24#ifndef PARTIAL_REVOKES_INCLUDED
25#define PARTIAL_REVOKES_INCLUDED
30#include <unordered_map>
58 virtual size_t size()
const = 0;
93 void add(
const std::string &
db_name,
const ulong revoke_privs);
97 void remove(
const std::string &
db_name,
const ulong revoke_privs);
98 void remove(
const ulong revoke_privs);
100 bool find(
const std::string &
db_name, ulong &access)
const;
102 size_t size()
const override;
103 void clear()
override;
110 void remove(
const ulong remove_restrictions,
111 ulong &restrictions_mask)
const noexcept;
188 static std::unique_ptr<Restrictions_aggregator>
create(
189 THD *thd,
const ACL_USER *acl_user,
const char *db,
const ulong rights,
190 bool is_grant_revoke_all_on_db);
192 static std::unique_ptr<Restrictions_aggregator>
create(
194 const ulong grantor_access,
const ulong grantee_access,
196 const DB_restrictions &grantee_restrictions,
const ulong required_access,
206 ulong &global_access,
241 const ulong grantor_global_access,
242 const ulong grantee_global_access,
243 const ulong requested_access);
283 const ulong grantor_global_access,
284 const ulong grantee_global_access,
287 const ulong requested_access,
294 const ulong grantee_db_access,
const ulong grantee_restrictions,
295 const std::string &
db_name)
noexcept;
297 const ulong restrictions_mask)
noexcept;
328 const ulong grantor_global_access,
const ulong grantee_global_access,
330 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
348 const ulong grantor_global_access,
const ulong grantee_global_access,
350 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
363 const ulong grantor_global_access,
const ulong grantee_global_access,
365 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
382 const ulong grantor_global_access,
const ulong grantee_global_access,
384 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
398 const ulong grantor_global_access,
const ulong grantee_global_access,
399 const ulong grantor_db_access,
const ulong grantee_db_access,
401 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
402 bool is_grant_all,
const std::string &
db_name,
431 const ulong grantor_global_access,
const ulong grantee_global_access,
432 const ulong grantor_db_access,
const ulong grantee_db_access,
434 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
435 bool is_revoke_all,
const std::string &
db_name,
std::map< std::string, unsigned long > Db_access_map
Definition: auth_internal.h:66
Definition: sql_auth_cache.h:246
Abstract class for ACL restrictions.
Definition: partial_revokes.h:53
virtual bool is_empty() const =0
virtual ~Abstract_restrictions()
Abstract restriction destructor.
virtual size_t size() const =0
Abstract_restrictions()
Abstract restriction constructor.
Storage container for default auth ids.
Definition: auth_common.h:1065
Restriction aggregator for GRANT statement over database privileges.
Definition: partial_revokes.h:395
Status validate() override
Validation function for database level grant statement.
Definition: partial_revokes.cc:1298
const std::string m_db_name
Target database of GRANT.
Definition: partial_revokes.h:421
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1328
const ulong m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:412
const ulong m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:415
DB_restrictions_aggregator_db_grant(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong grantor_db_access, const ulong grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, bool is_grant_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1279
const bool m_is_grant_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:418
Restriction aggregator for REVOKE statement for database privileges.
Definition: partial_revokes.h:428
const ulong m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:448
Status validate() override
Validation function for database level revoke statement.
Definition: partial_revokes.cc:1395
const ulong m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:445
const std::string m_db_name
Target database of REVOKE.
Definition: partial_revokes.h:454
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1428
DB_restrictions_aggregator_db_revoke(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong grantor_db_access, const ulong grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, bool is_revoke_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1376
const bool m_is_revoke_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:451
Restriction aggregator for GRANT statement for GLOBAL privileges.
Definition: partial_revokes.h:345
void aggregate(DB_restrictions &restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:1071
DB_restrictions_aggregator_global_grant(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_grant constructor.
Definition: partial_revokes.cc:1007
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1030
Restriction aggregator for REVOKE statement over GLOBAL privileges.
Definition: partial_revokes.h:379
void aggregate(DB_restrictions &restrictions) override
Clear all the restrictions and changes the status of object to aggregated.
Definition: partial_revokes.cc:1256
Status validate() override
Validate restriction list for REVOKE ALL.
Definition: partial_revokes.cc:1229
DB_restrictions_aggregator_global_revoke_all(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke_all constructor.
Definition: partial_revokes.cc:1216
Definition: partial_revokes.h:359
Status validate_if_grantee_rl_not_empty()
If grantee restrictions_list is not empty then check the following.
Definition: partial_revokes.cc:1172
DB_restrictions_aggregator_global_revoke(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke constructor.
Definition: partial_revokes.cc:1091
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1113
void aggregate(DB_restrictions &restrictions) override
Definition: partial_revokes.cc:1148
Database restriction aggregator for SET ROLE statement.
Definition: partial_revokes.h:325
DB_restrictions_aggregator_set_role(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, Db_access_map *db_map)
DB_restrictions_aggregator_set_role constructor.
Definition: partial_revokes.cc:911
void aggregate(DB_restrictions &db_restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:960
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:935
Db_access_map * m_db_map
Definition: partial_revokes.h:338
Restriction aggregator for database restrictions.
Definition: partial_revokes.h:276
void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map, DB_restrictions &restrictions)
A helper method that aggregates the restrictions for global_grant and set_role operations since both ...
Definition: partial_revokes.cc:750
bool find_if_require_next_level_operation(ulong &rights) const override
Get list of privileges that are not restricted through restriction list.
Definition: partial_revokes.cc:653
virtual Status validate()=0
void set_if_db_level_operation(const ulong requested_access, const ulong restrictions_mask) noexcept
Set privileges that needs to be processed further.
Definition: partial_revokes.cc:712
DB_restrictions m_grantee_rl
Database restrictions for grantee.
Definition: partial_revokes.h:311
DB_restrictions m_grantor_rl
Database restrictions for grantor.
Definition: partial_revokes.h:308
virtual void aggregate(DB_restrictions &restrictions)=0
const Security_context * m_sctx
Security context of the current user.
Definition: partial_revokes.h:314
bool check_db_access_and_restrictions_collision(const ulong grantee_db_access, const ulong grantee_restrictions, const std::string &db_name) noexcept
Check possible descrepancy between DB access being granted and existing restrictions.
Definition: partial_revokes.cc:687
ulong m_privs_not_processed
Privileges that needs to be checked further through DB grants.
Definition: partial_revokes.h:305
SQL_OP
Definition: partial_revokes.h:298
ulong get_grantee_db_access(const std::string &db_name) const
Fetches the grantee's DB access on the specified DB If security context of current user exists and ha...
Definition: partial_revokes.cc:867
bool generate(Abstract_restrictions &restrictions) override
Driver function to aggregate restriction lists.
Definition: partial_revokes.cc:630
DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
Constructor for database level restrictions aggregator.
Definition: partial_revokes.cc:602
DB Restrictions representation in memory.
Definition: partial_revokes.h:82
const db_revocations & get() const
Definition: partial_revokes.h:125
bool has_more_restrictions(const DB_restrictions &, ulong) const
Compare is two restriction list for given privileges.
Definition: partial_revokes.cc:321
void get_as_json(Json_array &restrictions_array) const
Serializer.
Definition: partial_revokes.cc:294
void clear() override
Clear restriction list.
Definition: partial_revokes.cc:284
void remove(const std::string &db_name, const ulong revoke_privs)
Remove given set of privilegs for a database from restriction list.
Definition: partial_revokes.cc:203
size_t size() const override
Status function to get number of entries in restriction list.
Definition: partial_revokes.cc:278
void add(const std::string &db_name, const ulong revoke_privs)
Add given privileges as restricted for the database.
Definition: partial_revokes.cc:118
DB_restrictions & operator=(const DB_restrictions &restrictions)
Assignment operator.
Definition: partial_revokes.cc:77
bool find(const std::string &db_name, ulong &access) const
Get restricted access information for given database.
Definition: partial_revokes.cc:257
bool is_empty() const override
Status function to check if restriction list is empty.
Definition: partial_revokes.cc:273
void copy_restrictions(const DB_restrictions &other)
Definition: partial_revokes.h:142
DB_restrictions()
DB Restrictions constructor.
Definition: partial_revokes.cc:58
db_revocations * m_restrictions
Database restrictions.
Definition: partial_revokes.h:122
db_revocations * create_restrictions_if_needed()
Definition: partial_revokes.h:130
DB_restrictions(DB_restrictions &&restrictions)=delete
db_revocations & db_restrictions()
Definition: partial_revokes.h:137
~DB_restrictions() override
Destructor.
Definition: partial_revokes.cc:70
db_revocations & operator()(void)
Definition: partial_revokes.h:87
bool operator==(const DB_restrictions &restrictions) const
Compare the two restrictions.
Definition: partial_revokes.cc:106
Represents a JSON array container, i.e.
Definition: json_dom.h:520
Represents a JSON container value of type "object" (ECMA), type J_OBJECT here.
Definition: json_dom.h:373
Factory class that solely creates an object of type Restrictions_aggregator.
Definition: partial_revokes.h:186
static void fetch_grantee_access(const ACL_USER *grantee, ulong &access, Restrictions &restrictions)
Definition: partial_revokes.cc:551
static ulong fetch_grantee_db_access(THD *thd, const ACL_USER *acl_user, const char *db)
Returns the privileges granted on the DB to the grantee.
Definition: partial_revokes.cc:528
static std::unique_ptr< Restrictions_aggregator > create(THD *thd, const ACL_USER *acl_user, const char *db, const ulong rights, bool is_grant_revoke_all_on_db)
A factory method that creates objects from Restrictions_aggregator hierarchy.
Definition: partial_revokes.cc:375
static ulong fetch_grantor_db_access(THD *thd, const char *db)
Returns the privileges granted on the DB to the grantor.
Definition: partial_revokes.cc:511
static Auth_id fetch_grantee(const ACL_USER *acl_user)
Returns the grantee's user name and host info.
Definition: partial_revokes.cc:493
static void fetch_grantor_access(const Security_context *sctx, const char *db, ulong &global_access, Restrictions &restrictions)
Returns the privileges and restrictions:
Definition: partial_revokes.cc:542
static Auth_id fetch_grantor(const Security_context *sctx)
Returns the grantor user name and host id.
Definition: partial_revokes.cc:476
Base class to perform aggregation of two restriction lists.
Definition: partial_revokes.h:231
Restrictions_aggregator(const Restrictions_aggregator &&)=delete
Restrictions_aggregator & operator=(const Restrictions_aggregator &)=delete
virtual ~Restrictions_aggregator()
Destructor.
const ulong m_grantor_global_access
Global static privileges of grantor.
Definition: partial_revokes.h:258
virtual bool find_if_require_next_level_operation(ulong &rights) const =0
const ulong m_grantee_global_access
Global static privileges of grantee.
Definition: partial_revokes.h:261
const ulong m_requested_access
Privileges that are being granted or revoked.
Definition: partial_revokes.h:264
Restrictions_aggregator(const Restrictions_aggregator &)=delete
Status m_status
Internal status of aggregation process.
Definition: partial_revokes.h:267
Restrictions_aggregator & operator=(const Restrictions_aggregator &&)=delete
virtual bool generate(Abstract_restrictions &restrictions)=0
Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong requested_access)
Constructor.
Definition: partial_revokes.cc:568
const Auth_id m_grantee
Grantee information.
Definition: partial_revokes.h:255
const Auth_id m_grantor
Grantor information.
Definition: partial_revokes.h:252
Status
Definition: partial_revokes.h:249
Container of all restrictions for a given user.
Definition: partial_revokes.h:155
bool has_more_db_restrictions(const Restrictions &, ulong)
Definition: partial_revokes.cc:1488
Restrictions & operator=(const Restrictions &)
Assignment operator for Restrictions.
Definition: partial_revokes.cc:1472
void set_db(const DB_restrictions &db_restrictions)
Set given database restrictions.
Definition: partial_revokes.cc:1497
~Restrictions()
Destructor.
Definition: partial_revokes.cc:1463
Restrictions()
Constructor for Restrictions.
Definition: partial_revokes.cc:1460
void clear_db()
Clear database restrictions.
Definition: partial_revokes.cc:1502
const DB_restrictions & db() const
Get database restrictions.
Definition: partial_revokes.cc:1494
Restrictions(const Restrictions &)=default
DB_restrictions m_db_restrictions
Database restrictions.
Definition: partial_revokes.h:174
bool is_empty() const
Return if restrictions are empty or not.
Definition: partial_revokes.cc:1505
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:54
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:34
Various macros useful for communicating with memory debuggers, such as Valgrind.
Some integer typedefs for easier portability.
const char * db_name
Definition: rules_table_service.cc:55
std::unordered_map< std::string, ulong > db_revocations
Definition: partial_revokes.h:47