From 4efdf576180fb555f7b4e2a37b03eb9383c74f87 Mon Sep 17 00:00:00 2001 From: mdtrooper Date: Thu, 12 May 2011 14:33:07 +0000 Subject: [PATCH] 2011-05-12 Miguel de Dios * include/functions.php: added new parameter for the "check_acl" function the $id_agent, by default is 0, and this parameter now only is used in the enterprise ACL check (as you see in the hook for enterprise into the function source). And cleaned source code style. * include/functions_agents.php, operation/search_modules.php, operation/agentes/status_monitor.php, operation/agentes/estado_ultimopaquete.php, operation/agentes/alerts_status.php, operation/agentes/estado_agente.php, operation/agentes/estado_monitores.php, operation/agentes/ver_agente.php, godmode/agentes/module_manager.php, godmode/agentes/modificar_agente.php, godmode/agentes/configurar_agente.php, godmode/alerts/alert_list.list.php: added checks for the ACL enterprise. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@4347 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_console/ChangeLog | 16 +++++++++++ .../godmode/agentes/configurar_agente.php | 2 +- .../godmode/agentes/modificar_agente.php | 28 ++++++++++++------- .../godmode/agentes/module_manager.php | 4 +++ .../godmode/alerts/alert_list.list.php | 4 +++ pandora_console/include/functions.php | 27 ++++++++++++------ pandora_console/include/functions_agents.php | 16 +++++++---- .../operation/agentes/alerts_status.php | 7 ++++- .../operation/agentes/estado_agente.php | 18 ++++++++---- .../operation/agentes/estado_monitores.php | 3 ++ .../agentes/estado_ultimopaquete.php | 5 ++++ .../operation/agentes/status_monitor.php | 14 +++++++--- .../operation/agentes/ver_agente.php | 2 +- pandora_console/operation/search_modules.php | 10 +++++-- 14 files changed, 118 insertions(+), 38 deletions(-) diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index 8581590d91..40461d7ac4 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog 
@@ -1,3 +1,19 @@ +2011-05-12 Miguel de Dios + + * include/functions.php: added new parameter for the "check_acl" function + the $id_agent, by default is 0, and this parameter now only is used in the + enterprise ACL check (as you see in the hook for enterprise into the + function source). And cleaned source code style. + + * include/functions_agents.php, operation/search_modules.php, + operation/agentes/status_monitor.php, + operation/agentes/estado_ultimopaquete.php, + operation/agentes/alerts_status.php, operation/agentes/estado_agente.php, + operation/agentes/estado_monitores.php, operation/agentes/ver_agente.php, + godmode/agentes/module_manager.php, godmode/agentes/modificar_agente.php, + godmode/agentes/configurar_agente.php, godmode/alerts/alert_list.list.php: + added checks for the ACL enterprise. + 2011-05-12 Miguel de Dios * include/db/postgresql.php, include/db/mysql.php: fixed the scape of name diff --git a/pandora_console/godmode/agentes/configurar_agente.php b/pandora_console/godmode/agentes/configurar_agente.php index 5f517192c3..13edc034b0 100644 --- a/pandora_console/godmode/agentes/configurar_agente.php +++ b/pandora_console/godmode/agentes/configurar_agente.php @@ -28,7 +28,7 @@ $group = 0; if ($id_agente) $group = agents_get_agent_group ($id_agente); -if (! check_acl ($config["id_user"], $group, "AW")) { +if (! check_acl ($config["id_user"], $group, "AW", $id_agente)) { db_pandora_audit("ACL Violation", "Trying to access agent manager"); require ("general/noaccess.php"); diff --git a/pandora_console/godmode/agentes/modificar_agente.php b/pandora_console/godmode/agentes/modificar_agente.php index 18a14fa87f..67d39e4252 100644 --- a/pandora_console/godmode/agentes/modificar_agente.php +++ b/pandora_console/godmode/agentes/modificar_agente.php 
@@ -224,27 +224,34 @@ if ($ag_group > 0) { else { // Admin user get ANY group, even if they doesnt exist - if (check_acl ($config['id_user'], 0, "PM")){ - $sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s', $search_sql); + if (check_acl ($config['id_user'], 0, "PM")) { + $subquery_enterprise = ''; + if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + $subquery_enterprise = subquery_acl_enterprise(); + } + + $sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s %s', $search_sql, $subquery_enterprise); $total_agents = db_get_sql ($sql); switch ($config["dbtype"]) { case "mysql": $sql = sprintf ('SELECT * - FROM tagente WHERE 1=1 %s - ORDER BY %s %s LIMIT %d, %d', $search_sql, $order['field'], $order['order'], $offset, $config["block_size"]); + FROM tagente WHERE 1=1 %s %s + ORDER BY %s %s LIMIT %d, %d', $search_sql, $subquery_enterprise, $order['field'], + $order['order'], $offset, $config["block_size"]); break; case "postgresql": $sql = sprintf ('SELECT * - FROM tagente WHERE 1=1 %s - ORDER BY %s %s LIMIT %d OFFSET %d', $search_sql, $order['field'], $order['order'], $config["block_size"], $offset); + FROM tagente WHERE 1=1 %s %s + ORDER BY %s %s LIMIT %d OFFSET %d', $search_sql, $subquery_enterprise, $order['field'], + $order['order'], $config["block_size"], $offset); break; case "oracle": $set = array (); $set['limit'] = $config["block_size"]; $set['offset'] = $offset; $sql = sprintf ('SELECT * - FROM tagente WHERE 1=1 %s - ORDER BY %s %s', $search_sql, $order['field'], $order['order']); + FROM tagente WHERE 1=1 %s %s + ORDER BY %s %s', $search_sql, $subquery_enterprise, $order['field'], $order['order']); $sql = oracle_recode_query ($sql, $set); break; } 
@@ -339,12 +346,13 @@ if ($agents !== false) { $iterator = 0; foreach ($agents as $agent) { $id_grupo = $agent["id_grupo"]; - if (! check_acl ($config["id_user"], $id_grupo, "AW")) + if (! check_acl ($config["id_user"], $id_grupo, "AW", $agent['id_agente'])) continue; + if ($color == 1) { $tdcolor = "datos"; $color = 0; - } + } else { $tdcolor = "datos2"; $color = 1; diff --git a/pandora_console/godmode/agentes/module_manager.php b/pandora_console/godmode/agentes/module_manager.php index 8c918a0ca8..ea9d0986fd 100644 --- a/pandora_console/godmode/agentes/module_manager.php +++ b/pandora_console/godmode/agentes/module_manager.php @@ -312,6 +312,10 @@ foreach($tempRows as $row) { } foreach ($modules as $module) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue; + } + $type = $module["id_tipo_modulo"]; $id_module = $module["id_modulo"]; $nombre_modulo = $module["nombre"]; diff --git a/pandora_console/godmode/alerts/alert_list.list.php b/pandora_console/godmode/alerts/alert_list.list.php index 5231c58d13..6e0f97798e 100644 --- a/pandora_console/godmode/alerts/alert_list.list.php +++ b/pandora_console/godmode/alerts/alert_list.list.php @@ -373,6 +373,10 @@ $rowPair = true; $iterator = 0; foreach ($simple_alerts as $alert) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!alert_in_acl_enterprise($alert['id'])) continue; + } + if ($alert['disabled']) { $table->rowstyle[$iterator] = 'font-style: italic; color: #aaaaaa;'; $table->style[$iterator][1] = 'font-style: italic; color: #aaaaaa;'; diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php index d965dfe5ae..9319718710 100644 --- a/pandora_console/include/functions.php +++ b/pandora_console/include/functions.php 
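Review bot: `$isFunctionPolicies` is read by the guard added at the top of the `foreach ($modules as $module)` loop in module_manager.php, but nothing in the hunk assigns it. The same guard is added in alert_list.list.php, alerts_status.php, estado_monitores.php and estado_ultimopaquete.php. If one of those scripts does not set the variable earlier (outside the hunks), it evaluates to null, which is presumably not identical to `ENTERPRISE_NOT_HOOK`, so `module_in_acl_enterprise()` or `alert_in_acl_enterprise()` would be called without the enterprise file loaded. status_monitor.php assigns it with `$isFunctionPolicies = enterprise_include_once ('include/functions_policies.php');`, and each of these files needs that line before its loop.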
@@ -925,14 +925,18 @@ function enterprise_include_once ($filename) { // Load enterprise extensions $filepath = realpath ($config["homedir"].'/'.ENTERPRISE_DIR.'/'.$filename); + if ($filepath === false) return ENTERPRISE_NOT_HOOK; + if (strncmp ($config["homedir"], $filepath, strlen ($config["homedir"])) != 0) return ENTERPRISE_NOT_HOOK; + if (file_exists ($filepath)) { require_once ($filepath); return true; } + return ENTERPRISE_NOT_HOOK; } @@ -1246,10 +1250,11 @@ function check_login () { * @param int $id_user User id * @param int $id_group Agents group id to check from * @param string $access Access privilege + * @param int $id_agent The agent id. * * @return bool 1 if the user has privileges, 0 if not. */ -function check_acl($id_user, $id_group, $access) { +function check_acl($id_user, $id_group, $access, $id_agent = 0) { if (empty ($id_user)) { //User ID needs to be specified trigger_error ("Security error: check_acl got an empty string for user id", E_USER_WARNING); @@ -1261,7 +1266,7 @@ function check_acl($id_user, $id_group, $access) { else { $id_group = (int) $id_group; } - + $parents_id = array($id_group); if ($id_group != 0) { $group = db_get_row_filter('tgrupo', array('id_grupo' => $id_group)); @@ -1274,7 +1279,7 @@ function check_acl($id_user, $id_group, $access) { else { $parents_id = array(); } - + //Joined multiple queries into one. That saves on the query overhead and query cache. if ($id_group == 0) { $query = sprintf("SELECT tperfil.incident_view, tperfil.incident_edit, @@ -1301,9 +1306,9 @@ function check_acl($id_user, $id_group, $access) { } $rowdup = db_get_all_rows_sql ($query); - + if (empty ($rowdup)) - return 0; + return 0; $result = 0; foreach ($rowdup as $row) { 
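Review bot: The added docblock line `@param int $id_agent The agent id.` on check_acl does not say what the default value means. Judging by the last hunk of this file, `0` skips the enterprise policy check entirely, so any caller that omits the argument still gets a group-level decision only. The docblock should state this, for example `@param int $id_agent Agent id for the enterprise per-agent policy check; 0 (default) skips that check.` The body of check_acl continues outside this hunk.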
@@ -1341,9 +1346,15 @@ function check_acl($id_user, $id_group, $access) { break; } } - - if ($result >= 1) - return 1; + + if ($result >= 1) { + if ($id_agent != 0) { + if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + return check_acl_policy($id_user, $id_agent); + } + } + else return 1; + } return 0; } diff --git a/pandora_console/include/functions_agents.php b/pandora_console/include/functions_agents.php index aff1157eb2..48d9fe3a94 100644 --- a/pandora_console/include/functions_agents.php +++ b/pandora_console/include/functions_agents.php @@ -326,7 +326,7 @@ function agents_get_agents ($filter = false, $fields = false, $access = 'AR', $o if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { $enterprise_include = true; } - + if (! is_array ($filter)) { $filter = array (); } @@ -888,6 +888,10 @@ function agents_get_group_agents ($id_group = 0, $search = false, $case = "lower */ function agents_get_modules ($id_agent = null, $details = false, $filter = false, $indexed = true, $get_not_init_modules = true) { global $config; + + if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + $subquery_enterprise = subquery_acl_enterprise(); + } if ($id_agent === null) { //Extract the agents of group user. @@ -998,20 +1002,22 @@ function agents_get_modules ($id_agent = null, $details = false, $filter = false case "postgresql": $sql = sprintf ('SELECT %s%s FROM tagente_modulo - %s + %s %s ORDER BY nombre', ($details != '*' && $indexed) ? 'id_agente_modulo,' : '', io_safe_output(implode (",", (array) $details)), - $where); + $where, + $subquery_enterprise); break; case "oracle": $sql = sprintf ('SELECT %s%s FROM tagente_modulo - %s + %s %s ORDER BY dbms_lob.substr(nombre, 4000, 1)', ($details != '*' && $indexed) ? 'id_agente_modulo,' : '', io_safe_output(implode (",", (array) $details)), - $where); + $where, + $subquery_enterprise); break; } 
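Review bot: In the new tail of check_acl, a non-zero `$id_agent` on an install where `enterprise_include_once` returns `ENTERPRISE_NOT_HOOK` falls out of the inner `if` and reaches `return 0`, because `else return 1;` belongs to `if ($id_agent != 0)`. A user with a valid group grant is then refused, and the callers changed in this commit (configurar_agente.php, modificar_agente.php, ver_agente.php) all pass an agent id. configurar_agente.php and ver_agente.php also write an "ACL Violation" audit entry on that path, so the audit log would fill with false positives. Collapsing the conditions keeps the policy check and restores the grant otherwise: `if ($id_agent != 0 && ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) return check_acl_policy($id_user, $id_agent);` followed by `return 1;`. The start of check_acl is outside this hunk.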
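Review bot: `$subquery_enterprise` in agents_get_modules is assigned only inside the `enterprise_include_once` check, yet the postgresql and oracle `sprintf` calls in the last hunk of functions_agents.php pass it unconditionally. Without the enterprise file it is an undefined variable. Initialise it before the check with `$subquery_enterprise = '';`, as modificar_agente.php and search_modules.php do in this commit. The mysql case is not visible in these hunks, so confirm that it received the same extra `%s`; otherwise the per-agent filter applies on only two of the three database back ends.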
diff --git a/pandora_console/operation/agentes/alerts_status.php b/pandora_console/operation/agentes/alerts_status.php index 9a82f6a37a..ab22877882 100644 --- a/pandora_console/operation/agentes/alerts_status.php +++ b/pandora_console/operation/agentes/alerts_status.php @@ -362,6 +362,10 @@ $table->data = array (); $rowPair = true; $iterator = 0; foreach ($alerts['alerts_simple'] as $alert) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!alert_in_acl_enterprise($alert['id'])) continue; + } + if ($rowPair) $table->rowclass[$iterator] = 'rowPair'; else @@ -376,7 +380,8 @@ echo '
'; if (!empty ($table->data)) { ui_pagination ($countAlertsSimple, $url, $offset_simple, 0, false, 'offset_simple'); html_print_table ($table); -} else { +} +else { echo '
'.__('No simple alerts found').'
'; } diff --git a/pandora_console/operation/agentes/estado_agente.php b/pandora_console/operation/agentes/estado_agente.php index a97ede7e67..8f405740b9 100644 --- a/pandora_console/operation/agentes/estado_agente.php +++ b/pandora_console/operation/agentes/estado_agente.php @@ -26,9 +26,9 @@ require_once($config['homedir'] . '/include/functions_modules.php'); check_login (); if (! check_acl ($config['id_user'], 0, "AR")) { - db_pandora_audit("ACL Violation", - "Trying to access agent main list view"); + db_pandora_audit("ACL Violation", "Trying to access agent main list view"); require ("general/noaccess.php"); + return; } @@ -262,11 +262,19 @@ else { $total_agents = 0; $agents = false; if (! empty ($agent_names)) { - if (check_acl ($config['id_user'], 0, "PM")){ - $sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s', $search_sql); + $subquery_enterprise = ''; + if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + $subquery_enterprise = subquery_acl_enterprise(); + } + + if (check_acl ($config['id_user'], 0, "PM")) { + $sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s %s', $search_sql, $subquery_enterprise); $total_agents = db_get_sql ($sql); - $sql = sprintf ('SELECT * FROM tagente WHERE 1=1 %s ORDER BY %s %s LIMIT %d, %d', $search_sql, $order['field'], $order['order'], $offset, $config["block_size"]); + $sql = sprintf ('SELECT * FROM tagente + WHERE 1=1 %s %s + ORDER BY %s %s LIMIT %d, %d', $search_sql, $subquery_enterprise, + $order['field'], $order['order'], $offset, $config["block_size"]); $agents = db_get_all_rows_sql ($sql); } diff --git a/pandora_console/operation/agentes/estado_monitores.php b/pandora_console/operation/agentes/estado_monitores.php index d79305de38..cf0933b972 100644 --- a/pandora_console/operation/agentes/estado_monitores.php +++ b/pandora_console/operation/agentes/estado_monitores.php 
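Review bot: The rewritten page query in the `check_acl ($config['id_user'], 0, "PM")` branch of estado_agente.php still ends in the MySQL-only `LIMIT %d, %d`. The equivalent query in godmode/agentes/modificar_agente.php in this same commit switches on `$config["dbtype"]` and uses `ORDER BY %s %s LIMIT %d OFFSET %d` for postgresql and `oracle_recode_query` for oracle. The same switch is needed here if this page is meant to run on those back ends. Separately, `$order['field']` and `$order['order']` are formatted with `%s` straight into ORDER BY and are built outside the hunk, so confirm they are taken from a fixed list of column names and directions rather than from request input. The non-admin branch is also outside the hunk, so whether it applies `$subquery_enterprise` cannot be seen here.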
@@ -185,6 +185,9 @@ $table->align = array("left","left","left","left","left","center"); $last_modulegroup = 0; $rowIndex = 0; foreach ($modules as $module) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue; + } //The code add the row of 1 cell with title of group for to be more organice the list. diff --git a/pandora_console/operation/agentes/estado_ultimopaquete.php b/pandora_console/operation/agentes/estado_ultimopaquete.php index 1b4213c54f..6445a990b3 100644 --- a/pandora_console/operation/agentes/estado_ultimopaquete.php +++ b/pandora_console/operation/agentes/estado_ultimopaquete.php @@ -224,6 +224,11 @@ $texto=''; $last_modulegroup = 0; $color = 1; $write = check_acl ($config['id_user'], $agent['id_grupo'], "AW"); foreach ($modules as $module) { + if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { + if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue; + } + + // Calculate table line color if ($color == 1){ $tdcolor = "datos"; diff --git a/pandora_console/operation/agentes/status_monitor.php b/pandora_console/operation/agentes/status_monitor.php index eea84b8407..4921574679 100644 --- a/pandora_console/operation/agentes/status_monitor.php +++ b/pandora_console/operation/agentes/status_monitor.php @@ -34,6 +34,12 @@ require_once($config['homedir'] . '/include/functions_users.php'); $isFunctionPolicies = enterprise_include_once ('include/functions_policies.php'); +//Add the subquery for the ACL enterprise +if (ENTERPRISE_NOT_HOOK !== $isFunctionPolicies) { + $subquery_enterprise = subquery_acl_enterprise(); + $subquery_enterprise2 = subquery_acl_enterprise('AND', 'tagente.id_agente'); +} + ui_print_page_header ("Monitor detail", "images/bricks.png", false); 
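Review bot: In status_monitor.php, `$subquery_enterprise` and `$subquery_enterprise2` are created only inside `if (ENTERPRISE_NOT_HOOK !== $isFunctionPolicies)`, but the later hunks in the file concatenate them into every query unconditionally. On an install without the enterprise file both are undefined, which raises a notice per query and relies on the unset value turning into an empty string. Add `$subquery_enterprise = '';` and `$subquery_enterprise2 = '';` before the `if`, matching what search_modules.php does in this commit.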
@@ -85,7 +91,7 @@ switch ($config["dbtype"]) { $sql = ' SELECT distinct(nombre) FROM tagente_modulo - WHERE nombre <> "delete_pending" and id_agente in + WHERE nombre <> "delete_pending" ' . $subquery_enterprise . ' and id_agente in ( select id_agente from tagente where id_grupo IN ( @@ -117,7 +123,7 @@ switch ($config["dbtype"]) { $sql = ' select distinct(nombre) from tagente_modulo - where nombre <> \'delete_pending\' and id_agente in + where nombre <> \'delete_pending\' ' . $subquery_enterprise . ' and id_agente in ( select id_agente from tagente where id_grupo IN ( @@ -156,7 +162,7 @@ switch ($config["dbtype"]) { $sql = ' select nombre from (select distinct dbms_lob.substr(nombre,4000,1) as nombre, ' . $column_names .' from tagente_modulo) - where nombre <> \'delete_pending\' and id_agente in + where nombre <> \'delete_pending\' ' . $subquery_enterprise . ' and id_agente in ( select id_agente from tagente where id_grupo IN ( @@ -208,7 +214,7 @@ $sql = " FROM tagente, tagente_modulo, tagente_estado WHERE tagente.id_agente = tagente_modulo.id_agente AND tagente_modulo.disabled = 0 AND tagente.disabled = 0 - AND tagente_estado.id_agente_modulo = tagente_modulo.id_agente_modulo"; + AND tagente_estado.id_agente_modulo = tagente_modulo.id_agente_modulo" . $subquery_enterprise2 ; // Agent group selector if ($ag_group > 0 && check_acl ($config["id_user"], $ag_group, "AR")) { diff --git a/pandora_console/operation/agentes/ver_agente.php b/pandora_console/operation/agentes/ver_agente.php index 67821922a4..8e7d3ebca1 100644 --- a/pandora_console/operation/agentes/ver_agente.php +++ b/pandora_console/operation/agentes/ver_agente.php 
@@ -342,7 +342,7 @@ if (empty ($id_agente)) { $agent = db_get_row ('tagente', 'id_agente', $id_agente); // get group for this id_agente $id_grupo = $agent['id_grupo']; -if (! check_acl ($config['id_user'], $id_grupo, "AR")) { +if (! check_acl ($config['id_user'], $id_grupo, "AR", $id_agente)) { db_pandora_audit("ACL Violation", "Trying to access (read) to agent ".agents_get_name($id_agente)); include ("general/noaccess.php"); diff --git a/pandora_console/operation/search_modules.php b/pandora_console/operation/search_modules.php index 4eca750674..adff02dbfa 100644 --- a/pandora_console/operation/search_modules.php +++ b/pandora_console/operation/search_modules.php @@ -18,6 +18,10 @@ global $config; include_once($config['homedir'] . "/include/functions_modules.php"); include_once($config['homedir'] . '/include/functions_users.php'); +$subquery_enterprise = ''; +if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { + $subquery_enterprise = subquery_acl_enterprise('', 't1.id_agente', 'AND'); +} $searchModules = check_acl($config['id_user'], 0, "AR"); @@ -73,7 +77,7 @@ if ($searchModules) { ON t3.id_grupo = t2.id_grupo INNER JOIN tagente_estado AS t4 ON t4.id_agente_modulo = t1.id_agente_modulo - WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') + WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') OR 0 IN ( SELECT id_grupo FROM tusuario_perfil @@ -96,7 +100,7 @@ if ($searchModules) { ON t3.id_grupo = t2.id_grupo INNER JOIN tagente_estado AS t4 ON t4.id_agente_modulo = t1.id_agente_modulo - WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') + WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') OR 0 IN ( SELECT id_grupo FROM tusuario_perfil 
@@ -119,7 +123,7 @@ if ($searchModules) { ON t3.id_grupo = t2.id_grupo INNER JOIN tagente_estado AS t4 ON t4.id_agente_modulo = t1.id_agente_modulo - WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') + WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') OR 0 IN ( SELECT id_grupo FROM tusuario_perfil