From: <mgu...@us...> - 2011-09-12 20:01:58
|
Revision: 1807 http://nagios.svn.sourceforge.net/nagios/?rev=1807&view=rev Author: mguthrie88 Date: 2011-09-12 20:01:51 +0000 (Mon, 12 Sep 2011) Log Message: ----------- Fixed bugs in NagiosUser class that would incorrectly authorize contacts with similar strings in their names. Documented NagiosUser code for phpdoc Fixed small bug in get_tac_data for missing array index Modified Paths: -------------- nagiosvshell/branches/devel/vshell/data/NagiosUser.php nagiosvshell/branches/devel/vshell/data/get_tac_data.php nagiosvshell/branches/devel/vshell/index.php Modified: nagiosvshell/branches/devel/vshell/data/NagiosUser.php =================================================================== --- nagiosvshell/branches/devel/vshell/data/NagiosUser.php 2011-09-12 19:57:39 UTC (rev 1806) +++ nagiosvshell/branches/devel/vshell/data/NagiosUser.php 2011-09-12 20:01:51 UTC (rev 1807) @@ -1,28 +1,41 @@ -<?php //NagiosUser.php nagios user class to handle authorized hosts, services, and admin functionality - - - - -class NagiosUser -{ - //boolean for users who can see and access all features +<?php //NagiosUser.php nagios user class to handle authorized hosts, services, and admin functionality + + + + +class NagiosUser +{ + /* + * boolean for users who can see and access all features + * @var boolean $admin + */ protected $admin = false; - //boolean for viewing all hosts and services - protected $sees_all = false; - - //array for storing global authorizations from cgi file - protected $authKeys = array( - 'authorized_for_all_host_commands' => false, - 'authorized_for_all_hosts' => false, - 'authorized_for_all_service_commands' => false, - 'authorized_for_all_services' => false, - 'authorized_for_configuration_information' => false, - 'authorized_for_system_commands' => false, - 'authorized_for_system_information' => false, - 'authorized_for_read_only' => true, + + /* + * boolean for viewing all hosts and services + * @var boolean $sees_all + */ + protected $sees_all = false; + + /** + * array for storing global authorizations from cgi file + * @var mixed $authKeys + */ + protected $authKeys = array( + 'authorized_for_all_host_commands' => false, + 'authorized_for_all_hosts' => false, + 'authorized_for_all_service_commands' => false, + 'authorized_for_all_services' => false, + 'authorized_for_configuration_information' => false, + 'authorized_for_system_commands' => false, + 'authorized_for_system_information' => false, + 'authorized_for_read_only' => true, ); - - //MAIN AUTH ARRAY + + /** + * MAIN AUTH ARRAY + * @var mixed $authHosts + */ protected $authHosts = array(); //see below for array structure /* $authHosts = @@ -34,19 +47,26 @@ 3 => service3 ) ) - */ - protected $cg_memberships = array(); //contactgroup memberships + */ + /** + * contactgroup memberships + * @var mixed $cg_memberships + */ + protected $cg_memberships = array(); + + /** + * current user + * @var string username + */ protected $username; - //constructor - //initialize authorized hosts and services only upon construction and then (@TODO)cache data - //TODO move towards session auth so this info gets updated upon login and restart of Nagios - function __construct($username=false) { - //some users have requested to turn off authentication or user other methods, this allows override and backwards compatibility - if(!$username) - $this->username = $this->get_user(); - else $this->username = $username; //for users that hard-code a username: NOT RECOMMENDED + /** + * constructor initializes authorized hosts and services and determines global privileges + * @TODO cache data and move towards session auth so this info gets updated upon login and restart of Nagios + */ + function __construct() { + if(!$this->get_user()) exit('Access Denied: No authentication detected.'); //build main authKeys array (cgi.cfg settings) $this->set_perms(); //check if user can see everything @@ -63,37 +83,45 @@ } + /** + * determines authorized user, checks for hard-coded name, then Basic Auth, then Digest auth. Sets $this->username + * @global string $username + * @return string $this->username + */ private function get_user() { - global $username; + global $username; //some users have requested to turn off authentication or user other methods, this allows override and backwards compatibility //allow for basic auth override for backwards compatibility with early versions of V-Shell - if($username) return $username; //TODO: eventually this will be removed, and auth will not be optional - + if($username) + { + $this->username = $username; + } // HTTP BASIC AUTHENTICATION through Nagios Core or XI //$remote_user=""; - if(isset($_SERVER["REMOTE_USER"])) + elseif(isset($_SERVER["REMOTE_USER"])) { $remote_user=$_SERVER["REMOTE_USER"]; //echo "REMOTE USER is set: $remote_user<br />"; - return $remote_user; + $this->username = $remote_user; } //digest authentication elseif(isset($_SERVER['PHP_AUTH_USER'])) { //echo "Auth Digest detected".$_SERVER['PHP_AUTH_USER']; - return $_SERVER['PHP_AUTH_USER']; + $this->username = $_SERVER['PHP_AUTH_USER']; } - else - { - echo "Access Denied: No authentication detected."; + + if(!$this->username) return false; - } - + else return $this->username; + } - //////////////////////////////////////////////////////////// - //$username is obtained from $_SERVER authorized user for nagios - //TODO: make this better. All auth stuff needs to be handled here, no more global authorizations array + /** + * username is obtained from @global $_SERVER authorized user for nagios + * @TODO: make this better. All auth stuff needs to be handled here, no more global authorizations array + * @global mixed $NagiosData + */ private function set_perms() { global $NagiosData; @@ -105,26 +133,31 @@ } } } - ////////////////////////////////////////////////////// - // - //activates authorization for user. See authorizations.inc.php for auth list - // + + /** + * sets authorization for user, also sets global $authorizations. See authorizations.inc.php for auth list + * @TODO replace @global $authorizations array and encapsulate this in user object + * @global mixed $authorizations array + */ private function authorize($auth) //sets global permission { global $authorizations; //global authorization array controller $authorizations[$auth] = 1; $this->authKeys[$auth] = true; //class auth controller - } - - ///////////////get methods + } + + ///////////////get methods /////////////////////// + /** - * @return mixed $authHosts array of all authorized hosts and services - */ - public function get_authorized_hosts() { - return $this->authHosts; - } + * gets list of authorized hosts for user + * @return mixed $authHosts array of all authorized hosts and services + */ + public function get_authorized_hosts() { + return $this->authHosts; + } /** + * returns username * @return string $username current user */ public function get_username() { @@ -132,19 +165,20 @@ } /** + * returns boolean if user is admin * @return boolean $admin boolean if user has admin privileges and can see and do everything - */ - public function is_admin() { - return $this->admin; - } + */ + public function is_admin() { + return $this->admin; + } /** * @return boolean $key authorization key from cgi.cfg file - */ - public function if_has_authKey($key) { - if(isset($this->authKeys[$key])) - return $this->authKeys[$key]; - } - + */ + public function if_has_authKey($key) { + if(isset($this->authKeys[$key])) + return $this->authKeys[$key]; + } + /** * @return boolean decide if this user is an admin */ @@ -157,23 +191,23 @@ return true; } - + /** * sets global auths from cgi.cfg file * @TODO: move to protected method -> this will replace previous global auths in future versions * @return null changes cgi.cfg booleans for current NagiosUser - */ - public function setAuthKey($keyname,$value) { - if(isset($this->authKeys[$keyname])) { - $this->authKeys[$keyname] = $value; - } - } + */ + public function setAuthKey($keyname,$value) { + if(isset($this->authKeys[$keyname])) { + $this->authKeys[$keyname] = $value; + } + } /** * tests if user can view host * @returns boolean - */ + */ public function is_authorized_for_host($hostname) { //can user see everything? if($this->admin == true || $this->sees_all == true) return true; @@ -182,7 +216,7 @@ //not authorized return false; - } + } /** * tests if user can view service @@ -197,7 +231,7 @@ return false; } - + /** /////////////////////////////////////////////////// * main logic function for user-level filtering, builds $this->authHosts array * CREATES SINGLE MULTI-D HEIRARCHY ARRAY @@ -216,6 +250,8 @@ * 3 => service3 ) * * ) + * + * @global mixed $NagiosData object.cache array */ private function build_authorized_objects() { global $NagiosData; @@ -228,7 +264,7 @@ foreach($contactgroups as $cg) { //echo $cg['contactgroup_name']; - if(strpos($cg['members'],$this->username)!==false) + if(in_array($this->username,explode(',',$cg['members'])) ) $this->cg_memberships[] = $cg['contactgroup_name']; //add contactgroup to array if user is a member of it } @@ -237,7 +273,7 @@ { //check is user is a direct contact $key = $host['host_name']; - if(isset($host['contacts']) && strpos($host['contacts'],$this->username) !== false) + if(isset($host['contacts']) && in_array($this->username, explode(',',$host['contacts'])) ) { $this->authHosts[$key] = array('host_name' => $key, 'all_services' => true, 'services' => array()); continue; //skip to next host @@ -276,7 +312,7 @@ if(isset($this->authHosts[$key]) && $this->authHosts[$key]['all_services'] == true) continue; //check for authorization at the service level - if(isset($service['contacts']) && (strpos($service['contacts'],$this->username) !== false)) //user is a contact + if(isset($service['contacts']) && in_array($this->username, explode(',',$service['contacts'])) ) //user is a contact { //echo $service['service_description']." : ".$service['contacts']; //only add the service if it's not already there @@ -321,6 +357,7 @@ /** * sweeps through host escalation definitions and adds to authHosts as needed + * @global mixed $NagiosData object.cache array */ private function add_escalated_hosts() { @@ -333,7 +370,7 @@ if(isset($this->authHosts[$he['host_name']]) && $this->authHosts[$he['host_name']]['all_services']==false) continue; //check if user is a contact for escalation - if(strpos($he['contacts'],$this->username) !==false) //if user is in list of contacts + if(in_array($this->username,explode(',',$he['contacts'])) ) //if user is in list of contacts { //add host if not already there, or if it's there but not all services are authorized if(!isset($this->authHosts[$he['host_name']]) || (isset($this->authHosts[$he['host_name']]) && $this->authHosts[$he['host_name']]['all_services']==false) ) //don't overwrite existing arrays $this->authHosts[$he['host_name']] = array('host_name' => $he['host_name'], 'services' => array(), 'all_services' => true ); @@ -345,7 +382,7 @@ { //compare arrays $matches = array_intersect(explode(',',$he['contact_groups']),$this->cg_memberships); - if($matches !== false) // push host list into authHosts array + if(!empty($matches)) // push host list into authHosts array { if(!isset($this->authHosts[$he['host_name']]) || (isset($this->authHosts[$he['host_name']]) && $this->authHosts[$he['host_name']]['all_services']==false) ) //don't overwrite existing arrays $this->authHosts[$he['host_name']] = array('host_name' => $he['host_name'], 'services' => array(), 'all_services' => true ); @@ -359,6 +396,7 @@ * sweeps through escalation definitions and adds to $authHosts as needed * sort through all service escalations in objects.cache and push appropriate services onto array stack * NOTE host_name and service_descriptions are not comma delineated in objects.cache, all single definitions + * @global mixed $NagiosData object.cache array */ private function add_escalated_services() { @@ -371,7 +409,7 @@ if(isset($this->authHosts[$se['host_name']]) && $this->authHosts[$se['host_name']]['all_services'] == true) continue; //check if user is a contact for escalation - if(isset($se['contacts']) && strpos($se['contacts'],$this->username) !==false) //if user is in list of contacts + if(isset($se['contacts']) && in_array($this->username, explode(',',$se['contacts'])) ) //if user is in list of contacts { //check to see if host key exists in the array if(!isset($this->authHosts[$se['host_name']])) //don't overwrite existing arrays @@ -384,11 +422,10 @@ //check if user's contactgroups are in the list if(isset($se['contact_groups'])) - { - + { //compare arrays $matches = array_intersect(explode(',',$se['contact_groups']),$this->cg_memberships); - if($matches !== false) + if(!empty($matches)) { //check to see if array key exists yet if(!isset($this->authHosts[$se['host_name']]) ) //don't overwrite existing arrays $this->authHosts[$se['host_name']] = array('host_name' => $se['host_name'], 'services' => array($se['service_description']),'all_services'=>false ); @@ -398,9 +435,9 @@ }//end IF contactgroups }//end foreach service escalation }//end method add_escalated_services() - -} ///////////////////end NagiosUser class //////////////////////// - - - + +} ///////////////////end NagiosUser class //////////////////////// + + + ?> \ No newline at end of file Modified: nagiosvshell/branches/devel/vshell/data/get_tac_data.php =================================================================== --- nagiosvshell/branches/devel/vshell/data/get_tac_data.php 2011-09-12 19:57:39 UTC (rev 1806) +++ nagiosvshell/branches/devel/vshell/data/get_tac_data.php 2011-09-12 20:01:51 UTC (rev 1807) @@ -137,6 +137,7 @@ 'servicesWarningDisabled' => 0, 'servicesCriticalDisabled' => 0, 'servicesUnknownDisabled' => 0, + 'servicesTotalDisabled' => 0, 'servicesPending' => 0, 'servicesPendingDisabled' => 0, 'servicesWarningHostProblem' => 0, @@ -219,7 +220,7 @@ $current_host = $h_states[$s['host_name']]; if($s['last_check'] == 0 && $s['active_checks_enabled'] == 1) { $tac_data['servicesPending']++; continue; } //pending if($s['last_check'] == 0 && $s['active_checks_enabled'] == 0) { $tac_data['servicesPendingDisabled']++; continue; } //pending - if($s['active_checks_enabled'] == 0) $tac_data['servicesDisabled']++; + if($s['active_checks_enabled'] == 0) $tac_data['servicesTotalDisabled']++; switch($s['current_state']) { case 0: Modified: nagiosvshell/branches/devel/vshell/index.php =================================================================== --- nagiosvshell/branches/devel/vshell/index.php 2011-09-12 19:57:39 UTC (rev 1806) +++ nagiosvshell/branches/devel/vshell/index.php 2011-09-12 20:01:51 UTC (rev 1807) @@ -50,22 +50,22 @@ // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. //hide error output in browser -ini_set('display_errors','On'); +ini_set('display_errors','Off'); session_start(); //no need for sessions at this time ob_start(); +$username = false; +//////////////USE TO OVERRIDE APACHE AUTHENTICATION LOGIC: /////////////////////////////// +//////////UNCOMMENTING THIS WILL LEAVE YOUR MONITORING ENVIRONMENT WIDE OPEN!!! /////////////////////////// +//$username = 'nagiosadmin'; + + include(dirname(__FILE__).'/inc.inc.php'); //master include file //load language and other sitewide settings init_vshell(); -//////////////USE TO OVERRIDE APACHE AUTHENTICATION LOGIC: /////////////////////////////// -//////////UNCOMMENTING THIS WILL LEAVE YOUR MONITORING ENVIRONMENT WIDE OPEN!!! /////////////////////////// -//$username = false; -//$username = 'mike'; - -$username = $NagiosUser->get_username(); //needs a username to do anything if($username) //if logged in, display the page { This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |