2011-05-12 Miguel de Dios <miguel.dedios@artica.es>

* include/functions.php: added a new parameter, $id_agent (default 0), to the
	"check_acl" function; it is currently used only in the enterprise ACL
	check (see the enterprise hook in the function source). Also cleaned up
	the source code style.
	
	* include/functions_agents.php, operation/search_modules.php,
	operation/agentes/status_monitor.php,
	operation/agentes/estado_ultimopaquete.php,
	operation/agentes/alerts_status.php, operation/agentes/estado_agente.php,
	operation/agentes/estado_monitores.php, operation/agentes/ver_agente.php,
	godmode/agentes/module_manager.php, godmode/agentes/modificar_agente.php,
	godmode/agentes/configurar_agente.php, godmode/alerts/alert_list.list.php:
	added checks for the ACL enterprise.



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@4347 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
mdtrooper 2011-05-12 14:33:07 +00:00
parent 9f3c87253e
commit 4efdf57618
14 changed files with 118 additions and 38 deletions


@ -1,3 +1,19 @@
2011-05-12 Miguel de Dios <miguel.dedios@artica.es>
* include/functions.php: added new parameter for the "check_acl" function
the $id_agent, by default is 0, and this parameter now only is used in the
enterprise ACL check (as you see in the hook for enterprise into the
function source). And cleaned source code style.
* include/functions_agents.php, operation/search_modules.php,
operation/agentes/status_monitor.php,
operation/agentes/estado_ultimopaquete.php,
operation/agentes/alerts_status.php, operation/agentes/estado_agente.php,
operation/agentes/estado_monitores.php, operation/agentes/ver_agente.php,
godmode/agentes/module_manager.php, godmode/agentes/modificar_agente.php,
godmode/agentes/configurar_agente.php, godmode/alerts/alert_list.list.php:
added checks for the ACL enterprise.
2011-05-12 Miguel de Dios <miguel.dedios@artica.es> 2011-05-12 Miguel de Dios <miguel.dedios@artica.es>
* include/db/postgresql.php, include/db/mysql.php: fixed the scape of name * include/db/postgresql.php, include/db/mysql.php: fixed the scape of name


@ -28,7 +28,7 @@ $group = 0;
if ($id_agente) if ($id_agente)
$group = agents_get_agent_group ($id_agente); $group = agents_get_agent_group ($id_agente);
if (! check_acl ($config["id_user"], $group, "AW")) { if (! check_acl ($config["id_user"], $group, "AW", $id_agente)) {
db_pandora_audit("ACL Violation", db_pandora_audit("ACL Violation",
"Trying to access agent manager"); "Trying to access agent manager");
require ("general/noaccess.php"); require ("general/noaccess.php");


@ -224,27 +224,34 @@ if ($ag_group > 0) {
else { else {
// Admin user get ANY group, even if they doesnt exist // Admin user get ANY group, even if they doesnt exist
if (check_acl ($config['id_user'], 0, "PM")){ if (check_acl ($config['id_user'], 0, "PM")) {
$sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s', $search_sql); $subquery_enterprise = '';
if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) {
$subquery_enterprise = subquery_acl_enterprise();
}
$sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s %s', $search_sql, $subquery_enterprise);
$total_agents = db_get_sql ($sql); $total_agents = db_get_sql ($sql);
switch ($config["dbtype"]) { switch ($config["dbtype"]) {
case "mysql": case "mysql":
$sql = sprintf ('SELECT * $sql = sprintf ('SELECT *
FROM tagente WHERE 1=1 %s FROM tagente WHERE 1=1 %s %s
ORDER BY %s %s LIMIT %d, %d', $search_sql, $order['field'], $order['order'], $offset, $config["block_size"]); ORDER BY %s %s LIMIT %d, %d', $search_sql, $subquery_enterprise, $order['field'],
$order['order'], $offset, $config["block_size"]);
break; break;
case "postgresql": case "postgresql":
$sql = sprintf ('SELECT * $sql = sprintf ('SELECT *
FROM tagente WHERE 1=1 %s FROM tagente WHERE 1=1 %s %s
ORDER BY %s %s LIMIT %d OFFSET %d', $search_sql, $order['field'], $order['order'], $config["block_size"], $offset); ORDER BY %s %s LIMIT %d OFFSET %d', $search_sql, $subquery_enterprise, $order['field'],
$order['order'], $config["block_size"], $offset);
break; break;
case "oracle": case "oracle":
$set = array (); $set = array ();
$set['limit'] = $config["block_size"]; $set['limit'] = $config["block_size"];
$set['offset'] = $offset; $set['offset'] = $offset;
$sql = sprintf ('SELECT * $sql = sprintf ('SELECT *
FROM tagente WHERE 1=1 %s FROM tagente WHERE 1=1 %s %s
ORDER BY %s %s', $search_sql, $order['field'], $order['order']); ORDER BY %s %s', $search_sql, $subquery_enterprise, $order['field'], $order['order']);
$sql = oracle_recode_query ($sql, $set); $sql = oracle_recode_query ($sql, $set);
break; break;
} }
@ -339,12 +346,13 @@ if ($agents !== false) {
$iterator = 0; $iterator = 0;
foreach ($agents as $agent) { foreach ($agents as $agent) {
$id_grupo = $agent["id_grupo"]; $id_grupo = $agent["id_grupo"];
if (! check_acl ($config["id_user"], $id_grupo, "AW")) if (! check_acl ($config["id_user"], $id_grupo, "AW", $agent['id_agente']))
continue; continue;
if ($color == 1) { if ($color == 1) {
$tdcolor = "datos"; $tdcolor = "datos";
$color = 0; $color = 0;
} }
else { else {
$tdcolor = "datos2"; $tdcolor = "datos2";
$color = 1; $color = 1;
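Review bot: The loop check `if (! check_acl ($config["id_user"], $id_grupo, "AW", $agent['id_agente']))` re-applies the enterprise restriction per row even though the COUNT and SELECT statements above already carry `$subquery_enterprise`, and with this commit's check_acl every call runs `enterprise_include_once` plus a policy lookup for each agent on the page. Because the skip happens after `LIMIT`, a row rejected here shortens the page while `$total_agents` still counts it, so the pagination total and the visible rows can disagree. If the SQL fragment already expresses the same policy filter, the per-row call can keep the group check only, `if (! check_acl ($config["id_user"], $id_grupo, "AW"))`; otherwise the count query should use the same criterion as the row filter. Note also that `$subquery_enterprise = '';` is declared inside the `PM` branch, so the non-admin branch that follows this hunk does not see it unless it is set there as well. The enclosing `else` block begins before this hunk.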


@ -312,6 +312,10 @@ foreach($tempRows as $row) {
} }
foreach ($modules as $module) { foreach ($modules as $module) {
if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) {
if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue;
}
$type = $module["id_tipo_modulo"]; $type = $module["id_tipo_modulo"];
$id_module = $module["id_modulo"]; $id_module = $module["id_modulo"];
$nombre_modulo = $module["nombre"]; $nombre_modulo = $module["nombre"];
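Review bot: The guard `if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK)` only protects the enterprise-only call when `$isFunctionPolicies` has been assigned earlier in this file: an unset variable is `null`, `null !== ENTERPRISE_NOT_HOOK` is true, and the loop would then call `module_in_acl_enterprise()` on an open-source install, which is a fatal undefined-function error. The assignment is not visible in this hunk, so it is worth confirming; the monitor detail page in this commit shows the expected pattern, `$isFunctionPolicies = enterprise_include_once ('include/functions_policies.php');` before the first use. The same guard is introduced in four other loops of this commit (the two alert loops and the two other module loops), and the same check applies to each. As a matter of style, `if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue;` puts the body on the `if` line, unlike the braced style used around it.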


@ -373,6 +373,10 @@ $rowPair = true;
$iterator = 0; $iterator = 0;
foreach ($simple_alerts as $alert) { foreach ($simple_alerts as $alert) {
if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) {
if (!alert_in_acl_enterprise($alert['id'])) continue;
}
if ($alert['disabled']) { if ($alert['disabled']) {
$table->rowstyle[$iterator] = 'font-style: italic; color: #aaaaaa;'; $table->rowstyle[$iterator] = 'font-style: italic; color: #aaaaaa;';
$table->style[$iterator][1] = 'font-style: italic; color: #aaaaaa;'; $table->style[$iterator][1] = 'font-style: italic; color: #aaaaaa;';


@ -925,14 +925,18 @@ function enterprise_include_once ($filename) {
// Load enterprise extensions // Load enterprise extensions
$filepath = realpath ($config["homedir"].'/'.ENTERPRISE_DIR.'/'.$filename); $filepath = realpath ($config["homedir"].'/'.ENTERPRISE_DIR.'/'.$filename);
if ($filepath === false) if ($filepath === false)
return ENTERPRISE_NOT_HOOK; return ENTERPRISE_NOT_HOOK;
if (strncmp ($config["homedir"], $filepath, strlen ($config["homedir"])) != 0) if (strncmp ($config["homedir"], $filepath, strlen ($config["homedir"])) != 0)
return ENTERPRISE_NOT_HOOK; return ENTERPRISE_NOT_HOOK;
if (file_exists ($filepath)) { if (file_exists ($filepath)) {
require_once ($filepath); require_once ($filepath);
return true; return true;
} }
return ENTERPRISE_NOT_HOOK; return ENTERPRISE_NOT_HOOK;
} }
@ -1246,10 +1250,11 @@ function check_login () {
* @param int $id_user User id * @param int $id_user User id
* @param int $id_group Agents group id to check from * @param int $id_group Agents group id to check from
* @param string $access Access privilege * @param string $access Access privilege
* @param int $id_agent The agent id.
* *
* @return bool 1 if the user has privileges, 0 if not. * @return bool 1 if the user has privileges, 0 if not.
*/ */
function check_acl($id_user, $id_group, $access) { function check_acl($id_user, $id_group, $access, $id_agent = 0) {
if (empty ($id_user)) { if (empty ($id_user)) {
//User ID needs to be specified //User ID needs to be specified
trigger_error ("Security error: check_acl got an empty string for user id", E_USER_WARNING); trigger_error ("Security error: check_acl got an empty string for user id", E_USER_WARNING);
@ -1261,7 +1266,7 @@ function check_acl($id_user, $id_group, $access) {
else { else {
$id_group = (int) $id_group; $id_group = (int) $id_group;
} }
$parents_id = array($id_group); $parents_id = array($id_group);
if ($id_group != 0) { if ($id_group != 0) {
$group = db_get_row_filter('tgrupo', array('id_grupo' => $id_group)); $group = db_get_row_filter('tgrupo', array('id_grupo' => $id_group));
@ -1274,7 +1279,7 @@ function check_acl($id_user, $id_group, $access) {
else { else {
$parents_id = array(); $parents_id = array();
} }
//Joined multiple queries into one. That saves on the query overhead and query cache. //Joined multiple queries into one. That saves on the query overhead and query cache.
if ($id_group == 0) { if ($id_group == 0) {
$query = sprintf("SELECT tperfil.incident_view, tperfil.incident_edit, $query = sprintf("SELECT tperfil.incident_view, tperfil.incident_edit,
@ -1301,9 +1306,9 @@ function check_acl($id_user, $id_group, $access) {
} }
$rowdup = db_get_all_rows_sql ($query); $rowdup = db_get_all_rows_sql ($query);
if (empty ($rowdup)) if (empty ($rowdup))
return 0; return 0;
$result = 0; $result = 0;
foreach ($rowdup as $row) { foreach ($rowdup as $row) {
@ -1341,9 +1346,15 @@ function check_acl($id_user, $id_group, $access) {
break; break;
} }
} }
if ($result >= 1) if ($result >= 1) {
return 1; if ($id_agent != 0) {
if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) {
return check_acl_policy($id_user, $id_agent);
}
}
else return 1;
}
return 0; return 0;
} }
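Review bot: In the new tail of `check_acl`, the `else return 1;` is attached to `if ($id_agent != 0)`, so when an agent id is passed and `enterprise_include_once('include/functions_policies.php')` returns `ENTERPRISE_NOT_HOOK` (a non-enterprise install) the function falls through to `return 0` although the group ACL already granted access. Every caller this commit changes to pass an agent id — the `"AW"` checks in the agent manager and the agent list loop and the `"AR"` check in the agent view — would therefore be denied on an open-source console. Folding the two conditions into one and returning 1 otherwise keeps the enterprise policy gate and restores the previous result for everyone else; the rewritten lines are below. The docblock line `@param int $id_agent The agent id.` could also say that `0` (the default) skips the per-agent policy check. The body of check_acl is spread over several hunks here and its opening lines are in the hunk above.
```php
	if ($result >= 1) {
		// Enterprise-only policy gate; without the enterprise hook the group ACL decides.
		if ($id_agent != 0
			&& ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) {
			return check_acl_policy($id_user, $id_agent);
		}
		return 1;
	}
	return 0;
```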


@ -326,7 +326,7 @@ function agents_get_agents ($filter = false, $fields = false, $access = 'AR', $o
if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) { if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) {
$enterprise_include = true; $enterprise_include = true;
} }
if (! is_array ($filter)) { if (! is_array ($filter)) {
$filter = array (); $filter = array ();
} }
@ -888,6 +888,10 @@ function agents_get_group_agents ($id_group = 0, $search = false, $case = "lower
*/ */
function agents_get_modules ($id_agent = null, $details = false, $filter = false, $indexed = true, $get_not_init_modules = true) { function agents_get_modules ($id_agent = null, $details = false, $filter = false, $indexed = true, $get_not_init_modules = true) {
global $config; global $config;
if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) {
$subquery_enterprise = subquery_acl_enterprise();
}
if ($id_agent === null) { if ($id_agent === null) {
//Extract the agents of group user. //Extract the agents of group user.
@ -998,20 +1002,22 @@ function agents_get_modules ($id_agent = null, $details = false, $filter = false
case "postgresql": case "postgresql":
$sql = sprintf ('SELECT %s%s $sql = sprintf ('SELECT %s%s
FROM tagente_modulo FROM tagente_modulo
%s %s %s
ORDER BY nombre', ORDER BY nombre',
($details != '*' && $indexed) ? 'id_agente_modulo,' : '', ($details != '*' && $indexed) ? 'id_agente_modulo,' : '',
io_safe_output(implode (",", (array) $details)), io_safe_output(implode (",", (array) $details)),
$where); $where,
$subquery_enterprise);
break; break;
case "oracle": case "oracle":
$sql = sprintf ('SELECT %s%s $sql = sprintf ('SELECT %s%s
FROM tagente_modulo FROM tagente_modulo
%s %s %s
ORDER BY dbms_lob.substr(nombre, 4000, 1)', ORDER BY dbms_lob.substr(nombre, 4000, 1)',
($details != '*' && $indexed) ? 'id_agente_modulo,' : '', ($details != '*' && $indexed) ? 'id_agente_modulo,' : '',
io_safe_output(implode (",", (array) $details)), io_safe_output(implode (",", (array) $details)),
$where); $where,
$subquery_enterprise);
break; break;
} }
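Review bot: In `agents_get_modules`, `$subquery_enterprise` is assigned only inside `if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php'))`, yet both rewritten `sprintf` calls pass it unconditionally, so a non-enterprise install reads an undefined variable on every call (an E_NOTICE, with `''` substituted). Add `$subquery_enterprise = '';` before that `if`, as the page-level callers in this commit already do. The same gap exists for `$subquery_enterprise` and `$subquery_enterprise2` in the monitor detail page later in this commit, where the `//Add the subquery for the ACL enterprise` block assigns them only in the enterprise branch. The mysql case of the dbtype switch lies above the second hunk, so whether it also received the extra `%s` cannot be seen here, and the function body continues past the hunk.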


@ -362,6 +362,10 @@ $table->data = array ();
$rowPair = true; $rowPair = true;
$iterator = 0; $iterator = 0;
foreach ($alerts['alerts_simple'] as $alert) { foreach ($alerts['alerts_simple'] as $alert) {
if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) {
if (!alert_in_acl_enterprise($alert['id'])) continue;
}
if ($rowPair) if ($rowPair)
$table->rowclass[$iterator] = 'rowPair'; $table->rowclass[$iterator] = 'rowPair';
else else
@ -376,7 +380,8 @@ echo '<form method="post" action="'.$url.'">';
if (!empty ($table->data)) { if (!empty ($table->data)) {
ui_pagination ($countAlertsSimple, $url, $offset_simple, 0, false, 'offset_simple'); ui_pagination ($countAlertsSimple, $url, $offset_simple, 0, false, 'offset_simple');
html_print_table ($table); html_print_table ($table);
} else { }
else {
echo '<div class="nf">'.__('No simple alerts found').'</div>'; echo '<div class="nf">'.__('No simple alerts found').'</div>';
} }
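Review bot: The new `if (!alert_in_acl_enterprise($alert['id'])) continue;` drops rows after the page has been fetched, but `ui_pagination ($countAlertsSimple, $url, $offset_simple, 0, false, 'offset_simple')` a few lines later paginates with a count that, as far as is visible, is computed before this filter, so the total and the page length diverge and a page can render fewer rows than the block size. Either apply the enterprise restriction in the query that produces `$alerts['alerts_simple']` and `$countAlertsSimple`, or recompute the count from the rows that survive the loop. The `$isFunctionPolicies` guard relies on the variable being assigned earlier in the file, which this hunk does not show.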


@ -26,9 +26,9 @@ require_once($config['homedir'] . '/include/functions_modules.php');
check_login (); check_login ();
if (! check_acl ($config['id_user'], 0, "AR")) { if (! check_acl ($config['id_user'], 0, "AR")) {
db_pandora_audit("ACL Violation", db_pandora_audit("ACL Violation", "Trying to access agent main list view");
"Trying to access agent main list view");
require ("general/noaccess.php"); require ("general/noaccess.php");
return; return;
} }
@ -262,11 +262,19 @@ else {
$total_agents = 0; $total_agents = 0;
$agents = false; $agents = false;
if (! empty ($agent_names)) { if (! empty ($agent_names)) {
if (check_acl ($config['id_user'], 0, "PM")){ $subquery_enterprise = '';
$sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s', $search_sql); if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) {
$subquery_enterprise = subquery_acl_enterprise();
}
if (check_acl ($config['id_user'], 0, "PM")) {
$sql = sprintf ('SELECT COUNT(*) FROM tagente WHERE 1=1 %s %s', $search_sql, $subquery_enterprise);
$total_agents = db_get_sql ($sql); $total_agents = db_get_sql ($sql);
$sql = sprintf ('SELECT * FROM tagente WHERE 1=1 %s ORDER BY %s %s LIMIT %d, %d', $search_sql, $order['field'], $order['order'], $offset, $config["block_size"]); $sql = sprintf ('SELECT * FROM tagente
WHERE 1=1 %s %s
ORDER BY %s %s LIMIT %d, %d', $search_sql, $subquery_enterprise,
$order['field'], $order['order'], $offset, $config["block_size"]);
$agents = db_get_all_rows_sql ($sql); $agents = db_get_all_rows_sql ($sql);
} }
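Review bot: The rewritten statement `ORDER BY %s %s LIMIT %d, %d` keeps MySQL-only LIMIT syntax, while the comparable agent listing changed in this commit branches on `$config["dbtype"]` with `LIMIT %d OFFSET %d` for postgresql and `oracle_recode_query` for oracle; this predates the commit, but since the query was being reworked it is the moment to align them. A comment such as `// MySQL-only paging; see the dbtype switch in the agent list view for the portable form` would at least flag the gap. Separately, `$subquery_enterprise` is now built before the `PM` check, so any non-admin branch following this hunk can reuse it if it also lists agents. The enclosing `else` block begins before this hunk.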


@ -185,6 +185,9 @@ $table->align = array("left","left","left","left","left","center");
$last_modulegroup = 0; $last_modulegroup = 0;
$rowIndex = 0; $rowIndex = 0;
foreach ($modules as $module) { foreach ($modules as $module) {
if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) {
if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue;
}
//The code add the row of 1 cell with title of group for to be more organice the list. //The code add the row of 1 cell with title of group for to be more organice the list.


@ -224,6 +224,11 @@ $texto=''; $last_modulegroup = 0;
$color = 1; $color = 1;
$write = check_acl ($config['id_user'], $agent['id_grupo'], "AW"); $write = check_acl ($config['id_user'], $agent['id_grupo'], "AW");
foreach ($modules as $module) { foreach ($modules as $module) {
if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) {
if (!module_in_acl_enterprise($module['id_agente_modulo'])) continue;
}
// Calculate table line color // Calculate table line color
if ($color == 1){ if ($color == 1){
$tdcolor = "datos"; $tdcolor = "datos";
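Review bot: The context line `$write = check_acl ($config['id_user'], $agent['id_grupo'], "AW");` still evaluates write access without the agent id, while this commit passes the id to the equivalent `"AW"` checks in the agent manager and the agent list loop; if the per-module actions guarded by `$write` should honour the enterprise policy as well, this should become `check_acl ($config['id_user'], $agent['id_grupo'], "AW", $agent['id_agente'])`. If it is intentionally group-only, a short comment saying so would stop the next reader from changing it. The `$isFunctionPolicies` guard added here is discussed with the first module loop of this commit.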


@ -34,6 +34,12 @@ require_once($config['homedir'] . '/include/functions_users.php');
$isFunctionPolicies = enterprise_include_once ('include/functions_policies.php'); $isFunctionPolicies = enterprise_include_once ('include/functions_policies.php');
//Add the subquery for the ACL enterprise
if (ENTERPRISE_NOT_HOOK !== $isFunctionPolicies) {
$subquery_enterprise = subquery_acl_enterprise();
$subquery_enterprise2 = subquery_acl_enterprise('AND', 'tagente.id_agente');
}
ui_print_page_header ("Monitor detail", "images/bricks.png", false); ui_print_page_header ("Monitor detail", "images/bricks.png", false);
@ -85,7 +91,7 @@ switch ($config["dbtype"]) {
$sql = ' $sql = '
SELECT distinct(nombre) SELECT distinct(nombre)
FROM tagente_modulo FROM tagente_modulo
WHERE nombre <> "delete_pending" and id_agente in WHERE nombre <> "delete_pending" ' . $subquery_enterprise . ' and id_agente in
( (
select id_agente select id_agente
from tagente where id_grupo IN ( from tagente where id_grupo IN (
@ -117,7 +123,7 @@ switch ($config["dbtype"]) {
$sql = ' $sql = '
select distinct(nombre) select distinct(nombre)
from tagente_modulo from tagente_modulo
where nombre <> \'delete_pending\' and id_agente in where nombre <> \'delete_pending\' ' . $subquery_enterprise . ' and id_agente in
( (
select id_agente select id_agente
from tagente where id_grupo IN ( from tagente where id_grupo IN (
@ -156,7 +162,7 @@ switch ($config["dbtype"]) {
$sql = ' $sql = '
select nombre select nombre
from (select distinct dbms_lob.substr(nombre,4000,1) as nombre, ' . $column_names .' from tagente_modulo) from (select distinct dbms_lob.substr(nombre,4000,1) as nombre, ' . $column_names .' from tagente_modulo)
where nombre <> \'delete_pending\' and id_agente in where nombre <> \'delete_pending\' ' . $subquery_enterprise . ' and id_agente in
( (
select id_agente select id_agente
from tagente where id_grupo IN ( from tagente where id_grupo IN (
@ -208,7 +214,7 @@ $sql = " FROM tagente, tagente_modulo, tagente_estado
WHERE tagente.id_agente = tagente_modulo.id_agente WHERE tagente.id_agente = tagente_modulo.id_agente
AND tagente_modulo.disabled = 0 AND tagente_modulo.disabled = 0
AND tagente.disabled = 0 AND tagente.disabled = 0
AND tagente_estado.id_agente_modulo = tagente_modulo.id_agente_modulo"; AND tagente_estado.id_agente_modulo = tagente_modulo.id_agente_modulo" . $subquery_enterprise2 ;
// Agent group selector // Agent group selector
if ($ag_group > 0 && check_acl ($config["id_user"], $ag_group, "AR")) { if ($ag_group > 0 && check_acl ($config["id_user"], $ag_group, "AR")) {


@ -342,7 +342,7 @@ if (empty ($id_agente)) {
$agent = db_get_row ('tagente', 'id_agente', $id_agente); $agent = db_get_row ('tagente', 'id_agente', $id_agente);
// get group for this id_agente // get group for this id_agente
$id_grupo = $agent['id_grupo']; $id_grupo = $agent['id_grupo'];
if (! check_acl ($config['id_user'], $id_grupo, "AR")) { if (! check_acl ($config['id_user'], $id_grupo, "AR", $id_agente)) {
db_pandora_audit("ACL Violation", db_pandora_audit("ACL Violation",
"Trying to access (read) to agent ".agents_get_name($id_agente)); "Trying to access (read) to agent ".agents_get_name($id_agente));
include ("general/noaccess.php"); include ("general/noaccess.php");


@ -18,6 +18,10 @@ global $config;
include_once($config['homedir'] . "/include/functions_modules.php"); include_once($config['homedir'] . "/include/functions_modules.php");
include_once($config['homedir'] . '/include/functions_users.php'); include_once($config['homedir'] . '/include/functions_users.php');
$subquery_enterprise = '';
if (ENTERPRISE_NOT_HOOK !== enterprise_include_once('include/functions_policies.php')) {
$subquery_enterprise = subquery_acl_enterprise('', 't1.id_agente', 'AND');
}
$searchModules = check_acl($config['id_user'], 0, "AR"); $searchModules = check_acl($config['id_user'], 0, "AR");
@ -73,7 +77,7 @@ if ($searchModules) {
ON t3.id_grupo = t2.id_grupo ON t3.id_grupo = t2.id_grupo
INNER JOIN tagente_estado AS t4 INNER JOIN tagente_estado AS t4
ON t4.id_agente_modulo = t1.id_agente_modulo ON t4.id_agente_modulo = t1.id_agente_modulo
WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ')
OR 0 IN ( OR 0 IN (
SELECT id_grupo SELECT id_grupo
FROM tusuario_perfil FROM tusuario_perfil
@ -96,7 +100,7 @@ if ($searchModules) {
ON t3.id_grupo = t2.id_grupo ON t3.id_grupo = t2.id_grupo
INNER JOIN tagente_estado AS t4 INNER JOIN tagente_estado AS t4
ON t4.id_agente_modulo = t1.id_agente_modulo ON t4.id_agente_modulo = t1.id_agente_modulo
WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ')
OR 0 IN ( OR 0 IN (
SELECT id_grupo SELECT id_grupo
FROM tusuario_perfil FROM tusuario_perfil
@ -119,7 +123,7 @@ if ($searchModules) {
ON t3.id_grupo = t2.id_grupo ON t3.id_grupo = t2.id_grupo
INNER JOIN tagente_estado AS t4 INNER JOIN tagente_estado AS t4
ON t4.id_agente_modulo = t1.id_agente_modulo ON t4.id_agente_modulo = t1.id_agente_modulo
WHERE (t2.id_grupo IN (' . implode(',', $id_userGroups) . ') WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (' . implode(',', $id_userGroups) . ')
OR 0 IN ( OR 0 IN (
SELECT id_grupo SELECT id_grupo
FROM tusuario_perfil FROM tusuario_perfil
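Review bot: The call `subquery_acl_enterprise('', 't1.id_agente', 'AND')` passes the connector as the third positional argument, whereas the monitor detail page in this commit calls `subquery_acl_enterprise('AND', 'tagente.id_agente')` with it first; the WHERE lines that splice the fragment in front of `(t2.id_grupo IN (...)` suggest the third argument is a trailing connector, but that is inferred rather than visible here. A one-line comment above the call, e.g. `// Filter on t1.id_agente with a trailing AND so it can precede the group condition`, would make the argument order explicit. The same `WHERE ' . $subquery_enterprise . ' (t2.id_grupo IN (` prefix is repeated verbatim in three dbtype branches, so composing it once into a variable would keep them from drifting. The enclosing `if ($searchModules)` block continues beyond this hunk.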