Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

System: Access: migrate Users and Groups to MVC/API #8046

Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
+2,534 −2,276
Draft

System: Access: migrate Users and Groups to MVC/API #8046

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9457098
System: Access: Groups - in preperation for https://github.com/opnsen…
AdSchellevis Nov 6, 2024
ad5bbe7
System: Access: Users - refactor to MVC (https://github.com/opnsense/…
AdSchellevis Oct 12, 2024
5e38b5d
System: Access: Users - refactor to MVC (https://github.com/opnsense/…
AdSchellevis Nov 13, 2024
544c216
System: Access: Privileges - fix updating groups dropping privileges …
AdSchellevis Nov 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
113 changes: 0 additions & 113 deletions src/etc/inc/auth.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,31 +216,6 @@ function userIsAdmin($username)
return userHasPrivilege($user, 'page-all');
}

function auth_get_shells($uid = 0)
{
$shells = ['' => '/usr/sbin/nologin'];

if ($uid == 0) {
$shells = ['' => '/usr/local/sbin/opnsense-shell'];
}

$etc_shells = @file_get_contents('/etc/shells');
if (!empty($etc_shells)) {
$etc_shells = explode("\n", $etc_shells);
foreach ($etc_shells as $shell) {
$shell = trim($shell);
if (
!empty($shell) && strpos($shell, '#') !== 0 &&
strpos($shell, '/usr/local/sbin/opnsense-') !== 0
) {
$shells[$shell] = $shell;
}
}
}

return $shells;
}

function local_sync_accounts()
{
global $config;
Expand Down Expand Up @@ -428,17 +403,6 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
mwexecf('/usr/sbin/pw %s %s', array($lock_account, $user_name), true);
}

function local_user_del($user)
{
/* remove all memberships */
local_user_set_groups($user);

/* delete from pw db */
mwexecf('/usr/sbin/pw userdel -n %s -r', $user['name']);

/* Delete user from groups needs a call to write_config() */
local_group_del_user($user);
}

function local_user_set_password(&$user, $password = null)
{
Expand Down Expand Up @@ -508,77 +472,6 @@ function local_user_get_groups($user)
return $groups;
}

function local_user_set_groups($user, $new_groups = null)
{
global $config, $groupindex;

if (!isset($config['system']['group'])) {
return;
}

$cur_groups = local_user_get_groups($user);
$mod_groups = array();

if (!is_array($new_groups)) {
$new_groups = array();
}

if (!is_array($cur_groups)) {
$cur_groups = array();
}

/* determine which memberships to add */
foreach ($new_groups as $groupname) {
if (in_array($groupname, $cur_groups) || !isset($groupindex[$groupname])) {
// continue if group is already in current list or the groupname is invalid
continue;
}
$group = &config_read_array('system', 'group', $groupindex[$groupname]);
$group['member'][] = $user['uid'];
$mod_groups[] = $group;
}

/* determine which memberships to remove */
foreach ($cur_groups as $groupname) {
if (in_array($groupname, $new_groups)) {
continue;
}
if (!isset($config['system']['group'][$groupindex[$groupname]])) {
continue;
}
$group = &config_read_array('system', 'group', $groupindex[$groupname]);
if (is_array($group['member'])) {
$index = array_search($user['uid'], $group['member']);
array_splice($group['member'], $index, 1);
$mod_groups[] = $group;
}
}

/* sync all modified groups */
foreach ($mod_groups as $group) {
local_group_set($group);
}
}

function local_group_del_user($user)
{
global $config;

if (!isset($config['system']['group'])) {
return;
}

foreach ($config['system']['group'] as $group) {
if (isset($group['member'])) {
foreach ($group['member'] as $idx => $uid) {
if ($user['uid'] == $uid) {
unset($config['system']['group']['member'][$idx]);
}
}
}
}
}

function local_group_set($group)
{
if (!isset($group['name']) || !isset($group['gid'])) {
Expand Down Expand Up @@ -607,12 +500,6 @@ function local_group_set($group)
mwexecf('/usr/sbin/pw %s %s -g %s -M %s', array($group_op, $group_name, $group_gid, $group_members));
}

function local_group_del($group)
{
/* delete from group db */
mwexecf('/usr/sbin/pw groupdel %s', $group['name']);
}


/**
* @param $name string name of the authentication system configured on the authentication server page or 'Local Database' for local authentication
Expand Down
95 changes: 95 additions & 0 deletions src/opnsense/mvc/app/controllers/OPNsense/Auth/Api/GroupController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
<?php

/*
* Copyright (C) 2024 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/

namespace OPNsense\Auth\Api;

use OPNsense\Base\ApiMutableModelControllerBase;
use OPNsense\Base\UserException;
use OPNsense\Core\Backend;
use OPNsense\Core\Config;

/**
* Class GroupController
* @package OPNsense\Auth\Api
*/
class GroupController extends ApiMutableModelControllerBase
{
protected static $internalModelName = 'group';
protected static $internalModelClass = 'OPNsense\Auth\Group';


public function searchAction()
{
return $this->searchBase('group');
}

public function getAction($uuid = null)
{
return $this->getBase('group', 'group', $uuid);
}

public function addAction()
{
$result = $this->addBase('group', 'group');
if ($result['result'] != 'failed') {
$data = $this->request->getPost(static::$internalModelName);
(new Backend())->configdRun('auth sync group '. $data['name']);
}
return $result;
}

public function setAction($uuid = null)
{
$result = $this->setBase('group', 'group', $uuid);
if ($result['result'] != 'failed') {
$data = $this->request->getPost(static::$internalModelName);
(new Backend())->configdRun('auth sync group '. $data['name']);
}
return $result;
}

public function delAction($uuid)
{
$groupname = null;
if ($this->request->isPost()) {
Config::getInstance()->lock();
$node = $this->getModel()->getNodeByReference('group.' . $uuid);
if ($node->scope == 'system') {
throw new UserException(sprintf(gettext("Not allowed to delete system group %s"), $node->name));
}
if (!empty($node)) {
$groupname = (string)$node->name;
}
}
$result = $this->delBase('group', $uuid);
if ($groupname != null) {
(new Backend())->configdRun('auth sync group '. $groupname);
}
return $result;
}
}
143 changes: 143 additions & 0 deletions src/opnsense/mvc/app/controllers/OPNsense/Auth/Api/PrivController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
<?php

/*
* Copyright (C) 2024 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/

namespace OPNsense\Auth\Api;

use OPNsense\Base\ApiMutableModelControllerBase;
use OPNsense\Auth\User;
use OPNsense\Auth\Group;
use OPNsense\Core\ACL;
use OPNsense\Core\Config;


/**
* Class PrivController
* @package OPNsense\Auth\Api
*/
class PrivController extends ApiMutableModelControllerBase
{
protected static $internalModelName = 'priv';
protected static $internalModelClass = 'OPNsense\Auth\Priv';


public function searchAction()
{
$userprivs = [];
$groupprivs = [];
foreach ((new User())->user->iterateItems() as $user) {
foreach (explode(',', $user->priv->getCurrentValue()) as $priv) {
if (!isset($userprivs[$priv])) {
$userprivs[$priv] = [];
}
$userprivs[$priv][] = (string)$user->name;
}
}
foreach ((new Group())->group->iterateItems() as $group) {
foreach (explode(',', $group->priv->getCurrentValue()) as $priv) {
if (!isset($groupprivs[$priv])) {
$groupprivs[$priv] = [];
}
$groupprivs[$priv][] = (string)$group->name;
}
}

$records = [];
foreach ((new ACL())->getPrivList() as $auth => $props) {
$records[] = [
'id' => $auth,
'name' => $props['name'],
'match' => implode("\n", $props['match'] ?? []),
'users' => $userprivs[$auth] ?? [],
'groups' => $groupprivs[$auth] ?? [],
];
}
return $this->searchRecordsetBase($records);
}

public function getItemAction($id)
{
$result = parent::getAction();
if (isset($result['priv'])) {
$result['priv']['id'] = $id;
foreach ((new User())->user->iterateItems() as $uuid => $user) {
if (
in_array($id, explode(',', $user->priv->getCurrentValue())) &&
isset($result['priv']['users'][$uuid])
) {
$result['priv']['users'][$uuid]['selected'] = 1;
}
}
foreach ((new Group())->group->iterateItems() as $uuid => $group) {
if (
in_array($id, explode(',', $group->priv->getCurrentValue())) &&
isset($result['priv']['groups'][$uuid])
) {
$result['priv']['groups'][$uuid]['selected'] = 1;
}
}
}

return $result;
}

public function setItemAction($id)
{
if ($this->request->isPost()) {
Config::getInstance()->lock();
}
$result = parent::setAction();
if ($result['result'] != 'failed') {
$mdl = $this->getModel();
$usermdl = new User();
$groupmdl = new Group();
foreach ([$usermdl->user, $groupmdl->group] as $topic) {
if ($topic == $usermdl->user) {
$uuids = explode(',', $mdl->users->getCurrentValue());
} else {
$uuids = explode(',', $mdl->groups->getCurrentValue());
}
foreach ($topic->iterateItems() as $uuid => $item) {
$privlist = array_filter(explode(',', $item->priv->getCurrentValue()));
if (!in_array($uuid, $uuids) && in_array($id, $privlist)) {
unset($privlist[array_search($id, $privlist)]);
} elseif (in_array($uuid, $uuids) && !in_array($id, $privlist)) {
$privlist[] = $id;
} else {
continue;
}
$item->priv = implode(',', $privlist);
}
}
$usermdl->serializeToConfig(false, true);
$groupmdl->serializeToConfig(false, true);
Config::getInstance()->save();
}
return $result;
}

}
Loading