Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Runtime modification bypasses↪️ Object#Validate() constraints👮‍♂️ #10178

Open
Al2Klimov opened this issue Sep 27, 2024 · 0 comments
Open

Runtime modification bypasses↪️ Object#Validate() constraints👮‍♂️ #10178

Al2Klimov opened this issue Sep 27, 2024 · 0 comments
Labels
area/api REST API area/configuration DSL, parser, compiler, error handling bug Something isn't working

Comments

@Al2Klimov
Copy link
Member

Describe the bug

During startup and runtime creation, T#Validate() asserts own constraints after calling ObjectImpl<T>#Validate(). The latter calls individual attribute validators. In contrast, runtime modification consults only the individual attribute validators in question. Hence, one can cheat on T#Validate() constraints via runtime modification.

To Reproduce

  1. Setup API
    • prefix/sbin/icinga2 api setup
    • perl -pi -e 's/password = ".*?"/password = "123456"/' prefix/etc/icinga2/conf.d/api-users.conf
  2. Start Icinga
    • prefix/sbin/icinga2 daemon -d
  3. Create a Notification w/o recipients
    • curl -kvu root:123456 -X PUT -H 'Accept: application/json' -d '{"pretty":true, "attrs":{"command":"mail-host-notification"}}' 'https://127.0.0.1:5665/v1/objects/notifications/ws-aklimov7777777.local!lolcat'
    • Will fail: Error: Validation failed for object 'ws-aklimov7777777.local!lolcat' of type 'Notification': Validation failed: No users/user_groups specified. 👍
  4. Create a Notification w/ a recipient
    • curl -kvu root:123456 -X PUT -H 'Accept: application/json' -d '{"pretty":true, "attrs":{"command":"mail-host-notification", "users":["icingaadmin"]}}' 'https://127.0.0.1:5665/v1/objects/notifications/ws-aklimov7777777.local!lolcat' 👍
  5. Delete the recipient
    • curl -kvu root:123456 -X POST -H 'Accept: application/json' -d '{"pretty":true, "attrs":{"users":[]}}' 'https://127.0.0.1:5665/v1/objects/notifications/ws-aklimov7777777.local!lolcat'
    • Will succeed 😢

Expected behavior

Object constraints involving 2+ attributes get an own method which is still called by T#Validate() and additionally during runtime modification. Not sure how the latter can work.

Or each constraint(!) involving 2+ attributes gets an own method which isn't called directly by T#Validate() "anymore", but by individual attribute validators. E.g both the users and user groups attribute check for the constraint bypassed above.

Your Environment

  • Version used (icinga2 --version): 01d3a1d
  • Operating System and version: macOS 14.7
  • Enabled features (icinga2 feature list): api checker mainlog notification
  • Config validation (icinga2 daemon -C): ✅

Additional context
@Al2Klimov Al2Klimov added bug Something isn't working area/configuration DSL, parser, compiler, error handling area/api REST API labels Sep 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/api REST API area/configuration DSL, parser, compiler, error handling bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Al2Klimov