Merge branch 'master' into per_user_permissions
This commit is contained in:
steschuser
GitHub
commit
f09c0d7508
|
|
@ -582,6 +582,33 @@ class Domain(db.Model):
|
|||
format(self.name, e))
|
||||
current_app.logger.debug(print(traceback.format_exc()))
|
||||
|
||||
def revoke_privileges_by_id(self, user_id):
|
||||
"""
|
||||
Remove a single user from privilege list based on user_id
|
||||
"""
|
||||
new_uids = [u for u in self.get_user() if u != user_id]
|
||||
users = []
|
||||
for uid in new_uids:
|
||||
users.append(User(id=uid).get_user_info_by_id().username)
|
||||
|
||||
self.grant_privileges(users)
|
||||
|
||||
def add_user(self, user):
|
||||
"""
|
||||
Add a single user to Domain by User
|
||||
"""
|
||||
try:
|
||||
du = DomainUser(self.id, user.id)
|
||||
db.session.add(du)
|
||||
db.session.commit()
|
||||
return True
|
||||
except Exception as e:
|
||||
db.session.rollback()
|
||||
current_app.logger.error(
|
||||
'Cannot add user privileges on domain {0}. DETAIL: {1}'.
|
||||
format(self.name, e))
|
||||
return False
|
||||
|
||||
def update_from_master(self, domain_name):
|
||||
"""
|
||||
Update records from Master DNS server
|
||||
|
|
|
|||
|
|
@ -40,6 +40,10 @@ class Setting(db.Model):
|
|||
'verify_ssl_connections': True,
|
||||
'local_db_enabled': True,
|
||||
'signup_enabled': True,
|
||||
'autoprovisioning': False,
|
||||
'urn_value':'',
|
||||
'autoprovisioning_attribute': '',
|
||||
'purge': False,
|
||||
'verify_user_email': False,
|
||||
'ldap_enabled': False,
|
||||
'ldap_type': 'ldap',
|
||||
|
|
|
|||
|
|
@ -14,6 +14,8 @@ from .role import Role
|
|||
from .setting import Setting
|
||||
from .domain_user import DomainUser
|
||||
from .user_permissions import UserPermissions
|
||||
from .account_user import AccountUser
|
||||
|
||||
|
||||
|
||||
class Anonymous(AnonymousUserMixin):
|
||||
|
|
@ -131,9 +133,8 @@ class User(db.Model):
|
|||
conn.protocol_version = ldap.VERSION3
|
||||
return conn
|
||||
|
||||
def ldap_search(self, searchFilter, baseDN):
|
||||
def ldap_search(self, searchFilter, baseDN, retrieveAttributes=None):
|
||||
searchScope = ldap.SCOPE_SUBTREE
|
||||
retrieveAttributes = None
|
||||
|
||||
try:
|
||||
conn = self.ldap_init_conn()
|
||||
|
|
@ -498,7 +499,6 @@ class User(db.Model):
|
|||
"""
|
||||
Update user profile
|
||||
"""
|
||||
|
||||
user = User.query.filter(User.username == self.username).first()
|
||||
if not user:
|
||||
return False
|
||||
|
|
@ -554,9 +554,26 @@ class User(db.Model):
|
|||
Note: This doesn't include the permission granting from Account
|
||||
which user belong to
|
||||
"""
|
||||
|
||||
return self.get_domain_query().all()
|
||||
|
||||
def get_user_domains(self):
|
||||
from ..models.base import db
|
||||
from .account import Account
|
||||
from .domain import Domain
|
||||
from .account_user import AccountUser
|
||||
from .domain_user import DomainUser
|
||||
|
||||
domains = db.session.query(Domain) \
|
||||
.outerjoin(DomainUser, Domain.id == DomainUser.domain_id) \
|
||||
.outerjoin(Account, Domain.account_id == Account.id) \
|
||||
.outerjoin(AccountUser, Account.id == AccountUser.account_id) \
|
||||
.filter(
|
||||
db.or_(
|
||||
DomainUser.user_id == self.id,
|
||||
AccountUser.user_id == self.id
|
||||
)).all()
|
||||
return domains
|
||||
|
||||
def delete(self):
|
||||
"""
|
||||
Delete a user
|
||||
|
|
@ -574,7 +591,7 @@ class User(db.Model):
|
|||
self.username, e))
|
||||
return False
|
||||
|
||||
def revoke_privilege(self):
|
||||
def revoke_privilege(self, update_user=False):
|
||||
"""
|
||||
Revoke all privileges from a user
|
||||
"""
|
||||
|
|
@ -584,6 +601,8 @@ class User(db.Model):
|
|||
user_id = user.id
|
||||
try:
|
||||
DomainUser.query.filter(DomainUser.user_id == user_id).delete()
|
||||
if (update_user)==True:
|
||||
AccountUser.query.filter(AccountUser.user_id == user_id).delete()
|
||||
db.session.commit()
|
||||
return True
|
||||
except Exception as e:
|
||||
|
|
@ -625,3 +644,168 @@ class User(db.Model):
|
|||
for q in query:
|
||||
accounts.append(q[1])
|
||||
return accounts
|
||||
|
||||
|
||||
def read_entitlements(self, key):
|
||||
"""
|
||||
Get entitlements from ldap server associated with this user
|
||||
"""
|
||||
LDAP_BASE_DN = Setting().get('ldap_base_dn')
|
||||
LDAP_FILTER_USERNAME = Setting().get('ldap_filter_username')
|
||||
LDAP_FILTER_BASIC = Setting().get('ldap_filter_basic')
|
||||
searchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_USERNAME,
|
||||
self.username,
|
||||
LDAP_FILTER_BASIC)
|
||||
current_app.logger.debug('Ldap searchFilter {0}'.format(searchFilter))
|
||||
ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN, [key])
|
||||
current_app.logger.debug('Ldap search result: {0}'.format(ldap_result))
|
||||
entitlements=[]
|
||||
if ldap_result:
|
||||
dict=ldap_result[0][0][1]
|
||||
if len(dict)!=0:
|
||||
for entitlement in dict[key]:
|
||||
entitlements.append(entitlement.decode("utf-8"))
|
||||
else:
|
||||
e="Not found value in the autoprovisioning attribute field "
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
return entitlements
|
||||
|
||||
def updateUser(self, Entitlements):
|
||||
"""
|
||||
Update user associations based on ldap attribute
|
||||
"""
|
||||
entitlements= getCorrectEntitlements(Entitlements)
|
||||
if len(entitlements)!=0:
|
||||
self.revoke_privilege(True)
|
||||
for entitlement in entitlements:
|
||||
arguments=entitlement.split(':')
|
||||
entArgs=arguments[arguments.index('powerdns-admin')+1:]
|
||||
role= entArgs[0]
|
||||
self.set_role(role)
|
||||
if (role=="User") and len(entArgs)>1:
|
||||
current_domains=getUserInfo(self.get_user_domains())
|
||||
current_accounts=getUserInfo(self.get_accounts())
|
||||
domain=entArgs[1]
|
||||
self.addMissingDomain(domain, current_domains)
|
||||
if len(entArgs)>2:
|
||||
account=entArgs[2]
|
||||
self.addMissingAccount(account, current_accounts)
|
||||
|
||||
def addMissingDomain(self, autoprovision_domain, current_domains):
|
||||
"""
|
||||
Add domain gathered by autoprovisioning to the current domains list of a user
|
||||
"""
|
||||
from ..models.domain import Domain
|
||||
user = db.session.query(User).filter(User.username == self.username).first()
|
||||
if autoprovision_domain not in current_domains:
|
||||
domain= db.session.query(Domain).filter(Domain.name == autoprovision_domain).first()
|
||||
if domain!=None:
|
||||
domain.add_user(user)
|
||||
|
||||
def addMissingAccount(self, autoprovision_account, current_accounts):
|
||||
"""
|
||||
Add account gathered by autoprovisioning to the current accounts list of a user
|
||||
"""
|
||||
from ..models.account import Account
|
||||
user = db.session.query(User).filter(User.username == self.username).first()
|
||||
if autoprovision_account not in current_accounts:
|
||||
account= db.session.query(Account).filter(Account.name == autoprovision_account).first()
|
||||
if account!=None:
|
||||
account.add_user(user)
|
||||
|
||||
def getCorrectEntitlements(Entitlements):
|
||||
"""
|
||||
Gather a list of valid records from the ldap attribute given
|
||||
"""
|
||||
from ..models.role import Role
|
||||
urn_value=Setting().get('urn_value')
|
||||
urnArgs=[x.lower() for x in urn_value.split(':')]
|
||||
entitlements=[]
|
||||
for Entitlement in Entitlements:
|
||||
arguments=Entitlement.split(':')
|
||||
|
||||
if ('powerdns-admin' in arguments):
|
||||
prefix=arguments[0:arguments.index('powerdns-admin')]
|
||||
prefix=[x.lower() for x in prefix]
|
||||
if (prefix!=urnArgs):
|
||||
e= "Typo in first part of urn value"
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
continue
|
||||
|
||||
else:
|
||||
e="Entry not a PowerDNS-Admin record"
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
continue
|
||||
|
||||
if len(arguments)<=len(urnArgs)+1: #prefix:powerdns-admin
|
||||
e="No value given after the prefix"
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
continue
|
||||
|
||||
entArgs=arguments[arguments.index('powerdns-admin')+1:]
|
||||
role=entArgs[0]
|
||||
roles= Role.query.all()
|
||||
role_names=get_role_names(roles)
|
||||
|
||||
if role not in role_names:
|
||||
e="Role given by entry not a role availabe in PowerDNS-Admin. Check for spelling errors"
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
continue
|
||||
|
||||
if len(entArgs)>1:
|
||||
if (role!="User"):
|
||||
e="Too many arguments for Admin or Operator"
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
continue
|
||||
else:
|
||||
if len(entArgs)<=3:
|
||||
if entArgs[1] and not checkIfDomainExists(entArgs[1]):
|
||||
continue
|
||||
if len(entArgs)==3:
|
||||
if entArgs[2] and not checkIfAccountExists(entArgs[2]):
|
||||
continue
|
||||
else:
|
||||
e="Too many arguments"
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
continue
|
||||
|
||||
entitlements.append(Entitlement)
|
||||
|
||||
return entitlements
|
||||
|
||||
|
||||
def checkIfDomainExists(domainName):
|
||||
from ..models.domain import Domain
|
||||
domain= db.session.query(Domain).filter(Domain.name == domainName)
|
||||
if len(domain.all())==0:
|
||||
e= domainName + " is not found in the database"
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
return False
|
||||
return True
|
||||
|
||||
def checkIfAccountExists(accountName):
|
||||
from ..models.account import Account
|
||||
account= db.session.query(Account).filter(Account.name == accountName)
|
||||
if len(account.all())==0:
|
||||
e= accountName + " is not found in the database"
|
||||
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
|
||||
return False
|
||||
return True
|
||||
|
||||
def get_role_names(roles):
|
||||
"""
|
||||
returns all the roles available in database in string format
|
||||
"""
|
||||
roles_list=[]
|
||||
for role in roles:
|
||||
roles_list.append(role.name)
|
||||
return roles_list
|
||||
|
||||
def getUserInfo(DomainsOrAccounts):
|
||||
current=[]
|
||||
for DomainOrAccount in DomainsOrAccounts:
|
||||
current.append(DomainOrAccount.name)
|
||||
return current
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
import json
|
||||
import datetime
|
||||
import traceback
|
||||
import re
|
||||
from base64 import b64encode
|
||||
from ast import literal_eval
|
||||
from flask import Blueprint, render_template, make_response, url_for, current_app, request, redirect, jsonify, abort, flash, session
|
||||
|
|
@ -479,6 +480,7 @@ def edit_account(account_name=None):
|
|||
if request.method == 'GET':
|
||||
if account_name is None:
|
||||
return render_template('admin_edit_account.html',
|
||||
account_user_ids=[],
|
||||
users=users,
|
||||
create=1)
|
||||
|
||||
|
|
@ -868,6 +870,27 @@ def setting_authentication():
|
|||
Setting().set('ldap_user_group',
|
||||
request.form.get('ldap_user_group'))
|
||||
Setting().set('ldap_domain', request.form.get('ldap_domain'))
|
||||
Setting().set(
|
||||
'autoprovisioning', True
|
||||
if request.form.get('autoprovisioning') == 'ON' else False)
|
||||
Setting().set('autoprovisioning_attribute',
|
||||
request.form.get('autoprovisioning_attribute'))
|
||||
|
||||
if request.form.get('autoprovisioning')=='ON':
|
||||
if validateURN(request.form.get('urn_value')):
|
||||
Setting().set('urn_value',
|
||||
request.form.get('urn_value'))
|
||||
else:
|
||||
return render_template('admin_setting_authentication.html',
|
||||
error="Invalid urn")
|
||||
else:
|
||||
Setting().set('urn_value',
|
||||
request.form.get('urn_value'))
|
||||
|
||||
Setting().set('purge', True
|
||||
if request.form.get('purge') == 'ON' else False)
|
||||
|
||||
|
||||
result = {'status': True, 'msg': 'Saved successfully'}
|
||||
elif conf_type == 'google':
|
||||
google_oauth_enabled = True if request.form.get(
|
||||
|
|
@ -1325,3 +1348,29 @@ def global_search():
|
|||
pass
|
||||
|
||||
return render_template('admin_global_search.html', domains=domains, records=records, comments=comments)
|
||||
|
||||
def validateURN(value):
|
||||
NID_PATTERN = re.compile(r'^[0-9a-z][0-9a-z-]{1,31}$', flags=re.IGNORECASE)
|
||||
NSS_PCHAR = '[a-z0-9-._~]|%[a-f0-9]{2}|[!$&\'()*+,;=]|:|@'
|
||||
NSS_PATTERN = re.compile(fr'^({NSS_PCHAR})({NSS_PCHAR}|/|\?)*$', re.IGNORECASE)
|
||||
|
||||
prefix=value.split(':')
|
||||
if (len(prefix)<3):
|
||||
current_app.logger.warning( "Too small urn prefix" )
|
||||
return False
|
||||
|
||||
urn=prefix[0]
|
||||
nid=prefix[1]
|
||||
nss=value.replace(urn+":"+nid+":", "")
|
||||
|
||||
if not urn.lower()=="urn":
|
||||
current_app.logger.warning( urn + ' contains invalid characters ' )
|
||||
return False
|
||||
if not re.match(NID_PATTERN, nid.lower()):
|
||||
current_app.logger.warning( nid + ' contains invalid characters ' )
|
||||
return False
|
||||
if not re.match(NSS_PATTERN, nss):
|
||||
current_app.logger.warning( nss + ' contains invalid characters ' )
|
||||
return False
|
||||
|
||||
return True
|
||||
|
|
|
|||
|
|
@ -973,8 +973,9 @@ def api_zone_subpath_forward(server_id, zone_id, subpath):
|
|||
@apikey_can_access_domain
|
||||
def api_zone_forward(server_id, zone_id):
|
||||
resp = helper.forward_request()
|
||||
domain = Domain()
|
||||
domain.update()
|
||||
if not Setting().get('bg_domain_updates'):
|
||||
domain = Domain()
|
||||
domain.update()
|
||||
status = resp.status_code
|
||||
if 200 <= status < 300:
|
||||
current_app.logger.debug("Request to powerdns API successful")
|
||||
|
|
|
|||
|
|
@ -149,6 +149,18 @@ def add():
|
|||
'errors/400.html',
|
||||
msg="Please enter a valid domain name"), 400
|
||||
|
||||
# If User creates the domain, check some additional stuff
|
||||
if current_user.role.name not in ['Administrator', 'Operator']:
|
||||
# Get all the account_ids of the user
|
||||
user_accounts_ids = current_user.get_accounts()
|
||||
user_accounts_ids = [x.id for x in user_accounts_ids]
|
||||
# User may not create domains without Account
|
||||
if int(account_id) == 0 or int(account_id) not in user_accounts_ids:
|
||||
return render_template(
|
||||
'errors/400.html',
|
||||
msg="Please use a valid Account"), 400
|
||||
|
||||
|
||||
#TODO: Validate ip addresses input
|
||||
|
||||
# Encode domain name into punycode (IDN)
|
||||
|
|
@ -250,13 +262,19 @@ def add():
|
|||
current_app.logger.debug(traceback.format_exc())
|
||||
abort(500)
|
||||
|
||||
# Get
|
||||
else:
|
||||
accounts = Account.query.order_by(Account.name).all()
|
||||
# Admins and Operators can set to any account
|
||||
if current_user.role.name in ['Administrator', 'Operator']:
|
||||
accounts = Account.query.order_by(Account.name).all()
|
||||
else:
|
||||
accounts = current_user.get_accounts()
|
||||
return render_template('domain_add.html',
|
||||
templates=templates,
|
||||
accounts=accounts)
|
||||
|
||||
|
||||
|
||||
@domain_bp.route('/setting/<path:domain_name>/delete', methods=['POST'])
|
||||
@login_required
|
||||
@operator_role_required
|
||||
|
|
|
|||
|
|
@ -473,10 +473,39 @@ def login():
|
|||
saml_enabled=SAML_ENABLED,
|
||||
error='Token required')
|
||||
|
||||
if Setting().get('autoprovisioning') and auth_method!='LOCAL':
|
||||
urn_value=Setting().get('urn_value')
|
||||
Entitlements=user.read_entitlements(Setting().get('autoprovisioning_attribute'))
|
||||
if len(Entitlements)==0 and Setting().get('purge'):
|
||||
user.set_role("User")
|
||||
user.revoke_privilege(True)
|
||||
|
||||
elif len(Entitlements)!=0:
|
||||
if checkForPDAEntries(Entitlements, urn_value):
|
||||
user.updateUser(Entitlements)
|
||||
else:
|
||||
current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
|
||||
if Setting().get('purge'):
|
||||
user.set_role("User")
|
||||
user.revoke_privilege(True)
|
||||
current_app.logger.warning('Procceding to revoke every privilige from ' + user.username + '.' )
|
||||
|
||||
login_user(user, remember=remember_me)
|
||||
signin_history(user.username, 'LOCAL', True)
|
||||
return redirect(session.get('next', url_for('index.index')))
|
||||
|
||||
def checkForPDAEntries(Entitlements, urn_value):
|
||||
"""
|
||||
Run through every record located in the ldap attribute given and determine if there are any valid powerdns-admin records
|
||||
"""
|
||||
urnArguments=[x.lower() for x in urn_value.split(':')]
|
||||
for Entitlement in Entitlements:
|
||||
entArguments=Entitlement.split(':powerdns-admin')
|
||||
entArguments=[x.lower() for x in entArguments[0].split(':')]
|
||||
if (entArguments==urnArguments):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def clear_session():
|
||||
session.pop('user_id', None)
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@
|
|||
<select multiple="multiple" class="form-control" id="account_multi_user"
|
||||
name="account_multi_user">
|
||||
{% for user in users %}
|
||||
<option {% if user.id in account_user_ids %}selected{% endif %}
|
||||
<option {% if user.id in account_user_ids|default([]) %}selected{% endif %}
|
||||
value="{{ user.username }}">{{ user.username }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
|
|
|
|||
|
|
@ -73,11 +73,19 @@
|
|||
<div class="form-group">
|
||||
<button type="submit" class="btn btn-flat btn-primary">Save</button>
|
||||
</div>
|
||||
|
||||
</form>
|
||||
</div>
|
||||
<div class="tab-pane active" id="tabs-ldap">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
{% if error %}
|
||||
<div class="alert alert-danger alert-dismissible">
|
||||
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
|
||||
<h4><i class="icon fa fa-ban"></i> Error!</h4>
|
||||
{{ error }}
|
||||
</div>
|
||||
{% endif %}
|
||||
<form role="form" method="post" data-toggle="validator">
|
||||
<input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
|
||||
<input type="hidden" value="ldap" name="config_tab" />
|
||||
|
|
@ -186,6 +194,46 @@
|
|||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
</fieldset>
|
||||
<fieldset>
|
||||
<legend>ADVANCE</legend>
|
||||
<div class="form-group">
|
||||
<label>Roles Autoprovisioning</label>
|
||||
<div class="radio">
|
||||
<label>
|
||||
<input type="radio" name="autoprovisioning" id="autoprovisioning_off" value="OFF" {% if not SETTING.get('autoprovisioning') %}checked{% endif %}> OFF
|
||||
</label>
|
||||
|
||||
<label>
|
||||
<input type="radio" name="autoprovisioning" id="autoprovisioning_on" value="ON"
|
||||
|
||||
{% if SETTING.get('autoprovisioning') %}checked{% endif %}> ON
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="autoprovisioning_attribute">Roles provisioning field</label>
|
||||
<input type="text" class="form-control" name="autoprovisioning_attribute" id="autoprovisioning_attribute" placeholder="e.g. eduPersonEntitlement" data-error=" Please input field responsible for autoprovisioning" value="{{ SETTING.get('autoprovisioning_attribute') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
|
||||
<div class="form-group {% if error %}has-error{% endif %}">
|
||||
<label for="urn_value">Urn prefix</label>
|
||||
<input type="text" class="form-control" name="urn_value" id="urn_value" placeholder="e.g. urn:mace:<yourOrganization>" data-error="Please fill this field" value="{{ SETTING.get('urn_value') }}">
|
||||
{% if error %}
|
||||
<span class="help-block with-errors">Please input the correct prefix for your urn value</span>
|
||||
{% endif %}
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label>Purge Roles If Empty</label>
|
||||
<div class="radio">
|
||||
<label>
|
||||
<input type="radio" name="purge" id="purge_off" value="OFF" {% if not SETTING.get('purge') %}checked{% endif %}> OFF
|
||||
</label>
|
||||
|
||||
<label>
|
||||
<input type="radio" name="purge" id="purge_on" value="ON" {% if SETTING.get('purge') %}checked{% endif %}> ON
|
||||
</div>
|
||||
</div>
|
||||
</fieldset>
|
||||
<div class="form-group">
|
||||
<button type="submit" class="btn btn-flat btn-primary">Save</button>
|
||||
</div>
|
||||
|
|
@ -261,6 +309,24 @@
|
|||
</li>
|
||||
</ul>
|
||||
</dd>
|
||||
<dt>ADVANCE</dt>
|
||||
<dd> Provision PDA user privileges based on LDAP Object Attributes. Alternative to Group Security Role Management.
|
||||
<ul>
|
||||
<li>
|
||||
Roles Autoprovisioning - If toggled on, the PDA Role and the associations of users found in the local db, will be instantly updated from the LDAP server every time they log in.
|
||||
</li>
|
||||
<li>
|
||||
Roles provisioning field - The attribute in the ldap server populated by the urn values where PDA will look for a new Role and/or new associations to domains/accounts.
|
||||
</li>
|
||||
<li>
|
||||
Urn prefix - The prefix used before the static keyword "powerdns-admin" for your entitlements in the ldap server. Must comply with RFC no.8141.
|
||||
</li>
|
||||
<li>
|
||||
Purge Roles If Empty - If toggled on, ldap entries that have no valid "powerdns-admin" records to their autoprovisioning field, will lose all their associations with any domain or account, also reverting to a User in the process, despite their current role in the local db.<br> If toggled off, in the same scenario they get to keep their existing associations and their current Role.
|
||||
|
||||
</li>
|
||||
</ul>
|
||||
</dd>
|
||||
</dl>
|
||||
</div>
|
||||
</div>
|
||||
|
|
@ -625,7 +691,7 @@
|
|||
{%- endassets %}
|
||||
|
||||
<script>
|
||||
|
||||
|
||||
$(function() {
|
||||
$('#tabs').tabs({
|
||||
// add url anchor tags
|
||||
|
|
@ -648,6 +714,11 @@
|
|||
checkboxClass : 'icheckbox_square-blue',
|
||||
increaseArea : '20%'
|
||||
})
|
||||
|
||||
$('#autoprovisioning').iCheck({
|
||||
checkboxClass : 'icheckbox_square-blue',
|
||||
increaseArea : '20%'
|
||||
})
|
||||
// END: General tab js
|
||||
|
||||
// START: LDAP tab js
|
||||
|
|
@ -679,7 +750,10 @@
|
|||
$('#ldap_operator_group').prop('required', true);
|
||||
$('#ldap_user_group').prop('required', true);
|
||||
}
|
||||
|
||||
if ($('#autoprovisioning').is(":checked")) {
|
||||
$('#autoprovisioning_attribute').prop('required', true);
|
||||
$('#urn_value').prop('required', true);
|
||||
}
|
||||
} else {
|
||||
$('#ldap_uri').prop('required', false);
|
||||
$('#ldap_base_dn').prop('required', false);
|
||||
|
|
@ -695,6 +769,10 @@
|
|||
$('#ldap_operator_group').prop('required', false);
|
||||
$('#ldap_user_group').prop('required', false);
|
||||
}
|
||||
if ($('#autoprovisioning').is(":checked")) {
|
||||
$('#autoprovisioning_attribute').prop('required', false);
|
||||
$('#urn_value').prop('required', true);
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
|
|
@ -708,8 +786,75 @@
|
|||
$('#ldap_operator_group').prop('required', false);
|
||||
$('#ldap_user_group').prop('required', false);
|
||||
}
|
||||
|
||||
if ($('#ldap_sg_on').is(":checked") && $('#autoprovisioning_on').is(":checked")){
|
||||
document.getElementById('ldap_sg_on').checked=false;
|
||||
document.getElementById('ldap_sg_off').checked=true;
|
||||
var modal = $("#modal_warning");
|
||||
|
||||
var info = "Group Security:Status and Advance:Autoprovisioning can not be both enabled at the same time. Please turn off Advance:Autoprovisioning first" ;
|
||||
modal.find('.modal-body p').text(info);
|
||||
modal.find('#button_warning_confirm').click(function () {
|
||||
modal.modal('hide');
|
||||
})
|
||||
modal.find('#warning_X').click(function () {
|
||||
modal.modal('hide');
|
||||
})
|
||||
modal.modal('show');
|
||||
}
|
||||
});
|
||||
|
||||
$("input[name='autoprovisioning']" ).change(function(){
|
||||
if ($('#autoprovisioning_on').is(":checked") && $('#ldap_enabled').is(":checked")) {
|
||||
$('#autoprovisioning_attribute').prop('required', true);
|
||||
$('#urn_value').prop('required', true);
|
||||
$('#purge').prop('required', true);
|
||||
}
|
||||
else{
|
||||
$('#autoprovisioning_attribute').prop('required', false);
|
||||
$('#urn_value').prop('required', false);
|
||||
$('#purge').prop('required', false);
|
||||
}
|
||||
if ($('#ldap_sg_on').is(":checked") && $('#autoprovisioning_on').is(":checked")){
|
||||
document.getElementById('autoprovisioning_on').checked=false;
|
||||
document.getElementById('autoprovisioning_off').checked=true;
|
||||
var modal = $("#modal_warning");
|
||||
var info = "Group Security:Status and Advance:Autoprovisioning can not be both enabled at the same time. Please turn off Group Security:Status first" ;
|
||||
modal.find('.modal-body p').text(info);
|
||||
modal.find('#button_warning_confirm').click(function () {
|
||||
|
||||
modal.modal('hide');
|
||||
})
|
||||
modal.find('#warning_X').click(function () {
|
||||
modal.modal('hide');
|
||||
})
|
||||
modal.modal('show');
|
||||
|
||||
}
|
||||
});
|
||||
|
||||
$("input[name='purge']" ).change(function(){
|
||||
if ($("#purge_on").is(":checked")){
|
||||
document.getElementById('purge_on').checked=false;
|
||||
document.getElementById('purge_off').checked=true;
|
||||
var modal = $("#modal_confirm");
|
||||
var info = "Are you sure you want to do this? Users will lose their associated domains unless they already have their autoprovisioning field prepopulated." ;
|
||||
modal.find('.modal-body p').text(info);
|
||||
modal.find('#button_confirm').click(function () {
|
||||
document.getElementById('purge_on').checked=true;
|
||||
document.getElementById('purge_off').checked=false;
|
||||
modal.modal('hide');
|
||||
})
|
||||
modal.find('#button_cancel').click(function () {
|
||||
modal.modal('hide');
|
||||
})
|
||||
modal.find('#X').click(function () {
|
||||
modal.modal('hide');
|
||||
})
|
||||
modal.modal('show');
|
||||
}
|
||||
});
|
||||
|
||||
$("input[name='ldap_type']" ).change(function(){
|
||||
if ($('#ldap').is(":checked") && $('#ldap_enabled').is(":checked")) {
|
||||
$('#ldap_admin_group').prop('required', true);
|
||||
|
|
@ -747,7 +892,14 @@
|
|||
$('#ldap_operator_group').prop('required', true);
|
||||
$('#ldap_user_group').prop('required', true);
|
||||
}
|
||||
|
||||
if ($('#autoprovisioning_on').is(":checked")) {
|
||||
$('#autoprovisioning_attribute').prop('required', true);
|
||||
$('#urn_value').prop('required', true);
|
||||
}
|
||||
|
||||
{% endif %}
|
||||
|
||||
// END: LDAP tab js
|
||||
|
||||
// START: Google tab js
|
||||
|
|
@ -900,3 +1052,51 @@
|
|||
|
||||
</script>
|
||||
{% endblock %}
|
||||
|
||||
{% block modals %}
|
||||
<div class="modal fade modal-warning" id="modal_confirm" data-keyboard="false" data-backdrop="static">
|
||||
<div class="modal-dialog">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<button type="button" class="close" data-dismiss="modal" aria-label="Close" id="X" >
|
||||
<span aria-hidden="true">×</span>
|
||||
</button>
|
||||
<h4 class="modal-title">Confirmation</h4>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<p></p>
|
||||
</div>
|
||||
<div class="modal-footer">
|
||||
<button type="button" class="btn btn-flat btn-default pull-left" id="button_cancel" name="purge" value="OFF" data-dismiss="modal" >Cancel</button>
|
||||
<button type="button" class="btn btn-flat btn-success" id="button_confirm">Confirm</button>
|
||||
</div>
|
||||
</div>
|
||||
<!-- /.modal-content -->
|
||||
</div>
|
||||
<!-- /.modal-dialog -->
|
||||
</div>
|
||||
|
||||
|
||||
<div class="modal fade modal-warning" id="modal_warning" data-keyboard="false" data-backdrop="static">
|
||||
<div class="modal-dialog">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<button type="button" class="close" data-dismiss="modal" aria-label="Close" id="warning_X" >
|
||||
<span aria-hidden="true">×</span>
|
||||
</button>
|
||||
<h4 class="modal-title">Warning</h4>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<p></p>
|
||||
</div>
|
||||
<div class="modal-footer">
|
||||
<button type="button" class="btn btn-flat btn-success" id="button_warning_confirm">Yes I understand</button>
|
||||
</div>
|
||||
</div>
|
||||
<!-- /.modal-content -->
|
||||
</div>
|
||||
<!-- /.modal-dialog -->
|
||||
</div>
|
||||
|
||||
|
||||
{% endblock %}
|
||||
|
|
|
|||
Loading…
Reference in a new issue