setup: store roles in database
parent
0baa788cc0
commit
287cfaa87d
|
@ -33,6 +33,8 @@ class GeneralConfigPage extends Form
|
|||
$appConfigForm->createElements($formData);
|
||||
$appConfigForm->removeElement('global_module_path');
|
||||
$appConfigForm->removeElement('global_config_resource');
|
||||
$appConfigForm->removeElement('global_store_roles_in_db');
|
||||
$this->addElement('hidden', 'global_store_roles_in_db', ['disabled' => true, 'value' => 1]);
|
||||
$this->addElements($appConfigForm->getElements());
|
||||
|
||||
$loggingConfigForm = new LoggingConfigForm();
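Review bot: The `addElement('hidden', 'global_store_roles_in_db', ['disabled' => true, 'value' => 1])` line relies on the `disabled` attribute to keep the setting fixed at 1, but `disabled` only instructs the browser; unless the form layer discards values posted for disabled elements (not visible in this hunk), a submitted `global_store_roles_in_db` may still be picked up when the element is validated and read back. If the value is meant to be non-negotiable for new installations, confirm the element is ignored on input or set the key server-side where the configuration is written instead of round-tripping it through the form. A short why-comment would also help readers, e.g. `// New installations always store roles in the database; this setting is fixed, not user-selectable.` The enclosing method starts and ends outside the hunk.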
|
||||
|
|
|
@ -3,23 +3,29 @@
|
|||
|
||||
namespace Icinga\Module\Setup\Steps;
|
||||
|
||||
use DateTime;
|
||||
use Exception;
|
||||
use Icinga\Application\Config;
|
||||
use Icinga\Common\Database;
|
||||
use Icinga\Data\ConfigObject;
|
||||
use Icinga\Data\ResourceFactory;
|
||||
use Icinga\Exception\IcingaException;
|
||||
use Icinga\Authentication\User\DbUserBackend;
|
||||
use Icinga\Module\Setup\Step;
|
||||
use ipl\Sql\Connection;
|
||||
use ipl\Sql\Insert;
|
||||
|
||||
class AuthenticationStep extends Step
|
||||
{
|
||||
use Database;
|
||||
|
||||
protected $data;
|
||||
|
||||
protected $dbError;
|
||||
|
||||
protected $authIniError;
|
||||
|
||||
protected $permIniError;
|
||||
protected $roleError;
|
||||
|
||||
public function __construct(array $data)
|
||||
{
|
||||
|
@ -29,11 +35,15 @@ class AuthenticationStep extends Step
|
|||
public function apply()
|
||||
{
|
||||
$success = $this->createAuthenticationIni();
|
||||
|
||||
if (isset($this->data['adminAccountData']['resourceConfig'])) {
|
||||
$success &= $this->createAccount();
|
||||
}
|
||||
|
||||
$success &= $this->createRolesIni();
|
||||
if (isset($this->data['rolesResourceConfig'])) {
|
||||
$success &= $this->createRoles();
|
||||
}
|
||||
|
||||
return $success;
|
||||
}
|
||||
|
||||
|
@ -61,34 +71,59 @@ class AuthenticationStep extends Step
|
|||
return true;
|
||||
}
|
||||
|
||||
protected function createRolesIni()
|
||||
protected function createRoles(): bool
|
||||
{
|
||||
if (isset($this->data['adminAccountData']['username'])) {
|
||||
$config = array(
|
||||
'users' => $this->data['adminAccountData']['username'],
|
||||
'permissions' => '*'
|
||||
);
|
||||
|
||||
if ($this->data['backendConfig']['backend'] === 'db') {
|
||||
$config['groups'] = mt('setup', 'Administrators', 'setup.role.name');
|
||||
}
|
||||
} else { // isset($this->data['adminAccountData']['groupname'])
|
||||
$config = array(
|
||||
'groups' => $this->data['adminAccountData']['groupname'],
|
||||
'permissions' => '*'
|
||||
);
|
||||
}
|
||||
|
||||
try {
|
||||
Config::fromArray(array(mt('setup', 'Administrators', 'setup.role.name') => $config))
|
||||
->setConfigFile(Config::resolvePath('roles.ini'))
|
||||
->saveIni();
|
||||
$this->getDb(new ConfigObject($this->data['rolesResourceConfig']))->transaction(function (Connection $db) {
|
||||
$admins = mt('setup', 'Administrators', 'setup.role.name');
|
||||
|
||||
$db->prepexec(
|
||||
(new Insert())
|
||||
->into('icingaweb_role')
|
||||
->columns(['name', 'ctime'])
|
||||
->values([$admins, (new DateTime())->getTimestamp() * 1000])
|
||||
);
|
||||
|
||||
$id = $db->lastInsertId();
|
||||
|
||||
$db->prepexec(
|
||||
(new Insert())
|
||||
->into('icingaweb_role_permission')
|
||||
->columns(['role_id', 'permission', 'allowed'])
|
||||
->values([$id, '*', 'y'])
|
||||
);
|
||||
|
||||
if (isset($this->data['adminAccountData']['username'])) {
|
||||
$db->prepexec(
|
||||
(new Insert())
|
||||
->into('icingaweb_role_user')
|
||||
->columns(['role_id', 'user_name'])
|
||||
->values([$id, $this->data['adminAccountData']['username']])
|
||||
);
|
||||
|
||||
if ($this->data['backendConfig']['backend'] === 'db') {
|
||||
$db->prepexec(
|
||||
(new Insert())
|
||||
->into('icingaweb_role_group')
|
||||
->columns(['role_id', 'group_name'])
|
||||
->values([$id, $admins])
|
||||
);
|
||||
}
|
||||
} else {
|
||||
$db->prepexec(
|
||||
(new Insert())
|
||||
->into('icingaweb_role_group')
|
||||
->columns(['role_id', 'group_name'])
|
||||
->values([$id, $this->data['adminAccountData']['groupname']])
|
||||
);
|
||||
}
|
||||
});
|
||||
} catch (Exception $e) {
|
||||
$this->permIniError = $e;
|
||||
$this->roleError = $e;
|
||||
return false;
|
||||
}
|
||||
|
||||
$this->permIniError = false;
|
||||
$this->roleError = false;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -211,7 +246,7 @@ class AuthenticationStep extends Step
|
|||
$report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->dbError));
|
||||
}
|
||||
|
||||
if ($this->permIniError === false) {
|
||||
if ($this->roleError === false) {
|
||||
$report[] = isset($this->data['adminAccountData']['username']) ? sprintf(
|
||||
mt('setup', 'Account "%s" has been successfully defined as initial administrator.'),
|
||||
$this->data['adminAccountData']['username']
|
||||
|
@ -219,7 +254,7 @@ class AuthenticationStep extends Step
|
|||
mt('setup', 'The members of the user group "%s" were successfully defined as initial administrators.'),
|
||||
$this->data['adminAccountData']['groupname']
|
||||
);
|
||||
} elseif ($this->permIniError !== null) {
|
||||
} elseif ($this->roleError !== null) {
|
||||
$report[] = isset($this->data['adminAccountData']['username']) ? sprintf(
|
||||
mt('setup', 'Unable to define account "%s" as initial administrator. An error occured:'),
|
||||
$this->data['adminAccountData']['username']
|
||||
|
@ -230,7 +265,7 @@ class AuthenticationStep extends Step
|
|||
),
|
||||
$this->data['adminAccountData']['groupname']
|
||||
);
|
||||
$report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->permIniError));
|
||||
$report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->roleError));
|
||||
}
|
||||
|
||||
return $report;
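Review bot: `createRoles()` only runs when `rolesResourceConfig` is set (see the `apply()` hunk) and `roleError` stays `null` when it is skipped, so the report assembled around `return $report` (method starts outside the hunk) emits neither a success nor an error line for the initial administrator; a setup where neither `setup_auth_db_resource` nor `setup_config_db_resource` exists (the `?? null` fallback in the `WebWizard` hunk) therefore completes with the administrator silently undefined, whereas the removed `createRolesIni()` always wrote a role. Either the wizard should guarantee a database resource whenever roles are stored in the database, or `apply()` should record an explicit failure, e.g. `} else { $this->roleError = new IcingaException('No database resource available to store roles'); $success = false; }` (assuming `IcingaException` accepts a plain message as its first argument). The same silent skip applies to the `WebWizard` hunk that builds `rolesResourceConfig`. Also worth confirming: the insert into `icingaweb_role` has no existence check, so re-running the setup against a database that already holds an `Administrators` role will either fail inside the transaction or create a duplicate, depending on the schema's constraints.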
|
||||
|
|
|
@ -97,6 +97,11 @@ class WebWizard extends Wizard implements SetupWizard
|
|||
'icingaweb_group',
|
||||
'icingaweb_group_membership',
|
||||
'icingaweb_user',
|
||||
'icingaweb_role',
|
||||
'icingaweb_role_user',
|
||||
'icingaweb_role_group',
|
||||
'icingaweb_role_permission',
|
||||
'icingaweb_role_restriction',
|
||||
'icingaweb_user_preference',
|
||||
'icingaweb_rememberme',
|
||||
'icingaweb_schema'
|
||||
|
@ -514,11 +519,13 @@ class WebWizard extends Wizard implements SetupWizard
|
|||
$authType = $pageData['setup_authentication_type']['type'];
|
||||
$setup->addStep(
|
||||
new AuthenticationStep(array(
|
||||
'adminAccountData' => $adminAccountData,
|
||||
'backendConfig' => $pageData['setup_authentication_backend'],
|
||||
'resourceName' => $authType === 'db' ? $pageData['setup_auth_db_resource']['name'] : (
|
||||
'adminAccountData' => $adminAccountData,
|
||||
'backendConfig' => $pageData['setup_authentication_backend'],
|
||||
'resourceName' => $authType === 'db' ? $pageData['setup_auth_db_resource']['name'] : (
|
||||
$authType === 'ldap' ? $pageData['setup_ldap_resource']['name'] : null
|
||||
)
|
||||
),
|
||||
'rolesResourceConfig' => $pageData['setup_auth_db_resource']
|
||||
?? $pageData['setup_config_db_resource'] ?? null
|
||||
))
|
||||
);
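Review bot: The `'rolesResourceConfig' => $pageData['setup_auth_db_resource'] ?? $pageData['setup_config_db_resource'] ?? null` expression encodes a precedence (authentication database first, configuration database second, nothing otherwise) that a reader has to reconstruct, since it decides which database the role tables end up in; a one-line comment would make the intent explicit, e.g. `// Roles are stored alongside the authentication DB when one exists, otherwise in the configuration DB`. If the `?? null` case is reachable, stating that in the same comment would save the next maintainer a trip to `AuthenticationStep`. The enclosing method starts outside the hunk.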
|
||||
|
||||
|
|