refs #6014 feat(execute): use user_hasRoutinePriv. feat(execute): split in executeProc & executeFunc
gitea/salix/pipeline/head This commit looks good Details

This commit is contained in:
Alex Moreno 2023-11-10 10:58:58 +01:00
parent f1b5e45491
commit 69255fe2fc
10 changed files with 265 additions and 144 deletions

View File

@ -12,6 +12,7 @@
"editor.defaultFormatter": "dbaeumer.vscode-eslint"
},
"cSpell.words": [
"salix"
"salix",
"fdescribe"
]
}

View File

@ -1,3 +0,0 @@
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
VALUES
('Application', 'executeRoutine', '*', 'ALLOW', 'ROLE', 'employee');

View File

@ -0,0 +1,4 @@
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
VALUES
('Application', 'executeProc', '*', 'ALLOW', 'ROLE', 'employee'),
('Application', 'executeFunc', '*', 'ALLOW', 'ROLE', 'employee');

View File

@ -2352,6 +2352,90 @@ BEGIN
END IF;
END ;;
DELIMITER ;
DELIMITER ;;
CREATE DEFINER=`root`@`localhost` FUNCTION `account`.`user_hasRoutinePriv`(vType ENUM('PROCEDURE', 'FUNCTION'),
vChain VARCHAR(100),
vUserFk INT
) RETURNS tinyint(1)
READS SQL DATA
BEGIN
/**
* Search if the user has privileges on routines.
*
* @param vType procedure or function
* @param vChain string passed with this syntax dbName.tableName
* @param vUserFk user to ckeck
* @return vHasPrivilege
*/
DECLARE vHasPrivilege BOOL DEFAULT FALSE;
DECLARE vDb VARCHAR(50);
DECLARE vObject VARCHAR(50);
DECLARE vChainExists BOOL;
DECLARE vExecutePriv INT DEFAULT 262144;
-- 262144 = CONV(1000000000000000000, 2, 10)
-- 1000000000000000000 execution permission expressed in binary base
SET vDb = SUBSTRING_INDEX(vChain, '.', 1);
SET vChain = SUBSTRING(vChain, LENGTH(vDb) + 2);
SET vObject = SUBSTRING_INDEX(vChain, '.', 1);
SELECT COUNT(*) INTO vChainExists
FROM mysql.proc
WHERE db = vDb
AND `name` = vObject
AND `type` = vType
LIMIT 1;
IF NOT vChainExists THEN
RETURN FALSE;
END IF;
DROP TEMPORARY TABLE IF EXISTS tRole;
CREATE TEMPORARY TABLE tRole
(INDEX (`name`))
ENGINE = MEMORY
SELECT r.`name`
FROM user u
JOIN roleRole rr ON rr.role = u.role
JOIN `role` r ON r.id = rr.inheritsFrom
WHERE u.id = vUserFk;
SELECT TRUE INTO vHasPrivilege
FROM mysql.global_priv gp
JOIN tRole tr ON tr.name = gp.`User`
OR CONCAT('$', tr.name) = gp.`User`
WHERE JSON_VALUE(gp.Priv, '$.access') >= vExecutePriv
AND gp.Host = ''
LIMIT 1;
IF NOT vHasPrivilege THEN
SELECT TRUE INTO vHasPrivilege
FROM mysql.db db
JOIN tRole tr ON tr.name = db.`User`
WHERE db.Db = vDb
AND db.Execute_priv = 'Y';
END IF;
IF NOT vHasPrivilege THEN
SELECT TRUE INTO vHasPrivilege
FROM mysql.procs_priv pp
JOIN tRole tr ON tr.name = pp.`User`
WHERE pp.Db = vDb
AND pp.Routine_name = vObject
AND pp.Routine_type = vType
AND pp.Proc_priv = 'Execute'
LIMIT 1;
END IF;
DROP TEMPORARY TABLE tRole;
RETURN vHasPrivilege;
END ;;
DELIMITER ;
/*!50003 SET sql_mode = @saved_sql_mode */ ;
/*!50003 SET character_set_client = @saved_cs_client */ ;
/*!50003 SET character_set_results = @saved_cs_results */ ;

View File

@ -0,0 +1,34 @@
const UserError = require('vn-loopback/util/user-error');
module.exports = Self => {
Self.execute = async(ctx, routine, params, schema, type, options) => {
const userId = ctx.req.accessToken.userId;
const models = Self.app.models;
let caller = 'CALL';
params = params ?? [];
schema = schema ?? 'vn';
type = type ?? 'procedure';
const myOptions = {userId: ctx.req.accessToken.userId};
if (typeof options == 'object')
Object.assign(myOptions, options);
const chain = `${schema}.${routine}`;
const [canExecute] = await models.ProcsPriv.rawSql(
'SELECT account.user_hasRoutinePriv(?,?,?)',
[type.toUpperCase(), chain, userId],
myOptions);
if (!Object.values(canExecute)[0]) throw new UserError(`You don't have enough privileges`, 'ACCESS_DENIED');
const isFunction = type == 'function';
let argString = params.map(() => '?').join(',');
if (isFunction)
caller = 'SELECT';
const query = `${caller} ${chain}(${argString})`;
const [response] = await models.ProcsPriv.rawSql(query, params, myOptions);
return response;
};
};

View File

@ -0,0 +1,38 @@
module.exports = Self => {
Self.remoteMethodCtx('executeFunc', {
description: 'Return result of function',
accessType: '*',
accepts: [
{
arg: 'routine',
type: 'string',
description: 'The routine name',
required: true,
http: {source: 'path'}
},
{
arg: 'params',
type: ['any'],
description: 'The params array',
},
{
arg: 'schema',
type: 'string',
description: 'The routine schema',
}
],
returns: {
type: 'any',
root: true
},
http: {
path: `/:routine/execute-func`,
verb: 'POST'
}
});
Self.executeFunc = async(ctx, routine, params, schema, options) => {
const response = await Self.execute(ctx, routine, params, schema, 'function', options);
return Object.values(response)[0];
};
};

View File

@ -0,0 +1,36 @@
module.exports = Self => {
Self.remoteMethodCtx('executeProc', {
description: 'Return result of procedure',
accessType: '*',
accepts: [
{
arg: 'routine',
type: 'string',
description: 'The routine name',
required: true,
http: {source: 'path'}
},
{
arg: 'params',
type: ['any'],
description: 'The params array',
},
{
arg: 'schema',
type: 'string',
description: 'The routine schema',
}
],
returns: {
type: 'any',
root: true
},
http: {
path: `/:routine/execute-proc`,
verb: 'POST'
}
});
Self.executeProc = async(ctx, routine, params, schema, options) =>
Self.execute(ctx, routine, params, schema, 'procedure', options);
};

View File

@ -1,100 +0,0 @@
const UserError = require('vn-loopback/util/user-error');
module.exports = Self => {
Self.remoteMethodCtx('executeRoutine', {
description: 'Return the routes by worker',
accessType: '*',
accepts: [
{
arg: 'routine',
type: 'string',
description: 'The routine name',
required: true,
http: {source: 'path'}
},
{
arg: 'params',
type: ['any'],
description: 'The params array',
},
{
arg: 'schema',
type: 'string',
description: 'The routine schema',
},
{
arg: 'type',
type: 'string',
description: 'The routine type',
}
],
returns: {
type: 'any',
root: true
},
http: {
path: `/:routine/execute-routine`,
verb: 'POST'
}
});
Self.executeRoutine = async(ctx, routine, params, schema, type, options) => {
const userId = ctx.req.accessToken.userId;
const models = Self.app.models;
const isFunction = type == 'function';
params = params ?? [];
schema = schema ?? 'vn';
type = type ?? 'procedure';
let caller = 'CALL';
if (isFunction)
caller = 'SELECT';
const myOptions = {userId: ctx.req.accessToken.userId};
if (typeof options == 'object')
Object.assign(myOptions, options);
const user = await models.VnUser.findById(userId, {
fields: ['id', 'roleFk'],
include: {
relation: 'role',
scope: {
fields: ['id', 'name']
}
}
});
const inherits = await models.RoleRole.find({
include: {
relation: 'inherits',
scope: {
fields: ['id', 'name']
}
},
where: {
role: user.role().id
}
});
const roles = inherits.map(inherit => inherit.inherits().name);
const canExecute = await models.ProcsPriv.findOne({
where: {
schema,
type: type.toUpperCase(),
name: routine,
host: process.env.NODE_ENV ? '' : '%',
role: {inq: roles}
}
});
if (!canExecute) throw new UserError(`You don't have enough privileges`, 'ACCESS_DENIED');
let argString = params.map(() => '?').join(',');
const query = `${caller} ${schema}.${routine}(${argString})`;
const [response] = await models.ProcsPriv.rawSql(query, params, myOptions);
return isFunction ? Object.values(response)[0] : response;
};
};

View File

@ -1,6 +1,6 @@
const models = require('vn-loopback/server/server').models;
describe('Application executeRoutine()', () => {
describe('Application execute()/executeProc()/executeFunc()', () => {
const userWithoutPrivileges = 1;
const userWithPrivileges = 9;
const userWithInheritedPrivileges = 120;
@ -48,7 +48,7 @@ describe('Application executeRoutine()', () => {
try {
const options = {transaction: tx};
await models.Application.executeRoutine(
await models.Application.execute(
ctx,
'myProcedure',
[1],
@ -71,7 +71,7 @@ describe('Application executeRoutine()', () => {
try {
const options = {transaction: tx};
const response = await models.Application.executeRoutine(
const response = await models.Application.execute(
ctx,
'myProcedure',
[1],
@ -90,49 +90,74 @@ describe('Application executeRoutine()', () => {
}
});
it('should execute function and get data', async() => {
const ctx = getCtx(userWithPrivileges);
try {
const options = {transaction: tx};
describe('Application executeProc()', () => {
it('should execute procedure and get data (executeProc)', async() => {
const ctx = getCtx(userWithPrivileges);
try {
const options = {transaction: tx};
const response = await models.Application.executeRoutine(
ctx,
'myFunction',
[1],
'bs',
'function',
options
);
const response = await models.Application.executeProc(
ctx,
'myProcedure',
[1],
null,
options
);
expect(response).toEqual(1);
expect(response.length).toEqual(2);
expect(response[0].myParam).toEqual(1);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
});
it('should execute function and get data with user with inherited privileges', async() => {
const ctx = getCtx(userWithInheritedPrivileges);
try {
const options = {transaction: tx};
describe('Application executeFunc()', () => {
it('should execute function and get data', async() => {
const ctx = getCtx(userWithPrivileges);
try {
const options = {transaction: tx};
const response = await models.Application.executeRoutine(
ctx,
'myFunction',
[1],
'bs',
'function',
options
);
const response = await models.Application.executeFunc(
ctx,
'myFunction',
[1],
'bs',
options
);
expect(response).toEqual(1);
expect(response).toEqual(1);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should execute function and get data with user with inherited privileges', async() => {
const ctx = getCtx(userWithInheritedPrivileges);
try {
const options = {transaction: tx};
const response = await models.Application.executeFunc(
ctx,
'myFunction',
[1],
'bs',
options
);
expect(response).toEqual(1);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
});
});

View File

@ -2,5 +2,7 @@
module.exports = function(Self) {
require('../methods/application/status')(Self);
require('../methods/application/post')(Self);
require('../methods/application/executeRoutine')(Self);
require('../methods/application/execute')(Self);
require('../methods/application/executeProc')(Self);
require('../methods/application/executeFunc')(Self);
};