From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 8258E27524 for ; Fri, 13 Jul 2018 12:18:57 -0400 (EDT) Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2wrrOwDvb8Gk for ; Fri, 13 Jul 2018 12:18:57 -0400 (EDT) Received: from smtp52.i.mail.ru (smtp52.i.mail.ru [94.100.177.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTPS id 3BBE8273CB for ; Fri, 13 Jul 2018 12:18:57 -0400 (EDT) From: Serge Petrenko Subject: [tarantool-patches] [PATCH] Add errors for non-existent privileges and entities. Date: Fri, 13 Jul 2018 19:18:46 +0300 Message-Id: <20180713161846.14380-1-sergepetrenko@tarantool.org> Sender: tarantool-patches-bounce@freelists.org Errors-to: tarantool-patches-bounce@freelists.org Reply-To: tarantool-patches@freelists.org List-help: List-unsubscribe: List-software: Ecartis version 1.0.0 List-Id: tarantool-patches List-subscribe: List-owner: List-post: List-archive: To: tarantool-patches@freelists.org Cc: Serge Petrenko There were no checks for granting and revoking a non-existent privilege or a privilege to a non-existent entity. Added the checks, and a test case. Closes #3417 --- https://github.com/tarantool/tarantool/issues/3417 https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3417-nonexistent-privs-entities src/box/lua/schema.lua | 5 ++++- test/box/access_misc.result | 28 ++++++++++++++++++++++++++++ test/box/access_misc.test.lua | 11 +++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua index ef544c879..b9b8c9004 100644 --- a/src/box/lua/schema.lua +++ b/src/box/lua/schema.lua 
@@ -1747,7 +1747,10 @@ local priv_object_combo = { -- local function privilege_check(privilege, object_type) local priv_hex = privilege_resolve(privilege) - if bit.band(priv_hex, priv_object_combo[object_type] or 0) ~= priv_hex then + if priv_object_combo[object_type] == nil then + box.error(box.error.UNKNOWN_SCHEMA_OBJECT, object_type) + elseif type(priv_hex) ~= 'number' or priv_hex == 0 or + bit.band(priv_hex, priv_object_combo[object_type] or 0) ~= priv_hex then box.error(box.error.UNSUPPORTED_PRIV, object_type, privilege) end return priv_hex diff --git a/test/box/access_misc.result b/test/box/access_misc.result index 839b576ac..2d87fa2d5 100644 --- a/test/box/access_misc.result +++ b/test/box/access_misc.result @@ -815,6 +815,34 @@ box.space._func:select() session = nil --- ... +-- an error when granting or revoking non-existent privilege +box.schema.user.grant("guest", "everything", "universe") +--- +- error: Unsupported universe privilege 'everything' +... +box.schema.user.revoke("guest", "everything", "universe") +--- +- error: Unsupported universe privilege 'everything' +... +-- an error when granting or revoking a privilege on a non-existent entity +box.schema.user.grant("guest", "read", "everywhere") +--- +- error: Unknown object type 'everywhere' +... +box.schema.user.revoke("guest", "read", "everywhere") +--- +- error: Unknown object type 'everywhere' +... +-- an error even when granting or revoking a non-existent privilege +-- on a non-existent entity +box.schema.user.grant("guest", "everything", "everywhere") +--- +- error: Unknown object type 'everywhere' +... +box.schema.user.revoke("guest", "everything", "everywhere") +--- +- error: Unknown object type 'everywhere' +... -- produce an error if revoking a non-granted privilege box.schema.user.create("tester") --- diff --git a/test/box/access_misc.test.lua b/test/box/access_misc.test.lua index 7dd796f62..35234898d 100644 --- a/test/box/access_misc.test.lua +++ b/test/box/access_misc.test.lua 
@@ -298,6 +298,17 @@ box.space._func:select() session = nil +-- an error when granting or revoking non-existent privilege +box.schema.user.grant("guest", "everything", "universe") +box.schema.user.revoke("guest", "everything", "universe") +-- an error when granting or revoking a privilege on a non-existent entity +box.schema.user.grant("guest", "read", "everywhere") +box.schema.user.revoke("guest", "read", "everywhere") +-- an error even when granting or revoking a non-existent privilege +-- on a non-existent entity +box.schema.user.grant("guest", "everything", "everywhere") +box.schema.user.revoke("guest", "everything", "everywhere") + -- produce an error if revoking a non-granted privilege box.schema.user.create("tester") box.schema.user.grant('tester', 'read', 'universe') -- 2.15.2 (Apple Git-101.1)
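Review bot: in the schema.lua hunk the `or 0` fallback in the `elseif` is now dead code, because the new `priv_object_combo[object_type] == nil` branch already raises UNKNOWN_SCHEMA_OBJECT for any unknown object type; drop it (`bit.band(priv_hex, priv_object_combo[object_type]) ~= priv_hex`) so the condition does not suggest a nil case that can no longer happen. The `type(priv_hex) ~= 'number' or priv_hex == 0` guard also deserves a one-line comment stating what privilege_resolve returns for an unknown privilege name, since that is the case the old check let through: a zero mask satisfies `bit.band(0, x) == 0`, so a grant or revoke of a misspelled privilege used to succeed silently as a no-op, and a non-numeric result would have reached bit.band and raised a raw Lua error instead of box.error.UNSUPPORTED_PRIV.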
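Review bot: the expected output in access_misc.result shows that when both the privilege and the object type are bad, the object-type error wins ("Unknown object type 'everywhere'"), which follows from the check order in privilege_check; add a sentence to the test comment saying this precedence is intended, so that a later reordering of the two checks shows up as a deliberate change rather than an unexplained .result diff.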
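Review bot: the new cases in access_misc.test.lua only check that an error is raised, but the defect being fixed was a silent no-op, so an error message alone does not prove nothing was written; consider following one of the failing grant calls with a select over guest's privileges to show they are unchanged. Minor: the first comment reads "granting or revoking non-existent privilege" and is missing the article ("a non-existent privilege") that the other two comments use.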