diff -r 000000000000 -r bde4ae8d615e os/persistentdata/persistentstorage/sql/SRC/Server/SqlSrvAuthorizer.cpp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/os/persistentdata/persistentstorage/sql/SRC/Server/SqlSrvAuthorizer.cpp Fri Jun 15 03:10:57 2012 +0200 @@ -0,0 +1,571 @@ +// Copyright (c) 2005-2010 Nokia Corporation and/or its subsidiary(-ies). +// All rights reserved. +// This component and the accompanying materials are made available +// under the terms of "Eclipse Public License v1.0" +// which accompanies this distribution, and is available +// at the URL "http://www.eclipse.org/legal/epl-v10.html". +// +// Initial Contributors: +// Nokia Corporation - initial contribution. +// +// Contributors: +// +// Description: +// + +#include "SqlSrvAuthorizer.h" //MSqlPolicyInspector +#include "SqlSrvMain.h" //CSqlServer +#include "SqlSrvSecurityMap.h" //RSqlSecurityMap +#include "SqlSrvDatabase.h" //CSqlSrvDatabase +#include "SqlSecurityImpl.h" //CSqlSecurityPolicy +#include "SqlSrvDbSysSettings.h"//TSqlDbSysSettings +#include "SqlSrvUtil.h" //Global server functions +#include "SqlSrvStatementUtil.h"//Global sql statement related functions +#include "SqlSrvStrings.h" //KTempDb +#include "sqlite3.h" +#include "SqliteSymbian.h" //sqlite3SymbianLastOsError() + +//This macro is used to suppress "function argument not used" compiler warning. +#define UNUSED_ARG(arg) arg = (arg) + +//Array of pragma commands +const TPtrC8 KPragmaCommands[] = + { + KAutoVacuum(), KCacheSize(), KCaseSensitiveLike(), KCountChanges(), KDefaultCacheSize(), + KEmptyResultCallbacks(), KEncoding(), KFullColumnNames(), KFullfsync(), KIncrementalVacuum(), + KJournalMode(), KJournalSizeLimit(), KLegacyFileFormat(), KLockingMode(), KPageSize(), + KMaxPageCount(), KReadUncommitted(), KShortColumnNames(), KSynchronousFlag(), KTempStore(), + KTempStoreDirectory(), KDatabaseList(), KForeignKeyList(), KFreelistCount(), KIndexInfo(), + KIndexIist(), KPageCount(),KTableInfo(), KSchemaVersion(), KUserVersion(), + KIntegrityCheck(),KParserTrace(), KVdbeTrace(), KdbeListing() + }; + +const TInt KMaxPragmaCommands = sizeof(KPragmaCommands) / sizeof(KPragmaCommands[0]); + + +//Define the different ways of calling a pragam depending on the following +// 1) If its a secure or non secure database +// 2) If the pragma is called with a parameter (write) or without a parameter (read) +struct TPragmaAccess + { + TInt iNonSecureRead; + TInt iNonSecureWrite; + TInt iSecureRead; + TInt iSecureWrite; + }; + +//Table specifying the permissions for each pragma command for secure (shared) and non-secure (public and private) +//databases. For each database permissions for the following situations are specified +//1) With Parameter - e.g "Pragma auto_vacuum = 0" +//2) Without Parameter - e.g "Pragma auto_vacuum" + +//Permissions "without parameters" usually apply to a pragma query (or read) +//Permissions "with parameters" usually apply to pragama set (or write) +//However please note that this is not always the case. e.g "index_info" requires a parameter but is used to query +//(or read) the database and not a pragma set. +const TPragmaAccess KPermissionsTable[KMaxPragmaCommands] = + { + ///////////////////////////////////////////////////////////////////////////////////////////////////////////// + // NON_SECURE | SECURE | + // W/Out Parameter |With Parameter |W/Out Parameter|With Parameter |Pragma Command + ///////////////////////////////////////////////////////////////////////////////////////////////////////////// + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //0. auto_vacuum + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //1.cache_size + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //2.case_sensitive_like + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //3.count_changes + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //4.cache_size + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //5.empty_result_callbacks + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //6.encoding + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //7.full_column_names + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //8.fullfsync + {SQLITE_IGNORE, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //9.incremental_vacuum + {SQLITE_IGNORE, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //10.journal_mode + {SQLITE_IGNORE, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //11.journal_size_limit + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //12.legacy_file_format + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //13.locking_mode + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //14.page_size + {SQLITE_IGNORE, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //15.max_page_count + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //16.read_uncommitted + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //17.short_column_names + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //18.synchronous + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //19.temp_store + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //20.temp_store_directory + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //21.database_list + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //22.foreign_key_list + {SQLITE_IGNORE, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //23.freelist_count + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //24.index_info + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //25.index_list + {SQLITE_IGNORE, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //26.page_count + {SQLITE_OK, SQLITE_OK, SQLITE_DENY, SQLITE_DENY}, //27.table_info + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //28.schema_version + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //29.user_version + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //30.integrity_check + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //31.parser_trace + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //32.vdbe_trace + {SQLITE_OK, SQLITE_IGNORE, SQLITE_DENY, SQLITE_DENY}, //33.vdbe_listing + }; + + +//This const array describes the relation between the database operation type and +//the number of the authorizer argument where the table name is. +//For example: +//- SQLITE_CREATE_TEMP_TABLE operation. The table name is in aDbObjName1 argument, so the array element value is 1. +//- SQLITE_PRAGMA operation. No table name for this operation, so the array element value is 0. +//- SQLITE_CREATE_TEMP_TRIGGER operation. The table name is in aDbObjName2 argument, so the array element value is 2. +const TUint8 KTableNameArgIndex[] = + { + ///////////////////////////////////////////////////////////////// + // aDbObjName1 aDbObjName2 + ///////////////////////////////////////////////////////////////// + 1, //SQLITE_COPY Table Name Filename + 2, //SQLITE_CREATE_INDEX Index Name Table Name + 1, //SQLITE_CREATE_TABLE Table Name NULL + 2, //SQLITE_CREATE_TEMP_INDEX Index Name Table Name + 1, //SQLITE_CREATE_TEMP_TABLE Table Name NULL + 2, //SQLITE_CREATE_TEMP_TRIGGER Trigger Name Table Name + 0, //SQLITE_CREATE_TEMP_VIEW View Name NULL + 2, //SQLITE_CREATE_TRIGGER Trigger Name Table Name + 0, //SQLITE_CREATE_VIEW View Name NULL + 1, //SQLITE_DELETE Table Name NULL + 2, //SQLITE_DROP_INDEX Index Name Table Name + 1, //SQLITE_DROP_TABLE Table Name NULL + 2, //SQLITE_DROP_TEMP_INDEX Index Name Table Name + 1, //SQLITE_DROP_TEMP_TABLE Table Name NULL + 2, //SQLITE_DROP_TEMP_TRIGGER Trigger Name Table Name + 0, //SQLITE_DROP_TEMP_VIEW View Name NULL + 2, //SQLITE_DROP_TRIGGER Trigger Name Table Name + 0, //SQLITE_DROP_VIEW View Name NULL + 1, //SQLITE_INSERT Table Name NULL + 0, //SQLITE_PRAGMA Pragma Name 1st arg or NULL + 1, //SQLITE_READ Table Name Column Name + 0, //SQLITE_SELECT NULL NULL + 0, //SQLITE_TRANSACTION NULL NULL + 1, //SQLITE_UPDATE Table Name Column Name + 0, //SQLITE_ATTACH Filename NULL + 0, //SQLITE_DETACH Database Name NULL + 2, //SQLITE_ALTER_TABLE Database Name Table Name + 0, //SQLITE_REINDEX Index Name NULL + 1, //SQLITE_ANALYZE Table Name NULL + 1, //SQLITE_CREATE_VTABLE Table Name Module Name + 1, //SQLITE_DROP_VTABLE Table Name Module Name + 0 //SQLITE_FUNCTION Function Name NULL + }; + +//The function returns the argument number where the table name is. +inline TInt DbOp2TableNameArgIndex(TInt aDbOpType) + { + __ASSERT_DEBUG(aDbOpType > 0 && aDbOpType <= SQLITE_FUNCTION, __SQLPANIC2(ESqlPanicInternalError)); + return KTableNameArgIndex[aDbOpType]; + } + +//The function returns the table name, which may be in aDbObjName1 or aDbObjName2, depending on aDbOpType value. +//The return value is "const char" pointer to a zero terminated string. +inline const char* DbOp2TableName(TInt aDbOpType, const char* aDbObjName1, const char* aDbObjName2) + { + TInt pos = DbOp2TableNameArgIndex(aDbOpType); + if(pos == 2) + { + __ASSERT_DEBUG(aDbObjName2 != NULL, __SQLPANIC2(ESqlPanicInternalError)); + return aDbObjName2; + } + else if(pos == 1) + { + __ASSERT_DEBUG(aDbObjName1 != NULL, __SQLPANIC2(ESqlPanicInternalError)); + return aDbObjName1; + } + return NULL;//Some database operations do not use table name + } + +//This function returns the database name which may be in aDbObjName1 or aDbName depending on aDbOpType value. +//The return value is "const char" pointer to a zero terminated string. +inline const char* DbOp2DbName(TInt aDbOpType, const char* aDbObjName1, const char* aDbName) + { + if(aDbOpType == SQLITE_DETACH || aDbOpType == SQLITE_ALTER_TABLE) + { + __ASSERT_DEBUG(aDbObjName1 != NULL, __SQLPANIC2(ESqlPanicInternalError)); + return aDbObjName1; + } + return aDbName;//It may be NULL for some database operations + } + +/** +This function performs pragma permission checks for non-secure and secure databases + +@param aDbObjName1 Database, Table, View, Trigger, Index, Pragma or File name. It depends on the + values of aDbOpType argument. UTF8 encoded, zero-terminated. +@param aParamUsed ETrue if the pragma command has been executed with a parameter, EFalse otherwise +@param aSecure ETrue if the pragam check if for secure database, EFalse otherwise + +@return SQLITE_OK Access is allowed +@return SQLITE_DENY The entire SQL statement should be aborted +@return SQLITE_IGNORE The column should be treated as it has NULL value + +@internalComponent + */ +static TInt PragmaCheck(const char* aDbObjName1, TBool aParamUsed, TBool aSecure) + { + //Retreive the pragma name + TPtrC8 DbObjName1(KNullDesC8); + DbObjName1.Set(reinterpret_cast (aDbObjName1)); + + //Access the pragma permissions table depending if its :- + // 1) Secure or non-secure database. + // 2) Parameter was used or not. + for (TInt index=0; index (tblNamePtr)); + } + + //Under no circumstances is allowed to do any operation with the system tables. + //(Even SQLITE_READ operation, because the system tables data is read at the moment when the database + // is created/opened) + if(::IsSystemTableName(tblName)) + { + return SQLITE_DENY; + } + //================================================================= + // aDbOpType aDbObjName1 aDbObjName2 + //================================================================= + MSqlPolicyInspector& inspector = ::SqlServer().SecurityInspector(); + TSecurityPolicy schemaPolicy = aSecurityPolicy->DbPolicy(RSqlSecurityPolicy::ESchemaPolicy); + TSecurityPolicy writePolicy = aSecurityPolicy->DbPolicy(RSqlSecurityPolicy::EWritePolicy); + TSecurityPolicy readPolicy = aSecurityPolicy->DbPolicy(RSqlSecurityPolicy::EReadPolicy); + TInt res = SQLITE_OK; + switch(aDbOpType) + { + //"Database schema policy" check + case SQLITE_CREATE_INDEX:// Index Name Table Name + case SQLITE_CREATE_TABLE:// Table Name NULL + case SQLITE_CREATE_TRIGGER:// Trigger Name Table Name + case SQLITE_CREATE_VIEW:// View Name NULL + case SQLITE_DROP_INDEX:// Index Name Table Name + case SQLITE_DROP_TABLE:// Table Name NULL + case SQLITE_DROP_TRIGGER:// Trigger Name Table Name + case SQLITE_DROP_VIEW:// View Name NULL + case SQLITE_ALTER_TABLE:// Database Name Table Name + if(!inspector.Check(schemaPolicy)) + { + res = SQLITE_DENY; + } + break; + //No policy check + case SQLITE_SELECT:// NULL NULL + case SQLITE_TRANSACTION:// NULL NULL + break; + //"Database schema policy" for sqlite tables + //"Database schema policy" || "Database write policy" for user tables + case SQLITE_DELETE:// Table Name NULL + case SQLITE_INSERT:// Table Name NULL + case SQLITE_UPDATE:// Table Name Column Name + if(!inspector.Check(schemaPolicy)) + { + res = SQLITE_DENY; + if(!::IsSqliteTableName(tblName)) + { + if(inspector.Check(writePolicy)) + { + res = SQLITE_OK; + } + } + } + break; + //"Database schema policy" || "Database read policy" || "Database write policy" for sqlite tables + //"Database schema policy" || "Database read policy" for user tables + case SQLITE_READ:// Table Name Column Name + if(!(inspector.Check(schemaPolicy) || inspector.Check(readPolicy))) + { + res = SQLITE_DENY; + if(::IsSqliteTableName(tblName)) + { + if(inspector.Check(writePolicy)) + { + res = SQLITE_OK; + } + } + } + break; + case SQLITE_PRAGMA:// Pragma Name 1st arg or NULL + res = PragmaCheck(aDbObjName1, (aDbObjName2 != NULL), ETrue); + break; + case SQLITE_ATTACH:// Filename NULL + case SQLITE_DETACH:// Database Name NULL + //If the operation is SQLITE_ATTACH or SQLITE_DETACH, return SQLITE_DENY. + //"ATTACH DATABASE"/"DETACH DATABASE" operations are performed by separate "attach/detach db" methods. + res = SQLITE_DENY; + break; + //No policy check + case SQLITE_REINDEX:// Index Name NULL + case SQLITE_ANALYZE:// Table Name NULL + break; + //No policy check + case SQLITE_FUNCTION: + break; +//All "temp" operations are handled earlier, in CSqlSrvDatabase::AuthorizeCallback(), where a check for "temp" +//database name is performed. +// case SQLITE_CREATE_TEMP_INDEX:// Index Name Table Name +// case SQLITE_CREATE_TEMP_TABLE:// Table Name NULL +// case SQLITE_CREATE_TEMP_TRIGGER:// Trigger Name Table Name +// case SQLITE_CREATE_TEMP_VIEW:// View Name NULL +// case SQLITE_DROP_TEMP_INDEX:// Index Name Table Name +// case SQLITE_DROP_TEMP_TABLE:// Table Name NULL +// case SQLITE_DROP_TEMP_TRIGGER:// Trigger Name Table Name +// case SQLITE_DROP_TEMP_VIEW:// View Name NULL +//"CREATE VIRTUAL TABLE" and "DROP VIRTUAL TABLE" sql statements are not supported +// case SQLITE_CREATE_VTABLE: +// case SQLITE_DROP_VTABLE: + default: + __ASSERT_DEBUG(EFalse, __SQLPANIC2(ESqlPanicInternalError)); + break; + } + return res; + } + +/** +This callback function is invoked by the SQLITE engine at SQL statement compile time +for each attempt to access a column of a table in the database. + +The callback returns SQLITE_OK if access is allowed, +SQLITE_DENY if the entire SQL statement should be aborted with an error and +SQLITE_IGNORE if the column should be treated as a NULL value. + +@param aDb "This" pointer (to the rellated CSqlSrvDatabase object). +@param aDbOpType Database operation type, which needs to be authorized. It could be one of these: + +@code +================================================================= +aDbOpType aDbObjName1 aDbObjName2 +================================================================= +SQLITE_CREATE_INDEX Index Name Table Name +SQLITE_CREATE_TABLE Table Name NULL +SQLITE_CREATE_TEMP_INDEX Index Name Table Name +SQLITE_CREATE_TEMP_TABLE Table Name NULL +SQLITE_CREATE_TEMP_TRIGGER Trigger Name Table Name +SQLITE_CREATE_TEMP_VIEW View Name NULL +SQLITE_CREATE_TRIGGER Trigger Name Table Name +SQLITE_CREATE_VIEW View Name NULL +SQLITE_DELETE Table Name NULL +SQLITE_DROP_INDEX Index Name Table Name +SQLITE_DROP_TABLE Table Name NULL +SQLITE_DROP_TEMP_INDEX Index Name Table Name +SQLITE_DROP_TEMP_TABLE Table Name NULL +SQLITE_DROP_TEMP_TRIGGER Trigger Name Table Name +SQLITE_DROP_TEMP_VIEW View Name NULL +SQLITE_DROP_TRIGGER Trigger Name Table Name +SQLITE_DROP_VIEW View Name NULL +SQLITE_INSERT Table Name NULL +SQLITE_PRAGMA Pragma Name 1st arg or NULL +SQLITE_READ Table Name Column Name +SQLITE_SELECT NULL NULL +SQLITE_TRANSACTION NULL NULL +SQLITE_UPDATE Table Name Column Name +SQLITE_ATTACH Filename NULL +SQLITE_DETACH Database Name NULL +SQLITE_ALTER_TABLE Database Name Table Name +SQLITE_REINDEX Index Name NULL +SQLITE_ANALYZE Table Name NULL +SQLITE_CREATE_VTABLE Table Name Module Name +SQLITE_DROP_VTABLE Table Name Module Name +SQLITE_FUNCTION Function Name NULL +================================================================= +@endcode + +@param aDbObjName1 Database, Table, View, Trigger, Index, Pragma or File name. It depends on the + values of aDbOpType argument. UTF8 encoded, zero-terminated. +@param aDbObjName2 Table or Column name. It depends on the values of aDbOpType argument. UTF8 encoded, zero-terminated. +@param aDbName Database name - "main", "temp", etc. UTF8 encoded, zero-terminated. +@param aTrgOrViewName The name of the inner-most trigger or view that is responsible for the access + attempt or NULL if this access attempt is directly from input SQL code. UTF8 encoded, zero-terminated. + +@return SQLITE_OK Access is allowed +@return SQLITE_DENY The entire SQL statement should be aborted +@return SQLITE_IGNORE The column should be treated as it has NULL value + +@panic SqlDb 4 In _DEBUG mode. The authorizer was called with NULL aDb argument. + +@internalComponent +*/ +TInt CSqlSrvDatabase::AuthorizeCallback(void* aDb, TInt aDbOpType, + const char* aDbObjName1, const char* aDbObjName2, + const char* aDbName, const char* aTrgOrViewName) + { + UNUSED_ARG(aTrgOrViewName); + __ASSERT_DEBUG(aDb != NULL, __SQLPANIC2(ESqlPanicBadArgument)); + +#ifdef _SQL_AUTHORIZER_TRACE_ENABLED + enum TDbOpType {EOpCreateIndex = 1, EOpCreateTable, EOpCreateTempIndex, EOpCreateTempTable, + EOpCreateTempTrigger, EOpCreateTempView, EOpCreateTrigger, EOpCreateView, EOpDelete, EOpDropIndex, + EOpDropTable, EOpDropTempIndex, EOpDropTempTable, EOpDropTempTrigger, EOpDropTempView, EOpDropTrigger, + EOpDropView, EOpInsert, EOpPragma, EOpRead, EOpSelect, EOpTransaction, EOpUpdate, EOpAttach, EOpDettach, + EOpAlterTable, EOpReindex, EOpAnalyze, EOpCreateVTable, EOpDropVTable, EOpFunctionCall}; + TDbOpType dbOpType = static_cast (aDbOpType);//can be seen now in the debugger + ::PrintAuthorizerArguments(dbOpType, aDbObjName1, aDbObjName2, aDbName, aTrgOrViewName); +#endif + + CSqlSrvDatabase& db = *static_cast (aDb); + + //1. If the authorizer is currently disabled - return SQLITE_OK. + // (This happens when a database is attached/detached) + if(db.iAuthorizerDisabled) + { + return SQLITE_OK; + } + + TPtrC8 dbName(KNullDesC8); + const char* dbNamePtr = DbOp2DbName(aDbOpType, aDbObjName1, aDbName);//dbNamePtr is zero terminated + if(dbNamePtr) + { + dbName.Set(reinterpret_cast (dbNamePtr)); + } + aDbName = NULL;//No more use of aDbName argument inside the function. + + //2. If the database name is KTempDb, then allow the access. It is a local database + // (for the client), deleted when closed. + if(dbName.Compare(KTempDb8) == 0) //dbName is guaranteed to be in lower case if it is "temp", + { //so it is possible to use binary string comparison + return SQLITE_OK; + } + + //3. Find the security policies. For DefaultAccess initialized with NULL. + const CSqlSecurityPolicy* securityPolicy = NULL; + if(dbName.Compare(KMainDb8) == 0||dbName.Length() == 0) //dbName is guaranteed to be in lower case if it is "main", + { //so it is possible to use binary string comparison + //4. This is the main database. + securityPolicy = db.iSecurityPolicy; + } + else + { + //5. This is an attached database. Find the attached database security policies. + //dbNamePtr is used here because it is zero terminated + TSqlAttachDbPair* attachDbPair = db.iAttachDbMap.Entry(reinterpret_cast (dbNamePtr)); + if(attachDbPair) + {//secure database, find the security policies + const TUint8* securityMapKey = attachDbPair->iData; + RSqlSecurityMap& map = ::SqlServer().SecurityMap(); + TSqlSecurityPair* pair = map.Entry(securityMapKey); + if(pair) + { + securityPolicy = pair->iData; + } + } + } + + //Here we have: + // - valid database name (not NULL); + + //6. Default or Security Policy Checks + return !securityPolicy ? NonSecureChecks(aDbOpType,aDbObjName1,aDbObjName2): SecureChecks(securityPolicy,aDbOpType,aDbObjName1,aDbObjName2); + }