From 38f72bed8d7e6ee3e732d2814de26f90fda464ae Mon Sep 17 00:00:00 2001
From: fbsanchez
Date: Sat, 22 Jun 2019 13:11:35 +0200
Subject: [PATCH] AWS multi account

---
 .../wizards/DiscoveryTaskList.class.php | 4 +-
 pandora_console/include/styles/discovery.css | 5 ++
 pandora_server/lib/PandoraFMS/Core.pm | 14 ++++
 .../lib/PandoraFMS/DiscoveryServer.pm | 76 +++++++++----------
 4 files changed, 59 insertions(+), 40 deletions(-)

diff --git a/pandora_console/godmode/wizards/DiscoveryTaskList.class.php b/pandora_console/godmode/wizards/DiscoveryTaskList.class.php
index 9ba322d42f..1a16967f60 100644
--- a/pandora_console/godmode/wizards/DiscoveryTaskList.class.php
+++ b/pandora_console/godmode/wizards/DiscoveryTaskList.class.php
@@ -699,7 +699,7 @@ class DiscoveryTaskList extends Wizard
 if ($script !== false) {
 switch ($script['type']) {
 case DISCOVERY_SCRIPT_CLOUD_AWS:
- return 'wiz=cloud&mode=amazonws&page=1';
+ return 'wiz=cloud&mode=amazonws&ki='.$task['auth_strings'].'&page=1';
 case DISCOVERY_SCRIPT_APP_VMWARE:
 return 'wiz=app&mode=vmware&page=0';
@@ -722,7 +722,7 @@ class DiscoveryTaskList extends Wizard
 case DISCOVERY_CLOUD_AWS:
 case DISCOVERY_CLOUD_AWS_EC2:
- return 'wiz=cloud&mode=amazonws&page=1';
+ return 'wiz=cloud&mode=amazonws&ki='.$task['auth_strings'].'&page=1';
 case DISCOVERY_CLOUD_AWS_RDS:
 return 'wiz=cloud&mode=amazonws&sub=rds&page=0';
diff --git a/pandora_console/include/styles/discovery.css b/pandora_console/include/styles/discovery.css
index 0f48611cb9..82b022050f 100644
--- a/pandora_console/include/styles/discovery.css
+++ b/pandora_console/include/styles/discovery.css
@@ -265,3 +265,8 @@ a.tip {
 .discovery_interval_select_width {
 width: 90%;
 }
+
+a.ext_link {
+ margin-left: 1em;
+ font-size: 8pt;
+}
diff --git a/pandora_server/lib/PandoraFMS/Core.pm b/pandora_server/lib/PandoraFMS/Core.pm
index ee66b5ca68..861f123ef8 100644
--- a/pandora_server/lib/PandoraFMS/Core.pm
+++ b/pandora_server/lib/PandoraFMS/Core.pm
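Review bot: `$task['auth_strings']` is concatenated into the query string unencoded in the `DISCOVERY_SCRIPT_CLOUD_AWS` return, and again in the `DISCOVERY_CLOUD_AWS` / `DISCOVERY_CLOUD_AWS_EC2` return of the following hunk. The value is the credential identifier, presumably chosen by an operator, so an `&`, `#`, `=` or space in it would truncate the link or add parameters to it; how the returned string is escaped before it reaches HTML is not visible in these hunks. Encode it where it is used: `return 'wiz=cloud&mode=amazonws&ki='.rawurlencode($task['auth_strings']).'&page=1';`. Both returns sit in methods that begin and end outside the hunks.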
@@ -185,6 +185,7 @@ our @EXPORT = qw(
 pandora_exec_forced_alerts
 pandora_generate_alerts
 pandora_get_config_value
+ pandora_get_credential
 pandora_get_module_tags
 pandora_get_module_url_tags
 pandora_get_module_phone_tags
@@ -3122,6 +3123,19 @@ sub pandora_get_config_value ($$) {
 return (defined ($config_value) ? $config_value : "");
 }
+
+##########################################################################
+## Get credential from credential store
+##########################################################################
+sub pandora_get_credential ($$) {
+ my ($dbh, $identifier) = @_;
+
+ my $key = get_db_single_row($dbh, 'SELECT * FROM tcredential_store WHERE identifier = ?', $identifier);
+
+ return $key;
+}
+
+
 ##########################################################################
 =head2 C<< pandora_create_module_tags (I<$pa_config>, I<$dbh>, I<$id_agent_module>, I<$serialized_tags>) >>
diff --git a/pandora_server/lib/PandoraFMS/DiscoveryServer.pm b/pandora_server/lib/PandoraFMS/DiscoveryServer.pm
index e15511de44..067bac1555 100644
--- a/pandora_server/lib/PandoraFMS/DiscoveryServer.pm
+++ b/pandora_server/lib/PandoraFMS/DiscoveryServer.pm
@@ -113,10 +113,6 @@ sub run ($) {
 print_message ($pa_config, " [*] Starting " . $pa_config->{'rb_product_name'} . " Discovery Server.", 1);
 my $threads = $pa_config->{'recon_threads'};
- # Prepare some environmental variables.
- $ENV{'AWS_ACCESS_KEY_ID'} = pandora_get_config_value($dbh, 'aws_access_key_id');
- $ENV{'AWS_SECRET_ACCESS_KEY'} = pandora_get_config_value($dbh, 'aws_secret_access_key');
-
 # Use hightest value
 if ($pa_config->{'discovery_threads'} > $pa_config->{'recon_threads'}) {
 $threads = $pa_config->{'discovery_threads'};
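Review bot: `pandora_get_credential` fetches the row with `SELECT *`, so every caller of this newly exported helper receives the stored secret together with whatever other columns `tcredential_store` has, and an undefined or empty `$identifier` goes straight into the query. The only caller in this patch reads `username` and `password`, so the query could name just those columns, and a guard such as `return unless defined($identifier) && $identifier ne '';` would make the not-found case explicit. If the store also holds credentials for products other than AWS (the schema is not visible here), the lookup or its caller should check the credential's type before the values are used as AWS keys. The header comment should also state the return value, for example `## Returns the matching row as a hash reference; callers check ref() before use.`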
@@ -193,42 +189,46 @@ sub data_consumer ($$) {
 my %cnf_extra;
 if ($task->{'type'} == DISCOVERY_CLOUD_AWS_EC2 || $task->{'type'} == DISCOVERY_CLOUD_AWS_RDS) {
- $cnf_extra{'aws_access_key_id'} = pandora_get_config_value($dbh, 'aws_access_key_id');
- $cnf_extra{'aws_secret_access_key'} = pandora_get_config_value($dbh, 'aws_secret_access_key');
+ # auth_strings stores the crential identifier to be used.
+ my $key = pandora_get_credential($dbh, $task->{'auth_strings'});
+
+ if (ref($key) eq "HASH") {
+ $cnf_extra{'aws_access_key_id'} = $key->{'username'};
+ $cnf_extra{'aws_secret_access_key'} = $key->{'password'};
+ } else {
+ # Invalid credential.
+ return;
+ }
+
 $cnf_extra{'cloud_util_path'} = pandora_get_config_value($dbh, 'cloud_util_path');
- if (!defined($ENV{'AWS_ACCESS_KEY_ID'}) || !defined($ENV{'AWS_SECRET_ACCESS_KEY'})
- || $cnf_extra{'aws_secret_access_key'} ne $ENV{'AWS_ACCESS_KEY_ID'}
- || $cnf_extra{'cloud_util_path'} ne $ENV{'AWS_SECRET_ACCESS_KEY'}) {
- # Environmental data is out of date. Create a tmp file to manage
- # credentials. Perl limitation. We cannot update ENV here.
- $cnf_extra{'creds_file'} = $pa_config->{'temporal'} . '/tmp_discovery.' . md5($task->{'id_rt'} . $task->{'name'} . time());
- eval {
- open(my $__file_cfg, '> '. $cnf_extra{'creds_file'}) or die($!);
- print $__file_cfg $cnf_extra{'aws_access_key_id'} . "\n";
- print $__file_cfg $cnf_extra{'aws_secret_access_key'} . "\n";
- close($__file_cfg);
- set_file_permissions(
- $pa_config,
- $cnf_extra{'creds_file'},
- "0600"
- );
- };
- if ($@) {
- logger(
- $pa_config,
- 'Cannot instantiate configuration file for task: ' . safe_output($task->{'name'}),
- 5
- );
- # A server restart will override ENV definition (see run)
- logger(
- $pa_config,
- 'Cannot execute Discovery task: ' . safe_output($task->{'name'}) . '. Please restart the server.',
- 1
- );
- # Skip this task.
- return;
- }
+ # Pass credentials by file due Perl limitations. We cannot update ENV here.
+ $cnf_extra{'creds_file'} = $pa_config->{'temporal'} . '/tmp_discovery.' . md5($task->{'id_rt'} . $task->{'name'} . time());
+ eval {
+ open(my $__file_cfg, '> '. $cnf_extra{'creds_file'}) or die($!);
+ print $__file_cfg $cnf_extra{'aws_access_key_id'} . "\n";
+ print $__file_cfg $cnf_extra{'aws_secret_access_key'} . "\n";
+ close($__file_cfg);
+ set_file_permissions(
+ $pa_config,
+ $cnf_extra{'creds_file'},
+ "0600"
+ );
+ };
+ if ($@) {
+ logger(
+ $pa_config,
+ 'Cannot instantiate configuration file for task: ' . safe_output($task->{'name'}),
+ 5
+ );
+ # A server restart will override ENV definition (see run)
+ logger(
+ $pa_config,
+ 'Cannot execute Discovery task: ' . safe_output($task->{'name'}) . '. Please restart the server.',
+ 1
+ );
+ # Skip this task.
+ return;
 }
 }
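Review bot: The credentials file on the new side is opened with two-argument `open(my $__file_cfg, '> '. $cnf_extra{'creds_file'})` under a predictable name in `$pa_config->{'temporal'}`, and `set_file_permissions(..., "0600")` runs only after both keys have been written, so the secret can briefly sit at the umask-default mode and an existing file or symlink at that path would be written through. Because this commit makes the file the only route for every AWS task, create it exclusively with the mode applied at creation and check `print` and `close`, as sketched below; the `Fcntl` constants have to be imported at the top of the file, which is outside this hunk. The `# Invalid credential.` branch returns without a `logger` call, so a task whose `auth_strings` matches no stored credential is skipped silently, and the retained "Please restart the server" message and `(see run)` comment no longer fit now that `run` has stopped setting `%ENV`. `data_consumer` begins and ends outside the hunk, so whether the file is removed once the task finishes cannot be seen here.

```perl
# … unchanged: credential lookup, cloud_util_path, creds_file name …
eval {
    # O_EXCL refuses an existing file or symlink at this path; mode 0600 is applied at creation.
    sysopen(my $__file_cfg, $cnf_extra{'creds_file'}, O_WRONLY | O_CREAT | O_EXCL, 0600) or die($!);
    print $__file_cfg $cnf_extra{'aws_access_key_id'} . "\n" or die($!);
    print $__file_cfg $cnf_extra{'aws_secret_access_key'} . "\n" or die($!);
    close($__file_cfg) or die($!);
    # … unchanged: set_file_permissions call …
};
# … unchanged: logging and return on $@ …
```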