diff --git a/modules/setup/application/forms/GeneralConfigPage.php b/modules/setup/application/forms/GeneralConfigPage.php
index 5b9f0119d5..a1e26b27e3 100644
--- a/modules/setup/application/forms/GeneralConfigPage.php
+++ b/modules/setup/application/forms/GeneralConfigPage.php
@@ -33,6 +33,8 @@ public function createElements(array $formData)
 $appConfigForm->createElements($formData);
 $appConfigForm->removeElement('global_module_path');
 $appConfigForm->removeElement('global_config_resource');
+ $appConfigForm->removeElement('global_store_roles_in_db');
+ $this->addElement('hidden', 'global_store_roles_in_db', ['disabled' => true, 'value' => 1]);
 $this->addElements($appConfigForm->getElements());
 $loggingConfigForm = new LoggingConfigForm();
diff --git a/modules/setup/library/Setup/Steps/AuthenticationStep.php b/modules/setup/library/Setup/Steps/AuthenticationStep.php
index 3c6c64a164..ad60cefaed 100644
--- a/modules/setup/library/Setup/Steps/AuthenticationStep.php
+++ b/modules/setup/library/Setup/Steps/AuthenticationStep.php
@@ -3,23 +3,29 @@ namespace Icinga\Module\Setup\Steps;
+use DateTime;
 use Exception;
 use Icinga\Application\Config;
+use Icinga\Common\Database;
 use Icinga\Data\ConfigObject;
 use Icinga\Data\ResourceFactory;
 use Icinga\Exception\IcingaException;
 use Icinga\Authentication\User\DbUserBackend;
 use Icinga\Module\Setup\Step;
+use ipl\Sql\Connection;
+use ipl\Sql\Insert;
 class AuthenticationStep extends Step
 {
+ use Database;
+
 protected $data;
 protected $dbError;
 protected $authIniError;
- protected $permIniError;
+ protected $roleError;
 public function __construct(array $data)
 {
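Review bot: The `global_store_roles_in_db` element is forced to `1` and pulled out of the user-editable form without a comment saying why, while the code that depends on it (the role step) lives in another file. Add a short note above the `removeElement` call, e.g. `// Setup always writes the initial administrator role to the database (see AuthenticationStep::createRoles), so the option is fixed here rather than user-selectable`. Because the element is `disabled`, whether its value `1` reaches the form values and the written config depends on how the form treats disabled elements, which I cannot see from here; it is worth confirming that the generated `config.ini` really ends up with `store_roles_in_db = 1`, since the setup no longer writes a `roles.ini` to fall back on. `createElements()` continues outside the hunk.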
@@ -29,11 +35,15 @@ public function __construct(array $data)
 public function apply()
 {
 $success = $this->createAuthenticationIni();
+
 if (isset($this->data['adminAccountData']['resourceConfig'])) {
 $success &= $this->createAccount();
 }
- $success &= $this->createRolesIni();
+ if (isset($this->data['rolesResourceConfig'])) {
+ $success &= $this->createRoles();
+ }
+
 return $success;
 }
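Review bot: With the new guard, a missing `rolesResourceConfig` silently skips `createRoles()` and `apply()` still reports success, whereas `createRolesIni()` previously ran unconditionally; since `roleError` then stays `null`, `getReport()` says nothing about an administrator at all, so a setup can complete with no account holding `*`. If that key can legitimately be absent, fail loudly instead: `} else { $this->roleError = new IcingaException('No database resource available to store the initial administrator role'); $success = false; }` so the report surfaces it. If it cannot be absent because the wizard always supplies a DB resource, drop the `isset()` and let a missing key fail visibly rather than guarding it. A comment on the branch stating which of the two is intended would help either way.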
@@ -61,34 +71,59 @@ protected function createAuthenticationIni()
 return true;
 }
- protected function createRolesIni()
+ protected function createRoles(): bool
 {
- if (isset($this->data['adminAccountData']['username'])) {
- $config = array(
- 'users' => $this->data['adminAccountData']['username'],
- 'permissions' => '*'
- );
+ try {
+ $this->getDb(new ConfigObject($this->data['rolesResourceConfig']))->transaction(function (Connection $db) {
+ $admins = mt('setup', 'Administrators', 'setup.role.name');
- if ($this->data['backendConfig']['backend'] === 'db') {
- $config['groups'] = mt('setup', 'Administrators', 'setup.role.name');
- }
- } else { // isset($this->data['adminAccountData']['groupname'])
- $config = array(
- 'groups' => $this->data['adminAccountData']['groupname'],
- 'permissions' => '*'
- );
- }
+ $db->prepexec(
+ (new Insert())
+ ->into('icingaweb_role')
+ ->columns(['name', 'ctime'])
+ ->values([$admins, (new DateTime())->getTimestamp() * 1000])
+ );
- try {
- Config::fromArray(array(mt('setup', 'Administrators', 'setup.role.name') => $config))
- ->setConfigFile(Config::resolvePath('roles.ini'))
- ->saveIni();
+ $id = $db->lastInsertId();
+
+ $db->prepexec(
+ (new Insert())
+ ->into('icingaweb_role_permission')
+ ->columns(['role_id', 'permission', 'allowed'])
+ ->values([$id, '*', 'y'])
+ );
+
+ if (isset($this->data['adminAccountData']['username'])) {
+ $db->prepexec(
+ (new Insert())
+ ->into('icingaweb_role_user')
+ ->columns(['role_id', 'user_name'])
+ ->values([$id, $this->data['adminAccountData']['username']])
+ );
+
+ if ($this->data['backendConfig']['backend'] === 'db') {
+ $db->prepexec(
+ (new Insert())
+ ->into('icingaweb_role_group')
+ ->columns(['role_id', 'group_name'])
+ ->values([$id, $admins])
+ );
+ }
+ } else {
+ $db->prepexec(
+ (new Insert())
+ ->into('icingaweb_role_group')
+ ->columns(['role_id', 'group_name'])
+ ->values([$id, $this->data['adminAccountData']['groupname']])
+ );
+ }
+ });
 } catch (Exception $e) {
- $this->permIniError = $e;
+ $this->roleError = $e;
 return false;
 }
- $this->permIniError = false;
+ $this->roleError = false;
 return true;
 }
@@ -211,7 +246,7 @@ public function getReport()
 $report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->dbError));
 }
- if ($this->permIniError === false) {
+ if ($this->roleError === false) {
 $report[] = isset($this->data['adminAccountData']['username']) ? sprintf(
 mt('setup', 'Account "%s" has been successfully defined as initial administrator.'),
 $this->data['adminAccountData']['username']
@@ -219,7 +254,7 @@ public function getReport()
 mt('setup', 'The members of the user group "%s" were successfully defined as initial administrators.'),
 $this->data['adminAccountData']['groupname']
 );
- } elseif ($this->permIniError !== null) {
+ } elseif ($this->roleError !== null) {
 $report[] = isset($this->data['adminAccountData']['username']) ? sprintf(
 mt('setup', 'Unable to define account "%s" as initial administrator. An error occured:'),
 $this->data['adminAccountData']['username']
@@ -230,7 +265,7 @@ public function getReport()
 ),
 $this->data['adminAccountData']['groupname']
 );
- $report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->permIniError));
+ $report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->roleError));
 }
 return $report;
diff --git a/modules/setup/library/Setup/WebWizard.php b/modules/setup/library/Setup/WebWizard.php
index f3b5557c89..e3fbb8c82b 100644
--- a/modules/setup/library/Setup/WebWizard.php
+++ b/modules/setup/library/Setup/WebWizard.php
@@ -97,6 +97,11 @@ class WebWizard extends Wizard implements SetupWizard
 'icingaweb_group',
 'icingaweb_group_membership',
 'icingaweb_user',
+ 'icingaweb_role',
+ 'icingaweb_role_user',
+ 'icingaweb_role_group',
+ 'icingaweb_role_permission',
+ 'icingaweb_role_restriction',
 'icingaweb_user_preference',
 'icingaweb_rememberme',
 'icingaweb_schema'
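Review bot: `createRoles()` never checks whether a role named `$admins` already exists, so re-running setup against a database that already holds one (a retried install, or a reused configuration database) either aborts the transaction on a unique constraint, if `icingaweb_role.name` has one, or quietly inserts a second role carrying `*`; the first case is at least surfaced through `roleError`, the second is not. Consider looking the role up by name before the `icingaweb_role` insert and reusing its id, or at minimum document the assumption above the `try`: `// Assumes a fresh schema: the "Administrators" role is inserted unconditionally and is granted the full permission set ('*')`. Two smaller points: `$db->lastInsertId()` without a sequence name relies on the driver's last-sequence behaviour, which is worth confirming on PostgreSQL, and `(new DateTime())->getTimestamp() * 1000` can be `time() * 1000`, dropping the mutable `DateTime` import. Since the role name is the translated 'Administrators' string, the `icingaweb_role_group.group_name` row written for the `db` backend must match the group that `createAccount()` (outside this hunk) creates, byte for byte.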
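Review bot: The five role tables are added to this list without a comment on what the list is used for; if it drives a schema check against an existing configuration database (the enclosing declaration starts outside the hunk, so I cannot confirm), databases created from a schema that predates the role tables will now be rejected by setup, which is fine only if the schema upgrade is a documented prerequisite. A one-line comment above the array, e.g. `// Tables the configuration database must provide; the role tables are required because setup now stores roles there instead of roles.ini`, would make that dependency explicit.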
@@ -514,11 +519,13 @@ public function getSetup()
 $authType = $pageData['setup_authentication_type']['type'];
 $setup->addStep(
 new AuthenticationStep(array(
- 'adminAccountData' => $adminAccountData,
- 'backendConfig' => $pageData['setup_authentication_backend'],
- 'resourceName' => $authType === 'db' ? $pageData['setup_auth_db_resource']['name'] : (
+ 'adminAccountData' => $adminAccountData,
+ 'backendConfig' => $pageData['setup_authentication_backend'],
+ 'resourceName' => $authType === 'db' ? $pageData['setup_auth_db_resource']['name'] : (
 $authType === 'ldap' ? $pageData['setup_ldap_resource']['name'] : null
- )
+ ),
+ 'rolesResourceConfig' => $pageData['setup_auth_db_resource']
+ ?? $pageData['setup_config_db_resource'] ?? null
 ))
 );
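Review bot: `rolesResourceConfig` prefers `setup_auth_db_resource` over `setup_config_db_resource`, but if, as the forced `store_roles_in_db` option suggests, roles are read at runtime from whatever becomes `global_config_resource`, then any wizard path where that differs from the authentication database writes the `*` role where the application never looks and locks the initial administrator out at first login. Derive the value from the same page data the wizard uses for `global_config_resource` (that code is outside this hunk, so I cannot confirm the two agree), or add a comment stating the invariant: `// Roles must land in the resource that becomes config_resource; the auth DB doubles as it when authentication is 'db'`. The trailing `?? null` also lets the key be present-but-null, which `isset()` in `AuthenticationStep::apply()` treats as absent, so the role step is then skipped without any report entry. `getSetup()` continues outside the hunk.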