1 /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
2
3 #include "remote/filterutility.hpp"
4 #include "remote/httputility.hpp"
5 #include "config/configcompiler.hpp"
6 #include "config/expression.hpp"
7 #include "base/namespace.hpp"
8 #include "base/json.hpp"
9 #include "base/configtype.hpp"
10 #include "base/logger.hpp"
11 #include "base/utility.hpp"
12 #include <boost/algorithm/string/case_conv.hpp>
13
14 using namespace icinga;
15
TypeFromPluralName(const String & pluralName)16 Type::Ptr FilterUtility::TypeFromPluralName(const String& pluralName)
17 {
18 String uname = pluralName;
19 boost::algorithm::to_lower(uname);
20
21 for (const Type::Ptr& type : Type::GetAllTypes()) {
22 String pname = type->GetPluralName();
23 boost::algorithm::to_lower(pname);
24
25 if (uname == pname)
26 return type;
27 }
28
29 return nullptr;
30 }
31
FindTargets(const String & type,const std::function<void (const Value &)> & addTarget) const32 void ConfigObjectTargetProvider::FindTargets(const String& type, const std::function<void (const Value&)>& addTarget) const
33 {
34 Type::Ptr ptype = Type::GetByName(type);
35 auto *ctype = dynamic_cast<ConfigType *>(ptype.get());
36
37 if (ctype) {
38 for (const ConfigObject::Ptr& object : ctype->GetObjects()) {
39 addTarget(object);
40 }
41 }
42 }
43
GetTargetByName(const String & type,const String & name) const44 Value ConfigObjectTargetProvider::GetTargetByName(const String& type, const String& name) const
45 {
46 ConfigObject::Ptr obj = ConfigObject::GetObject(type, name);
47
48 if (!obj)
49 BOOST_THROW_EXCEPTION(std::invalid_argument("Object does not exist."));
50
51 return obj;
52 }
53
IsValidType(const String & type) const54 bool ConfigObjectTargetProvider::IsValidType(const String& type) const
55 {
56 Type::Ptr ptype = Type::GetByName(type);
57
58 if (!ptype)
59 return false;
60
61 return ConfigObject::TypeInstance->IsAssignableFrom(ptype);
62 }
63
GetPluralName(const String & type) const64 String ConfigObjectTargetProvider::GetPluralName(const String& type) const
65 {
66 return Type::GetByName(type)->GetPluralName();
67 }
68
EvaluateFilter(ScriptFrame & frame,Expression * filter,const Object::Ptr & target,const String & variableName)69 bool FilterUtility::EvaluateFilter(ScriptFrame& frame, Expression *filter,
70 const Object::Ptr& target, const String& variableName)
71 {
72 if (!filter)
73 return true;
74
75 Type::Ptr type = target->GetReflectionType();
76 String varName;
77
78 if (variableName.IsEmpty())
79 varName = type->GetName().ToLower();
80 else
81 varName = variableName;
82
83 Namespace::Ptr frameNS;
84
85 if (frame.Self.IsEmpty()) {
86 frameNS = new Namespace();
87 frame.Self = frameNS;
88 } else {
89 /* Enforce a namespace object for 'frame.self'. */
90 ASSERT(frame.Self.IsObjectType<Namespace>());
91
92 frameNS = frame.Self;
93
94 ASSERT(frameNS != ScriptGlobal::GetGlobals());
95 }
96
97 frameNS->Set("obj", target);
98 frameNS->Set(varName, target);
99
100 for (int fid = 0; fid < type->GetFieldCount(); fid++) {
101 Field field = type->GetFieldInfo(fid);
102
103 if ((field.Attributes & FANavigation) == 0)
104 continue;
105
106 Object::Ptr joinedObj = target->NavigateField(fid);
107
108 if (field.NavigationName)
109 frameNS->Set(field.NavigationName, joinedObj);
110 else
111 frameNS->Set(field.Name, joinedObj);
112 }
113
114 return Convert::ToBool(filter->Evaluate(frame));
115 }
116
FilteredAddTarget(ScriptFrame & permissionFrame,Expression * permissionFilter,ScriptFrame & frame,Expression * ufilter,std::vector<Value> & result,const String & variableName,const Object::Ptr & target)117 static void FilteredAddTarget(ScriptFrame& permissionFrame, Expression *permissionFilter,
118 ScriptFrame& frame, Expression *ufilter, std::vector<Value>& result, const String& variableName, const Object::Ptr& target)
119 {
120 if (FilterUtility::EvaluateFilter(permissionFrame, permissionFilter, target, variableName)) {
121 if (FilterUtility::EvaluateFilter(frame, ufilter, target, variableName)) {
122 result.emplace_back(std::move(target));
123 }
124 }
125 }
126
CheckPermission(const ApiUser::Ptr & user,const String & permission,Expression ** permissionFilter)127 void FilterUtility::CheckPermission(const ApiUser::Ptr& user, const String& permission, Expression **permissionFilter)
128 {
129 if (permissionFilter)
130 *permissionFilter = nullptr;
131
132 if (permission.IsEmpty())
133 return;
134
135 bool foundPermission = false;
136 String requiredPermission = permission.ToLower();
137
138 Array::Ptr permissions = user->GetPermissions();
139 if (permissions) {
140 ObjectLock olock(permissions);
141 for (const Value& item : permissions) {
142 String permission;
143 Function::Ptr filter;
144 if (item.IsObjectType<Dictionary>()) {
145 Dictionary::Ptr dict = item;
146 permission = dict->Get("permission");
147 filter = dict->Get("filter");
148 } else
149 permission = item;
150
151 permission = permission.ToLower();
152
153 if (!Utility::Match(permission, requiredPermission))
154 continue;
155
156 foundPermission = true;
157
158 if (filter && permissionFilter) {
159 std::vector<std::unique_ptr<Expression> > args;
160 args.emplace_back(new GetScopeExpression(ScopeThis));
161 std::unique_ptr<Expression> indexer{new IndexerExpression(std::unique_ptr<Expression>(MakeLiteral(filter)), std::unique_ptr<Expression>(MakeLiteral("call")))};
162 FunctionCallExpression *fexpr = new FunctionCallExpression(std::move(indexer), std::move(args));
163
164 if (!*permissionFilter)
165 *permissionFilter = fexpr;
166 else
167 *permissionFilter = new LogicalOrExpression(std::unique_ptr<Expression>(*permissionFilter), std::unique_ptr<Expression>(fexpr));
168 }
169 }
170 }
171
172 if (!foundPermission) {
173 Log(LogWarning, "FilterUtility")
174 << "Missing permission: " << requiredPermission;
175
176 BOOST_THROW_EXCEPTION(ScriptError("Missing permission: " + requiredPermission));
177 }
178 }
179
GetFilterTargets(const QueryDescription & qd,const Dictionary::Ptr & query,const ApiUser::Ptr & user,const String & variableName)180 std::vector<Value> FilterUtility::GetFilterTargets(const QueryDescription& qd, const Dictionary::Ptr& query, const ApiUser::Ptr& user, const String& variableName)
181 {
182 std::vector<Value> result;
183
184 TargetProvider::Ptr provider;
185
186 if (qd.Provider)
187 provider = qd.Provider;
188 else
189 provider = new ConfigObjectTargetProvider();
190
191 Expression *permissionFilter;
192 CheckPermission(user, qd.Permission, &permissionFilter);
193
194 Namespace::Ptr permissionFrameNS = new Namespace();
195 ScriptFrame permissionFrame(false, permissionFrameNS);
196
197 for (const String& type : qd.Types) {
198 String attr = type;
199 boost::algorithm::to_lower(attr);
200
201 if (attr == "type")
202 attr = "name";
203
204 if (query && query->Contains(attr)) {
205 String name = HttpUtility::GetLastParameter(query, attr);
206 Object::Ptr target = provider->GetTargetByName(type, name);
207
208 if (!FilterUtility::EvaluateFilter(permissionFrame, permissionFilter, target, variableName))
209 BOOST_THROW_EXCEPTION(ScriptError("Access denied to object '" + name + "' of type '" + type + "'"));
210
211 result.emplace_back(std::move(target));
212 }
213
214 attr = provider->GetPluralName(type);
215 boost::algorithm::to_lower(attr);
216
217 if (query && query->Contains(attr)) {
218 Array::Ptr names = query->Get(attr);
219 if (names) {
220 ObjectLock olock(names);
221 for (const String& name : names) {
222 Object::Ptr target = provider->GetTargetByName(type, name);
223
224 if (!FilterUtility::EvaluateFilter(permissionFrame, permissionFilter, target, variableName))
225 BOOST_THROW_EXCEPTION(ScriptError("Access denied to object '" + name + "' of type '" + type + "'"));
226
227 result.emplace_back(std::move(target));
228 }
229 }
230 }
231 }
232
233 if ((query && query->Contains("filter")) || result.empty()) {
234 if (!query->Contains("type"))
235 BOOST_THROW_EXCEPTION(std::invalid_argument("Type must be specified when using a filter."));
236
237 String type = HttpUtility::GetLastParameter(query, "type");
238
239 if (!provider->IsValidType(type))
240 BOOST_THROW_EXCEPTION(std::invalid_argument("Invalid type specified."));
241
242 if (qd.Types.find(type) == qd.Types.end())
243 BOOST_THROW_EXCEPTION(std::invalid_argument("Invalid type specified for this query."));
244
245 Namespace::Ptr frameNS = new Namespace();
246 ScriptFrame frame(false, frameNS);
247 frame.Sandboxed = true;
248
249 if (query->Contains("filter")) {
250 String filter = HttpUtility::GetLastParameter(query, "filter");
251 std::unique_ptr<Expression> ufilter = ConfigCompiler::CompileText("<API query>", filter);
252
253 Dictionary::Ptr filter_vars = query->Get("filter_vars");
254 if (filter_vars) {
255 ObjectLock olock(filter_vars);
256 for (const Dictionary::Pair& kv : filter_vars) {
257 frameNS->Set(kv.first, kv.second);
258 }
259 }
260
261 provider->FindTargets(type, [&permissionFrame, permissionFilter, &frame, &ufilter, &result, variableName](const Object::Ptr& target) {
262 FilteredAddTarget(permissionFrame, permissionFilter, frame, &*ufilter, result, variableName, target);
263 });
264 } else {
265 /* Ensure to pass a nullptr as filter expression.
266 * GCC 8.1.1 on F28 causes problems, see GH #6533.
267 */
268 provider->FindTargets(type, [&permissionFrame, permissionFilter, &frame, &result, variableName](const Object::Ptr& target) {
269 FilteredAddTarget(permissionFrame, permissionFilter, frame, nullptr, result, variableName, target);
270 });
271 }
272 }
273
274 return result;
275 }
276
277