Config sync shouldn't send updates for objects the client doesn't have access to
authorMichael Friedrich <michael.friedrich@netways.de>
Wed, 30 Sep 2015 13:07:20 +0000 (15:07 +0200)
committerMichael Friedrich <michael.friedrich@netways.de>
Wed, 30 Sep 2015 13:08:01 +0000 (15:08 +0200)
fixes #10249

lib/remote/apilistener-configsync.cpp

index ec6467346ac1ba1e2f91c49f2fb4d46247d0c3d8..e4ebccc9f9fe0013c8b01783b49e0140e63b367f 100644 (file)
@@ -257,6 +257,18 @@ void ApiListener::UpdateConfigObject(const ConfigObject::Ptr& object, const Mess
        if (object->GetZoneName().IsEmpty())
                return;
 
+       /* only send objects to zones which have access to the object */
+       if (client) {
+               Zone::Ptr target_zone = client->GetEndpoint()->GetZone();
+
+               if (target_zone && !target_zone->CanAccessObject(object)) {
+                       Log(LogDebug, "ApiListener")
+                           << "Not sending 'update config' message to unauthorized zone '" << target_zone->GetName() << "'"
+                           << " for object: '" << object->GetName() << "'.";
+
+                       return;
+               }
+       }
        Dictionary::Ptr message = new Dictionary();
        message->Set("jsonrpc", "2.0");
        message->Set("method", "config::UpdateObject");
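Review bot: The new guard fails open when the peer's zone cannot be determined: with `if (target_zone && !target_zone->CanAccessObject(object))` a client whose endpoint has no zone falls through and still receives the update, so the fail-closed form is `if (!target_zone || !target_zone->CanAccessObject(object))`, with the debug log line then guarding its `target_zone->GetName()` call against the null case. If `client->GetEndpoint()` can be null for a connection without a matching configured endpoint, the dereference on the `Zone::Ptr target_zone = client->GetEndpoint()->GetZone();` line needs the same protection. The check applies only to the direct-client path; the branch taken when `client` is null (further down, outside this hunk) is not filtered here, so it should be confirmed that the zone check is applied on that path elsewhere. The same pattern is added to DeleteConfigObject in the third hunk and has the same gaps. UpdateConfigObject's body continues past this hunk.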
@@ -303,7 +315,7 @@ void ApiListener::UpdateConfigObject(const ConfigObject::Ptr& object, const Mess
 
 #ifdef I2_DEBUG
        Log(LogDebug, "ApiListener")
-           << "Sent update for object: " << JsonEncode(params);
+           << "Sent update for object '" << object->GetName() << "': " << JsonEncode(params);
 #endif /* I2_DEBUG */
 
        if (client)
@@ -323,6 +335,19 @@ void ApiListener::DeleteConfigObject(const ConfigObject::Ptr& object, const Mess
        if (object->GetZoneName().IsEmpty())
                return;
 
+       /* only send objects to zones which have access to the object */
+       if (client) {
+               Zone::Ptr target_zone = client->GetEndpoint()->GetZone();
+
+               if (target_zone && !target_zone->CanAccessObject(object)) {
+                       Log(LogDebug, "ApiListener")
+                           << "Not sending 'delete config' message to unauthorized zone '" << target_zone->GetName() << "'"
+                           << " for object: '" << object->GetName() << "'.";
+
+                       return;
+               }
+       }
+
        Dictionary::Ptr message = new Dictionary();
        message->Set("jsonrpc", "2.0");
        message->Set("method", "config::DeleteObject");
@@ -338,7 +363,7 @@ void ApiListener::DeleteConfigObject(const ConfigObject::Ptr& object, const Mess
 
 #ifdef I2_DEBUG
        Log(LogDebug, "ApiListener")
-           << "Sent delete object: " << JsonEncode(params);
+           << "Sent delete for object '" << object->GetName() << "': " << JsonEncode(params);
 #endif /* I2_DEBUG */
 
        if (client)