discovery ACL

This commit is contained in:
fbsanchez 2019-10-09 15:45:02 +02:00 committed by Alejandro Fraguas
parent be2148ff26
commit d09c071684
7 changed files with 215 additions and 95 deletions


@ -21,27 +21,42 @@ require_once 'include/functions_menu.php';
$menu_godmode = []; $menu_godmode = [];
$menu_godmode['class'] = 'godmode'; $menu_godmode['class'] = 'godmode';
if (check_acl($config['id_user'], 0, 'AR')
if (check_acl($config['id_user'], 0, 'PM')) { || check_acl($config['id_user'], 0, 'AW')
|| check_acl($config['id_user'], 0, 'RR')
|| check_acl($config['id_user'], 0, 'RW')
|| check_acl($config['id_user'], 0, 'PM')
) {
$sub = []; $sub = [];
$sub['godmode/servers/discovery&wiz=main']['text'] = __('Main'); $sub['godmode/servers/discovery&wiz=main']['text'] = __('Main');
$sub['godmode/servers/discovery&wiz=main']['id'] = 'Discovery'; $sub['godmode/servers/discovery&wiz=main']['id'] = 'Discovery';
$sub['godmode/servers/discovery&wiz=tasklist']['text'] = __('Task list'); $sub['godmode/servers/discovery&wiz=tasklist']['text'] = __('Task list');
$sub['godmode/servers/discovery&wiz=tasklist']['id'] = 'tasklist'; $sub['godmode/servers/discovery&wiz=tasklist']['id'] = 'tasklist';
if (check_acl($config['id_user'], 0, 'AW')
|| check_acl($config['id_user'], 0, 'PM')
) {
if (check_acl($config['id_user'], 0, 'AW')) {
$sub2 = []; $sub2 = [];
$sub2['godmode/servers/discovery&wiz=hd&mode=netscan']['text'] = __('Network scan'); $sub2['godmode/servers/discovery&wiz=hd&mode=netscan']['text'] = __('Network scan');
enterprise_hook('hostdevices_submenu'); enterprise_hook('hostdevices_submenu');
$sub2['godmode/servers/discovery&wiz=hd&mode=customnetscan']['text'] = __('Custom network scan'); $sub2['godmode/servers/discovery&wiz=hd&mode=customnetscan']['text'] = __('Custom network scan');
}
if (check_acl($config['id_user'], 0, 'PM')) {
$sub2['godmode/servers/discovery&wiz=hd&mode=managenetscanscripts']['text'] = __('Manage scan scripts'); $sub2['godmode/servers/discovery&wiz=hd&mode=managenetscanscripts']['text'] = __('Manage scan scripts');
}
$sub['godmode/servers/discovery&wiz=hd']['text'] = __('Host & devices'); $sub['godmode/servers/discovery&wiz=hd']['text'] = __('Host & devices');
$sub['godmode/servers/discovery&wiz=hd']['id'] = 'hd'; $sub['godmode/servers/discovery&wiz=hd']['id'] = 'hd';
$sub['godmode/servers/discovery&wiz=hd']['sub2'] = $sub2; $sub['godmode/servers/discovery&wiz=hd']['sub2'] = $sub2;
}
if (check_acl($config['id_user'], 0, 'AW')) {
enterprise_hook('applications_menu'); enterprise_hook('applications_menu');
enterprise_hook('cloud_menu'); enterprise_hook('cloud_menu');
enterprise_hook('console_task_menu'); enterprise_hook('console_task_menu');
}
// Add to menu. // Add to menu.
$menu_godmode['discovery']['text'] = __('Discovery'); $menu_godmode['discovery']['text'] = __('Discovery');
@ -92,7 +107,7 @@ if (!empty($sub)) {
} }
$sub = []; $sub = [];
if (check_acl($config['id_user'], 0, 'AW')) { if (check_acl($config['id_user'], 0, 'PM')) {
$sub['godmode/groups/group_list']['text'] = __('Manage agents groups'); $sub['godmode/groups/group_list']['text'] = __('Manage agents groups');
$sub['godmode/groups/group_list']['id'] = 'Manage agents groups'; $sub['godmode/groups/group_list']['id'] = 'Manage agents groups';
} }
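Review bot: `$sub2` is initialised only inside the AW branch (`$sub2 = [];` after the `if (check_acl(..., 'AW'))`), but it is read unconditionally in `$sub['godmode/servers/discovery&wiz=hd']['sub2'] = $sub2;` for every user admitted by the widened outer condition (AR, RR, RW as well as AW and PM). A user holding only AR or RR therefore triggers an undefined-variable notice there and gets `'sub2' => null` instead of an empty submenu. Hoist the initialisation above the AW check: `$sub2 = [];` as the first statement after the task-list entries, and drop the copy inside the AW branch. The menu is presentation only, so the per-page checks in the wizard classes remain the actual gate; this note is about the notice, not about access.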


@ -4,7 +4,14 @@ global $config;
check_login(); check_login();
if (! check_acl($config['id_user'], 0, 'AW')) { if (! check_acl($config['id_user'], 0, 'AR')
&& ! check_acl($config['id_user'], 0, 'AW')
&& ! check_acl($config['id_user'], 0, 'AM')
&& ! check_acl($config['id_user'], 0, 'RR')
&& ! check_acl($config['id_user'], 0, 'RW')
&& ! check_acl($config['id_user'], 0, 'RM')
&& ! check_acl($config['id_user'], 0, 'PM')
) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access Server Management' 'Trying to access Server Management'
@ -134,11 +141,18 @@ if ($classname_selected === null) {
$classname = basename($classpath, '.class.php'); $classname = basename($classpath, '.class.php');
$obj = new $classname(); $obj = new $classname();
$button = $obj->load();
if ($button === false) {
// No acess, skip.
continue;
}
// DiscoveryTaskList must be first button. // DiscoveryTaskList must be first button.
if ($classname == 'DiscoveryTaskList') { if ($classname == 'DiscoveryTaskList') {
array_unshift($wiz_data, $obj->load()); array_unshift($wiz_data, $button);
} else { } else {
$wiz_data[] = $obj->load(); $wiz_data[] = $button;
} }
} }
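Review bot: The widened entry check (`! check_acl(... 'AR') && ... && ! check_acl(... 'PM')`) now admits any user holding one of seven flags, so the only effective gate on what is listed is each wizard's `load()` returning `false` in the second hunk; that intent deserves a comment at the top of the file, e.g. `// Coarse gate only: every wizard enforces its own ACL in load()/run().` The skip in the second hunk relies on every wizard returning exactly `false`; `if (! is_array($button)) { continue; }` would also skip a `null` or otherwise malformed result from a wizard that does not override the base `load()`. The loop that instantiates `$classname` starts outside the hunk.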


@ -200,7 +200,7 @@ class DiscoveryTaskList extends Wizard
{ {
global $config; global $config;
if (! check_acl($config['id_user'], 0, 'PM')) { if (! check_acl($config['id_user'], 0, 'AW')) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access recon task viewer' 'Trying to access recon task viewer'
@ -241,7 +241,7 @@ class DiscoveryTaskList extends Wizard
{ {
global $config; global $config;
if (! check_acl($config['id_user'], 0, 'PM')) { if (!$this->aclMulticheck('RR|RW|RM|PM')) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access recon task viewer' 'Trying to access recon task viewer'
@ -270,7 +270,7 @@ class DiscoveryTaskList extends Wizard
{ {
global $config; global $config;
if (! check_acl($config['id_user'], 0, 'PM')) { if (! check_acl($config['id_user'], 0, 'RM')) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access recon task viewer' 'Trying to access recon task viewer'
@ -313,13 +313,9 @@ class DiscoveryTaskList extends Wizard
check_login(); check_login();
if (! check_acl($config['id_user'], 0, 'PM')) { if (!$this->aclMulticheck('AR|AW|AM')) {
db_pandora_audit( // Tasklist are allowed only of agent managers.
'ACL Violation', return '';
'Trying to access recon task viewer'
);
include 'general/noaccess.php';
return false;
} }
// Get all discovery servers. // Get all discovery servers.
@ -341,7 +337,7 @@ class DiscoveryTaskList extends Wizard
// -------------------------------- // --------------------------------
// FORCE A RECON TASK // FORCE A RECON TASK
// -------------------------------- // --------------------------------
if (check_acl($config['id_user'], 0, 'PM')) { if (check_acl($config['id_user'], 0, 'AW')) {
if (isset($_GET['force'])) { if (isset($_GET['force'])) {
$id = (int) get_parameter_get('force', 0); $id = (int) get_parameter_get('force', 0);
servers_force_recon_task($id); servers_force_recon_task($id);
@ -387,8 +383,10 @@ class DiscoveryTaskList extends Wizard
// Operations. // Operations.
$table->headstyle[9] .= 'min-width: 150px; width: 150px;'; $table->headstyle[9] .= 'min-width: 150px; width: 150px;';
if (check_acl($config['id_user'], 0, 'AW')) {
$table->head[0] = __('Force'); $table->head[0] = __('Force');
$table->align[0] = 'left'; $table->align[0] = 'left';
}
$table->head[1] = __('Task name'); $table->head[1] = __('Task name');
$table->align[1] = 'left'; $table->align[1] = 'left';
@ -455,11 +453,13 @@ class DiscoveryTaskList extends Wizard
} }
if ($task['disabled'] == 0 && $server_name !== '') { if ($task['disabled'] == 0 && $server_name !== '') {
if (check_acl($config['id_user'], 0, 'AW')) {
$data[0] = '<a href="'.ui_get_full_url( $data[0] = '<a href="'.ui_get_full_url(
'index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=tasklist&server_id='.$id_server.'&force='.$task['id_rt'] 'index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=tasklist&server_id='.$id_server.'&force='.$task['id_rt']
).'">'; ).'">';
$data[0] .= html_print_image('images/target.png', true, ['title' => __('Force')]); $data[0] .= html_print_image('images/target.png', true, ['title' => __('Force')]);
$data[0] .= '</a>'; $data[0] .= '</a>';
}
} else if ($task['disabled'] == 2) { } else if ($task['disabled'] == 2) {
$data[0] = ui_print_help_tip( $data[0] = ui_print_help_tip(
__('This task has not been completely defined, please edit it'), __('This task has not been completely defined, please edit it'),
@ -622,6 +622,7 @@ class DiscoveryTaskList extends Wizard
&& $task['type'] != DISCOVERY_APP_ORACLE && $task['type'] != DISCOVERY_APP_ORACLE
&& $task['type'] != DISCOVERY_CLOUD_AWS_RDS && $task['type'] != DISCOVERY_CLOUD_AWS_RDS
) { ) {
if (check_acl($config['id_user'], 0, 'MR')) {
$data[9] .= '<a href="#" onclick="show_map('.$task['id_rt'].',\''.$task['name'].'\')">'; $data[9] .= '<a href="#" onclick="show_map('.$task['id_rt'].',\''.$task['name'].'\')">';
$data[9] .= html_print_image( $data[9] .= html_print_image(
'images/dynamic_network_icon.png', 'images/dynamic_network_icon.png',
@ -629,11 +630,12 @@ class DiscoveryTaskList extends Wizard
); );
$data[9] .= '</a>'; $data[9] .= '</a>';
} }
}
if (check_acl( if (check_acl(
$config['id_user'], $config['id_user'],
$task['id_group'], $task['id_group'],
'PM' 'AW'
) )
) { ) {
if ($ipam === true) { if ($ipam === true) {
@ -733,6 +735,16 @@ class DiscoveryTaskList extends Wizard
{ {
if ($script !== false) { if ($script !== false) {
switch ($script['type']) { switch ($script['type']) {
case DISCOVERY_SCRIPT_APP_VMWARE:
return 'wiz=app&mode=vmware&page=0';
case DISCOVERY_SCRIPT_IPAM_RECON:
return '';
case DISCOVERY_SCRIPT_IPMI_RECON:
default:
return 'wiz=hd&mode=customnetscan';
case DISCOVERY_SCRIPT_CLOUD_AWS: case DISCOVERY_SCRIPT_CLOUD_AWS:
switch ($task['type']) { switch ($task['type']) {
case DISCOVERY_CLOUD_AWS_EC2: case DISCOVERY_CLOUD_AWS_EC2:
@ -744,16 +756,6 @@ class DiscoveryTaskList extends Wizard
default: default:
return 'wiz=cloud'; return 'wiz=cloud';
} }
case DISCOVERY_SCRIPT_APP_VMWARE:
return 'wiz=app&mode=vmware&page=0';
case DISCOVERY_SCRIPT_IPAM_RECON:
return '';
case DISCOVERY_SCRIPT_IPMI_RECON:
default:
return 'wiz=hd&mode=customnetscan';
} }
} }
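Review bot: The force path (`if (check_acl($config['id_user'], 0, 'AW'))` followed by `$id = (int) get_parameter_get('force', 0); servers_force_recon_task($id);`) takes the task id from the request and checks AW against group 0 only, whereas the link that leads here is rendered per task with `check_acl($config['id_user'], $task['id_group'], 'AW')`; assuming group 0 here means "permission in any group", a user with AW in one group can force tasks belonging to other groups by supplying the id directly. Resolve the task's group before acting and check it, e.g. `if (check_acl($config['id_user'], $task_group, 'AW')) { servers_force_recon_task($id); }` where `$task_group` is read from the task row (the lookup helper is not visible in this hunk). The same group-0 scope applies to the `'AW'` and `'RM'` checks in the first and third hunks, whose enclosing methods start outside the hunks. Separately, the comment `// Tasklist are allowed only of agent managers.` reads better as `// Task list is shown only to agent managers (AR|AW|AM).`.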


@ -87,6 +87,7 @@ class HostDevices extends Wizard
) { ) {
$this->setBreadcrum([]); $this->setBreadcrum([]);
$this->access = 'AW';
$this->task = []; $this->task = [];
$this->msg = $msg; $this->msg = $msg;
$this->icon = $icon; $this->icon = $icon;
@ -100,6 +101,32 @@ class HostDevices extends Wizard
} }
/**
* Checks if environment is ready,
* returns array
* icon: icon to be displayed
* label: label to be displayed
*
* @return array With data.
**/
public function load()
{
global $config;
// Check access.
check_login();
if (! $this->aclMulticheck('AW|PM')) {
return false;
}
return [
'icon' => $this->icon,
'label' => $this->label,
'url' => $this->url,
];
}
/** /**
* Run wizard manager. * Run wizard manager.
* *
@ -116,6 +143,8 @@ class HostDevices extends Wizard
if ($mode === null) { if ($mode === null) {
$buttons = []; $buttons = [];
if (check_acl($config['id_user'], 0, $this->access)) {
$buttons[] = [ $buttons[] = [
'url' => $this->url.'&mode=netscan', 'url' => $this->url.'&mode=netscan',
'icon' => 'images/wizard/netscan.png', 'icon' => 'images/wizard/netscan.png',
@ -141,12 +170,15 @@ class HostDevices extends Wizard
'icon' => '/images/wizard/customnetscan.png', 'icon' => '/images/wizard/customnetscan.png',
'label' => __('Custom NetScan'), 'label' => __('Custom NetScan'),
]; ];
}
if (check_acl($config['id_user'], 0, 'PM')) {
$buttons[] = [ $buttons[] = [
'url' => $this->url.'&mode=managenetscanscripts', 'url' => $this->url.'&mode=managenetscanscripts',
'icon' => '/images/wizard/managenetscanscripts.png', 'icon' => '/images/wizard/managenetscanscripts.png',
'label' => __('Manage NetScan scripts'), 'label' => __('Manage NetScan scripts'),
]; ];
}
$this->prepareBreadcrum( $this->prepareBreadcrum(
[ [
@ -311,11 +343,11 @@ class HostDevices extends Wizard
) { ) {
// Default values, no data received. // Default values, no data received.
// User is accesing directly to this page. // User is accesing directly to this page.
if (users_is_admin() !== true && check_acl( if (check_acl(
$config['id_usuario'], $config['id_usuario'],
$this->task['id_group'], $this->task['id_group'],
'PM' $this->access
) !== true ) != true
) { ) {
$this->msg = __('You have no access to edit this task.'); $this->msg = __('You have no access to edit this task.');
return false; return false;
@ -487,7 +519,7 @@ class HostDevices extends Wizard
check_login(); check_login();
if (! check_acl($config['id_user'], 0, 'PM')) { if (! check_acl($config['id_user'], 0, $this->access)) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access Agent Management' 'Trying to access Agent Management'
@ -529,11 +561,11 @@ class HostDevices extends Wizard
// Check ACL. If user is not able to manage target task, // Check ACL. If user is not able to manage target task,
// redirect him to main page. // redirect him to main page.
if (users_is_admin() !== true && check_acl( if (check_acl(
$config['id_usuario'], $config['id_usuario'],
$this->task['id_group'], $this->task['id_group'],
'PM' $this->access
) !== true ) != true
) { ) {
$form['form']['action'] = $this->url.'&mode=netscan&page='.($this->page - 1); $form['form']['action'] = $this->url.'&mode=netscan&page='.($this->page - 1);
} }
@ -750,7 +782,7 @@ class HostDevices extends Wizard
[ [
'name' => 'id_group', 'name' => 'id_group',
'returnAllGroup' => false, 'returnAllGroup' => false,
'privilege' => 'PM', 'privilege' => $this->access,
'type' => 'select_groups', 'type' => 'select_groups',
'selected' => $this->task['id_group'], 'selected' => $this->task['id_group'],
'return' => true, 'return' => true,
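Review bot: The two per-task checks still pass `$config['id_usuario']` while the rest of this file uses `$config['id_user']` (see `check_acl($config['id_user'], 0, $this->access)` later in the same file) and the parallel CustomNetScan change in this commit switched to `id_user`; if `id_usuario` is not populated, `check_acl` is evaluated for a null user and the result depends on how it treats an unknown id, which is not visible here. Change both call sites to `$config['id_user'],`. The rewritten condition `) != true` is a loose comparison on an integer-returning check; the form used elsewhere in the file, `if (! check_acl($config['id_user'], $this->task['id_group'], $this->access)) {`, is clearer and equivalent for 0/1 results. Both enclosing methods start outside their hunks.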


@ -87,6 +87,13 @@ class Wizard
*/ */
public $msg; public $msg;
/**
* Defines access level to use this util.
*
* @var string
*/
public $access = 'AR';
/** /**
* Setter for breadcrum * Setter for breadcrum
@ -234,6 +241,42 @@ class Wizard
public function run() public function run()
{ {
ui_require_css_file('wizard'); ui_require_css_file('wizard');
// Check access.
check_login();
if (! $this->aclMulticheck()) {
return;
}
}
/**
* Check multiple acl perms.
*
* @param string $access Access in PM|AR|RR format. Optional.
*
* @return boolean Alowed or not.
*/
public function aclMulticheck($access=null)
{
global $config;
if (isset($access)) {
$perms = explode('|', $access);
} else {
$perms = explode('|', $this->access);
}
$allowed = false;
foreach ($perms as $perm) {
$allowed = $allowed || (bool) check_acl(
$config['id_user'],
0,
$perm
);
}
return $allowed;
} }
@ -247,6 +290,14 @@ class Wizard
**/ **/
public function load() public function load()
{ {
global $config;
// Check access.
check_login();
if (! $this->aclMulticheck()) {
return false;
}
return [ return [
'icon' => $this->icon, 'icon' => $this->icon,
'label' => $this->label, 'label' => $this->label,
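Review bot: The base default `public $access = 'AR';` is fail-open: any subclass that forgets to set `$this->access` is listed by `load()` and executed by `run()` for every user with read-only agent permission, and nothing in the class forces subclasses to override it. Either make the default the most restrictive value the console uses (`public $access = 'PM';`) so an omission fails closed, or at least state in the docblock that every concrete wizard must assign it in its constructor. `aclMulticheck()` evaluates each flag with `check_acl($config['id_user'], 0, $perm)`, i.e. against group 0 rather than a task's group, so it can only serve as a coarse gate; a `@param` line saying so would prevent callers from treating it as a per-object check. The new early `return;` in `run()` also skips the `db_pandora_audit('ACL Violation', ...)` entry that the per-wizard checks write, so denied attempts at this level leave no audit trail.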


@ -65,6 +65,8 @@ class CustomNetScan extends Wizard
$this->url = ui_get_full_url( $this->url = ui_get_full_url(
'index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd' 'index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd'
); );
$this->access = 'AW';
$this->page = $page; $this->page = $page;
$this->breadcrum = $breadcrum; $this->breadcrum = $breadcrum;
} }
@ -77,6 +79,8 @@ class CustomNetScan extends Wizard
*/ */
public function parseNetScan() public function parseNetScan()
{ {
global $config;
if (isset($this->page) === true && $this->page === 0) { if (isset($this->page) === true && $this->page === 0) {
// Check if we're updating a task. // Check if we're updating a task.
$task_id = get_parameter('task', null); $task_id = get_parameter('task', null);
@ -145,11 +149,11 @@ class CustomNetScan extends Wizard
) { ) {
// Default values, no data received. // Default values, no data received.
// User is accesing directly to this page. // User is accesing directly to this page.
if (users_is_admin() !== true && check_acl( if (check_acl(
$config['id_usuario'], $config['id_user'],
$this->task['id_group'], $this->task['id_group'],
'PM' $this->access
) !== true ) != true
) { ) {
$this->msg = __('You have no access to edit this task.'); $this->msg = __('You have no access to edit this task.');
return false; return false;
@ -275,7 +279,7 @@ class CustomNetScan extends Wizard
{ {
global $config; global $config;
if (!check_acl($config['id_user'], 0, 'PM')) { if (!check_acl($config['id_user'], 0, $this->access)) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access Custom Net Scan.' 'Trying to access Custom Net Scan.'
@ -317,11 +321,11 @@ class CustomNetScan extends Wizard
// Check ACL. If user is not able to manage target task, // Check ACL. If user is not able to manage target task,
// redirect him to main page. // redirect him to main page.
if (users_is_admin() !== true && check_acl( if (check_acl(
$config['id_usuario'], $config['id_user'],
$this->task['id_group'], $this->task['id_group'],
'PM' $this->access
) !== true ) != true
) { ) {
$form['form']['action'] = $this->url.'&mode=customnetscan&page='.($this->page - 1); $form['form']['action'] = $this->url.'&mode=customnetscan&page='.($this->page - 1);
} }
@ -496,7 +500,7 @@ class CustomNetScan extends Wizard
'arguments' => [ 'arguments' => [
'name' => 'id_group', 'name' => 'id_group',
'returnAllGroup' => false, 'returnAllGroup' => false,
'privilege' => 'PM', 'privilege' => $this->access,
'type' => 'select_groups', 'type' => 'select_groups',
'selected' => $this->task['id_group'], 'selected' => $this->task['id_group'],
'return' => true, 'return' => true,
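Review bot: `) != true` in the two per-task checks is a loose comparison against an integer result, and it differs from the strict form `!check_acl($config['id_user'], 0, $this->access)` used in the same file a few lines later; `if (! check_acl($config['id_user'], $this->task['id_group'], $this->access)) {` keeps one idiom throughout. The new `global $config;` in `parseNetScan()` is required by the switch to `$config['id_user']`, which is the correct key; HostDevices in this same commit still uses `id_usuario` and should be aligned. Both enclosing methods start outside their hunks.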


@ -65,6 +65,8 @@ class ManageNetScanScripts extends Wizard
$this->url = ui_get_full_url( $this->url = ui_get_full_url(
'index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd' 'index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd'
); );
$this->access = 'PM';
$this->page = $page; $this->page = $page;
$this->breadcrum = $breadcrum; $this->breadcrum = $breadcrum;
} }
@ -81,7 +83,7 @@ class ManageNetScanScripts extends Wizard
{ {
global $config; global $config;
if (check_acl($config['id_user'], 0, 'AW') === 0) { if (check_acl($config['id_user'], 0, $this->access) === 0) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access Net Scan Script.' 'Trying to access Net Scan Script.'