diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index 8581590d91..40461d7ac4 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,19 @@ +2011-05-12 Miguel de Dios + + * include/functions.php: added new parameter for the "check_acl" function + the $id_agent, by default is 0, and this parameter now only is used in the + enterprise ACL check (as you see in the hook for enterprise into the + function source). And cleaned source code style. + + * include/functions_agents.php, operation/search_modules.php, + operation/agentes/status_monitor.php, + operation/agentes/estado_ultimopaquete.php, + operation/agentes/alerts_status.php, operation/agentes/estado_agente.php, + operation/agentes/estado_monitores.php, operation/agentes/ver_agente.php, + godmode/agentes/module_manager.php, godmode/agentes/modificar_agente.php, + godmode/agentes/configurar_agente.php, godmode/alerts/alert_list.list.php: + added checks for the ACL enterprise. + 2011-05-12 Miguel de Dios * include/db/postgresql.php, include/db/mysql.php: fixed the scape of name diff --git a/pandora_console/godmode/agentes/configurar_agente.php b/pandora_console/godmode/agentes/configurar_agente.php index 5f517192c3..13edc034b0 100644 --- a/pandora_console/godmode/agentes/configurar_agente.php +++ b/pandora_console/godmode/agentes/configurar_agente.php @@ -28,7 +28,7 @@ $group = 0; if ($id_agente) $group = agents_get_agent_group ($id_agente); -if (! check_acl ($config["id_user"], $group, "AW")) { +if (! check_acl ($config["id_user"], $group, "AW", $id_agente)) { db_pandora_audit("ACL Violation", "Trying to access agent manager"); require ("general/noaccess.php"); diff --git a/pandora_console/godmode/agentes/modificar_agente.php b/pandora_console/godmode/agentes/modificar_agente.php index 18a14fa87f..67d39e4252 100644 --- a/pandora_console/godmode/agentes/modificar_agente.php +++ b/pandora_console/godmode/agentes/modificar_agente.php 
@@ -224,27 +224,34 @@ if ($ag_group > 0) { else { // Admin user get ANY group, even if they doesnt exist - if (check_acl ($config['id_user'], 0, "PM")){ - $sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s', $search_sql); + if (check_acl ($config['id_user'], 0, "PM")) { + $subquery_enterprise = ''; + if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + $subquery_enterprise = subquery_acl_enterprise(); + } + + $sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s %s', $search_sql, $subquery_enterprise); $total_agents = db_get_sql ($sql); switch ($config["dbtype"]) { case "mysql": $sql = sprintf ('SELECT * - FROM tagente WHERE 1=1 %s - ORDER BY %s %s LIMIT %d, %d', $search_sql, $order['field'], $order['order'], $offset, $config["block_size"]); + FROM tagente WHERE 1=1 %s %s + ORDER BY %s %s LIMIT %d, %d', $search_sql, $subquery_enterprise, $order['field'], + $order['order'], $offset, $config["block_size"]); break; case "postgresql": $sql = sprintf ('SELECT * - FROM tagente WHERE 1=1 %s - ORDER BY %s %s LIMIT %d OFFSET %d', $search_sql, $order['field'], $order['order'], $config["block_size"], $offset); + FROM tagente WHERE 1=1 %s %s + ORDER BY %s %s LIMIT %d OFFSET %d', $search_sql, $subquery_enterprise, $order['field'], + $order['order'], $config["block_size"], $offset); break; case "oracle": $set = array (); $set['limit'] = $config["block_size"]; $set['offset'] = $offset; $sql = sprintf ('SELECT * - FROM tagente WHERE 1=1 %s - ORDER BY %s %s', $search_sql, $order['field'], $order['order']); + FROM tagente WHERE 1=1 %s %s + ORDER BY %s %s', $search_sql, $subquery_enterprise, $order['field'], $order['order']); $sql = oracle_recode_query ($sql, $set); break; } 
@@ -339,12 +346,13 @@ if ($agents !== false) { $iterator = 0; foreach ($agents as $agent) { $id_grupo = $agent["id_grupo"]; - if (! check_acl ($config["id_user"], $id_grupo, "AW")) + if (! check_acl ($config["id_user"], $id_grupo, "AW", $agent['id_agente'])) continue; + if ($color == 1) { $tdcolor = "datos"; $color = 0; - } + } else { $tdcolor = "datos2"; $color = 1; diff --git a/pandora_console/godmode/agentes/module_manager.php b/pandora_console/godmode/agentes/module_manager.php index 8c918a0ca8..ea9d0986fd 100644 --- a/pandora_console/godmode/agentes/module_manager.php +++ b/pandora_console/godmode/agentes/module_manager.php @@ -312,6 +312,10 @@ foreach($tempRows as $row) { } foreach ($modules as $module) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue; + } + $type = $module["id_tipo_modulo"]; $id_module = $module["id_modulo"]; $nombre_modulo = $module["nombre"]; diff --git a/pandora_console/godmode/alerts/alert_list.list.php b/pandora_console/godmode/alerts/alert_list.list.php index 5231c58d13..6e0f97798e 100644 --- a/pandora_console/godmode/alerts/alert_list.list.php +++ b/pandora_console/godmode/alerts/alert_list.list.php @@ -373,6 +373,10 @@ $rowPair = true; $iterator = 0; foreach ($simple_alerts as $alert) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!alert_in_acl_enterprise($alert['id'])) continue; + } + if ($alert['disabled']) { $table->rowstyle[$iterator] = 'font-style: italic; color: #aaaaaa;'; $table->style[$iterator][1] = 'font-style: italic; color: #aaaaaa;'; diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php index d965dfe5ae..9319718710 100644 --- a/pandora_console/include/functions.php +++ b/pandora_console/include/functions.php 
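Review bot: `$isFunctionPolicies` is read by the new guard at the top of the `foreach ($modules as $module)` loop in module_manager.php, but no assignment to it is visible in this hunk. If the file never sets it, the variable is null, `null !== ENTERPRISE_NOT_HOOK` holds (assuming the constant is not null), and `module_in_acl_enterprise()` is called on installs without the enterprise code, where it is presumably undefined. The same guard is added in alert_list.list.php, alerts_status.php, estado_monitores.php and estado_ultimopaquete.php, and only status_monitor.php shows the assignment. Each file should set the variable itself before the loop, e.g. `$isFunctionPolicies = enterprise_include_once('include/functions_policies.php');`.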
@@ -925,14 +925,18 @@ function enterprise_include_once ($filename) { // Load enterprise extensions $filepath = realpath ($config["homedir"].'/'.ENTERPRISE_DIR.'/'.$filename); + if ($filepath === false) return ENTERPRISE_NOT_HOOK; + if (strncmp ($config["homedir"], $filepath, strlen ($config["homedir"])) != 0) return ENTERPRISE_NOT_HOOK; + if (file_exists ($filepath)) { require_once ($filepath); return true; } + return ENTERPRISE_NOT_HOOK; } @@ -1246,10 +1250,11 @@ function check_login () { * @param int $id_user User id * @param int $id_group Agents group id to check from * @param string $access Access privilege + * @param int $id_agent The agent id. * * @return bool 1 if the user has privileges, 0 if not. */ -function check_acl($id_user, $id_group, $access) { +function check_acl($id_user, $id_group, $access, $id_agent = 0) { if (empty ($id_user)) { //User ID needs to be specified trigger_error ("Security error: check_acl got an empty string for user id", E_USER_WARNING); @@ -1261,7 +1266,7 @@ function check_acl($id_user, $id_group, $access) { else { $id_group = (int) $id_group; } - + $parents_id = array($id_group); if ($id_group != 0) { $group = db_get_row_filter('tgrupo', array('id_grupo' => $id_group)); @@ -1274,7 +1279,7 @@ function check_acl($id_user, $id_group, $access) { else { $parents_id = array(); } - + //Joined multiple queries into one. That saves on the query overhead and query cache. if ($id_group == 0) { $query = sprintf("SELECT tperfil.incident_view, tperfil.incident_edit, @@ -1301,9 +1306,9 @@ function check_acl($id_user, $id_group, $access) { } $rowdup = db_get_all_rows_sql ($query); - + if (empty ($rowdup)) - return 0; + return 0; $result = 0; foreach ($rowdup as $row) { 
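Review bot: The new `$id_agent` parameter of `check_acl` is not normalised the way `$id_group` is (`$id_group = (int) $id_group;` in the -1261 hunk), and the later test on it is the loose `$id_agent != 0`. Before PHP 8 a non-numeric string compares equal to 0, so such a value would take the "no agent" path and skip the enterprise policy check; whether callers can pass one is not visible here. Add `$id_agent = (int) $id_agent;` next to the group cast. The docblock line should also state the meaning of the default, e.g. `@param int $id_agent Agent id; 0 (default) skips the enterprise policy check.` The body of `check_acl` continues outside these hunks.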
@@ -1341,9 +1346,15 @@ function check_acl($id_user, $id_group, $access) { break; } } - - if ($result >= 1) - return 1; + + if ($result >= 1) { + if ($id_agent != 0) { + if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + return check_acl_policy($id_user, $id_agent); + } + } + else return 1; + } return 0; } diff --git a/pandora_console/include/functions_agents.php b/pandora_console/include/functions_agents.php index aff1157eb2..48d9fe3a94 100644 --- a/pandora_console/include/functions_agents.php +++ b/pandora_console/include/functions_agents.php @@ -326,7 +326,7 @@ function agents_get_agents ($filter = false, $fields = false, $access = 'AR', $o if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { $enterprise_include = true; } - + if (! is_array ($filter)) { $filter = array (); } @@ -888,6 +888,10 @@ function agents_get_group_agents ($id_group = 0, $search = false, $case = "lower */ function agents_get_modules ($id_agent = null, $details = false, $filter = false, $indexed = true, $get_not_init_modules = true) { global $config; + + if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + $subquery_enterprise = subquery_acl_enterprise(); + } if ($id_agent === null) { //Extract the agents of group user. @@ -998,20 +1002,22 @@ function agents_get_modules ($id_agent = null, $details = false, $filter = false case "postgresql": $sql = sprintf ('SELECT %s%s FROM tagente_modulo - %s + %s %s ORDER BY nombre', ($details != '*' && $indexed) ? 'id_agente_modulo,' : '', io_safe_output(implode (",", (array) $details)), - $where); + $where, + $subquery_enterprise); break; case "oracle": $sql = sprintf ('SELECT %s%s FROM tagente_modulo - %s + %s %s ORDER BY dbms_lob.substr(nombre, 4000, 1)', ($details != '*' && $indexed) ? 'id_agente_modulo,' : '', io_safe_output(implode (",", (array) $details)), - $where); + $where, + $subquery_enterprise); break; } 
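Review bot: With a non-zero `$id_agent` and no enterprise code installed, the new block at the end of `check_acl` falls through to `return 0`. The `else return 1;` belongs to `if ($id_agent != 0)`, and nothing handles `enterprise_include_once()` returning `ENTERPRISE_NOT_HOOK`. The callers in this commit that now pass an agent id (configurar_agente.php, modificar_agente.php, ver_agente.php) would then refuse users whose profile grants the access. Return 1 whenever the profile check passed and the policy hook is unavailable, and let `check_acl_policy()` decide only when it was actually loaded. The start of the function is outside this hunk.

```php
// … unchanged: profile lookup and the switch that sets $result …

if ($result >= 1) {
	// The enterprise policy ACL applies only to a concrete agent and only when the hook loaded.
	if ($id_agent != 0
		&& ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) {
		return check_acl_policy($id_user, $id_agent);
	}

	return 1;
}

return 0;
```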
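Review bot: `$subquery_enterprise` is assigned in `agents_get_modules` only when the enterprise include succeeds, yet the postgresql and oracle `sprintf` calls in the -998 hunk pass it unconditionally, so the open version reads an undefined variable. Initialise it before the `if`, `$subquery_enterprise = '';`, as modificar_agente.php and search_modules.php do in this same commit. The -998 hunk changes only the postgresql and oracle branches; the mysql branch lies above the hunk and is not visible here. Check that it receives the same extra `%s` and argument, otherwise the enterprise ACL filter is not applied to module listings on MySQL.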
diff --git a/pandora_console/operation/agentes/alerts_status.php b/pandora_console/operation/agentes/alerts_status.php index 9a82f6a37a..ab22877882 100644 --- a/pandora_console/operation/agentes/alerts_status.php +++ b/pandora_console/operation/agentes/alerts_status.php @@ -362,6 +362,10 @@ $table->data = array (); $rowPair = true; $iterator = 0; foreach ($alerts['alerts_simple'] as $alert) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!alert_in_acl_enterprise($alert['id'])) continue; + } + if ($rowPair) $table->rowclass[$iterator] = 'rowPair'; else @@ -376,7 +380,8 @@ echo '
'; if (!empty ($table->data)) { ui_pagination ($countAlertsSimple, $url, $offset_simple, 0, false, 'offset_simple'); html_print_table ($table); -} else { +} +else { echo '
'.__('No simple alerts found').'
'; } diff --git a/pandora_console/operation/agentes/estado_agente.php b/pandora_console/operation/agentes/estado_agente.php index a97ede7e67..8f405740b9 100644 --- a/pandora_console/operation/agentes/estado_agente.php +++ b/pandora_console/operation/agentes/estado_agente.php @@ -26,9 +26,9 @@ require_once($config['homedir'] . '/include/functions_modules.php'); check_login (); if (! check_acl ($config['id_user'], 0, "AR")) { - db_pandora_audit("ACL Violation", - "Trying to access agent main list view"); + db_pandora_audit("ACL Violation", "Trying to access agent main list view"); require ("general/noaccess.php"); + return; } @@ -262,11 +262,19 @@ else { $total_agents = 0; $agents = false; if (! empty ($agent_names)) { - if (check_acl ($config['id_user'], 0, "PM")){ - $sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s', $search_sql); + $subquery_enterprise = ''; + if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + $subquery_enterprise = subquery_acl_enterprise(); + } + + if (check_acl ($config['id_user'], 0, "PM")) { + $sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s %s', $search_sql, $subquery_enterprise); $total_agents = db_get_sql ($sql); - $sql = sprintf ('SELECT * FROM tagente WHERE 1=1 %s ORDER BY %s %s LIMIT %d, %d', $search_sql, $order['field'], $order['order'], $offset, $config["block_size"]); + $sql = sprintf ('SELECT * FROM tagente + WHERE 1=1 %s %s + ORDER BY %s %s LIMIT %d, %d', $search_sql, $subquery_enterprise, + $order['field'], $order['order'], $offset, $config["block_size"]); $agents = db_get_all_rows_sql ($sql); } diff --git a/pandora_console/operation/agentes/estado_monitores.php b/pandora_console/operation/agentes/estado_monitores.php index d79305de38..cf0933b972 100644 --- a/pandora_console/operation/agentes/estado_monitores.php +++ b/pandora_console/operation/agentes/estado_monitores.php 
@@ -185,6 +185,9 @@ $table->align = array("left","left","left","left","left","center"); $last_modulegroup = 0; $rowIndex = 0; foreach ($modules as $module) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue; + } //The code add the row of 1 cell with title of group for to be more organice the list. diff --git a/pandora_console/operation/agentes/estado_ultimopaquete.php b/pandora_console/operation/agentes/estado_ultimopaquete.php index 1b4213c54f..6445a990b3 100644 --- a/pandora_console/operation/agentes/estado_ultimopaquete.php +++ b/pandora_console/operation/agentes/estado_ultimopaquete.php @@ -224,6 +224,11 @@ $texto=''; $last_modulegroup = 0; $color = 1; $write = check_acl ($config['id_user'], $agent['id_grupo'], "AW"); foreach ($modules as $module) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue; + } + + // Calculate table line color if ($color == 1){ $tdcolor = "datos"; diff --git a/pandora_console/operation/agentes/status_monitor.php b/pandora_console/operation/agentes/status_monitor.php index eea84b8407..4921574679 100644 --- a/pandora_console/operation/agentes/status_monitor.php +++ b/pandora_console/operation/agentes/status_monitor.php @@ -34,6 +34,12 @@ require_once($config['homedir'] . '/include/functions_users.php'); $isFunctionPolicies = enterprise_include_once ('include/functions_policies.php'); +//Add the subquery for the ACL enterprise +if (ENTERPRISE_NOT_HOOK !== $isFunctionPolicies) { + $subquery_enterprise = subquery_acl_enterprise(); + $subquery_enterprise2 = subquery_acl_enterprise('AND', 'tagente.id_agente'); +} + ui_print_page_header ("Monitor detail", "images/bricks.png", false); 
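Review bot: In status_monitor.php, `$subquery_enterprise` and `$subquery_enterprise2` are set only inside `if (ENTERPRISE_NOT_HOOK !== $isFunctionPolicies)`, but the later hunks of this file (-85, -117, -156, -208) concatenate them into every query regardless. Without the enterprise code both are undefined, which raises notices and leaves the queries dependent on an unset variable evaluating to an empty string. Initialise both before the `if`: `$subquery_enterprise = '';` and `$subquery_enterprise2 = '';`. A short comment stating that each fragment is either empty or a complete `AND …` clause would make the string concatenation in the queries easier to audit.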
@@ -85,7 +91,7 @@ switch ($config["dbtype"]) { $sql = ' SELECT distinct(nombre) FROM tagente_modulo - WHERE nombre <> "delete_pending" and id_agente in + WHERE nombre <> "delete_pending" ' . $subquery_enterprise . ' and id_agente in ( select id_agente from tagente where id_grupo IN ( @@ -117,7 +123,7 @@ switch ($config["dbtype"]) { $sql = ' select distinct(nombre) from tagente_modulo - where nombre <> \'delete_pending\' and id_agente in + where nombre <> \'delete_pending\' ' . $subquery_enterprise . ' and id_agente in ( select id_agente from tagente where id_grupo IN ( @@ -156,7 +162,7 @@ switch ($config["dbtype"]) { $sql = ' select nombre from (select distinct dbms_lob.substr(nombre,4000,1) as nombre, ' . $column_names .' from tagente_modulo) - where nombre <> \'delete_pending\' and id_agente in + where nombre <> \'delete_pending\' ' . $subquery_enterprise . ' and id_agente in ( select id_agente from tagente where id_grupo IN ( @@ -208,7 +214,7 @@ $sql = " FROM tagente, tagente_modulo, tagente_estado WHERE tagente.id_agente = tagente_modulo.id_agente AND tagente_modulo.disabled = 0 AND tagente.disabled = 0 - AND tagente_estado.id_agente_modulo = tagente_modulo.id_agente_modulo"; + AND tagente_estado.id_agente_modulo = tagente_modulo.id_agente_modulo" . $subquery_enterprise2 ; // Agent group selector if ($ag_group > 0 && check_acl ($config["id_user"], $ag_group, "AR")) { diff --git a/pandora_console/operation/agentes/ver_agente.php b/pandora_console/operation/agentes/ver_agente.php index 67821922a4..8e7d3ebca1 100644 --- a/pandora_console/operation/agentes/ver_agente.php +++ b/pandora_console/operation/agentes/ver_agente.php 
@@ -342,7 +342,7 @@ if (empty ($id_agente)) { $agent = db_get_row ('tagente', 'id_agente', $id_agente); // get group for this id_agente $id_grupo = $agent['id_grupo']; -if (! check_acl ($config['id_user'], $id_grupo, "AR")) { +if (! check_acl ($config['id_user'], $id_grupo, "AR", $id_agente)) { db_pandora_audit("ACL Violation", "Trying to access (read) to agent ".agents_get_name($id_agente)); include ("general/noaccess.php"); diff --git a/pandora_console/operation/search_modules.php b/pandora_console/operation/search_modules.php index 4eca750674..adff02dbfa 100644 --- a/pandora_console/operation/search_modules.php +++ b/pandora_console/operation/search_modules.php @@ -18,6 +18,10 @@ global $config; include_once($config['homedir'] . "/include/functions_modules.php"); include_once($config['homedir'] . '/include/functions_users.php'); +$subquery_enterprise = ''; +if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + $subquery_enterprise = subquery_acl_enterprise('', 't1.id_agente', 'AND'); +} $searchModules = check_acl($config['id_user'], 0, "AR"); @@ -73,7 +77,7 @@ if ($searchModules) { ON t3.id_grupo = t2.id_grupo INNER JOIN tagente_estado AS t4 ON t4.id_agente_modulo = t1.id_agente_modulo - WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') + WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') OR 0 IN ( SELECT id_grupo FROM tusuario_perfil @@ -96,7 +100,7 @@ if ($searchModules) { ON t3.id_grupo = t2.id_grupo INNER JOIN tagente_estado AS t4 ON t4.id_agente_modulo = t1.id_agente_modulo - WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') + WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') OR 0 IN ( SELECT id_grupo FROM tusuario_perfil 
@@ -119,7 +123,7 @@ if ($searchModules) { ON t3.id_grupo = t2.id_grupo INNER JOIN tagente_estado AS t4 ON t4.id_agente_modulo = t1.id_agente_modulo - WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') + WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') OR 0 IN ( SELECT id_grupo FROM tusuario_perfil