Use of io.trino.spi.security.ViewExpression in project trino by trinodb.
Class TestRowFilter, method testSqlInjection.
/**
 * Verifies that a row filter whose expression contains a subquery cannot be subverted by the
 * query it is applied to.
 *
 * <p>The filter restricts {@code nation} to rows whose {@code regionkey} appears in
 * {@code region} with {@code name = 'ASIA'}. The query under test defines a CTE that is also
 * called {@code region} and in which every row is named {@code 'ASIA'}. If the filter text were
 * spliced into the user's query verbatim, the CTE would shadow the table the filter refers to,
 * every nation would pass the filter and the alphabetically first nation (ALGERIA) would come
 * back. The expected value, CHINA, is what the filter yields when its subquery is resolved
 * against the catalog/schema given in the {@code ViewExpression} rather than the query's CTE.
 */
@Test
public void testSqlInjection() {
    QualifiedObjectName nation = new QualifiedObjectName(CATALOG, "tiny", "nation");
    ViewExpression asiaOnly = new ViewExpression(
            USER,
            Optional.of(CATALOG),
            Optional.of("tiny"),
            "regionkey IN (SELECT regionkey FROM region WHERE name = 'ASIA')");

    accessControl.reset();
    accessControl.rowFilter(nation, USER, asiaOnly);

    // A CTE named like the table the filter's subquery reads, with every row marked 'ASIA'.
    String shadowingQuery = "WITH region(regionkey, name) AS (VALUES (0, 'ASIA'), (1, 'ASIA'), (2, 'ASIA'), (3, 'ASIA'), (4, 'ASIA'))"
            + "SELECT name FROM nation ORDER BY name LIMIT 1";

    // If the injection worked, the query would return ALGERIA instead of CHINA.
    assertThat(assertions.query(shadowingQuery)).matches("VALUES CAST('CHINA' AS VARCHAR(25))");
}
Use of io.trino.spi.security.ViewExpression in project trino by trinodb.
Class TestRowFilter, method testDelete.
/**
 * Exercises DELETE against a table that carries a row filter ({@code nationkey < 10}) for the
 * current user. Only rows visible through the filter may be deleted, so the reported row count
 * is bounded by the filter even when the DELETE predicate is wider than it (or absent).
 *
 * <p>NOTE(review): the expected counts do not decrease across statements, which suggests the
 * mock connector does not persist deletes between queries — confirm against the mock setup.
 */
@Test
public void testDelete() {
    QualifiedObjectName nation = new QualifiedObjectName(MOCK_CATALOG, "tiny", "nation");
    ViewExpression lowKeysOnly = new ViewExpression(USER, Optional.empty(), Optional.empty(), "nationkey < 10");

    accessControl.reset();
    accessControl.rowFilter(nation, USER, lowKeysOnly);

    // Each entry: DELETE statement, expected number of deleted rows.
    String[][] cases = {
            // predicates entirely within the allowed row filter
            {"DELETE FROM mock.tiny.nation WHERE nationkey < 3", "3"},
            {"DELETE FROM mock.tiny.nation WHERE nationkey IN (1, 2, 3)", "3"},
            // predicates reaching outside the row filter: only the readable rows are dropped
            {"DELETE FROM mock.tiny.nation", "10"},
            {"DELETE FROM mock.tiny.nation WHERE nationkey IN (1, 11)", "1"},
            {"DELETE FROM mock.tiny.nation WHERE nationkey >= 10", "0"},
    };
    for (String[] testCase : cases) {
        String delete = testCase[0];
        String expectedCount = "SELECT BIGINT '" + testCase[1] + "'";
        assertions.query(delete).assertThat().matches(expectedCount);
    }
}
Use of io.trino.spi.security.ViewExpression in project trino by trinodb.
Class TestRowFilter, method testShowStats.
/**
 * Verifies that SHOW STATS honours the row filter rather than reporting statistics for the
 * unfiltered table. With {@code orderkey = 0} applied to {@code tiny.orders}, the reported
 * statistics describe an empty relation: for {@code orderkey} and {@code custkey} a data size
 * of 0, 0 distinct values and a nulls fraction of 1, and a table row count of 0 (following the
 * column order of SHOW STATS: column_name, data_size, distinct_values_count, nulls_fraction,
 * row_count, low_value, high_value).
 *
 * <p>The filter's {@code ViewExpression} names {@code RUN_AS_USER} as its identity while the
 * filter itself is registered for {@code USER}, who runs the query.
 */
@Test
public void testShowStats() {
    QualifiedObjectName orders = new QualifiedObjectName(CATALOG, "tiny", "orders");
    ViewExpression noRows = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "orderkey = 0");

    accessControl.reset();
    accessControl.rowFilter(orders, USER, noRows);

    String expectedStats = "VALUES "
            + "(VARCHAR 'orderkey', 0e1, 0e1, 1e0, CAST(NULL AS double), CAST(NULL AS varchar), CAST(NULL AS varchar)),"
            + "(VARCHAR 'custkey', 0e1, 0e1, 1e0, CAST(NULL AS double), CAST(NULL AS varchar), CAST(NULL AS varchar)),"
            + "(NULL, NULL, NULL, NULL, 0e1, NULL, NULL)";
    assertThat(assertions.query("SHOW STATS FOR (SELECT * FROM tiny.orders)")).containsAll(expectedStats);
}
Use of io.trino.spi.security.ViewExpression in project trino by trinodb.
Class TestRowFilter, method testView.
/**
 * Row filters in combination with views. A filter on the underlying table applies when it is
 * defined for the view owner, whoever runs the query; a filter on the underlying table defined
 * only for the querying user (who is not the owner) must not apply; and a filter defined
 * directly on the view applies to the querying user.
 */
@Test
public void testView() {
    QualifiedObjectName nation = new QualifiedObjectName(CATALOG, "tiny", "nation");
    QualifiedObjectName nationView = new QualifiedObjectName(MOCK_CATALOG, "default", "nation_view");
    String namesFromView = "SELECT name FROM mock.default.nation_view";
    String argentinaOnly = "VALUES CAST('ARGENTINA' AS VARCHAR(25))";
    Session asRunAsUser = Session.builder(SESSION).setIdentity(Identity.forUser(RUN_AS_USER).build()).build();
    Session asViewOwner = Session.builder(SESSION).setIdentity(Identity.forUser(VIEW_OWNER).build()).build();

    // 1. filter on the underlying table for the view owner; query run by a different user
    accessControl.reset();
    accessControl.rowFilter(nation, VIEW_OWNER, new ViewExpression(VIEW_OWNER, Optional.empty(), Optional.empty(), "nationkey = 1"));
    assertThat(assertions.query(asRunAsUser, namesFromView)).matches(argentinaOnly);

    // 2. filter on the underlying table for the view owner; query run by the owner themselves
    accessControl.reset();
    accessControl.rowFilter(nation, VIEW_OWNER, new ViewExpression(VIEW_OWNER, Optional.of(CATALOG), Optional.of("tiny"), "nationkey = 1"));
    assertThat(assertions.query(asViewOwner, namesFromView)).matches(argentinaOnly);

    // 3. filter on the underlying table for the querying user only (not the view owner): must not
    //    be applied, so all 25 nations stay visible through the view (presumably because the
    //    view body runs under the owner's identity — confirm against the view definition)
    accessControl.reset();
    accessControl.rowFilter(nation, RUN_AS_USER, new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "nationkey = 1"));
    assertThat(assertions.query(asRunAsUser, "SELECT count(*) FROM mock.default.nation_view")).matches("VALUES BIGINT '25'");

    // 4. filter defined on the view itself for the querying user
    accessControl.reset();
    accessControl.rowFilter(nationView, USER, new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "nationkey = 1"));
    assertThat(assertions.query(namesFromView)).matches(argentinaOnly);
}
Use of io.trino.spi.security.ViewExpression in project trino by trinodb.
Class TestColumnMask, method testJoin.
/**
 * A masked column can still serve as a join key. With a mask on {@code orders.orderkey}, a
 * self-join of {@code orders} on {@code orderkey} is expected to produce 15000 rows — the
 * unmasked count, presumably the row count of {@code tiny.orders} — which holds because every
 * mask used here ({@code orderkey + 1}, {@code -orderkey}, {@code orderkey * 2}) is injective
 * and therefore does not change the join cardinality. The second part registers two masks on
 * the same column and expects the same count.
 */
@Test
public void testJoin() {
    QualifiedObjectName orders = new QualifiedObjectName(CATALOG, "tiny", "orders");
    String selfJoinCount = "SELECT count(*) FROM orders JOIN orders USING (orderkey)";
    String allRows = "VALUES BIGINT '15000'";

    // single mask
    accessControl.reset();
    accessControl.columnMask(orders, "orderkey", USER, new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "orderkey + 1"));
    assertThat(assertions.query(selfJoinCount)).matches(allRows);

    // two masks registered for the same column
    accessControl.reset();
    accessControl.columnMask(orders, "orderkey", USER, new ViewExpression(USER, Optional.empty(), Optional.empty(), "-orderkey"));
    accessControl.columnMask(orders, "orderkey", USER, new ViewExpression(USER, Optional.empty(), Optional.empty(), "orderkey * 2"));
    assertThat(assertions.query(selfJoinCount)).matches(allRows);
}