%3 ::xowiki::Includelet ::xowiki::Includelet → available_includelets → describe_includelets → glob_clause → html_encode → html_id → html_to_text → js_encode → js_name → listing → locale_clause → parent_id_clause → publish_status_clause → require_YUI_CSS → require_YUI_JS category_clause get_current_folder get_page_order include_head_entries initialize js_name resolve_page_name screen_name tableWidget ::xo::Context ::xo::Context exists_query_parameter export_vars get_all_query_parameter get_parameters initialize original_url_and_query process_query_parameter query_parameter set_query_parameter unset_query_parameter ::xowiki::Includelet->::xo::Context ::xotcl::Object ::xotcl::Object ::xo::Context->::xotcl::Object ::xowiki::includelet::kibana ::xowiki::includelet::kibana → check_permission → grant_permission → url include_head_entries render ::xowiki::includelet::kibana->::xowiki::Includelet

Class ::xowiki::includelet::kibana

::xowiki::includelet::kibana[i] create ... \
           [ -__decoration (default "plain") ] \
           [ -id (default "[xowiki::Includelet js_name [self]]") ] \
           [ -parameter_declaration (default "
          {-chart openacs-status-codes}
          {-from now-24h}
          {-to now}
          {-hash ""}
          {-width:integer 800}
          {-height:integer 400}
        ") ]
Include a Kibana chart identified by the provided hash
Documented Parameters:
from
start of time window (default now-24h)
to
end of time window (default now-)
hash
hash of the included visualization
width
width of included content
height
height of included content
Defined in packages/xowiki/tcl/kibana-procs.tcl

Class Relations

  • class: ::xowiki::IncludeletClass[i]
  • superclass: ::xowiki::Includelet[i]
::xowiki::IncludeletClass create ::xowiki::includelet::kibana \
     -superclass ::xowiki::Includelet

Methods (to be applied on the object)

  • check_permission (scripted)

    #set grantAlways {^/kibana/(api|built_assets|bundles|node_modules|translations|ui)/}
set grantAlways {^/kibana/(built_assets|bundles|node_modules|translations|ui)/}
set grantNever {^/kibana/(elasticsearch)}
set restricted {
  /kibana
  /kibana/app/canvas
  /kibana/app/maps
  /kibana/app/ml
  /kibana/app/infra
  /kibana/app/apm
  /kibana/app/uptime
  /kibana/app/siem
  /kibana/app/monitoring
}
set strippedUrl [string trimright $url /]

#
# Grant some access always and some access never.
#
#ns_log notice "kibana CHECK PERMISSIONS for <$strippedUrl> in restricted --> [expr {$strippedUrl in $restricted}]"
if {[regexp $grantAlways $url]} {
  set when always
  set granted 1

} elseif {$strippedUrl in $restricted || [regexp $grantNever $url]} {
  set when never
  set granted 0

} else {
  #
  # Go into the details.
  #
  ::xo::ConnectionContext require
  set when sometimes
  set user_id [::xo::cc user_id]
  set method  [ns_conn method]
  set granted [nsv_exists kibana_permissions $user_id]
  try {
    ad_get_signed_cookie ad_kibana

  } trap {AD_EXCEPTION NO_COOKIE} {errorMsg} {
    set cookie ""
    append when -nocookie

  } trap {AD_EXCEPTION INVALID_COOKIE} {errorMsg} {
    set cookie ""
    append when -invalidcookie

  } on ok {cookie} {
  }

  if {$granted} {
    #
    # Just allow one access to the main app. This is the first
    # call inside the iframe (should be actually
    # "/kibana/app/kibana")
    #
    nsv_unset kibana_permissions $user_id
    append when -first

  } elseif {$cookie ne ""} {
    #
    # The cookie is the object_id. Therefore, we can check whether
    # the current user_id has permissions on this object.
    #
    set granted [permission::permission_p  -party_id $user_id  -object_id $cookie  -privilege read]
    append when -$granted

    if {$granted} {
      #
      # Check as well whether the user has rights on the hash. We
      # can this do just in limited cases. Since this hash is just
      # in a few queries.
      #
      if {$method eq "POST" && $url eq "/kibana/api/saved_objects/_bulk_get"} {
        set payload [ns_conn content]
        if {[regexp {"id":"([^\"]+)"} $payload . hash]} {
          #
          # We have the hash_code, the user_id and the object_id
          #
          set granted [nsv_exists kibana_hashes $user_id-$hash]
          ns_log notice "kibana CHECK PERMISSIONS $url hash $hash -> $granted"
          append when -payload=$granted
        }
      } else {
        #
        # For the time being, also allow the following cases, when the cookie is ok.
        #
        ns_log notice "kibana CHECK PERMISSIONS for $user_id [ns_conn request] // [ns_set array [ns_conn headers]]"
        if {$method eq "POST"} {
          ns_log notice "kibana CHECK PERMISSIONS payload [ns_conn content]"
        }
      }
    }
  }
}

if {$when ne "always"} {
  ns_log notice "kibana CHECK PERMISSIONS <$url$when --> $granted"
}
return $granted

  • grant_permission (scripted)

    nsv_set kibana_permissions [::xo::cc user_id] $object_id
nsv_set kibana_hashes [::xo::cc user_id]-$hash 1
ns_log notice "kibana GRANT ACCESS for <$url> to [::xo::cc user_id]"
ad_set_signed_cookie -discard t -scriptable f ad_kibana $object_id

  • url (scripted)

    set url $::xowiki::includelet::kibana_location$path
#ns_log notice "xowiki KIBANA request: $url"
return $url

Methods (to be applied on instances)

  • __decoration (setter)

  • id (setter)
    

  • include_head_entries (scripted)
    

    next
  • parameter_declaration (setter)
    

  • render (scripted)
    

    :get_parameters
#set width 800
#set height 400
#set from now-24h
#set to now
#set hash [kibana get visitors-map-openacs]
set refreshInterval {(pause:!t,value:0)}
set time [subst {from:$from,mode:quick,to:$to}]
set _g (refreshInterval:$refreshInterval,time:($time))
set url /kibana/app/kibana#/visualize/edit/$hash?embed=true&_g=[ns_urlencode $_g]
#ns_log notice "kibana iframe src: $url"
[self class] grant_permission [${:__including_page} item_id] $hash $url
set HTML [subst {<iframe src="$url" width="$width" height="$height" frameborder="0"></iframe>}]
return $HTML