diff --git a/changes/15146-filter-query-reports-by-user b/changes/15146-filter-query-reports-by-user new file mode 100644 index 000000000..d612101f6 --- /dev/null +++ b/changes/15146-filter-query-reports-by-user @@ -0,0 +1 @@ +- query reports now only show results for hosts the user has permission to \ No newline at end of file diff --git a/server/datastore/mysql/query_results.go b/server/datastore/mysql/query_results.go index 87fa10277..1a9749b1b 100644 --- a/server/datastore/mysql/query_results.go +++ b/server/datastore/mysql/query_results.go @@ -2,6 +2,7 @@ package mysql import ( "context" + "fmt" "strings" "github.com/fleetdm/fleet/v4/server/contexts/ctxerr" @@ -89,14 +90,15 @@ func (ds *Datastore) OverwriteQueryResultRows(ctx context.Context, rows []*fleet // TODO(lucas): Any chance we can store hostname in the query_results table? // (to avoid having to left join hosts). -func (ds *Datastore) QueryResultRows(ctx context.Context, queryID uint) ([]*fleet.ScheduledQueryResultRow, error) { - selectStmt := ` +func (ds *Datastore) QueryResultRows(ctx context.Context, queryID uint, filter fleet.TeamFilter) ([]*fleet.ScheduledQueryResultRow, error) { + selectStmt := fmt.Sprintf(` SELECT qr.query_id, qr.host_id, qr.last_fetched, qr.data, h.hostname, h.computer_name, h.hardware_model, h.hardware_serial FROM query_results qr LEFT JOIN hosts h ON (qr.host_id=h.id) - WHERE query_id = ? - ` + WHERE query_id = ? AND %s + `, ds.whereFilterHostsByTeams(filter, "h")) + results := []*fleet.ScheduledQueryResultRow{} err := sqlx.SelectContext(ctx, ds.reader(ctx), &results, selectStmt, queryID) if err != nil { diff --git a/server/datastore/mysql/query_results_test.go b/server/datastore/mysql/query_results_test.go index 4decdf41c..116dd71a5 100644 --- a/server/datastore/mysql/query_results_test.go +++ b/server/datastore/mysql/query_results_test.go @@ -29,6 +29,7 @@ func TestQueryResults(t *testing.T) { {"Overwrite", testOverwriteQueryResultRows}, {"MaxRows", testQueryResultRowsDoNotExceedMaxRows}, {"QueryResultRows", testQueryResultRows}, + {"QueryResultRowsFilter", testQueryResultRowsTeamFilter}, } for _, c := range cases { t.Run(c.name, func(t *testing.T) { @@ -142,6 +143,108 @@ func getQueryResultRows(t *testing.T, ds *Datastore) { require.Len(t, results, 0) } +func testQueryResultRowsTeamFilter(t *testing.T, ds *Datastore) { + team, err := ds.NewTeam(context.Background(), &fleet.Team{ + Name: "teamFoo", + }) + require.NoError(t, err) + observerTeam, err := ds.NewTeam(context.Background(), &fleet.Team{ + Name: "observerTeam", + }) + require.NoError(t, err) + + teamUser, err := ds.NewUser(context.Background(), &fleet.User{ + Password: []byte("foo"), + Salt: "bar", + Name: "teamUser", + Email: "teamUser@example.com", + GlobalRole: nil, + Teams: []fleet.UserTeam{ + { + Team: *team, + Role: fleet.RoleAdmin, + }, + { + Team: *observerTeam, + Role: fleet.RoleObserver, + }, + }, + }) + require.NoError(t, err) + + query := test.NewQuery(t, ds, nil, "New Query", "SELECT 1", teamUser.ID, true) + globalHost := test.NewHost(t, ds, "globalHost", "192.168.1.100", "1111", "UI8XB1223", time.Now()) + teamHost := test.NewHost(t, ds, "teamHost", "192.168.1.100", "2222", "UI8XB1223", time.Now()) + err = ds.AddHostsToTeam(context.Background(), &team.ID, []uint{teamHost.ID}) + require.NoError(t, err) + observerTeamHost := test.NewHost(t, ds, "teamHost", "192.168.1.100", "3333", "UI8XB1223", time.Now()) + err = ds.AddHostsToTeam(context.Background(), &observerTeam.ID, []uint{observerTeamHost.ID}) + require.NoError(t, err) + + mockTime := time.Now().UTC().Truncate(time.Second) + + globalRow := []*fleet.ScheduledQueryResultRow{ + { + QueryID: query.ID, + HostID: globalHost.ID, + LastFetched: mockTime, + Data: json.RawMessage(`{ + "model": "Global USB Keyboard", + "vendor": "Global Inc." + }`), + }, + } + + err = ds.OverwriteQueryResultRows(context.Background(), globalRow) + require.NoError(t, err) + + teamRow := []*fleet.ScheduledQueryResultRow{ + { + QueryID: query.ID, + HostID: teamHost.ID, + LastFetched: mockTime, + Data: json.RawMessage(`{ + "model": "Team USB Keyboard", + "vendor": "Team Inc." + }`), + }, + } + err = ds.OverwriteQueryResultRows(context.Background(), teamRow) + require.NoError(t, err) + + observerTeamRow := []*fleet.ScheduledQueryResultRow{ + { + QueryID: query.ID, + HostID: observerTeamHost.ID, + LastFetched: mockTime, + Data: json.RawMessage(`{ + "model": "Team USB Keyboard", + "vendor": "Team Inc." + }`), + }, + } + err = ds.OverwriteQueryResultRows(context.Background(), observerTeamRow) + require.NoError(t, err) + + filter := fleet.TeamFilter{ + User: teamUser, + IncludeObserver: true, + } + + results, err := ds.QueryResultRows(context.Background(), query.ID, filter) + require.NoError(t, err) + + require.Len(t, results, 2) + require.Equal(t, teamRow[0].HostID, results[0].HostID) + require.Equal(t, teamRow[0].QueryID, results[0].QueryID) + require.Equal(t, teamRow[0].LastFetched, results[0].LastFetched) + require.JSONEq(t, string(teamRow[0].Data), string(results[0].Data)) + require.Equal(t, observerTeamRow[0].HostID, results[1].HostID) + require.Equal(t, observerTeamRow[0].QueryID, results[1].QueryID) + require.Equal(t, observerTeamRow[0].LastFetched, results[1].LastFetched) + require.JSONEq(t, string(observerTeamRow[0].Data), string(results[1].Data)) +} + func testCountResultsForQuery(t *testing.T, ds *Datastore) { user := test.NewUser(t, ds, "Test User", "test@example.com", true) query1 := test.NewQuery(t, ds, nil, "New Query", "SELECT 1", user.ID, true) @@ -395,8 +498,10 @@ func testQueryResultRows(t *testing.T, ds *Datastore) { err := ds.OverwriteQueryResultRows(context.Background(), overwriteRows) require.NoError(t, err) + filter := fleet.TeamFilter{User: user, IncludeObserver: true} + // Test calling QueryResultRows with a query that has an entry with a host that doesn't exist anymore. - results, err := ds.QueryResultRows(context.Background(), query.ID) + results, err := ds.QueryResultRows(context.Background(), query.ID, filter) require.NoError(t, err) require.Len(t, results, 1) } diff --git a/server/fleet/datastore.go b/server/fleet/datastore.go index 9fa65df01..27241d83b 100644 --- a/server/fleet/datastore.go +++ b/server/fleet/datastore.go @@ -399,8 +399,8 @@ type Datastore interface { /////////////////////////////////////////////////////////////////////////////// // QueryResultsStore - // QueryResultRows returns all the stored results of a query (from all hosts). - QueryResultRows(ctx context.Context, queryID uint) ([]*ScheduledQueryResultRow, error) + // QueryResultRows returns stored results of a query + QueryResultRows(ctx context.Context, queryID uint, filter TeamFilter) ([]*ScheduledQueryResultRow, error) ResultCountForQuery(ctx context.Context, queryID uint) (int, error) ResultCountForQueryAndHost(ctx context.Context, queryID, hostID uint) (int, error) OverwriteQueryResultRows(ctx context.Context, rows []*ScheduledQueryResultRow) error diff --git a/server/fleet/service.go b/server/fleet/service.go index e7069932a..816a96d2e 100644 --- a/server/fleet/service.go +++ b/server/fleet/service.go @@ -270,7 +270,7 @@ type Service interface { // and only non-scheduled queries will be returned if `*scheduled == false`. ListQueries(ctx context.Context, opt ListOptions, teamID *uint, scheduled *bool) ([]*Query, error) GetQuery(ctx context.Context, id uint) (*Query, error) - // GetQueryReportResults returns all the stored results of a query. + // GetQueryReportResults returns all the stored results of a query for hosts the requestor has access to GetQueryReportResults(ctx context.Context, id uint) ([]HostQueryResultRow, error) NewQuery(ctx context.Context, p QueryPayload) (*Query, error) ModifyQuery(ctx context.Context, id uint, p QueryPayload) (*Query, error) diff --git a/server/mock/datastore_mock.go b/server/mock/datastore_mock.go index c71081a47..adc53e31d 100644 --- a/server/mock/datastore_mock.go +++ b/server/mock/datastore_mock.go @@ -298,7 +298,7 @@ type CleanupExpiredHostsFunc func(ctx context.Context) ([]uint, error) type ScheduledQueryIDsByNameFunc func(ctx context.Context, batchSize int, packAndSchedQueryNames ...[2]string) ([]uint, error) -type QueryResultRowsFunc func(ctx context.Context, queryID uint) ([]*fleet.ScheduledQueryResultRow, error) +type QueryResultRowsFunc func(ctx context.Context, queryID uint, filter fleet.TeamFilter) ([]*fleet.ScheduledQueryResultRow, error) type ResultCountForQueryFunc func(ctx context.Context, queryID uint) (int, error) @@ -2887,11 +2887,11 @@ func (s *DataStore) ScheduledQueryIDsByName(ctx context.Context, batchSize int, return s.ScheduledQueryIDsByNameFunc(ctx, batchSize, packAndSchedQueryNames...) } -func (s *DataStore) QueryResultRows(ctx context.Context, queryID uint) ([]*fleet.ScheduledQueryResultRow, error) { +func (s *DataStore) QueryResultRows(ctx context.Context, queryID uint, filter fleet.TeamFilter) ([]*fleet.ScheduledQueryResultRow, error) { s.mu.Lock() s.QueryResultRowsFuncInvoked = true s.mu.Unlock() - return s.QueryResultRowsFunc(ctx, queryID) + return s.QueryResultRowsFunc(ctx, queryID, filter) } func (s *DataStore) ResultCountForQuery(ctx context.Context, queryID uint) (int, error) { diff --git a/server/service/queries.go b/server/service/queries.go index c77c3638f..47429b792 100644 --- a/server/service/queries.go +++ b/server/service/queries.go @@ -166,7 +166,13 @@ func (svc *Service) GetQueryReportResults(ctx context.Context, id uint) ([]fleet return nil, err } - queryReportResultRows, err := svc.ds.QueryResultRows(ctx, id) + vc, ok := viewer.FromContext(ctx) + if !ok { + return nil, fleet.ErrNoContext + } + filter := fleet.TeamFilter{User: vc.User, IncludeObserver: true} + + queryReportResultRows, err := svc.ds.QueryResultRows(ctx, id, filter) if err != nil { return nil, ctxerr.Wrap(ctx, err, "get query report results") }