POC planbuilder authorization

Hydrocharged · Hydrocharged · commit cbb9ee196397 · 2024-10-23T08:06:21.000-07:00
diff --git a/enginetest/queries/priv_auth_queries.go b/enginetest/queries/priv_auth_queries.go
@@ -1780,10 +1780,10 @@ var UserPrivTests = []UserPrivilegeTest{
 				},
 			},
 			{
-				User:        "rand_user1",
-				Host:        "54.244.85.252",
-				Query:       "SELECT * FROM mydb.test;",
-				ExpectedErr: sql.ErrDatabaseAccessDeniedForUser,
+				User:           "rand_user1",
+				Host:           "54.244.85.252",
+				Query:          "SELECT * FROM mydb.test;",
+				ExpectedErrStr: "Access denied for user 'rand_user1' (errno 1045) (sqlstate 28000)",
 			},
 			{
 				User:  "rand_user2",
@@ -1804,10 +1804,10 @@ var UserPrivTests = []UserPrivilegeTest{
 				},
 			},
 			{
-				User:        "rand_user2",
-				Host:        "54.244.85.252",
-				Query:       "SELECT * FROM mydb.test2;",
-				ExpectedErr: sql.ErrDatabaseAccessDeniedForUser,
+				User:           "rand_user2",
+				Host:           "54.244.85.252",
+				Query:          "SELECT * FROM mydb.test2;",
+				ExpectedErrStr: "Access denied for user 'rand_user2' (errno 1045) (sqlstate 28000)",
 			},
 		},
 	},
diff --git a/go.mod b/go.mod
@@ -43,4 +43,6 @@ require (
 	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
 )
 
+replace github.com/dolthub/vitess => ../vitess
+
 go 1.22.2
diff --git a/sql/mysql_db/privileged_database_provider.go b/sql/mysql_db/privileged_database_provider.go
@@ -164,58 +164,12 @@ func (pdb PrivilegedDatabase) Name() string {
 
 // GetTableInsensitive implements the interface sql.Database.
 func (pdb PrivilegedDatabase) GetTableInsensitive(ctx *sql.Context, tblName string) (sql.Table, bool, error) {
-	checkName := pdb.db.Name()
-	if adb, ok := pdb.db.(sql.AliasedDatabase); ok {
-		checkName = adb.AliasedName()
-	}
-
-	privSet := pdb.grantTables.UserActivePrivilegeSet(ctx)
-	dbSet := privSet.Database(checkName)
-	// If there are no usable privileges for this database then the table is inaccessible.
-	if privSet.Count() == 0 && !dbSet.HasPrivileges() {
-		return nil, false, sql.ErrDatabaseAccessDeniedForUser.New(pdb.usernameFromCtx(ctx), checkName)
-	}
-
-	tblSet := dbSet.Table(tblName)
-	// If the user has no global static privileges, database-level privileges, or table-relevant privileges then the
-	// table is not accessible.
-	if privSet.Count() == 0 && dbSet.Count() == 0 && !tblSet.HasPrivileges() {
-		return nil, false, sql.ErrTableAccessDeniedForUser.New(pdb.usernameFromCtx(ctx), tblName)
-	}
 	return pdb.db.GetTableInsensitive(ctx, tblName)
 }
 
 // GetTableNames implements the interface sql.Database.
 func (pdb PrivilegedDatabase) GetTableNames(ctx *sql.Context) ([]string, error) {
-	var tablesWithAccess []string
-	var err error
-	privSet := pdb.grantTables.UserActivePrivilegeSet(ctx)
-
-	checkName := pdb.db.Name()
-	if adb, ok := pdb.db.(sql.AliasedDatabase); ok {
-		checkName = adb.AliasedName()
-	}
-
-	dbSet := privSet.Database(checkName)
-	// If there are no usable privileges for this database then no table is accessible.
-	privSetCount := privSet.Count()
-	if privSetCount == 0 && !dbSet.HasPrivileges() {
-		return nil, nil
-	}
-
-	tblNames, err := pdb.db.GetTableNames(ctx)
-	if err != nil {
-		return nil, err
-	}
-	dbSetCount := dbSet.Count()
-	for _, tblName := range tblNames {
-		// If the user has any global static privileges, database-level privileges, or table-relevant privileges then a
-		// table is accessible.
-		if privSetCount > 0 || dbSetCount > 0 || dbSet.Table(tblName).HasPrivileges() {
-			tablesWithAccess = append(tablesWithAccess, tblName)
-		}
-	}
-	return tablesWithAccess, nil
+	return pdb.db.GetTableNames(ctx)
 }
 
 // GetTableInsensitiveAsOf returns a new sql.VersionedDatabase.
@@ -224,26 +178,6 @@ func (pdb PrivilegedDatabase) GetTableInsensitiveAsOf(ctx *sql.Context, tblName
 	if !ok {
 		return nil, false, sql.ErrAsOfNotSupported.New(pdb.db.Name())
 	}
-
-	privSet := pdb.grantTables.UserActivePrivilegeSet(ctx)
-
-	checkName := pdb.db.Name()
-	if adb, ok := pdb.db.(sql.AliasedDatabase); ok {
-		checkName = adb.AliasedName()
-	}
-
-	dbSet := privSet.Database(checkName)
-	// If there are no usable privileges for this database then the table is inaccessible.
-	if privSet.Count() == 0 && !dbSet.HasPrivileges() {
-		return nil, false, sql.ErrDatabaseAccessDeniedForUser.New(pdb.usernameFromCtx(ctx), checkName)
-	}
-
-	tblSet := dbSet.Table(tblName)
-	// If the user has no global static privileges, database-level privileges, or table-relevant privileges then the
-	// table is not accessible.
-	if privSet.Count() == 0 && dbSet.Count() == 0 && !tblSet.HasPrivileges() {
-		return nil, false, sql.ErrTableAccessDeniedForUser.New(pdb.usernameFromCtx(ctx), tblName)
-	}
 	return db.GetTableInsensitiveAsOf(ctx, tblName, asOf)
 }
 
@@ -253,37 +187,7 @@ func (pdb PrivilegedDatabase) GetTableNamesAsOf(ctx *sql.Context, asOf interface
 	if !ok {
 		return nil, nil
 	}
-
-	var tablesWithAccess []string
-	var err error
-	privSet := pdb.grantTables.UserActivePrivilegeSet(ctx)
-
-	checkName := pdb.db.Name()
-	if adb, ok := pdb.db.(sql.AliasedDatabase); ok {
-		checkName = adb.AliasedName()
-	}
-
-	dbSet := privSet.Database(checkName)
-	// If there are no usable privileges for this database then no table is accessible.
-	if privSet.Count() == 0 && !dbSet.HasPrivileges() {
-		return nil, nil
-	}
-
-	tblNames, err := db.GetTableNamesAsOf(ctx, asOf)
-	if err != nil {
-		return nil, err
-	}
-	privSetCount := privSet.Count()
-	dbSetCount := dbSet.Count()
-	for _, tblName := range tblNames {
-		// If the user has any global static privileges, database-level privileges, or table-relevant privileges then a
-		// table is accessible.
-		if privSetCount > 0 || dbSetCount > 0 && dbSet.Table(tblName).HasPrivileges() {
-			tablesWithAccess = append(tablesWithAccess, tblName)
-		}
-	}
-
-	return tablesWithAccess, nil
+	return db.GetTableNamesAsOf(ctx, asOf)
 }
 
 // CreateTable implements the interface sql.TableCreator.
diff --git a/sql/plan/delete.go b/sql/plan/delete.go
@@ -115,27 +115,6 @@ func (p *DeleteFrom) WithChildren(children ...sql.Node) (sql.Node, error) {
 
 // CheckPrivileges implements the interface sql.Node.
 func (p *DeleteFrom) CheckPrivileges(ctx *sql.Context, opChecker sql.PrivilegedOperationChecker) bool {
-	// TODO: If column values are retrieved then the SELECT privilege is required
-	//       For example: "DELETE FROM table WHERE z > 0"
-	//       We would need SELECT privileges on the "z" column as it's retrieving values
-
-	for _, target := range p.GetDeleteTargets() {
-		deletable, err := GetDeletable(target)
-		if err != nil {
-			ctx.GetLogger().Warnf("unable to determine deletable table from delete target: %v", target)
-			return false
-		}
-
-		subject := sql.PrivilegeCheckSubject{
-			Database: CheckPrivilegeNameForDatabase(GetDatabase(target)),
-			Table:    deletable.Name(),
-		}
-		op := sql.NewPrivilegedOperation(subject, sql.PrivilegeType_Delete)
-		if opChecker.UserHasPrivileges(ctx, op) == false {
-			return false
-		}
-	}
-
 	return true
 }
 
diff --git a/sql/plan/insert.go b/sql/plan/insert.go
@@ -164,18 +164,7 @@ func (ii *InsertInto) WithChildren(children ...sql.Node) (sql.Node, error) {
 
 // CheckPrivileges implements the interface sql.Node.
 func (ii *InsertInto) CheckPrivileges(ctx *sql.Context, opChecker sql.PrivilegedOperationChecker) bool {
-	subject := sql.PrivilegeCheckSubject{
-		Database: CheckPrivilegeNameForDatabase(ii.db),
-		Table:    getTableName(ii.Destination),
-	}
-
-	if ii.IsReplace {
-		return opChecker.UserHasPrivileges(ctx,
-			sql.NewPrivilegedOperation(subject, sql.PrivilegeType_Insert, sql.PrivilegeType_Delete))
-	} else {
-		return opChecker.UserHasPrivileges(ctx,
-			sql.NewPrivilegedOperation(subject, sql.PrivilegeType_Insert))
-	}
+	return true
 }
 
 // CollationCoercibility implements the interface sql.CollationCoercible.
diff --git a/sql/plan/resolved_table.go b/sql/plan/resolved_table.go
@@ -227,22 +227,7 @@ func (t *ResolvedTable) WithChildren(children ...sql.Node) (sql.Node, error) {
 
 // CheckPrivileges implements the interface sql.Node.
 func (t *ResolvedTable) CheckPrivileges(ctx *sql.Context, opChecker sql.PrivilegedOperationChecker) bool {
-	// It is assumed that if we've landed upon this node, then we're doing a SELECT operation. Most other nodes that
-	// may contain a TableNode will have their own privilege checks, so we should only end up here if the parent
-	// nodes are things such as indexed access, filters, limits, etc.
-	if IsDualTable(t) {
-		return true
-	}
-
-	subject := sql.PrivilegeCheckSubject{
-		Database: CheckPrivilegeNameForDatabase(t.SqlDatabase),
-		Table:    t.Table.Name(),
-	}
-	if subject.Database == sql.InformationSchemaDatabaseName {
-		return true
-	}
-	return opChecker.UserHasPrivileges(ctx,
-		sql.NewPrivilegedOperation(subject, sql.PrivilegeType_Select))
+	return true
 }
 
 // CollationCoercibility implements the interface sql.CollationCoercible.
diff --git a/sql/plan/update.go b/sql/plan/update.go
@@ -183,15 +183,7 @@ func (u *Update) WithChildren(children ...sql.Node) (sql.Node, error) {
 
 // CheckPrivileges implements the interface sql.Node.
 func (u *Update) CheckPrivileges(ctx *sql.Context, opChecker sql.PrivilegedOperationChecker) bool {
-	//TODO: If column values are retrieved then the SELECT privilege is required
-	// For example: "UPDATE table SET x = y + 1 WHERE z > 0"
-	// We would need SELECT privileges on both the "y" and "z" columns as they're retrieving values
-	subject := sql.PrivilegeCheckSubject{
-		Database: CheckPrivilegeNameForDatabase(u.DB()),
-		Table:    getTableName(u.Child),
-	}
-	// TODO: this needs a real database, fix it
-	return opChecker.UserHasPrivileges(ctx, sql.NewPrivilegedOperation(subject, sql.PrivilegeType_Update))
+	return true
 }
 
 // CollationCoercibility implements the interface sql.CollationCoercible.
diff --git a/sql/planbuilder/auth.go b/sql/planbuilder/auth.go
@@ -0,0 +1,136 @@
+// Copyright 2023 Dolthub, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package planbuilder
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/dolthub/vitess/go/mysql"
+	ast "github.com/dolthub/vitess/go/vt/sqlparser"
+
+	"github.com/dolthub/go-mysql-server/sql"
+	"github.com/dolthub/go-mysql-server/sql/mysql_db"
+)
+
+// TODO: doc
+var Authorization = func(b *Builder, auth ast.AuthInformation) {
+	// TODO: expose necessary stuff from Builder to public
+	ctx := b.ctx
+	// TODO: database loading shouldn't be done for every call, this needs to be cached for each Parse call in some way
+	db, err := b.cat.Database(ctx, "mysql")
+	if err != nil {
+		b.handleErr(err)
+	}
+	mysqlDb, ok := db.(*mysql_db.MySQLDb)
+	if !ok {
+		b.handleErr(fmt.Errorf("FOR TESTING: could not load the `mysql` database")) // TODO: Check if this is likely
+	}
+	if !mysqlDb.Enabled() {
+		return
+	}
+	// TODO: cache that the user exists
+	client := ctx.Session.Client()
+	user := func() *mysql_db.User {
+		rd := mysqlDb.Reader()
+		defer rd.Close()
+		return mysqlDb.GetUser(rd, client.User, client.Address, false)
+	}()
+	if user == nil {
+		b.handleErr(mysql.NewSQLError(mysql.ERAccessDeniedError, mysql.SSAccessDeniedError, "Access denied for user '%s'", client.User))
+	}
+	// TODO: cache for the call
+	privSet := mysqlDb.UserActivePrivilegeSet(ctx)
+
+	var privilegeTypes []sql.PrivilegeType
+	switch auth.AuthType {
+	case ast.AuthType_IGNORE:
+		// This means that authorization is being handled elsewhere (such as a child or parent), and should be ignored here
+		return
+	case ast.AuthType_DELETE:
+		privilegeTypes = []sql.PrivilegeType{sql.PrivilegeType_Delete}
+	case ast.AuthType_INSERT:
+		privilegeTypes = []sql.PrivilegeType{sql.PrivilegeType_Insert}
+	case ast.AuthType_REPLACE:
+		privilegeTypes = []sql.PrivilegeType{sql.PrivilegeType_Insert, sql.PrivilegeType_Delete}
+	case ast.AuthType_SELECT:
+		privilegeTypes = []sql.PrivilegeType{sql.PrivilegeType_Select}
+	case ast.AuthType_UPDATE:
+		privilegeTypes = []sql.PrivilegeType{sql.PrivilegeType_Update}
+	default:
+		b.handleErr(fmt.Errorf("FOR TESTING: default case hit for AuthType"))
+	}
+
+	hasPrivileges := true
+	switch auth.TargetType {
+	case ast.AuthTargetType_SingleTableIdentifier:
+		dbName := auth.TargetNames[0]
+		tableName := auth.TargetNames[1]
+		if strings.EqualFold(dbName, "information_schema") {
+			return
+		}
+		authCheckDatabaseTableNames(b, privSet, user.User, dbName, tableName)
+		subject := sql.PrivilegeCheckSubject{
+			Database: authDatabaseName(ctx, dbName),
+			Table:    tableName,
+		}
+		hasPrivileges = mysqlDb.UserHasPrivileges(ctx, sql.NewPrivilegedOperation(subject, privilegeTypes...))
+	case ast.AuthTargetType_MultipleTableIdentifiers:
+		for i := 0; i < len(auth.TargetNames) && hasPrivileges; i += 2 {
+			dbName := auth.TargetNames[i]
+			tableName := auth.TargetNames[i+1]
+			if strings.EqualFold(dbName, "information_schema") {
+				continue
+			}
+			authCheckDatabaseTableNames(b, privSet, user.User, dbName, tableName)
+			subject := sql.PrivilegeCheckSubject{
+				Database: authDatabaseName(ctx, dbName),
+				Table:    tableName,
+			}
+			hasPrivileges = hasPrivileges && mysqlDb.UserHasPrivileges(ctx, sql.NewPrivilegedOperation(subject, privilegeTypes...))
+		}
+	default:
+		b.handleErr(fmt.Errorf("FOR TESTING: default case hit for TargetType"))
+	}
+
+	if !hasPrivileges {
+		b.handleErr(sql.ErrPrivilegeCheckFailed.New(user.UserHostToString("'")))
+	}
+}
+
+// authDatabaseName uses the current database from the context if a database is not specified, otherwise it returns the
+// given database name.
+func authDatabaseName(ctx *sql.Context, dbName string) string {
+	if len(dbName) == 0 {
+		return ctx.GetCurrentDatabase()
+	}
+	return dbName
+}
+
+// authCheckDatabaseTableNames errors if the user does not have access to the database or table in any capacity,
+// regardless of the command.
+func authCheckDatabaseTableNames(b *Builder, privSet mysql_db.PrivilegeSet, userName string, dbName string, tableName string) {
+	dbSet := privSet.Database(dbName)
+	// If there are no usable privileges for this database then the table is inaccessible.
+	if privSet.Count() == 0 && !dbSet.HasPrivileges() {
+		b.handleErr(sql.ErrDatabaseAccessDeniedForUser.New(userName, dbName))
+	}
+	tblSet := dbSet.Table(tableName)
+	// If the user has no global static privileges, database-level privileges, or table-relevant privileges then the
+	// table is not accessible.
+	if privSet.Count() == 0 && dbSet.Count() == 0 && !tblSet.HasPrivileges() {
+		b.handleErr(sql.ErrTableAccessDeniedForUser.New(userName, tableName))
+	}
+}
diff --git a/sql/planbuilder/dml.go b/sql/planbuilder/dml.go
@@ -34,6 +34,7 @@ func (b *Builder) buildInsert(inScope *scope, i *ast.Insert) (outScope *scope) {
 	sql.IncrementStatusVariable(b.ctx, "Com_insert", 1)
 	b.qFlags.Set(sql.QFlagInsert)
 
+	Authorization(b, i.Auth)
 	if i.With != nil {
 		inScope = b.buildWith(inScope, i.With)
 	}
diff --git a/sql/planbuilder/from.go b/sql/planbuilder/from.go

Original file line number	Diff line number	Diff line change
`@@ -43,4 +43,6 @@ require (`
`43`	`43`	`gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect`
`44`	`44`	`)`
`45`	`45`
	`46`	`+replace github.com/dolthub/vitess => ../vitess`
	`47`	`+`
`46`	`48`	`go 1.22.2`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ func (b Builder) buildInsert(inScope scope, i ast.Insert) (outScope scope) {`
`34`	`34`	`sql.IncrementStatusVariable(b.ctx, "Com_insert", 1)`
`35`	`35`	`b.qFlags.Set(sql.QFlagInsert)`
`36`	`36`
	`37`	`+ Authorization(b, i.Auth)`
`37`	`38`	`if i.With != nil {`
`38`	`39`	`inScope = b.buildWith(inScope, i.With)`
`39`	`40`	`}`