Backend changes
This commit is contained in:
José González
parent
b175ffbd3a
commit
ded27ce411
|
|
@ -14,7 +14,7 @@
|
|||
* |___| |___._|__|__|_____||_____|__| |___._| |___| |__|_|__|_______|
|
||||
*
|
||||
* ============================================================================
|
||||
* Copyright (c) 2005-2021 Artica Soluciones Tecnologicas
|
||||
* Copyright (c) 2005-2022 Artica Soluciones Tecnologicas
|
||||
* Please see http://pandorafms.org for full contribution list
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
|
|
@ -74,6 +74,7 @@ $password = get_parameter('pass', '');
|
|||
$user = get_parameter('user', '');
|
||||
$info = get_parameter('info', '');
|
||||
$raw_decode = (bool) get_parameter('raw_decode', false);
|
||||
$apiToken = (string) get_parameter('token');
|
||||
|
||||
$other = parseOtherParameter($otherSerialize, $otherMode, $raw_decode);
|
||||
$apiPassword = io_output_password(
|
||||
|
|
@ -84,6 +85,7 @@ $apiPassword = io_output_password(
|
|||
)
|
||||
);
|
||||
|
||||
$apiTokenValid = (isset($_GET['token']) === true && (bool) api_token_check($apiToken));
|
||||
$correctLogin = false;
|
||||
$no_login_msg = '';
|
||||
|
||||
|
|
@ -94,8 +96,8 @@ ob_clean();
|
|||
// Special call without checks to retrieve version and build of the Pandora FMS
|
||||
// This info is avalable from the web console without login
|
||||
// Don't change the format, it is parsed by applications.
|
||||
if ($info == 'version') {
|
||||
if (!$config['MR']) {
|
||||
if ($info === 'version') {
|
||||
if ((bool) $config['MR'] === false) {
|
||||
$config['MR'] = 0;
|
||||
}
|
||||
|
||||
|
|
@ -105,6 +107,7 @@ if ($info == 'version') {
|
|||
|
||||
if (empty($apiPassword) === true
|
||||
|| (empty($apiPassword) === false && $api_password === $apiPassword)
|
||||
|| $apiTokenValid === true
|
||||
) {
|
||||
if (enterprise_hook('metaconsole_validate_origin', [get_parameter('server_auth')]) === true
|
||||
|| enterprise_hook('console_validate_origin', [get_parameter('server_auth')]) === true
|
||||
|
|
@ -118,7 +121,14 @@ if (empty($apiPassword) === true
|
|||
$correctLogin = true;
|
||||
} else if ((bool) isInACL($ipOrigin) === true) {
|
||||
// External access.
|
||||
$user_in_db = process_user_login($user, $password, true);
|
||||
// Token is valid. Bypass the credentials.
|
||||
if ($apiTokenValid === true) {
|
||||
$credentials = db_get_row('tusuario', 'api_token', $apiToken);
|
||||
$user = $credentials['id_user'];
|
||||
$password = $credentials['password'];
|
||||
}
|
||||
|
||||
$user_in_db = process_user_login($user, $password, true, $apiTokenValid);
|
||||
if ($user_in_db !== false) {
|
||||
$config['id_usuario'] = $user_in_db;
|
||||
// Compat.
|
||||
|
|
@ -144,19 +154,19 @@ if (empty($apiPassword) === true
|
|||
$no_login_msg = 'Incorrect given API password';
|
||||
}
|
||||
|
||||
if ($correctLogin) {
|
||||
if ($correctLogin === true) {
|
||||
if (($op !== 'get') && ($op !== 'set') && ($op !== 'help')) {
|
||||
returnError('no_set_no_get_no_help', $returnType);
|
||||
} else {
|
||||
$function_name = '';
|
||||
|
||||
// Check if is an extension function and get the function name.
|
||||
if ($op2 == 'extension') {
|
||||
if ($op2 === 'extension') {
|
||||
$extension_api_url = $config['homedir'].'/'.EXTENSIONS_DIR.'/'.$ext_name.'/'.$ext_name.'.api.php';
|
||||
// The extension API file must exist and the extension must be
|
||||
// enabled.
|
||||
if (file_exists($extension_api_url)
|
||||
&& !in_array($ext_name, extensions_get_disabled_extensions())
|
||||
if (file_exists($extension_api_url) === true
|
||||
&& in_array($ext_name, extensions_get_disabled_extensions()) === false
|
||||
) {
|
||||
include_once $extension_api_url;
|
||||
$function_name = 'apiextension_'.$op.'_'.$ext_function;
|
||||
|
|
@ -164,7 +174,7 @@ if ($correctLogin) {
|
|||
} else {
|
||||
$function_name = 'api_'.$op.'_'.$op2;
|
||||
|
||||
if ($op == 'set' && $id) {
|
||||
if ($op === 'set' && $id) {
|
||||
switch ($op2) {
|
||||
case 'update_agent':
|
||||
case 'add_module_in_conf':
|
||||
|
|
@ -173,7 +183,7 @@ if ($correctLogin) {
|
|||
$agent = agents_locate_agent($id);
|
||||
if ($agent !== false) {
|
||||
$id_os = $agent['id_os'];
|
||||
if ($id_os == 100) {
|
||||
if ((int) $id_os === 100) {
|
||||
returnError(
|
||||
'not_allowed_operation_cluster',
|
||||
$returnType
|
||||
|
|
|
|||
|
|
@ -78,7 +78,7 @@ $config['admin_can_make_admin'] = true;
|
|||
* @return mixed False in case of error or invalid credentials, the username in
|
||||
* case it's correct.
|
||||
*/
|
||||
function process_user_login($login, $pass, $api=false)
|
||||
function process_user_login($login, $pass, $api=false, $passAlreadyEncrypted=false)
|
||||
{
|
||||
global $config;
|
||||
|
||||
|
|
@ -114,10 +114,10 @@ function process_user_login($login, $pass, $api=false)
|
|||
if ($config['fallback_local_auth']
|
||||
|| is_user_admin($login)
|
||||
|| $local_user === true
|
||||
|| strtolower($config['auth']) == 'mysql'
|
||||
|| strtolower($config['auth']) === 'mysql'
|
||||
|| (bool) $user_not_login === true
|
||||
) {
|
||||
return process_user_login_local($login, $pass, $api);
|
||||
return process_user_login_local($login, $pass, $api, $passAlreadyEncrypted);
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
|
|
@ -128,88 +128,44 @@ function process_user_login($login, $pass, $api=false)
|
|||
}
|
||||
|
||||
|
||||
function process_user_login_local($login, $pass, $api=false)
|
||||
function process_user_login_local($login, $pass, $api=false, $passAlreadyEncrypted=false)
|
||||
{
|
||||
global $config, $mysql_cache;
|
||||
|
||||
// Connect to Database
|
||||
switch ($config['dbtype']) {
|
||||
case 'mysql':
|
||||
if (!$api) {
|
||||
$sql = sprintf(
|
||||
"SELECT `id_user`, `password`
|
||||
FROM `tusuario`
|
||||
WHERE `id_user` = '%s' AND `not_login` = 0
|
||||
AND `disabled` = 0",
|
||||
$login
|
||||
);
|
||||
} else {
|
||||
$sql = sprintf(
|
||||
"SELECT `id_user`, `password`
|
||||
FROM `tusuario`
|
||||
WHERE `id_user` = '%s'
|
||||
AND `disabled` = 0",
|
||||
$login
|
||||
);
|
||||
}
|
||||
break;
|
||||
|
||||
case 'postgresql':
|
||||
if (!$api) {
|
||||
$sql = sprintf(
|
||||
'SELECT "id_user", "password"
|
||||
FROM "tusuario"
|
||||
WHERE "id_user" = \'%s\' AND "not_login" = 0
|
||||
AND "disabled" = 0',
|
||||
$login
|
||||
);
|
||||
} else {
|
||||
$sql = sprintf(
|
||||
'SELECT "id_user", "password"
|
||||
FROM "tusuario"
|
||||
WHERE "id_user" = \'%s\'
|
||||
AND "disabled" = 0',
|
||||
$login
|
||||
);
|
||||
}
|
||||
break;
|
||||
|
||||
case 'oracle':
|
||||
if (!$api) {
|
||||
$sql = sprintf(
|
||||
'SELECT id_user, password
|
||||
FROM tusuario
|
||||
WHERE id_user = \'%s\' AND not_login = 0
|
||||
AND disabled = 0',
|
||||
$login
|
||||
);
|
||||
} else {
|
||||
$sql = sprintf(
|
||||
'SELECT id_user, password
|
||||
FROM tusuario
|
||||
WHERE id_user = \'%s\'
|
||||
AND disabled = 0',
|
||||
$login
|
||||
);
|
||||
}
|
||||
break;
|
||||
if ($api === false) {
|
||||
$sql = sprintf(
|
||||
"SELECT `id_user`, `password`
|
||||
FROM `tusuario`
|
||||
WHERE `id_user` = '%s' AND `not_login` = 0
|
||||
AND `disabled` = 0",
|
||||
$login
|
||||
);
|
||||
} else {
|
||||
$sql = sprintf(
|
||||
"SELECT `id_user`, `password`
|
||||
FROM `tusuario`
|
||||
WHERE `id_user` = '%s'
|
||||
AND `disabled` = 0",
|
||||
$login
|
||||
);
|
||||
}
|
||||
|
||||
$row = db_get_row_sql($sql);
|
||||
|
||||
// Check that row exists, that password is not empty and that password is the same hash
|
||||
if ($row !== false && $row['password'] !== md5('')
|
||||
&& $row['password'] == md5($pass)
|
||||
// Check that row exists, that password is not empty and that password is the same hash.
|
||||
if (($row !== false && $row['password'] !== md5('')
|
||||
&& (string) $row['password'] === md5($pass))
|
||||
|| ($passAlreadyEncrypted === true && (string) $row['password'] === (string) $pass)
|
||||
) {
|
||||
// Login OK
|
||||
// Nick could be uppercase or lowercase (select in MySQL
|
||||
// is not case sensitive)
|
||||
// We get DB nick to put in PHP Session variable,
|
||||
// to avoid problems with case-sensitive usernames.
|
||||
// Thanks to David Muñiz for Bug discovery :)
|
||||
// Thanks to David Muñiz for Bug discovery :).
|
||||
$filter = ['id_usuario' => $login];
|
||||
$user_profile = db_get_row_filter('tusuario_perfil', $filter);
|
||||
if (!users_is_admin($login) && !$user_profile) {
|
||||
if ((bool) users_is_admin($login) === false && (bool) $user_profile === false) {
|
||||
$mysql_cache['auth_error'] = 'User does not have any profile';
|
||||
$config['auth_error'] = 'User does not have any profile';
|
||||
return false;
|
||||
|
|
@ -217,7 +173,7 @@ function process_user_login_local($login, $pass, $api=false)
|
|||
|
||||
return $row['id_user'];
|
||||
} else {
|
||||
if (!user_can_login($login)) {
|
||||
if (user_can_login($login) === false) {
|
||||
$mysql_cache['auth_error'] = 'User only can use the API.';
|
||||
$config['auth_error'] = 'User only can use the API.';
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -17714,13 +17714,13 @@ function api_set_enable_disable_discovery_task($id_task, $thrash2, $other)
|
|||
*
|
||||
* @param string $token Token for check.
|
||||
*
|
||||
* @return integer Id of user. If returns 0 there is not valid token.
|
||||
* @return mixed Id of user. If returns 0 there is not valid token.
|
||||
*/
|
||||
function api_token_check(string $token)
|
||||
{
|
||||
if (empty($token) === true) {
|
||||
return 0;
|
||||
return -1;
|
||||
} else {
|
||||
return (int) db_get_value('id_user', 'tusuario', 'api_token', $token);
|
||||
return db_get_value('id_user', 'tusuario', 'api_token', $token);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -886,6 +886,7 @@ function users_get_users_group_by_group($id_group)
|
|||
*/
|
||||
function api_token_generate()
|
||||
{
|
||||
include_once 'functions_api.php';
|
||||
// Generate a cryptographically secure chain.
|
||||
$generateToken = bin2hex(openssl_random_pseudo_bytes(16));
|
||||
// Check if token exists in DB.
|
||||
|
|
@ -898,15 +899,13 @@ function api_token_generate()
|
|||
/**
|
||||
* Returns User API Token
|
||||
*
|
||||
* @param integer $idUser Id of the user.
|
||||
* @param string $idUser Id of the user.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
function users_get_API_token(int $idUser)
|
||||
function users_get_API_token(string $idUser)
|
||||
{
|
||||
$apiToken = db_get_value('api_token', 'tusuario', 'id_user', $idUser);
|
||||
|
||||
return $apiToken;
|
||||
return db_get_value('api_token', 'tusuario', 'id_user', $idUser);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue