Merge pull request snipe#1 in SNIPE/snipeit_temp from source-master t…

…o master

* commit 'c68c0e1208d12e4bd03d0d9ae328c1f81a6cfff2':
  Account for limit if none is passed in the request
  Math is hard
  Bumped version
  Limit API request results per page (snipe#7405)
  Added console rekey tool (snipe#7330)
  Removed withErrors on JSON response
  Smaller chunking for custom report, add max_execution_time
  Fixed snipe#7259 - upgraded phpdocumentor/reflection-docblock to v4
  Fixed  snipe#7289 - git fetch before checkout in upgrade.php
  Fixed snipe#7321 - added link to Helm Chart repo
  Fixes to history importer
  History importer fixes
  Group related variables in .env

.env.example

@@ -7,6 +7,7 @@ APP_KEY=ChangeMe
 APP_URL=null
 APP_TIMEZONE='UTC'
 APP_LOCALE=en
+MAX_RESULTS=500
 
 # --------------------------------------------
 # REQUIRED: DATABASE SETTINGS
@@ -64,6 +65,8 @@ SECURE_COOKIES=false
 # --------------------------------------------
 # OPTIONAL: SECURITY HEADER SETTINGS
 # --------------------------------------------
+APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
+ALLOW_IFRAMING=false
 REFERRER_POLICY=same-origin
 ENABLE_CSP=false
 CORS_ALLOWED_ORIGINS=null
@@ -110,8 +113,6 @@ APP_LOG=single
 APP_LOG_MAX_FILES=10
 APP_LOCKED=false
 FILESYSTEM_DISK=local
-APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
-ALLOW_IFRAMING=false
 APP_CIPHER=AES-256-CBC
 GOOGLE_MAPS_API=
 BACKUP_ENV=true

README.md

@@ -62,6 +62,7 @@ Since the release of the JSON REST API, several third-party developers have been
 - [Marksman](https://github.com/Scope-IT/marksman) - A Windows agent for Snipe-IT
 - [Snipe-IT plugin for Jira Service Desk (beta)](https://marketplace.atlassian.com/apps/1220379/snipe-it-for-jira-service-desk-beta?hosting=cloud&tab=overview) - for the upcoming Snipe-IT v5 only
 - [Python 3 CSV importer](https://github.com/gastamper/snipeit-csvimporter) - allows importing assets into Snipe-IT based on Item Name rather than Asset Tag.
+- [Snipe-IT Kubernetes Helm Chart](https://github.com/t3n/helm-charts/tree/master/snipeit) - For more information, [click here](https://hub.helm.sh/charts/t3n/snipeit).
 
 As these were created by third-parties, Snipe-IT cannot provide support for these project, and you should contact the developers directly if you need assistance. Additionally, Snipe-IT makes no guarantees as to the reliability, accuracy or maintainability of these libraries. Use at your own risk. :) 
 

app/Console/Commands/RotateAppKey.php

@@ -0,0 +1,135 @@
+<?php
+
+namespace App\Console\Commands;
+
+use Illuminate\Console\Command;
+use Artisan;
+use App\Models\CustomField;
+use App\Models\Asset;
+use App\Models\Setting;
+use \Illuminate\Encryption\Encrypter;
+
+class RotateAppKey extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'snipeit:rotate-key';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Command description';
+
+    /**
+     * Create a new command instance.
+     *
+     * @return void
+     */
+    public function __construct()
+    {
+        parent::__construct();
+    }
+
+    /**
+     * Execute the console command.
+     *
+     * @return mixed
+     */
+    public function handle()
+    {
+        if ($this->confirm("\n****************************************************\nTHIS WILL MODIFY YOUR APP_KEY AND DE-CRYPT YOUR ENCRYPTED CUSTOM FIELDS AND \nRE-ENCRYPT THEM WITH A NEWLY GENERATED KEY. \n\nThere is NO undo. \n\nMake SURE you have a database backup and a backup of your .env generated BEFORE running this command. \n\nIf you do not save the newly generated APP_KEY to your .env in this process, \nyour encrypted data will no longer be decryptable. \n\nAre you SURE you wish to continue, and have confirmed you have a database backup and an .env backup? "))  {
+
+
+
+            // Get the existing app_key and ciphers
+            // We put them in a variable since we clear the cache partway through here.
+            $old_app_key = config('app.key');
+            $cipher = config('app.cipher');
+
+            // Generate a new one
+            Artisan::call('key:generate', ['--show' => true]);
+            $new_app_key = Artisan::output();
+
+            // Clear the config cache
+            Artisan::call('config:clear');
+
+            $this->warn('Your app cipher is: '.$cipher);
+            $this->warn('Your old APP_KEY is: '.$old_app_key);
+            $this->warn('Your new APP_KEY is: '.$new_app_key);
+
+            // Write the new app key to the .env file
+            $this->writeNewEnvironmentFileWith($new_app_key);
+
+            // Manually create an old encrypter instance using the old app key
+            // and also create a new encrypter instance so we can re-crypt the field
+            // using the newly generated app key
+            $oldEncrypter = new Encrypter(base64_decode(substr($old_app_key, 7)), $cipher);
+            $newEncrypter = new Encrypter(base64_decode(substr($new_app_key, 7)), $cipher);
+
+            $fields = CustomField::where('field_encrypted', '1')->get();
+
+
+            foreach ($fields as $field) {
+
+                $assets = Asset::whereNotNull($field->db_column)->get();
+
+                foreach ($assets as $asset) {
+
+                    $asset->{$field->db_column} = $oldEncrypter->decrypt($asset->{$field->db_column});
+                    $this->line('DECRYPTED: '. $field->db_column);
+                    $asset->{$field->db_column} = $newEncrypter->encrypt($asset->{$field->db_column});
+                    $this->line('ENCRYPTED: '.$field->db_column);
+                    $asset->save();
+
+                }
+
+            }
+
+            // Handle the LDAP password if one is provided
+            $setting = Setting::first();
+            if ($setting->ldap_pword!='') {
+                $setting->ldap_pword =  $oldEncrypter->decrypt($setting->ldap_pword);
+                $setting->ldap_pword =  $newEncrypter->encrypt($setting->ldap_pword);
+                $setting->save();
+                $this->warn('LDAP password has been re-encrypted.');
+            }
+
+
+        } else {
+            $this->info('This operation has been canceled. No changes have been made.');
+        }
+    }
+
+    /**
+     * Write a new environment file with the given key.
+     *
+     * @param  string  $key
+     * @return void
+     */
+    protected function writeNewEnvironmentFileWith($key)
+    {
+
+        file_put_contents($this->laravel->environmentFilePath(), preg_replace(
+            $this->keyReplacementPattern(),
+            'APP_KEY='.$key,
+            file_get_contents($this->laravel->environmentFilePath())
+        ));
+    }
+
+    /**
+     * Get a regex pattern that will match env APP_KEY with any random key.
+     *
+     * @return string
+     */
+    protected function keyReplacementPattern()
+    {
+        $escaped = preg_quote('='.$this->laravel['config']['app.key'], '/');
+        return "/^APP_KEY{$escaped}/m";
+    }
+
+}

app/Console/Kernel.php

@@ -3,40 +3,13 @@
 namespace App\Console;
 
 use App\Console\Commands\ImportLocations;
+use App\Console\Commands\ReEncodeCustomFieldNames;
 use App\Console\Commands\RestoreDeletedUsers;
 use Illuminate\Console\Scheduling\Schedule;
 use Illuminate\Foundation\Console\Kernel as ConsoleKernel;
 
 class Kernel extends ConsoleKernel
 {
-    /**
-     * The Artisan commands provided by your application.
-     *
-     * @var array
-     */
-    protected $commands = [
-        Commands\PaveIt::class,
-        Commands\CreateAdmin::class,
-        Commands\SendExpirationAlerts::class,
-        Commands\SendInventoryAlerts::class,
-        Commands\SendExpectedCheckinAlerts::class,
-        Commands\ObjectImportCommand::class,
-        Commands\Version::class,
-        Commands\SystemBackup::class,
-        Commands\DisableLDAP::class,
-        Commands\Purge::class,
-        Commands\LdapSync::class,
-        Commands\FixDoubleEscape::class,
-        Commands\RecryptFromMcrypt::class,
-        Commands\ResetDemoSettings::class,
-        Commands\SyncAssetLocations::class,
-        Commands\RegenerateAssetTags::class,
-        Commands\SyncAssetCounters::class,
-        Commands\RestoreDeletedUsers::class,
-        Commands\SendUpcomingAuditReport::class,
-        Commands\ImportLocations::class,
-        Commands\ReEncodeCustomFieldNames::class,
-    ];
 
     /**
      * Define the application's command schedule.

app/Http/Controllers/Api/AccessoriesController.php

@@ -50,7 +50,11 @@ public function index(Request $request)
         }
 
         $offset = (($accessories) && (request('offset') > $accessories->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';
 

app/Http/Controllers/Api/AssetMaintenancesController.php

@@ -45,7 +45,10 @@ public function index(Request $request)
         }
 
         $offset = (($maintenances) && (request('offset') > $maintenances->count())) ? 0 : request('offset', 0);
-        $limit = request('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
 
         $allowed_columns = [
                                 'id',

app/Http/Controllers/Api/AssetModelsController.php

@@ -61,7 +61,10 @@ public function index(Request $request)
         }
 
         $offset = (($assetmodels) && (request('offset') > $assetmodels->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'models.created_at';
 

app/Http/Controllers/Api/AssetsController.php

@@ -145,7 +145,10 @@ public function index(Request $request, $audit = null)
         $request->filled('order_number') ? $assets = $assets->where('assets.order_number', '=', e($request->get('order_number'))) : '';
 
         $offset = (($assets) && (request('offset') > $assets->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
 
         // This is used by the audit reporting routes
@@ -645,7 +648,7 @@ public function checkout(AssetCheckoutRequest $request, $asset_id)
             return response()->json(Helper::formatStandardApiResponse('success', ['asset'=> e($asset->asset_tag)], trans('admin/hardware/message.checkout.success')));
         }
 
-        return response()->json(Helper::formatStandardApiResponse('error', ['asset'=> e($asset->asset_tag)], trans('admin/hardware/message.checkout.error')))->withErrors($asset->getErrors());
+        return response()->json(Helper::formatStandardApiResponse('error', ['asset'=> e($asset->asset_tag)], trans('admin/hardware/message.checkout.error')));
     }
 
 

app/Http/Controllers/Api/CategoriesController.php

@@ -31,7 +31,10 @@ public function index(Request $request)
         }
 
         $offset = (($categories) && (request('offset') > $categories->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'assets_count';
         $categories->orderBy($sort, $order);

app/Http/Controllers/Api/CompaniesController.php

@@ -42,7 +42,10 @@ public function index(Request $request)
         }
 
         $offset = (($companies) && (request('offset') > $companies->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';
         $companies->orderBy($sort, $order);

app/Http/Controllers/Api/ComponentsController.php

@@ -44,7 +44,9 @@ public function index(Request $request)
         }
 
         $offset = (($components) && (request('offset') > $components->count())) ? 0 : request('offset', 0);
-        $limit = request('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
 
         $allowed_columns = ['id','name','min_amt','order_number','serial','purchase_date','purchase_cost','company','category','qty','location','image'];
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';

app/Http/Controllers/Api/ConsumablesController.php

@@ -45,7 +45,10 @@ public function index(Request $request)
 
 
         $offset = (($consumables) && (request('offset') > $consumables->count())) ? 0 : request('offset', 0);
-        $limit = request('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $allowed_columns = ['id','name','order_number','min_amt','purchase_date','purchase_cost','company','category','model_number', 'item_no', 'manufacturer','location','qty','image'];
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';

app/Http/Controllers/Api/DepartmentsController.php

@@ -40,7 +40,10 @@ public function index(Request $request)
         }
 
         $offset = (($departments) && (request('offset') > $departments->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';
 

app/Http/Controllers/Api/DepreciationsController.php

@@ -29,7 +29,10 @@ public function index(Request $request)
         }
 
         $offset = (($depreciations) && (request('offset') > $depreciations->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';
         $depreciations->orderBy($sort, $order);

app/Http/Controllers/Api/GroupsController.php

@@ -29,7 +29,10 @@ public function index(Request $request)
         }
 
         $offset = (($groups) && (request('offset') > $groups->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';
         $groups->orderBy($sort, $order);

app/Http/Controllers/Api/LicensesController.php

@@ -83,7 +83,10 @@ public function index(Request $request)
 
 
         $offset = (($licenses) && (request('offset') > $licenses->count())) ? 0 : request('offset', 0);
-        $limit = request('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
 
 

app/Http/Controllers/Api/LocationsController.php

@@ -52,7 +52,10 @@ public function index(Request $request)
 
 
         $offset = (($locations) && (request('offset') > $locations->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';
 

app/Http/Controllers/Api/ManufacturersController.php

@@ -40,7 +40,10 @@ public function index(Request $request)
 
 
         $offset = (($manufacturers) && (request('offset') > $manufacturers->count())) ? 0 : request('offset', 0);
-        $limit = $request->input('limit', 50);
+
+        // Check to make sure the limit is not higher than the max allowed
+        ((config('app.max_results') >= $request->input('limit')) && ($request->filled('limit'))) ? $limit = $request->input('limit') : $limit = config('app.max_results');
+
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';
         $manufacturers->orderBy($sort, $order);