDNS-Admin + +This guide will show you how to prepare a MySQL or MariaDB database for PowerDNS-Admin. + +We assume the database is installed per your platform's directions (apt, yum, etc). Directions to do this can be found below: +- MariaDB: + - https://mariadb.com/kb/en/getting-installing-and-upgrading-mariadb/ + - https://www.digitalocean.com/community/tutorials/how-to-install-mariadb-on-ubuntu-20-04 +- MySQL: + - https://dev.mysql.com/downloads/mysql/ + - https://www.digitalocean.com/community/tutorials/how-to-install-mysql-on-ubuntu-20-04 + +The following directions assume a default configuration and for productions setups `mysql_secure_installation` has been run. + +## Setup database: + +Connect to the database (Usually using `mysql -u root -p` if a password has been set on the root database user or `sudo mysql` if not), then enter the following: +``` +CREATE DATABASE `powerdnsadmin` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; +GRANT ALL PRIVILEGES ON `powerdnsadmin`.* TO 'pdnsadminuser'@'localhost' IDENTIFIED BY 'YOUR_PASSWORD_HERE'; +FLUSH PRIVILEGES; +``` +- If your database server is located on a different machine then change 'localhost' to '%' +- Replace YOUR_PASSWORD_HERE with a secure password. + +Once there are no errors you can type `quit` in the mysql shell to exit from it. + +## Install required packages: +### Red-hat based systems: +``` +yum install MariaDB-shared mariadb-devel mysql-community-devel +``` + +### Debian based systems: +``` +apt install libmysqlclient-dev +``` + +### Install python packages: +``` +pip3 install mysqlclient==2.0.1 +``` + +## Known issues: + +Problem: If you plan to manage large zones, you may encounter some issues while applying changes. This is due to PowerDNS-Admin trying to insert the entire modified zone into the column history.detail. + +Using MySQL/MariaDB, this column is created by default as TEXT and thus limited to 65,535 characters. + +Solution: Convert the column to MEDIUMTEXT: +1. Connect to the database shell as described in the setup database section: +2. Execute the following commands: + ``` + USE powerdnsadmin; + ALTER TABLE history MODIFY detail MEDIUMTEXT; + ``` diff --git a/docs/wiki/database-setup/Setup-PostgreSQL.md b/docs/wiki/database-setup/Setup-PostgreSQL.md new file mode 100644 index 0000000..a6e3364 --- /dev/null +++ b/docs/wiki/database-setup/Setup-PostgreSQL.md @@ -0,0 +1,84 @@ +# Setup Postgres database for PowerDNS-Admin + +This guide will show you how to prepare a PostgreSQL database for PowerDNS-Admin. + +We assume the database is installed per your platform's directions (apt, yum, etc). Directions to do this can be found below: + +- https://www.postgresql.org/download/ +- https://www.digitalocean.com/community/tutorials/how-to-install-postgresql-on-ubuntu-22-04-quickstart + +We assume a default configuration and only the postgres user existing. + +## Setup database +The below will create a database called powerdnsadmindb and a user of powerdnsadmin. + +``` +$ sudo su - postgres +$ createuser powerdnsadmin +$ createdb powerdnsadmindb +$ psql +postgres=# alter user powerdnsadmin with encrypted password 'powerdnsadmin'; +postgres=# grant all privileges on database powerdnsadmindb to powerdnsadmin; +``` + +Note: +- Please change the information above (db, user, password) to fit your setup. + +### Setup Remote access to database: +If your database is on a different server postgres does not allow remote connections by default. + +To change this follow the below directions: +``` +[root@host ~]$ sudo su - postgres +# Edit /var/lib/pgsql/data/postgresql.conf +# Change the following line: +listen_addresses = 'localhost' +# to: +listen_addresses = '*' +# Edit /var/lib/pgsql/data/pg_hba.conf +# Add the following lines to the end of the +host all all 0.0.0.0/0 md5 +host all all ::/0 md5 + +[postgres@host ~]$ exit +[root@host ~]$ sudo systemctl restart postgresql +``` + +On debian based systems these files are located in: +``` +/etc/postgresql//main/ +``` + +## Install required packages: +### Red-hat based systems: +``` +sudo yum install postgresql-libs +``` + +### Debian based systems: +``` +apt install libpq-dev python-dev +``` + +### Install python packages: +``` +pip3 install psycopg2 +``` + +## Known Issues: + +** To fill in ** + + +## Docker (TODO: to move to docker docs) +TODO: Setup a local Docker postgres database ready to go (should probably move to the top). +``` +docker run --name pdnsadmin-test -e BIND_ADDRESS=0.0.0.0 +-e SECRET_KEY='a-very-secret-key' +-e PORT='9191' +-e SQLA_DB_USER='powerdns_admin_user' +-e SQLA_DB_PASSWORD='exceptionallysecure' +-e SQLA_DB_HOST='192.168.0.100' +-e SQLA_DB_NAME='powerdns_admin_test' +-v /data/node_modules:/var/www/powerdns-admin/node_modules -d -p 9191:9191 ixpict/powerdns-admin-pgsql:latest +``` diff --git a/docs/wiki/features/DynDNS2.md b/docs/wiki/features/DynDNS2.md new file mode 100644 index 0000000..b599727 --- /dev/null +++ b/docs/wiki/features/DynDNS2.md @@ -0,0 +1,16 @@ +Usage: +IPv4: http://user:pass@yournameserver.yoursite.tld/nic/update?hostname=record.domain.tld&myip=127.0.0.1 +IPv6: http://user:pass@yournameserver.yoursite.tld/nic/update?hostname=record.domain.tld&myip=::1 +Multiple IPs: http://user:pass@yournameserver.yoursite.tld/nic/update?hostname=record.domain.tld&myip=127.0.0.1,127.0.0.2,::1,::2 + +Notes: +- user needs to be a LOCAL user, not LDAP etc +- user must have already logged-in +- user needs to be added to Domain Access Control list of domain.tld - admin status (manage all) does not suffice +- record has to exist already - unless on-demand creation is allowed +- ipv4 address in myip field will change A record +- ipv6 address in myip field will change AAAA record +- use commas to separate multiple IP addresses in the myip field, mixing v4 & v6 is allowed + +DynDNS also works without authentication header (user:pass@) when already authenticated via session cookie from /login, even with external auth like LDAP. +However Domain Access Control restriction still applies. \ No newline at end of file diff --git a/docs/wiki/images/readme_screenshots/fullscreen-dashboard.png b/docs/wiki/images/readme_screenshots/fullscreen-dashboard.png new file mode 100644 index 0000000..828fc48 Binary files /dev/null and b/docs/wiki/images/readme_screenshots/fullscreen-dashboard.png differ diff --git a/docs/wiki/images/readme_screenshots/fullscreen-domaincreate.png b/docs/wiki/images/readme_screenshots/fullscreen-domaincreate.png new file mode 100644 index 0000000..ceb2d00 Binary files /dev/null and b/docs/wiki/images/readme_screenshots/fullscreen-domaincreate.png differ diff --git a/docs/wiki/images/readme_screenshots/fullscreen-domainmanage.png b/docs/wiki/images/readme_screenshots/fullscreen-domainmanage.png new file mode 100644 index 0000000..998bf9e Binary files /dev/null and b/docs/wiki/images/readme_screenshots/fullscreen-domainmanage.png differ diff --git a/docs/wiki/images/readme_screenshots/fullscreen-login.png b/docs/wiki/images/readme_screenshots/fullscreen-login.png new file mode 100644 index 0000000..4d95472 Binary files /dev/null and b/docs/wiki/images/readme_screenshots/fullscreen-login.png differ diff --git a/docs/wiki/images/webui/create.jpg b/docs/wiki/images/webui/create.jpg new file mode 100644 index 0000000..3707735 Binary files /dev/null and b/docs/wiki/images/webui/create.jpg differ diff --git a/docs/wiki/images/webui/index.jpg b/docs/wiki/images/webui/index.jpg new file mode 100644 index 0000000..33f0ded Binary files /dev/null and b/docs/wiki/images/webui/index.jpg differ diff --git a/docs/wiki/images/webui/login.jpg b/docs/wiki/images/webui/login.jpg new file mode 100644 index 0000000..08bb3c1 Binary files /dev/null and b/docs/wiki/images/webui/login.jpg differ diff --git a/docs/wiki/install/Architecture.png b/docs/wiki/install/Architecture.png new file mode 100644 index 0000000..04440be Binary files /dev/null and b/docs/wiki/install/Architecture.png differ diff --git a/docs/wiki/install/General.md b/docs/wiki/install/General.md new file mode 100644 index 0000000..f0823c8 --- /dev/null +++ b/docs/wiki/install/General.md @@ -0,0 +1,32 @@ +# General installation + +## PowerDNS-Admin Architecture + +![PowerDNS-Admin Component Layout](Architecture.png) + +A PowerDNS-Admin installation includes four main components: +- PowerDNS-Admin Database +- PowerDNS-Admin Application Server +- PowerDNS-Admin Frontend Web server +- PowerDNS server that + +All 3 components can be installed on one server or if your installation is large enough or for security reasons can be split across multiple servers. + +## Requirements for PowerDNS-Admin: +- A linux based system. Others (Arch-based for example) may work but are currently not tested. + - Ubuntu versions tested: + - To fill in + - Red hat versions tested: + - To fill in + - Python versions tested: + - 3.6 + - 3.7 + - 3.8 + - 3.9 + - 3.10 + - 3.11 - Failing due to issue with python3-saml later than 1.12.0 +- A database for PowerDNS-Admin, if you are using a database for PowerDNS itself this must be separate to that database. The currently supported databases are: + - MySQL + - PostgreSQL + - SQLite +- A PowerDNS server that PowerDNS-Admin will manage. diff --git a/docs/wiki/install/Running-PowerDNS-Admin-as-a-service-(Systemd).md b/docs/wiki/install/Running-PowerDNS-Admin-as-a-service-(Systemd).md new file mode 100644 index 0000000..f693736 --- /dev/null +++ b/docs/wiki/install/Running-PowerDNS-Admin-as-a-service-(Systemd).md @@ -0,0 +1,72 @@ +*** +**WARNING** +This just uses the development server for testing purposes. For production environments you should probably go with a more robust solution, like [gunicorn](web-server/Running-PowerDNS-Admin-with-Systemd,-Gunicorn--and--Nginx.md) or a WSGI server. +*** + +### Following example shows a systemd unit file that can run PowerDNS-Admin + +You shouldn't run PowerDNS-Admin as _root_, so let's start of with the user/group creation that will later run PowerDNS-Admin: + +Create a new group for PowerDNS-Admin: + +> sudo groupadd powerdnsadmin + +Create a user for PowerDNS-Admin: + +> sudo useradd --system -g powerdnsadmin powerdnsadmin + +_`--system` creates a user without login-shell and password, suitable for running system services._ + +Create new systemd service file: + +> sudo vim /etc/systemd/system/powerdns-admin.service + +General example: +``` +[Unit] +Description=PowerDNS-Admin +After=network.target + +[Service] +Type=simple +User=powerdnsadmin +Group=powerdnsadmin +ExecStart=/opt/web/powerdns-admin/flask/bin/python ./run.py +WorkingDirectory=/opt/web/powerdns-admin +Restart=always + +[Install] +WantedBy=multi-user.target +``` + +Debian example: +``` +[Unit] +Description=PowerDNS-Admin +After=network.target + +[Service] +Type=simple +User=powerdnsadmin +Group=powerdnsadmin +Environment=PATH=/opt/web/powerdns-admin/flask/bin +ExecStart=/opt/web/powerdns-admin/flask/bin/python /opt/web/powerdns-admin/run.py +WorkingDirectory=/opt/web/powerdns-admin +Restart=always + +[Install] +WantedBy=multi-user.target +``` +Before starting the service, we need to make sure that the new user can work on the files in the PowerDNS-Admin folder: +> chown -R powerdnsadmin:powerdnsadmin /opt/web/powerdns-admin + +After saving the file, we need to reload the systemd daemon: +> sudo systemctl daemon-reload + +We can now try to start the service: +> sudo systemctl start powerdns-admin + +If you would like to start PowerDNS-Admin automagically at startup enable the service: +> systemctl enable powerdns-admin + +Should the service not be up by now, consult your syslog. Generally this will be a file permission issue, or python not finding it's modules. See the Debian unit example to see how you can use systemd in a python `virtualenv` \ No newline at end of file diff --git a/docs/wiki/install/Running-PowerDNS-Admin-on-Centos-7.md b/docs/wiki/install/Running-PowerDNS-Admin-on-Centos-7.md new file mode 100644 index 0000000..cee272c --- /dev/null +++ b/docs/wiki/install/Running-PowerDNS-Admin-on-Centos-7.md @@ -0,0 +1,83 @@ +# Installing PowerDNS-Admin on CentOS 7 + +``` +NOTE: If you are logged in as User and not root, add "sudo", or get root by sudo -i. +``` + +## Install required packages: +### Install needed repositories: + +``` +yum install epel-release +yum install https://repo.ius.io/ius-release-el7.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm +``` + +### Install Python 3.6 and tools: +First remove python 3.4 if installed +``` +yum remove python34* +yum autoremove +``` + +``` +yum install python3 python3-devel python3-pip +pip3.6 install -U pip +pip install -U virtualenv +``` + +### Install required packages for building python libraries from requirements.txt file: +``` +yum install gcc openldap-devel xmlsec1-devel xmlsec1-openssl libtool-ltdl-devel +``` + +### Install yarn to build asset files + Nodejs 14: +``` +curl -sL https://rpm.nodesource.com/setup_14.x | bash - +curl -sL https://dl.yarnpkg.com/rpm/yarn.repo -o /etc/yum.repos.d/yarn.repo +yum install yarn +``` + +### Checkout source code and create virtualenv: +NOTE: Please adjust `/opt/web/powerdns-admin` to your local web application directory + +``` +git clone https://github.com/PowerDNS-Admin/PowerDNS-Admin.git /opt/web/powerdns-admin +cd /opt/web/powerdns-admin +virtualenv -p python3 flask +``` + +Activate your python3 environment and install libraries: +``` +. ./flask/bin/activate +pip install python-dotenv +pip install -r requirements.txt +``` + +## Running PowerDNS-Admin: +NOTE: The default config file is located at `./powerdnsadmin/default_config.py`. If you want to load another one, please set the `FLASK_CONF` environment variable. E.g. +```bash +export FLASK_CONF=../configs/development.py +``` + +### Create the database schema: +``` +export FLASK_APP=powerdnsadmin/__init__.py +flask db upgrade +``` + +**Also, we should generate asset files:** +``` +yarn install --pure-lockfile +flask assets build +``` + +**Now you can run PowerDNS-Admin by command:** +``` +./run.py +``` + +Open your web browser and access to `http://localhost:9191` to visit PowerDNS-Admin web interface. Register an user. The first user will be in Administrator role. + +At the first time you login into the PDA UI, you will be redirected to setting page to configure the PDNS API information. + +_**Note:**_ For production environment, i would recommend you to run PowerDNS-Admin with gunicorn or uwsgi instead of flask's built-in web server, take a look at WIKI page to see how to configure them. diff --git a/docs/wiki/install/Running-PowerDNS-Admin-on-Docker.md b/docs/wiki/install/Running-PowerDNS-Admin-on-Docker.md new file mode 100644 index 0000000..1e3ef50 --- /dev/null +++ b/docs/wiki/install/Running-PowerDNS-Admin-on-Docker.md @@ -0,0 +1,14 @@ +# Installation on docker + +The Docker image is powerdnsadmin/pda-legacy available on [DockerHub](https://hub.docker.com/r/powerdnsadmin/pda-legacy) + +The supported environment variables to configure the container are located [here](../configuration/Environment-variables.md). + +You can run the container and expose the web server on port 9191 using: +```bash +docker run -d \ + -e SECRET_KEY='a-very-secret-key' \ + -v pda-data:/data \ + -p 9191:80 \ + powerdnsadmin/pda-legacy:latest +``` diff --git a/docs/wiki/install/Running-PowerDNS-Admin-on-Fedora-23.md b/docs/wiki/install/Running-PowerDNS-Admin-on-Fedora-23.md new file mode 100644 index 0000000..ca84460 --- /dev/null +++ b/docs/wiki/install/Running-PowerDNS-Admin-on-Fedora-23.md @@ -0,0 +1 @@ +Please refer to CentOS guide: [Running-PowerDNS-Admin-on-Centos-7](Running-PowerDNS-Admin-on-Centos-7.md) \ No newline at end of file diff --git a/docs/wiki/install/Running-PowerDNS-Admin-on-Fedora-30.md b/docs/wiki/install/Running-PowerDNS-Admin-on-Fedora-30.md new file mode 100644 index 0000000..53f1c7c --- /dev/null +++ b/docs/wiki/install/Running-PowerDNS-Admin-on-Fedora-30.md @@ -0,0 +1,82 @@ +``` +NOTE: If you are logged in as User and not root, add "sudo", or get root by sudo -i. + Normally under centos you are anyway mostly root. +``` +
+ +## Install required packages + +**Install Python and requirements** +```bash +dnf install python37 python3-devel python3-pip +``` +**Install Backend and Environment prerequisites** +```bash +dnf install mariadb-devel mariadb-common openldap-devel xmlsec1-devel xmlsec1-openssl libtool-ltdl-devel +``` +**Install Development tools** +```bash +dnf install gcc gc make +``` +**Install PIP** +```bash +pip3.7 install -U pip +``` +**Install Virtual Environment** +```bash +pip install -U virtualenv +``` +**Install Yarn for building NodeJS asset files:** +```bash +dnf install npm +npm install yarn -g +``` + +## Clone the PowerDNS-Admin repository to the installation path: +```bash +cd /opt/web/ +git clone https://github.com/PowerDNS-Admin/PowerDNS-Admin.git powerdns-admin +``` + +**Prepare the Virtual Environment:** +```bash +cd /opt/web/powerdns-admin +virtualenv -p python3 flask +``` +**Activate the Python Environment and install libraries** +```bash +. ./flask/bin/activate +pip install python-dotenv +pip install -r requirements.txt +``` + +## Running PowerDNS-Admin + +NOTE: The default config file is located at `./powerdnsadmin/default_config.py`. If you want to load another one, please set the `FLASK_CONF` environment variable. E.g. +```bash +export FLASK_CONF=../configs/development.py +``` + +**Then create the database schema by running:** +``` +(flask) [khanh@localhost powerdns-admin] export FLASK_APP=powerdnsadmin/__init__.py +(flask) [khanh@localhost powerdns-admin] flask db upgrade +``` + +**Also, we should generate asset files:** +``` +(flask) [khanh@localhost powerdns-admin] yarn install --pure-lockfile +(flask) [khanh@localhost powerdns-admin] flask assets build +``` + +**Now you can run PowerDNS-Admin by command:** +``` +(flask) [khanh@localhost powerdns-admin] ./run.py +``` + +Open your web browser and access to `http://localhost:9191` to visit PowerDNS-Admin web interface. Register an user. The first user will be in Administrator role. + +At the first time you login into the PDA UI, you will be redirected to setting page to configure the PDNS API information. + +_**Note:**_ For production environment, i recommend to run PowerDNS-Admin with WSGI over Apache instead of flask's built-in web server... + Take a look at [WSGI Apache Example](web-server/WSGI-Apache-example#fedora) WIKI page to see how to configure it. \ No newline at end of file diff --git a/docs/wiki/install/Running-PowerDNS-Admin-on-Ubuntu-or-Debian.md b/docs/wiki/install/Running-PowerDNS-Admin-on-Ubuntu-or-Debian.md new file mode 100644 index 0000000..d3bc834 --- /dev/null +++ b/docs/wiki/install/Running-PowerDNS-Admin-on-Ubuntu-or-Debian.md @@ -0,0 +1,79 @@ +# Installing PowerDNS-Admin on Ubuntu or Debian based systems + +First setup your database accordingly: +[Database Setup](../database-setup/README.md) + +## Install required packages: + +### Install required packages for building python libraries from requirements.txt file + +```bash +sudo apt install -y python3-dev git libsasl2-dev libldap2-dev libssl-dev libxml2-dev libxslt1-dev libxmlsec1-dev libffi-dev pkg-config apt-transport-https virtualenv build-essential curl +``` + +### Install NodeJs + +```bash +curl -sL https://deb.nodesource.com/setup_14.x | bash - +apt install -y nodejs +``` + +### Install yarn to build asset files + +```bash +sudo curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - +echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list +sudo apt update -y +sudo apt install -y yarn +``` + +### Checkout source code and create virtualenv +_**Note:**_ Please adjust `/opt/web/powerdns-admin` to your local web application directory + +```bash +git clone https://github.com/PowerDNS-Admin/PowerDNS-Admin.git /opt/web/powerdns-admin +cd /opt/web/powerdns-admin +python3 -mvenv ./venv +``` + +Activate your python3 environment and install libraries: + +```bash +source ./venv/bin/activate +pip install --upgrade pip +pip install -r requirements.txt +``` +## Running PowerDNS-Admin + +Create PowerDNS-Admin config file and make the changes necessary for your use case. Make sure to change `SECRET_KEY` to a long random string that you generated yourself ([see Flask docs](https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY)), do not use the pre-defined one. E.g.: + +```bash +cp /opt/web/powerdns-admin/configs/development.py /opt/web/powerdns-admin/configs/production.py +vim /opt/web/powerdns-admin/configs/production.py +export FLASK_CONF=../configs/production.py +``` + +Do the DB migration + +```bash +export FLASK_APP=powerdnsadmin/__init__.py +flask db upgrade +``` + +Then generate asset files + +```bash +yarn install --pure-lockfile +flask assets build +``` + +Now you can run PowerDNS-Admin by command + +```bash +./run.py +``` + +This is good for testing, but for production usage, you should use gunicorn or uwsgi. See [Running PowerDNS Admin with Systemd, Gunicorn and Nginx](../web-server/Running-PowerDNS-Admin-with-Systemd-Gunicorn-and-Nginx.md) for instructions. + + +From here you can now follow the [Getting started guide](../configuration/Getting-started.md). diff --git a/docs/wiki/install/Running-on-FreeBSD.md b/docs/wiki/install/Running-on-FreeBSD.md new file mode 100644 index 0000000..b37e9c3 --- /dev/null +++ b/docs/wiki/install/Running-on-FreeBSD.md @@ -0,0 +1,102 @@ +On [FreeBSD](https://www.freebsd.org/), most software is installed using `pkg`. You can always build from source with the Ports system. This method uses as many binary ports as possible, and builds some python packages from source. It installs all the required runtimes in the global system (e.g., python, node, yarn) and then builds a virtual python environment in `/opt/python`. Likewise, it installs powerdns-admin in `/opt/powerdns-admin`. + +### Build an area to host files + +```bash +mkdir -p /opt/python +``` + +### Install prerequisite runtimes: python, node, yarn + +```bash +sudo pkg install git python3 curl node12 yarn-node12 +sudo pkg install libxml2 libxslt pkgconf py37-xmlsec py37-cffi py37-ldap +``` + +## Check Out Source Code +_**Note:**_ Please adjust `/opt/powerdns-admin` to your local web application directory + +```bash +git clone https://github.com/PowerDNS-Admin/PowerDNS-Admin.git /opt/powerdns-admin +cd /opt/powerdns-admin +``` + +## Make Virtual Python Environment + +Make a virtual environment for python. Activate your python3 environment and install libraries. It's easier to install some python libraries as system packages, so we add the `--system-site-packages` option to pull those in. + +> Note: I couldn't get `python-ldap` to install correctly, and I don't need it. I commented out the `python-ldap` line in `requirements.txt` and it all built and installed correctly. If you don't intend to use LDAP authentication, you'll be fine. If you need LDAP authentication, it probably won't work. + +```bash +python3 -m venv /web/python --system-site-packages +source /web/python/bin/activate +/web/python/bin/python3 -m pip install --upgrade pip wheel +# this command comments out python-ldap +perl -pi -e 's,^python-ldap,\# python-ldap,' requirements.txt +pip3 install -r requirements.txt +``` + +## Configuring PowerDNS-Admin + +NOTE: The default config file is located at `./powerdnsadmin/default_config.py`. If you want to load another one, please set the `FLASK_CONF` environment variable. E.g. +```bash +cp configs/development.py /opt/powerdns-admin/production.py +export FLASK_CONF=/opt/powerdns-admin/production.py +``` + +### Update the Flask config + +Edit your flask python configuration. Insert values for the database server, user name, password, etc. + +```bash +vim $FLASK_CONF +``` + +Edit the values below to something sensible +```python +### BASIC APP CONFIG +SALT = '[something]' +SECRET_KEY = '[something]' +BIND_ADDRESS = '0.0.0.0' +PORT = 9191 +OFFLINE_MODE = False + +### DATABASE CONFIG +SQLA_DB_USER = 'pda' +SQLA_DB_PASSWORD = 'changeme' +SQLA_DB_HOST = '127.0.0.1' +SQLA_DB_NAME = 'pda' +SQLALCHEMY_TRACK_MODIFICATIONS = True +``` + +Be sure to uncomment one of the lines like `SQLALCHEMY_DATABASE_URI`. + +### Initialise the database + +```bash +export FLASK_APP=powerdnsadmin/__init__.py +flask db upgrade +``` + +### Build web assets + +```bash +yarn install --pure-lockfile +flask assets build +``` + +## Running PowerDNS-Admin + +Now you can run PowerDNS-Admin by command + +```bash +./run.py +``` + +Open your web browser and go to `http://localhost:9191` to visit PowerDNS-Admin web interface. Register a user. The first user will be in the Administrator role. + +### Running at startup + +This is good for testing, but for production usage, you should use gunicorn or uwsgi. See [Running PowerDNS Admin with Systemd, Gunicorn and Nginx](../web-server/Running-PowerDNS-Admin-with-Systemd,-Gunicorn--and--Nginx.md) for instructions. + +The right approach long-term is to create a startup script in `/usr/local/etc/rc.d` and enable it through `/etc/rc.conf`. \ No newline at end of file diff --git a/docs/wiki/web-server/Running-PowerDNS-Admin-with-Systemd,-Gunicorn-and-Apache.md b/docs/wiki/web-server/Running-PowerDNS-Admin-with-Systemd,-Gunicorn-and-Apache.md new file mode 100644 index 0000000..a2d4fa2 --- /dev/null +++ b/docs/wiki/web-server/Running-PowerDNS-Admin-with-Systemd,-Gunicorn-and-Apache.md @@ -0,0 +1,97 @@ +Following is an example showing how to run PowerDNS-Admin with systemd, gunicorn and Apache: + +The systemd and gunicorn setup are the same as for with nginx. This set of configurations assumes you have installed your PowerDNS-Admin under /opt/powerdns-admin and are running with a package-installed gunicorn. + +## Configure systemd service + +`$ sudo vim /etc/systemd/system/powerdns-admin.service` + +``` +[Unit] +Description=PowerDNS web administration service +Requires=powerdns-admin.socket +Wants=network.target +After=network.target mysqld.service postgresql.service slapd.service mariadb.service + +[Service] +PIDFile=/run/powerdns-admin/pid +User=pdnsa +Group=pdnsa +WorkingDirectory=/opt/powerdns-admin +ExecStart=/usr/bin/gunicorn-3.6 --workers 4 --log-level info --pid /run/powerdns-admin/pid --bind unix:/run/powerdns-admin/socket "powerdnsadmin:create_app(config='config.py')" +ExecReload=/bin/kill -s HUP $MAINPID +ExecStop=/bin/kill -s TERM $MAINPID +PrivateTmp=true +Restart=on-failure +RestartSec=10 +StartLimitInterval=0 + +[Install] +WantedBy=multi-user.target +``` + +`$ sudo vim /etc/systemd/system/powerdns-admin.socket` + +``` +[Unit] +Description=PowerDNS-Admin socket + +[Socket] +ListenStream=/run/powerdns-admin/socket + +[Install] +WantedBy=sockets.target +``` + +`$ sudo vim /etc/tmpfiles.d/powerdns-admin.conf` + +``` +d /run/powerdns-admin 0755 pdnsa pdnsa - +``` + +Then `sudo systemctl daemon-reload; sudo systemctl start powerdns-admin.socket; sudo systemctl enable powerdns-admin.socket` to start the Powerdns-Admin service and make it run on boot. + +## Sample Apache configuration + +This includes SSL redirect. + +``` + + ServerName dnsadmin.company.com + DocumentRoot "/opt/powerdns-admin" + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Require all granted + + Redirect permanent / https://dnsadmin.company.com/ + + + ServerName dnsadmin.company.com + DocumentRoot "/opt/powerdns-admin/powerdnsadmin" + ## Alias declarations for resources outside the DocumentRoot + Alias /static/ "/opt/powerdns-admin/powerdnsadmin/static/" + Alias /favicon.ico "/opt/powerdns-admin/powerdnsadmin/static/favicon.ico" + + AllowOverride None + Require all granted + + ## Proxy rules + ProxyRequests Off + ProxyPreserveHost On + ProxyPass /static/ ! + ProxyPass /favicon.ico ! + ProxyPass / unix:/var/run/powerdns-admin/socket|http://%{HTTP_HOST}/ + ProxyPassReverse / unix:/var/run/powerdns-admin/socket|http://%{HTTP_HOST}/ + ## SSL directives + SSLEngine on + SSLCertificateFile "/etc/pki/tls/certs/dnsadmin.company.com.crt" + SSLCertificateKeyFile "/etc/pki/tls/private/dnsadmin.company.com.key" + +``` + +## Notes +* The above assumes your installation is under /opt/powerdns-admin +* The hostname is assumed as dnsadmin.company.com +* gunicorn is installed in /usr/bin via a package (as in the case with CentOS/Redhat 7) and you have Python 3.6 installed. If you prefer to use flask then see the systemd configuration for nginx. +* On Ubuntu / Debian systems, you may need to enable the "proxy_http" module with `a2enmod proxy_http` diff --git a/docs/wiki/web-server/Running-PowerDNS-Admin-with-Systemd-Gunicorn-and-Nginx.md b/docs/wiki/web-server/Running-PowerDNS-Admin-with-Systemd-Gunicorn-and-Nginx.md new file mode 100644 index 0000000..57725bc --- /dev/null +++ b/docs/wiki/web-server/Running-PowerDNS-Admin-with-Systemd-Gunicorn-and-Nginx.md @@ -0,0 +1,181 @@ +Following is an example showing how to run PowerDNS-Admin with systemd, gunicorn and nginx: + +## Configure PowerDNS-Admin + +Create PowerDNS-Admin config file and make the changes necessary for your use case. Make sure to change `SECRET_KEY` to a long random string that you generated yourself ([see Flask docs](https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY)), do not use the pre-defined one. +``` +$ cp /opt/web/powerdns-admin/configs/development.py /opt/web/powerdns-admin/configs/production.py +$ vim /opt/web/powerdns-admin/configs/production.py +``` + +## Configure systemd service + +`$ sudo vim /etc/systemd/system/powerdns-admin.service` + +``` +[Unit] +Description=PowerDNS-Admin +Requires=powerdns-admin.socket +After=network.target + +[Service] +PIDFile=/run/powerdns-admin/pid +User=pdns +Group=pdns +WorkingDirectory=/opt/web/powerdns-admin +ExecStartPre=+mkdir -p /run/powerdns-admin/ +ExecStartPre=+chown pdns:pdns -R /run/powerdns-admin/ +ExecStart=/usr/local/bin/gunicorn --pid /run/powerdns-admin/pid --bind unix:/run/powerdns-admin/socket 'powerdnsadmin:create_app()' +ExecReload=/bin/kill -s HUP $MAINPID +ExecStop=/bin/kill -s TERM $MAINPID +PrivateTmp=true + +[Install] +WantedBy=multi-user.target +``` + +`$ sudo systemctl edit powerdns-admin.service` + +``` +[Service] +Environment="FLASK_CONF=../configs/production.py" +``` + +`$ sudo vim /etc/systemd/system/powerdns-admin.socket` + +``` +[Unit] +Description=PowerDNS-Admin socket + +[Socket] +ListenStream=/run/powerdns-admin/socket + +[Install] +WantedBy=sockets.target +``` + +`$ sudo vim /etc/tmpfiles.d/powerdns-admin.conf` + +``` +d /run/powerdns-admin 0755 pdns pdns - +``` + +Then `sudo systemctl daemon-reload; sudo systemctl start powerdns-admin.socket; sudo systemctl enable powerdns-admin.socket` to start the Powerdns-Admin service and make it run on boot. + +## Sample nginx configuration +``` +server { + listen *:80; + server_name powerdns-admin.local www.powerdns-admin.local; + + index index.html index.htm index.php; + root /opt/web/powerdns-admin; + access_log /var/log/nginx/powerdns-admin.local.access.log combined; + error_log /var/log/nginx/powerdns-admin.local.error.log; + + client_max_body_size 10m; + client_body_buffer_size 128k; + proxy_redirect off; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffers 32 4k; + proxy_buffer_size 8k; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_headers_hash_bucket_size 64; + + location ~ ^/static/ { + include /etc/nginx/mime.types; + root /opt/web/powerdns-admin/powerdnsadmin; + + location ~* \.(jpg|jpeg|png|gif)$ { + expires 365d; + } + + location ~* ^.+.(css|js)$ { + expires 7d; + } + } + + location / { + proxy_pass http://unix:/run/powerdns-admin/socket; + proxy_read_timeout 120; + proxy_connect_timeout 120; + proxy_redirect off; + } + +} +``` + +
+Sample Nginx-Configuration for SSL + +* Im binding this config to every dns-name with default_server... +* but you can remove it and set your server_name. + +``` +server { + listen 80 default_server; + server_name ""; + return 301 https://$http_host$request_uri; +} + +server { + listen 443 ssl http2 default_server; + server_name _; + index index.html index.htm; + error_log /var/log/nginx/error_powerdnsadmin.log error; + access_log off; + + ssl_certificate path_to_your_fullchain_or_cert; + ssl_certificate_key path_to_your_key; + ssl_dhparam path_to_your_dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_session_cache shared:SSL:10m; + + client_max_body_size 10m; + client_body_buffer_size 128k; + proxy_redirect off; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffers 32 4k; + proxy_buffer_size 8k; + proxy_set_header Host $http_host; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_headers_hash_bucket_size 64; + + location ~ ^/static/ { + include mime.types; + root /opt/web/powerdns-admin/powerdnsadmin; + location ~* \.(jpg|jpeg|png|gif)$ { expires 365d; } + location ~* ^.+.(css|js)$ { expires 7d; } + } + + location ~ ^/upload/ { + include mime.types; + root /opt/web/powerdns-admin; + location ~* \.(jpg|jpeg|png|gif)$ { expires 365d; } + location ~* ^.+.(css|js)$ { expires 7d; } + } + + location / { + proxy_pass http://unix:/run/powerdns-admin/socket; + proxy_read_timeout 120; + proxy_connect_timeout 120; + proxy_redirect http:// $scheme://; + } +} +``` +
+ +## Note +* `/opt/web/powerdns-admin` is the path to your powerdns-admin web directory +* Make sure you have installed gunicorn in flask virtualenv already. +* `powerdns-admin.local` just an example of your web domain name. \ No newline at end of file diff --git a/docs/wiki/web-server/Supervisord-example.md b/docs/wiki/web-server/Supervisord-example.md new file mode 100644 index 0000000..11cebc8 --- /dev/null +++ b/docs/wiki/web-server/Supervisord-example.md @@ -0,0 +1,18 @@ +Following is an example showing how to run PowerDNS-Admin with supervisord + +Create supervisord program config file +``` +$ sudo vim /etc/supervisor.d/powerdnsadmin.conf +``` + +``` +[program:powerdnsadmin] +command=/opt/web/powerdns-admin/flask/bin/python ./run.py +stdout_logfile=/var/log/supervisor/program_powerdnsadmin.log +stderr_logfile=/var/log/supervisor/program_powerdnsadmin.error +autostart=true +autorestart=true +directory=/opt/web/powerdns-admin +``` + +Then `sudo supervisorctl start powerdnsadmin` to start the Powerdns-Admin service. \ No newline at end of file diff --git a/docs/wiki/web-server/Systemd-example.md b/docs/wiki/web-server/Systemd-example.md new file mode 100644 index 0000000..d7f738b --- /dev/null +++ b/docs/wiki/web-server/Systemd-example.md @@ -0,0 +1,50 @@ +## Configure systemd service + +This example uses package-installed gunicorn (instead of flask-installed) and PowerDNS-Admin installed under /opt/powerdns-admin + +`$ sudo vim /etc/systemd/system/powerdns-admin.service` + +``` +[Unit] +Description=PowerDNS web administration service +Requires=powerdns-admin.socket +Wants=network.target +After=network.target mysqld.service postgresql.service slapd.service mariadb.service + +[Service] +PIDFile=/run/powerdns-admin/pid +User=pdnsa +Group=pdnsa +WorkingDirectory=/opt/powerdns-admin +ExecStart=/usr/bin/gunicorn-3.6 --workers 4 --log-level info --pid /run/powerdns-admin/pid --bind unix:/run/powerdns-admin/socket "powerdnsadmin:create_app(config='config.py')" +ExecReload=/bin/kill -s HUP $MAINPID +ExecStop=/bin/kill -s TERM $MAINPID +PrivateTmp=true +Restart=on-failure +RestartSec=10 +StartLimitInterval=0 + +[Install] +WantedBy=multi-user.target +``` + +`$ sudo vim /etc/systemd/system/powerdns-admin.socket` + +``` +[Unit] +Description=PowerDNS-Admin socket + +[Socket] +ListenStream=/run/powerdns-admin/socket + +[Install] +WantedBy=sockets.target +``` + +`$ sudo vim /etc/tmpfiles.d/powerdns-admin.conf` + +``` +d /run/powerdns-admin 0755 pdns pdns - +``` + +Then `sudo systemctl daemon-reload; sudo systemctl start powerdns-admin.socket; sudo systemctl enable powerdns-admin.socket` to start the Powerdns-Admin service and make it run on boot. diff --git a/docs/wiki/web-server/WSGI-Apache-example.md b/docs/wiki/web-server/WSGI-Apache-example.md new file mode 100644 index 0000000..d31e4f7 --- /dev/null +++ b/docs/wiki/web-server/WSGI-Apache-example.md @@ -0,0 +1,100 @@ +How to run PowerDNS-Admin via WSGI and Apache2.4 using mod_wsgi. + +**Note**: You must install mod_wsgi by using pip3 instead of system default mod_wsgi!!! + +### Ubuntu/Debian +```shell +# apt install apache2-dev +# virtualenv -p python3 flask +# source ./flask/bin/activate +(flask) # pip3 install mod-wsgi +(flask) # mod_wsgi-express install-module > /etc/apache2/mods-available/wsgi.load +(flask) # a2enmod wsgi +(flask) # systemctl restart apache2 +``` +### CentOS +```shell +# yum install httpd-devel +# virtualenv -p python3 flask +# source ./flask/bin/activate +(flask) # pip3 install mod-wsgi +(flask) # mod_wsgi-express install-module > /etc/httpd/conf.modules.d/02-wsgi.conf +(flask) # systemctl restart httpd +``` +### Fedora +```bash +# Install Apache's Development interfaces and package requirements +dnf install httpd-devel gcc gc make +virtualenv -p python3 flask +source ./flask/bin/activate +# Install WSGI for HTTPD +pip install mod_wsgi-httpd +# Install WSGI +pip install mod-wsgi +# Enable the module in Apache: +mod_wsgi-express install-module > /etc/httpd/conf.modules.d/02-wsgi.conf +systemctl restart httpd +``` + +Apache vhost configuration; +```apache + + ServerName superawesomedns.foo.bar + ServerAlias [fe80::1] + ServerAdmin webmaster@foo.bar + + SSLEngine On + SSLCertificateFile /some/path/ssl/certs/cert.pem + SSLCertificateKeyFile /some/path/ssl/private/cert.key + + ErrorLog /var/log/apache2/error-superawesomedns.foo.bar.log + CustomLog /var/log/apache2/access-superawesomedns.foo.bar.log combined + + DocumentRoot /srv/vhosts/superawesomedns.foo.bar/ + + WSGIDaemonProcess pdnsadmin user=pdnsadmin group=pdnsadmin threads=5 + WSGIScriptAlias / /srv/vhosts/superawesomedns.foo.bar/powerdnsadmin.wsgi + + # pass BasicAuth on to the WSGI process + WSGIPassAuthorization On + + + WSGIProcessGroup pdnsadmin + WSGIApplicationGroup %{GLOBAL} + + AllowOverride None + Options +ExecCGI +FollowSymLinks + SSLRequireSSL + AllowOverride None + Require all granted + + +``` +**In Fedora, you might want to change the following line:** +```apache +WSGIDaemonProcess pdnsadmin socket-user=apache user=pdnsadmin group=pdnsadmin threads=5 +``` +**And you should add the following line to `/etc/httpd/conf/httpd.conf`:** +```apache +WSGISocketPrefix /var/run/wsgi +``` + +Content of `/srv/vhosts/superawesomedns.foo.bar/powerdnsadmin.wsgi`; +```python +#!/usr/bin/env python3 +import sys +sys.path.insert(0, '/srv/vhosts/superawesomedns.foo.bar') + +from app import app as application +``` +Starting from 0.2 version, the `powerdnsadmin.wsgi` file is slighty different : +```python +#!/usr/bin/env python3 +import sys +sys.path.insert(0, '/srv/vhosts/superawesomedns.foo.bar') + +from powerdnsadmin import create_app +application = create_app() +``` + +(this implies that the pdnsadmin user/group exists, and that you have mod_wsgi loaded) \ No newline at end of file diff --git a/docs/wiki/web-server/uWSGI-example.md b/docs/wiki/web-server/uWSGI-example.md new file mode 100644 index 0000000..db15d03 --- /dev/null +++ b/docs/wiki/web-server/uWSGI-example.md @@ -0,0 +1,56 @@ +# uWSGI Example + +This guide will show you how to run PowerDNS-Admin via uWSGI and nginx. This guide was written using Debian 8 with the following software versions: +- nginx 1.6.2 +- uwsgi 2.0.7-debian +- python 2.7.9 + +## Software installation: + +1. apt install the following packages: + - `uwsgi` + - `uwsgi-plugin-python` + - `nginx` + +## Step-by-step instructions +1. Create a uWSGI .ini in `/etc/uwsgi/apps-enabled` with the following contents, making sure to replace the chdir, pythonpath and virtualenv directories with where you've installed PowerDNS-Admin: + ```ini + [uwsgi] + plugins = python27 + + uid=www-data + gid=www-data + + chdir = /opt/pdns-admin/PowerDNS-Admin/ + pythonpath = /opt/pdns-admin/PowerDNS-Admin/ + virtualenv = /opt/pdns-admin/PowerDNS-Admin/flask + + mount = /pdns=powerdnsadmin:create_app() + manage-script-name = true + + vacuum = true + harakiri = 20 + buffer-size = 32768 + post-buffering = 8192 + socket = /run/uwsgi/app/%n/%n.socket + chown-socket = www-data + pidfile = /run/uwsgi/app/%n/%n.pid + + daemonize = /var/log/uwsgi/app/%n.log + enable-threads + ``` +2. Add the following configuration to your nginx config: + ```nginx + location / { try_files $uri @pdns_admin; } + + location @pdns_admin { + include uwsgi_params; + uwsgi_pass unix:/run/uwsgi/app/pdns-admin/pdns-admin.socket; + } + + location /pdns/static/ { + alias /opt/pdns-admin/PowerDNS-Admin/app/static/; + } + ``` +3. Restart nginx and uwsgi. +4. You're done and PowerDNS-Admin will now be available via nginx. \ No newline at end of file diff --git a/migrations/env.py b/migrations/env.py index 6a10e6d..4742e14 100755 --- a/migrations/env.py +++ b/migrations/env.py @@ -19,7 +19,7 @@ logger = logging.getLogger('alembic.env') # target_metadata = mymodel.Base.metadata from flask import current_app config.set_main_option('sqlalchemy.url', - current_app.config.get('SQLALCHEMY_DATABASE_URI')) + current_app.config.get('SQLALCHEMY_DATABASE_URI').replace("%","%%")) target_metadata = current_app.extensions['migrate'].db.metadata # other values from the config, defined by the needs of env.py, diff --git a/migrations/versions/1274ed462010_remove_all_settings_in_the_db.py b/migrations/versions/31a4ed468b18_remove_all_settings_in_the_db.py similarity index 100% rename from migrations/versions/1274ed462010_remove_all_settings_in_the_db.py rename to migrations/versions/31a4ed468b18_remove_all_settings_in_the_db.py diff --git a/migrations/versions/6ea7dc05f496_fix_typo_in_history_detail.py b/migrations/versions/6ea7dc05f496_fix_typo_in_history_detail.py new file mode 100644 index 0000000..6a03994 --- /dev/null +++ b/migrations/versions/6ea7dc05f496_fix_typo_in_history_detail.py @@ -0,0 +1,46 @@ +"""Fix typo in history detail + +Revision ID: 6ea7dc05f496 +Revises: fbc7cf864b24 +Create Date: 2022-05-10 10:16:58.784497 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = '6ea7dc05f496' +down_revision = 'fbc7cf864b24' +branch_labels = None +depends_on = None + +history_table = sa.sql.table('history', + sa.Column('detail', sa.Text), + ) + + +def upgrade(): + op.execute( + history_table.update() + .where(history_table.c.detail.like('%"add_rrests":%')) + .values({ + 'detail': sa.func.replace( + sa.func.replace(history_table.c.detail, '"add_rrests":', '"add_rrsets":'), + '"del_rrests":', '"del_rrsets":' + ) + }) + ) + + +def downgrade(): + op.execute( + history_table.update() + .where(history_table.c.detail.like('%"add_rrsets":%')) + .values({ + 'detail': sa.func.replace( + sa.func.replace(history_table.c.detail, '"add_rrsets":', '"add_rrests":'), + '"del_rrsets":', '"del_rrests":' + ) + }) + ) diff --git a/migrations/versions/f41520e41cee_update_domain_type_length.py b/migrations/versions/f41520e41cee_update_domain_type_length.py new file mode 100644 index 0000000..f4672de --- /dev/null +++ b/migrations/versions/f41520e41cee_update_domain_type_length.py @@ -0,0 +1,31 @@ +"""update domain type length + +Revision ID: f41520e41cee +Revises: 6ea7dc05f496 +Create Date: 2023-01-10 11:56:28.538485 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = 'f41520e41cee' +down_revision = '6ea7dc05f496' +branch_labels = None +depends_on = None + + +def upgrade(): + with op.batch_alter_table('domain') as batch_op: + batch_op.alter_column('type', + existing_type=sa.String(length=6), + type_=sa.String(length=8)) + + +def downgrade(): + with op.batch_alter_table('domain') as batch_op: + batch_op.alter_column('type', + existing_type=sa.String(length=8), + type_=sa.String(length=6)) + diff --git a/migrations/versions/fbc7cf864b24_update_history_detail_quotes.py b/migrations/versions/fbc7cf864b24_update_history_detail_quotes.py new file mode 100644 index 0000000..4aaf16c --- /dev/null +++ b/migrations/versions/fbc7cf864b24_update_history_detail_quotes.py @@ -0,0 +1,47 @@ +"""update history detail quotes + +Revision ID: fbc7cf864b24 +Revises: 0967658d9c0d +Create Date: 2022-05-04 19:49:54.054285 + +""" +from alembic import op +import sqlalchemy as sa + +# revision identifiers, used by Alembic. +revision = 'fbc7cf864b24' +down_revision = '0967658d9c0d' +branch_labels = None +depends_on = None + + +def upgrade(): + history_table = sa.sql.table( + 'history', + sa.Column('id', sa.Integer), + sa.Column('msg', sa.String), + sa.Column('detail', sa.Text), + sa.Column('created_by', sa.String), + sa.Column('created_on', sa.DateTime), + sa.Column('domain_id', sa.Integer) + ) + + op.execute( + history_table.update().where( + sa.and_( + history_table.c.detail.like("%'%"), + history_table.c.detail.notlike("%rrests%"), + history_table.c.detail.notlike("%rrsets%") + ) + ).values({ + 'detail': sa.func.replace( + history_table.c.detail, + "'", + '"' + ) + }) + ) + + +def downgrade(): + pass diff --git a/powerdnsadmin/__init__.py b/powerdnsadmin/__init__.py index c70b273..5adf748 100755 --- a/powerdnsadmin/__init__.py +++ b/powerdnsadmin/__init__.py @@ -1,7 +1,6 @@ import os import logging from flask import Flask -from flask_seasurf import SeaSurf from flask_mail import Mail from werkzeug.middleware.proxy_fix import ProxyFix from flask_session import Session @@ -33,31 +32,6 @@ def create_app(config=None): # Proxy app.wsgi_app = ProxyFix(app.wsgi_app) - # CSRF protection - csrf = SeaSurf(app) - csrf.exempt(routes.index.dyndns_checkip) - csrf.exempt(routes.index.dyndns_update) - csrf.exempt(routes.index.saml_authorized) - csrf.exempt(routes.api.api_login_create_zone) - csrf.exempt(routes.api.api_login_delete_zone) - csrf.exempt(routes.api.api_generate_apikey) - csrf.exempt(routes.api.api_delete_apikey) - csrf.exempt(routes.api.api_update_apikey) - csrf.exempt(routes.api.api_zone_subpath_forward) - csrf.exempt(routes.api.api_zone_forward) - csrf.exempt(routes.api.api_create_zone) - csrf.exempt(routes.api.api_create_account) - csrf.exempt(routes.api.api_delete_account) - csrf.exempt(routes.api.api_update_account) - csrf.exempt(routes.api.api_create_user) - csrf.exempt(routes.api.api_delete_user) - csrf.exempt(routes.api.api_update_user) - csrf.exempt(routes.api.api_list_account_users) - csrf.exempt(routes.api.api_add_account_user) - csrf.exempt(routes.api.api_remove_account_user) - csrf.exempt(routes.api.api_zone_cryptokeys) - csrf.exempt(routes.api.api_zone_cryptokey) - # Load config from env variables if using docker if os.path.exists(os.path.join(app.root_path, 'docker_config.py')): app.config.from_object('powerdnsadmin.docker_config') @@ -69,7 +43,7 @@ def create_app(config=None): if 'FLASK_CONF' in os.environ: app.config.from_envvar('FLASK_CONF') - # Load app sepecified configuration + # Load app specified configuration if config is not None: if isinstance(config, dict): app.config.update(config) @@ -100,8 +74,6 @@ def create_app(config=None): app.jinja_env.filters['display_record_name'] = utils.display_record_name app.jinja_env.filters['display_master_name'] = utils.display_master_name app.jinja_env.filters['display_second_to_time'] = utils.display_time - app.jinja_env.filters[ - 'email_to_gravatar_url'] = utils.email_to_gravatar_url app.jinja_env.filters[ 'display_setting_state'] = utils.display_setting_state app.jinja_env.filters['pretty_domain_name'] = utils.pretty_domain_name @@ -119,9 +91,4 @@ def create_app(config=None): setting = Setting() return dict(SETTING=setting) - @app.context_processor - def inject_mode(): - setting = app.config.get('OFFLINE_MODE', False) - return dict(OFFLINE_MODE=setting) - return app diff --git a/powerdnsadmin/assets.py b/powerdnsadmin/assets.py index dfe79ff..233e23a 100644 --- a/powerdnsadmin/assets.py +++ b/powerdnsadmin/assets.py @@ -23,7 +23,8 @@ css_login = Bundle('node_modules/bootstrap/dist/css/bootstrap.css', js_login = Bundle('node_modules/jquery/dist/jquery.js', 'node_modules/bootstrap/dist/js/bootstrap.js', 'node_modules/icheck/icheck.js', - filters=(ConcatFilter, 'jsmin'), + 'custom/js/custom.js', + filters=(ConcatFilter, 'rjsmin'), output='generated/login.js') js_validation = Bundle('node_modules/bootstrap-validator/dist/validator.js', @@ -60,7 +61,7 @@ js_main = Bundle('node_modules/jquery/dist/jquery.js', 'node_modules/jquery.quicksearch/src/jquery.quicksearch.js', 'custom/js/custom.js', 'node_modules/bootstrap-datepicker/dist/js/bootstrap-datepicker.js', - filters=(ConcatFilter, 'jsmin'), + filters=(ConcatFilter, 'rjsmin'), output='generated/main.js') assets = Environment() diff --git a/powerdnsadmin/decorators.py b/powerdnsadmin/decorators.py index e2a35bb..6382141 100644 --- a/powerdnsadmin/decorators.py +++ b/powerdnsadmin/decorators.py @@ -1,12 +1,13 @@ import base64 import binascii from functools import wraps -from flask import g, request, abort, current_app, render_template +from flask import g, request, abort, current_app, Response from flask_login import current_user from .models import User, ApiKey, Setting, Domain, Setting -from .lib.errors import RequestIsNotJSON, NotEnoughPrivileges -from .lib.errors import DomainAccessForbidden +from .lib.errors import RequestIsNotJSON, NotEnoughPrivileges, RecordTTLNotAllowed, RecordTypeNotAllowed +from .lib.errors import DomainAccessForbidden, DomainOverrideForbidden + def admin_role_required(f): """ @@ -259,6 +260,13 @@ def api_can_create_domain(f): msg = "User {0} does not have enough privileges to create domain" current_app.logger.error(msg.format(current_user.username)) raise NotEnoughPrivileges() + + if Setting().get('deny_domain_override'): + req = request.get_json(force=True) + domain = Domain() + if req['name'] and domain.is_overriding(req['name']): + raise DomainOverrideForbidden() + return f(*args, **kwargs) return decorated_function @@ -269,6 +277,9 @@ def apikey_can_create_domain(f): Grant access if: - user is in Operator role or higher, or - allow_user_create_domain is on + and + - deny_domain_override is off or + - override_domain is true (from request) """ @wraps(f) def decorated_function(*args, **kwargs): @@ -278,6 +289,13 @@ def apikey_can_create_domain(f): msg = "ApiKey #{0} does not have enough privileges to create domain" current_app.logger.error(msg.format(g.apikey.id)) raise NotEnoughPrivileges() + + if Setting().get('deny_domain_override'): + req = request.get_json(force=True) + domain = Domain() + if req['name'] and domain.is_overriding(req['name']): + raise DomainOverrideForbidden() + return f(*args, **kwargs) return decorated_function @@ -367,6 +385,60 @@ def apikey_can_configure_dnssec(http_methods=[]): return decorated_function return decorator +def allowed_record_types(f): + @wraps(f) + def decorated_function(*args, **kwargs): + if request.method == 'GET': + return f(*args, **kwargs) + + if g.apikey.role.name in ['Administrator', 'Operator']: + return f(*args, **kwargs) + + records_allowed_to_edit = Setting().get_records_allow_to_edit() + content = request.get_json() + try: + for record in content['rrsets']: + if 'type' not in record: + raise RecordTypeNotAllowed() + + if record['type'] not in records_allowed_to_edit: + current_app.logger.error(f"Error: Record type not allowed: {record['type']}") + raise RecordTypeNotAllowed(message=f"Record type not allowed: {record['type']}") + except (TypeError, KeyError) as e: + raise e + return f(*args, **kwargs) + + return decorated_function + +def allowed_record_ttl(f): + @wraps(f) + def decorated_function(*args, **kwargs): + if not Setting().get('enforce_api_ttl'): + return f(*args, **kwargs) + + if request.method == 'GET': + return f(*args, **kwargs) + + if g.apikey.role.name in ['Administrator', 'Operator']: + return f(*args, **kwargs) + + allowed_ttls = Setting().get_ttl_options() + allowed_numeric_ttls = [ ttl[0] for ttl in allowed_ttls ] + content = request.get_json() + try: + for record in content['rrsets']: + if 'ttl' not in record: + raise RecordTTLNotAllowed() + + if record['ttl'] not in allowed_numeric_ttls: + current_app.logger.error(f"Error: Record TTL not allowed: {record['ttl']}") + raise RecordTTLNotAllowed(message=f"Record TTL not allowed: {record['ttl']}") + except (TypeError, KeyError) as e: + raise e + return f(*args, **kwargs) + + return decorated_function + def apikey_auth(f): @wraps(f) @@ -409,7 +481,7 @@ def dyndns_login_required(f): @wraps(f) def decorated_function(*args, **kwargs): if current_user.is_authenticated is False: - return render_template('dyndns.html', response='badauth'), 200 + return Response(headers={'WWW-Authenticate': 'Basic'}, status=401) return f(*args, **kwargs) return decorated_function diff --git a/powerdnsadmin/default_config.py b/powerdnsadmin/default_config.py index 16b8161..81d0e32 100644 --- a/powerdnsadmin/default_config.py +++ b/powerdnsadmin/default_config.py @@ -8,8 +8,9 @@ SECRET_KEY = 'e951e5a1f4b94151b360f47edf596dd2' BIND_ADDRESS = '0.0.0.0' PORT = 9191 HSTS_ENABLED = False -OFFLINE_MODE = False FILESYSTEM_SESSIONS_ENABLED = False +SESSION_COOKIE_SAMESITE = 'Lax' +CSRF_COOKIE_HTTPONLY = True ### DATABASE CONFIG SQLA_DB_USER = 'pda' diff --git a/powerdnsadmin/lib/certutil.py b/powerdnsadmin/lib/certutil.py index 9e09cf6..863e40b 100644 --- a/powerdnsadmin/lib/certutil.py +++ b/powerdnsadmin/lib/certutil.py @@ -1,48 +1,58 @@ -from OpenSSL import crypto -from datetime import datetime -import pytz +import datetime import os -CRYPT_PATH = os.path.abspath(os.path.dirname(os.path.realpath(__file__)) + "/../../") + +from cryptography import x509 +from cryptography.hazmat.primitives.asymmetric import rsa +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.x509.oid import NameOID + + +CRYPT_PATH = os.path.abspath(os.path.dirname(os.path.realpath(__file__)) + "/../../") CERT_FILE = CRYPT_PATH + "/saml_cert.crt" KEY_FILE = CRYPT_PATH + "/saml_cert.key" -def check_certificate(): - if not os.path.isfile(CERT_FILE): - return False - st_cert = open(CERT_FILE, 'rt').read() - cert = crypto.load_certificate(crypto.FILETYPE_PEM, st_cert) - now = datetime.now(pytz.utc) - begin = datetime.strptime(cert.get_notBefore(), "%Y%m%d%H%M%SZ").replace(tzinfo=pytz.UTC) - begin_ok = begin < now - end = datetime.strptime(cert.get_notAfter(), "%Y%m%d%H%M%SZ").replace(tzinfo=pytz.UTC) - end_ok = end > now - if begin_ok and end_ok: - return True - return False - def create_self_signed_cert(): + """ Generate a new self-signed RSA-2048-SHA256 x509 certificate. """ + # Generate our key + key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + ) - # create a key pair - k = crypto.PKey() - k.generate_key(crypto.TYPE_RSA, 2048) + # Write our key to disk for safe keeping + with open(KEY_FILE, "wb") as key_file: + key_file.write(key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + )) - # create a self-signed cert - cert = crypto.X509() - cert.get_subject().C = "DE" - cert.get_subject().ST = "NRW" - cert.get_subject().L = "Dortmund" - cert.get_subject().O = "Dummy Company Ltd" - cert.get_subject().OU = "Dummy Company Ltd" - cert.get_subject().CN = "PowerDNS-Admin" - cert.set_serial_number(1000) - cert.gmtime_adj_notBefore(0) - cert.gmtime_adj_notAfter(10*365*24*60*60) - cert.set_issuer(cert.get_subject()) - cert.set_pubkey(k) - cert.sign(k, 'sha256') + # Various details about who we are. For a self-signed certificate the + # subject and issuer are always the same. + subject = issuer = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, "DE"), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "NRW"), + x509.NameAttribute(NameOID.LOCALITY_NAME, "Dortmund"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Dummy Company Ltd"), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Dummy Company Ltd"), + x509.NameAttribute(NameOID.COMMON_NAME, "PowerDNS-Admin"), + ]) - open(CERT_FILE, "bw").write( - crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) - open(KEY_FILE, "bw").write( - crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) \ No newline at end of file + cert = x509.CertificateBuilder().subject_name( + subject + ).issuer_name( + issuer + ).public_key( + key.public_key() + ).serial_number( + x509.random_serial_number() + ).not_valid_before( + datetime.datetime.utcnow() + ).not_valid_after( + datetime.datetime.utcnow() + datetime.timedelta(days=10*365) + ).sign(key, hashes.SHA256()) + + # Write our certificate out to disk. + with open(CERT_FILE, "wb") as cert_file: + cert_file.write(cert.public_bytes(serialization.Encoding.PEM)) diff --git a/powerdnsadmin/lib/errors.py b/powerdnsadmin/lib/errors.py index 687f554..e1e0785 100644 --- a/powerdnsadmin/lib/errors.py +++ b/powerdnsadmin/lib/errors.py @@ -44,6 +44,13 @@ class DomainAccessForbidden(StructuredException): self.message = message self.name = name +class DomainOverrideForbidden(StructuredException): + status_code = 409 + + def __init__(self, name=None, message="Domain override of record not allowed"): + StructuredException.__init__(self) + self.message = message + self.name = name class ApiKeyCreateFail(StructuredException): status_code = 500 @@ -129,6 +136,13 @@ class AccountNotExists(StructuredException): self.message = message self.name = name +class InvalidAccountNameException(StructuredException): + status_code = 400 + + def __init__(self, name=None, message="The account name is invalid"): + StructuredException.__init__(self) + self.message = message + self.name = name class UserCreateFail(StructuredException): status_code = 500 @@ -138,7 +152,6 @@ class UserCreateFail(StructuredException): self.message = message self.name = name - class UserCreateDuplicate(StructuredException): status_code = 409 @@ -163,7 +176,6 @@ class UserUpdateFailEmail(StructuredException): self.message = message self.name = name - class UserDeleteFail(StructuredException): status_code = 500 @@ -171,3 +183,19 @@ class UserDeleteFail(StructuredException): StructuredException.__init__(self) self.message = message self.name = name + +class RecordTypeNotAllowed(StructuredException): + status_code = 400 + + def __init__(self, name=None, message="Record type not allowed or does not present"): + StructuredException.__init__(self) + self.message = message + self.name = name + +class RecordTTLNotAllowed(StructuredException): + status_code = 400 + + def __init__(self, name=None, message="Record TTL not allowed or does not present"): + StructuredException.__init__(self) + self.message = message + self.name = name diff --git a/powerdnsadmin/lib/helper.py b/powerdnsadmin/lib/helper.py index a5925ef..1b5a082 100644 --- a/powerdnsadmin/lib/helper.py +++ b/powerdnsadmin/lib/helper.py @@ -14,9 +14,9 @@ def forward_request(): msg_str = "Sending request to powerdns API {0}" if request.method != 'GET' and request.method != 'DELETE': - msg = msg_str.format(request.get_json(force=True)) + msg = msg_str.format(request.get_json(force=True, silent=True)) current_app.logger.debug(msg) - data = request.get_json(force=True) + data = request.get_json(force=True, silent=True) verify = False diff --git a/powerdnsadmin/lib/utils.py b/powerdnsadmin/lib/utils.py index 951f750..f63a11c 100644 --- a/powerdnsadmin/lib/utils.py +++ b/powerdnsadmin/lib/utils.py @@ -2,13 +2,12 @@ import logging import re import json import requests -import hashlib import ipaddress +import idna from collections.abc import Iterable from distutils.version import StrictVersion from urllib.parse import urlparse -from datetime import datetime, timedelta def auth_from_url(url): @@ -185,17 +184,6 @@ def pdns_api_extended_uri(version): return "" -def email_to_gravatar_url(email="", size=100): - """ - AD doesn't necessarily have email - """ - if email is None: - email = "" - - hash_string = hashlib.md5(email.encode('utf-8')).hexdigest() - return "https://s.gravatar.com/avatar/{0}?s={1}".format(hash_string, size) - - def display_setting_state(value): if value == 1: return "ON" @@ -237,21 +225,42 @@ class customBoxes: } order = ["reverse", "ip6arpa", "inaddrarpa"] -def pretty_domain_name(value): - """ - Display domain name in original format. - If it is IDN domain (Punycode starts with xn--), do the - idna decoding. - Note that any part of the domain name can be individually punycoded - """ - if isinstance(value, str): - if value.startswith('xn--') \ - or value.find('.xn--') != -1: +def pretty_domain_name(domain_name): + # Add a debugging statement to print out the domain name + print("Received domain name:", domain_name) + + # Check if the domain name is encoded using Punycode + if domain_name.endswith('.xn--'): + try: + # Decode the domain name using the idna library + domain_name = idna.decode(domain_name) + except Exception as e: + # If the decoding fails, raise an exception with more information + raise Exception('Cannot decode IDN domain: {}'.format(e)) + + # Return the "pretty" version of the domain name + return domain_name + + +def to_idna(value, action): + splits = value.split('.') + result = [] + if action == 'encode': + for split in splits: try: - return value.encode().decode('idna') - except: - raise Exception("Cannot decode IDN domain") - else: - return value + # Try encoding to idna + if not split.startswith('_') and not split.startswith('-'): + result.append(idna.encode(split).decode()) + else: + result.append(split) + except idna.IDNAError: + result.append(split) + elif action == 'decode': + for split in splits: + if not split.startswith('_') and not split.startswith('--'): + result.append(idna.decode(split)) + else: + result.append(split) else: - raise Exception("Require the Punycode in string format") + raise Exception('No valid action received') + return '.'.join(result) diff --git a/powerdnsadmin/models/account.py b/powerdnsadmin/models/account.py index 4d08fc1..ab2341e 100644 --- a/powerdnsadmin/models/account.py +++ b/powerdnsadmin/models/account.py @@ -3,6 +3,7 @@ from flask import current_app from urllib.parse import urljoin from ..lib import utils +from ..lib.errors import InvalidAccountNameException from .base import db from .setting import Setting from .user import User @@ -22,7 +23,7 @@ class Account(db.Model): back_populates="accounts") def __init__(self, name=None, description=None, contact=None, mail=None): - self.name = name + self.name = Account.sanitize_name(name) if name is not None else name self.description = description self.contact = contact self.mail = mail @@ -33,9 +34,30 @@ class Account(db.Model): self.PDNS_VERSION = Setting().get('pdns_version') self.API_EXTENDED_URL = utils.pdns_api_extended_uri(self.PDNS_VERSION) - if self.name is not None: - self.name = ''.join(c for c in self.name.lower() - if c in "abcdefghijklmnopqrstuvwxyz0123456789") + + @staticmethod + def sanitize_name(name): + """ + Formats the provided name to fit into the constraint + """ + if not isinstance(name, str): + raise InvalidAccountNameException("Account name must be a string") + + allowed_characters = "abcdefghijklmnopqrstuvwxyz0123456789" + + if Setting().get('account_name_extra_chars'): + allowed_characters += "_-." + + sanitized_name = ''.join(c for c in name.lower() if c in allowed_characters) + + if len(sanitized_name) > Account.name.type.length: + current_app.logger.error("Account name {0} too long. Truncated to: {1}".format( + sanitized_name, sanitized_name[:Account.name.type.length])) + + if not sanitized_name: + raise InvalidAccountNameException("Empty string is not a valid account name") + + return sanitized_name[:Account.name.type.length] def __repr__(self): return ''.format(self.name) @@ -68,11 +90,9 @@ class Account(db.Model): """ Create a new account """ - # Sanity check - account name - if self.name == "": - return {'status': False, 'msg': 'No account name specified'} + self.name = Account.sanitize_name(self.name) - # check that account name is not already used + # Check that account name is not already used account = Account.query.filter(Account.name == self.name).first() if account: return {'status': False, 'msg': 'Account already exists'} diff --git a/powerdnsadmin/models/api_key.py b/powerdnsadmin/models/api_key.py index 4c26cd2..7bd0fda 100644 --- a/powerdnsadmin/models/api_key.py +++ b/powerdnsadmin/models/api_key.py @@ -60,31 +60,31 @@ class ApiKey(db.Model): def update(self, role_name=None, description=None, domains=None, accounts=None): try: - if role_name: - role = Role.query.filter(Role.name == role_name).first() - self.role_id = role.id + if role_name: + role = Role.query.filter(Role.name == role_name).first() + self.role_id = role.id - if description: - self.description = description + if description: + self.description = description - if domains is not None: - domain_object_list = Domain.query \ - .filter(Domain.name.in_(domains)) \ - .all() - self.domains[:] = domain_object_list + if domains is not None: + domain_object_list = Domain.query \ + .filter(Domain.name.in_(domains)) \ + .all() + self.domains[:] = domain_object_list - if accounts is not None: - account_object_list = Account.query \ - .filter(Account.name.in_(accounts)) \ - .all() - self.accounts[:] = account_object_list + if accounts is not None: + account_object_list = Account.query \ + .filter(Account.name.in_(accounts)) \ + .all() + self.accounts[:] = account_object_list - db.session.commit() + db.session.commit() except Exception as e: - msg_str = 'Update of apikey failed. Error: {0}' - current_app.logger.error(msg_str.format(e)) - db.session.rollback - raise e + msg_str = 'Update of apikey failed. Error: {0}' + current_app.logger.error(msg_str.format(e)) + db.session.rollback() # fixed line + raise e def get_hashed_password(self, plain_text_password=None): # Hash a password for the first time diff --git a/powerdnsadmin/models/domain.py b/powerdnsadmin/models/domain.py index e30421d..ab154c1 100644 --- a/powerdnsadmin/models/domain.py +++ b/powerdnsadmin/models/domain.py @@ -1,3 +1,4 @@ +import json import re import traceback from flask import current_app @@ -19,7 +20,7 @@ class Domain(db.Model): id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(255), index=True, unique=True) master = db.Column(db.String(128)) - type = db.Column(db.String(6), nullable=False) + type = db.Column(db.String(8), nullable=False) serial = db.Column(db.BigInteger) notified_serial = db.Column(db.BigInteger) last_check = db.Column(db.Integer) @@ -109,6 +110,22 @@ class Domain(db.Model): 'Domain does not exist. ERROR: {0}'.format(e)) return None + def search_idn_domains(self, search_string): + """ + Search for IDN domains using the provided search string. + """ + # Compile the regular expression pattern for matching IDN domain names + idn_pattern = re.compile(r'^xn--') + + # Search for domain names that match the IDN pattern + idn_domains = [ + domain for domain in self.get_domains() if idn_pattern.match(domain) + ] + + # Filter the search results based on the provided search string + return [domain for domain in idn_domains if search_string in domain] + + def update(self): """ Fetch zones (domains) from PowerDNS and update into DB @@ -142,9 +159,20 @@ class Domain(db.Model): current_app.logger.debug(traceback.format_exc()) # update/add new domain + account_cache = {} for data in jdata: if 'account' in data: - account_id = Account().get_id_by_name(data['account']) + # if no account is set don't try to query db + if data['account'] == '': + find_account_id = None + else: + find_account_id = account_cache.get(data['account']) + # if account was not queried in the past and hence not in cache + if find_account_id is None: + find_account_id = Account().get_id_by_name(data['account']) + # add to cache + account_cache[data['account']] = find_account_id + account_id = find_account_id else: current_app.logger.debug( "No 'account' data found in API result - Unsupported PowerDNS version?" @@ -208,7 +236,7 @@ class Domain(db.Model): Add a domain to power dns """ - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} domain_name = domain_name + '.' domain_ns = [ns + '.' for ns in domain_ns] @@ -311,7 +339,7 @@ class Domain(db.Model): if not domain: return {'status': 'error', 'msg': 'Domain does not exist.'} - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} if soa_edit_api not in ["DEFAULT", "INCREASE", "EPOCH", "OFF"]: soa_edit_api = 'DEFAULT' @@ -361,7 +389,7 @@ class Domain(db.Model): if not domain: return {'status': 'error', 'msg': 'Domain does not exist.'} - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} post_data = {"kind": kind, "masters": masters} @@ -421,7 +449,7 @@ class Domain(db.Model): if result['status'] == 'ok': history = History(msg='Add reverse lookup domain {0}'.format( domain_reverse_name), - detail=str({ + detail=json.dumps({ 'domain_type': 'Master', 'domain_master_ips': '' }), @@ -681,7 +709,7 @@ class Domain(db.Model): """ domain = Domain.query.filter(Domain.name == domain_name).first() if domain: - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} try: # Enable API-RECTIFY for domain, BEFORE activating DNSSEC post_data = {"api_rectify": True} @@ -747,7 +775,7 @@ class Domain(db.Model): """ domain = Domain.query.filter(Domain.name == domain_name).first() if domain: - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} try: # Deactivate DNSSEC jdata = utils.fetch_json( @@ -806,7 +834,7 @@ class Domain(db.Model): else: return {'status': 'error', 'msg': 'This domain does not exist'} - def assoc_account(self, account_id): + def assoc_account(self, account_id, update=True): """ Associate domain with a domain, specified by account id """ @@ -821,7 +849,7 @@ class Domain(db.Model): if not domain: return {'status': False, 'msg': 'Domain does not exist'} - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} account_name = Account().get_name_by_id(account_id) @@ -842,7 +870,8 @@ class Domain(db.Model): current_app.logger.error(jdata['error']) return {'status': 'error', 'msg': jdata['error']} else: - self.update() + if update: + self.update() msg_str = 'Account changed for domain {0} successfully' current_app.logger.info(msg_str.format(domain_name)) return {'status': 'ok', 'msg': 'account changed successfully'} @@ -879,3 +908,18 @@ class Domain(db.Model): DomainUser.user_id == user_id, AccountUser.user_id == user_id )).filter(Domain.id == self.id).first() + + # Return None if this domain does not exist as record, + # Return the parent domain that hold the record if exist + def is_overriding(self, domain_name): + upper_domain_name = '.'.join(domain_name.split('.')[1:]) + while upper_domain_name != '': + if self.get_id_by_name(upper_domain_name.rstrip('.')) != None: + upper_domain = self.get_domain_info(upper_domain_name) + if 'rrsets' in upper_domain: + for r in upper_domain['rrsets']: + if domain_name.rstrip('.') in r['name'].rstrip('.'): + current_app.logger.error('Domain already exists as a record: {} under domain: {}'.format(r['name'].rstrip('.'), upper_domain_name)) + return upper_domain_name + upper_domain_name = '.'.join(upper_domain_name.split('.')[1:]) + return None diff --git a/powerdnsadmin/models/record.py b/powerdnsadmin/models/record.py index e2e2b5a..b6c3f54 100644 --- a/powerdnsadmin/models/record.py +++ b/powerdnsadmin/models/record.py @@ -99,7 +99,7 @@ class Record(object): } # Continue if the record is ready to be added - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} try: jdata = utils.fetch_json(urljoin( @@ -169,12 +169,12 @@ class Record(object): record['record_data'] = record['record_data'].replace('[ZONE]', domain_name) # Translate record name into punycode (IDN) as that's the only way # to convey non-ascii records to the dns server - record['record_name'] = record['record_name'].encode('idna').decode() + record['record_name'] = utils.to_idna(record["record_name"], "encode") #TODO: error handling # If the record is an alias (CNAME), we will also make sure that # the target domain is properly converted to punycode (IDN) - if record["record_type"] == 'CNAME': - record['record_data'] = record['record_data'].encode('idna').decode() + if record['record_type'] == 'CNAME' or record['record_type'] == 'SOA': + record['record_data'] = utils.to_idna(record['record_data'], 'encode') #TODO: error handling # If it is ipv6 reverse zone and PRETTY_IPV6_PTR is enabled, # We convert ipv6 address back to reverse record format @@ -293,7 +293,7 @@ class Record(object): return new_rrsets, del_rrsets def apply_rrsets(self, domain_name, rrsets): - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} jdata = utils.fetch_json(urljoin( self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain_name)), @@ -303,10 +303,48 @@ class Record(object): data=rrsets) return jdata + @staticmethod + def to_api_payload(new_rrsets, del_rrsets): + """Turn the given changes into a single api payload.""" + + def replace_for_api(rrset): + """Return a modified copy of the given RRset with changetype REPLACE.""" + if not rrset or rrset.get('changetype', None) != 'REPLACE': + return rrset + replace_copy = dict(rrset) + # For compatibility with some backends: Remove comments from rrset if all are blank + if not any((bool(c.get('content', None)) for c in replace_copy.get('comments', []))): + replace_copy.pop('comments', None) + return replace_copy + + def rrset_in(needle, haystack): + """Return whether the given RRset (identified by name and type) is in the list.""" + for hay in haystack: + if needle['name'] == hay['name'] and needle['type'] == hay['type']: + return True + return False + + def delete_for_api(rrset): + """Return a minified copy of the given RRset with changetype DELETE.""" + if not rrset or rrset.get('changetype', None) != 'DELETE': + return rrset + delete_copy = dict(rrset) + delete_copy.pop('ttl', None) + delete_copy.pop('records', None) + delete_copy.pop('comments', None) + return delete_copy + + replaces = [replace_for_api(r) for r in new_rrsets] + deletes = [delete_for_api(r) for r in del_rrsets if not rrset_in(r, replaces)] + return { + # order matters: first deletions, then additions+changes + 'rrsets': deletes + replaces + } + def apply(self, domain_name, submitted_records): """ Apply record changes to a domain. This function - will make 2 calls to the PDNS API to DELETE and + will make 1 call to the PDNS API to DELETE and REPLACE records (rrsets) """ current_app.logger.debug( @@ -315,68 +353,24 @@ class Record(object): # Get the list of rrsets to be added and deleted new_rrsets, del_rrsets = self.compare(domain_name, submitted_records) - # Remove blank comments from rrsets for compatibility with some backends - def remove_blank_comments(rrset): - if not rrset['comments']: - del rrset['comments'] - elif isinstance(rrset['comments'], list): - # Merge all non-blank comment values into a list - merged_comments = [ - v - for c in rrset['comments'] - for v in c.values() - if v - ] - # Delete comment if all values are blank (len(merged_comments) == 0) - if not merged_comments: - del rrset['comments'] - - for r in new_rrsets['rrsets']: - remove_blank_comments(r) - - for r in del_rrsets['rrsets']: - remove_blank_comments(r) + # The history logic still needs *all* the deletes with full data to display a useful diff. + # So create a "minified" copy for the api call, and return the original data back up + api_payload = self.to_api_payload(new_rrsets['rrsets'], del_rrsets['rrsets']) + current_app.logger.debug(f"api payload: \n{utils.pretty_json(api_payload)}") # Submit the changes to PDNS API try: - if del_rrsets["rrsets"]: - result = self.apply_rrsets(domain_name, del_rrsets) + if api_payload["rrsets"]: + result = self.apply_rrsets(domain_name, api_payload) if 'error' in result.keys(): current_app.logger.error( - 'Cannot apply record changes with deleting rrsets step. PDNS error: {}' + 'Cannot apply record changes. PDNS error: {}' .format(result['error'])) return { 'status': 'error', 'msg': result['error'].replace("'", "") } - if new_rrsets["rrsets"]: - result = self.apply_rrsets(domain_name, new_rrsets) - if 'error' in result.keys(): - current_app.logger.error( - 'Cannot apply record changes with adding rrsets step. PDNS error: {}' - .format(result['error'])) - - # rollback - re-add the removed record if the adding operation is failed. - if del_rrsets["rrsets"]: - rollback_rrests = del_rrsets - for r in del_rrsets["rrsets"]: - r['changetype'] = 'REPLACE' - rollback = self.apply_rrsets(domain_name, rollback_rrests) - if 'error' in rollback.keys(): - return dict(status='error', - msg='Failed to apply changes. Cannot rollback previous failed operation: {}' - .format(rollback['error'].replace("'", ""))) - else: - return dict(status='error', - msg='Failed to apply changes. Rolled back previous failed operation: {}' - .format(result['error'].replace("'", ""))) - else: - return { - 'status': 'error', - 'msg': result['error'].replace("'", "") - } - self.auto_ptr(domain_name, new_rrsets, del_rrsets) self.update_db_serial(domain_name) current_app.logger.info('Record was applied successfully.') @@ -500,7 +494,7 @@ class Record(object): """ Delete a record from domain """ - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} data = { "rrsets": [{ "name": self.name.rstrip('.') + '.', @@ -562,7 +556,7 @@ class Record(object): """ Update single record """ - headers = {'X-API-Key': self.PDNS_API_KEY} + headers = {'X-API-Key': self.PDNS_API_KEY, 'Content-Type': 'application/json'} data = { "rrsets": [{ diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py index 4b9bcc5..a73c75c 100644 --- a/powerdnsadmin/models/setting.py +++ b/powerdnsadmin/models/setting.py @@ -28,7 +28,7 @@ class Setting(db.Model): 'allow_user_create_domain': False, 'allow_user_remove_domain': False, 'allow_user_view_history': False, - 'delete_sso_accounts': False, + 'delete_sso_accounts': False, 'bg_domain_updates': False, 'enable_api_rr_history': True, 'site_name': 'PowerDNS-Admin', @@ -110,6 +110,7 @@ class Setting(db.Model): 'oidc_oauth_email': 'email', 'oidc_oauth_account_name_property': '', 'oidc_oauth_account_description_property': '', + 'enforce_api_ttl': False, 'forward_records_allow_edit': { 'A': True, 'AAAA': True, @@ -189,7 +190,11 @@ class Setting(db.Model): 'ttl_options': '1 minute,5 minutes,30 minutes,60 minutes,24 hours', 'otp_field_enabled': True, 'custom_css': '', - 'max_history_records': 1000 + 'otp_force': False, + 'max_history_records': 1000, + 'deny_domain_override': False, + 'account_name_extra_chars': False, + 'gravatar_enabled': False, } def __init__(self, id=None, name=None, value=None): @@ -270,15 +275,15 @@ class Setting(db.Model): def get(self, setting): if setting in self.defaults: - + if setting.upper() in current_app.config: result = current_app.config[setting.upper()] else: result = self.query.filter(Setting.name == setting).first() - + if result is not None: if hasattr(result,'value'): - result = result.value + result = result.value return strtobool(result) if result in [ 'True', 'False' ] else result @@ -286,7 +291,7 @@ class Setting(db.Model): return self.defaults[setting] else: current_app.logger.error('Unknown setting queried: {0}'.format(setting)) - + def get_records_allow_to_edit(self): return list( set(self.get_forward_records_allow_to_edit() + diff --git a/powerdnsadmin/models/user.py b/powerdnsadmin/models/user.py index f5e3556..1e39569 100644 --- a/powerdnsadmin/models/user.py +++ b/powerdnsadmin/models/user.py @@ -8,6 +8,9 @@ import ldap.filter from flask import current_app from flask_login import AnonymousUserMixin from sqlalchemy import orm +import qrcode as qrc +import qrcode.image.svg as qrc_svg +from io import BytesIO from .base import db from .role import Role @@ -80,10 +83,7 @@ class User(db.Model): return False def get_id(self): - try: - return unicode(self.id) # python 2 - except NameError: - return str(self.id) # python 3 + return str(self.id) def __repr__(self): return ''.format(self.username) @@ -94,7 +94,7 @@ class User(db.Model): def verify_totp(self, token): totp = pyotp.TOTP(self.otp_secret) - return totp.verify(token) + return totp.verify(token, valid_window = 5) def get_hashed_password(self, plain_text_password=None): # Hash a password for the first time @@ -107,9 +107,10 @@ class User(db.Model): def check_password(self, hashed_password): # Check hashed password. Using bcrypt, the salt is saved into the hash itself - if (self.plain_text_password): - return bcrypt.checkpw(self.plain_text_password.encode('utf-8'), - hashed_password.encode('utf-8')) + if hasattr(self, "plain_text_password"): + if self.plain_text_password != None: + return bcrypt.checkpw(self.plain_text_password.encode('utf-8'), + hashed_password.encode('utf-8')) return False def get_user_info_by_id(self): @@ -125,7 +126,6 @@ class User(db.Model): conn = ldap.initialize(Setting().get('ldap_uri')) conn.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF) conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3) - conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND) conn.set_option(ldap.OPT_X_TLS_DEMAND, True) conn.set_option(ldap.OPT_DEBUG_LEVEL, 255) conn.protocol_version = ldap.VERSION3 @@ -171,28 +171,6 @@ class User(db.Model): current_app.logger.error(e) return False - def ad_recursive_groups(self, groupDN): - """ - Recursively list groups belonging to a group. It will allow checking deep in the Active Directory - whether a user is allowed to enter or not - """ - LDAP_BASE_DN = Setting().get('ldap_base_dn') - groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap.filter.escape_filter_chars( - groupDN) - result = [groupDN] - try: - groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN) - for group in groups: - result += [group[0][0]] - if 'memberOf' in group[0][1]: - for member in group[0][1]['memberOf']: - result += self.ad_recursive_groups( - member.decode("utf-8")) - return result - except ldap.LDAPError as e: - current_app.logger.exception("Recursive AD Group search error") - return result - def is_validate(self, method, src_ip='', trust_user=False): """ Validate user credential @@ -304,7 +282,17 @@ class User(db.Model): LDAP_USER_GROUP)) return False elif LDAP_TYPE == 'ad': - user_ldap_groups = [] + ldap_admin_group_filter, ldap_operator_group, ldap_user_group = "", "", "" + if LDAP_ADMIN_GROUP: + ldap_admin_group_filter = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_ADMIN_GROUP) + if LDAP_OPERATOR_GROUP: + ldap_operator_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_OPERATOR_GROUP) + if LDAP_USER_GROUP: + ldap_user_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_USER_GROUP) + searchFilter = "(&({0}={1})(|{2}{3}{4}))".format(LDAP_FILTER_USERNAME, self.username, + ldap_admin_group_filter, + ldap_operator_group, ldap_user_group) + ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN) user_ad_member_of = ldap_result[0][0][1].get( 'memberOf') @@ -314,26 +302,21 @@ class User(db.Model): .format(self.username)) return False - for group in [ - g.decode("utf-8") - for g in user_ad_member_of - ]: - user_ldap_groups += self.ad_recursive_groups( - group) + user_ad_member_of = [g.decode("utf-8") for g in user_ad_member_of] - if (LDAP_ADMIN_GROUP in user_ldap_groups): + if (LDAP_ADMIN_GROUP in user_ad_member_of): role_name = 'Administrator' current_app.logger.info( 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin' .format(self.username, LDAP_ADMIN_GROUP)) - elif (LDAP_OPERATOR_GROUP in user_ldap_groups): + elif (LDAP_OPERATOR_GROUP in user_ad_member_of): role_name = 'Operator' current_app.logger.info( 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin' .format(self.username, LDAP_OPERATOR_GROUP)) - elif (LDAP_USER_GROUP in user_ldap_groups): + elif (LDAP_USER_GROUP in user_ad_member_of): current_app.logger.info( 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin' .format(self.username, @@ -439,8 +422,12 @@ class User(db.Model): self.role_id = Role.query.filter_by( name='Administrator').first().id - self.password = self.get_hashed_password( - self.plain_text_password) if self.plain_text_password else '*' + if hasattr(self, "plain_text_password"): + if self.plain_text_password != None: + self.password = self.get_hashed_password( + self.plain_text_password) + else: + self.password = '*' if self.password and self.password != '*': self.password = self.password.decode("utf-8") @@ -476,9 +463,10 @@ class User(db.Model): user.email = self.email # store new password hash (only if changed) - if self.plain_text_password: - user.password = self.get_hashed_password( - self.plain_text_password).decode("utf-8") + if hasattr(self, "plain_text_password"): + if self.plain_text_password != None: + user.password = self.get_hashed_password( + self.plain_text_password).decode("utf-8") db.session.commit() return {'status': True, 'msg': 'User updated successfully'} @@ -493,9 +481,11 @@ class User(db.Model): user.firstname = self.firstname if self.firstname else user.firstname user.lastname = self.lastname if self.lastname else user.lastname - user.password = self.get_hashed_password( - self.plain_text_password).decode( - "utf-8") if self.plain_text_password else user.password + + if hasattr(self, "plain_text_password"): + if self.plain_text_password != None: + user.password = self.get_hashed_password( + self.plain_text_password).decode("utf-8") if self.email: # Can not update to a new email that @@ -634,6 +624,13 @@ class User(db.Model): accounts.append(q[1]) return accounts + def get_qrcode_value(self): + img = qrc.make(self.get_totp_uri(), + image_factory=qrc_svg.SvgPathImage) + stream = BytesIO() + img.save(stream) + return stream.getvalue() + def read_entitlements(self, key): """ @@ -787,14 +784,11 @@ def get_role_names(roles): """ roles_list=[] for role in roles: - roles_list.append(role.name) + roles_list.append(role.name) return roles_list - + def getUserInfo(DomainsOrAccounts): current=[] for DomainOrAccount in DomainsOrAccounts: current.append(DomainOrAccount.name) return current - - - diff --git a/powerdnsadmin/routes/__init__.py b/powerdnsadmin/routes/__init__.py index 829f110..7d8aa9a 100644 --- a/powerdnsadmin/routes/__init__.py +++ b/powerdnsadmin/routes/__init__.py @@ -1,15 +1,19 @@ -from .base import login_manager, handle_bad_request, handle_unauthorized_access, handle_access_forbidden, handle_page_not_found, handle_internal_server_error +from .base import ( + csrf, login_manager, handle_bad_request, handle_unauthorized_access, + handle_access_forbidden, handle_page_not_found, handle_internal_server_error +) from .index import index_bp from .user import user_bp from .dashboard import dashboard_bp from .domain import domain_bp from .admin import admin_bp -from .api import api_bp +from .api import api_bp, apilist_bp def init_app(app): login_manager.init_app(app) + csrf.init_app(app) app.register_blueprint(index_bp) app.register_blueprint(user_bp) @@ -17,6 +21,7 @@ def init_app(app): app.register_blueprint(domain_bp) app.register_blueprint(admin_bp) app.register_blueprint(api_bp) + app.register_blueprint(apilist_bp) app.register_error_handler(400, handle_bad_request) app.register_error_handler(401, handle_unauthorized_access) diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py index 17d84a6..9474503 100644 --- a/powerdnsadmin/routes/admin.py +++ b/powerdnsadmin/routes/admin.py @@ -23,6 +23,7 @@ from ..models.domain_template_record import DomainTemplateRecord from ..models.api_key import ApiKey from ..models.base import db +from ..lib.errors import ApiKeyCreateFail from ..lib.schema import ApiPlainKeySchema apikey_plain_schema = ApiPlainKeySchema(many=True) @@ -43,10 +44,10 @@ change_type: "addition" or "deletion" or "status" for status change or "unchange Note: A change in "content", is considered a deletion and recreation of the same record, holding the new content value. """ -def get_record_changes(del_rrest, add_rrest): +def get_record_changes(del_rrset, add_rrset): changeSet = [] - delSet = del_rrest['records'] if 'records' in del_rrest else [] - addSet = add_rrest['records'] if 'records' in add_rrest else [] + delSet = del_rrset['records'] if 'records' in del_rrset else [] + addSet = add_rrset['records'] if 'records' in add_rrset else [] for d in delSet: # get the deletions and status changes exists = False for a in addSet: @@ -86,44 +87,44 @@ def get_record_changes(del_rrest, add_rrest): return changeSet # out_changes is a list of HistoryRecordEntry objects in which we will append the new changes -# a HistoryRecordEntry represents a pair of add_rrest and del_rrest +# a HistoryRecordEntry represents a pair of add_rrset and del_rrset def extract_changelogs_from_a_history_entry(out_changes, history_entry, change_num, record_name=None, record_type=None): if history_entry.detail is None: return - if "add_rrests" in history_entry.detail: - detail_dict = json.loads(history_entry.detail.replace("\'", '')) + if "add_rrsets" in history_entry.detail: + detail_dict = json.loads(history_entry.detail) else: # not a record entry return - add_rrests = detail_dict['add_rrests'] - del_rrests = detail_dict['del_rrests'] + add_rrsets = detail_dict['add_rrsets'] + del_rrsets = detail_dict['del_rrsets'] - for add_rrest in add_rrests: + for add_rrset in add_rrsets: exists = False - for del_rrest in del_rrests: - if del_rrest['name'] == add_rrest['name'] and del_rrest['type'] == add_rrest['type']: + for del_rrset in del_rrsets: + if del_rrset['name'] == add_rrset['name'] and del_rrset['type'] == add_rrset['type']: exists = True if change_num not in out_changes: out_changes[change_num] = [] - out_changes[change_num].append(HistoryRecordEntry(history_entry, del_rrest, add_rrest, "*")) + out_changes[change_num].append(HistoryRecordEntry(history_entry, del_rrset, add_rrset, "*")) break if not exists: # this is a new record if change_num not in out_changes: out_changes[change_num] = [] - out_changes[change_num].append(HistoryRecordEntry(history_entry, [], add_rrest, "+")) # (add_rrest, del_rrest, change_type) - for del_rrest in del_rrests: + out_changes[change_num].append(HistoryRecordEntry(history_entry, [], add_rrset, "+")) # (add_rrset, del_rrset, change_type) + for del_rrset in del_rrsets: exists = False - for add_rrest in add_rrests: - if del_rrest['name'] == add_rrest['name'] and del_rrest['type'] == add_rrest['type']: + for add_rrset in add_rrsets: + if del_rrset['name'] == add_rrset['name'] and del_rrset['type'] == add_rrset['type']: exists = True # no need to add in the out_changes set break if not exists: # this is a deletion if change_num not in out_changes: out_changes[change_num] = [] - out_changes[change_num].append(HistoryRecordEntry(history_entry, del_rrest, [], "-")) + out_changes[change_num].append(HistoryRecordEntry(history_entry, del_rrset, [], "-")) # only used for changelog per record @@ -133,9 +134,9 @@ def extract_changelogs_from_a_history_entry(out_changes, history_entry, change_n else: return for hre in changes_i: # for each history record entry in changes_i - if 'type' in hre.add_rrest and hre.add_rrest['name'] == record_name and hre.add_rrest['type'] == record_type: + if 'type' in hre.add_rrset and hre.add_rrset['name'] == record_name and hre.add_rrset['type'] == record_type: continue - elif 'type' in hre.del_rrest and hre.del_rrest['name'] == record_name and hre.del_rrest['type'] == record_type: + elif 'type' in hre.del_rrset and hre.del_rrset['name'] == record_name and hre.del_rrset['type'] == record_type: continue else: out_changes[change_num].remove(hre) @@ -144,42 +145,42 @@ def extract_changelogs_from_a_history_entry(out_changes, history_entry, change_n # records with same (name,type) are considered as a single HistoryRecordEntry # history_entry is of type History - used to extract created_by and created_on -# add_rrest is a dictionary of replace -# del_rrest is a dictionary of remove +# add_rrset is a dictionary of replace +# del_rrset is a dictionary of remove class HistoryRecordEntry: - def __init__(self, history_entry, del_rrest, add_rrest, change_type): - # search the add_rrest index into the add_rrest set for the key (name, type) + def __init__(self, history_entry, del_rrset, add_rrset, change_type): + # search the add_rrset index into the add_rrset set for the key (name, type) self.history_entry = history_entry - self.add_rrest = add_rrest - self.del_rrest = del_rrest + self.add_rrset = add_rrset + self.del_rrset = del_rrset self.change_type = change_type # "*": edit or unchanged, "+" new tuple(name,type), "-" deleted (name,type) tuple self.changed_fields = [] # contains a subset of : [ttl, name, type] - self.changeSet = [] # all changes for the records of this add_rrest-del_rrest pair + self.changeSet = [] # all changes for the records of this add_rrset-del_rrset pair if change_type == "+": # addition self.changed_fields.append("name") self.changed_fields.append("type") self.changed_fields.append("ttl") - self.changeSet = get_record_changes(del_rrest, add_rrest) + self.changeSet = get_record_changes(del_rrset, add_rrset) elif change_type == "-": # removal self.changed_fields.append("name") self.changed_fields.append("type") self.changed_fields.append("ttl") - self.changeSet = get_record_changes(del_rrest, add_rrest) + self.changeSet = get_record_changes(del_rrset, add_rrset) elif change_type == "*": # edit of unchanged - if add_rrest['ttl'] != del_rrest['ttl']: + if add_rrset['ttl'] != del_rrset['ttl']: self.changed_fields.append("ttl") - self.changeSet = get_record_changes(del_rrest, add_rrest) + self.changeSet = get_record_changes(del_rrset, add_rrset) def toDict(self): return { - "add_rrest" : self.add_rrest, - "del_rrest" : self.del_rrest, + "add_rrset" : self.add_rrset, + "del_rrset" : self.del_rrset, "changed_fields" : self.changed_fields, "created_on" : self.history_entry.created_on, "created_by" : self.history_entry.created_by, @@ -362,13 +363,13 @@ def edit_key(key_id=None): current_app.logger.error('Error: {0}'.format(e)) history = History(msg=history_message, - detail=str({ - 'key': apikey.id, - 'role': apikey.role.name, - 'description': apikey.description, - 'domains': [domain.name for domain in apikey.domains], - 'accounts': [a.name for a in apikey.accounts] - }), + detail = json.dumps({ + 'key': apikey.id, + 'role': apikey.role.name, + 'description': apikey.description, + 'domains': [domain.name for domain in apikey.domains], + 'accounts': [a.name for a in apikey.accounts] + }), created_by=current_user.username) history.add() @@ -411,12 +412,12 @@ def manage_keys(): current_app.logger.info('Delete API key {0}'.format(apikey.id)) history = History(msg='Delete API key {0}'.format(apikey.id), - detail=str({ - 'key': history_apikey_id, - 'role': history_apikey_role, - 'description': history_apikey_description, - 'domains': history_apikey_domains - }), + detail = json.dumps({ + 'key': history_apikey_id, + 'role': history_apikey_role, + 'description': history_apikey_description, + 'domains': history_apikey_domains + }), created_by=current_user.username) history.add() @@ -763,10 +764,7 @@ class DetailedHistory(): self.detailed_msg = "" return - if 'add_rrest' in history.detail: - detail_dict = json.loads(history.detail.replace("\'", '')) - else: - detail_dict = json.loads(history.detail.replace("'", '"')) + detail_dict = json.loads(history.detail) if 'domain_type' in detail_dict and 'account_id' in detail_dict: # this is a domain creation self.detailed_msg = render_template_string(""" @@ -806,7 +804,7 @@ class DetailedHistory(): authenticator=detail_dict['authenticator'], ip_address=detail_dict['ip_address']) - elif 'add_rrests' in detail_dict: # this is a domain record change + elif 'add_rrsets' in detail_dict: # this is a domain record change # changes_set = [] self.detailed_msg = "" # extract_changelogs_from_a_history_entry(changes_set, history, 0) @@ -883,6 +881,16 @@ class DetailedHistory(): domain_type=DetailedHistory.get_key_val(detail_dict, "domain_type"), domain_master_ips=DetailedHistory.get_key_val(detail_dict, "domain_master_ips")) + elif DetailedHistory.get_key_val(detail_dict, 'msg') and DetailedHistory.get_key_val(detail_dict, 'status'): + self.detailed_msg = render_template_string(''' + + + +
Status: {{ history_status }}
Message:{{ history_msg }}
+ ''', + history_status=DetailedHistory.get_key_val(detail_dict, 'status'), + history_msg=DetailedHistory.get_key_val(detail_dict, 'msg')) + # check for lower key as well for old databases @staticmethod def get_key_val(_dict, key): @@ -895,7 +903,7 @@ def convert_histories(histories): detailedHistories = [] j = 0 for i in range(len(histories)): - if histories[i].detail and ('add_rrests' in histories[i].detail or 'del_rrests' in histories[i].detail): + if histories[i].detail and ('add_rrsets' in histories[i].detail or 'del_rrsets' in histories[i].detail): extract_changelogs_from_a_history_entry(changes_set, histories[i], j) if j in changes_set: detailedHistories.append(DetailedHistory(histories[i], changes_set[j])) @@ -1251,20 +1259,41 @@ def history_table(): # ajax call data @login_required @operator_role_required def setting_basic(): - if request.method == 'GET': - settings = [ - 'maintenance', 'fullscreen_layout', 'record_helper', - 'login_ldap_first', 'default_record_table_size', - 'default_domain_table_size', 'auto_ptr', 'record_quick_edit', - 'pretty_ipv6_ptr', 'dnssec_admins_only', - 'allow_user_create_domain', 'allow_user_remove_domain', 'allow_user_view_history', 'bg_domain_updates', 'site_name', - 'session_timeout', 'warn_session_timeout', 'ttl_options', - 'pdns_api_timeout', 'verify_ssl_connections', 'verify_user_email', - 'delete_sso_accounts', 'otp_field_enabled', 'custom_css', 'enable_api_rr_history', 'max_history_records' + settings = [ + 'account_name_extra_chars', + 'allow_user_create_domain', + 'allow_user_remove_domain', + 'allow_user_view_history', + 'auto_ptr', + 'bg_domain_updates', + 'custom_css', + 'default_domain_table_size', + 'default_record_table_size', + 'delete_sso_accounts', + 'deny_domain_override', + 'dnssec_admins_only', + 'enable_api_rr_history', + 'enforce_api_ttl', + 'fullscreen_layout', + 'gravatar_enabled', + 'login_ldap_first', + 'maintenance', + 'max_history_records', + 'otp_field_enabled', + 'otp_force', + 'pdns_api_timeout', + 'pretty_ipv6_ptr', + 'record_helper', + 'record_quick_edit', + 'session_timeout', + 'site_name', + 'ttl_options', + 'verify_ssl_connections', + 'verify_user_email', + 'warn_session_timeout', + ] - ] - - return render_template('admin_setting_basic.html', settings=settings) + return render_template('admin_setting_basic.html', settings=settings) @admin_bp.route('/setting/basic//edit', methods=['POST']) @@ -1664,10 +1693,10 @@ def create_template(): result = t.create() if result['status'] == 'ok': history = History(msg='Add domain template {0}'.format(name), - detail=str({ - 'name': name, - 'description': description - }), + detail = json.dumps({ + 'name': name, + 'description': description + }), created_by=current_user.username) history.add() return redirect(url_for('admin.templates')) @@ -1711,10 +1740,10 @@ def create_template_from_zone(): result = t.create() if result['status'] == 'ok': history = History(msg='Add domain template {0}'.format(name), - detail=str({ - 'name': name, - 'description': description - }), + detail = json.dumps({ + 'name': name, + 'description': description + }), created_by=current_user.username) history.add() @@ -1844,7 +1873,7 @@ def apply_records(template): history = History( msg='Apply domain template record changes to domain template {0}' .format(template), - detail=str(json.dumps(jdata)), + detail = json.dumps(jdata), created_by=current_user.username) history.add() return make_response(jsonify(result), 200) @@ -1874,7 +1903,7 @@ def delete_template(template): if result['status'] == 'ok': history = History( msg='Deleted domain template {0}'.format(template), - detail=str({'name': template}), + detail = json.dumps({'name': template}), created_by=current_user.username) history.add() return redirect(url_for('admin.templates')) diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py index 4fce368..3df31e1 100644 --- a/powerdnsadmin/routes/api.py +++ b/powerdnsadmin/routes/api.py @@ -6,6 +6,7 @@ from flask import ( ) from flask_login import current_user +from .base import csrf from ..models.base import db from ..models import ( User, Domain, DomainUser, Account, AccountUser, History, Setting, ApiKey, @@ -23,19 +24,20 @@ from ..lib.errors import ( AccountCreateFail, AccountUpdateFail, AccountDeleteFail, AccountCreateDuplicate, AccountNotExists, UserCreateFail, UserCreateDuplicate, UserUpdateFail, UserDeleteFail, - UserUpdateFailEmail, + UserUpdateFailEmail, InvalidAccountNameException ) from ..decorators import ( api_basic_auth, api_can_create_domain, is_json, apikey_auth, apikey_can_create_domain, apikey_can_remove_domain, apikey_is_admin, apikey_can_access_domain, apikey_can_configure_dnssec, api_role_can, apikey_or_basic_auth, - callback_if_request_body_contains_key, + callback_if_request_body_contains_key, allowed_record_types, allowed_record_ttl ) import secrets import string api_bp = Blueprint('api', __name__, url_prefix='/api/v1') +apilist_bp = Blueprint('apilist', __name__, url_prefix='/') apikey_schema = ApiKeySchema(many=True) apikey_single_schema = ApiKeySchema() @@ -47,6 +49,7 @@ user_detailed_schema = UserDetailedSchema() account_schema = AccountSchema(many=True) account_single_schema = AccountSchema() + def get_user_domains(): domains = db.session.query(Domain) \ .outerjoin(DomainUser, Domain.id == DomainUser.domain_id) \ @@ -177,9 +180,15 @@ def before_request(): })) +@apilist_bp.route('/api', methods=['GET']) +def index(): + return '[{"url": "/api/v1", "version": 1}]', 200 + + @api_bp.route('/pdnsadmin/zones', methods=['POST']) @api_basic_auth @api_can_create_domain +@csrf.exempt def api_login_create_zone(): pdns_api_url = Setting().get('pdns_api_url') pdns_api_key = Setting().get('pdns_api_key') @@ -188,6 +197,7 @@ def api_login_create_zone(): api_full_uri = api_uri_with_prefix + '/servers/localhost/zones' headers = {} headers['X-API-Key'] = pdns_api_key + headers['Content-Type'] = 'application/json' msg_str = "Sending request to powerdns API {0}" msg = msg_str.format(request.get_json(force=True)) @@ -247,6 +257,7 @@ def api_login_list_zones(): @api_bp.route('/pdnsadmin/zones/', methods=['DELETE']) @api_basic_auth @api_can_create_domain +@csrf.exempt def api_login_delete_zone(domain_name): pdns_api_url = Setting().get('pdns_api_url') pdns_api_key = Setting().get('pdns_api_key') @@ -287,13 +298,12 @@ def api_login_delete_zone(domain_name): domain.update() history = History(msg='Delete domain {0}'.format( - pretty_domain_name(domain_name)), + utils.pretty_domain_name(domain_name)), detail='', created_by=current_user.username, domain_id=domain_id) history.add() - except Exception as e: current_app.logger.error('Error: {0}'.format(e)) abort(500) @@ -303,6 +313,7 @@ def api_login_delete_zone(domain_name): @api_bp.route('/pdnsadmin/apikeys', methods=['POST']) @api_basic_auth +@csrf.exempt def api_generate_apikey(): data = request.get_json() description = None @@ -459,6 +470,7 @@ def api_get_apikey(apikey_id): @api_bp.route('/pdnsadmin/apikeys/', methods=['DELETE']) @api_basic_auth +@csrf.exempt def api_delete_apikey(apikey_id): apikey = ApiKey.query.get(apikey_id) @@ -496,6 +508,7 @@ def api_delete_apikey(apikey_id): @api_bp.route('/pdnsadmin/apikeys/', methods=['PUT']) @api_basic_auth +@csrf.exempt def api_update_apikey(apikey_id): # if role different and user is allowed to change it, update # if apikey domains are different and user is allowed to handle @@ -657,6 +670,7 @@ def api_list_users(username=None): @api_bp.route('/pdnsadmin/users', methods=['POST']) @api_basic_auth @api_role_can('create users', allow_self=True) +@csrf.exempt def api_create_user(): """ Create new user @@ -730,6 +744,7 @@ def api_create_user(): @api_bp.route('/pdnsadmin/users/', methods=['PUT']) @api_basic_auth @api_role_can('update users', allow_self=True) +@csrf.exempt def api_update_user(user_id): """ Update existing user @@ -802,6 +817,7 @@ def api_update_user(user_id): @api_bp.route('/pdnsadmin/users/', methods=['DELETE']) @api_basic_auth @api_role_can('delete users') +@csrf.exempt def api_delete_user(user_id): user = User.query.get(user_id) if not user: @@ -853,6 +869,7 @@ def api_list_accounts(account_name): @api_bp.route('/pdnsadmin/accounts', methods=['POST']) @api_basic_auth +@csrf.exempt def api_create_account(): if current_user.role.name not in ['Administrator', 'Operator']: msg = "{} role cannot create accounts".format(current_user.role.name) @@ -863,12 +880,15 @@ def api_create_account(): contact = data['contact'] if 'contact' in data else None mail = data['mail'] if 'mail' in data else None if not name: - current_app.logger.debug("Account name missing") - abort(400) + current_app.logger.debug("Account creation failed: name missing") + raise InvalidAccountNameException(message="Account name missing") + + sanitized_name = Account.sanitize_name(name) + account_exists = Account.query.filter(Account.name == sanitized_name).all() - account_exists = [] or Account.query.filter(Account.name == name).all() if len(account_exists) > 0: - msg = "Account {} already exists".format(name) + msg = ("Requested Account {} would be translated to {}" + " which already exists").format(name, sanitized_name) current_app.logger.debug(msg) raise AccountCreateDuplicate(message=msg) @@ -894,6 +914,7 @@ def api_create_account(): @api_bp.route('/pdnsadmin/accounts/', methods=['PUT']) @api_basic_auth @api_role_can('update accounts') +@csrf.exempt def api_update_account(account_id): data = request.get_json() name = data['name'] if 'name' in data else None @@ -906,8 +927,9 @@ def api_update_account(account_id): if not account: abort(404) - if name and name != account.name: - abort(400) + if name and Account.sanitize_name(name) != account.name: + msg = "Account name is immutable" + raise AccountUpdateFail(message=msg) if current_user.role.name not in ['Administrator', 'Operator']: msg = "User role update accounts" @@ -934,12 +956,25 @@ def api_update_account(account_id): @api_bp.route('/pdnsadmin/accounts/', methods=['DELETE']) @api_basic_auth @api_role_can('delete accounts') +@csrf.exempt def api_delete_account(account_id): account_list = [] or Account.query.filter(Account.id == account_id).all() if len(account_list) == 1: account = account_list[0] else: abort(404) + current_app.logger.debug( + f'Deleting Account {account.name}' + ) + + # Remove account association from domains first + if len(account.domains) > 0: + for domain in account.domains: + current_app.logger.info(f"Disassociating domain {domain.name} with {account.name}") + Domain(name=domain.name).assoc_account(None, update=False) + current_app.logger.info("Syncing all domains") + Domain().update() + current_app.logger.debug( "Deleting account {} ({})".format(account_id, account.name)) result = account.delete_account() @@ -973,6 +1008,7 @@ def api_list_account_users(account_id): methods=['PUT']) @api_basic_auth @api_role_can('add user to account') +@csrf.exempt def api_add_account_user(account_id, user_id): account = Account.query.get(account_id) if not account: @@ -1000,6 +1036,7 @@ def api_add_account_user(account_id, user_id): methods=['DELETE']) @api_basic_auth @api_role_can('remove user from account') +@csrf.exempt def api_remove_account_user(account_id, user_id): account = Account.query.get(account_id) if not account: @@ -1031,6 +1068,7 @@ def api_remove_account_user(account_id, user_id): @apikey_auth @apikey_can_access_domain @apikey_can_configure_dnssec(http_methods=['POST']) +@csrf.exempt def api_zone_cryptokeys(server_id, zone_id): resp = helper.forward_request() return resp.content, resp.status_code, resp.headers.items() @@ -1042,6 +1080,7 @@ def api_zone_cryptokeys(server_id, zone_id): @apikey_auth @apikey_can_access_domain @apikey_can_configure_dnssec() +@csrf.exempt def api_zone_cryptokey(server_id, zone_id, cryptokey_id): resp = helper.forward_request() return resp.content, resp.status_code, resp.headers.items() @@ -1052,6 +1091,7 @@ def api_zone_cryptokey(server_id, zone_id, cryptokey_id): methods=['GET', 'POST', 'PUT', 'PATCH', 'DELETE']) @apikey_auth @apikey_can_access_domain +@csrf.exempt def api_zone_subpath_forward(server_id, zone_id, subpath): resp = helper.forward_request() return resp.content, resp.status_code, resp.headers.items() @@ -1060,11 +1100,14 @@ def api_zone_subpath_forward(server_id, zone_id, subpath): @api_bp.route('/servers//zones/', methods=['GET', 'PUT', 'PATCH', 'DELETE']) @apikey_auth +@allowed_record_types +@allowed_record_ttl @apikey_can_access_domain @apikey_can_remove_domain(http_methods=['DELETE']) @callback_if_request_body_contains_key(apikey_can_configure_dnssec()(), http_methods=['PUT'], keys=['dnssec', 'nsec3param']) +@csrf.exempt def api_zone_forward(server_id, zone_id): resp = helper.forward_request() if not Setting().get('bg_domain_updates'): @@ -1074,7 +1117,7 @@ def api_zone_forward(server_id, zone_id): if 200 <= status < 300: current_app.logger.debug("Request to powerdns API successful") if Setting().get('enable_api_rr_history'): - if request.method in ['POST', 'PATCH'] : + if request.method in ['POST', 'PATCH']: data = request.get_json(force=True) for rrset_data in data['rrsets']: history = History(msg='{0} zone {1} record of {2}'.format( @@ -1102,6 +1145,7 @@ def api_zone_forward(server_id, zone_id): @api_bp.route('/servers/', methods=['GET', 'PUT']) @apikey_auth @apikey_is_admin +@csrf.exempt def api_server_sub_forward(subpath): resp = helper.forward_request() return resp.content, resp.status_code, resp.headers.items() @@ -1110,6 +1154,7 @@ def api_server_sub_forward(subpath): @api_bp.route('/servers//zones', methods=['POST']) @apikey_auth @apikey_can_create_domain +@csrf.exempt def api_create_zone(server_id): resp = helper.forward_request() @@ -1147,8 +1192,10 @@ def api_get_zones(server_id): return jsonify(domain_schema.dump(domain_obj_list)), 200 else: resp = helper.forward_request() - if (g.apikey.role.name not in ['Administrator', 'Operator'] - and resp.status_code == 200): + if ( + g.apikey.role.name not in ['Administrator', 'Operator'] + and resp.status_code == 200 + ): domain_list = [d['name'] for d in domain_schema.dump(g.apikey.domains)] @@ -1169,16 +1216,35 @@ def api_server_forward(): resp = helper.forward_request() return resp.content, resp.status_code, resp.headers.items() + @api_bp.route('/servers/', methods=['GET']) @apikey_auth def api_server_config_forward(server_id): resp = helper.forward_request() return resp.content, resp.status_code, resp.headers.items() -# The endpoint to snychronize Domains in background +# The endpoint to synchronize Domains in background @api_bp.route('/sync_domains', methods=['GET']) @apikey_or_basic_auth def sync_domains(): domain = Domain() domain.update() return 'Finished synchronization in background', 200 + +@api_bp.route('/health', methods=['GET']) +@apikey_auth +def health(): + domain = Domain() + domain_to_query = domain.query.first() + + if not domain_to_query: + current_app.logger.error("No domain found to query a health check") + return make_response("Unknown", 503) + + try: + domain.get_domain_info(domain_to_query.name) + except Exception as e: + current_app.logger.error("Health Check - Failed to query authoritative server for domain {}".format(domain_to_query.name)) + return make_response("Down", 503) + + return make_response("Up", 200) diff --git a/powerdnsadmin/routes/base.py b/powerdnsadmin/routes/base.py index 48ef1c0..16ed00a 100644 --- a/powerdnsadmin/routes/base.py +++ b/powerdnsadmin/routes/base.py @@ -1,9 +1,13 @@ import base64 + from flask import render_template, url_for, redirect, session, request, current_app from flask_login import LoginManager +from flask_seasurf import SeaSurf from ..models.user import User + +csrf = SeaSurf() login_manager = LoginManager() diff --git a/powerdnsadmin/routes/domain.py b/powerdnsadmin/routes/domain.py index e3b61cc..87d0be4 100644 --- a/powerdnsadmin/routes/domain.py +++ b/powerdnsadmin/routes/domain.py @@ -10,6 +10,7 @@ from flask_login import login_required, current_user, login_manager from ..lib.utils import pretty_domain_name from ..lib.utils import pretty_json +from ..lib.utils import to_idna from ..decorators import can_create_domain, operator_role_required, can_access_domain, can_configure_dnssec, can_remove_domain from ..models.user import User, Anonymous from ..models.account import Account @@ -31,7 +32,6 @@ domain_bp = Blueprint('domain', template_folder='templates', url_prefix='/domain') - @domain_bp.before_request def before_request(): # Check if user is anonymous @@ -63,7 +63,7 @@ def domain(domain_name): # Query domain's rrsets from PowerDNS API rrsets = Record().get_rrsets(domain.name) - current_app.logger.debug("Fetched rrests: \n{}".format(pretty_json(rrsets))) + current_app.logger.debug("Fetched rrsets: \n{}".format(pretty_json(rrsets))) # API server might be down, misconfigured if not rrsets and domain.type != 'Slave': @@ -202,7 +202,7 @@ def changelog(domain_name): # Query domain's rrsets from PowerDNS API rrsets = Record().get_rrsets(domain.name) - current_app.logger.debug("Fetched rrests: \n{}".format(pretty_json(rrsets))) + current_app.logger.debug("Fetched rrsets: \n{}".format(pretty_json(rrsets))) # API server might be down, misconfigured if not rrsets and domain.type != 'Slave': @@ -277,7 +277,7 @@ def changelog(domain_name): """ Returns a changelog for a specific pair of (record_name, record_type) """ -@domain_bp.route('//changelog/-', methods=['GET']) +@domain_bp.route('//changelog//', methods=['GET']) @login_required @can_access_domain @history_access_required @@ -290,7 +290,7 @@ def record_changelog(domain_name, record_name, record_type): abort(404) # Query domain's rrsets from PowerDNS API rrsets = Record().get_rrsets(domain.name) - current_app.logger.debug("Fetched rrests: \n{}".format(pretty_json(rrsets))) + current_app.logger.debug("Fetched rrsets: \n{}".format(pretty_json(rrsets))) # API server might be down, misconfigured if not rrsets and domain.type != 'Slave': @@ -328,9 +328,9 @@ def record_changelog(domain_name, record_name, record_type): for change_num in changes_set_of_record: changes_i = changes_set_of_record[change_num] for hre in changes_i: # for each history record entry in changes_i - if 'type' in hre.add_rrest and hre.add_rrest['name'] == record_name and hre.add_rrest['type'] == record_type: + if 'type' in hre.add_rrset and hre.add_rrset['name'] == record_name and hre.add_rrset['type'] == record_type: continue - elif 'type' in hre.del_rrest and hre.del_rrest['name'] == record_name and hre.del_rrest['type'] == record_type: + elif 'type' in hre.del_rrset and hre.del_rrset['name'] == record_name and hre.del_rrset['type'] == record_type: continue else: changes_set_of_record[change_num].remove(hre) @@ -363,6 +363,9 @@ def add(): 'errors/400.html', msg="Please enter a valid domain name"), 400 + if domain_name.endswith('.'): + domain_name = domain_name[:-1] + # If User creates the domain, check some additional stuff if current_user.role.name not in ['Administrator', 'Operator']: # Get all the account_ids of the user @@ -379,7 +382,7 @@ def add(): # Encode domain name into punycode (IDN) try: - domain_name = domain_name.encode('idna').decode() + domain_name = to_idna(domain_name, 'encode') except: current_app.logger.error("Cannot encode the domain name {}".format(domain_name)) current_app.logger.debug(traceback.format_exc()) @@ -400,6 +403,38 @@ def add(): account_name = Account().get_name_by_id(account_id) d = Domain() + + ### Test if a record same as the domain already exists in an upper level domain + if Setting().get('deny_domain_override'): + + upper_domain = None + domain_override = False + domain_override_toggle = False + + if current_user.role.name in ['Administrator', 'Operator']: + domain_override = request.form.get('domain_override') + domain_override_toggle = True + + + # If overriding box is not selected. + # False = Do not allow ovrriding, perform checks + # True = Allow overriding, do not perform checks + if not domain_override: + upper_domain = d.is_overriding(domain_name) + + if upper_domain: + if current_user.role.name in ['Administrator', 'Operator']: + accounts = Account.query.order_by(Account.name).all() + else: + accounts = current_user.get_accounts() + + msg = 'Domain already exists as a record under domain: {}'.format(upper_domain) + + return render_template('domain_add.html', + domain_override_message=msg, + accounts=accounts, + domain_override_toggle=domain_override_toggle) + result = d.add(domain_name=domain_name, domain_type=domain_type, soa_edit_api=soa_edit_api, @@ -409,7 +444,7 @@ def add(): domain_id = Domain().get_id_by_name(domain_name) history = History(msg='Add domain {0}'.format( pretty_domain_name(domain_name)), - detail=str({ + detail = json.dumps({ 'domain_type': domain_type, 'domain_master_ips': domain_master_ips, 'account_id': account_id @@ -445,17 +480,16 @@ def add(): history = History( msg='Applying template {0} to {1} successfully.'. format(template.name, domain_name), - detail=str( - json.dumps({ - "domain": + detail = json.dumps({ + 'domain': domain_name, - "template": + 'template': template.name, - "add_rrests": + 'add_rrsets': result['data'][0]['rrsets'], - "del_rrests": + 'del_rrsets': result['data'][1]['rrsets'] - })), + }), created_by=current_user.username, domain_id=domain_id) history.add() @@ -464,7 +498,7 @@ def add(): msg= 'Failed to apply template {0} to {1}.' .format(template.name, domain_name), - detail=str(result), + detail = json.dumps(result), created_by=current_user.username) history.add() return redirect(url_for('dashboard.dashboard')) @@ -478,14 +512,17 @@ def add(): # Get else: + domain_override_toggle = False # Admins and Operators can set to any account if current_user.role.name in ['Administrator', 'Operator']: accounts = Account.query.order_by(Account.name).all() + domain_override_toggle = True else: accounts = current_user.get_accounts() return render_template('domain_add.html', templates=templates, - accounts=accounts) + accounts=accounts, + domain_override_toggle=domain_override_toggle) @@ -545,7 +582,7 @@ def setting(domain_name): history = History( msg='Change domain {0} access control'.format( pretty_domain_name(domain_name)), - detail=str({'user_has_access': new_user_list}), + detail=json.dumps({'user_has_access': new_user_list}), created_by=current_user.username, domain_id=d.id) history.add() @@ -583,7 +620,7 @@ def change_type(domain_name): if status['status'] == 'ok': history = History(msg='Update type for domain {0}'.format( pretty_domain_name(domain_name)), - detail=str({ + detail=json.dumps({ "domain": domain_name, "type": domain_type, "masters": domain_master_ips @@ -617,9 +654,9 @@ def change_soa_edit_api(domain_name): history = History( msg='Update soa_edit_api for domain {0}'.format( pretty_domain_name(domain_name)), - detail=str({ - "domain": domain_name, - "soa_edit_api": new_setting + detail = json.dumps({ + 'domain': domain_name, + 'soa_edit_api': new_setting }), created_by=current_user.username, domain_id=d.get_id_by_name(domain_name)) @@ -684,12 +721,11 @@ def record_apply(domain_name): if result['status'] == 'ok': history = History( msg='Apply record changes to domain {0}'.format(pretty_domain_name(domain_name)), - detail=str( - json.dumps({ - "domain": domain_name, - "add_rrests": result['data'][0]['rrsets'], - "del_rrests": result['data'][1]['rrsets'] - })), + detail = json.dumps({ + 'domain': domain_name, + 'add_rrsets': result['data'][0]['rrsets'], + 'del_rrsets': result['data'][1]['rrsets'] + }), created_by=current_user.username, domain_id=domain.id) history.add() @@ -698,11 +734,10 @@ def record_apply(domain_name): history = History( msg='Failed to apply record changes to domain {0}'.format( pretty_domain_name(domain_name)), - detail=str( - json.dumps({ - "domain": domain_name, - "msg": result['msg'], - })), + detail = json.dumps({ + 'domain': domain_name, + 'msg': result['msg'], + }), created_by=current_user.username) history.add() return make_response(jsonify(result), 400) @@ -780,6 +815,12 @@ def dnssec(domain_name): def dnssec_enable(domain_name): domain = Domain() dnssec = domain.enable_domain_dnssec(domain_name) + domain_object = Domain.query.filter(domain_name == Domain.name).first() + history = History( + msg='DNSSEC was enabled for domain ' + domain_name , + created_by=current_user.username, + domain_id=domain_object.id) + history.add() return make_response(jsonify(dnssec), 200) @@ -793,7 +834,12 @@ def dnssec_disable(domain_name): for key in dnssec['dnssec']: domain.delete_dnssec_key(domain_name, key['id']) - + domain_object = Domain.query.filter(domain_name == Domain.name).first() + history = History( + msg='DNSSEC was disabled for domain ' + domain_name , + created_by=current_user.username, + domain_id=domain_object.id) + history.add() return make_response(jsonify({'status': 'ok', 'msg': 'DNSSEC removed.'})) diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py index ccdcd6b..e6e8343 100644 --- a/powerdnsadmin/routes/index.py +++ b/powerdnsadmin/routes/index.py @@ -4,13 +4,13 @@ import json import traceback import datetime import ipaddress +import base64 from distutils.util import strtobool from yaml import Loader, load -from onelogin.saml2.utils import OneLogin_Saml2_Utils from flask import Blueprint, render_template, make_response, url_for, current_app, g, session, request, redirect, abort from flask_login import login_user, logout_user, login_required, current_user -from .base import login_manager +from .base import csrf, login_manager from ..lib import utils from ..decorators import dyndns_login_required from ..models.base import db @@ -84,7 +84,6 @@ def index(): @index_bp.route('/ping', methods=['GET']) -@login_required def ping(): return make_response('ok') @@ -167,10 +166,8 @@ def login(): return redirect(url_for('index.login')) session['user_id'] = user.id - login_user(user, remember=False) session['authentication_type'] = 'OAuth' - signin_history(user.username, 'Google OAuth', True) - return redirect(url_for('index.index')) + return authenticate_user(user, 'Google OAuth') if 'github_token' in session: me = json.loads(github.get('user').text) @@ -195,9 +192,7 @@ def login(): session['user_id'] = user.id session['authentication_type'] = 'OAuth' - login_user(user, remember=False) - signin_history(user.username, 'Github OAuth', True) - return redirect(url_for('index.index')) + return authenticate_user(user, 'Github OAuth') if 'azure_token' in session: azure_info = azure.get('me?$select=displayName,givenName,id,mail,surname,userPrincipalName').text @@ -329,14 +324,15 @@ def login(): continue account = Account() - account_id = account.get_id_by_name(account_name=group_name) + sanitized_group_name = Account.sanitize_name(group_name) + account_id = account.get_id_by_name(account_name=sanitized_group_name) if account_id: account = Account.query.get(account_id) # check if user has permissions account_users = account.get_user() current_app.logger.info('Group: {} Users: {}'.format( - group_name, + group_name, account_users)) if user.id in account_users: current_app.logger.info('User id {} is already in account {}'.format( @@ -350,13 +346,15 @@ def login(): current_app.logger.info('User {} added to Account {}'.format( user.username, account.name)) else: - account.name = group_name - account.description = group_description - account.contact = '' - account.mail = '' + account = Account( + name=sanitized_group_name, + description=group_description, + contact='', + mail='' + ) account.create_account() history = History(msg='Create account {0}'.format( - account.name), + account.name), created_by='System') history.add() @@ -366,10 +364,7 @@ def login(): history.add() current_app.logger.warning('group info: {} '.format(account_id)) - - login_user(user, remember=False) - signin_history(user.username, 'Azure OAuth', True) - return redirect(url_for('index.index')) + return authenticate_user(user, 'Azure OAuth') if 'oidc_token' in session: me = json.loads(oidc.get('userinfo').text) @@ -409,7 +404,7 @@ def login(): if name_prop in me and desc_prop in me: accounts_name_prop = [me[name_prop]] if type(me[name_prop]) is not list else me[name_prop] accounts_desc_prop = [me[desc_prop]] if type(me[desc_prop]) is not list else me[desc_prop] - + #Run on all groups the user is in by the index num. for i in range(len(accounts_name_prop)): description = '' @@ -419,7 +414,7 @@ def login(): account_to_add.append(account) user_accounts = user.get_accounts() - + # Add accounts for account in account_to_add: if account not in user_accounts: @@ -433,9 +428,7 @@ def login(): session['user_id'] = user.id session['authentication_type'] = 'OAuth' - login_user(user, remember=False) - signin_history(user.username, 'OIDC OAuth', True) - return redirect(url_for('index.index')) + return authenticate_user(user, 'OIDC OAuth') if request.method == 'GET': return render_template('login.html', saml_enabled=SAML_ENABLED) @@ -469,7 +462,7 @@ def login(): auth = user.is_validate(method=auth_method, src_ip=request.remote_addr) if auth == False: - signin_history(user.username, 'LOCAL', False) + signin_history(user.username, auth_method, False) return render_template('login.html', saml_enabled=SAML_ENABLED, error='Invalid credentials') @@ -486,7 +479,7 @@ def login(): if otp_token and otp_token.isdigit(): good_token = user.verify_totp(otp_token) if not good_token: - signin_history(user.username, 'LOCAL', False) + signin_history(user.username, auth_method, False) return render_template('login.html', saml_enabled=SAML_ENABLED, error='Invalid credentials') @@ -495,13 +488,13 @@ def login(): saml_enabled=SAML_ENABLED, error='Token required') - if Setting().get('autoprovisioning') and auth_method!='LOCAL': + if Setting().get('autoprovisioning') and auth_method!='LOCAL': urn_value=Setting().get('urn_value') Entitlements=user.read_entitlements(Setting().get('autoprovisioning_attribute')) if len(Entitlements)==0 and Setting().get('purge'): user.set_role("User") user.revoke_privilege(True) - + elif len(Entitlements)!=0: if checkForPDAEntries(Entitlements, urn_value): user.updateUser(Entitlements) @@ -512,9 +505,7 @@ def login(): user.revoke_privilege(True) current_app.logger.warning('Procceding to revoke every privilige from ' + user.username + '.' ) - login_user(user, remember=remember_me) - signin_history(user.username, 'LOCAL', True) - return redirect(session.get('next', url_for('index.index'))) + return authenticate_user(user, auth_method, remember_me) def checkForPDAEntries(Entitlements, urn_value): """ @@ -561,12 +552,12 @@ def signin_history(username, authenticator, success): # Write history History(msg='User {} authentication {}'.format(username, str_success), - detail=str({ - "username": username, - "authenticator": authenticator, - "ip_address": request_ip, - "success": 1 if success else 0 - }), + detail = json.dumps({ + 'username': username, + 'authenticator': authenticator, + 'ip_address': request_ip, + 'success': 1 if success else 0 + }), created_by='System').add() # Get a list of Azure security groups the user is a member of @@ -584,6 +575,23 @@ def get_azure_groups(uri): mygroups = [] return mygroups +# Handle user login, write history and, if set, handle showing the register_otp QR code. +# if Setting for OTP on first login is enabled, and OTP field is also enabled, +# but user isn't using it yet, enable OTP, get QR code and display it, logging the user out. +def authenticate_user(user, authenticator, remember=False): + login_user(user, remember=remember) + signin_history(user.username, authenticator, True) + if Setting().get('otp_force') and Setting().get('otp_field_enabled') and not user.otp_secret: + user.update_profile(enable_otp=True) + user_id = current_user.id + prepare_welcome_user(user_id) + return redirect(url_for('index.welcome')) + return redirect(url_for('index.login')) + +# Prepare user to enter /welcome screen, otherwise they won't have permission to do so +def prepare_welcome_user(user_id): + logout_user() + session['welcome_user_id'] = user_id @index_bp.route('/logout') def logout(): @@ -674,7 +682,12 @@ def register(): if result and result['status']: if Setting().get('verify_user_email'): send_account_verification(email) - return redirect(url_for('index.login')) + if Setting().get('otp_force') and Setting().get('otp_field_enabled'): + user.update_profile(enable_otp=True) + prepare_welcome_user(user.id) + return redirect(url_for('index.welcome')) + else: + return redirect(url_for('index.login')) else: return render_template('register.html', error=result['msg']) @@ -684,6 +697,28 @@ def register(): return render_template('errors/404.html'), 404 +# Show welcome page on first login if otp_force is enabled +@index_bp.route('/welcome', methods=['GET', 'POST']) +def welcome(): + if 'welcome_user_id' not in session: + return redirect(url_for('index.index')) + + user = User(id=session['welcome_user_id']) + encoded_img_data = base64.b64encode(user.get_qrcode_value()) + + if request.method == 'GET': + return render_template('register_otp.html', qrcode_image=encoded_img_data.decode(), user=user) + elif request.method == 'POST': + otp_token = request.form.get('otptoken', '') + if otp_token and otp_token.isdigit(): + good_token = user.verify_totp(otp_token) + if not good_token: + return render_template('register_otp.html', qrcode_image=encoded_img_data.decode(), user=user, error="Invalid token") + else: + return render_template('register_otp.html', qrcode_image=encoded_img_data.decode(), user=user, error="Token required") + session.pop('welcome_user_id') + return redirect(url_for('index.index')) + @index_bp.route('/confirm/', methods=['GET']) def confirm_email(token): email = confirm_token(token) @@ -729,6 +764,7 @@ def resend_confirmation_email(): @index_bp.route('/nic/checkip.html', methods=['GET', 'POST']) +@csrf.exempt def dyndns_checkip(): # This route covers the default ddclient 'web' setting for the checkip service return render_template('dyndns.html', @@ -737,6 +773,7 @@ def dyndns_checkip(): @index_bp.route('/nic/update', methods=['GET', 'POST']) +@csrf.exempt @dyndns_login_required def dyndns_update(): # dyndns protocol response codes in use are: @@ -804,7 +841,7 @@ def dyndns_update(): remote_addr = utils.validate_ipaddress( request.headers.get('X-Forwarded-For', - request.remote_addr).split(', ')[:1]) + request.remote_addr).split(', ')[0]) response = 'nochg' for ip in myip_addr or remote_addr: @@ -831,13 +868,13 @@ def dyndns_update(): if result['status'] == 'ok': history = History( msg='DynDNS update: updated {} successfully'.format(hostname), - detail=str({ - "domain": domain.name, - "record": hostname, - "type": rtype, - "old_value": oldip, - "new_value": str(ip) - }), + detail = json.dumps({ + 'domain': domain.name, + 'record': hostname, + 'type': rtype, + 'old_value': oldip, + 'new_value': str(ip) + }), created_by=current_user.username, domain_id=domain.id) history.add() @@ -873,11 +910,11 @@ def dyndns_update(): msg= 'DynDNS update: created record {0} in zone {1} successfully' .format(hostname, domain.name, str(ip)), - detail=str({ - "domain": domain.name, - "record": hostname, - "value": str(ip) - }), + detail = json.dumps({ + 'domain': domain.name, + 'record': hostname, + 'value': str(ip) + }), created_by=current_user.username, domain_id=domain.id) history.add() @@ -898,6 +935,7 @@ def dyndns_update(): def saml_login(): if not current_app.config.get('SAML_ENABLED'): abort(400) + from onelogin.saml2.utils import OneLogin_Saml2_Utils req = saml.prepare_flask_request(request) auth = saml.init_saml_auth(req) redirect_url = OneLogin_Saml2_Utils.get_self_url(req) + url_for( @@ -910,7 +948,7 @@ def saml_metadata(): if not current_app.config.get('SAML_ENABLED'): current_app.logger.error("SAML authentication is disabled.") abort(400) - + from onelogin.saml2.utils import OneLogin_Saml2_Utils req = saml.prepare_flask_request(request) auth = saml.init_saml_auth(req) settings = auth.get_settings() @@ -926,11 +964,13 @@ def saml_metadata(): @index_bp.route('/saml/authorized', methods=['GET', 'POST']) +@csrf.exempt def saml_authorized(): errors = [] if not current_app.config.get('SAML_ENABLED'): current_app.logger.error("SAML authentication is disabled.") abort(400) + from onelogin.saml2.utils import OneLogin_Saml2_Utils req = saml.prepare_flask_request(request) auth = saml.init_saml_auth(req) auth.process_response() @@ -974,6 +1014,8 @@ def saml_authorized(): None) admin_group_name = current_app.config.get('SAML_GROUP_ADMIN_NAME', None) + operator_group_name = current_app.config.get('SAML_GROUP_OPERATOR_NAME', + None) group_to_account_mapping = create_group_to_account_mapping() if email_attribute_name in session['samlUserdata']: @@ -1027,6 +1069,8 @@ def saml_authorized(): uplift_to_admin(user) elif admin_group_name in user_groups: uplift_to_admin(user) + elif operator_group_name in user_groups: + uplift_to_operator(user) elif admin_attribute_name or group_attribute_name: if user.role.name != 'User': user.role_id = Role.query.filter_by(name='User').first().id @@ -1037,9 +1081,7 @@ def saml_authorized(): user.plain_text_password = None user.update_profile() session['authentication_type'] = 'SAML' - login_user(user, remember=False) - signin_history(user.username, 'SAML', True) - return redirect(url_for('index.login')) + return authenticate_user(user, 'SAML') else: return render_template('errors/SAML.html', errors=errors) @@ -1056,14 +1098,10 @@ def create_group_to_account_mapping(): def handle_account(account_name, account_description=""): - clean_name = ''.join(c for c in account_name.lower() - if c in "abcdefghijklmnopqrstuvwxyz0123456789") - if len(clean_name) > Account.name.type.length: - current_app.logger.error( - "Account name {0} too long. Truncated.".format(clean_name)) + clean_name = Account.sanitize_name(account_name) account = Account.query.filter_by(name=clean_name).first() if not account: - account = Account(name=clean_name.lower(), + account = Account(name=clean_name, description=account_description, contact='', mail='') @@ -1085,6 +1123,14 @@ def uplift_to_admin(user): created_by='SAML Assertion') history.add() +def uplift_to_operator(user): + if user.role.name != 'Operator': + user.role_id = Role.query.filter_by(name='Operator').first().id + history = History(msg='Promoting {0} to operator'.format( + user.username), + created_by='SAML Assertion') + history.add() + @index_bp.route('/saml/sls') def saml_logout(): diff --git a/powerdnsadmin/routes/user.py b/powerdnsadmin/routes/user.py index 6ca927b..65d7e08 100644 --- a/powerdnsadmin/routes/user.py +++ b/powerdnsadmin/routes/user.py @@ -1,8 +1,10 @@ import datetime -import qrcode as qrc -import qrcode.image.svg as qrc_svg -from io import BytesIO -from flask import Blueprint, request, render_template, make_response, jsonify, redirect, url_for, g, session, current_app +import hashlib +import imghdr +import mimetypes + +from flask import Blueprint, request, render_template, make_response, jsonify, redirect, url_for, g, session, \ + current_app, after_this_request, abort from flask_login import current_user, login_required, login_manager from ..models.user import User, Anonymous @@ -94,13 +96,60 @@ def qrcode(): if not current_user: return redirect(url_for('index')) - img = qrc.make(current_user.get_totp_uri(), - image_factory=qrc_svg.SvgPathImage) - stream = BytesIO() - img.save(stream) - return stream.getvalue(), 200, { + return current_user.get_qrcode_value(), 200, { 'Content-Type': 'image/svg+xml', 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0' } + + +@user_bp.route('/image', methods=['GET']) +@login_required +def image(): + """Returns the user profile image or avatar.""" + + @after_this_request + def add_cache_headers(response_): + """When the response is ok, add cache headers.""" + if 200 <= response_.status_code <= 399: + response_.cache_control.private = True + response_.cache_control.max_age = int(datetime.timedelta(days=1).total_seconds()) + return response_ + + def return_image(content, content_type=None): + """Return the given binary image content. Guess the type if not given.""" + if not content_type: + guess = mimetypes.guess_type('example.' + imghdr.what(None, h=content)) + if guess and guess[0]: + content_type = guess[0] + + return content, 200, {'Content-Type': content_type} + + # To prevent "cache poisoning", the username query parameter is required + if request.args.get('username', None) != current_user.username: + abort(400) + + setting = Setting() + + if session['authentication_type'] == 'LDAP': + search_filter = '(&({0}={1}){2})'.format(setting.get('ldap_filter_username'), + current_user.username, + setting.get('ldap_filter_basic')) + result = User().ldap_search(search_filter, setting.get('ldap_base_dn')) + if result and result[0] and result[0][0] and result[0][0][1]: + user_obj = result[0][0][1] + for key in ['jpegPhoto', 'thumbnailPhoto']: + if key in user_obj and user_obj[key] and user_obj[key][0]: + current_app.logger.debug(f'Return {key} from ldap as user image') + return return_image(user_obj[key][0]) + + email = current_user.email + if email and setting.get('gravatar_enabled'): + hash_ = hashlib.md5(email.encode('utf-8')).hexdigest() + url = f'https://s.gravatar.com/avatar/{hash_}?s=100' + current_app.logger.debug('Redirect user image request to gravatar') + return redirect(url, 307) + + # Fallback to the local default image + return current_app.send_static_file('img/user_image.png') diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py index 40c97bf..4a33ee6 100644 --- a/powerdnsadmin/services/saml.py +++ b/powerdnsadmin/services/saml.py @@ -72,8 +72,9 @@ class SAML(object): def prepare_flask_request(self, request): # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields url_data = urlparse(request.url) + proto = request.headers.get('HTTP_X_FORWARDED_PROTO', request.scheme) return { - 'https': 'on' if request.scheme == 'https' else 'off', + 'https': 'on' if proto == 'https' else 'off', 'http_host': request.host, 'server_port': url_data.port, 'script_name': request.path, @@ -163,7 +164,8 @@ class SAML(object): 'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' settings['security']['wantAssertionsEncrypted'] = current_app.config.get( 'SAML_ASSERTION_ENCRYPTED', True) - settings['security']['wantAttributeStatement'] = True + settings['security']['wantAttributeStatement'] = current_app.config.get( + 'SAML_WANT_ATTRIBUTE_STATEMENT', True) settings['security']['wantNameId'] = True settings['security']['authnRequestsSigned'] = current_app.config[ 'SAML_SIGN_REQUEST'] diff --git a/powerdnsadmin/static/custom/css/custom.css b/powerdnsadmin/static/custom/css/custom.css index f5dcb34..1cd3728 100644 --- a/powerdnsadmin/static/custom/css/custom.css +++ b/powerdnsadmin/static/custom/css/custom.css @@ -42,15 +42,6 @@ table td { background-position: center; } -.navbar-nav>.user-menu>.dropdown-menu>li.user-header>img.img-circle.offline { - filter: brightness(0); - border-color: black; -} - -.navbar-nav>.user-menu .user-image.offline { - filter: brightness(0); -} - .search-input { width: 100%; } \ No newline at end of file diff --git a/powerdnsadmin/static/custom/js/custom.js b/powerdnsadmin/static/custom/js/custom.js index 9bd9669..e4b72b1 100644 --- a/powerdnsadmin/static/custom/js/custom.js +++ b/powerdnsadmin/static/custom/js/custom.js @@ -12,13 +12,7 @@ function applyChanges(data, url, showResult, refreshPage) { console.log("Applied changes successfully."); console.log(data); if (showResult) { - var modal = $("#modal_success"); - if (data['msg']) { - modal.find('.modal-body p').text(data['msg']); - } else { - modal.find('.modal-body p').text("Applied changes successfully"); - } - modal.modal('show'); + showSuccessModal(data['msg'] || "Applied changes successfully"); } if (refreshPage) { location.reload(true); @@ -27,10 +21,8 @@ function applyChanges(data, url, showResult, refreshPage) { error : function(jqXHR, status) { console.log(jqXHR); - var modal = $("#modal_error"); var responseJson = jQuery.parseJSON(jqXHR.responseText); - modal.find('.modal-body p').text(responseJson['msg']); - modal.modal('show'); + showErrorModal(responseJson['msg']); } }); } @@ -50,18 +42,14 @@ function applyRecordChanges(data, domain) { }); console.log("Applied changes successfully.") - var modal = $("#modal_success"); - modal.find('.modal-body p').text("Applied changes successfully"); - modal.modal('show'); + showSuccessModal("Applied changes successfully"); setTimeout(() => {window.location.reload()}, 2000); }, error : function(jqXHR, status) { console.log(jqXHR); - var modal = $("#modal_error"); var responseJson = jQuery.parseJSON(jqXHR.responseText); - modal.find('.modal-body p').text(responseJson['msg']); - modal.modal('show'); + showErrorModal(responseJson['msg']); } }); } @@ -76,13 +64,17 @@ function getTableData(table) { record["record_type"] = r[1].trim(); record["record_status"] = r[2].trim(); record["record_ttl"] = r[3].trim(); - record["record_data"] = r[4].trim(); - record["record_comment"] = r[5].trim(); + record["record_data"] = convertHTMLEntityToText(r[4].trim()); + record["record_comment"] = convertHTMLEntityToText(r[5].trim()); records.push(record); }); return records } +function convertHTMLEntityToText(htmlEntity) { + return $('