refs #6014 feat(execute): use user_hasRoutinePriv. feat(execute): split in executeProc & executeFunc

2023-11-10 10:58:58 +01:00 · 2023-11-10 10:58:58 +01:00 · 69255fe2fc
parent f1b5e45491
commit 69255fe2fc
10 changed files with 265 additions and 144 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -12,6 +12,7 @@
        "editor.defaultFormatter": "dbaeumer.vscode-eslint"
    },
    "cSpell.words": [
-        "salix"
+        "salix",
+        "fdescribe"
    ]
 }
--- a/db/changes/234201/00-ACL_executeRoutine.sql
+++ b/db/changes/234201/00-ACL_executeRoutine.sql
@ -1,3 +0,0 @@
-INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
-    VALUES
-        ('Application', 'executeRoutine', '*', 'ALLOW', 'ROLE', 'employee');
--- a/db/changes/234801/00-ACL_executeRoutine.sql
+++ b/db/changes/234801/00-ACL_executeRoutine.sql
@ -0,0 +1,4 @@
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+    VALUES
+        ('Application', 'executeProc', '*', 'ALLOW', 'ROLE', 'employee'),
+        ('Application', 'executeFunc', '*', 'ALLOW', 'ROLE', 'employee');
--- a/db/dump/structure.sql
+++ b/db/dump/structure.sql
@ -2352,6 +2352,90 @@ BEGIN
 	END IF;
 END ;;
 DELIMITER ;
+
+
+DELIMITER ;;
+CREATE DEFINER=`root`@`localhost` FUNCTION `account`.`user_hasRoutinePriv`(vType ENUM('PROCEDURE', 'FUNCTION'),
+	vChain VARCHAR(100),
+	vUserFk INT
+) RETURNS tinyint(1)
+    READS SQL DATA
+BEGIN
+
+/**
+ * Search if the user has privileges on routines.
+ *
+ * @param vType procedure or function
+ * @param vChain string passed with this syntax dbName.tableName
+ * @param vUserFk user to ckeck
+ * @return vHasPrivilege
+ */
+	DECLARE vHasPrivilege BOOL DEFAULT FALSE;
+	DECLARE vDb VARCHAR(50);
+	DECLARE vObject VARCHAR(50);
+	DECLARE vChainExists BOOL;
+	DECLARE vExecutePriv INT DEFAULT 262144;
+	-- 262144 = CONV(1000000000000000000, 2, 10)
+	-- 1000000000000000000 execution permission expressed in binary base
+
+	SET vDb = SUBSTRING_INDEX(vChain, '.', 1);
+	SET vChain = SUBSTRING(vChain, LENGTH(vDb) + 2);
+	SET vObject = SUBSTRING_INDEX(vChain, '.', 1);
+
+	SELECT COUNT(*) INTO vChainExists
+		FROM mysql.proc
+			WHERE db = vDb
+				AND `name` = vObject
+				AND `type` = vType
+			LIMIT 1;
+
+	IF NOT vChainExists THEN
+		RETURN FALSE;
+	END IF;
+
+	DROP TEMPORARY TABLE IF EXISTS tRole;
+	CREATE TEMPORARY TABLE tRole
+		(INDEX (`name`))
+		ENGINE = MEMORY
+		SELECT r.`name`
+			FROM user u
+				JOIN roleRole rr ON rr.role = u.role
+				JOIN `role` r ON r.id = rr.inheritsFrom
+			WHERE u.id = vUserFk;
+
+	SELECT TRUE INTO vHasPrivilege
+		FROM mysql.global_priv gp
+			JOIN tRole tr ON tr.name = gp.`User`
+				OR CONCAT('$', tr.name) = gp.`User`
+		WHERE JSON_VALUE(gp.Priv, '$.access') >= vExecutePriv
+			AND gp.Host = ''
+		LIMIT 1;
+
+	IF NOT vHasPrivilege THEN
+		SELECT TRUE INTO vHasPrivilege
+			FROM mysql.db db
+				JOIN tRole tr ON tr.name = db.`User`
+			WHERE db.Db = vDb
+				AND db.Execute_priv = 'Y';
+	END IF;
+
+	IF NOT vHasPrivilege THEN
+		SELECT TRUE INTO vHasPrivilege
+			FROM mysql.procs_priv pp
+				JOIN tRole tr ON tr.name = pp.`User`
+			WHERE pp.Db = vDb
+				AND pp.Routine_name = vObject
+				AND pp.Routine_type = vType
+				AND pp.Proc_priv = 'Execute'
+			LIMIT 1;
+	END IF;
+
+	DROP TEMPORARY TABLE tRole;
+	RETURN vHasPrivilege;
+END ;;
+DELIMITER ;
+
+
 /*!50003 SET sql_mode              = @saved_sql_mode */ ;
 /*!50003 SET character_set_client  = @saved_cs_client */ ;
 /*!50003 SET character_set_results = @saved_cs_results */ ;
--- a/loopback/common/methods/application/execute.js
+++ b/loopback/common/methods/application/execute.js
@ -0,0 +1,34 @@
+const UserError = require('vn-loopback/util/user-error');
+
+module.exports = Self => {
+    Self.execute = async(ctx, routine, params, schema, type, options) => {
+        const userId = ctx.req.accessToken.userId;
+        const models = Self.app.models;
+        let caller = 'CALL';
+
+        params = params ?? [];
+        schema = schema ?? 'vn';
+        type = type ?? 'procedure';
+
+        const myOptions = {userId: ctx.req.accessToken.userId};
+        if (typeof options == 'object')
+            Object.assign(myOptions, options);
+
+        const chain = `${schema}.${routine}`;
+        const [canExecute] = await models.ProcsPriv.rawSql(
+            'SELECT account.user_hasRoutinePriv(?,?,?)',
+            [type.toUpperCase(), chain, userId],
+            myOptions);
+        if (!Object.values(canExecute)[0]) throw new UserError(`You don't have enough privileges`, 'ACCESS_DENIED');
+
+        const isFunction = type == 'function';
+        let argString = params.map(() => '?').join(',');
+
+        if (isFunction)
+            caller = 'SELECT';
+        const query = `${caller} ${chain}(${argString})`;
+
+        const [response] = await models.ProcsPriv.rawSql(query, params, myOptions);
+        return response;
+    };
+};
--- a/loopback/common/methods/application/executeFunc.js
+++ b/loopback/common/methods/application/executeFunc.js
@ -0,0 +1,38 @@
+module.exports = Self => {
+    Self.remoteMethodCtx('executeFunc', {
+        description: 'Return result of function',
+        accessType: '*',
+        accepts: [
+            {
+                arg: 'routine',
+                type: 'string',
+                description: 'The routine name',
+                required: true,
+                http: {source: 'path'}
+            },
+            {
+                arg: 'params',
+                type: ['any'],
+                description: 'The params array',
+            },
+            {
+                arg: 'schema',
+                type: 'string',
+                description: 'The routine schema',
+            }
+        ],
+        returns: {
+            type: 'any',
+            root: true
+        },
+        http: {
+            path: `/:routine/execute-func`,
+            verb: 'POST'
+        }
+    });
+
+    Self.executeFunc = async(ctx, routine, params, schema, options) => {
+        const response = await Self.execute(ctx, routine, params, schema, 'function', options);
+        return Object.values(response)[0];
+    };
+};
--- a/loopback/common/methods/application/executeProc.js
+++ b/loopback/common/methods/application/executeProc.js
@ -0,0 +1,36 @@
+module.exports = Self => {
+    Self.remoteMethodCtx('executeProc', {
+        description: 'Return result of procedure',
+        accessType: '*',
+        accepts: [
+            {
+                arg: 'routine',
+                type: 'string',
+                description: 'The routine name',
+                required: true,
+                http: {source: 'path'}
+            },
+            {
+                arg: 'params',
+                type: ['any'],
+                description: 'The params array',
+            },
+            {
+                arg: 'schema',
+                type: 'string',
+                description: 'The routine schema',
+            }
+        ],
+        returns: {
+            type: 'any',
+            root: true
+        },
+        http: {
+            path: `/:routine/execute-proc`,
+            verb: 'POST'
+        }
+    });
+
+    Self.executeProc = async(ctx, routine, params, schema, options) =>
+        Self.execute(ctx, routine, params, schema, 'procedure', options);
+};
--- a/loopback/common/methods/application/executeRoutine.js
+++ b/loopback/common/methods/application/executeRoutine.js
@ -1,100 +0,0 @@
-const UserError = require('vn-loopback/util/user-error');
-
-module.exports = Self => {
-    Self.remoteMethodCtx('executeRoutine', {
-        description: 'Return the routes by worker',
-        accessType: '*',
-        accepts: [
-            {
-                arg: 'routine',
-                type: 'string',
-                description: 'The routine name',
-                required: true,
-                http: {source: 'path'}
-            },
-            {
-                arg: 'params',
-                type: ['any'],
-                description: 'The params array',
-            },
-            {
-                arg: 'schema',
-                type: 'string',
-                description: 'The routine schema',
-            },
-            {
-                arg: 'type',
-                type: 'string',
-                description: 'The routine type',
-            }
-        ],
-        returns: {
-            type: 'any',
-            root: true
-        },
-        http: {
-            path: `/:routine/execute-routine`,
-            verb: 'POST'
-        }
-    });
-
-    Self.executeRoutine = async(ctx, routine, params, schema, type, options) => {
-        const userId = ctx.req.accessToken.userId;
-        const models = Self.app.models;
-        const isFunction = type == 'function';
-        params = params ?? [];
-        schema = schema ?? 'vn';
-        type = type ?? 'procedure';
-        let caller = 'CALL';
-
-        if (isFunction)
-            caller = 'SELECT';
-
-        const myOptions = {userId: ctx.req.accessToken.userId};
-        if (typeof options == 'object')
-            Object.assign(myOptions, options);
-
-        const user = await models.VnUser.findById(userId, {
-            fields: ['id', 'roleFk'],
-            include: {
-                relation: 'role',
-                scope: {
-                    fields: ['id', 'name']
-                }
-            }
-        });
-
-        const inherits = await models.RoleRole.find({
-            include: {
-                relation: 'inherits',
-                scope: {
-                    fields: ['id', 'name']
-                }
-            },
-            where: {
-                role: user.role().id
-            }
-        });
-
-        const roles = inherits.map(inherit => inherit.inherits().name);
-
-        const canExecute = await models.ProcsPriv.findOne({
-            where: {
-                schema,
-                type: type.toUpperCase(),
-                name: routine,
-                host: process.env.NODE_ENV ? '' : '%',
-                role: {inq: roles}
-            }
-        });
-
-        if (!canExecute) throw new UserError(`You don't have enough privileges`, 'ACCESS_DENIED');
-
-        let argString = params.map(() => '?').join(',');
-
-        const query = `${caller} ${schema}.${routine}(${argString})`;
-
-        const [response] = await models.ProcsPriv.rawSql(query, params, myOptions);
-        return isFunction ? Object.values(response)[0] : response;
-    };
-};
--- a/loopback/common/methods/application/spec/executeRoutine.spec.js
+++ b/loopback/common/methods/application/spec/executeRoutine.spec.js
@ -1,6 +1,6 @@
 const models = require('vn-loopback/server/server').models;

-describe('Application executeRoutine()', () => {
+describe('Application execute()/executeProc()/executeFunc()', () => {
    const userWithoutPrivileges = 1;
    const userWithPrivileges = 9;
    const userWithInheritedPrivileges = 120;
@ -48,7 +48,7 @@ describe('Application executeRoutine()', () => {
        try {
            const options = {transaction: tx};

-            await models.Application.executeRoutine(
+            await models.Application.execute(
                ctx,
                'myProcedure',
                [1],
@ -71,7 +71,7 @@ describe('Application executeRoutine()', () => {
        try {
            const options = {transaction: tx};

-            const response = await models.Application.executeRoutine(
+            const response = await models.Application.execute(
                ctx,
                'myProcedure',
                [1],
@ -90,17 +90,42 @@ describe('Application executeRoutine()', () => {
        }
    });

+    describe('Application executeProc()', () => {
+        it('should execute procedure and get data (executeProc)', async() => {
+            const ctx = getCtx(userWithPrivileges);
+            try {
+                const options = {transaction: tx};
+
+                const response = await models.Application.executeProc(
+                    ctx,
+                    'myProcedure',
+                    [1],
+                    null,
+                    options
+                );
+
+                expect(response.length).toEqual(2);
+                expect(response[0].myParam).toEqual(1);
+
+                await tx.rollback();
+            } catch (e) {
+                await tx.rollback();
+                throw e;
+            }
+        });
+    });
+
+    describe('Application executeFunc()', () => {
        it('should execute function and get data', async() => {
            const ctx = getCtx(userWithPrivileges);
            try {
                const options = {transaction: tx};

-            const response = await models.Application.executeRoutine(
+                const response = await models.Application.executeFunc(
                    ctx,
                    'myFunction',
                    [1],
                    'bs',
-                'function',
                    options
                );

@ -118,12 +143,11 @@ describe('Application executeRoutine()', () => {
            try {
                const options = {transaction: tx};

-            const response = await models.Application.executeRoutine(
+                const response = await models.Application.executeFunc(
                    ctx,
                    'myFunction',
                    [1],
                    'bs',
-                'function',
                    options
                );

@ -135,4 +159,5 @@ describe('Application executeRoutine()', () => {
                throw e;
            }
        });
+    });
 });
--- a/loopback/common/models/application.js
+++ b/loopback/common/models/application.js
@ -2,5 +2,7 @@
 module.exports = function(Self) {
    require('../methods/application/status')(Self);
    require('../methods/application/post')(Self);
-    require('../methods/application/executeRoutine')(Self);
+    require('../methods/application/execute')(Self);
+    require('../methods/application/executeProc')(Self);
+    require('../methods/application/executeFunc')(Self);
 };