From 22f151bc6da6f6c9f0260cfc6f41c6acb01a60ad Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Wed, 28 Apr 2021 17:01:50 +0200
Subject: [PATCH 01/23] fixed bug in users search

---
 .../operation/search_users.getdata.php | 39 +++++++------------
 1 file changed, 13 insertions(+), 26 deletions(-)

diff --git a/pandora_console/operation/search_users.getdata.php b/pandora_console/operation/search_users.getdata.php
index 99ca08ee68..9ba7ee24af 100644
--- a/pandora_console/operation/search_users.getdata.php
+++ b/pandora_console/operation/search_users.getdata.php
@@ -221,7 +221,18 @@ if ($searchUsers) {
 // Check ACLs
 $users_id = [];
 foreach ($users as $key => $user) {
- if (!check_acl($config['id_user'], users_get_groups($user['id_user']), 'UM') && $config['id_user'] != $user['id_user']) {
+ $user_can_manage_all = users_can_manage_group_all('UM');
+
+ $user_groups = users_get_groups(
+ $user['id_user'],
+ 'AR',
+ $user_can_manage_all
+ );
+
+ // Get group IDs.
+ $user_groups = array_keys($user_groups);
+
+ if (!check_acl_one_of_groups($config['id_user'], $user_groups, 'UM') && $config['id_user'] != $user['id_user']) {
 unset($users[$key]);
 } else {
 $users_id[] = $user['id_user'];
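Review bot: `users_can_manage_group_all('UM')` is evaluated on every iteration of the `foreach`, but it depends only on the session user, so it belongs once above the loop: `$user_can_manage_all = users_can_manage_group_all('UM');` placed before `foreach ($users as $key => $user) {`. The self-exemption still uses a loose comparison, `$config['id_user'] != $user['id_user']`; user ids are strings here, so `!==` is the safer spelling. What the third argument of `users_get_groups()` does with the caller's manage-all flag is not visible in this hunk, so a one-line comment explaining why the target's 'AR' groups (rather than their UM groups) are the set the caller's UM check runs over would help the next reader. The enclosing `if ($searchUsers)` starts before the hunk.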
@@ -229,33 +240,9 @@ if ($searchUsers) { } if ($only_count) { + $totalUsers = count($users); unset($users); } - - switch ($config['dbtype']) { - case 'mysql': - case 'postgresql': - $sql = "SELECT COUNT(id_user) AS count FROM tusuario - WHERE id_user LIKE '%".$stringSearchSQL."%' OR - fullname LIKE '%".$stringSearchSQL."%' OR - firstname LIKE '%".$stringSearchSQL."%' OR - lastname LIKE '%".$stringSearchSQL."%' OR - middlename LIKE '%".$stringSearchSQL."%' OR - email LIKE '%".$stringSearchSQL."%'"; - break; - - case 'oracle': - $sql = "SELECT COUNT(id_user) AS count FROM tusuario - WHERE upper(id_user) LIKE '%".strtolower($stringSearchSQL)."%' OR - upper(fullname) LIKE '%".strtolower($stringSearchSQL)."%' OR - upper(firstname) LIKE '%".strtolower($stringSearchSQL)."%' OR - upper(lastname) LIKE '%".strtolower($stringSearchSQL)."%' OR - upper(middlename) LIKE '%".strtolower($stringSearchSQL)."%' OR - upper(email LIKE) '%".strtolower($stringSearchSQL)."%'"; - break; - } - - $totalUsers = db_get_value_sql($sql); } else { $totalUsers = 0; } From 1c1e25e71261830a6429b8b33132d65fed0e6e30 Mon Sep 17 00:00:00 2001 From: "alejandro.campos@artica.es" Date: Fri, 14 May 2021 14:54:09 +0200 Subject: [PATCH 02/23] Added new item type in reports --- .../reporting_builder.item_editor.php | 155 ++++++++++++++++++ .../include/functions_reporting.php | 13 ++ .../include/functions_reporting_html.php | 63 ++++++- pandora_console/include/functions_reports.php | 5 + 4 files changed, 235 insertions(+), 1 deletion(-) diff --git a/pandora_console/godmode/reporting/reporting_builder.item_editor.php b/pandora_console/godmode/reporting/reporting_builder.item_editor.php index ed52b23aad..c7dd995dbe 100755 --- a/pandora_console/godmode/reporting/reporting_builder.item_editor.php +++ b/pandora_console/godmode/reporting/reporting_builder.item_editor.php 
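Review bot: `$totalUsers` is now assigned only inside `if ($only_count)`, whereas the removed `$totalUsers = db_get_value_sql($sql);` ran on every `$searchUsers` pass; a search that is not count-only leaves the variable unset, so any later read of `$totalUsers` (outside this hunk) gets null plus an undefined-variable notice. Move the assignment up so both branches see it: `$totalUsers = count($users);` immediately before `if ($only_count) {`, keeping only `unset($users);` inside. Counting after the ACL loop is the right direction — the deleted COUNT query was built by concatenating `$stringSearchSQL` into `LIKE` patterns and ignored the per-user ACL filter, so it both reported users the caller may not see and depended on `$stringSearchSQL` being pre-escaped elsewhere. The enclosing `if ($searchUsers)` starts before the hunk.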
@@ -3020,6 +3020,144 @@ $class = 'databox filters'; + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -5223,6 +5361,12 @@ function chooseType() { $("#row_users").hide(); $("#row_profiles_group").hide(); $("#row_select_by_group").hide(); + $("#row_os").hide(); + $("#row_custom_field").hide(); + $("#row_agent_status").hide(); + $("#row_agent_version").hide(); + $("#row_agent_remote_conf").hide(); + $("#row_module_free_search").hide(); // SLA list default state. @@ -5764,6 +5908,17 @@ function chooseType() { break; + case 'agents_inventory': + $("#row_group").show(); + $("#row_os").show(); + $("#row_custom_field").show(); + $("#row_status").show(); + $("#row_agent_version").show(); + $("#row_agent_remote_conf").show(); + $("#row_module_free_search").show(); + + break; + case 'inventory': $("#row_description").show(); $("#row_group").show(); diff --git a/pandora_console/include/functions_reporting.php b/pandora_console/include/functions_reporting.php index e82bac98ce..93aa30d878 100755 --- a/pandora_console/include/functions_reporting.php +++ b/pandora_console/include/functions_reporting.php @@ -734,6 +734,13 @@ function reporting_make_reporting_data( ); break; + case 'agents_inventory': + $report['contents'][] = reporting_agents_inventory( + $report, + $content + ); + break; + case 'inventory': $report['contents'][] = reporting_inventory( $report, @@ -2256,6 +2263,12 @@ function reporting_event_report_module( } +function reporting_agents_inventory($report, $content) +{ + hd($content); +} + + function reporting_inventory_changes($report, $content, $type) { global $config; diff --git a/pandora_console/include/functions_reporting_html.php b/pandora_console/include/functions_reporting_html.php index de800f09d3..211d8b193d 100644 --- a/pandora_console/include/functions_reporting_html.php +++ b/pandora_console/include/functions_reporting_html.php 
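Review bot: The row ids do not agree between the two `chooseType()` hunks: the default-state list hides `$("#row_agent_status")`, while `case 'agents_inventory'` shows `$("#row_status")`. Whichever id the new table row in the `-3020` hunk actually carries (that markup did not survive extraction here), one of the two calls is a no-op, so the status filter row is either never shown for this item type or never hidden for the others. Use one id in both places, e.g. `$("#row_agent_status").show();` in the case block, matching the `agent_status_filter` select name used for that row later in the series. Both hunks lie inside `chooseType()`, whose start and end are outside them.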
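Review bot: `reporting_agents_inventory()` only calls `hd($content)` and returns nothing, yet the `-734` hunk appends its result to `$report['contents'][]`, so every report containing this item gets a `null` entry plus a debug dump in the output. Even as a placeholder it should return the usual structure — at minimum `return reporting_check_structure_content(['type' => 'agents_inventory', 'data' => []]);` — and the `hd()` call should not be committed. A docblock (`@param array $report`, `@param array $content`, `@return array`) in the style of the neighbouring functions would also help.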
@@ -247,7 +247,7 @@ function reporting_html_print_report($report, $mini=false, $report_info=1) } $table->colspan['description_row']['description'] = 3; - + hd($item['type']); switch ($item['type']) { case 'availability': default: @@ -377,6 +377,10 @@ function reporting_html_print_report($report, $mini=false, $report_info=1) reporting_html_agent_module($table, $item); break; + case 'agents_inventory': + reporting_html_agents_inventory($table, $item); + break; + case 'inventory': reporting_html_inventory($table, $item); break; @@ -1425,6 +1429,63 @@ function reporting_html_event_report_module($table, $item, $pdf=0) } +/** + * Print in html agents inventory + * + * @param object $table Head table or false if it comes from pdf. + * @param array $item Items data. + * @param boolean $pdf Print pdf true or false. + * + * @return html + */ +function reporting_html_agents_inventory($table, $item, $pdf=0) +{ + hd('agents inventory'); + hd($item); + + global $config; + + if (empty($item['data']) === false) { + $table_data = new stdClass(); + $table_data->width = '100%'; + $table_data->headstyle = []; + $table_data->headstyle[0] = 'text-align: left;'; + $table_data->style = []; + $table_data->style[0] = 'text-align: left;'; + $table_data->head = [ + __('Name'), + __('Date'), + __('Data'), + __('Status'), + ]; + + $table_data->data = []; + $table_data->data[1][0] = $item['data']['agent_name']; + $table_data->data[1][0] .= ' / '; + $table_data->data[1][0] .= $item['data']['module_name']; + + $table_data->data[1][1] = date( + 'Y-m-d H:i:s', + $item['data']['utimestamp'] + ); + } + + if ($pdf === 0) { + $table->colspan['last_value']['cell'] = 3; + $table->cellstyle['last_value']['cell'] = 'text-align: center;'; + $table->data['last_value']['cell'] = html_print_table( + $table_data, + true + ); + } else { + return html_print_table( + $table_data, + true + ); + } +} + + /** * Print in html inventory changes reports * 
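Review bot: `$table_data` is only created inside `if (empty($item['data']) === false)`, but both output branches below pass it to `html_print_table()` unconditionally, so an item with no data renders an undefined variable (and the `$pdf` branch returns whatever `html_print_table(null, true)` produces). Either move the two `html_print_table()` calls inside the guard or initialise `$table_data = null;` first and skip rendering when it is null. The two `hd()` calls at the top are debug dumps and should not ship; the header declares four columns (`Name`, `Date`, `Data`, `Status`) but only cells `[1][0]` and `[1][1]` are filled, and `$item['data']['agent_name']` / `['module_name']` / `['utimestamp']` are keys the producer added in this commit never sets. The docblock says `@return html`; what the code does is `void` when `$pdf === 0` and `string` otherwise.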
diff --git a/pandora_console/include/functions_reports.php b/pandora_console/include/functions_reports.php index fbf647d392..71fa925ba5 100755 --- a/pandora_console/include/functions_reports.php +++ b/pandora_console/include/functions_reports.php @@ -848,6 +848,11 @@ function reports_get_report_types($template=false, $not_editor=false) 'name' => __('Group event report'), ]; + $types['agents_inventory'] = [ + 'optgroup' => __('Inventory'), + 'name' => __('Agents inventory'), + ]; + if ($config['enterprise_installed']) { $types['inventory'] = [ 'optgroup' => __('Inventory'), From 7abe6d544668ae0dc0640bcba0d28ed8c62eca0f Mon Sep 17 00:00:00 2001 From: "alejandro.campos@artica.es" Date: Thu, 27 May 2021 11:22:01 +0200 Subject: [PATCH 03/23] created new report item --- .../reporting_builder.item_editor.php | 116 ++++++++++++-- .../godmode/reporting/reporting_builder.php | 24 +++ pandora_console/include/ajax/module.php | 2 +- .../include/functions_reporting.php | 124 ++++++++++++++- .../include/functions_reporting_html.php | 143 ++++++++++++++---- 5 files changed, 360 insertions(+), 49 deletions(-) diff --git a/pandora_console/godmode/reporting/reporting_builder.item_editor.php b/pandora_console/godmode/reporting/reporting_builder.item_editor.php index c7dd995dbe..16db89b622 100755 --- a/pandora_console/godmode/reporting/reporting_builder.item_editor.php +++ b/pandora_console/godmode/reporting/reporting_builder.item_editor.php 
@@ -62,6 +62,20 @@ $show_sort_options = []; $show_sort_options[1] = __('Ascending'); $show_sort_options[2] = __('Descending'); +// Agents inventory display options. +$agents_inventory_display_options = []; +$agents_inventory_display_options['alias'] = __('Alias'); +$agents_inventory_display_options['direccion'] = __('IP'); +$agents_inventory_display_options['id_os'] = __('OS'); +$agents_inventory_display_options['id_grupo'] = __('Group'); +$agents_inventory_display_options['secondary_groups'] = __('Secondary groups'); +$agents_inventory_display_options['comentarios'] = __('Description'); +$agents_inventory_display_options['url_address'] = __('URL'); +$agents_inventory_display_options['custom_fields'] = __('Custom fields'); +$agents_inventory_display_options['estado'] = __('Status'); +$agents_inventory_display_options['agent_version'] = __('Version'); +$agents_inventory_display_options['remote'] = __('Remote configuration'); + enterprise_include('/godmode/reporting/reporting_builder.item_editor.php'); require_once $config['homedir'].'/include/functions_agents.php'; if (enterprise_include_once('include/functions_metaconsole.php')) { 
@@ -725,6 +739,26 @@ switch ($action) { $idAgentModule = $module; break; + case 'agents_inventory': + + + + $description = $item['description']; + $es = json_decode($item['external_source'], true); + // hd($es); + $date = $es['date']; + $selected_agent_group_filter = $es['agent_group_filter']; + $selected_agents_inventory_display_options = $es['agents_inventory_display_options']; + $selected_agent_os_filter = $es['agent_os_filter']; + $selected_agent_custom_field_filter = $es['agent_custom_field_filter']; + $selected_agent_status_filter = $es['agent_status_filter']; + $selected_agent_module_search_filter = $es['agent_module_search_filter']; + $selected_agent_version_filter = $es['agent_version_filter']; + + $idAgent = $es['id_agents']; + $idAgentModule = $inventory_modules; + break; + case 'inventory': $description = $item['description']; $es = json_decode($item['external_source'], true); @@ -3020,18 +3054,64 @@ $class = 'databox filters'; + + + + + + + + + + + + + + + + + + @@ -3082,8 +3162,8 @@ $class = 'databox filters'; html_print_select( $fields, - 'users_groups[]', - [], + 'agent_status_filter', + $selected_agent_status_filter, '', false, '', 
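Review bot: `$idAgentModule = $inventory_modules;` in the new `agents_inventory` case reads a variable this case never assigns — it looks copied from the `inventory` case below; unless `$inventory_modules` is set earlier in the switch (not visible here), this is an undefined-variable notice and `$idAgentModule` ends up null, so drop the line if the item has no module selection. `$es = json_decode($item['external_source'], true)` is then indexed without a null check, so a row with empty or malformed `external_source` raises a notice per key; `$es = json_decode($item['external_source'], true) ?? [];` keeps the following reads quiet. The commented-out `// hd($es);` and the three blank lines after `case 'agents_inventory':` should go. The `switch ($action)` this case belongs to starts and ends outside the hunk.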
@@ -3101,14 +3181,14 @@ $class = 'databox filters'; $value) { + if (array_search('secondary_groups', $es_agents_inventory_display_options) !== false) { + $sql_agent_sec_group = sprintf( + 'SELECT id_group + FROM tagent_secondary_group + WHERE id_agent = %d', + $value['id_agente'] + ); + + $agent_secondary_groups = []; + $agent_secondary_groups = db_get_all_rows_sql($sql_agent_sec_group); + + $agents[$key]['secondary_groups'] = $agent_secondary_groups; + } + + if (array_search('custom_fields', $es_agents_inventory_display_options) !== false) { + $sql_agent_custom_fields = sprintf( + 'SELECT tacd.description, tacf.name + FROM tagent_custom_data tacd INNER JOIN tagent_custom_fields tacf + ON tacd.id_field = tacf.id_field + WHERE tacd.description != "" AND tacd.id_agent = %d', + $value['id_agente'] + ); + + $agent_custom_fields = []; + $agent_custom_fields = db_get_all_rows_sql($sql_agent_custom_fields); + + $agents[$key]['custom_fields'] = $agent_custom_fields; + } + } + + foreach ($agents as $key => $value) { + foreach ($value as $agent_val_key => $agent_val) { + // Exclude from data to be displayed in report those fields that were not selected to be displayed by user. + if (array_search($agent_val_key, $es_agents_inventory_display_options) === false) { + unset($agents[$key][$agent_val_key]); + } + } + } + + $return['data'] = $agents; + + return reporting_check_structure_content($return); } @@ -2286,7 +2406,7 @@ function reporting_inventory_changes($report, $content, $type) metaconsole_connect($server); } - $es = json_decode($content['external_source'], true); + $es = json_decode($content['external_source'], true); $id_agent = $es['id_agents']; $module_name = $es['inventory_modules']; diff --git a/pandora_console/include/functions_reporting_html.php b/pandora_console/include/functions_reporting_html.php index 211d8b193d..ceba581f11 100644 --- a/pandora_console/include/functions_reporting_html.php +++ b/pandora_console/include/functions_reporting_html.php 
@@ -247,7 +247,7 @@ function reporting_html_print_report($report, $mini=false, $report_info=1) } $table->colspan['description_row']['description'] = 3; - hd($item['type']); + switch ($item['type']) { case 'availability': default: 
@@ -1440,46 +1440,129 @@ function reporting_html_event_report_module($table, $item, $pdf=0) */ function reporting_html_agents_inventory($table, $item, $pdf=0) { - hd('agents inventory'); - hd($item); - global $config; - if (empty($item['data']) === false) { - $table_data = new stdClass(); - $table_data->width = '100%'; - $table_data->headstyle = []; - $table_data->headstyle[0] = 'text-align: left;'; - $table_data->style = []; - $table_data->style[0] = 'text-align: left;'; - $table_data->head = [ - __('Name'), - __('Date'), - __('Data'), - __('Status'), - ]; + $table1 = new stdClass(); + $table1->width = '100%'; - $table_data->data = []; - $table_data->data[1][0] = $item['data']['agent_name']; - $table_data->data[1][0] .= ' / '; - $table_data->data[1][0] .= $item['data']['module_name']; + $table1->style[0] = 'text-align: left;vertical-align: top;min-width: 100px;'; + $table1->class = 'databox data'; + $table1->cellpadding = 1; + $table1->cellspacing = 1; + $table1->styleTable = 'overflow: wrap; table-layout: fixed;'; - $table_data->data[1][1] = date( - 'Y-m-d H:i:s', - $item['data']['utimestamp'] - ); + $table1->style[0] = 'text-align: left;vertical-align: top;min-width: 100px;'; + $table1->style[1] = 'text-align: left;vertical-align: top;min-width: 100px;'; + $table1->style[2] = 'text-align: left;vertical-align: top; min-width: 100px'; + $table1->style[3] = 'text-align: left;vertical-align: top;min-width: 100px;'; + $table1->style[4] = 'text-align: left;vertical-align: top;min-width: 100px;'; + $table1->style[5] = 'text-align: left;vertical-align: top; min-width: 100px'; + $table1->style[6] = 'text-align: left;vertical-align: top;min-width: 100px;'; + $table1->style[7] = 'text-align: left;vertical-align: top;min-width: 100px;'; + $table1->style[8] = 'text-align: left;vertical-align: top; min-width: 100px'; + $table1->style[9] = 'text-align: left;vertical-align: top;min-width: 100px;'; + $table1->style[10] = 'text-align: left;vertical-align: top;min-width: 100px;'; 
+ $table1->style[11] = 'text-align: left;vertical-align: top; min-width: 100px'; + + $table1->head = []; + + foreach ($item['data'][0] as $field_key => $field_value) { + switch ($field_key) { + case 'alias': + $table1->head[] = __('Alias'); + break; + + case 'direccion': + $table1->head[] = __('IP Address'); + break; + + case 'id_os': + $table1->head[] = __('OS'); + break; + + case 'id_grupo': + $table1->head[] = __('Group'); + break; + + case 'comentarios': + $table1->head[] = __('Description'); + break; + + case 'secondary_groups': + $table1->head[] = __('Sec. groups'); + break; + + case 'url_address': + $table1->head[] = __('URL'); + break; + + case 'custom_fields': + $table1->head[] = __('Custom fields'); + break; + + case 'estado': + $table1->head[] = __('Status'); + break; + + case 'agent_version': + $table1->head[] = __('Version'); + break; + + case 'remote': + $table1->head[] = __('Remote conf.'); + break; + } + } + + $table1->headstyle[0] = 'text-align: left'; + $table1->headstyle[1] = 'text-align: left'; + $table1->headstyle[2] = 'text-align: left'; + $table1->headstyle[3] = 'text-align: left'; + $table1->headstyle[4] = 'text-align: left'; + $table1->headstyle[5] = 'text-align: left'; + $table1->headstyle[6] = 'text-align: left'; + $table1->headstyle[7] = 'text-align: left'; + $table1->headstyle[8] = 'text-align: left'; + $table1->headstyle[9] = 'text-align: left'; + $table1->headstyle[10] = 'text-align: left'; + $table1->headstyle[11] = 'text-align: left'; + + $table1->data = []; + + foreach ($item['data'] as $data) { + $row = []; + + foreach ($data as $data_field_key => $data_field_value) { + $column_value = $data_field_value; + + if ($data_field_key === 'id_os') { + $column_value = get_os_name((int) $data_field_value); + } else if ($data_field_key === 'estado') { + $column_value = ui_print_module_status((int) $data_field_value, true); + } else if ($data_field_key === 'id_grupo') { + $column_value = ui_print_group_icon((int) $data_field_value, true); + 
} + + $row[] = $column_value; + } + + $table1->data[] = $row; + + if ($pdf !== 0) { + $table1->data[] = '
'; + } } if ($pdf === 0) { - $table->colspan['last_value']['cell'] = 3; - $table->cellstyle['last_value']['cell'] = 'text-align: center;'; - $table->data['last_value']['cell'] = html_print_table( - $table_data, + $table->colspan['permissions']['cell'] = 3; + $table->cellstyle['permissions']['cell'] = 'text-align: center;'; + $table->data['permissions']['cell'] = html_print_table( + $table1, true ); } else { return html_print_table( - $table_data, + $table1, true ); } From 3aee7e7c4d29fa3cc11b47a01ed9ba2e92425914 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Gonz=C3=A1lez?= Date: Thu, 27 May 2021 14:55:01 +0200 Subject: [PATCH 04/23] Improved code and fix xss vulnerability --- .../operation/visual_console/view.php | 46 ++++++++++--------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/pandora_console/operation/visual_console/view.php b/pandora_console/operation/visual_console/view.php index 0b229c46d8..ceb2aa7745 100644 --- a/pandora_console/operation/visual_console/view.php +++ b/pandora_console/operation/visual_console/view.php @@ -1,9 +1,8 @@ toArray(); $groupId = $visualConsoleData['groupId']; -$visualConsoleName = $visualConsoleData['name']; +$visualConsoleName = io_safe_input(strip_tags(io_safe_output($visualConsoleData['name']))); // ACL. -$aclRead = check_acl_restricted_all($config['id_user'], $groupId, 'VR'); -$aclWrite = check_acl_restricted_all($config['id_user'], $groupId, 'VW'); -$aclManage = check_acl_restricted_all($config['id_user'], $groupId, 'VM'); +$aclRead = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VR'); +$aclWrite = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VW'); +$aclManage = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VM'); -if (!$aclRead && !$aclWrite && !$aclManage) { +if ($aclRead === false && $aclWrite === false && $aclManage === false) { db_pandora_audit( 'ACL Violation', 'Trying to access visual console without group access' 
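Review bot: The guard `if (empty($item['data']) === false)` was removed, and the new code reads `$item['data'][0]` to build `$table1->head` and then iterates `$item['data']` unconditionally, so an item with no matching agents now triggers an undefined-offset / invalid-argument warning instead of an empty table. Separately, `secondary_groups` and `custom_fields` are filled by `db_get_all_rows_sql()` in functions_reporting.php earlier in this patch, i.e. they are arrays of rows, but the cell loop does `$column_value = $data_field_value;` for them, which prints `Array` with a conversion notice. Both need handling in the cell loop; the sketch below keeps the existing `id_os` / `estado` / `id_grupo` branches. Also worth a look: `estado` is an agent column yet is rendered with `ui_print_module_status()`, and the twelve identical `style` / `headstyle` assignments could be one loop. The `'<br>'` separator assumes these values are already entity-encoded on insert, as the rest of the console does — confirm before relying on it.

```php
    $table1->head = [];
    $rows = (empty($item['data']) === true) ? [] : $item['data'];

    if (empty($rows) === false) {
        foreach ($rows[0] as $field_key => $field_value) {
            // … unchanged: head label switch …
        }
    }

    // … unchanged: headstyle …

    $table1->data = [];

    foreach ($rows as $data) {
        $row = [];

        foreach ($data as $data_field_key => $data_field_value) {
            $column_value = $data_field_value;

            if ($data_field_key === 'id_os') {
                $column_value = get_os_name((int) $data_field_value);
            } else if ($data_field_key === 'estado') {
                $column_value = ui_print_module_status((int) $data_field_value, true);
            } else if ($data_field_key === 'id_grupo') {
                $column_value = ui_print_group_icon((int) $data_field_value, true);
            } else if ($data_field_key === 'secondary_groups') {
                // Rows of {id_group} from tagent_secondary_group; false when none.
                $column_value = implode(
                    ' ',
                    array_map(
                        function ($group) {
                            return ui_print_group_icon((int) $group['id_group'], true);
                        },
                        (array) $data_field_value
                    )
                );
            } else if ($data_field_key === 'custom_fields') {
                // Rows of {name, description} from tagent_custom_data; false when none.
                $column_value = implode(
                    '<br>',
                    array_map(
                        function ($field) {
                            return $field['name'].': '.$field['description'];
                        },
                        (array) $data_field_value
                    )
                );
            }

            $row[] = $column_value;
        }

        // … unchanged: append $row and the pdf separator …
    }
```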
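Review bot: `strip_tags()` in `$visualConsoleName = io_safe_input(strip_tags(io_safe_output(...)))` is lossy rather than protective: the `io_safe_input()` re-encoding already neutralises any markup in the name for HTML-body output, while `strip_tags` drops legitimate `<` / `>` characters from a console name and, on its own, would not help in attribute or JavaScript contexts. Either drop it, `$visualConsoleName = io_safe_input(io_safe_output($visualConsoleData['name']));`, or leave a comment stating that the stripping is a display choice and the encoding is the defence. Later hunks in this file still build links and a title around the console, so confirm that no other path echoes `$visualConsoleData['name']` without going through this variable. The lines between the `<?php` opener and `->toArray()` did not survive extraction, so the old/new pairing at the top of the hunk cannot be checked here.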
@@ -121,9 +121,9 @@ $options['consoles_list']['text'] = ''.html_print_image( 'images/wand_services.png', true, @@ -198,7 +198,7 @@ $options['view']['text'] = ''.html_print_image( 'images/full_screen.png', @@ -368,7 +368,7 @@ if ($pure === false) { echo ''; echo ''; - if ($aclWrite || $aclManage) { + if ($aclWrite === true || $aclManage === true) { echo html_print_checkbox_switch('edit-mode', 1, false, true); } @@ -394,7 +394,7 @@ if ($pure === true) { // Quit fullscreen. echo '
  • '; - if (is_metaconsole()) { + if (is_metaconsole() === true) { $urlNoFull = 'index.php?sec=screen&sec2=screens/screens&action=visualmap&pure=0&id_visualmap='.$visualConsoleId.'&refr='.$refr; } else { $urlNoFull = 'index.php?sec=network&sec2=operation/visual_console/render_view&id='.$visualConsoleId.'&refr='.$refr; @@ -407,7 +407,7 @@ if ($pure === true) { // Countdown. echo '
  • '; - if (is_metaconsole()) { + if (is_metaconsole() === true) { echo '
    '; } else { echo '
    '; @@ -432,11 +432,13 @@ if ($pure === true) { // Console name. echo '
  • '; - if (is_metaconsole()) { - echo '
    '.$visualConsoleName.'
    '; - } else { - echo '
    '.$visualConsoleName.'
    '; - } + + html_print_div( + [ + 'class' => (is_metaconsole() === true) ? 'vc-title-meta' : 'vc-title', + 'content' => $visualConsoleName, + ] + ); echo '
  • '; @@ -465,7 +467,7 @@ if ($pure === true) { // Check groups can access user. $aclUserGroups = []; -if (!users_can_manage_group_all('AR')) { +if (users_can_manage_group_all('AR') === false) { $aclUserGroups = array_keys(users_get_groups(false, 'AR')); } @@ -489,7 +491,7 @@ ui_require_css_file('form');
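Review bot: `html_print_div()` receives `$visualConsoleName` as `'content'`; whether that helper escapes `content` is not visible here, so the safety of this line rests entirely on `$visualConsoleName` having been passed through `io_safe_input()` at the top of the file. A one-line comment above the call makes that dependency explicit for the next editor: `// $visualConsoleName is already entity-encoded (see top of file); never pass raw DB values here.` The hunk sits inside `if ($pure === true)`, which starts before it.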