Commit Graph

1221 Commits

Author SHA1 Message Date
David Mc Ken
c7dbb33dd7 Rename Fedora 23 filename. 2022-12-08 13:35:35 -04:00
David Mc Ken
99370a9afb Update the guinicorn. 2022-12-08 13:33:43 -04:00
David Mc Ken
31fd350f01 Add Fedora 23 directions and links. 2022-12-08 13:17:09 -04:00
David Mc Ken
4f177407dd Update github urls. 2022-12-08 13:13:05 -04:00
David Mc Ken
45e05f9487 Minor formatting updates. 2022-12-08 13:10:44 -04:00
David Mc Ken
0bdd09b3f1 Update links. 2022-12-08 13:06:00 -04:00
David Mc Ken
6babb1cd03 Update links. 2022-12-08 13:03:15 -04:00
David Mc Ken
3e9fc1f8fc Minor update to header. 2022-12-08 13:00:00 -04:00
David Mc Ken
88b7331db1 Fix missing extensions. 2022-12-08 12:34:31 -04:00
David Mc Ken
2c7c75b3a6 Update DynDNS2.md to features sub-folder. 2022-12-08 12:32:32 -04:00
David Mc Ken
7df3f03362 Move web server config to separate folder. 2022-12-08 12:29:50 -04:00
David Mc Ken
4584b2aa24 Move and fix links for install guides. 2022-12-08 12:26:00 -04:00
David Mc Ken
370aad4dfa Github seems to require the extension. 2022-12-08 12:22:57 -04:00
David Mc Ken
305e529cfe Fix header and update preparation links. 2022-12-08 12:21:45 -04:00
David Mc Ken
d259a6494e Move preparation guides to sub-folder. 2022-12-08 12:20:40 -04:00
David Mc Ken
5f750d1bb8 Move Home.md to README.md 2022-12-08 12:17:08 -04:00
Matt Scott
f6bca2c999
Merge pull request #1298 from PowerDNS-Admin/1297-move-project-wiki-into-files
Added current wiki content to project files.
2022-12-08 10:54:41 -05:00
Matt Scott
3cdf2b6b7c Added current wiki content to project files for ongoing maintenance. Existing wiki will be updated with a link reference to the wiki files. 2022-12-08 10:52:02 -05:00
Will Rouesnel
25ebbf132c
Fix handling of passwords with % in the SQLALCHEMY_DATABASE_URI
Fix Flask-Migrate ValueError from occurring when a password has '%'
characters in it when specified via SQLALCHEMY_DATABASE_URI.
2022-11-04 11:59:59 +11:00
jbe-dw
f6289d140c
Merge pull request #1272 from PowerDNS-Admin/api-doc
Update API.md
2022-10-14 16:03:43 +02:00
jbe-dw
d88da0fde3
Update API.md 2022-10-14 15:33:33 +02:00
WhatshallIbreaktoday
d25a22272e allow null/None JSON data
This change permits to proxy pdns zone notify api requests (which are expected to be with empty body)
2022-10-12 08:10:35 +02:00
jbe-dw
f8048bf6aa
Merge pull request #1255 from corubba/bugfix/api-order
fix: deletes shall come first in api payload (#1251)
2022-09-23 09:20:41 +02:00
corubba
cb835978df Fix order of operations in api payload
PDNS checks that when a `CNAME` rrset is created that no other rrset of
the same name but a different rtype exists. When changing a record type
to `CNAME`, PDA will send two operations in one api call to PDNS: A
deletion of the old rrset, and the addition of the new rrset. For the
check in PDNS to pass, the deletion needs to happen before the addition.
Before PR #1201 that was the case, the first api call did deletions and
the second handled additions and changes. Currently the api payload
contains additions first and deletions last. PDNS applies these in the
order they are passed in the payload to the api, so to restore the
original/correct/working behaviour the order of operations in the api
payload has to be reversed.

fixes #1251
2022-09-23 00:19:22 +02:00
Pascal de Bruijn
846c03f154 models/user.py: add non-zero valid_window to totp.verify
PyOTP's totp.verify defaults to the valid_window of zero, which means
it will reject valid codes, if submitted just past the 30 sec window.
It also means, users will run into authentication issues very quickly
if their phones time-sync isn't perfect.

Therefore valid_window should at the very least be 1 or more, settting
it higher trades security for robustness, especially with regard to
time desync issues.
2022-09-07 14:23:34 +02:00
Pascal de Bruijn
4fd1b10018 models/user.py: properly guard plain_text_password property
Resolves the following issue, which occurs with force_otp enabled
and OAuth authentication sources:

File "/srv/powerdnsadmin/powerdnsadmin/models/user.py", line 481, in update_profile
  "utf-8") if self.plain_text_password else user.password
AttributeError: 'User' object has no attribute 'plain_text_password'
2022-09-06 15:31:43 +02:00
Pascal de Bruijn
9bf74a6baf admin_edit_key: default to User role for new api keys
hopefully this will prevent accidental administator api keys from being created
2022-09-06 15:25:28 +02:00
Phil Jaenke
5f304ee29a
Update to python-ldap 3.4.2
Minor version bump. This is necessary to resolve build issues on Alpine 3.16+ without impacts for any other distributions.
2022-08-22 20:40:17 -04:00
Vasileios Markopoulos
204c996c81
Merge pull request #1221 from corubba/bugfix/changelog-hyphen
Fix rrset changelog for names with hyphen
2022-07-01 15:52:44 +03:00
jbe-dw
e6f6f9cea4
Update Javascript libraries (#1213)
This PR includes all dependabot patches and replace jsmin (abandoned) with rjsmin
2022-06-24 23:23:56 +02:00
dependabot[bot]
e7fbc7af37
Bump shell-quote from 1.6.1 to 1.7.3
Bumps [shell-quote](https://github.com/substack/node-shell-quote) from 1.6.1 to 1.7.3.
- [Release notes](https://github.com/substack/node-shell-quote/releases)
- [Changelog](https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md)
- [Commits](https://github.com/substack/node-shell-quote/compare/1.6.1...1.7.3)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-24 23:03:12 +02:00
Jérôme BECOT
41642fcea4
fix: Update JS minifier library 2022-06-24 23:03:01 +02:00
dependabot[bot]
18150eea34
Bump moment from 2.22.2 to 2.29.2
Bumps [moment](https://github.com/moment/moment) from 2.22.2 to 2.29.2.
- [Release notes](https://github.com/moment/moment/releases)
- [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/moment/moment/compare/2.22.2...2.29.2)

---
updated-dependencies:
- dependency-name: moment
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-24 23:03:01 +02:00
dependabot[bot]
34be227381
Bump cached-path-relative from 1.0.2 to 1.1.0
Bumps [cached-path-relative](https://github.com/ashaffer/cached-path-relative) from 1.0.2 to 1.1.0.
- [Release notes](https://github.com/ashaffer/cached-path-relative/releases)
- [Commits](https://github.com/ashaffer/cached-path-relative/commits)

---
updated-dependencies:
- dependency-name: cached-path-relative
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-24 23:03:00 +02:00
dependabot[bot]
289faa5019
Bump jquery-ui from 1.12.1 to 1.13.0
Bumps [jquery-ui](https://github.com/jquery/jquery-ui) from 1.12.1 to 1.13.0.
- [Release notes](https://github.com/jquery/jquery-ui/releases)
- [Commits](https://github.com/jquery/jquery-ui/compare/1.12.1...1.13.0)

---
updated-dependencies:
- dependency-name: jquery-ui
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-24 23:03:00 +02:00
dependabot[bot]
a88f4a66c6
Bump path-parse from 1.0.5 to 1.0.7
Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.5 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-24 23:02:56 +02:00
jbe-dw
6908f1d209
Allow new domains to be absolute (#1227)
author: corubba
2022-06-24 23:00:33 +02:00
corubba
5036619a67 Allow new domains to be absolute
Allow the new domain name to be input absolute (with a dot at the end).
To keep the rest of the logic working as-is, remove it fairly early in
the function.

Would have loved to use `str.removesuffix()` but that's python v3.9+.
2022-06-23 22:31:00 +02:00
corubba
9890ddfa64 Fix rrset changelog for names with hyphen
When clicking the changelog button for a record with the name
`foo-bar.example.org`, the url you get redirected to is
`/domain/example.org/changelog/foo-bar.example.org.-A`. Because of the
non-greedy behaviour of the path converter, the last part gets split at
the *first* hyphen, so the example above gets wrongly dissected into
`record_name=foo` and `record_type=bar.example.org.-A`. This results
for obvious reasons in an empty changelog.

As described in rfc5395 [0], types have to be alphanumerical, so its
converter is changed from path to string.

The hyphen is one of the few characters recommended by rfc1035 [1],
so it is a bad choice as separator. The separator is instead changed to
a slash.
Granted, this does not entirely solve the issue but at least makes it a
lot less likely to happen. Plus, a lot more and other things break in
pda with slashes in names.

[0] https://datatracker.ietf.org/doc/html/rfc5395#section-3.1
[1] https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.1
2022-06-19 12:16:40 +02:00
jbe-dw
dac232147e
enh: Cookies security (#1211)
author: corruba
2022-06-18 22:51:47 +02:00
jbe-dw
35cbc59016
enh: Update zone using a single api call (#1201)
author: corruba
2022-06-18 22:50:33 +02:00
corubba
af902f24a2 Update using only one api call
Starting with the very first commit, the update was always done with
two api calls: one for DELETE and one for REPLACE. It is however
perfectly valid and save to do both at once, which makes it atomic, so
no need for the rollback. Plus it only updates the serial once.
There is no point in sending the full RRset data when deleting it, the
key attributes to identify it are enough. This also make the behaviour
consistent with the api docs [0] where it says "MUST NOT be included
when changetype is set to DELETE."

[0] https://doc.powerdns.com/authoritative/http-api/zone.html#rrset
2022-06-18 18:58:39 +02:00
corubba
52b704baeb Set SameSite on cookies
Setting this attribute on a cookie marks it as non-cross-site, so it
is only send in requests to our own server. It is reasonable that no
one else should need our session or csrf data. Setting it explicitly
also prevents any issues from the ongoing change in browser behaviour [0]
when it is unset.

Seasurf supports the SameSite attribute starting with v0.3. As nothing
obviously broke, I used the opportunity and updated all the way to the
most recent version.

The SeaSurf default for SameSite is already `Lax`, so it only needs to
be set for the session cookie.

[0] https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
2022-06-18 18:51:42 +02:00
corubba
1a77524447 Allow secure cookies in docker
Setting these two options to True is recommended if (and only if) you
serve PDA via TLS. It will break things on plain-HTTP deployments.
For plain deployments these can be set in the flask config file, for
docker they have to be whitelisted to be set via env vars.
2022-06-18 18:51:42 +02:00
corubba
ae2ad6527a Set csrf cookie to httponly
The CSRF token is currently inserted directly in the template and not
in the browser via JavaScript from the cookie, so making it inaccessible
is not a problem.

The Sesson-cookie is already httponly by default [0].

[0] https://flask.palletsprojects.com/en/2.1.x/config/?highlight=session_cookie_httponly#SESSION_COOKIE_HTTPONLY
2022-06-18 18:51:42 +02:00
corubba
3e462dab17 Fix csrf configuration
CSRF has been initialized *before* the app config was fully read. That
made it impossible to configure CSRF properly. Moved the CSRF init into
the routes module, and switched from programmatic to decorated
exemptions. GET routes don't need to be exempted because they are by
default.
2022-06-18 18:51:40 +02:00
jbe-dw
2c0225e961
feat: Allow underscores and hyphens in account name (#1047) 2022-06-18 15:14:37 +02:00
Jérôme BECOT
a87b931520
feat: Move the account parse calls to a method 2022-06-18 14:30:56 +02:00
Jérôme BECOT
eb13b37e09
feat: Add the extra chars as an option 2022-06-18 14:30:56 +02:00
Jérôme BECOT
a3c50828a6
feat: Allow underscores and hyphens in account name 2022-06-18 14:28:32 +02:00