'api_password'] ) ); $apiTokenValid = false; // Try getting bearer token from header. // TODO. Getting token from url will be removed. $apiToken = (string) io_safe_input(getBearerToken()); if (empty($apiToken) === true) { // Legacy user/pass token. // TODO. Revome in future. $api_password = get_parameter('apipass', ''); $user = get_parameter('user', ''); $password = get_parameter('pass', ''); } else { $apiTokenValid = (bool) api_token_check($apiToken); } $correctLogin = false; $no_login_msg = ''; // Clean unwanted output. ob_clean(); // READ THIS: // Special call without checks to retrieve version and build of the Pandora FMS // This info is avalable from the web console without login // Don't change the format, it is parsed by applications. if ($info === 'version') { if ((bool) $config['MR'] === false) { $config['MR'] = 0; } echo 'Pandora FMS '.$pandora_version.' - '.$build_version.' MR'.$config['MR']; exit; } $user_in_db = null; if (empty($apiPassword) === true || (empty($apiPassword) === false && $api_password === $apiPassword) || $apiTokenValid === true ) { if (enterprise_hook('metaconsole_validate_origin', [get_parameter('server_auth')]) === true || enterprise_hook('console_validate_origin', [get_parameter('server_auth')]) === true ) { // Allow internal direct node -> metaconsole connection // or node -> own console connection. $server_uid = get_parameter(('server_auth')); $config['__internal_call'] = true; $config['id_usuario'] = $server_uid; // Compat. $config['id_user'] = $server_uid; $correctLogin = true; $config['is_admin'][$server_uid] = true; // Bypass credentials if server-auth and api-pass are correct. } else if (($config['server_unique_identifier'] === get_parameter('server_auth')) && ($api_password === $apiPassword) && ((bool) isInACL($ipOrigin) === true) ) { $server_uid = get_parameter(('server_auth')); $config['id_usuario'] = $server_uid; $config['id_user'] = $server_uid; $config['is_admin'][$server_uid] = true; $correctLogin = true; } else if ((bool) isInACL($ipOrigin) === true) { // External access. // Token is valid. Bypass the credentials. if ($apiTokenValid === true) { $credentials = db_get_row('tusuario', 'api_token', $apiToken); $user = $credentials['id_user']; $password = $credentials['password']; } $user_in_db = process_user_login($user, $password, true, $apiTokenValid); if ($user_in_db !== false) { $config['id_usuario'] = $user_in_db; // Compat. $config['id_user'] = $user_in_db; $correctLogin = true; if (session_status() === PHP_SESSION_NONE) { session_start(); $_SESSION = []; } $_SESSION['id_usuario'] = $user; config_prepare_session(); session_write_close(); } else { $no_login_msg = 'Incorrect user credentials'; } } else { $no_login_msg = 'IP '.$ipOrigin.' is not in ACL list'; } } else { $no_login_msg = 'Incorrect given API password'; } if ($correctLogin === true) { if (($op !== 'get') && ($op !== 'set') && ($op !== 'help')) { returnError('no_set_no_get_no_help', $returnType); } else { $function_name = ''; // Check if is an extension function and get the function name. if ($op2 === 'extension') { $extension_api_url = $config['homedir'].'/'.EXTENSIONS_DIR.'/'.$ext_name.'/'.$ext_name.'.api.php'; // The extension API file must exist and the extension must be // enabled. if (file_exists($extension_api_url) === true && in_array($ext_name, extensions_get_disabled_extensions()) === false ) { include_once $extension_api_url; $function_name = 'apiextension_'.$op.'_'.$ext_function; } } else { $function_name = 'api_'.$op.'_'.$op2; if ($op === 'set' && $id) { switch ($op2) { case 'update_agent': case 'add_module_in_conf': case 'update_module_in_conf': case 'delete_module_in_conf': $agent = agents_locate_agent($id); if ($agent !== false) { $id_os = $agent['id_os']; if ((int) $id_os === 100) { returnError( 'not_allowed_operation_cluster', $returnType ); return false; } } break; // case 'create_network_module': case 'create_plugin_module': // case 'create_data_module': case 'create_synthetic_module': case 'create_snmp_module': case 'delete_module': case 'delete_agent': $agent = agents_locate_agent($id); if ($agent !== false) { $id_os = $agent['id_os']; if ($id_os == 100) { returnError( 'not_allowed_operation_cluster', $returnType ); return false; } } break; case 'update_network_module': case 'update_plugin_module': case 'update_data_module': case 'update_snmp_module': $id_os = db_get_value_sql( sprintf( 'SELECT id_os FROM tagente WHERE id_agente = ( SELECT id_agente FROM tagente_modulo WHERE id_agente_modulo = %d )', $id ) ); if ($id_os == 100) { returnError( 'not_allowed_operation_cluster', $returnType ); return false; } break; case 'delete_user_permission': if ($user_db === '') { returnError( __('User or group not specified'), __('User, group not specified') ); return; } $id_os = api_set_delete_user_profiles( $thrash1, $thrash2, $other, $returnType ); if ($id_os != 100) { return; } if ($id_os == false) { returnError( 'not_allowed_operation_cluster', $returnType ); return false; } break; case 'add_permission_user_to_group': if ($user_db == null || $group_db == null || $id_up == null ) { returnError( __('User, group or profile not specified'), __('User, group or profile status not specified') ); return; } $id_os = api_set_add_permission_user_to_group( $thrash1, $thrash2, $other, $returnType ); if ($id_os != 100) { return; } if ($id_os == false) { returnError( 'not_allowed_operation_cluster', $returnType ); return false; } break; case 'event': // Preventive check for users if not available write events. if (! check_acl($config['id_user'], $event['id_grupo'], 'EW')) { return false; } break; default: // Ignore. break; } } } // Check if the function exists. if (function_exists($function_name)) { if (!DEBUG) { error_reporting(0); } if (VERBOSE) { error_reporting(E_ALL); ini_set('display_errors', 1); } call_user_func( $function_name, $id, $id2, $other, $returnType, $user_in_db ); } else { returnError('no_exist_operation', $returnType); } } } else { /* * //TODO: Implement a new switch in config to enable / disable * ACL auth failure: if enabled and have lots of traffic can produce * millions of records and a considerable OVERHEAD in the system :( * db_pandora_ audit("API access Failed", $no_login_msg, $user, $ipOrigin); */ sleep(15); // Protection on DoS attacks. echo 'auth error'; } // Logout. if (session_status() !== PHP_SESSION_DISABLED) { $_SESSION = []; // Could give a warning if no session file is created. Ignore. @session_destroy(); header_remove('Set-Cookie'); if (isset($_COOKIE[session_name()]) === true) { setcookie(session_name(), $_COOKIE[session_name()], (time() - 4800), '/'); } }