WIP implement stub for /v1/actions/execute-command #8064

@benjamingroeber benjamingroeber commented Jun 18, 2020

Hi guys!

This is the first step for the implementation of #8040 / #8034. We started the implementation this week with the first stub, and will continue working on this branch until all stubs are implemented.
We would like to have some feedback from your side before proceeding, to verify that we're on the right path.

During the implementation the following questions arose, which would need some quick feedback from you:

  1. Should the ttl parameter have a default value?
  2. Is creating a new MessageOrigin() the correct way to obtain the object for the cluster messages?
  3. With wait=false we expect the HTTP return code to be 202, however currently the API action handler will always return a 500 error code. What is the desired behavior here? Currently OK results are favored over everything else.

Regarding the implementation of the next stubs:

  1. Could you elaborate a little more on the handling of the wait=true parameter? Specifically, how would you handle the necessary "downtime" while waiting for the result of the Command?
  2. Could you elaborate your expectations for the implementation of the third stub in ClusterEvents::ExecuteCheckFromQueue?

For sure there is a lot of space for improvement, and we're excited to hear from you! We're also available for a short call if you prefer, @lippserd.

Cheers!

  • B

…teCommand message for ExecuteCommand Endpoint
@Al2Klimov
Member

Al2Klimov commented Jun 19, 2020

  1. No, IMAO it shall be required.
  2. Depending on what's the object for.
  3. Always 500? Please show me.

--

  1. Forget wait=true for now.
  2. Yet you didn't get green light even for the first one. I'd focus on that for now.

@Al2Klimov
Member

@lippserd Damn! The actions handler doesn't allow to do something for each object (trigger execution) and then do something else for each object (wait). Shall we just omit waiting?

@benjamingroeber
Author

benjamingroeber commented Jun 19, 2020

1. No, IMAO it shall be required.

Ok!

2. Depending on what's the object for.

In this case, for relaying the event::UpdateExecutions API messages, I'm not sure it's the right way to do it

3. Always 500? Please show me.

Yes, when collecting the results, the actions handler defaults to 500 whenever ApiActions::CreateResult returns anything else than 200 OK, which is the case with 202 Accepted defined as response for requests with wait=false. (See here)

Thanks for the feedback for now! We'll get to the implementation asap.

@Al2Klimov
Member

In this case, for relaying the event::UpdateExecutions API messages, I'm not sure it's the right way to do it

Are you going to let the agent execute the command? See here.

@Al2Klimov
Member

Yes, when collecting the results, the actions handler defaults to 500 whenever ApiActions::CreateResult returns anything else than 200 OK

Ah, right. Feel free to check not for 200, but for 200-299.

@benjamingroeber
Author

Ah, right. Feel free to check not for 200, but for 200-299.

Thanks! Currently, we check for the range, but left the statusCode of the action handler at 200.

Do you think it should be propagated from the results?
If yes, how should scenarios for results with different codes be handled?

@Al2Klimov
Member

200 is OK.

@Al2Klimov Al2Klimov added the needs feedback We'll only proceed once we hear from you again label Jun 23, 2020
Member

@Al2Klimov Al2Klimov left a comment

Don't forget to say like we're done, please review.

@lippserd
Member

@lippserd Damn! The actions handler doesn't allow to do something for each object (trigger execution) and then do something else for each object (wait). Shall we just omit waiting?

Ok. We just drop the wait option then.

@benjamingroeber The idea of the wait option was that this action should be executable via cURL as easy as possible, i.e. it should be just one request. But since it would be quite some effort to support this, we just go here with execute and poll as well.

@lippserd lippserd removed their assignment Jun 23, 2020
@Al2Klimov Al2Klimov removed the needs feedback We'll only proceed once we hear from you again label Jun 23, 2020
@benjamingroeber
Author

Hi @Al2Klimov
we went over your last set of feedback and implemented the UpdateExecutionsAPIHandler, please let us know what you think.

We noticed that the API does not forward cluster messages to itself (which makes sense), such that we need a separate branch for the handling of local executions. Is there an existing pattern which we can apply to unify remote and local command execution logic?

Thanks!

@Al2Klimov
Member

We noticed that the API does not forward cluster messages to itself

Interesting, please share the code location.

Member

@Al2Klimov Al2Klimov left a comment

Now this stub implementation...

Member

@Al2Klimov Al2Klimov left a comment

These two stub implementations are (more than?) enough for a single PR.

Write a test protocol (as comment here) for each of them:

  • API action: demonstrate the parameter validation, the checkable property update (locally) and the correctly sent cluster messages with curl, the debug log and the Icinga console
  • Cluster message handler: demonstrate the checkable property update with the same tools

Write it replicably so one of us can verify the tests

@mcodato
Contributor

mcodato commented Jul 6, 2020

This is the configuration that can be used to run the tests:

Master configuration

constants.conf

const NodeName = "PHXL0262"

const ZoneName = "PHXL0262"

hosts.conf

object Host "PHXL0262" {
    check_command = "hostalive"
    enable_active_checks = false
    vars.os = "Linux"
    address = "localhost"
    zone = "localhost.localdomain"
}

services.conf

apply Service "ping" {
    check_command = "ping"
    assign where host.address
    zone = "localhost.localdomain"
}

zones.conf

object Endpoint "PHXL0262" {
  host = "PHXL0262"
}

object Zone "PHXL0262" {
  endpoints = [ "PHXL0262" ]
}


object Endpoint "localhost.localdomain" {
}

object Zone "localhost.localdomain" {
    endpoints = [ "localhost.localdomain" ]
    parent = "PHXL0262"
}

api-users.conf

object ApiUser "root" {
  password = "admin"
  // client_cn = ""

  permissions = [ "*" ]
}

object ApiUser "limited" {
    password = "limited"
    permissions = [
        "objects/query/Host", "objects/query/Service", "actions/execute-command", "objects/query/Endpoint",
        "objects/query/CheckCommand",
        {
            permission = "objects/query/Endpoint"
            filter = {{ regex("^PH", endpoint.name) }}
        }
    ]
}

Satellite configuration

constants.conf

const NodeName = "localhost.localdomain"

const ZoneName = "localhost.localdomain"

hosts.conf

object Host "PHXL0262" {
    check_command = "hostalive"
    enable_active_checks = false
    vars.os = "Linux"
    address = "localhost"
    zone = "localhost.localdomain"
}

services.conf

apply Service "ping" {
    check_command = "ping"
    assign where host.address
    zone = "localhost.localdomain"
}

zones.conf

object Endpoint "PHXL0262" {
    host = "localhost"
    port = "5665"
}

object Zone "master" {
    endpoints = [ "PHXL0262" ]
}

object Endpoint "localhost.localdomain" {
}

object Zone "localhost.localdomain" {
    endpoints = [ "localhost.localdomain" ]
    parent = "master"
}

Tests

Before the tests

  • Connect to the master via icinga cli icinga2 console --connect 'https://root:admin@localhost:5665/'
  • Check the executions
<1> => var s = get_service("PHXL0262", "ping");
null
<2> => s.executions
null

Test correct request

curl -v -k -s -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "CheckCommand" }'

result:

{"results":[{"PHXL0262!ping":"586ba1a2-2d04-4059-9c58-489e2f341fe7","code":202.0,"status":"Accepted"}]}

log output master:

[2020-07-06 15:47:13 +0200] information/ApiListener: New client connection from [127.0.0.1]:34838 (no client certificate)
[2020-07-06 15:47:13 +0200] notice/ApiListener: New HTTP client
[2020-07-06 15:47:13 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:34838), user: root, agent: curl/7.66.0).
[2020-07-06 15:47:13 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "CheckCommand" }'
[2020-07-06 15:47:13 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-06 15:47:13 +0200] notice/ApiListener: Relaying 'event::UpdateExecutions' message
[2020-07-06 15:47:13 +0200] notice/ApiListener: Sending message 'event::UpdateExecutions' to 'localhost.localdomain'
[2020-07-06 15:47:13 +0200] critical/ApiListener: Not implemented.
[2020-07-06 15:47:13 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:34838)

log output satellite:

[2020-07-06 15:47:13 +0200] notice/JsonRpcConnection: Received 'event::UpdateExecutions' message from identity 'PHXL0262'.

cli:

<8> => s.executions
{
	"7365dd64-1bda-40e7-86fd-ede0cdf49702" = {
		deadline = 1594043248.425018
		pending = true
	}
}

Test wrong command_type

curl -v -k -s -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "WrongCommandType" }'

result:

{"results":[{"code":400.0,"status":"Invalid command_type 'WrongCommandType'."}]}

log output master:

[2020-07-06 15:51:05 +0200] information/ApiListener: New client connection from [127.0.0.1]:34908 (no client certificate)
[2020-07-06 15:51:05 +0200] notice/ApiListener: New HTTP client
[2020-07-06 15:51:05 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:34908), user: root, agent: curl/7.66.0).
[2020-07-06 15:51:05 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "WrongCommandType" }'
[2020-07-06 15:51:05 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-06 15:51:05 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:34908)

log output satellite:
nothing related to this test

cli:

<9> => s.executions
{
	"7365dd64-1bda-40e7-86fd-ede0cdf49702" = {
		deadline = 1594043248.425018
		pending = true
	}
}

Test ttl is required

curl -v -k -s -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "CheckCommand" }'

result:

{"results":[{"code":400.0,"status":"Parameter ttl is required."}]}

log output master:

[2020-07-06 15:56:41 +0200] information/ApiListener: New client connection from [127.0.0.1]:35000 (no client certificate)
[2020-07-06 15:56:41 +0200] notice/ApiListener: New HTTP client
[2020-07-06 15:56:41 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:35000), user: root, agent: curl/7.66.0).
[2020-07-06 15:56:41 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "CheckCommand" }'
[2020-07-06 15:56:41 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-06 15:56:41 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:35000)

log output satellite:
nothing related to this test

cli:

<10> => s.executions
{
	"7365dd64-1bda-40e7-86fd-ede0cdf49702" = {
		deadline = 1594043248.425018
		pending = true
	}
}

Test ttl is negative

curl -v -k -s -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"-15", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "CheckCommand" }'

result:

{"results":[{"code":400.0,"status":"Parameter ttl must be greater than 0."}]}

log output master:

[2020-07-06 15:57:43 +0200] information/ApiListener: New client connection from [127.0.0.1]:35016 (no client certificate)
[2020-07-06 15:57:43 +0200] notice/ApiListener: New HTTP client
[2020-07-06 15:57:43 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:35016), user: root, agent: curl/7.66.0).
[2020-07-06 15:57:43 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"-15", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "CheckCommand" }'
[2020-07-06 15:57:43 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-06 15:57:43 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:35016)

log output satellite:
nothing related to this test

cli:

<11> => s.executions
{
	"7365dd64-1bda-40e7-86fd-ede0cdf49702" = {
		deadline = 1594043248.425018
		pending = true
	}
}

Test macros is not a dictionary

curl -v -k -s -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": "macros_string", "command": "ping", "command_type": "CheckCommand" }'

result:

{"results":[{"code":400.0,"status":"Parameter macros must be a dictionary."}]}

log output master:

[2020-07-06 15:58:07 +0200] information/ApiListener: New client connection from [127.0.0.1]:35026 (no client certificate)
[2020-07-06 15:58:07 +0200] notice/ApiListener: New HTTP client
[2020-07-06 15:58:07 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:35026), user: root, agent: curl/7.66.0).
[2020-07-06 15:58:07 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": "macros_string", "command": "ping", "command_type": "CheckCommand" }'
[2020-07-06 15:58:07 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-06 15:58:07 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:35026)

log output satellite:
nothing related to this test

cli:

<12> => s.executions
{
	"7365dd64-1bda-40e7-86fd-ede0cdf49702" = {
		deadline = 1594043248.425018
		pending = true
	}
}

Test invalid endpoint

curl -v -k -s -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "INVALID_ENDPOINT"}, "command": "ping", "command_type": "CheckCommand" }'

result:

{"results":[{"code":404.0,"status":"Can't find a valid endpoint for 'INVALID_ENDPOINT'."}]}

log output master:

[2020-07-06 15:58:33 +0200] information/ApiListener: New client connection from [127.0.0.1]:35034 (no client certificate)
[2020-07-06 15:58:33 +0200] notice/ApiListener: New HTTP client
[2020-07-06 15:58:33 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:35034), user: root, agent: curl/7.66.0).
[2020-07-06 15:58:33 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "INVALID_ENDPOINT"}, "command": "ping", "command_type": "CheckCommand" }'
[2020-07-06 15:58:33 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-06 15:58:33 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:35034)

log output satellite:
nothing related to this test

cli:

<13> => s.executions
{
	"7365dd64-1bda-40e7-86fd-ede0cdf49702" = {
		deadline = 1594043248.425018
		pending = true
	}
}

Test invalid CheckCommand

curl -v -k -s -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "PHXL0262"}, "command": "pong", "command_type": "CheckCommand" }'

result:

{"results":[{"code":404.0,"status":"Can't find a valid CheckCommand for 'pong'."}]}

log output master:

[2020-07-06 15:59:11 +0200] information/ApiListener: New client connection from [127.0.0.1]:35038 (no client certificate)
[2020-07-06 15:59:11 +0200] notice/ApiListener: New HTTP client
[2020-07-06 15:59:11 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:35038), user: root, agent: curl/7.66.0).
[2020-07-06 15:59:11 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "PHXL0262"}, "command": "pong", "command_type": "CheckCommand" }'
[2020-07-06 15:59:11 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-06 15:59:11 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:35038)

log output satellite:
nothing related to this test

cli:

<14> => s.executions
{
	"7365dd64-1bda-40e7-86fd-ede0cdf49702" = {
		deadline = 1594043248.425018
		pending = true
	}
}

Tests on satellite

  • Connect to the master via icinga cli icinga2 console --connect 'https://root:admin@localhost:5664/'
  • Check the executions
<3> => var s = get_service("PHXL0262", "ping");
null
<4> => s.executions
{
	"6b272f78-955a-4113-a418-92ef05162708" = {
		deadline = 1594044191.841134
		pending = true
	}
}

Test correct request

curl -v -k -s -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "localhost.localdomain"}, "command": "ping", "command_type": "CheckCommand" }'

result:

{"results":[{"PHXL0262!ping":"329aa56e-93c5-447f-8099-f8cdcb045d38","code":202.0,"status":"Accepted"}]}

log output master:

[2020-07-06 16:07:27 +0200] information/ApiListener: New client connection from [127.0.0.1]:35264 (no client certificate)
[2020-07-06 16:07:27 +0200] notice/ApiListener: New HTTP client
[2020-07-06 16:07:27 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:35264), user: root, agent: curl/7.66.0).
[2020-07-06 16:07:27 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "localhost.localdomain"}, "command": "ping", "command_type": "CheckCommand" }'
[2020-07-06 16:07:27 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-06 16:07:27 +0200] notice/ApiListener: Sending message 'event::ExecuteCommand' to 'localhost.localdomain'
[2020-07-06 16:07:27 +0200] notice/ApiListener: Relaying 'event::UpdateExecutions' message
[2020-07-06 16:07:27 +0200] notice/ApiListener: Sending message 'event::UpdateExecutions' to 'localhost.localdomain'
[2020-07-06 16:07:27 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:35264)

log output satellite:

[2020-07-06 16:07:27 +0200] notice/JsonRpcConnection: Received 'event::ExecuteCommand' message from identity 'PHXL0262'.
[2020-07-06 16:07:27 +0200] critical/ApiListener: Not implemented.
[2020-07-06 16:07:27 +0200] notice/JsonRpcConnection: Received 'event::UpdateExecutions' message from identity 'PHXL0262'.

cli:

<5> => s.executions
{
	"329aa56e-93c5-447f-8099-f8cdcb045d38" = {
		deadline = 1594044462.458302
		pending = true
	}
	"6b272f78-955a-4113-a418-92ef05162708" = {
		deadline = 1594044191.841134
		pending = true
	}
}

Tests with a limited user

Test allowed endpoint

curl -v -k -s -u limited:limited -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "CheckCommand" }'

result:

{"results":[{"checkable":"PHXL0262!ping","code":202.0,"execution":"5ded62ef-17af-48c0-bee7-f53955671301","status":"Accepted"}]}

log output master:

[2020-07-07 16:35:52 +0200] information/ApiListener: New client connection from [127.0.0.1]:48830 (no client certificate)
[2020-07-07 16:35:52 +0200] notice/ApiListener: New HTTP client
[2020-07-07 16:35:52 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:48830), user: limited, agent: curl/7.66.0).
[2020-07-07 16:35:52 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "PHXL0262"}, "command": "ping", "command_type": "CheckCommand" }'
[2020-07-07 16:35:52 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-07 16:35:52 +0200] notice/ApiListener: Relaying 'event::UpdateExecutions' message
[2020-07-07 16:35:52 +0200] notice/ApiListener: Sending message 'event::UpdateExecutions' to 'localhost.localdomain'
[2020-07-07 16:35:52 +0200] critical/ApiListener: Not implemented.
[2020-07-07 16:35:52 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:48830)

log output satellite:
nothing related to this test

cli:

<1> => var s = get_service("PHXL0262", "ping");
null
<2> => s.executions
{
	"5ded62ef-17af-48c0-bee7-f53955671301" = {
		deadline = 1594132567.603483
		pending = true
	}
}

Test denied endpoint

curl -v -k -s -u limited:limited -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "localhost.localdomain"}, "command": "ping", "command_type": "CheckCommand" }'

result:

{"results":[{"code":404.0,"status":"Can't find a valid endpoint for 'localhost.localdomain'."}]}

log output master:

[2020-07-07 16:38:22 +0200] information/ApiListener: New client connection from [127.0.0.1]:48882 (no client certificate)
[2020-07-07 16:38:22 +0200] notice/ApiListener: New HTTP client
[2020-07-07 16:38:22 +0200] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [127.0.0.1]:48882), user: limited, agent: curl/7.66.0).
[2020-07-07 16:38:22 +0200] debug/HttpUtility: Request body: '{"type":"Service", "service": "PHXL0262!ping", "ttl":"15", "macros": {"command_endpoint": "localhost.localdomain"}, "command": "ping", "command_type": "CheckCommand" }'
[2020-07-07 16:38:22 +0200] notice/ApiActionHandler: Running action execute-command
[2020-07-07 16:38:22 +0200] warning/ApiActions: Error: Access denied to object 'localhost.localdomain' of type 'Endpoint'
[2020-07-07 16:38:22 +0200] information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:48882)

log output satellite:
nothing related to this test

cli:

<3> => s.executions
{
	"5ded62ef-17af-48c0-bee7-f53955671301" = {
		deadline = 1594132567.603483
		pending = true
	}
}

@Al2Klimov
Member

And the logs with the cluster messages?

And the debug console outputs with the changed checkable executions attribute?

@mcodato
Contributor

mcodato commented Jul 6, 2020

You're right, we have updated the comment.
We noticed that the event::ExecuteCommand is executed before the event::UpdateExecutions, is this ok?

@Al2Klimov
Member

You seem to have ordered it right in the code.

@Al2Klimov
Member

... so you don't need to care about it for now.

Member

@Al2Klimov Al2Klimov left a comment

Damn. {"PHXL0262!ping":"329aa56e-93c5-447f-8099-f8cdcb045d38","code":202.0,"status":"Accepted"} is not optimal as "PHXL0262!ping" may also be "code" or "status" (host named like this).

Change it to this: {"checkable":"PHXL0262!ping","execution":"329aa56e-93c5-447f-8099-f8cdcb045d38","code":202.0,"status":"Accepted"}

@Al2Klimov Al2Klimov added the queue/reserved Before doing anything: Ask the one who has added this label! label Jul 6, 2020
Member

@Al2Klimov Al2Klimov left a comment

And one last thing for now:

The checkable is already there. Don't just GetByName() other objects like the endpoint. Instead use this function with this permission.

Rationale: This new action shall not be a workaround for querying forbidden objects.
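
The lookup rule from this review, sketched as an added example (not code from the PR or from Icinga 2). `Permission`, `ApiUser`, `MayAccess`, `ExecuteUnchecked` and `ExecuteChecked` are hypothetical stand-ins, and the user models only the filtered `objects/query/Endpoint` grant of the `limited` ApiUser from the test protocol; it shows a plain by-name lookup beside a permission-gated one that answers a denied endpoint exactly like a missing one.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Simplified stand-ins for this example; these are not Icinga 2's classes.
struct Permission {
	std::string name;   // e.g. "objects/query/Endpoint", or "*" for everything
	std::string filter; // regex on the object name; empty means unfiltered
};

struct ApiUser {
	std::string name;
	std::vector<Permission> permissions;
};

struct Result {
	int code;
	std::string status;
};

// Constructed endpoint registry matching the master/satellite test setup.
static bool EndpointExists(const std::string& name)
{
	return name == "PHXL0262" || name == "localhost.localdomain";
}

// True if one of the user's grants matches `required` and covers `object`.
static bool MayAccess(const ApiUser& user, const std::string& required,
	const std::string& object)
{
	for (const Permission& p : user.permissions) {
		if (p.name != "*" && p.name != required)
			continue;
		if (p.filter.empty() || std::regex_search(object, std::regex(p.filter)))
			return true;
	}
	return false;
}

static Result NotFound(const std::string& endpoint)
{
	return Result{ 404, "Can't find a valid endpoint for '" + endpoint + "'." };
}

// Before: plain by-name lookup. The caller's endpoint permissions are never
// consulted, and 202 vs. 404 reveals which endpoint names exist.
Result ExecuteUnchecked(const ApiUser&, const std::string& endpoint)
{
	if (!EndpointExists(endpoint))
		return NotFound(endpoint);
	return Result{ 202, "Accepted" };
}

// After: the lookup is gated by objects/query/Endpoint, and a denied endpoint
// gets the same answer as a missing one.
Result ExecuteChecked(const ApiUser& user, const std::string& endpoint)
{
	if (!EndpointExists(endpoint)
		|| !MayAccess(user, "objects/query/Endpoint", endpoint))
		return NotFound(endpoint);
	return Result{ 202, "Accepted" };
}

// Constructed users: one grant each, enough for this model.
static ApiUser MakeUser(const std::string& name, const std::string& perm,
	const std::string& filter)
{
	ApiUser u;
	u.name = name;
	u.permissions.push_back(Permission{ perm, filter });
	return u;
}

ApiUser LimitedUser() { return MakeUser("limited", "objects/query/Endpoint", "^PH"); }
ApiUser RootUser() { return MakeUser("root", "*", ""); }

int main()
{
	const char* names[] = { "PHXL0262", "localhost.localdomain", "INVALID_ENDPOINT" };
	for (const char* n : names) {
		Result before = ExecuteUnchecked(LimitedUser(), n);
		Result after = ExecuteChecked(LimitedUser(), n);
		std::cout << n << ": unchecked " << before.code
			<< ", checked " << after.code << " " << after.status << "\n";
	}
	return 0;
}
```

In the test protocol the denied case still writes `warning/ApiActions: Error: Access denied to object 'localhost.localdomain' of type 'Endpoint'` to the master log, so the denial stays visible to operators while the caller only sees the 404.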

@Al2Klimov Al2Klimov removed the queue/reserved Before doing anything: Ask the one who has added this label! label Jul 7, 2020
Member

@Al2Klimov Al2Klimov left a comment

LGTM. And now please a test protocol for allow and denial of an existing object for one of the resolved types.

@mcodato
Contributor

mcodato commented Jul 7, 2020

We added the tests in the comment above

@Al2Klimov Al2Klimov added the queue/reserved Before doing anything: Ask the one who has added this label! label Jul 7, 2020
@Al2Klimov Al2Klimov requested a review from yhabteab July 7, 2020 15:42
@Al2Klimov Al2Klimov removed the queue/reserved Before doing anything: Ask the one who has added this label! label Jul 7, 2020
@Al2Klimov
Member

@Yonas-net Check out this PR on master + sat and verify the test protocol.

Member

@yhabteab yhabteab left a comment

I have copied everything one by one and it works great 👍.

@Al2Klimov Al2Klimov merged commit 86f74e2 into Icinga:feature/v1-actions-execute-command-8034 Jul 8, 2020
@Al2Klimov
Member

Feel free to implement the remaining stuff now. (New branch, PR into the same branch as here.)
