Apply relevant restrictions on REST url endpoints

raviks789 · raviks789 · commit 8d9ecf3b0a85 · 2025-03-26T11:12:15.000+01:00
The following url end points should apply relevant restrictions to filter out objects and show correct HTTP status code:
- icingaweb2/director/service, if the host name is left out of the query (Example: icingaweb2/director/service?name=service-name)
- icingaweb2/directore/notification
- icingaweb2/director/serviceset
- icingaweb2/director/scheduled-downtime
diff --git a/application/controllers/NotificationController.php b/application/controllers/NotificationController.php
@@ -2,6 +2,7 @@
 
 namespace Icinga\Module\Director\Controllers;
 
+use Icinga\Exception\NotFoundError;
 use Icinga\Module\Director\Web\Controller\ObjectController;
 use Icinga\Module\Director\Objects\IcingaHost;
 use Icinga\Module\Director\Objects\IcingaNotification;
@@ -80,6 +81,10 @@ protected function loadObject()
             }
         }
 
+        if (! $this->allowsObject($this->object)) {
+            throw new NotFoundError('No such object available');
+        }
+
         return $this->object;
     }
 }
diff --git a/application/controllers/ServiceController.php b/application/controllers/ServiceController.php
@@ -48,14 +48,6 @@ public function init()
         $this->host = $this->getOptionalRelatedObjectFromParams('host', 'host');
         $this->set = $this->getOptionalRelatedObjectFromParams('service_set', 'set');
         parent::init();
-        if ($this->object) {
-            if ($this->host === null) {
-                $this->host = $this->loadOptionalRelatedObject($this->object, 'host');
-            }
-            if ($this->set === null) {
-                $this->set = $this->loadOptionalRelatedObject($this->object, 'service_set');
-            }
-        }
         $this->addOptionalHostTabs();
         $this->addOptionalSetTabs();
     }
@@ -76,6 +68,20 @@ protected function getOptionalRelatedObjectFromParams($type, $parameter)
         return null;
     }
 
+    protected function loadOptionalObject(): void
+    {
+        parent::loadOptionalObject();
+
+        if ($this->object) {
+            if ($this->host === null) {
+                $this->host = $this->loadOptionalRelatedObject($this->object, 'host');
+            }
+            if ($this->set === null) {
+                $this->set = $this->loadOptionalRelatedObject($this->object, 'service_set');
+            }
+        }
+    }
+
     protected function loadOptionalRelatedObject(IcingaObject $object, $relation)
     {
         $key = $object->getUnresolvedRelated($relation);
diff --git a/application/controllers/ServicesetController.php b/application/controllers/ServicesetController.php
@@ -3,6 +3,7 @@
 namespace Icinga\Module\Director\Controllers;
 
 use Icinga\Data\Filter\Filter;
+use Icinga\Exception\NotFoundError;
 use Icinga\Module\Director\Forms\IcingaServiceSetForm;
 use Icinga\Module\Director\Objects\IcingaHost;
 use Icinga\Module\Director\Objects\IcingaServiceSet;
@@ -136,6 +137,10 @@ protected function loadObject()
             }
         }
 
+        if (! $this->allowsObject($this->object)) {
+            throw new NotFoundError('No such object available');
+        }
+
         return $this->object;
     }
 }
diff --git a/library/Director/Restriction/FilterByNameRestriction.php b/library/Director/Restriction/FilterByNameRestriction.php
@@ -5,6 +5,7 @@
 use gipfl\IcingaWeb2\Zf1\Db\FilterRenderer;
 use Icinga\Authentication\Auth;
 use Icinga\Data\Filter\Filter;
+use Icinga\Data\Filter\FilterEqual;
 use Icinga\Module\Director\Db;
 use Icinga\Module\Director\Objects\IcingaObject;
 use Zend_Db_Select as ZfSelect;
@@ -30,7 +31,11 @@ protected function setType($type)
 
     protected function setNameForType($type)
     {
-        $this->name = "director/${type}/filter-by-name";
+        if ($type === 'service_set') {
+            $this->name = "director/{$type}/filter-by-name";
+        } else {
+            $this->name = "director/{$type}/apply/filter-by-name";
+        }
     }
 
     public function allows(IcingaObject $object)
@@ -39,9 +44,9 @@ public function allows(IcingaObject $object)
             return true;
         }
 
-        return $this->getFilter()->matches([
+        return $this->getFilter()->matches(
             (object) ['object_name' => $object->getObjectName()]
-        ]);
+        );
     }
 
     public function getFilter()
diff --git a/library/Director/Web/Controller/Extension/ObjectRestrictions.php b/library/Director/Web/Controller/Extension/ObjectRestrictions.php
@@ -5,6 +5,7 @@
 use Icinga\Authentication\Auth;
 use Icinga\Module\Director\Db;
 use Icinga\Module\Director\Objects\IcingaObject;
+use Icinga\Module\Director\Restriction\FilterByNameRestriction;
 use Icinga\Module\Director\Restriction\HostgroupRestriction;
 use Icinga\Module\Director\Restriction\ObjectRestriction;
 
@@ -13,6 +14,9 @@ trait ObjectRestrictions
     /** @var ObjectRestriction[] */
     private $objectRestrictions;
 
+    /** @var IcingaObject */
+    private $dummyRestrictedObject;
+
     /**
      * @return ObjectRestriction[]
      */
@@ -30,13 +34,27 @@ public function getObjectRestrictions()
      */
     protected function loadObjectRestrictions(Db $db, Auth $auth)
     {
-        return [
-            new HostgroupRestriction($db, $auth)
-        ];
+        $objectType = $this->dummyRestrictedObject->getShortTableName();
+        if (
+            ($objectType === 'service' && $this->dummyRestrictedObject->isApplyRule())
+            || $objectType === 'notification'
+            || $objectType === 'service_set'
+            || $objectType === 'scheduled_downtime'
+        ) {
+            if ($objectType === 'scheduled_downtime') {
+                $objectType = 'scheduled-downtime';
+            }
+
+            return [new FilterByNameRestriction($db, $auth, $objectType)];
+        }
+
+        // If the object is host or host group load HostgroupRestriction
+        return [new HostgroupRestriction($db, $auth)];
     }
 
     public function allowsObject(IcingaObject $object)
     {
+        $this->dummyRestrictedObject = $object;
         foreach ($this->getObjectRestrictions() as $restriction) {
             if (! $restriction->allows($object)) {
                 return false;
diff --git a/library/Director/Web/Controller/ObjectsController.php b/library/Director/Web/Controller/ObjectsController.php
@@ -16,6 +16,7 @@
 use Icinga\Module\Director\RestApi\IcingaObjectsHandler;
 use Icinga\Module\Director\Web\ActionBar\ObjectsActionBar;
 use Icinga\Module\Director\Web\ActionBar\TemplateActionBar;
+use Icinga\Module\Director\Web\Controller\Extension\ObjectRestrictions;
 use Icinga\Module\Director\Web\Form\FormLoader;
 use Icinga\Module\Director\Web\Table\ApplyRulesTable;
 use Icinga\Module\Director\Web\Table\ObjectSetTable;
@@ -32,6 +33,7 @@
 abstract class ObjectsController extends ActionController
 {
     use BranchHelper;
+    use ObjectRestrictions;
 
     protected $isApified = true;
 
@@ -73,9 +75,13 @@ protected function apiRequestHandler()
         $request = $this->getRequest();
         $table = $this->getTable();
         if ($request->getControllerName() === 'services'
-            && $host = $this->params->get('host')
+            && $hostName = $this->params->get('host')
         ) {
-            $host = IcingaHost::load($host, $this->db());
+            $host = IcingaHost::load($hostName, $this->db());
+            if (! $this->allowsObject($host)) {
+                throw new NotFoundError(sprintf('Failed to load %s "%s"', $host->getTableName(), $hostName));
+            }
+
             $table->getQuery()->where('o.host_id = ?', $host->get('id'));
         }
 
diff --git a/library/Director/Web/Table/ObjectsTable.php b/library/Director/Web/Table/ObjectsTable.php
@@ -229,10 +229,14 @@ protected function loadRestrictions()
         $db = $this->connection();
         $auth = $this->getAuth();
 
-        return [
-            new HostgroupRestriction($db, $auth),
-            new FilterByNameRestriction($db, $auth, $this->getDummyObject()->getShortTableName())
-        ];
+        $dummyObject = $this->getDummyObject();
+        $type = $dummyObject->getShortTableName();
+
+        if ($dummyObject->isApplyRule()) {
+            return [new FilterByNameRestriction($db, $auth, $type)];
+        } else {
+            return [new HostgroupRestriction($db, $auth)];
+        }
     }
 
     /**
@@ -298,6 +302,7 @@ protected function prepareQuery()
             $query->order('object_name')->limit(100);
         } else {
             $this->applyObjectTypeFilter($query);
+            $this->applyRestrictions($query);
             $query->order('o.object_name')->limit(100);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`namespace Icinga\Module\Director\Controllers;`
`4`	`4`
	`5`	`+use Icinga\Exception\NotFoundError;`
`5`	`6`	`use Icinga\Module\Director\Web\Controller\ObjectController;`
`6`	`7`	`use Icinga\Module\Director\Objects\IcingaHost;`
`7`	`8`	`use Icinga\Module\Director\Objects\IcingaNotification;`
`@@ -80,6 +81,10 @@ protected function loadObject()`
`80`	`81`	`}`
`81`	`82`	`}`
`82`	`83`
	`84`	`+ if (! $this->allowsObject($this->object)) {`
	`85`	`+ throw new NotFoundError('No such object available');`
	`86`	`+ }`
	`87`	`+`
`83`	`88`	`return $this->object;`
`84`	`89`	`}`
`85`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`namespace Icinga\Module\Director\Controllers;`
`4`	`4`
`5`	`5`	`use Icinga\Data\Filter\Filter;`
	`6`	`+use Icinga\Exception\NotFoundError;`
`6`	`7`	`use Icinga\Module\Director\Forms\IcingaServiceSetForm;`
`7`	`8`	`use Icinga\Module\Director\Objects\IcingaHost;`
`8`	`9`	`use Icinga\Module\Director\Objects\IcingaServiceSet;`
`@@ -136,6 +137,10 @@ protected function loadObject()`
`136`	`137`	`}`
`137`	`138`	`}`
`138`	`139`
	`140`	`+ if (! $this->allowsObject($this->object)) {`
	`141`	`+ throw new NotFoundError('No such object available');`
	`142`	`+ }`
	`143`	`+`
`139`	`144`	`return $this->object;`
`140`	`145`	`}`
`141`	`146`	`}`