Required Command ACL validation

This adds a new controller plugin to validate in each controller action
if all required commands to run the module properly are given in the
used Console/Profile Command ACL.

Additionally a new view helper is introduced to centralize the ACL alert
message which is displayed when the given Command ACL does not fit the
requirements.

This commit changes the views and controllers of the following modules:

- Dashboard
- Jobs
- Restore
- Clients
- Schedules
- Storages
- Pools
- Media/Volumes
- Director

Furthermore this commit removes some whitespace from the Director Model.

module/Application/config/module.config.php

@@ -90,6 +90,7 @@
       'invokables' => array (
          //'printExample' => 'Application\View\Helper\Example', // Example ViewHelper
          'UpdateAlert' => 'Application\View\Helper\UpdateAlert',
+         'ACLAlert' => 'Application\View\Helper\ACLAlert',
       ),
    ),
     'view_manager' => array(

module/Application/src/Application/Controller/Plugin/CommandACLPlugin.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace Application\Controller\Plugin;
+
+use Zend\Mvc\Controller\Plugin\AbstractPlugin;
+
+class CommandACLPlugin extends AbstractPlugin
+{
+   private $commands = null;
+   private $required = null;
+
+   public function validate($commands=null, $required=null)
+   {
+      $this->commands = $commands;
+      $this->required = $required;
+
+      foreach($this->required as $cmd) {
+         if($this->commands[$cmd]['permission'] == 0) {
+            return false;
+         }
+      }
+      return true;
+   }
+}

module/Application/src/Application/View/Helper/ACLAlert.php

@@ -0,0 +1,63 @@
+<?php
+
+/**
+ *
+ * bareos-webui - Bareos Web-Frontend
+ *
+ * @link      https://github.com/bareos/bareos-webui for the canonical source repository
+ * @copyright Copyright (c) 2013-2016 Bareos GmbH & Co. KG (http://www.bareos.org/)
+ * @license   GNU Affero General Public License (http://www.gnu.org/licenses/)
+ * @author    Frank Bergkemper
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace Application\View\Helper;
+
+use Zend\View\Helper\AbstractHelper;
+
+class ACLAlert extends AbstractHelper
+{
+   private $required_commands = null;
+   private $alert = null;
+
+   public function __invoke($required_commands)
+   {
+      $msg_part_a = _('Sorry, it seems you are not authorized to run this module. If you think this is an error, please contact your local administrator.');
+      $msg_part_b = _('Please read the <a href="http://doc.bareos.org/master/html/bareos-manual-main-reference.html#sec:webui-console" target="_blank">Bareos documentation</a> for any additional information on how to configure the Command ACL directive of your Console/Profile resources. Following is a list of required commands which need to be in your Command ACL to run this module properly:');
+
+      $this->required_commands = $required_commands;
+
+      $this->alert = '<div class="container-fluid">';
+      $this->alert .= '<div class="row">';
+      $this->alert .= '<div class="col-md-6">';
+      $this->alert .= '<div class="alert alert-danger"><b>'.$msg_part_a.'</b></div>';
+      $this->alert .= $msg_part_b;
+
+      $this->alert .= '</br></br>';
+      $this->alert .= '<ul>';
+
+      foreach($this->required_commands as $cmd) {
+         $this->alert .= '<li>'.$cmd.'</li>';
+      }
+
+      $this->alert .= '</ul>';
+      $this->alert .= '</div>';
+      $this->alert .= '<div class="col-md-6"></div>';
+      $this->alert .= '</div>';
+      $this->alert .= '</div>';
+
+      return $this->alert;
+   }
+}

module/Auth/src/Auth/Controller/AuthController.php

@@ -92,7 +92,6 @@ public function loginAction()
 
                   try {
                      $dird_version = $this->getDirectorModel()->getDirectorVersion($this->bsock);
-                     $this->bsock->disconnect();
                   }
                   catch(Exception $e) {
                      echo $e->getMessage();
@@ -132,6 +131,30 @@ public function loginAction()
                   $_SESSION['bareos']['product-updates-status'] = false;
                }
 
+               // Get available commands
+               try {
+                  $commands = $this->getDirectorModel()->getAvailableCommands($this->bsock);
+               }
+               catch(Exception $e) {
+                  echo $e->getMessage();
+               }
+
+               // Push available commands into SESSION context.
+               $_SESSION['bareos']['commands'] = $commands;
+
+               // Check if Command ACL has the minimal requirements
+               if($_SESSION['bareos']['commands']['.help']['permission'] == 0) {
+                  $this->bsock->disconnect();
+                  session_destroy();
+                  $err_msg = 'Sorry, your Command ACL does not fit the minimal requirements. For further information, please read the <a href="http://doc.bareos.org/master/html/bareos-manual-main-reference.html" target="_blank">Bareos documentation</a>.';
+                  return new ViewModel(
+                     array(
+                        'form' => $form,
+                        'err_msg' => $err_msg,
+                     )
+                  );
+               }
+
                // Get the config.
                $configuration = $this->getServiceLocator()->get('configuration');
 
@@ -151,6 +174,8 @@ public function loginAction()
                else {
                   return $this->redirect()->toRoute('dashboard', array('action' => 'index'));
                }
+
+               $this->bsock->disconnect();
             } else {
                $this->bsock->disconnect();
                session_destroy();

module/Auth/view/auth/auth/login.phtml

@@ -161,6 +161,27 @@ $this->headTitle($title);
 
 </diV>
 
+<div class="row">
+
+<!-- Left space -->
+<div class="col-md-3">
+</div>
+
+<!-- ALERTS -->
+   <?php
+      if(!empty($this->err_msg)) {
+         echo '<div class="col-md-6 alert alert-danger" role="alert">';
+         echo $this->err_msg;
+         echo '</div>';
+      }
+   ?>
+
+<!-- Right space -->
+<div class="col-md-3">
+</div>
+
+</div>
+
 <script>
 
 /*

module/Client/src/Client/Controller/ClientController.php

@@ -35,6 +35,15 @@ class ClientController extends AbstractActionController
    protected $clientModel = null;
    protected $directorModel = null;
    protected $bsock = null;
+   protected $acl_alert = false;
+
+   private $required_commands = array(
+      "llist",
+      "status",
+      "enable",
+      "disable",
+      "version"
+   );
 
    public function indexAction()
    {
@@ -44,6 +53,16 @@ public function indexAction()
          return $this->redirect()->toRoute('auth', array('action' => 'login'), array('query' => array('req' => $this->RequestURIPlugin()->getRequestURI(), 'dird' => $_SESSION['bareos']['director'])));
       }
 
+      if(!$this->CommandACLPlugin()->validate($_SESSION['bareos']['commands'], $this->required_commands)) {
+         $this->acl_alert = true;
+         return new ViewModel(
+            array(
+               'acl_alert' => $this->acl_alert,
+               'required_commands' => $this->required_commands,
+            )
+         );
+      }
+
       $result = null;
 
       $action = $this->params()->fromQuery('action');
@@ -101,6 +120,16 @@ public function detailsAction()
          return $this->redirect()->toRoute('auth', array('action' => 'login'), array('query' => array('req' => $this->RequestURIPlugin()->getRequestURI(), 'dird' => $_SESSION['bareos']['director'])));
       }
 
+      if(!$this->CommandACLPlugin()->validate($_SESSION['bareos']['commands'], $this->required_commands)) {
+         $this->acl_alert = true;
+         return new ViewModel(
+            array(
+               'acl_alert' => $this->acl_alert,
+               'required_commands' => $this->required_commands,
+            )
+         );
+      }
+
       return new ViewModel(
          array(
             'client' => $this->params()->fromRoute('id')
@@ -116,6 +145,16 @@ public function statusAction()
          return $this->redirect()->toRoute('auth', array('action' => 'login'), array('query' => array('req' => $this->RequestURIPlugin()->getRequestURI(), 'dird' => $_SESSION['bareos']['director'])));
       }
 
+      if(!$this->CommandACLPlugin()->validate($_SESSION['bareos']['commands'], $this->required_commands)) {
+         $this->acl_alert = true;
+         return new ViewModel(
+            array(
+               'acl_alert' => $this->acl_alert,
+               'required_commands' => $this->required_commands,
+            )
+         );
+      }
+
       $result = null;
 
       $clientname = $this->params()->fromQuery('client');

module/Client/view/client/client/index.phtml

@@ -34,6 +34,8 @@ $this->headTitle($title);
 
 <br />
 
+<?php if($this->acl_alert) : echo $this->ACLAlert($this->required_commands); elseif(!$this->acl_alert) : ?>
+
 <div class="row">
 
 <div class="col-md-8">
@@ -275,3 +277,5 @@ $(document).ready(function() {
 } );
 
 </script>
+
+<?php endif; ?>

module/Dashboard/src/Dashboard/Controller/DashboardController.php

@@ -35,6 +35,12 @@ class DashboardController extends AbstractActionController
    protected $jobModel = null;
    protected $dashboardModel = null;
    protected $bsock = null;
+   protected $acl_alert = false;
+
+   private $required_commands = array(
+      "list",
+      "llist"
+   );
 
    public function indexAction()
    {
@@ -44,6 +50,16 @@ public function indexAction()
          return $this->redirect()->toRoute('auth', array('action' => 'login'), array('query' => array('req' => $this->RequestURIPlugin()->getRequestURI(), 'dird' => $_SESSION['bareos']['director'])));
       }
 
+      if(!$this->CommandACLPlugin()->validate($_SESSION['bareos']['commands'], $this->required_commands)) {
+         $this->acl_alert = true;
+         return new ViewModel(
+            array(
+               'acl_alert' => $this->acl_alert,
+               'required_commands' => $this->required_commands,
+            )
+         );
+      }
+
       try {
          $this->bsock = $this->getServiceLocator()->get('director');
          $running = $this->getJobs("running", 1, null);

module/Dashboard/view/dashboard/dashboard/index.phtml

@@ -29,6 +29,8 @@ $this->headTitle($title);
 
 ?>
 
+<?php if($this->acl_alert) : echo $this->ACLAlert($this->required_commands); elseif(!$this->acl_alert) : ?>
+
 <div class="row">
 
    <div class="col-md-4">
@@ -189,3 +191,5 @@ $this->headTitle($title);
    );
 
 </script>
+
+<?php endif; ?>

module/Director/src/Director/Controller/DirectorController.php

@@ -33,6 +33,14 @@ class DirectorController extends AbstractActionController
 {
    protected $directorModel = null;
    protected $bsock = null;
+   protected $acl_alert = false;
+
+   private $required_commands = array(
+      "list",
+      "llist",
+      "status",
+      "help"
+   );
 
    public function indexAction()
    {
@@ -42,6 +50,16 @@ public function indexAction()
          return $this->redirect()->toRoute('auth', array('action' => 'login'), array('query' => array('req' => $this->RequestURIPlugin()->getRequestURI(), 'dird' => $_SESSION['bareos']['director'])));
       }
 
+      if(!$this->CommandACLPlugin()->validate($_SESSION['bareos']['commands'], $this->required_commands)) {
+         $this->acl_alert = true;
+         return new ViewModel(
+            array(
+               'acl_alert' => $this->acl_alert,
+               'required_commands' => $this->required_commands,
+            )
+         );
+      }
+
       try {
          $this->bsock = $this->getServiceLocator()->get('director');
          $result = $this->getDirectorModel()->getDirectorStatus($this->bsock);
@@ -64,6 +82,16 @@ public function messagesAction()
          return $this->redirect()->toRoute('auth', array('action' => 'login'), array('query' => array('req' => $this->RequestURIPlugin()->getRequestURI(), 'dird' => $_SESSION['bareos']['director'])));
       }
 
+      if(!$this->CommandACLPlugin()->validate($_SESSION['bareos']['commands'], $this->required_commands)) {
+         $this->acl_alert = true;
+         return new ViewModel(
+            array(
+               'acl_alert' => $this->acl_alert,
+               'required_commands' => $this->required_commands,
+            )
+         );
+      }
+
       return new ViewModel();
    }
 
@@ -75,6 +103,16 @@ public function consoleAction()
          return $this->redirect()->toRoute('auth', array('action' => 'login'), array('query' => array('req' => $this->RequestURIPlugin()->getRequestURI(), 'dird' => $_SESSION['bareos']['director'])));
       }
 
+      if(!$this->CommandACLPlugin()->validate($_SESSION['bareos']['commands'], $this->required_commands)) {
+         $this->acl_alert = true;
+         return new ViewModel(
+            array(
+               'acl_alert' => $this->acl_alert,
+               'required_commands' => $this->required_commands,
+            )
+         );
+      }
+
       return new ViewModel();
    }
 

module/Director/src/Director/Model/DirectorModel.php

@@ -27,6 +27,19 @@
 
 class DirectorModel
 {
+   public function getAvailableCommands(&$bsock=null)
+   {
+      if(isset($bsock)) {
+         $cmd = '.help';
+         $result = $bsock->send_command($cmd, 2, null);
+         $messages = \Zend\Json\Json::decode($result, \Zend\Json\Json::TYPE_ARRAY);
+         return $messages['result'];
+      }
+      else {
+         throw new \Exception('Missing argument.');
+      }
+   }
+
    public function getDirectorVersion(&$bsock=null)
    {
       if(isset($bsock)) {