Module: check_mk Branch: master Commit: c08a828750b352578726d638450513c396a1cf3a URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c08a828750b352… Author: Andreas Boesl <ab(a)mathias-kettner.de> Date: Mon Jun 12 17:14:02 2017 +0200 4715 FIX Web-API Calls updates. get_ruleset/get_sites: enforce output_format=python. set_ruleset now validates incoming data Change-Id: I4f856f9ea18a68924759d3a547611a46c040e96e --- .werks/4715 | 10 ++++++++++ web/htdocs/webapi.py | 16 +++++++++++----- web/plugins/webapi/webapi.py | 25 +++++++++++++++++++------ 3 files changed, 40 insertions(+), 11 deletions(-) diff --git a/.werks/4715 b/.werks/4715 new file mode 100644 index 0000000..f31650d --- /dev/null +++ b/.werks/4715 @@ -0,0 +1,10 @@ +Title: Web-API Calls updates. get_ruleset/get_sites: enforce output_format=python. set_ruleset now validates incoming data +Level: 1 +Component: wato +Compatible: compat +Edition: cre +Version: 1.5.0i1 +Date: 1497280352 +Class: fix + + diff --git a/web/htdocs/webapi.py b/web/htdocs/webapi.py index dd1ebdb..f84f935 100644 --- a/web/htdocs/webapi.py +++ b/web/htdocs/webapi.py @@ -103,15 +103,21 @@ def page_api(): # Check if the data was sent with the correct data format # Some API calls only allow python code # TODO: convert the api_action dict into an object which handles the validation - required_format = api_actions[action].get("required_input_format") - if required_format: - if required_format != request_object["request_format"]: - raise MKUserError(None, "This API call requires a %s-encoded request parameter" % required_format) + required_input_format = api_actions[action].get("required_input_format") + if required_input_format: + if required_input_format != request_object["request_format"]: + raise MKUserError(None, "This API call requires a %s-encoded request parameter" % required_input_format) + + required_output_format = api_actions[action].get("required_output_format") + if required_output_format: + if required_output_format != html.output_format: + raise MKUserError(None, "This API call requires the parameter output_format=%s" % required_output_format) + + # The request_format parameter is not forwarded into the API action if "request_format" in request_object: del request_object["request_format"] - if api_actions[action].get("locking", True): lock_exclusive() # unlock is done automatically diff --git a/web/plugins/webapi/webapi.py b/web/plugins/webapi/webapi.py index 45a6de2..e6528a8 100644 --- a/web/plugins/webapi/webapi.py +++ b/web/plugins/webapi/webapi.py @@ -625,9 +625,10 @@ class APICallRules(APICallCollection): required_permissions = ["wato.rulesets"] # wato.services ? return { "get_ruleset": { - "handler" : self._get, - "required_permissions": required_permissions, - "locking" : True, # locking? + "handler" : self._get, + "required_permissions" : required_permissions, + "required_output_format" : "python", + "locking" : True, # locking? }, "set_ruleset": { "handler" : self._set, @@ -701,6 +702,17 @@ class APICallRules(APICallCollection): rule_folder = Folder.folder(folder_path) rule_folder.need_permission("write") + # Verify all rules + rule_vs = Ruleset(ruleset_name).rulespec.valuespec + for folder_path, rules in new_ruleset.items(): + for rule in rules: + value = rule["value"] + try: + rule_vs.validate_datatype(value, "test_value") + rule_vs.validate_value(value, "test_value") + except MKException, e: + raise MKException("ERROR: %s. Affected Rule %r" % (str(e), rule)) + # Add new rulesets for folder_path, rules in new_ruleset.items(): @@ -866,9 +878,10 @@ class APICallSites(APICallCollection): required_permissions = ["wato.sites"] return { "get_site": { - "handler" : self._get, - "required_permissions" : required_permissions, - "locking" : False, + "handler" : self._get, + "required_permissions" : required_permissions, + "required_output_format" : "python", + "locking" : False, }, "set_site": { "handler" : self._set,