Planbuilder Authorization

Author: Hydrocharged

engine.go

@@ -63,6 +63,9 @@ type Config struct {
 	// disabled, and including any users here will enable authentication. All users in this list will have full access.
 	// This field is only temporary, and will be removed as development on users and authentication continues.
 	TemporaryUsers []TemporaryUser
+	// AuthorizationHandler sets the handler that will be used for authorization on all calls. Will use the default
+	// handler if one is not specified.
+	AuthorizationHandler planbuilder.AuthorizationHandler
 }
 
 // TemporaryUser is a user that will be added to the engine. This is for temporary use while the remaining features
@@ -148,6 +151,7 @@ type Engine struct {
 	Version           sql.AnalyzerVersion
 	EventScheduler    *eventscheduler.EventScheduler
 	Parser            sql.Parser
+	AuthHandler       planbuilder.AuthorizationHandler
 }
 
 type ColumnWithRawDefault struct {
@@ -167,6 +171,13 @@ func New(a *analyzer.Analyzer, cfg *Config) *Engine {
 		a.Catalog.MySQLDb.AddRootAccount()
 	}
 
+	var authHandler planbuilder.AuthorizationHandler
+	if cfg.AuthorizationHandler != nil {
+		authHandler = cfg.AuthorizationHandler
+	} else {
+		authHandler = planbuilder.DefaultAuthorizationHandler()
+	}
+
 	ls := sql.NewLockSubsystem()
 
 	variables.InitStatusVariables()
@@ -193,6 +204,7 @@ func New(a *analyzer.Analyzer, cfg *Config) *Engine {
 		mu:                &sync.Mutex{},
 		EventScheduler:    nil,
 		Parser:            sql.GlobalParser,
+		AuthHandler:       authHandler,
 	}
 	ret.ReadOnly.Store(cfg.IsReadOnly)
 	return ret
@@ -209,7 +221,7 @@ func (e *Engine) AnalyzeQuery(
 	ctx *sql.Context,
 	query string,
 ) (sql.Node, error) {
-	binder := planbuilder.New(ctx, e.Analyzer.Catalog, e.Parser)
+	binder := planbuilder.New(ctx, e.Analyzer.Catalog, e.Parser, e.AuthHandler)
 	parsed, _, _, qFlags, err := binder.Parse(query, nil, false)
 	if err != nil {
 		return nil, err
@@ -237,7 +249,7 @@ func (e *Engine) PrepareParsedQuery(
 	statementKey, query string,
 	stmt sqlparser.Statement,
 ) (sql.Node, error) {
-	binder := planbuilder.New(ctx, e.Analyzer.Catalog, e.Parser)
+	binder := planbuilder.New(ctx, e.Analyzer.Catalog, e.Parser, e.AuthHandler)
 	node, _, err := binder.BindOnly(stmt, query, nil)
 
 	if err != nil {
@@ -495,7 +507,7 @@ func (e *Engine) BoundQueryPlan(ctx *sql.Context, query string, parsed sqlparser
 
 	query = sql.RemoveSpaceAndDelimiter(query, ';')
 
-	binder := planbuilder.New(ctx, e.Analyzer.Catalog, e.Parser)
+	binder := planbuilder.New(ctx, e.Analyzer.Catalog, e.Parser, e.AuthHandler)
 	binder.SetBindings(bindings)
 
 	// Begin a transaction if necessary (no-op if one is in flight)
@@ -549,7 +561,7 @@ func (e *Engine) preparedStatement(ctx *sql.Context, query string, parsed sqlpar
 		preparedAst, preparedDataFound = e.PreparedDataCache.GetCachedStmt(ctx.Session.ID(), query)
 	}
 
-	binder := planbuilder.New(ctx, e.Analyzer.Catalog, e.Parser)
+	binder := planbuilder.New(ctx, e.Analyzer.Catalog, e.Parser, e.AuthHandler)
 	if preparedDataFound {
 		parsed = preparedAst
 		binder.SetBindings(bindings)
@@ -782,6 +794,10 @@ func (e *Engine) EngineAnalyzer() *analyzer.Analyzer {
 	return e.Analyzer
 }
 
+func (e *Engine) AuthorizationHandler() planbuilder.AuthorizationHandler {
+	return e.AuthHandler
+}
+
 // InitializeEventScheduler initializes the EventScheduler for the engine with the given sql.Context
 // getter function, |ctxGetterFunc, the EventScheduler |status|, and the |period| for the event scheduler
 // to check for events to execute. If |period| is less than 1, then it is ignored and the default period

enginetest/engine_only_test.go

@@ -510,7 +510,7 @@ func TestAnalyzer_Exp(t *testing.T) {
 			require.NoError(t, err)
 
 			ctx := enginetest.NewContext(harness)
-			b := planbuilder.New(ctx, e.EngineAnalyzer().Catalog, sql.NewMysqlParser())
+			b := planbuilder.New(ctx, e.EngineAnalyzer().Catalog, sql.NewMysqlParser(), e.AuthorizationHandler())
 			parsed, _, _, _, err := b.Parse(tt.query, nil, false)
 			require.NoError(t, err)
 

enginetest/enginetests.go

@@ -584,7 +584,7 @@ func TestQueryPlanWithName(t *testing.T, name string, harness Harness, e QueryEn
 	t.Run(name, func(t *testing.T) {
 		ctx := NewContext(harness)
 
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, query)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), query)
 		require.NoError(t, err)
 
 		node, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
@@ -611,7 +611,7 @@ func TestQueryPlanWithName(t *testing.T, name string, harness Harness, e QueryEn
 func TestQueryPlanWithEngine(t *testing.T, harness Harness, e QueryEngine, tt queries.QueryPlanTest, verbose bool) {
 	t.Run(tt.Query, func(t *testing.T) {
 		ctx := NewContext(harness)
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, tt.Query)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), tt.Query)
 		require.NoError(t, err)
 
 		node, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
@@ -1360,7 +1360,7 @@ func TestTruncate(t *testing.T, harness Harness) {
 		TestQueryWithContext(t, ctx, e, harness, "SELECT * FROM t5 ORDER BY 1", []sql.Row{{int64(1), int64(1)}, {int64(2), int64(2)}}, nil, nil, nil)
 
 		deleteStr := "DELETE FROM t5"
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, deleteStr)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), deleteStr)
 		require.NoError(t, err)
 		analyzed, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
 		require.NoError(t, err)
@@ -1389,7 +1389,7 @@ func TestTruncate(t *testing.T, harness Harness) {
 		RunQueryWithContext(t, e, harness, ctx, "INSERT INTO t6parent VALUES (1,1), (2,2)")
 		RunQueryWithContext(t, e, harness, ctx, "INSERT INTO t6child VALUES (1,1), (2,2)")
 
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, "DELETE FROM t6parent")
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), "DELETE FROM t6parent")
 		require.NoError(t, err)
 		analyzed, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
 		require.NoError(t, err)
@@ -1417,7 +1417,7 @@ func TestTruncate(t *testing.T, harness Harness) {
 		TestQueryWithContext(t, ctx, e, harness, "SELECT * FROM t7i ORDER BY 1", []sql.Row{{int64(3), int64(3)}}, nil, nil, nil)
 
 		deleteStr := "DELETE FROM t7"
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, deleteStr)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), deleteStr)
 		require.NoError(t, err)
 		analyzed, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
 		require.NoError(t, err)
@@ -1445,7 +1445,7 @@ func TestTruncate(t *testing.T, harness Harness) {
 		TestQueryWithContext(t, ctx, e, harness, "SELECT * FROM t8 ORDER BY 1", []sql.Row{{int64(1), int64(4)}, {int64(2), int64(5)}}, nil, nil, nil)
 
 		deleteStr := "DELETE FROM t8"
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, deleteStr)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), deleteStr)
 		require.NoError(t, err)
 		analyzed, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
 		require.NoError(t, err)
@@ -1474,7 +1474,7 @@ func TestTruncate(t *testing.T, harness Harness) {
 		TestQueryWithContext(t, ctx, e, harness, "SELECT * FROM t9 ORDER BY 1", []sql.Row{{int64(7), int64(7)}, {int64(8), int64(8)}}, nil, nil, nil)
 
 		deleteStr := "DELETE FROM t9 WHERE pk > 0"
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, deleteStr)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), deleteStr)
 		require.NoError(t, err)
 		analyzed, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
 		require.NoError(t, err)
@@ -1501,7 +1501,7 @@ func TestTruncate(t *testing.T, harness Harness) {
 		TestQueryWithContext(t, ctx, e, harness, "SELECT * FROM t10 ORDER BY 1", []sql.Row{{int64(8), int64(8)}, {int64(9), int64(9)}}, nil, nil, nil)
 
 		deleteStr := "DELETE FROM t10 LIMIT 1000"
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, deleteStr)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), deleteStr)
 		require.NoError(t, err)
 		analyzed, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
 		require.NoError(t, err)
@@ -1528,7 +1528,7 @@ func TestTruncate(t *testing.T, harness Harness) {
 		TestQueryWithContext(t, ctx, e, harness, "SELECT * FROM t11 ORDER BY 1", []sql.Row{{int64(1), int64(1)}, {int64(9), int64(9)}}, nil, nil, nil)
 
 		deleteStr := "DELETE FROM t11 ORDER BY 1"
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, deleteStr)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), deleteStr)
 		require.NoError(t, err)
 		analyzed, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
 		require.NoError(t, err)
@@ -1559,7 +1559,7 @@ func TestTruncate(t *testing.T, harness Harness) {
 		TestQueryWithContext(t, ctx, e, harness, "SELECT * FROM t12b ORDER BY 1", []sql.Row{{int64(1), int64(1)}, {int64(2), int64(2)}}, nil, nil, nil)
 
 		deleteStr := "DELETE t12a, t12b FROM t12a INNER JOIN t12b WHERE t12a.pk=t12b.pk"
-		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, deleteStr)
+		parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), deleteStr)
 		require.NoError(t, err)
 		analyzed, err := e.EngineAnalyzer().Analyze(ctx, parsed, nil, qFlags)
 		require.NoError(t, err)

enginetest/evaluation.go

@@ -526,7 +526,7 @@ func injectBindVarsAndPrepare(
 		}
 	}
 
-	b := planbuilder.New(ctx, e.EngineAnalyzer().Catalog, sql.NewMysqlParser())
+	b := planbuilder.New(ctx, e.EngineAnalyzer().Catalog, sql.NewMysqlParser(), e.AuthorizationHandler())
 	b.SetParserOptions(sql.LoadSqlMode(ctx).ParserOptions())
 	resPlan, _, err := b.BindOnly(parsed, q, nil)
 	if err != nil {

enginetest/harness.go

@@ -23,6 +23,7 @@ import (
 	"github.com/dolthub/go-mysql-server/enginetest/scriptgen/setup"
 	"github.com/dolthub/go-mysql-server/server"
 	"github.com/dolthub/go-mysql-server/sql"
+	"github.com/dolthub/go-mysql-server/sql/planbuilder"
 )
 
 // Harness provides a way for database integrators to validate their implementation against the standard set of queries
@@ -173,3 +174,11 @@ type ResultEvaluationHarness interface {
 	// EvaluateExpectedErrorKind compares expected error kinds to actual errors and emits failed test assertions in the
 	EvaluateExpectedErrorKind(t *testing.T, expected *errors.Kind, err error)
 }
+
+// AuthorizingHarness specifies the AuthorizationHandler that should be used.
+type AuthorizingHarness interface {
+	Harness
+
+	// AuthorizationHandler returns the handler to use.
+	AuthorizationHandler() planbuilder.AuthorizationHandler
+}

enginetest/initialization.go

@@ -103,6 +103,9 @@ func NewEngineWithProvider(_ *testing.T, harness Harness, provider sql.DatabaseP
 	if idh, ok := harness.(IndexDriverHarness); ok {
 		idh.InitializeIndexDriver(engine.Analyzer.Catalog.AllDatabases(NewContext(harness)))
 	}
+	if ah, ok := harness.(AuthorizingHarness); ok {
+		engine.AuthHandler = ah.AuthorizationHandler()
+	}
 
 	return engine
 }

enginetest/join_planning_tests.go

@@ -1777,7 +1777,7 @@ func evalJoinTypeTest(t *testing.T, harness Harness, e QueryEngine, query string
 }
 
 func analyzeQuery(ctx *sql.Context, e QueryEngine, query string) (sql.Node, error) {
-	parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, query)
+	parsed, qFlags, err := planbuilder.Parse(ctx, e.EngineAnalyzer().Catalog, e.AuthorizationHandler(), query)
 	if err != nil {
 		return nil, err
 	}

enginetest/mysqlshim/table.go

@@ -381,7 +381,7 @@ func (t Table) getCreateTable() (*plan.CreateTable, error) {
 		return nil, sql.ErrTableNotFound.New(t.name)
 	}
 	// TODO add catalog
-	createTableNode, _, err := planbuilder.Parse(sql.NewEmptyContext(), sql.MapCatalog{Tables: map[string]sql.Table{t.name: t}}, rows[0][1].(string))
+	createTableNode, _, err := planbuilder.Parse(sql.NewEmptyContext(), sql.MapCatalog{Tables: map[string]sql.Table{t.name: t}}, nil, rows[0][1].(string))
 	if err != nil {
 		return nil, err
 	}

enginetest/plangen/cmd/plangen/main.go

@@ -165,7 +165,7 @@ func generatePlansForSuite(spec PlanSpec, w *bytes.Buffer) error {
 
 		if !tt.Skip {
 			ctx := enginetest.NewContextWithEngine(harness, engine)
-			binder := planbuilder.New(ctx, engine.EngineAnalyzer().Catalog, sql.NewMysqlParser())
+			binder := planbuilder.New(ctx, engine.EngineAnalyzer().Catalog, sql.NewMysqlParser(), engine.AuthorizationHandler())
 			parsed, _, _, qFlags, err := binder.Parse(tt.Query, nil, false)
 			if err != nil {
 				exit(fmt.Errorf("%w\nfailed to parse query: %s", err, tt.Query))

enginetest/queries/priv_auth_queries.go

@@ -1780,10 +1780,10 @@ var UserPrivTests = []UserPrivilegeTest{
 				},
 			},
 			{
-				User:        "rand_user1",
-				Host:        "54.244.85.252",
-				Query:       "SELECT * FROM mydb.test;",
-				ExpectedErr: sql.ErrDatabaseAccessDeniedForUser,
+				User:           "rand_user1",
+				Host:           "54.244.85.252",
+				Query:          "SELECT * FROM mydb.test;",
+				ExpectedErrStr: "Access denied for user 'rand_user1' (errno 1045) (sqlstate 28000)",
 			},
 			{
 				User:  "rand_user2",
@@ -1804,10 +1804,10 @@ var UserPrivTests = []UserPrivilegeTest{
 				},
 			},
 			{
-				User:        "rand_user2",
-				Host:        "54.244.85.252",
-				Query:       "SELECT * FROM mydb.test2;",
-				ExpectedErr: sql.ErrDatabaseAccessDeniedForUser,
+				User:           "rand_user2",
+				Host:           "54.244.85.252",
+				Query:          "SELECT * FROM mydb.test2;",
+				ExpectedErrStr: "Access denied for user 'rand_user2' (errno 1045) (sqlstate 28000)",
 			},
 		},
 	},