Merge branch 'f-role-permission' into 'dev'

Fix: Add role permission See merge request caosdb/caosdb-mysqlbackend!23

Merge branch 'f-role-permission' into 'dev'
800c1dd0 · Timm Fitschen · 9f5af78d · e0ceb67d · 800c1dd0 · 800c1dd0
Commit 800c1dd0 authored 4 years ago by Timm Fitschen
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Added ###

+- `utils/make_db` has new `grant-permission` command.
+
 ### Changed ###

 ### Deprecated ###

--- a/tests/test_utils.sh
+++ b/tests/test_utils.sh
@@ -103,5 +103,7 @@ echo -n 'testing logging... '
 $UTILSPATH/log.sh "start"
 $UTILSPATH/log.sh "get" > /dev/null
 $UTILSPATH/log.sh "stop"
+$UTILSPATH/make_db grant-permission anonymous \
+                   '[{"grant":"true","priority":"true","permission":"*"}]'
 echo '[Ok]'
 echo '[Completed]'
--- a/utils/make_db
+++ b/utils/make_db
@@ -3,7 +3,8 @@
 # ** header v3.0
 # This file is a part of the CaosDB Project.
 #
-# Copyright (C) 2019, 2020 Daniel Hornung <d.hornung@indiscale.com>
+# Copyright (C) 2021 Indiscale GmbH <info@indiscale.com>
+# Copyright (C) 2019, 2020, 2021 Daniel Hornung <d.hornung@indiscale.com>
 # Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
 # Copyright (C) 2020 Henrik tom Wörden <h.tomwoerden@indiscale.com>
 # Copyright (C) 2020 IndiScale <info@indiscale.com>
@@ -23,6 +24,10 @@
 #
 # ** end header

+# Although some sanity checks are performed, this script still allows lots of SQL injection
+# possibilities.
+
+
 set -e

 INSTALL_SQL_FILE="db_2_0.sql"
@@ -198,12 +203,50 @@ function _db_exists() {
 }


+# Grant the given permissions to the given role.
+#
+# Arguments
+# ---------
+# role : str
+# The role, may consist of alphanumerical letters plus `.`, `_`, `-`.  The role must exist in the
+# `roles` table.
+#
+# permissions : str
+# The permissions string.  May not contain single quotes, should be similar to:
+# [{"grant":"true","priority":"true","permission":"*"}]
+function grant-permission() {
+    role="$1"
+    permissions="$2"
+    if echo -n "$role" | grep -v -q "^[[:alnum:]._-]*$" ; then
+        echo "Role contains invalid character(s)!"
+        exit 1
+    fi
+    if [[ $permissions == "'" ]]; then
+        echo "Permissions string contains single quote!"
+        exit 1
+    fi
+
+    cmd="SELECT COUNT(1) from roles where name='${role}';"
+    count=$($MYSQL_CMD $(get_mysql_args) -AN -e "$cmd")
+    if [[ $count == "0" ]]; then
+        echo "Role not found!"
+        exit 1
+    fi
+
+    cmd="INSERT INTO permissions (role, permissions) VALUE ('${role}', '${permissions}')"
+    cmd+="ON DUPLICATE KEY UPDATE role='${role}', permissions='${permissions}'"
+    cmd+=";"
+    $MYSQL_CMD $(get_mysql_args) -e "$cmd"
+}
+
+
 case $1 in
    "drop") drop $2 ;;
    "grant") grant $2 ;;
+    "grant-permission") grant-permission $2 $3 ;; # Args: role, permissions
    "test") shift ; runtests $@ ;;
    "test-connection") test-connection ;;
    "install_db") install_db ;;
    "restore_db") restore_db $2 ;;
-    *) echo "Unknown action: $1"
+    *) echo "Unknown action: $1"; exit 32
 esac