From 007ad5bd5a5f49761e23156f65bf5f75b31cd980 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Tue, 29 Oct 2024 10:42:04 +0100 Subject: [PATCH 01/42] version bump --- client/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/package.json b/client/package.json index b85e4bd..f2631c3 100644 --- a/client/package.json +++ b/client/package.json @@ -1,6 +1,6 @@ { "name": "ansible_forms_vue", - "version": "5.0.7", + "version": "5.0.8", "private": true, "scripts": { "serve": "vue-cli-service serve", From b30d702d70a0fa0813e15ba768af69d7f26640aa Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Mon, 4 Nov 2024 16:23:56 +0100 Subject: [PATCH 02/42] moving docker files to root, now includes the client build as well --- .dockerignore | 8 +++ server/Dockerfile => Dockerfile | 48 +++++++++++++---- server/Dockerfile-debian => Dockerfile-debian | 51 +++++++++++++++---- server/.dockerignore | 5 -- 4 files changed, 88 insertions(+), 24 deletions(-) create mode 100644 .dockerignore rename server/Dockerfile => Dockerfile (75%) rename server/Dockerfile-debian => Dockerfile-debian (79%) delete mode 100644 server/.dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..3728569 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,8 @@ +**/node_modules/ +node_modules +**/vue.config.js +vue.config.js +Dockerfile +.env.* +.env +README.md diff --git a/server/Dockerfile b/Dockerfile similarity index 75% rename from server/Dockerfile rename to Dockerfile index 5b84eb7..4960645 100644 --- a/server/Dockerfile +++ b/Dockerfile @@ -45,20 +45,41 @@ RUN npm install -g npm@9.8.1 FROM node AS tmp_builder -# Use /app -WORKDIR /app - -# Copy package.json and package-lock.json to /app -COPY package*.json ./ - # Update npm RUN npm install -g npm@9.8.1 +# Install vue cli service +RUN npm install -g @vue/cli-service + +# Use /app/client +WORKDIR /app/client + +# Copy client package.json and package-lock.json to /app/client +COPY ./client/package*.json ./ + +# install node modules for client +RUN npm install + +# Copy the rest of the code +COPY ./client . + +# build client +RUN npm run build + +# Use /app/server +WORKDIR /app/server + +# Copy package.json and package-lock.json to /app/server +COPY ./server/package*.json ./ + # install node modules RUN npm install # Copy the rest of the code -COPY . . +COPY ./server . + +# Copy the docs help file to /app/server +COPY ./docs/_data/help.yaml . # Invoke the build script to transpile code to js RUN npm run build @@ -66,6 +87,15 @@ RUN npm run build # Remove persistent subfolder RUN rm -rf ./dist/persistent +# Remove client subfolder +RUN rm -rf ./dist/views + +# Create the views folder +RUN mkdir -p ./dist/views + +# move client build to server +RUN mv /app/client/dist/* ./dist/views + ################################################## # final build # take base and install production app dependencies @@ -80,10 +110,10 @@ COPY package*.json ./ RUN npm i --only=production # Copy transpiled js from builder stage into the final image -COPY --from=tmp_builder /app/dist ./dist +COPY --from=tmp_builder /app/server/dist ./dist # Copy the ansible.cfg file to /etc/ansible/ directory -COPY ansible.cfg /etc/ansible/ansible.cfg +COPY ./server/ansible.cfg /etc/ansible/ansible.cfg # Use js files to run the application ENTRYPOINT ["node", "./dist/index.js"] diff --git a/server/Dockerfile-debian b/Dockerfile-debian similarity index 79% rename from server/Dockerfile-debian rename to Dockerfile-debian index dc85074..5481fc3 100644 --- a/server/Dockerfile-debian +++ b/Dockerfile-debian @@ -64,21 +64,43 @@ RUN ansible-galaxy collection install community.mysql -p /usr/share/ansible/coll # why from diff image? for faster build, this image has node preinstalled and can start building immediately # if only the node app changes, the intermediate image can be cached and the final image will be faster to build -FROM node:16-alpine AS tmp_builder +FROM node AS tmp_builder -# Use /app -WORKDIR /app +# Update npm +RUN npm install -g npm@9.8.1 -# Copy package.json and package-lock.json to /app -COPY package*.json ./ +# Install vue cli service +RUN npm install -g @vue/cli-service -# Install all dependencies -RUN npm install -g +# Use /app/client +WORKDIR /app/client +# Copy client package.json and package-lock.json to /app/client +COPY ./client/package*.json ./ + +# install node modules for client RUN npm install # Copy the rest of the code -COPY . . +COPY ./client . + +# build client +RUN npm run build + +# Use /app/server +WORKDIR /app/server + +# Copy package.json and package-lock.json to /app/server +COPY ./server/package*.json ./ + +# install node modules +RUN npm install + +# Copy the rest of the code +COPY ./server . + +# Copy the docs help file to /app/server +COPY ./docs/_data/help.yaml . # Invoke the build script to transpile code to js RUN npm run build @@ -86,6 +108,15 @@ RUN npm run build # Remove persistent subfolder RUN rm -rf ./dist/persistent +# Remove client subfolder +RUN rm -rf ./dist/views + +# Create the views folder +RUN mkdir -p ./dist/views + +# move client build to server +RUN mv /app/client/dist/* ./dist/views + ################################################## # final build # take base and install production app dependencies @@ -97,7 +128,7 @@ FROM debianbase as final COPY package*.json ./ # Copy transpiled js from builder stage into the final image -COPY --from=tmp_builder /app/dist ./dist +COPY --from=tmp_builder /app/server/dist ./dist # Install only production dependencies # the build was done in alpine, so we need to remove any previous node_modules @@ -105,7 +136,7 @@ RUN rm -rf ./dist/node_modules RUN npm install --only=production # Copy the ansible.cfg file to /etc/ansible/ directory -COPY ansible.cfg /etc/ansible/ansible.cfg +COPY ./server/ansible.cfg /etc/ansible/ansible.cfg # Use js files to run the application ENTRYPOINT ["node", "./dist/index.js"] diff --git a/server/.dockerignore b/server/.dockerignore deleted file mode 100644 index b07b275..0000000 --- a/server/.dockerignore +++ /dev/null @@ -1,5 +0,0 @@ -node_modules/ -Dockerfile -.env.* -.env -README.md From 05c519292153481479038c3e6cafb0d19588aace Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Mon, 4 Nov 2024 16:27:35 +0100 Subject: [PATCH 03/42] fix some typos --- Dockerfile-debian | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile-debian b/Dockerfile-debian index 5481fc3..84f3fc1 100644 --- a/Dockerfile-debian +++ b/Dockerfile-debian @@ -64,7 +64,7 @@ RUN ansible-galaxy collection install community.mysql -p /usr/share/ansible/coll # why from diff image? for faster build, this image has node preinstalled and can start building immediately # if only the node app changes, the intermediate image can be cached and the final image will be faster to build -FROM node AS tmp_builder +FROM node:16-alpine AS tmp_builder # Update npm RUN npm install -g npm@9.8.1 @@ -128,7 +128,7 @@ FROM debianbase as final COPY package*.json ./ # Copy transpiled js from builder stage into the final image -COPY --from=tmp_builder /app/server/dist ./dist +COPY --from=tmp_builder /app/dist ./dist # Install only production dependencies # the build was done in alpine, so we need to remove any previous node_modules From 426c301fd4cbeb847d1bfca8a98fcb4ec4c88d16 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Mon, 4 Nov 2024 16:43:48 +0100 Subject: [PATCH 04/42] typos --- Dockerfile | 2 +- Dockerfile-debian | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4960645..717c426 100644 --- a/Dockerfile +++ b/Dockerfile @@ -104,7 +104,7 @@ RUN mv /app/client/dist/* ./dist/views FROM nodebase as final # Copy package.json and package-lock.json -COPY package*.json ./ +COPY ./server/package*.json ./ # Install only production dependencies RUN npm i --only=production diff --git a/Dockerfile-debian b/Dockerfile-debian index 84f3fc1..343e81a 100644 --- a/Dockerfile-debian +++ b/Dockerfile-debian @@ -125,10 +125,10 @@ RUN mv /app/client/dist/* ./dist/views FROM debianbase as final # Copy package.json and package-lock.json -COPY package*.json ./ +COPY ./server/package*.json ./ # Copy transpiled js from builder stage into the final image -COPY --from=tmp_builder /app/dist ./dist +COPY --from=tmp_builder /app/server/dist ./dist # Install only production dependencies # the build was done in alpine, so we need to remove any previous node_modules From 02dd9ce3e9913e90c760e504b991908ceb10c633 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Tue, 5 Nov 2024 17:51:17 +0100 Subject: [PATCH 05/42] regex typos --- client/src/views/Repos.vue | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/client/src/views/Repos.vue b/client/src/views/Repos.vue index ddaaa5a..4a86c75 100644 --- a/client/src/views/Repos.vue +++ b/client/src/views/Repos.vue @@ -44,8 +44,8 @@
- - + + @@ -263,7 +263,7 @@ required, regex : helpers.withParams( {description: "User must be a valid repository name",type:"regex"}, - (value) => !helpers.req(value) || (new RegExp("^[a-z0-9_-]{1,50}$").test(value)) // eslint-disable-line + (value) => !helpers.req(value) || (new RegExp("^[a-zA-Z0-9_-]{1,50}$").test(value)) // eslint-disable-line ) }, uri: { @@ -278,7 +278,7 @@ }, cron: { regex : helpers.withParams( - {description: "User must be a valid github user (alphanumeric / hyphens)",type:"regex"}, + {description: "Cron must be valid format",type:"regex"}, (value) => !helpers.req(value) || (new RegExp("^[0-9-,*/]+ [0-9-,*/]+ [0-9-,*/L]+ [0-9-,*/]+ [0-9-,*/L]+$").test(value)) // eslint-disable-line ) }, @@ -286,7 +286,7 @@ maxLength:39, regex : helpers.withParams( {description: "User must be a valid github user (alphanumeric / hyphens)",type:"regex"}, - (value) => !helpers.req(value) || (new RegExp("^[a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38}$").test(value)) // eslint-disable-line + (value) => !helpers.req(value) || (new RegExp("^[a-zA-Z0-9-](?:[a-zA-Z0-9-]|-(?=[a-zA-Z0-9-])){0,38}$").test(value)) // eslint-disable-line ) } } From 9ff6c968ff4b28688eb4f3a0319fbd9bc7564734 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:26:52 +0100 Subject: [PATCH 06/42] remove baseurl --- server/src/templates/approval.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/templates/approval.html b/server/src/templates/approval.html index 197b5fd..9c845a9 100644 --- a/server/src/templates/approval.html +++ b/server/src/templates/approval.html @@ -144,7 +144,7 @@

There is an approval request awaiting your action

- Review Approval Request + Review Approval Request

Request details :

${message}

Regards,
AnsibleForms

From b762218632f64c60ad7d418e132b187b4fcfa25c Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:27:27 +0100 Subject: [PATCH 07/42] allow admin delete --- server/src/models/user.model.js | 49 ++++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 16 deletions(-) diff --git a/server/src/models/user.model.js b/server/src/models/user.model.js index 8e2cb69..62d7a0c 100644 --- a/server/src/models/user.model.js +++ b/server/src/models/user.model.js @@ -37,9 +37,6 @@ User.create = function (record) { }) }; User.update = function (record,id) { - if(id==1 && record.group_id!=undefined && record.group_id!=1){ - return Promise.reject("You cannot change the 'admin' user out of the 'admins' group.") - } if(record.password){ logger.info(`Updating user with password ${(record.username)?record.username:id}`) return crypto.hashPassword(record.password) @@ -54,12 +51,8 @@ User.update = function (record,id) { }; User.delete = function(id){ - if(id==1){ - return Promise.reject("You cannot delete user 'admin'") - }else{ - logger.info(`Deleting user ${id}`) - return mysql.do("DELETE FROM AnsibleForms.`users` WHERE id = ? AND username<>'admin'", [id]) - } + logger.info(`Deleting user ${id}`) + return mysql.do("DELETE FROM AnsibleForms.`users` WHERE id = ?", [id]) }; User.findAll = function () { logger.info("Finding all users") @@ -115,10 +108,14 @@ User.checkToken = function (username,username_type,refresh_token) { } }) }; -User.getRoles = function(groups,user){ - var roles = ["public"] - var forms=undefined +User.getRolesAndOptions = function(groups,user){ + var result = {} + var roles = [] + var options = {} var full_username = `${user.type}/${user.username}` + + logger.debug(`Getting roles and options for ${full_username}`) + return Form.load() .then((forms)=>{ // derive roles from forms @@ -127,18 +124,38 @@ User.getRoles = function(groups,user){ forms.roles.forEach(function(role){ if(role.groups && role.groups.includes(group)){ roles.push(role.name) + if(role.options){ + for (const [key, value] of Object.entries(role.options)) { + logger.debug(`Adding option ${key} = ${value}`) + if(options[key]===undefined){ + options[key] = value + }else{ + options[key] = options[key] && value + } + } + } } }) }) - // add all the roles that match the user + logger.debug(`Adding public role to ${full_username}`) + roles.push("public") + // if the public role has any option set, we add it to the options, we don't overwrite forms.roles.forEach(function(role){ - if(role.users && role.users.includes(full_username)){ - roles.push(role.name) + if(role.name=="public" && role.options){ + for (const [key, value] of Object.entries(role.options)) { + if(options[key]===undefined){ + logger.debug(`Adding public option ${key} = ${value}`) + options[key] = value + } + } } }) - return roles + result.roles = roles + result.options = options + + return result }) .catch((e)=>{ // return temp role if needed From 3e0908f8a187b193f4ecc771f60c345d6621fa4b Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:28:00 +0100 Subject: [PATCH 08/42] auto creat admins group and admin user --- server/src/init/index.js | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/server/src/init/index.js b/server/src/init/index.js index d8991f4..5ad69d1 100644 --- a/server/src/init/index.js +++ b/server/src/init/index.js @@ -5,11 +5,14 @@ async function init(){ var Form = require('../models/form.model'); var Job = require('../models/job.model'); var Schema = require('../models/schema.model'); + var adminGroupId = undefined const mysql=require("../models/db.model"); const Repository = require('../models/repository.model'); const parser = require("cron-parser") const dayjs = require("dayjs") - const util = require('util') + const appConfig = require("../../config/app.config") + const User = require("../models/user.model") + const Group = require("../models/group.model") // this is at startup, don't start the app until mysql is ready // rewrite with await @@ -67,6 +70,40 @@ async function init(){ } + // check admins groups + try{ + var adminGroupName = "admins" + var adminGroup = await Group.findByName(adminGroupName) + if(adminGroup.length==0){ + logger.warning(`Group ${adminGroupName} not found, creating it`) + adminGroup = {} + adminGroup.id = await Group.create(new Group({name:adminGroup})) + }else{ + adminGroup = adminGroup[0] + } + adminGroupId = adminGroup.id + }catch(err){ + logger.error("Failed to check/create admins group : " + err) + throw err + } + + // check admin user + logger.info("Checking admin user exists") + try{ + var adminUsername = appConfig.adminUsername + var adminUser = await User.findByUsername(adminUsername) + if(adminUser.length==0){ + logger.warning(`Admin user ${adminUsername} not found, creating it`) + var adminPassword = appConfig.adminPassword + await User.create(new User({username:adminUsername,email:'',password:adminPassword,group_id:adminGroupId})) + }else{ + adminUser = adminUser[0] + } + }catch(err){ + logger.error("Failed to check/create admin user : " + err) + throw err + } + Ssh.generate(false) .catch((err)=>{ From 174097e4a069ff82953dd569b938693db4f213ce Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:28:29 +0100 Subject: [PATCH 09/42] add ytt vars and admin/pass var --- server/config/app.config.js | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/server/config/app.config.js b/server/config/app.config.js index 15c16ba..2b049c2 100644 --- a/server/config/app.config.js +++ b/server/config/app.config.js @@ -8,6 +8,10 @@ var app_config = { allowSchemaCreation: (process.env.ALLOW_SCHEMA_CREATION ?? 1)==1, formsPath: process.env.FORMS_PATH || path.resolve(__dirname + "/../persistent/forms.yaml"), useYtt: (process.env.USE_YTT ?? 0)==1, + yttDangerousAllowAllSymlinkDestinations: (process.env.YTT_DANGEROUS_ALLOW_ALL_SYMLINK_DESTINATIONS ?? 0)==1, + yttAllowSymlinkDestinations: process.env.YTT_ALLOW_SYMLINK_DESTINATIONS || "", + yttLibData: {}, + yttVarsPrefix: process.env.YTT_VARS_PREFIX || "", lockPath: process.env.LOCK_PATH || path.resolve(__dirname + "/../persistent/ansibleForms.lock"), helpPath: path.resolve(__dirname + "/../help.yaml"), encryptionSecret: ((process.env.ENCRYPTION_SECRET + "vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3").substring(0,32)) || "vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3", @@ -20,5 +24,14 @@ var app_config = { enableBypass: (process.env.ENABLE_BYPASS ?? 0)==1, enableDbQueryLogging: (process.env.ENABLE_DB_QUERY_LOGGING ?? 0)==1, enableFormsYamlInDatabase: (process.env.ENABLE_FORMS_YAML_IN_DATABASE ?? 0)==1, + adminUsername: process.env.ADMIN_USERNAME || "admin", + adminPassword: process.env.ADMIN_PASSWORD || "AnsibleForms!123" }; + +// process dynamic YTT_LIB_DATA_ environment variables +Object.entries(process.env).filter( ([key, value]) => key.startsWith('YTT_LIB_DATA_')).forEach( ([key, value]) => { + const libName = key.replace('YTT_LIB_DATA_', '').toLowerCase(); + app_config.yttLibData[libName] = value; +}); + module.exports = app_config; From e0d9cb8c1a688d5f769d77d33b4a25e25e98a772 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:28:49 +0100 Subject: [PATCH 10/42] version bump and typo fix --- server/src/swagger.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/server/src/swagger.json b/server/src/swagger.json index b283f6e..00e85ac 100644 --- a/server/src/swagger.json +++ b/server/src/swagger.json @@ -2,7 +2,7 @@ "swagger": "2.0", "info": { "description": "This is the swagger interface for AnsibleForms.\r\nUse the `/auth/login` api with basic authentication to obtain a JWT token.\r\nThen use the access token, prefixed with the word '**Bearer**' to use all other api's.\r\nNote that the access token is limited in time. You can then either login again and get a new set of tokens or use the `/token` api and the refresh token to obtain a new set (preferred).", - "version": "5.0.7", + "version": "5.0.8", "title": "AnsibleForms", "contact": { "email": "info@ansibleforms.com" @@ -96,7 +96,7 @@ "name": "expiryDays", "type": "integer", "required": false, - "description": "Expiry days, only for admins" + "description": "Expiry days, requires extendedTokenExpiration option to be set to true in role-options" } ], "summary": "Get authorization bearer token", @@ -1720,7 +1720,7 @@ "bearerAuth": [] } ], - "summary": "Get Azure AD configuration", + "summary": "Get MS Entra Id configuration", "produces": [ "application/json" ], @@ -1754,7 +1754,7 @@ }, "put": { "tags": [ - "Azure AD config" + "MS Entra Id config" ], "security": [ { @@ -1764,7 +1764,7 @@ "parameters": [ { "in": "body", - "name": "Azure AD config", + "name": "MS Entra Id config", "schema": { "type": "object", "properties": { @@ -1860,7 +1860,7 @@ }, "put": { "tags": [ - "OIDC config" + "Open ID Connect config" ], "security": [ { From 3d9b9906c08d63a30e62dac4d2cb1a652889487a Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:29:36 +0100 Subject: [PATCH 11/42] add roleoptions --- client/src/App.vue | 5 ++++ client/src/router.js | 51 ++++++++++++++++++++++----------- server/src/models/lock.model.js | 10 +++---- 3 files changed, 44 insertions(+), 22 deletions(-) diff --git a/client/src/App.vue b/client/src/App.vue index d830cc0..902f6fd 100644 --- a/client/src/App.vue +++ b/client/src/App.vue @@ -56,6 +56,10 @@
  • {{ r }}
+ Options : +
    +
  • {{ o }} : {{ profile.options[o] }}
    • +
@@ -107,6 +111,7 @@ // console.log("checking if is admin") var payload = TokenStorage.getPayload() if(payload.user && payload.user.roles){ + this.profile = payload.user this.isAdmin=payload.user.roles.includes("admin") } }, diff --git a/client/src/router.js b/client/src/router.js index 48b8359..301cddb 100644 --- a/client/src/router.js +++ b/client/src/router.js @@ -26,12 +26,29 @@ import ReferenceGuide from './views/ReferenceGuide.vue' import Install from './views/Install.vue' import TokenStorage from './lib/TokenStorage.js' Vue.use(Router); -const checkAdmin=(to, from, next) => { + +const checkDesigner=(to, from, next) => { + var payload = TokenStorage.getPayload() + if(payload?.user?.options?.showDesigner ?? payload?.user?.roles?.includes("admin")){ + next() + }else{ + console.log("You are not allowed to access designer") + } +} +const checkLogs=(to, from, next) => { + var payload = TokenStorage.getPayload() + if(payload?.user?.options?.showLogs ?? payload?.user?.roles?.includes("admin")){ + next() + }else{ + console.log("You are not allowed to access logs") + } +} +const checkSettings=(to, from, next) => { var payload = TokenStorage.getPayload() - if(payload?.user?.roles?.includes("admin")){ + if(payload?.user?.options?.showSettings ?? payload?.user?.roles?.includes("admin")){ next() }else{ - console.log("You are not an admin user") + console.log("You are not allowed to access settings") } } @@ -120,85 +137,85 @@ export default new Router({ path:"/groups", name:"Groups", component:Groups, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/repos", name:"Repos", component:Repos, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/users", name:"Users", component:Users, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/ldap", name:"Ldap", component:Ldap, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/azuread", name:"AzureAd", component:AzureAd, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/oidc", name:"OIDC", component:OIDC, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/settings", name:"Settings", component:Settings, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/mail_settings", name:"Settings Mail", component:MailSettings, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/awx", name:"Awx", component:Awx, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/credentials", name:"Credentials", component:Credentials, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/sshkey", name:"Sshkey", component:Sshkey, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/knownhosts", name:"KnownHost", component:KnownHosts, - beforeEnter: checkAdmin + beforeEnter: checkSettings }, { path:"/logs", name:"Logs", component:Logs, - beforeEnter: checkAdmin + beforeEnter: checkLogs }, { path:"/designer", name:"Designer", component:Designer, - beforeEnter: checkAdmin + beforeEnter: checkDesigner }, { path:"/jobs", diff --git a/server/src/models/lock.model.js b/server/src/models/lock.model.js index dcbd202..0f6f946 100644 --- a/server/src/models/lock.model.js +++ b/server/src/models/lock.model.js @@ -40,7 +40,7 @@ Lock.status = async function(user){ } } Lock.set = function (user) { - if(config.showDesigner){ + if(config.showDesigner && (user.options?.showDesigner ?? true)){ logger.notice(`Creating lock for user ${user.username}`) user.created = moment(Date.now()).format('YYYY-MM-DD HH:mm:ss') return fsPromises.writeFile(config.lockPath,YAML.stringify(user),{encoding:"utf8",flag:"w"}) @@ -49,8 +49,8 @@ Lock.set = function (user) { return Promise.reject('Designer is disabled') } }; -Lock.delete = function(){ - if(config.showDesigner){ +Lock.delete = function(user={}){ + if(config.showDesigner && (user.options?.showDesigner ?? true)){ logger.notice(`Deleting lock`) return fsPromises.unlink(config.lockPath) }else{ @@ -59,9 +59,9 @@ Lock.delete = function(){ } }; -Lock.get = function () { +Lock.get = function (user={}) { // logger.notice("Getting lock") - if(config.showDesigner){ + if(config.showDesigner && (user.options?.showDesigner ?? true)){ return fsPromises.readFile(config.lockPath,{encoding:"utf8"}) }else{ logger.error("Designer is disabled, can't get lock") From 243f06cafd4e196fc06504197ae083645f61895a Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:29:57 +0100 Subject: [PATCH 12/42] remove log --- client/src/lib/TokenStorage.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/client/src/lib/TokenStorage.js b/client/src/lib/TokenStorage.js index b9a5758..dffa08c 100644 --- a/client/src/lib/TokenStorage.js +++ b/client/src/lib/TokenStorage.js @@ -28,8 +28,10 @@ var TokenStorage = { jsonPayload = decodeURIComponent(atob(base64).split('').map(function(c) { return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2); }).join('')); + // console.log(JSON.parse(jsonPayload)) return JSON.parse(jsonPayload) }catch(err){ + console.log("Error in getPayload: " + err) return {} } }, From 7b469180e46987beaba2717e5574bae94defc82b Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:30:09 +0100 Subject: [PATCH 13/42] add roleoptions --- client/src/components/BulmaNav.vue | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/client/src/components/BulmaNav.vue b/client/src/components/BulmaNav.vue index f8477d1..5a90a2b 100644 --- a/client/src/components/BulmaNav.vue +++ b/client/src/components/BulmaNav.vue @@ -18,16 +18,16 @@ Job log {{approvals}} {{(approvals==1)?"approval":"approvals"}} waiting - + Designer - + Settings
- + Logs From 9ec7f0760ca228441f82eaa312f564cd1df04b9d Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:30:33 +0100 Subject: [PATCH 14/42] add ytt options --- server/src/models/form.model.js | 45 +++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 13 deletions(-) diff --git a/server/src/models/form.model.js b/server/src/models/form.model.js index 2776339..8878415 100644 --- a/server/src/models/form.model.js +++ b/server/src/models/form.model.js @@ -11,6 +11,7 @@ const Ajv = require('ajv'); const ajv = new Ajv() const path=require("path") const AJVErrorParser = require('ajv-error-parser'); +const quote = require('shell-quote/quote'); const Repository = require('./repository.model') const Helpers = require("../lib/common") const {inspect} = require("node:util"); @@ -26,6 +27,8 @@ const formsBackupPath = path.join(backupPath,'forms') const formFileBackupPath = path.join(backupPath,formFileName) const oldBackupDays = appConfig.oldBackupDays +const pathDelimiterRegex = new RegExp(`(? key.startsWith('YTT_LIB_DATA_')).forEach( ([key, value]) => { - const libName = key.replace('YTT_LIB_DATA_', '').toLowerCase(); - yttLibDataOpts += ` --data-values-file @${libName}:data=${value}`; - }); + for (const [libName, value] of Object.entries(appConfig.yttLibData)) { + yttLibDataOpts += ` --data-values-file @${quote([libName])}:data=${quote([value])}`; + } return yttLibDataOpts; } +/** + * Compute extra ytt cli options based on provided env vars + */ +function getYttEnvDataOpts() { + var yttEnvDataOpts = ''; + if (appConfig.yttVarsPrefix || false) { + yttEnvDataOpts += ` --data-values-env ${quote([appConfig.yttVarsPrefix])}`; + } + if (appConfig.yttAllowSymlinkDestinations || false) { + // path.delimiter separated list of paths (delimiter can be escaped with '\') + for (const allowedPath of appConfig.yttAllowSymlinkDestinations.split(pathDelimiterRegex)) { + yttEnvDataOpts += ` --allow-symlink-destination ${quote([allowedPath.replace(/\\(.)/g, '$1')])}`; + } + } + if (appConfig.yttDangerousAllowAllSymlinkDestinations) { + yttEnvDataOpts += " --dangerous-allow-all-symlink-destinations"; + } + return yttEnvDataOpts; +} + // create the backup path and // since version 4.0.3 the backups go under folder => move backups there (should be only once) Form.initBackupFolder=function(){ @@ -99,11 +121,8 @@ Form.load = async function() { var formfiles=[] var files=undefined - var yttEnvDataOpt = '' - if ('YTT_VARS_PREFIX' in process.env) { - yttEnvDataOpt = ` --data-values-env ${process.env.YTT_VARS_PREFIX}`; - } var yttLibDataOpts = getYttLibDataOpts(); + var yttEnvDataOpts = getYttEnvDataOpts(); try{ // read base forms.yaml @@ -115,9 +134,9 @@ Form.load = async function() { try { if (appConfig.useYtt) { logger.info(`interpreting ${appFormsPath} with ytt.`); - logger.debug(`executing 'ytt -f ${appFormsPath} -f ${formslibdirpath}${yttEnvDataOpt}${yttLibDataOpts}'`) + logger.debug(`executing 'ytt -f ${quote([appFormsPath])} -f ${quote([formslibdirpath])}${yttEnvDataOpts}${yttLibDataOpts}'`); rawdata = execSync( - `ytt -f ${appFormsPath} -f ${formslibdirpath}${yttEnvDataOpt}${yttLibDataOpts}`, + `ytt -f ${quote([appFormsPath])} -f ${quote([formslibdirpath])}${yttEnvDataOpts}${yttLibDataOpts}`, { env: process.env, encoding: 'utf-8' @@ -157,9 +176,9 @@ Form.load = async function() { var itemRawData = ''; if (appConfig.useYtt) { logger.info(`interpreting ${itemFormPath} with ytt.`); - logger.debug(`executing 'ytt -f ${itemFormPath} -f ${formslibdirpath}${yttEnvDataOpt}'`) + logger.debug(`executing 'ytt -f ${quote([itemFormPath])} -f ${quote([formslibdirpath])}${yttEnvDataOpts}'`); itemRawData = execSync( - `ytt -f ${itemFormPath} -f ${formslibdirpath}${yttEnvDataOpt}`, + `ytt -f ${quote([itemFormPath])} -f ${quote([formslibdirpath])}${yttEnvDataOpts}`, { env: process.env, encoding: 'utf-8' @@ -490,4 +509,4 @@ Form.loadByName = async function(form,user,forApproval=false){ } } -module.exports= Form; +module.exports= Form; \ No newline at end of file From 13466f7615881fe33925266515f56a4819873915 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:31:01 +0100 Subject: [PATCH 15/42] add issuer --- server/src/controllers/token.controller.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/src/controllers/token.controller.js b/server/src/controllers/token.controller.js index c534ca6..64ee406 100644 --- a/server/src/controllers/token.controller.js +++ b/server/src/controllers/token.controller.js @@ -24,8 +24,8 @@ exports.refresh = function(req, res) { var body = jwtPayload.user if(new Date(jwtPayload.exp*1000)>new Date()){ // logger.info("refresh token is not expired") - const token = jwt.sign({ user: body,access:true }, authConfig.secret,{ expiresIn: authConfig.jwtExpiration}); - const refreshtoken = jwt.sign({ user: body,refresh:true }, authConfig.secret,{ expiresIn: authConfig.jwtRefreshExpiration}); + const token = jwt.sign({ user: body,access:true }, authConfig.secret,{ expiresIn: authConfig.jwtExpiration, issuer: authConfig.jwtIssuer}); + const refreshtoken = jwt.sign({ user: body,refresh:true }, authConfig.secret,{ expiresIn: authConfig.jwtRefreshExpiration, issuer: authConfig.jwtIssuer}); User.storeToken(username,username_type,refreshtoken) .then(()=>{ logger.info("Token is renewed and stored") From 6d607ddc53b188dac79cad21c6d201343f829fb6 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:31:24 +0100 Subject: [PATCH 16/42] typo fix --- server/src/controllers/config.controller.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/controllers/config.controller.js b/server/src/controllers/config.controller.js index a4dfa6b..cc64301 100644 --- a/server/src/controllers/config.controller.js +++ b/server/src/controllers/config.controller.js @@ -102,7 +102,7 @@ exports.save = async function(req,res){ } }catch(err){ logger.error("Failed to get lock : ",err) - res.json(new RestResult("error","Failed to save forms",null,helpers.getError(err,"Faild to get lock"))) + res.json(new RestResult("error","Failed to save forms",null,helpers.getError(err,"Failed to get lock"))) return true } if(lock.match || lock.free){ From 66aff466b7fa659bf7ba630a3af517effa338b90 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:31:48 +0100 Subject: [PATCH 17/42] add extended token expiration --- server/src/controllers/login.controller.js | 111 ++++++++++++--------- 1 file changed, 63 insertions(+), 48 deletions(-) diff --git a/server/src/controllers/login.controller.js b/server/src/controllers/login.controller.js index f611f46..695a19f 100644 --- a/server/src/controllers/login.controller.js +++ b/server/src/controllers/login.controller.js @@ -6,19 +6,26 @@ const passport = require('passport'); const jwt = require('jsonwebtoken'); var authConfig = require('../../config/auth.config') const logger=require("../lib/logger"); -const {inspect}=require("node:util") const helpers=require('../lib/common') const RestResult = require("../models/restResult.model") -const auth_oidc = require("../auth/auth_oidc"); function userToJwt(user,expiryDays){ // is something like // {"username":"administrator","type":"local","roles":["public","admin"]} + var tokenExpiresIn + + if(expiryDays && (user?.options["extendedTokenExpiration"] ?? false) && !isNaN(expiryDays)){ + tokenExpiresIn = `${expiryDays}D` + logger.info("Extended token expiration requested for " + user.username) + }else{ + tokenExpiresIn = authConfig.jwtExpiration + } + // we create 2 jwt tokens (accesstoken and refresh token) - const token = jwt.sign({user,access:true}, authConfig.secret,{ expiresIn: expiryDays || authConfig.jwtExpiration}); - const refreshtoken = jwt.sign({user,refresh:true}, authConfig.secret,{ expiresIn: authConfig.jwtRefreshExpiration}); + const token = jwt.sign({user,access:true}, authConfig.secret,{ expiresIn: tokenExpiresIn, issuer: authConfig.jwtIssuer}); + const refreshtoken = jwt.sign({user,refresh:true}, authConfig.secret,{ expiresIn: authConfig.jwtRefreshExpiration, issuer: authConfig.jwtIssuer}); logger.debug(JSON.stringify(user)) // we store the tokens in the database, to later verify a refresh token action logger.info("Storing refreshtoken in database for user " + user.username) @@ -90,11 +97,7 @@ exports.basic = async function(req, res,next) { //return next(error); } // send the tokens to the requester - // if admin role, you can override the expirydays (for accesstoken only) - if(req.query.expiryDays && user?.roles?.includes("admin") && !isNaN(req.query.expiryDays)){ - return res.json(userToJwt(user,`${req.query.expiryDays}D`)) - } - return res.json(userToJwt(user)); + return res.json(userToJwt(user,req.query.expiryDays)); } ); } catch (error) { @@ -136,11 +139,7 @@ exports.basic_ldap = async function(req, res,next) { return next(error); } // send the tokens to the requester - // if admin role, you can override the expirydays (for accesstoken only) - if(req.query.expiryDays && user?.roles?.includes("admin") && !isNan(req.query.expiryDays)){ - return res.json(userToJwt(user,`${req.query.expiryDays}D`)) - } - return res.json(userToJwt(user)); + return res.json(userToJwt(user,req.query.expiryDays)); } ); } catch (error) { @@ -171,12 +170,32 @@ exports.errorHandler = async function(err,req, res,next) { }; /** - * generate the callback options for login via Azure AD or OIDC + * generate the callback options for login via identity provider oauth2 + * + * Some information about how the identity provide mechanism works: + * + * 1. The user clicks on the identity provider login button + * 2. A browser storage authIssuer key is set with the identity provider name (azuread, oidc, ...) + * 3. The user is redirected to the ansibleforms backend server identity provider api https://ansibleformsurl/auth/azureadoauth2 or https://ansibleformsurl/auth/oidc, ... + * 4. The backend uses passport to authenticate the user with the identity provider and redirects the user away to the identity provider (microsft, google, ...) + * 5. The identity provider authenticates the user and redirects the user back to the callback url https://ansibleformsurl/auth/azureadoauth2/callback or https://ansibleformsurl/auth/oidc/callback + * 6. The backend server receives the callback and uses passport to verify the returned payload. it passes the payload to an authCallback function + * 7. The authCallback function redirects the user back to the frontend with a token (#/login?token=) azuread already passed a token, oidc has a raw payload and we create a manual token. + * 8. The frontend uses the oauth2 token to grab more group information and filter the group information with a filter defined in the database with the identity provider + * 9. The frontend redirects the user to the backend /auth/azureadaoath/login endpoint with the token and the group information + * 10. The backend grabs more information from payload if needed (username,...) and assembles a user-object, the roles and options are added + * 11. The backend converts the user object to json and signs it as a jwt token an returns it in the response + * 12. The frontend grabs the token and stores it in the local storage, ready for jwt-bearer authentication + * */ -const authCallback = function(req, res, next, type='azuread') { - return async (err, token) => { - if (type !== 'azuread') { - token = jwt.sign(token, type); +const authCallback = function(req, res, next, type) { + return async (err, payload) => { + // we assume the payload is a jwt token, with azuread this is the case + var token = payload + // in case of oidc, the payload is not a token, but a raw object + // we need to create a token from it, we use the type 'oidc' as the secret + if(type=="oidc"){ + token = jwt.sign(payload, type); } try { // if we have an error; we return it @@ -198,37 +217,17 @@ const extractAzureUser = async function(payload, groups) { return { username: payload.upn, id: payload.oid, - groups: groups, + groups: groups.map(g => `azuread/${g}`) // groups are prefixed with azuread/ to avoid conflicts with oidc groups etc } }; const extractOidcUser = async function(payload, groups) { return { username: payload.preferred_username, - groups: groups.map(g => `oidc/${g}`) + groups: groups.map(g => `oidc/${g}`) // groups are prefixed with oidc/ to avoid conflicts with azuread groups etc } }; -/** - * Function to perform login via token from identity provider (Azure AD / OIDC) - */ -const tokenLogin = async function(type, req, res) { - logger.debug("Login") - var payload = type === 'azuread' ? jwt.decode(req.body.token, '', true) : jwt.verify(req.body.token, type); - - const user= type === 'azuread' ? - await extractAzureUser(payload, req.body.groups) : - await extractOidcUser(payload, req.body.groups); - user.type = type - user.roles = await User.getRoles(user.groups, user) - - // if admin role, you can override the expirydays (for accesstoken only) - if(req.query.expiryDays && user?.roles?.includes("admin") && !isNan(req.query.expiryDays)){ - return res.json(userToJwt(user,`${req.query.expiryDays}D`)) - } - res.json(userToJwt(user)) -} - // this redirects to Azure AD login but with the proper application client id & secret exports.azureadoauth2 = async function(req, res,next) { logger.debug("Redirect to azure") @@ -236,14 +235,22 @@ exports.azureadoauth2 = async function(req, res,next) { passport.authenticate('azure_ad_oauth2')(req,res,next) }; -// callback with the Azure AD user info +// callback with the Azure AD access token exports.azureadoauth2callback = async function(req, res,next) { - passport.authenticate('azure_ad_oauth2', authCallback(req, res, next))(req, res, next) + passport.authenticate('azure_ad_oauth2', authCallback(req, res, next,"azuread"))(req, res, next) }; -// callback with the Azure AD user info +// callback with the Azure AD user info (including groups) exports.azureadoauth2login = async function(req, res,next) { try { - await tokenLogin('azuread', req, res, next) + var payload = jwt.decode(req.body.token, '', true) + const user = await extractAzureUser(payload, req.body.groups) + user.type = "azuread" + const ro = await User.getRolesAndOptions(user.groups,user) + user.roles = ro.roles + user.options = ro.options + // return token + res.json(userToJwt(user)) + } catch(err){ logger.error(helpers.getError(err)) next(err) @@ -257,14 +264,22 @@ exports.oidc = async function(req, res,next) { passport.authenticate('oidc')(req,res,next) }; -// callback with the OIDC user info +// callback with the OIDC access token exports.oidcCallback = async function(req, res,next) { passport.authenticate('oidc', authCallback(req, res, next, 'oidc'))(req, res, next) }; -// callback with the OIDC user info +// callback with the OIDC user info (including groups) exports.oidcLogin = async function(req, res, next) { try { - await tokenLogin('oidc', req, res, next) + var payload = jwt.verify(req.body.token, 'oidc'); // verify, with secret "oidc" + const user = await extractOidcUser(payload, req.body.groups) + user.type = "oidc" + const ro = await User.getRolesAndOptions(user.groups,user) + user.roles = ro.roles + user.options = ro.options + // return token + res.json(userToJwt(user)) + } catch(err){ logger.error(helpers.getError(err)) next(err) From 424b7009b9cd53a96934b88c29fc9669f05757e4 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:32:15 +0100 Subject: [PATCH 18/42] lock bug fix --- server/src/controllers/lock.controller.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/src/controllers/lock.controller.js b/server/src/controllers/lock.controller.js index 61df990..68f6a5b 100644 --- a/server/src/controllers/lock.controller.js +++ b/server/src/controllers/lock.controller.js @@ -18,7 +18,8 @@ exports.set = function(req, res) { .catch((err)=>{ res.json(new RestResult("error","failed to create lock",null,Helpers.getError(err))) }) }; exports.delete = function(req, res) { - Lock.delete() + const user = req.user.user + Lock.delete(user) .then(()=>{res.json(new RestResult("success","lock deleted",null,"")) }) .catch((err)=>{res.json(new RestResult("error","failed to delete lock",null,Helpers.getError(err)))}) }; From 70ea97299dca7d0411b233bd507adbbb238715ff Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:33:02 +0100 Subject: [PATCH 19/42] add roleoptions --- server/src/auth/auth_basic.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/server/src/auth/auth_basic.js b/server/src/auth/auth_basic.js index ad18b6d..a604658 100644 --- a/server/src/auth/auth_basic.js +++ b/server/src/auth/auth_basic.js @@ -37,7 +37,9 @@ passport.use( user.id = result.user.id user.type = 'local' user.groups = User.getGroups(user,result.user.groups) - user.roles = await User.getRoles(user.groups,user) + const ro = await User.getRolesAndOptions(user.groups,user) + user.roles = ro.roles + user.options = ro.options logger.info("local login is ok => " + user.username) return user }) @@ -66,7 +68,9 @@ passport.use( user.email = result[ldapConfig.mail_attribute] user.type = 'ldap' user.groups = User.getGroups(user,result,ldapConfig) - user.roles = await User.getRoles(user.groups,user) + const ro = await User.getRolesAndOptions(user.groups,user) + user.roles = ro.roles + user.options = ro.options logger.info("ldap login for " + user.username) return user }) From 029ee3350972b27ece6cf4e62b485712b35494b1 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:33:18 +0100 Subject: [PATCH 20/42] add formoptions --- server/schema/forms_schema.json | 150 ++++++++++++++++++-------------- 1 file changed, 86 insertions(+), 64 deletions(-) diff --git a/server/schema/forms_schema.json b/server/schema/forms_schema.json index b3c48c2..56866bf 100644 --- a/server/schema/forms_schema.json +++ b/server/schema/forms_schema.json @@ -43,10 +43,25 @@ "roles": { "type": "array", "contains": { - "const": { - "name": "public", - "groups": [] - } + "type": "object", + "properties": { + "name": { "const": "public"}, + "groups": { "const": []}, + "options": { + "type": "object", + "properties": { + "showDesigner": { "type": "boolean"}, + "showLogs": { "type": "boolean" }, + "showDebugButtons": { "type": "boolean" }, + "showSettings": { "type": "boolean" }, + "showExtravars": { "type": "boolean" }, + "extendedTokenExpiration": { "type": "boolean" }, + "jwtExpirationDays": { "type": "number" } + }, + "additionalProperties": false + } + }, + "additionalProperties": false }, "items": { "type": "object", @@ -69,6 +84,19 @@ "$id": "/role", "type": "string" }, + "options": { + "type": "object", + "properties": { + "showDesigner": { "type": "boolean"}, + "showLogs": { "type": "boolean" }, + "showDebugButtons": { "type": "boolean" }, + "showSettings": { "type": "boolean" }, + "showExtravars": { "type": "boolean" }, + "extendedTokenExpiration": { "type": "boolean" }, + "tokenExpirationDays": { "type": "number" } + }, + "additionalProperties": false + }, "groups": { "type": "array", "items": { @@ -86,7 +114,7 @@ } } }, - "additionalProperties": true + "additionalProperties": false } }, "constants":{ @@ -266,8 +294,16 @@ "$ref": "/icon" }, "tileClass": { - "type": "string", - "pattern": "^has-background-.+" + "anyOf":[ + { + "type": "string", + "pattern": "^has-background-.+" + }, + { + "type": "string", + "pattern": "^bg-.+" + } + ] }, "verbose": { "type": "boolean" @@ -358,6 +394,7 @@ "$ref": "/formfield" }, "template": {"type": "string"}, + "abortable": {"type": "boolean"}, "awxCredentials": { "type": "array", "items": { @@ -456,6 +493,7 @@ }, "playbook": {"type": "string"}, "key": {"type": "string"}, + "abortable": {"type": "boolean"}, "template": {"type": "string"}, "credentials": { "type": "object", @@ -534,9 +572,11 @@ "deleteMarker": {"not":{}}, "insertMarker": {"not":{}}, "refresh": {"not":{}}, + "switch": {"not":{}}, "readonlyColumns": {"not":{}}, "values": {"not":{}}, "isHtml": {"not":{}}, + "accept": {"not":{}}, "multiple": {"not":{}}, "outputObject": {"not":{}} } @@ -560,6 +600,7 @@ "pctColumns": {"not":{}}, "filterColumns": {"not":{}}, "hide": {"not":{}}, + "accept": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, "deleteMarker": {"not":{}}, @@ -574,6 +615,7 @@ "asCredential": {"not":{}}, "keydown": {"not":{}}, "refresh": {"not":{}}, + "switch": {"not":{}}, "readonlyColumns": {"not":{}}, "values": {"not":{}}, "isHtml": {"not":{}}, @@ -603,6 +645,8 @@ "values": {"not":{}}, "multiple": {"not":{}}, "refresh": {"not":{}}, + "switch": {"not":{}}, + "accept": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, "deleteMarker": {"not":{}}, @@ -638,6 +682,7 @@ "isHtml": {"not":{}}, "dbConfig": {"not":{}}, "hide": {"not":{}}, + "accept": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, "deleteMarker": {"not":{}}, @@ -645,6 +690,7 @@ "readonlyColumns": {"not":{}}, "multiple": {"not":{}}, "asCredential": {"not":{}}, + "switch": {"not":{}}, "outputObject": {"not":{}} }, "required": ["values"] @@ -674,6 +720,7 @@ "dbConfig": {"not":{}}, "refresh": {"not":{}}, "hide": {"not":{}}, + "accept": {"not":{}}, "values": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, @@ -703,6 +750,7 @@ "runLocal": {"not":{}}, "keydown": {"not":{}}, "refresh": {"not":{}}, + "accept": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, "deleteMarker": {"not":{}}, @@ -710,37 +758,11 @@ "readonlyColumns": {"not":{}}, "isHtml": {"not":{}}, "dbConfig": {"not":{}}, + "switch": {"not":{}}, "hide": {"not":{}} }, "required": ["values"] }, - { - "properties": { - "type": { - "enum": ["query"] - }, - "values": {"not":{}}, - "regex": {"not":{}}, - "minValue": {"not":{}}, - "maxValue": {"not":{}}, - "minSize": {"not":{}}, - "maxSize": {"not":{}}, - "minLength": {"not":{}}, - "maxLength": {"not":{}}, - "editable": {"not":{}}, - "expression": {"not":{}}, - "keydown": {"not":{}}, - "allowDelete": {"not":{}}, - "allowInsert": {"not":{}}, - "deleteMarker": {"not":{}}, - "insertMarker": {"not":{}}, - "readonlyColumns": {"not":{}}, - "isHtml": {"not":{}}, - "runLocal": {"not":{}}, - "hide": {"not":{}} - }, - "required": ["query", "dbConfig"] - }, { "properties": { "type": { @@ -764,37 +786,11 @@ "readonlyColumns": {"not":{}}, "isHtml": {"not":{}}, "runLocal": {"not":{}}, + "switch": {"not":{}}, "hide": {"not":{}} }, "required": ["query", "dbConfig"] }, - { - "properties": { - "type": { - "enum": ["query"] - }, - "values": {"not":{}}, - "regex": {"not":{}}, - "editable": {"not":{}}, - "minValue": {"not":{}}, - "maxValue": {"not":{}}, - "minSize": {"not":{}}, - "maxSize": {"not":{}}, - "minLength": {"not":{}}, - "maxLength": {"not":{}}, - "query": {"not":{}}, - "keydown": {"not":{}}, - "allowDelete": {"not":{}}, - "allowInsert": {"not":{}}, - "deleteMarker": {"not":{}}, - "insertMarker": {"not":{}}, - "readonlyColumns": {"not":{}}, - "isHtml": {"not":{}}, - "dbConfig": {"not":{}}, - "hide": {"not":{}} - }, - "required": ["expression"] - }, { "properties": { "type": { @@ -811,6 +807,7 @@ "maxLength": {"not":{}}, "query": {"not":{}}, "keydown": {"not":{}}, + "accept": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, "deleteMarker": {"not":{}}, @@ -818,6 +815,7 @@ "readonlyColumns": {"not":{}}, "isHtml": {"not":{}}, "dbConfig": {"not":{}}, + "switch": {"not":{}}, "hide": {"not":{}} }, "required": ["expression"] @@ -838,12 +836,14 @@ "filterColumns": {"not":{}}, "dbConfig": {"not":{}}, "multiple": {"not":{}}, + "accept": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, "deleteMarker": {"not":{}}, "insertMarker": {"not":{}}, "readonlyColumns": {"not":{}}, "keydown": {"not":{}}, + "switch": {"not":{}}, "outputObject": {"not":{}} }, "required": ["expression"] @@ -863,6 +863,7 @@ "filterColumns": {"not":{}}, "dbConfig": {"not":{}}, "multiple": {"not":{}}, + "accept": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, "deleteMarker": {"not":{}}, @@ -870,6 +871,7 @@ "readonlyColumns": {"not":{}}, "keydown": {"not":{}}, "expression": {"not":{}}, + "switch": {"not":{}}, "outputObject": {"not":{}} }, "required": ["value"] @@ -891,12 +893,14 @@ "filterColumns": {"not":{}}, "multiple": {"not":{}}, "runLocal": {"not":{}}, + "accept": {"not":{}}, "allowDelete": {"not":{}}, "allowInsert": {"not":{}}, "deleteMarker": {"not":{}}, "insertMarker": {"not":{}}, "readonlyColumns": {"not":{}}, "keydown": {"not":{}}, + "switch": {"not":{}}, "outputObject": {"not":{}} }, "required": ["query", "dbConfig"] @@ -919,6 +923,7 @@ "in": {"not":{}}, "minValue": {"not":{}}, "maxValue": {"not":{}}, + "accept": {"not":{}}, "minSize": {"not":{}}, "maxSize": {"not":{}}, "minLength": {"not":{}}, @@ -952,6 +957,7 @@ "size": {"not":{}}, "hide": {"not":{}}, "icon": {"not":{}}, + "switch": {"not":{}}, "tableFields": {"not":{}} }, "required": ["expression"] @@ -998,6 +1004,7 @@ "multiple": {"not":{}}, "size": {"not":{}}, "hide": {"not":{}}, + "switch": {"not":{}}, "tableFields": {"not":{}} } }, @@ -1014,11 +1021,13 @@ "maxLength": {"not":{}}, "values": {"not":{}}, "from": {"not":{}}, + "accept": {"not":{}}, "outputObject": {"not":{}}, "columns": {"not":{}}, "pctColumns": {"not":{}}, "filterColumns": {"not":{}}, "previewColumn": {"not":{}}, + "switch": {"not":{}}, "valueColumn": {"not":{}} }, "required": ["dateType"] @@ -1042,11 +1051,13 @@ "filterColumns": {"not":{}}, "maxLength": {"not":{}}, "multiple": {"not":{}}, + "accept": {"not":{}}, "refresh": {"not":{}}, "outputObject": {"not":{}}, "keydown": {"not":{}}, "isHtml": {"not":{}}, "icon": {"not":{}}, + "switch": {"not":{}}, "default": {"not":{}} }, "required": ["tableFields"] @@ -1055,7 +1066,7 @@ "properties": { "type": { "type": "string", - "enum": ["text","textarea", "password", "checkbox", "enum", "query", "number", "radio", "expression","local","local_out","credential", "table","datetime","html","file"] + "enum": ["text","textarea", "password", "checkbox", "enum", "number", "radio", "expression","local","local_out","credential", "table","datetime","html","file"] }, "name": { "$id": "/formfield", @@ -1072,6 +1083,10 @@ {"type": "integer"} ] }, + "accept": { + "type": "array", + "items": {"type": "string"} + }, "evalDefault": {"type": "boolean"}, "dateType": {"type": "string","enum":["date","datetime","year","month","time","week"]}, "noOutput": {"type": "boolean"}, @@ -1159,6 +1174,7 @@ "runLocal": {"type": "boolean"}, "query": {"type": "string"}, "outputObject": {"type": "boolean"}, + "switch": {"type": "boolean"}, "columns": { "type": "array", "items": {"type": "string"} @@ -1312,6 +1328,7 @@ "pctColumns": {"not":{}}, "filterColumns": {"not":{}}, "previewColumn": {"not":{}}, + "switch": {"not":{}}, "valueColumn": {"not":{}} } }, @@ -1337,6 +1354,7 @@ "pctColumns": {"not":{}}, "filterColumns": {"not":{}}, "previewColumn": {"not":{}}, + "switch": {"not":{}}, "valueColumn": {"not":{}} } }, @@ -1358,6 +1376,7 @@ "pctColumns": {"not":{}}, "filterColumns": {"not":{}}, "previewColumn": {"not":{}}, + "switch": {"not":{}}, "valueColumn": {"not":{}} }, "required": ["dateType"] @@ -1378,6 +1397,7 @@ "pctColumns": {"not":{}}, "filterColumns": {"not":{}}, "previewColumn": {"not":{}}, + "switch": {"not":{}}, "valueColumn": {"not":{}} } }, @@ -1419,6 +1439,7 @@ "pctColumns": {"not":{}}, "filterColumns": {"not":{}}, "previewColumn": {"not":{}}, + "switch": {"not":{}}, "valueColumn": {"not":{}} }, "required": ["values"] @@ -1426,7 +1447,7 @@ { "properties": { "type": { - "enum": ["query","enum"] + "enum": ["enum"] }, "regex": {"not":{}}, "minValue": {"not":{}}, @@ -1441,7 +1462,7 @@ "properties": { "type": { "type": "string", - "enum": ["text","textarea", "password", "checkbox", "enum", "query", "number","datetime","html"] + "enum": ["text","textarea", "password", "checkbox", "enum", "number","datetime","html"] }, "name": {"type": "string"}, "label": {"type": "string"}, @@ -1449,6 +1470,7 @@ "from": {"type": "string"}, "sticky": {"type": "boolean"}, "horizontal": {"type": "boolean"}, + "switch": {"type": "boolean"}, "default": { "anyOf": [{"type": "string"}, {"type": "boolean"}, From 5e5b3ab8229414ee4ca883d3371afb8a823bb7a1 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:33:31 +0100 Subject: [PATCH 21/42] add issuer --- server/config/auth.config.js | 1 + 1 file changed, 1 insertion(+) diff --git a/server/config/auth.config.js b/server/config/auth.config.js index 99ab852..a7797c8 100644 --- a/server/config/auth.config.js +++ b/server/config/auth.config.js @@ -2,6 +2,7 @@ module.exports = { secret: process.env.ACCESS_TOKEN_SECRET || "j6fz%Q9S2YJC?x|u", jwtExpiration: process.env.ACCESS_TOKEN_EXPIRATION || "30m", jwtRefreshExpiration: process.env.ACCESS_TOKEN_REFRESH_EXPIRATION || "24h", + jwtIssuer: process.env.ACCESS_TOKEN_ISSUER || "ansibleforms", azureGraphUrl: process.env.AZURE_GRAPH_URI || "https://graph.microsoft.com", ldapErrorRegex:".*, data ([^,]*),.*", ldapErrors:{ From a40cbe1e6a4666886e73c4fe66f23b65aa5c5f51 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:33:57 +0100 Subject: [PATCH 22/42] add new help for roleoptions, admin/pass, ytt --- docs/_data/help.yaml | 107 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 106 insertions(+), 1 deletion(-) diff --git a/docs/_data/help.yaml b/docs/_data/help.yaml index 76f71de..8da3ecc 100644 --- a/docs/_data/help.yaml +++ b/docs/_data/help.yaml @@ -64,6 +64,26 @@ short: Certificate default: "%PERSISTENT_FOLDER%/certificates/cert.pem" description: The path to the server certificate, in BASE64/PEM format. + - name: ADMIN_USERNAME + type: string + allowed: a valid username + short: Admin username + version: 5.0.8 + default: admin + description: | + The admin username is the first user that can login to the application. + This user has full access to the application and is created at first start if not present. + This user will be added to the `admins` group, which will be created as well if not present. + - name: ADMIN_PASSWORD + type: string + allowed: a valid password + short: Admin password + version: 5.0.8 + default: AnsibleForms!123 + description: | + The admin password is the password for first user that can login to the application. + This user has full access to the application and is created at first start if not present. + This user will be added to the `admins` group, which will be created as well if not present. - name: FORMS_PATH type: string allowed: a valid file path @@ -184,6 +204,42 @@ description: | https://github.com/carvel-dev/ytt is a tool for yaml templating. It can be activated by this variable. version: 5.0.2 + - name: YTT_ALLOW_SYMLINK_DESTINATIONS + type: string + allowed: valid paths + short: Ytt allowed symlink destinations + default: "" + description: | + Ytt disables templating with symlinks by default. If you want to allow symlink use on specific directories, this variable can be set to the path(s) where the symlinks are allowed (multiple paths separated by Node's `path.delimiter`). Note: enabling this may come with some risks, see ytt FAQ for more info. + version: 5.0.8 + - name: YTT_DANGEROUS_ALLOW_ALL_SYMLINK_DESTINATIONS + type: number + choices: + - name: 0 + description: Disables all symlink destinations + - name: 1 + description: Enables all symlink destinations + default: 0 + short: Ytt dangerous allow all symlink destinations + description: | + Ytt disables templating with symlinks by default. If you want to allow all symlink use EVERYWHERE, you can set this variable to 1. Note: enabling this comes with some risks (hence the 'DANGEROUS' part), see ytt FAQ for more info. + version: 5.0.8 + - name: YTT_VARS_PREFIX + type: string + allowed: a valid prefix + short: Ytt vars prefix + default: "" + description: | + Environment variable prefix for ytt to get data values from. For example, when set to `MY_PREFIX`, `MY_PREFIX_my_var=value` results to the ytt data value `my_var=value`. + version: 5.0.8 + - name: YTT_LIB_DATA_{dynamic} + type: string + allowed: a valid lib data value + short: Ytt lib data + default: "" + description: | + This is not a single variable but rather an infinite amount of variables. You can set as many as you want. The dynamic part is the name of the lib data. For example `YTT_LIB_DATA_MYLIB=values.yml` results in the contents of `values.yml` to be used by ytt in the `mylib` library. + version: 5.0.8 - name: LOG_LEVEL type: string choices: @@ -380,6 +436,16 @@ Once the access token is expired, and the client tries to connect to the server, the client hits a 401 error (unauthorized). the client application captures this error, and calls the refresh api with its refresh token. If the refresh token is valid, the client gets a new set of access and refresh tokens and retries the last unauthorized api call with the renew access token. With this mechanism, the client can keep the user-connection open for a long time and avoid a sudden logout during a save action. If the client has not connected back to the server during the expiration time of the refresh token, the client is logged of and authentication is required again. + - name: ACCESS_TOKEN_ISSUER + type: string + allowed: a valid issuer string + short: Issuer of the access token + default: ansibleforms + version: 5.0.8 + description: | + The issuer of the access token is the name of the application that issues the token. + This is used to verify the token on the server side. + Also reverse proxies can be picky about the issuer being present. - name: HOME_PATH type: string allowed: a valid path @@ -481,7 +547,19 @@ short: Roles description: | The roles provide RBAC. Each role has a name and 1 or more groups (local, ldap or azuread). The `admin` and `public` rol is mandatory. - Since version 4.0.11 you can also add users (local, ldap or azuread) + Since version 4.0.11 you can also add users (local, ldap or azuread). + Since version 5.0.8 options are introduced to add specific role-options. + - showDesigner: The user can see the designer + - showSettings: The user can see the settings page + - showDebugButtons: The user can see the debug buttons on a form + - showExtravars: The user can see the extravars on a form + - showLogs: The user can see the logs page + - extendedTokenExpiration: The user can request a token with a longer expiration time (for coding api purposes for example) + + When options are not set, the admin role will have all options. + When options are set on the public role, they will have the lowest precedence and can be used as default options for all roles. + You can add options on role level, which will override the public role options. + examples: - name: Roles code: | @@ -494,6 +572,12 @@ - name: operator groups: - local/operator + - name: architect + groups: + - local/architect + options: + showDesigner: true # architects can see the designer + showLogs: true # architects can see the logs - name: demo groups: - local/demo @@ -502,6 +586,9 @@ - local/myuser - name: public # is mandatory groups: [] + options: + showDebugButtons: true # everyone can see the debug buttons + showExtravars: true # everyone can see the extravars - name: constants type: object allowed: Free object structure @@ -1197,6 +1284,14 @@ **Note** : You can also dynamically set this property by using a field called `__keepExtravars__`. It must be sent as extravar. If this extravar is found it will overwrite the static diff field. The field must result in a boolean (expression or checkbox) **Note** : If you use multistep and you want to dynamically set every step, use the `key` property and `model` property to create separate extravars per step. + - name: abortable + type: boolean + short: Allow aborting the job + group: workflow + version: 5.0.8 + default: true + description: | + By default you can allow the user to abort the job. Use this attribute to disable this behaviour. - name: tags type: string allowed: comma separated tag-list @@ -1826,6 +1921,7 @@ name: areyousure label: Confirmation default: false + switch: true placeholder: are you sure? - name: radio description: A radio field (multi options) @@ -1977,6 +2073,7 @@ label: membership placeholder: Paid yet ? type: checkbox + switch: true required: true default: true short: Field type @@ -2319,6 +2416,14 @@ description: A default can be treated as javascript and can thus hold expressions like `'$(other_field)'.toUpperCase()` or `Math.PI` or `Date.getDate.toISOString()` version: 4.0.5 with_types: text, textarea, number, expression, password, enum, radio, checkbox, datetime + - name: switch + type: boolean + group: visualization + default: false + short: Show checkbox as switch + description: A checkbox can be shown as a switch, enabling a more modern look. + version: 4.0.5 + with_types: checkbox - name: required type: boolean group: validation From 81927754b820843ebba2bf9b98063f23cec866c3 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:34:14 +0100 Subject: [PATCH 23/42] allow admin delete --- client/src/views/Users.vue | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/src/views/Users.vue b/client/src/views/Users.vue index 6a577b3..c20d2b8 100644 --- a/client/src/views/Users.vue +++ b/client/src/views/Users.vue @@ -17,7 +17,7 @@
Date: Fri, 3 Jan 2025 18:34:51 +0100 Subject: [PATCH 24/42] identity providers more help and better code --- client/src/views/Login.vue | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/client/src/views/Login.vue b/client/src/views/Login.vue index fbc59f0..98d0c9d 100644 --- a/client/src/views/Login.vue +++ b/client/src/views/Login.vue @@ -83,7 +83,7 @@ if(token && this.azureAdEnabled){ if(localStorage.getItem("authIssuer")=="azuread") // get cookie and see if we issued azuread - this.getGroupsAndLogin(token) + this.getGroupsAndLogin(token, `${this.azureGraphUrl}/v1.0/me/transitiveMemberOf`, 'azuread') } if (token && this.oidcEnabled) { // get cookie ans see if we issued oidc if(localStorage.getItem("authIssuer")=="oidc") @@ -97,7 +97,10 @@ this.$toast.error(`Failed to get settings: ${err}`) }) }, - getGroupsAndLogin(token, url = `${this.azureGraphUrl}/v1.0/me/transitiveMemberOf`, type='azuread', allGroups = []) { + getGroupsAndLogin(token, url, type, allGroups = []) { + // implement azuread group lookup + // azuread has a group lookup api, we get the groups from the api + // this must be done from the client side, because the server side might not have access to the graph api if (type === 'azuread') { const config = { headers: { @@ -107,7 +110,8 @@ axios.get(url, config) .then((res) => { - const groups = res.data.value.filter(x => x.displayName).map(x => (`azuread/` + x.displayName)); + // filter out groups with no displayName and map to an array of group names + const groups = res.data.value.filter(x => x.displayName).map(x => x.displayName); allGroups = allGroups.concat(groups); if (res.data['@odata.nextLink']) { @@ -115,13 +119,16 @@ this.getGroupsAndLogin(token, res.data['@odata.nextLink'], type, allGroups); } else { // No more nextLink, you have all the groups - this.tokenLogin(token, allGroups) + this.tokenLogin(token, allGroups, 'azuread'); } }) .catch((err) => { this.$toast.error("Failed to get group membership"); }); } + // implement oidc group lookup + // oidc has no group lookup api, the groups are part of the payload + // we decode the token and get the groups from the payload else if (type === 'oidc') { const payload = jwt.decode(token, {complete: true}).payload this.tokenLogin(token, payload.groups || [], 'oidc') @@ -129,9 +136,12 @@ this.$toast.error("Invalid Identity Provider type, contact developer") } }, - tokenLogin(token, allGroups, type='azuread') { + tokenLogin(token, allGroups, type) { var validRegex=true var regex + + // implement a group filter reduction to reduce the jwt token payload, because this can because very large if you are in a lot of groups + // a header maximum could be reached and fail the login var groupfilter if(type === 'azuread'){ groupfilter = this.azureGroupfilter From 11ddcf7248a69072840964dcd9b448b3657988f3 Mon Sep 17 00:00:00 2001 From: ansibleguy76 Date: Fri, 3 Jan 2025 18:35:09 +0100 Subject: [PATCH 25/42] add roleoptions --- client/src/components/Form.vue | 53 +++++++++++++++++++++++++++++----- client/src/views/Form.vue | 8 ++--- 2 files changed, 49 insertions(+), 12 deletions(-) diff --git a/client/src/components/Form.vue b/client/src/components/Form.vue index bdb5f12..1d37915 100644 --- a/client/src/components/Form.vue +++ b/client/src/components/Form.vue @@ -21,7 +21,7 @@ -
-
+
- + + + + + + -
+
+
+ +
@@ -470,14 +497,17 @@ import BulmaCheckRadio from './BulmaCheckRadio.vue' import BulmaEditTable from './BulmaEditTable.vue' import DatePicker from 'vue2-datepicker'; + import YAML from 'yaml' import 'vue2-datepicker/index.css'; import 'highlight.js/styles/monokai-sublime.css' import hljs from 'highlight.js/lib/core'; import javascript from 'highlight.js/lib/languages/javascript'; + import yaml from 'highlight.js/lib/languages/yaml'; import vuePlugin from "@highlightjs/vue-plugin"; hljs.registerLanguage('javascript', javascript); + hljs.registerLanguage('yaml', yaml); import Helpers from './../lib/Helpers' import Copy from 'copy-to-clipboard' @@ -487,6 +517,7 @@ import { useVuelidate } from '@vuelidate/core' import { minValue,maxValue,minLength,maxLength,helpers,requiredIf,sameAs } from '@vuelidate/validators' + Vue.use(vuePlugin); Vue.use(VueShowdown) @@ -496,7 +527,8 @@ props:{ currentForm:{type:Object}, constants:{type:Object}, - isAdmin:{type:Boolean} + isAdmin:{type:Boolean}, + profile:{type:Object} }, setup(){ return { v$: useVuelidate() } @@ -517,6 +549,7 @@ error:"" } }, + viewAsYaml:false, // flag to show extravars as yaml watchdog:0, // main loop counter loopdelay:100, // main loop delay subjob:{}, // output of last subjob @@ -671,6 +704,10 @@ return obj }, computed: { + // get the formdata as yaml + formdataYaml(){ + return YAML.stringify(this.formdata) + }, // unevaluatedFieldsWarning unevaluatedFieldsWarning(){ if(this.canSubmit){ diff --git a/client/src/views/Form.vue b/client/src/views/Form.vue index 0419248..c1ee163 100644 --- a/client/src/views/Form.vue +++ b/client/src/views/Form.vue @@ -1,9 +1,8 @@