setup: store roles in database

Icinga · Apr 17, 2024 · eb97af8 · eb97af8
1 parent c358f36
commit eb97af8
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 30 deletions.
diff --git a/modules/setup/application/forms/GeneralConfigPage.php b/modules/setup/application/forms/GeneralConfigPage.php
@@ -33,6 +33,8 @@ public function createElements(array $formData)
         $appConfigForm->createElements($formData);
         $appConfigForm->removeElement('global_module_path');
         $appConfigForm->removeElement('global_config_resource');
+        $appConfigForm->removeElement('global_store_roles_in_db');
+        $this->addElement('hidden', 'global_store_roles_in_db', ['disabled' => true, 'value' => 1]);
         $this->addElements($appConfigForm->getElements());
 
         $loggingConfigForm = new LoggingConfigForm();

diff --git a/modules/setup/library/Setup/Steps/AuthenticationStep.php b/modules/setup/library/Setup/Steps/AuthenticationStep.php
@@ -3,23 +3,29 @@
 
 namespace Icinga\Module\Setup\Steps;
 
+use DateTime;
 use Exception;
 use Icinga\Application\Config;
+use Icinga\Common\Database;
 use Icinga\Data\ConfigObject;
 use Icinga\Data\ResourceFactory;
 use Icinga\Exception\IcingaException;
 use Icinga\Authentication\User\DbUserBackend;
 use Icinga\Module\Setup\Step;
+use ipl\Sql\Connection;
+use ipl\Sql\Insert;
 
 class AuthenticationStep extends Step
 {
+    use Database;
+
     protected $data;
 
     protected $dbError;
 
     protected $authIniError;
 
-    protected $permIniError;
+    protected $roleError;
 
     public function __construct(array $data)
     {
@@ -29,11 +35,15 @@ public function __construct(array $data)
     public function apply()
     {
         $success = $this->createAuthenticationIni();
+
         if (isset($this->data['adminAccountData']['resourceConfig'])) {
             $success &= $this->createAccount();
         }
 
-        $success &= $this->createRolesIni();
+        if (isset($this->data['rolesResourceConfig'])) {
+            $success &= $this->createRoles();
+        }
+
         return $success;
     }
 
@@ -61,34 +71,59 @@ protected function createAuthenticationIni()
         return true;
     }
 
-    protected function createRolesIni()
+    protected function createRoles(): bool
     {
-        if (isset($this->data['adminAccountData']['username'])) {
-            $config = array(
-                'users'         => $this->data['adminAccountData']['username'],
-                'permissions'   => '*'
-            );
+        try {
+            $this->getDb(new ConfigObject($this->data['rolesResourceConfig']))->transaction(function (Connection $db) {
+                $admins = mt('setup', 'Administrators', 'setup.role.name');
 
-            if ($this->data['backendConfig']['backend'] === 'db') {
-                $config['groups'] = mt('setup', 'Administrators', 'setup.role.name');
-            }
-        } else { // isset($this->data['adminAccountData']['groupname'])
-            $config = array(
-                'groups'        => $this->data['adminAccountData']['groupname'],
-                'permissions'   => '*'
-            );
-        }
+                $db->prepexec(
+                    (new Insert())
+                        ->into('icingaweb_role')
+                        ->columns(['name', 'ctime'])
+                        ->values([$admins, (new DateTime())->getTimestamp() * 1000])
+                );
 
-        try {
-            Config::fromArray(array(mt('setup', 'Administrators', 'setup.role.name') => $config))
-                ->setConfigFile(Config::resolvePath('roles.ini'))
-                ->saveIni();
+                $id = $db->lastInsertId();
+
+                $db->prepexec(
+                    (new Insert())
+                        ->into('icingaweb_role_permission')
+                        ->columns(['role_id', 'permission', 'allowed'])
+                        ->values([$id, '*', 'y'])
+                );
+
+                if (isset($this->data['adminAccountData']['username'])) {
+                    $db->prepexec(
+                        (new Insert())
+                            ->into('icingaweb_role_user')
+                            ->columns(['role_id', 'user_name'])
+                            ->values([$id, $this->data['adminAccountData']['username']])
+                    );
+
+                    if ($this->data['backendConfig']['backend'] === 'db') {
+                        $db->prepexec(
+                            (new Insert())
+                                ->into('icingaweb_role_group')
+                                ->columns(['role_id', 'group_name'])
+                                ->values([$id, $admins])
+                        );
+                    }
+                } else {
+                    $db->prepexec(
+                        (new Insert())
+                            ->into('icingaweb_role_group')
+                            ->columns(['role_id', 'group_name'])
+                            ->values([$id, $this->data['adminAccountData']['groupname']])
+                    );
+                }
+            });
         } catch (Exception $e) {
-            $this->permIniError = $e;
+            $this->roleError = $e;
             return false;
         }
 
-        $this->permIniError = false;
+        $this->roleError = false;
         return true;
     }
 
@@ -211,15 +246,15 @@ public function getReport()
             $report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->dbError));
         }
 
-        if ($this->permIniError === false) {
+        if ($this->roleError === false) {
             $report[] = isset($this->data['adminAccountData']['username']) ? sprintf(
                 mt('setup', 'Account "%s" has been successfully defined as initial administrator.'),
                 $this->data['adminAccountData']['username']
             ) : sprintf(
                 mt('setup', 'The members of the user group "%s" were successfully defined as initial administrators.'),
                 $this->data['adminAccountData']['groupname']
             );
-        } elseif ($this->permIniError !== null) {
+        } elseif ($this->roleError !== null) {
             $report[] = isset($this->data['adminAccountData']['username']) ? sprintf(
                 mt('setup', 'Unable to define account "%s" as initial administrator. An error occured:'),
                 $this->data['adminAccountData']['username']
@@ -230,7 +265,7 @@ public function getReport()
                 ),
                 $this->data['adminAccountData']['groupname']
             );
-            $report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->permIniError));
+            $report[] = sprintf(mt('setup', 'ERROR: %s'), IcingaException::describe($this->roleError));
         }
 
         return $report;

diff --git a/modules/setup/library/Setup/WebWizard.php b/modules/setup/library/Setup/WebWizard.php
@@ -97,6 +97,11 @@ class WebWizard extends Wizard implements SetupWizard
         'icingaweb_group',
         'icingaweb_group_membership',
         'icingaweb_user',
+        'icingaweb_role',
+        'icingaweb_role_user',
+        'icingaweb_role_group',
+        'icingaweb_role_permission',
+        'icingaweb_role_restriction',
         'icingaweb_user_preference',
         'icingaweb_rememberme',
         'icingaweb_schema'
@@ -514,11 +519,13 @@ public function getSetup()
         $authType = $pageData['setup_authentication_type']['type'];
         $setup->addStep(
             new AuthenticationStep(array(
-                'adminAccountData'  => $adminAccountData,
-                'backendConfig'     => $pageData['setup_authentication_backend'],
-                'resourceName'      => $authType === 'db' ? $pageData['setup_auth_db_resource']['name'] : (
+                'adminAccountData'    => $adminAccountData,
+                'backendConfig'       => $pageData['setup_authentication_backend'],
+                'resourceName'        => $authType === 'db' ? $pageData['setup_auth_db_resource']['name'] : (
                     $authType === 'ldap' ? $pageData['setup_ldap_resource']['name'] : null
-                )
+                ),
+                'rolesResourceConfig' => $pageData['setup_auth_db_resource']
+                    ?? $pageData['setup_config_db_resource'] ?? null
             ))
         );