Merge pull request #1679 from gwenya/filters

Add filtering to all API collections

Author: stgraber

cmd/incusd/api_project.go

@@ -15,6 +15,7 @@ import (
 	"github.com/gorilla/mux"
 
 	incus "github.com/lxc/incus/v6/client"
+	"github.com/lxc/incus/v6/internal/filter"
 	"github.com/lxc/incus/v6/internal/jmap"
 	"github.com/lxc/incus/v6/internal/server/auth"
 	"github.com/lxc/incus/v6/internal/server/db"
@@ -73,6 +74,12 @@ var projectAccessCmd = APIEndpoint{
 //  ---
 //  produces:
 //    - application/json
+//  parameters:
+//    - in: query
+//      name: filter
+//      description: Collection filter
+//      type: string
+//      example: default
 //  responses:
 //    "200":
 //      description: API endpoints
@@ -109,59 +116,72 @@ var projectAccessCmd = APIEndpoint{
 
 // swagger:operation GET /1.0/projects?recursion=1 projects projects_get_recursion1
 //
-//	Get the projects
+//  Get the projects
 //
-//	Returns a list of projects (structs).
+//  Returns a list of projects (structs).
 //
-//	---
-//	produces:
-//	  - application/json
-//	responses:
-//	  "200":
-//	    description: API endpoints
-//	    schema:
-//	      type: object
-//	      description: Sync response
-//	      properties:
-//	        type:
-//	          type: string
-//	          description: Response type
-//	          example: sync
-//	        status:
-//	          type: string
-//	          description: Status description
-//	          example: Success
-//	        status_code:
-//	          type: integer
-//	          description: Status code
-//	          example: 200
-//	        metadata:
-//	          type: array
-//	          description: List of projects
-//	          items:
-//	            $ref: "#/definitions/Project"
-//	  "403":
-//	    $ref: "#/responses/Forbidden"
-//	  "500":
-//	    $ref: "#/responses/InternalServerError"
+//  ---
+//  produces:
+//    - application/json
+//  parameters:
+//    - in: query
+//      name: filter
+//      description: Collection filter
+//      type: string
+//      example: default
+//  responses:
+//    "200":
+//      description: API endpoints
+//      schema:
+//        type: object
+//        description: Sync response
+//        properties:
+//          type:
+//            type: string
+//            description: Response type
+//            example: sync
+//          status:
+//            type: string
+//            description: Status description
+//            example: Success
+//          status_code:
+//            type: integer
+//            description: Status code
+//            example: 200
+//          metadata:
+//            type: array
+//            description: List of projects
+//            items:
+//              $ref: "#/definitions/Project"
+//    "403":
+//      $ref: "#/responses/Forbidden"
+//    "500":
+//      $ref: "#/responses/InternalServerError"
+
 func projectsGet(d *Daemon, r *http.Request) response.Response {
 	s := d.State()
 
 	recursion := localUtil.IsRecursionRequest(r)
 
+	// Parse filter value.
+	filterStr := r.FormValue("filter")
+	clauses, err := filter.Parse(filterStr, filter.QueryOperatorSet())
+	if err != nil {
+		return response.BadRequest(fmt.Errorf("Invalid filter: %w", err))
+	}
+
 	userHasPermission, err := s.Authorizer.GetPermissionChecker(r.Context(), r, auth.EntitlementCanView, auth.ObjectTypeProject)
 	if err != nil {
 		return response.InternalError(err)
 	}
 
-	var result any
+	filtered := make([]api.Project, 0)
 	err = s.DB.Cluster.Transaction(r.Context(), func(ctx context.Context, tx *db.ClusterTx) error {
 		projects, err := cluster.GetProjects(ctx, tx.Tx())
 		if err != nil {
 			return err
 		}
 
-		filtered := []api.Project{}
 		for _, project := range projects {
 			if !userHasPermission(auth.ObjectProject(project.Name)) {
 				continue
@@ -177,18 +197,18 @@ func projectsGet(d *Daemon, r *http.Request) response.Response {
 				return err
 			}
 
-			filtered = append(filtered, *apiProject)
-		}
+			if clauses != nil && len(clauses.Clauses) > 0 {
+				match, err := filter.Match(*apiProject, *clauses)
+				if err != nil {
+					return err
+				}
 
-		if recursion {
-			result = filtered
-		} else {
-			urls := make([]string, len(filtered))
-			for i, p := range filtered {
-				urls[i] = p.URL(version.APIVersion).String()
+				if !match {
+					continue
+				}
 			}
 
-			result = urls
+			filtered = append(filtered, *apiProject)
 		}
 
 		return nil
@@ -197,7 +217,16 @@ func projectsGet(d *Daemon, r *http.Request) response.Response {
 		return response.SmartError(err)
 	}
 
-	return response.SyncResponse(true, result)
+	if recursion {
+		return response.SyncResponse(true, filtered)
+	}
+
+	urls := make([]string, len(filtered))
+	for i, p := range filtered {
+		urls[i] = p.URL(version.APIVersion).String()
+	}
+
+	return response.SyncResponse(true, urls)
 }
 
 // projectUsedBy returns a list of URLs for all instances, images, profiles,

cmd/incusd/certificates.go

@@ -16,6 +16,7 @@ import (
 	"github.com/gorilla/mux"
 
 	incus "github.com/lxc/incus/v6/client"
+	"github.com/lxc/incus/v6/internal/filter"
 	internalInstance "github.com/lxc/incus/v6/internal/instance"
 	"github.com/lxc/incus/v6/internal/server/auth"
 	"github.com/lxc/incus/v6/internal/server/certificate"
@@ -62,6 +63,12 @@ var certificateCmd = APIEndpoint{
 //  ---
 //  produces:
 //    - application/json
+//  parameters:
+//    - in: query
+//      name: filter
+//      description: Collection filter
+//      type: string
+//      example: default
 //  responses:
 //    "200":
 //      description: API endpoints
@@ -98,52 +105,71 @@ var certificateCmd = APIEndpoint{
 
 // swagger:operation GET /1.0/certificates?recursion=1 certificates certificates_get_recursion1
 //
-//	Get the trusted certificates
+//  Get the trusted certificates
 //
-//	Returns a list of trusted certificates (structs).
+//  Returns a list of trusted certificates (structs).
 //
-//	---
-//	produces:
-//	  - application/json
-//	responses:
-//	  "200":
-//	    description: API endpoints
-//	    schema:
-//	      type: object
-//	      description: Sync response
-//	      properties:
-//	        type:
-//	          type: string
-//	          description: Response type
-//	          example: sync
-//	        status:
-//	          type: string
-//	          description: Status description
-//	          example: Success
-//	        status_code:
-//	          type: integer
-//	          description: Status code
-//	          example: 200
-//	        metadata:
-//	          type: array
-//	          description: List of certificates
-//	          items:
-//	            $ref: "#/definitions/Certificate"
-//	  "403":
-//	    $ref: "#/responses/Forbidden"
-//	  "500":
-//	    $ref: "#/responses/InternalServerError"
+//  ---
+//  produces:
+//    - application/json
+//  parameters:
+//    - in: query
+//      name: filter
+//      description: Collection filter
+//      type: string
+//      example: default
+//  responses:
+//    "200":
+//      description: API endpoints
+//      schema:
+//        type: object
+//        description: Sync response
+//        properties:
+//          type:
+//            type: string
+//            description: Response type
+//            example: sync
+//          status:
+//            type: string
+//            description: Status description
+//            example: Success
+//          status_code:
+//            type: integer
+//            description: Status code
+//            example: 200
+//          metadata:
+//            type: array
+//            description: List of certificates
+//            items:
+//              $ref: "#/definitions/Certificate"
+//    "403":
+//      $ref: "#/responses/Forbidden"
+//    "500":
+//      $ref: "#/responses/InternalServerError"
+
 func certificatesGet(d *Daemon, r *http.Request) response.Response {
-	recursion := localUtil.IsRecursionRequest(r)
 	s := d.State()
 
 	userHasPermission, err := s.Authorizer.GetPermissionChecker(r.Context(), r, auth.EntitlementCanView, auth.ObjectTypeCertificate)
 	if err != nil {
 		return response.SmartError(err)
 	}
 
-	if recursion {
-		var certResponses []api.Certificate
+	recursion := localUtil.IsRecursionRequest(r)
+
+	// Parse filter value.
+	filterStr := r.FormValue("filter")
+	clauses, err := filter.Parse(filterStr, filter.QueryOperatorSet())
+	if err != nil {
+		return response.BadRequest(fmt.Errorf("Invalid filter: %w", err))
+	}
+
+	mustLoadObjects := recursion || (clauses != nil && len(clauses.Clauses) > 0)
+
+	linkResults := make([]string, 0)
+	fullResults := make([]api.Certificate, 0)
+
+	if mustLoadObjects {
 		var baseCerts []dbCluster.Certificate
 		var err error
 		err = d.State().DB.Cluster.Transaction(r.Context(), func(ctx context.Context, tx *db.ClusterTx) error {
@@ -152,7 +178,6 @@ func certificatesGet(d *Daemon, r *http.Request) response.Response {
 				return err
 			}
 
-			certResponses = make([]api.Certificate, 0, len(baseCerts))
 			for _, baseCert := range baseCerts {
 				if !userHasPermission(auth.ObjectCertificate(baseCert.Fingerprint)) {
 					continue
@@ -163,38 +188,52 @@ func certificatesGet(d *Daemon, r *http.Request) response.Response {
 					return err
 				}
 
-				certResponses = append(certResponses, *apiCert)
+				if clauses != nil && len(clauses.Clauses) > 0 {
+					match, err := filter.Match(*apiCert, *clauses)
+					if err != nil {
+						return err
+					}
+
+					if !match {
+						continue
+					}
+				}
+
+				fullResults = append(fullResults, *apiCert)
+
+				certificateURL := fmt.Sprintf("/%s/certificates/%s", version.APIVersion, apiCert.Fingerprint)
+				linkResults = append(linkResults, certificateURL)
 			}
 
 			return nil
 		})
 		if err != nil {
 			return response.SmartError(err)
 		}
+	} else {
+		trustedCertificates, err := d.getTrustedCertificates()
+		if err != nil {
+			return response.SmartError(err)
+		}
 
-		return response.SyncResponse(true, certResponses)
-	}
-
-	body := []string{}
-
-	trustedCertificates, err := d.getTrustedCertificates()
-	if err != nil {
-		return response.SmartError(err)
-	}
+		for _, certs := range trustedCertificates {
+			for _, cert := range certs {
+				fingerprint := localtls.CertFingerprint(&cert)
+				if !userHasPermission(auth.ObjectCertificate(fingerprint)) {
+					continue
+				}
 
-	for _, certs := range trustedCertificates {
-		for _, cert := range certs {
-			fingerprint := localtls.CertFingerprint(&cert)
-			if !userHasPermission(auth.ObjectCertificate(fingerprint)) {
-				continue
+				certificateURL := fmt.Sprintf("/%s/certificates/%s", version.APIVersion, fingerprint)
+				linkResults = append(linkResults, certificateURL)
 			}
-
-			certificateURL := fmt.Sprintf("/%s/certificates/%s", version.APIVersion, fingerprint)
-			body = append(body, certificateURL)
 		}
 	}
 
-	return response.SyncResponse(true, body)
+	if recursion {
+		return response.SyncResponse(true, fullResults)
+	}
+
+	return response.SyncResponse(true, linkResults)
 }
 
 func updateCertificateCache(d *Daemon) {