refs #6015 feat(executeRoutine): check db restrictions. test: add executeRoutine tests

2023-10-23 15:03:05 +02:00 · 2023-10-23 15:03:05 +02:00 · 483526c970
parent c04ceeced2
commit 483526c970
6 changed files with 248 additions and 15 deletions
--- a/db/changes/234201/00-ACL_executeRoutine.sql
+++ b/db/changes/234201/00-ACL_executeRoutine.sql
@ -0,0 +1,3 @@
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+    VALUES
+        ('Application', 'executeRoutine', '*', 'ALLOW', 'ROLE', 'employee');
--- a/loopback/common/methods/application/executeRoutine.js
+++ b/loopback/common/methods/application/executeRoutine.js
@ -1,3 +1,5 @@
+const UserError = require('vn-loopback/util/user-error');
+
 module.exports = Self => {
    Self.remoteMethodCtx('executeRoutine', {
        description: 'Return the routes by worker',
@ -6,15 +8,24 @@ module.exports = Self => {
            {
                arg: 'routine',
                type: 'string',
-                description: 'The routine sql',
+                description: 'The routine name',
                required: true,
                http: {source: 'path'}
            },
            {
                arg: 'params',
                type: ['any'],
-                description: 'The array of params',
-                required: true,
+                description: 'The params array',
+            },
+            {
+                arg: 'schema',
+                type: 'string',
+                description: 'The routine schema',
+            },
+            {
+                arg: 'type',
+                type: 'string',
+                description: 'The routine type',
            }
        ],
        returns: {
@ -27,14 +38,23 @@ module.exports = Self => {
        }
    });

-    Self.executeRoutine = async(ctx, routine, params, options) => {
+    Self.executeRoutine = async(ctx, routine, params, schema, type, options) => {
        const userId = ctx.req.accessToken.userId;
+        const models = Self.app.models;
+        const isFunction = type == 'function';
+        params = params ?? [];
+        schema = schema ?? 'vn';
+        type = type ?? 'procedure';
+        let caller = 'CALL';

-        const myOptions = {};
+        if (isFunction)
+            caller = 'SELECT';
+
+        const myOptions = {userId: ctx.req.accessToken.userId};
        if (typeof options == 'object')
            Object.assign(myOptions, options);

-        const user = await Self.app.models.VnUser.findById(userId, {
+        const user = await models.VnUser.findById(userId, {
            fields: ['id', 'roleFk'],
            include: {
                relation: 'role',
@ -44,18 +64,37 @@ module.exports = Self => {
            }
        });

-        const inherits = await Self.app.models.RoleRole.find({
+        const inherits = await models.RoleRole.find({
+            include: {
+                relation: 'inherits',
+                scope: {
+                    fields: ['id', 'name']
+                }
+            },
            where: {
-
+                role: user.role().id
            }
        });
-        console.log(user.role.name);

-        const checkACL = await models.ACL.checkAccessAcl(ctx, 'Application', routine, '*');
-        if (!checkACL) throw error;
+        const roles = inherits.map(inherit => inherit.inherits().name);

-        const requestParams = [routine];
-        requestParams.concat(params);
-        return Self.app.models.Route.rawSql(`CALL ?(...)`, requestParams, myOptions);
+        const canExecute = await models.ProcsPriv.findOne({
+            where: {
+                schema,
+                type: type.toUpperCase(),
+                name: routine,
+                host: process.env.NODE_ENV ? '' : '%',
+                role: {inq: roles}
+            }
+        });
+
+        if (!canExecute) throw new UserError(`You don't have enough privileges`, 'ACCESS_DENIED');
+
+        let argString = params.map(() => '?').join(',');
+
+        const query = `${caller} ${schema}.${routine}(${argString})`;
+
+        const [response] = await models.ProcsPriv.rawSql(query, params, myOptions);
+        return isFunction ? Object.values(response)[0] : response;
    };
 };
--- a/loopback/common/methods/application/spec/executeRoutine.spec.js
+++ b/loopback/common/methods/application/spec/executeRoutine.spec.js
@ -0,0 +1,138 @@
+const models = require('vn-loopback/server/server').models;
+
+describe('Application executeRoutine()', () => {
+    const userWithoutPrivileges = 1;
+    const userWithPrivileges = 9;
+    const userWithInheritedPrivileges = 120;
+    let tx;
+
+    function getCtx(userId) {
+        return {
+            req: {
+                accessToken: {userId},
+                headers: {origin: 'http://localhost'}
+            }
+        };
+    }
+
+    beforeEach(async() => {
+        tx = await models.Application.beginTransaction({});
+        const options = {transaction: tx};
+
+        await models.Application.rawSql(`
+            CREATE OR REPLACE PROCEDURE vn.myProcedure(vMyParam INT)
+            BEGIN
+                SELECT vMyParam myParam, t.*
+                    FROM ticket t
+                    LIMIT 2;
+            END
+        `, null, options);
+
+        await models.Application.rawSql(`
+            CREATE OR REPLACE FUNCTION bs.myFunction(vMyParam INT) RETURNS int(11)
+            BEGIN
+                RETURN vMyParam;
+            END
+        `, null, options);
+
+        await models.Application.rawSql(`
+            GRANT EXECUTE ON PROCEDURE vn.myProcedure TO developer;
+            GRANT EXECUTE ON FUNCTION bs.myFunction TO developer;
+        `, null, options);
+    });
+
+    it('should throw error when execute procedure and not have privileges', async() => {
+        const ctx = getCtx(userWithoutPrivileges);
+
+        let error;
+        try {
+            const options = {transaction: tx};
+
+            await models.Application.executeRoutine(
+                ctx,
+                'myProcedure',
+                [1],
+                null,
+                null,
+                options
+            );
+
+            await tx.rollback();
+        } catch (e) {
+            await tx.rollback();
+            error = e;
+        }
+
+        expect(error.message).toEqual(`You don't have enough privileges`);
+    });
+
+    it('should execute procedure and get data', async() => {
+        const ctx = getCtx(userWithPrivileges);
+        try {
+            const options = {transaction: tx};
+
+            const response = await models.Application.executeRoutine(
+                ctx,
+                'myProcedure',
+                [1],
+                null,
+                null,
+                options
+            );
+
+            expect(response.length).toEqual(2);
+            expect(response[0].myParam).toEqual(1);
+
+            await tx.rollback();
+        } catch (e) {
+            await tx.rollback();
+            throw e;
+        }
+    });
+
+    it('should execute function and get data', async() => {
+        const ctx = getCtx(userWithPrivileges);
+        try {
+            const options = {transaction: tx};
+
+            const response = await models.Application.executeRoutine(
+                ctx,
+                'myFunction',
+                [1],
+                'bs',
+                'function',
+                options
+            );
+
+            expect(response).toEqual(1);
+
+            await tx.rollback();
+        } catch (e) {
+            await tx.rollback();
+            throw e;
+        }
+    });
+
+    it('should execute function and get data with user with inherited privileges', async() => {
+        const ctx = getCtx(userWithInheritedPrivileges);
+        try {
+            const options = {transaction: tx};
+
+            const response = await models.Application.executeRoutine(
+                ctx,
+                'myFunction',
+                [1],
+                'bs',
+                'function',
+                options
+            );
+
+            expect(response).toEqual(1);
+
+            await tx.rollback();
+        } catch (e) {
+            await tx.rollback();
+            throw e;
+        }
+    });
+});
--- a/loopback/common/models/application.js
+++ b/loopback/common/models/application.js
@ -2,4 +2,5 @@
 module.exports = function(Self) {
    require('../methods/application/status')(Self);
    require('../methods/application/post')(Self);
+    require('../methods/application/executeRoutine')(Self);
 };
--- a/loopback/common/models/procs-priv.json
+++ b/loopback/common/models/procs-priv.json
@ -0,0 +1,44 @@
+{
+    "name": "ProcsPriv",
+    "base": "VnModel",
+    "options": {
+        "mysql": {
+            "table": "mysql.procs_priv"
+        }
+    },
+    "properties": {
+        "name": {
+            "id": 1,
+            "type": "string",
+            "mysql": {
+                "columnName": "Routine_name"
+            }
+        },
+        "schema": {
+            "id": 3,
+			"type": "string",
+			"mysql": {
+				"columnName": "Db"
+			}
+		},
+        "role": {
+			"type": "string",
+			"mysql": {
+				"columnName": "user"
+			}
+		},
+        "type": {
+            "id": 2,
+			"type": "string",
+			"mysql": {
+				"columnName": "Routine_type"
+			}
+		},
+        "host": {
+			"type": "string",
+			"mysql": {
+				"columnName": "Host"
+			}
+		}
+    }
+}
--- a/loopback/server/model-config.json
+++ b/loopback/server/model-config.json
@ -49,5 +49,13 @@
    },
    "Container": {
        "dataSource": "vn"
+    },
+    "ProcsPriv": {
+        "dataSource": "vn",
+        "options": {
+            "mysql": {
+                "table": "mysql.procs_priv"
+            }
+        }
    }
 }