tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-29 08:45:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

WIP:Api auth with bearer token

Browse Source
This commit is contained in:
Calvo 2022-12-29 17:20:34 +01:00
parent f84f9733e3
commit c14842a4f9
7 changed files with 153 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
pandora_console/extensions/api_checker.php
View File

@ -65,42 +65,58 @@ function api_execute(
string $other_mode='', string $other_mode='',
string $token='' string $token=''
) { ) {
$data = [];
if (empty($url) === true) { if (empty($url) === true) {
$url = 'http://'.$ip.$pandora_url.'/include/api.php'; $url = 'http://'.$ip.$pandora_url.'/include/api.php?';
$url .= '?';
$url .= '&op='.$op; if (empty($op) === false) {
$url .= '&op2='.$op2; $data['op'] = $op;
}
if (empty($op2) === false) {
$data['op2'] = $op2;
}
if (empty($id) === false) { if (empty($id) === false) {
$url .= '&id='.$id; $data['id'] = $id;
} }
if (empty($id2) === false) { if (empty($id2) === false) {
$url .= '&id2='.$id2; $data['id2'] = $id2;
} }
if (empty($return_type) === false) { if (empty($return_type) === false) {
$url .= '&return_type='.$return_type; $data['return_type'] = $return_type;
} }
if (empty($other) === false) { if (empty($other) === false) {
$url .= '&other_mode='.$other_mode; $data['other_mode'] = $other_mode;
$url .= '&other='.$other; $data['other'] = $other;
} }
// If token is reported, have priority. // If token is not reported,use old method.
if (empty($token) === false) { if (empty($token) === true) {
$url .= 'token='.$token; $data['apipass'] = $apipass;
} else { $data['user'] = $user;
$url .= 'apipass='.$apipass; $data['password'] = $password;
$url .= '&user='.$user;
$url .= '&pass='.$password;
} }
} }
$curlObj = curl_init(); $curlObj = curl_init($url);
if (empty($data) === false) {
$url .= http_build_query($data);
}
// set the content type json
$headers = [
'Content-Type: application/json',
'Authorization: Bearer '.$token,
];
curl_setopt($curlObj, CURLOPT_URL, $url); curl_setopt($curlObj, CURLOPT_URL, $url);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($curlObj); $result = curl_exec($curlObj);
curl_close($curlObj); curl_close($curlObj);

15
pandora_console/include/api.php
View File

@ -74,7 +74,6 @@ $password = get_parameter('pass', '');
$user = get_parameter('user', ''); $user = get_parameter('user', '');
$info = get_parameter('info', ''); $info = get_parameter('info', '');
$raw_decode = (bool) get_parameter('raw_decode', false); $raw_decode = (bool) get_parameter('raw_decode', false);
$apiToken = (string) get_parameter('token');
$other = parseOtherParameter($otherSerialize, $otherMode, $raw_decode); $other = parseOtherParameter($otherSerialize, $otherMode, $raw_decode);
$apiPassword = io_output_password( $apiPassword = io_output_password(
@ -85,7 +84,19 @@ $apiPassword = io_output_password(
) )
); );
$apiTokenValid = (isset($_GET['token']) === true && (bool) api_token_check($apiToken)); // Try getting bearer token from header.
// TODO. Getting token from url will be removed.
$apiToken = (string) getBearerToken();
if ($apiToken === false) {
// Legacy token in GET.
// TODO. Revome in future.
$apiToken = (string) get_parameter('token');
$apiTokenValid = (isset($_GET['token']) === true && (bool) api_token_check($apiToken));
} else {
$apiTokenValid = (bool) api_token_check($apiToken);
}
$correctLogin = false; $correctLogin = false;
$no_login_msg = ''; $no_login_msg = '';

47
pandora_console/include/functions.php
View File

@ -6277,7 +6277,7 @@ function arrayOutputSorting($sort, $sortField)
/** /**
* Get dowload started cookie from js and set ready cokkie for download ready comntrol. * Get dowload started cookie from js and set ready cokkie for download ready comntrol.
* *
* @return * @return void
*/ */
function setDownloadCookieToken() function setDownloadCookieToken()
{ {
@ -6293,3 +6293,48 @@ function setDownloadCookieToken()
); );
} }
} }
/**
* Get header Authorization
* */
function getAuthorizationHeader()
{
$headers = null;
if (isset($_SERVER['Authorization'])) {
$headers = trim($_SERVER['Authorization']);
} else if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
// Nginx or fast CGI
$headers = trim($_SERVER['HTTP_AUTHORIZATION']);
} else if (function_exists('apache_request_headers')) {
$requestHeaders = apache_request_headers();
// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
// print_r($requestHeaders);
if (isset($requestHeaders['Authorization'])) {
$headers = trim($requestHeaders['Authorization']);
}
}
return $headers;
}
/**
* Get access token from header
*
* @return array/false Token received, false in case thre is no token.
* */
function getBearerToken()
{
$headers = getAuthorizationHeader();
// HEADER: Get the access token from the header
if (!empty($headers)) {
if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
return $matches[1];
}
}
return false;
}

34
pandora_console/include/functions_api.php
View File

@ -17346,23 +17346,6 @@ function api_set_enable_disable_discovery_task($id_task, $thrash2, $other)
} }
/**
* Check if token is correct.
*
* @param string $token Token for check.
*
* @return mixed Id of user. If returns 0 there is not valid token.
*/
function api_token_check(string $token)
{
if (empty($token) === true) {
return -1;
} else {
return db_get_value('id_user', 'tusuario', 'api_token', $token);
}
}
/** /**
* Make report (PDF, CSV or XML) and send it via e-mail (this method is intended to be used by server's execution * Make report (PDF, CSV or XML) and send it via e-mail (this method is intended to be used by server's execution
* of alert actions that involve sending reports by e-mail). * of alert actions that involve sending reports by e-mail).
@ -17660,3 +17643,20 @@ function api_set_send_report($thrash1, $thrash2, $other, $returnType)
returnData($returnType, $data, ';'); returnData($returnType, $data, ';');
} }
} }
/**
* Check if token is correct.
*
* @param string $token Token for check.
*
* @return mixed Id of user. If returns 0 there is not valid token.
*/
function api_token_check(string $token)
{
if (empty($token) === true) {
return 0;
} else {
return db_get_value('id_user', 'tusuario', 'api_token', $token);
}
}

8
pandora_console/include/functions_ui.php
View File

@ -2370,13 +2370,17 @@ function ui_print_help_tip(
$return=false, $return=false,
$img='images/tip_help.png', $img='images/tip_help.png',
$is_relative=false, $is_relative=false,
$style='' $style='',
$blink=false
) { ) {
$output = '<a href="javascript:" class="tip" style="'.$style.'" >'; $output = '<a href="javascript:" class="tip" style="'.$style.'" >';
$output .= html_print_image( $output .= html_print_image(
$img, $img,
true, true,
['title' => $text], [
'title' => $text,
'class' => $blink === true ? 'blink' : '',
],
false, false,
$is_relative && is_metaconsole() $is_relative && is_metaconsole()
).'</a>'; ).'</a>';

15
pandora_console/include/styles/pandora.css
View File

@ -4678,6 +4678,21 @@ input:checked + .p-slider:before {
animation: fadein 0.5s, fadeout 0.5s 7.5s; animation: fadein 0.5s, fadeout 0.5s 7.5s;
} }
.blink {
animation: blink-animation 1s steps(5, start) infinite;
-webkit-animation: blink-animation 1s steps(5, start) infinite;
}
@keyframes blink-animation {
to {
visibility: hidden;
}
}
@-webkit-keyframes blink-animation {
to {
visibility: hidden;
}
}
.snackbar p, .snackbar p,
.snackbar h3 { .snackbar h3 {
text-align: left; text-align: left;

23
pandora_console/operation/users/user_edit.php
View File

@ -290,6 +290,16 @@ $user_id .= html_print_anchor(
true true
); );
// Check php conf for header auth.
$lines = file('/etc/httpd/conf.d/php.conf');
$http_authorization = false;
foreach ($lines as $l) {
if (preg_match('/SetEnvIfNoCase \^Authorization\$ \"\(\.\+\)\" HTTP_AUTHORIZATION=\$1/', $l)) {
$http_authorization = true;
}
}
$user_id .= html_print_anchor( $user_id .= html_print_anchor(
[ [
'onClick' => sprintf( 'onClick' => sprintf(
@ -309,8 +319,19 @@ $user_id .= html_print_anchor(
], ],
true true
); );
$user_id .= '</div>';
if ($http_authorization === false) {
$user_id .= ui_print_help_tip(
__('Directive HTTP_AUTHORIZATION=$1 is not set. Please, add it to /etc/httpd/conf.d/php.conf'),
true,
'images/warn.png',
false,
'',
true
);
}
$user_id .= '</div>';
$full_name = ' <div class="label_select_simple">'.html_print_input_text_extended( $full_name = ' <div class="label_select_simple">'.html_print_input_text_extended(
'fullname', 'fullname',
$user_info['fullname'], $user_info['fullname'],