This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

Support glpiinventory as replacement of fusioninventory plugin, glpi agent as fusioninventory agent #134

Closed
AldarisPale opened this issue May 30, 2023 · 15 comments

Comments

@AldarisPale

Hi!

My understanding is that since Fusioninventory team has forked GLPI 9.5, they are not motivated to continue supporting GLPI (https://fusioninventory.org/news/2023/02/12/fusioninventory-server-releases.html) and so GLPI has forked fusioninventory plugin (https://github.com/glpi-project/glpi-inventory-plugin) and agent (https://github.com/glpi-project/glpi-agent)

Currently phpsaml is aware of only fusioninventory agent and fusioninventory plugin and is not aware of glpi agent and glpiinventory plugin.

Please add support for glpi agent and glpiinventory plugin.

#132 (comment) contains a patch which was valid for bleeding edge version of https://github.com/DonutsNL/phpsaml but by now is out of date. It should be valid for all possible combinations of fusioninventory agent, glpi agent, fusioninventory plugin, glpiinventory plugin.

@AldarisPale AldarisPale changed the title Support glpiinventory as replacement of fusioninventory plugin, glpi agent as fusioninventory agent plugin Support glpiinventory as replacement of fusioninventory plugin, glpi agent as fusioninventory agent May 30, 2023
@DonutsNL
Contributor

DonutsNL commented May 30, 2023

Thanks @AldarisPale

This needs some research. A quick glance suggests that the new agent uses a different useragent header.

const useragent = "GLPI-Injector-v"+version
https://github.com/glpi-project/glpi-agent/blob/f1a94d5615e4b50a35469a39d60ccc641fd7796c/src/cmd/glpi-injector/main.go#LL22C1-L22C44

Also configured an agent to verify useragent string used.

DonutsNL added a commit to DonutsNL/phpsaml that referenced this issue May 30, 2023
@DonutsNL
Contributor

Added exclusions for new GLPI agent and injector

@AldarisPale
Author

Thanks, @DonutsNL !
When checking the current latest branch at https://github.com/DonutsNL/phpsaml/blob/edce2220ca139336385ca21f188b83f4fdd09dd5/inc/phpsaml.class.php#L56 one aspect is not considered yet, which is that computers are still running FusionInventory agent, but GLPI is already running glpiinventory plugin. In order to handle it, the following EXCLUDED_USERAGENTS combinations could be added:
'FusionInventory-Agent' => '/plugins/glpiinventory/' and 'FusionInventory-Agent' => '/marketplace/glpiinventory/'

@DonutsNL
Contributor

See rule #58 where the exclusions are listed.

@AldarisPale
Author

Thanks. In my installation I'm currently patching https://github.com/DonutsNL/phpsaml/blob/edce2220ca139336385ca21f188b83f4fdd09dd5/inc/phpsaml.class.php#L56 from

private const EXCLUDED_USERAGENTS = ['FusionInventory-Agent' => '/plugins/fusioninventory/',
                                     'FusionInventory-Agent' => '/marketplace/fusioninventory/',
                                     'GLPI-Agent_'           => '/plugins/glpiinventory',
                                     'GLPI-Agent'            => '/',
                                     'GLPI-Injector'         => '/'];

to

private const EXCLUDED_USERAGENTS = ['FusionInventory-Agent' => '/plugins/fusioninventory/',
                                     'FusionInventory-Agent' => '/marketplace/fusioninventory/',
                                     'FusionInventory-Agent' => '/plugins/glpiinventory/',
                                     'FusionInventory-Agent' => '/marketplace/glpiinventory/',
                                     'GLPI-Agent_'           => '/plugins/glpiinventory',
                                     'GLPI-Agent'            => '/',
                                     'GLPI-Injector'         => '/'];

This fixes the problem for me. I am not quite sure how #58 is related though?

@DonutsNL
Contributor

DonutsNL commented Dec 26, 2023

It seems codeserver didn't push the latest version yet.

The changes should be present in the repo here: https://github.com/DonutsNL/phpsaml/blob/7df05fff5fa8c958c6f7d20c1249466012f412e6/inc/phpsaml.class.php#L58

@AldarisPale
Author

Thanks, @DonutsNL !

There's still a problem (and it was there with my manual patch too) that if phpsaml is being enforced, agents (in this case FusionInventory-Agent_v2.6-2) still get saml prompt.

phpsaml version is the current master branch from @DonutsNL , glpi is 10.0.11.

I'd debug, but don't know where to start.

@DonutsNL
Contributor

DonutsNL commented Dec 27, 2023 via email

@AldarisPale
Author

> I don't use the inventory, but if you could share useragent and path info from the access log we prob will be able to figure out what additional exclusion to add.

When not enforced:
[27/Dec/2023:11:00:08 +0000] "POST /plugins/glpiinventory/ HTTP/1.1" 200 76 "-" "FusionInventory-Agent_v2.6-2"

When enforced:
[27/Dec/2023:11:00:45 +0000] "POST /plugins/glpiinventory/ HTTP/1.1" 302 - "-" "FusionInventory-Agent_v2.6-2"

@loyolajavi

loyolajavi commented Dec 27, 2023

This can be fixed by adding the following line of code in phpsaml/inc/phpsaml.class.php:

private const EXCLUDED_USERAGENTS = ['FusionInventory-Agent' => '/plugins/fusioninventory/',
'FusionInventory-Agent' => '/marketplace/fusioninventory/',
'FusionInventory-Agent' => '/plugins/glpiinventory/',
'FusionInventory-Agent_v2.6-2' => '/plugins/glpiinventory/',
'FusionInventory-Agent' => '/marketplace/glpiinventory/',
'GLPI-Agent' => '/',
'GLPI-Injector' => '/'];

Maybe with a wildcard, can fix all versions of fusioninventory agent

@AldarisPale
Author

AldarisPale commented Dec 28, 2023

> This can be fixed by adding the following line of code in phpsaml/inc/phpsaml.class.php:

My current understanding is that the useragent string is not a problem currently because even after adding the line, agent is still being redirected to SAML login page.

> Maybe with a wildcard, can fix all versions of fusioninventory agent

This should already be the case because strpos function is being used (I allow myself to be wrong here, as I am no php professional), which does the partial string matching: https://github.com/DonutsNL/phpsaml/blob/7df05fff5fa8c958c6f7d20c1249466012f412e6/inc/phpsaml.class.php#L217

This makes me think that there is some other logic error hiding somewhere.

@AldarisPale
Author

AldarisPale commented Dec 28, 2023

Turns out the problem is a simple one. With native glpiinventory plugin, the request URI is /front/inventory.php
and not /plugins/glpiinventory/ nor /marketplace/glpiinventory/
meaning lines
https://github.com/DonutsNL/phpsaml/blob/7df05fff5fa8c958c6f7d20c1249466012f412e6/inc/phpsaml.class.php#L58
and
https://github.com/DonutsNL/phpsaml/blob/7df05fff5fa8c958c6f7d20c1249466012f412e6/inc/phpsaml.class.php#L59
should be good for removal and
'FusionInventory-Agent' => '/front/inventory.php', should be added.

edit: sorry for the confusion created by #134 (comment) as it contained wrong URLs.

@AldarisPale
Author

Stumbled on another, related problem.
If I'm not mistaken, then only the last URL defined will be valid for a given agent at https://github.com/DonutsNL/phpsaml/blob/7df05fff5fa8c958c6f7d20c1249466012f412e6/inc/phpsaml.class.php#L59 as the previous values will be forgotten about.

Quick demo:

<?php

class test_class
{
    // 'agent_1' appears twice as a key; PHP keeps only the last value for it.
    const DEMOVAR = ['agent_1' => 'first_uri',
                     'agent_1' => 'second_uri',
                     'agent_2' => 'third_uri'];

    function printcombinations() {
        foreach (self::DEMOVAR as $agent => $request) {
            echo $agent." ".$request.PHP_EOL;
        }
    }
}

$demo = new test_class();
$demo->printcombinations();

?>

Gives the following output:

agent_1 second_uri
agent_2 third_uri

Note that agent_1 first_uri is missing from the output.
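
The duplicate-key problem demonstrated above, and one way around it, as an added example that is not part of the thread or of phpsaml's code: the exclusions are stored as a list of pairs so every agent/path combination survives. The constant and function names are hypothetical, the prefix matching with strpos is an assumption based on the discussion, and the sample requests are constructed from the access-log lines quoted earlier.

```php
<?php
// Added illustration; EXCLUDED_REQUESTS and isExcludedFromSaml() are
// hypothetical names, not identifiers from phpsaml.

// A list of [agent prefix, path prefix] pairs. Unlike an associative array
// keyed by agent, repeating the same agent does not overwrite earlier paths.
const EXCLUDED_REQUESTS = [
    ['FusionInventory-Agent', '/plugins/fusioninventory/'],
    ['FusionInventory-Agent', '/marketplace/fusioninventory/'],
    ['FusionInventory-Agent', '/front/inventory.php'],
];

function isExcludedFromSaml(string $userAgent, string $requestUri): bool
{
    // Compare against the path only, so a query string cannot affect the match.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    foreach (EXCLUDED_REQUESTS as [$agent, $prefix]) {
        // Both checks are anchored at position 0 (prefix match), so
        // 'FusionInventory-Agent' covers 'FusionInventory-Agent_v2.6-2'.
        // The path is also a prefix: an entry of '/' would exempt every URL
        // for that agent string, so keep prefixes as narrow as the endpoint
        // the agent actually posts to.
        if (strpos($userAgent, $agent) === 0 && strpos($path, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests: [User-Agent, request URI].
$samples = [
    ['FusionInventory-Agent_v2.6-2', '/front/inventory.php'],
    ['FusionInventory-Agent_v2.6-2', '/plugins/fusioninventory/'],
    ['FusionInventory-Agent_v2.6-2', '/plugins/glpiinventory/'],
    ['Mozilla/5.0',                  '/front/inventory.php'],
];

foreach ($samples as [$ua, $uri]) {
    $verdict = isExcludedFromSaml($ua, $uri) ? 'excluded' : 'SAML enforced';
    echo $ua . ' ' . $uri . ' : ' . $verdict . PHP_EOL;
}
```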

@DonutsNL
Contributor

I'll do you one better, I will make this configurable from GLPI instead of the hardcoded approach.

@AldarisPale
Author

Thanks, @DonutsNL !!!!
It took some time to find where the exclusions are defined (hint: global dropdowns), but can confirm it's working using current master from https://github.com/DonutsNL/phpsaml
