1 | /* |
2 | ** 2003 January 11 |
3 | ** |
4 | ** The author disclaims copyright to this source code. In place of |
5 | ** a legal notice, here is a blessing: |
6 | ** |
7 | ** May you do good and not evil. |
8 | ** May you find forgiveness for yourself and forgive others. |
9 | ** May you share freely, never taking more than you give. |
10 | ** |
11 | ************************************************************************* |
12 | ** This file contains code used to implement the sqlite3_set_authorizer() |
13 | ** API. This facility is an optional feature of the library. Embedded |
14 | ** systems that do not need this facility may omit it by recompiling |
15 | ** the library with -DSQLITE_OMIT_AUTHORIZATION=1 |
16 | */ |
17 | #include "sqliteInt.h" |
18 | |
19 | /* |
20 | ** All of the code in this file may be omitted by defining a single |
21 | ** macro. |
22 | */ |
23 | #ifndef SQLITE_OMIT_AUTHORIZATION |
24 | |
25 | /* |
26 | ** Set or clear the access authorization function. |
27 | ** |
28 | ** The access authorization function is be called during the compilation |
29 | ** phase to verify that the user has read and/or write access permission on |
30 | ** various fields of the database. The first argument to the auth function |
31 | ** is a copy of the 3rd argument to this routine. The second argument |
32 | ** to the auth function is one of these constants: |
33 | ** |
34 | ** SQLITE_CREATE_INDEX |
35 | ** SQLITE_CREATE_TABLE |
36 | ** SQLITE_CREATE_TEMP_INDEX |
37 | ** SQLITE_CREATE_TEMP_TABLE |
38 | ** SQLITE_CREATE_TEMP_TRIGGER |
39 | ** SQLITE_CREATE_TEMP_VIEW |
40 | ** SQLITE_CREATE_TRIGGER |
41 | ** SQLITE_CREATE_VIEW |
42 | ** SQLITE_DELETE |
43 | ** SQLITE_DROP_INDEX |
44 | ** SQLITE_DROP_TABLE |
45 | ** SQLITE_DROP_TEMP_INDEX |
46 | ** SQLITE_DROP_TEMP_TABLE |
47 | ** SQLITE_DROP_TEMP_TRIGGER |
48 | ** SQLITE_DROP_TEMP_VIEW |
49 | ** SQLITE_DROP_TRIGGER |
50 | ** SQLITE_DROP_VIEW |
51 | ** SQLITE_INSERT |
52 | ** SQLITE_PRAGMA |
53 | ** SQLITE_READ |
54 | ** SQLITE_SELECT |
55 | ** SQLITE_TRANSACTION |
56 | ** SQLITE_UPDATE |
57 | ** |
58 | ** The third and fourth arguments to the auth function are the name of |
59 | ** the table and the column that are being accessed. The auth function |
60 | ** should return either SQLITE_OK, SQLITE_DENY, or SQLITE_IGNORE. If |
61 | ** SQLITE_OK is returned, it means that access is allowed. SQLITE_DENY |
62 | ** means that the SQL statement will never-run - the sqlite3_exec() call |
63 | ** will return with an error. SQLITE_IGNORE means that the SQL statement |
64 | ** should run but attempts to read the specified column will return NULL |
65 | ** and attempts to write the column will be ignored. |
66 | ** |
67 | ** Setting the auth function to NULL disables this hook. The default |
68 | ** setting of the auth function is NULL. |
69 | */ |
70 | int sqlite3_set_authorizer( |
71 | sqlite3 *db, |
72 | int (*xAuth)(void*,int,const char*,const char*,const char*,const char*), |
73 | void *pArg |
74 | ){ |
75 | #ifdef SQLITE_ENABLE_API_ARMOR |
76 | if( !sqlite3SafetyCheckOk(db) ) return SQLITE_MISUSE_BKPT; |
77 | #endif |
78 | sqlite3_mutex_enter(db->mutex); |
79 | db->xAuth = (sqlite3_xauth)xAuth; |
80 | db->pAuthArg = pArg; |
81 | if( db->xAuth ) sqlite3ExpirePreparedStatements(db, 1); |
82 | sqlite3_mutex_leave(db->mutex); |
83 | return SQLITE_OK; |
84 | } |
85 | |
86 | /* |
87 | ** Write an error message into pParse->zErrMsg that explains that the |
88 | ** user-supplied authorization function returned an illegal value. |
89 | */ |
90 | static void sqliteAuthBadReturnCode(Parse *pParse){ |
91 | sqlite3ErrorMsg(pParse, "authorizer malfunction" ); |
92 | pParse->rc = SQLITE_ERROR; |
93 | } |
94 | |
95 | /* |
96 | ** Invoke the authorization callback for permission to read column zCol from |
97 | ** table zTab in database zDb. This function assumes that an authorization |
98 | ** callback has been registered (i.e. that sqlite3.xAuth is not NULL). |
99 | ** |
100 | ** If SQLITE_IGNORE is returned and pExpr is not NULL, then pExpr is changed |
101 | ** to an SQL NULL expression. Otherwise, if pExpr is NULL, then SQLITE_IGNORE |
102 | ** is treated as SQLITE_DENY. In this case an error is left in pParse. |
103 | */ |
104 | int sqlite3AuthReadCol( |
105 | Parse *pParse, /* The parser context */ |
106 | const char *zTab, /* Table name */ |
107 | const char *zCol, /* Column name */ |
108 | int iDb /* Index of containing database. */ |
109 | ){ |
110 | sqlite3 *db = pParse->db; /* Database handle */ |
111 | char *zDb = db->aDb[iDb].zDbSName; /* Schema name of attached database */ |
112 | int rc; /* Auth callback return code */ |
113 | |
114 | if( db->init.busy ) return SQLITE_OK; |
115 | rc = db->xAuth(db->pAuthArg, SQLITE_READ, zTab,zCol,zDb,pParse->zAuthContext |
116 | #ifdef SQLITE_USER_AUTHENTICATION |
117 | ,db->auth.zAuthUser |
118 | #endif |
119 | ); |
120 | if( rc==SQLITE_DENY ){ |
121 | char *z = sqlite3_mprintf("%s.%s" , zTab, zCol); |
122 | if( db->nDb>2 || iDb!=0 ) z = sqlite3_mprintf("%s.%z" , zDb, z); |
123 | sqlite3ErrorMsg(pParse, "access to %z is prohibited" , z); |
124 | pParse->rc = SQLITE_AUTH; |
125 | }else if( rc!=SQLITE_IGNORE && rc!=SQLITE_OK ){ |
126 | sqliteAuthBadReturnCode(pParse); |
127 | } |
128 | return rc; |
129 | } |
130 | |
131 | /* |
132 | ** The pExpr should be a TK_COLUMN expression. The table referred to |
133 | ** is in pTabList or else it is the NEW or OLD table of a trigger. |
134 | ** Check to see if it is OK to read this particular column. |
135 | ** |
136 | ** If the auth function returns SQLITE_IGNORE, change the TK_COLUMN |
137 | ** instruction into a TK_NULL. If the auth function returns SQLITE_DENY, |
138 | ** then generate an error. |
139 | */ |
140 | void sqlite3AuthRead( |
141 | Parse *pParse, /* The parser context */ |
142 | Expr *pExpr, /* The expression to check authorization on */ |
143 | Schema *pSchema, /* The schema of the expression */ |
144 | SrcList *pTabList /* All table that pExpr might refer to */ |
145 | ){ |
146 | Table *pTab = 0; /* The table being read */ |
147 | const char *zCol; /* Name of the column of the table */ |
148 | int iSrc; /* Index in pTabList->a[] of table being read */ |
149 | int iDb; /* The index of the database the expression refers to */ |
150 | int iCol; /* Index of column in table */ |
151 | |
152 | assert( pExpr->op==TK_COLUMN || pExpr->op==TK_TRIGGER ); |
153 | assert( !IN_RENAME_OBJECT ); |
154 | assert( pParse->db->xAuth!=0 ); |
155 | iDb = sqlite3SchemaToIndex(pParse->db, pSchema); |
156 | if( iDb<0 ){ |
157 | /* An attempt to read a column out of a subquery or other |
158 | ** temporary table. */ |
159 | return; |
160 | } |
161 | |
162 | if( pExpr->op==TK_TRIGGER ){ |
163 | pTab = pParse->pTriggerTab; |
164 | }else{ |
165 | assert( pTabList ); |
166 | for(iSrc=0; iSrc<pTabList->nSrc; iSrc++){ |
167 | if( pExpr->iTable==pTabList->a[iSrc].iCursor ){ |
168 | pTab = pTabList->a[iSrc].pTab; |
169 | break; |
170 | } |
171 | } |
172 | } |
173 | iCol = pExpr->iColumn; |
174 | if( pTab==0 ) return; |
175 | |
176 | if( iCol>=0 ){ |
177 | assert( iCol<pTab->nCol ); |
178 | zCol = pTab->aCol[iCol].zCnName; |
179 | }else if( pTab->iPKey>=0 ){ |
180 | assert( pTab->iPKey<pTab->nCol ); |
181 | zCol = pTab->aCol[pTab->iPKey].zCnName; |
182 | }else{ |
183 | zCol = "ROWID" ; |
184 | } |
185 | assert( iDb>=0 && iDb<pParse->db->nDb ); |
186 | if( SQLITE_IGNORE==sqlite3AuthReadCol(pParse, pTab->zName, zCol, iDb) ){ |
187 | pExpr->op = TK_NULL; |
188 | } |
189 | } |
190 | |
191 | /* |
192 | ** Do an authorization check using the code and arguments given. Return |
193 | ** either SQLITE_OK (zero) or SQLITE_IGNORE or SQLITE_DENY. If SQLITE_DENY |
194 | ** is returned, then the error count and error message in pParse are |
195 | ** modified appropriately. |
196 | */ |
197 | int sqlite3AuthCheck( |
198 | Parse *pParse, |
199 | int code, |
200 | const char *zArg1, |
201 | const char *zArg2, |
202 | const char *zArg3 |
203 | ){ |
204 | sqlite3 *db = pParse->db; |
205 | int rc; |
206 | |
207 | /* Don't do any authorization checks if the database is initialising |
208 | ** or if the parser is being invoked from within sqlite3_declare_vtab. |
209 | */ |
210 | assert( !IN_RENAME_OBJECT || db->xAuth==0 ); |
211 | if( db->xAuth==0 || db->init.busy || IN_SPECIAL_PARSE ){ |
212 | return SQLITE_OK; |
213 | } |
214 | |
215 | /* EVIDENCE-OF: R-43249-19882 The third through sixth parameters to the |
216 | ** callback are either NULL pointers or zero-terminated strings that |
217 | ** contain additional details about the action to be authorized. |
218 | ** |
219 | ** The following testcase() macros show that any of the 3rd through 6th |
220 | ** parameters can be either NULL or a string. */ |
221 | testcase( zArg1==0 ); |
222 | testcase( zArg2==0 ); |
223 | testcase( zArg3==0 ); |
224 | testcase( pParse->zAuthContext==0 ); |
225 | |
226 | rc = db->xAuth(db->pAuthArg, code, zArg1, zArg2, zArg3, pParse->zAuthContext |
227 | #ifdef SQLITE_USER_AUTHENTICATION |
228 | ,db->auth.zAuthUser |
229 | #endif |
230 | ); |
231 | if( rc==SQLITE_DENY ){ |
232 | sqlite3ErrorMsg(pParse, "not authorized" ); |
233 | pParse->rc = SQLITE_AUTH; |
234 | }else if( rc!=SQLITE_OK && rc!=SQLITE_IGNORE ){ |
235 | rc = SQLITE_DENY; |
236 | sqliteAuthBadReturnCode(pParse); |
237 | } |
238 | return rc; |
239 | } |
240 | |
241 | /* |
242 | ** Push an authorization context. After this routine is called, the |
243 | ** zArg3 argument to authorization callbacks will be zContext until |
244 | ** popped. Or if pParse==0, this routine is a no-op. |
245 | */ |
246 | void sqlite3AuthContextPush( |
247 | Parse *pParse, |
248 | AuthContext *pContext, |
249 | const char *zContext |
250 | ){ |
251 | assert( pParse ); |
252 | pContext->pParse = pParse; |
253 | pContext->zAuthContext = pParse->zAuthContext; |
254 | pParse->zAuthContext = zContext; |
255 | } |
256 | |
257 | /* |
258 | ** Pop an authorization context that was previously pushed |
259 | ** by sqlite3AuthContextPush |
260 | */ |
261 | void sqlite3AuthContextPop(AuthContext *pContext){ |
262 | if( pContext->pParse ){ |
263 | pContext->pParse->zAuthContext = pContext->zAuthContext; |
264 | pContext->pParse = 0; |
265 | } |
266 | } |
267 | |
268 | #endif /* SQLITE_OMIT_AUTHORIZATION */ |
269 | |