Merge branch 'master' into dev-v3

BUILDING.rst

@@ -14,7 +14,6 @@ This document contains instructions for:
 
 THE BUILD SCRIPT WILL MAKE CHANGES TO THE SYSTEM THAT MAY BE INCOMPATIBLE WITH OTHER SOFTWARE
 
-
 Building on Windows
 ===================
 
@@ -46,15 +45,15 @@ Building on CentOS 7 is the easiest way to get a working package for all Linux d
 
 In most cases, building on the distribution that is targeted, e.g. building on Ubuntu 20.04 to deploy on Ubuntu 20.04, will work, but the resulting package will not be as portable.
 
-To start, clone the repository in your directory::
+To start, clone the repository in your directory:
 
-  cd ~
-  git clone https://github.com/NagiosEnterprises/ncpa
+   cd ~
+   git clone https://github.com/NagiosEnterprises/ncpa<<<<<<< HEAD
 
 Now run the setup scripts to install the requirements::
 
-  cd ncpa/build
-  ./build.sh
+   cd ncpa/build
+   ./build.sh
 
 Follow the prompts to setup the system. When running the build.sh script it will setup
 the system and build the ncpa binary.
@@ -63,23 +62,19 @@ the system and build the ncpa binary.
 **Install on the target Linux server**
 --------------------------------
 
-  Copy the resulting ~/ncpa/build/ncpa-3.x.x-x.x86_64.rpm or ncpa_3.x.x-x_amd64.deb to the desired server and install using the appropriate package system:
+Copy the resulting ~/ncpa/build/ncpa-3.x.x-x.x86_64.rpm or ncpa_3.x.x-x_amd64.deb to the desired server and install using the appropriate package system:
 
-  On CentOS/RHEL/Oracle/Amazon/Rocky::
+  On CentOs/RHEL::
 
-    yum install ./ncpa-3.x.x-1.x86_64.rpm
+    yum install ./ncpa-3.x.x-1.elx.x86_64.rpm
 
-  On Ubuntu 16+/Debian 9+::
+  On Ubuntu/Debian::
 
     apt install ./ncpa_3.0.0-1._amd64.deb
 
-  On Ubuntu 14/Debian 8 (not supported, but may work)::
-
-    dpkg --force-depends -i ./ncpa_3.0.0-1._amd64.deb
-
   On OpenSuSE/SLES::
 
-    zypper install ./ncpa-3.x.x-1.x86_64.rpm
+    zypper install ./ncpa_3.0.0-1.x86_64.deb
 
 
 Building on MacOS

README.rst

@@ -6,14 +6,20 @@ NCPA
 
 The *Nagios Cross-Platform Agent*; a single monitoring agent that installs on all major operating systems. NCPA allows both active checks via check_ncpa.py and passive checks via NRDP. NCPA comes with a built-in web GUI, documentation, websocket graphing, and is secured with SSL by default.
 
+NCPA 3 Beta
+---------
+The NCPA 3 beta has been released! You can download the beta via the source code in the `dev-v3-beta-01 branch <https://github.com/NagiosEnterprises/ncpa/tree/dev-v3-beta01>`_ or by visiting the `downloads page <https://www.nagios.org/ncpa/#beta-downloads>`_ for installable packages.
+
 Downloads
 ---------
 
 Current versions:
 
-+---------+-------------+-------------------------------------------------------+
-| Current | **3.0.0**   | `Downloads <https://www.nagios.org/ncpa/#downloads>`_ |
-+---------+-------------+-------------------------------------------------------+
++---------+-------------+------------------------------------------------------------+
+| Current | **2.4.1**   | `Downloads <https://www.nagios.org/ncpa/#downloads>`_      |
++---------+-------------+------------------------------------------------------------+
+| Beta    | **3.0.0**   | `Downloads <https://www.nagios.org/ncpa/#beta-downloads>`_ |
++---------+-------------+------------------------------------------------------------+
 
 `Older Versions <https://www.nagios.org/ncpa/archive.php>`_
 
@@ -78,3 +84,4 @@ While we recommend using the pre-built version above, sometimes you may find the
 +------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------+
 | `Building for Windows <https://github.com/NagiosEnterprises/ncpa/blob/master/BUILDING.rst#building-on-windows>`_ | `Building for Linux <https://github.com/NagiosEnterprises/ncpa/blob/master/BUILDING.rst#building-on-linux>`_ | `Building for Mac OS X <https://github.com/NagiosEnterprises/ncpa/blob/master/BUILDING.rst#building-on-mac-os-x>`_ |
 +------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------+
+

agent/listener/server.py

@@ -23,6 +23,7 @@
 
 # Set whether or not a request is internal or not
 import socket
+from hmac import compare_digest
 
 __VERSION__ = ncpa.__VERSION__
 __STARTED__ = datetime.datetime.now()
@@ -162,6 +163,26 @@ def is_network(ip):
         logging.debug(e)
         return False
 
+# Securely compares strings - byte string or unicode
+# Comparison is done via compare_digest() to prevent timing attacks
+# If both items evaluate to false, they match. This makes it easier to handle
+# empty strings or variables which may have "NoneType"
+def secure_compare(item1, item2):
+    is_match = False
+
+    # Convert to unicode, if necessary, both items must have the same encoding
+    if item1 and not isinstance(item1, unicode):
+        item1 = item1.decode('utf-8')
+    if item2 and not isinstance(item2, unicode):
+        item2 = item2.decode('utf-8')
+
+    if item1 and item2 and compare_digest(item1, item2):
+        is_match = True
+    elif not item1 and not item2:
+        is_match = True
+
+    return is_match
+
 
 # ------------------------------
 # Authentication Wrappers
@@ -280,16 +301,17 @@ def requires_token_or_auth(f):
     def token_auth_decoration(*args, **kwargs):
         ncpa_token = listener.config['iconfig'].get('api', 'community_string')
         token = request.values.get('token', None)
+        token_valid = secure_compare(token, ncpa_token)
 
         # This is an internal call, we don't check
         if __INTERNAL__ is True:
             pass
-        elif session.get('logged', False) or token == ncpa_token:
+        elif session.get('logged', False) or token_valid:
             pass
         elif token is None:
             session['redirect'] = request.url
             return redirect(url_for('login'))
-        elif token != ncpa_token:
+        elif not token_valid:
             return error(msg='Incorrect credentials given.')
         return f(*args, **kwargs)
 
@@ -369,6 +391,9 @@ def login():
     url = session.get('redirect', None)
     token = request.values.get('token', None)
 
+    token_valid = secure_compare(token, ncpa_token)
+    token_is_admin = secure_compare(token, admin_password)
+
     template_args = { 'hide_page_links': True,
                       'message': message,
                       'url': url,
@@ -378,9 +403,9 @@ def login():
     session['message'] = None
 
     # Do actual authentication check
-    if token == ncpa_token and not admin_auth_only:
+    if not admin_auth_only and token_valid:
         session['logged'] = True
-    elif token == admin_password and admin_password is not None:
+    elif admin_password is not None and token_is_admin:
         session['logged'] = True
         session['admin_logged'] = True
 
@@ -394,10 +419,10 @@ def login():
     # Display error messages depending on what was given
     if token is not None:
         if not admin_auth_only:
-            if token != ncpa_token or token != admin_password:
+            if not token_valid and not token_is_admin:
                 template_args['error'] = 'Invalid token or password.'
         else:
-            if token == ncpa_token:
+            if token_valid:
                 template_args['error'] = 'Admin authentication only.'
             else:
                 template_args['error'] = 'Invalid password.'
@@ -414,15 +439,16 @@ def admin_login():
 
     # Admin password
     admin_password = get_config_value('listener', 'admin_password', None)
+    password = request.values.get('password', None)
+    password_valid = secure_compare(password, admin_password)
 
     message = session.get('message', None)
-    password = request.values.get('password', None)
     template_args = { 'hide_page_links': False,
                       'message': message }
 
     session['message'] = None
 
-    if password == admin_password and admin_password is not None:
+    if admin_password is not None and password_valid:
         session['admin_logged'] = True
         return redirect(url_for('admin'))
     elif password is not None:

build/build.sh

@@ -190,6 +190,27 @@ if command -v git > /dev/null; then
     echo "GIT_HASH_FILE: $GIT_HASH_FILE"
 fi
 
+# Add file with current GIT hash to build
+GIT_LONG="Not built under GIT"
+GIT_HASH_FILE="NoGIT.githash"
+
+if command -v git > /dev/null; then
+    GIT_LONG=$(git rev-parse HEAD)
+    GIT_SHORT=$(git rev-parse --short HEAD)
+    GIT_UNCOMMITTED=$(git status --untracked-files=no --porcelain)
+    echo "GIT_UNCOMMITTED: $GIT_UNCOMMITTED"
+    if [ "$GIT_UNCOMMITTED" ]; then
+        GIT_LONG="$GIT_LONG++  compiled with uncommitted changes"
+        GIT_SHORT="$GIT_SHORT++"
+    fi
+    GIT_HASH_FILE="git-$GIT_SHORT.githash"
+    echo "GIT_LONG: $GIT_LONG"
+    echo "GIT_SHORT: $GIT_SHORT"
+    echo "GIT_HASH_FILE: $GIT_HASH_FILE"
+fi
+# ls $AGENT_DIR/*.githash >/dev/null && rm $AGENT_DIR/*.githash
+# echo $GIT_LONG > "$AGENT_DIR/$GIT_HASH_FILE"
+
 (
     echo -e "\nBuilding NCPA binaries..."
     cd $AGENT_DIR