firebird/firebird-mirror
firebird/firebird-mirror
8
0
Fork 1
mirror of https://github.com/FirebirdSQL/firebird.git synced 2025-01-31 00:43:02 +01:00
Code Issues
2868cc6cdd
firebird-mirror/src/jrd/scl.h
dimitr e956e2e6c0 1) Restricted ALTER/DROP permissions to the object owners only. Now this applies to domains, charsets, collations, generators and exceptions. This fixes CORE-304: Metadata security hole - any user can alter/drop generators and exceptions. 
2) Opened the gates to implement the standard USAGE privilege (CORE-2884). SQL support and validation logic are still to be developed.
3) Added the grant option to the owner permissions for packages, procedures and functions.
4) Misc cleanup and refactoring.
2012-01-08 14:05:29 +00:00

166 lines
4.9 KiB
C++
Raw Blame History

/*
* PROGRAM: JRD Access Method
* MODULE: scl.h
* DESCRIPTION: Security class definitions
*
* The contents of this file are subject to the Interbase Public
* License Version 1.0 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy
* of the License at http://www.Inprise.com/IPL.html
*
* Software distributed under the License is distributed on an
* "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express
* or implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code was created by Inprise Corporation
* and its predecessors. Portions created by Inprise Corporation are
* Copyright (C) Inprise Corporation.
*
* All Rights Reserved.
* Contributor(s): ______________________________________.
*/
#ifndef JRD_SCL_H
#define JRD_SCL_H
#include "../common/classes/MetaName.h"
#include "../common/classes/tree.h"
#include "../common/security.h"
namespace Jrd {
const size_t ACL_BLOB_BUFFER_SIZE = MAX_USHORT; // used to read/write acl blob
// Security class definition
class SecurityClass
{
public:
typedef USHORT flags_t;
SecurityClass(Firebird::MemoryPool &pool, const Firebird::MetaName& name)
: scl_flags(0), scl_name(pool, name)
{}
flags_t scl_flags; // Access permissions
const Firebird::MetaName scl_name;
static const Firebird::MetaName& generate(const void*, const SecurityClass* item)
{
return item->scl_name;
}
};
typedef Firebird::BePlusTree<
SecurityClass*,
Firebird::MetaName,
Firebird::MemoryPool,
SecurityClass
> SecurityClassList;
const SecurityClass::flags_t SCL_read = 1; // Read access
const SecurityClass::flags_t SCL_write = 2; // Write access
const SecurityClass::flags_t SCL_delete = 4; // Delete access
const SecurityClass::flags_t SCL_control = 8; // Control access
const SecurityClass::flags_t SCL_grant = 16; // Grant privileges
const SecurityClass::flags_t SCL_exists = 32; // At least ACL exists
const SecurityClass::flags_t SCL_scanned = 64; // But we did look
const SecurityClass::flags_t SCL_protect = 128; // Change protection
const SecurityClass::flags_t SCL_corrupt = 256; // ACL does look too good
const SecurityClass::flags_t SCL_sql_insert = 512;
const SecurityClass::flags_t SCL_sql_delete = 1024;
const SecurityClass::flags_t SCL_sql_update = 2048;
const SecurityClass::flags_t SCL_sql_references = 4096;
const SecurityClass::flags_t SCL_execute = 8192;
// information about the user
const USHORT USR_locksmith = 1; // User has great karma
const USHORT USR_dba = 2; // User has DBA privileges
const USHORT USR_owner = 4; // User owns database
const USHORT USR_trole = 8; // Role was set by trusted auth
class UserId
{
public:
Firebird::string usr_user_name; // User name
Firebird::string usr_sql_role_name; // Role name
Firebird::string usr_project_name; // Project name
Firebird::string usr_org_name; // Organization name
Auth::UserData::AuthenticationBlock usr_auth_block; // Authentication block like it was passed to engine
USHORT usr_user_id; // User id
USHORT usr_group_id; // Group id
USHORT usr_flags; // Misc. crud
bool locksmith() const
{
return usr_flags & (USR_locksmith | USR_owner | USR_dba);
}
UserId()
: usr_user_id(0), usr_group_id(0), usr_flags(0)
{ }
UserId(Firebird::MemoryPool& p, const UserId& ui)
: usr_user_name(p, ui.usr_user_name),
usr_sql_role_name(p, ui.usr_sql_role_name),
usr_project_name(p, ui.usr_project_name),
usr_org_name(p, ui.usr_org_name),
usr_auth_block(p),
usr_user_id(ui.usr_user_id),
usr_group_id(ui.usr_group_id),
usr_flags(ui.usr_flags)
{
usr_auth_block.assign(ui.usr_auth_block);
}
UserId(const UserId& ui)
: usr_user_name(ui.usr_user_name),
usr_sql_role_name(ui.usr_sql_role_name),
usr_project_name(ui.usr_project_name),
usr_org_name(ui.usr_org_name),
usr_user_id(ui.usr_user_id),
usr_group_id(ui.usr_group_id),
usr_flags(ui.usr_flags)
{
usr_auth_block.assign(ui.usr_auth_block);
}
UserId& operator=(const UserId& ui)
{
usr_user_name = ui.usr_user_name;
usr_sql_role_name = ui.usr_sql_role_name;
usr_project_name = ui.usr_project_name;
usr_org_name = ui.usr_org_name;
usr_user_id = ui.usr_user_id;
usr_group_id = ui.usr_group_id;
usr_flags = ui.usr_flags;
usr_auth_block.assign(ui.usr_auth_block);
return *this;
}
};
// These numbers are arbitrary and only used at run-time. Can be changed if necessary at any moment.
// We need to include here the new objects that accept ACLs.
const SLONG SCL_object_database = 1;
const SLONG SCL_object_table = 2;
const SLONG SCL_object_package = 3;
const SLONG SCL_object_procedure = 4;
const SLONG SCL_object_function = 5;
const SLONG SCL_object_column = 6;
const SLONG SCL_object_collation = 7;
const SLONG SCL_object_exception = 8;
const SLONG SCL_object_generator = 9;
const SLONG SCL_object_charset = 10;
const SLONG SCL_object_domain = 11;
} //namespace Jrd
#endif // JRD_SCL_H
View Git Blame Copy Permalink