Diffstat (limited to 'library/Director/Auth')
-rw-r--r-- | library/Director/Auth/MonitoringRestriction.php | 36 | ||||
-rw-r--r-- | library/Director/Auth/Permission.php | 31 | ||||
-rw-r--r-- | library/Director/Auth/Restriction.php | 17 |
3 files changed, 84 insertions, 0 deletions
diff --git a/library/Director/Auth/MonitoringRestriction.php b/library/Director/Auth/MonitoringRestriction.php
new file mode 100644
index 0000000..1fb6013
--- /dev/null
+++ b/library/Director/Auth/MonitoringRestriction.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace Icinga\Module\Director\Auth;
+
+use Icinga\Authentication\Auth;
+use Icinga\Data\Filter\Filter;
+
+class MonitoringRestriction
+{
+ public static function getObjectsFilter(Auth $auth): Filter
+ {
+ $restriction = Filter::matchAny();
+ $restriction->setAllowedFilterColumns([
+ 'host_name',
+ 'hostgroup_name',
+ 'instance_name',
+ 'service_description',
+ 'servicegroup_name',
+ function ($c) {
+ return preg_match('/^_(?:host|service)_/i', $c);
+ }
+ ]);
+ foreach ($auth->getRestrictions(Restriction::MONITORING_RW_OBJECT_FILTER) as $filter) {
+ if ($filter === '*') {
+ return Filter::matchAll();
+ }
+ $restriction->addFilter(Filter::fromQueryString($filter));
+ }
+
+ if ($restriction->isEmpty()) {
+ return Filter::matchAll();
+ }
+
+ return $restriction;
+ }
+}
diff --git a/library/Director/Auth/Permission.php b/library/Director/Auth/Permission.php
new file mode 100644
index 0000000..c29d789
--- /dev/null
+++ b/library/Director/Auth/Permission.php
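Review bot: getObjectsFilter() fails open in two places and the new file does not say so: a single `*` entry from any role and an empty restriction set both return `Filter::matchAll()`. A docblock on the method should state that a user with no `director/monitoring/rw-object-filter` restriction is unrestricted, that restrictions from several roles are combined with `Filter::matchAny()` so each extra role widens the result, and that callers must check the corresponding permission before relying on the filter. `Filter::fromQueryString($filter)` is also called unguarded, so a malformed restriction string presumably surfaces as a raw parse exception; catching it and rethrowing with the restriction name would make a misconfigured role easier to find while still failing closed.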
@@ -0,0 +1,31 @@
+<?php
+
+namespace Icinga\Module\Director\Auth;
+
+class Permission
+{
+ public const ALL_PERMISSIONS = 'director/*';
+ public const ADMIN = 'director/admin'; // internal, assign ALL_PERMISSONS
+ public const API = 'director/api';
+ public const AUDIT = 'director/audit';
+ public const DEPLOY = 'director/deploy';
+ public const DEPLOYMENTS = 'director/deployments'; // internal, assign ALL_PERMISSONS
+ public const GROUPS_FOR_RESTRICTED_HOSTS = 'director/groups-for-restricted-hosts';
+ public const HOSTS = 'director/hosts';
+ public const HOST_GROUPS = 'director/hostgroups'; // internal, assign ALL_PERMISSIONS
+ public const INSPECT = 'director/inspect';
+ public const MONITORING_SERVICES_RO = 'director/monitoring/services-ro';
+ public const MONITORING_SERVICES = 'director/monitoring/services';
+ public const MONITORING_HOSTS = 'director/monitoring/hosts';
+ public const ICINGADB_SERVICES_RO = 'director/icingadb/services-ro';
+ public const ICINGADB_SERVICES = 'director/icingadb/services';
+ public const ICINGADB_HOSTS = 'director/icingadb/hosts';
+ public const NOTIFICATIONS = 'director/notifications';
+ public const SCHEDULED_DOWNTIMES = 'director/scheduled-downtimes';
+ public const SERVICES = 'director/services';
+ public const SERVICE_SETS = 'director/servicesets';
+ public const SERVICE_SET_APPLY = 'director/service_set/apply';
+ public const SHOW_CONFIG = 'director/showconfig';
+ public const SHOW_SQL = 'director/showsql';
+ public const USERS = 'director/users';
+}
diff --git a/library/Director/Auth/Restriction.php b/library/Director/Auth/Restriction.php
new file mode 100644
index 0000000..3394dcc
--- /dev/null
+++ b/library/Director/Auth/Restriction.php
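Review bot: The comments on `ADMIN` and `DEPLOYMENTS` spell the constant as `ALL_PERMISSONS`, so a search for `ALL_PERMISSIONS` misses them, and the word "internal" is never explained. Since `ALL_PERMISSIONS` is the `director/*` wildcard, a short class docblock should say which permissions are reachable only through the wildcard and are not meant to be assigned to roles individually, if that is the intent. Suggested wording for the three trailing comments: `// internal: granted only via ALL_PERMISSIONS`.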
@@ -0,0 +1,17 @@
+<?php
+
+namespace Icinga\Module\Director\Auth;
+
+class Restriction
+{
+ public const MONITORING_RW_OBJECT_FILTER = 'director/monitoring/rw-object-filter';
+ public const ICINGADB_RW_OBJECT_FILTER = 'director/icingadb/rw-object-filter';
+ public const FILTER_HOSTGROUPS = 'director/filter/hostgroups';
+
+ // Hint: by-name-Filters are being fetched with variable names, like "director/$type/apply/filter-by-name"
+ public const NOTIFICATION_APPLY_FILTER_BY_NAME = 'director/notification/apply/filter-by-name';
+ public const SCHEDULED_DOWNTIME_APPLY_FILTER_BY_NAME = 'director/scheduled-downtime/apply/filter-by-name';
+ public const SERVICE_APPLY_FILTER_BY_NAME = 'director/service/apply/filter-by-name';
+ public const SERVICE_SET_FILTER_BY_NAME = 'director/service_set/filter-by-name';
+ const DB_RESOURCE = 'director/db_resource';
+} |
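Review bot: `DB_RESOURCE` is declared as a bare `const` while every other constant in the class is `public const`; write `public const DB_RESOURCE = 'director/db_resource';` for consistency. The hint comment says by-name restrictions are fetched as `"director/$type/apply/filter-by-name"`, but `SERVICE_SET_FILTER_BY_NAME` is `director/service_set/filter-by-name` with no `/apply/` segment, so a name built from that pattern would not match it. The lookup code is not visible here; if it does build the name that way the restriction list would come back empty, and `MonitoringRestriction::getObjectsFilter()` in this commit treats an empty list as unrestricted. The comment should spell out which constants follow the pattern and which do not.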