From d6253eafbb0bb8e6465ff4bec5262bcdcfee95fb Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Thu, 21 Jul 2022 09:25:55 +0200 Subject: [PATCH] Introduce new restriction `icingadb/scope/commands` I thought this is worthwhile to have. It allows to limit users with a specific set of granted command permissions to certain hosts and services. The difference to the other restrictions is though, that it doesn't affect the visibility of objects but rather the validity of the granted command permissions only. This is the same effect that the current restrictions already have. But this allows to set up a role that doesn't limit a user in what's shown and what's not, but where which commands are allowed. --- configuration.php | 5 +++++ doc/04-Security.md | 15 +++++++++++++-- .../Authentication/ObjectAuthorization.php | 4 ++++ 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/configuration.php b/configuration.php index 6e950165..a6c145f1 100644 --- a/configuration.php +++ b/configuration.php @@ -102,6 +102,11 @@ namespace Icinga\Module\Icingadb { $this->translate('Allow to view an object\'s source data. (May contain sensitive data!)') ); + $this->provideRestriction( + 'icingadb/scope/commands', + $this->translate('Restrict to which objects the command permissions this role grants will apply') + ); + $this->provideRestriction( 'icingadb/filter/objects', $this->translate('Restrict access to the Icinga objects that match the filter') diff --git a/doc/04-Security.md b/doc/04-Security.md index c6653d93..113ef59d 100644 --- a/doc/04-Security.md +++ b/doc/04-Security.md 
@@ -9,8 +9,8 @@ The same applies to routes, objects and variables. To these, users can be restri > **Restricted Command Permissions:** > -> If a role [limits users](#filters) to a specific set of results, the command -> permissions or refusals of the very same role only apply to these results. +> If a role [limits users](#filters) to a specific set of results, the granted command permissions of the very same +> role only apply to these results. The [`icingadb/scope/commands`](#scopes) restriction has the same effect. | Name | Allow... | |------------------------------------------------|----------------------------------------------------------------------------------| @@ -61,6 +61,17 @@ unrestricted. It should be one or more [filter expressions](#filter-expressions) `icingadb/filter/services` will only allow users to access matching services. Other objects remain unrestricted. It should be one or more [filter expressions](#filter-expressions). +### Scopes + +Scopes don't limit users in what they can see, just in what they can do where. + +| Name | Description | +|-------------------------|----------------------------------------------------------------------------| +| icingadb/scope/commands | Restrict to which objects the command permissions a role grants will apply | + +`icingadb/scope/commands` will limit where the granted command permissions of a role will apply. +It should be one or more [filter expressions](#filter-expressions). + ### Denylists Denylists prevent users from accessing information and in some cases will block them entirely from it. diff --git a/library/Icingadb/Authentication/ObjectAuthorization.php b/library/Icingadb/Authentication/ObjectAuthorization.php index ba5aa17e..4f8bbfa4 100644 --- a/library/Icingadb/Authentication/ObjectAuthorization.php +++ b/library/Icingadb/Authentication/ObjectAuthorization.php 
@@ -153,6 +153,10 @@ class ObjectAuthorization foreach ($this->getAuth()->getUser()->getRoles() as $role) { $roleFilter = Filter::all(); + if (($restriction = $role->getRestrictions('icingadb/scope/commands'))) { + $roleFilter->add($this->parseRestriction($restriction, 'icingadb/scopes/commands')); + } + if (($restriction = $role->getRestrictions('icingadb/filter/objects'))) { $roleFilter->add($this->parseRestriction($restriction, 'icingadb/filter/objects')); }
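Review bot: in the first doc/04-Security.md hunk (the "Restricted Command Permissions" note), the rewritten sentence drops the words "or refusals" that the removed line had, so the documentation no longer says whether a role's command refusals are still scoped by its `icingadb/filter/*` restrictions. If that behaviour for filters is unchanged, keep "permissions or refusals" in the first sentence and let only the new second sentence talk about granted permissions; if refusals are deliberately unaffected, say so explicitly, since readers of the old text will otherwise assume a silent change.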
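Review bot: the new "Scopes" section in the second doc/04-Security.md hunk does not say how `icingadb/scope/commands` combines with `icingadb/filter/objects` (or the other filter restrictions) when a single role carries both. The ObjectAuthorization.php hunk adds the scope filter to the same `Filter::all()` chain as the object filter, so both must match for a command permission to apply; a sentence such as "If the same role also defines filter restrictions, commands are only permitted on objects matching both the scope and the filters" would make that explicit and would also make clear that the scope never widens what the filters allow.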
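Review bot: the restriction name passed as the second argument in the new ObjectAuthorization.php block is misspelled: `$this->parseRestriction($restriction, 'icingadb/scopes/commands')` uses "scopes" (plural), while the restriction is fetched one line earlier with `$role->getRestrictions('icingadb/scope/commands')` and registered in configuration.php as `'icingadb/scope/commands'`. The existing block directly below passes the same name to both calls (`'icingadb/filter/objects'`), so this is almost certainly a typo; whatever `parseRestriction()` does with that name (error reporting, lookup, or logging), it should be `'icingadb/scope/commands'` to stay consistent with the registered restriction.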