authorramon <ramongomez@us.es>2016-10-03 17:13:32 +0000
committerramon <ramongomez@us.es>2016-10-03 17:13:32 +0000
commita9140b08dfa5e29fd8e0f308d1f89f274ea7b811 (patch)
tree4592cf709a8ed90e75fe84d16a355adaafa77a6b /admin/WebConsole/rest/ogagent.php
parent2a0be21fe0d0e2301589ea53082dd318bc4fb735 (diff)
#708: Mejoras en las rutas REST para OGAgent (rutas {{{/ogagent/...}}}):
* Registrar rutas en los errores del fichero de log. * Mejorar seguridad comprobando que el parámetro IP del mensaje corresponde con la del emisor. * Comprobar que la clave de acceso a la API REST de un OGAgent iniciado se almacena bien en la BD. git-svn-id: https://opengnsys.es/svn/branches/version1.1@5026 a21b9725-9963-47de-94b9-378ad31fedc9
Diffstat (limited to 'admin/WebConsole/rest/ogagent.php')
-rw-r--r--admin/WebConsole/rest/ogagent.php58
1 files changed, 43 insertions, 15 deletions
diff --git a/admin/WebConsole/rest/ogagent.php b/admin/WebConsole/rest/ogagent.php
index 422e7d12..c6c575af 100644
--- a/admin/WebConsole/rest/ogagent.php
+++ b/admin/WebConsole/rest/ogagent.php
@@ -2,14 +2,22 @@
// OpenGnsys REST routes for OGAgent communications.
// Author: Ramón M. Gómez
-// Date: 2015-09-04
-// Warning: authentication/authorisation not included.
+// Date: 2016-10-03
// OGAgent sessions log file.
define('LOG_FILE', '/opt/opengnsys/log/ogagent.log');
-// OGAgent notifies that its service is started on client.
+/**
+ * @brief OGAgent notifies that its service is started on a client.
+ * @note Route: /ogagent/started, Method: POST
+ * @param string ip IP address
+ * @param string mac MAC (Ethernet) address
+ * @param string ostype OS type (Linux, Windows)
+ * @param string osversion OS name and version
+ * @param string secret random secret key to access client's REST API
+ * @return Null string if OK, else error message.
+ */
$app->post('/ogagent/started',
function() use ($app) {
global $cmd;
@@ -21,16 +29,24 @@ $app->post('/ogagent/started',
$mac = htmlspecialchars($input->mac);
if (isset($input->ostype)) $osType = htmlspecialchars($input->ostype);
if (isset($input->osversion)) $osVersion = str_replace(",", ";", htmlspecialchars($input->osversion));
+ // Check sender IP address consistency (same as parameter value).
+ if ($ip !== $_SERVER['REMOTE_ADDR']) {
+ throw new Exception("Bad IP address: agent=$ip, sender=".$_SERVER['REMOTE_ADDR']);
+ }
// Client secret key for secure communications.
if (isset($input->secret)) {
+ // Check if secret key is valid (32 alphanumeric characters).
+ if (! ctype_alnum($input->secret) or strlen($input->secret) !== 32) {
+ throw new Exception("Bad secret key: ip=$ip, mac=$mac, os=$osType:$osVersion.");
+ }
// Store secret key in DB.
- $secret = htmlspecialchars($input->secret);
$cmd->texto = "UPDATE ordenadores
SET agentkey='$secret'
- WHERE ip='$ip' AND mac=UPPER(REPLACE('$mac',':',''))";
- if ($cmd->Ejecutar() !== true) {
- // DB access error.
- throw new Exception("Cannot store secret key: ip=$ip, mac=$mac, os=$osType:$osVersion.");
+ WHERE ip='$ip' AND mac=UPPER(REPLACE('$mac',':',''))
+ LIMIT 1";
+ if ($cmd->Ejecutar() !== true or mysql_affected_rows() !== 1) {
+ // DB access error or not updated.
+ throw new Exception("Cannot store new secret key: ip=$ip, mac=$mac, os=$osType:$osVersion.");
}
} else {
// Insecure agent exception.
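Review bot: On the new side `$secret` is never assigned — the line `$secret = htmlspecialchars($input->secret);` is removed, yet the UPDATE still interpolates `'$secret'`, so unless it is set in the part of the route above this hunk the query writes an empty agentkey and the later check cannot detect it. Since the new ctype_alnum()/strlen() test already constrains the value to 32 alphanumerics, assign it right after that test, e.g. `$secret = $input->secret;`. The `mysql_affected_rows() !== 1` guard also rejects a legitimate agent restart that re-sends an unchanged key, because MySQL reports 0 affected rows when an UPDATE changes nothing (unless the connection was opened with CLIENT_FOUND_ROWS), and it presumes `$cmd->Ejecutar()` runs on the legacy mysql extension's last link — worth confirming. `$mac` is still interpolated into the query with only htmlspecialchars() applied, so a format check such as `ctype_xdigit(str_replace(':', '', $mac))` before the query would be consistent with the new secret validation. The route's closure starts and ends outside this hunk.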
@@ -44,7 +60,7 @@ $app->post('/ogagent/started',
} catch (Exception $e) {
// Comunication error.
$response["message"] = $e->getMessage();
- file_put_contents(LOG_FILE, date(DATE_RSS).": ".__FUNCTION__.": ERROR: ".$response["message"]."\n", FILE_APPEND);
+ file_put_contents(LOG_FILE, date(DATE_RSS).": ".$app->request()->getResourceUri().": ERROR: ".$response["message"]."\n", FILE_APPEND);
jsonResponse(400, $response);
}
}
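Review bot: The new log line writes `$response["message"]` verbatim, and that message carries agent-supplied fields (the `$ip` reported in a failed sender check, `$mac`, `$osType`, `$osVersion`) that only passed through htmlspecialchars(), which leaves CR/LF intact, so a malformed request can append extra or forged lines to LOG_FILE. Strip control characters before appending, e.g. `$logMsg = preg_replace('/[[:cntrl:]]+/', ' ', $response["message"]);`, and consider `FILE_APPEND | LOCK_EX` so concurrent agents do not interleave entries. The same line is repeated in the catch blocks of /ogagent/stopped, /ogagent/loggedin and /ogagent/loggedout in the later hunks. The enclosing closure starts outside this hunk.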
@@ -61,7 +77,11 @@ $app->post('/ogagent/stopped',
$mac = htmlspecialchars($input->mac);
if (isset($input->ostype)) $osType = htmlspecialchars($input->ostype);
if (isset($input->osversion)) $osVersion = str_replace(",", ";", htmlspecialchars($input->osversion));
- // May check that client is included in the server database?
+ // Check sender IP address consistency (same as parameter value).
+ if ($ip !== $_SERVER['REMOTE_ADDR']) {
+ throw new Exception("Bad IP address: agent=$ip, sender=".$_SERVER['REMOTE_ADDR']);
+ }
+ // May check if client is included in the server database?
// Default processing: log activity.
file_put_contents(LOG_FILE, date(DATE_RSS).": OGAgent stopped: ip=$ip, mac=$mac, os=$osType:$osVersion.\n", FILE_APPEND);
// Response.
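Review bot: The sender-IP comparison is copied verbatim into four routes (/ogagent/started in the earlier hunk, /ogagent/stopped here, and /ogagent/loggedin and /ogagent/loggedout below), so any later change — for instance normalising the IPv4-mapped IPv6 form that `$_SERVER['REMOTE_ADDR']` can return on dual-stack hosts, or handling a reverse proxy in front of the console — has to be made in four places. Extracting it into one helper called as `checkSenderIp($ip);` keeps the check, and its error message, in a single place. Note that `$ip` is a htmlspecialchars() result, which is fine for a dotted IPv4 string but the comparison is strict, so any difference in textual form between what the agent sends and what the web server reports is rejected as an error. The closure around this hunk starts and ends outside it.
```php
// Abort unless the IP address reported by the agent is the request sender's.
function checkSenderIp($ip) {
    if ($ip !== $_SERVER['REMOTE_ADDR']) {
        throw new Exception("Bad IP address: agent=$ip, sender=".$_SERVER['REMOTE_ADDR']);
    }
}
// … unchanged: each route closure, with the inline comparison replaced by …
checkSenderIp($ip);
```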
@@ -70,7 +90,7 @@ $app->post('/ogagent/stopped',
} catch (Exception $e) {
// Comunication error.
$response["message"] = $e->getMessage();
- file_put_contents(LOG_FILE, date(DATE_RSS).": ".__FUNCTION__.": ERROR: ".$response["message"]."\n", FILE_APPEND);
+ file_put_contents(LOG_FILE, date(DATE_RSS).": ".$app->request()->getResourceUri().": ERROR: ".$response["message"]."\n", FILE_APPEND);
jsonResponse(400, $response);
}
}
@@ -84,7 +104,11 @@ $app->post('/ogagent/loggedin',
$input = json_decode($app->request()->getBody());
$ip = htmlspecialchars($input->ip);
$user = htmlspecialchars($input->user);
- // May check that client is included in the server database?
+ // Check sender IP address consistency (same as parameter value).
+ if ($ip !== $_SERVER['REMOTE_ADDR']) {
+ throw new Exception("Bad IP address: agent=$ip, sender=".$_SERVER['REMOTE_ADDR']);
+ }
+ // May check if client is included in the server database?
// Default processing: log activity.
file_put_contents(LOG_FILE, date(DATE_RSS).": User logged in: ip=$ip, user=$user.\n", FILE_APPEND);
// Response.
@@ -93,7 +117,7 @@ $app->post('/ogagent/loggedin',
} catch (Exception $e) {
// Comunication error.
$response["message"] = $e->getMessage();
- file_put_contents(LOG_FILE, date(DATE_RSS).": ".__FUNCTION__.": ERROR: ".$response["message"]."\n", FILE_APPEND);
+ file_put_contents(LOG_FILE, date(DATE_RSS).": ".$app->request()->getResourceUri().": ERROR: ".$response["message"]."\n", FILE_APPEND);
jsonResponse(400, $response);
}
}
@@ -107,7 +131,11 @@ $app->post('/ogagent/loggedout',
$input = json_decode($app->request()->getBody());
$ip = htmlspecialchars($input->ip);
$user = htmlspecialchars($input->user);
- // May check that client is included in the server database?
+ // Check sender IP address consistency (same as parameter value).
+ if ($ip !== $_SERVER['REMOTE_ADDR']) {
+ throw new Exception("Bad IP address: agent=$ip, sender=".$_SERVER['REMOTE_ADDR']);
+ }
+ // May check if client is included in the server database?
// Default processing: log activity.
file_put_contents(LOG_FILE, date(DATE_RSS).": User logged out: ip=$ip, user=$user.\n", FILE_APPEND);
// Response.
@@ -116,7 +144,7 @@ $app->post('/ogagent/loggedout',
} catch (Exception $e) {
// Comunication error.
$response["message"] = $e->getMessage();
- file_put_contents(LOG_FILE, date(DATE_RSS).": ".__FUNCTION__.": ERROR: ".$response["message"]."\n", FILE_APPEND);
+ file_put_contents(LOG_FILE, date(DATE_RSS).": ".$app->request()->getResourceUri().": ERROR: ".$response["message"]."\n", FILE_APPEND);
jsonResponse(400, $response);
}
}