Toicingadb: Add restrictionAction to migrate monitoring restrictions

Icinga · Oct 30, 2023 · 5fb7639 · 5fb7639
1 parent 0dcb763
commit 5fb7639
Showing 1 changed file with 133 additions and 2 deletions.
diff --git a/modules/migrate/application/clicommands/ToicingadbCommand.php b/modules/migrate/application/clicommands/ToicingadbCommand.php
@@ -50,8 +50,8 @@ public function init(): void
      * REQUIRED OPTIONS:
      *
      *  --user=<username>  Migrate monitoring navigation items only for
-     *                     the given user or matching all similar users
-     *                     if a wildcard is used. (* matches all users)
+     *                     the given user or all similar users if a
+     *                     wildcard is used. (* matches all users)
      *
      * OPTIONS:
      *
@@ -161,6 +161,137 @@ public function navigationAction(): void
         Logger::info('Successfully migrated all local user monitoring navigation items');
     }
 
+
+    /**
+     * Migrate monitoring restrictions in a role to Icinga DB Web restrictions
+     *
+     * USAGE
+     *
+     *  icingacli migrate toicingadb restriction [options]
+     *
+     * OPTIONS:
+     *
+     *  --group=<groupname>  Migrate monitoring restrictions for all roles,
+     *                       the given group or the groups matching the given
+     *                       group belongs to.
+     *                       (wildcard * migrates monitoring restrictions
+     *                       for all roles)
+     *
+     *  --role=<rolename>    Migrate monitoring restrictions for the
+     *                       given role or all the matching roles.
+     *                       (wildcard * migrates monitoring restrictions
+     *                       for all roles)
+     *
+     *  --override          Override the existing Icinga DB restrictions
+     */
+    public function restrictionAction(): void
+    {
+        $override = $this->params->get('override');
+
+        /** @var ?string $groupName */
+        $groupName = $this->params->get('group');
+        /** @var ?string $roleName */
+        $roleName = $this->params->get('role');
+
+        if ($roleName === null && $groupName === null) {
+            $this->fail("One of the parameters 'group' or 'role' must be supplied");
+        }
+
+        $rc = 0;
+        $restrictions = Config::$configDir . '/roles.ini';
+        $rolesConfig = $this->readFromIni($restrictions, $rc);
+        $monitoringRestriction = 'monitoring/filter/objects';
+        $monitoringPropertyBlackList = 'monitoring/blacklist/properties';
+        $icingadbRestrictions = [
+            'objects'  => 'icingadb/filter/objects',
+            'hosts'    => 'icingadb/filter/hosts',
+            'services' => 'icingadb/filter/services'
+        ];
+
+        $icingadbPropertyDenyList = 'icingadb/denylist/variables';
+        Logger::info('Start monitoring restrictions migration');
+        foreach ($rolesConfig as $name => $role) {
+            /** @var string[] $role */
+            $role = iterator_to_array($role);
+            $updateRole = false;
+
+            if ($roleName === '*' || $groupName === '*') {
+                $updateRole = true;
+            } elseif ($roleName !== null && fnmatch($roleName, $name)) {
+                $updateRole = true;
+            } elseif ($groupName !== null && isset($role['groups'])) {
+                $roleGroups = array_map('trim', explode(',', $role['groups']));
+
+                foreach ($roleGroups as $roleGroup) {
+                    if (fnmatch($groupName, $roleGroup)) {
+                        $updateRole = true;
+                        break;
+                    }
+                }
+            }
+
+            if ($updateRole) {
+                if (isset($role[$monitoringRestriction])) {
+                    if (! isset($role[$icingadbRestrictions['objects']]) || $override) {
+                        Logger::info(
+                            'Migrating monitoring restriction filter for role "%s" to the Icinga DB Web restrictions',
+                            $name
+                        );
+                        $transformedFilter = UrlMigrator::transformFilter(
+                            QueryString::parse($role[$monitoringRestriction])
+                        );
+
+                        if ($transformedFilter) {
+                            $role[$icingadbRestrictions['objects']] = QueryString::render($transformedFilter);
+                        }
+                    }
+                }
+
+                if (isset($role[$monitoringPropertyBlackList])) {
+                    if (! isset($role[$icingadbPropertyDenyList]) || $override) {
+                        Logger::info(
+                            'Migrating monitoring blacklisted properties for role "%s" to the Icinga DB Web deny list',
+                            $name
+                        );
+                        $role[$icingadbPropertyDenyList] = $role[$monitoringPropertyBlackList];
+                    }
+                }
+
+                foreach ($icingadbRestrictions as $object => $icingadbRestriction) {
+                    if (isset($role[$icingadbRestriction])) {
+                        $filter = QueryString::parse($role[$icingadbRestriction]);
+                        $filter = $this->transformLegacyWildcardFilter($filter);
+
+                        if ($filter) {
+                            $filter = rawurldecode(QueryString::render($filter));
+                            Logger::info(
+                                'Icinga Db Web restriction of role "%s" for %s changed from "%s" to "%s"',
+                                $name,
+                                $object,
+                                $role[$icingadbRestriction],
+                                $filter
+                            );
+
+                            $role[$icingadbRestriction] = $filter;
+                        }
+                    }
+                }
+
+                $rolesConfig->setSection($name, $role);
+            }
+        }
+
+        try {
+            $rolesConfig->saveIni();
+        } catch (NotWritableError $error) {
+            Logger::error('%s: %s', $error->getMessage(), $error->getPrevious()->getMessage());
+            Logger::error('Failed to migrate monitoring restrictions');
+            exit(256);
+        }
+
+        Logger::info('Successfully migrated monitoring restrictions');
+    }
+
     /**
      * Migrate the given config to the given new config path
      *