Commit Graph

144 Commits

Author SHA1 Message Date
Nigel Kukard
138532fb95 fix: allow the specification of any combination of groups in LDAP group security configuration
Previous behavior required the specification of all three group security groups before the
"Save Settings" button would be enabled.

This adds a check into users.py which checks that the group is set before searching and
removes the javascript preventing the specification of any combination of groups.

Tested:
- Tested all combinations on AD after MR 1238
- Tested all combinations on OpenLDAP
- Tested enabling the Group Security with no groups set which correctly prevents login

Resolves #1462
2023-03-18 20:30:52 +00:00
Matt Scott
defb3e5a48
Merge pull request #1238 from melck/fix-ldap-ad-nested-member
Fix LDAP user group search for nested groups #1238
2023-03-18 16:03:48 -04:00
Matt Scott
78f0332a2d
Merge branch 'dev' into nkupdates-password-policy 2023-03-17 15:31:10 -04:00
Nigel Kukard
bb6d2d0497 feat(authentication): added admin settings for password policies 2023-03-17 03:42:45 +00:00
Stefan Ubbink
a2d1179fd2 Change domain(s) to zone(s) in the python code and docs 2023-03-16 17:02:23 +01:00
Stefan Ubbink
6eef5eb59c Make the OTP label the same as the site_name #1237 2023-03-13 18:54:49 +01:00
benshalev849
bd30c73ca4
Merge branch 'dev' into custom_current_user 2023-03-12 17:23:44 +02:00
Your Name
ee68b18e27 Added custom header in created_by segment option 2023-03-12 13:36:30 +00:00
Matt Scott
1afe9b4908 Finished adding new OAuth Server Metadata URL setting to Google, GitHub, and Microsoft OAuth service configuration features. 2023-03-12 09:13:54 -04:00
Matt Scott
fd30e3ff49 Added new JWKS URL setting for each OAuth provider and updated the associated authorization service to use the setting during the initialization of the authlib. 2023-03-11 14:46:58 -05:00
AdvanticGmbH
5ad384bfe9 Add support for oidc_oauth_metadata_url configuration option
This commit adds support for the `oidc_oauth_metadata_url` configuration
option. This option specifies the URL of the OIDC server's
metadata endpoint, which contains information about the OIDC server's
endpoints, supported scopes, and other configuration details. By using this
option, we can ensure compatibility with different OIDC servers and reduce
the risk of errors due to manual endpoint configuration.
2023-02-23 09:21:01 +01:00
Matt Scott
0418edddd9
Merge pull request #1078 from famedly/shine/config_table_key_uniqueness
fix: making the key name in the config database unique
2023-02-17 13:49:38 -05:00
Matt Scott
ef3880f76d
Merge pull request #1374 from VassilisAsteriou/auto_ptr_bugfix
Changed auto_ptr() logic to remove-then-add
2023-02-17 13:35:35 -05:00
Matt Scott
145358113d
Merge pull request #1380 from raunz/preserve_history
Preserve domain records history after domain deletion
2023-02-17 13:30:02 -05:00
Matt Scott
2a3ffe8481
Merge pull request #1339 from ymage/bugfix_tests
Improve bugfix tests
2023-02-17 12:19:35 -05:00
Matt Scott
ba14d52c8d
Merge pull request #1231 from AdvanticGmbH/assoc_domain_list
Allow to manage associated domains under account edit
2023-02-17 12:04:16 -05:00
Rauno Tuul
7221271a7b Preserve domain records history after domain deletion. 2023-02-13 12:08:03 +02:00
Kateřina Churanová
c23e89bde3
Merge branch 'PowerDNS-Admin:master' into shine/config_table_key_uniqueness 2023-02-09 12:29:14 +00:00
Vassilis Asteriou
0568a90ec1 Changed auto_ptr() logic to remove-then-add 2023-02-08 15:27:45 +02:00
Matt Scott
51249aecd3
Merge pull request #1212 from corubba/feature/privacy-first
Privacy first
2023-01-24 05:34:30 -05:00
Robert Walter
c02cb3b7fe
Model change: Changing domain model type variable to 8 chars
PowerDNS 4.7 is supporting 2 new zone types: "producer" & "consumer"
Due to the domain type variable is limited to 6 chars, PDA Zone update will fail if producer or cusomer zones exist.
To solve this problem, this commit increases the lenght of the domain model type variable to 8 chars.
2023-01-10 13:51:04 +01:00
Ymage
7d153932b3 Fix back_populate relationships 2022-12-22 22:50:01 +01:00
Matt Scott
8373363c4d
Merge pull request #1323 from jbe-dw/fixLDAPDeprecatedOpt
Draft: Fix pyhton-ldap upgrade
2022-12-13 20:56:03 -05:00
Aaron Carson
ff671ebabe Fix 1329 2022-12-14 00:34:12 +00:00
Jérôme BECOT
8d5b92402d
fix: Remove deprecated option OPT_X_TLS 2022-12-12 15:57:11 +01:00
Bernward Sanchez
dfdb0dca17
Update domain.py 2022-12-10 10:37:06 +08:00
Matt Scott
2cd8f60f8d
Merge pull request #1247 from unilogicbv/models_user_plain_text_password_guard
models/user.py: properly guard plain_text_password property
2022-12-08 22:10:21 -05:00
Matt Scott
7873e5f3f8
Merge pull request #1249 from unilogicbv/models_user_totp_valid_window
models/user.py: add non-zero valid_window to totp.verify
2022-12-08 22:05:34 -05:00
Bernward Sanchez
2656242b45
Update api_key.py
I added the parentheses to the `db.session.rollback` line to call the method, which will now properly roll back any changes made to the database if an error occurs.
2022-12-09 09:33:17 +08:00
corubba
cb835978df Fix order of operations in api payload
PDNS checks that when a `CNAME` rrset is created that no other rrset of
the same name but a different rtype exists. When changing a record type
to `CNAME`, PDA will send two operations in one api call to PDNS: A
deletion of the old rrset, and the addition of the new rrset. For the
check in PDNS to pass, the deletion needs to happen before the addition.
Before PR #1201 that was the case, the first api call did deletions and
the second handled additions and changes. Currently the api payload
contains additions first and deletions last. PDNS applies these in the
order they are passed in the payload to the api, so to restore the
original/correct/working behaviour the order of operations in the api
payload has to be reversed.

fixes #1251
2022-09-23 00:19:22 +02:00
Pascal de Bruijn
846c03f154 models/user.py: add non-zero valid_window to totp.verify
PyOTP's totp.verify defaults to the valid_window of zero, which means
it will reject valid codes, if submitted just past the 30 sec window.
It also means, users will run into authentication issues very quickly
if their phones time-sync isn't perfect.

Therefore valid_window should at the very least be 1 or more, settting
it higher trades security for robustness, especially with regard to
time desync issues.
2022-09-07 14:23:34 +02:00
Pascal de Bruijn
4fd1b10018 models/user.py: properly guard plain_text_password property
Resolves the following issue, which occurs with force_otp enabled
and OAuth authentication sources:

File "/srv/powerdnsadmin/powerdnsadmin/models/user.py", line 481, in update_profile
  "utf-8") if self.plain_text_password else user.password
AttributeError: 'User' object has no attribute 'plain_text_password'
2022-09-06 15:31:43 +02:00
Melchior NOGUES
4383c337d4
fix: ldap type ad search user group when nested groups 2022-09-02 17:12:08 +02:00
AdvanticGmbH
cfab13824d Add history entries for association changes of domains 2022-06-28 11:19:00 +02:00
corubba
607caa1a2d Rework user image handling
Moved all the logic out of the template into a separate endpoint. This
makes it easy to extend to also support images from different sources
like LDAP/SAML/OIDC. Session-based caching is hard to do, so to allow
time-based caching in the browser, the url needs to be unique for every
user by using a query parameter.

Replaced the default/fallback user image with a new one. It is based on
the old one, but does not need css to be visible. And removed said css.

Gravatar has now its own setting named `gravatar_enabled`, which is
disabled by default.
2022-06-18 19:11:13 +02:00
corubba
af902f24a2 Update using only one api call
Starting with the very first commit, the update was always done with
two api calls: one for DELETE and one for REPLACE. It is however
perfectly valid and save to do both at once, which makes it atomic, so
no need for the rollback. Plus it only updates the serial once.
There is no point in sending the full RRset data when deleting it, the
key attributes to identify it are enough. This also make the behaviour
consistent with the api docs [0] where it says "MUST NOT be included
when changetype is set to DELETE."

[0] https://doc.powerdns.com/authoritative/http-api/zone.html#rrset
2022-06-18 18:58:39 +02:00
Jérôme BECOT
a87b931520
feat: Move the account parse calls to a method 2022-06-18 14:30:56 +02:00
Jérôme BECOT
eb13b37e09
feat: Add the extra chars as an option 2022-06-18 14:30:56 +02:00
Jérôme BECOT
a3c50828a6
feat: Allow underscores and hyphens in account name 2022-06-18 14:28:32 +02:00
AdvanticGmbH
beed738d02
enh: Improve performance of domain update (#1218)
author: @AdvanticGmbH
2022-06-18 14:23:05 +02:00
RGanor
81f158d9bc
enh: Enforce Record Restrictions in API (#1089)
Co-authored-by: Tom <tom@tom.com>
2022-06-18 14:20:49 +02:00
TomSebty
1926b862b8
feat: Option to forbid the creation of domain if it exists as a record (#1127)
When enabled, forbids the creation of a domain if it exists as a record in one of its parent domains (administrators and operators are not limited though).
2022-06-17 17:50:51 +02:00
jbe-dw
2a75013de4
Merge pull request #1163 from AdvanticGmbH/idna_decode
fix: use idna module to support extended character set
2022-06-17 15:47:55 +02:00
Vasileios Markopoulos
41343fd598
Merge pull request #1199 from corubba/bugfix/rrest-typo
Fix rrest typo in history detail
2022-05-25 10:45:50 +03:00
corubba
f98326ea90 Fix remaining typo occurrence 2022-05-24 23:45:14 +02:00
Jérôme BECOT
88df88f30b
fix: Active directory filter is broken 2022-05-24 13:58:45 +02:00
jbe-dw
e81453c5e3
Merge pull request #1188 from corubba/bugfix/pyOpenSSL
Small bugfixes
2022-05-23 13:59:18 +02:00
jbe-dw
6579c9e830
Merge pull request #1182 from jbe-dw/revertCorruptedHistoryFix
fix: Insert valid JSON in history.detail and replace single quotes in the database
2022-05-12 21:30:20 +02:00
corubba
0e2cd063c5 Remove python v2 remnant
As vermin [0] confirms, the codebase has long moved beyond supporting
python v2 (which is not a bad thing). This removes the last explicit py2
piece of code.

And in case anyone wonders, vermin currently reports the minium version
to be v3.6.

[0] https://pypi.org/project/vermin/
2022-05-07 21:14:48 +02:00
jbe-dw
fa9bdcfde0
Merge pull request #1134 from jbe-dw/fixAPIDeleteAccount
Fix API Account deletion
2022-05-06 23:35:24 +02:00