tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

event ACL with tags

This commit is contained in:
fbsanchez 2019-06-14 18:30:09 +02:00
parent 129c24c287
commit 20257edadd
2 changed files with 316 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

328
pandora_console/include/functions_events.php
View File

@ -273,6 +273,8 @@ function events_delete($id_evento, $filter=null, $history=false)
*/
function events_update_status($id_evento, $status, $filter=null, $history=false)
{
global $config;
if (!$status) {
return false;
}
@ -328,12 +330,15 @@ function events_update_status($id_evento, $status, $filter=null, $history=false)
AND tu.id_agente = tf.id_agente
AND tu.id_agentmodule = tf.id_agentmodule
AND tf.max_id_evento = %d
SET tu.estado = %d, tu.ack_utimestamp = %d',
SET tu.estado = %d,
tu.ack_utimestamp = %d,
tu.id_usuario = "%s"',
$table,
$sql,
$id_evento,
$status,
time()
time(),
$config['id_user']
);
break;
}
@ -369,6 +374,8 @@ function events_get_all(
) {
global $config;
$user_is_admin = users_is_admin();
if (!is_array($filter)) {
error_log('[events_get_all] Filter must be an array.');
throw new Exception('[events_get_all] Filter must be an array.');
@ -455,10 +462,38 @@ function events_get_all(
}
if (isset($filter['id_group_filter']) && $filter['id_group_filter'] > 0) {
$sql_filters[] = sprintf(
' AND id_group = %d ',
$propagate = db_get_value(
'propagate',
'tgrupo',
'id_grupo',
$filter['id_group_filter']
);
if (!$propagate) {
$sql_filters[] = sprintf(
' AND te.id_grupo = %d ',
$filter['id_group_filter']
);
} else {
$groups = [ $filter['id_group_filter'] ];
$childrens = groups_get_childrens($id_group, null, true);
if (!empty($childrens)) {
foreach ($childrens as $child) {
$groups[] = (int) $child['id_grupo'];
}
}
$filter['id_group_filter'] = $groups;
$sql_filters[] = sprintf(
' AND id_group IN (%s) ',
join(',', $filter['id_group_filter'])
);
}
}
// Skip system messages if user is not PM.
if (!check_acl($config['id_user'], 0, 'PM')) {
$sql_filters[] = ' AND te.id_grupo != 0 ';
}
if (isset($filter['status'])) {
@ -487,28 +522,38 @@ function events_get_all(
}
}
if (!users_is_admin()) {
// Get groups where user have ER grants.
$sg_active = enterprise_hook('agents_is_using_secondary_groups');
if (!$user_is_admin) {
$ER_groups = users_get_groups($config['id_user'], 'ER', false);
$EM_groups = users_get_groups($config['id_user'], 'EM', false, true);
$EW_groups = users_get_groups($config['id_user'], 'EW', false, true);
}
if (!$user_is_admin && !users_can_manage_group_all('ER')) {
// Get groups where user have ER grants.
$sql_filters[] = sprintf(
' AND id_grupo IN ( %s )',
' AND te.id_grupo IN ( %s )',
join(', ', array_keys($ER_groups))
);
}
$table = events_get_events_table(is_metaconsole(), $history);
$tevento = sprintf(
'(SELECT *
FROM %s
WHERE 1=1 %s) te',
$table,
join(' ', $sql_filters)
' %s te',
$table
);
// Reset array sql filters.
$sql_filters = [];
// Prepare agent join sql filters.
$agent_join_filters = [];
$tagente_table = 'tagente';
$tagente_field = 'id_agente';
if (is_metaconsole()) {
$tagente_table = 'tmetaconsole_agent';
$tagente_field = 'id_tagente';
}
// Agent alias.
if (!empty($filter['agent_alias'])) {
$agent_join_filters[] = sprintf(
' AND ta.alias = "%s" ',
@ -516,24 +561,240 @@ function events_get_all(
);
}
// Free search.
if (!empty($filter['search'])) {
$sql_filters[] = sprintf(
$sql_filters[] = vsprintf(
' AND (lower(ta.alias) like lower("%%%s%%")
OR te.id_evento like "%%%s%%"
OR lower(te.evento) like lower("%%%s%%")
OR lower(te.user_comment) like lower("%%%s%%")
OR lower(te.id_extra) like lower("%%%s%%")
OR lower(te.source) like lower("%%%s%%") )',
$filter['search'],
$filter['search'],
$filter['search']
OR lower(te.source) like lower("%%%s%%")
OR lower(te.custom_data) like lower("%%%s%%") )',
array_fill(0, 7, $filter['search'])
);
}
// Id extra.
if (!empty($filter['id_extra'])) {
$sql_filters[] = sprintf(
' AND lower(te.id_extra) like lower("%%%s%%") ',
$filter['id_extra']
);
}
// User comment.
if (!empty($filter['user_comment'])) {
$sql_filters[] = sprintf(
' AND lower(te.user_comment) like lower("%%%s%%") ',
$filter['user_comment']
);
}
// Source.
if (!empty($filter['source'])) {
$sql_filters[] = sprintf(
' AND lower(te.source) like lower("%%%s%%") ',
$filter['source']
);
}
// Validated or in process by.
if (!empty($filter['id_user_ack'])) {
$sql_filters[] = sprintf(
' AND te.id_usuario like lower("%%%s%%") ',
$filter['id_user_ack']
);
}
$tag_names = [];
// With following tags.
if (!empty($filter['tag_with'])) {
$tag_with = base64_decode($filter['tag_with']);
$tags = json_decode($tag_with, true);
if (is_array($tags) && !in_array('0', $tags)) {
if (!$user_is_admin) {
$user_tags = array_flip(tags_get_tags_for_module_search());
if ($user_tags != null) {
foreach ($tags as $id_tag) {
// User cannot filter with those tags.
if (!array_search($id_tag, $user_tags)) {
return false;
}
}
}
}
$_tmp = ' AND (';
foreach ($tags as $id_tag) {
if (!isset($tags_names[$id_tag])) {
$tags_names[$id_tag] = tags_get_name($id_tag);
}
if ($first) {
$_tmp .= ' ( ';
$first = false;
} else {
$_tmp .= ' AND ( ';
}
$_tmp .= sprintf(
'tags LIKE "%s"',
$tag_names[$id_tag]
);
$_tmp .= sprintf(
'tags LIKE "%s,%%"',
$tag_names[$id_tag]
);
$_tmp .= sprintf(
'tags LIKE "%%,%s"',
$tag_names[$id_tag]
);
$_tmp .= sprintf(
'tags LIKE "%%,%s,%%"',
$tag_names[$id_tag]
);
$_tmp .= ') ';
}
$sql_filters[] = $_tmp.') ';
}
}
// Without following tags.
if (!empty($filter['tag_without'])) {
$tag_without = base64_decode($filter['tag_without']);
$tags = json_decode($tag_without, true);
if (is_array($tags) && !in_array('0', $tags)) {
$_tmp = ' AND (';
foreach ($tags as $id_tag) {
if (!isset($tags_names[$id_tag])) {
$tags_names[$id_tag] = tags_get_name($id_tag);
}
$_tmp .= sprintf(
' AND tags NOT LIKE "%s" ',
$tag_names[$id_tag]
);
$_tmp .= sprintf(
' AND tags NOT LIKE "%s,%%" ',
$tag_names[$id_tag]
);
$_tmp .= sprintf(
' AND tags NOT LIKE "%%,%s" ',
$tag_names[$id_tag]
);
$_tmp .= sprintf(
' AND tags NOT LIKE "%%,%s,%%" ',
$tag_names[$id_tag]
);
}
$sql_filters[] = $_tmp.') ';
}
}
// Filter/ Only alerts.
if (isset($filter['filter_only_alert'])) {
if ($filter['filter_only_alert'] == 0) {
$sql_filters[] = ' AND event_type NOT LIKE "%alert%"';
} else if ($filter['filter_only_alert'] == 1) {
$sql_filters[] = ' AND event_type LIKE "%alert%"';
}
}
// TAgs ACLS.
if (check_acl($config['id_user'], 0, 'ER')) {
$tags_acls_condition = tags_get_acl_tags(
// Id_user.
$config['id_user'],
// Id_group.
$ER_groups,
// Access.
'ER',
// Return_mode.
'event_condition',
// Query_prefix.
'AND',
// Query_table.
'',
// Meta.
is_metaconsole(),
// Childrens_ids.
[],
// Force_group_and_tag.
true,
// Table tag for id_grupo.
'te.'
);
// FORCE CHECK SQL "(TAG = tag1 AND id_grupo = 1)".
} else if (check_acl($config['id_user'], 0, 'EW')) {
$tags_acls_condition = tags_get_acl_tags(
// Id_user.
$config['id_user'],
// Id_group.
$EW_groups,
// Access.
'EW',
// Return_mode.
'event_condition',
// Query_prefix.
'AND',
// Query_table.
'',
// Meta.
is_metaconsole(),
// Childrens_ids.
[],
// Force_group_and_tag.
true,
// Table tag for id_grupo.
'te.'
);
// FORCE CHECK SQL "(TAG = tag1 AND id_grupo = 1)".
} else if (check_acl($config['id_user'], 0, 'EM')) {
$tags_acls_condition = tags_get_acl_tags(
// Id_user.
$config['id_user'],
// Id_group.
$EM_groups,
// Access.
'EM',
// Return_mode.
'event_condition',
// Query_prefix.
'AND',
// Query_table.
'',
// Meta.
is_metaconsole(),
// Childrens_ids.
[],
// Force_group_and_tag.
true,
// Table tag for id_grupo.
'te.'
);
// FORCE CHECK SQL "(TAG = tag1 AND id_grupo = 1)".
}
if (($tags_acls_condition != ERR_WRONG_PARAMETERS)
&& ($tags_acls_condition != ERR_ACL)
) {
$sql_filters[] = $tags_acls_condition;
}
// Order.
$order_by = '';
if (isset($order, $sort_field)) {
$order_by = events_get_sql_order($sort_field, $order);
}
// Pagination.
$pagination = '';
if (isset($limit, $offset)) {
$pagination = sprintf(' LIMIT %d OFFSET %d', $limit, $offset);
@ -544,6 +805,7 @@ function events_get_all(
$extra = ', server_id';
}
// Group by.
$group_by = 'GROUP BY ';
$tagente_join = 'LEFT';
switch ($filter['group_rep']) {
@ -611,8 +873,8 @@ function events_get_all(
%s
FROM %s
%s
%s JOIN tagente ta
ON ta.id_agente = te.id_agente
%s JOIN %s ta
ON ta.%s = te.id_agente
%s
%s JOIN tgrupo tg
ON te.id_grupo = tg.id_grupo
@ -628,6 +890,8 @@ function events_get_all(
$tevento,
$event_lj,
$tagente_join,
$tagente_table,
$tagente_field,
join(' ', $agent_join_filters),
$tgrupo_join,
join(' ', $tgrupo_join_filters),
@ -637,21 +901,25 @@ function events_get_all(
$pagination
);
if (!users_is_admin()) {
$EM_groups = users_get_groups($config['id_user'], 'EM', false, true);
$EW_groups = users_get_groups($config['id_user'], 'EW', false, true);
// Apply ACL layer.
if (!$user_is_admin) {
// XXX: Confirm there's no extra grants unhandled!.
$sql = sprintf(
'SELECT
tbase.*,
(tbase.id_grupo IN (%s)) as user_can_manage,
(tbase.id_grupo IN (%s)) as user_can_write
FROM
('.$sql.') tbase',
(',
join(', ', array_keys($EM_groups)),
join(', ', array_keys($EW_groups))
);
).$sql.') tbase';
} else {
$sql = 'SELECT
tbase.*,
1 as user_can_manage,
1 as user_can_write
FROM
('.$sql.') tbase';
}
if ($count) {
@ -2543,7 +2811,7 @@ function events_page_responses($event, $childrens_ids=[])
//
// Responses.
//
$table_responses = new StdObject();
$table_responses = new StdClass();
$table_responses->cellspacing = 2;
$table_responses->cellpadding = 2;
$table_responses->id = 'responses_table';
@ -3860,7 +4128,7 @@ function events_page_general($event)
}
for ($i = 0; $i <= $table_data_total; $i++) {
if (count($table_data[$i]) == 2) {
if (is_array($table_data[$i]) && count($table_data[$i]) == 2) {
$table_general->colspan[$i][1] = 2;
$table_general->style[2] = 'text-align:center; width:10%;';
}

24
pandora_console/include/functions_tags.php
View File

@ -744,7 +744,8 @@ function tags_get_acl_tags(
$query_table='',
$meta=false,
$childrens_ids=[],
$force_group_and_tag=false
$force_group_and_tag=false,
$id_grupo_table_pretag=''
) {
global $config;
@ -814,7 +815,13 @@ function tags_get_acl_tags(
case 'event_condition':
// Return the condition of the tags for tevento table.
$condition = tags_get_acl_tags_event_condition($acltags, $meta, $force_group_and_tag);
$condition = tags_get_acl_tags_event_condition(
$acltags,
$meta,
$force_group_and_tag,
false,
$id_grupo_table_pretag
);
if (!empty($condition)) {
return " $query_prefix ".'('.$condition.')';
@ -905,8 +912,13 @@ function tags_get_acl_tags_module_condition($acltags, $modules_table='', $force_
*/
function tags_get_acl_tags_event_condition($acltags, $meta=false, $force_group_and_tag=false, $force_equal=false)
{
function tags_get_acl_tags_event_condition(
$acltags,
$meta=false,
$force_group_and_tag=false,
$force_equal=false,
$id_grupo_table_pretag=''
) {
global $config;
$condition = [];
@ -923,7 +935,7 @@ function tags_get_acl_tags_event_condition($acltags, $meta=false, $force_group_a
// Group condition (The module belongs to an agent of the group X)
// $group_condition = sprintf('id_grupo IN (%s)', implode(',', array_values(groups_get_id_recursive($group_id, true))));.
$group_condition = "(id_grupo = $group_id OR id_group = $group_id)";
$group_condition = '('.$id_grupo_table_pretag.'id_grupo = '.$group_id.' OR id_group = '.$group_id.')';
// Tags condition (The module has at least one of the restricted tags).
$tags_condition = '';
@ -959,7 +971,7 @@ function tags_get_acl_tags_event_condition($acltags, $meta=false, $force_group_a
}
$in_group = implode(',', $without_tags);
$condition .= sprintf('(id_grupo IN (%s) OR id_group IN (%s))', $in_group, $in_group);
$condition .= sprintf('('.$id_grupo_table_pretag.'id_grupo IN (%s) OR id_group IN (%s))', $in_group, $in_group);
}
$condition = !empty($condition) ? "($condition)" : '';