core icon indicating copy to clipboard operation
core copied to clipboard

Published 20 hours ago verified publisher icon opnsense

Dashboard: point index page to new dashboard

Open swhite2 opened this issue 1 year ago • 1 comments

PR to discuss the following points:

  1. How the ACLs for the new widgets should be structured. For now I've bulked them into the core ACL file and allowed configurability of each. Each widget ACL implies access to /api/core/dashboard/saveWidgets.
  2. Pointing the default page to the new dashboard. This PR has attempted backwards compatibility, but I may have missed things.

In this PR, the wizard prompt/completion remains in index.php with the unconditional include of authgui.inc providing access to all previous GET parameters. Redirection occurs through

header('Location: /ui/core/dashboard');
exit;

TODO: rm -rf /usr/core/src/www/widgets TODO: match ACLs with current existing components e.g. firewall live log ACL implies dashboard firewall widget access as well.

swhite2 avatar Jun 14 '24 14:06 swhite2

Haven’t reviewed it yet, but the default landing page likely needs another default as well.

https://github.com/opnsense/core/blob/0487802a4b9255bd3084eaffc993ad30c050d9ff/src/www/authgui.inc#L204

https://github.com/opnsense/core/blob/34cafe3e9835cb48c41ad063d2aba2700e7f701a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php#L366

AdSchellevis avatar Jun 14 '24 15:06 AdSchellevis

https://github.com/opnsense/core/pull/7529/commits/f74eaee2637a0933c4a738a0b10cdd2698a4a8f0 matches ACLs from a user perspective based on what is logically allowed given the current ACL configuration:

The following widgets are allowed based on existing ACLs:

  • Announcements: api/core/dashboard/product_info_feed. Implies page-system-login-logout.
  • Interfaces: /api/interfaces/overview/interfacesInfo. Implies page-status-interfaces.
  • InterfaceStatistics: /api/interfaces/statistics/*. Implies page-status-trafficgraph.
  • Traffic: /api/diagnostics/traffic/*. Implies page-status-traffic-graph.
  • Firewall: /api/diagnostics/firewall/streamLog and /api/diagnostics/interface/getInterfaceNames. Implies page-diagnostics-logs-firewall-dynamic. NOTE: Added /api/diagnostics/firewall/streamLog to ACL.
  • CARP: /api/diagnostics/interface/get_vip_status. Implies page-status-carp.
  • Gateways: /api/routes/gateway/status. Added api/routes/gateway/status to page-system-gateways.
  • Monit: /api/monit/status/get/xml. Implies page-services-monit.
  • LiveLog: /api/diagnostics/log/core/*. Implies page-diagnostics-logs-system.
  • IPsecLeases: /api/ipsec/*. Implies page-status-ipsec-leases and page-vpn-ipsec-connections.
  • IPsecTunnels: /api/ipsec/*. Implies page-status-ipsec and page-vpn-ipsec-connections.

The following widgets get a separate ACL as they are the only consumers:

  • SystemInformation: api/core/system/systemInformation.
  • CPU: /api/diagnostics/cpu_usage/*.
  • Memory: /api/diagnostics/system/systemResources.
  • Disk: /api/diagnostics/system/systemDisk.
  • FirewallStates: /api/diagnostics/firewall/pf_states.
  • MBUF: /api/diagnostics/system/system_mbuf.
  • Swap: /api/diagnostics/system/system_swap.
  • ThermalSensors: /api/diagnostics/system/systemTemperature.

This commit also moves the functions developed for the widgets in /api/core/system/* to /api/diagnostics/system/* as the namespace is more logical.

swhite2 avatar Jul 01 '24 13:07 swhite2

I've temporary disabled the additional ACL's (https://github.com/opnsense/core/pull/7529/commits/1557a4c68ed2e07a5e3908f42b0c83d7bae0e1c5) as I'm unsure these bring anything to the table, when needed we can re-enable them easily or merge them into another one later on.

PR is merged in https://github.com/opnsense/core/commit/cff24b7a8a19cf64dc6feaf46c0d094227f475df

AdSchellevis avatar Jul 07 '24 09:07 AdSchellevis