From 046409976458753a322a9527fef8e7c7499a6942 Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Tue, 19 Aug 2014 11:19:30 +0200
Subject: [PATCH 1/9] Monitoring: implement "Security" config tab
---
 .../monitoring/application/controllers/ConfigController.php | 5 +++++
 .../application/views/scripts/config/security.phtml | 3 +++
 modules/monitoring/configuration.php | 5 ++++-
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 modules/monitoring/application/views/scripts/config/security.phtml
diff --git a/modules/monitoring/application/controllers/ConfigController.php b/modules/monitoring/application/controllers/ConfigController.php
index c06ded57f..d777390a8 100644
--- a/modules/monitoring/application/controllers/ConfigController.php
+++ b/modules/monitoring/application/controllers/ConfigController.php
@@ -258,4 +258,9 @@ class Monitoring_ConfigController extends ModuleActionController
 $instanceCfg = $this->Config('instances');
 return $instanceCfg && $instanceCfg->get($instance);
 }
+
+ public function securityAction()
+ {
+ $this->view->tabs = $this->Module()->getConfigTabs()->activate('security');
+ }
 }
diff --git a/modules/monitoring/application/views/scripts/config/security.phtml b/modules/monitoring/application/views/scripts/config/security.phtml
new file mode 100644
index 000000000..87b22b9ac
--- /dev/null
+++ b/modules/monitoring/application/views/scripts/config/security.phtml
@@ -0,0 +1,3 @@
+
+ tabs ?> +
diff --git a/modules/monitoring/configuration.php b/modules/monitoring/configuration.php
index ffd769482..479ee525f 100644
--- a/modules/monitoring/configuration.php
+++ b/modules/monitoring/configuration.php
@@ -12,4 +12,7 @@ $this->provideConfigTab('backends', array(
 'title' => 'Backends',
 'url' => 'config'
 ));
-
+$this->provideConfigTab('security', array(
+ 'title' => 'Security',
+ 'url' => 'config/security'
+));
From 6b468b7f9bd5cfddac82b94ad8d10a0321dc3343 Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Tue, 19 Aug 2014 13:51:10 +0200
Subject: [PATCH 2/9] Monitoring_ConfigController: make writeConfiguration's parameter `file' non-required refs #6641
---
 modules/monitoring/application/controllers/ConfigController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/monitoring/application/controllers/ConfigController.php b/modules/monitoring/application/controllers/ConfigController.php
index d777390a8..d110a32e2 100644
--- a/modules/monitoring/application/controllers/ConfigController.php
+++ b/modules/monitoring/application/controllers/ConfigController.php
@@ -216,7 +216,7 @@ class Monitoring_ConfigController extends ModuleActionController
 /**
 * Display a form to remove the instance identified by the 'instance' parameter
 */
- private function writeConfiguration($config, $file)
+ private function writeConfiguration($config, $file = null)
 {
 $target = $this->Config($file)->getConfigFile();
 $writer = new PreservingIniWriter(array('filename' => $target, 'config' => $config));
From 1ba3954b95a30f1ca6554a0e09dd11ece40c82d9 Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Tue, 19 Aug 2014 14:02:26 +0200
Subject: [PATCH 3/9] Monitoring config: implement SecurityForm refs #6641
---
 .../application/forms/Config/SecurityForm.php | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 modules/monitoring/application/forms/Config/SecurityForm.php
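Review bot: The docblock left above `writeConfiguration` in PATCH 2/9 still reads "Display a form to remove the instance identified by the 'instance' parameter", which describes a different method, and the new default for `$file` is not documented at all. I would replace it with a docblock that says the method writes `$config` to the configuration file selected by `$file`, documents both parameters, and states that a null `$file` is handed unchanged to `$this->Config($file)`, so the write target is whatever `Config()` resolves for null (presumably the module's config.ini; worth confirming). The method body continues past the end of the hunk, so its return value and error handling are not visible here.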
diff --git a/modules/monitoring/application/forms/Config/SecurityForm.php b/modules/monitoring/application/forms/Config/SecurityForm.php
new file mode 100644
index 000000000..51b64dea0
--- /dev/null
+++ b/modules/monitoring/application/forms/Config/SecurityForm.php
@@ -0,0 +1,56 @@
+addElement(
+ 'text',
+ 'customvars',
+ array(
+ 'label' => 'Protected Custom Variables',
+ 'required' => true,
+ 'value' => $this->config->customvars
+ )
+ );
+ $this->setSubmitLabel('{{SAVE_ICON}} Save');
+ }
+
+ /**
+ * Set the configuration to be used for initial population of the form
+ */
+ public function setConfiguration($config)
+ {
+ $this->config = $config;
+ }
+
+ /**
+ * Return the configuration set by this form
+ *
+ * @return Zend_Config The configuration set in this form
+ */
+ public function getConfig()
+ {
+ $values = $this->getValues();
+ return new Zend_Config(array(
+ 'customvars' => $values['customvars']
+ ));
+ }
+}
From 65473ac8eec9474793c691aae84abe852ab7b2d5 Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Tue, 19 Aug 2014 14:04:00 +0200
Subject: [PATCH 4/9] Monitoring config: use SecurityForm refs #6641
---
 .../controllers/ConfigController.php | 17 +++++++++++++++++
 .../views/scripts/config/security.phtml | 1 +
 2 files changed, 18 insertions(+)
diff --git a/modules/monitoring/application/controllers/ConfigController.php b/modules/monitoring/application/controllers/ConfigController.php
index d110a32e2..f0982c29a 100644
--- a/modules/monitoring/application/controllers/ConfigController.php
+++ b/modules/monitoring/application/controllers/ConfigController.php
@@ -14,6 +14,7 @@ use Icinga\Module\Monitoring\Form\Config\Backend\EditBackendForm;
 use Icinga\Module\Monitoring\Form\Config\Backend\CreateBackendForm;
 use Icinga\Module\Monitoring\Form\Config\Instance\EditInstanceForm;
 use Icinga\Module\Monitoring\Form\Config\Instance\CreateInstanceForm;
+use Icinga\Module\Monitoring\Form\Config\SecurityForm;
 use Icinga\Exception\NotReadableError;
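Review bot: The element definition in SecurityForm.php reads `'value' => $this->config->customvars` although nothing ensures `setConfiguration()` was given an object; when the caller passes the result of a lookup for a `security` section that does not exist yet, this dereferences null. A guard such as `'value' => $this->config !== null ? $this->config->customvars : ''` keeps the form usable on an installation without that section, and `setConfiguration()` should gain a `@param Zend_Config|null $config` line saying so. The same assumption reappears in PATCH 8/9, where `Config::module('monitoring')->get('security')->toArray()` in `fetchCustomvars()` would call a method on null (assuming `get()` returns null for an absent section) and break the object views instead of falling back to a default mask list. The head of the class, including the method that contains `addElement`, is not visible on this page.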
@@ -262,5 +263,21 @@ class Monitoring_ConfigController extends ModuleActionController
 public function securityAction()
 {
 $this->view->tabs = $this->Module()->getConfigTabs()->activate('security');
+
+ $form = new SecurityForm();
+ $form->setConfiguration($this->Config()->get('security'));
+ $form->setRequest($this->getRequest());
+ if ($form->isSubmittedAndValid()) {
+ $config = $this->Config()->toArray();
+ $config['security'] = $form->getConfig();
+ if ($this->writeConfiguration(new Zend_Config($config))) {
+ Notification::success('Configuration modified successfully');
+ $this->redirectNow('monitoring/config/security');
+ } else {
+ $this->render('show-configuration');
+ return;
+ }
+ }
+ $this->view->form = $form;
 }
 }
diff --git a/modules/monitoring/application/views/scripts/config/security.phtml b/modules/monitoring/application/views/scripts/config/security.phtml
index 87b22b9ac..b4619b4fe 100644
--- a/modules/monitoring/application/views/scripts/config/security.phtml
+++ b/modules/monitoring/application/views/scripts/config/security.phtml
@@ -1,3 +1,4 @@
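Review bot: `securityAction()` rewrites the module configuration as soon as the form validates, and nothing in the hunk checks that the current user may change it. Because the `security` section decides which custom variable values are masked, this action is the control point for that protection; unless the base controller already enforces a configuration permission (not visible here), record the requirement at the top of the action, e.g. `// Must only be reachable by users permitted to edit module configuration`, and back it with the project's permission check. Separately, `$config['security'] = $form->getConfig();` puts a `Zend_Config` object into the plain array returned by `toArray()`; `$config['security'] = $form->getConfig()->toArray();` keeps the structure passed to `new Zend_Config($config)` uniform.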
tabs ?>
+form ?>
From 3e079efe2a6ce582371a541910cbf2cd6825394d Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Tue, 19 Aug 2014 14:51:30 +0200
Subject: [PATCH 5/9] SecurityForm: replace `customvars' with `protected_customvars' refs #6641
---
 .../monitoring/application/forms/Config/SecurityForm.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/monitoring/application/forms/Config/SecurityForm.php b/modules/monitoring/application/forms/Config/SecurityForm.php
index 51b64dea0..288c00b9c 100644
--- a/modules/monitoring/application/forms/Config/SecurityForm.php
+++ b/modules/monitoring/application/forms/Config/SecurityForm.php
@@ -23,11 +23,11 @@ class SecurityForm extends Form
 {
 $this->addElement(
 'text',
- 'customvars',
+ 'protected_customvars',
 array(
 'label' => 'Protected Custom Variables',
 'required' => true,
- 'value' => $this->config->customvars
+ 'value' => $this->config->protected_customvars
 )
 );
 $this->setSubmitLabel('{{SAVE_ICON}} Save');
@@ -50,7 +50,7 @@ class SecurityForm extends Form
 {
 $values = $this->getValues();
 return new Zend_Config(array(
- 'customvars' => $values['customvars']
+ 'protected_customvars' => $values['protected_customvars']
 ));
 }
 }
From c6d4ab4c443c9d2d55c004d8fb81c5014aafbbe7 Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Tue, 19 Aug 2014 15:04:43 +0200
Subject: [PATCH 6/9] Vagrant/Puppet: add file '/etc/icingaweb/modules/monitoring/config.ini' refs #6641
---
 .../files/etc/icingaweb/modules/monitoring/config.ini | 2 ++
 .vagrant-puppet/manifests/default.pp | 6 ++++++
 config/modules/monitoring/config.ini | 2 ++
 3 files changed, 10 insertions(+)
 create mode 100644 .vagrant-puppet/files/etc/icingaweb/modules/monitoring/config.ini
 create mode 100644 config/modules/monitoring/config.ini
diff --git a/.vagrant-puppet/files/etc/icingaweb/modules/monitoring/config.ini b/.vagrant-puppet/files/etc/icingaweb/modules/monitoring/config.ini
new file mode 100644
index 000000000..9b69fe86f
--- /dev/null
+++ b/.vagrant-puppet/files/etc/icingaweb/modules/monitoring/config.ini
@@ -0,0 +1,2 @@
+[security]
+protected_customvars = "*pw*,*pass*,community"
diff --git a/.vagrant-puppet/manifests/default.pp b/.vagrant-puppet/manifests/default.pp
index 5caf10452..db7b1baba 100644
--- a/.vagrant-puppet/manifests/default.pp
+++ b/.vagrant-puppet/manifests/default.pp
@@ -735,6 +735,12 @@ file { '/etc/icingaweb/modules/monitoring/backends.ini':
 group => 'apache',
 }
+file { '/etc/icingaweb/modules/monitoring/config.ini':
+ source => 'puppet:////vagrant/.vagrant-puppet/files/etc/icingaweb/modules/monitoring/config.ini',
+ owner => 'apache',
+ group => 'apache',
+}
+
 file { '/etc/icingaweb/modules/monitoring/instances.ini':
 source => 'puppet:////vagrant/.vagrant-puppet/files/etc/icingaweb/modules/monitoring/instances.ini',
 owner => 'apache',
diff --git a/config/modules/monitoring/config.ini b/config/modules/monitoring/config.ini
new file mode 100644
index 000000000..9b69fe86f
--- /dev/null
+++ b/config/modules/monitoring/config.ini
@@ -0,0 +1,2 @@
+[security]
+protected_customvars = "*pw*,*pass*,community"
From ea0248ecf4032d55cd855f9383af39390a7cc41e Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Tue, 19 Aug 2014 17:54:22 +0200
Subject: [PATCH 7/9] Remove '{{SAVE_ICON}}', tiny design fixes refs #6641
---
 modules/monitoring/application/forms/Config/SecurityForm.php | 2 +-
 .../application/views/scripts/config/security.phtml | 4 +++-
 .../views/scripts/show/components/customvars.phtml | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/monitoring/application/forms/Config/SecurityForm.php b/modules/monitoring/application/forms/Config/SecurityForm.php
index 288c00b9c..ace1594f2 100644
--- a/modules/monitoring/application/forms/Config/SecurityForm.php
+++ b/modules/monitoring/application/forms/Config/SecurityForm.php
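Review bot: The default entry `community` in `protected_customvars` carries no wildcards, so once PATCH 8/9 anchors every entry with `^...$` it masks only a variable named exactly `community`. The view-script check it replaces, `~(?:pw|pass|community)~`, matched the word anywhere in the name, which means a variable such as `snmp_community` that used to be masked would now be displayed in clear. To keep the previous coverage the shipped default should be `protected_customvars = "*pw*,*pass*,*community*"`; the same line appears in the second config.ini hunk for config/modules/monitoring/config.ini and needs the same change.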
@@ -30,7 +30,7 @@ class SecurityForm extends Form
 'value' => $this->config->protected_customvars
 )
 );
- $this->setSubmitLabel('{{SAVE_ICON}} Save');
+ $this->setSubmitLabel('Save');
 }
 /**
diff --git a/modules/monitoring/application/views/scripts/config/security.phtml b/modules/monitoring/application/views/scripts/config/security.phtml
index b4619b4fe..71f2a341a 100644
--- a/modules/monitoring/application/views/scripts/config/security.phtml
+++ b/modules/monitoring/application/views/scripts/config/security.phtml
@@ -1,4 +1,6 @@
tabs ?>
-form ?> +
+ form ?> +
diff --git a/modules/monitoring/application/views/scripts/show/components/customvars.phtml b/modules/monitoring/application/views/scripts/show/components/customvars.phtml index 9eeb4a0ac..ef79d0e70 100644 --- a/modules/monitoring/application/views/scripts/show/components/customvars.phtml +++ b/modules/monitoring/application/views/scripts/show/components/customvars.phtml @@ -13,4 +13,3 @@ foreach ($object->customvars as $name => $value) { $this->escape($value) ); } - From 071937910b4b4fc29e74edfe9754547694f4d968 Mon Sep 17 00:00:00 2001 From: Alexander Klimov Date: Tue, 19 Aug 2014 18:46:37 +0200 Subject: [PATCH 8/9] Monitoring/Object: filter protected customvars Move the responsibility from the viewscript to Monitoring/Object refs #6641 --- .../scripts/show/components/customvars.phtml | 7 ------- .../Monitoring/Object/AbstractObject.php | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/modules/monitoring/application/views/scripts/show/components/customvars.phtml b/modules/monitoring/application/views/scripts/show/components/customvars.phtml index ef79d0e70..d89260e95 100644 --- a/modules/monitoring/application/views/scripts/show/components/customvars.phtml +++ b/modules/monitoring/application/views/scripts/show/components/customvars.phtml @@ -1,12 +1,5 @@ customvars) { return; } - foreach ($object->customvars as $name => $value) { - $name = ucwords(str_replace('_', ' ', strtolower($name))); - if (preg_match('~(?:pw|pass|community)~', strtolower($name))) { - $value = '***'; - } printf( "%s%s\n", $this->escape($name), diff --git a/modules/monitoring/library/Monitoring/Object/AbstractObject.php b/modules/monitoring/library/Monitoring/Object/AbstractObject.php index 73314fbc9..483516f9c 100644 --- a/modules/monitoring/library/Monitoring/Object/AbstractObject.php +++ b/modules/monitoring/library/Monitoring/Object/AbstractObject.php 
@@ -20,6 +20,7 @@ use Icinga\Module\Monitoring\DataView\Comment;
 use Icinga\Module\Monitoring\DataView\Servicegroup;
 use Icinga\Module\Monitoring\DataView\Customvar;
 use Icinga\Web\UrlParams;
+use Icinga\Application\Config;
 abstract class AbstractObject
@@ -120,6 +121,17 @@ abstract class AbstractObject
 public function fetchCustomvars()
 {
+ $monitoringSecurity = Config::module('monitoring')->get('security')->toArray();
+ $customvars = array();
+ foreach (explode(',', $monitoringSecurity['protected_customvars']) as $customvar) {
+ $nonWildcards = array();
+ foreach (explode('*', $customvar) as $nonWildcard) {
+ $nonWildcards[] = preg_quote($nonWildcard, '/');
+ }
+ $customvars[] = implode('.*', $nonWildcards);
+ }
+ $customvars = '/^(' . implode('|', $customvars) . ')$/i';
+
 $query = Customvar::fromParams(array('backend' => null), array(
 'varname',
 'varvalue'
@@ -136,6 +148,12 @@ abstract class AbstractObject
 }
 $this->customvars = $query->getQuery()->fetchPairs();
+ foreach ($this->customvars as $name => &$value) {
+ if (preg_match($customvars, ucwords(str_replace('_', ' ', strtolower($name))))) {
+ $value = '***';
+ }
+ }
+
 return $this;
 }
From 78b98a7d67fc6c20dd164b5c65091028aa0931c8 Mon Sep 17 00:00:00 2001
From: Alexander Klimov
Date: Wed, 20 Aug 2014 12:19:53 +0200
Subject: [PATCH 9/9] SecurityForm: Add helptext refs #6641
---
 modules/monitoring/application/forms/Config/SecurityForm.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules/monitoring/application/forms/Config/SecurityForm.php b/modules/monitoring/application/forms/Config/SecurityForm.php
index ace1594f2..74577c0d5 100644
--- a/modules/monitoring/application/forms/Config/SecurityForm.php
+++ b/modules/monitoring/application/forms/Config/SecurityForm.php
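Review bot: Entries of `protected_customvars` are used exactly as `explode(',', ...)` returns them in the pattern-building loop of `fetchCustomvars()`, so a list typed as `*pw*, *pass*` produces the anchored alternative ` .*pass.*` with a leading space, which can never match a variable name. The affected values are then shown unmasked and nothing tells the administrator why. Normalising each entry at the top of the outer loop closes that gap: `$customvar = trim($customvar);` followed by `if ($customvar === '') { continue; }`. The method continues between this hunk and the next one, so the query set-up in between is not visible here.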
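Review bot: The masking loop tests the pattern against `ucwords(str_replace('_', ' ', strtolower($name)))` rather than the variable name, so a configured entry that contains an underscore, for example `snmp_community`, is compared with `Snmp Community` and never matches. The value is then displayed although it was listed as protected. Matching the stored name directly, `if (preg_match($customvars, $name)) {`, is enough because the pattern already carries the `i` flag. `$value` also stays bound by reference to the last element once the loop ends; adding `unset($value);` after the closing brace avoids accidental overwrites if the method grows.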
@@ -27,7 +27,10 @@ class SecurityForm extends Form
 array(
 'label' => 'Protected Custom Variables',
 'required' => true,
- 'value' => $this->config->protected_customvars
+ 'value' => $this->config->protected_customvars,
+ 'helptext' => 'Comma separated case insensitive list of protected custom variables.'
+ . ' Use * as a placeholder for zero or more wildcard characters.'
+ . ' Existance of those custom variables will be shown, but their values will be masked.'
 )
 );
 $this->setSubmitLabel('Save');
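Review bot: The new `helptext` misspells "Existence" as "Existance", and "a placeholder for zero or more wildcard characters" is circular. This string is the only guidance an administrator gets for the setting that decides which secrets are masked, so it should be exact. Suggested wording for the last two fragments: `' Use * as a wildcard that matches zero or more characters.'` and `' The existence of those custom variables will be shown, but their values will be masked.'`. It would also help to state that an entry without `*` has to equal the whole variable name, since the matcher added in PATCH 8/9 anchors every entry. The `addElement(` call this array belongs to starts above the hunk.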