[pkg-nagios-changes] [Git][nagios-team/nagvis][upstream] New upstream version 1.9.46
Bas Couwenberg (@sebastic)
gitlab at salsa.debian.org
Sat Apr 5 12:37:19 BST 2025
Bas Couwenberg pushed to branch upstream at Debian Nagios Maintainer Group / nagvis
Commits:
ff826336 by Bas Couwenberg at 2025-04-05T13:32:37+02:00
New upstream version 1.9.46
- - - - -
7 changed files:
- ChangeLog
- docs/en_US/backend_mkbi.html
- omd_install.sh
- share/server/core/classes/CoreExceptions.php
- share/server/core/classes/CoreLogonMultisite.php
- share/server/core/classes/GlobalBackendmkbi.php
- share/server/core/defines/global.php
Changes:
=====================================
ChangeLog
=====================================
@@ -1,3 +1,11 @@
+1.9.46
+ * Feature: add option to verify session cookie via curl. Before when having allow_url_fopen
+ disabled, NagVis was not able to verify the session cookie. Now you can use curl to verify
+ the session cookie. Depending on your distribution the curl extension can be installed differently.
+ * Checkmk BI backend: Add option 'site_internal_auth' to enable the Checkmk 2.4 site internal
+ authentication. This option is configured automatically for the sites local
+ backend ('backend_[site]_bi') which is created automatiocally in Checkmk sites.
+
1.9.45
* FIX: Fix XSS on support info page (Thanks to jmacario24)
* FIX: Fix not working cookie session timestamps validation introduced with 1.9.43 in
=====================================
docs/en_US/backend_mkbi.html
=====================================
@@ -38,17 +38,33 @@
It serves the AJAX-API which the backend connects to. This URL must be reachable
from the host NagVis is running on.</td>
</tr>
+ <tr>
+ <td>site_internal_auth</td>
+ <td>0</td>
+ <td>Use the so called site internal authentication introduced with Checkmk 2.4. The
+ site internal secret is automatically derived from the Checkmk sites environment.
+ </td>
+ </tr>
<tr>
<td>auth_user</td>
<td></td>
<td>User to use for authentication when accessing the <code>base_url</code>. It
has to be created within Checkmk as "automation" user in order to
- configure a backend which is allowed to retrieve Checkmk BI states.</td>
+ configure a backend which is allowed to retrieve Checkmk BI states.
+ Used for the automation authentication together with auth_secret or auth_secret_file.
+ This was the authentication mechanism until Checkmk 2.3.
+ </td>
</tr>
<tr>
<td>auth_secret</td>
<td></td>
- <td>The authentication secret configured within Checkmk for the tiven user.</td>
+ <td>The authentication secret configured within Checkmk for the given user.</td>
+ </tr>
+ <tr>
+ <td>auth_secret_file</td>
+ <td></td>
+ <td>Read the authentication secret configured within Checkmk for the given user from this
+ path.</td>
</tr>
<tr>
<td>verify_peer</td>
=====================================
omd_install.sh
=====================================
@@ -40,7 +40,7 @@ fi
echo -n "Do you really want to continue? [y] "
read OPT
-if [ ! -z "$OPT" ] && [ $OPT != "y" ]; then
+if [ ! -z "$OPT" ] && [ $OPT != "y" ]; then
echo "Terminated by user."
exit 1
fi
@@ -88,7 +88,7 @@ if ! grep omd_install.sh $OMD_CFG >/dev/null 2>&1; then
fi
# Update omd specific nagvis.ini.php file
-cat > $OMD_CFG <<EOF
+cat >$OMD_CFG <<EOF
; <?php return 1; ?>
; -----------------------------------------------------------------
; Don't touch this file. It is under control of OMD. Modifying this
@@ -121,6 +121,11 @@ backend="$OMD_SITE"
[backend_$OMD_SITE]
backendtype="mklivestatus"
socket="unix:$OMD_ROOT/tmp/run/live"
+EOF
+
+# The automation secrets were removed with Checkmk 2.4. Care for both cases for now.
+if [ -f "$OMD_ROOT/var/check_mk/web/automation/automation.secret" ]; then
+ cat >>"$OMD_CFG" <<EOF
[backend_${OMD_SITE}_bi]
backendtype="mkbi"
@@ -129,13 +134,23 @@ auth_user="automation"
auth_secret_file="$OMD_ROOT/var/check_mk/web/automation/automation.secret"
timeout=10
EOF
+else
+ cat >>"$OMD_CFG" <<EOF
+
+[backend_${OMD_SITE}_bi]
+backendtype="mkbi"
+base_url="http://localhost/$OMD_SITE/check_mk/"
+site_internal_auth=1
+timeout=10
+EOF
+fi
# Backup the agvis.conf on first time using omd_install.sh
if ! grep omd_install.sh $OMD_ROOT/etc/apache/conf.d/nagvis.conf >/dev/null 2>&1; then
cp $OMD_ROOT/etc/apache/conf.d/nagvis.conf $OMD_ROOT/etc/apache/conf.d/nagvis.conf.bak
fi
-cat > $OMD_ROOT/etc/apache/conf.d/nagvis.conf <<EOF
+cat >$OMD_ROOT/etc/apache/conf.d/nagvis.conf <<EOF
# NagVis Apache2 configuration file for use in OMD
#
# This file has been created by omd_install.sh which installs NagVis into
=====================================
share/server/core/classes/CoreExceptions.php
=====================================
@@ -75,6 +75,7 @@ class Success extends NagVisException {
}
}
+class AuthenticationException extends NagVisException {}
class CoreAuthModNoSupport extends NagVisException {}
class BackendException extends NagVisException {}
=====================================
share/server/core/classes/CoreLogonMultisite.php
=====================================
@@ -88,7 +88,7 @@ class CoreLogonMultisite extends CoreLogonModule {
private function checkAuthCookie($cookieName) {
if(!isset($_COOKIE[$cookieName]) || $_COOKIE[$cookieName] == '') {
- throw new Exception();
+ throw new AuthenticationException(l("No auth cookie provided."));
}
// Checkmk 1.6+ may add double quotes round the value in some cases
@@ -104,7 +104,7 @@ class CoreLogonMultisite extends CoreLogonModule {
$users = $this->loadAuthFile($this->serialsPath);
if(!isset($users[$username])) {
- throw new Exception();
+ throw new AuthenticationException(l("User not found in auth file."));
}
$user_secret = $users[$username];
@@ -155,9 +155,27 @@ class CoreLogonMultisite extends CoreLogonModule {
];
$context = stream_context_create($contextOptions);
- $result = file_get_contents($url, false, $context);
- if ($result === false) {
- throw new Exception();
+ if(filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
+ $result = file_get_contents($url, false, $context);
+ if ($result === false) {
+ throw new AuthenticationException(l("Cookie is invalid."));
+ }
+ }
+ else if (extension_loaded('curl')) {
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $url);
+ curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ $result = curl_exec($ch);
+ $http_status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+ curl_close($ch);
+ if ($http_status != 200) {
+ throw new AuthenticationException(l("Cookie is invalid."));
+ }
+ }
+ else {
+ throw new NagVisException(l('No method to check the session validity is available.
+ Please either enable allow_url_fopen in php.ini or install the curl PHP extension.'));
}
return $username;
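Review bot: The new curl branch sets only the URL, the headers and the return-transfer flag, so nothing configured in `$contextOptions` for the `file_get_contents()` path (its contents are above this hunk) carries over, and no timeout is set. curl has no overall transfer timeout by default, so a stalled Checkmk endpoint would hold the logon request open; `curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);` and `curl_setopt($ch, CURLOPT_TIMEOUT, 10);` (values illustrative) would bound it. The two branches also judge validity differently: the stream branch accepts any result that is not `false`, while the curl branch requires exactly 200, so unless `$contextOptions` disables redirects a redirected response can pass one branch and fail the other. `$headers` is assumed to be defined earlier in the enclosing method, which starts outside the hunk.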
@@ -178,7 +196,9 @@ class CoreLogonMultisite extends CoreLogonModule {
session_write_close();
return $name;
- } catch(Exception $e) {}
+ } catch(AuthenticationException $e) {
+ throw new NagVisException(l('LogonMultisite: Not authenticated. ') . $e->getMessage());
+ }
}
return '';
}
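Review bot: Appending `$e->getMessage()` to the exception raised in this catch lets an unauthenticated client tell "User not found in auth file." from "Cookie is invalid.", which is a username oracle if NagVisException text is rendered to the browser (the rendering is not part of this diff). I would send one generic message, `throw new NagVisException(l('LogonMultisite: Not authenticated.'));`, and keep the reason server-side, for example `error_log('LogonMultisite: ' . $e->getMessage());`. The change also turns every failed check, including a plain missing cookie, from a silent fall-through to `return ''` into a thrown error, so callers that relied on the empty return need confirming. Because the catch is narrowed from `Exception` to `AuthenticationException`, any `throw new Exception()` still left in the try block outside these hunks would now propagate uncaught. The enclosing method starts outside the hunk; the messages themselves are introduced in the hunks at -88 and -104 of this file.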
=====================================
share/server/core/classes/GlobalBackendmkbi.php
=====================================
@@ -63,6 +63,16 @@ class GlobalBackendmkbi implements GlobalBackendInterface {
'default' => 'http://localhost/check_mk/',
'match' => MATCH_STRING_URL,
),
+ // The automation user based authentication was removed in Checkmk 2.4 and replaced by the
+ // site internal authentication. For the local site backend we make use of it with the
+ // automatically configured backend.
+ 'site_internal_auth' => Array(
+ 'must' => 0,
+ 'editable' => 1,
+ 'default' => 0,
+ 'match' => MATCH_BOOLEAN,
+ 'field_type' => 'boolean',
+ ),
'auth_user' => Array(
'must' => 0,
'editable' => 1,
@@ -141,12 +151,17 @@ class GlobalBackendmkbi implements GlobalBackendInterface {
);
}
- // Always set the HTTP basic auth header
- $username = cfg('backend_'.$backendId, 'auth_user');
- $secret = $this->getSecret();
- if($username && $secret) {
- $authCred = base64_encode($username.':'.$secret);
- $httpContext['header'] = 'Authorization: Basic '.$authCred."\r\n";
+ if ($this->isSiteInternalAuthEnabled()) {
+ $httpContext['header'] = 'Authorization: InternalToken '
+ .base64_encode($this->siteInternalAuthSecret())."\r\n";
+ } else {
+ // Always set the HTTP basic auth header
+ $username = cfg('backend_'.$backendId, 'auth_user');
+ $secret = $this->getSecret();
+ if($username && $secret) {
+ $authCred = base64_encode($username.':'.$secret);
+ $httpContext['header'] = 'Authorization: Basic '.$authCred."\r\n";
+ }
}
$this->context = stream_context_create(array(
@@ -159,6 +174,14 @@ class GlobalBackendmkbi implements GlobalBackendInterface {
* HELPERS
*************************************************************************/
+ private function isSiteInternalAuthEnabled() {
+ return cfg('backend_'.$this->backendId, 'site_internal_auth') == 1;
+ }
+
+ private function siteInternalAuthSecret() {
+ return file_get_contents($_SERVER['OMD_ROOT'] . "/etc/site_internal.secret");
+ }
+
private function getSecret() {
$secret_file_path = cfg('backend_'.$this->backendId, 'auth_secret_file');
if ($secret_file_path)
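Review bot: `siteInternalAuthSecret()` returns whatever `file_get_contents()` yields, so an unset `$_SERVER['OMD_ROOT']` or an unreadable secret file produces `false`, which the caller in the hunk at -141 passes to `base64_encode()` and sends as an empty or malformed `InternalToken` value instead of failing. Raising a `BackendException` when the path cannot be resolved or read makes the misconfiguration visible and avoids sending a meaningless credential. A short docblock saying the file is read raw, without trimming, and encoded by the caller would help the next maintainer. `getSecret()` continues past the end of the hunk.

```php
private function siteInternalAuthSecret() {
    if (empty($_SERVER['OMD_ROOT'])) {
        throw new BackendException(l('OMD_ROOT is not set. The site internal authentication is only available within a Checkmk site.'));
    }
    $path = $_SERVER['OMD_ROOT'] . "/etc/site_internal.secret";
    $secret = is_readable($path) ? file_get_contents($path) : false;
    if ($secret === false || $secret === '') {
        throw new BackendException(l('Unable to read the site internal secret.'));
    }
    return $secret;
}
```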
@@ -178,10 +201,13 @@ class GlobalBackendmkbi implements GlobalBackendInterface {
*/
private function getUrl($params) {
$url = $this->baseUrl.$params.'&output_format=json';
- $username = cfg('backend_'.$this->backendId, 'auth_user');
- $secret = $this->getSecret();
- if ($username && $secret)
- $url .= '&_username='.$username.'&_secret='.$secret;
+
+ if (!$this->isSiteInternalAuthEnabled()) {
+ $username = cfg('backend_'.$this->backendId, 'auth_user');
+ $secret = $this->getSecret();
+ if ($username && $secret)
+ $url .= '&_username='.$username.'&_secret='.$secret;
+ }
// Is there some cache to use? The cache is not persisted. It is available
// until the request has finished.
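Review bot: The re-indented fallback still appends `_username` and `_secret` to the query string unencoded, so a secret containing `&`, `#` or `+` produces a different request than intended, and the secret is recorded wherever the URL is logged (web server access logs, proxy logs). At minimum encode both values: `$url .= '&_username='.rawurlencode($username).'&_secret='.rawurlencode($secret);`. The hunk at -141 already sends the same pair in a Basic `Authorization` header, so the query parameters may be redundant; if an older Checkmk still needs them, a comment saying so would explain why the secret is in the URL. `getUrl()` continues below the hunk.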
=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
*****************************************************************************/
// NagVis Version
-define('CONST_VERSION', '1.9.45');
+define('CONST_VERSION', '1.9.46');
// Set PHP error handling to standard level
// Different levels for php versions below 5.1 because PHP 5.1 reports
View it on GitLab: https://salsa.debian.org/nagios-team/nagvis/-/commit/ff8263365327c316d6ebd4ab2c770039fc1f8f7d