From d17d3bd3eb07707992ad9f04a317c90e7263f6ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Su=C3=A1rez?= <felix.suarez@pandorafms.com>
Date: Tue, 11 Jul 2023 14:38:14 -0600
Subject: [PATCH] Use server UID to authorize instead of user/pass.

---
 pandora_console/include/api.php       | 14 ++++++++++++--
 pandora_server/lib/PandoraFMS/Core.pm |  6 ++----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/pandora_console/include/api.php b/pandora_console/include/api.php
index 526256e260..7ed38d638c 100644
--- a/pandora_console/include/api.php
+++ b/pandora_console/include/api.php
@@ -118,7 +118,7 @@ if ($info === 'version') {
 if (empty($apiPassword) === true
     || (empty($apiPassword) === false && $api_password === $apiPassword)
     || $apiTokenValid === true
-) {
+) {  
     if (enterprise_hook('metaconsole_validate_origin', [get_parameter('server_auth')]) === true
         || enterprise_hook('console_validate_origin', [get_parameter('server_auth')])  === true
     ) {
@@ -129,7 +129,17 @@ if (empty($apiPassword) === true
         // Compat.
         $config['id_user'] = 'admin';
         $correctLogin = true;
-    } else if ((bool) isInACL($ipOrigin) === true) {
+    // Bypass credentials if server-auth and api-pass are correct. 
+    } else if (($op === 'get') 
+        && ($config['server_unique_identifier'] === get_parameter('server_auth'))
+        && ($api_password === $apiPassword)  
+        && ((bool) isInACL($ipOrigin) === true)) {
+
+        $config['id_usuario'] = 'admin';
+        $config['id_user'] = 'admin';
+        $correctLogin = true;
+
+    } else if ((bool) isInACL($ipOrigin) === true) {   
         // External access.
         // Token is valid. Bypass the credentials.
         if ($apiTokenValid === true) {
diff --git a/pandora_server/lib/PandoraFMS/Core.pm b/pandora_server/lib/PandoraFMS/Core.pm
index c6e87003f7..c513a7816f 100644
--- a/pandora_server/lib/PandoraFMS/Core.pm
+++ b/pandora_server/lib/PandoraFMS/Core.pm
@@ -1707,8 +1707,7 @@ sub pandora_execute_action ($$$$$$$$$;$$) {
 		
 		my $params = {};
 		$params->{"apipass"} = $pa_config->{"console_api_pass"};
-		$params->{"user"} ||= $pa_config->{"console_user"};
-		$params->{"pass"} ||= $pa_config->{"console_pass"};
+		$params->{"server_auth"} = $pa_config->{"server_unique_identifier"};
 		$params->{"op"} = "set";
 		$params->{"op2"} = "send_report";
 		$params->{"other_mode"} = "url_encode_separator_|;|";
@@ -1739,8 +1738,7 @@ sub pandora_execute_action ($$$$$$$$$;$$) {
 		
 		my $params = {};
 		$params->{"apipass"} = $pa_config->{"console_api_pass"};
-		$params->{"user"} ||= $pa_config->{"console_user"};
-		$params->{"pass"} ||= $pa_config->{"console_pass"};
+		$params->{"server_auth"} = $pa_config->{"server_unique_identifier"};
 		$params->{"op"} = "set";
 		$params->{"op2"} = "send_report";
 		$params->{"other_mode"} = "url_encode_separator_|;|";