use of com.alibaba.druid.sql.ast.statement.SQLUpdateStatement in project Mycat_plus by coderczp.
the class MycatPrivileges method checkDmlPrivilege.
// 审计SQL权限
@Override
public boolean checkDmlPrivilege(String user, String schema, String sql) {
if (schema == null) {
return true;
}
boolean isPassed = false;
MycatConfig conf = MycatServer.getInstance().getConfig();
UserConfig userConfig = conf.getUsers().get(user);
if (userConfig != null) {
UserPrivilegesConfig userPrivilege = userConfig.getPrivilegesConfig();
if (userPrivilege != null && userPrivilege.isCheck()) {
UserPrivilegesConfig.SchemaPrivilege schemaPrivilege = userPrivilege.getSchemaPrivilege(schema);
if (schemaPrivilege != null) {
String tableName = null;
int index = -1;
// com.alibaba.druid.sql.parser.ParserException: syntax error, error in :'begin',expect END, actual EOF begin
if (sql != null && sql.length() == 5 && sql.equalsIgnoreCase("begin")) {
return true;
}
SQLStatementParser parser = new MycatStatementParser(sql);
SQLStatement stmt = parser.parseStatement();
if (stmt instanceof MySqlReplaceStatement || stmt instanceof SQLInsertStatement) {
index = 0;
} else if (stmt instanceof SQLUpdateStatement) {
index = 1;
} else if (stmt instanceof SQLSelectStatement) {
index = 2;
} else if (stmt instanceof SQLDeleteStatement) {
index = 3;
}
if (index > -1) {
SchemaStatVisitor schemaStatVisitor = new MycatSchemaStatVisitor();
stmt.accept(schemaStatVisitor);
String key = schemaStatVisitor.getCurrentTable();
if (key != null) {
if (key.contains("`")) {
key = key.replaceAll("`", "");
}
int dotIndex = key.indexOf(".");
if (dotIndex > 0) {
tableName = key.substring(dotIndex + 1);
} else {
tableName = key;
}
// 获取table 权限, 此处不需要检测空值, 无设置则自动继承父级权限
UserPrivilegesConfig.TablePrivilege tablePrivilege = schemaPrivilege.getTablePrivilege(tableName);
if (tablePrivilege.getDml()[index] > 0) {
isPassed = true;
}
} else {
// skip
isPassed = true;
}
} else {
// skip
isPassed = true;
}
} else {
// skip
isPassed = true;
}
} else {
// skip
isPassed = true;
}
} else {
// skip
isPassed = true;
}
if (!isPassed) {
ALARM.error(new StringBuilder().append(Alarms.DML_ATTACK).append("[sql=").append(sql).append(",user=").append(user).append(']').toString());
}
return isPassed;
}
use of com.alibaba.druid.sql.ast.statement.SQLUpdateStatement in project Mycat-Server by MyCATApache.
the class MycatPrivileges method checkDmlPrivilege.
// 审计SQL权限
@Override
public boolean checkDmlPrivilege(String user, String schema, String sql) {
if (schema == null) {
return true;
}
boolean isPassed = false;
MycatConfig conf = MycatServer.getInstance().getConfig();
UserConfig userConfig = conf.getUsers().get(user);
if (userConfig != null) {
UserPrivilegesConfig userPrivilege = userConfig.getPrivilegesConfig();
if (userPrivilege != null && userPrivilege.isCheck()) {
UserPrivilegesConfig.SchemaPrivilege schemaPrivilege = userPrivilege.getSchemaPrivilege(schema);
if (schemaPrivilege != null) {
String tableName = null;
int index = -1;
// com.alibaba.druid.sql.parser.ParserException: syntax error, error in :'begin',expect END, actual EOF begin
if (sql != null && sql.length() == 5 && sql.equalsIgnoreCase("begin")) {
return true;
}
SQLStatementParser parser = new MycatStatementParser(sql);
SQLStatement stmt = parser.parseStatement();
if (stmt instanceof MySqlReplaceStatement || stmt instanceof SQLInsertStatement) {
index = 0;
} else if (stmt instanceof SQLUpdateStatement) {
index = 1;
} else if (stmt instanceof SQLSelectStatement) {
index = 2;
} else if (stmt instanceof SQLDeleteStatement) {
index = 3;
}
if (index > -1) {
SchemaStatVisitor schemaStatVisitor = new MycatSchemaStatVisitor();
stmt.accept(schemaStatVisitor);
String key = schemaStatVisitor.getCurrentTable();
if (key != null) {
if (key.contains("`")) {
key = key.replaceAll("`", "");
}
int dotIndex = key.indexOf(".");
if (dotIndex > 0) {
tableName = key.substring(dotIndex + 1);
} else {
tableName = key;
}
// 获取table 权限, 此处不需要检测空值, 无设置则自动继承父级权限
UserPrivilegesConfig.TablePrivilege tablePrivilege = schemaPrivilege.getTablePrivilege(tableName);
if (tablePrivilege.getDml()[index] > 0) {
isPassed = true;
}
} else {
// skip
isPassed = true;
}
} else {
// skip
isPassed = true;
}
} else {
// skip
isPassed = true;
}
} else {
// skip
isPassed = true;
}
} else {
// skip
isPassed = true;
}
if (!isPassed) {
ALARM.error(new StringBuilder().append(Alarms.DML_ATTACK).append("[sql=").append(sql).append(",user=").append(user).append(']').toString());
}
return isPassed;
}
use of com.alibaba.druid.sql.ast.statement.SQLUpdateStatement in project Mycat-Server by MyCATApache.
the class DruidMycatRouteStrategy method routeDisTable.
private RouteResultset routeDisTable(SQLStatement statement, RouteResultset rrs) throws SQLSyntaxErrorException {
SQLTableSource tableSource = null;
if (statement instanceof SQLInsertStatement) {
SQLInsertStatement insertStatement = (SQLInsertStatement) statement;
tableSource = insertStatement.getTableSource();
for (RouteResultsetNode node : rrs.getNodes()) {
SQLExprTableSource from2 = getDisTable(tableSource, node);
insertStatement.setTableSource(from2);
node.setStatement(insertStatement.toString());
}
}
if (statement instanceof SQLDeleteStatement) {
SQLDeleteStatement deleteStatement = (SQLDeleteStatement) statement;
tableSource = deleteStatement.getTableSource();
for (RouteResultsetNode node : rrs.getNodes()) {
SQLExprTableSource from2 = getDisTable(tableSource, node);
deleteStatement.setTableSource(from2);
node.setStatement(deleteStatement.toString());
}
}
if (statement instanceof SQLUpdateStatement) {
SQLUpdateStatement updateStatement = (SQLUpdateStatement) statement;
tableSource = updateStatement.getTableSource();
for (RouteResultsetNode node : rrs.getNodes()) {
SQLExprTableSource from2 = getDisTable(tableSource, node);
updateStatement.setTableSource(from2);
node.setStatement(updateStatement.toString());
}
}
return rrs;
}
use of com.alibaba.druid.sql.ast.statement.SQLUpdateStatement in project druid by alibaba.
the class SQLUpdateBuilderImpl method setValue.
public SQLUpdateBuilderImpl setValue(String column, Object value) {
SQLUpdateStatement update = getSQLUpdateStatement();
SQLExpr columnExpr = SQLUtils.toSQLExpr(column, dbType);
SQLExpr valueExpr = toSQLExpr(value, dbType);
SQLUpdateSetItem item = new SQLUpdateSetItem();
item.setColumn(columnExpr);
item.setValue(valueExpr);
update.addItem(item);
return this;
}
use of com.alibaba.druid.sql.ast.statement.SQLUpdateStatement in project druid by alibaba.
the class SQLUpdateBuilderImpl method whereAnd.
@Override
public SQLUpdateBuilderImpl whereAnd(String expr) {
SQLUpdateStatement update = getSQLUpdateStatement();
SQLExpr exprObj = SQLUtils.toSQLExpr(expr, dbType);
SQLExpr newCondition = SQLUtils.buildCondition(SQLBinaryOperator.BooleanAnd, exprObj, false, update.getWhere());
update.setWhere(newCondition);
return this;
}
Aggregations