SMusatov
/
netdata
зеркало из https://github.com/netdata/netdata.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293
							// SPDX-License-Identifier: GPL-3.0-or-later

#include "web_api.h"

bool netdata_is_protected_by_bearer = false; // this is controlled by cloud, at the point the agent logs in - this should also be saved to /var/lib/netdata
DICTIONARY *netdata_authorized_bearers = NULL;

static short int web_client_check_acl_and_bearer(struct web_client *w, WEB_CLIENT_ACL endpoint_acl) {
    if(endpoint_acl == WEB_CLIENT_ACL_NONE || (endpoint_acl & WEB_CLIENT_ACL_NOCHECK))
        // the endpoint is totally public
        return HTTP_RESP_OK;

    bool acl_allows = w->acl & endpoint_acl;
    if(!acl_allows)
        // the channel we received the request from (w->acl) is not compatible with the endpoint
        return HTTP_RESP_FORBIDDEN;

    if(!netdata_is_protected_by_bearer && !(endpoint_acl & WEB_CLIENT_ACL_BEARER_REQUIRED))
        // bearer protection is not enabled and is not required by the endpoint
        return HTTP_RESP_OK;

    if(!(endpoint_acl & (WEB_CLIENT_ACL_BEARER_REQUIRED|WEB_CLIENT_ACL_BEARER_OPTIONAL)))
        // endpoint does not require a bearer
        return HTTP_RESP_OK;

    if((w->acl & (WEB_CLIENT_ACL_ACLK|WEB_CLIENT_ACL_WEBRTC)))
        // the request is coming from ACLK or WEBRTC (authorized already),
        return HTTP_RESP_OK;

    // at this point we need a bearer to serve the request
    // either because:
    //
    // 1. WEB_CLIENT_ACL_BEARER_REQUIRED, or
    // 2. netdata_is_protected_by_bearer == true
    //

    BEARER_STATUS t = api_check_bearer_token(w);
    if(t == BEARER_STATUS_AVAILABLE_AND_VALIDATED)
        // we have a valid bearer on the request
        return HTTP_RESP_OK;

    netdata_log_info("BEARER: bearer is required for request: code %d", t);

    return HTTP_RESP_PRECOND_FAIL;
}

int web_client_api_request_vX(RRDHOST *host, struct web_client *w, char *url_path_endpoint, struct web_api_command *api_commands) {
    buffer_no_cacheable(w->response.data);

    if(unlikely(!url_path_endpoint || !*url_path_endpoint)) {
        buffer_flush(w->response.data);
        buffer_sprintf(w->response.data, "Which API command?");
        return HTTP_RESP_BAD_REQUEST;
    }

    char *api_command = strchr(url_path_endpoint, '/');
    if (likely(api_command == NULL)) // only config command supports subpaths for now
        api_command = url_path_endpoint;
    else {
        size_t api_command_len = api_command - url_path_endpoint;
        api_command = callocz(1, api_command_len + 1);
        memcpy(api_command, url_path_endpoint, api_command_len);
    }

    uint32_t hash = simple_hash(api_command);

    for(int i = 0; api_commands[i].command ; i++) {
        if(unlikely(hash == api_commands[i].hash && !strcmp(api_command, api_commands[i].command))) {
            if(unlikely(!api_commands[i].allow_subpaths && api_command != url_path_endpoint)) {
                buffer_flush(w->response.data);
                buffer_sprintf(w->response.data, "API command '%s' does not support subpaths.", api_command);
                freez(api_command);
                return HTTP_RESP_BAD_REQUEST;
            }

            if (api_command != url_path_endpoint)
                freez(api_command);

            short int code = web_client_check_acl_and_bearer(w, api_commands[i].acl);
            if(code != HTTP_RESP_OK) {
                if(code == HTTP_RESP_FORBIDDEN)
                    return web_client_permission_denied(w);

                if(code == HTTP_RESP_PRECOND_FAIL)
                    return web_client_bearer_required(w);

                buffer_flush(w->response.data);
                buffer_sprintf(w->response.data, "Failed with code %d", code);
                w->response.code = code;
                return code;
            }

            char *query_string = (char *)buffer_tostring(w->url_query_string_decoded);

            if(*query_string == '?')
                query_string = &query_string[1];

            return api_commands[i].callback(host, w, query_string);
        }
    }

    if (api_command != url_path_endpoint)
        freez(api_command);

    buffer_flush(w->response.data);
    buffer_strcat(w->response.data, "Unsupported API command: ");
    buffer_strcat_htmlescape(w->response.data, url_path_endpoint);
    return HTTP_RESP_NOT_FOUND;
}

RRDCONTEXT_TO_JSON_OPTIONS rrdcontext_to_json_parse_options(char *o) {
    RRDCONTEXT_TO_JSON_OPTIONS options = RRDCONTEXT_OPTION_NONE;
    char *tok;

    while(o && *o && (tok = strsep_skip_consecutive_separators(&o, ", |"))) {
        if(!*tok) continue;

        if(!strcmp(tok, "full") || !strcmp(tok, "all"))
            options |= RRDCONTEXT_OPTIONS_ALL;
        else if(!strcmp(tok, "charts") || !strcmp(tok, "instances"))
            options |= RRDCONTEXT_OPTION_SHOW_INSTANCES;
        else if(!strcmp(tok, "dimensions") || !strcmp(tok, "metrics"))
            options |= RRDCONTEXT_OPTION_SHOW_METRICS;
        else if(!strcmp(tok, "queue"))
            options |= RRDCONTEXT_OPTION_SHOW_QUEUED;
        else if(!strcmp(tok, "flags"))
            options |= RRDCONTEXT_OPTION_SHOW_FLAGS;
        else if(!strcmp(tok, "uuids"))
            options |= RRDCONTEXT_OPTION_SHOW_UUIDS;
        else if(!strcmp(tok, "deleted"))
            options |= RRDCONTEXT_OPTION_SHOW_DELETED;
        else if(!strcmp(tok, "labels"))
            options |= RRDCONTEXT_OPTION_SHOW_LABELS;
        else if(!strcmp(tok, "deepscan"))
            options |= RRDCONTEXT_OPTION_DEEPSCAN;
        else if(!strcmp(tok, "hidden"))
            options |= RRDCONTEXT_OPTION_SHOW_HIDDEN;
    }

    return options;
}

int web_client_api_request_weights(RRDHOST *host, struct web_client *w, char *url, WEIGHTS_METHOD method, WEIGHTS_FORMAT format, size_t api_version) {
    if (!netdata_ready)
        return HTTP_RESP_BACKEND_FETCH_FAILED;

    time_t baseline_after = 0, baseline_before = 0, after = 0, before = 0;
    size_t points = 0;
    RRDR_OPTIONS options = 0;
    RRDR_TIME_GROUPING time_group_method = RRDR_GROUPING_AVERAGE;
    time_t timeout_ms = 0;
    size_t tier = 0;
    const char *time_group_options = NULL, *scope_contexts = NULL, *scope_nodes = NULL, *contexts = NULL, *nodes = NULL,
        *instances = NULL, *dimensions = NULL, *labels = NULL, *alerts = NULL;

    struct group_by_pass group_by = {
            .group_by = RRDR_GROUP_BY_NONE,
            .group_by_label = NULL,
            .aggregation = RRDR_GROUP_BY_FUNCTION_AVERAGE,
    };

    while (url) {
        char *value = strsep_skip_consecutive_separators(&url, "&");
        if (!value || !*value)
            continue;

        char *name = strsep_skip_consecutive_separators(&value, "=");
        if (!name || !*name)
            continue;
        if (!value || !*value)
            continue;

        if (!strcmp(name, "baseline_after"))
            baseline_after = str2l(value);

        else if (!strcmp(name, "baseline_before"))
            baseline_before = str2l(value);

        else if (!strcmp(name, "after") || !strcmp(name, "highlight_after"))
            after = str2l(value);

        else if (!strcmp(name, "before") || !strcmp(name, "highlight_before"))
            before = str2l(value);

        else if (!strcmp(name, "points") || !strcmp(name, "max_points"))
            points = str2ul(value);

        else if (!strcmp(name, "timeout"))
            timeout_ms = str2l(value);

        else if((api_version == 1 && !strcmp(name, "group")) || (api_version >= 2 && !strcmp(name, "time_group")))
            time_group_method = time_grouping_parse(value, RRDR_GROUPING_AVERAGE);

        else if((api_version == 1 && !strcmp(name, "group_options")) || (api_version >= 2 && !strcmp(name, "time_group_options")))
            time_group_options = value;

        else if(!strcmp(name, "options"))
            options |= web_client_api_request_v1_data_options(value);

        else if(!strcmp(name, "method"))
            method = weights_string_to_method(value);

        else if(api_version == 1 && (!strcmp(name, "context") || !strcmp(name, "contexts")))
            scope_contexts = value;

        else if(api_version >= 2 && !strcmp(name, "scope_nodes")) scope_nodes = value;
        else if(api_version >= 2 && !strcmp(name, "scope_contexts")) scope_contexts = value;
        else if(api_version >= 2 && !strcmp(name, "nodes")) nodes = value;
        else if(api_version >= 2 && !strcmp(name, "contexts")) contexts = value;
        else if(api_version >= 2 && !strcmp(name, "instances")) instances = value;
        else if(api_version >= 2 && !strcmp(name, "dimensions")) dimensions = value;
        else if(api_version >= 2 && !strcmp(name, "labels")) labels = value;
        else if(api_version >= 2 && !strcmp(name, "alerts")) alerts = value;
        else if(api_version >= 2 && (!strcmp(name, "group_by") || !strcmp(name, "group_by[0]"))) {
            group_by.group_by = group_by_parse(value);
        }
        else if(api_version >= 2 && (!strcmp(name, "group_by_label") || !strcmp(name, "group_by_label[0]"))) {
            group_by.group_by_label = value;
        }
        else if(api_version >= 2 && (!strcmp(name, "aggregation") || !strcmp(name, "aggregation[0]"))) {
            group_by.aggregation = group_by_aggregate_function_parse(value);
        }

        else if(!strcmp(name, "tier")) {
            tier = str2ul(value);
            if(tier < storage_tiers)
                options |= RRDR_OPTION_SELECTED_TIER;
            else
                tier = 0;
        }
    }

    if(options == 0)
        // the user did not set any options
        options  = RRDR_OPTION_NOT_ALIGNED | RRDR_OPTION_NULL2ZERO | RRDR_OPTION_NONZERO;
    else
        // the user set some options, add also these
        options |= RRDR_OPTION_NOT_ALIGNED | RRDR_OPTION_NULL2ZERO;

    if(options & RRDR_OPTION_PERCENTAGE)
        options |= RRDR_OPTION_ABSOLUTE;

    if(options & RRDR_OPTION_DEBUG)
        options &= ~RRDR_OPTION_MINIFY;

    BUFFER *wb = w->response.data;
    buffer_flush(wb);
    wb->content_type = CT_APPLICATION_JSON;

    QUERY_WEIGHTS_REQUEST qwr = {
            .version = api_version,
            .host = (api_version == 1) ? NULL : host,
            .scope_nodes = scope_nodes,
            .scope_contexts = scope_contexts,
            .nodes = nodes,
            .contexts = contexts,
            .instances = instances,
            .dimensions = dimensions,
            .labels = labels,
            .alerts = alerts,
            .group_by = {
                .group_by = group_by.group_by,
                .group_by_label = group_by.group_by_label,
                .aggregation = group_by.aggregation,
            },
            .method = method,
            .format = format,
            .time_group_method = time_group_method,
            .time_group_options = time_group_options,
            .baseline_after = baseline_after,
            .baseline_before = baseline_before,
            .after = after,
            .before = before,
            .points = points,
            .options = options,
            .tier = tier,
            .timeout_ms = timeout_ms,

            .interrupt_callback = web_client_interrupt_callback,
            .interrupt_callback_data = w,
    };

    return web_api_v12_weights(wb, &qwr);
}

bool web_client_interrupt_callback(void *data) {
    struct web_client *w = data;

    if(w->interrupt.callback)
        return w->interrupt.callback(w, w->interrupt.callback_data);

    return sock_has_output_error(w->ofd);
}