From 0a02bd213e7ceba3d26cc66d7156fc3f99c23805 Mon Sep 17 00:00:00 2001 From: Kevin Duret Date: Mon, 28 Oct 2019 10:50:35 +0100 Subject: [PATCH] fix(acl): filter access to api using external entry point (#8021) --- .../centreon_administration_widget.class.php | 7 +++-- www/api/class/centreon_clapi.class.php | 7 +++-- .../centreon_configuration_objects.class.php | 7 +++-- .../class/centreon_home_customview.class.php | 9 ++++++- www/api/class/centreon_keepalive.class.php | 2 +- www/api/class/centreon_metric.class.php | 9 ++++++- www/api/class/centreon_proxy.class.php | 2 +- .../class/centreon_realtime_base.class.php | 7 +++-- .../class/centreon_results_acceptor.class.php | 7 +++-- .../class/centreon_submit_results.class.php | 7 +++-- www/api/class/centreon_topcounter.class.php | 8 ++++-- www/api/class/centreon_wiki.class.php | 7 +++-- www/api/external.php | 27 +++++++++++++++---- 13 files changed, 81 insertions(+), 25 deletions(-) diff --git a/www/api/class/centreon_administration_widget.class.php b/www/api/class/centreon_administration_widget.class.php index 673d86eb2d7..846bbd54adb 100644 --- a/www/api/class/centreon_administration_widget.class.php +++ b/www/api/class/centreon_administration_widget.class.php @@ -161,10 +161,13 @@ public function postRemove() */ public function authorize($action, $user, $isInternal = false) { - if (parent::authorize($action, $user, $isInternal)) { + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiConfiguration()) + ) { return true; } - return $user->hasAccessRestApiConfiguration(); + return false; } } diff --git a/www/api/class/centreon_clapi.class.php b/www/api/class/centreon_clapi.class.php index 838ed4d1a01..9b3563c31ce 100644 --- a/www/api/class/centreon_clapi.class.php +++ b/www/api/class/centreon_clapi.class.php 
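Review bot: The new `$user &&` guard in centreon_administration_widget::authorize() only protects the subclass branch; `parent::authorize($action, $user, $isInternal)` is still evaluated first with a possibly-null `$user` (external.php in this same commit passes null when no token is sent), so if the base implementation dereferences `$user` without its own guard the check here comes too late — confirm CentreonWebService::authorize tolerates null before relying on it. The same eight-line block is now repeated verbatim in every subclass touched here with only the ACL method name differing; a protected helper in the base class, e.g. `protected function authorizeWithAcl($action, $user, $isInternal, string $aclMethod): bool`, would keep the policy in one place. A docblock line such as `* A request without a valid token ($user === null) is authorized only when the base class allows it.` would also make the null case explicit.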
@@ -229,11 +229,14 @@ public function postAction() */ public function authorize($action, $user, $isInternal = false) { - if (parent::authorize($action, $user, $isInternal)) { + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiConfiguration()) + ) { return true; } - return $user->hasAccessRestApiConfiguration(); + return false; } /** diff --git a/www/api/class/centreon_configuration_objects.class.php b/www/api/class/centreon_configuration_objects.class.php index 286e46d83dd..64b050e6d2c 100644 --- a/www/api/class/centreon_configuration_objects.class.php +++ b/www/api/class/centreon_configuration_objects.class.php @@ -276,10 +276,13 @@ protected function retrieveRelatedValues($relationObject, $id) */ public function authorize($action, $user, $isInternal = false) { - if (parent::authorize($action, $user, $isInternal)) { + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiConfiguration()) + ) { return true; } - return $user->hasAccessRestApiConfiguration(); + return false; } } diff --git a/www/api/class/centreon_home_customview.class.php b/www/api/class/centreon_home_customview.class.php index 360c619fa65..077edc93fd0 100644 --- a/www/api/class/centreon_home_customview.class.php +++ b/www/api/class/centreon_home_customview.class.php @@ -331,6 +331,13 @@ public function getPreferences() */ public function authorize($action, $user, $isInternal = false) { - return true; + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiConfiguration()) + ) { + return true; + } + + return false; } } diff --git a/www/api/class/centreon_keepalive.class.php b/www/api/class/centreon_keepalive.class.php index 7bbdb1e578f..803d695c851 100644 --- a/www/api/class/centreon_keepalive.class.php +++ b/www/api/class/centreon_keepalive.class.php 
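Review bot: centreon_home_customview::authorize() goes from an unconditional `return true` to requiring `hasAccessRestApiConfiguration()`, a silent tightening for external callers of what the hunk header shows to be a preference read (getPreferences); `$action` is still not consulted, so a read and a write now carry the same requirement. Whether the configuration ACL, rather than the realtime ACL chosen for centreon_metric and centreon_realtime_base in this same commit, is the intended gate for custom views is not recoverable from the diff — confirm the choice and record it in the docblock, e.g. `* External callers need the REST API configuration ACL regardless of $action.`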
@@ -71,6 +71,6 @@ public function getKeepAlive() */ public function authorize($action, $user, $isInternal = false) { - return true; + return $isInternal; } } diff --git a/www/api/class/centreon_metric.class.php b/www/api/class/centreon_metric.class.php index d44d6c9c6f6..33e5f78acad 100644 --- a/www/api/class/centreon_metric.class.php +++ b/www/api/class/centreon_metric.class.php @@ -778,6 +778,13 @@ protected function executeQueryPeriods($query, $start, $end, $queryValues) */ public function authorize($action, $user, $isInternal = false) { - return true; + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiRealtime()) + ) { + return true; + } + + return false; } } diff --git a/www/api/class/centreon_proxy.class.php b/www/api/class/centreon_proxy.class.php index c5d9b39117d..cbee3ce6c3a 100644 --- a/www/api/class/centreon_proxy.class.php +++ b/www/api/class/centreon_proxy.class.php @@ -37,6 +37,6 @@ public function postCheckConfiguration() */ public function authorize($action, $user, $isInternal = false) { - return true; + return $isInternal; } } diff --git a/www/api/class/centreon_realtime_base.class.php b/www/api/class/centreon_realtime_base.class.php index 64dd4bff787..4e4be004263 100644 --- a/www/api/class/centreon_realtime_base.class.php +++ b/www/api/class/centreon_realtime_base.class.php @@ -259,10 +259,13 @@ protected function retrieveRelatedValues($relationObject, $id) */ public function authorize($action, $user, $isInternal = false) { - if (parent::authorize($action, $user, $isInternal)) { + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiRealtime()) + ) { return true; } - return $user->hasAccessRestApiRealtime(); + return false; } } diff --git a/www/api/class/centreon_results_acceptor.class.php b/www/api/class/centreon_results_acceptor.class.php index 7cd916f1177..cb0ad625a48 100644 --- a/www/api/class/centreon_results_acceptor.class.php 
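Review bot: `return $isInternal;` in centreon_keepalive::authorize() hands back the raw parameter rather than a boolean; the parameter is untyped and defaults to `false`, so an internal caller passing a truthy non-bool would be accepted as-is by a truthiness check in the router. `return $isInternal === true;` (or a `bool` type on the parameter) pins it, and the same applies to the identical change in centreon_proxy::authorize() in this commit. A one-line comment `// internal (session) callers only — never reachable through external.php` would document why no ACL check exists here.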
+++ b/www/api/class/centreon_results_acceptor.class.php @@ -246,10 +246,13 @@ public function postSubmit() */ public function authorize($action, $user, $isInternal) { - if (parent::authorize($action, $user, $isInternal)) { + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiConfiguration()) + ) { return true; } - return $user->hasAccessRestApiConfiguration(); + return false; } } diff --git a/www/api/class/centreon_submit_results.class.php b/www/api/class/centreon_submit_results.class.php index 2dddabf0603..11dab6ab47d 100644 --- a/www/api/class/centreon_submit_results.class.php +++ b/www/api/class/centreon_submit_results.class.php @@ -330,10 +330,13 @@ public function postSubmit() */ public function authorize($action, $user, $isInternal) { - if (parent::authorize($action, $user, $isInternal)) { + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiRealtime()) + ) { return true; } - return $user->hasAccessRestApiConfiguration(); + return false; } } diff --git a/www/api/class/centreon_topcounter.class.php b/www/api/class/centreon_topcounter.class.php index 66c143240e4..bd4a7952dea 100644 --- a/www/api/class/centreon_topcounter.class.php +++ b/www/api/class/centreon_topcounter.class.php @@ -856,9 +856,13 @@ protected function checkChangeState($pollerId, $lastRestart) */ public function authorize($action, $user, $isInternal = false) { - if (parent::authorize($action, $user, $isInternal)) { + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiRealtime()) + ) { return true; } - return $user->hasAccessRestApiConfiguration(); + + return false; } } diff --git a/www/api/class/centreon_wiki.class.php b/www/api/class/centreon_wiki.class.php index 598d41626c3..ccef5e044a9 100644 --- a/www/api/class/centreon_wiki.class.php +++ b/www/api/class/centreon_wiki.class.php 
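Review bot: centreon_submit_results::authorize() switches the external gate from `hasAccessRestApiConfiguration()` to `hasAccessRestApiRealtime()`, which both revokes access for contacts holding only the configuration ACL and grants it to contacts holding only the realtime ACL — a policy change that the commit message ("filter access") does not announce. In the same commit centreon_results_acceptor, whose hunk header shows the same `postSubmit()` action, keeps the configuration ACL, so the two submission endpoints now disagree; either keep `hasAccessRestApiConfiguration()` here or align both and state the rule in the docblock. Both classes also declare `authorize($action, $user, $isInternal)` without the `= false` default the other subclasses use; harmless, but worth making consistent while touching every signature.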
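Review bot: The external branch of centreon_topcounter::authorize() moves from the configuration ACL to the realtime ACL, so a contact with only the realtime ACL now reaches everything this service exposes, including whatever `checkChangeState($pollerId, $lastRestart)` (visible in the hunk header) reports about poller state; that widening is not mentioned in the commit message. If realtime is the intended scope, a docblock line such as `* External access requires the REST API realtime ACL (changed from configuration in #8021).` records the decision; otherwise keep `hasAccessRestApiConfiguration()`.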
@@ -90,10 +90,13 @@ public function postDeletePage() */ public function authorize($action, $user, $isInternal = false) { - if (parent::authorize($action, $user, $isInternal)) { + if ( + parent::authorize($action, $user, $isInternal) + || ($user && $user->hasAccessRestApiConfiguration()) + ) { return true; } - return $user->hasAccessRestApiConfiguration(); + return false; } } diff --git a/www/api/external.php b/www/api/external.php index 9492e2f5744..2ea3eeb38e5 100644 --- a/www/api/external.php +++ b/www/api/external.php @@ -36,10 +36,27 @@ ini_set('error_reporting', E_ALL & ~E_NOTICE & ~E_STRICT); ini_set('display_errors', 'Off'); -require_once dirname(__FILE__) . '/../../bootstrap.php'; -require_once _CENTREON_PATH_ . '/www/class/centreonDB.class.php'; -require_once dirname(__FILE__) . '/class/webService.class.php'; +require_once __DIR__ . '/../../bootstrap.php'; +require_once __DIR__ . '/../class/centreon.class.php'; +require_once __DIR__ . '/class/webService.class.php'; -$pearDB = new CentreonDB; +$pearDB = $dependencyInjector['configuration_db']; -CentreonWebService::router($dependencyInjector, null, false); +$user = null; +// get user information if a token is provided +if (isset($_SERVER['HTTP_CENTREON_AUTH_TOKEN'])) { + try { + $res = $pearDB->prepare( + "SELECT c.* FROM ws_token w, contact c WHERE c.contact_id = w.contact_id AND token = ?" + ); + $res->execute(array($_SERVER['HTTP_CENTREON_AUTH_TOKEN'])); + if ($userInfos = $res->fetch()) { + $centreon = new Centreon($userInfos); + $user = $centreon->user; + } + } catch (\PDOException $e) { + CentreonWebService::sendResult("Database error", 500); + } +} + +CentreonWebService::router($dependencyInjector, $user, false);
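Review bot: A request to external.php that presents a Centreon-Auth-Token matching no `ws_token` row falls through with `$user = null` and is routed exactly like an anonymous request, so a revoked or mistyped token is never rejected as an authentication failure and silently reaches every endpoint whose authorize() accepts a null user; an unmatched token should be refused outright. The `catch (\PDOException $e)` branch sends a 500 but does not stop — unless `CentreonWebService::sendResult()` terminates the script (not visible here), execution continues into `router()` with `$user` null. The lookup also checks neither token age nor whether the contact is still enabled; if `ws_token` records a generation time and `contact` carries an activation flag (as I would expect but cannot see in this diff), both belong in the WHERE clause or in a check after the fetch. The unmatched-token rejection and the explicit exits are sketched below.
```php
$user = null;
if (isset($_SERVER['HTTP_CENTREON_AUTH_TOKEN'])) {
    try {
        // … unchanged: prepare() / execute() of the ws_token lookup …
        $userInfos = $res->fetch();
    } catch (\PDOException $e) {
        CentreonWebService::sendResult("Database error", 500);
        exit;
    }
    if ($userInfos === false) {
        // a token was presented but matches nothing: authentication failed, do not fall back to anonymous
        CentreonWebService::sendResult("Invalid token", 403);
        exit;
    }
    $centreon = new Centreon($userInfos);
    $user = $centreon->user;
}
```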