| /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
| #include "remote/objectqueryhandler.hpp"
| #include "remote/httputility.hpp"
| #include "remote/filterutility.hpp"
| #include "base/serializer.hpp"
| #include "base/dependencygraph.hpp"
| #include "base/configtype.hpp"
| #include <boost/algorithm/string/case_conv.hpp>
| #include <set>
| #include <unordered_map>
using namespace icinga;

// Associates ObjectQueryHandler with the "/v1/objects" URL path. The macro is
// defined elsewhere, so the registration mechanics are not visible in this file.
REGISTER_URLHANDLER("/v1/objects", ObjectQueryHandler);
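/**
 * Builds the dictionary of user-visible attributes for one object.
 *
 * Field selection:
 *  - allAttrs == true selects every field of the object's reflection type.
 *  - For a non-join call, a missing or empty attrs array also selects every field.
 *  - For a join call, an attrs entry equal to attrPrefix selects every field;
 *    otherwise only entries of the form "<attrPrefix>.<field>" are considered and
 *    entries for other prefixes (or without a dot) are skipped.
 *
 * Visibility filtering is applied after selection and cannot be overridden by the
 * caller: fields flagged FANoUserView are never emitted, and navigation fields are
 * emitted only when they are also config or state fields. A hidden field that was
 * requested by name is dropped silently rather than reported as an error.
 *
 * @param object     Object to serialize.
 * @param attrPrefix Join name used to match "<prefix>.<field>" entries (join calls only).
 * @param attrs      Requested attribute names; may be null.
 * @param isJoin     Whether attrs holds join-qualified names.
 * @param allAttrs   Force selection of every field.
 * @return Dictionary mapping field name to the serialized field value.
 * @throws ScriptError if a requested name is not a field of the object's type.
 */
Dictionary::Ptr ObjectQueryHandler::SerializeObjectAttrs(const Object::Ptr& object,
	const String& attrPrefix, const Array::Ptr& attrs, bool isJoin, bool allAttrs)
{
	Type::Ptr type = object->GetReflectionType();

	/* A join entry that names only the prefix (no ".field" part) asks for everything. */
	if (isJoin && attrs) {
		ObjectLock olock(attrs);
		for (const String& attr : attrs) {
			if (attr == attrPrefix) {
				allAttrs = true;
				break;
			}
		}
	}

	if (!isJoin && (!attrs || attrs->GetLength() == 0))
		allAttrs = true;

	std::vector<int> fids;

	if (allAttrs) {
		for (int fid = 0; fid < type->GetFieldCount(); fid++) {
			fids.push_back(fid);
		}
	} else if (attrs) {
		ObjectLock olock(attrs);
		for (const String& attr : attrs) {
			String userAttr;

			if (isJoin) {
				String::SizeType dpos = attr.FindFirstOf(".");
				if (dpos == String::NPos)
					continue;

				/* Entries qualified with a different join name belong to another join. */
				if (attr.SubStr(0, dpos) != attrPrefix)
					continue;

				userAttr = attr.SubStr(dpos + 1);
			} else {
				userAttr = attr;
			}

			int fid = type->GetFieldId(userAttr);

			if (fid < 0)
				BOOST_THROW_EXCEPTION(ScriptError("Invalid field specified: " + userAttr));

			fids.push_back(fid);
		}
	}

	DictionaryData resultAttrs;
	resultAttrs.reserve(fids.size());

	for (int fid : fids) {
		Field field = type->GetFieldInfo(fid);

		/* hide attributes which shouldn't be user-visible */
		if (field.Attributes & FANoUserView)
			continue;

		/* hide internal navigation fields */
		if ((field.Attributes & FANavigation) && !(field.Attributes & (FAConfig | FAState)))
			continue;

		/*
		 * Read the value only once the field is known to be visible, so that
		 * values of hidden fields are never copied into this function at all.
		 */
		resultAttrs.emplace_back(field.Name, Serialize(object->GetField(fid), FAConfig | FAState));
	}

	return new Dictionary(std::move(resultAttrs));
}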
/**
 * Serves GET requests for /v1/objects/<plural type>[/<name>].
 *
 * The response lists, for every object returned by FilterUtility::GetFilterTargets,
 * its name, type, requested meta information, attributes and joined objects.
 * Joined objects are included only if the user holds "objects/query/<joined type>"
 * and the permission filter attached to that permission accepts the joined object.
 *
 * stream, yc and server are not used by this handler.
 *
 * @return false if the URL depth or HTTP method is not handled here (nothing is
 *         written to the response), true once a response or JSON error was produced.
 */
bool ObjectQueryHandler::HandleRequest(
	AsioTlsStream& stream,
	const ApiUser::Ptr& user,
	boost::beast::http::request<boost::beast::http::string_body>& request,
	const Url::Ptr& url,
	boost::beast::http::response<boost::beast::http::string_body>& response,
	const Dictionary::Ptr& params,
	boost::asio::yield_context& yc,
	HttpServerConnection& server
)
{
	namespace http = boost::beast::http;

	const auto& path = url->GetPath();
	const auto depth = path.size();

	if (depth < 3 || depth > 4)
		return false;

	if (request.method() != http::verb::get)
		return false;

	Type::Ptr type = FilterUtility::TypeFromPluralName(path[2]);

	if (!type) {
		HttpUtility::SendJsonError(response, params, 400, "Invalid type specified.");
		return true;
	}

	const String typeName = type->GetName();

	/* The permission string is handed to GetFilterTargets below together with the user. */
	QueryDescription qd;
	qd.Types.insert(typeName);
	qd.Permission = "objects/query/" + typeName;

	/*
	 * Reads an optional array-typed request parameter. A value that cannot be
	 * converted to an array is answered with a 400 and reported as failure.
	 */
	const auto readArrayParam = [&](const char *key, const char *typeError, Array::Ptr& target) {
		try {
			target = params->Get(key);
		} catch (const std::exception&) {
			HttpUtility::SendJsonError(response, params, 400, typeError);
			return false;
		}

		return true;
	};

	Array::Ptr uattrs, ujoins, umetas;

	if (!readArrayParam("attrs", "Invalid type for 'attrs' attribute specified. Array type is required.", uattrs))
		return true;

	if (!readArrayParam("joins", "Invalid type for 'joins' attribute specified. Array type is required.", ujoins))
		return true;

	if (!readArrayParam("meta", "Invalid type for 'meta' attribute specified. Array type is required.", umetas))
		return true;

	bool allJoins = HttpUtility::GetLastParameter(params, "all_joins");

	/* Values taken from the URL path overwrite same-named request parameters. */
	params->Set("type", typeName);

	if (depth >= 4) {
		String nameKey = typeName;
		boost::algorithm::to_lower(nameKey);
		params->Set(nameKey, path[3]);
	}

	std::vector<Value> objs;

	try {
		objs = FilterUtility::GetFilterTargets(qd, params, user);
	} catch (const std::exception& ex) {
		/*
		 * Every failure while resolving targets is answered with a 404. The
		 * exception's diagnostic text is passed on to SendJsonError; whether it
		 * reaches the client is decided there and is not visible in this file.
		 */
		HttpUtility::SendJsonError(response, params, 404,
			"No objects found.",
			DiagnosticInformation(ex));
		return true;
	}

	ArrayData results;
	results.reserve(objs.size());

	/* Join names the client asked for: the part of each "joins" entry before the first dot. */
	std::set<String> userJoinAttrs;

	if (ujoins) {
		ObjectLock olock(ujoins);
		for (const String& ujoin : ujoins) {
			userJoinAttrs.insert(ujoin.SubStr(0, ujoin.FindFirstOf(".")));
		}
	}

	/* Navigation fields of the queried type that will actually be joined. */
	std::set<String> joinAttrs;

	for (int fid = 0; fid < type->GetFieldCount(); fid++) {
		Field field = type->GetFieldInfo(fid);

		if (!(field.Attributes & FANavigation))
			continue;

		if (allJoins || userJoinAttrs.count(field.NavigationName) > 0)
			joinAttrs.insert(field.Name);
	}

	/* Per-request caches so each joined type and joined object is authorized only once. */
	std::unordered_map<Type*, std::pair<bool, std::unique_ptr<Expression>>> typePermissions;
	std::unordered_map<Object*, bool> objectAccessAllowed;

	for (const ConfigObject::Ptr& obj : objs) {
		DictionaryData entry{
			{ "name", obj->GetName() },
			{ "type", obj->GetReflectionType()->GetName() }
		};

		DictionaryData metaAttrs;

		if (umetas) {
			ObjectLock olock(umetas);
			for (const String& meta : umetas) {
				if (meta == "used_by") {
					/*
					 * NOTE(review): unlike the joins below, no permission check on the
					 * listed objects is visible here, so type and name of every parent
					 * are returned as-is. Confirm that this is intended.
					 */
					Array::Ptr dependents = new Array();
					metaAttrs.emplace_back("used_by", dependents);

					for (const Object::Ptr& parent : DependencyGraph::GetParents(obj)) {
						ConfigObject::Ptr configParent = dynamic_pointer_cast<ConfigObject>(parent);

						if (configParent) {
							dependents->Add(new Dictionary({
								{ "type", configParent->GetReflectionType()->GetName() },
								{ "name", configParent->GetName() }
							}));
						}
					}
				} else if (meta == "location") {
					metaAttrs.emplace_back("location", obj->GetSourceLocation());
				} else {
					HttpUtility::SendJsonError(response, params, 400, "Invalid field specified for meta: " + meta);
					return true;
				}
			}
		}

		entry.emplace_back("meta", new Dictionary(std::move(metaAttrs)));

		try {
			entry.emplace_back("attrs", SerializeObjectAttrs(obj, String(), uattrs, false, false));
		} catch (const ScriptError& ex) {
			HttpUtility::SendJsonError(response, params, 400, ex.what());
			return true;
		}

		DictionaryData joins;

		for (const String& joinAttr : joinAttrs) {
			int fid = type->GetFieldId(joinAttr);

			if (fid < 0) {
				HttpUtility::SendJsonError(response, params, 400, "Invalid field specified for join: " + joinAttr);
				return true;
			}

			Field field = type->GetFieldInfo(fid);

			if (!(field.Attributes & FANavigation)) {
				HttpUtility::SendJsonError(response, params, 400, "Not a joinable field: " + joinAttr);
				return true;
			}

			Object::Ptr joinedObj = obj->NavigateField(fid);

			if (!joinedObj)
				continue;

			/* Step 1: does the user hold the query permission for the joined type at all? */
			Type::Ptr joinedType = joinedObj->GetReflectionType();
			auto typeEntry = typePermissions.find(joinedType.get());

			if (typeEntry == typePermissions.end()) {
				String permission = "objects/query/" + joinedType->GetName();

				std::unique_ptr<Expression> filter;
				bool permitted = FilterUtility::HasPermission(user, permission, &filter);

				typeEntry = typePermissions.emplace(joinedType.get(), std::make_pair(permitted, std::move(filter))).first;
			}

			if (!typeEntry->second.first) {
				// Not authorized
				continue;
			}

			const std::unique_ptr<Expression>& permissionFilter = typeEntry->second.second;

			/* Step 2: does the permission's filter accept this particular joined object? */
			bool accessAllowed;
			auto cached = objectAccessAllowed.find(joinedObj.get());

			if (cached != objectAccessAllowed.end()) {
				accessAllowed = cached->second;
			} else {
				ScriptFrame permissionFrame(false, new Namespace());

				try {
					accessAllowed = FilterUtility::EvaluateFilter(permissionFrame, permissionFilter.get(), joinedObj);
				} catch (const ScriptError&) {
					/* A filter that fails to evaluate denies access (fail closed). */
					accessAllowed = false;
				}

				objectAccessAllowed.emplace(joinedObj.get(), accessAllowed);
			}

			if (!accessAllowed) {
				// Access denied
				continue;
			}

			String prefix = field.NavigationName;

			try {
				joins.emplace_back(prefix, SerializeObjectAttrs(joinedObj, prefix, ujoins, true, allJoins));
			} catch (const ScriptError& ex) {
				HttpUtility::SendJsonError(response, params, 400, ex.what());
				return true;
			}
		}

		entry.emplace_back("joins", new Dictionary(std::move(joins)));

		results.push_back(new Dictionary(std::move(entry)));
	}

	Dictionary::Ptr result = new Dictionary({
		{ "results", new Array(std::move(results)) }
	});

	response.result(http::status::ok);
	HttpUtility::SendJsonBody(response, params, result);

	return true;
}