diff --git a/include/Ntop.h b/include/Ntop.h
index c6ae78c18c..e2c9c0addd 100644
--- a/include/Ntop.h
+++ b/include/Ntop.h
@@ -78,7 +78,9 @@ class Ntop {
 void loadLocalInterfaceAddress();
 void initAllowedProtocolPresets();
-
+
+ bool checkUserPassword(const char * const user, const char * const password) const;
+
 public:
 /**
 * @brief A Constructor
@@ -396,10 +398,11 @@ class Ntop {
 void getUsers(lua_State* vm);
 void getUserGroup(lua_State* vm);
 void getAllowedNetworks(lua_State* vm);
- bool getInterfaceAllowed(lua_State* vm, char *ifname) const;
- bool isInterfaceAllowed(lua_State* vm, const char *ifname) const;
- bool isInterfaceAllowed(lua_State* vm, int ifid) const;
- bool checkUserPassword(const char *user, const char *password);
+ bool getInterfaceAllowed(lua_State* vm, char *ifname) const;
+ bool isInterfaceAllowed(lua_State* vm, const char *ifname) const;
+ bool isInterfaceAllowed(lua_State* vm, int ifid) const;
+ bool checkUser(const char * const user, const char *password) const;
+ bool checkUserInterfaces(const char * const user) const;
 bool resetUserPassword(char *username, char *old_password, char *new_password);
 bool mustChangePassword(const char *user);
 bool changeUserRole(char *username, char *user_role) const;
@@ -415,7 +418,7 @@ class Ntop {
 bool isCaptivePortalUser(const char * const username);
 bool deleteUser(char *username);
 bool getUserHostPool(char *username, u_int16_t *host_pool_id);
- bool getUserAllowedIfname(char *username, char *buf, size_t buflen);
+ bool getUserAllowedIfname(const char * const username, char *buf, size_t buflen) const;
 bool hasUserLimitedLifetime(const char * const username, int32_t *lifetime_secs);
 void setWorkingDir(char *dir);
 void fixPath(char *str, bool replaceDots = true);
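Review bot: The new public entry points `checkUser` and `checkUserInterfaces` in the second hunk carry no comment, while `checkUserPassword` becomes private in the first, so a reader of the header cannot tell that `checkUser` is the credential check callers are now expected to use and that it also rejects users whose allowed interface is not instantiated. I would add above `checkUser` a comment like `/* Authenticates user/password and additionally requires the user's allowed interface (if any) to exist; HTTP auth paths must call this rather than checkUserPassword. */`. A small style point in the same hunk: `checkUser` declares `const char *password` whereas its sibling declarations use `const char * const`; the top-level const on a by-value parameter has no effect on callers, so either form works, but the two should agree.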
@@ -453,7 +456,7 @@ class Ntop {
 void swapHostBlacklist();
 void addToHostBlacklist(char *net);
 bool isBlacklistedIP(IpAddress *ip);
- bool isExistingInterface(char *name);
+ bool isExistingInterface(const char * const name) const;
 inline NetworkInterface* getFirstInterface() { return(iface[0]); }
 inline NetworkInterface* getInterface(int i) { return(((i < num_defined_interfaces) && iface[i]) ? iface[i] : NULL); }
 #ifdef NTOPNG_PRO
diff --git a/src/HTTPserver.cpp b/src/HTTPserver.cpp
index 8898a073ad..0bbd225d0d 100644
--- a/src/HTTPserver.cpp
+++ b/src/HTTPserver.cpp
@@ -318,7 +318,7 @@ static int is_authorized(const struct mg_connection *conn,
 get_qsvar(request_info, "password", password, sizeof(password));
 }
- return(ntop->checkUserPassword(username, password)
+ return(ntop->checkUser(username, password)
 && checkCaptive(conn, request_info, username, password));
 }
 }
@@ -349,7 +349,7 @@ static int is_authorized(const struct mg_connection *conn,
 getline(authss, user_s, ':');
 getline(authss, pword_s, ':');
- return ntop->checkUserPassword(user_s.c_str(), pword_s.c_str());
+ return ntop->checkUser(user_s.c_str(), pword_s.c_str());
 }
 mg_get_cookie(conn, "user", username, username_len);
@@ -364,9 +364,13 @@ static int is_authorized(const struct mg_connection *conn,
 /* Last resort: see if we have a user and password matching */
 mg_get_cookie(conn, "password", password, sizeof(password));
- return(ntop->checkUserPassword(username, password));
+ return(ntop->checkUser(username, password));
 }
+ /* Make sure there are existing interfaces for username */
+ if(!ntop->checkUserInterfaces(username))
+ return(0);
+
 // ntop->getTrace()->traceEvent(TRACE_WARNING, "[HTTP] Received session %s/%s", session_id, username);
 snprintf(key, sizeof(key), CONST_RUNTIME_IS_AUTOLOGOUT_ENABLED);
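Review bot: The new `checkUserInterfaces` guard in the `@@ -364` hunk returns 0 silently, so a user whose allowed interface is not yet instantiated gets a login failure indistinguishable from a bad password and the operator has nothing in the log to diagnose it; I would trace before returning, e.g. `ntop->getTrace()->traceEvent(TRACE_WARNING, "[HTTP] Login denied for %s: allowed interface not instantiated", username);`. Note also that `username` at this point was read from the `user` cookie and, as far as the hunk shows, has not yet been validated against the session when the Redis lookup inside `checkUserInterfaces` runs; if the session is validated further down in `is_authorized`, placing the guard after that validation avoids a lookup driven by an arbitrary cookie value. The body of `is_authorized` continues outside the hunk.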
@@ -620,8 +624,9 @@ static void authorize(struct mg_connection *conn,
 }
 }
- if(isCaptiveConnection(conn) || ntop->isCaptivePortalUser(user) ||
- (!ntop->checkUserPassword(user, password))) {
+ if(isCaptiveConnection(conn)
+ || ntop->isCaptivePortalUser(user)
+ || !ntop->checkUser(user, password)) {
 // Authentication failure, redirect to login
 redirect_to_login(conn, request_info, (referer[0] == '\0') ? NULL : referer);
 } else {
diff --git a/src/LuaEngine.cpp b/src/LuaEngine.cpp
index 49b28065a6..9b95dafd4e 100644
--- a/src/LuaEngine.cpp
+++ b/src/LuaEngine.cpp
@@ -8179,7 +8179,6 @@ int LuaEngine::handle_script_request(struct mg_connection *conn,
 if(!ntop->isExistingInterface(ifname)) {
 NetworkInterface *iface = ntop->getFirstInterface();
- ntop->getRedis()->set(key, iface->get_name());
 getLuaVMUservalue(L,ifname) = iface->get_name();
 getLuaVMUservalue(L,iface) = iface;
 } else {
diff --git a/src/Ntop.cpp b/src/Ntop.cpp
index 8df2bc3251..ca43c38d2e 100644
--- a/src/Ntop.cpp
+++ b/src/Ntop.cpp
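Review bot: In the LuaEngine hunk the fallback still binds the VM to `getFirstInterface()` whenever `ifname` does not exist, and nothing visible here checks that the requesting user is allowed to see that interface; if that is enforced elsewhere (for instance via `isInterfaceAllowed` before this point), a one-line comment such as `/* iface[0] is safe here: the caller has already verified the user may access it */` would keep the next reader from treating this as a bypass. Dropping the Redis `set()` is the right call, since it previously persisted the fallback choice under `key`, whose meaning is not visible in the hunk. `handle_script_request` starts and ends outside the hunk.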
@@ -984,8 +984,35 @@ bool Ntop::isInterfaceAllowed(lua_State* vm, int ifid) const {
 /* ******************************************* */
+bool Ntop::checkUserInterfaces(const char * const user) const {
+ char ifbuf[MAX_INTERFACE_NAME_LEN];
+
+ /* Check if the user has an allowed interface and that interface has not yet been
+ instantiated in ntopng (e.g, this can happen with dynamic interfaces after ntopng
+ has been restarted.) */
+ getUserAllowedIfname(user, ifbuf, sizeof(ifbuf));
+ if(ifbuf[0] != '\0' && !isExistingInterface(ifbuf))
+ return false;
+
+ return true;
+}
+
+/* ******************************************* */
+
+bool Ntop::checkUser(const char * const user, const char *password) const {
+ if(!checkUserPassword(user, password))
+ return false;
+
+ if(!checkUserInterfaces(user))
+ return false;
+
+ return true;
+}
+
+/* ******************************************* */
+
 // Return 1 if username/password is allowed, 0 otherwise.
-bool Ntop::checkUserPassword(const char *user, const char *password) {
+bool Ntop::checkUserPassword(const char * const user, const char * const password) const {
 char key[64], val[64], password_hash[33];
 #if defined(NTOPNG_PRO) && defined(HAVE_LDAP)
 bool localAuth = true;
@@ -1356,7 +1383,7 @@ bool Ntop::getUserHostPool(char *username, u_int16_t *host_pool_id) {
 /* ******************************************* */
-bool Ntop::getUserAllowedIfname(char *username, char *buf, size_t buflen) {
+bool Ntop::getUserAllowedIfname(const char * const username, char *buf, size_t buflen) const {
 char key[64];
 snprintf(key, sizeof(key), CONST_STR_USER_ALLOWED_IFNAME, username ? username : "");
@@ -1525,7 +1552,7 @@ NetworkInterface* Ntop::getInterfaceById(int if_id) {
 /* ******************************************* */
-bool Ntop::isExistingInterface(char *name) {
+bool Ntop::isExistingInterface(const char * const name) const {
 if(name == NULL) return(false);
 for(int i=0; i
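Review bot: In `checkUserInterfaces` the buffer `ifbuf` is declared uninitialised and the return value of `getUserAllowedIfname` is discarded, so if that call returns without writing `buf` (its body is outside this hunk; the `@@ -1356` hunk only shows the key being built) the test `ifbuf[0] != '\0'` reads indeterminate stack bytes and the login decision becomes non-deterministic, most likely a spurious denial. Zero-initialise the buffer, `char ifbuf[MAX_INTERFACE_NAME_LEN] = { '\0' };`, or check the return value and decide explicitly what a lookup failure means. `checkUser` evaluates the password before the interface check, which is the right order since the cheaper check can then never stand in for authentication; a short comment on `checkUser` stating that the ordering is deliberate would keep a future refactor from swapping it.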