tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-4745-8826-cofares-han-dejado-de-llegar-las-graficas-que-nos-llegaban-en-los-correos-de-alerta-por-mail' into 'develop' 

Fix and control API sessions

See merge request artica/pandorafms!2830
This commit is contained in:
Alejandro Fraguas 2019-10-23 16:12:19 +02:00
parent 48fa310aa9 9edb77d288
commit 5364ef0fa1
5 changed files with 325 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

197
pandora_console/include/api.php
View File

@ -1,15 +1,32 @@
<?php
// Pandora FMS- http://pandorafms.com
// ==================================================
// Copyright (c) 2005-2011 Artica Soluciones Tecnologicas
// Please see http://pandorafms.org for full contribution list
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public License
// as published by the Free Software Foundation; version 2
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
/**
* Pandora FMS integration API.
*
* @category API
* @package Pandora FMS
* @subpackage Console
* @version 1.0.0
* @license See below
*
* ______ ___ _______ _______ ________
* | __ \.-----.--.--.--| |.-----.----.-----. | ___| | | __|
* | __/| _ | | _ || _ | _| _ | | ___| |__ |
* |___| |___._|__|__|_____||_____|__| |___._| |___| |__|_|__|_______|
*
* ============================================================================
* Copyright (c) 2005-2019 Artica Soluciones Tecnologicas
* Please see http://pandorafms.org for full contribution list
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation for version 2.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* ============================================================================
*/
// Begin.
require_once 'config.php';
require_once 'functions_api.php';
@ -18,7 +35,7 @@ global $config;
define('DEBUG', 0);
define('VERBOSE', 0);
// TESTING THE UPDATE MANAGER
// TESTING THE UPDATE MANAGER.
enterprise_include_once('include/functions_enterprise_api.php');
$ipOrigin = $_SERVER['REMOTE_ADDR'];
@ -41,26 +58,30 @@ $info = get_parameter('info', '');
$other = parseOtherParameter($otherSerialize, $otherMode);
$other = parseOtherParameter($otherSerialize, $otherMode);
$apiPassword = io_output_password(db_get_value_filter('value', 'tconfig', ['token' => 'api_password']));
$apiPassword = io_output_password(
db_get_value_filter(
'value',
'tconfig',
['token' => 'api_password']
)
);
$correctLogin = false;
$no_login_msg = '';
// Clean unwanted output
// Clean unwanted output.
ob_clean();
// READ THIS:
// Special call without checks to retrieve version and build of the Pandora FMS
// This info is avalable from the web console without login
// Don't change the format, it is parsed by applications
switch ($info) {
case 'version':
// Don't change the format, it is parsed by applications.
if ($info == 'version') {
if (!$config['MR']) {
$config['MR'] = 0;
}
echo 'Pandora FMS '.$pandora_version.' - '.$build_version.' MR'.$config['MR'];
exit;
}
@ -68,14 +89,19 @@ if (isInACL($ipOrigin)) {
if (empty($apiPassword) || (!empty($apiPassword) && $api_password === $apiPassword)) {
$user_in_db = process_user_login($user, $password, true);
if ($user_in_db !== false) {
$config['id_usuario'] = $user_in_db;
// Compat.
$config['id_user'] = $user_in_db;
$correctLogin = true;
if (session_status() === PHP_SESSION_NONE) {
session_start();
$_SESSION = [];
}
$_SESSION['id_usuario'] = $user;
config_prepare_session();
session_write_close();
} else {
$no_login_msg = 'Incorrect user credentials';
@ -84,7 +110,7 @@ if (isInACL($ipOrigin)) {
$no_login_msg = 'Incorrect given API password';
}
} else {
$no_login_msg = "IP $ipOrigin is not in ACL list";
$no_login_msg = 'IP '.$ipOrigin.' is not in ACL list';
}
if ($correctLogin) {
@ -93,11 +119,14 @@ if ($correctLogin) {
} else {
$function_name = '';
// Check if is an extension function and get the function name
// Check if is an extension function and get the function name.
if ($op2 == 'extension') {
$extension_api_url = $config['homedir'].'/'.EXTENSIONS_DIR."/$ext_name/$ext_name.api.php";
// The extension API file must exist and the extension must be enabled
if (file_exists($extension_api_url) && !in_array($ext_name, extensions_get_disabled_extensions())) {
$extension_api_url = $config['homedir'].'/'.EXTENSIONS_DIR.'/'.$ext_name.'/'.$ext_name.'.api.php';
// The extension API file must exist and the extension must be
// enabled.
if (file_exists($extension_api_url)
&& !in_array($ext_name, extensions_get_disabled_extensions())
) {
include_once $extension_api_url;
$function_name = 'apiextension_'.$op.'_'.$ext_function;
}
@ -107,17 +136,20 @@ if ($correctLogin) {
if ($op == 'set' && $id) {
switch ($op2) {
case 'update_agent':
case 'add_module_in_conf':
case 'update_module_in_conf':
case 'delete_module_in_conf':
$id_os = db_get_value_sql('select id_os from tagente where id_agente = '.$id);
$agent = agents_locate_agent($id);
if ($agent !== false) {
$id_os = $agent['id_os'];
if ($id_os == 100) {
returnError('not_allowed_operation_cluster', $returnType);
returnError(
'not_allowed_operation_cluster',
$returnType
);
return false;
}
}
break;
case 'create_network_module':
@ -127,13 +159,17 @@ if ($correctLogin) {
case 'create_snmp_module':
case 'delete_module':
case 'delete_agent':
$id_os = db_get_value_sql('select id_os from tagente where nombre = "'.$id.'"');
$agent = agents_locate_agent($id);
if ($agent !== false) {
$id_os = $agent['id_os'];
if ($id_os == 100) {
returnError('not_allowed_operation_cluster', $returnType);
returnError(
'not_allowed_operation_cluster',
$returnType
);
return false;
}
}
break;
case 'update_network_module':
@ -141,60 +177,98 @@ if ($correctLogin) {
case 'update_data_module':
case 'update_snmp_module':
$id_os = db_get_value_sql('select id_os from tagente where id_agente = (select id_agente from tagente_modulo where id_agente_modulo ='.$id.')');
$id_os = db_get_value_sql(
sprintf(
'SELECT id_os
FROM tagente
WHERE id_agente = (
SELECT id_agente
FROM tagente_modulo
WHERE id_agente_modulo = %d
)',
$id
)
);
if ($id_os == 100) {
returnError('not_allowed_operation_cluster', $returnType);
returnError(
'not_allowed_operation_cluster',
$returnType
);
return false;
}
break;
case 'delete_user_permission':
if ($user_db === '') {
returnError(__('User or group not specified'), __('User, group not specified'));
returnError(
__('User or group not specified'),
__('User, group not specified')
);
return;
}
$id_os = api_set_delete_user_profiles($thrash1, $thrash2, $other, $returnType);
$id_os = api_set_delete_user_profiles(
$thrash1,
$thrash2,
$other,
$returnType
);
if ($id_os != 100) {
return;
}
if ($id_os == false) {
returnError('not_allowed_operation_cluster', $returnType);
returnError(
'not_allowed_operation_cluster',
$returnType
);
return false;
}
break;
case 'add_permission_user_to_group':
if ($user_db == null || $group_db == null || $id_up == null) {
returnError(__('User, group or profile not specified'), __('User, group or profile status not specified'));
if ($user_db == null
|| $group_db == null
|| $id_up == null
) {
returnError(
__('User, group or profile not specified'),
__('User, group or profile status not specified')
);
return;
}
$id_os = api_set_add_permission_user_to_group($thrash1, $thrash2, $other, $returnType);
$id_os = api_set_add_permission_user_to_group(
$thrash1,
$thrash2,
$other,
$returnType
);
if ($id_os != 100) {
return;
}
if ($id_os == false) {
returnError('not_allowed_operation_cluster', $returnType);
returnError(
'not_allowed_operation_cluster',
$returnType
);
return false;
}
break;
default:
// break;
// Ignore.
break;
}
}
}
// Check if the function exists
// Check if the function exists.
if (function_exists($function_name)) {
if (!DEBUG) {
error_reporting(0);
@ -205,18 +279,37 @@ if ($correctLogin) {
ini_set('display_errors', 1);
}
call_user_func($function_name, $id, $id2, $other, $returnType, $user_in_db);
call_user_func(
$function_name,
$id,
$id2,
$other,
$returnType,
$user_in_db
);
} else {
returnError('no_exist_operation', $returnType);
}
}
} else {
// TODO: Implement a new switch in config to enable / disable
// ACL auth failure: if enabled and have lots of traffic can produce millions
// of records and a considerable OVERHEAD in the system :(
// db_pandora_audit("API access Failed", $no_login_msg, $user, $ipOrigin);
/*
* //TODO: Implement a new switch in config to enable / disable
* ACL auth failure: if enabled and have lots of traffic can produce
* millions of records and a considerable OVERHEAD in the system :(
* db_pandora_audit("API access Failed", $no_login_msg, $user, $ipOrigin);
*/
sleep(15);
// Protection on DoS attacks
// Protection on DoS attacks.
echo 'auth error';
}
// Logout.
if (session_status() === PHP_SESSION_ACTIVE) {
$_SESSION = [];
// Could give a warning if no session file is created. Ignore.
@session_destroy();
header_remove('Set-Cookie');
setcookie(session_name(), $_COOKIE[session_name()], (time() - 4800), '/');
}

64
pandora_console/include/chart_generator.php
View File

@ -11,12 +11,13 @@
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// Global & session manageme
session_id($_REQUEST['session_id']);
require_once 'config.php';
require_once $config['homedir'].'/include/auth/mysql.php';
require_once $config['homedir'].'/include/functions.php';
require_once $config['homedir'].'/include/functions_db.php';
require_once __DIR__.'/config.php';
require_once __DIR__.'/functions.php';
require_once __DIR__.'/functions_db.php';
require_once __DIR__.'/auth/mysql.php';
require_once $config['homedir'].'/include/lib/User.php';
require_once $config['homedir'].'/include/functions_reporting.php';
require_once $config['homedir'].'/include/functions_graph.php';
require_once $config['homedir'].'/include/functions_custom_graphs.php';
@ -24,18 +25,56 @@ require_once $config['homedir'].'/include/functions_modules.php';
require_once $config['homedir'].'/include/functions_agents.php';
require_once $config['homedir'].'/include/functions_tags.php';
check_login();
// Initialize session.
global $config;
// get_parameter(array)('data', '');
// Try to initialize session using existing php session id.
$user = new PandoraFMS\User(['phpsessionid' => $_REQUEST['session_id']]);
if (check_login(false) === false) {
// Error handler.
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Access denied</title>
<link rel="stylesheet" href="styles/pandora.css" type="text/css" />
<link rel="stylesheet" href="styles/pandora_minimal.css" type="text/css" />
<link rel="stylesheet" href="styles/js/jquery-ui.min.css" type="text/css" />
<link rel="stylesheet" href="styles/js/jquery-ui_custom.css" type="text/css" />
<script language="javascript" type='text/javascript' src='javascript/pandora.js'></script>
<script language="javascript" type='text/javascript' src='javascript/jquery-3.3.1.min.js'></script>
</head>
<body>
<h1>Access is not granted</h1>
<script type="text/javascript">
$('document').ready(function () {
setTimeout(function () {
try {
var status = window.callPhantom({ status: "loaded" });
} catch (error) {
console.log("CALLBACK ERROR", error.message)
}
}, 100);
});
</script>
</body>
</html>
<?php
exit;
}
// Access granted.
$params = json_decode($_REQUEST['data'], true);
// Metaconsole connection to the node
// Metaconsole connection to the node.
$server_id = $params['server_id'];
if ($config['metaconsole'] && !empty($server_id)) {
$server = metaconsole_get_connection_by_id($server_id);
// Error connecting
// Error connecting.
if (metaconsole_connect($server) !== NOERR) {
echo '<html>';
echo '<body>';
@ -48,8 +87,9 @@ if ($config['metaconsole'] && !empty($server_id)) {
$user_language = get_user_language($config['id_user']);
if (file_exists('languages/'.$user_language.'.mo')) {
$l10n = new gettext_reader(new CachedFileReader('languages/'.$user_language.'.mo'));
if (file_exists('languages/'.$user_language.'.mo') === true) {
$cfr = new CachedFileReader('languages/'.$user_language.'.mo');
$l10n = new gettext_reader($cfr);
$l10n->load_tables();
}
@ -208,7 +248,7 @@ if (file_exists('languages/'.$user_language.'.mo')) {
break;
default:
// code...
// Code...
break;
}

116
pandora_console/include/lib/User.php Normal file
View File

@ -0,0 +1,116 @@
<?php
/**
* PHP script to manage Pandora FMS websockets.
*
* @category Websocket
* @package Pandora FMS
* @subpackage Console
* @version 1.0.0
* @license See below
*
* ______ ___ _______ _______ ________
* | __ \.-----.--.--.--| |.-----.----.-----. | ___| | | __|
* | __/| _ | | _ || _ | _| _ | | ___| |__ |
* |___| |___._|__|__|_____||_____|__| |___._| |___| |__|_|__|_______|
*
* ============================================================================
* Copyright (c) 2005-2019 Artica Soluciones Tecnologicas
* Please see http://pandorafms.org for full contribution list
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation for version 2.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* ============================================================================
*/
// Begin.
namespace PandoraFMS;
/**
* Object user.
*/
class User
{
/**
* Current 'id_usuario'.
*
* @var string
*/
public $idUser;
/**
* Current PHP session ids.
*
* @var array
*/
public $sessions = [];
/**
* Initializes a user object.
*
* @param array $data User information
* - Username
* - PHP session ID.
*/
public function __construct($data)
{
global $config;
// Unset user.
unset($config['id_usuario']);
unset($_SESSION['id_usuario']);
if (is_array($data) === true) {
if (isset($data['phpsessionid']) === true) {
$this->sessions[$data['phpsessionid']] = 1;
$info = \db_get_row_filter(
'tsessions_php',
['id_session' => $data['phpsessionid']]
);
if ($info !== false) {
// Process.
$session_data = session_decode($info['data']);
$this->idUser = $_SESSION['id_usuario'];
// Valid session.
return $this;
}
return null;
}
if (isset($data['id_usuario']) === true
&& isset($data['password']) === true
) {
$user_in_db = process_user_login($user, $password, true);
if ($user_in_db !== false) {
$config['id_usuario'] = $user_in_db;
$correctLogin = true;
// Originally at api.php.
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
$_SESSION['id_usuario'] = $user;
session_write_close();
$this->idUser = $data['id_usuario'];
// Valid session.
return $this;
}
}
}
return null;
}
}

5
pandora_console/include/load_session.php
View File

@ -91,11 +91,6 @@ function pandora_session_write($session_id, $data)
{
$session_id = addslashes($session_id);
// If it's an api call, the session must not be created.
if (get_parameter('op', false) && get_parameter('op2', false)) {
return true;
}
if (is_ajax()) {
// Avoid session upadte while processing ajax responses - notifications.
if (get_parameter('check_new_notifications', false)) {

5
pandora_console/include/web2image.js
View File

@ -1,5 +1,7 @@
var system = require("system");
/* global phantom */
if (system.args.length < 3 || system.args.length > 11) {
phantom.exit(1);
}
@ -14,6 +16,7 @@ var viewport_width = system.args[7];
var viewport_height = system.args[8];
var session_id = system.args[9];
var base_64 = system.args[10];
var post_data = "";
if (!viewport_width) {
viewport_width = 750;
@ -64,7 +67,7 @@ page.onError = function(msg) {
phantom.exit();
};
page.onCallback = function(st) {
page.onCallback = function() {
if (!base_64) {
page.render(output_filename, { format: "png" });
} else {