

Merge pull request #1217 from GlobalNOC/cgi-permissions-review
update permissions on various webservice methods
jonstout authored Sep 23, 2020
2 parents 6f5aee1 + 391dc2d commit a606b43
Showing 3 changed files with 84 additions and 35 deletions.
80 changes: 59 additions & 21 deletions frontend/webservice/admin/admin.cgi
Expand Up @@ -696,11 +696,6 @@ sub register_webservice_methods {
callback => sub { get_remote_links(@_) } );
$svc->register_method($method);

$method = GRNOC::WebService::Method->new( name => 'submit_topology',
description => '',
callback => sub { submit_topology(@_) } );
$svc->register_method($method);

$method = GRNOC::WebService::Method->new( name => 'get_remote_devices',
description => '',
callback => sub { get_remote_devices(@_) } );
Expand Down Expand Up @@ -881,6 +876,12 @@ sub get_diffs {
my ( $method, $args ) = @_ ;
my $approved = $args->{'approved'}{'value'};

my ($ok, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role => 'read-only');
if (defined $err) {
$method->set_error($err);
return;
}

my $diffs = $db->get_diffs($approved);
if (!defined $diffs) {
$method->set_error($db->get_error());
Expand All @@ -893,6 +894,12 @@ sub get_diffs {
sub get_diff_text {
my ( $method, $args ) = @_ ;

my ($ok, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role => 'read-only');
if (defined $err) {
$method->set_error($err);
return;
}

my $node_id = $args->{'node_id'}{'value'};
require OESS::RabbitMQ::Client;
my $mq = OESS::RabbitMQ::Client->new(
Expand Down Expand Up @@ -930,6 +937,12 @@ sub set_diff_approval {
my $approved = $args->{'approved'}{'value'};
my $node_id = $args->{'node_id'}{'value'};

my ($ok, $err) = OESS::DB::User::has_system_access(db => $db2, role => 'normal', username => $ENV{REMOTE_USER});
if (defined $err) {
$method->set_error($err);
return;
}

if ($approved != 1) {
$method->set_error("Diffs may only be approved via the web API.");
return;
Expand All @@ -947,8 +960,6 @@ sub set_diff_approval {
sub get_circuits_on_interface{
my ($method, $args) = @_;


#my ($user, $err) = authorization(admin => 1, read_only => 1);
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role=>'read-only');
if (defined $err) {
$method->set_error($err);
Expand Down Expand Up @@ -989,8 +1000,7 @@ sub insert_node_in_path{
sub is_new_node_in_path{
my ($method, $args) = @_;

#my ($user, $err) = authorization(admin => 1, read_only => 0);
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username =>$ENV{'REMOTE_USER'}, role=> 'normal');
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username =>$ENV{'REMOTE_USER'}, role=> 'read-only');
if (defined $err) {
$method->set_error($err);
return;
Expand All @@ -1007,8 +1017,7 @@ sub is_new_node_in_path{
sub is_ok_to_decom{
my ($method, $args) = @_;

#my ($user, $err) = authorization(admin => 1, read_only => 0);
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role=>'normal');
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role => 'read-only');
if (defined $err) {
$method->set_error($err);
return;
Expand Down Expand Up @@ -1248,12 +1257,29 @@ sub update_interface_owner {
sub add_workgroup {
my ($method, $args) = @_;

#my ($user, $err) = authorization(admin => 1, read_only => 0);
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role=>'normal');
if (defined $err) {
$method->set_error($err);
my $ok;

my $user = new OESS::User(db => $db2, username => $ENV{REMOTE_USER});
$user->load_workgroups;
foreach my $wg (@{$user->workgroups}) {
if ($wg->{role} eq 'admin') {
$ok = 1;
last;
}
}
if (!$ok) {
($ok, undef) = OESS::DB::User::has_system_access(db => $db2, role => 'normal', username => $ENV{REMOTE_USER});
}
if (!$ok) {
$method->set_error('Not authorized.');
return;
}


#my ($user, $err) = authorization(admin => 1, read_only => 0);
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role=>'normal');


my $results;
my $model = {
name => $args->{'name'}{'value'},
Expand Down Expand Up @@ -2506,8 +2532,7 @@ sub get_pending_links {
sub gen_topology{
my ($method, $args) = @_;

# my ($user, $err) = authorization(admin => 1, read_only => 1);
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role => 'read-only');
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role => 'read-only');
if (defined $err) {
$method->set_error($err);
return;
Expand All @@ -2520,7 +2545,7 @@ sub gen_topology{
$results->{'results'} = [];
$results->{'error'} = 1;
$results->{'error_text'} = $db->get_error();
}
}
else {
$results->{'results'} = [{'topo' => $topo}];
}
Expand All @@ -2536,7 +2561,13 @@ sub edit_workgroup{
return;
}

my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role => $workgroup->{type});
my $ok;
my $err;
if ($workgroup->type eq 'admin') {
($ok, $err) = OESS::DB::User::has_system_access(db => $db2, role => 'admin', username => $ENV{REMOTE_USER});
} else {
($ok, $err) = OESS::DB::User::has_workgroup_access(db => $db2, role => 'admin', username => $ENV{REMOTE_USER}, workgroup_id => $args->{workgroup_id}{value});
}
if (defined $err) {
$method->set_error($err);
return;
Expand Down Expand Up @@ -2580,12 +2611,19 @@ sub decom_workgroup{
$method->set_error("No workgroup with that ID found");
return;
}
#Check if the user is authorized to decom the workgroup if level of access depneding on type of workgroup
my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role => $workgroup->{type});

my $ok;
my $err;
if ($workgroup->type eq 'admin') {
($ok, $err) = OESS::DB::User::has_system_access(db => $db2, role => 'admin', username => $ENV{REMOTE_USER});
} else {
($ok, $err) = OESS::DB::User::has_workgroup_access(db => $db2, role => 'admin', username => $ENV{REMOTE_USER}, workgroup_id => $args->{workgroup_id}{value});
}
if (defined $err) {
$method->set_error($err);
return;
}

# Gather interfaces to remove the acls and start the transaction
my $interfaces = OESS::DB::Interface::get_interfaces(db => $db2, workgroup_id => $workgroup_id);

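Review bot: The new guards in get_diffs, get_diff_text and set_diff_approval discard the first value returned by OESS::DB::User::has_system_access and test only `defined $err`; add_workgroup in this same commit branches on `$ok` alone, which suggests a denial can also arrive as a false first value with no `$err`, and under that contract these checks would let the request continue. A form that is correct under either contract is `if (!$ok || defined $err) { $method->set_error($err // 'Not authorized.'); return; }` (defined-or needs Perl 5.10+); the same applies to the six node/link maintenance subs in maintenance.cgi and to get_workgroup_interfaces in interface.cgi. In add_workgroup the new authorization block is followed by a second, unread `my ($result, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{'REMOTE_USER'}, role=>'normal');` under a stale `#my ($user, $err) = authorization(...)` comment; drop both so the only access decision is the one that sets 'Not authorized.'. That block also uses indirect object syntax, `my $user = new OESS::User(...)`; write `my $user = OESS::User->new(db => $db2, username => $ENV{REMOTE_USER});` and return an error if `$user` is undefined before calling `load_workgroups`, and confirm that the objects from `$user->workgroups` really expose `$wg->{role}` as a hash key while edit_workgroup and decom_workgroup use the `$workgroup->type` accessor. In edit_workgroup and decom_workgroup a workgroup-level admin is now sufficient for non-admin workgroups, so if the edit payload (outside the hunk) can change `type`, that transition should still require the system 'admin' role, otherwise a workgroup admin could promote their own workgroup.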
28 changes: 14 additions & 14 deletions frontend/webservice/admin/maintenance.cgi
Expand Up @@ -246,9 +246,9 @@ sub node_maintenances {
my $results;
my $node_id = $args->{'node_id'}{'value'};

my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_AUTH}, role => 'normal');
my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_USER}, role => 'read-only');
if (defined $err) {
$method->get_error($err);
$method->set_error($err);
return;
}
my $data;
Expand All @@ -273,9 +273,9 @@ sub start_node_maintenance {
my $node_id = $args->{'node_id'}{'value'};
my $description = $args->{'description'}{'value'};

my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_AUTH}, role => 'normal');
my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_USER}, role => 'normal');
if (defined $err) {
$method->get_error($err);
$method->set_error($err);
return;
}
if (!defined $node_id) {
Expand Down Expand Up @@ -324,9 +324,9 @@ sub end_node_maintenance {
my $results;
my $node_id = $args->{'node_id'}{'value'};

my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_AUTH}, role => 'normal');
my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_USER}, role => 'normal');
if (defined $err) {
$method->get_error($err);
$method->set_error($err);
return;
}
my $data = $db->end_node_maintenance($node_id);
Expand Down Expand Up @@ -354,10 +354,10 @@ sub link_maintenances {
my ( $method, $args ) = @_ ;
my $results;
my $link_id = $args->{'link_id'}{'value'};
my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_AUTH}, role => 'normal');

my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_USER}, role => 'read-only');
if (defined $err) {
$method->get_error($err);
$method->set_error($err);
return;
}
my $data;
Expand All @@ -369,7 +369,7 @@ sub link_maintenances {

if (!defined $data) {
$method->set_error("Failed to retrieve links under maintenance.");
return;
return;
}
$results->{'results'} = $data;
return $results;
Expand All @@ -382,9 +382,9 @@ sub start_link_maintenance {
my $link_id = $args->{'link_id'}{'value'};
my $description = $args->{'description'}{'value'};

my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_AUTH}, role => 'normal');
my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_USER}, role => 'normal');
if (defined $err) {
$method->get_error($err);
$method->set_error($err);
return;
}
if (!defined $link_id) {
Expand Down Expand Up @@ -428,9 +428,9 @@ sub end_link_maintenance {
my $results;
my $link_id = $args->{'link_id'}{'value'};

my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_AUTH}, role => 'normal');
my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_USER}, role => 'normal');
if (defined $err) {
$method->get_error($err);
$method->set_error($err);
return;
}
my $data = $db->end_link_maintenance($link_id);
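Review bot: After the REMOTE_AUTH to REMOTE_USER and get_error to set_error corrections, node_maintenances, start_node_maintenance, end_node_maintenance, link_maintenances, start_link_maintenance and end_link_maintenance all carry a byte-identical five-line guard that differs only in the role string; a small file-level helper would leave the role as the one visible argument per endpoint and give a single place to harden the check. Each of these subs continues past its hunk, so the replacement below is for the guard lines only; `//` needs Perl 5.10 or later, and 'Not authorized.' is the wording admin.cgi already uses.
```perl
# Shared guard for the maintenance endpoints: true when REMOTE_USER holds at
# least $role; otherwise records the error on $method and returns false.
sub _require_system_role {
    my ($method, $role) = @_;
    my ($auth, $err) = OESS::DB::User::has_system_access(db => $db2, username => $ENV{REMOTE_USER}, role => $role);
    if (!$auth || defined $err) {
        $method->set_error($err // 'Not authorized.');
        return 0;
    }
    return 1;
}

# … in each endpoint, in place of the inline has_system_access check …
return unless _require_system_role($method, 'normal');
```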
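--- a/frontend/webservice/interface.cgi
+++ b/frontend/webservice/interface.cgi
@@ -162,6 +162,17 @@ sub get_workgroup_interfaces{
 my $workgroup_id = $params->{'workgroup_id'}{'value'};
 my $vlan = $params->{'vlan'}{'value'};
 
+my ($ok, $err) = OESS::DB::User::has_workgroup_access(
+db => $db,
+username => $ENV{REMOTE_USER},
+workgroup_id => $params->{workgroup_id}->{value},
+role => 'read-only'
+);
+if (defined $err) {
+$method->set_error($err);
+return;
+}
+
 my $workgroup = OESS::Workgroup->new( workgroup_id => $workgroup_id, db => $db);
 my $interfaces = $workgroup->interfaces();
 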
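Review bot: get_workgroup_interfaces already copies the id into `$workgroup_id` two lines above the new check but passes `$params->{workgroup_id}->{value}` to has_workgroup_access; use the local, `workgroup_id => $workgroup_id,`, so the access check and the OESS::Workgroup lookup below it are guaranteed to refer to the same value. Nothing rejects a missing workgroup_id before the check, so has_workgroup_access receives undef in that case; unless it is documented to return an error for an undefined workgroup, add `if (!defined $workgroup_id) { $method->set_error('workgroup_id is required.'); return; }` ahead of it so the request fails closed. The enclosing sub continues past the hunk.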

