refs #6014 feat(execute): use user_hasRoutinePriv. feat(execute): split in executeProc & executeFunc
gitea/salix/pipeline/head This commit looks good
Details
gitea/salix/pipeline/head This commit looks good
Details
This commit is contained in:
parent
f1b5e45491
commit
69255fe2fc
|
@ -12,6 +12,7 @@
|
|||
"editor.defaultFormatter": "dbaeumer.vscode-eslint"
|
||||
},
|
||||
"cSpell.words": [
|
||||
"salix"
|
||||
"salix",
|
||||
"fdescribe"
|
||||
]
|
||||
}
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
|
||||
VALUES
|
||||
('Application', 'executeRoutine', '*', 'ALLOW', 'ROLE', 'employee');
|
|
@ -0,0 +1,4 @@
|
|||
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
|
||||
VALUES
|
||||
('Application', 'executeProc', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Application', 'executeFunc', '*', 'ALLOW', 'ROLE', 'employee');
|
|
@ -2352,6 +2352,90 @@ BEGIN
|
|||
END IF;
|
||||
END ;;
|
||||
DELIMITER ;
|
||||
|
||||
|
||||
DELIMITER ;;
|
||||
CREATE DEFINER=`root`@`localhost` FUNCTION `account`.`user_hasRoutinePriv`(vType ENUM('PROCEDURE', 'FUNCTION'),
|
||||
vChain VARCHAR(100),
|
||||
vUserFk INT
|
||||
) RETURNS tinyint(1)
|
||||
READS SQL DATA
|
||||
BEGIN
|
||||
|
||||
/**
|
||||
* Search if the user has privileges on routines.
|
||||
*
|
||||
* @param vType procedure or function
|
||||
* @param vChain string passed with this syntax dbName.tableName
|
||||
* @param vUserFk user to ckeck
|
||||
* @return vHasPrivilege
|
||||
*/
|
||||
DECLARE vHasPrivilege BOOL DEFAULT FALSE;
|
||||
DECLARE vDb VARCHAR(50);
|
||||
DECLARE vObject VARCHAR(50);
|
||||
DECLARE vChainExists BOOL;
|
||||
DECLARE vExecutePriv INT DEFAULT 262144;
|
||||
-- 262144 = CONV(1000000000000000000, 2, 10)
|
||||
-- 1000000000000000000 execution permission expressed in binary base
|
||||
|
||||
SET vDb = SUBSTRING_INDEX(vChain, '.', 1);
|
||||
SET vChain = SUBSTRING(vChain, LENGTH(vDb) + 2);
|
||||
SET vObject = SUBSTRING_INDEX(vChain, '.', 1);
|
||||
|
||||
SELECT COUNT(*) INTO vChainExists
|
||||
FROM mysql.proc
|
||||
WHERE db = vDb
|
||||
AND `name` = vObject
|
||||
AND `type` = vType
|
||||
LIMIT 1;
|
||||
|
||||
IF NOT vChainExists THEN
|
||||
RETURN FALSE;
|
||||
END IF;
|
||||
|
||||
DROP TEMPORARY TABLE IF EXISTS tRole;
|
||||
CREATE TEMPORARY TABLE tRole
|
||||
(INDEX (`name`))
|
||||
ENGINE = MEMORY
|
||||
SELECT r.`name`
|
||||
FROM user u
|
||||
JOIN roleRole rr ON rr.role = u.role
|
||||
JOIN `role` r ON r.id = rr.inheritsFrom
|
||||
WHERE u.id = vUserFk;
|
||||
|
||||
SELECT TRUE INTO vHasPrivilege
|
||||
FROM mysql.global_priv gp
|
||||
JOIN tRole tr ON tr.name = gp.`User`
|
||||
OR CONCAT('$', tr.name) = gp.`User`
|
||||
WHERE JSON_VALUE(gp.Priv, '$.access') >= vExecutePriv
|
||||
AND gp.Host = ''
|
||||
LIMIT 1;
|
||||
|
||||
IF NOT vHasPrivilege THEN
|
||||
SELECT TRUE INTO vHasPrivilege
|
||||
FROM mysql.db db
|
||||
JOIN tRole tr ON tr.name = db.`User`
|
||||
WHERE db.Db = vDb
|
||||
AND db.Execute_priv = 'Y';
|
||||
END IF;
|
||||
|
||||
IF NOT vHasPrivilege THEN
|
||||
SELECT TRUE INTO vHasPrivilege
|
||||
FROM mysql.procs_priv pp
|
||||
JOIN tRole tr ON tr.name = pp.`User`
|
||||
WHERE pp.Db = vDb
|
||||
AND pp.Routine_name = vObject
|
||||
AND pp.Routine_type = vType
|
||||
AND pp.Proc_priv = 'Execute'
|
||||
LIMIT 1;
|
||||
END IF;
|
||||
|
||||
DROP TEMPORARY TABLE tRole;
|
||||
RETURN vHasPrivilege;
|
||||
END ;;
|
||||
DELIMITER ;
|
||||
|
||||
|
||||
/*!50003 SET sql_mode = @saved_sql_mode */ ;
|
||||
/*!50003 SET character_set_client = @saved_cs_client */ ;
|
||||
/*!50003 SET character_set_results = @saved_cs_results */ ;
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
const UserError = require('vn-loopback/util/user-error');
|
||||
|
||||
module.exports = Self => {
|
||||
Self.execute = async(ctx, routine, params, schema, type, options) => {
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const models = Self.app.models;
|
||||
let caller = 'CALL';
|
||||
|
||||
params = params ?? [];
|
||||
schema = schema ?? 'vn';
|
||||
type = type ?? 'procedure';
|
||||
|
||||
const myOptions = {userId: ctx.req.accessToken.userId};
|
||||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
|
||||
const chain = `${schema}.${routine}`;
|
||||
const [canExecute] = await models.ProcsPriv.rawSql(
|
||||
'SELECT account.user_hasRoutinePriv(?,?,?)',
|
||||
[type.toUpperCase(), chain, userId],
|
||||
myOptions);
|
||||
if (!Object.values(canExecute)[0]) throw new UserError(`You don't have enough privileges`, 'ACCESS_DENIED');
|
||||
|
||||
const isFunction = type == 'function';
|
||||
let argString = params.map(() => '?').join(',');
|
||||
|
||||
if (isFunction)
|
||||
caller = 'SELECT';
|
||||
const query = `${caller} ${chain}(${argString})`;
|
||||
|
||||
const [response] = await models.ProcsPriv.rawSql(query, params, myOptions);
|
||||
return response;
|
||||
};
|
||||
};
|
|
@ -0,0 +1,38 @@
|
|||
module.exports = Self => {
|
||||
Self.remoteMethodCtx('executeFunc', {
|
||||
description: 'Return result of function',
|
||||
accessType: '*',
|
||||
accepts: [
|
||||
{
|
||||
arg: 'routine',
|
||||
type: 'string',
|
||||
description: 'The routine name',
|
||||
required: true,
|
||||
http: {source: 'path'}
|
||||
},
|
||||
{
|
||||
arg: 'params',
|
||||
type: ['any'],
|
||||
description: 'The params array',
|
||||
},
|
||||
{
|
||||
arg: 'schema',
|
||||
type: 'string',
|
||||
description: 'The routine schema',
|
||||
}
|
||||
],
|
||||
returns: {
|
||||
type: 'any',
|
||||
root: true
|
||||
},
|
||||
http: {
|
||||
path: `/:routine/execute-func`,
|
||||
verb: 'POST'
|
||||
}
|
||||
});
|
||||
|
||||
Self.executeFunc = async(ctx, routine, params, schema, options) => {
|
||||
const response = await Self.execute(ctx, routine, params, schema, 'function', options);
|
||||
return Object.values(response)[0];
|
||||
};
|
||||
};
|
|
@ -0,0 +1,36 @@
|
|||
module.exports = Self => {
|
||||
Self.remoteMethodCtx('executeProc', {
|
||||
description: 'Return result of procedure',
|
||||
accessType: '*',
|
||||
accepts: [
|
||||
{
|
||||
arg: 'routine',
|
||||
type: 'string',
|
||||
description: 'The routine name',
|
||||
required: true,
|
||||
http: {source: 'path'}
|
||||
},
|
||||
{
|
||||
arg: 'params',
|
||||
type: ['any'],
|
||||
description: 'The params array',
|
||||
},
|
||||
{
|
||||
arg: 'schema',
|
||||
type: 'string',
|
||||
description: 'The routine schema',
|
||||
}
|
||||
],
|
||||
returns: {
|
||||
type: 'any',
|
||||
root: true
|
||||
},
|
||||
http: {
|
||||
path: `/:routine/execute-proc`,
|
||||
verb: 'POST'
|
||||
}
|
||||
});
|
||||
|
||||
Self.executeProc = async(ctx, routine, params, schema, options) =>
|
||||
Self.execute(ctx, routine, params, schema, 'procedure', options);
|
||||
};
|
|
@ -1,100 +0,0 @@
|
|||
const UserError = require('vn-loopback/util/user-error');
|
||||
|
||||
module.exports = Self => {
|
||||
Self.remoteMethodCtx('executeRoutine', {
|
||||
description: 'Return the routes by worker',
|
||||
accessType: '*',
|
||||
accepts: [
|
||||
{
|
||||
arg: 'routine',
|
||||
type: 'string',
|
||||
description: 'The routine name',
|
||||
required: true,
|
||||
http: {source: 'path'}
|
||||
},
|
||||
{
|
||||
arg: 'params',
|
||||
type: ['any'],
|
||||
description: 'The params array',
|
||||
},
|
||||
{
|
||||
arg: 'schema',
|
||||
type: 'string',
|
||||
description: 'The routine schema',
|
||||
},
|
||||
{
|
||||
arg: 'type',
|
||||
type: 'string',
|
||||
description: 'The routine type',
|
||||
}
|
||||
],
|
||||
returns: {
|
||||
type: 'any',
|
||||
root: true
|
||||
},
|
||||
http: {
|
||||
path: `/:routine/execute-routine`,
|
||||
verb: 'POST'
|
||||
}
|
||||
});
|
||||
|
||||
Self.executeRoutine = async(ctx, routine, params, schema, type, options) => {
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const models = Self.app.models;
|
||||
const isFunction = type == 'function';
|
||||
params = params ?? [];
|
||||
schema = schema ?? 'vn';
|
||||
type = type ?? 'procedure';
|
||||
let caller = 'CALL';
|
||||
|
||||
if (isFunction)
|
||||
caller = 'SELECT';
|
||||
|
||||
const myOptions = {userId: ctx.req.accessToken.userId};
|
||||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
|
||||
const user = await models.VnUser.findById(userId, {
|
||||
fields: ['id', 'roleFk'],
|
||||
include: {
|
||||
relation: 'role',
|
||||
scope: {
|
||||
fields: ['id', 'name']
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
const inherits = await models.RoleRole.find({
|
||||
include: {
|
||||
relation: 'inherits',
|
||||
scope: {
|
||||
fields: ['id', 'name']
|
||||
}
|
||||
},
|
||||
where: {
|
||||
role: user.role().id
|
||||
}
|
||||
});
|
||||
|
||||
const roles = inherits.map(inherit => inherit.inherits().name);
|
||||
|
||||
const canExecute = await models.ProcsPriv.findOne({
|
||||
where: {
|
||||
schema,
|
||||
type: type.toUpperCase(),
|
||||
name: routine,
|
||||
host: process.env.NODE_ENV ? '' : '%',
|
||||
role: {inq: roles}
|
||||
}
|
||||
});
|
||||
|
||||
if (!canExecute) throw new UserError(`You don't have enough privileges`, 'ACCESS_DENIED');
|
||||
|
||||
let argString = params.map(() => '?').join(',');
|
||||
|
||||
const query = `${caller} ${schema}.${routine}(${argString})`;
|
||||
|
||||
const [response] = await models.ProcsPriv.rawSql(query, params, myOptions);
|
||||
return isFunction ? Object.values(response)[0] : response;
|
||||
};
|
||||
};
|
|
@ -1,6 +1,6 @@
|
|||
const models = require('vn-loopback/server/server').models;
|
||||
|
||||
describe('Application executeRoutine()', () => {
|
||||
describe('Application execute()/executeProc()/executeFunc()', () => {
|
||||
const userWithoutPrivileges = 1;
|
||||
const userWithPrivileges = 9;
|
||||
const userWithInheritedPrivileges = 120;
|
||||
|
@ -48,7 +48,7 @@ describe('Application executeRoutine()', () => {
|
|||
try {
|
||||
const options = {transaction: tx};
|
||||
|
||||
await models.Application.executeRoutine(
|
||||
await models.Application.execute(
|
||||
ctx,
|
||||
'myProcedure',
|
||||
[1],
|
||||
|
@ -71,7 +71,7 @@ describe('Application executeRoutine()', () => {
|
|||
try {
|
||||
const options = {transaction: tx};
|
||||
|
||||
const response = await models.Application.executeRoutine(
|
||||
const response = await models.Application.execute(
|
||||
ctx,
|
||||
'myProcedure',
|
||||
[1],
|
||||
|
@ -90,17 +90,42 @@ describe('Application executeRoutine()', () => {
|
|||
}
|
||||
});
|
||||
|
||||
describe('Application executeProc()', () => {
|
||||
it('should execute procedure and get data (executeProc)', async() => {
|
||||
const ctx = getCtx(userWithPrivileges);
|
||||
try {
|
||||
const options = {transaction: tx};
|
||||
|
||||
const response = await models.Application.executeProc(
|
||||
ctx,
|
||||
'myProcedure',
|
||||
[1],
|
||||
null,
|
||||
options
|
||||
);
|
||||
|
||||
expect(response.length).toEqual(2);
|
||||
expect(response[0].myParam).toEqual(1);
|
||||
|
||||
await tx.rollback();
|
||||
} catch (e) {
|
||||
await tx.rollback();
|
||||
throw e;
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
describe('Application executeFunc()', () => {
|
||||
it('should execute function and get data', async() => {
|
||||
const ctx = getCtx(userWithPrivileges);
|
||||
try {
|
||||
const options = {transaction: tx};
|
||||
|
||||
const response = await models.Application.executeRoutine(
|
||||
const response = await models.Application.executeFunc(
|
||||
ctx,
|
||||
'myFunction',
|
||||
[1],
|
||||
'bs',
|
||||
'function',
|
||||
options
|
||||
);
|
||||
|
||||
|
@ -118,12 +143,11 @@ describe('Application executeRoutine()', () => {
|
|||
try {
|
||||
const options = {transaction: tx};
|
||||
|
||||
const response = await models.Application.executeRoutine(
|
||||
const response = await models.Application.executeFunc(
|
||||
ctx,
|
||||
'myFunction',
|
||||
[1],
|
||||
'bs',
|
||||
'function',
|
||||
options
|
||||
);
|
||||
|
||||
|
@ -136,3 +160,4 @@ describe('Application executeRoutine()', () => {
|
|||
}
|
||||
});
|
||||
});
|
||||
});
|
|
@ -2,5 +2,7 @@
|
|||
module.exports = function(Self) {
|
||||
require('../methods/application/status')(Self);
|
||||
require('../methods/application/post')(Self);
|
||||
require('../methods/application/executeRoutine')(Self);
|
||||
require('../methods/application/execute')(Self);
|
||||
require('../methods/application/executeProc')(Self);
|
||||
require('../methods/application/executeFunc')(Self);
|
||||
};
|
||||
|
|
Loading…
Reference in New Issue