253 lines
6.8 KiB
PHP
253 lines
6.8 KiB
PHP
<?php
|
|
/**
|
|
* Configuration file for Ziti Router Enrollment UI
|
|
*/
|
|
|
|
// Start session if not already started
|
|
if (session_status() === PHP_SESSION_NONE) {
|
|
session_start();
|
|
}
|
|
|
|
// Application configuration
|
|
define('APP_NAME', 'ZitiNexus Router Enrollment');
|
|
define('APP_VERSION', '1.0.0');
|
|
|
|
// Default API configuration
|
|
define('DEFAULT_API_ENDPOINT', 'https://backend.zitinexus.com');
|
|
|
|
// File paths (matching the bash script)
|
|
define('CONFIG_DIR', '/etc/zitirouter');
|
|
define('CERTS_DIR', CONFIG_DIR . '/certs');
|
|
define('ROUTER_CONFIG', CONFIG_DIR . '/router.yaml');
|
|
define('JWT_FILE', CONFIG_DIR . '/enrollment.jwt');
|
|
define('LOG_FILE', '/var/log/ziti-router-enrollment.log');
|
|
define('SYSTEMD_SERVICE_FILE', '/etc/systemd/system/ziti-router.service');
|
|
|
|
// UI specific paths
|
|
define('UI_LOG_DIR', __DIR__ . '/../logs');
|
|
define('UI_TEMP_DIR', __DIR__ . '/../temp');
|
|
|
|
// Authentication
|
|
define('ADMIN_USERNAME', 'admin');
|
|
define('ADMIN_PASSWORD_HASH', password_hash('admin123', PASSWORD_DEFAULT)); // Change this in production
|
|
|
|
// Security settings
|
|
define('SESSION_TIMEOUT', 3600); // 1 hour
|
|
define('CSRF_TOKEN_NAME', 'csrf_token');
|
|
|
|
// System commands
|
|
define('SYSTEMCTL_CMD', 'systemctl');
|
|
define('HOSTNAME_CMD', 'hostname');
|
|
define('ZITI_CMD', 'ziti');
|
|
|
|
/**
|
|
* Check if user is authenticated
|
|
*/
|
|
function isAuthenticated() {
|
|
return isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
|
|
}
|
|
|
|
/**
|
|
* Check if session is valid
|
|
*/
|
|
function isSessionValid() {
|
|
if (!isset($_SESSION['last_activity'])) {
|
|
return false;
|
|
}
|
|
|
|
if (time() - $_SESSION['last_activity'] > SESSION_TIMEOUT) {
|
|
session_destroy();
|
|
return false;
|
|
}
|
|
|
|
$_SESSION['last_activity'] = time();
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Generate CSRF token
|
|
*/
|
|
function generateCSRFToken() {
|
|
if (!isset($_SESSION[CSRF_TOKEN_NAME])) {
|
|
$_SESSION[CSRF_TOKEN_NAME] = bin2hex(random_bytes(32));
|
|
}
|
|
return $_SESSION[CSRF_TOKEN_NAME];
|
|
}
|
|
|
|
/**
|
|
* Verify CSRF token
|
|
*/
|
|
function verifyCSRFToken($token) {
|
|
return isset($_SESSION[CSRF_TOKEN_NAME]) && hash_equals($_SESSION[CSRF_TOKEN_NAME], $token);
|
|
}
|
|
|
|
/**
|
|
* Sanitize input
|
|
*/
|
|
function sanitizeInput($input) {
|
|
return htmlspecialchars(trim($input), ENT_QUOTES, 'UTF-8');
|
|
}
|
|
|
|
/**
|
|
* Log message to file
|
|
*/
|
|
function logMessage($level, $message) {
|
|
$timestamp = date('Y-m-d H:i:s');
|
|
$logEntry = "[$timestamp] [$level] $message" . PHP_EOL;
|
|
|
|
// Try to write to system log first
|
|
if (is_writable(dirname(LOG_FILE))) {
|
|
file_put_contents(LOG_FILE, $logEntry, FILE_APPEND | LOCK_EX);
|
|
}
|
|
|
|
// Also write to UI log
|
|
$uiLogFile = UI_LOG_DIR . '/ui-enrollment.log';
|
|
if (!is_dir(UI_LOG_DIR)) {
|
|
mkdir(UI_LOG_DIR, 0755, true);
|
|
}
|
|
file_put_contents($uiLogFile, $logEntry, FILE_APPEND | LOCK_EX);
|
|
}
|
|
|
|
/**
|
|
* Check if running as root/admin or has sudo privileges
|
|
*/
|
|
function isRunningAsRoot() {
|
|
// If actually running as root
|
|
if (posix_getuid() === 0) {
|
|
return true;
|
|
}
|
|
|
|
// Test if we have sudo privileges by trying a simple sudo command
|
|
$output = '';
|
|
$returnCode = 0;
|
|
$testCommand = 'sudo -n whoami 2>/dev/null';
|
|
|
|
$descriptorspec = [
|
|
0 => ['pipe', 'r'],
|
|
1 => ['pipe', 'w'],
|
|
2 => ['pipe', 'w']
|
|
];
|
|
|
|
$process = proc_open($testCommand, $descriptorspec, $pipes);
|
|
|
|
if (is_resource($process)) {
|
|
fclose($pipes[0]);
|
|
$stdout = stream_get_contents($pipes[1]);
|
|
fclose($pipes[1]);
|
|
fclose($pipes[2]);
|
|
$returnCode = proc_close($process);
|
|
|
|
// If sudo command succeeded, we have sudo privileges
|
|
return $returnCode === 0;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Execute system command safely with automatic sudo for privileged operations
|
|
*/
|
|
function executeCommand($command, &$output = null, &$returnCode = null) {
|
|
// Commands that typically need sudo privileges
|
|
$sudoCommands = [
|
|
'apt-get', 'systemctl', 'mkdir', 'chmod', 'chown', 'curl', 'gpg',
|
|
'ziti', 'cp', 'mv', 'rm', 'ln', 'update-alternatives'
|
|
];
|
|
|
|
// Check if command needs sudo and doesn't already have it
|
|
$needsSudo = false;
|
|
$commandParts = explode(' ', trim($command));
|
|
$baseCommand = $commandParts[0];
|
|
|
|
// Skip if already has sudo
|
|
if ($baseCommand !== 'sudo') {
|
|
foreach ($sudoCommands as $sudoCmd) {
|
|
if ($baseCommand === $sudoCmd || strpos($command, $sudoCmd) !== false) {
|
|
$needsSudo = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
// Also check for file operations in system directories
|
|
if (strpos($command, '/etc/') !== false ||
|
|
strpos($command, '/var/') !== false ||
|
|
strpos($command, '/usr/') !== false ||
|
|
strpos($command, '/opt/') !== false) {
|
|
$needsSudo = true;
|
|
}
|
|
}
|
|
|
|
// Add sudo if needed and we're not already root
|
|
if ($needsSudo && posix_getuid() !== 0) {
|
|
$command = 'sudo ' . $command;
|
|
}
|
|
|
|
$descriptorspec = [
|
|
0 => ['pipe', 'r'], // stdin
|
|
1 => ['pipe', 'w'], // stdout
|
|
2 => ['pipe', 'w'] // stderr
|
|
];
|
|
|
|
$process = proc_open($command, $descriptorspec, $pipes);
|
|
|
|
if (is_resource($process)) {
|
|
fclose($pipes[0]);
|
|
|
|
$stdout = stream_get_contents($pipes[1]);
|
|
$stderr = stream_get_contents($pipes[2]);
|
|
|
|
fclose($pipes[1]);
|
|
fclose($pipes[2]);
|
|
|
|
$returnCode = proc_close($process);
|
|
$output = trim($stdout . $stderr);
|
|
|
|
return $returnCode === 0;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Get the correct asset path based on current directory structure
|
|
*/
|
|
function getAssetPath($asset) {
|
|
// Clean the asset path
|
|
$asset = ltrim($asset, '/');
|
|
|
|
// Get the current script's directory and the request URI
|
|
$scriptDir = dirname($_SERVER['SCRIPT_FILENAME']);
|
|
$requestUri = $_SERVER['REQUEST_URI'];
|
|
$scriptName = $_SERVER['SCRIPT_NAME'];
|
|
|
|
// Check if we're accessing files from the public directory
|
|
// but the document root is set to the main UI directory
|
|
if (strpos($scriptName, '/public/') !== false ||
|
|
strpos($requestUri, '/public/') !== false ||
|
|
basename($scriptDir) === 'public') {
|
|
// We're in the public directory context, use relative paths
|
|
return '../assets/' . $asset;
|
|
} else {
|
|
// We're in the main directory context, use direct paths
|
|
return 'assets/' . $asset;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Get base URL for the application
|
|
*/
|
|
function getBaseUrl() {
|
|
$protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
|
|
$host = $_SERVER['HTTP_HOST'];
|
|
$scriptName = $_SERVER['SCRIPT_NAME'];
|
|
|
|
// Remove the script filename to get the base path
|
|
$basePath = dirname($scriptName);
|
|
if ($basePath === '/') {
|
|
$basePath = '';
|
|
}
|
|
|
|
return $protocol . '://' . $host . $basePath;
|
|
}
|
|
?>
|