db-derby-commits mailing list archives

From d..@apache.org
Subject svn commit: r685526 - in /db/derby/code/trunk/java: engine/org/apache/derby/iapi/sql/dictionary/ engine/org/apache/derby/impl/sql/execute/ testing/org/apache/derbyTesting/functionTests/tests/lang/
Date Wed, 13 Aug 2008 12:20:28 GMT
Author: dag
Date: Wed Aug 13 05:20:27 2008
New Revision: 685526

URL: http://svn.apache.org/viewvc?rev=685526&view=rev
Log:
DERBY-3743 Revoking EXECUTE privilege on a function if used in a CHECK constraint: implementation
problem

Patch derby-3743b-2, which is a follow-up to the first patch of this issue.

Modified:
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateConstraintConstantAction.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java?rev=685526&r1=685525&r2=685526&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
Wed Aug 13 05:20:27 2008
@@ -45,6 +45,16 @@
 	}
 									 
 	/**
+	 * Return routine UUID for this access descriptor
+	 *
+	 * @return	Routine UUID
+	 */
+	public UUID getRoutineUUID()
+	{
+		return routineUUID;
+	}
+
+	/**
 	 * @see StatementPermission#check
 	 */
 	public void check( LanguageConnectionContext lcc,

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateConstraintConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateConstraintConstantAction.java?rev=685526&r1=685525&r2=685526&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateConstraintConstantAction.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/CreateConstraintConstantAction.java
Wed Aug 13 05:20:27 2008
@@ -329,7 +329,7 @@
 								);
 				dd.addConstraintDescriptor(conDesc, tc);
 				storeConstraintDependenciesOnPrivileges
-					(activation, conDesc, null);
+					(activation, conDesc, null, providerInfo);
 				break;
 
 			case DataDictionary.FOREIGNKEY_CONSTRAINT:
@@ -372,7 +372,11 @@
 				/* Create stored dependency on the referenced constraint */
 				dm.addDependency(conDesc, referencedConstraint, lcc.getContextManager());
 				//store constraint's dependency on REFERENCES privileges in the dependeny system
-				storeConstraintDependenciesOnPrivileges(activation, conDesc, referencedConstraint.getTableId());
			
+				storeConstraintDependenciesOnPrivileges
+					(activation,
+					 conDesc,
+					 referencedConstraint.getTableId(),
+					 providerInfo);
 				break;
 
 			default:

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java?rev=685526&r1=685525&r2=685526&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java
Wed Aug 13 05:20:27 2008
@@ -35,6 +35,7 @@
 import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
 import org.apache.derby.iapi.sql.depend.DependencyManager;
 import org.apache.derby.iapi.sql.depend.Dependent;
+import org.apache.derby.iapi.sql.depend.ProviderInfo;
 import org.apache.derby.iapi.sql.dictionary.ColPermsDescriptor;
 import org.apache.derby.iapi.sql.dictionary.DataDictionary;
 import org.apache.derby.iapi.sql.dictionary.PermissionsDescriptor;
@@ -265,8 +266,12 @@
 	 *  equation for constraints only. The dependency collection for 
 	 *  constraints is not same as for views and triggers and hence 
 	 *  constraints are handled by this special method.
+	 *
 	 * 	Views and triggers can depend on many different kind of privileges
-	 *  where as constraints only depend on REFERENCES privilege on a table.
+	 *  where as constraints only depend on REFERENCES privilege on a table
+	 *  (FOREIGN KEY constraints) or EXECUTE privileges on one or more
+	 *  functions (CHECK constraints).
+	 *
 	 *  Another difference is only one view or trigger can be defined by a
 	 *  sql statement and hence all the dependencies collected for the sql
 	 *  statement apply to the view or trigger in question. As for constraints,
@@ -282,12 +287,15 @@
 	 *  @param dependent Make this object depend on required privileges
 	 *  @param refTableUUID Make sure we are looking for REFERENCES privilege 
 	 * 		for right table
-	 *
+	 *  @param providers set of providers for this constraint
 	 * @exception StandardException		Thrown on failure
 	 */
 	protected void storeConstraintDependenciesOnPrivileges(
-			Activation activation, Dependent dependent, UUID refTableUUID)
-	throws StandardException
+		Activation activation,
+		Dependent dependent,
+		UUID refTableUUID,
+		ProviderInfo[] providers)
+			throws StandardException
 	{
 		LanguageConnectionContext lcc = activation.getLanguageConnectionContext();
 		DataDictionary dd = lcc.getDataDictionary();
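Review bot: The Javadoc for the widened signature does not say which arguments may be null or how `providers` is used. The CHECK-constraint call site in `CreateConstraintConstantAction` passes `null` for `refTableUUID`, and the new helper treats a null `providers` as "no routines". I would spell both out, for example `@param refTableUUID table whose REFERENCES privilege is required (FOREIGN KEY); null for CHECK constraints` and `@param providers providers of this constraint, used to select the EXECUTE permissions for routines it references; null means none`. Because the method is `protected` and the parameter list changed, any subclass or caller outside this commit needs the same update, which cannot be confirmed from the diff.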
@@ -299,11 +307,12 @@
 		if (!(lcc.getAuthorizationId().equals(dd.getAuthorizationDatabaseOwner())))
 		{
 			PermissionsDescriptor permDesc;
-			//Now, it is time to add into dependency system, constraint's 
-			//dependency on REFERENCES privilege. If the REFERENCES privilege is 
-			//revoked from the constraint owner, the constraint will get 
-			//dropped automatically.
+			// Now, it is time to add into dependency system, constraint's
+			// dependency on REFERENCES or, if it is a CHECK constraint, any
+			// EXECUTE privileges. If the REFERENCES is revoked from the
+			// constraint owner, the constraint will get dropped automatically.
 			List requiredPermissionsList = activation.getPreparedStatement().getRequiredPermissionsList();
+
 			if (requiredPermissionsList != null && ! requiredPermissionsList.isEmpty())
 			{
 				for(Iterator iter = requiredPermissionsList.iterator();iter.hasNext();)
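Review bot: The rewritten comment names EXECUTE privileges but still describes only what happens when REFERENCES is revoked. The accompanying tests expect `revoke execute ... restrict` to fail with `X0Y25` while a CHECK constraint uses the function, so the comment should state that outcome too. Something like `// A REVOKE EXECUTE ... RESTRICT on a function used by a CHECK constraint is rejected while the constraint exists.` would do. The phrase "If the REFERENCES is revoked" is also missing the word "privilege".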
@@ -329,16 +338,32 @@
 							continue;
 					} else if (statPerm instanceof StatementSchemaPermission) { 
 						continue;
+					} else {
+						if (SanityManager.DEBUG) {
+							SanityManager.ASSERT(
+								statPerm instanceof StatementRoutinePermission,
+								"only StatementRoutinePermission expected");
+						}
+
+						// skip if this permission concerns a function not
+						// referenced by this constraint
+						StatementRoutinePermission rp =
+							(StatementRoutinePermission)statPerm;
+						if (!inProviderSet(providers, rp.getRoutineUUID())) {
+							continue;
+						}
 					}
-					//We know that we are working with a REFERENCES 
-					//privilege. Find all the PermissionDescriptors for
-					//this privilege and make constraint depend on it
-					//through dependency manager.
-					//The REFERENCES privilege could be defined at the
-					//table level or it could be defined at individual
-					//column levels. In addition, individual column
-					//REFERENCES privilege could be available at the
-					//user level or PUBLIC level.
+
+
+					// We know that we are working with a REFERENCES or EXECUTE
+					// privilege. Find all the PermissionDescriptors for this
+					// privilege and make constraint depend on it through
+					// dependency manager.  The REFERENCES privilege could be
+					// defined at the table level or it could be defined at
+					// individual column levels. In addition, individual column
+					// REFERENCES privilege could be available at the user
+					// level, PUBLIC or role level.  EXECUTE privilege could be
+					// available at the user or PUBLIC level.
 					permDesc = statPerm.getPermissionDescriptor(lcc.getAuthorizationId(), dd);				
 					if (permDesc == null) 
 					{
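Review bot: The cast to `StatementRoutinePermission` in the new `else` branch is guarded only by `SanityManager.ASSERT` inside `if (SanityManager.DEBUG)`. When that flag is off, any other `StatementPermission` subtype reaching this branch fails with a bare `ClassCastException`. This loop decides which privilege dependencies are recorded for the constraint, so an unexpected type should be rejected deliberately: test `statPerm instanceof StatementRoutinePermission` unconditionally and raise a `StandardException` otherwise. A silent `continue` would be the wrong fix, since it would leave the constraint with no recorded dependency on that privilege. The loop and the earlier `instanceof` branches start outside this hunk.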
@@ -375,11 +400,14 @@
 								dm.addDependency(dependent, permDesc, lcc.getContextManager());	           					
										
 						}
 					}
-					//We have found the REFERENCES privilege for all the
-					//columns in foreign key constraint and we don't 
-					//need to go through the rest of the privileges
-					//for this sql statement.
-					break;																										
+
+					if (statPerm instanceof StatementTablePermission) {
+						//We have found the REFERENCES privilege for all the
+						//columns in foreign key constraint and we don't
+						//need to go through the rest of the privileges
+						//for this sql statement.
+						break;
+					}
 				}
 			}
 		}
@@ -502,5 +530,18 @@
 			
 		}
 	}
+
+	private boolean inProviderSet(ProviderInfo[] providers, UUID routineId) {
+		if (providers == null) {
+			return false;
+		}
+
+		for (int i = 0; i < providers.length; i++) {
+			if (providers[i].getObjectId().equals(routineId)) {
+				return true;
+			}
+		}
+		return false;
+	}
 }
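Review bot: `inProviderSet` returns `false` when `providers` is null, and the caller then skips every routine permission, so a constraint built with a null provider array would get no EXECUTE dependency stored and a later revoke would not be checked against it. Whether any caller can pass null is not visible in this diff, so the method should either carry a debug assertion or document the null case in a Javadoc comment, which it currently lacks. Separately, `providers[i].getObjectId().equals(routineId)` throws if a provider has no object id; `routineId.equals(providers[i].getObjectId())` avoids that, assuming the routine UUID of a permission is never null. The method reads no instance state and could be `private static`.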
 

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java?rev=685526&r1=685525&r2=685526&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/GrantRevokeDDLTest.java
Wed Aug 13 05:20:27 2008
@@ -6090,7 +6090,72 @@
             ("X0Y25", st,
              "revoke execute on function f_abs from mamta3 restrict");
         st_mamta3.executeUpdate(" drop table dhw");
+
+
+        // DERBY-3743b, test 1: multiple constraints, one routine dep per
+        // constraint.
+        st.executeUpdate(
+            "CREATE FUNCTION F_ABS2(P1 INT) RETURNS INT NO "
+            + "SQL RETURNS NULL ON NULL INPUT EXTERNAL NAME "
+            + "'java.lang.Math.abs' LANGUAGE JAVA PARAMETER STYLE JAVA");
+        st.executeUpdate(
+            " grant execute on function f_abs to mamta3");
+        st.executeUpdate(
+            " grant execute on function f_abs2 to mamta3");
+        st_mamta3.executeUpdate(
+            "create table dhw(i int constraint a1 check(mamta1.f_abs(i) > 0)" +
+                         ",j int constraint a2 check(mamta1.f_abs2(j) > 0))");
+        assertStatementError(
+            "23513", st_mamta3, "insert into dhw values (0,0)");
+        assertStatementError
+            ("X0Y25", st,
+             "revoke execute on function f_abs from mamta3 restrict");
+        assertStatementError
+            ("X0Y25", st,
+             "revoke execute on function f_abs2 from mamta3 restrict");
+        st_mamta3.executeUpdate("alter table dhw drop constraint a2");
+        st.executeUpdate(
+            "revoke execute on function f_abs2 from mamta3 restrict");
+
+        // check that a1 is still in place
+        assertStatementError
+            ("23513", st_mamta3, "insert into dhw values (0,1)");
+        assertStatementError
+            ("X0Y25", st,
+             "revoke execute on function f_abs from mamta3 restrict");
+        // remove  final constraint
+        st_mamta3.executeUpdate("alter table dhw drop constraint a1");
+        st.executeUpdate
+            ("revoke execute on function f_abs from mamta3 restrict");
+        st_mamta3.executeUpdate("insert into dhw values (0,0)");
+
+        st_mamta3.executeUpdate(" drop table dhw");
+
+        // DERBY-3743b, test 2: one constraint, multiple routine deps
+        st.executeUpdate(
+            " grant execute on function f_abs to mamta3");
+        st.executeUpdate(
+            " grant execute on function f_abs2 to mamta3");
+        st_mamta3.executeUpdate(
+            " create table dhw(i int constraint a check(" +
+                              "mamta1.f_abs(i) + mamta1.f_abs2(i) > 0))");
+        assertStatementError
+            ("X0Y25", st,
+             "revoke execute on function f_abs from mamta3 restrict");
+        assertStatementError
+            ("X0Y25", st,
+             "revoke execute on function f_abs2 from mamta3 restrict");
+        st_mamta3.executeUpdate("alter table dhw drop constraint a");
+
+        st.executeUpdate
+            ("revoke execute on function f_abs from mamta3 restrict");
+        st.executeUpdate
+            ("revoke execute on function f_abs2 from mamta3 restrict");
+
+        st_mamta3.executeUpdate(" drop table dhw");
+
         st.executeUpdate("DROP FUNCTION F_ABS");
+        st.executeUpdate("DROP FUNCTION F_ABS2");
 
         // set connection mamta2
         //ij(MAMTA3)> -- DERBY-1847 SELECT statement asserts with 
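Review bot: Both new cases grant EXECUTE directly to `mamta3`, so neither covers a grant to PUBLIC, which the updated comment in `DDLConstantAction` names as a level at which EXECUTE can be held. A third case would pin that path: grant `execute on function f_abs2 to public`, create the CHECK constraint as `mamta3`, and assert `X0Y25` on the matching `revoke ... from public restrict`. The cases also build constraints only inside `create table`; if `alter table ... add constraint` reaches the same code, which this diff does not show, it deserves one assertion as well.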


