Rename blacklist to denylist

Author: lippserd

configuration.php

@@ -118,12 +118,12 @@
     );
 
     $this->provideRestriction(
-        'icingadb/blacklist/routes',
+        'icingadb/denylist/routes',
         $this->translate('Prevent access to routes that are part of the list')
     );
 
     $this->provideRestriction(
-        'icingadb/blacklist/variables',
+        'icingadb/denylist/variables',
         $this->translate('Hide custom variables of Icinga objects that are part of the list')
     );
 
@@ -333,15 +333,15 @@
             'icon'        => 'cog'
         ]);
         $auth = Auth::getInstance();
-        $routeBlacklist = [];
+        $routeDenylist = [];
         if ($auth->isAuthenticated() && ! $auth->getUser()->isUnrestricted()) {
             // The empty array is for PHP pre 7.4, older versions require at least a single param for array_merge
-            $routeBlacklist = array_flip(array_merge([], ...array_map(function ($restriction) {
+            $routeDenylist = array_flip(array_merge([], ...array_map(function ($restriction) {
                 return StringHelper::trimSplit($restriction);
-            }, $auth->getRestrictions('icingadb/blacklist/routes'))));
+            }, $auth->getRestrictions('icingadb/denylist/routes'))));
         }
 
-        if (! array_key_exists('hostgroups', $routeBlacklist)) {
+        if (! array_key_exists('hostgroups', $routeDenylist)) {
             $overviewSection->add(N_('Host Groups'), [
                 'description' => $this->translate('List host groups'),
                 'url'         => 'icingadb/hostgroups',
@@ -350,7 +350,7 @@
             ]);
         }
 
-        if (! array_key_exists('servicegroups', $routeBlacklist)) {
+        if (! array_key_exists('servicegroups', $routeDenylist)) {
             $overviewSection->add(N_('Service Groups'), [
                 'description' => $this->translate('List service groups'),
                 'url'         => 'icingadb/servicegroups',
@@ -359,7 +359,7 @@
             ]);
         }
 
-        if (! array_key_exists('usergroups', $routeBlacklist)) {
+        if (! array_key_exists('usergroups', $routeDenylist)) {
             $overviewSection->add(N_('User Groups'), [
                 'description' => $this->translate('List user groups'),
                 'url'         => 'icingadb/usergroups',
@@ -368,7 +368,7 @@
             ]);
         }
 
-        if (! array_key_exists('users', $routeBlacklist)) {
+        if (! array_key_exists('users', $routeDenylist)) {
             $overviewSection->add(N_('Users'), [
                 'description' => $this->translate('List users'),
                 'url'         => 'icingadb/users',
@@ -463,15 +463,15 @@
 
 
         $auth = Auth::getInstance();
-        $routeBlacklist = [];
+        $routeDenylist = [];
         if ($auth->isAuthenticated() && ! $auth->getUser()->isUnrestricted()) {
             // The empty array is for PHP pre 7.4, older versions require at least a single param for array_merge
-            $routeBlacklist = array_flip(array_merge([], ...array_map(function ($restriction) {
+            $routeDenylist = array_flip(array_merge([], ...array_map(function ($restriction) {
                 return StringHelper::trimSplit($restriction);
-            }, $auth->getRestrictions('icingadb/blacklist/routes'))));
+            }, $auth->getRestrictions('icingadb/denylist/routes'))));
         }
 
-        if (! array_key_exists('hostgroups', $routeBlacklist)) {
+        if (! array_key_exists('hostgroups', $routeDenylist)) {
             $section->add(N_('Host Groups'), [
                 'url'           => 'icingadb/hostgroups',
                 'priority'      => 50,
@@ -480,7 +480,7 @@
             ]);
         }
 
-        if (! array_key_exists('servicegroups', $routeBlacklist)) {
+        if (! array_key_exists('servicegroups', $routeDenylist)) {
             $section->add(N_('Service Groups'), [
                 'url'           => 'icingadb/servicegroups',
                 'priority'      => 60,
@@ -489,7 +489,7 @@
             ]);
         }
 
-        if (! array_key_exists('usergroups', $routeBlacklist)) {
+        if (! array_key_exists('usergroups', $routeDenylist)) {
             $section->add(N_('User Groups'), [
                 'url'           => 'icingadb/usergroups',
                 'priority'      => 70,
@@ -498,7 +498,7 @@
             ]);
         }
 
-        if (! array_key_exists('users', $routeBlacklist)) {
+        if (! array_key_exists('users', $routeDenylist)) {
             $section->add(N_('Users'), [
                 'url'           => 'icingadb/users',
                 'priority'      => 80,

doc/04-Security.md

@@ -61,25 +61,25 @@ unrestricted. It should be one or more [filter expressions](#filter-expressions)
 `icingadb/filter/services` will only allow users to access matching services. Other objects remain unrestricted.
 It should be one or more [filter expressions](#filter-expressions).
 
-### Blacklists
+### Denylists
 
-Blacklists prevent users from accessing information and in some cases will block them entirely from it.
+Denylists prevent users from accessing information and in some cases will block them entirely from it.
 
 > **Note:**
 >
-> Blacklists from multiple roles will further limit access.
+> Denylists from multiple roles will further limit access.
 
 Name                         | Description
 -----------------------------|------------------------------------------------------------------
-icingadb/blacklist/routes    | Prevent access to routes that are part of the list
-icingadb/blacklist/variables | Hide custom variables of Icinga objects that are part of the list
+icingadb/denylist/routes    | Prevent access to routes that are part of the list
+icingadb/denylist/variables | Hide custom variables of Icinga objects that are part of the list
 
-`icingadb/blacklist/routes` will block users from accessing defined routes and from related information elsewhere.
+`icingadb/denylist/routes` will block users from accessing defined routes and from related information elsewhere.
 For example, if `hostgroups` are part of the list a user won't have access to the hostgroup overview nor to a host's
 groups shown in its detail area. This should be a comma separated list. Possible values are: hostgroups, servicegroups,
 contacts, contactgroups
 
-`icingadb/blacklist/variables` will block users from accessing certain custom variables. A user affected by this won't
+`icingadb/denylist/variables` will block users from accessing certain custom variables. A user affected by this won't
 see that those variables even exist. This should be a comma separated list of [variable paths](#variable-paths). It is
 possible to use [match patterns](#match-patterns).
 
@@ -89,7 +89,7 @@ Protections prevent users from accessing actual data. They will know that there
 
 > **Note:**
 >
-> Blacklists from multiple roles will further limit access.
+> Denylists from multiple roles will further limit access.
 
 Name                       | Description
 ---------------------------|-----------------------------------------------------------------------------

doc/10-Migration.md

@@ -118,7 +118,7 @@ or support for them has been dropped. Check the table below for details:
 
 ### `monitoring/blacklist/properties`
 
-This is now `icingadb/blacklist/variables`. However, it does not accept the same rules as
+This is now `icingadb/denylist/variables`. However, it does not accept the same rules as
 `monitoring/blacklist/properties`. It still accepts a comma separated list of GLOB like filters,
 but with some features removed:
 
@@ -133,5 +133,5 @@ Check the [security chapter](04-Security.md#variable-paths) for more details.
 The command permissions have not changed. It is only the module identifier that has changed of course:
 `monitoring.command.*` is now `icingadb.command.*`
 
-The `no-monitoring/contacts` permission (or *fake refusal*) is now a restriction: `icingadb/blacklist/routes`.
+The `no-monitoring/contacts` permission (or *fake refusal*) is now a restriction: `icingadb/denylist/routes`.
 Add `users,usergroups` to it to achieve the same effect.

library/Icingadb/Common/Auth.php

@@ -37,11 +37,11 @@ public function isPermittedRoute(string $name): bool
         }
 
         // The empty array is for PHP pre 7.4, older versions require at least a single param for array_merge
-        $routeBlacklist = array_flip(array_merge([], ...array_map(function ($restriction) {
+        $routeDenylist = array_flip(array_merge([], ...array_map(function ($restriction) {
             return StringHelper::trimSplit($restriction);
-        }, $this->getAuth()->getRestrictions('icingadb/blacklist/routes'))));
+        }, $this->getAuth()->getRestrictions('icingadb/denylist/routes'))));
 
-        return ! array_key_exists($name, $routeBlacklist);
+        return ! array_key_exists($name, $routeDenylist);
     }
 
     /**
@@ -105,7 +105,7 @@ public function isMatchedOn(string $queryString, Model $object): bool
      * This will apply `icingadb/filter/objects` in any case. `icingadb/filter/services` is only
      * applied to queries fetching services and `icingadb/filter/hosts` is applied to queries
      * fetching either hosts or services. It also applies custom variable restrictions and
-     * obfuscations. (`icingadb/blacklist/variables` and `icingadb/protect/variables`)
+     * obfuscations. (`icingadb/denylist/variables` and `icingadb/protect/variables`)
      *
      * @param Query $query
      *
@@ -145,8 +145,8 @@ public function applyRestrictions(Query $query)
                 $roleFilter = Filter::all();
 
                 if ($customVarRelationName !== false) {
-                    if (($restriction = $role->getRestrictions('icingadb/blacklist/variables'))) {
-                        $roleFilter->add($this->parseBlacklist(
+                    if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {
+                        $roleFilter->add($this->parseDenylist(
                             $restriction,
                             $customVarRelationName
                                 ? $resolver->qualifyColumn('flatname', $customVarRelationName)
@@ -155,7 +155,7 @@ public function applyRestrictions(Query $query)
                     }
 
                     if (($restriction = $role->getRestrictions('icingadb/protect/variables'))) {
-                        $obfuscationRules->add($this->parseBlacklist(
+                        $obfuscationRules->add($this->parseDenylist(
                             $restriction,
                             $customVarRelationName
                                 ? $resolver->qualifyColumn('flatname', $customVarRelationName)
@@ -316,17 +316,17 @@ function ($k, $v) {
     }
 
     /**
-     * Parse the given blacklist
+     * Parse the given denylist
      *
-     * @param string $blacklist Comma separated list of column names
-     * @param string $column The column which should not equal any of the blacklisted names
+     * @param string $denylist Comma separated list of column names
+     * @param string $column The column which should not equal any of the denylisted names
      *
      * @return Filter\None
      */
-    protected function parseBlacklist(string $blacklist, string $column): Filter\None
+    protected function parseDenylist(string $denylist, string $column): Filter\None
     {
         $filter = Filter::none();
-        foreach (explode(',', $blacklist) as $value) {
+        foreach (explode(',', $denylist) as $value) {
             $filter->add(Filter::like($column, trim($value)));
         }
 

library/Icingadb/Common/ObjectInspectionDetail.php

@@ -80,7 +80,7 @@ protected function createLastCheckResult()
             $command = join(' ', array_map('escapeshellarg', $command));
         }
 
-        $blacklist = [
+        $denylist = [
             'command',
             'output',
             'type',
@@ -92,7 +92,7 @@ protected function createLastCheckResult()
             new HtmlElement('pre', null, Text::create($command)),
             new HtmlElement('h2', null, Text::create(t('Execution Details'))),
             $this->createNameValueTable(
-                array_diff_key($this->attrs['last_check_result'], array_flip($blacklist)),
+                array_diff_key($this->attrs['last_check_result'], array_flip($denylist)),
                 [
                     'execution_end'     => [$this, 'formatTimestamp'],
                     'execution_start'   => [$this, 'formatTimestamp'],
@@ -126,14 +126,14 @@ protected function createRedisInfo(): array
             return [$title, sprintf('Failed to decode redis data: %s', $e->getMessage())];
         }
 
-        $blacklist = [
+        $denylist = [
             'commandline',
             'environment_id',
             'id'
         ];
 
         return [$title, $this->createNameValueTable(
-            array_diff_key($data, array_flip($blacklist)),
+            array_diff_key($data, array_flip($denylist)),
             [
                 'last_state_change'     => [$this, 'formatMillisecondTimestamp'],
                 'last_update'           => [$this, 'formatMillisecondTimestamp'],
@@ -152,7 +152,7 @@ protected function createRedisInfo(): array
 
     protected function createAttributes(): array
     {
-        $blacklist = [
+        $denylist = [
             'name',
             '__name',
             'host_name',
@@ -171,7 +171,7 @@ protected function createAttributes(): array
         return [
             new HtmlElement('h2', null, Text::create(t('Object Attributes'))),
             $this->createNameValueTable(
-                array_diff_key($this->attrs, array_flip($blacklist)),
+                array_diff_key($this->attrs, array_flip($denylist)),
                 [
                     'acknowledgement_expiry'        => [$this, 'formatTimestamp'],
                     'acknowledgement_last_change'   => [$this, 'formatTimestamp'],