[dev.icinga.com #12903] /actions/schedule-downtime doesn't validate the request body as expected

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12903

Created by aklimov on 2016-10-12 15:10:55 +00:00

Assignee: (none)
Status: New
Target Version: (none)
Last Update: 2016-10-12 15:10:55 +00:00 (in Redmine)

Icinga Version: 2.5.4
Backport?: Not yet backported
Include in Changelog: 1

---

As a user I expect the API to complain about the following 2 requests (and all other possible requests with wrong JSON data types):

[root@icingaweb2 ~]# curl -sku root:icinga  -H 'Accept: application/json' https://localhost:5665/v1/actions/schedule-downtime -d $'{"author":"icingaadmin","comment":"LOLCAT","start_time":"1480000000","end_time":"1480000001","duration":null,"fixed":true,"trigger_name":null,"filter":"host.name==\\"localhost\\"","type":["Host","Service"]}' | python -mjson.tool
{
    "results": [
        {
            "code": 200.0,
            "legacy_id": 30.0,
            "name": "localhost!negative!icingaweb2.int.netways.de-1476284301-28",
            "status": "Successfully scheduled downtime 'localhost!negative!icingaweb2.int.netways.de-1476284301-28' for object 'localhost!negative'."
        },
        {
            "code": 200.0,
            "legacy_id": 31.0,
            "name": "localhost!ping4!icingaweb2.int.netways.de-1476284301-29",
            "status": "Successfully scheduled downtime 'localhost!ping4!icingaweb2.int.netways.de-1476284301-29' for object 'localhost!ping4'."
        },
        {
            "code": 200.0,
            "legacy_id": 32.0,
            "name": "localhost!ping6!icingaweb2.int.netways.de-1476284301-30",
            "status": "Successfully scheduled downtime 'localhost!ping6!icingaweb2.int.netways.de-1476284301-30' for object 'localhost!ping6'."
        },
        {
            "code": 200.0,
            "legacy_id": 33.0,
            "name": "localhost!ssh!icingaweb2.int.netways.de-1476284301-31",
            "status": "Successfully scheduled downtime 'localhost!ssh!icingaweb2.int.netways.de-1476284301-31' for object 'localhost!ssh'."
        },
        {
            "code": 200.0,
            "legacy_id": 34.0,
            "name": "localhost!http!icingaweb2.int.netways.de-1476284301-32",
            "status": "Successfully scheduled downtime 'localhost!http!icingaweb2.int.netways.de-1476284301-32' for object 'localhost!http'."
        },
        {
            "code": 200.0,
            "legacy_id": 35.0,
            "name": "localhost!disk!icingaweb2.int.netways.de-1476284301-33",
            "status": "Successfully scheduled downtime 'localhost!disk!icingaweb2.int.netways.de-1476284301-33' for object 'localhost!disk'."
        },
        {
            "code": 200.0,
            "legacy_id": 36.0,
            "name": "localhost!icinga!icingaweb2.int.netways.de-1476284301-34",
            "status": "Successfully scheduled downtime 'localhost!icinga!icingaweb2.int.netways.de-1476284301-34' for object 'localhost!icinga'."
        },
        {
            "code": 200.0,
            "legacy_id": 37.0,
            "name": "localhost!disk /!icingaweb2.int.netways.de-1476284301-35",
            "status": "Successfully scheduled downtime 'localhost!disk /!icingaweb2.int.netways.de-1476284301-35' for object 'localhost!disk /'."
        },
        {
            "code": 200.0,
            "legacy_id": 38.0,
            "name": "localhost!load!icingaweb2.int.netways.de-1476284301-36",
            "status": "Successfully scheduled downtime 'localhost!load!icingaweb2.int.netways.de-1476284301-36' for object 'localhost!load'."
        },
        {
            "code": 200.0,
            "legacy_id": 39.0,
            "name": "localhost!procs!icingaweb2.int.netways.de-1476284301-37",
            "status": "Successfully scheduled downtime 'localhost!procs!icingaweb2.int.netways.de-1476284301-37' for object 'localhost!procs'."
        },
        {
            "code": 200.0,
            "legacy_id": 40.0,
            "name": "localhost!swap!icingaweb2.int.netways.de-1476284301-38",
            "status": "Successfully scheduled downtime 'localhost!swap!icingaweb2.int.netways.de-1476284301-38' for object 'localhost!swap'."
        },
        {
            "code": 200.0,
            "legacy_id": 41.0,
            "name": "localhost!users!icingaweb2.int.netways.de-1476284302-39",
            "status": "Successfully scheduled downtime 'localhost!users!icingaweb2.int.netways.de-1476284302-39' for object 'localhost!users'."
        }
    ]
}
[root@icingaweb2 ~]# curl -sku root:icinga  -H 'Accept: application/json' https://localhost:5665/v1/actions/schedule-downtime -d $'{"author":"icingaadmin","comment":"LOLCAT","start_time":"1480000000","end_time":"1480000001","duration":null,"fixed":true,"trigger_name":null,"filter":"host.name==\\"localhost\\"","type":["Service","Host"]}' | python -mjson.tool
{
    "results": [
        {
            "code": 200.0,
            "legacy_id": 43.0,
            "name": "localhost!icingaweb2.int.netways.de-1476284419-41",
            "status": "Successfully scheduled downtime 'localhost!icingaweb2.int.netways.de-1476284419-41' for object 'localhost'."
        }
    ]
}
[root@icingaweb2 ~]#

[dnsmichi]

Note: It is about the type attribute being an array.

[Al2Klimov]

After a few debugging I figured out why this happens:

• in /actions/schedule-downtime you have to filter for objects
• FilterUtility::GetFilterTargets() has to examine the query's config object type
• to get it, it calls HttpUtility::GetLastParameter()

So e.g. the first "malformed" query targets all the services because Service is the last type given.

[dnsmichi]

While it is misleading, the documentation says to use a type string value, not an array. As there's no generic fix for this, I'll close here.