granicus.if.org Git - icinga2/blob - lib/remote/filterutility.cpp

   1 /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
   2
   3 #include "remote/filterutility.hpp"
   4 #include "remote/httputility.hpp"
   5 #include "config/configcompiler.hpp"
   6 #include "config/expression.hpp"
   7 #include "base/namespace.hpp"
   8 #include "base/json.hpp"
   9 #include "base/configtype.hpp"
  10 #include "base/logger.hpp"
  11 #include "base/utility.hpp"
  12 #include <boost/algorithm/string/case_conv.hpp>
  13
  14 using namespace icinga;
  15
  16 Type::Ptr FilterUtility::TypeFromPluralName(const String& pluralName)
  17 {
  18         String uname = pluralName;
  19         boost::algorithm::to_lower(uname);
  20
  21         for (const Type::Ptr& type : Type::GetAllTypes()) {
  22                 String pname = type->GetPluralName();
  23                 boost::algorithm::to_lower(pname);
  24
  25                 if (uname == pname)
  26                         return type;
  27         }
  28
  29         return nullptr;
  30 }
  31
  32 void ConfigObjectTargetProvider::FindTargets(const String& type, const std::function<void (const Value&)>& addTarget) const
  33 {
  34         Type::Ptr ptype = Type::GetByName(type);
  35         auto *ctype = dynamic_cast<ConfigType *>(ptype.get());
  36
  37         if (ctype) {
  38                 for (const ConfigObject::Ptr& object : ctype->GetObjects()) {
  39                         addTarget(object);
  40                 }
  41         }
  42 }
  43
  44 Value ConfigObjectTargetProvider::GetTargetByName(const String& type, const String& name) const
  45 {
  46         ConfigObject::Ptr obj = ConfigObject::GetObject(type, name);
  47
  48         if (!obj)
  49                 BOOST_THROW_EXCEPTION(std::invalid_argument("Object does not exist."));
  50
  51         return obj;
  52 }
  53
  54 bool ConfigObjectTargetProvider::IsValidType(const String& type) const
  55 {
  56         Type::Ptr ptype = Type::GetByName(type);
  57
  58         if (!ptype)
  59                 return false;
  60
  61         return ConfigObject::TypeInstance->IsAssignableFrom(ptype);
  62 }
  63
  64 String ConfigObjectTargetProvider::GetPluralName(const String& type) const
  65 {
  66         return Type::GetByName(type)->GetPluralName();
  67 }
  68
  69 bool FilterUtility::EvaluateFilter(ScriptFrame& frame, Expression *filter,
  70         const Object::Ptr& target, const String& variableName)
  71 {
  72         if (!filter)
  73                 return true;
  74
  75         Type::Ptr type = target->GetReflectionType();
  76         String varName;
  77
  78         if (variableName.IsEmpty())
  79                 varName = type->GetName().ToLower();
  80         else
  81                 varName = variableName;
  82
  83         Namespace::Ptr frameNS;
  84
  85         if (frame.Self.IsEmpty()) {
  86                 frameNS = new Namespace();
  87                 frame.Self = frameNS;
  88         } else {
  89                 /* Enforce a namespace object for 'frame.self'. */
  90                 ASSERT(frame.Self.IsObjectType<Namespace>());
  91
  92                 frameNS = frame.Self;
  93
  94                 ASSERT(frameNS != ScriptGlobal::GetGlobals());
  95         }
  96
  97         frameNS->Set("obj", target);
  98         frameNS->Set(varName, target);
  99
 100         for (int fid = 0; fid < type->GetFieldCount(); fid++) {
 101                 Field field = type->GetFieldInfo(fid);
 102
 103                 if ((field.Attributes & FANavigation) == 0)
 104                         continue;
 105
 106                 Object::Ptr joinedObj = target->NavigateField(fid);
 107
 108                 if (field.NavigationName)
 109                         frameNS->Set(field.NavigationName, joinedObj);
 110                 else
 111                         frameNS->Set(field.Name, joinedObj);
 112         }
 113
 114         return Convert::ToBool(filter->Evaluate(frame));
 115 }
 116
 117 static void FilteredAddTarget(ScriptFrame& permissionFrame, Expression *permissionFilter,
 118         ScriptFrame& frame, Expression *ufilter, std::vector<Value>& result, const String& variableName, const Object::Ptr& target)
 119 {
 120         if (FilterUtility::EvaluateFilter(permissionFrame, permissionFilter, target, variableName)) {
 121                 if (FilterUtility::EvaluateFilter(frame, ufilter, target, variableName)) {
 122                         result.emplace_back(std::move(target));
 123                 }
 124         }
 125 }
 126
 127 void FilterUtility::CheckPermission(const ApiUser::Ptr& user, const String& permission, Expression **permissionFilter)
 128 {
 129         if (permissionFilter)
 130                 *permissionFilter = nullptr;
 131
 132         if (permission.IsEmpty())
 133                 return;
 134
 135         bool foundPermission = false;
 136         String requiredPermission = permission.ToLower();
 137
 138         Array::Ptr permissions = user->GetPermissions();
 139         if (permissions) {
 140                 ObjectLock olock(permissions);
 141                 for (const Value& item : permissions) {
 142                         String permission;
 143                         Function::Ptr filter;
 144                         if (item.IsObjectType<Dictionary>()) {
 145                                 Dictionary::Ptr dict = item;
 146                                 permission = dict->Get("permission");
 147                                 filter = dict->Get("filter");
 148                         } else
 149                                 permission = item;
 150
 151                         permission = permission.ToLower();
 152
 153                         if (!Utility::Match(permission, requiredPermission))
 154                                 continue;
 155
 156                         foundPermission = true;
 157
 158                         if (filter && permissionFilter) {
 159                                 std::vector<std::unique_ptr<Expression> > args;
 160                                 args.emplace_back(new GetScopeExpression(ScopeThis));
 161                                 std::unique_ptr<Expression> indexer{new IndexerExpression(std::unique_ptr<Expression>(MakeLiteral(filter)), std::unique_ptr<Expression>(MakeLiteral("call")))};
 162                                 FunctionCallExpression *fexpr = new FunctionCallExpression(std::move(indexer), std::move(args));
 163
 164                                 if (!*permissionFilter)
 165                                         *permissionFilter = fexpr;
 166                                 else
 167                                         *permissionFilter = new LogicalOrExpression(std::unique_ptr<Expression>(*permissionFilter), std::unique_ptr<Expression>(fexpr));
 168                         }
 169                 }
 170         }
 171
 172         if (!foundPermission) {
 173                 Log(LogWarning, "FilterUtility")
 174                         << "Missing permission: " << requiredPermission;
 175
 176                 BOOST_THROW_EXCEPTION(ScriptError("Missing permission: " + requiredPermission));
 177         }
 178 }
 179
 180 std::vector<Value> FilterUtility::GetFilterTargets(const QueryDescription& qd, const Dictionary::Ptr& query, const ApiUser::Ptr& user, const String& variableName)
 181 {
 182         std::vector<Value> result;
 183
 184         TargetProvider::Ptr provider;
 185
 186         if (qd.Provider)
 187                 provider = qd.Provider;
 188         else
 189                 provider = new ConfigObjectTargetProvider();
 190
 191         Expression *permissionFilter;
 192         CheckPermission(user, qd.Permission, &permissionFilter);
 193
 194         Namespace::Ptr permissionFrameNS = new Namespace();
 195         ScriptFrame permissionFrame(false, permissionFrameNS);
 196
 197         for (const String& type : qd.Types) {
 198                 String attr = type;
 199                 boost::algorithm::to_lower(attr);
 200
 201                 if (attr == "type")
 202                         attr = "name";
 203
 204                 if (query && query->Contains(attr)) {
 205                         String name = HttpUtility::GetLastParameter(query, attr);
 206                         Object::Ptr target = provider->GetTargetByName(type, name);
 207
 208                         if (!FilterUtility::EvaluateFilter(permissionFrame, permissionFilter, target, variableName))
 209                                 BOOST_THROW_EXCEPTION(ScriptError("Access denied to object '" + name + "' of type '" + type + "'"));
 210
 211                         result.emplace_back(std::move(target));
 212                 }
 213
 214                 attr = provider->GetPluralName(type);
 215                 boost::algorithm::to_lower(attr);
 216
 217                 if (query && query->Contains(attr)) {
 218                         Array::Ptr names = query->Get(attr);
 219                         if (names) {
 220                                 ObjectLock olock(names);
 221                                 for (const String& name : names) {
 222                                         Object::Ptr target = provider->GetTargetByName(type, name);
 223
 224                                         if (!FilterUtility::EvaluateFilter(permissionFrame, permissionFilter, target, variableName))
 225                                                 BOOST_THROW_EXCEPTION(ScriptError("Access denied to object '" + name + "' of type '" + type + "'"));
 226
 227                                         result.emplace_back(std::move(target));
 228                                 }
 229                         }
 230                 }
 231         }
 232
 233         if ((query && query->Contains("filter")) || result.empty()) {
 234                 if (!query->Contains("type"))
 235                         BOOST_THROW_EXCEPTION(std::invalid_argument("Type must be specified when using a filter."));
 236
 237                 String type = HttpUtility::GetLastParameter(query, "type");
 238
 239                 if (!provider->IsValidType(type))
 240                         BOOST_THROW_EXCEPTION(std::invalid_argument("Invalid type specified."));
 241
 242                 if (qd.Types.find(type) == qd.Types.end())
 243                         BOOST_THROW_EXCEPTION(std::invalid_argument("Invalid type specified for this query."));
 244
 245                 Namespace::Ptr frameNS = new Namespace();
 246                 ScriptFrame frame(false, frameNS);
 247                 frame.Sandboxed = true;
 248
 249                 if (query->Contains("filter")) {
 250                         String filter = HttpUtility::GetLastParameter(query, "filter");
 251                         std::unique_ptr<Expression> ufilter = ConfigCompiler::CompileText("<API query>", filter);
 252
 253                         Dictionary::Ptr filter_vars = query->Get("filter_vars");
 254                         if (filter_vars) {
 255                                 ObjectLock olock(filter_vars);
 256                                 for (const Dictionary::Pair& kv : filter_vars) {
 257                                         frameNS->Set(kv.first, kv.second);
 258                                 }
 259                         }
 260
 261                         provider->FindTargets(type, std::bind(&FilteredAddTarget,
 262                                 std::ref(permissionFrame), permissionFilter,
 263                                 std::ref(frame), &*ufilter, std::ref(result), variableName, _1));
 264                 } else {
 265                         /* Ensure to pass a nullptr as filter expression.
 266                          * GCC 8.1.1 on F28 causes problems, see GH #6533.
 267                          */
 268                         provider->FindTargets(type, std::bind(&FilteredAddTarget,
 269                                 std::ref(permissionFrame), permissionFilter,
 270                                 std::ref(frame), nullptr, std::ref(result), variableName, _1));
 271                 }
 272         }
 273
 274         return result;
 275 }
 276