AJAXMethods);
}
/**
* Generates a JSON error.
*
* @param string $msg Error message.
*
* @return void
*/
public function error($msg)
{
echo json_encode(
['error' => $msg]
);
}
/**
* Minor function to dump json message as ajax response.
*
* @param string $type Type: result || error.
* @param string $msg Message.
* @param boolean $delete Deletion messages.
*
* @return void
*/
private function ajaxMsg($type, $msg, $delete=false)
{
if ($type === 'error') {
$msg_title = ($delete === true) ? 'Failed while removing' : 'Failed while saving';
} else {
$msg_title = ($delete === true) ? 'Successfully deleted' : 'Successfully saved into keystore';
}
echo json_encode(
[ $type => __($msg_title).':
'.$msg ]
);
exit;
}
/**
* Initializes object and validates user access.
*
* @param string $ajax_controller Path of ajaxController, is the 'page'
* variable sent in ajax calls.
*
* @return object
*/
public function __construct($ajax_controller)
{
global $config;
// Check access.
check_login();
if ((bool) check_acl($config['id_user'], 0, 'PM') === false
|| (bool) check_acl($config['id_user'], 0, 'UM') === false
) {
db_pandora_audit(
AUDIT_LOG_ACL_VIOLATION,
'Trying to access credential store'
);
if (is_ajax()) {
echo json_encode(['error' => 'noaccess']);
} else {
include 'general/noaccess.php';
}
exit;
}
$this->ajaxController = $ajax_controller;
return $this;
}
/**
* Returns an array with all the credentials matching filter and ACL.
*
* @param array $fields Fields array or 'count' keyword to retrieve count.
* @param array $filter Filters to be applied.
* @param integer $offset Offset (pagination).
* @param integer $limit Limit (pagination).
* @param string $order Sort order.
* @param string $sort_field Sort field.
*
* @return array With all results or false if error.
* @throws Exception On error.
*/
public static function getAll(
$fields,
$filter,
$offset=null,
$limit=null,
$order=null,
$sort_field=null
) {
$sql_filters = [];
$order_by = '';
$pagination = '';
global $config;
if (!is_array($filter)) {
error_log('[credential_get_all] Filter must be an array.');
throw new Exception('[credential_get_all] Filter must be an array.');
}
$count = false;
if (!is_array($fields) && $fields == 'count') {
$fields = ['cs.*'];
$count = true;
} else if (!is_array($fields)) {
error_log('[credential_get_all] Fields must be an array or "count".');
throw new Exception('[credential_get_all] Fields must be an array or "count".');
}
if (isset($filter['product']) && !empty($filter['product'])) {
$sql_filters[] = sprintf(' AND cs.product = "%s"', $filter['product']);
}
if (isset($filter['free_search']) && !empty($filter['free_search'])) {
$sql_filters[] = vsprintf(
' AND (lower(cs.username) like lower("%%%s%%")
OR cs.identifier like "%%%s%%"
OR lower(cs.product) like lower("%%%s%%"))',
array_fill(0, 3, $filter['free_search'])
);
}
if (isset($filter['filter_id_group']) && $filter['filter_id_group'] > 0) {
$propagate = db_get_value(
'propagate',
'tgrupo',
'id_grupo',
$filter['filter_id_group']
);
if (!$propagate) {
$sql_filters[] = sprintf(
' AND cs.id_group = %d ',
$filter['filter_id_group']
);
} else {
$groups = [ $filter['filter_id_group'] ];
$childrens = groups_get_children(
$filter['filter_id_group'],
null,
true
);
if (!empty($childrens)) {
foreach ($childrens as $child) {
$groups[] = (int) $child['id_grupo'];
}
}
$filter['filter_id_group'] = $groups;
$sql_filters[] = sprintf(
' AND cs.id_group IN (%s) ',
join(',', $filter['filter_id_group'])
);
}
}
if (isset($filter['group_list']) && is_array($filter['group_list'])) {
$sql_filters[] = sprintf(
' AND cs.id_group IN (%s) ',
join(',', $filter['group_list'])
);
} else if (users_is_admin() !== true) {
$user_groups = users_get_groups(
$config['id_user'],
'AR'
);
// Always add group 'ALL' because 'ALL' group credentials
// must be available for all users.
if (is_array($user_groups) === true) {
$user_groups = ([0] + array_keys($user_groups));
} else {
$user_groups = [0];
}
$sql_filters[] = sprintf(
' AND cs.id_group IN (%s) ',
join(',', $user_groups)
);
}
if (isset($filter['identifier'])) {
$sql_filters[] = sprintf(
' AND cs.identifier = "%s" ',
$filter['identifier']
);
}
if (isset($order)) {
$dir = 'asc';
if ($order == 'desc') {
$dir = 'desc';
};
if (in_array(
$sort_field,
[
'group',
'identifier',
'product',
'username',
'options',
]
)
) {
$order_by = sprintf(
'ORDER BY `%s` %s',
$sort_field,
$dir
);
}
}
if (isset($limit) && $limit > 0
&& isset($offset) && $offset >= 0
) {
$pagination = sprintf(
' LIMIT %d OFFSET %d ',
$limit,
$offset
);
}
$sql = sprintf(
'SELECT %s
FROM tcredential_store cs
LEFT JOIN tgrupo tg
ON tg.id_grupo = cs.id_group
WHERE 1=1
%s
%s
%s',
join(',', $fields),
join(' ', $sql_filters),
$order_by,
$pagination
);
if ($count) {
$sql = sprintf('SELECT count(*) as n FROM ( %s ) tt', $sql);
return db_get_value_sql($sql);
}
$return = db_get_all_rows_sql($sql);
if ($return === false) {
$return = [];
}
// Filter out those items of group all that cannot be edited by user.
$return = array_filter(
$return,
function ($item) {
if ($item['id_group'] == 0 && users_can_manage_group_all('AR') === false) {
return false;
} else {
return true;
}
}
);
return $return;
}
/**
* Retrieves target key from keystore or false in case of error.
*
* @param string $identifier Key identifier.
*
* @return array Key or false if error.
*/
public static function getKey($identifier)
{
global $config;
if (empty($identifier)) {
return false;
}
$keys = self::getAll(
[
'cs.*',
'tg.nombre as `group`',
],
['identifier' => $identifier]
);
if (is_array($keys) === true) {
// Only 1 must exist.
$key = $keys[0];
// Decrypt content.
$key['username'] = io_output_password($key['username']);
$key['password'] = io_output_password($key['password']);
$key['extra_1'] = io_output_password($key['extra_1']);
$key['extra_2'] = io_output_password($key['extra_2']);
return $key;
}
return false;
}
/**
* Return all keys avaliable for current user.
*
* @param string $product Filter by product.
*
* @return array Keys or false if error.
*/
public static function getKeys($product=false)
{
global $config;
$filter = [];
if ($product !== false) {
$filter['product'] = $product;
}
$keys = self::getAll(
[
'cs.*',
'tg.nombre as `group`',
],
$filter
);
if (is_array($keys) === true) {
// Improve usage and decode output.
$return = array_reduce(
$keys,
function ($carry, $item) {
$item['username'] = io_output_password($item['username']);
$item['password'] = io_output_password($item['password']);
$item['extra_1'] = io_output_password($item['extra_1']);
$item['extra_2'] = io_output_password($item['extra_2']);
$carry[$item['identifier']] = $item['identifier'];
return $carry;
},
[]
);
return $return;
}
return [];
}
/**
* Ajax method invoked by datatables to draw content.
*
* @return void
*/
public function draw()
{
global $config;
// Datatables offset, limit and order.
$filter = get_parameter('filter', []);
$start = get_parameter('start', 0);
$length = get_parameter('length', $config['block_size']);
$order = get_datatable_order(true);
if ((bool) users_is_admin() === false) {
$all = users_can_manage_group_all('UM');
$filter['group_list'] = array_keys(
users_get_groups(
$config['id_user'],
'UM',
(bool) $all
)
);
}
try {
ob_start();
$fields = [
'cs.*',
'tg.nombre as `group`',
];
// Retrieve data.
$data = $this->getAll(
// Fields.
$fields,
// Filter.
$filter,
// Offset.
$start,
// Limit.
$length,
// Order.
$order['direction'],
// Sort field.
$order['field']
);
// Retrieve counter.
$count = $this->getAll(
'count',
$filter
);
if ($data) {
$data = array_reduce(
$data,
function ($carry, $item) {
// Transforms array of arrays $data into an array
// of objects, making a post-process of certain fields.
$tmp = (object) $item;
$tmp->username = io_output_password($tmp->username);
if (empty($tmp->group)) {
$tmp->group = __('All');
} else {
$tmp->group = io_safe_output($tmp->group);
}
$carry[] = $tmp;
return $carry;
}
);
}
// Datatables format: RecordsTotal && recordsfiltered.
echo json_encode(
[
'data' => $data,
'recordsTotal' => $count,
'recordsFiltered' => $count,
]
);
// Capture output.
$response = ob_get_clean();
} catch (Exception $e) {
echo json_encode(['error' => $e->getMessage()]);
exit;
}
// If not valid, show error with issue.
json_decode($response);
if (json_last_error() == JSON_ERROR_NONE) {
// If valid dump.
echo $response;
} else {
echo json_encode(
['error' => $response]
);
}
exit;
}
/**
* Prints inputs for modal "Add key".
*
* @return void
*/
public function loadModal()
{
$identifier = get_parameter('identifier', null);
$key = self::getKey($identifier);
echo $this->printInputs($key);
}
/**
* Prepare variables received using form. AJAX environment only.
*
* @return array of values processed or false in case of error.
*/
private function prepareKeyValues()
{
$identifier = get_parameter('identifier', null);
$id_group = get_parameter('id_group', null);
$product = get_parameter('product', null);
$username = get_parameter('username', null);
$password = get_parameter('password', null);
$extra_1 = get_parameter('extra_1', null);
$extra_2 = get_parameter('extra_2', null);
if ($product === 'GOOGLE') {
$google_creds = json_decode(io_safe_output($extra_1));
if (json_last_error() !== JSON_ERROR_NONE) {
$this->ajaxMsg(
'error',
__('Not a valid JSON: %s', json_last_error_msg())
);
exit;
}
$username = $google_creds->client_email;
$password = $google_creds->private_key_id;
}
if ($product !== 'SNMP') {
if (empty($identifier) === true) {
$error = __('Key identifier is required');
} else if ($id_group === null) {
$error = __('You must select a group where store this key!');
} else if (empty($product) === true) {
$error = __('You must specify a product type');
} else if (empty($username) === true || (empty($password) === true)) {
$error = __('You must specify a username and/or password');
} else if (evaluate_ascii_valid_string(io_safe_output($identifier)) === false) {
$error = __('Identifier with forbidden characters. Check the documentation.');
}
if (isset($error) === true) {
$this->ajaxMsg('error', $error);
exit;
}
// Encrypt content (if needed).
$values = [
'identifier' => $identifier,
'id_group' => $id_group,
'product' => $product,
'username' => io_input_password(io_safe_output($username)),
'password' => io_input_password(io_safe_output($password)),
'extra_1' => io_input_password(io_safe_output($extra_1)),
'extra_2' => io_input_password(io_safe_output($extra_2)),
];
} else {
$values = [
'identifier' => $identifier,
'id_group' => $id_group,
'product' => $product,
];
$community = (string) get_parameter('community', '');
$version = (string) get_parameter('version', '1');
$extra_json = [
'community' => $community,
'version' => $version,
];
if ($version === '3') {
$securityLevelV3 = (string) get_parameter('securityLevelV3', 'authNoPriv');
$extra_json['securityLevelV3'] = $securityLevelV3;
$authUserV3 = (string) get_parameter('authUserV3', '');
$extra_json['authUserV3'] = $authUserV3;
if ($securityLevelV3 === 'authNoPriv' || $securityLevelV3 === 'authPriv') {
$authUserV3 = (string) get_parameter('authUserV3', '');
$extra_json['authUserV3'] = $authUserV3;
$authMethodV3 = (string) get_parameter('authMethodV3', 'MD5');
$extra_json['authMethodV3'] = $authMethodV3;
$authPassV3 = (string) get_parameter('authPassV3', '');
$extra_json['authPassV3'] = $authPassV3;
if ($securityLevelV3 === 'authPriv') {
$privacyMethodV3 = (string) get_parameter('privacyMethodV3', 'AES');
$extra_json['privacyMethodV3'] = $privacyMethodV3;
$privacyPassV3 = (string) get_parameter('privacyPassV3', '');
$extra_json['privacyPassV3'] = $privacyPassV3;
}
}
}
$values['extra_1'] = json_encode($extra_json);
}
// Spaces are not allowed.
$values['identifier'] = \io_safe_input(
preg_replace(
'/\s+/',
'-',
trim(
\io_safe_output($identifier)
)
)
);
return $values;
}
/**
* Stores a key into credential store.
*
* @param array $values Key definition.
* @param string $identifier Update or create.
*
* @return boolean True if ok, false if not ok.
*/
private function storeKey($values, $identifier=false)
{
if ($identifier === false) {
// New.
return db_process_sql_insert('tcredential_store', $values);
} else {
// Update.
return db_process_sql_update(
'tcredential_store',
$values,
['identifier' => $identifier]
);
}
}
/**
* Add a new key into Credential Store
*
* @return void
*/
public function addKey()
{
global $config;
$values = $this->prepareKeyValues();
if ($this->storeKey($values) === false) {
$this->ajaxMsg('error', $config['dbconnection']->error);
} else {
$this->ajaxMsg('result', $values['identifier']);
}
exit;
}
/**
* Add a new key into Credential Store
*
* @return void
*/
public function updateKey()
{
global $config;
$values = $this->prepareKeyValues();
$identifier = $values['identifier'];
if ($this->storeKey($values, $identifier) === false) {
$this->ajaxMsg('error', $config['dbconnection']->error);
} else {
$this->ajaxMsg('result', $identifier);
}
exit;
}
/**
* AJAX method. Delete key from keystore.
*
* @return void
*/
public function deleteKey()
{
global $config;
$identifier = get_parameter('identifier', null);
if (empty($identifier)) {
$this->ajaxMsg('error', __('identifier cannot be empty'), true);
}
if (self::getKey($identifier) === false) {
// User has no grants to delete target key.
$this->ajaxMsg('error', __('Not allowed'), true);
}
if (db_process_sql_delete(
'tcredential_store',
['identifier' => $identifier]
) === false
) {
$this->ajaxMsg('error', $config['dbconnection']->error, true);
} else {
$this->ajaxMsg('result', $identifier, true);
}
}
/**
* Run CredentialStore (main page).
*
* @return void
*/
public function run()
{
global $config;
// Require specific CSS and JS.
ui_require_css_file('wizard');
ui_require_css_file('discovery');
ui_require_css_file('credential_store');
if (!isset($config['encryption_passphrase'])) {
$url = 'https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Password_Encryption';
if ($config['language'] == 'es') {
$url = 'https://pandorafms.com/docs/index.php?title=Pandora:Documentation_es:Cifrado_Contrase%C3%B1as';
}
ui_print_warning_message(
__(
'Database encryption is not enabled. Credentials will be stored in plaintext. %s',
''.__('How to configure encryption.').''
)
);
}
// Datatables list.
try {
$columns = [
'group',
'identifier',
'product',
'username',
'options',
];
$column_names = [
__('Group'),
__('Identifier'),
__('Product'),
__('User'),
[
'text' => __('Options'),
'class' => 'table_action_buttons',
],
];
$this->tableId = 'keystore';
// Load datatables user interface.
ui_print_datatable(
[
'id' => $this->tableId,
'class' => 'info_table',
'style' => 'width: 99%',
'columns' => $columns,
'column_names' => $column_names,
'ajax_url' => $this->ajaxController,
'ajax_data' => ['method' => 'draw'],
'ajax_postprocess' => 'process_datatables_item(item)',
'no_sortable_columns' => [-1],
'order' => [
'field' => 'identifier',
'direction' => 'asc',
],
'search_button_class' => 'sub filter float-right',
'filter_main_class' => 'box-flat white_table_graph fixed_filter_bar',
'form' => [
'inputs' => [
[
'label' => __('Group'),
'type' => 'select_groups',
'id' => 'filter_id_group',
'name' => 'filter_id_group',
'privilege' => 'AR',
'type' => 'select_groups',
'nothing' => false,
'selected' => (defined($id_group_filter) ? $id_group_filter : 0),
'return' => true,
'size' => '80%',
],
[
'label' => __('Free search'),
'type' => 'text',
'class' => 'mw250px',
'id' => 'free_search',
'name' => 'free_search',
],
],
],
]
);
} catch (Exception $e) {
echo $e->getMessage();
}
// Auxiliar div.
$modal = '';
$msg = '';
$aux = '';
echo $modal.$msg.$aux;
// Create button.
html_print_action_buttons(
html_print_submit_button(
__('Add key'),
'create',
false,
['icon' => 'next'],
true
)
);
echo $this->loadJS();
}
/**
* Generates inputs for new/update forms.
*
* @param array $values Values or null.
*
* @return string Inputs.
*/
public function printInputs($values=null)
{
if (!is_array($values)) {
$values = [];
}
$return_all_group = false;
if (users_can_manage_group_all('AR') === true) {
$return_all_group = true;
}
$form = [
'action' => '#',
'id' => 'modal_form',
'onsubmit' => 'return false;',
'class' => 'modal',
'extra' => 'autocomplete="new-password"',
];
$inputs = [];
$inputs[] = [
'label' => __('Identifier'),
'id' => 'div-identifier',
'arguments' => [
'name' => 'identifier',
'type' => 'text',
'value' => $values['identifier'],
'disabled' => (bool) $values['identifier'],
'return' => true,
],
];
$inputs[] = [
'label' => __('Group'),
'arguments' => [
'name' => 'id_group',
'id' => 'id_group',
'input_class' => 'flex-row',
'type' => 'select_groups',
'returnAllGroup' => $return_all_group,
'selected' => $values['id_group'],
'return' => true,
'class' => 'w50p',
],
];
$inputs[] = [
'label' => __('Product'),
'id' => 'div-product',
'arguments' => [
'name' => 'product',
'input_class' => 'flex-row',
'type' => 'select',
'script' => 'calculate_inputs()',
'fields' => [
'CUSTOM' => __('Custom'),
'AWS' => __('Aws'),
'AZURE' => __('Azure'),
'SAP' => __('SAP'),
'GOOGLE' => __('Google'),
'WMI' => __('WMI'),
'SNMP' => __('SNMP'),
],
'selected' => (isset($values['product']) ? $values['product'] : 'CUSTOM'),
'disabled' => (bool) $values['product'],
'return' => true,
],
];
$user_label = __('Username');
$pass_label = __('Password');
$extra_1_label = __('Extra');
$extra_2_label = __('Extra (2)');
$extra1_type = 'text';
$user = true;
$pass = true;
$extra1 = true;
$extra2 = true;
// Remember to update credential_store.php also.
switch ($values['product']) {
case 'AWS':
$user_label = __('Access key ID');
$pass_label = __('Secret access key');
$extra1 = false;
$extra2 = false;
break;
case 'AZURE':
$user_label = __('Account ID');
$pass_label = __('Application secret');
$extra_1_label = __('Tenant or domain name');
$extra_2_label = __('Subscription id');
break;
case 'GOOGLE':
$extra_1_label = __('Auth JSON');
$user = false;
$pass = false;
$extra1 = true;
$extra2 = false;
$extra1_type = 'textarea';
break;
case 'WMI':
$extra_1_label = __('Namespace');
$extra1 = true;
$extra2 = false;
break;
case 'SNMP':
$user = false;
$pass = false;
$extra1 = false;
$extra2 = false;
break;
case 'CUSTOM':
case 'SAP':
$user_label = __('Account ID');
$pass_label = __('Password');
$extra1 = false;
$extra2 = false;
default:
// Use defaults.
break;
}
if ($user) {
$inputs[] = [
'label' => $user_label,
'id' => 'div-username',
'arguments' => [
'name' => 'username',
'input_class' => 'flex-row',
'type' => 'text',
'value' => $values['username'],
'return' => true,
],
];
}
if ($pass) {
$inputs[] = [
'label' => $pass_label,
'id' => 'div-password',
'arguments' => [
'name' => 'password',
'input_class' => 'flex-row',
'type' => 'password',
'value' => $values['password'],
'return' => true,
],
];
}
if ($extra1) {
$inputs[] = [
'label' => $extra_1_label,
'id' => 'div-extra_1',
'arguments' => [
'name' => 'extra_1',
'id' => 'text-extra_1',
'input_class' => 'flex-row',
'type' => $extra1_type,
'value' => $values['extra_1'],
'return' => true,
],
];
}
if ($extra2) {
$inputs[] = [
'label' => $extra_2_label,
'id' => 'div-extra_2',
'arguments' => [
'name' => 'extra_2',
'input_class' => 'flex-row',
'type' => 'text',
'value' => $values['extra_2'],
'return' => true,
'display' => $extra2,
],
];
}
if ($values['product'] === 'SNMP') {
$json_values = json_decode($values['extra_1'], true);
$inputs[] = [
'label' => __('SNMP community'),
'id' => 'li_snmp_1',
'arguments' => [
'name' => 'community',
'input_class' => 'flex-row',
'type' => 'text',
'value' => $json_values['community'],
'return' => true,
],
];
$inputs[] = [
'label' => __('SNMP version'),
'id' => 'li_snmp_2',
'arguments' => [
'name' => 'version',
'input_class' => 'flex-row',
'type' => 'select',
'script' => 'showVersion()',
'fields' => [
'1' => __('1'),
'2' => __('2'),
'2c' => __('2c'),
'3' => __('3'),
],
'selected' => (isset($json_values['version']) ? $json_values['version'] : '1'),
'return' => true,
],
];
$inputs[] = [
'label' => __('Security level'),
'id' => 'li_snmp_3',
'style' => ($json_values['version'] !== '3') ? 'display: none;' : '',
'arguments' => [
'name' => 'securityLevelV3',
'input_class' => 'flex-row',
'type' => 'select',
'script' => 'showSecurity()',
'fields' => [
'authNoPriv' => __('Authenticated and non-private method'),
'authPriv' => __('Authenticated and private method'),
'noAuthNoPriv' => __('Non-authenticated and non-private method'),
],
'selected' => (isset($json_values['securityLevelV3']) ? $json_values['securityLevelV3'] : 'authNoPriv'),
'return' => true,
],
];
$inputs[] = [
'label' => __('User authentication'),
'id' => 'li_snmp_4',
'style' => ($json_values['version'] !== '3') ? 'display: none;' : '',
'arguments' => [
'name' => 'authUserV3',
'input_class' => 'flex-row',
'type' => 'text',
'value' => $json_values['authUserV3'],
'return' => true,
],
];
$authNoPrivate = (
isset($json_values['securityLevelV3']) &&
($json_values['securityLevelV3'] === 'authNoPriv' || $json_values['securityLevelV3'] === 'authPriv')
) ? '' : 'display: none;';
$inputs[] = [
'label' => __('Authentication method'),
'id' => 'li_snmp_5',
'style' => $authNoPrivate,
'arguments' => [
'name' => 'authMethodV3',
'input_class' => 'flex-row',
'type' => 'select',
'fields' => [
'MD5' => __('MD5'),
'SHA' => __('SHA'),
],
'selected' => (isset($json_values['authMethodV3']) ? $json_values['authMethodV3'] : 'MD5'),
'return' => true,
],
];
$inputs[] = [
'label' => __('Password authentication'),
'id' => 'li_snmp_6',
'style' => $authNoPrivate,
'arguments' => [
'name' => 'authPassV3',
'input_class' => 'flex-row',
'type' => 'password',
'value' => $json_values['authPassV3'],
'return' => true,
],
];
$authPrivate = (isset($json_values['securityLevelV3']) && $json_values['securityLevelV3'] === 'authPriv')
? ''
: 'display: none;';
$inputs[] = [
'label' => __('Privacy method'),
'id' => 'li_snmp_7',
'style' => $authPrivate,
'arguments' => [
'name' => 'privacyMethodV3',
'input_class' => 'flex-row',
'type' => 'select',
'fields' => [
'AES' => __('AES'),
'DES' => __('DES'),
],
'selected' => (isset($json_values['privacyMethodV3']) ? $json_values['privacyMethodV3'] : 'AES'),
'return' => true,
],
];
$inputs[] = [
'label' => __('Privacy pass'),
'id' => 'li_snmp_8',
'style' => $authPrivate,
'arguments' => [
'name' => 'privacyPassV3',
'input_class' => 'flex-row',
'type' => 'password',
'value' => $json_values['privacyPassV3'],
'return' => true,
],
];
}
return $this->printForm(
[
'form' => $form,
'inputs' => $inputs,
],
true
);
}
/**
* Loads JS content.
*
* @return string JS content.
*/
public function loadJS()
{
ob_start();
// Javascript content.
?>