use current frame scope for permission filter function calls

[Elias481]

proposed fix for follow-up issue/regression after implementing #7113 for #6874

should be reviewed by someone having the big-picture of the code

[Elias481]

Possibly the Frames for Permission/Filter evaluation could be created with allocLocals set to false then? As far as I can see the empty Locals Dictionary is not used anywhere. (Just to avoid to create unnecessary Dictionary objects..)

[Al2Klimov]

Test protocol

Environment:

• a fresh Icinga 2
• an API user ("notroot") with the permission objects/query/Host and filter {{ host }}

Before:

A query for Hosts with filter host or with no filter returns no objects to user notroot.

After:

Both queries return all objects.

Unchanged:

Both the query filter var%20x%20%3D%201%0Ax and the permission filter function() { var x = 1; return x && host } don't work as assignments aren't allowed in sandbox mode – so yes, we don't need locals here at all.

[Elias481]

I think technically the functions would be able to use locals as every function-wrapper creates a locals dict in the frame dedicated to the function-run on each execution of function anyway (within function wrapper encapsulated in a Callback / std::function).

The permissionFrame (or the frame passed to the DoEvaluate) is anyway not the frame the function Executes in. There is one more frame created in VMOps::FunctionCall -> Function::InvokeThis for calling the call Method/Function of Function (having no Locals and the Function Object as Self) and within call-method-function the Function to execute itself is taken from that frame and again Function::InvokeThis is called, again creating a ScriptFrame (having no Locals but setting Self to the Value of Arg0 wich is the one we specify in FilterUtility::CheckPermission). The Locals are then populated by the wrapper around the parsed function (which initializes the Locals with ClosedVars and Arguments for each execution).
That means it is effectively no difference for the permissons check function.

The thing that locals assignments are never allowed in sanboxed frames is more a shortcoming or a bug instead of expected behaviour from my point of view. (It wouldn't change any persistent state if the assignment affects only locals as the locals are thrown away at end of function execution...)

[dnsmichi]

Interesting, we had the same ideas on Tuesday (with the holidays up until now in between).

I wouldn't bother with changing the scoping access, or behaviour. Things will break, and I expected this with the change of the Self attribute in #6874 to be honest (which is one reason to leave the ticket open up until @marcofl and others had tested it).

Such scopes and frames are used inside the apply rules too, rendering breaking changes more visible.

Script debugger for permission filters

In terms of this problem, here's one hint for debugging/developing - you can attach to a thrown filter expression from inside a permission filter with running the daemon in foreground with icinga2 daemon -X. This will halt the daemon and move you into the debug console.

There, you can print things like this, globals and host to analyse the current scope better, especially on why the filter doesn't work. The same can be achieved with using debugger as a break point.

michi@mbpmif /usr/local/icinga/icinga2/etc/icinga2 $ icinga2 daemon -X
[2019-05-03 11:44:38 +0200] information/cli: Icinga application loader (version: v2.10.4-636-g759b090f8; debug)
[2019-05-03 11:44:38 +0200] information/cli: Loading configuration file(s).
[2019-05-03 11:44:38 +0200] information/ConfigItem: Committing config item(s).
[2019-05-03 11:44:38 +0200] information/ApiListener: My API identity: mbpmif.int.netways.de
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 7 CheckCommands.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 1 ApiUser.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 2 Hosts.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 1 HostGroup.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 1 Endpoint.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 3 Zones.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
[2019-05-03 11:44:38 +0200] information/ScriptGlobal: Dumping variables to file '/usr/local/icinga/icinga2/var/cache/icinga2/icinga2.vars'
[2019-05-03 11:44:38 +0200] information/ConfigObject: Restoring program state from file '/usr/local/icinga/icinga2/var/lib/icinga2/icinga2.state'
[2019-05-03 11:44:38 +0200] information/ConfigObject: Restored 21 objects. Loaded 0 new objects without state.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Triggering Start signal for config items
[2019-05-03 11:44:38 +0200] information/FileLogger: 'main-log' started.
[2019-05-03 11:44:38 +0200] information/ApiListener: 'api' started.
[2019-05-03 11:44:38 +0200] information/ApiListener: Started new listener on '[::]:5665'
[2019-05-03 11:44:38 +0200] information/NotificationComponent: 'notification' started.
[2019-05-03 11:44:38 +0200] information/CheckerComponent: 'checker' started.
[2019-05-03 11:44:38 +0200] information/ConfigItem: Activated all objects.

It isn't gdb in there, but allows to print things in a readable manner before deep-diving into the code analysis.

Use the following configuration:

object Host "simplehost_602611" {
  vars.categories = [ "openshift", ]
  display_name = "Servicehost: simplehost_602611"
  check_command = "dummy"
}
object HostGroup "category_openshift"  {
  assign where host.vars.categories && host.vars.categories.contains("openshift")
}
object ApiUser "blah"  {
  password = "welcome"
  permissions = [
  {
    permission = "objects/query/*"
    filter = {{ host.groups && "category_openshift" in host.groups }}
  },
  {
    permission = "actions/schedule-downtime"
    filter = {{ host.groups && "category_openshift" in host.groups }}
  },
  {
    permission = "actions/remove-downtime"
    filter = {{ host.groups && "category_openshift" in host.groups }}
  }, ]
}

And fire an API query for this user.

michi@mbpmif ~/dev/icinga/icinga-vagrant/standalone (master=) $ curl -k -s -u blah:welcome 'https://localhost:5665/v1/objects/hosts'

Change back to the icinga2 daemon terminal.

[2019-05-03 11:45:37 +0200] information/ApiListener: New client connection from [::1]:54425 (no client certificate)
[2019-05-03 11:45:37 +0200] information/HttpServerConnection: Request: GET /v1/objects/hosts (from [::1]:54425), user: blah, agent: curl/7.54.0).
Breakpoint encountered.
Exception: Error: Error while evaluating expression: Tried to access undefined script variable 'host'
Location: in /usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf: 16:17-16:20
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(14):   {
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(15):     permission = "objects/query/*"
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(16):     filter = {{ host.groups && "category_openshift" in host.groups }}
                                                                             ^^^^
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(17):   },
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(18):   {

You can inspect expressions (such as variables) by entering them at the prompt.
To leave the debugger and continue the program use "$continue".
For further commands see "$help".

Now, do some inspectation.

<2> => this
{
}
<3> => locals
{
}
<4> => keys(globals)
[ "ActiveStages", "Icinga", "Internal", "ManubulonPluginDir", "MaxConcurrentChecks", "NodeName", "PluginContribDir", "PluginDir", "ReloadTimeout", "StatsFunctions", "System", "TicketSalt", "Types", "ZoneName" ]
<5> => host
       ^^^^
Error while evaluating expression: Tried to access undefined script variable 'host'
<6> => $continue
[2019-05-03 11:47:28 +0200] information/HttpServerConnection: HTTP client disconnected (from [::1]:54425)

[Elias481]

Ah interesting, now I known what the script debugging mode means.
It would be fine to have such mode always at hand when doing some icinga2 scripting, as we are only working on a live environment when we are implementing some icinga2 scripts we cannot just start in -X mode for that. So sadly in most cases where this would come in very handy it's too much overhead compared to just check what have been done wrong in the script.

But for cases like this there is little information to get there. Just that it is not there (what can also be seen in the error message).
And on the other hand it's obvoius then that the Self of the permissionsFrame had never been populated to the Function and that is was only working because of the use of the Globals Namespace if this issue now appears.
Some Diving is necessary for someone who does not know how the Expressions-Engine works to be sure that the obvious approach is correct. And as this mysterious part of the icinga2 (how to integrate a "touring-complete" scripting language that completely and efficiently within a native C++ programs object model) is very intersting for me I took the chance...

[dnsmichi]

I just thought I'd share it with you, since you're doing a marvelous job with fixing problems in Icinga :)

It is true, this mainly is for developers while doing runtime tests with the API. The real true benefit for users is to use this within icinga2 daemon -C -X and halt on assign where expression errors, or anywhere in the DSL with the debugger keyword. That's what's documented for anyone interested ;)

[dnsmichi]

In terms of the expression language on its own - that's somewhat black magic written by Gunnar, now maintained by us. I am happy to share everything I know, and discuss it with you and others. The most problematic part here is that you likely need to take pen and paper and draw lots of things (which I am doing with @Al2Klimov and @htriem in our office).

My plan during the trainee years of @htriem is also to provide deep technical insights into the config compiler and its expression language thus explaining the DSL on a technical level. And also to tackle ideas like changing the AST into a more compelling faster mode. Maybe this is a good thing for later this year once the major stability problems are fixed, who knows.

Maybe we'll meet at OSMC or an Icinga Camp in the future, I'd like to thank you in person for all the effort you are putting here 😘

In terms of your patch, here's my test results.

Tests

Minimal test config for lldb/gdb for setting a break point inside the filter evaluation.
@Al2Klimov thanks for your tests, this helps a lot already :)

vim /usr/local/icinga/icinga2/etc/icinga2/icinga2.conf

include "constants.conf"
include "zones.conf"
include "features-enabled/*.conf"
include <itl>
/*
include <plugins>
include <plugins-contrib>
include <manubulon>
include <windows-plugins>
include <nscp>
include_recursive "conf.d"
include_recursive "tests"
*/
include "tests/602611.conf"

vim /usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf

object Host "simplehost_602611" {
  vars.categories = [ "openshift", ]
  display_name = "Servicehost: simplehost_602611"
  check_command = "dummy"
}
object HostGroup "category_openshift"  {
  assign where host.vars.categories && host.vars.categories.contains("openshift")
}
object ApiUser "blah"  {
  password = "welcome"
  permissions = [
  {
    permission = "objects/query/*"
    filter = {{ host.groups && "category_openshift" in host.groups }}
  },
  {
    permission = "actions/schedule-downtime"
    filter = {{ host.groups && "category_openshift" in host.groups }}
  },
  {
    permission = "actions/remove-downtime"
    filter = {{ host.groups && "category_openshift" in host.groups }}
  }, ]
}

Query

$ curl -k -s -u blah:welcome 'https://localhost:5665/v1/objects/hosts?pretty=1'
{
    "results": [
        {
            "attrs": {
                "__name": "simplehost_602611",
                "acknowledgement": 0.0,
                "acknowledgement_expiry": 0.0,
                "action_url": "",
                "active": true,
                "address": "",
                "address6": "",
                "check_attempt": 1.0,
                "check_command": "dummy",
                "check_interval": 300.0,
                "check_period": "",
                "check_timeout": null,
                "command_endpoint": "",
                "display_name": "Servicehost: simplehost_602611",
                "downtime_depth": 0.0,
                "enable_active_checks": true,
                "enable_event_handler": true,
                "enable_flapping": false,
                "enable_notifications": true,
                "enable_passive_checks": true,
                "enable_perfdata": true,
                "event_command": "",
                "flapping": false,
                "flapping_current": 0.0,
                "flapping_last_change": 0.0,
                "flapping_threshold": 0.0,
                "flapping_threshold_high": 30.0,
                "flapping_threshold_low": 25.0,
                "force_next_check": false,
                "force_next_notification": false,
                "groups": [
                    "category_openshift"
                ],
                "ha_mode": 0.0,
                "handled": false,
                "icon_image": "",
                "icon_image_alt": "",
                "last_check": 1556894648.842132,
                "last_check_result": {
                    "active": true,
                    "check_source": "mbpmif.int.netways.de",
                    "command": null,
                    "execution_end": 1556894648.842114,
                    "execution_start": 1556894648.842114,
                    "exit_status": 0.0,
                    "output": "Check was successful.",
                    "performance_data": [],
                    "schedule_end": 1556894648.842132,
                    "schedule_start": 1556894648.8361306,
                    "state": 0.0,
                    "ttl": 0.0,
                    "type": "CheckResult",
                    "vars_after": {
                        "attempt": 1.0,
                        "reachable": true,
                        "state": 0.0,
                        "state_type": 1.0
                    },
                    "vars_before": {
                        "attempt": 1.0,
                        "reachable": true,
                        "state": 0.0,
                        "state_type": 1.0
                    }
                },
                "last_hard_state": 0.0,
                "last_hard_state_change": 1556632532.169391,
                "last_reachable": true,
                "last_state": 0.0,
                "last_state_change": 1556632532.169391,
                "last_state_down": 0.0,
                "last_state_type": 1.0,
                "last_state_unreachable": 0.0,
                "last_state_up": 1556894648.84217,
                "max_check_attempts": 3.0,
                "name": "simplehost_602611",
                "next_check": 1556894947.5323632,
                "notes": "",
                "notes_url": "",
                "original_attributes": null,
                "package": "_etc",
                "paused": false,
                "previous_state_change": 1556632532.169391,
                "problem": false,
                "retry_interval": 60.0,
                "severity": 8.0,
                "source_location": {
                    "first_column": 1.0,
                    "first_line": 3.0,
                    "last_column": 31.0,
                    "last_line": 3.0,
                    "path": "/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf"
                },
                "state": 0.0,
                "state_type": 1.0,
                "templates": [
                    "simplehost_602611"
                ],
                "type": "Host",
                "vars": {
                    "categories": [
                        "openshift"
                    ]
                },
                "version": 0.0,
                "volatile": false,
                "zone": ""
            },
            "joins": {},
            "meta": {},
            "name": "simplehost_602611",
            "type": "Host"
        }
    ]
}

Filter debugger

Change the permissions to something like this.

filter = {{ debugger; host.groups && "category_openshift" in host.groups }}

Run

icinga2 daemon -X

Fire the query again.

Change back to Icinga running in foreground.

[2019-05-03 16:45:53 +0200] information/HttpServerConnection: Request: GET /v1/objects/hosts?pretty=1 (from [::1]:49269), user: blah, agent: curl/7.54.0).
Breakpoint encountered.
Location: in /usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf: 16:17-16:24
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(14):   {
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(15):     permission = "objects/query/*"
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(16):     filter = {{ debugger; host.groups && "category_openshift" in host.groups }}
                                                                             ^^^^^^^^
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(17):   },
/usr/local/icinga/icinga2/etc/icinga2/tests/602611.conf(18):   {
You can inspect expressions (such as variables) by entering them at the prompt.
To leave the debugger and continue the program use "$continue".
For further commands see "$help".

<2> => this
{
	check_command = {
		__name = "dummy"
		active = true
		arguments = null
		command = null
		env = null
		execute = {
			arguments = [ "checkable", "cr", "resolvedMacros", "useResolvedMacros" ]
			deprecated = false
			name = "Internal#DummyCheck"
			side_effect_free = false
			type = "Function"
		}
		extensions = {
			DbObject = {
				type = "Object"
			}
		}
		ha_mode = 0.000000
		name = "dummy"
		original_attributes = null
		package = "_etc"
		pause_called = false
		paused = false
		resume_called = true
		source_location = {
			first_column = 1.000000
			first_line = 17.000000
			last_column = 27.000000
			last_line = 17.000000
			path = "/usr/local/icinga/icinga2/share/icinga2/include/command-icinga.conf"
		}
		start_called = true
		state_loaded = true
		stop_called = false
		templates = [ "dummy", "plugin-check-command", "dummy-check-command" ]
		timeout = 60.000000
		type = "CheckCommand"
		vars = {
			dummy_state = 0.000000
			dummy_text = "Check was successful."
		}
		version = 0.000000
		zone = ""
	}
	check_period = null
	command_endpoint = null
	event_command = null
	host = {
		__name = "cmdb-host"
		acknowledgement = 0.000000
		acknowledgement_expiry = 0.000000
		action_url = ""
		active = true
		address = ""
		address6 = ""
		check_attempt = 1.000000
		check_command = "dummy"
		check_interval = 300.000000
		check_period = ""
		check_timeout = null
		command_endpoint = ""
		display_name = "cmdb-host"
		downtime_depth = 0.000000
		enable_active_checks = true
		enable_event_handler = true
		enable_flapping = false
		enable_notifications = true
		enable_passive_checks = true
		enable_perfdata = true
		event_command = ""
		extensions = {
			DbObject = {
				type = "Object"
			}
		}
		flapping = false
		flapping_buffer = 0.000000
		flapping_current = 0.000000
		flapping_index = 3.000000
		flapping_last_change = 0.000000
		flapping_threshold = 0.000000
		flapping_threshold_high = 30.000000
		flapping_threshold_low = 25.000000
		force_next_check = false
		force_next_notification = false
		groups = [ ]
		ha_mode = 0.000000
		handled = false
		icon_image = ""
		icon_image_alt = ""
		last_check = 1556894656.729626
		last_check_result = {
			active = true
			check_source = "mbpmif.int.netways.de"
			command = null
			execution_end = 1556894656.729605
			execution_start = 1556894656.729605
			exit_status = 0.000000
			output = "Check was successful."
			performance_data = [ ]
			schedule_end = 1556894656.729626
			schedule_start = 1556894656.728958
			state = 0.000000
			ttl = 0.000000
			type = "CheckResult"
			vars_after = {
				attempt = 1.000000
				reachable = true
				state = 0.000000
				state_type = 1.000000
			}
			vars_before = {
				attempt = 1.000000
				reachable = true
				state = 0.000000
				state_type = 1.000000
			}
		}
		last_hard_state = 0.000000
		last_hard_state_change = 1556279557.633899
		last_hard_state_raw = 0.000000
		last_reachable = true
		last_state = 0.000000
		last_state_change = 1556279557.633899
		last_state_down = 0.000000
		last_state_raw = 0.000000
		last_state_type = 1.000000
		last_state_unreachable = 0.000000
		last_state_up = 1556894656.729666
		max_check_attempts = 3.000000
		name = "cmdb-host"
		next_check = 1556894942.859719
		notes = ""
		notes_url = ""
		original_attributes = null
		package = "d"
		pause_called = false
		paused = false
		previous_state_change = 1556279557.633899
		problem = false
		resume_called = true
		retry_interval = 60.000000
		severity = 8.000000
		source_location = {
			first_column = 0.000000
			first_line = 1.000000
			last_column = 22.000000
			last_line = 1.000000
			path = "/usr/local/icinga/icinga2/var/lib/icinga2/api/packages/d/1c0d8416-08f0-4e9e-a413-7d37315bc640/conf.d/test.conf"
		}
		start_called = true
		state = 0.000000
		state_loaded = true
		state_raw = 0.000000
		state_type = 1.000000
		stop_called = false
		templates = [ "cmdb-host" ]
		type = "Host"
		vars = null
		version = 0.000000
		volatile = false
		zone = ""
	}
	obj = {
		__name = "cmdb-host"
		acknowledgement = 0.000000
		acknowledgement_expiry = 0.000000
		action_url = ""
		active = true
		address = ""
		address6 = ""
		check_attempt = 1.000000
		check_command = "dummy"
		check_interval = 300.000000
		check_period = ""
		check_timeout = null
		command_endpoint = ""
		display_name = "cmdb-host"
		downtime_depth = 0.000000
		enable_active_checks = true
		enable_event_handler = true
		enable_flapping = false
		enable_notifications = true
		enable_passive_checks = true
		enable_perfdata = true
		event_command = ""
		extensions = {
			DbObject = {
				type = "Object"
			}
		}
		flapping = false
		flapping_buffer = 0.000000
		flapping_current = 0.000000
		flapping_index = 3.000000
		flapping_last_change = 0.000000
		flapping_threshold = 0.000000
		flapping_threshold_high = 30.000000
		flapping_threshold_low = 25.000000
		force_next_check = false
		force_next_notification = false
		groups = [ ]
		ha_mode = 0.000000
		handled = false
		icon_image = ""
		icon_image_alt = ""
		last_check = 1556894656.729626
		last_check_result = {
			active = true
			check_source = "mbpmif.int.netways.de"
			command = null
			execution_end = 1556894656.729605
			execution_start = 1556894656.729605
			exit_status = 0.000000
			output = "Check was successful."
			performance_data = [ ]
			schedule_end = 1556894656.729626
			schedule_start = 1556894656.728958
			state = 0.000000
			ttl = 0.000000
			type = "CheckResult"
			vars_after = {
				attempt = 1.000000
				reachable = true
				state = 0.000000
				state_type = 1.000000
			}
			vars_before = {
				attempt = 1.000000
				reachable = true
				state = 0.000000
				state_type = 1.000000
			}
		}
		last_hard_state = 0.000000
		last_hard_state_change = 1556279557.633899
		last_hard_state_raw = 0.000000
		last_reachable = true
		last_state = 0.000000
		last_state_change = 1556279557.633899
		last_state_down = 0.000000
		last_state_raw = 0.000000
		last_state_type = 1.000000
		last_state_unreachable = 0.000000
		last_state_up = 1556894656.729666
		max_check_attempts = 3.000000
		name = "cmdb-host"
		next_check = 1556894942.859719
		notes = ""
		notes_url = ""
		original_attributes = null
		package = "d"
		pause_called = false
		paused = false
		previous_state_change = 1556279557.633899
		problem = false
		resume_called = true
		retry_interval = 60.000000
		severity = 8.000000
		source_location = {
			first_column = 0.000000
			first_line = 1.000000
			last_column = 22.000000
			last_line = 1.000000
			path = "/usr/local/icinga/icinga2/var/lib/icinga2/api/packages/d/1c0d8416-08f0-4e9e-a413-7d37315bc640/conf.d/test.conf"
		}
		start_called = true
		state = 0.000000
		state_loaded = true
		state_raw = 0.000000
		state_type = 1.000000
		stop_called = false
		templates = [ "cmdb-host" ]
		type = "Host"
		vars = null
		version = 0.000000
		volatile = false
		zone = ""
	}
}
<3> =>

My main concern was globals and this is correctly being accessible. This is important if your filters would use global constants for example.

<4> => keys(globals)
[ "ActiveStages", "Icinga", "Internal", "ManubulonPluginDir", "MaxConcurrentChecks", "NodeName", "PluginContribDir", "PluginDir", "ReloadTimeout", "StatsFunctions", "System", "TicketSalt", "Types", "ZoneName" ]

Conclusion

Works like a charm, many thanks. Would it be ok for you being mentioned in the release changelog with your full name/company?

[Elias481]

There was really once a situation where we could have needed the icinga2 daemon -C -X for something I do not remeber anymore. I will keep it it mind for next situation which is likely to come when I find time to do actual migration of monitoring for application I'm in mainly in charge for. Or possibly that can help me on next work on a script to get some "runtime" data out of icinga2.

I think the AST is quite fast already (most time is accounted for transferring).
On my personal whishlist regarding this (if a bigger rework is done) would be that all scripts that effectively do not change any persistent/runtime state could be run in sandboxed mode - and in turn that a permission like sandboxed-console would be available for API users (that could then safely be used to query Icinga2 without risking that they change anything using more complex logic then possible with plain queries).

I don't have an issue with being mentioned in changelog. And will ask my boss for participation in OSMC or Icinga Camp as I think that's something the company could pay for.