Tarantool development patches archive
From: Serge Petrenko <sergepetrenko@tarantool.org>
To: tarantool-patches@freelists.org
Cc: Serge Petrenko <sergepetrenko@tarantool.org>
Subject: [tarantool-patches] [PATCH] Add errors for non-existent privileges and entities.
Date: Fri, 13 Jul 2018 19:18:46 +0300
Message-ID: <20180713161846.14380-1-sergepetrenko@tarantool.org>

There were no checks for granting and revoking a non-existent
privilege or a privilege to a non-existent entity.
Added the checks, and a test case.

Closes #3417
---
https://github.com/tarantool/tarantool/issues/3417
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3417-nonexistent-privs-entities

 src/box/lua/schema.lua        |  5 ++++-
 test/box/access_misc.result   | 28 ++++++++++++++++++++++++++++
 test/box/access_misc.test.lua | 11 +++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
index ef544c879..b9b8c9004 100644
--- a/src/box/lua/schema.lua
+++ b/src/box/lua/schema.lua
@@ -1747,7 +1747,10 @@ local priv_object_combo = {
 --
 local function privilege_check(privilege, object_type)
     local priv_hex = privilege_resolve(privilege)
-    if bit.band(priv_hex, priv_object_combo[object_type] or 0) ~= priv_hex then
+    if priv_object_combo[object_type] == nil then
+        box.error(box.error.UNKNOWN_SCHEMA_OBJECT, object_type)
+    elseif type(priv_hex) ~= 'number' or priv_hex == 0 or
+           bit.band(priv_hex, priv_object_combo[object_type] or 0) ~= priv_hex then
         box.error(box.error.UNSUPPORTED_PRIV, object_type, privilege)
     end
     return priv_hex
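Review bot: with the `priv_object_combo[object_type] == nil` branch now handled first, the `or 0` fallback in `bit.band(priv_hex, priv_object_combo[object_type] or 0)` on the elseif line can no longer fire and should be dropped to keep the condition readable. The `type(priv_hex) ~= 'number' or priv_hex == 0` guard is the actual fix for the unknown-privilege case: under the old check a privilege that resolved to 0 satisfied `bit.band(0, mask) == 0` and passed silently, so a bogus privilege name was accepted. Since the object-type check runs before the privilege check, an unknown object type is reported even when the privilege is also bogus; worth a sentence in the commit message, because the expected output in the result file depends on that ordering.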
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 839b576ac..2d87fa2d5 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -815,6 +815,34 @@ box.space._func:select()
 session = nil
 ---
 ...
+-- an error when granting or revoking non-existent privilege
+box.schema.user.grant("guest", "everything", "universe")
+---
+- error: Unsupported universe privilege 'everything'
+...
+box.schema.user.revoke("guest", "everything", "universe")
+---
+- error: Unsupported universe privilege 'everything'
+...
+-- an error when granting or revoking a privilege on a non-existent entity
+box.schema.user.grant("guest", "read", "everywhere")
+---
+- error: Unknown object type 'everywhere'
+...
+box.schema.user.revoke("guest", "read", "everywhere")
+---
+- error: Unknown object type 'everywhere'
+...
+-- an error even when granting or revoking a non-existent privilege
+-- on a non-existent entity
+box.schema.user.grant("guest", "everything", "everywhere")
+---
+- error: Unknown object type 'everywhere'
+...
+box.schema.user.revoke("guest", "everything", "everywhere")
+---
+- error: Unknown object type 'everywhere'
+...
 --  produce an error if revoking a non-granted privilege
 box.schema.user.create("tester")
 ---
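Review bot: the combined case `box.schema.user.grant("guest", "everything", "everywhere")` expecting `Unknown object type 'everywhere'` rather than the privilege error only holds because of the check order in privilege_check; a short comment here saying the object-type error takes precedence would make the intent explicit, so a later reordering of the checks does not look like an unexplained output change. Also, the first comment reads "non-existent privilege" while the second reads "a privilege on a non-existent entity"; add the article for consistency.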
diff --git a/test/box/access_misc.test.lua b/test/box/access_misc.test.lua
index 7dd796f62..35234898d 100644
--- a/test/box/access_misc.test.lua
+++ b/test/box/access_misc.test.lua
@@ -298,6 +298,17 @@ box.space._func:select()
 
 session = nil
 
+-- an error when granting or revoking non-existent privilege
+box.schema.user.grant("guest", "everything", "universe")
+box.schema.user.revoke("guest", "everything", "universe")
+-- an error when granting or revoking a privilege on a non-existent entity
+box.schema.user.grant("guest", "read", "everywhere")
+box.schema.user.revoke("guest", "read", "everywhere")
+-- an error even when granting or revoking a non-existent privilege
+-- on a non-existent entity
+box.schema.user.grant("guest", "everything", "everywhere")
+box.schema.user.revoke("guest", "everything", "everywhere")
+
 --  produce an error if revoking a non-granted privilege
 box.schema.user.create("tester")
 box.schema.user.grant('tester', 'read', 'universe')
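Review bot: these six calls only verify that an error is raised; nothing checks that the rejected grants and revokes left the privilege table untouched. Consider recording `n = box.space._priv:count()` before the block and asserting `box.space._priv:count() == n` after it, so a regression that raises the error only after writing to `_priv` would still be caught. The comment wording fix noted for the result file applies to the same comments here.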
-- 
2.15.2 (Apple Git-101.1)
