Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2022/10/05 21:21:57 UTC

[GitHub] [trafficcontrol] github-code-scanning[bot] commented on a diff in pull request #7079: Assign multiple servers to a capability

github-code-scanning[bot] commented on code in PR #7079:
URL: https://github.com/apache/trafficcontrol/pull/7079#discussion_r988365003


##########
traffic_ops/traffic_ops_golang/server/servers_server_capability.go:
##########
@@ -453,77 +454,167 @@
 	}
 	defer inf.Close()
 
-	var msc tc.MultipleServerCapabilities
-	if err := json.NewDecoder(r.Body).Decode(&msc); err != nil {
-		api.HandleErr(w, r, tx, http.StatusBadRequest, err, nil)
+	var mssc tc.MultipleServersCapabilities
+	if err := json.NewDecoder(r.Body).Decode(&mssc); err != nil {
+		api.HandleErr(w, r, tx, http.StatusBadRequest, fmt.Errorf("error decoding POST request body into MultipleServersCapabilities struct %w", err), nil)
 		return
 	}
 
-	// Check existence prior to checking type
-	_, exists, err := dbhelpers.GetServerNameFromID(tx, int64(msc.ServerID))
-	if err != nil {
-		api.HandleErr(w, r, tx, http.StatusInternalServerError, nil, err)
-	}
-	if !exists {
-		userErr := fmt.Errorf("server %d does not exist", msc.ServerID)
-		api.HandleErr(w, r, tx, http.StatusNotFound, userErr, nil)
-		return
+	if len(mssc.ServerIDs) == 1 {
+		errCode, userErr, sysErr = checkExistingServer(tx, mssc.ServerIDs[0], inf.User.UserName)
+		if userErr != nil || sysErr != nil {
+			api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+			return
+		}
 	}
 
-	// Ensure type is correct
-	correctType := true
-	if err := tx.QueryRow(scCheckServerTypeQuery(), msc.ServerID).Scan(&correctType); err != nil {
+	//Check if the server type is MID and/or EDGE
+	var servArray []int64
+	queryType := `SELECT array_agg(s.id) 
+		FROM server s
+		JOIN type t ON s.type = t.id
+		WHERE s.id = any ($1)
+		AND t.use_in_table = 'server'
+		AND (t.name LIKE 'MID%' OR t.name LIKE 'EDGE%')`
+	if err := tx.QueryRow(queryType, pq.Array(mssc.ServerIDs)).Scan(pq.Array(&servArray)); err != nil {
 		api.HandleErr(w, r, tx, http.StatusInternalServerError, nil, fmt.Errorf("checking server type: %w", err))
 		return
 	}
-	if !correctType {
-		userErr := fmt.Errorf("server %d has an incorrect server type. Server capabilities can only be assigned to EDGE or MID servers", msc.ServerID)
-		api.HandleErr(w, r, tx, http.StatusBadRequest, userErr, nil)
-		return
+	cmp := make(map[int64]bool)
+	for _, item := range servArray {
+		cmp[item] = true
+	}
+	for _, sid := range mssc.ServerIDs {
+		if _, ok := cmp[sid]; !ok {
+			userErr := fmt.Errorf("server id: %d has an incorrect server type. Server capability can only be assigned to EDGE or MID servers", sid)
+			api.HandleErr(w, r, tx, http.StatusBadRequest, userErr, nil)
+			return
+		}
+	}
+
+	// Insert rows in DB
+	sid := make([]int64, len(mssc.ServerCapabilities))
+	scs := make([]string, len(mssc.ServerIDs))
+	if len(mssc.ServerIDs) == 1 {
+		if len(mssc.ServerCapabilities) >= 1 {
+			for i := range mssc.ServerCapabilities {
+				sid[i] = mssc.ServerIDs[0]
+			}
+			scs = mssc.ServerCapabilities
+		}
+	} else if len(mssc.ServerCapabilities) == 1 {
+		if len(mssc.ServerIDs) >= 1 {
+			for i := range mssc.ServerIDs {
+				scs[i] = mssc.ServerCapabilities[0]
+			}
+			sid = mssc.ServerIDs
+		}
+	} else {
+		scs = mssc.ServerCapabilities
+		sid = mssc.ServerIDs
 	}
 
-	cdnName, err := dbhelpers.GetCDNNameFromServerID(tx, int64(msc.ServerID))
+	msscQuery := `INSERT INTO server_server_capability
+			select "server_capability", "server"
+			FROM UNNEST($1::text[], $2::int[]) AS tmp("server_capability", "server")`
+	_, err := tx.Query(msscQuery, pq.Array(scs), pq.Array(sid))
 	if err != nil {
-		api.HandleErr(w, r, tx, http.StatusInternalServerError, nil, err)
+		useErr, sysErr, statusCode := api.ParseDBError(err)
+		api.HandleErr(w, r, tx, statusCode, useErr, sysErr)
 		return
 	}
 
-	userErr, sysErr, errCode = dbhelpers.CheckIfCurrentUserCanModifyCDN(tx, string(cdnName), inf.User.UserName)
+	var alerts tc.Alerts
+	if len(mssc.ServerCapabilities) == 1 && len(mssc.ServerIDs) == 1 {
+		alerts = tc.CreateAlerts(tc.SuccessLevel, "Assigned either a Server Capability to a server or a Server to a capability")
+	} else if len(mssc.ServerCapabilities) > 1 && len(mssc.ServerIDs) == 1 {
+		alerts = tc.CreateAlerts(tc.SuccessLevel, "Multiple Server Capabilities assigned to a server")
+	} else if len(mssc.ServerCapabilities) == 1 && len(mssc.ServerIDs) > 1 {
+		alerts = tc.CreateAlerts(tc.SuccessLevel, "Multiple Servers assigned to a capability")
+	} else {
+		alerts = tc.CreateAlerts(tc.SuccessLevel, "Multiple Servers assigned to multiple capabilities")
+	}
+	api.WriteAlertsObj(w, r, http.StatusOK, alerts, mssc)
+	return
+}
+
+// DeleteMultipleServersCapabilities deletes multiple servers to a capability or multiple server capabilities to a server
+func DeleteMultipleServersCapabilities(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, nil, nil)
+	tx := inf.Tx.Tx
 	if userErr != nil || sysErr != nil {
-		api.HandleErr(w, r, tx, errCode, userErr, sysErr)
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
 		return
 	}
+	defer inf.Close()
 
-	//Delete existing rows from server_server_capability for a given server
-	_, err = tx.Exec("DELETE FROM server_server_capability ssc WHERE ssc.server=$1", msc.ServerID)
-	if err != nil {
-		useErr, sysErr, statusCode := api.ParseDBError(err)
-		api.HandleErr(w, r, tx, statusCode, useErr, sysErr)
+	var mssc tc.MultipleServersCapabilities
+	if err := json.NewDecoder(r.Body).Decode(&mssc); err != nil {
+		api.HandleErr(w, r, tx, http.StatusBadRequest, fmt.Errorf("error decoding DELETE request body into MultipleServersCapabilities struct %w", err), nil)
 		return
 	}
 
-	multipleServerCapabilities := make([]string, 0, len(msc.ServerCapabilities))
+	if len(mssc.ServerIDs) == 1 {
+		errCode, userErr, sysErr = checkExistingServer(tx, mssc.ServerIDs[0], inf.User.UserName)
+		if userErr != nil || sysErr != nil {
+			api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+			return
+		}
+	}
 
-	mscQuery := `WITH inserted AS (
-		INSERT INTO server_server_capability
-		SELECT "server_capability", $2
-		FROM UNNEST($1::text[]) AS tmp("server_capability")
-		RETURNING server_capability
-		)
-		SELECT ARRAY_AGG(server_capability)
-		FROM (
-			SELECT server_capability
-			FROM inserted
-		) AS returned(server_capability)`
+	//Delete existing rows from server_server_capability for a given server or for a given capability
+	var where string
+	if len(mssc.ServerCapabilities) == 1 && len(mssc.ServerIDs) == 1 {
+		where = fmt.Sprintf("WHERE ssc.server_capability='%s' AND ssc.server=%v", mssc.ServerCapabilities[0], mssc.ServerIDs[0])
+	} else if len(mssc.ServerCapabilities) == 1 {
+		where = fmt.Sprintf("WHERE ssc.server_capability='%s'", mssc.ServerCapabilities[0])
+	} else if len(mssc.ServerIDs) == 1 {
+		where = fmt.Sprintf("WHERE ssc.server=%v", mssc.ServerIDs[0])
+	}
 
-	err = tx.QueryRow(mscQuery, pq.Array(msc.ServerCapabilities), msc.ServerID).Scan(pq.Array(&multipleServerCapabilities))
+	delString := "DELETE FROM server_server_capability ssc " + where
+	result, err := tx.Exec(delString)
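Review bot: When neither `mssc.ServerCapabilities` nor `mssc.ServerIDs` has exactly one element (an empty request body included), `where` stays empty and `delString` becomes an unqualified `DELETE FROM server_server_capability ssc`, which removes every assignment in the table. Reject that case before the statement is built, for example `if where == "" { api.HandleErr(w, r, tx, http.StatusBadRequest, fmt.Errorf("exactly one server or one server capability is required"), nil); return }`. The `len(mssc.ServerCapabilities) == 1` branch also ignores `mssc.ServerIDs`, so a request naming one capability and several servers deletes that capability from all servers rather than only the listed ones. In both handlers `checkExistingServer` runs only when `len(mssc.ServerIDs) == 1`; its body is not in this hunk, but if it carries the existence and `CheckIfCurrentUserCanModifyCDN` checks that the removed code performed, multi-server requests now skip them and should loop over every ID. The body of `DeleteMultipleServersCapabilities` continues past the end of the quoted hunk.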

Review Comment:
   ## Database query built from user-controlled sources
   
   This query depends on a [user-provided value](1).
   
   [Show more details](https://github.com/apache/trafficcontrol/security/code-scanning/234)


