Module: check_mk
Branch: master
Commit: 4c36596a6c7082c9a3dad86df308503727df1549
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4c36596a6c7082…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Oct 23 10:23:48 2013 +0200
LDAP: Added option to make group and role sync plugin handle nested groups
---
ChangeLog | 4 ++++
web/htdocs/wato.py | 30 +++++++++++++++++++++------
web/plugins/userdb/ldap.py | 49 +++++++++++++++++++++++++++++++++++---------
3 files changed, 67 insertions(+), 16 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c22bec4..759029d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,9 @@
* Wiki Sidebar Snapin: showing navigation and quicksearch. OMD only.
* Sidebar can now be folded. Simply click somewhere at the left 10 pixels.
* Foldable sections now have an animated triangle icon that shows the folding state
+ * LDAP: Added option to make group and role sync plugin handle nested
+ groups (only in Active Directory at the moment). Enabling this
+ feature might increase the sync time a lot - use only when really needed.
* FIX: Fixed encoding problem in webservice column output
* FIX: Fix output format python for several numeric columns
* FIX: Fixed searching hosts by aliases/adresses
@@ -87,6 +90,7 @@
distributed WATO (available in the "Distributed Monitoring")
* bulk inventory: display percentage in progress bar
* New option for full SNMP scan in bulk inventory
+ * LDAP: Added test to validate the configured role sync groups
* FIX: correct display of number of hosts in bulk inventory
* FIX: nailed down ".siteid" exception when added new site
* FIX: fixed setting for locking mode from 'ait' to 'wait'
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 6602edd..78d053a 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -5624,12 +5624,30 @@ def mode_ldap_config(phase):
else:
return (False, msg)
+ def test_groups_to_roles(address):
+ if 'groups_to_roles' not in config.ldap_active_plugins:
+ return True, _('Skipping this test (Plugin is not enabled)')
+
+ userdb.ldap_connect(enforce_new = True, enforce_server = address)
+ num = 0
+ for role_id, dn in config.ldap_active_plugins['groups_to_roles'].items():
+ if isinstance(dn, str):
+ num += 1
+ try:
+ ldap_groups = userdb.ldap_get_groups('(distinguishedName=%s)' % dn)
+ if not ldap_groups:
+ return False, _('Could not find the group specified for role %s') % role_id
+ except Exception, e:
+ return False, _('Error while fetching group for role %s: %s') % (role_id, str(e))
+ return True, _('Found all %d groups.') % num
+
tests = [
- (_('Connect'), test_connect),
- (_('User Base-DN'), test_user_base_dn),
- (_('Count Users'), test_user_count),
- (_('Group Base-DN'), test_group_base_dn),
- (_('Count Groups'), test_group_count),
+ (_('Connect'), test_connect),
+ (_('User Base-DN'), test_user_base_dn),
+ (_('Count Users'), test_user_count),
+ (_('Group Base-DN'), test_group_base_dn),
+ (_('Count Groups'), test_group_count),
+ (_('Sync-Plugin: Roles'), test_groups_to_roles),
]
for address in userdb.ldap_servers():
@@ -5642,7 +5660,7 @@ def mode_ldap_config(phase):
state, msg = test(address)
except Exception, e:
state = False
- msg = _('Exception: %s') % e
+ msg = _('Exception: %s') % html.attrencode(e)
if state:
img = '<img src="images/icon_success.gif" alt="%s" />' % _('Success')
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 4aa68d3..77faf2e 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -505,7 +505,7 @@ def ldap_get_groups(add_filt = None):
filt = '(&%s%s)' % (filt, add_filt)
return ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']), filt, ['cn'])
-def ldap_user_groups(username, user_dn, attr = 'cn'):
+def ldap_user_groups(username, user_dn, attr = 'cn', nested = False):
# When configured to convert user_ids to lower case, all user ids here are lower case.
# Otherwise all user_ids are in the case which they are in LDAP. This should be ok
# for this function! I removed the snippet below to reduce the number of ldap queries.
@@ -515,11 +515,12 @@ def ldap_user_groups(username, user_dn, attr = 'cn'):
# # so the username read from ldap might differ. Fix it here.
# user_dn, username = ldap_get_user(username, True)
- if username in g_ldap_group_cache:
+ cache_key = '%s-%s' % (username, nested and 'n' or 'f')
+ if cache_key in g_ldap_group_cache:
if attr == 'cn':
- return g_ldap_group_cache[username][0]
+ return g_ldap_group_cache[cache_key][0]
else:
- return g_ldap_group_cache[username][1]
+ return g_ldap_group_cache[cache_key][1]
# posixGroup objects use the memberUid attribute to specify the group memberships.
# This is the username instead of the users DN. So the username needs to be used
@@ -531,7 +532,10 @@ def ldap_user_groups(username, user_dn, attr = 'cn'):
# Apply configured group ldap filter and only reply with groups
# having the current user as member
- add_filt = '(%s=%s)' % (ldap_member_attr(), ldap.filter.escape_filter_chars(user_filter))
+ if config.ldap_connection['type'] and nested:
+ add_filt = '(member:1.2.840.113556.1.4.1941:=%s)' % ldap.filter.escape_filter_chars(user_dn)
+ else:
+ add_filt = '(%s=%s)' % (ldap_member_attr(), ldap.filter.escape_filter_chars(user_filter))
# First get all groups
groups_cn = []
@@ -540,7 +544,7 @@ def ldap_user_groups(username, user_dn, attr = 'cn'):
groups_cn.append(group['cn'][0])
groups_dn.append(dn)
- g_ldap_group_cache.setdefault(username, (groups_cn, groups_dn))
+ g_ldap_group_cache.setdefault(cache_key, (groups_cn, groups_dn))
if attr == 'cn':
return groups_cn
@@ -744,7 +748,7 @@ register_user_attribute_sync_plugins()
def ldap_convert_groups_to_contactgroups(params, user_id, ldap_user, user):
groups = []
# 1. Fetch CNs of all LDAP groups of the user (use group_dn, group_filter)
- ldap_groups = ldap_user_groups(user_id, ldap_user['dn'])
+ ldap_groups = ldap_user_groups(user_id, ldap_user['dn'], nested = params.get('nested', False))
# 2. Fetch all existing group names in WATO
cg_names = load_group_information().get("contact", {}).keys()
@@ -759,20 +763,32 @@ ldap_attribute_plugins['groups_to_contactgroups'] = {
'contactgroup must match the common name (cn) of the LDAP group.'),
'convert': ldap_convert_groups_to_contactgroups,
'lock_attributes': ['contactgroups'],
- 'no_param_txt': _('Add user to all contactgroups where the common name matches the group name.'),
+ 'parameters': [
+ ('nested', FixedValue(
+ title = _('Handle nested group memberships (Active Directory only at the moment)'),
+ help = _('Once you enable this option, this plugin will not only handle direct '
+ 'group memberships, instead it will also dig into nested groups and treat '
+ 'the members of those groups as contact group members as well. Please mind '
+ 'that this feature might increase the execution time of your LDAP sync.'),
+ value = True,
+ totext = _('Nested group memberships are resolved'),
+ )
+ )
+ ],
}
def ldap_convert_groups_to_roles(params, user_id, ldap_user, user):
groups = []
# 1. Fetch DNs of all LDAP groups of the user
- ldap_groups = [ g.lower() for g in ldap_user_groups(user_id, ldap_user['dn'], 'dn') ]
+ ldap_groups = [ g.lower() for g in ldap_user_groups(user_id, ldap_user['dn'],
+ attr = 'dn', nested = params.get('nested', False)) ]
# 2. Load default roles from default user profile
roles = config.default_user_profile['roles'][:]
# 3. Loop all roles mentioned in params (configured to be synchronized)
for role_id, dn in params.items():
- if dn.lower() in ldap_groups and role_id not in roles:
+ if isinstance(dn, str) and dn.lower() in ldap_groups and role_id not in roles:
roles.append(role_id)
return {'roles': roles}
@@ -788,6 +804,19 @@ def ldap_list_roles_with_group_dn():
size = 80,
enforce_suffix = ldap_replace_macros(config.ldap_groupspec.get('dn', '')),
)))
+
+ elements.append(
+ ('nested', FixedValue(
+ title = _('Handle nested group memberships (Active Directory only at the moment)'),
+ help = _('Once you enable this option, this plugin will not only handle direct '
+ 'group memberships, instead it will also dig into nested groups and treat '
+ 'the members of those groups as contact group members as well. Please mind '
+ 'that this feature might increase the execution time of your LDAP sync.'),
+ value = True,
+ totext = _('Nested group memberships are resolved'),
+ )
+ )
+ )
return elements
ldap_attribute_plugins['groups_to_roles'] = {
Module: check_mk
Branch: master
Commit: e880eb02fcf2461fe04311ffc6abf46442bf8bfb
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e880eb02fcf246…
Author: Götz Golla <gg(a)mathias-kettner.de>
Date: Tue Oct 22 17:16:40 2013 +0200
Allow another enterprise ids introduced as a bug some genuscreen versions
---
checkman/genua_carp | 4 +++-
checks/genua_carp | 37 ++++++++++++++++++++-----------------
2 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/checkman/genua_carp b/checkman/genua_carp
index 38f418f..3407638 100644
--- a/checkman/genua_carp
+++ b/checkman/genua_carp
@@ -14,7 +14,9 @@ description:
For a cluster the check determines the number of carp interfaces on the cluster with
the state master. If it is either {0} or {>1} the check is critical.
- The check is known to run with genuscreen version 3.0, others may also work.
+ The check is known to run with genuscreen version 3.0 and supports genuas regular
+ enterprise id 3717 as well as the id 3137 which was introduced in a bug in some
+ versions of genuscreen.
perfdata:
None
diff --git a/checks/genua_carp b/checks/genua_carp
index f84faa4..800da49 100644
--- a/checks/genua_carp
+++ b/checks/genua_carp
@@ -42,6 +42,9 @@
def inventory_genua_carp(info):
inventory = []
+ # remove empty elements due to two alternative enterprise ids in snmp_info
+ info = filter(None, info)
+
if info[0]:
for ifIndex, ifName, ifType, ifLinkState, ifCarpState in info[0]:
if ifCarpState in [ "0", "1", "2" ]:
@@ -84,11 +87,15 @@ def genua_carpstate(st):
def check_genua_carp(item, _no_params, info):
+ # remove empty elements due to two alternative enterprise ids in snmp_info
+ info = filter(None, info)
+
if not info[0]:
return(3, "Invalid Output from Agent")
state = 0
nodes = len(info)
masters = 0
+ output = ""
if nodes > 1:
prefix = "Cluster test: "
else:
@@ -102,13 +109,14 @@ def check_genua_carp(item, _no_params, info):
ifLinkStateStr = genua_linkstate(str(ifLinkState))
ifCarpStateStr = genua_carpstate(str(ifCarpState))
# is inventorized interface in state carp master ?
- if ifName == item:
- output = "node in carp state %s with IfLinkState %s" \
- % (ifCarpStateStr,ifLinkStateStr)
if ifName == item and ifCarpState == "2":
# is master
masters += 1
if masters == 1:
+ if nodes > 1:
+ output = "one "
+ output += "node in carp state %s with IfLinkState %s" \
+ % (ifCarpStateStr,ifLinkStateStr)
# first master
if ifLinkState == "2":
state = 0
@@ -120,10 +128,12 @@ def check_genua_carp(item, _no_params, info):
state = 3
else:
state = 2
- output = "%d masters found on cluster with %d nodes" \
- % (masters,nodes)
+ output = "%d nodes in carp state %s on cluster with %d nodes" \
+ % (masters,ifCarpStateStr,nodes)
# look for non-masters, only interesting if no cluster
elif ifName == item and nodes == 1:
+ output = "node in carp state %s with IfLinkState %s" \
+ % (ifCarpStateStr,ifLinkStateStr)
# carp backup
if ifCarpState == "1" and ifLinkState == "1":
state = 0
@@ -143,27 +153,20 @@ check_info['genua_carp'] = {
"check_function" : check_genua_carp,
"service_description": "Carp Interface %s",
"has_perfdata" : False,
- "snmp_info" : [( ".1.3.6.1.4.1.3717.2.1.2",[
+ "snmp_info" : [( ".1.3.6.1.4.1.3137.2.1.2",[
"1.1", # "ifIndex"
"1.2", # "ifName"
"1.3", # "ifType"
"1.4", # "ifLinkState"
"1.7", # "ifCarpState"
- ])],
- "snmp_scan_function" : lambda oid: "genuscreen" in oid(".1.3.6.1.2.1.1.1.0").lower()
-}
-
-check_info['genua_carp_bad_eoid'] = {
- "inventory_function" : inventory_genua_carp,
- "check_function" : check_genua_carp,
- "service_description": "Carp Interface %s",
- "has_perfdata" : False,
- "snmp_info" : [( ".1.3.6.1.4.1.3137.2.1.2",[
+ ]),
+ ( ".1.3.6.1.4.1.3717.2.1.2",[
"1.1", # "ifIndex"
"1.2", # "ifName"
"1.3", # "ifType"
"1.4", # "ifLinkState"
"1.7", # "ifCarpState"
- ])],
+ ]),
+ ],
"snmp_scan_function" : lambda oid: "genuscreen" in oid(".1.3.6.1.2.1.1.1.0").lower()
}
Module: check_mk
Branch: master
Commit: f530c885025f574da6972b07b82041145fad5199
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f530c885025f57…
Author: Götz Golla <gg(a)mathias-kettner.de>
Date: Tue Oct 22 17:18:32 2013 +0200
New check to test for correlation of carp interface states on genuscreen devices
---
checkman/genua_state_correlation | 20 +++++++
checks/genua_state_correlation | 112 ++++++++++++++++++++++++++++++++++++++
2 files changed, 132 insertions(+)
diff --git a/checkman/genua_state_correlation b/checkman/genua_state_correlation
new file mode 100644
index 0000000..c459cf1
--- /dev/null
+++ b/checkman/genua_state_correlation
@@ -0,0 +1,20 @@
+title: Correlation of the state of carp interfaces on genuscreen devices
+agents: snmp
+catalog: hw/network/genua
+license: GPL
+distribution: check_mk
+description:
+ This check monitors if the two carp interfaces found on genuscreen devices
+ have the same carp state. If not, the check is critical.
+
+ The check is known to run with genuscreen version 3.0 and supports genuas regular
+ enterprise id 3717 as well as the id 3137 which was introduced in a bug in some
+ versions of genuscreen.
+
+perfdata:
+ None
+
+inventory:
+ The inventory process checks if the device has a system description OIDs (.1.3.6.1.2.1.1.2.0)
+ and if the name of this OID contains "genuscreen" (case insensitive).
+ If this is true the system is inventorized.
diff --git a/checks/genua_state_correlation b/checks/genua_state_correlation
new file mode 100644
index 0000000..482db93
--- /dev/null
+++ b/checks/genua_state_correlation
@@ -0,0 +1,112 @@
+#!/usr/bin/python
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2013 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# ails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+# Example Agent Output:
+# GENUA-MIB:
+
+#.1.3.6.1.4.1.3137.2.1.2.1.1.9 = INTEGER: 9
+#.1.3.6.1.4.1.3137.2.1.2.1.1.10 = INTEGER: 10
+#.1.3.6.1.4.1.3137.2.1.2.1.2.9 = STRING: "carp0"
+#.1.3.6.1.4.1.3137.2.1.2.1.2.10 = STRING: "carp1"
+#.1.3.6.1.4.1.3137.2.1.2.1.3.9 = INTEGER: 5
+#.1.3.6.1.4.1.3137.2.1.2.1.3.10 = INTEGER: 5
+#.1.3.6.1.4.1.3137.2.1.2.1.4.9 = INTEGER: 2
+#.1.3.6.1.4.1.3137.2.1.2.1.4.10 = INTEGER: 2
+#.1.3.6.1.4.1.3137.2.1.2.1.7.9 = INTEGER: 2
+#.1.3.6.1.4.1.3137.2.1.2.1.7.10 = INTEGER: 2
+
+
+def inventory_genua_state(info):
+ # remove empty elements due to two alternative enterprise ids in snmp_info
+ info = filter(None, info)
+ if info[0]:
+ numifs = 0
+ for ifIndex, ifName, ifType, ifLinkState, ifCarpState in info[0]:
+ if ifCarpState in [ "0", "1", "2" ]:
+ numifs += 1
+ # inventorize only if we find at least two carp interfaces
+ if numifs > 1:
+ return [(None, None)]
+ return None
+
+def genua_state_str(st):
+ names = {
+ '0' : 'init',
+ '1' : 'backup',
+ '2' : 'master',
+ }
+ return names.get(st, st)
+
+def check_genua_state(item, _no_params, info):
+
+ # remove empty elements due to two alternative enterprise ids in snmp_info
+ info = filter(None, info)
+ if not info[0]:
+ return(3, "Invalid Output from Agent")
+
+ state = 0
+ output = "Node test:"
+ carp_info = []
+
+ for ifIndex, ifName, ifType, ifLinkState, ifCarpState in info[0]:
+ if ifType == "6":
+ carp_info.append((ifIndex, ifName, ifType, ifLinkState, ifCarpState))
+
+ if len(carp_info) != 2:
+ return(3, "Number of carp interfaces is %d, needs to be 2" % len(carp_info))
+
+ # Output formatieren
+ output += " %s:%s %s:%s" % (carp_info[0][1], genua_state_str(carp_info[0][4])\
+ , carp_info[1][1], genua_state_str(carp_info[1][4]))
+
+ # critical if the two carp interfaces dont have the same state
+ if carp_info[0][4] != carp_info[1][4]:
+ state = 2
+
+ return(state, output)
+
+check_info['genua_state_correlation'] = {
+ "inventory_function" : inventory_genua_state,
+ "check_function" : check_genua_state,
+ "service_description": "Carp Correlation",
+ "has_perfdata" : False,
+ "snmp_info" : [( ".1.3.6.1.4.1.3717.2.1.2",[
+ "1.1", # "ifIndex"
+ "1.2", # "ifName"
+ "1.3", # "ifType"
+ "1.4", # "ifLinkState"
+ "1.7", # "ifCarpState"
+ ]),
+ ( ".1.3.6.1.4.1.3137.2.1.2",[
+ "1.1", # "ifIndex"
+ "1.2", # "ifName"
+ "1.3", # "ifType"
+ "1.4", # "ifLinkState"
+ "1.7", # "ifCarpState"
+ ])],
+ "snmp_scan_function" : lambda oid: "genuscreen" in oid(".1.3.6.1.2.1.1.1.0").lower()
+ #"snmp_scan_function" : lambda oid: oid(".1.3.6.1.4.1.3717.2.1.2.1.7") != None
+}
Module: check_mk
Branch: master
Commit: 9a88392d2b4b5c4d9e35e5aa23e00bb1d1661611
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9a88392d2b4b5c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Oct 22 16:30:36 2013 +0200
FIX: Added code to prevent injection of bogus varnames
---
ChangeLog | 2 ++
web/htdocs/html_mod_python.py | 10 +++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index a91c9ce..c22bec4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,8 @@
* FIX: Remove duplicate entries from Quicksearch
* FIX: Avoid timed browser reload after execution of exections
* FIX: Hosttag filter now works in service related views
+ * FIX: Added code to prevent injection of bogus varnames
+ (This might break code which uses some uncommon chars for varnames)
BI:
* FIX: Fix exception when showing BI tree in reporting time warp
diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py
index a48f313..e794044 100644
--- a/web/htdocs/html_mod_python.py
+++ b/web/htdocs/html_mod_python.py
@@ -1,8 +1,10 @@
from mod_python import Cookie, util, apache
import htmllib
-import os, time, config, weblib
+import os, time, config, weblib, re
import defaults
+varname_regex = re.compile('^[\w\d_-]+$')
+
class html_mod_python(htmllib.html):
def __init__(self, req):
@@ -45,6 +47,12 @@ class html_mod_python(htmllib.html):
for field in fields.list:
varname = field.name
value = field.value
+
+ # To prevent variours injections, we only allow a defined set
+ # of characters to be used in variables
+ if not varname_regex.match(varname):
+ continue
+
# Multiple occurrance of a variable? Store in extra list dict
if varname in self.vars:
if varname in self.listvars:
Module: check_mk
Branch: master
Commit: ac4d50feeaf6732fc2b81b23361a405f82e6906f
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ac4d50feeaf673…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Oct 22 15:16:53 2013 +0200
Fixed invalid function call in latest change
---
web/htdocs/sidebar.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/web/htdocs/sidebar.py b/web/htdocs/sidebar.py
index 672c2af..f8c6ddc 100644
--- a/web/htdocs/sidebar.py
+++ b/web/htdocs/sidebar.py
@@ -565,7 +565,7 @@ def ajax_del_bookmark():
try:
del bookmarks[num]
except IndexError:
- raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % htmllib.attrencode(num))
+ raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % html.attrencode(num))
save_bookmarks(bookmarks)
render_bookmarks()
@@ -597,7 +597,7 @@ def page_edit_bookmark():
raise MKGeneralException(_("Invalid bookmark id."))
bookmarks = load_bookmarks()
if n >= len(bookmarks):
- raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % htmllib.attrencode(n))
+ raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % html.attrencode(n))
if html.var("save") and html.check_transaction():
title = html.var("title")