15146 filter query results (#15473)

2024-11-06 08:55:24 +00:00 · 2023-12-07 11:24:56 -08:00 · 2023-12-07 11:24:56 -08:00 · 3ba81e1cf6
commit 3ba81e1cf6
parent f6d8bcc732
7 changed files with 126 additions and 12 deletions
--- a/changes/15146-filter-query-reports-by-user
+++ b/changes/15146-filter-query-reports-by-user
@ -0,0 +1 @@
+- query reports now only show results for hosts the user has permission to
--- a/server/datastore/mysql/query_results.go
+++ b/server/datastore/mysql/query_results.go
@ -2,6 +2,7 @@ package mysql

 import (
 	"context"
+	"fmt"
 	"strings"

 	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
@ -89,14 +90,15 @@ func (ds *Datastore) OverwriteQueryResultRows(ctx context.Context, rows []*fleet

 // TODO(lucas): Any chance we can store hostname in the query_results table?
 // (to avoid having to left join hosts).
-func (ds *Datastore) QueryResultRows(ctx context.Context, queryID uint) ([]*fleet.ScheduledQueryResultRow, error) {
-	selectStmt := `
+func (ds *Datastore) QueryResultRows(ctx context.Context, queryID uint, filter fleet.TeamFilter) ([]*fleet.ScheduledQueryResultRow, error) {
+	selectStmt := fmt.Sprintf(`
 		SELECT qr.query_id, qr.host_id, qr.last_fetched, qr.data,
 			h.hostname, h.computer_name, h.hardware_model, h.hardware_serial
 			FROM query_results qr
 			LEFT JOIN hosts h ON (qr.host_id=h.id)
-			WHERE query_id = ?
-		`
+			WHERE query_id = ? AND %s
+		`, ds.whereFilterHostsByTeams(filter, "h"))
+
 	results := []*fleet.ScheduledQueryResultRow{}
 	err := sqlx.SelectContext(ctx, ds.reader(ctx), &results, selectStmt, queryID)
 	if err != nil {
--- a/server/datastore/mysql/query_results_test.go
+++ b/server/datastore/mysql/query_results_test.go
@ -29,6 +29,7 @@ func TestQueryResults(t *testing.T) {
 		{"Overwrite", testOverwriteQueryResultRows},
 		{"MaxRows", testQueryResultRowsDoNotExceedMaxRows},
 		{"QueryResultRows", testQueryResultRows},
+		{"QueryResultRowsFilter", testQueryResultRowsTeamFilter},
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
@ -142,6 +143,108 @@ func getQueryResultRows(t *testing.T, ds *Datastore) {
 	require.Len(t, results, 0)
 }

+func testQueryResultRowsTeamFilter(t *testing.T, ds *Datastore) {
+	team, err := ds.NewTeam(context.Background(), &fleet.Team{
+		Name: "teamFoo",
+	})
+	require.NoError(t, err)
+	observerTeam, err := ds.NewTeam(context.Background(), &fleet.Team{
+		Name: "observerTeam",
+	})
+	require.NoError(t, err)
+
+	teamUser, err := ds.NewUser(context.Background(), &fleet.User{
+		Password:   []byte("foo"),
+		Salt:       "bar",
+		Name:       "teamUser",
+		Email:      "teamUser@example.com",
+		GlobalRole: nil,
+		Teams: []fleet.UserTeam{
+			{
+				Team: *team,
+				Role: fleet.RoleAdmin,
+			},
+			{
+				Team: *observerTeam,
+				Role: fleet.RoleObserver,
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	query := test.NewQuery(t, ds, nil, "New Query", "SELECT 1", teamUser.ID, true)
+	globalHost := test.NewHost(t, ds, "globalHost", "192.168.1.100", "1111", "UI8XB1223", time.Now())
+	teamHost := test.NewHost(t, ds, "teamHost", "192.168.1.100", "2222", "UI8XB1223", time.Now())
+	err = ds.AddHostsToTeam(context.Background(), &team.ID, []uint{teamHost.ID})
+	require.NoError(t, err)
+	observerTeamHost := test.NewHost(t, ds, "teamHost", "192.168.1.100", "3333", "UI8XB1223", time.Now())
+	err = ds.AddHostsToTeam(context.Background(), &observerTeam.ID, []uint{observerTeamHost.ID})
+	require.NoError(t, err)
+
+	mockTime := time.Now().UTC().Truncate(time.Second)
+
+	globalRow := []*fleet.ScheduledQueryResultRow{
+		{
+			QueryID:     query.ID,
+			HostID:      globalHost.ID,
+			LastFetched: mockTime,
+			Data: json.RawMessage(`{
+				"model": "Global USB Keyboard",
+				"vendor": "Global Inc."
+			}`),
+		},
+	}
+
+	err = ds.OverwriteQueryResultRows(context.Background(), globalRow)
+	require.NoError(t, err)
+
+	teamRow := []*fleet.ScheduledQueryResultRow{
+		{
+			QueryID:     query.ID,
+			HostID:      teamHost.ID,
+			LastFetched: mockTime,
+			Data: json.RawMessage(`{
+				"model": "Team USB Keyboard",
+				"vendor": "Team Inc."
+			}`),
+		},
+	}
+	err = ds.OverwriteQueryResultRows(context.Background(), teamRow)
+	require.NoError(t, err)
+
+	observerTeamRow := []*fleet.ScheduledQueryResultRow{
+		{
+			QueryID:     query.ID,
+			HostID:      observerTeamHost.ID,
+			LastFetched: mockTime,
+			Data: json.RawMessage(`{
+				"model": "Team USB Keyboard",
+				"vendor": "Team Inc."
+			}`),
+		},
+	}
+	err = ds.OverwriteQueryResultRows(context.Background(), observerTeamRow)
+	require.NoError(t, err)
+
+	filter := fleet.TeamFilter{
+		User:            teamUser,
+		IncludeObserver: true,
+	}
+
+	results, err := ds.QueryResultRows(context.Background(), query.ID, filter)
+	require.NoError(t, err)
+
+	require.Len(t, results, 2)
+	require.Equal(t, teamRow[0].HostID, results[0].HostID)
+	require.Equal(t, teamRow[0].QueryID, results[0].QueryID)
+	require.Equal(t, teamRow[0].LastFetched, results[0].LastFetched)
+	require.JSONEq(t, string(teamRow[0].Data), string(results[0].Data))
+	require.Equal(t, observerTeamRow[0].HostID, results[1].HostID)
+	require.Equal(t, observerTeamRow[0].QueryID, results[1].QueryID)
+	require.Equal(t, observerTeamRow[0].LastFetched, results[1].LastFetched)
+	require.JSONEq(t, string(observerTeamRow[0].Data), string(results[1].Data))
+}
+
 func testCountResultsForQuery(t *testing.T, ds *Datastore) {
 	user := test.NewUser(t, ds, "Test User", "test@example.com", true)
 	query1 := test.NewQuery(t, ds, nil, "New Query", "SELECT 1", user.ID, true)
@ -395,8 +498,10 @@ func testQueryResultRows(t *testing.T, ds *Datastore) {
 	err := ds.OverwriteQueryResultRows(context.Background(), overwriteRows)
 	require.NoError(t, err)

+	filter := fleet.TeamFilter{User: user, IncludeObserver: true}
+
 	// Test calling QueryResultRows with a query that has an entry with a host that doesn't exist anymore.
-	results, err := ds.QueryResultRows(context.Background(), query.ID)
+	results, err := ds.QueryResultRows(context.Background(), query.ID, filter)
 	require.NoError(t, err)
 	require.Len(t, results, 1)
 }
--- a/server/fleet/datastore.go
+++ b/server/fleet/datastore.go
@ -399,8 +399,8 @@ type Datastore interface {
 	///////////////////////////////////////////////////////////////////////////////
 	// QueryResultsStore

-	// QueryResultRows returns all the stored results of a query (from all hosts).
-	QueryResultRows(ctx context.Context, queryID uint) ([]*ScheduledQueryResultRow, error)
+	// QueryResultRows returns stored results of a query
+	QueryResultRows(ctx context.Context, queryID uint, filter TeamFilter) ([]*ScheduledQueryResultRow, error)
 	ResultCountForQuery(ctx context.Context, queryID uint) (int, error)
 	ResultCountForQueryAndHost(ctx context.Context, queryID, hostID uint) (int, error)
 	OverwriteQueryResultRows(ctx context.Context, rows []*ScheduledQueryResultRow) error
--- a/server/fleet/service.go
+++ b/server/fleet/service.go
@ -270,7 +270,7 @@ type Service interface {
 	// and only non-scheduled queries will be returned if `*scheduled == false`.
 	ListQueries(ctx context.Context, opt ListOptions, teamID *uint, scheduled *bool) ([]*Query, error)
 	GetQuery(ctx context.Context, id uint) (*Query, error)
-	// GetQueryReportResults returns all the stored results of a query.
+	// GetQueryReportResults returns all the stored results of a query for hosts the requestor has access to
 	GetQueryReportResults(ctx context.Context, id uint) ([]HostQueryResultRow, error)
 	NewQuery(ctx context.Context, p QueryPayload) (*Query, error)
 	ModifyQuery(ctx context.Context, id uint, p QueryPayload) (*Query, error)
--- a/server/mock/datastore_mock.go
+++ b/server/mock/datastore_mock.go
@ -298,7 +298,7 @@ type CleanupExpiredHostsFunc func(ctx context.Context) ([]uint, error)

 type ScheduledQueryIDsByNameFunc func(ctx context.Context, batchSize int, packAndSchedQueryNames ...[2]string) ([]uint, error)

-type QueryResultRowsFunc func(ctx context.Context, queryID uint) ([]*fleet.ScheduledQueryResultRow, error)
+type QueryResultRowsFunc func(ctx context.Context, queryID uint, filter fleet.TeamFilter) ([]*fleet.ScheduledQueryResultRow, error)

 type ResultCountForQueryFunc func(ctx context.Context, queryID uint) (int, error)

@ -2887,11 +2887,11 @@ func (s *DataStore) ScheduledQueryIDsByName(ctx context.Context, batchSize int,
 	return s.ScheduledQueryIDsByNameFunc(ctx, batchSize, packAndSchedQueryNames...)
 }

-func (s *DataStore) QueryResultRows(ctx context.Context, queryID uint) ([]*fleet.ScheduledQueryResultRow, error) {
+func (s *DataStore) QueryResultRows(ctx context.Context, queryID uint, filter fleet.TeamFilter) ([]*fleet.ScheduledQueryResultRow, error) {
 	s.mu.Lock()
 	s.QueryResultRowsFuncInvoked = true
 	s.mu.Unlock()
-	return s.QueryResultRowsFunc(ctx, queryID)
+	return s.QueryResultRowsFunc(ctx, queryID, filter)
 }

 func (s *DataStore) ResultCountForQuery(ctx context.Context, queryID uint) (int, error) {
--- a/server/service/queries.go
+++ b/server/service/queries.go
@ -166,7 +166,13 @@ func (svc *Service) GetQueryReportResults(ctx context.Context, id uint) ([]fleet
 		return nil, err
 	}

-	queryReportResultRows, err := svc.ds.QueryResultRows(ctx, id)
+	vc, ok := viewer.FromContext(ctx)
+	if !ok {
+		return nil, fleet.ErrNoContext
+	}
+	filter := fleet.TeamFilter{User: vc.User, IncludeObserver: true}
+
+	queryReportResultRows, err := svc.ds.QueryResultRows(ctx, id, filter)
 	if err != nil {
 		return nil, ctxerr.Wrap(ctx, err, "get query report results")
 	}
				`@ -0,0 +1 @@`
				`- query reports now only show results for hosts the user has permission to`