<?php
//Pandora FMS- http://pandorafms.com
// ==================================================
// Copyright (c) 2005-2011 Artica Soluciones Tecnologicas
// Please see http://pandorafms.org for full contribution list
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public License
// as published by the Free Software Foundation; version 2
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
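require_once ("config.php");
require_once("functions_api.php");

// api.php may be include()d from inside a function; this pulls the console
// configuration into the local scope in that case.
global $config;

define("DEBUG", 0);
define("VERBOSE", 0);

enterprise_include_once ('include/functions_enterprise_api.php');

// Address used for the ACL check. REMOTE_ADDR is the TCP peer, so a client
// cannot forge it with a header (unlike X-Forwarded-For). Behind a reverse
// proxy this is the proxy address and the ACL has to be written for that.
$ipOrigin = $_SERVER['REMOTE_ADDR'];

// Request parameters. All of these are attacker-controlled until the login
// below succeeds, and $id / $id2 / $other remain untrusted afterwards.
$op = get_parameter('op');
$op2 = get_parameter('op2');
$ext_name = get_parameter('ext_name');
$ext_function = get_parameter('ext_function');
$id = get_parameter('id');
$id2 = get_parameter('id2');
$otherSerialize = get_parameter('other');
$otherMode = get_parameter('other_mode', 'url_encode');
$returnType = get_parameter('return_type', 'string');
$api_password = get_parameter('apipass', '');
$password = get_parameter('pass', '');
$user = get_parameter('user', '');
$info = get_parameter('info', '');

$other = parseOtherParameter($otherSerialize, $otherMode);

// Shared API password configured in the console (stored encoded in tconfig).
$apiPassword = io_output_password(db_get_value_filter('value', 'tconfig', array('token' => 'api_password')));

$correctLogin = false;
$user_in_db = null;
$no_login_msg = "";

// Clean unwanted output
ob_clean();

// READ THIS:
// Special call without checks to retrieve version and build of the Pandora FMS
// This info is available from the web console without login
// Don't change the format, it is parsed by applications
// NOTE(security): this deliberately discloses the exact version/build (and MR)
// to anonymous callers, including ones outside the API ACL. It is a
// fingerprinting aid and is kept only for compatibility with client tools.
switch($info) {
	case 'version':
		if (!$config["MR"]) {
			$config["MR"] = 0;
		}
		echo 'Pandora FMS ' . $pandora_version . ' - ' . $build_version . " MR" . $config["MR"];
		exit;
}

// Authentication. Three gates, evaluated in order:
//  1. the source IP must be in the API ACL;
//  2. if an API password is configured, the caller must present it;
//  3. user/pass must authenticate. The third argument to process_user_login
//     lets accounts flagged "not login" (API-only users) pass here.
if (isInACL($ipOrigin)) {
	// NOTE(security): when no API password is configured gate 2 is skipped
	// entirely and user credentials alone are enough. hash_equals() is used
	// instead of === so the comparison time does not depend on how much of
	// the secret matched (requires PHP >= 5.6). is_string() guards against
	// apipass[]=... being sent as an array.
	if (empty($apiPassword)
		|| (is_string($api_password) && hash_equals((string) $apiPassword, $api_password))) {

		$user_in_db = process_user_login($user, $password, true);

		if ($user_in_db !== false) {
			$config['id_user'] = $user_in_db;
			$correctLogin = true;

			// Give this request a PHP session carrying the user id, plus a
			// sidecar file "pansess_<sid>" holding the user name, for code
			// reached from the API that expects a console-style session.
			// The sidecar is deleted at the end of the request (see below).
			// NOTE(review): this stores the raw 'user' parameter, while the
			// authenticated identity is $user_in_db; if process_user_login
			// can normalise the name (case, alias, LDAP) the two differ and
			// the session would name a different principal -- confirm.
			// NOTE(review): session_start() adopts whatever PHPSESSID the
			// client sent, so an API-only ("not login") account ends up with
			// a session that looks logged in to the console; confirm the
			// console re-checks that flag before honouring such a session.
			session_start();
			$_SESSION["id_usuario"] = $user;
			session_write_close();

			file_put_contents(session_save_path() . DIRECTORY_SEPARATOR . "pansess_" . session_id(), $user);
		}
		else {
			$no_login_msg = "Incorrect user credentials";
		}
	}
	else {
		$no_login_msg = "Incorrect given API password";
	}
}
else {
	$no_login_msg = "IP $ipOrigin is not in ACL list";
}

if ($correctLogin) {
	if (($op !== 'get') && ($op !== 'set') && ($op !== 'help')) {
		returnError('no_set_no_get_no_help', $returnType);
	}
	else {
		$function_name = '';

		// Set when the requested operation has been refused before dispatch
		// (cluster agents). A flag is used instead of an early `return` so
		// the session sidecar cleanup at the bottom always runs; previously
		// the early return left a stale pansess_<sid> file behind.
		$blocked = false;

		// Check if is an extension function and get the function name
		if ($op2 == 'extension') {
			// $ext_name is interpolated twice into a filesystem path that is
			// then include_once()d, so it must be a plain directory name:
			// no path separators, and not "." / ".." (a leading dot is
			// rejected altogether). Anything else is treated as "no such
			// operation" below.
			if (preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*$/', $ext_name)) {
				$extension_api_url = $config["homedir"]."/".EXTENSIONS_DIR."/$ext_name/$ext_name.api.php";

				// The extension API file must exist and the extension must be enabled
				if (file_exists($extension_api_url) && !in_array($ext_name, extensions_get_disabled_extensions())) {
					include_once($extension_api_url);
					// $op is already limited to get/set/help and the fixed
					// prefix keeps $ext_function from naming arbitrary functions.
					$function_name = 'apiextension_' . $op .'_' . $ext_function;
				}
			}
		}
		else {
			$function_name = 'api_' . $op . '_' . $op2;

			// Cluster agents (id_os 100) must not be changed through the
			// generic agent/module setters. $id is untrusted: it is cast to
			// int where it denotes an id and passed through the filter helper
			// where it denotes an agent name, rather than being concatenated
			// into SQL as before.
			if ($op == "set" && $id) {
				$id_os = null;

				switch ($op2) {
					case "update_agent":
					case "add_module_in_conf":
					case "update_module_in_conf":
					case "delete_module_in_conf":
						// $id is an agent id
						$id_os = db_get_value_sql('select id_os from tagente where id_agente = ' . (int) $id);
						break;

					case "create_network_module":
					case "create_plugin_module":
					case "create_data_module":
					case "create_synthetic_module":
					case "create_snmp_module":
					case "delete_module":
					case "delete_agent":
						// $id is an agent name; the filter helper quotes/escapes it
						$id_os = db_get_value_filter('id_os', 'tagente', array('nombre' => $id));
						break;

					case "update_network_module":
					case "update_plugin_module":
					case "update_data_module":
					case "update_snmp_module":
						// $id is a module id
						$id_os = db_get_value_sql('select id_os from tagente where id_agente = (select id_agente from tagente_modulo where id_agente_modulo = ' . (int) $id . ')');
						break;

					default:
						break;
				}

				if ((int) $id_os === 100) {
					returnError('not_allowed_operation_cluster', $returnType);
					$blocked = true;
				}
			}
		}

		if (!$blocked) {
			// Check if the function exists
			if (function_exists($function_name)) {
				if (!DEBUG) {
					error_reporting(0);
				}
				if (VERBOSE) {
					error_reporting(E_ALL);
					ini_set("display_errors", 1);
				}

				call_user_func($function_name, $id, $id2, $other, $returnType, $user_in_db);
			}
			else {
				returnError('no_exist_operation', $returnType);
			}
		}
	}

	// Remove the per-request session sidecar created at login.
	$pansess_file = session_save_path() . DIRECTORY_SEPARATOR . "pansess_" . session_id();
	if (file_exists($pansess_file)) {
		unlink($pansess_file);
	}
}
else {
	// TODO: Implement a new switch in config to enable / disable
	// ACL auth failure: if enabled and have lots of traffic can produce millions
	// of records and a considerable OVERHEAD in the system :(

	//db_pandora_audit("API access Failed", $no_login_msg, $user, $ipOrigin);

	// Slow down credential guessing. NOTE(security): this pins a PHP worker
	// for 15 s per failed request, so under a flood it amplifies rather than
	// prevents denial of service; real rate limiting belongs in the proxy or
	// the ACL. $no_login_msg is intentionally NOT sent to the client so the
	// ACL, API-password and credential stages cannot be told apart.
	sleep (15);

	echo 'auth error';
}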