Commit Graph

241 Commits

Author SHA1 Message Date
Isaac Connor 0142c71c85 Merge branch 'master' into fix_2772 2019-12-20 11:02:27 -05:00
Isaac Connor 5f006421cc fix #2771. Correct relationship from hasMany to hasAndBelongsToMany for Monitors in Group Modelel. Use save Assiociated in Controller, and add code to handle backwards compatibility by turning MonitorIds into the appropriate Monitor array 2019-12-15 15:31:40 -05:00
Isaac Connor eee3729b85 dirty fix filtering Monitors by GroupId. Change occurrences of GroupId to ' ' as that is what the key is in conditions. Please note that other operators like != won't work. 2019-12-04 22:23:55 -05:00
Isaac Connor c19632e114
Merge pull request #2769 from connortechnology/fix_api_alarm_auth
Fix api alarm auth
2019-12-02 07:53:50 -05:00
Isaac Connor 76d795f413 add rendering of enums for Events Controller 2019-12-01 12:32:14 -05:00
Isaac Connor 0b2853095e cleanup auth in monitors alarm method 2019-12-01 12:30:27 -05:00
Pliable Pixels 16a6938710 add model validation so that we don't create empty monitors 2019-11-02 08:30:25 -04:00
Isaac Connor 9889311b03 Handle username=&password= as well in HostController::login 2019-09-18 11:40:55 -04:00
Isaac Connor 50aa0108e5 Add authhash to session 2019-09-03 11:33:02 -04:00
Isaac Connor a384e978c8 don't load user from session if we have already gotten it from elsewhere 2019-09-03 11:19:42 -04:00
Isaac Connor b84d005d8f Load use from session when it exists 2019-09-03 10:54:34 -04:00
Isaac Connor 84492f29b1
Fix token auth sessions (#2676)
* If token is present do token based auth and do not do anything with session

* update HostController.  Use config constants, don't use sessions

* Remove Session from the components list

* spacing

* Remove Session from App Components list.

* Move APIEnabled check to the api from auth.php

* Rework auth.  login using username and password only occurs on login action now.  Including auth.php should not touch the session.  auth_hash logins no longer touch the session.  replace userLogin with a function called validateUser which matches the semantics of validateToken.

* remove debugging

* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH

* fix mUser to username, etc.

* shuffle lines

* use  instead of session when generating auth hash.

* Add docs regarding the use of cookies and stateful query param

* Only open/close session if we are clearing a session var

* Use zm_session_start instead of session_start

* Should use zm_session_start instead of session_start

* document that zm_session_start should be called previously to session_regenerate_id

* Don't actually write out the session when generating auth hashes.  Means they should never actually persist.

* More backticking of SQL

* add .. to fix #2686

* Use material icons for sort because they look nicer

* fix typo

* have to add authhash to session on login

* restore username&password login for all urls

* fix

* fixes
2019-08-20 09:46:53 -04:00
Isaac Connor cfeedd39a4 Use zm_session_start instead of session_start 2019-08-16 15:07:20 -04:00
Isaac Connor 1d0ee227d7 fix mUser to username, etc. 2019-08-16 14:12:37 -04:00
Isaac Connor 4108495a7d Add session storage if stateful query param is on, but only for LEGACY_API_AUTH 2019-08-16 14:12:14 -04:00
Isaac Connor 618e6816ef Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken. 2019-08-15 14:59:15 -04:00
Isaac Connor 9da10abca9 Move APIEnabled check to the api from auth.php 2019-08-13 11:29:32 -04:00
Isaac Connor a63b6486b9 Remove Session from App Components list. 2019-08-12 15:36:40 -04:00
Isaac Connor c2e1293472 spacing 2019-08-12 15:10:58 -04:00
Isaac Connor 0bf036fc55 Remove Session from the components list 2019-08-12 15:06:46 -04:00
Isaac Connor 2320ab4d66 update HostController. Use config constants, don't use sessions 2019-08-12 15:01:40 -04:00
Pliable Pixels a9d01ba3d2 Alarm api (#2665)
* fixed alarm api to use tokens if present

* clearer debug logs for tokens

* space
2019-07-17 20:38:58 -04:00
Pliable Pixels c4dc5f34e4 add event file system path to API (#2639) 2019-06-16 11:59:23 -04:00
Pliable Pixels bc0565858b check for API disabled only when auth is on (#2624) 2019-05-28 13:44:06 -04:00
Isaac Connor 1ddd5b1f74 Merge branch 'master' of github.com:ZoneMinder/zoneminder 2019-05-24 13:56:30 -04:00
Pliable Pixels fc27393a96 Replace MySQL Password() with bcrypt, allow for alternate JWT tokens (#2598)
* added sha1 and bcrypt submodules

* added bcrypt and sha to src build process

* added test sha1 and bcrypt code to validate working

* bcrypt auth migration in PHP land

* added include path

* add sha source

* added bcrypt to others

* put link_dir ahead of add_executable

* fixed typo

* try add_library instead

* absolute path

* absolute path

* build bcrypt as static

* move to wrapper

* move to fork

* logs tweak

* added lib-ssl/dev for JWT signing

* Moved to openSSL SHA1, initial JWT plugin

* removed vog

* fixed SHA1 algo

* typo

* use php-jwt, use proper way to add PHP modules, via composer

* fixed module path

* first attempt to fix cast error

* own fork

* own fork

* add composer vendor directory

* go back to jwt-cpp as PR merged

* moved to jwt-cpp after PR merge

* New token= query for JWT

* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading

* JWT integration, validate JWT token via validateToken

* added token validation to zms/zmu/zmuser

* add token to command line for zmu

* move decode inside try/catch

* exception handling for try/catch

* fix db read, forgot to exec query

* remove allowing auth_hash_ip for token

* support refresh tokens as well for increased security

* remove auth_hash_ip

* Error out if used did not create an AUTH_HASH_SECRET

* fixed type conversion

* make sure refresh token login doesn't generate another refresh token

* fix absolute path

* move JWT/Bcrypt inside zm_crypt

* move sha headers out

* move out sha header

* handle case when supplied password is hashed, fix wrong params in AppController

* initial baby step for api tab

* initial plumbing to introduce token expiry and API bans per user

* remove M typo

* display user table in api

* added revoke all tokens code, removed test code

* use strtoul for conversion

* use strtoul for conversion

* use strtoul for conversion

* more fixes

* more fixes

* add mintokenexpiry to DB seek

* typo

* add ability to revoke tokens and enable/disable APIs per user

* moved API enable back to system

* comma

* enable API options only if API enabled

* move user creation to bcrypt

* added password_compat for PHP >=5.3 <5.5

* add Password back so User object indexes don't change

* move token index after adding password

* demote logs

* make old API auth optional, on by default

* make old API auth mechanism optional

* removed stale code

* forgot to checkin update file

* bulk overlay hash mysql encoded passwords

* add back ssl_dev, got deleted

* fix update script

* added token support to index.php

* reworked API document for new changes in 2.0

* Migrate from libdigest to crypt-eks-blowfish due to notice

* merge typo

* css classess for text that disappear

* fixed html typo

* added deps to ubuntu control files

* spaces

* removed extra line

* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

* add libssl1.0.0 for ubuntu 16/12

* small API fixes

* clean up of API, remove redundant sections

* moved to ZM fork for bcrypt

* whitespace and google code style

* regenerate auth hash if doing password migration

* dont need AUTH HASH LOGIN to be on

* Add auth hash verification to the user logged in already case

* fix missing ]

* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00
Isaac Connor 2ce2381269 Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-19 08:45:42 -04:00
Pliable Pixels 8e1037458a when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist 2019-05-18 11:23:16 -04:00
Isaac Connor 93aeceecfc Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-17 10:18:15 -04:00
Pliable Pixels 41ae745b17 removed stale code 2019-05-12 18:53:51 -04:00
Pliable Pixels ec279ccc9a make old API auth mechanism optional 2019-05-12 18:51:07 -04:00
Pliable Pixels 881d531fe9 make old API auth optional, on by default 2019-05-12 18:19:19 -04:00
Pliable Pixels 225893fcd6 add mintokenexpiry to DB seek 2019-05-12 05:50:19 -04:00
Pliable Pixels 88d50ec9ca added revoke all tokens code, removed test code 2019-05-11 15:47:57 -04:00
Pliable Pixels 95b448abdd handle case when supplied password is hashed, fix wrong params in AppController 2019-05-10 11:25:55 -04:00
Pliable Pixels 1770ebea23 make sure refresh token login doesn't generate another refresh token 2019-05-08 15:26:51 -04:00
Pliable Pixels 0bc96dfe83 Error out if used did not create an AUTH_HASH_SECRET 2019-05-08 14:26:16 -04:00
Pliable Pixels bc050fe330 support refresh tokens as well for increased security 2019-05-08 13:38:42 -04:00
Pliable Pixels 27e6e46f84 remove allowing auth_hash_ip for token 2019-05-08 12:11:32 -04:00
Pliable Pixels b293592e4c added token validation to zms/zmu/zmuser 2019-05-08 10:55:32 -04:00
Pliable Pixels d36c1f5d3c Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading 2019-05-07 15:04:12 -04:00
Pliable Pixels 0bbc582971 New token= query for JWT 2019-05-07 15:03:13 -04:00
Isaac Connor 5b68ddcc9a add a note deprecating getDiskPercent 2019-04-17 09:55:34 -04:00
Pliable Pixels d270fbd0ad added support for named params to consoleEvents (#2571) 2019-04-09 16:28:46 -04:00
Isaac Connor 110e5075f4 fix namespace fixes #3566 2019-04-01 17:21:01 -04:00
Isaac Connor fa9803d819 Can't use this->data to avoid another db hit. Must load by id 2019-04-01 10:11:56 -04:00
Isaac Connor b988ce0573 more parentheses to make logic more clear 2019-03-20 14:26:35 -04:00
Isaac Connor 520c41da23 Merge ../ZoneMinder.connortechnology.bad into storageareas 2019-03-18 14:40:03 -04:00
Matthew Noorenberghe abb6ef1688 API: Escape 'named' params for SQLi in two more Event endpoints.
Fixes #2099
2019-03-11 00:21:51 -07:00
Matthew Noorenberghe 056b96f7fc API: Monitor and Event 'index' SQLi. Fixes #2099 2019-03-11 00:21:51 -07:00
Isaac Connor af9c87a112 Merge branch 'master' into storageareas 2019-02-27 10:53:19 -05:00
Isaac Connor 4c35f2910c fix ZM namespace 2019-02-26 18:09:18 -05:00
Isaac Connor df3e11d83c Fix authentication in api because we no longer store the user object in the session 2019-02-26 17:01:45 -05:00
Isaac Connor fbdb5bcb62 Merge branch 'master' into storageareas 2019-02-19 12:06:32 -05:00
Isaac Connor eaa7341935 Add missing / in path to auth.php 2019-02-19 10:07:36 -05:00
Isaac Connor 5029d7214a Merge branch 'master' into storageareas 2019-02-18 17:00:45 -05:00
Isaac Connor 4cd3a93e96 add missing / 2019-02-18 16:30:03 -05:00
Mitch Capper 04c17283ec need to prefix with _dir_ otherwise relative to initial script (#2531) 2019-02-17 11:31:10 -05:00
Isaac Connor 5060358870 Merge branch 'master' into storageareas 2018-12-29 09:56:53 -05:00
Andrew Bauer 3258d8e590 remove ZM_DIR_IMAGES (#2374) 2018-12-29 09:52:58 -05:00
Isaac Connor 27826b4aca Merge branch 'master' into storageareas 2018-12-24 09:48:29 -05:00
Isaac Connor 47465260d1 Update permissions checking for Groups to not use session. Fixes #2353 2018-12-21 10:01:48 -05:00
Isaac Connor e626049f6b Merge branch 'swresample' into storageareas 2018-12-20 14:08:40 -05:00
Pliable Pixels 622c17f628 make sure auth is regenerated each time we call this API (#2347) 2018-12-16 11:02:07 -05:00
Isaac Connor 7d90a56561 Merge branch 'master' into storageareas 2018-11-30 14:46:42 -05:00
Pliable Pixels e6b8a7bc66 resolves #2327 2018-11-29 09:21:10 -05:00
Isaac Connor f5328265ef fix missing daemons definition 2018-11-28 09:12:22 -05:00
Isaac Connor 51d8c0ea73 add back daemon parameter, but make it actually work 2018-11-14 12:59:44 -05:00
Isaac Connor d671761a35 simplify params to daemonControl since they really aren't being used anyways. Return the status text 2018-11-14 12:54:10 -05:00
Andrew Bauer 073193e410
Merge pull request #2281 from connortechnology/fix_2279_delete_camera_through_api
Fix 2279 delete camera through api
2018-10-30 07:06:14 -05:00
Isaac Connor 39061038fb Don't include related models in Storage index 2018-10-29 14:40:05 -04:00
Isaac Connor 9a2d58adce We don't store all the permissions in the session anymore. We just use the global user object 2018-10-29 11:03:03 -04:00
Isaac Connor 8878397622 fix spacing 2018-10-20 11:36:25 -04:00
Andrew Bauer 409fd6aa6f
Merge pull request #2232 from connortechnology/fix_2229_getDiskPercent
Fix 2229 get disk percent
2018-10-03 18:11:28 -05:00
Isaac Connor 66221e39ab rough in a StorageController for api 2018-10-03 11:22:51 -04:00
Isaac Connor 12bed9b6ac Use alternate, working test for relative ZM_DIR_EVENTS. Don't use human output from du when specifying mid to be consistent. 2018-10-03 11:11:33 -04:00
Isaac Connor 03f09bdc48 Use defined CONFIG constants instead of looking up config from db 2018-10-03 10:56:02 -04:00
Isaac Connor 23ddc83ad4
fix_2167 (#2168)
* Populate a global  from the session on every request. Use the  object instead of using allowedMonitors in session.

* fix when  gets loaded.

* use  for auth, and add Monitor Edit checks to Zone add/delete/edit

* add back the ZM_OPT_USE_AUTH test for being logged in in AppController

* Update permissions code to use

* change quotes

* Update permission code to use

* Use  instal of session for systemPermission

* deprecate montiorPermision in session

* use  instead of session streamPermission

* move login code back into AppController. Has to be done for every request

* deprecate eventPermission, controlPermission and systemPermission in session.

* handle auth params in query string as well as post

* exit on HUP to free up memory.

* add missing global user

* system should be System
2018-08-08 09:59:46 -04:00
Isaac Connor dc57a3c91c fix spacing/quotes/google code style 2018-07-24 16:41:09 -04:00
Pliable Pixels 997aa6aa55 fixed getCredentials not working if called directly 2018-07-17 13:57:20 -04:00
Pliable Pixels 0ff9002adf 2156 api login (#2157)
* error can be due to bad user or password

* added login/logout and related private functions

* handle case when userLogin fails, current code returns PHP error for  and API throw is not called

* formatting

* converted login params to POST, removed user=&pass= for other APIs

* formatting

* add auth check back but leave out login/out

* fixes to make it work across zmN, postman and curl

* added back enabled check
2018-07-15 21:17:35 -04:00
Isaac Connor fe5ebe094d More work just using auth.php instead of cake code. Don't reload the User object 2018-07-11 11:45:49 -04:00
Isaac Connor 4f80ca6871 Use userLogin function from auth.php instead of cake code. 2018-07-11 10:33:49 -04:00
Isaac Connor 983e3c45be Fix spacing and quotes 2018-07-11 09:54:25 -04:00
Isaac Connor f10509690b add username and passwordHash to Session so that generateAuthHash works 2018-07-11 09:54:15 -04:00
Isaac Connor 21438d17ac Fix authenticating User 2018-07-10 13:19:51 -04:00
Isaac Connor 930d929427 Merge branch 'storageareas' into api_auth 2018-07-10 12:46:30 -04:00
Isaac Connor e04eac57ae Include values in /etc/zm files in viewByName 2018-06-25 15:43:01 -04:00
Isaac Connor 24ceb75936 Merge branch 'master' into include_fs_config_in_api_config 2018-06-21 21:41:54 -04:00
Isaac Connor cd64619743 Fix controlling daemon when the monitor is Local 2018-06-06 12:56:33 -04:00
Isaac Connor 2a5f05499e Munge the config in the global configvals into the configs array before returning it. 2018-05-10 13:44:46 -04:00
Isaac Connor 62edca6dcb add fileSize to the api, and use it to add remote fileSize reporting in includes/Event 2018-05-08 13:33:56 -07:00
Isaac Connor 1a012c62ff Add fileExists to event view 2018-05-07 14:07:03 -07:00
Pliable Pixels e953a04f61 naming consistency of attribute (#2096) 2018-05-03 14:03:49 -04:00
Pliable Pixels a3158fcc97 auth_key api for different situations (#2090)
* auth_key api for different situations

* added new flag to indicate if password needs to be appended

* pure json view
2018-05-02 12:26:28 -04:00
Isaac Connor c3b6cd4bab include auth.php if auth is on, and return '' for auth_hash is auth is disabled 2018-04-30 11:24:53 -04:00
Isaac Connor 513708b11c don't need to define the config, it will have already been done. Include auth.php instead of functions.php as the code has been moved 2018-04-06 14:42:10 -04:00
Isaac Connor a789fc88aa implement getAuthHash 2018-04-06 14:41:39 -04:00
Isaac Connor 632ab143fe error when can't set session in cake 2018-04-05 14:21:56 -04:00
Isaac Connor a4fee5c91c further merges from cakephp 2.10.8 2018-03-21 13:09:55 -04:00