maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

enhance MysqlServer.add(), implement MysqlServer.update(), adjusted MysqlServer.get() to be callable by customer if allowed access to the given dbserver

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2022-05-24 09:30:09 +02:00
parent d3a8c8628e
commit 7cbc14f4aa
2 changed files with 270 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

214
lib/Froxlor/Api/Commands/MysqlServer.php
View File

@@ -68,7 +68,9 @@ class MysqlServer extends ApiCommand implements ResourceEntity
* @param string $description * @param string $description
* optional, description for server * optional, description for server
* @param bool $allow_all_customers * @param bool $allow_all_customers
* optional add this configuration to the list of every existing customer's allowed-fpm-config list, default is false (no) * optional add this configuration to the list of every existing customer's allowed-mysqlserver-config list, default is false (no)
* @param bool $test_connection
* optional, test connection with given credentials, default is true (yes)
* *
* @access admin * @access admin
* @throws Exception * @throws Exception
@@ -85,6 +87,8 @@ class MysqlServer extends ApiCommand implements ResourceEntity
$privileged_user = $this->getParam('privileged_user'); $privileged_user = $this->getParam('privileged_user');
$privileged_password = $this->getParam('privileged_password'); $privileged_password = $this->getParam('privileged_password');
$description = $this->getParam('description', true, ''); $description = $this->getParam('description', true, '');
$allow_all_customers = $this->getParam('allow_all_customers', true, 0);
$test_connection = $this->getParam('test_connection', true, 1);
// validation // validation
$mysql_host = Validate::validate_ip2($mysql_host, true, 'invalidip', true, true, false); $mysql_host = Validate::validate_ip2($mysql_host, true, 'invalidip', true, true, false);
@@ -102,20 +106,22 @@ class MysqlServer extends ApiCommand implements ResourceEntity
$description = Validate::validate(trim($description), 'description', Validate::REGEX_DESC_TEXT, '', [], true); $description = Validate::validate(trim($description), 'description', Validate::REGEX_DESC_TEXT, '', [], true);
// testing connection with given credentials // testing connection with given credentials
$options = array( if ($test_connection) {
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET names utf8' $options = array(
); PDO::MYSQL_ATTR_INIT_COMMAND => 'SET names utf8'
if (!empty($mysql_ca)) { );
$options[PDO::MYSQL_ATTR_SSL_CA] = $mysql_ca; if (!empty($mysql_ca)) {
$options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $mysql_verifycert; $options[PDO::MYSQL_ATTR_SSL_CA] = $mysql_ca;
} $options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $mysql_verifycert;
}
$dsn = "mysql:host=" . $mysql_host . ";port=" . $mysql_port . ";"; $dsn = "mysql:host=" . $mysql_host . ";port=" . $mysql_port . ";";
try { try {
$db_test = new \PDO($dsn, $privileged_user, $privileged_password, $options); $db_test = new \PDO($dsn, $privileged_user, $privileged_password, $options);
unset($db_test); unset($db_test);
} catch (PDOException $e) { } catch (PDOException $e) {
throw new Exception("Connection to given mysql database could not be established. Error-message: " . $e->getMessage(), $e->getCode()); throw new Exception("Connection to given mysql database could not be established. Error-message: " . $e->getMessage(), $e->getCode());
}
} }
// get all data from lib/userdata // get all data from lib/userdata
@@ -150,13 +156,22 @@ class MysqlServer extends ApiCommand implements ResourceEntity
]; ];
$this->generateNewUserData($sql, $sql_root); $this->generateNewUserData($sql, $sql_root);
return $this->response(['true']);
// last added to array
$newdbserver = array_key_last($sql_root);
if ($allow_all_customers) {
$this->addDatabaseFromCustomerAllowedList($newdbserver);
}
return $this->response(['dbserver' => $newdbserver]);
} }
/** /**
* remove a mysql-server * remove a mysql-server
* *
* @param int $dbserver number of the mysql server * @param int $dbserver
* the number of the mysql-server
* *
* @access admin * @access admin
* @throws Exception * @throws Exception
@@ -169,7 +184,7 @@ class MysqlServer extends ApiCommand implements ResourceEntity
$dbserver = (int) $this->getParam('dbserver'); $dbserver = (int) $this->getParam('dbserver');
if ($dbserver == 0) { if ($dbserver == 0) {
throw new Exception('Cannot delete first/default mysql-server'); throw new Exception('Cannot delete first/default mysql-server', 406);
} }
// get all data from lib/userdata // get all data from lib/userdata
@@ -185,6 +200,9 @@ class MysqlServer extends ApiCommand implements ResourceEntity
Response::standardError('mysqlserverstillhasdbs', '', true); Response::standardError('mysqlserverstillhasdbs', '', true);
} }
// when removing, remove from list of allowed_mysqlservers from any customers
$this->removeDatabaseFromCustomerAllowedList($dbserver);
unset($sql_root[$dbserver]); unset($sql_root[$dbserver]);
$this->generateNewUserData($sql, $sql_root); $this->generateNewUserData($sql, $sql_root);
@@ -216,6 +234,8 @@ class MysqlServer extends ApiCommand implements ResourceEntity
} elseif (!in_array($index, $allowed_mysqls)) { } elseif (!in_array($index, $allowed_mysqls)) {
continue; continue;
} }
// no usernames required for non-admins
unset($sqlrootdata['user']);
} }
// passwords will not be returned in any case for security reasons // passwords will not be returned in any case for security reasons
unset($sqlrootdata['password']); unset($sqlrootdata['password']);
@@ -249,21 +269,29 @@ class MysqlServer extends ApiCommand implements ResourceEntity
* Return info about a specific mysql-server * Return info about a specific mysql-server
* *
* @param int $dbserver * @param int $dbserver
* index of the mysql-server * the number of the mysql-server
* *
* @access admin * @access admin, customer
* @throws Exception * @throws Exception
* @return string json-encoded array * @return string json-encoded array
*/ */
public function get() public function get()
{ {
$this->validateAccess();
$dbserver = (int) $this->getParam('dbserver'); $dbserver = (int) $this->getParam('dbserver');
// get all data from lib/userdata // get all data from lib/userdata
require Froxlor::getInstallDir() . "/lib/userdata.inc.php"; require Froxlor::getInstallDir() . "/lib/userdata.inc.php";
// limit customer to its allowed servers
if ($this->isAdmin() == false) {
$allowed_mysqls = json_decode($this->getUserDetail('allowed_mysqlserver'), true);
if ($allowed_mysqls === false || empty($allowed_mysqls) || !in_array($dbserver, $allowed_mysqls)) {
throw new Exception("You cannot access this resource", 405);
}
// no usernames required for non-admins
unset($sqlrootdata['user']);
}
if (!isset($sql_root[$dbserver])) { if (!isset($sql_root[$dbserver])) {
throw new Exception('Mysql server not found', 404); throw new Exception('Mysql server not found', 404);
} }
@@ -273,11 +301,111 @@ class MysqlServer extends ApiCommand implements ResourceEntity
} }
/** /**
* @TODO implement me * update given mysql-server
*
* @param int $dbserver
* the number of the mysql server
* @param string $mysql_host
* ip/hostname of mysql-server
* @param string $mysql_port
* optional, port to connect to
* @param string $mysql_ca
* optional, path to certificate file
* @param string $mysql_verifycert
* optional, verify server certificate
* @param string $privileged_user
* privileged user on the mysql-server (must have GRANT privileges)
* @param string $privileged_password
* password of privileged user
* @param string $description
* optional, description for server
* @param bool $allow_all_customers
* optional add this configuration to the list of every existing customer's allowed-mysqlserver-config list, default is false (no)
* @param bool $test_connection
* optional, test connection with given credentials, default is true (yes)
*
* @access admin
* @throws Exception
* @return string json-encoded array
*/ */
public function update() public function update()
{ {
throw new Exception('@TODO Later', 303); $this->validateAccess();
$dbserver = (int) $this->getParam('dbserver');
require Froxlor::getInstallDir() . "/lib/userdata.inc.php";
if (!isset($sql_root[$dbserver])) {
throw new Exception('Mysql server not found', 404);
}
$result = $sql_root[$dbserver];
$mysql_host = $this->getParam('mysql_host', true, $result['host']);
$mysql_port = $this->getParam('mysql_port', true, $result['port'] ?? 3306);
$mysql_ca = $this->getParam('mysql_ca', true, $result['ssl']['caFile'] ?? '');
$mysql_verifycert = $this->getBoolParam('mysql_verifycert', true, $result['ssl']['verifyServerCertificate'] ?? 0);
$privileged_user = $this->getParam('privileged_user', true, $result['user']);
$privileged_password = $this->getParam('privileged_password', true, $result['password']);
$description = $this->getParam('description', true, $result['caption']);
$allow_all_customers = $this->getParam('allow_all_customers', true, 0);
$test_connection = $this->getParam('test_connection', true, 1);
// validation
$mysql_host = Validate::validate_ip2($mysql_host, true, 'invalidip', true, true, false);
if ($mysql_host === false) {
$mysql_host = Validate::validateLocalHostname($mysql_host);
if ($mysql_host === false) {
$mysql_host = Validate::validateDomain($mysql_host);
if ($mysql_host === false) {
throw new Exception("Invalid mysql server ip/hostname", 406);
}
}
}
$mysql_port = Validate::validate($mysql_port, 'port', Validate::REGEX_PORT, '', [3306], true);
$privileged_password = Validate::validate($privileged_password, 'password', '', '', [], true);
$description = Validate::validate(trim($description), 'description', Validate::REGEX_DESC_TEXT, '', [], true);
// testing connection with given credentials
if ($test_connection) {
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET names utf8'
);
if (!empty($mysql_ca)) {
$options[PDO::MYSQL_ATTR_SSL_CA] = $mysql_ca;
$options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $mysql_verifycert;
}
$dsn = "mysql:host=" . $mysql_host . ";port=" . $mysql_port . ";";
try {
$db_test = new \PDO($dsn, $privileged_user, $privileged_password, $options);
unset($db_test);
} catch (PDOException $e) {
throw new Exception("Connection to given mysql database could not be established. Error-message: " . $e->getMessage(), $e->getCode());
}
}
// set new values to sql_root array
$sql_root[$dbserver] = [
'caption' => $description,
'host' => $mysql_host,
'port' => $mysql_port,
'user' => $privileged_user,
'password' => $privileged_password,
'ssl' => [
'caFile' => $mysql_ca ?? "",
'verifyServerCertificate' => $mysql_verifycert ?? false
]
];
$this->generateNewUserData($sql, $sql_root);
if ($allow_all_customers) {
$this->addDatabaseFromCustomerAllowedList($dbserver);
}
return $this->response(['true']);
} }
/** /**
@@ -314,6 +442,46 @@ class MysqlServer extends ApiCommand implements ResourceEntity
} }
} }
private function removeDatabaseFromCustomerAllowedList(int $dbserver)
{
$sel_stmt = Database::prepare("
SELECT customerid, allowed_mysqlserver FROM `" . TABLE_PANEL_CUSTOMERS . "`
");
Database::pexecute($sel_stmt);
$upd_stmt = Database::prepare("
UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET
`allowed_mysqlserver` = :am WHERE `customerid` = :cid
");
while ($customer = $sel_stmt->fetch(PDO::FETCH_ASSOC)) {
$allowed_mysqls = json_decode(($customer['allowed_mysqlserver'] ?? '[]'), true);
if (($key = array_search($dbserver, $allowed_mysqls)) !== false) {
unset($allowed_mysqls[$key]);
$allowed_mysqls = json_encode($allowed_mysqls);
Database::pexecute($upd_stmt, ['am' => $allowed_mysqls, 'cid' => $customer['customerid']]);
}
}
}
private function addDatabaseFromCustomerAllowedList(int $dbserver)
{
$sel_stmt = Database::prepare("
SELECT customerid, allowed_mysqlserver FROM `" . TABLE_PANEL_CUSTOMERS . "`
");
Database::pexecute($sel_stmt);
$upd_stmt = Database::prepare("
UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET
`allowed_mysqlserver` = :am WHERE `customerid` = :cid
");
while ($customer = $sel_stmt->fetch(PDO::FETCH_ASSOC)) {
$allowed_mysqls = json_decode(($customer['allowed_mysqlserver'] ?? '[]'), true);
if (!in_array($dbserver, $allowed_mysqls)) {
$allowed_mysqls[] = $dbserver;
$allowed_mysqls = json_encode($allowed_mysqls);
Database::pexecute($upd_stmt, ['am' => $allowed_mysqls, 'cid' => $customer['customerid']]);
}
}
}
/** /**
* write new userdata.inc.php file * write new userdata.inc.php file
*/ */

79
tests/Mysqls/MysqlServerTest.php Normal file
View File

@@ -0,0 +1,79 @@
<?php
use PHPUnit\Framework\TestCase;
use Froxlor\Api\Commands\MysqlServer;
/**
*
* @covers \Froxlor\Api\ApiCommand
* @covers \Froxlor\Api\ApiParameter
* @covers \Froxlor\Api\Commands\MysqlServer
*/
class MysqlServerTest extends TestCase
{
public function testAdminMysqlServerAdd()
{
global $admin_userdata;
$data = [
'mysql_host' => '192.168.1.254',
'privileged_user' => 'froxroot',
'privileged_password' => 'p4ssw0rd',
'description' => 'Second mysql-server',
'test_connection' => false
];
$json_result = MysqlServer::getLocal($admin_userdata, $data)->add();
$result = json_decode($json_result, true)['data'];
$this->assertEquals(1, $result['dbserver']);
}
public function testAdminMysqlServerAddInvalidHostOrIP()
{
global $admin_userdata;
$data = [
'mysql_host' => '123456789',
'privileged_user' => 'someone',
'privileged_password' => 'something'
];
$this->expectExceptionCode(406);
$this->expectExceptionMessage('Invalid mysql server ip/hostname');
MysqlServer::getLocal($admin_userdata, $data)->add();
}
/**
* @depends testAdminMysqlServerAdd
*/
public function testAdminMysqlServerDeleteDefault()
{
global $admin_userdata;
$data = [
'dbserver' => 0
];
$this->expectExceptionCode(406);
$this->expectExceptionMessage('Cannot delete first/default mysql-server');
MysqlServer::getLocal($admin_userdata, $data)->delete();
}
/**
* @depends testAdminMysqlServerAdd
*/
public function testAdminMysqlServerDeleteUnknown()
{
global $admin_userdata;
$data = [
'dbserver' => 1337
];
$this->expectExceptionCode(404);
$this->expectExceptionMessage('Mysql server not found');
MysqlServer::getLocal($admin_userdata, $data)->delete();
}
}