Add generic API functions set access control and traps functions - #2978

enriquecd 2018-10-25 19:48:23 +02:00
parent 3aff162616
commit 2849d62faa
1 changed files with 276 additions and 0 deletions


@ -30,6 +30,7 @@ include_once($config['homedir'] . "/include/functions_network_components.php");
include_once($config['homedir'] . "/include/functions_netflow.php");
include_once($config['homedir'] . "/include/functions_servers.php");
include_once($config['homedir'] . "/include/functions_planned_downtimes.php");
include_once($config['homedir'] . "/include/functions_db.php");
enterprise_include_once ('include/functions_local_components.php');
enterprise_include_once ('include/functions_events.php');
enterprise_include_once ('include/functions_agents.php');
@ -11505,7 +11506,282 @@ function util_api_check_agent_and_print_error($id_agent, $returnType, $access =
return false;
}
function api_get_user_info($thrash1, $thrash2, $other, $returnType) {
if (defined ('METACONSOLE')) {
return;
}
$separator = ';';
$other = json_decode(base64_decode($other['data']),true);
$sql = 'select * from tusuario where id_user = "'.$other[0]['id_user'].'" and password = "'.$other[0]['password'].'"';
$user_info = db_get_all_rows_sql($sql);
if (count($user_info) > 0 and $user_info !== false) {
$data = array('type' => 'array', 'data' => $user_info);
returnData($returnType, $data, $separator);
}
else {
return 0;
}
}
/*
This function receives different parameters to process one of these actions the logging process in our application from the records in the audit of pandora fms, to avoid concurrent access of administrator users, and optionally to prohibit access to non-administrator users:
Parameter 0
The User ID that attempts the action is used to check the status of the application for access.
Parameter 1
Login, logout, exclude, browse.
These requests receive a response that we can treat as we consider, this function only sends answers, does not perform any action in your application, you must customize them.
Login action: free (register our access), taken, denied (if you are not an administrator user and parameter four is set to 1, register the expulsion).
Browse action: It has the same answers as login, but does not register anything in the audit.
Logout action: It records the deslogeo but does not send a response.
All other actions do not return a response,
Parameter 2
IP address of the application is also used to check the status of the application for access.
Parameter 3
Name of the application, it is also used to check the status of the application for access.
Parameter 4
If you mark 1 you will avoid the access to the non-administrators users, returning the response `denied' and registering that expulsion in the audit of pandora fms.
*/
function api_set_access_process($thrash1, $thrash2, $other, $returnType) {
if (defined ('METACONSOLE')) {
return;
}
$other['data'] = explode('|',$other['data']);
$sql = 'select id_usuario,utimestamp from tsesion where descripcion like "%'.$other['data'][2].'%" and accion like "%'.$other['data'][3].' Logon%" and id_usuario IN (select id_user from tusuario where is_admin = 1) and id_usuario != "'.$other['data'][0].'" order by utimestamp DESC limit 1';
$audit_concurrence = db_get_all_rows_sql($sql);
$sql_user = 'select id_usuario,utimestamp from tsesion where descripcion like "%'.$other['data'][2].'%" and accion like "%'.$other['data'][3].' Logon%" and id_usuario IN (select id_user from tusuario where is_admin = 1) and id_usuario = "'.$other['data'][0].'" order by utimestamp DESC limit 1';
$audit_concurrence_user = db_get_all_rows_sql($sql_user);
$sql2 = 'select id_usuario,utimestamp,accion from tsesion where descripcion like "%'.$other['data'][2].'%" and accion like "%'.$other['data'][3].' Logoff%" and id_usuario = "'.$audit_concurrence[0]['id_usuario'].'" order by utimestamp DESC limit 1';
$audit_concurrence_2 = db_get_all_rows_sql($sql2);
//The user trying to log in is an administrator
if(users_is_admin($other['data'][0])){
//The admin user is trying to login
if($other['data'][1] == 'login'){
// Check if there is an administrator user logged in prior to our last login
if($audit_concurrence[0]['utimestamp'] > $audit_concurrence_user[0]['utimestamp']){
// Check if the administrator user logged in later to us has unlogged and left the node free
if($audit_concurrence[0]['utimestamp'] > $audit_concurrence_2[0]['utimestamp']){
// The administrator user logged in later has not yet unlogged
returnData('string', array('type' => 'string', 'data' => 'taken'));
}
else{
// The administrator user logged in later has already unlogged
returnData('string', array('type' => 'string', 'data' => 'free'));
}
}
else{
// There is no administrator user who has logged in since then to log us in.
db_pandora_audit($other['data'][3].' Logon', 'Logged in '.$other['data'][3].' node '.$other['data'][2] , $other['data'][0]);
returnData('string', array('type' => 'string', 'data' => 'free'));
}
}
elseif ($other['data'][1] == 'logout') {
// The administrator user wants to log out
db_pandora_audit($other['data'][3].' Logoff', 'Logout from '.$other['data'][3].' node '.$other['data'][2], $other['data'][0]);
}
elseif ($other['data'][1] == 'exclude') {
// The administrator user has ejected another administrator user who was logged in
db_pandora_audit($other['data'][3].' Logon', 'Logged in '.$other['data'][3].' node '.$other['data'][2] , $other['data'][0]);
db_pandora_audit($other['data'][3].' Logoff', 'Logout from '.$other['data'][3].' node '.$other['data'][2] , $audit_concurrence[0]['id_usuario']);
}
//The admin user is trying to browse
elseif ($other['data'][1] == 'browse') {
// Check if there is an administrator user logged in prior to our last login
if($audit_concurrence[0]['utimestamp'] > $audit_concurrence_user[0]['utimestamp']){
// Check if the administrator user logged in later to us has unlogged and left the node free
if($audit_concurrence[0]['utimestamp'] > $audit_concurrence_2[0]['utimestamp']){
// The administrator user logged in later has not yet unlogged
returnData('string', array('type' => 'string', 'data' => $audit_concurrence[0]['id_usuario']));
}
else{
// The administrator user logged in later has already unlogged
returnData('string', array('type' => 'string', 'data' => 'free'));
}
}
else{
// There is no administrator user who has logged in since then to log us in.
returnData('string', array('type' => 'string', 'data' => 'free'));
}
}
elseif ($other['data'][1] == 'cancelled'){
//The administrator user tries to log in having another administrator logged in, but instead of expelling him he cancels his log in.
db_pandora_audit($other['data'][3].' cancelled access', 'Cancelled access in '.$other['data'][3].' node '.$other['data'][2] , $other['data'][0]);
returnData('string', array('type' => 'string', 'data' => 'cancelled'));
}
}
else{
if($other['data'][4] == 1){
//The user trying to log in is not an administrator and is not allowed no admin access
db_pandora_audit($other['data'][3].' denied access', 'Denied access to non-admin user '.$other['data'][3].' node '.$other['data'][2] , $other['data'][0]);
returnData('string', array('type' => 'string', 'data' => 'denied'));
}
else{
//The user trying to log in is not an administrator and is allowed no admin access
if($other['data'][1] == 'login'){
//The user trying to login is not admin, can enter without concurrent use filter
db_pandora_audit($other['data'][3].' Logon', 'Logged in '.$other['data'][3].' node '.$other['data'][2] , $other['data'][0]);
returnData('string', array('type' => 'string', 'data' => 'free'));
}
elseif ($other['data'][1] == 'logout') {
//The user trying to logoff is not admin
db_pandora_audit($other['data'][3].' Logoff', 'Logout from '.$other['data'][3].' node '.$other['data'][2], $other['data'][0]);
}
elseif ($other['data'][1] == 'browse'){
//The user trying to browse in an app page is not admin, can enter without concurrent use filter
returnData('string', array('type' => 'string', 'data' => 'free'));
}
}
}
}
function api_get_traps($thrash1, $thrash2, $other, $returnType) {
if (defined ('METACONSOLE')) {
return;
}
$other['data'] = explode('|',$other['data']);
$other['data'][1] = date("Y-m-d H:i:s",$other['data'][1]);
$sql = 'SELECT * from ttrap where timestamp >= "'.$other['data'][1].'"';
// $sql = 'SELECT * from ttrap where source = "'.$other['data'][0].'" and timestamp >= "'.$other['data'][1].'"';
if($other['data'][4]){
$other['data'][4] = date("Y-m-d H:i:s",$other['data'][4]);
$sql .= ' and timestamp <= "'.$other['data'][4].'"';
}
if($other['data'][2]){
$sql .= ' limit '.$other['data'][2];
}
if($other['data'][3]){
$sql .= ' offset '.$other['data'][3];
}
if($other['data'][5]){
$sql .= ' and status = 0';
}
if(sizeof($other['data']) == 0){
$sql = 'SELECT * from ttrap';
}
$traps = db_get_all_rows_sql($sql);
if($other['data'][6]){
foreach ($traps as $key => $value) {
if(!strpos($value['oid_custom'],$other['data'][6]) && $other['data'][7] == 'false'){
unset($traps[$key]);
}
if(strpos($value['oid_custom'],$other['data'][6]) && $other['data'][7] == 'true'){
unset($traps[$key]);
}
}
}
$traps_json = json_encode($traps);
if (count($traps) > 0 and $traps !== false) {
returnData('string', array('type' => 'string', 'data' => $traps_json));
}
else {
return 0;
}
}
function api_set_validate_traps ($id, $thrash2, $other, $thrash3) {
if (defined ('METACONSOLE')) {
return;
}
if($id == 'all'){
$result = db_process_sql_update('ttrap',array('status' => 1));
}
else{
$result = db_process_sql_update('ttrap',
array('status' => 1), array('id_trap' => $id));
}
if (is_error($result)) {
// TODO: Improve the error returning more info
returnError('error_update_trap', __('Error in trap update.'));
}
else {
returnData('string',
array('type' => 'string',
'data' => __('Validated traps.')));
}
}
function api_set_delete_traps ($id, $thrash2, $other, $thrash3) {
if (defined ('METACONSOLE')) {
return;
}
if($id == 'all'){
$result = db_process_sql ('delete from ttrap');
}
else{
$result = db_process_sql_delete('ttrap',array('id_trap' => $id));
}
if (is_error($result)) {
// TODO: Improve the error returning more info
returnError('error_delete_trap', __('Error in trap delete.'));
}
else {
returnData('string',
array('type' => 'string',
'data' => __('Deleted traps.')));
}
}
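Review bot: `api_get_user_info` concatenates the decoded request fields `$other[0]['id_user']` and `$other[0]['password']` directly into its SQL string, so the caller controls the statement text. The same pattern recurs in the three `tsesion` queries of `api_set_access_process` and in `api_get_traps`, where `limit` and `offset` are appended unquoted. These values should be bound or escaped before they reach `db_get_all_rows_sql`, with the numeric ones cast, e.g. `$sql .= ' limit '.(int)$other['data'][2];`. The `select *` on `tusuario` also hands every column of the matched row, apparently including the stored password value, back through `returnData`, so a named column list would be safer. Separately, none of the five new handlers shows a permission check beyond the `METACONSOLE` guard, yet `api_set_validate_traps` and `api_set_delete_traps` rewrite or delete every row of `ttrap` when `$id == 'all'`; both should be gated on a write-level ACL check before the update or delete runs.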