tyler.durden/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2025-07-31 01:34:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/incorrect-db-privilege-checks-8707'

Browse Source 
fixes #8707
This commit is contained in:
Johannes Meyer 2015-04-13 14:18:27 +02:00
commit edaa51c41d
2 changed files with 38 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
modules/setup/library/Setup/Utils/DbTool.php
View File

@ -78,7 +78,7 @@ class DbTool
'INSERT' => 29, 'INSERT' => 29,
'LOCK TABLES' => 5, 'LOCK TABLES' => 5,
'PROCESS' => 1, 'PROCESS' => 1,
'REFERENCES' => 0, 'REFERENCES' => 12,
'RELOAD' => 1, 'RELOAD' => 1,
'REPLICATION CLIENT' => 1, 'REPLICATION CLIENT' => 1,
'REPLICATION SLAVE' => 1, 'REPLICATION SLAVE' => 1,
@ -629,10 +629,6 @@ EOD;
$mysqlPrivileges = array_intersect($privileges, array_keys($this->mysqlGrantContexts)); $mysqlPrivileges = array_intersect($privileges, array_keys($this->mysqlGrantContexts));
list($_, $host) = explode('@', $this->query('select current_user()')->fetchColumn()); list($_, $host) = explode('@', $this->query('select current_user()')->fetchColumn());
$grantee = "'" . ($username === null ? $this->config['username'] : $username) . "'@'" . $host . "'"; $grantee = "'" . ($username === null ? $this->config['username'] : $username) . "'@'" . $host . "'";
$privilegeCondition = sprintf(
'privilege_type IN (%s)',
join(',', array_map(array($this, 'quote'), $mysqlPrivileges))
);
if (isset($this->config['dbname'])) { if (isset($this->config['dbname'])) {
$dbPrivileges = array(); $dbPrivileges = array();
@ -653,7 +649,7 @@ EOD;
. ' FROM information_schema.schema_privileges' . ' FROM information_schema.schema_privileges'
. ' WHERE grantee = :grantee' . ' WHERE grantee = :grantee'
. ' AND table_schema = :dbname' . ' AND table_schema = :dbname'
. ' AND ' . $privilegeCondition . ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $dbPrivileges)) . ')'
. ($requireGrants ? " AND is_grantable = 'YES'" : ''), . ($requireGrants ? " AND is_grantable = 'YES'" : ''),
array(':grantee' => $grantee, ':dbname' => $this->config['dbname']) array(':grantee' => $grantee, ':dbname' => $this->config['dbname'])
); );
@ -666,14 +662,13 @@ EOD;
!$dbPrivilegesGranted || array_intersect($dbPrivileges, $tablePrivileges) != $tablePrivileges !$dbPrivilegesGranted || array_intersect($dbPrivileges, $tablePrivileges) != $tablePrivileges
) )
) { ) {
$tableCondition = 'table_name IN (' . join(',', array_map(array($this, 'quote'), $context)) . ')';
$query = $this->query( $query = $this->query(
'SELECT COUNT(*) as matches' 'SELECT COUNT(*) as matches'
. ' FROM information_schema.table_privileges' . ' FROM information_schema.table_privileges'
. ' WHERE grantee = :grantee' . ' WHERE grantee = :grantee'
. ' AND table_schema = :dbname' . ' AND table_schema = :dbname'
. ' AND ' . $tableCondition . ' AND table_name IN (' . join(',', array_map(array($this, 'quote'), $context)) . ')'
. ' AND ' . $privilegeCondition . ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $tablePrivileges)) . ')'
. ($requireGrants ? " AND is_grantable = 'YES'" : ''), . ($requireGrants ? " AND is_grantable = 'YES'" : ''),
array(':grantee' => $grantee, ':dbname' => $this->config['dbname']) array(':grantee' => $grantee, ':dbname' => $this->config['dbname'])
); );
@ -688,7 +683,8 @@ EOD;
$query = $this->query( $query = $this->query(
'SELECT COUNT(*) as matches FROM information_schema.user_privileges WHERE grantee = :grantee' 'SELECT COUNT(*) as matches FROM information_schema.user_privileges WHERE grantee = :grantee'
. ' AND ' . $privilegeCondition . ($requireGrants ? " AND is_grantable = 'YES'" : ''), . ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $mysqlPrivileges)) . ')'
. ($requireGrants ? " AND is_grantable = 'YES'" : ''),
array(':grantee' => $grantee) array(':grantee' => $grantee)
); );
return (int) $query->fetchObject()->matches === count($mysqlPrivileges); return (int) $query->fetchObject()->matches === count($mysqlPrivileges);
@ -721,7 +717,8 @@ EOD;
foreach (array_intersect($privileges, array_keys($this->pgsqlGrantContexts)) as $privilege) { foreach (array_intersect($privileges, array_keys($this->pgsqlGrantContexts)) as $privilege) {
if (false === empty($context) && $this->pgsqlGrantContexts[$privilege] & static::TABLE_LEVEL) { if (false === empty($context) && $this->pgsqlGrantContexts[$privilege] & static::TABLE_LEVEL) {
$tablePrivileges[] = $privilege; $tablePrivileges[] = $privilege;
} elseif ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) { }
if ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) {
$dbPrivileges[] = $privilege; $dbPrivileges[] = $privilege;
} }
} }
@ -760,7 +757,6 @@ EOD;
// connected to the database defined in the resource configuration it is safe to just ignore them // connected to the database defined in the resource configuration it is safe to just ignore them
// as the chances are very high that the database is created later causing the current user being // as the chances are very high that the database is created later causing the current user being
// the owner with ALL privileges. (Which in turn can be granted to others.) // the owner with ALL privileges. (Which in turn can be granted to others.)
}
if (array_search('CREATE', $privileges) !== false) { if (array_search('CREATE', $privileges) !== false) {
$query = $this->query( $query = $this->query(
@ -769,6 +765,7 @@ EOD;
); );
$privilegesGranted &= $query->fetchColumn() !== false; $privilegesGranted &= $query->fetchColumn() !== false;
} }
}
if (array_search('CREATEROLE', $privileges) !== false) { if (array_search('CREATEROLE', $privileges) !== false) {
$query = $this->query( $query = $this->query(

32
modules/setup/library/Setup/WebWizard.php
View File

@ -17,7 +17,7 @@ use Icinga\Module\Setup\Forms\PreferencesPage;
use Icinga\Module\Setup\Forms\AuthBackendPage; use Icinga\Module\Setup\Forms\AuthBackendPage;
use Icinga\Module\Setup\Forms\AdminAccountPage; use Icinga\Module\Setup\Forms\AdminAccountPage;
use Icinga\Module\Setup\Forms\LdapDiscoveryPage; use Icinga\Module\Setup\Forms\LdapDiscoveryPage;
use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage; //use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage;
use Icinga\Module\Setup\Forms\LdapResourcePage; use Icinga\Module\Setup\Forms\LdapResourcePage;
use Icinga\Module\Setup\Forms\RequirementsPage; use Icinga\Module\Setup\Forms\RequirementsPage;
use Icinga\Module\Setup\Forms\GeneralConfigPage; use Icinga\Module\Setup\Forms\GeneralConfigPage;
@ -41,6 +41,17 @@ use Icinga\Module\Setup\Requirement\ConfigDirectoryRequirement;
*/ */
class WebWizard extends Wizard implements SetupWizard class WebWizard extends Wizard implements SetupWizard
{ {
/**
* The privileges required by Icinga Web 2 to create the database and a login
*
* @var array
*/
protected $databaseCreationPrivileges = array(
'CREATE',
'CREATE USER', // MySQL
'CREATEROLE' // PostgreSQL
);
/** /**
* The privileges required by Icinga Web 2 to setup the database * The privileges required by Icinga Web 2 to setup the database
* *
@ -48,10 +59,8 @@ class WebWizard extends Wizard implements SetupWizard
*/ */
protected $databaseSetupPrivileges = array( protected $databaseSetupPrivileges = array(
'CREATE', 'CREATE',
'ALTER', 'ALTER', // MySQL only
'REFERENCES', 'REFERENCES'
'CREATE USER', // MySQL
'CREATEROLE' // PostgreSQL
); );
/** /**
@ -148,7 +157,9 @@ class WebWizard extends Wizard implements SetupWizard
$page->setResourceConfig($this->getPageData('setup_ldap_resource')); $page->setResourceConfig($this->getPageData('setup_ldap_resource'));
} }
} elseif ($page->getName() === 'setup_database_creation') { } elseif ($page->getName() === 'setup_database_creation') {
$page->setDatabaseSetupPrivileges($this->databaseSetupPrivileges); $page->setDatabaseSetupPrivileges(
array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges)
);
$page->setDatabaseUsagePrivileges($this->databaseUsagePrivileges); $page->setDatabaseUsagePrivileges($this->databaseUsagePrivileges);
$page->setResourceConfig($this->getPageData('setup_db_resource')); $page->setResourceConfig($this->getPageData('setup_db_resource'));
} elseif ($page->getName() === 'setup_summary') { } elseif ($page->getName() === 'setup_summary') {
@ -211,8 +222,8 @@ class WebWizard extends Wizard implements SetupWizard
try { try {
$db->connectToDb(); // Are we able to login on the database? $db->connectToDb(); // Are we able to login on the database?
if (array_search(key($this->databaseTables), $db->listTables()) === false) { if (array_search(key($this->databaseTables), $db->listTables()) === false) {
// In case the database schema does not yet exist the user // In case the database schema does not yet exist the
// needs the privileges to create and setup the database // user needs the privileges to setup the database
$skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables); $skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables);
} else { } else {
// In case the database schema exists the user needs the required privileges // In case the database schema exists the user needs the required privileges
@ -224,7 +235,10 @@ class WebWizard extends Wizard implements SetupWizard
$db->connectToHost(); // Are we able to login on the server? $db->connectToHost(); // Are we able to login on the server?
// It is not possible to reliably determine whether a database exists or not if a user can't // It is not possible to reliably determine whether a database exists or not if a user can't
// log in to the database, so we just require the user to be able to create the database // log in to the database, so we just require the user to be able to create the database
$skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables); $skip = $db->checkPrivileges(
array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges),
$this->databaseTables
);
} catch (PDOException $_) { } catch (PDOException $_) {
// We are NOT able to login on the server.. // We are NOT able to login on the server..
} }