17621 Commits

Author SHA1 Message Date
Ad Schellevis
cb6ec88a16 Interfaces: Wireless: Devices - try to remove mac trickery for hostapd for https://github.com/opnsense/core/issues/8079
All of this stuff looks really old; it seems to originate from 864bf77420, which might be an issue that doesn't actually exist anymore.
2024-11-22 08:50:09 +01:00
Franco Fichtner
d4378f00b3 firmware: opnsense-update -Q now installs the tests set
Since the test set follows the kernel it would be better to just
support it in opnsense-update which is done.  "qyua" can use this
to bootstrap and we do not have to worry about fetch env for this
optional component as it cannot be installed from the GUI or console
menu.
2024-11-22 08:12:08 +01:00
Franco Fichtner
f8e8969a96 firmware: add minimal tests set implementation 2024-11-21 10:47:52 +01:00
Franco Fichtner
72018838d0 src: style sweep 2024-11-21 09:21:29 +01:00
Franco Fichtner
6603fb72ed firmware: hide PIPEFILE, LOCKFILE; some minor tweaks 2024-11-21 09:13:28 +01:00
Ad Schellevis
78cf96c579
System: Access: migrate Users and Groups to MVC/API (#8046)
* System: Access: Groups - in preparation for https://github.com/opnsense/core/issues/7904, add support for comma separated member lists.

If we convert groups to a model, we will switch the nested <member> tags into comma separated fields, e.g.

	<member>1</member>
	<member>12</member>

will convert to:

	<member>1,12</member>

Using this commit we support both in areas where these are being read.

* System: Access: Users - refactor to MVC (https://github.com/opnsense/core/issues/7904)

* add initial boilerplate
* unpack `<priv/>` field on first access
* unpack `<apikeys/>` field on first access and implement key actions into ApiKeyField
* add apikey grid in user management view
* change isset() to !empty() for users disabled flag in backend code
* move user attributes into dialog
* hook PrivField type to \OPNsense\Core\ACL()
* refactor Auth/API to use new User class
* otp seed logic with simple api call to generate new seeds and some JS glue for the frontend
* uid autonumber field
* language selector using get_locale_list() via configd (cached)
* add StoreB64Field field for authorizedkeys so we can keep the field contents backwards compatible.
* ExpiresField for custom date parsing, supporting previous input formats as well.
* group membership using a volatile custom field type, controller is responsible for persisting the configuration data to avoid entanglement between models
* add button which links to most likely user certs (based on commonname), to avoid all sorts of magic to reflect certs back into the usermanager.
* add getUserPrivs() to model so we can fetch a full list of privs for a user
* show user icons, long this might be less relevant
* add addApiKeyAction() to create a new api key for a user (by name)
* download new api key from user view
* implement hashing when setting a new (or scrambled) password
* use new "auth sync user" event to trigger local user db changes
* in API authenticator keep createKey and dropKey as stubs to the new model implementation
* prevent removal of "system" users (root)
* hook ACL and Menu
* add Group administration using the same logic as users
* cleanup unused
* add System: Access: Privileges to manage and change user and group privileges

* System: Access: Users - refactor to MVC (https://github.com/opnsense/core/issues/7904)

review comments from @Monviech

* "Create and Download API Key for this user" refresh apikeys bootgrid
* "Users" bootgrid, add some columns
* rename "Username" to "Group Name" in group edit
* Disable sorting the bootgrid by "Users" and "Groups" as these are aggregated/formatted columns

* System: Access: Privileges - fix updating groups dropping privileges for https://github.com/opnsense/core/pull/8046

* System: Access: Users - hook group model for https://github.com/opnsense/core/issues/7904

* System: Access: Users - add some safety fences to prevent accidental removal of rights https://github.com/opnsense/core/issues/7904

* Update src/opnsense/service/conf/actions.d/actions_auth.conf

* Update src/opnsense/service/conf/actions.d/actions_auth.conf

* System: Access: Users - remove userDNmap support as it belonged to the import https://github.com/opnsense/core/issues/7904

* System: Access: migrate Users and Groups to MVC/API (https://github.com/opnsense/core/pull/8046), review comments

* System: Access: migrate Users and Groups to MVC/API (https://github.com/opnsense/core/pull/8046)

o align "policy change for %s unlink group" with master (unlink when duplicates exist)

* System: Access: migrate Users and Groups to MVC/API (https://github.com/opnsense/core/pull/8046)

Refactor the add user event so it utilizes our new model instead of direct config access; while performing the operation, also make sure we lock/unlock the config.xml.

* System: Access: migrate Users and Groups to MVC/API (https://github.com/opnsense/core/pull/8046)

replace page-system-groupmanager-addprivs with page-system-usermanager-addprivs

* plist

---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
2024-11-21 08:50:01 +01:00
Franco Fichtner
ae97263e46 system: fix TOTP regression 2024-11-20 13:05:16 +01:00
Franco Fichtner
f36aacf08f firmware: use REQUEST to print a TLS/CRL usage hint
Also create output_text and output_cmd to allow for neater
firmware scripts with less duplication and use it in the
connectivity audit.
2024-11-20 11:14:04 +01:00
Ad Schellevis
fd236e0be5 System: Access: Servers - [https://github.com/opnsense/core/issues/8065] fix regression in a7104ab771 2024-11-19 15:04:27 +01:00
Franco Fichtner
74ec5c5f46 src: style sweep 2024-11-19 14:57:50 +01:00
Ad Schellevis
a7104ab771 System: Access: Servers - some logic changes for "Default groups" option https://github.com/opnsense/core/issues/8065
* we expect memberof instead of memberOf in our ldap responses; make sure we lowercase the response at all times
* make $memberof optional when pushing default groups

The scenarios we should support are the following:

1. groups are synchronized via ldap/radius and users are created when they don't exist, which means existing groups will be altered after login to equal "memberOf" + optional default group[s]
2. groups are not synchronized via ldap/radius, but default groups exist, in which case default group[s] will be added when not yet assigned, no groups will be removed
2024-11-19 13:50:19 +01:00
pieewiee
37c9deab89
feat(dhcp): add dhcp-socket-type option to Kea DHCP server (#8069)
* feat(dhcp): add dhcp-socket-type option to Kea DHCP server

This adds the ability to configure the DHCP socket type (UDP/Raw) in the
Kea DHCP server settings through the web UI.

- Added socket type field to model definition
- Added dropdown in general settings form
- Updated config generation to include socket type setting

* changed default value for dhcp_socket_type to raw

* bumped version number for KeaDhcpv4.xml
2024-11-19 12:05:29 +01:00
Ad Schellevis
e70cd0c611 System: Access: Servers - add "Default groups" option to add standard groups when a radius/ldap user logs in. closes https://github.com/opnsense/core/issues/8065 (fix ldap connector, remove read properties requirement) 2024-11-19 08:48:10 +01:00
Franco Fichtner
3a696d257d src: style 2024-11-19 08:11:36 +01:00
Franco Fichtner
f68ff83043 src: whitespace 2024-11-19 08:10:12 +01:00
Franco Fichtner
3cf5160e72 src: whitespace 2024-11-19 08:07:55 +01:00
Franco Fichtner
e6fb8194d0 src: whitespace 2024-11-19 08:06:23 +01:00
doktornotor
4c2619dead
Services: Intrusion Detection: limit stats.log logging (#7857)
* Reduce pointless logging

Mitigates https://github.com/opnsense/core/issues/7101

* Do not compress stats.log on log rotation

This reverts 55ac1715bf done for https://github.com/opnsense/core/issues/4085

Nothing else in OPNsense compresses the logs on rotation, the compression is very much pointless on ZFS with lz4 compression enabled by default, plus sanitizing the stats interval reduces the log size to a sane value, smaller than what was previously achieved by gzip on log rotation.
2024-11-18 21:31:39 +01:00
Ad Schellevis
a94e08ec66 Squashed commit of the following:
commit a59dc4394043aa5fce060426f13d965ab3c6679f
Author: Ad Schellevis <ad@opnsense.org>
Date:   Mon Nov 18 21:16:13 2024 +0100

    Services: Kea DHCP [new]: Leases DHCPv4 - minor cleanups for https://github.com/opnsense/core/pull/8053

commit 9986eca14c4ee72675bedc31953cefe60a6659cd
Merge: d23170c05 8d0ab40c5
Author: cpalv <13182421+cpalv@users.noreply.github.com>
Date:   Mon Nov 11 23:46:43 2024 -0600

    Merge branch 'opnsense:master' into mac-db

commit d23170c05f3d511000d8302dd2403c0761d757ac
Author: eddie <13182421+cpalv@users.noreply.github.com>
Date:   Mon Nov 11 23:45:16 2024 -0600

    Add MAC formatter, removed unclosed table row tag

    macformatter will include the hardware manufacturer info (if it exists) in the same table cell as MAC address

    Removed unclosed 'tr' tag. Linked 'hwaddr' column to macformatter. Adjusted spacing.

commit 04e7cf40ee809b3afdcc203d27cd3ed9cd9ff128
Author: eddie <13182421+cpalv@users.noreply.github.com>
Date:   Mon Nov 11 23:39:30 2024 -0600

    add MAC manufacturer info to dhcp lease record
2024-11-18 21:17:39 +01:00
Franco Fichtner
db8005b186 system: ignore monitor status on boot 2024-11-18 16:42:52 +01:00
Ad Schellevis
e40596e16e System: Access: Servers - add "Default groups" option to add standard groups when a radius/ldap user logs in. closes https://github.com/opnsense/core/issues/8065 2024-11-16 20:36:56 +01:00
Franco Fichtner
5f533d4573 src: scrub 2024-11-14 11:48:05 +01:00
Ad Schellevis
89ef336bd9 Trust: flush openssl.cnf to /etc/ssl/openssl.cnf as well (redux) 2024-11-14 11:45:33 +01:00
Franco Fichtner
9c08cd9abd src: style change 2024-11-14 11:42:11 +01:00
Franco Fichtner
d46b8e5766 firmware: debug output 2024-11-14 11:39:26 +01:00
Franco Fichtner
6efafb6d1b firmware: we write /etc/ssl/openssl.cnf now 2024-11-14 11:25:51 +01:00
Ad Schellevis
3f6cec92c4 Trust: flush openssl.cnf to /etc/ssl/openssl.cnf as well 2024-11-14 11:12:21 +01:00
Franco Fichtner
0d067d973a firmware: force CRL check on development deployment 2024-11-14 10:40:25 +01:00
Franco Fichtner
b24dbb8904 firmware: remove unused 2024-11-14 10:37:19 +01:00
Franco Fichtner
8a1965e094 firmware: move bogons fetch to firmware scripts
Be done with the retry and use the launcher.sh -r argument for
the cron-based execution.  Leave the backend commands where they
are.

Since the file had no copyright header looking at the old code
it looks like Bill and Scott worked on the file first in 2005.
Not really concerned with consecutive history here for lack of
creating a copyright header for so long.
2024-11-14 10:36:17 +01:00
Franco Fichtner
4d7f2616dd firmware: generalise the output handling
This also moves the initial output to the start of the script
again which clears and seeds the output file so the GUI picks
up the right operation immediately.  This was a problem during
CRL setup which may delay the execution too much.

Make the output_done() and output_reboot() both never return
which simplifies the code a bit.

There is more potential for improved output handling but for
the time being this should suffice to fix the current glitches.
2024-11-14 09:58:01 +01:00
Franco Fichtner
1a5e4b6922 firmware: changelogs did not take env 2024-11-13 16:23:56 +01:00
Franco Fichtner
567296b476 firmware: seems to make sense 2024-11-13 16:23:00 +01:00
Franco Fichtner
b0fdeae6d2 Revert "firmware: when calling one of the predefined commands via our launcher, the environment should be initialized."
This reverts commit 1ff4c95f115028cd3786f249ef77500767c904bf.

Intended side effect so that the launcher will have access to the vars
published by config.sh -- when the launcher starts the actual script
the script itself will source the config.sh again causing the env_init()
to be called for all participating COMMANDS.  This ensures the env_init()
call is locked by default.
2024-11-13 16:06:31 +01:00
Monviech
3b54ba517f
routing/gateways: Fix ipv4 and ipv6 validation not being displayed in the gateway form (#8060) 2024-11-13 14:54:11 +01:00
Franco Fichtner
41d8cf30c9 src: small audit regarding "pkg" use
Running the grep below lights up a few spots still:

    # git grep 'pkg[^/\[\.a-z'"'"',()_+"]'

Make a few decisions for the future:

* Use "pkg-static" outside the firmware code consistently
  with a full path
* Modify ambiguous code or comments to not be found by the
  grep above
* Firmware uses PKG now if we ever have to pivot to pkg-static
  or when we need to otherwise modify the call.

The goal of this exercise was to find all stray package manager
spots that may run their own embedded pkg-update without the
proper environment which should be gone for now.
2024-11-13 11:59:47 +01:00
Franco Fichtner
3849d4cbc5 firmware: use PKG variable for scripting, part 2 2024-11-13 11:43:27 +01:00
Franco Fichtner
2ab6cad193 firmware: use PKG variable for scripting, part 1 2024-11-13 11:34:17 +01:00
Franco Fichtner
70a59f8ad3 firmware: protect details.sh, reboot.sh and query.sh 2024-11-13 11:00:11 +01:00
Franco Fichtner
536166095c test: move opnsense-atf to debug plugin 2024-11-13 08:12:01 +01:00
Ad Schellevis
1ff4c95f11 firmware: when calling one of the predefined commands via our launcher, the environment should be initialized.
While debugging some missing TLS parameters, I noticed the ciphers were different than expected. Digging a bit deeper seemed to indicate env_init() wasn't called on my end.
If SELF should be the command, the intention was likely to pass the parameter instead of the script name (which is always launcher).

cc @fichtner
2024-11-12 18:23:47 +01:00
Franco Fichtner
2ff993ea57 test: improve opnsense-atf to run more pf tests
This needs more restructuring in a plugin perhaps or being
added to os-debug.  Sounds like a useful next step.  :)
2024-11-12 17:03:33 +01:00
Franco Fichtner
c7f9b4b13a test: add a script to run atf-sh based tests 2024-11-12 15:27:08 +01:00
Franco Fichtner
875d31b234 mvc: touchup on ApiMutableServiceControllerBase
If we need to reload only ask once and avoid probing service status
in that case as we do not need it.
2024-11-12 12:28:03 +01:00
Franco Fichtner
8d0ab40c56 mvc: always do stop/start on forced restart
If 'nocheck' is used the service appears running and reload will
do nothing.
2024-11-11 12:32:54 +01:00
Franco Fichtner
c30b46bd27 wireguard: captain obvious left the building 2024-11-11 12:24:31 +01:00
Stephan de Wit
deb097bd67 filter: add 'Action' property to list of retrieved rules 2024-11-11 09:04:23 +01:00
Franco Fichtner
f405b6211a interfaces: refactor a bit more, add a separate log message #7027 2024-11-09 09:56:14 +01:00
Franco Fichtner
a86c7106ed backend: add 'configd environment' to quickly test resulting env
PR: https://forum.opnsense.org/index.php?topic=43474.0
2024-11-08 14:57:41 +01:00
TotalGriffLock
f5c4504a1d Update opnsense-version
Restored pre-2019 default output format
2024-11-08 14:34:32 +01:00