23#ifndef PARTIAL_REVOKES_INCLUDED
24#define PARTIAL_REVOKES_INCLUDED
29#include <unordered_map>
57 virtual size_t size()
const = 0;
85 void add(
const std::string &
db_name,
const ulong revoke_privs);
89 void remove(
const std::string &
db_name,
const ulong revoke_privs);
90 void remove(
const ulong revoke_privs);
92 bool find(
const std::string &
db_name, ulong &access)
const;
95 size_t size()
const override;
96 void clear()
override;
103 void remove(
const ulong remove_restrictions,
104 ulong &restrictions_mask)
const noexcept;
150 static std::unique_ptr<Restrictions_aggregator>
create(
151 THD *thd,
const ACL_USER *acl_user,
const char *db,
const ulong rights,
152 bool is_grant_revoke_all_on_db);
154 static std::unique_ptr<Restrictions_aggregator>
create(
156 const ulong grantor_access,
const ulong grantee_access,
158 const DB_restrictions &grantee_restrictions,
const ulong required_access,
168 ulong &global_access,
203 const ulong grantor_global_access,
204 const ulong grantee_global_access,
205 const ulong requested_access);
245 const ulong grantor_global_access,
246 const ulong grantee_global_access,
249 const ulong requested_access,
256 const ulong grantee_db_access,
const ulong grantee_restrictions,
257 const std::string &
db_name)
noexcept;
259 const ulong restrictions_mask)
noexcept;
290 const ulong grantor_global_access,
const ulong grantee_global_access,
292 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
310 const ulong grantor_global_access,
const ulong grantee_global_access,
312 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
325 const ulong grantor_global_access,
const ulong grantee_global_access,
327 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
344 const ulong grantor_global_access,
const ulong grantee_global_access,
346 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
360 const ulong grantor_global_access,
const ulong grantee_global_access,
361 const ulong grantor_db_access,
const ulong grantee_db_access,
363 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
364 bool is_grant_all,
const std::string &
db_name,
393 const ulong grantor_global_access,
const ulong grantee_global_access,
394 const ulong grantor_db_access,
const ulong grantee_db_access,
396 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
397 bool is_revoke_all,
const std::string &
db_name,
std::map< std::string, unsigned long > Db_access_map
Definition: auth_internal.h:65
Definition: sql_auth_cache.h:245
Abstract class for ACL restrictions.
Definition: partial_revokes.h:52
virtual bool is_empty() const =0
virtual ~Abstract_restrictions()
Abstract restriction destructor.
virtual size_t size() const =0
Abstract_restrictions()
Abstract restriction constructor.
Storage container for default auth ids.
Definition: auth_common.h:1064
Restriction aggregator for GRANT statement over database privileges.
Definition: partial_revokes.h:357
Status validate() override
Validation function for database level grant statement.
Definition: partial_revokes.cc:1278
const std::string m_db_name
Target database of GRANT.
Definition: partial_revokes.h:383
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1308
const ulong m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:374
const ulong m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:377
DB_restrictions_aggregator_db_grant(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong grantor_db_access, const ulong grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, bool is_grant_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1259
const bool m_is_grant_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:380
Restriction aggregator for REVOKE statement for database privileges.
Definition: partial_revokes.h:390
const ulong m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:410
Status validate() override
Validation function for database level revoke statement.
Definition: partial_revokes.cc:1375
const ulong m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:407
const std::string m_db_name
Target database of REVOKE.
Definition: partial_revokes.h:416
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1408
DB_restrictions_aggregator_db_revoke(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong grantor_db_access, const ulong grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, bool is_revoke_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1356
const bool m_is_revoke_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:413
Restriction aggregator for GRANT statement for GLOBAL privileges.
Definition: partial_revokes.h:307
void aggregate(DB_restrictions &restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:1051
DB_restrictions_aggregator_global_grant(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_grant constructor.
Definition: partial_revokes.cc:989
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1012
Restriction aggregator for REVOKE statement over GLOBAL privileges.
Definition: partial_revokes.h:341
void aggregate(DB_restrictions &restrictions) override
Clear all the restrictions and changes the status of object to aggregated.
Definition: partial_revokes.cc:1236
Status validate() override
Validate restriction list for REVOKE ALL.
Definition: partial_revokes.cc:1209
DB_restrictions_aggregator_global_revoke_all(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke_all constructor.
Definition: partial_revokes.cc:1196
Definition: partial_revokes.h:321
Status validate_if_grantee_rl_not_empty()
If grantee restrictions_list is not empty then check the following.
Definition: partial_revokes.cc:1152
DB_restrictions_aggregator_global_revoke(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke constructor.
Definition: partial_revokes.cc:1071
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1093
void aggregate(DB_restrictions &restrictions) override
Definition: partial_revokes.cc:1128
Database restriction aggregator for SET ROLE statement.
Definition: partial_revokes.h:287
DB_restrictions_aggregator_set_role(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, Db_access_map *db_map)
DB_restrictions_aggregator_set_role constructor.
Definition: partial_revokes.cc:893
void aggregate(DB_restrictions &db_restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:942
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:917
Db_access_map * m_db_map
Definition: partial_revokes.h:300
Restriction aggregator for database restrictions.
Definition: partial_revokes.h:238
void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map, DB_restrictions &restrictions)
A helper method that aggregates the restrictions for global_grant and set_role operations since both ...
Definition: partial_revokes.cc:732
bool find_if_require_next_level_operation(ulong &rights) const override
Get list of privileges that are not restricted through restriction list.
Definition: partial_revokes.cc:635
virtual Status validate()=0
void set_if_db_level_operation(const ulong requested_access, const ulong restrictions_mask) noexcept
Set privileges that needs to be processed further.
Definition: partial_revokes.cc:694
DB_restrictions m_grantee_rl
Database restrictions for grantee.
Definition: partial_revokes.h:273
DB_restrictions m_grantor_rl
Database restrictions for grantor.
Definition: partial_revokes.h:270
virtual void aggregate(DB_restrictions &restrictions)=0
const Security_context * m_sctx
Security context of the current user.
Definition: partial_revokes.h:276
bool check_db_access_and_restrictions_collision(const ulong grantee_db_access, const ulong grantee_restrictions, const std::string &db_name) noexcept
Check possible descrepancy between DB access being granted and existing restrictions.
Definition: partial_revokes.cc:669
ulong m_privs_not_processed
Privileges that needs to be checked further through DB grants.
Definition: partial_revokes.h:267
SQL_OP
Definition: partial_revokes.h:260
ulong get_grantee_db_access(const std::string &db_name) const
Fetches the grantee's DB access on the specified DB If security context of current user exists and ha...
Definition: partial_revokes.cc:849
bool generate(Abstract_restrictions &restrictions) override
Driver function to aggregate restriction lists.
Definition: partial_revokes.cc:612
DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
Constructor for database level restrictions aggregator.
Definition: partial_revokes.cc:584
DB Restrictions representation in memory.
Definition: partial_revokes.h:74
const db_revocations & get() const
Definition: partial_revokes.h:98
bool has_more_restrictions(const DB_restrictions &, ulong) const
Compare is two restriction list for given privileges.
Definition: partial_revokes.cc:303
void get_as_json(Json_array &restrictions_array) const
Serializer.
Definition: partial_revokes.cc:277
void clear() override
Clear restriction list.
Definition: partial_revokes.cc:264
void remove(const std::string &db_name, const ulong revoke_privs)
Remove given set of privilegs for a database from restriction list.
Definition: partial_revokes.cc:195
size_t size() const override
Status function to get number of entries in restriction list.
Definition: partial_revokes.cc:261
db_revocations m_restrictions
Database restrictions.
Definition: partial_revokes.h:108
void add(const std::string &db_name, const ulong revoke_privs)
Add given privileges as restricted for the database.
Definition: partial_revokes.cc:114
DB_restrictions & operator=(const DB_restrictions &restrictions)
Assignment operator.
Definition: partial_revokes.cc:76
bool find(const std::string &db_name, ulong &access) const
Get restricted access information for given database.
Definition: partial_revokes.cc:245
bool is_empty() const override
Status function to check if restriction list is empty.
Definition: partial_revokes.cc:255
bool is_not_empty() const
Status function to check if restriction list is non-empty.
Definition: partial_revokes.cc:258
DB_restrictions()
DB Restrictions constructor.
Definition: partial_revokes.cc:57
DB_restrictions(DB_restrictions &&restrictions)=delete
db_revocations & db_restrictions()
Definition: partial_revokes.h:102
~DB_restrictions() override
Destructor.
Definition: partial_revokes.cc:69
db_revocations & operator()(void)
Definition: partial_revokes.h:79
bool operator==(const DB_restrictions &restrictions) const
Compare the two restrictions.
Definition: partial_revokes.cc:104
Represents a JSON array container, i.e.
Definition: json_dom.h:519
Represents a JSON container value of type "object" (ECMA), type J_OBJECT here.
Definition: json_dom.h:372
Factory class that solely creates an object of type Restrictions_aggregator.
Definition: partial_revokes.h:148
static void fetch_grantee_access(const ACL_USER *grantee, ulong &access, Restrictions &restrictions)
Definition: partial_revokes.cc:533
static ulong fetch_grantee_db_access(THD *thd, const ACL_USER *acl_user, const char *db)
Returns the privileges granted on the DB to the grantee.
Definition: partial_revokes.cc:510
static std::unique_ptr< Restrictions_aggregator > create(THD *thd, const ACL_USER *acl_user, const char *db, const ulong rights, bool is_grant_revoke_all_on_db)
A factory method that creates objects from Restrictions_aggregator hierarchy.
Definition: partial_revokes.cc:357
static ulong fetch_grantor_db_access(THD *thd, const char *db)
Returns the privileges granted on the DB to the grantor.
Definition: partial_revokes.cc:493
static Auth_id fetch_grantee(const ACL_USER *acl_user)
Returns the grantee's user name and host info.
Definition: partial_revokes.cc:475
static void fetch_grantor_access(const Security_context *sctx, const char *db, ulong &global_access, Restrictions &restrictions)
Returns the privileges and restrictions:
Definition: partial_revokes.cc:524
static Auth_id fetch_grantor(const Security_context *sctx)
Returns the grantor user name and host id.
Definition: partial_revokes.cc:458
Base class to perform aggregation of two restriction lists.
Definition: partial_revokes.h:193
Restrictions_aggregator(const Restrictions_aggregator &&)=delete
Restrictions_aggregator & operator=(const Restrictions_aggregator &)=delete
virtual ~Restrictions_aggregator()
Destructor.
const ulong m_grantor_global_access
Global static privileges of grantor.
Definition: partial_revokes.h:220
virtual bool find_if_require_next_level_operation(ulong &rights) const =0
const ulong m_grantee_global_access
Global static privileges of grantee.
Definition: partial_revokes.h:223
const ulong m_requested_access
Privileges that are being granted or revoked.
Definition: partial_revokes.h:226
Restrictions_aggregator(const Restrictions_aggregator &)=delete
Status m_status
Internal status of aggregation process.
Definition: partial_revokes.h:229
Restrictions_aggregator & operator=(const Restrictions_aggregator &&)=delete
virtual bool generate(Abstract_restrictions &restrictions)=0
Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong requested_access)
Constructor.
Definition: partial_revokes.cc:550
const Auth_id m_grantee
Grantee information.
Definition: partial_revokes.h:217
const Auth_id m_grantor
Grantor information.
Definition: partial_revokes.h:214
Status
Definition: partial_revokes.h:211
Container of all restrictions for a given user.
Definition: partial_revokes.h:117
bool has_more_db_restrictions(const Restrictions &, ulong)
Definition: partial_revokes.cc:1468
Restrictions & operator=(const Restrictions &)
Assignment operator for Restrictions.
Definition: partial_revokes.cc:1452
void set_db(const DB_restrictions &db_restrictions)
Set given database restrictions.
Definition: partial_revokes.cc:1477
~Restrictions()
Destructor.
Definition: partial_revokes.cc:1443
Restrictions()
Constructor for Restrictions.
Definition: partial_revokes.cc:1440
void clear_db()
Clear database restrictions.
Definition: partial_revokes.cc:1482
const DB_restrictions & db() const
Get database restrictions.
Definition: partial_revokes.cc:1474
Restrictions(const Restrictions &)=default
DB_restrictions m_db_restrictions
Database restrictions.
Definition: partial_revokes.h:136
bool is_empty() const
Return if restrictions are empty or not.
Definition: partial_revokes.cc:1485
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:53
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:33
Various macros useful for communicating with memory debuggers, such as Valgrind.
Some integer typedefs for easier portability.
const char * db_name
Definition: rules_table_service.cc:54
std::unordered_map< std::string, ulong > db_revocations
Definition: partial_revokes.h:46