Apply correct restrictions to REST url endpoints

The following url end points should apply relevant restrictions to filter out objects and show correct HTTP status code:
- icingaweb2/director/service, if the host name is left out of the query (Example: icingaweb2/director/service?name=service-name)
- icingaweb2/directore/notification
- icingaweb2/director/serviceset
- icingaweb2/director/scheduled-downtime

Author: raviks789

application/controllers/NotificationController.php

@@ -2,6 +2,7 @@
 
 namespace Icinga\Module\Director\Controllers;
 
+use Icinga\Exception\NotFoundError;
 use Icinga\Module\Director\Web\Controller\ObjectController;
 use Icinga\Module\Director\Objects\IcingaHost;
 use Icinga\Module\Director\Objects\IcingaNotification;
@@ -80,6 +81,10 @@ protected function loadObject()
             }
         }
 
+        if (! $this->allowsObject($this->object)) {
+            throw new NotFoundError('No such object available');
+        }
+
         return $this->object;
     }
 }

application/controllers/ServiceController.php

@@ -49,14 +49,6 @@ public function init()
         $this->host = $this->getOptionalRelatedObjectFromParams('host', 'host');
         $this->set = $this->getOptionalRelatedObjectFromParams('service_set', 'set');
         parent::init();
-        if ($this->object) {
-            if ($this->host === null) {
-                $this->host = $this->loadOptionalRelatedObject($this->object, 'host');
-            }
-            if ($this->set === null) {
-                $this->set = $this->loadOptionalRelatedObject($this->object, 'service_set');
-            }
-        }
         $this->addOptionalHostTabs();
         $this->addOptionalSetTabs();
     }
@@ -77,6 +69,20 @@ protected function getOptionalRelatedObjectFromParams($type, $parameter)
         return null;
     }
 
+    protected function loadOptionalObject(): void
+    {
+        parent::loadOptionalObject();
+
+        if ($this->object) {
+            if ($this->host === null) {
+                $this->host = $this->loadOptionalRelatedObject($this->object, 'host');
+            }
+            if ($this->set === null) {
+                $this->set = $this->loadOptionalRelatedObject($this->object, 'service_set');
+            }
+        }
+    }
+
     protected function loadOptionalRelatedObject(IcingaObject $object, $relation)
     {
         $key = $object->getUnresolvedRelated($relation);

application/controllers/ServicesetController.php

@@ -3,6 +3,7 @@
 namespace Icinga\Module\Director\Controllers;
 
 use Icinga\Data\Filter\Filter;
+use Icinga\Exception\NotFoundError;
 use Icinga\Module\Director\Forms\IcingaServiceSetForm;
 use Icinga\Module\Director\Objects\IcingaHost;
 use Icinga\Module\Director\Objects\IcingaServiceSet;
@@ -136,6 +137,10 @@ protected function loadObject()
             }
         }
 
+        if (! $this->allowsObject($this->object)) {
+            throw new NotFoundError('No such object available');
+        }
+
         return $this->object;
     }
 }

library/Director/Restriction/FilterByNameRestriction.php

@@ -5,6 +5,7 @@
 use gipfl\IcingaWeb2\Zf1\Db\FilterRenderer;
 use Icinga\Authentication\Auth;
 use Icinga\Data\Filter\Filter;
+use Icinga\Data\Filter\FilterEqual;
 use Icinga\Module\Director\Db;
 use Icinga\Module\Director\Objects\IcingaObject;
 use Zend_Db_Select as ZfSelect;
@@ -30,7 +31,11 @@ protected function setType($type)
 
     protected function setNameForType($type)
     {
-        $this->name = "director/{$type}/filter-by-name";
+        if ($type === 'service_set') {
+            $this->name = "director/{$type}/filter-by-name";
+        } else {
+            $this->name = "director/{$type}/apply/filter-by-name";
+        }
     }
 
     public function allows(IcingaObject $object)
@@ -39,9 +44,9 @@ public function allows(IcingaObject $object)
             return true;
         }
 
-        return $this->getFilter()->matches([
+        return $this->getFilter()->matches(
             (object) ['object_name' => $object->getObjectName()]
-        ]);
+        );
     }
 
     public function getFilter()

library/Director/Web/Controller/Extension/ObjectRestrictions.php

@@ -5,6 +5,7 @@
 use Icinga\Authentication\Auth;
 use Icinga\Module\Director\Db;
 use Icinga\Module\Director\Objects\IcingaObject;
+use Icinga\Module\Director\Restriction\FilterByNameRestriction;
 use Icinga\Module\Director\Restriction\HostgroupRestriction;
 use Icinga\Module\Director\Restriction\ObjectRestriction;
 
@@ -13,6 +14,9 @@ trait ObjectRestrictions
     /** @var ObjectRestriction[] */
     private $objectRestrictions;
 
+    /** @var IcingaObject */
+    private $dummyRestrictedObject;
+
     /**
      * @return ObjectRestriction[]
      */
@@ -30,13 +34,27 @@ public function getObjectRestrictions()
      */
     protected function loadObjectRestrictions(Db $db, Auth $auth)
     {
-        return [
-            new HostgroupRestriction($db, $auth)
-        ];
+        $objectType = $this->dummyRestrictedObject->getShortTableName();
+        if (
+            ($objectType === 'service' && $this->dummyRestrictedObject->isApplyRule())
+            || $objectType === 'notification'
+            || $objectType === 'service_set'
+            || $objectType === 'scheduled_downtime'
+        ) {
+            if ($objectType === 'scheduled_downtime') {
+                $objectType = 'scheduled-downtime';
+            }
+
+            return [new FilterByNameRestriction($db, $auth, $objectType)];
+        }
+
+        // If the object is host or host group load HostgroupRestriction
+        return [new HostgroupRestriction($db, $auth)];
     }
 
     public function allowsObject(IcingaObject $object)
     {
+        $this->dummyRestrictedObject = $object;
         foreach ($this->getObjectRestrictions() as $restriction) {
             if (! $restriction->allows($object)) {
                 return false;

library/Director/Web/Controller/ObjectsController.php

@@ -17,6 +17,7 @@
 use Icinga\Module\Director\RestApi\IcingaObjectsHandler;
 use Icinga\Module\Director\Web\ActionBar\ObjectsActionBar;
 use Icinga\Module\Director\Web\ActionBar\TemplateActionBar;
+use Icinga\Module\Director\Web\Controller\Extension\ObjectRestrictions;
 use Icinga\Module\Director\Web\Form\FormLoader;
 use Icinga\Module\Director\Web\Table\ApplyRulesTable;
 use Icinga\Module\Director\Web\Table\ObjectSetTable;
@@ -33,6 +34,7 @@
 abstract class ObjectsController extends ActionController
 {
     use BranchHelper;
+    use ObjectRestrictions;
 
     protected $isApified = true;
 
@@ -75,9 +77,13 @@ protected function apiRequestHandler()
         $table = $this->getTable();
         if (
             $request->getControllerName() === 'services'
-            && $host = $this->params->get('host')
+            && $hostName = $this->params->get('host')
         ) {
-            $host = IcingaHost::load($host, $this->db());
+            $host = IcingaHost::load($hostName, $this->db());
+            if (! $this->allowsObject($host)) {
+                throw new NotFoundError(sprintf('Failed to load %s "%s"', $host->getTableName(), $hostName));
+            }
+
             $table->getQuery()->where('o.host_id = ?', $host->get('id'));
         }
 

library/Director/Web/Table/ObjectsTable.php

@@ -226,11 +226,14 @@ protected function loadRestrictions()
     {
         /** @var Db $db */
         $db = $this->connection();
+        $dummyObject = $this->getDummyObject();
+        $type = $dummyObject->getShortTableName();
 
-        return [
-            new HostgroupRestriction($db, $this->auth),
-            new FilterByNameRestriction($db, $this->auth, $this->getDummyObject()->getShortTableName())
-        ];
+        if ($dummyObject->isApplyRule()) {
+            return [new FilterByNameRestriction($db, $this->auth, $type)];
+        } else {
+            return [new HostgroupRestriction($db, $this->auth)];
+        }
     }
 
     /**