feature(frontend): manage LDAP access restrictions

issue UPC#916
Klius · Nov 13, 2018 · 24829f7 · 24829f7
1 parent 7a8ad2f
commit 24829f7
Show file tree

Hide file tree

Showing 3 changed files with 194 additions and 1 deletion.
diff --git a/lib/Ravada/Auth/LDAP.pm b/lib/Ravada/Auth/LDAP.pm
@@ -142,6 +142,7 @@ sub search_user {
     my $field = (delete $args{field} or 'uid');
     my $ldap = (delete $args{ldap} or _init_ldap_admin());
     my $base = (delete $args{base} or _dc_base());
+    my $typesonly= (delete $args{typesonly} or 0);
 
     confess "ERROR: Unknown fields ".Dumper(\%args) if keys %args;
     confess "ERROR: I can't connect to LDAP " if!$ldap;
@@ -152,12 +153,14 @@ sub search_user {
     base   => $base,
     scope  => 'sub',
     filter => "($field=$username)",
+    typesonly => $typesonly,
     attrs  => ['*']
+
     );
 
     warn "LDAP retry ".$mesg->code." ".$mesg->error if $retry > 1;
 
-    if ( $retry <= 3 && $mesg->code ) {
+    if ( $retry <= 3 && $mesg->code && $mesg->code != 4 ) {
          warn "LDAP error ".$mesg->code." ".$mesg->error."."
             ."Retrying ! [$retry]"  if $retry;
          $LDAP_ADMIN = undef;
@@ -167,6 +170,7 @@ sub search_user {
                 name => $username
               ,field => $field
               ,retry => ++$retry
+              ,typesonly => $typesonly
          );
     }
 

diff --git a/public/js/ravada.js b/public/js/ravada.js
@@ -168,6 +168,7 @@
                     $scope.new_name=$scope.showmachine.name+"-2";
                     $scope.validate_new_name($scope.showmachine.name);
                     $scope.refresh_machine();
+                    $scope.init_ldap_access();
                 });
           };
           $scope.domain_remove = 0;
@@ -323,6 +324,59 @@
                             }
                       });
 
+          };
+          $scope.list_ldap_attributes= function() {
+              $scope.ldap_entries = 0;
+              $scope.ldap_verified = 0;
+              console.log($scope.cn);
+              $http.get('/list_ldap_attributes/'+$scope.cn).then(function(response) {
+                  $scope.ldap_attributes = response.data.attributes;
+              });
+          };
+          $scope.count_ldap_entries = function() {
+              $scope.ldap_verifying = true;
+              $http.get('/count_ldap_entries/'+$scope.ldap_attribute+'/'+$scope.ldap_attribute_value)
+                    .then(function(response) {
+                  $scope.ldap_entries = response.data.entries;
+                  $scope.ldap_verified = true;
+                  $scope.ldap_verifying = false;
+              });
+          };
+          $scope.add_ldap_access = function() {
+              $http.get('/add_ldap_access/'+$scope.showmachine.id+'/'+$scope.ldap_attribute+'/'
+                            +$scope.ldap_attribute_value+"/"+$scope.ldap_attribute_allowed)
+                    .then(function(response) {
+                        $scope.init_ldap_access();
+                    });
+          };
+           $scope.delete_ldap_access= function(id_access) {
+              $http.get('/delete_ldap_access/'+$scope.showmachine.id+'/'+id_access)
+                    .then(function(response) {
+                        $scope.init_ldap_access();
+                    });
+          };
+          $scope.move_ldap_access= function(id_access, count) {
+              $http.get('/move_ldap_access/'+$scope.showmachine.id+'/'+id_access+'/'+count)
+                    .then(function(response) {
+                        $scope.init_ldap_access();
+                    });
+          };
+          $scope.set_ldap_access = function(id_access, allowed) {
+              $http.get('/set_ldap_access/'+$scope.showmachine.id+'/'+id_access+'/'+allowed)
+                    .then(function(response) {
+                        $scope.init_ldap_access();
+                    });
+          };
+          $scope.init_ldap_access = function() {
+              $scope.ldap_entries = 0;
+              $scope.ldap_verified = 0;
+              $scope.ldap_attribute = '';
+              $scope.ldap_attribute_value = '';
+              $scope.ldap_attribute_allowed=true;
+              $http.get('/list_ldap_access/'+$scope.showmachine.id).then(function(response) {
+                  $scope.ldap_attributes_domain  = response.data.list;
+                  $scope.ldap_attributes_default = response.data.default;
+              });
           };
             $scope.removed_hardware = [];
             $scope.pending_before = 10;

diff --git a/rvd_front.pl b/rvd_front.pl
@@ -637,6 +637,140 @@
     return $c->render(template => 'main/manage_user');
 };
 
+get '/list_ldap_attributes/(#cn)' => sub {
+    my $c = shift;
+
+    return _access_denied($c) if !$USER->is_admin;
+
+    my $cn = $c->stash('cn');
+    my $user;
+    eval {
+        ($user) = Ravada::Auth::LDAP::search_user($cn);
+    };
+    return $c->render(json => { error => $@ }) if $@;
+    return $c->render(json => []) if !$user;
+
+    $c->session(ldap_attributes_cn => $cn) if $user;
+    return $c->render(json => {attributes => [$user->attributes]});
+};
+
+get '/count_ldap_entries/(#attribute)/(#value)' => sub {
+    my $c = shift;
+
+    return _access_denied($c) if !$USER->is_admin;
+
+    my @entries;
+    eval {
+        @entries = Ravada::Auth::LDAP::search_user(
+            field => $c->stash('attribute')
+            ,name => $c->stash('value')
+            ,typesonly => 1
+        );
+    };
+    @entries = [ 'too many' ] if $@ =~ /Sizelimit exceeded/;
+    return $c->render(json => { entries => scalar @entries });
+};
+
+get '/add_ldap_access/(#id_domain)/(#attribute)/(#value)/(#allowed)' => sub {
+    my $c = shift;
+
+    return _access_denied($c) if !$USER->is_admin;
+
+    my $domain_id = $c->stash('id_domain');
+    my $domain = Ravada::Front::Domain->open($domain_id);
+
+    my $attribute = $c->stash('attribute');
+    my $value = $c->stash('value');
+    my $allowed = 1;
+    if ($c->stash('allowed') eq 'false') {
+        $allowed = 0;
+    }
+
+    eval { $domain->allow_ldap_access($attribute => $value, $allowed ) };
+    _fix_default_ldap_access($c, $domain, $allowed) if !$@;
+    return $c->render(json => { error => $@ }) if $@;
+    return $c->render(json => { ok => 1 });
+
+};
+
+sub _fix_default_ldap_access($c, $domain, $allowed) {
+    my @list = $domain->list_ldap_access();
+    my $default_found;
+    for ( @list ) {
+        if ( $_->{value} eq '*' ) {
+            $default_found = $_->{id};
+        }
+    }
+    if ( $default_found ) {
+        $domain->move_ldap_access($default_found, +1);
+        return;
+    }
+    my $allowed_default = 0;
+    $allowed_default = 1 if !$allowed;
+    eval { $domain->allow_ldap_access('DEFAULT' => '*', $allowed_default ) };
+    warn $@ if $@;
+}
+
+get '/delete_ldap_access/(#id_domain)/(#id_access)' => sub {
+    my $c = shift;
+
+    return _access_denied($c) if !$USER->is_admin;
+
+    my $domain_id = $c->stash('id_domain');
+    my $domain = Ravada::Front::Domain->open($domain_id);
+
+    $domain->delete_ldap_access($c->stash('id_access'));
+
+    return $c->render(json => { ok => 1 });
+};
+
+get '/list_ldap_access/(#id_domain)' => sub {
+    my $c = shift;
+
+    return _access_denied($c) if !$USER->is_admin;
+
+    my $domain_id = $c->stash('id_domain');
+    my $domain = Ravada::Front::Domain->open($domain_id);
+
+    my @ldap_access = $domain->list_ldap_access();
+    my $default = {};
+    if ($ldap_access[-1]->{value} eq '*') {
+        $default = pop @ldap_access;
+    }
+    return $c->render(json => {list => \@ldap_access, default => $default} );
+};
+
+get '/move_ldap_access/(#id_domain)/(#id_access)/(#count)' => sub {
+    my $c = shift;
+
+    return _access_denied($c) if !$USER->is_admin;
+
+    my $domain_id = $c->stash('id_domain');
+    my $domain = Ravada::Front::Domain->open($domain_id);
+
+    $domain->move_ldap_access($c->stash('id_access'), $c->stash('count'));
+
+    return $c->render(json => { ok => 1});
+};
+
+get '/set_ldap_access/(#id_domain)/(#id_access)/(#allowed)' => sub {
+    my $c = shift;
+
+    return _access_denied($c) if !$USER->is_admin;
+
+    my $domain_id = $c->stash('id_domain');
+    my $domain = Ravada::Front::Domain->open($domain_id);
+
+    my $allowed = $c->stash('allowed');
+    if ($allowed =~ /false/ || !$allowed) {
+        $allowed = 0;
+    } else {
+        $allowed = 1;
+    }
+
+    $domain->set_ldap_access($c->stash('id_access'), $allowed);
+    return $c->render(json => { ok => 1});
+};
 ##############################################
 
 
@@ -1432,6 +1566,7 @@ sub manage_machine {
     $c->stash(domain => $domain);
     $c->stash(USER => $USER);
     $c->stash(list_users => $RAVADA->list_users);
+    $c->stash(ldap_attributes_cn => ( $c->session('ldap_attributes_cn') or $USER->name or ''));
 
     $c->stash(  ram => int( $domain->get_info()->{max_mem} / 1024 ));
     $c->stash( cram => int( $domain->get_info()->{memory} / 1024 ));