From 5a7e62c5100be7511d3f7a50359f949f6f86d065 Mon Sep 17 00:00:00 2001 From: Ahmed Abdelsalam Date: Tue, 8 Oct 2024 11:13:35 +0200 Subject: [PATCH 1/2] Change: Extend get_feeds GMP command. Added information on whether the feed owner and feed import roles are set and whether the user has access to feed resources. --- src/gmp.c | 50 +++++++++++++++++++++++++++++++ src/manage_acl.c | 29 ++++++++++++++++++ src/manage_acl.h | 3 ++ src/schema_formats/XML/GMP.xml.in | 21 +++++++++++++ 4 files changed, 103 insertions(+) diff --git a/src/gmp.c b/src/gmp.c index 128ff751a..652e144db 100644 --- a/src/gmp.c +++ b/src/gmp.c @@ -12976,6 +12976,7 @@ static void handle_get_feeds (gmp_parser_t *gmp_parser, GError **error) { assert (current_credentials.username); + assert (current_credentials.uuid); if (acl_user_may ("get_feeds") == 0) { 
@@ -12986,10 +12987,59 @@ handle_get_feeds (gmp_parser_t *gmp_parser, GError **error) return; } + char *feed_owner_uuid, *feed_roles; + gboolean feed_owner_set, feed_import_roles_set, feed_resources_access; + + feed_owner_set = feed_import_roles_set = feed_resources_access = FALSE; + + setting_value (SETTING_UUID_FEED_IMPORT_OWNER, &feed_owner_uuid); + + if (feed_owner_uuid != NULL && strlen (feed_owner_uuid) > 0) + feed_owner_set = TRUE; + else + g_warning ("%s: No feed owner set.", __func__); + + setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &feed_roles); + + if (feed_roles != NULL && strlen (feed_roles) > 0) + feed_import_roles_set = TRUE; + else + g_warning ("%s: No feed import roles set.", __func__); + + if (feed_owner_uuid != NULL && strcmp (feed_owner_uuid, current_credentials.uuid) == 0) + feed_resources_access = TRUE; + else if (feed_roles != NULL) + { + gchar **roles = g_strsplit (feed_roles, ",", -1); + gchar **role = roles; + while (*role) + { + if (acl_user_has_role (current_credentials.uuid, *role)) + { + feed_resources_access = TRUE; + break; + } + role++; + } + g_strfreev (roles); + } + + free (feed_roles); + free (feed_owner_uuid); + SEND_TO_CLIENT_OR_FAIL (""); + SENDF_TO_CLIENT_OR_FAIL ("%s", + feed_owner_set ? "1" : "0"); + + SENDF_TO_CLIENT_OR_FAIL ("%s", + feed_import_roles_set ? "1" : "0"); + + SENDF_TO_CLIENT_OR_FAIL ("%s", + feed_resources_access ? "1" : "0"); + if ((get_feeds_data->type == NULL) || (strcasecmp (get_feeds_data->type, "nvt") == 0)) get_feed (gmp_parser, error, NVT_FEED); diff --git a/src/manage_acl.c b/src/manage_acl.c index e2953d8f1..1041d564b 100644 --- a/src/manage_acl.c +++ b/src/manage_acl.c 
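Review bot: `feed_owner_uuid` and `feed_roles` are declared without initializers and the return value of both `setting_value` calls is discarded, so if `setting_value` ever fails without writing its out-parameter the following `strlen`, `strcmp` and `free` calls run on indeterminate pointers and the access bit is decided by garbage. Initialise both at the declaration, `char *feed_owner_uuid = NULL, *feed_roles = NULL;`, and treat a non-zero return from `setting_value` as "not set" so the result fails closed; if `setting_value` is guaranteed to NULL the out-parameter on every path this is only defensive, but that guarantee is not visible here. The `g_strsplit (feed_roles, ",", -1)` tokens are passed to `acl_user_has_role` without trimming, so a setting stored as `uuid1, uuid2` would silently deny the second role; `g_strstrip (*role)` before the lookup avoids that unless the setting is known to be written without whitespace. Note too that the `assert (current_credentials.uuid)` added in the preceding hunk disappears under NDEBUG, so the `strcmp` against `current_credentials.uuid` here is the real dependency on that field. handle_get_feeds continues past the end of this hunk.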
@@ -462,6 +462,35 @@ acl_user_is_user (const char *uuid) return ret; } +/** + * @brief Check whether a user has a given role. + * + * @param[in] user_uuid UUID of the user. + * @param[in] role_uuid UUID of the role. + * + * @return 1 if user has the given role, else 0. + */ +int +acl_user_has_role (const char *user_uuid, const char *role_uuid) +{ + int ret; + gchar *quoted_role_uuid, *quoted_user_uuid; + + quoted_role_uuid = sql_quote (role_uuid); + quoted_user_uuid = sql_quote (user_uuid); + + ret = sql_int ("SELECT count (*) FROM role_users" + " WHERE role = (SELECT id FROM roles" + " WHERE uuid = '%s')" + " AND \"user\" = (SELECT id FROM users WHERE uuid = '%s');", + quoted_role_uuid, quoted_user_uuid); + + g_free (quoted_role_uuid); + g_free (quoted_user_uuid); + return ret; +} + + /* TODO This is only predicatable for unique fields like "id". If the field * is "name" then "SELECT ... format" will choose arbitrarily between * the resources that have the same name. */ diff --git a/src/manage_acl.h b/src/manage_acl.h index 3655ee10f..bb1a78b40 100644 --- a/src/manage_acl.h +++ b/src/manage_acl.h @@ -155,6 +155,9 @@ acl_user_is_super_admin (const char *); int acl_user_is_observer (const char *); +int +acl_user_has_role (const char *, const char *); + int acl_user_owns (const char *, resource_t, int); diff --git a/src/schema_formats/XML/GMP.xml.in b/src/schema_formats/XML/GMP.xml.in index 91860510f..3218e237a 100644 --- a/src/schema_formats/XML/GMP.xml.in +++ b/src/schema_formats/XML/GMP.xml.in @@ -11525,8 +11525,26 @@ END:VCALENDAR text 1 + feed_owner_set + feed_roles_set + feed_resources_access feed + + feed_owner_set + Whether the feed owner is set + boolean + + + feed_roles_set + Whether the feed roles are set + boolean + + + feed_resources_access + Whether the user has access to feed resources + boolean + feed @@ -11590,6 +11608,9 @@ END:VCALENDAR + 1 + 1 + 1 NVT Greenbone Security Feed From 0761c87f5ab359b6cb3ab691215a63a04e2da2e2 Mon Sep 17 00:00:00 2001 
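Review bot: `acl_user_has_role` hands both UUIDs straight to `sql_quote` without a NULL check, which for an ACL predicate should fail closed rather than depend on what `sql_quote (NULL)` does; add `if (user_uuid == NULL || role_uuid == NULL) return 0;` before the `sql_quote` calls. The function returns the raw `count (*)` while its doc promises "1 if user has the given role, else 0", so a duplicated role_users row would return 2; `return ret > 0;` keeps the documented contract (the caller in handle_get_feeds only tests truthiness, so this is contract hygiene, not a functional bug). The SQL uses the project's `sql_quote` escaping and the inputs come from a setting and the session UUID, not request data, so no injection concern is visible in this hunk.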
From: Ahmed Abdelsalam Date: Tue, 8 Oct 2024 11:50:26 +0200 Subject: [PATCH 2/2] Address review comments --- src/gmp.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/src/gmp.c b/src/gmp.c index 652e144db..c9659aef6 100644 --- a/src/gmp.c +++ b/src/gmp.c @@ -12996,15 +12996,11 @@ handle_get_feeds (gmp_parser_t *gmp_parser, GError **error) if (feed_owner_uuid != NULL && strlen (feed_owner_uuid) > 0) feed_owner_set = TRUE; - else - g_warning ("%s: No feed owner set.", __func__); setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &feed_roles); if (feed_roles != NULL && strlen (feed_roles) > 0) feed_import_roles_set = TRUE; - else - g_warning ("%s: No feed import roles set.", __func__); if (feed_owner_uuid != NULL && strcmp (feed_owner_uuid, current_credentials.uuid) == 0) feed_resources_access = TRUE; @@ -13031,13 +13027,11 @@ handle_get_feeds (gmp_parser_t *gmp_parser, GError **error) " status=\"" STATUS_OK "\"" " status_text=\"" STATUS_OK_TEXT "\">"); - SENDF_TO_CLIENT_OR_FAIL ("%s", - feed_owner_set ? "1" : "0"); - - SENDF_TO_CLIENT_OR_FAIL ("%s", - feed_import_roles_set ? "1" : "0"); - - SENDF_TO_CLIENT_OR_FAIL ("%s", + SENDF_TO_CLIENT_OR_FAIL ("%s" + "%s" + "%s", + feed_owner_set ? "1" : "0", + feed_import_roles_set ? "1" : "0", feed_resources_access ? "1" : "0"); if ((get_feeds_data->type == NULL)
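Review bot: In the merged `SENDF_TO_CLIENT_OR_FAIL` call the three gboolean flags are each mapped through a `? "1" : "0"` ternary and printed with `%s`; since GLib's gboolean is an int and these variables are only ever assigned `TRUE`/`FALSE`, printing them with `%d` and passing `feed_owner_set, feed_import_roles_set, feed_resources_access` directly is shorter and avoids the three string temporaries. The first hunk of this patch also removes the only diagnostic for an unset feed owner or import roles; if that is intended, a one-line comment above the `feed_owner_set` check such as `/* Unset owner/roles are reported to the client via the *_set flags, not logged. */` would tell the next reader it was deliberate. handle_get_feeds starts and ends outside both hunks.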