Merge commit from fork

* Auth: Add method `assertColumnRestrictions`

* ObjectSuggestions: Do not suggest protected variables

`assertColumnRestrictions` does not allow to use them
anymore, hence we should not suggest them in searches
as well to not to let the user run into an error by
accepting a suggestion. Though, when fetching values
as well, we still have to obfuscate, otherwise protected
vars won't show up in details anymore.

* Introduce Icinga\Module\Icingadb\Common\Model

Must be used as base for all models, to ensure
column restrictions are asserted on filters.

* Utilize `Icinga\Module\Icingadb\Common\Model` where applicable

Author: nilmerg

library/Icingadb/Common/Auth.php

@@ -7,6 +7,7 @@
 use Icinga\Authentication\Auth as IcingaAuth;
 use Icinga\Exception\ConfigurationError;
 use Icinga\Module\Icingadb\Authentication\ObjectAuthorization;
+use Icinga\Security\SecurityException;
 use Icinga\Util\StringHelper;
 use ipl\Orm\Compat\FilterProcessor;
 use ipl\Orm\Model;
@@ -109,6 +110,75 @@ public function isMatchedOn(string $queryString, Model $object): bool
         return ObjectAuthorization::matchesOn($queryString, $object);
     }
 
+    /**
+     * Assert that the given filter does not contain any column restrictions
+     *
+     * @param Filter\Rule $filter The filter to check
+     *
+     * @return void
+     *
+     * @throws SecurityException
+     */
+    public function assertColumnRestrictions(Filter\Rule $filter): void
+    {
+        if ($this->getAuth()->getUser() === null || $this->getAuth()->getUser()->isUnrestricted()) {
+            return;
+        }
+
+        $forbiddenVars = Filter::all();
+        $protectedVars = Filter::any();
+        $hiddenVars = Filter::any();
+        foreach ($this->getAuth()->getUser()->getRoles() as $role) {
+            if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {
+                $denied = Filter::none();
+                $hiddenVars->add($denied);
+                foreach (explode(',', $restriction) as $value) {
+                    $denied->add(Filter::like('name', trim($value))->ignoreCase());
+                }
+            }
+
+            if (($restriction = $role->getRestrictions('icingadb/protect/variables'))) {
+                $protected = Filter::none();
+                $protectedVars->add($protected);
+                foreach (explode(',', $restriction) as $value) {
+                    $protected->add(Filter::like('name', trim($value))->ignoreCase());
+                }
+            }
+        }
+
+        if (! $hiddenVars->isEmpty()) {
+            $forbiddenVars->add($hiddenVars);
+        }
+
+        if (! $protectedVars->isEmpty()) {
+            $forbiddenVars->add($protectedVars);
+        }
+
+        if ($forbiddenVars->isEmpty()) {
+            return;
+        }
+
+        $checkVars = static function (Filter\Rule $filter) use ($forbiddenVars, &$checkVars) {
+            if ($filter instanceof Filter\Chain) {
+                foreach ($filter as $rule) {
+                    $checkVars($rule);
+                }
+            } elseif (
+                ! $filter->metaData()->get('_isRestriction', false)
+                && preg_match('/^(?:host|service)\.vars\.(.*)/i', $filter->getColumn(), $matches)
+            ) {
+                if (! Filter::match($forbiddenVars, ['name' => $matches[1]])) {
+                    throw new SecurityException(
+                        'The variable "%s" is not allowed to be queried.',
+                        $matches[1]
+                    );
+                }
+            }
+        };
+
+        $checkVars($filter);
+    }
+
     /**
      * Apply Icinga DB Web's restrictions depending on what is queried
      *
@@ -333,9 +403,13 @@ function (Filter\Condition $condition) use (
                     foreach ($allowedColumns as $column) {
                         if (is_callable($column)) {
                             if ($column($condition->getColumn())) {
+                                $condition->metaData()->set('_isRestriction', true);
+
                                 return;
                             }
                         } elseif ($column === $condition->getColumn()) {
+                            $condition->metaData()->set('_isRestriction', true);
+
                             return;
                         }
                     }

library/Icingadb/Common/Model.php

@@ -0,0 +1,27 @@
+<?php
+
+/* Icinga DB Web | (c) 2025 Icinga GmbH | GPLv2 */
+
+namespace Icinga\Module\Icingadb\Common;
+
+use ipl\Orm\Query;
+use ipl\Sql\Connection;
+
+abstract class Model extends \ipl\Orm\Model
+{
+    public static function on(Connection $db)
+    {
+        $query = parent::on($db);
+
+        return $query->on(
+            Query::ON_SELECT_ASSEMBLED,
+            function () use ($query) {
+                $auth = new class () {
+                    use Auth;
+                };
+
+                $auth->assertColumnRestrictions($query->getFilter());
+            }
+        );
+    }
+}

library/Icingadb/Model/AcknowledgementHistory.php

@@ -5,11 +5,11 @@
 namespace Icinga\Module\Icingadb\Model;
 
 use DateTime;
+use Icinga\Module\Icingadb\Common\Model;
 use ipl\Orm\Behavior\BoolCast;
 use ipl\Orm\Behavior\Binary;
 use ipl\Orm\Behavior\MillisecondTimestamp;
 use ipl\Orm\Behaviors;
-use ipl\Orm\Model;
 use ipl\Orm\Relations;
 
 /**

library/Icingadb/Model/ActionUrl.php

@@ -4,10 +4,10 @@
 
 namespace Icinga\Module\Icingadb\Model;
 
+use Icinga\Module\Icingadb\Common\Model;
 use Icinga\Module\Icingadb\Model\Behavior\ActionAndNoteUrl;
 use ipl\Orm\Behavior\Binary;
 use ipl\Orm\Behaviors;
-use ipl\Orm\Model;
 use ipl\Orm\Relations;
 
 /**

library/Icingadb/Model/Checkcommand.php

@@ -4,10 +4,10 @@
 
 namespace Icinga\Module\Icingadb\Model;
 
+use Icinga\Module\Icingadb\Common\Model;
 use Icinga\Module\Icingadb\Model\Behavior\ReRoute;
 use ipl\Orm\Behavior\Binary;
 use ipl\Orm\Behaviors;
-use ipl\Orm\Model;
 use ipl\Orm\Relations;
 
 /**

library/Icingadb/Model/CheckcommandArgument.php

@@ -4,9 +4,9 @@
 
 namespace Icinga\Module\Icingadb\Model;
 
+use Icinga\Module\Icingadb\Common\Model;
 use ipl\Orm\Behavior\Binary;
 use ipl\Orm\Behaviors;
-use ipl\Orm\Model;
 use ipl\Orm\Relations;
 
 /**

library/Icingadb/Model/CheckcommandCustomvar.php

@@ -4,9 +4,9 @@
 
 namespace Icinga\Module\Icingadb\Model;
 
+use Icinga\Module\Icingadb\Common\Model;
 use ipl\Orm\Behavior\Binary;
 use ipl\Orm\Behaviors;
-use ipl\Orm\Model;
 use ipl\Orm\Relations;
 
 /**

library/Icingadb/Model/CheckcommandEnvvar.php

@@ -6,7 +6,7 @@
 
 use ipl\Orm\Behavior\Binary;
 use ipl\Orm\Behaviors;
-use ipl\Orm\Model;
+use Icinga\Module\Icingadb\Common\Model;
 use ipl\Orm\Relations;
 
 /**

library/Icingadb/Model/Comment.php

@@ -10,7 +10,7 @@
 use ipl\Orm\Behavior\Binary;
 use ipl\Orm\Behavior\MillisecondTimestamp;
 use ipl\Orm\Behaviors;
-use ipl\Orm\Model;
+use Icinga\Module\Icingadb\Common\Model;
 use ipl\Orm\Relations;
 
 /**

library/Icingadb/Model/CommentHistory.php

@@ -9,7 +9,7 @@
 use ipl\Orm\Behavior\Binary;
 use ipl\Orm\Behavior\MillisecondTimestamp;
 use ipl\Orm\Behaviors;
-use ipl\Orm\Model;
+use Icinga\Module\Icingadb\Common\Model;
 use ipl\Orm\Relations;
 
 /**