From: Michael Friedrich <michael.friedrich@netways.de>
Date: Wed, 30 Sep 2015 13:07:20 +0000 (+0200)
Subject: Config sync shouldn't send updates for objects the client doesn't have access to
X-Git-Tag: v2.4.0~237
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=657e749c9bad3804b896a8898356bcde9a4e410f;p=icinga2

Config sync shouldn't send updates for objects the client doesn't have access to

fixes #10249
---

diff --git a/lib/remote/apilistener-configsync.cpp b/lib/remote/apilistener-configsync.cpp
index ec6467346..e4ebccc9f 100644
--- a/lib/remote/apilistener-configsync.cpp
+++ b/lib/remote/apilistener-configsync.cpp
@@ -257,6 +257,18 @@ void ApiListener::UpdateConfigObject(const ConfigObject::Ptr& object, const Mess
 	if (object->GetZoneName().IsEmpty())
 		return;
 
+	/* only send objects to zones which have access to the object */
+	if (client) {
+		Zone::Ptr target_zone = client->GetEndpoint()->GetZone();
+
+		if (target_zone && !target_zone->CanAccessObject(object)) {
+			Log(LogDebug, "ApiListener")
+			    << "Not sending 'update config' message to unauthorized zone '" << target_zone->GetName() << "'"
+			    << " for object: '" << object->GetName() << "'.";
+
+			return;
+		}
+	}
 	Dictionary::Ptr message = new Dictionary();
 	message->Set("jsonrpc", "2.0");
 	message->Set("method", "config::UpdateObject");
@@ -303,7 +315,7 @@ void ApiListener::UpdateConfigObject(const ConfigObject::Ptr& object, const Mess
 
 #ifdef I2_DEBUG
 	Log(LogDebug, "ApiListener")
-	    << "Sent update for object: " << JsonEncode(params);
+	    << "Sent update for object '" << object->GetName() << "': " << JsonEncode(params);
 #endif /* I2_DEBUG */
 
 	if (client)
@@ -323,6 +335,19 @@ void ApiListener::DeleteConfigObject(const ConfigObject::Ptr& object, const Mess
 	if (object->GetZoneName().IsEmpty())
 		return;
 
+	/* only send objects to zones which have access to the object */
+	if (client) {
+		Zone::Ptr target_zone = client->GetEndpoint()->GetZone();
+
+		if (target_zone && !target_zone->CanAccessObject(object)) {
+			Log(LogDebug, "ApiListener")
+			    << "Not sending 'delete config' message to unauthorized zone '" << target_zone->GetName() << "'"
+			    << " for object: '" << object->GetName() << "'.";
+
+			return;
+		}
+	}
+
 	Dictionary::Ptr message = new Dictionary();
 	message->Set("jsonrpc", "2.0");
 	message->Set("method", "config::DeleteObject");
@@ -338,7 +363,7 @@ void ApiListener::DeleteConfigObject(const ConfigObject::Ptr& object, const Mess
 
 #ifdef I2_DEBUG
 	Log(LogDebug, "ApiListener")
-	    << "Sent delete object: " << JsonEncode(params);
+	    << "Sent delete for object '" << object->GetName() << "': " << JsonEncode(params);
 #endif /* I2_DEBUG */
 
 	if (client)