N°8604 N°8605 - Add authentication to combodo-db-tools binaries (#817)

* N°8604 N°8605 - Add autoloader and dedicated classes for binaries utils

* N°8605 - Harden security

* N°8604 - Harden security

* N°8604 N°8605 - Fixes from code review

* N°8604 N°8605 - Improve robustness whether module is in datamodels/2.x or env-xxx folder

Author: Molkobain

datamodels/2.x/combodo-db-tools/bin/rebuildhk.php

@@ -10,22 +10,87 @@
  */
 
 use Combodo\iTop\Core\MetaModel\HierarchicalKey;
+use Combodo\iTop\DBTools\Enum\BinExitCode;
+use Combodo\iTop\DBTools\Exception\AuthenticationException;
 
-require_once('../../../approot.inc.php');
+// env-xxx folders
+if (file_exists(__DIR__.'/../../../approot.inc.php')) {
+	require_once __DIR__.'/../../../approot.inc.php';
+}
+// datamodel/2.x and data/xxx-modules folders
+elseif (file_exists(__DIR__.'/../../../../approot.inc.php')) {
+	require_once __DIR__.'/../../../../approot.inc.php';
+}
 require_once APPROOT.'application/startup.inc.php';
 
-foreach (MetaModel::GetClasses() as $sClass) {
-	if (!MetaModel::HasTable($sClass)) {
-		continue;
-	}
+// Prepare output page
+$sPageTitle = "Database maintenance tools - Report";
+$bIsModeCLI = utils::IsModeCLI();
+if ($bIsModeCLI) {
+	$oP = new CLIPage($sPageTitle);
+
+	SetupUtils::CheckPhpAndExtensionsForCli($oP, BinExitCode::FATAL->value);
+} else {
+	$oP = new WebPage($sPageTitle);
+}
+
+// Authentication logic
+try {
+	utils::UseParamFile();
 
-	foreach (MetaModel::ListAttributeDefs($sClass) as $sAttCode => $oAttDef) {
-		// Check (once) all the attributes that are hierarchical keys
-		if ((MetaModel::GetAttributeOrigin($sClass, $sAttCode) == $sClass) && $oAttDef->IsHierarchicalKey()) {
-			echo "Rebuild hierarchical key $sAttCode from $sClass.\n";
-			HierarchicalKey::Rebuild($sClass, $sAttCode, $oAttDef);
+	if ($bIsModeCLI) {
+		$sAuthUser = utils::ReadParam('auth_user', null, true, utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
+		$sAuthPwd = utils::ReadParam('auth_pwd', null, true, utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
+		if (utils::IsNullOrEmptyString($sAuthUser) || utils::IsNullOrEmptyString($sAuthPwd)) {
+			throw new AuthenticationException("Access credentials not provided, usage: php rebuildhk.php --auth_user=<login> --auth_pwd=<password> [--param_file=<file_path>]");
 		}
+		if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd)) {
+			UserRights::Login($sAuthUser);
+		} else {
+			throw new AuthenticationException("Access wrong credentials ('$sAuthUser')");
+		}
+	} else {
+		// Check user rights and prompt if needed
+		LoginWebPage::DoLoginEx(null, true);
 	}
+
+	if (!UserRights::IsAdministrator()) {
+		throw new AuthenticationException("Access restricted to administrators");
+	}
+} catch (AuthenticationException $oException) {
+	$oP->p($oException->getMessage());
+	$oP->output();
+	exit(BinExitCode::ERROR->value);
+} catch (Exception $oException) {
+	$oP->p("Error: ".$oException->GetMessage());
+	$oP->output();
+	exit(BinExitCode::FATAL->value);
 }
 
-echo "Done\n";
+// Business logic
+try {
+	foreach (MetaModel::GetClasses() as $sClass) {
+		if (!MetaModel::HasTable($sClass)) {
+			continue;
+		}
+
+		foreach (MetaModel::ListAttributeDefs($sClass) as $sAttCode => $oAttDef) {
+			// Check (once) all the attributes that are hierarchical keys
+			if ((MetaModel::GetAttributeOrigin($sClass, $sAttCode) == $sClass) && $oAttDef->IsHierarchicalKey()) {
+				$oP->p("Rebuild hierarchical key $sAttCode from $sClass.");
+				HierarchicalKey::Rebuild($sClass, $sAttCode, $oAttDef);
+			}
+		}
+	}
+
+	$oP->p("Done");
+	$oP->output();
+} catch (AuthenticationException $oException) {
+	$oP->p($oException->getMessage());
+	$oP->output();
+	exit(BinExitCode::ERROR->value);
+} catch (Exception $oException) {
+	$oP->p("Error: ".$oException->GetMessage());
+	$oP->output();
+	exit(BinExitCode::FATAL->value);
+}

datamodels/2.x/combodo-db-tools/bin/report.php

@@ -5,22 +5,93 @@
  * @license     http://opensource.org/licenses/AGPL-3.0
  */
 
+use Combodo\iTop\DBTools\Enum\BinExitCode;
+use Combodo\iTop\DBTools\Exception\AuthenticationException;
 use Combodo\iTop\DBTools\Service\DBAnalyzerUtils;
 
-require_once('../../../approot.inc.php');
-require_once(APPROOT.'application/startup.inc.php');
+// env-xxx folders
+if (file_exists(__DIR__.'/../../../approot.inc.php')) {
+	require_once __DIR__.'/../../../approot.inc.php';
+}
+// datamodel/2.x and data/xxx-modules folders
+elseif (file_exists(__DIR__.'/../../../../approot.inc.php')) {
+	require_once __DIR__.'/../../../../approot.inc.php';
+}
+
+require_once APPROOT.'application/startup.inc.php';
+require_once APPROOT.'application/loginwebpage.class.inc.php';
+
+require_once __DIR__.'/../db_analyzer.class.inc.php';
+
+// Prepare output page
+$sPageTitle = "Database maintenance tools - Report";
+$bIsModeCLI = utils::IsModeCLI();
+if ($bIsModeCLI) {
+	$oP = new CLIPage($sPageTitle);
 
-require_once('../db_analyzer.class.inc.php');
-require_once('../src/Service/DBAnalyzerUtils.php');
+	SetupUtils::CheckPhpAndExtensionsForCli($oP, BinExitCode::FATAL->value);
+} else {
+	$oP = new WebPage($sPageTitle);
+}
+
+// Authentication logic
+try {
+	utils::UseParamFile();
 
-$oDBAnalyzer = new DatabaseAnalyzer(0);
-$aResults = $oDBAnalyzer->CheckIntegrity([]);
+	if ($bIsModeCLI) {
+		$sAuthUser = utils::ReadParam('auth_user', null, true, utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
+		$sAuthPwd = utils::ReadParam('auth_pwd', null, true, utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
+		if (utils::IsNullOrEmptyString($sAuthUser) || utils::IsNullOrEmptyString($sAuthPwd)) {
+			throw new AuthenticationException("Access credentials not provided, usage: php report.php --auth_user=<login> --auth_pwd=<password> [--param_file=<file_path>]");
+		}
+		if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd)) {
+			UserRights::Login($sAuthUser);
+		} else {
+			throw new AuthenticationException("Access wrong credentials ('$sAuthUser')");
+		}
+	} else {
+		// Check user rights and prompt if needed
+		LoginWebPage::DoLoginEx(null, true);
+	}
 
-if (empty($aResults)) {
-	echo "Database OK\n";
-	exit(0);
+	if (!UserRights::IsAdministrator()) {
+		throw new AuthenticationException("Access restricted to administrators");
+	}
+} catch (AuthenticationException $oException) {
+	$sExceptionMessage = $oP instanceof WebPage ? utils::EscapeHtml($oException->getMessage()) : $oException->getMessage();
+	$oP->p($sExceptionMessage);
+	$oP->output();
+	exit(BinExitCode::ERROR->value);
+} catch (Exception $oException) {
+	$sExceptionMessage = $oP instanceof WebPage ? utils::EscapeHtml($oException->getMessage()) : $oException->getMessage();
+	$oP->p("Error: ".$sExceptionMessage);
+	$oP->output();
+	exit(BinExitCode::FATAL->value);
 }
 
-$sReportFile = DBAnalyzerUtils::GenerateReport($aResults);
+// Business logic
+try {
+	$oDBAnalyzer = new DatabaseAnalyzer(0);
+	$aResults = $oDBAnalyzer->CheckIntegrity([]);
+
+	if (empty($aResults)) {
+		$oP->p("Database OK");
+		$oP->output();
+		exit(BinExitCode::SUCCESS->value);
+	}
 
-echo "Report generated: {$sReportFile}.log\n";
+	$sReportFile = DBAnalyzerUtils::GenerateReport($aResults);
+
+	$oP->p("Report generated: {$sReportFile}.log");
+	$oP->output();
+} catch (AuthenticationException $oException) {
+	$sExceptionMessage = $oP instanceof WebPage ? utils::EscapeHtml($oException->getMessage()) : $oException->getMessage();
+	$oP->p($sExceptionMessage);
+	$oP->output();
+	exit(BinExitCode::ERROR->value);
+} catch (Exception $oException) {
+	$sExceptionMessage = $oP instanceof WebPage ? utils::EscapeHtml($oException->getMessage()) : $oException->getMessage();
+	$oP->p("Error: ".$sExceptionMessage);
+	$oP->output();
+	exit(BinExitCode::FATAL->value);
+}

datamodels/2.x/combodo-db-tools/composer.json

@@ -0,0 +1,9 @@
+{
+  "name": "combodo/combodo-db-tools",
+  "license": "AGPL-3.0-only",
+  "autoload": {
+    "psr-4": {
+      "Combodo\\iTop\\DBTools\\": "src/"
+    }
+  }
+}

datamodels/2.x/combodo-db-tools/composer.lock

@@ -43,6 +43,7 @@
 		// Components
 		//
 		'datamodel' => [
+			'vendor/autoload.php',
 			'src/Service/DBToolsUtils.php',
 			'src/Service/DBAnalyzerUtils.php',
 		],

datamodels/2.x/combodo-db-tools/module.combodo-db-tools.php

@@ -0,0 +1,18 @@
+<?php
+
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DBTools\Enum;
+
+/**
+ * Enum for the exit codes of the bin scripts
+ */
+enum BinExitCode: int
+{
+	case SUCCESS = 0;
+	case ERROR = -1;
+	case FATAL = -2;
+}

datamodels/2.x/combodo-db-tools/src/Enum/BinExitCode.php

@@ -0,0 +1,12 @@
+<?php
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DBTools\Exception;
+
+class AuthenticationException extends \Exception
+{
+
+}

datamodels/2.x/combodo-db-tools/src/Exception/AuthenticationException.php

@@ -0,0 +1,22 @@
+<?php
+
+// autoload.php @generated by Composer
+
+if (PHP_VERSION_ID < 50600) {
+    if (!headers_sent()) {
+        header('HTTP/1.1 500 Internal Server Error');
+    }
+    $err = 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL;
+    if (!ini_get('display_errors')) {
+        if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') {
+            fwrite(STDERR, $err);
+        } elseif (!headers_sent()) {
+            echo $err;
+        }
+    }
+    throw new RuntimeException($err);
+}
+
+require_once __DIR__ . '/composer/autoload_real.php';
+
+return ComposerAutoloaderInit38292b9b3a56c6c8776285a17c58034e::getLoader();