Changes to the sync action pages

- fixed access control
- any admin can now encode new servers. Org admins can pull/push for their own instances.

- Upload certificates during an edit
pull/217/head
iglocska 2014-01-21 16:41:32 +01:00
parent 89bf5f06b6
commit a9d945ff19
4 changed files with 60 additions and 61 deletions


@ -65,34 +65,13 @@ class ServersController extends AppController {
* @return void
*/
public function add() {
if ((!$this->_IsSiteAdmin()) && !($this->Server->organization == $this->Auth->user('org') && $this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
if (!$this->_isAdmin()) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
if ($this->request->is('post')) {
// force check userid and orgname to be from yourself
$this->request->data['Server']['org'] = $this->Auth->user('org');
if ($this->Server->save($this->request->data)) {
if (isset($this->data['Server']['submitted_cert'])) {
$ext = '';
App::uses('File', 'Utility');
$file = new File($this->data['Server']['submitted_cert']['name']);
$ext = $file->ext();
if (($ext != 'pem') || !$this->data['Server']['submitted_cert']['size'] > 0) {
$this->Session->setFlash('Incorrect extension of empty file.');
$this->redirect(array('action' => 'index'));
}
}
if (isset($this->data['Server']['submitted_cert']) && ($ext != 'pem') && $this->data['Server']['submitted_cert']['size'] > 0 &&
is_uploaded_file($this->data['Event']['submittedgfi']['tmp_name'])) {
$this->Session->setFlash(__('You may only upload GFI Sandbox zip files.'));
} else {
$pemData = fread(fopen($this->data['Server']['submitted_cert']['tmp_name'], "r"),
$this->data['Server']['submitted_cert']['size']);
$destpath = APP . "files" . DS . "certs" . DS;
if (!preg_match('@^[\w-,\s,\.]+\.[A-Za-z0-9_]{2,4}$@', $this->data['Server']['submitted_cert']['name'])) throw new Exception ('Filename not allowed');
$pemfile = new File ($destpath . $this->Server->id . '.' . $ext);
$result = $pemfile->write($pemData);
$s = $this->Server->read(null, $this->Server->id);
$s['Server']['cert_file'] = $s['Server']['id'] . '.' . $ext;
if ($result) $this->Server->save($s);
if (isset($this->request->data['Server']['submitted_cert'])) {
$this->__saveCert($this->request->data, $this->Server->id);
}
$this->Session->setFlash(__('The server has been saved'));
$this->redirect(array('action' => 'index'));
@ -110,11 +89,12 @@ class ServersController extends AppController {
* @throws NotFoundException
*/
public function edit($id = null) {
if (!$this->_IsSiteAdmin() && !($this->Server->organization == $this->Auth->user('org') && $this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
$this->Server->id = $id;
if (!$this->Server->exists()) {
throw new NotFoundException(__('Invalid server'));
}
$s = $this->Server->read(null, $id);
if (!$this->_isSiteAdmin() && !($s['Server']['org'] == $this->Auth->user('org') && $this->_isAdmin())) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
if ($this->request->is('post') || $this->request->is('put')) {
// say what fields are to be updated
$fieldList = array('id', 'url', 'push', 'pull', 'organization');
@ -123,6 +103,9 @@ class ServersController extends AppController {
$fieldList[] = 'authkey';
// Save the data
if ($this->Server->save($this->request->data, true, $fieldList)) {
if (isset($this->request->data['Server']['submitted_cert'])) {
$this->__saveCert($this->request->data, $this->Server->id);
}
$this->Session->setFlash(__('The server has been saved'));
$this->redirect(array('action' => 'index'));
} else {
@ -144,7 +127,6 @@ class ServersController extends AppController {
* @throws NotFoundException
*/
public function delete($id = null) {
if(!$this->_IsSiteAdmin() && !($this->Server->id == $this->Auth->user('org') && $this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
if (!$this->request->is('post')) {
throw new MethodNotAllowedException();
}
@ -152,6 +134,8 @@ class ServersController extends AppController {
if (!$this->Server->exists()) {
throw new NotFoundException(__('Invalid server'));
}
$s = $this->Server->read(null, $id);
if (!$this->_isSiteAdmin() || !($s['Server']['org'] == $this->Auth->user('org') && $this->_isSiteAdmin())) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
if ($this->Server->delete()) {
$this->Session->setFlash(__('Server deleted'));
$this->redirect(array('action' => 'index'));
@ -173,13 +157,17 @@ class ServersController extends AppController {
* @throws NotFoundException
*/
public function pull($id = null, $technique=false) {
if (!$this->_isSiteAdmin() && !($this->Server->organization == $this->Auth->user('org') && $this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
$this->Server->id = $id;
if (!$this->Server->exists()) {
throw new NotFoundException(__('Invalid server'));
}
$s = $this->Server->read(null, $id);
if (!$this->_isSiteAdmin() && !($s['Server']['org'] == $this->Auth->user('org') && $this->_isSiteAdmin())) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
$this->Server->id = $id;
if (!$this->Server->exists()) {
throw new NotFoundException(__('Invalid server'));
}
$s = $this->Server->read(null, $id);
if (false == $this->Server->data['Server']['pull']) {
$this->Session->setFlash(__('Pull setting not enabled for this server.'));
$this->redirect(array('action' => 'index'));
@ -238,11 +226,12 @@ class ServersController extends AppController {
}
public function push($id = null, $technique=false) {
if (!$this->_isSiteAdmin() && !($this->Server->organization == $this->Auth->user('org') && $this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
$this->Server->id = $id;
if (!$this->Server->exists()) {
throw new NotFoundException(__('Invalid server'));
}
$s = $this->Server->read(null, $id);
if (!$this->_isSiteAdmin() && !($s['Server']['org'] == $this->Auth->user('org') && $this->_isSiteAdmin())) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
if (!Configure::read('MISP.background_jobs')) {
$server = $this->Server->read(null, $id);
App::uses('SyncTool', 'Tools');
@ -275,4 +264,24 @@ class ServersController extends AppController {
$this->redirect(array('action' => 'index'));
}
}
public function __saveCert($server, $id) {
$ext = '';
App::uses('File', 'Utility');
$file = new File($server['Server']['submitted_cert']['name']);
$ext = $file->ext();
if (($ext != 'pem') || !$server['Server']['submitted_cert']['size'] > 0) {
$this->Session->setFlash('Incorrect extension of empty file.');
$this->redirect(array('action' => 'index'));
}
$pemData = fread(fopen($server['Server']['submitted_cert']['tmp_name'], "r"),
$server['Server']['submitted_cert']['size']);
$destpath = APP . "files" . DS . "certs" . DS;
if (!preg_match('@^[\w-,\s,\.]+\.[A-Za-z0-9_]{2,4}$@', $server['Server']['submitted_cert']['name'])) throw new Exception ('Filename not allowed');
$pemfile = new File ($destpath . $id . '.' . $ext);
$result = $pemfile->write($pemData);
$s = $this->Server->read(null, $id);
$s['Server']['cert_file'] = $s['Server']['id'] . '.' . $ext;
if ($result) $this->Server->save($s);
}
}
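Review bot: The new access check in pull() at L104 re-tests `_isSiteAdmin()` inside the org clause, so the whole condition collapses to `!$this->_isSiteAdmin()` and org admins are still redirected, contrary to the commit description; push() at L122 has the same shape, and edit() at L63 shows the intended predicate, `if (!$this->_isSiteAdmin() && !($s['Server']['org'] == $this->Auth->user('org') && $this->_isAdmin())) $this->redirect(array('controller' => 'servers', 'action' => 'index'));`. delete() at L90 additionally joins the two clauses with `||`, which redirects even a site admin when the server belongs to another org, so it needs the same one-line form; the index view in this commit meanwhile drops the gate on the pull/push links altogether, so whichever predicate is settled on here should also gate those links (e.g. on `$mayModify`). __saveCert() is invoked whenever `submitted_cert` is set (add() at L48, edit() at L71); if the request layer populates that key for an empty file input the way PHP's `$_FILES` does, every save without a certificate will hit the "Incorrect extension" redirect, so guard the call with `$this->request->data['Server']['submitted_cert']['error'] === UPLOAD_ERR_OK` and check `is_uploaded_file()` on `tmp_name` before the `fopen()` in __saveCert(), whose handle is also never closed. Minor: __saveCert() should be declared `private` rather than relying on the underscore prefix, pull() now runs the `exists()`/`read()` block twice (L99-L103 and L105-L109), and the flash `Incorrect extension of empty file.` presumably means `or`.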


@ -119,7 +119,7 @@
<li class="divider"></li>
<?php endif; ?>
<li <?php if ($menuItem === 'index') echo 'class="active";'?>><?php echo $this->Html->link('List Servers', array('controller' => 'servers', 'action' => 'index'));?></li>
<li <?php if ($menuItem === 'add') echo 'class="active";'?>><?php if ($isSiteAdmin) echo $this->Html->link(__('New Server'), array('controller' => 'servers', 'action' => 'add')); ?></li>
<li <?php if ($menuItem === 'add') echo 'class="active";'?>><?php echo $this->Html->link(__('New Server'), array('controller' => 'servers', 'action' => 'add')); ?></li>
<?php
break;
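Review bot: The `New Server` menu link at L158 drops the `$isSiteAdmin` gate without replacing it, while `ServersController::add()` in this commit admits only `_isAdmin()`, so non-admin users get a link that merely redirects them back to the index. The index view in the same commit already reads `$isAdmin`, so presumably it is available here too: `<li <?php if ($menuItem === 'add') echo 'class="active";'?>><?php if ($isAdmin) echo $this->Html->link(__('New Server'), array('controller' => 'servers', 'action' => 'add')); ?></li>`. Unrelated but visible on the same lines: `echo 'class="active";'` emits a stray `;` inside the `<li>` tag. The enclosing switch case starts before the hunk.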


@ -1,20 +1,16 @@
<div class="servers form">
<?php echo $this->Form->create('Server', array('novalidate'=>true));?>
<?php echo $this->Form->create('Server', array('type' => 'file', 'novalidate'=>true));?>
<fieldset>
<legend>Edit Server</legend>
<legend>Add Server</legend>
<?php
echo $this->Form->input('url', array(
'label' => 'Base URL',
));
?>
<div class = "input clear"></div>
<?php
echo $this->Form->input('organization', array(
'label' => 'Organization',
));
?>
<div class = "input clear"></div>
<?php
echo $this->Form->input('authkey', array(
));
?>
@ -22,10 +18,20 @@
<?php
echo $this->Form->input('push', array(
));
echo $this->Form->input('pull', array(
));
?>
<div class = "input clear"></div>
<?php
echo $this->Form->input('pull', array(
<?php
echo $this->Form->input('self_signed', array(
'type' => 'checkbox',
));
echo $this->Form->input('Server.submitted_cert', array(
'label' => '<b>Certificate file</b>',
'type' => 'file',
'div' => 'clear'
));
?>
</fieldset>
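Review bot: The add form now posts a `self_signed` checkbox and a `Server.submitted_cert` file, and `add()` in this commit saves `$this->request->data` with no field list (unlike `edit()`, which whitelists `id`, `url`, `push`, `pull`, `organization`, `authkey`), so any extra `Server.*` field a client adds to this multipart request is mass-assigned; consider passing the same field list, plus `self_signed`, to the save in `add()`. That edit whitelist does not include `self_signed`, so if the edit form gets the same checkbox the value will be silently dropped on update — worth confirming before merging.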


@ -22,17 +22,8 @@
<th><?php echo $this->Paginator->sort('pull');?></th>
<th><?php echo $this->Paginator->sort('url');?></th>
<th>From</th>
<?php
if ($isSiteAdmin): ?>
<th><?php echo $this->Paginator->sort('cert_file');?></th>
<?php
endif;
if ($isAdmin):
?>
<th><?php echo $this->Paginator->sort('cert_file');?></th>
<th><?php echo $this->Paginator->sort('org');?></th>
<?php
endif;
?>
<th>Last Pulled ID</th>
<th>Last Pushed ID</th>
<th class="actions">Actions</th>
@ -44,27 +35,20 @@ foreach ($servers as $server): ?>
<td class="short" style="text-align: center;"><?php echo ($server['Server']['pull'])? 'Yes' : 'No'; ?>&nbsp;</td>
<td><?php echo h($server['Server']['url']); ?>&nbsp;</td>
<td><?php echo h($server['Server']['organization']); ?>&nbsp;</td>
<?php
if ($isSiteAdmin): ?>
<td class="short"><?php echo h($server['Server']['cert_file']); ?>&nbsp;</td>
<?php
endif;
if ($isAdmin): ?>
<td class="short"><?php echo h($server['Server']['cert_file']); ?>&nbsp;</td>
<td class="short"><?php echo h($server['Server']['org']); ?>&nbsp;</td>
<?php
endif; ?>
<td class="short"><?php echo $server['Server']['lastpulledid']; ?></td>
<td class="short"><?php echo $server['Server']['lastpushedid']; ?></td>
<td class="short action-links">
<?php
if ($server['Server']['pull'] && $isSiteAdmin)
if ($server['Server']['pull'])
echo $this->Html->link('', array('action' => 'pull', $server['Server']['id'], 'full'), array('class' => 'icon-download', 'title' => 'Pull all'));
if ($server['Server']['push'] && $isSiteAdmin)
if ($server['Server']['push'])
echo $this->Html->link('', array('action' => 'push', $server['Server']['id'], 'full'), array('class' => 'icon-upload', 'title' => 'Push all'));
?>
&nbsp;
<?php
$mayModify = ($isSiteAdmin || $me['org'] == $server['Server']['organization']) || ($isAdmin && ($server['Server']['organization'] == $me['org']));
$mayModify = ($isSiteAdmin || ($isAdmin && ($server['Server']['org'] == $me['org'])));
if ($mayModify) echo $this->Html->link('', array('action' => 'edit', $server['Server']['id']), array('class' => 'icon-edit', 'title' => 'Edit'));
if ($mayModify) echo $this->Form->postLink('', array('action' => 'delete', $server['Server']['id']), array('class' => 'icon-trash', 'title' => 'Delete'), __('Are you sure you want to delete # %s?', $server['Server']['id']));
?>