From d17d3bd3eb07707992ad9f04a317c90e7263f6ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix=20Su=C3=A1rez?= Date: Tue, 11 Jul 2023 14:38:14 -0600 Subject: [PATCH 1/2] Use server UID to authorize instead of user/pass. --- pandora_console/include/api.php | 14 ++++++++++++-- pandora_server/lib/PandoraFMS/Core.pm | 6 ++---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/pandora_console/include/api.php b/pandora_console/include/api.php index 526256e260..7ed38d638c 100644 --- a/pandora_console/include/api.php +++ b/pandora_console/include/api.php @@ -118,7 +118,7 @@ if ($info === 'version') { if (empty($apiPassword) === true || (empty($apiPassword) === false && $api_password === $apiPassword) || $apiTokenValid === true -) { +) { if (enterprise_hook('metaconsole_validate_origin', [get_parameter('server_auth')]) === true || enterprise_hook('console_validate_origin', [get_parameter('server_auth')]) === true ) { @@ -129,7 +129,17 @@ if (empty($apiPassword) === true // Compat. $config['id_user'] = 'admin'; $correctLogin = true; - } else if ((bool) isInACL($ipOrigin) === true) { + // Bypass credentials if server-auth and api-pass are correct. + } else if (($op === 'get') + && ($config['server_unique_identifier'] === get_parameter('server_auth')) + && ($api_password === $apiPassword) + && ((bool) isInACL($ipOrigin) === true)) { + + $config['id_usuario'] = 'admin'; + $config['id_user'] = 'admin'; + $correctLogin = true; + + } else if ((bool) isInACL($ipOrigin) === true) { // External access. // Token is valid. Bypass the credentials. if ($apiTokenValid === true) { diff --git a/pandora_server/lib/PandoraFMS/Core.pm b/pandora_server/lib/PandoraFMS/Core.pm index c6e87003f7..c513a7816f 100644 --- a/pandora_server/lib/PandoraFMS/Core.pm +++ b/pandora_server/lib/PandoraFMS/Core.pm 
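Review bot: The new `} else if` branch in the second api.php hunk grants `admin` on a strict compare of `$config['server_unique_identifier']` against the request's `server_auth` without checking that the identifier is actually configured: if the setting exists but is empty, and `get_parameter` yields an empty string for a missing parameter, `'' === ''` matches and the branch collapses to apipass + ACL. The identifier is a shared secret and should also be compared in constant time, e.g. `} else if ((empty($config['server_unique_identifier']) === false)` followed by `&& hash_equals((string) $config['server_unique_identifier'], (string) get_parameter('server_auth'))`, keeping the `$api_password` and `isInACL` terms as they are. The branch sits inside the outer `if` that also admits `$apiTokenValid === true` and an empty configured `$apiPassword`; the repeated `$api_password === $apiPassword` term is what keeps those paths away from the bypass, which deserves a line in the comment above it. The enclosing `if` chain starts before and ends after this hunk.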
@@ -1707,8 +1707,7 @@ sub pandora_execute_action ($$$$$$$$$;$$) {
 my $params = {};
 $params->{"apipass"} = $pa_config->{"console_api_pass"};
- $params->{"user"} ||= $pa_config->{"console_user"};
- $params->{"pass"} ||= $pa_config->{"console_pass"};
+ $params->{"server_auth"} = $pa_config->{"server_unique_identifier"};
 $params->{"op"} = "set";
 $params->{"op2"} = "send_report";
 $params->{"other_mode"} = "url_encode_separator_|;|";
@@ -1739,8 +1738,7 @@ sub pandora_execute_action ($$$$$$$$$;$$) {
 my $params = {};
 $params->{"apipass"} = $pa_config->{"console_api_pass"};
- $params->{"user"} ||= $pa_config->{"console_user"};
- $params->{"pass"} ||= $pa_config->{"console_pass"};
+ $params->{"server_auth"} = $pa_config->{"server_unique_identifier"};
 $params->{"op"} = "set";
 $params->{"op2"} = "send_report";
 $params->{"other_mode"} = "url_encode_separator_|;|";
From 356a3cc9c3988c2ed04faa5ea88e4c31fb2a274a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Su=C3=A1rez?=
Date: Wed, 12 Jul 2023 08:31:52 -0600
Subject: [PATCH 2/2] Modify aditional user/pass on core.
---
 pandora_console/include/api.php | 3 +--
 pandora_server/lib/PandoraFMS/Core.pm | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/pandora_console/include/api.php b/pandora_console/include/api.php
index 7ed38d638c..20028d4b61 100644
--- a/pandora_console/include/api.php
+++ b/pandora_console/include/api.php
@@ -130,8 +130,7 @@ if (empty($apiPassword) === true
 $config['id_user'] = 'admin';
 $correctLogin = true;
 // Bypass credentials if server-auth and api-pass are correct.
- } else if (($op === 'get')
- && ($config['server_unique_identifier'] === get_parameter('server_auth'))
+ } else if (($config['server_unique_identifier'] === get_parameter('server_auth'))
 && ($api_password === $apiPassword)
 && ((bool) isInACL($ipOrigin) === true)) {
diff --git a/pandora_server/lib/PandoraFMS/Core.pm b/pandora_server/lib/PandoraFMS/Core.pm
index c513a7816f..a615d68a4a 100644
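Review bot: `$params->{"server_auth"} = $pa_config->{"server_unique_identifier"};` is assigned with no definedness check, so a server whose config lacks `server_unique_identifier` sends an undefined value: an 'uninitialized' warning when the params are encoded, and on the console a comparison against an unset or empty identifier instead of a clear failure. A guard before the assignment, `logger($pa_config, "server_unique_identifier is not set, console API call cannot be authorized", 3) unless defined $pa_config->{"server_unique_identifier"};`, would surface the misconfiguration at its source. The same three-line replacement appears in the hunk at 1739 below and in the second patch's hunk at 1561, and the `$params` prologue is now identical in all three places; a small helper such as `_console_api_params($pa_config, $op, $op2)` would keep the copies from drifting. Unlike the `||=` it replaces, `=` overwrites any existing `server_auth`; `$params` is created fresh on the line above, so this is harmless today but worth a comment if the prologue is factored out. `pandora_execute_action` starts before and ends after this hunk.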
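Review bot: Dropping `($op === 'get')` widens the server-auth shortcut from read-only calls to every API operation, including the `set`/`send_report` calls the Core.pm hunks of patch 1 issue, and the comment `// Bypass credentials if server-auth and api-pass are correct.` no longer describes the scope. Suggest extending it: `// Server-to-server calls: a request carrying the server's unique identifier plus the API password, from an ACL-listed origin, runs as admin for any op (the server sends set/send_report and get/module_graph).` If only those operations are meant to be reachable this way, an explicit allow-list on `$op2` would keep the elevation narrower than unrestricted admin. The enclosing `if` chain starts before and ends after this hunk.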
--- a/pandora_server/lib/PandoraFMS/Core.pm
+++ b/pandora_server/lib/PandoraFMS/Core.pm
@@ -1561,8 +1561,7 @@ sub pandora_execute_action ($$$$$$$$$;$$) {
 my $params = {};
 $params->{"apipass"} = $pa_config->{"console_api_pass"};
- $params->{"user"} ||= $pa_config->{"console_user"};
- $params->{"pass"} ||= $pa_config->{"console_pass"};
+ $params->{"server_auth"} = $pa_config->{"server_unique_identifier"};
 $params->{"op"} = "get";
 $params->{"op2"} = "module_graph";
 $params->{"id"} = $module->{'id_agente_modulo'};