
Add --optimize add-/cleanup-feed-permissions
The add-feed-permissions option adds read permissions on the feed data
objects for all roles defined in the "Feed Import Roles" setting if they
do not exist.
The cleanup-feed-permissions option removes all role permissions on the feed
data objects that do not match the ones in the setting.

(cherry picked from commit 9e97c38)
timopollmeier authored and mergify-bot committed Jul 28, 2021
1 parent 9005da2 commit 8beda0c
Showing 6 changed files with 293 additions and 4 deletions.
18 changes: 18 additions & 0 deletions INSTALL.md
Expand Up @@ -350,13 +350,31 @@ supported values for `<name>` are:
For more information see the documentation for the `ANALYZE` command of the
database back-end you are using.

- `add-feed-permissions`

This option adds new read permissions on all feed data objects for the roles
defined in the "Feed Import Roles" setting if they do not exist.
The new permissions will be owned by the same user as the data objects,
usually the feed import owner.

This does not affect the command permissions, any permissions created for
users or groups, or other types of permissions like modify or delete.

- `cleanup-config-prefs`

This option removes duplicate preferences from Scan Configs and corrects
some broken preference values. For the latter, the NVT preferences in the
database must be up to date (if Manager and Scanner are both running, then
this should happen automatically).

- `cleanup-feed-permissions`

This option removes permissions on all feed data objects for all roles
that are not defined in the "Feed Import Roles" setting.

This does not affect the command permissions, any permissions created for
users or groups, or other types of permissions like modify or delete.

- `cleanup-port-names`

This cleans up the ports of results as stored in the database by removing
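--- a/doc/gvmd.8
+++ b/doc/gvmd.8
@@ -125,7 +125,7 @@ Modify user's password and exit.
 Modify user's password and exit.
 .TP
 \fB--optimize=\fINAME\fB\f1
-Run an optimization: vacuum, analyze, cleanup-config-prefs, cleanup-port-names, cleanup-report-formats, cleanup-result-nvts, cleanup-result-severities, cleanup-schedule-times, migrate-relay-sensors, rebuild-report-cache or update-report-cache.
+Run an optimization: vacuum, add-feed-permissions, analyze, cleanup-config-prefs, cleanup-feed-permissions, cleanup-port-names, cleanup-report-formats, cleanup-result-nvts, cleanup-result-severities, cleanup-schedule-times, migrate-relay-sensors, rebuild-report-cache or update-report-cache.
 .TP
 \fB--osp-vt-update=\fISCANNER-SOCKET\fB\f1
 Unix socket for OSP NVT update. Defaults to the path of the 'OpenVAS Default' scanner if it is an absolute path.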
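--- a/doc/gvmd.8.xml
+++ b/doc/gvmd.8.xml
@@ -283,7 +283,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
 <option>
 <p><opt>--optimize=<arg>NAME</arg></opt></p>
 <optdesc>
-<p>Run an optimization: vacuum, analyze, cleanup-config-prefs,
+<p>Run an optimization: vacuum, add-feed-permissions, analyze,
+cleanup-config-prefs, cleanup-feed-permissions,
 cleanup-port-names, cleanup-report-formats, cleanup-result-nvts,
 cleanup-result-severities, cleanup-schedule-times,
 migrate-relay-sensors, rebuild-report-cache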
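--- a/doc/gvmd.html
+++ b/doc/gvmd.html
@@ -245,7 +245,8 @@ <h2>Options</h2>
 
 <p><b>--optimize=<em>NAME</em></b></p>
 
-<p>Run an optimization: vacuum, analyze, cleanup-config-prefs,
+<p>Run an optimization: vacuum, analyze, add-feed-permissions,
+cleanup-config-prefs, cleanup-feed-permissions,
 cleanup-port-names, cleanup-report-formats, cleanup-result-nvts,
 cleanup-result-severities, cleanup-schedule-times,
 migrate-relay-sensors, rebuild-report-cache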
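--- a/src/gvmd.c
+++ b/src/gvmd.c
@@ -1976,7 +1976,8 @@ gvmd (int argc, char** argv)
 "<password>" },
 { "optimize", '\0', 0, G_OPTION_ARG_STRING,
 &optimize,
-"Run an optimization: vacuum, analyze, cleanup-config-prefs,"
+"Run an optimization: vacuum, analyze, add-feed-permissions,"
+" cleanup-config-prefs, cleanup-feed-permissions,"
 " cleanup-port-names, cleanup-report-formats, cleanup-result-encoding,"
 " cleanup-result-nvts, cleanup-result-severities,"
 " cleanup-schedule-times, migrate-relay-sensors,"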
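Review bot: The option list in this help string puts `add-feed-permissions` after `analyze`, whereas the man page and the XML source in the same commit list it before `analyze`, so the two user-facing lists are no longer in the same order. Pick one ordering (the man page's alphabetical one seems intended) and use it in both, e.g. `"Run an optimization: vacuum, add-feed-permissions, analyze,"`. The GOptionEntry array this string belongs to starts and ends outside the hunk.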
268 changes: 268 additions & 0 deletions src/manage_sql.c
Expand Up @@ -43985,6 +43985,224 @@ modify_permission (const char *permission_id, const char *name_arg,
return 0;
}

/**
* @brief Add role permissions to feed objects according to the
* 'Feed Import Roles' setting.
*
* @param[in] type The object type, e.g. report_format.
* @param[in] type_cap Capitalized type, e.g. "Report Format"
* @param[out] permission_count Number of permissions added.
* @param[out] object_count Number of data objects affected.
*/
static void
add_feed_role_permissions (const char *type,
const char *type_cap,
int *permission_count,
int *object_count)
{
char *roles_str;
gchar **roles;
iterator_t resources;

roles_str = NULL;
setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &roles_str);

if (roles_str == NULL || strlen (roles_str) == 0)
{
g_message ("%s: No feed import roles defined", __func__);
g_free (roles_str);
return;
}

roles = g_strsplit (roles_str, ",", 0);
free (roles_str);

init_iterator (&resources,
"SELECT id, uuid, name, owner FROM %ss"
" WHERE predefined = 1",
type);
while (next (&resources))
{
gboolean added_permission = FALSE;
resource_t permission_resource = iterator_int64 (&resources, 0);
const char *permission_resource_id = iterator_string (&resources, 1);
const char *permission_resource_name = iterator_string (&resources, 2);
user_t owner = iterator_int64 (&resources, 3);
gchar **role = roles;

while (*role)
{
char *role_name = NULL;
resource_name ("role", *role, LOCATION_TABLE, &role_name);

if (sql_int ("SELECT count(*) FROM permissions"
" WHERE name = 'get_%ss'"
" AND subject_type = 'role'"
" AND subject"
" = (SELECT id FROM roles WHERE uuid='%s')"
" AND resource = %llu",
type,
*role,
permission_resource))
{
g_debug ("Role %s (%s) already has read permission"
" for %s %s (%s).",
role_name,
*role,
type_cap,
permission_resource_name,
permission_resource_id);
}
else
{
gchar *permission_name;

g_info ("Creating read permission for role %s (%s)"
" on %s %s (%s).",
role_name,
*role,
type_cap,
permission_resource_name,
permission_resource_id);

added_permission = TRUE;
if (permission_count)
*permission_count = *permission_count + 1;

permission_name = g_strdup_printf ("get_%ss", type);

current_credentials.uuid = user_uuid (owner);
create_permission_internal (0,
permission_name,
"Automatically created by"
" --optimize",
type,
permission_resource_id,
"role",
*role,
NULL);
free (current_credentials.uuid);
current_credentials.uuid = NULL;
}

free (role_name);
role ++;
}
if (object_count && added_permission)
*object_count = *object_count + 1;
}

cleanup_iterator (&resources);
g_strfreev (roles);

return;
}


/**
* @brief Delete permissions to feed objects for roles that are not set
* in the 'Feed Import Roles' setting.
*
* @param[in] type The object type, e.g. report_format.
* @param[in] type_cap Capitalized type, e.g. "Report Format"
* @param[out] permission_count Number of permissions added.
* @param[out] object_count Number of data objects affected.
*/
static void
clean_feed_role_permissions (const char *type,
const char *type_cap,
int *permission_count,
int *object_count)
{
char *roles_str;
gchar **roles, **role;
GString *sql_roles;
iterator_t resources;

roles_str = NULL;
setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &roles_str);

if (roles_str == NULL || strlen (roles_str) == 0)
{
g_message ("%s: No feed import roles defined", __func__);
g_free (roles_str);
return;
}

sql_roles = g_string_new ("(");

if (roles_str)
{
roles = g_strsplit (roles_str, ",", 0);
role = roles;
while (*role)
{
gchar *quoted_role = sql_insert (*role);
g_string_append (sql_roles, quoted_role);

role ++;
if (*role)
g_string_append (sql_roles, ", ");
}

}

g_string_append (sql_roles, ")");
g_debug ("%s: Keeping permissions for roles %s\n", __func__, sql_roles->str);

init_iterator (&resources,
"SELECT id, uuid, name FROM %ss"
" WHERE predefined = 1",
type);

while (next (&resources))
{
gboolean removed_permission = FALSE;
resource_t permission_resource = iterator_int64 (&resources, 0);
const char *permission_resource_id = iterator_string (&resources, 1);
const char *permission_resource_name = iterator_string (&resources, 2);
iterator_t permissions;

init_iterator (&permissions,
"DELETE FROM permissions"
" WHERE name = 'get_%ss'"
" AND resource = %llu"
" AND subject_type = 'role'"
" AND subject NOT IN"
" (SELECT id FROM roles WHERE uuid IN %s)"
" RETURNING"
" (SELECT uuid FROM roles WHERE id = subject),"
" (SELECT name FROM roles WHERE id = subject)",
type,
permission_resource,
sql_roles->str);

while (next (&permissions))
{
const char *role_id = iterator_string (&permissions, 0);
const char *role_name = iterator_string (&permissions, 1);
g_info ("Removed permission on %s %s (%s) for role %s (%s)",
type_cap,
permission_resource_name,
permission_resource_id,
role_name,
role_id);

if (permission_count)
*permission_count = *permission_count + 1;
removed_permission = TRUE;
}

if (object_count && removed_permission)
*object_count = *object_count + 1;
}

cleanup_iterator (&resources);
g_strfreev (roles);

return;
}


/* Roles. */

Expand Down Expand Up @@ -55599,6 +55817,31 @@ manage_optimize (GSList *log_config, const db_conn_info_t *database,
(new_size - old_size)
* 100.0 / old_size);
}
else if (strcasecmp (name, "add-feed-permissions") == 0)
{
int permissions_count, object_count;
permissions_count = 0;
object_count = 0;
sql_begin_immediate ();
add_feed_role_permissions ("config",
"Scan Config / Policy",
&permissions_count,
&object_count);
add_feed_role_permissions ("port_list",
"Port List",
&permissions_count,
&object_count);
add_feed_role_permissions ("report_format",
"Report Format",
&permissions_count,
&object_count);
sql_commit ();
success_text = g_strdup_printf ("Optimized: add-feed-permissions."
" Added %d permissions"
" for %d data objects.",
permissions_count,
object_count);
}
else if (strcasecmp (name, "analyze") == 0)
{
sql ("ANALYZE;");
Expand All @@ -55624,6 +55867,31 @@ manage_optimize (GSList *log_config, const db_conn_info_t *database,
" %d. Corrected preference values: %d",
removed, fixed_values);
}
else if (strcasecmp (name, "cleanup-feed-permissions") == 0)
{
int permissions_count, object_count;
permissions_count = 0;
object_count = 0;
sql_begin_immediate ();
clean_feed_role_permissions ("config",
"Scan Config / Policy",
&permissions_count,
&object_count);
clean_feed_role_permissions ("port_list",
"Port List",
&permissions_count,
&object_count);
clean_feed_role_permissions ("report_format",
"Report Format",
&permissions_count,
&object_count);
sql_commit ();
success_text = g_strdup_printf ("Optimized: cleanup-feed-permissions."
" Removed %d permissions"
" for %d data objects.",
permissions_count,
object_count);
}
else if (strcasecmp (name, "cleanup-port-names") == 0)
{
int changes_iana, changes_old_format;
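Review bot: In add_feed_role_permissions the role UUIDs split out of the 'Feed Import Roles' setting are interpolated unquoted into the `uuid='%s'` comparison of the sql_int query, while clean_feed_role_permissions runs the same values through sql_insert before building its `uuid IN (...)` list; the two helpers should treat the setting identically, e.g. `gchar *quoted_role = sql_insert (*role);` and `" = (SELECT id FROM roles WHERE uuid=%s)"` with the quoted value as the argument, which also keeps stray whitespace or quote characters in the setting from breaking or altering the query. clean_feed_role_permissions also leaks on its normal path: roles_str is only released in the early return, sql_roles is never passed to g_string_free, and if sql_insert returns an allocated string (the loop does not free quoted_role either, so I cannot tell from here) it is dropped on every iteration; the `if (roles_str)` guard after the early return is always true and can go. In add_feed_role_permissions permission_count is incremented before create_permission_internal is called and that call's return value is ignored, so the "Added %d permissions" summary built in manage_optimize can overstate what was actually created; move the increment after a checked call. The new manage_optimize branches wrap the three helper calls in sql_begin_immediate/sql_commit, but since both helpers are void a failure inside them still commits whatever partial work was done; returning a status from the helpers and rolling back on error would make the optimize step atomic as the transaction suggests.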
