1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
/* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
#include "remote/variablequeryhandler.hpp"
#include "remote/httputility.hpp"
#include "remote/filterutility.hpp"
#include "base/configtype.hpp"
#include "base/scriptglobal.hpp"
#include "base/logger.hpp"
#include "base/serializer.hpp"
#include "base/namespace.hpp"
#include <set>
using namespace icinga;
REGISTER_URLHANDLER("/v1/variables", VariableQueryHandler);
class VariableTargetProvider final : public TargetProvider
{
public:
DECLARE_PTR_TYPEDEFS(VariableTargetProvider);
void FindTargets(const String& type,
const std::function<void (const Value&)>& addTarget) const override
{
Namespace::Ptr globals = ScriptGlobal::GetGlobals();
ObjectLock olock(globals);
for (auto& [key, value] : globals) {
/* We want wo avoid leaking the TicketSalt over the API, so we remove it here,
* as early as possible, so it isn't possible to abuse the fact that all of the
* global variables we return here later get checked against a user-provided
* filter expression that can cause its content to be printed in an error message
* or potentially access them otherwise.
*/
if (key == "TicketSalt") {
continue;
}
addTarget(FilterUtility::GetTargetForVar(key, value.Val));
}
}
Value GetTargetByName(const String& type, const String& name) const override
{
if (name == "TicketSalt") {
BOOST_THROW_EXCEPTION(std::invalid_argument{"Access to TicketSalt via /v1/variables is not permitted."});
}
return FilterUtility::GetTargetForVar(name, ScriptGlobal::Get(name));
}
bool IsValidType(const String& type) const override
{
return type == "Variable";
}
String GetPluralName(const String& type) const override
{
return "variables";
}
};
bool VariableQueryHandler::HandleRequest(
const WaitGroup::Ptr&,
AsioTlsStream& stream,
const ApiUser::Ptr& user,
boost::beast::http::request<boost::beast::http::string_body>& request,
const Url::Ptr& url,
boost::beast::http::response<boost::beast::http::string_body>& response,
const Dictionary::Ptr& params,
boost::asio::yield_context& yc,
HttpServerConnection& server
)
{
namespace http = boost::beast::http;
if (url->GetPath().size() > 3)
return false;
if (request.method() != http::verb::get)
return false;
QueryDescription qd;
qd.Types.insert("Variable");
qd.Permission = "variables";
qd.Provider = new VariableTargetProvider();
params->Set("type", "Variable");
if (url->GetPath().size() >= 3)
params->Set("variable", url->GetPath()[2]);
std::vector<Value> objs;
try {
objs = FilterUtility::GetFilterTargets(qd, params, user, "variable");
} catch (const std::exception& ex) {
HttpUtility::SendJsonError(response, params, 404,
"No variables found.",
DiagnosticInformation(ex));
return true;
}
ArrayData results;
for (Dictionary::Ptr var : objs) {
results.emplace_back(new Dictionary({
{ "name", var->Get("name") },
{ "type", var->Get("type") },
{ "value", Serialize(var->Get("value"), 0) }
}));
}
Dictionary::Ptr result = new Dictionary({
{ "results", new Array(std::move(results)) }
});
response.result(http::status::ok);
HttpUtility::SendJsonBody(response, params, result);
return true;
}
|
