Example 1 with ExecPreparedStatement
use of org.apache.derby.iapi.sql.execute.ExecPreparedStatement in project derby by apache.
the class StatementColumnPermission method check.
/**
* @see StatementPermission#check
*/
public void check(LanguageConnectionContext lcc, boolean forGrant, Activation activation) throws StandardException {
DataDictionary dd = lcc.getDataDictionary();
ExecPreparedStatement ps = activation.getPreparedStatement();
if (hasPermissionOnTable(lcc, activation, forGrant, ps)) {
return;
}
String currentUserId = lcc.getCurrentUserId(activation);
FormatableBitSet permittedColumns = null;
if (!forGrant) {
permittedColumns = addPermittedColumns(dd, false, /* non-grantable permissions */
Authorizer.PUBLIC_AUTHORIZATION_ID, permittedColumns);
permittedColumns = addPermittedColumns(dd, false, /* non-grantable permissions */
currentUserId, permittedColumns);
}
permittedColumns = addPermittedColumns(dd, true, /* grantable permissions */
Authorizer.PUBLIC_AUTHORIZATION_ID, permittedColumns);
permittedColumns = addPermittedColumns(dd, true, /* grantable permissions */
currentUserId, permittedColumns);
// select t1.c1 from t1, t2
if (privType == Authorizer.MIN_SELECT_PRIV && permittedColumns != null)
return;
FormatableBitSet unresolvedColumns = (FormatableBitSet) columns.clone();
for (int i = unresolvedColumns.anySetBit(); i >= 0; i = unresolvedColumns.anySetBit(i)) {
if (permittedColumns != null && permittedColumns.get(i)) {
// column i (zero-based here) accounted for:
unresolvedColumns.clear(i);
}
}
if (unresolvedColumns.anySetBit() < 0) {
// all ok
return;
}
// If columns are still unauthorized, look to role closure for
// resolution.
String role = lcc.getCurrentRoleId(activation);
RoleGrantDescriptor rd = null;
if (role != null) {
// Check that role is still granted to current user or
// to PUBLIC: A revoked role which is current for this
// session, is lazily set to none when it is attempted
// used.
String dbo = dd.getAuthorizationDatabaseOwner();
rd = dd.getRoleGrantDescriptor(role, currentUserId, dbo);
if (rd == null) {
rd = dd.getRoleGrantDescriptor(role, Authorizer.PUBLIC_AUTHORIZATION_ID, dbo);
}
if (rd == null) {
// we have lost the right to set this role, so we can't
// make use of any permission granted to it or its ancestors.
lcc.setCurrentRole(activation, null);
} else {
// The current role is OK, so we can make use of
// any permission granted to it.
//
// Look at the current role and, if necessary, the transitive
// closure of roles granted to current role to see if
// permission has been granted to any of the applicable roles.
RoleClosureIterator rci = dd.createRoleClosureIterator(activation.getTransactionController(), role, true);
String r;
while (unresolvedColumns.anySetBit() >= 0 && (r = rci.next()) != null) {
// The user does not have needed privilege directly
// granted to it, so let's see if he has that privilege
// available to him/her through his roles.
permittedColumns = tryRole(lcc, dd, forGrant, r);
// select t1.c1 from t1, t2
if (privType == Authorizer.MIN_SELECT_PRIV && permittedColumns != null) {
DependencyManager dm = dd.getDependencyManager();
RoleGrantDescriptor rgd = dd.getRoleDefinitionDescriptor(role);
ContextManager cm = lcc.getContextManager();
dm.addDependency(ps, rgd, cm);
dm.addDependency(activation, rgd, cm);
return;
}
// we will quit out of this while loop
for (int i = unresolvedColumns.anySetBit(); i >= 0; i = unresolvedColumns.anySetBit(i)) {
if (permittedColumns != null && permittedColumns.get(i)) {
unresolvedColumns.clear(i);
}
}
}
}
}
TableDescriptor td = getTableDescriptor(dd);
// privilege on the table or any column in the table
if (privType == Authorizer.MIN_SELECT_PRIV)
throw StandardException.newException(forGrant ? SQLState.AUTH_NO_TABLE_PERMISSION_FOR_GRANT : SQLState.AUTH_NO_TABLE_PERMISSION, currentUserId, getPrivName(), td.getSchemaName(), td.getName());
int remains = unresolvedColumns.anySetBit();
if (remains >= 0) {
// No permission on this column.
ColumnDescriptor cd = td.getColumnDescriptor(remains + 1);
if (cd == null) {
throw StandardException.newException(SQLState.AUTH_INTERNAL_BAD_UUID, "column");
} else {
throw StandardException.newException((forGrant ? SQLState.AUTH_NO_COLUMN_PERMISSION_FOR_GRANT : SQLState.AUTH_NO_COLUMN_PERMISSION), currentUserId, getPrivName(), cd.getColumnName(), td.getSchemaName(), td.getName());
}
} else {
// We found and successfully applied a role to resolve the
// (remaining) required permissions.
//
// Also add a dependency on the role (qua provider), so
// that if role is no longer available to the current
// user (e.g. grant is revoked, role is dropped,
// another role has been set), we are able to
// invalidate the ps or activation (the latter is used
// if the current role changes).
DependencyManager dm = dd.getDependencyManager();
RoleGrantDescriptor rgd = dd.getRoleDefinitionDescriptor(role);
ContextManager cm = lcc.getContextManager();
dm.addDependency(ps, rgd, cm);
dm.addDependency(activation, rgd, cm);
}
}
Also used :
ExecPreparedStatement(org.apache.derby.iapi.sql.execute.ExecPreparedStatement)
ContextManager(org.apache.derby.iapi.services.context.ContextManager)
DependencyManager(org.apache.derby.iapi.sql.depend.DependencyManager)
FormatableBitSet(org.apache.derby.iapi.services.io.FormatableBitSet)
Example 2 with ExecPreparedStatement
use of org.apache.derby.iapi.sql.execute.ExecPreparedStatement in project derby by apache.
the class StatementPermission method genericCheck.
/**
* Generic logic called by check() for USAGE and EXECUTE privileges. Throws
* an exception if the correct permission cannot be found.
*/
public void genericCheck(LanguageConnectionContext lcc, boolean forGrant, Activation activation, String privilegeType) throws StandardException {
DataDictionary dd = lcc.getDataDictionary();
TransactionController tc = lcc.getTransactionExecute();
ExecPreparedStatement ps = activation.getPreparedStatement();
PermissionsDescriptor perm = getPermissionDescriptor(lcc.getCurrentUserId(activation), dd);
if (!isCorrectPermission(perm)) {
perm = getPermissionDescriptor(Authorizer.PUBLIC_AUTHORIZATION_ID, dd);
}
// if the user has the correct permission, we're done
if (isCorrectPermission(perm)) {
return;
}
boolean resolved = false;
// Since no permission exists for the current user or PUBLIC,
// check if a permission exists for the current role (if set).
String role = lcc.getCurrentRoleId(activation);
if (role != null) {
// Check that role is still granted to current user or
// to PUBLIC: A revoked role which is current for this
// session, is lazily set to none when it is attemped
// used.
String dbo = dd.getAuthorizationDatabaseOwner();
RoleGrantDescriptor rd = dd.getRoleGrantDescriptor(role, lcc.getCurrentUserId(activation), dbo);
if (rd == null) {
rd = dd.getRoleGrantDescriptor(role, Authorizer.PUBLIC_AUTHORIZATION_ID, dbo);
}
if (rd == null) {
// We have lost the right to set this role, so we can't
// make use of any permission granted to it or its
// ancestors.
lcc.setCurrentRole(activation, null);
} else {
// The current role is OK, so we can make use of
// any permission granted to it.
//
// Look at the current role and, if necessary, the
// transitive closure of roles granted to current role to
// see if permission has been granted to any of the
// applicable roles.
RoleClosureIterator rci = dd.createRoleClosureIterator(activation.getTransactionController(), role, true);
String r;
while (!resolved && (r = rci.next()) != null) {
perm = getPermissionDescriptor(r, dd);
if (isCorrectPermission(perm)) {
resolved = true;
}
}
}
if (resolved) {
// Also add a dependency on the role (qua provider), so that if
// role is no longer available to the current user (e.g. grant
// is revoked, role is dropped, another role has been set), we
// are able to invalidate the ps or activation (the latter is
// used if the current role changes).
DependencyManager dm = dd.getDependencyManager();
RoleGrantDescriptor rgd = dd.getRoleDefinitionDescriptor(role);
ContextManager cm = lcc.getContextManager();
dm.addDependency(ps, rgd, cm);
dm.addDependency(activation, rgd, cm);
}
}
if (!resolved) {
PrivilegedSQLObject pso = getPrivilegedObject(dd);
if (pso == null) {
throw StandardException.newException(SQLState.AUTH_INTERNAL_BAD_UUID, getObjectType());
}
SchemaDescriptor sd = pso.getSchemaDescriptor();
if (sd == null) {
throw StandardException.newException(SQLState.AUTH_INTERNAL_BAD_UUID, "SCHEMA");
}
throw StandardException.newException((forGrant ? SQLState.AUTH_NO_GENERIC_PERMISSION_FOR_GRANT : SQLState.AUTH_NO_GENERIC_PERMISSION), lcc.getCurrentUserId(activation), privilegeType, getObjectType(), sd.getSchemaName(), pso.getName());
}
}
Also used :
ExecPreparedStatement(org.apache.derby.iapi.sql.execute.ExecPreparedStatement)
ContextManager(org.apache.derby.iapi.services.context.ContextManager)
DependencyManager(org.apache.derby.iapi.sql.depend.DependencyManager)
TransactionController(org.apache.derby.iapi.store.access.TransactionController)
Example 3 with ExecPreparedStatement
use of org.apache.derby.iapi.sql.execute.ExecPreparedStatement in project derby by apache.
the class StatementTablePermission method check.
/**
* @see StatementPermission#check
*/
public void check(LanguageConnectionContext lcc, boolean forGrant, Activation activation) throws StandardException {
ExecPreparedStatement ps = activation.getPreparedStatement();
if (!hasPermissionOnTable(lcc, activation, forGrant, ps)) {
DataDictionary dd = lcc.getDataDictionary();
TableDescriptor td = getTableDescriptor(dd);
throw StandardException.newException((forGrant ? SQLState.AUTH_NO_TABLE_PERMISSION_FOR_GRANT : SQLState.AUTH_NO_TABLE_PERMISSION), lcc.getCurrentUserId(activation), getPrivName(), td.getSchemaName(), td.getName());
}
}
Also used :
ExecPreparedStatement(org.apache.derby.iapi.sql.execute.ExecPreparedStatement)
Example 4 with ExecPreparedStatement
use of org.apache.derby.iapi.sql.execute.ExecPreparedStatement in project derby by apache.
the class SQLBoolean method throwExceptionIfImmediateAndFalse.
public BooleanDataValue throwExceptionIfImmediateAndFalse(String sqlState, String tableName, String constraintName, Activation a, int savedUUIDIdx) throws StandardException {
if (!isNull() && (value == false)) {
final ExecPreparedStatement ps = a.getPreparedStatement();
final UUID constrId = (UUID) ps.getSavedObject(savedUUIDIdx);
final LanguageConnectionContext lcc = a.getLanguageConnectionContext();
final boolean isDeferred = lcc.isEffectivelyDeferred(lcc.getCurrentSQLSessionContext(a), constrId);
if (!isDeferred) {
throw StandardException.newException(sqlState, tableName, constraintName);
} else {
// Just return the false value and validate later,
// cf NoRowsResultSetImpl#evaluateCheckConstraints.
// and InsertResultSet#evaluateCheckConstraints
DMLWriteResultSet rs = (DMLWriteResultSet) a.getResultSet();
rs.rememberConstraint(constrId);
}
}
return this;
}
Also used :
ExecPreparedStatement(org.apache.derby.iapi.sql.execute.ExecPreparedStatement)
LanguageConnectionContext(org.apache.derby.iapi.sql.conn.LanguageConnectionContext)
DMLWriteResultSet(org.apache.derby.impl.sql.execute.DMLWriteResultSet)
UUID(org.apache.derby.catalog.UUID)
Example 5 with ExecPreparedStatement
use of org.apache.derby.iapi.sql.execute.ExecPreparedStatement in project derby by apache.
the class GenericLanguageConnectionContext method endTransactionActivationHandling.
//
// class implementation
//
/**
* If we are called as part of rollback code path, then we will reset all
* the activations that have resultset returning rows associated with
* them. DERBY-3304 Resultsets that do not return rows should be left
* alone when the rollback is through the JDBC Connection object. If the
* rollback is caused by an exception, then at that time, all kinds of
* resultsets should be closed.
*
* If we are called as part of commit code path, then we will do one of
* the following if the activation has resultset assoicated with it. Also,
* we will clear the conglomerate used while scanning for update/delete
* 1)Close result sets that return rows and are not held across commit.
* 2)Clear the current row of the resultsets that return rows and are
* held across commit.
* 3)Leave the result sets untouched if they do not return rows
*
* Additionally, clean up (close()) activations that have been
* marked as unused during statement finalization.
*
* @exception StandardException thrown on failure
*/
private void endTransactionActivationHandling(boolean forRollback) throws StandardException {
// itself from the list, thus invalidating the Enumeration
for (int i = acts.size() - 1; i >= 0; i--) {
// the end of the array
if (i >= acts.size())
continue;
Activation a = acts.get(i);
/*
** Look for stale activations. Activations are
** marked as unused during statement finalization.
** Here, we sweep and remove this inactive ones.
*/
if (!a.isInUse()) {
a.close();
continue;
}
// Determine if the activation has a resultset and if that resultset
// returns rows. For such an activation, we need to take special
// actions during commit and rollback as explained in the comments
// below.
ResultSet activationResultSet = a.getResultSet();
boolean resultsetReturnsRows = activationResultSet != null && activationResultSet.returnsRows();
if (forRollback) {
if (resultsetReturnsRows)
// Since we are dealing with rollback, we need to reset
// the activation no matter what the holdability might
// be provided that resultset returns rows. An example
// where we do not want to close a resultset that does
// not return rows would be a java procedure which has
// user invoked rollback inside of it. That rollback
// should not reset the activation associated with
// the call to java procedure because that activation
// is still being used.
a.reset();
// Only invalidate statements if we performed DDL.
if (dataDictionaryInWriteMode()) {
ExecPreparedStatement ps = a.getPreparedStatement();
if (ps != null) {
ps.makeInvalid(DependencyManager.ROLLBACK, this);
}
}
} else {
// We are dealing with commit here.
if (resultsetReturnsRows) {
if (a.getResultSetHoldability() == false)
// Close result sets that return rows and are not held
// across commit. This is to implement closing JDBC
// result sets that are CLOSE_CURSOR_ON_COMMIT at commit
// time.
activationResultSet.close();
else
// Clear the current row of the result sets that return
// rows and are held across commit. This is to implement
// keeping JDBC result sets open that are
// HOLD_CURSORS_OVER_COMMIT at commit time and marking
// the resultset to be not on a valid row position. The
// user will need to reposition within the resultset
// before doing any row operations.
activationResultSet.clearCurrentRow();
}
a.clearHeapConglomerateController();
}
}
}
Also used :
ExecPreparedStatement(org.apache.derby.iapi.sql.execute.ExecPreparedStatement)
ResultSet(org.apache.derby.iapi.sql.ResultSet)
Activation(org.apache.derby.iapi.sql.Activation)
CursorActivation(org.apache.derby.iapi.sql.execute.CursorActivation)
Aggregations
ExecPreparedStatement (org.apache.derby.iapi.sql.execute.ExecPreparedStatement)13
UUID (org.apache.derby.catalog.UUID)3
ContextManager (org.apache.derby.iapi.services.context.ContextManager)3
DependencyManager (org.apache.derby.iapi.sql.depend.DependencyManager)3
TransactionController (org.apache.derby.iapi.store.access.TransactionController)3
DataValueDescriptor (org.apache.derby.iapi.types.DataValueDescriptor)3
Timestamp (java.sql.Timestamp)2
FormatableBitSet (org.apache.derby.iapi.services.io.FormatableBitSet)2
Activation (org.apache.derby.iapi.sql.Activation)2
ResultSet (org.apache.derby.iapi.sql.ResultSet)2
LanguageConnectionContext (org.apache.derby.iapi.sql.conn.LanguageConnectionContext)2
CursorActivation (org.apache.derby.iapi.sql.execute.CursorActivation)2
ExecRow (org.apache.derby.iapi.sql.execute.ExecRow)2
SQLBoolean (org.apache.derby.iapi.types.SQLBoolean)2
SQLVarchar (org.apache.derby.iapi.types.SQLVarchar)2
GeneratedClass (org.apache.derby.iapi.services.loader.GeneratedClass)1
ResultDescription (org.apache.derby.iapi.sql.ResultDescription)1
Statement (org.apache.derby.iapi.sql.Statement)1
StorablePreparedStatement (org.apache.derby.iapi.sql.StorablePreparedStatement)1
TagFilter (org.apache.derby.iapi.sql.compile.TagFilter)1
