verdnatura/salix
verdnatura
/
salix
3
4
Fork 0
Code Issues Pull Requests 57 Releases Wiki Activity

refs #6015 feat(executeRoutine): check db restrictions. test: add executeRoutine tests
gitea/salix/pipeline/head This commit looks good Details

This commit is contained in:
Alex Moreno 2023-10-23 15:03:05 +02:00
parent c04ceeced2
commit 483526c970
6 changed files with 248 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
db/changes/234201/00-ACL_executeRoutine.sql Normal file
View File

@ -0,0 +1,3 @@
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
VALUES
('Application', 'executeRoutine', '*', 'ALLOW', 'ROLE', 'employee');

67
loopback/common/methods/application/executeRoutine.js
View File

@ -1,3 +1,5 @@
const UserError = require('vn-loopback/util/user-error');
module.exports = Self => { module.exports = Self => {
Self.remoteMethodCtx('executeRoutine', { Self.remoteMethodCtx('executeRoutine', {
description: 'Return the routes by worker', description: 'Return the routes by worker',
@ -6,15 +8,24 @@ module.exports = Self => {
{ {
arg: 'routine', arg: 'routine',
type: 'string', type: 'string',
description: 'The routine sql', description: 'The routine name',
required: true, required: true,
http: {source: 'path'} http: {source: 'path'}
}, },
{ {
arg: 'params', arg: 'params',
type: ['any'], type: ['any'],
description: 'The array of params', description: 'The params array',
required: true, },
{
arg: 'schema',
type: 'string',
description: 'The routine schema',
},
{
arg: 'type',
type: 'string',
description: 'The routine type',
} }
], ],
returns: { returns: {
@ -27,14 +38,23 @@ module.exports = Self => {
} }
}); });
Self.executeRoutine = async(ctx, routine, params, options) => { Self.executeRoutine = async(ctx, routine, params, schema, type, options) => {
const userId = ctx.req.accessToken.userId; const userId = ctx.req.accessToken.userId;
const models = Self.app.models;
const isFunction = type == 'function';
params = params ?? [];
schema = schema ?? 'vn';
type = type ?? 'procedure';
let caller = 'CALL';
const myOptions = {}; if (isFunction)
caller = 'SELECT';
const myOptions = {userId: ctx.req.accessToken.userId};
if (typeof options == 'object') if (typeof options == 'object')
Object.assign(myOptions, options); Object.assign(myOptions, options);
const user = await Self.app.models.VnUser.findById(userId, { const user = await models.VnUser.findById(userId, {
fields: ['id', 'roleFk'], fields: ['id', 'roleFk'],
include: { include: {
relation: 'role', relation: 'role',
@ -44,18 +64,37 @@ module.exports = Self => {
} }
}); });
const inherits = await Self.app.models.RoleRole.find({ const inherits = await models.RoleRole.find({
include: {
relation: 'inherits',
scope: {
fields: ['id', 'name']
}
},
where: { where: {
role: user.role().id
} }
}); });
console.log(user.role.name);
const checkACL = await models.ACL.checkAccessAcl(ctx, 'Application', routine, '*'); const roles = inherits.map(inherit => inherit.inherits().name);
if (!checkACL) throw error;
const requestParams = [routine]; const canExecute = await models.ProcsPriv.findOne({
requestParams.concat(params); where: {
return Self.app.models.Route.rawSql(`CALL ?(...)`, requestParams, myOptions); schema,
type: type.toUpperCase(),
name: routine,
host: process.env.NODE_ENV ? '' : '%',
role: {inq: roles}
}
});
if (!canExecute) throw new UserError(`You don't have enough privileges`, 'ACCESS_DENIED');
let argString = params.map(() => '?').join(',');
const query = `${caller} ${schema}.${routine}(${argString})`;
const [response] = await models.ProcsPriv.rawSql(query, params, myOptions);
return isFunction ? Object.values(response)[0] : response;
}; };
}; };

138
loopback/common/methods/application/spec/executeRoutine.spec.js Normal file
View File

@ -0,0 +1,138 @@
const models = require('vn-loopback/server/server').models;
describe('Application executeRoutine()', () => {
const userWithoutPrivileges = 1;
const userWithPrivileges = 9;
const userWithInheritedPrivileges = 120;
let tx;
function getCtx(userId) {
return {
req: {
accessToken: {userId},
headers: {origin: 'http://localhost'}
}
};
}
beforeEach(async() => {
tx = await models.Application.beginTransaction({});
const options = {transaction: tx};
await models.Application.rawSql(`
CREATE OR REPLACE PROCEDURE vn.myProcedure(vMyParam INT)
BEGIN
SELECT vMyParam myParam, t.*
FROM ticket t
LIMIT 2;
END
`, null, options);
await models.Application.rawSql(`
CREATE OR REPLACE FUNCTION bs.myFunction(vMyParam INT) RETURNS int(11)
BEGIN
RETURN vMyParam;
END
`, null, options);
await models.Application.rawSql(`
GRANT EXECUTE ON PROCEDURE vn.myProcedure TO developer;
GRANT EXECUTE ON FUNCTION bs.myFunction TO developer;
`, null, options);
});
it('should throw error when execute procedure and not have privileges', async() => {
const ctx = getCtx(userWithoutPrivileges);
let error;
try {
const options = {transaction: tx};
await models.Application.executeRoutine(
ctx,
'myProcedure',
[1],
null,
null,
options
);
await tx.rollback();
} catch (e) {
await tx.rollback();
error = e;
}
expect(error.message).toEqual(`You don't have enough privileges`);
});
it('should execute procedure and get data', async() => {
const ctx = getCtx(userWithPrivileges);
try {
const options = {transaction: tx};
const response = await models.Application.executeRoutine(
ctx,
'myProcedure',
[1],
null,
null,
options
);
expect(response.length).toEqual(2);
expect(response[0].myParam).toEqual(1);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should execute function and get data', async() => {
const ctx = getCtx(userWithPrivileges);
try {
const options = {transaction: tx};
const response = await models.Application.executeRoutine(
ctx,
'myFunction',
[1],
'bs',
'function',
options
);
expect(response).toEqual(1);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should execute function and get data with user with inherited privileges', async() => {
const ctx = getCtx(userWithInheritedPrivileges);
try {
const options = {transaction: tx};
const response = await models.Application.executeRoutine(
ctx,
'myFunction',
[1],
'bs',
'function',
options
);
expect(response).toEqual(1);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
});

1
loopback/common/models/application.js
View File

@ -2,4 +2,5 @@
module.exports = function(Self) { module.exports = function(Self) {
require('../methods/application/status')(Self); require('../methods/application/status')(Self);
require('../methods/application/post')(Self); require('../methods/application/post')(Self);
require('../methods/application/executeRoutine')(Self);
}; };

44
loopback/common/models/procs-priv.json Normal file
View File

@ -0,0 +1,44 @@
{
"name": "ProcsPriv",
"base": "VnModel",
"options": {
"mysql": {
"table": "mysql.procs_priv"
}
},
"properties": {
"name": {
"id": 1,
"type": "string",
"mysql": {
"columnName": "Routine_name"
}
},
"schema": {
"id": 3,
"type": "string",
"mysql": {
"columnName": "Db"
}
},
"role": {
"type": "string",
"mysql": {
"columnName": "user"
}
},
"type": {
"id": 2,
"type": "string",
"mysql": {
"columnName": "Routine_type"
}
},
"host": {
"type": "string",
"mysql": {
"columnName": "Host"
}
}
}
}

10
loopback/server/model-config.json
View File

@ -49,5 +49,13 @@
}, },
"Container": { "Container": {
"dataSource": "vn" "dataSource": "vn"
},
"ProcsPriv": {
"dataSource": "vn",
"options": {
"mysql": {
"table": "mysql.procs_priv"
}
}
} }
} }