Fixed some general and ACL errors and improved some pieces of code

Downtime editor.
Some of the ACL checks added are:
-Permission check on downtime before adding an agent
-Permission check on agent before adding an agent
-Permission check on downtime before deleting an agent
-Permission check on agent before deleting an agent
-Permission check on downtime before creating or updating the downtime
-Removed the ACL check for every result item (it is done earlier, in the query)
-Permission check on the query for the agents added to the downtime

Downtime editor ajax.
Some of the ACL checks added are:
-Permission check on downtime before retrieving the modules
-Permission check on agent before retrieving the modules
-Permission check on downtime before deleting the modules
-Permission check on agent before deleting the modules
-Permission check on downtime before adding the modules
-Permission check on agent before adding the modules
(cherry picked from commit 4d43033d46)

Conflicts resolved:
	pandora_console/include/ajax/planned_downtime.ajax.php
Alejandro Gallardo Escobar 2015-07-16 13:53:57 +02:00
parent c7aabdb6f1
commit daedfa6a21
2 changed files with 302 additions and 154 deletions


@ -25,7 +25,8 @@ if (! check_acl ($config['id_user'], 0, "AW")) {
return;
}
$config["past_planned_downtimes"] = isset($config["past_planned_downtimes"]) ? $config["past_planned_downtimes"] : 1;
// Default
set_unless_defined ($config["past_planned_downtimes"], 1);
require_once ('include/functions_users.php');
@ -81,43 +82,59 @@ $id_agent = (int) get_parameter ('id_agent');
$insert_downtime_agent = (int) get_parameter ('insert_downtime_agent');
$delete_downtime_agent = (int) get_parameter ('delete_downtime_agent');
// User groups with AW permission for ACL checks
$user_groups_aw = array_keys(users_get_groups($config['id_user'], 'AW'));
// INSERT A NEW DOWNTIME_AGENT ASSOCIATION
if ($insert_downtime_agent === 1) {
// Check AW permission on downtime
$downtime_group = db_get_value('id_group', 'tplanned_downtime', 'id', $id_downtime);
if ($downtime_group === false || !in_array($downtime_group, $user_groups_aw)) {
db_pandora_audit("ACL Violation",
"Trying to access downtime scheduler");
require ("general/noaccess.php");
return;
}
$agents = (array) get_parameter ('id_agents');
$module_names = (array) get_parameter ('module');
$all_modules = false;
if (empty($module_names)) {
$all_modules = true;
}
else {
//It is empty.
if ($module_names[0] == "0")
$all_modules = true;
}
$all_modules = (empty($module_names) || in_array(0, $module_names));
$executed = db_get_value ('executed', 'tplanned_downtime', 'id', $id_downtime);
if ($executed == 1) {
// 'Is running' check
$is_running = (bool) db_get_value ('executed', 'tplanned_downtime', 'id', $id_downtime);
if ($is_running) {
ui_print_error_message(__("This elements cannot be modified while the downtime is being executed"));
}
else {
$num_agents = count($agents);
for ($a = 0; $a < $num_agents; $a++) {
$id_agente_dt = $agents[$a];
foreach ($agents as $agent_id) {
// Check AW permission on agent
$agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $agent_id);
if ($agent_group === false || !in_array($agent_group, $user_groups_aw)) {
continue;
}
$values = array(
'id_downtime' => $id_downtime,
'id_agent' => $id_agente_dt,
'id_agent' => $agent_id,
'all_modules' => $all_modules
);
$result = db_process_sql_insert('tplanned_downtime_agents', $values);
if ($result && !$all_modules) {
foreach ($module_names as $module_name) {
$module = modules_get_agentmodule_id($module_name, $id_agente_dt);
$module = modules_get_agentmodule_id($module_name, $agent_id);
if (empty($module))
continue;
$values = array(
'id_downtime' => $id_downtime,
'id_agent' => $id_agente_dt,
'id_agent' => $agent_id,
'id_agent_module' => $module["id_agente_modulo"]
);
$result = db_process_sql_insert('tplanned_downtime_modules', $values);
@ -138,8 +155,29 @@ if ($delete_downtime_agent === 1) {
$id_da = (int) get_parameter ('id_downtime_agent');
$executed = db_get_value ('executed', 'tplanned_downtime', 'id', $id_downtime);
if ($executed == 1) {
// Check AW permission on downtime
$downtime_group = db_get_value('id_group', 'tplanned_downtime', 'id', $id_downtime);
if ($downtime_group === false || !in_array($downtime_group, $user_groups_aw)) {
db_pandora_audit("ACL Violation",
"Trying to access downtime scheduler");
require ("general/noaccess.php");
return;
}
// Check AW permission on agent
$agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $id_agent);
if ($agent_group === false || !in_array($agent_group, $user_groups_aw)) {
db_pandora_audit("ACL Violation",
"Trying to access downtime scheduler");
require ("general/noaccess.php");
return;
}
// 'Is running' check
$is_running = (bool) db_get_value ('executed', 'tplanned_downtime', 'id', $id_downtime);
if ($is_running) {
ui_print_error_message(__("This elements cannot be modified while the downtime is being executed"));
}
else {
@ -158,11 +196,11 @@ if ($delete_downtime_agent === 1) {
// UPDATE OR CREATE A DOWNTIME (MAIN DATA, NOT AGENT ASSOCIATION)
if ($create_downtime || $update_downtime) {
$check = db_get_value ('name', 'tplanned_downtime', 'name', $name);
$check = (bool) db_get_value ('name', 'tplanned_downtime', 'name', $name);
$datetime_from = strtotime ($once_date_from . ' ' . $once_time_from);
$datetime_to = strtotime ($once_date_to . ' ' . $once_time_to);
$now = strtotime(date(DATE_FORMAT). ' ' . date(TIME_FORMAT));
$now = time();
if ($type_execution == 'once' && !$config["past_planned_downtimes"] && $datetime_from < $now) {
ui_print_error_message(__('Not created. Error inserting data. Start time must be higher than the current time' ));
@ -184,6 +222,15 @@ if ($create_downtime || $update_downtime) {
else {
$sql = '';
if ($create_downtime) {
// Check AW permission on new downtime
if (!in_array($id_group, $user_groups_aw)) {
db_pandora_audit("ACL Violation",
"Trying to access downtime scheduler");
require ("general/noaccess.php");
return;
}
if (trim(io_safe_output($name)) != '') {
if (!$check) {
$values = array(
@ -228,20 +275,41 @@ if ($create_downtime || $update_downtime) {
}
}
else if ($update_downtime) {
$has_been_executed = db_get_value ('executed', 'tplanned_downtime', 'name', $name);
$old_downtime = db_get_row('tplanned_downtime', 'id', $id_downtime);
// Check AW permission on OLD downtime
if (empty($old_downtime) || !in_array($old_downtime['id_group'], $user_groups_aw)) {
db_pandora_audit("ACL Violation",
"Trying to access downtime scheduler");
require ("general/noaccess.php");
return;
}
// Check AW permission on NEW downtime group
if (!in_array($id_group, $user_groups_aw)) {
db_pandora_audit("ACL Violation",
"Trying to access downtime scheduler");
require ("general/noaccess.php");
return;
}
// 'Is running' check
$is_running = (bool) $old_downtime['executed'];
$values = array();
if (trim(io_safe_output($name)) == '') {
ui_print_error_message(__('Planned downtime must have a name'));
}
else if ($has_been_executed == 1 && $type_execution == 'once') {
// When running only certain items can be modified for the 'once' type
else if ($is_running && $type_execution == 'once') {
$values = array(
'description' => $description,
'date_to' => $datetime_to,
'id_user' => $config['id_user']
);
}
else if ($has_been_executed == 1) {
ui_print_error_message(__('No updates. Planned Downtime has been executed'));
else if ($is_running) {
ui_print_error_message(__('Cannot be modified while the downtime is being executed'));
}
else {
$values = array(
@ -354,11 +422,16 @@ if ($id_downtime > 0) {
break;
}
$groupsAW = users_get_groups($config['id_user'], 'AW', true, false, null, 'id_grupo');
$groupsAW = array_keys($groupsAW);
$result = db_get_row_sql ($sql);
// Permission check for the downtime with the AW user groups
if (empty($result) || !in_array($result['id_group'], $user_groups_aw) ){
db_pandora_audit("ACL Violation",
"Trying to access downtime scheduler");
require ("general/noaccess.php");
return;
}
$name = (string) $result["name"];
$id_group = (int) $result['id_group'];
@ -386,18 +459,11 @@ if ($id_downtime > 0) {
$saturday = (bool) $result['saturday'];
$sunday = (bool) $result['sunday'];
$executed = (bool) $result['executed'];
if ( !in_array($id_group, $groupsAW) ){
db_pandora_audit("ACL Violation",
"Trying to access downtime scheduler");
require ("general/noaccess.php");
return;
}
$running = (bool) $result['executed'];
}
// when the planned downtime is in execution, only action to postpone on once type is enabled and the other are disabled.
$disabled_in_execution = $executed ? 1 : 0;
$disabled_in_execution = (int) $running;
$table = new StdClass();
$table->class = 'databox filters';
@ -564,42 +630,42 @@ if ($id_downtime > 0) {
// Show available agents to include into downtime
echo '<h4>' . __('Available agents') . ':</h4>';
$filter_group = get_parameter("filter_group", 0);
$filter_group = (int) get_parameter("filter_group", 0);
$groupsAW = users_get_groups($config['id_user'], 'AW', true, false, null, 'id_grupo');
$groupsAW = array_keys($groupsAW);
$id_groups_list = implode(",", $groupsAW);
// User AW groups to str for the filter
$id_groups_str = implode(",", $user_groups_aw);
if (empty($id_groups_list)){
$id_groups_list = -1;
if (empty($id_groups_str)) {
// Restrictive filter on error. This will filter all the downtimes
$id_groups_str = '-1';
}
$filter_cond = '';
if ($filter_group > 0)
$filter_cond = " AND id_grupo = $filter_group ";
$sql = sprintf ("SELECT tagente.id_agente, tagente.nombre,
tagente.id_grupo
$sql = sprintf("SELECT tagente.id_agente, tagente.nombre
FROM tagente
WHERE tagente.id_agente NOT IN (
SELECT tagente.id_agente
FROM tagente, tplanned_downtime_agents
WHERE tplanned_downtime_agents.id_agent = tagente.id_agente
AND tplanned_downtime_agents.id_downtime = %d
) AND disabled = 0 $filter_cond
) AND disabled = 0 %s
AND tagente.id_grupo IN (%s)
ORDER by tagente.nombre", $id_downtime, $id_groups_list);
$downtimes = db_get_all_rows_sql ($sql);
$data = array ();
if ($downtimes) {
foreach ($downtimes as $downtime) {
if (check_acl ($config["id_user"], $downtime['id_grupo'], "AW")) {
$data[$downtime['id_agente']] = $downtime['nombre'];
}
}
}
ORDER BY tagente.nombre", $id_downtime, $filter_cond, $id_groups_str);
$agents = db_get_all_rows_sql ($sql);
if (empty($agents))
$agents = array();
$agent_ids = extract_column($agents, 'id_agente');
$agent_names = extract_column($agents, 'nombre');
// item[<id>] = <name>;
$agents = array_combine($agent_ids, $agent_names);
if ($agents === false)
$agents = array();
$disabled_add_button = false;
if (empty($data) || $disabled_in_execution) {
if (empty($agents) || $disabled_in_execution) {
$disabled_add_button = true;
}
@ -613,7 +679,7 @@ if ($id_downtime > 0) {
echo "<form method=post action='index.php?sec=estado&sec2=godmode/agentes/planned_downtime.editor&insert_downtime_agent=1&id_downtime=$id_downtime'>";
echo html_print_select ($data, "id_agents[]", '', '', '', 0, false, true, true, '', false, 'width: 180px;');
echo html_print_select ($agents, "id_agents[]", '', '', '', 0, false, true, true, '', false, 'width: 180px;');
echo '<h4>' . __('Available modules:') .
ui_print_help_tip (__('Only for type Quiet for downtimes.'), true) . '</h4>';
@ -631,17 +697,20 @@ if ($id_downtime > 0) {
//Start Overview of existing planned downtime
echo '<h4>'.__('Agents planned for this downtime').':</h4>';
$sql = sprintf ("SELECT tagente.nombre, tplanned_downtime_agents.id,
tagente.id_os, tagente.id_agente, tagente.id_grupo,
tagente.ultimo_contacto, tplanned_downtime_agents.all_modules
FROM tagente, tplanned_downtime_agents
WHERE tplanned_downtime_agents.id_agent = tagente.id_agente
AND tplanned_downtime_agents.id_downtime = %d ", $id_downtime);
// User the $id_groups_str built before
$sql = sprintf("SELECT ta.nombre, tpda.id,
ta.id_os, ta.id_agente, ta.id_grupo,
ta.ultimo_contacto, tpda.all_modules
FROM tagente ta
INNER JOIN tplanned_downtime_agents tpda
ON ta.id_agente = tpda.id_agent
AND tpda.id_downtime = %d
WHERE ta.id_grupo IN (%s)",
$id_downtime, $id_groups_str);
$downtimes_agents = db_get_all_rows_sql ($sql);
$downtimes = db_get_all_rows_sql ($sql);
if ($downtimes === false) {
echo '<div class="nf">' .
__('There are no scheduled downtimes') . '</div>';
if (empty($downtimes_agents)) {
echo '<div class="nf">' . __('There are no agents') . '</div>';
}
else {
$table = new stdClass();
@ -656,24 +725,24 @@ if ($id_downtime > 0) {
$table->head[3] = __('Last contact');
$table->head['count_modules'] = __('Modules');
if (!$executed) {
if (!$running) {
$table->head[5] = __('Actions');
$table->align[5] = "center";
$table->size[5] = "5%";
}
foreach ($downtimes as $downtime) {
foreach ($downtimes_agents as $downtime_agent) {
$data = array ();
$data[0] = $downtime['nombre'];
$data[0] = $downtime_agent['nombre'];
$data[1] = db_get_sql ("SELECT nombre
FROM tgrupo
WHERE id_grupo = " . $downtime["id_grupo"]);
WHERE id_grupo = " . $downtime_agent["id_grupo"]);
$data[2] = ui_print_os_icon($downtime["id_os"], true, true);
$data[2] = ui_print_os_icon($downtime_agent["id_os"], true, true);
$data[3] = $downtime["ultimo_contacto"];
$data[3] = $downtime_agent["ultimo_contacto"];
if ($type_downtime == 'disable_agents_alerts') {
$data['count_modules'] = __("All alerts");
@ -682,7 +751,7 @@ if ($id_downtime > 0) {
$data['count_modules'] = __("Entire agent");
}
else {
if ($downtime["all_modules"]) {
if ($downtime_agent["all_modules"]) {
$data['count_modules'] = __("All modules");
}
else {
@ -690,19 +759,19 @@ if ($id_downtime > 0) {
}
}
if (!$executed) {
if (!$running) {
$data[5] = '';
if ($type_downtime != 'disable_agents_alerts' && $type_downtime != 'disable_agents') {
$data[5] = '<a href="javascript:show_editor_module(' . $downtime["id_agente"] . ');">' .
$data[5] = '<a href="javascript:show_editor_module(' . $downtime_agent["id_agente"] . ');">' .
html_print_image("images/config.png", true, array("border" => '0', "alt" => __('Delete'))) . "</a>";
}
$data[5] .= '<a href="index.php?sec=estado&amp;sec2=godmode/agentes/planned_downtime.editor&id_agent=' . $downtime["id_agente"] .
'&delete_downtime_agent=1&id_downtime_agent=' . $downtime["id"] . '&id_downtime=' . $id_downtime . '">' .
$data[5] .= '<a href="index.php?sec=estado&amp;sec2=godmode/agentes/planned_downtime.editor&id_agent=' . $downtime_agent["id_agente"] .
'&delete_downtime_agent=1&id_downtime_agent=' . $downtime_agent["id"] . '&id_downtime=' . $id_downtime . '">' .
html_print_image("images/cross.png", true, array("border" => '0', "alt" => __('Delete'))) . "</a>";
}
$table->data['agent_' . $downtime["id_agente"]] = $data;
$table->data['agent_' . $downtime_agent["id_agente"]] = $data;
}
html_print_table ($table);
}
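Review bot: In the insert branch an agent the user lacks AW on is silently dropped by the `continue` after the agent permission check, while the same situation in the delete branch is audited as an ACL Violation and denied; the two paths should agree, at minimum by recording the skip with `db_pandora_audit("ACL Violation", "Trying to add agent $agent_id to downtime $id_downtime");` before the `continue` and by telling the user that some selected agents were not added. In the delete branch the permission checks read `$id_agent` and `$id_downtime` from the request while the row to remove is selected by `$id_da`; if the deletion further down (outside the hunk) is keyed on `$id_da` alone, the association row should be loaded first and its own `id_agent`/`id_downtime` used for the checks, so the identifiers that were verified and the row that is deleted cannot differ. Two comments are also off: `// Restrictive filter on error. This will filter all the downtimes` guards the available-agents query, so "agents" is meant, and `// User the $id_groups_str built before` should read `// Use the $id_groups_str built before`.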


@ -17,11 +17,17 @@
include_once($config['homedir'] . "/include/functions_io.php");
include_once($config['homedir'] . "/include/functions_db.php");
include_once($config['homedir'] . "/include/functions_modules.php");
include_once($config['homedir'] . "/include/functions_groups.php");
ob_clean();
$get_modules_downtime = (bool)get_parameter('get_modules_downtime', 0);
$delete_module_from_downtime = (bool)get_parameter('delete_module_from_downtime', 0);
$add_module_into_downtime = (bool)get_parameter('add_module_into_downtime', 0);
// User groups with AW permission for ACL checks
$user_groups_aw = array_keys(users_get_groups($config['id_user'], 'AW'));
if ($get_modules_downtime) {
$return = array();
$return['correct'] = 1;
@ -32,34 +38,54 @@ if ($get_modules_downtime) {
$id_downtime = (int) get_parameter('id_downtime', 0);
$none_value = (bool) get_parameter('none_value', false);
$rows = db_get_all_rows_filter('tplanned_downtime_modules',
array('id_agent' => $id_agent, 'id_downtime' => $id_downtime));
if (empty($rows))
$rows = array();
$id_modules_downtime = array();
foreach ($rows as $row) {
$id_modules_downtime[$row['id_agent_module']] = true;
// Check AW permission on downtime
$downtime_group = db_get_value('id_group', 'tplanned_downtime', 'id', $id_downtime);
if ($downtime_group === false || !in_array($downtime_group, $user_groups_aw)) {
$return['correct'] = 0;
echo json_encode($return);
return;
}
$modules = db_get_all_rows_filter('tagente_modulo', array('id_agente' => $id_agent));
// Check AW permission on agent
$agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $id_agent);
if ($agent_group === false || !in_array($agent_group, $user_groups_aw)) {
$return['correct'] = 0;
echo json_encode($return);
return;
}
$filter = array(
'id_agent' => $id_agent,
'id_downtime' => $id_downtime
);
$downtime_modules = db_get_all_rows_filter('tplanned_downtime_modules', $filter);
if (empty($downtime_modules))
$downtime_modules = array();
$downtime_module_ids = extract_column($downtime_modules, 'id_agent_module');
$downtime_modules = array_fill_keys($downtime_module_ids, true);
$filter = array(
'id_agente' => $id_agent
);
$modules = db_get_all_rows_filter('tagente_modulo', $filter);
if (empty($modules))
$modules = array();
foreach ($modules as $module) {
if (empty($id_modules_downtime[$module['id_agente_modulo']])) {
$return['in_agent'][$module['id_agente_modulo']] = io_safe_output($module['nombre']);
}
else {
$return['in_downtime'][$module['id_agente_modulo']] = io_safe_output($module['nombre']);
}
}
$module_ids = extract_column($modules, 'id_agente_modulo');
$module_names = extract_column($modules, 'nombre');
$modules = array_combine($module_ids, $module_names);
if ($none_value) {
$return['in_downtime'] = array_intersect_key($modules, $downtime_modules);
$return['in_agent'] = array_diff($modules, $return['in_downtime']);
if ($none_value)
$return['in_agent'][0] = __('None');
}
echo json_encode($return);
exit;
return;
}
if ($delete_module_from_downtime) {
@ -70,36 +96,63 @@ if ($delete_module_from_downtime) {
$id_module = (int) get_parameter('id_module', 0);
$id_downtime = (int) get_parameter('id_downtime', 0);
$id_agent = db_get_value('id_agente', 'tagente_modulo', 'id_agente_modulo', $id_module);
$row = db_get_row_filter('tplanned_downtime_modules',
array('id_agent_module' => $id_module,
'id_downtime' => $id_downtime));
$return['id_agent'] = $row['id_agent'];
// Check AW permission on downtime
$downtime_group = db_get_value('id_group', 'tplanned_downtime', 'id', $id_downtime);
$result = db_process_sql_delete('tplanned_downtime_modules',
array('id_downtime' => $id_downtime,
'id_agent_module' => $id_module));
if ($downtime_group === false || !in_array($downtime_group, $user_groups_aw)) {
$return['correct'] = 0;
echo json_encode($return);
return;
}
// Check AW permission on agent
$agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $id_agent);
if ($id_agent === false || $agent_group === false || !in_array($agent_group, $user_groups_aw)) {
$return['correct'] = 0;
echo json_encode($return);
return;
}
$is_running = db_get_value ('executed', 'tplanned_downtime', 'id', $id_downtime);
if ($is_running) {
$return['executed'] = 1;
echo json_encode($return);
return;
}
$return['id_agent'] = $id_agent;
$filter = array(
'id_agent_module' => $id_module,
'id_downtime' => $id_downtime
);
$result = db_process_sql_delete('tplanned_downtime_modules', $filter);
if ($result) {
$rows = db_get_all_rows_filter('tplanned_downtime_modules',
array('id_downtime' => $id_downtime,
'id_agent' => $row['id_agent']));
db_clean_cache();
$filter = array(
'id_agent' => $id_agent,
'id_downtime' => $id_downtime
);
$rows = db_get_all_rows_filter('tplanned_downtime_modules', $filter);
if (empty($rows)) {
db_process_sql_update('tplanned_downtime_agents',
array('all_modules' => 1),
array('id_agent' => $row['id_agent'],
'id_downtime' => $id_downtime));
$values = array('all_modules' => 1);
db_process_sql_update('tplanned_downtime_agents', $values, $filter);
$return['all_modules'] = 1;
$return['id_agent'] = $row['id_agent'];
$return['id_agent'] = $id_agent;
}
$return['correct'] = 1;
}
echo json_encode($return);
exit;
return;
}
if ($add_module_into_downtime) {
@ -111,6 +164,31 @@ if ($add_module_into_downtime) {
$id_module = (int) get_parameter('id_module', 0);
$id_downtime = (int) get_parameter('id_downtime', 0);
// Check AW permission on downtime
$downtime_group = db_get_value('id_group', 'tplanned_downtime', 'id', $id_downtime);
if ($downtime_group === false || !in_array($downtime_group, $user_groups_aw)) {
$return['correct'] = 0;
echo json_encode($return);
return;
}
// Check AW permission on agent
$agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $id_agent);
if ($agent_group === false || !in_array($agent_group, $user_groups_aw)) {
$return['correct'] = 0;
echo json_encode($return);
return;
}
$is_running = db_get_value ('executed', 'tplanned_downtime', 'id', $id_downtime);
if ($is_running) {
$return['executed'] = 1;
echo json_encode($return);
return;
}
$values = array();
$values['id_agent'] = $id_agent;
$values['id_agent_module'] = $id_module;
@ -130,6 +208,7 @@ if ($add_module_into_downtime) {
}
echo json_encode($return);
exit;
return;
}
?>
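Review bot: `$return['in_agent'] = array_diff($modules, $return['in_downtime']);` compares the array values, i.e. module names, so a module whose name equals one already in the downtime disappears from the `in_agent` list even though its id differs; the split is by id, so it should be `$return['in_agent'] = array_diff_key($modules, $downtime_modules);`. In the add branch the AW check runs on the request's `$id_agent` (assigned above the hunk) but the inserted `$values` pair it with an arbitrary `$id_module`; the delete branch already derives the agent from the module with `db_get_value('id_agente', 'tagente_modulo', 'id_agente_modulo', $id_module)`, and the add branch should do the same, or reject the request when the module's `id_agente` differs from `$id_agent`, so the permission verified is the one on the module's real agent. Unlike the editor, the ACL failures in all three branches here only set `$return['correct'] = 0` with no `db_pandora_audit` call, so denied ajax requests leave no trace; adding the same "ACL Violation" audit entry would keep the two files consistent.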