From d..@apache.org
Subject svn commit: r675133 - in /db/derby/code/trunk/java: engine/org/apache/derby/iapi/sql/dictionary/ engine/org/apache/derby/impl/sql/catalog/ engine/org/apache/derby/impl/sql/execute/ testing/org/apache/derbyTesting/functionTests/tests/lang/
Date Wed, 09 Jul 2008 11:27:26 GMT
Author: dag
Date: Wed Jul  9 04:27:25 2008
New Revision: 675133

URL: http://svn.apache.org/viewvc?rev=675133&view=rev
Log:
DERBY-3223 SQL roles: make use of privileges granted to roles in actual privilege checking

Patch derby-3223-revise-iterator-api-b.

Modified:
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleClosureIterator.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleGrantDescriptor.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/RoleClosureIteratorImpl.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesTest.java

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleClosureIterator.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleClosureIterator.java?rev=675133&r1=675132&r2=675133&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleClosureIterator.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleClosureIterator.java
Wed Jul  9 04:27:25 2008
@@ -20,9 +20,7 @@
  */
 package org.apache.derby.iapi.sql.dictionary;
 
-import org.apache.derby.iapi.sql.Activation;
 import org.apache.derby.iapi.error.StandardException;
-import java.util.HashMap;
 
 /**
  * Allows iterator over the role grant closure defined by the relation
@@ -34,8 +32,8 @@
 {
 
     /**
-     * Returns the next (as yet unseen) role in the closure of the
-     * grant or grant<sup>-1</sup> relation. 
+     * Returns the next (as yet unreturned) role in the transitive closure of
+     * the grant or grant<sup>-1</sup> relation.
      *
      * The grant relation forms a DAG (directed acyclic graph).
      * <pre>
@@ -70,20 +68,21 @@
      * An iterator on the inverse relation starting at h for the above
      * grant graph will return:
      * <pre>
-     *       closure(h, grant-inv) = {e, b, a1, f, c, a2, d, a3}
+     *       closure(h, grant-inv) = {h, e, b, a1, f, c, a2, d, a3}
      * </pre>
      * <p>
      * An iterator on normal (not inverse) relation starting at a1 for
      * the above grant graph will return:
      * <pre>
-     *       closure(a1, grant)    = {b, j, e, h, f, c}
+     *       closure(a1, grant)    = {a1, b, j, e, h, f, c}
      * </pre>
      *
-     * @return a role name identifying a yet unseen node, or null if
-     *         the closure is exhausted.  The order in which the nodes
-     *         are returned is not defined.
+     * @return a role name identifying a yet unseen node, or null if the
+     *         closure is exhausted.  The order in which the nodes are returned
+     *         is not defined, except that the root is always returned first (h
+     *         and a1 in the above examples).
      */
-    public String next();
+    public String next() throws StandardException;
 
 
     /**
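Review bot: The `next()` Javadoc now makes "the root is always returned first" part of the contract, and in this same commit GrantRoleConstantAction drops its own `role.equals(grantee)` check, so rejection of the trivial a->a circularity appears to rest on this guarantee alone. The `@return` text should say so explicitly, e.g. `The root itself is always the first element returned; callers may rely on this.`, and the new checked exception needs a tag such as `@throws StandardException if the role grant graph cannot be read`. The `@return` text also still says "yet unseen" where the summary sentence was changed to "as yet unreturned". No test change visible in this commit pins the a->a case, so a regression test for it is worth adding if RolesTest does not already have one.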

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleGrantDescriptor.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleGrantDescriptor.java?rev=675133&r1=675132&r2=675133&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleGrantDescriptor.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/RoleGrantDescriptor.java
Wed Jul  9 04:27:25 2008
@@ -71,13 +71,13 @@
      * @param isDef
      *
      */
-    RoleGrantDescriptor(DataDictionary dd,
-                        UUID uuid,
-                        String roleName,
-                        String grantee,
-                        String grantor,
-                        boolean withAdminOption,
-                        boolean isDef) {
+    public RoleGrantDescriptor(DataDictionary dd,
+                               UUID uuid,
+                               String roleName,
+                               String grantee,
+                               String grantor,
+                               boolean withAdminOption,
+                               boolean isDef) {
         super(dd);
         this.uuid = uuid;
         this.roleName = roleName;
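Review bot: Making this constructor public widens the API of a descriptor that represents authorization state, and the only new caller visible in this commit is RoleClosureIteratorImpl, which passes null for `dd` and `uuid` to build a placeholder. If that placeholder can be avoided, the constructor can stay package-private; otherwise the Javadoc above it should say something like `Public only so that the catalog implementation can create a placeholder descriptor; not for general use.` The constructor body continues past the end of the hunk.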

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java?rev=675133&r1=675132&r2=675133&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
Wed Jul  9 04:27:25 2008
@@ -2969,6 +2969,7 @@
 		return false;
 	}
 
+
 	/**
 	 * Return an in-memory representation of the role grant graph (sans
 	 * grant of roles to users, only role-role relation.
@@ -2985,7 +2986,7 @@
 	 * FIXME: Need to cache graph and invalidate when role graph is modified.
 	 * Currently, we always read from SYSROLES.
 	 */
-	private HashMap getRoleGrantGraph(TransactionController tc, boolean inverse)
+	HashMap getRoleGrantGraph(TransactionController tc, boolean inverse)
 			throws StandardException {
 
 		HashMap hm = new HashMap();
@@ -3068,9 +3069,7 @@
 		 boolean inverse
 		) throws StandardException {
 
-		HashMap graph = getRoleGrantGraph(tc, inverse);
-
-		return new RoleClosureIteratorImpl(role, inverse, graph);
+		return new RoleClosureIteratorImpl(role, inverse, this, tc);
 	}
 
 
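Review bot: With the graph argument gone, the role grant graph is no longer read here but on the second `next()` call in RoleClosureIteratorImpl, so the iterator keeps references to `this` and `tc` until `close()` is called. The method Javadoc should state that lifetime requirement, e.g. `The returned iterator reads SYSROLES lazily using tc; use and close it within the transaction that created it.` Without it, a caller that keeps the iterator across a commit would presumably compute the closure through a transaction controller that is no longer valid. The method signature starts above the hunk.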

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/RoleClosureIteratorImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/RoleClosureIteratorImpl.java?rev=675133&r1=675132&r2=675133&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/RoleClosureIteratorImpl.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/RoleClosureIteratorImpl.java
Wed Jul  9 04:27:25 2008
@@ -21,13 +21,15 @@
 
 package org.apache.derby.impl.sql.catalog;
 
-import org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor;
-import org.apache.derby.iapi.sql.dictionary.RoleClosureIterator;
-import org.apache.derby.iapi.error.StandardException;
 import java.util.List;
 import java.util.HashMap;
 import java.util.ArrayList;
 import java.util.Iterator;
+import org.apache.derby.iapi.sql.dictionary.RoleGrantDescriptor;
+import org.apache.derby.iapi.sql.dictionary.RoleClosureIterator;
+import org.apache.derby.iapi.error.StandardException;
+import org.apache.derby.iapi.services.sanity.SanityManager;
+import org.apache.derby.iapi.store.access.TransactionController;
 
 /**
  * Allows iterator over the role grant closure defined by the relation
@@ -79,6 +81,31 @@
     private Iterator currNodeIter;
 
     /**
+     * DataDictionaryImpl used to get closure graph
+     */
+    private DataDictionaryImpl dd;
+
+    /**
+     * TransactionController used to get closure graph
+     */
+    private TransactionController tc;
+
+    /**
+     * The role for which we compute the closure.
+     */
+    private String root;
+
+    /**
+     * true before next is called the first time
+     */
+    private boolean initial;
+
+    /**
+     * true of iterator is open and next can be called
+     */
+    private boolean open;
+
+    /**
      * Constructor (package private).
      * Use {@code createRoleClosureIterator} to obtain an instance.
      * @see org.apache.derby.iapi.sql.dictionary.DataDictionary#createRoleClosureIterator
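Review bot: The Javadoc on the new `open` field has a typo, `true of iterator is open`; it should read `true if the iterator is open and next can be called`. As far as this commit shows, `root` is assigned only in the constructor, so it could be declared `private final String root;`, whereas `dd` and `tc` cannot because `close()` sets them to null. The hunk ends inside the constructor's Javadoc.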
@@ -86,33 +113,64 @@
      * @param root The role name for which to compute the closure
      * @param inverse If {@code true}, {@code graph} represents the
      *                grant<sup>-1</sup> relation.
-     * @param graph The grant graph for which to construct a closure
-     *              and iterator.
+     * @param dd data dictionary
+     * @param tc transaction controller
      *
      */
     RoleClosureIteratorImpl(String root, boolean inverse,
-                            HashMap graph) {
+                            DataDictionaryImpl dd,
+                            TransactionController tc) {
         this.inverse = inverse;
-        this.graph = graph;
-
-        // we omit root from closure, so don't add it here.
+        this.graph = null;
+        this.root = root;
+        this.dd = dd;
+        this.tc = tc;
         seenSoFar = new HashMap();
         lifo      = new ArrayList(); // remaining work stack
-        // present iterator of outgoing arcs of the node we are
-        // currently looking at
-        List outgoingArcs = (List)graph.get(root);
-        if (outgoingArcs != null) {
-            this.currNodeIter = outgoingArcs.iterator();
-        } else {
-            // empty
-            this.currNodeIter = new ArrayList().iterator();
-        }
-
 
+        RoleGrantDescriptor dummy = new RoleGrantDescriptor
+            (null,
+             null,
+             inverse ? root : null,
+             inverse ? null : root,
+             null,
+             false,
+             false);
+        List dummyList = new ArrayList();
+        dummyList.add(dummy);
+        currNodeIter = dummyList.iterator();
+        initial = true;
+        open = true;
     }
 
 
-    public String next() {
+    public String next() throws StandardException {
+        if (!open) {
+            if (SanityManager.DEBUG) {
+                SanityManager.
+                    THROWASSERT("next called on a closed RoleClosureIterator");
+            }
+
+            return null;
+        }
+
+        if (initial) {
+            // Optimization so we don't compute the closure for the current
+            // role if unnecessary (when next is only called once).
+            initial = false;
+            seenSoFar.put(root, null);
+
+            return root;
+
+        } else if (graph == null) {
+            // We get here the second time next is called.
+            graph = dd.getRoleGrantGraph(tc, inverse);
+            List outArcs = (List)graph.get(root);
+            if (outArcs != null) {
+                currNodeIter = outArcs.iterator();
+            }
+        }
+
         RoleGrantDescriptor result = null;
 
         while (result == null) {
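Review bot: The placeholder `RoleGrantDescriptor` built in the constructor has no comment, and its purpose is subtle: the `initial` branch returns `root` without consuming `currNodeIter`, so when `graph.get(root)` is null the loop below iterates the placeholder, which is presumably skipped only because its role name or grantee equals `root` and `root` is already in `seenSoFar`. An empty iterator says the same thing directly, `currNodeIter = new ArrayList().iterator();`, as the removed code did, and would let the RoleGrantDescriptor constructor stay non-public. The `@param inverse` text also still refers to `{@code graph}`, which is no longer a parameter. The `while` loop continues outside the hunk, so the skip behaviour should be confirmed there.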
@@ -161,9 +219,9 @@
         }
 
         if (result != null) {
-            seenSoFar.put(inverse ? result.getRoleName(): result.getGrantee(),
-                          null);
-            return inverse ? result.getRoleName() : result.getGrantee();
+            String role = inverse ? result.getRoleName(): result.getGrantee();
+            seenSoFar.put(role, null);
+            return role;
         } else {
             return null;
         }
@@ -171,9 +229,12 @@
 
 
     public void close() throws StandardException{
-        seenSoFar = null;
+        open = false;
         graph = null;
         lifo = null;
+        seenSoFar = null;
         currNodeIter = null;
+        dd = null;
+        tc = null;
     }
 }

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java?rev=675133&r1=675132&r2=675133&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/GrantRoleConstantAction.java
Wed Jul  9 04:27:25 2008
@@ -21,8 +21,6 @@
 
 package org.apache.derby.impl.sql.execute;
 
-import org.apache.derby.iapi.sql.execute.ConstantAction;
-
 import java.util.Iterator;
 import java.util.List;
 import org.apache.derby.iapi.error.StandardException;
@@ -205,14 +203,6 @@
         // granted now, from one of the roles in the grant closure of
         // grantee, there is a circularity.
 
-        // Trivial circularity: a->a
-        if (role.equals(grantee)) {
-            throw StandardException.newException
-                (SQLState.AUTH_ROLE_GRANT_CIRCULARITY,
-                 role, grantee);
-        }
-
-
         // Via grant closure of grantee
         RoleClosureIterator rci =
             dd.createRoleClosureIterator(tc, grantee, false);

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesTest.java?rev=675133&r1=675132&r2=675133&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesTest.java
Wed Jul  9 04:27:25 2008
@@ -27,7 +27,6 @@
 import java.sql.Statement;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
-import java.sql.DriverManager;
 import junit.framework.Test;
 import junit.framework.TestSuite;
 import org.apache.derbyTesting.junit.BaseJDBCTestCase;
@@ -122,9 +121,6 @@
      * Construct top level suite in this JUnit test
      *
      * @return A suite containing embedded and client suites.
-     *         Client/server suite commented out to speed up this test as
-     *         it does not add much value given the nature of the changes
-     *         (SQL language only).
      */
     public static Test suite()
     {


