From c385f58d663a8524390de89fbf3904388982d573 Mon Sep 17 00:00:00 2001
From: liugq
Date: Mon, 3 Jul 2023 18:54:38 +0800
Subject: [PATCH] filter insight api index privilege
---
 plugin/api/insight/api.go | 6 +++---
 plugin/api/insight/metadata.go | 32 +++++++++++++++++---------------
 2 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/plugin/api/insight/api.go b/plugin/api/insight/api.go
index e3c9ed82..8ae2a96e 100644
--- a/plugin/api/insight/api.go
+++ b/plugin/api/insight/api.go
@@ -12,9 +12,9 @@ type InsightAPI struct {
 func InitAPI() {
 insight := InsightAPI{}
- api.HandleAPIMethod(api.POST, "/elasticsearch/:id/visualization/metadata", insight.HandleGetMetadata)
- api.HandleAPIMethod(api.POST, "/elasticsearch/:id/visualization/data", insight.HandleGetMetricData)
- api.HandleAPIMethod(api.POST, "/elasticsearch/:id/visualization/preview", insight.HandleGetPreview)
+ api.HandleAPIMethod(api.POST, "/elasticsearch/:id/visualization/metadata", insight.RequireLogin(insight.HandleGetMetadata))
+ api.HandleAPIMethod(api.POST, "/elasticsearch/:id/visualization/data", insight.RequireLogin(insight.HandleGetMetricData))
+ api.HandleAPIMethod(api.POST, "/elasticsearch/:id/visualization/preview", insight.RequireLogin(insight.HandleGetPreview))
 api.HandleAPIMethod(api.GET, "/insight/visualization/:visualization_id", insight.getVisualization)
 api.HandleAPIMethod(api.POST, "/insight/visualization", insight.createVisualization)
diff --git a/plugin/api/insight/metadata.go b/plugin/api/insight/metadata.go
index 81b2de18..8b4c27c1 100644
--- a/plugin/api/insight/metadata.go
+++ b/plugin/api/insight/metadata.go
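Review bot: The `/insight/visualization` routes on the two context lines after the rewritten block are still registered with the bare `insight.getVisualization` and `insight.createVisualization` handlers, and nothing in the hunk says whether leaving them outside `insight.RequireLogin` is intended. If those routes are meant to be authenticated as well, wrap them the same way, e.g. `api.HandleAPIMethod(api.GET, "/insight/visualization/:visualization_id", insight.RequireLogin(insight.getVisualization))`; if they are deliberately unauthenticated, a one-line comment above them saying so would keep the next reader from treating it as an omission. InitAPI's body continues past the end of the hunk, so further unwrapped registrations may follow.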
@@ -33,6 +33,10 @@ func (h *InsightAPI) HandleGetPreview(w http.ResponseWriter, req *http.Request,
 }, http.StatusInternalServerError)
 return
 }
+ if reqBody.IndexPattern != "" && !h.IsIndexAllowed(req, clusterID, reqBody.IndexPattern){
+ h.WriteError(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+ return
+ }
 if reqBody.ViewID != "" {
 view := elastic.View{
 ID: reqBody.ViewID,
@@ -129,9 +133,11 @@ func (h *InsightAPI) HandleGetMetadata(w http.ResponseWriter, req *http.Request,
 err := h.DecodeJSON(req, &reqBody)
 if err != nil {
 log.Error(err)
- h.WriteJSON(w, util.MapStr{
- "error": err.Error(),
- }, http.StatusInternalServerError)
+ h.WriteError(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ if reqBody.IndexPattern != "" && !h.IsIndexAllowed(req, clusterID, reqBody.IndexPattern){
+ h.WriteError(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
 return
 }
 var fieldsFormat map[string]string
@@ -141,9 +147,7 @@ func (h *InsightAPI) HandleGetMetadata(w http.ResponseWriter, req *http.Request,
 }
 exists, err := orm.Get(&view)
 if err != nil || !exists {
- h.WriteJSON(w, util.MapStr{
- "error": err.Error(),
- }, http.StatusNotFound)
+ h.WriteError(w, err.Error(), http.StatusNotFound)
 return
 }
 reqBody.IndexPattern = view.Title
@@ -159,9 +163,7 @@ func (h *InsightAPI) HandleGetMetadata(w http.ResponseWriter, req *http.Request,
 fieldsMeta, err := getMetadataByIndexPattern(clusterID, reqBody.IndexPattern, reqBody.TimeField, reqBody.Filter, fieldsFormat)
 if err != nil {
 log.Error(err)
- h.WriteJSON(w, util.MapStr{
- "error": err.Error(),
- }, http.StatusInternalServerError)
+ h.WriteError(w, err.Error(), http.StatusInternalServerError)
 return
 }
 h.WriteJSON(w, fieldsMeta, http.StatusOK)
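Review bot: The `IsIndexAllowed` check added at the top of this hunk runs before the `reqBody.ViewID != ""` branch that follows it and is skipped whenever `reqBody.IndexPattern` is empty, so a request that names a view and no pattern is never checked; in HandleGetMetadata the same ordering is visible across the @@ -129 and @@ -141 hunks, where the check precedes `reqBody.IndexPattern = view.Title` and the pattern later passed to `getMetadataByIndexPattern` is therefore the unchecked one whenever it came from a view. If HandleGetPreview resolves the view the same way (its body continues outside this hunk), the fix in both handlers is to move the check to just before the resolved pattern is used, after the view lookup, and to drop the `reqBody.IndexPattern != ""` guard or state explicitly what an empty pattern is allowed to mean, as HandleGetMetricData already checks unconditionally. Separately, `reqBody.IndexPattern){` here, in @@ -129 and in HandleGetMetricData is not gofmt-clean; `gofmt` writes `reqBody.IndexPattern) {`.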
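Review bot: `h.WriteError(w, err.Error(), http.StatusNotFound)` dereferences `err` on the `!exists` path, and the condition `err != nil || !exists` only makes sense if `orm.Get` can report a missing view with a nil error, in which case a request naming an unknown ViewID panics in the handler instead of receiving a 404. The old `WriteJSON` line had the same flaw, but this hunk rewrites it, so build the message first: `msg := "view not found"; if err != nil { msg = err.Error() }` and pass `msg` to WriteError. HandleGetMetadata's body continues outside this hunk on both sides.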
@@ -172,19 +174,19 @@ func (h *InsightAPI) HandleGetMetricData(w http.ResponseWriter, req *http.Reques
 err := h.DecodeJSON(req, &reqBody)
 if err != nil {
 log.Error(err)
- h.WriteJSON(w, util.MapStr{
- "error": err.Error(),
- }, http.StatusInternalServerError)
+ h.WriteError(w, err.Error(), http.StatusInternalServerError)
 return
 }
 clusterID := ps.MustGetParameter("id")
+ if !h.IsIndexAllowed(req, clusterID, reqBody.IndexPattern){
+ h.WriteError(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+ return
+ }
 reqBody.ClusterId = clusterID
 metricData, err := getMetricData(&reqBody)
 if err != nil {
 log.Error(err)
- h.WriteJSON(w, util.MapStr{
- "error": err.Error(),
- }, http.StatusInternalServerError)
+ h.WriteError(w, err.Error(), http.StatusInternalServerError)
 return
 }