maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

implement 'master database user for customers'; fixes #1227

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2024-02-11 10:26:22 +01:00
parent 686ca84a30
commit 8132976559
10 changed files with 226 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
lib/Froxlor/Api/Commands/Customers.php
View File

@@ -739,6 +739,21 @@ class Customers extends ApiCommand implements ResourceEntity
}
}
// Create default mysql-user if enabled
if ($mysqls != 0) {
foreach ($allowed_mysqlserver as $dbserver) {
// require privileged access for target db-server
Database::needRoot(true, $dbserver, false);
// get DbManager
$dbm = new DbManager($this->logger());
// give permission to the user on every access-host we have
foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
$dbm->getManager()->grantPrivilegesTo($loginname, $password, $mysql_access_host, false, false);
}
$dbm->getManager()->flushPrivileges();
}
}
if ($sendpassword == '1') {
$srv_hostname = Settings::Get('system.hostname');
if (Settings::Get('system.froxlordirectlyviahostname') == '0') {
@@ -1297,12 +1312,32 @@ class Customers extends ApiCommand implements ResourceEntity
]);
$upd_stmt = Database::prepare("
UPDATE `" . TABLE_PANEL_DOMAINS . "` SET `deactivated`= :deactivated WHERE `customerid` = :customerid");
UPDATE `" . TABLE_PANEL_DOMAINS . "` SET `deactivated`= :deactivated WHERE `customerid` = :customerid
");
Database::pexecute($upd_stmt, [
'deactivated' => $deactivated,
'customerid' => $id
]);
// enable/disable global mysql-user (loginname)
foreach ($result['allowed_mysqlserver'] as $dbserver) {
// require privileged access for target db-server
Database::needRoot(true, $dbserver, false);
// get DbManager
$dbm = new DbManager($this->logger());
foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
// Prevent access, if deactivated
if ($deactivated) {
// failsafe if user has been deleted manually (requires MySQL 4.1.2+)
$dbm->getManager()->disableUser($result['loginname'], $mysql_access_host);
} else {
// Otherwise grant access
$dbm->getManager()->enableUser($result['loginname'], $mysql_access_host, true);
}
}
$dbm->getManager()->flushPrivileges();
}
// Retrieve customer's databases
$databases_stmt = Database::prepare("SELECT * FROM " . TABLE_PANEL_DATABASES . " WHERE customerid = :customerid ORDER BY `dbserver`");
Database::pexecute($databases_stmt, [
@@ -1323,9 +1358,7 @@ class Customers extends ApiCommand implements ResourceEntity
$last_dbserver = $row_database['dbserver'];
}
foreach (array_unique(explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
$mysql_access_host = trim($mysql_access_host);
foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
// Prevent access, if deactivated
if ($deactivated) {
// failsafe if user has been deleted manually (requires MySQL 4.1.2+)
@@ -1616,6 +1649,19 @@ class Customers extends ApiCommand implements ResourceEntity
]);
$id = $result['customerid'];
// remove global mysql-user (loginname)
foreach ($result['allowed_mysqlserver'] as $dbserver) {
// require privileged access for target db-server
Database::needRoot(true, $dbserver, false);
// get DbManager
$dbm = new DbManager($this->logger());
foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
$dbm->getManager()->deleteUser($result['loginname'], $mysql_access_host);
}
$dbm->getManager()->flushPrivileges();
}
// remove all databases
$databases_stmt = Database::prepare("
SELECT * FROM `" . TABLE_PANEL_DATABASES . "`
WHERE `customerid` = :id ORDER BY `dbserver`
@@ -1631,8 +1677,8 @@ class Customers extends ApiCommand implements ResourceEntity
$priv_changed = false;
while ($row_database = $databases_stmt->fetch(PDO::FETCH_ASSOC)) {
if ($last_dbserver != $row_database['dbserver']) {
Database::needRoot(true, $row_database['dbserver']);
$dbm->getManager()->flushPrivileges();
Database::needRoot(true, $row_database['dbserver']);
$last_dbserver = $row_database['dbserver'];
}
$dbm->getManager()->deleteDatabase($row_database['databasename']);

2
lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php
View File

@@ -321,6 +321,7 @@ EOC;
WHERE
dom.`customerid` = cust.`customerid`
AND cust.deactivated = 0
AND dom.`ssl_enabled` = 1
AND dom.`letsencrypt` = 1
AND dom.`aliasdomain` IS NULL
AND dom.`iswildcarddomain` = 0
@@ -382,6 +383,7 @@ EOC;
WHERE
dom.`customerid` = cust.`customerid`
AND cust.deactivated = 0
AND dom.`ssl_enabled` = 1
AND dom.`letsencrypt` = 1
AND dom.`aliasdomain` IS NULL
AND dom.`iswildcarddomain` = 0

2
lib/Froxlor/Cron/Traffic/TrafficCron.php
View File

@@ -122,7 +122,7 @@ class TrafficCron extends FroxlorCron
if ($mysql_usage_row) {
$mysqlusage_all[$row_database['customerid']] += floatval($mysql_usage_row['customerusage']);
} else {
FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Cannot get usage for database " . $row_database['databasename'] . ".");
FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_NOTICE, "Cannot get usage for database " . $row_database['databasename'] . ".");
}
} else {
FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Seems like the database " . $row_database['databasename'] . " had been removed manually.");

30
lib/Froxlor/Database/Manager/DbManagerMySQL.php
View File

@@ -76,9 +76,11 @@ class DbManagerMySQL
* optional, whether the password is encrypted or not, default false
* @param bool $update
* optional, whether to update the password only (not create user)
* @param bool $grant_access_prefix
* optional, whether the given user will have access to all databases starting with the username, default false
* @throws \Exception
*/
public function grantPrivilegesTo(string $username, $password, string $access_host = null, bool $p_encrypted = false, bool $update = false)
public function grantPrivilegesTo(string $username, $password, string $access_host = null, bool $p_encrypted = false, bool $update = false, bool $grant_access_prefix = false)
{
$pwd_plugin = 'mysql_native_password';
if (is_array($password) && count($password) == 2) {
@@ -108,7 +110,7 @@ class DbManagerMySQL
]);
// grant privileges
$stmt = Database::prepare("
GRANT ALL ON `" . $username . "`.* TO :username@:host
GRANT ALL ON `" . $username . ($grant_access_prefix ? '%' : '') . "`.* TO :username@:host
");
Database::pexecute($stmt, [
"username" => $username,
@@ -219,17 +221,31 @@ class DbManagerMySQL
*
* @param string $username
* @param string $host
* @param bool $grant_access_prefix
* @throws \Exception
*/
public function enableUser(string $username, string $host)
public function enableUser(string $username, string $host, bool $grant_access_prefix = false)
{
// check whether user exists to avoid errors
if ($this->userExistsOnHost($username, $host)) {
Database::query('GRANT ALL PRIVILEGES ON `' . $username . ($grant_access_prefix ? '%' : '') . '`.* TO `' . $username . '`@`' . $host . '`');
Database::query('GRANT ALL PRIVILEGES ON `' . str_replace('_', '\_', $username) . ($grant_access_prefix ? '%' : '') . '` . * TO `' . $username . '`@`' . $host . '`');
}
}
/**
* Check whether a given username exists for the given host
*
* @param string $username
* @param string $host
* @return bool
* @throws \Exception
*/
public function userExistsOnHost(string $username, string $host): bool
{
$exist_check_stmt = Database::prepare("SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '" . $username . "' AND host = '" . $host . "')");
$exist_check = Database::pexecute_first($exist_check_stmt);
if ($exist_check && array_pop($exist_check) == '1') {
Database::query('GRANT ALL PRIVILEGES ON `' . $username . '`.* TO `' . $username . '`@`' . $host . '`');
Database::query('GRANT ALL PRIVILEGES ON `' . str_replace('_', '\_', $username) . '` . * TO `' . $username . '`@`' . $host . '`');
}
return ($exist_check && array_pop($exist_check) == '1');
}
/**

53
lib/formfields/customer/mysql/formfield.mysql_global_user.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
use Froxlor\Settings;
use Froxlor\System\Crypt;
/**
* This file is part of the Froxlor project.
* Copyright (c) 2010 the Froxlor Team (see authors).
*
* For the full copyright and license information, please view the COPYING
* file that was distributed with this source code. You can also view the
* COPYING file online at https://files.froxlor.org/misc/COPYING.txt
*
* @copyright (c) the authors
* @author Froxlor team <team@froxlor.org> (2010-)
* @license GPLv2 https://files.froxlor.org/misc/COPYING.txt
* @package Formfields
*/
return [
'mysql_global_user' => [
'title' => lng('mysql.edit_global_user'),
'self_overview' => ['section' => 'mysql', 'page' => 'mysqls'],
'sections' => [
'section_a' => [
'title' => lng('mysql.edit_global_user'),
'fields' => [
'username' => [
'label' => lng('login.username'),
'value' => $userinfo['loginname'],
'type' => 'text',
'readonly' => true
],
'mysql_password' => [
'label' => lng('login.password'),
'type' => 'password',
'autocomplete' => 'off',
'mandatory' => true,
'next_to' => [
'mysql_password_suggestion' => [
'next_to_prefix' => lng('customer.generated_pwd') . ':',
'type' => 'text',
'visible' => (Settings::Get('panel.password_regex') == ''),
'value' => Crypt::generatePassword(),
'readonly' => true
]
]
]
]
]
]
]
];