Auth: Merge variable denylists and protections from multiple roles

nilmerg · nilmerg · commit 25905563039e · 2025-11-19T08:50:39.000+01:00
diff --git a/doc/04-Security.md b/doc/04-Security.md
@@ -69,18 +69,18 @@ Denylists prevent users from accessing information and in some cases will block
 >
 > Denylists from multiple roles will further limit access.
 
-Name                         | Description
------------------------------|------------------------------------------------------------------
-icingadb/denylist/routes    | Prevent access to routes that are part of the list
-icingadb/denylist/variables | Hide custom variables of Icinga objects that are part of the list
+| Name                        | Description                                                       |
+|-----------------------------|-------------------------------------------------------------------|
+| icingadb/denylist/routes    | Prevent access to routes that are part of the list                |
+| icingadb/denylist/variables | Hide custom variables of Icinga objects that are part of the list |
 
 `icingadb/denylist/routes` will block users from accessing defined routes and from related information elsewhere.
 For example, if `hostgroups` are part of the list a user won't have access to the hostgroup overview nor to a host's
-groups shown in its detail area. This should be a comma separated list. Possible values are: hostgroups, servicegroups,
+groups shown in its detail area. This should be a comma-separated list. Possible values are: hostgroups, servicegroups,
 contacts, contactgroups
 
 `icingadb/denylist/variables` will block users from accessing certain custom variables. A user affected by this won't
-see that those variables even exist. This should be a comma separated list of [variable paths](#variable-paths). It is
+see that those variables even exist. This should be a comma-separated list of [variable paths](#variable-paths). It is
 possible to use [match patterns](#match-patterns).
 
 ### Protections
@@ -91,12 +91,12 @@ Protections prevent users from accessing actual data. They will know that there
 >
 > Denylists from multiple roles will further limit access.
 
-Name                       | Description
----------------------------|-----------------------------------------------------------------------------
-icingadb/protect/variables | Obfuscate custom variable values of Icinga objects that are part of the list
+| Name                       | Description                                                                  |
+|----------------------------|------------------------------------------------------------------------------|
+| icingadb/protect/variables | Obfuscate custom variable values of Icinga objects that are part of the list |
 
 `icingadb/protect/variables` will replace certain custom variable values with `***`. A user affected by this will still
-be able to see the variable names though. This should be a comma separated list of [variable paths](#variable-paths).
+be able to see the variable names, though. This should be a comma-separated list of [variable paths](#variable-paths).
 It is possible to use [match patterns](#match-patterns).
 
 ### Formats
diff --git a/doc/05-Upgrading.md b/doc/05-Upgrading.md
@@ -9,6 +9,14 @@ If you are upgrading across multiple versions, make sure to follow the steps for
 
 * The minimum required Icinga Web version is now 2.12.
 
+**Breaking Changes**
+
+* The restrictions `icingadb/denylist/variables` and `icingadb/protect/variables` from different roles are now
+  merged into a single list, respectively. This means that variables denied in one role will not show up anymore
+  if another role denies access to different variables. The same applies to `icingadb/protect/variables`, in which
+  case variables protected in one role will now be protected even if another role protects different variables.
+  This has been done to simplify the configuration and to get it more in line with how refusals work in Icinga Web.
+
 **Removed Features**
 
 * The routes `users`, `user`, `usergroup` and `usergroups` have been removed.
diff --git a/library/Icingadb/Common/Auth.php b/library/Icingadb/Common/Auth.php
@@ -119,35 +119,21 @@ public function assertColumnRestrictions(Filter\Rule $filter): void
             return;
         }
 
-        $forbiddenVars = Filter::all();
-        $protectedVars = Filter::any();
-        $hiddenVars = Filter::any();
+        $forbiddenVars = Filter::none();
         foreach ($this->getAuth()->getUser()->getRoles() as $role) {
             if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {
-                $denied = Filter::none();
-                $hiddenVars->add($denied);
                 foreach (explode(',', $restriction) as $value) {
-                    $denied->add(Filter::like('name', trim($value))->ignoreCase());
+                    $forbiddenVars->add(Filter::like('name', trim($value))->ignoreCase());
                 }
             }
 
             if (($restriction = $role->getRestrictions('icingadb/protect/variables'))) {
-                $protected = Filter::none();
-                $protectedVars->add($protected);
                 foreach (explode(',', $restriction) as $value) {
-                    $protected->add(Filter::like('name', trim($value))->ignoreCase());
+                    $forbiddenVars->add(Filter::like('name', trim($value))->ignoreCase());
                 }
             }
         }
 
-        if (! $hiddenVars->isEmpty()) {
-            $forbiddenVars->add($hiddenVars);
-        }
-
-        if (! $protectedVars->isEmpty()) {
-            $forbiddenVars->add($protectedVars);
-        }
-
         if ($forbiddenVars->isEmpty()) {
             return;
         }
@@ -217,13 +203,14 @@ public function applyRestrictions(Query $query)
             $resolver = $query->getResolver();
 
             $queryFilter = Filter::any();
-            $obfuscationRules = Filter::any();
+            $forbiddenVars = Filter::all();
+            $obfuscationRules = Filter::all();
             foreach ($this->getAuth()->getUser()->getRoles() as $role) {
                 $roleFilter = Filter::all();
 
                 if ($customVarRelationName !== false) {
                     if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {
-                        $roleFilter->add($this->parseDenylist(
+                        $forbiddenVars->add($this->parseDenylist(
                             $restriction,
                             $customVarRelationName
                                 ? $resolver->qualifyColumn('flatname', $customVarRelationName)
@@ -358,7 +345,8 @@ public function applyRestrictions(Query $query)
                 }
             }
 
-            $query->filter($queryFilter);
+            $query->filter($queryFilter)
+                ->filter($forbiddenVars);
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -119,35 +119,21 @@ public function assertColumnRestrictions(Filter\Rule $filter): void`
`119`	`119`	`return;`
`120`	`120`	`}`
`121`	`121`
`122`		`- $forbiddenVars = Filter::all();`
`123`		`- $protectedVars = Filter::any();`
`124`		`- $hiddenVars = Filter::any();`
	`122`	`+ $forbiddenVars = Filter::none();`
`125`	`123`	`foreach ($this->getAuth()->getUser()->getRoles() as $role) {`
`126`	`124`	`if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {`
`127`		`- $denied = Filter::none();`
`128`		`- $hiddenVars->add($denied);`
`129`	`125`	`foreach (explode(',', $restriction) as $value) {`
`130`		`- $denied->add(Filter::like('name', trim($value))->ignoreCase());`
	`126`	`+ $forbiddenVars->add(Filter::like('name', trim($value))->ignoreCase());`
`131`	`127`	`}`
`132`	`128`	`}`
`133`	`129`
`134`	`130`	`if (($restriction = $role->getRestrictions('icingadb/protect/variables'))) {`
`135`		`- $protected = Filter::none();`
`136`		`- $protectedVars->add($protected);`
`137`	`131`	`foreach (explode(',', $restriction) as $value) {`
`138`		`- $protected->add(Filter::like('name', trim($value))->ignoreCase());`
	`132`	`+ $forbiddenVars->add(Filter::like('name', trim($value))->ignoreCase());`
`139`	`133`	`}`
`140`	`134`	`}`
`141`	`135`	`}`
`142`	`136`
`143`		`- if (! $hiddenVars->isEmpty()) {`
`144`		`- $forbiddenVars->add($hiddenVars);`
`145`		`- }`
`146`		`-`
`147`		`- if (! $protectedVars->isEmpty()) {`
`148`		`- $forbiddenVars->add($protectedVars);`
`149`		`- }`
`150`		`-`
`151`	`137`	`if ($forbiddenVars->isEmpty()) {`
`152`	`138`	`return;`
`153`	`139`	`}`
`@@ -217,13 +203,14 @@ public function applyRestrictions(Query $query)`
`217`	`203`	`$resolver = $query->getResolver();`
`218`	`204`
`219`	`205`	`$queryFilter = Filter::any();`
`220`		`- $obfuscationRules = Filter::any();`
	`206`	`+ $forbiddenVars = Filter::all();`
	`207`	`+ $obfuscationRules = Filter::all();`
`221`	`208`	`foreach ($this->getAuth()->getUser()->getRoles() as $role) {`
`222`	`209`	`$roleFilter = Filter::all();`
`223`	`210`
`224`	`211`	`if ($customVarRelationName !== false) {`
`225`	`212`	`if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {`
`226`		`- $roleFilter->add($this->parseDenylist(`
	`213`	`+ $forbiddenVars->add($this->parseDenylist(`
`227`	`214`	`$restriction,`
`228`	`215`	`$customVarRelationName`
`229`	`216`	`? $resolver->qualifyColumn('flatname', $customVarRelationName)`
`@@ -358,7 +345,8 @@ public function applyRestrictions(Query $query)`
`358`	`345`	`}`
`359`	`346`	`}`
`360`	`347`
`361`		`- $query->filter($queryFilter);`
	`348`	`+ $query->filter($queryFilter)`
	`349`	`+ ->filter($forbiddenVars);`
`362`	`350`	`}`
`363`	`351`	`}`
`364`	`352`