Fix and control API sessions

pandora_console/include/api.php

@@ -46,21 +46,19 @@ $apiPassword = io_output_password(db_get_value_filter('value', 'tconfig', ['toke
 $correctLogin = false;
 $no_login_msg = '';
 
-// Clean unwanted output
+// Clean unwanted output.
 ob_clean();
 
 // READ THIS:
 // Special call without checks to retrieve version and build of the Pandora FMS
 // This info is avalable from the web console without login
 // Don't change the format, it is parsed by applications
-switch ($info) {
-    case 'version':
-        if (!$config['MR']) {
-            $config['MR'] = 0;
-        }
-
-        echo 'Pandora FMS '.$pandora_version.' - '.$build_version.' MR'.$config['MR'];
+if ($info == 'version') {
+    if (!$config['MR']) {
+        $config['MR'] = 0;
+    }
 
+    echo 'Pandora FMS '.$pandora_version.' - '.$build_version.' MR'.$config['MR'];
     exit;
 }
 
@@ -68,6 +66,8 @@ if (isInACL($ipOrigin)) {
     if (empty($apiPassword) || (!empty($apiPassword) && $api_password === $apiPassword)) {
         $user_in_db = process_user_login($user, $password, true);
         if ($user_in_db !== false) {
+            $config['id_usuario'] = $user_in_db;
+            // Compat.
             $config['id_user'] = $user_in_db;
             $correctLogin = true;
 
@@ -76,6 +76,8 @@ if (isInACL($ipOrigin)) {
             }
 
             $_SESSION['id_usuario'] = $user;
+
+            config_prepare_session();
             session_write_close();
         } else {
             $no_login_msg = 'Incorrect user credentials';
@@ -220,3 +222,8 @@ if ($correctLogin) {
     // Protection on DoS attacks
     echo 'auth error';
 }
+
+// Logout.
+session_destroy();
+header_remove('Set-Cookie');
+setcookie(session_name(), $_COOKIE[session_name()], (time() - 4800), '/');

pandora_console/include/chart_generator.php

@@ -11,12 +11,13 @@
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 // GNU General Public License for more details.
 // Global & session manageme
-session_id($_REQUEST['session_id']);
-
 require_once 'config.php';
-require_once $config['homedir'].'/include/auth/mysql.php';
-require_once $config['homedir'].'/include/functions.php';
-require_once $config['homedir'].'/include/functions_db.php';
+
+require_once __DIR__.'/config.php';
+require_once __DIR__.'/functions.php';
+require_once __DIR__.'/functions_db.php';
+require_once __DIR__.'/auth/mysql.php';
+require_once $config['homedir'].'/include/lib/User.php';
 require_once $config['homedir'].'/include/functions_reporting.php';
 require_once $config['homedir'].'/include/functions_graph.php';
 require_once $config['homedir'].'/include/functions_custom_graphs.php';
@@ -24,18 +25,56 @@ require_once $config['homedir'].'/include/functions_modules.php';
 require_once $config['homedir'].'/include/functions_agents.php';
 require_once $config['homedir'].'/include/functions_tags.php';
 
-check_login();
 
+// Initialize session.
 global $config;
-// get_parameter(array)('data', '');
+
+// Try to initialize session using existing php session id.
+$user = new PandoraFMS\User(['phpsessionid' => $_REQUEST['session_id']]);
+if (check_login(false) === false) {
+    // Error handler.
+    ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <title>Access denied</title>
+    <link rel="stylesheet" href="styles/pandora.css" type="text/css" />
+    <link rel="stylesheet" href="styles/pandora_minimal.css" type="text/css" />
+    <link rel="stylesheet" href="styles/js/jquery-ui.min.css" type="text/css" />
+    <link rel="stylesheet" href="styles/js/jquery-ui_custom.css" type="text/css" />
+    <script language="javascript" type='text/javascript' src='javascript/pandora.js'></script>
+    <script language="javascript" type='text/javascript' src='javascript/jquery-3.3.1.min.js'></script>
+</head>
+<body>
+    <h1>Access is not granted</h1>
+    <script type="text/javascript">
+        $('document').ready(function () {
+            setTimeout(function () {
+                try {
+                    var status = window.callPhantom({ status: "loaded" });
+                } catch (error) {
+                    console.log("CALLBACK ERROR", error.message)
+                }
+            }, 100);
+        });
+    </script>
+</body>
+</html>
+
+    <?php
+    exit;
+}
+
+// Access granted.
 $params = json_decode($_REQUEST['data'], true);
 
-// Metaconsole connection to the node
+// Metaconsole connection to the node.
 $server_id = $params['server_id'];
 
 if ($config['metaconsole'] && !empty($server_id)) {
     $server = metaconsole_get_connection_by_id($server_id);
-    // Error connecting
+    // Error connecting.
     if (metaconsole_connect($server) !== NOERR) {
         echo '<html>';
             echo '<body>';
@@ -48,8 +87,9 @@ if ($config['metaconsole'] && !empty($server_id)) {
 
 
 $user_language = get_user_language($config['id_user']);
-if (file_exists('languages/'.$user_language.'.mo')) {
-    $l10n = new gettext_reader(new CachedFileReader('languages/'.$user_language.'.mo'));
+if (file_exists('languages/'.$user_language.'.mo') === true) {
+    $cfr = new CachedFileReader('languages/'.$user_language.'.mo');
+    $l10n = new gettext_reader($cfr);
     $l10n->load_tables();
 }
 
@@ -208,7 +248,7 @@ if (file_exists('languages/'.$user_language.'.mo')) {
         break;
 
         default:
-            // code...
+            // Code...
         break;
     }
 

pandora_console/include/lib/User.php

@@ -85,9 +85,26 @@ class User
                 return null;
             }
 
-            if (isset($data['id_usuario']) === true) {
-                // TODO: Here a login must be processed.
-                $this->idUser = $data['id_usuario'];
+            if (isset($data['id_usuario']) === true
+                && isset($data['password']) === true
+            ) {
+                $user_in_db = process_user_login($user, $password, true);
+                if ($user_in_db !== false) {
+                    $config['id_usuario'] = $user_in_db;
+                    $correctLogin = true;
+
+                    // Originally at api.php.
+                    if (session_status() === PHP_SESSION_NONE) {
+                        session_start();
+                    }
+
+                    $_SESSION['id_usuario'] = $user;
+                    session_write_close();
+
+                    $this->idUser = $data['id_usuario'];
+                    // Valid session.
+                    return $this;
+                }
             }
         }
 
@@ -96,15 +113,4 @@ class User
     }
 
 
-    /**
-     * Tries to perform a login with current data.
-     *
-     * @return boolean Allowed or not.
-     */
-    public function login()
-    {
-        return false;
-    }
-
-
 }

pandora_console/include/load_session.php

@@ -91,11 +91,6 @@ function pandora_session_write($session_id, $data)
 {
     $session_id = addslashes($session_id);
 
-    // If it's an api call, the session must not be created.
-    if (get_parameter('op', false) && get_parameter('op2', false)) {
-        return true;
-    }
-
     if (is_ajax()) {
         // Avoid session upadte while processing ajax responses - notifications.
         if (get_parameter('check_new_notifications', false)) {

pandora_console/include/web2image.js

@@ -1,5 +1,7 @@
 var system = require("system");
 
+/* global phantom */
+
 if (system.args.length < 3 || system.args.length > 11) {
   phantom.exit(1);
 }
@@ -14,6 +16,7 @@ var viewport_width = system.args[7];
 var viewport_height = system.args[8];
 var session_id = system.args[9];
 var base_64 = system.args[10];
+var post_data = "";
 
 if (!viewport_width) {
   viewport_width = 750;
@@ -64,7 +67,7 @@ page.onError = function(msg) {
   phantom.exit();
 };
 
-page.onCallback = function(st) {
+page.onCallback = function() {
   if (!base_64) {
     page.render(output_filename, { format: "png" });
   } else {