Add test-cases for checking permissions in filter exprs

Author: jschmidt-icinga

test/CMakeLists.txt

@@ -88,6 +88,7 @@ set(base_test_SOURCES
   icinga-notification.cpp
   icinga-perfdata.cpp
   methods-pluginnotificationtask.cpp
+  remote-filterutility.cpp
   remote-configpackageutility.cpp
   remote-url.cpp
   ${base_OBJS}
@@ -226,6 +227,7 @@ add_boost_test(base
     config_apply/gettargetservices_noindexer_service
     config_ops/simple
     config_ops/advanced
+    config_ops/sandboxed_ticket_salt
     icinga_checkresult/host_1attempt
     icinga_checkresult/host_2attempts
     icinga_checkresult/host_3attempts
@@ -273,6 +275,8 @@ add_boost_test(base
     icinga_perfdata/empty_warn_crit_min_max
     methods_pluginnotificationtask/truncate_long_output
     remote_configpackageutility/ValidateName
+    remote_filterutility/safe_function_permissions
+    remote_filterutility/variable_expression_permissions
     remote_url/id_and_path
     remote_url/parameters
     remote_url/get_and_set

test/config-ops.cpp

@@ -6,7 +6,8 @@
 
 using namespace icinga;
 
-BOOST_AUTO_TEST_SUITE(config_ops)
+BOOST_AUTO_TEST_SUITE(config_ops,
+	*boost::unit_test::label("config"))
 
 BOOST_AUTO_TEST_CASE(simple)
 {
@@ -243,4 +244,44 @@ BOOST_AUTO_TEST_CASE(advanced)
 	BOOST_CHECK(func->Invoke() == 3);
 }
 
+BOOST_AUTO_TEST_CASE(sandboxed_ticket_salt)
+{
+	ScriptFrame frame(true, new Namespace);
+	std::unique_ptr<Expression> expr;
+
+	auto ns = ScriptGlobal::GetGlobals();
+	ns->Set("TicketSalt", "testvalue");
+
+	expr = ConfigCompiler::CompileText("<test>", "TicketSalt");
+	BOOST_CHECK_EQUAL(expr->Evaluate(frame).GetValue(), "testvalue");
+
+	expr = ConfigCompiler::CompileText("<test>", "globals.TicketSalt");
+	BOOST_CHECK_EQUAL(expr->Evaluate(frame).GetValue(), "testvalue");
+
+	expr = ConfigCompiler::CompileText("<test>", "*&TicketSalt");
+	BOOST_CHECK_EQUAL(expr->Evaluate(frame).GetValue(), "testvalue");
+
+	expr = ConfigCompiler::CompileText("<test>", "globals.TicketSalt = {{{other}}}");
+	BOOST_CHECK_NO_THROW(expr->Evaluate(frame));
+
+	frame.Sandboxed = true;
+	ns->Set("TicketSalt", "testvalue", false);
+
+	// Accessing TicketSalt in a sandboxed context is like trying to access a variable that doesn't exist.
+	// In case of direct access, it will throw a ScriptError.
+	expr = ConfigCompiler::CompileText("<test>", "TicketSalt");
+	BOOST_CHECK_THROW(expr->Evaluate(frame).GetValue(), ScriptError);
+
+	// In case of other ways of accessing it, like through the global scope, it evaluates to Empty
+	expr = ConfigCompiler::CompileText("<test>", "globals.TicketSalt");
+	BOOST_CHECK_EQUAL(expr->Evaluate(frame).GetValue(), "");
+
+	// Same for (the different ways of) trying to access it via a reference.
+	expr = ConfigCompiler::CompileText("<test>", "*&TicketSalt");
+	BOOST_CHECK_EQUAL(expr->Evaluate(frame).GetValue(), "");
+
+	expr = ConfigCompiler::CompileText("<test>", "globals.TicketSalt = {{{other}}}");
+	BOOST_CHECK_THROW(expr->Evaluate(frame), ScriptError);
+}
+
 BOOST_AUTO_TEST_SUITE_END()