If one enables to store roles in the database for the first time, mig…

…rate them This prevents the admin from breaking Icinga Web with one checkbox.
Icinga · Apr 18, 2024 · e62725a · e62725a
1 parent eb97af8
commit e62725a
Showing 1 changed file with 121 additions and 2 deletions.
diff --git a/application/controllers/ConfigController.php b/application/controllers/ConfigController.php
@@ -3,8 +3,13 @@
 
 namespace Icinga\Controllers;
 
+use DateTime;
 use Exception;
 use Icinga\Application\Version;
+use Icinga\Common\Database;
+use Icinga\Forms\Security\RoleForm;
+use Icinga\Model\Role;
+use Icinga\Util\StringHelper;
 use InvalidArgumentException;
 use Icinga\Application\Config;
 use Icinga\Application\Icinga;
@@ -23,12 +28,18 @@
 use Icinga\Web\Notification;
 use Icinga\Web\Url;
 use Icinga\Web\Widget;
+use ipl\Sql\Connection;
+use ipl\Sql\Insert;
+use ipl\Sql\Select;
+use ipl\Sql\Update;
 
 /**
  * Application and module configuration
  */
 class ConfigController extends Controller
 {
+    use Database;
+
     /**
      * Create and return the tabs to display when showing application configuration
      */
@@ -99,13 +110,21 @@ public function generalAction()
         $form->setOnSuccess(function (GeneralConfigForm $form) {
             $config = Config::app();
             $useStrictCsp = (bool) $config->get('security', 'use_strict_csp', false);
+            $storeRolesInDb = (bool) $config->get('global', 'store_roles_in_db', false);
             if ($form->onSuccess() === false) {
                 return false;
             }
 
             $appConfigForm = $form->getSubForm('form_config_general_application');
-            if ($appConfigForm && (bool) $appConfigForm->getValue('security_use_strict_csp') !== $useStrictCsp) {
-                $this->getResponse()->setReloadWindow(true);
+
+            if ($appConfigForm) {
+                if ((bool) $appConfigForm->getValue('security_use_strict_csp') !== $useStrictCsp) {
+                    $this->getResponse()->setReloadWindow(true);
+                }
+
+                if (! $storeRolesInDb && $appConfigForm->getValue('global_store_roles_in_db')) {
+                    $this->migrateRolesToFreshDb();
+                }
             }
         })->handleRequest();
 
@@ -114,6 +133,106 @@ public function generalAction()
         $this->createApplicationTabs()->activate('general');
     }
 
+    /**
+     * Migrate roles.ini to database if the latter contains no roles
+     */
+    private function migrateRolesToFreshDb(): void
+    {
+        $roles = Config::app('roles');
+        $now = (new DateTime())->getTimestamp() * 1000;
+
+        $this->getDb()->transaction(function (Connection $db) use ($roles, $now) {
+            if (Role::on($db)->columns('id')->first()) {
+                return;
+            }
+
+            foreach ($roles as $name => $role) {
+                $db->prepexec(
+                    (new Insert())
+                        ->into('icingaweb_role')
+                        ->columns(['name', 'unrestricted', 'ctime'])
+                        ->values([$name, $role->unrestricted ? 'y' : 'n', $now])
+                );
+
+                $id = $db->lastInsertId();
+                $permissions = StringHelper::trimSplit($role->permissions);
+                $refusals = StringHelper::trimSplit($role->refusals);
+                $permissionsAndRefusals = [];
+
+                foreach (StringHelper::trimSplit($role->users) as $user) {
+                    $db->prepexec(
+                        (new Insert())
+                            ->into('icingaweb_role_user')
+                            ->columns(['role_id', 'user_name'])
+                            ->values([$id, $user])
+                    );
+                }
+
+                foreach (StringHelper::trimSplit($role->groups) as $group) {
+                    $db->prepexec(
+                        (new Insert())
+                            ->into('icingaweb_role_group')
+                            ->columns(['role_id', 'group_name'])
+                            ->values([$id, $group])
+                    );
+                }
+
+                foreach ([$permissions, $refusals] as $permissionsOrRefusals) {
+                    foreach ($permissionsOrRefusals as $permissionOrRefusal) {
+                        $permissionsAndRefusals[$permissionOrRefusal] = ['allowed' => 'n', 'denied' => 'n'];
+                    }
+                }
+
+                foreach ($permissions as $permission) {
+                    $permissionsAndRefusals[$permission]['allowed'] = 'y';
+                }
+
+                foreach ($refusals as $refusal) {
+                    $permissionsAndRefusals[$refusal]['denied'] = 'y';
+                }
+
+                foreach ($permissionsAndRefusals as $permission => $authz) {
+                    $db->prepexec(
+                        (new Insert())
+                            ->into('icingaweb_role_permission')
+                            ->columns(['role_id', 'permission', 'allowed', 'denied'])
+                            ->values([$id, $permission, $authz['allowed'], $authz['denied']])
+                    );
+                }
+
+                foreach (RoleForm::collectProvidedPrivileges()[1] as $restrictionList) {
+                    foreach ($restrictionList as $restriction => $_) {
+                        if (isset($role->$restriction)) {
+                            $db->prepexec(
+                                (new Insert())
+                                    ->into('icingaweb_role_restriction')
+                                    ->columns(['role_id', 'restriction', 'filter'])
+                                    ->values([$id, $restriction, $role->$restriction])
+                            );
+                        }
+                    }
+                }
+            }
+
+            foreach ($roles as $name => $role) {
+                if (isset($role->parent)) {
+                    $db->prepexec(
+                        (new Update())
+                            ->table('icingaweb_role')
+                            ->set([
+                                'parent_id' => (new Select())
+                                    ->from('icingaweb_role')
+                                    ->where(['name = ?' => $role->parent])
+                                    ->columns(['id'])
+                                ,
+                            ])
+                            ->where(['name = ?' => $name])
+                    );
+                }
+            }
+        });
+    }
+
     /**
      * Display the list of all modules
      */