Feature/validate role options (#101)
Be more rigorous about validating user flags. Only accept CREATE ROLE flags that doesn't have any params (i.e. not ADMIN or CONNECTION LIMIT). Check that both flag and NOflag are not used at the same time.
This commit is contained in:
Oleksii Kliukin
GitHub
parent
969a06f521
commit
7667847bfe
|
|
@ -21,25 +21,46 @@ func isValidUsername(username string) bool {
|
||||||
return userRegexp.MatchString(username)
|
return userRegexp.MatchString(username)
|
||||||
}
|
}
|
||||||
|
|
||||||
func normalizeUserFlags(userFlags []string) (flags []string, err error) {
|
func isValidFlag(flag string) bool {
|
||||||
|
for _, validFlag := range []string{constants.RoleFlagSuperuser, constants.RoleFlagLogin, constants.RoleFlagCreateDB,
|
||||||
|
constants.RoleFlagInherit, constants.RoleFlagReplication, constants.RoleFlagByPassRLS} {
|
||||||
|
if flag == validFlag || flag == "NO"+validFlag {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func invertFlag(flag string) string {
|
||||||
|
if flag[:2] == "NO" {
|
||||||
|
return flag[2:]
|
||||||
|
}
|
||||||
|
return "NO" + flag
|
||||||
|
}
|
||||||
|
|
||||||
|
func normalizeUserFlags(userFlags []string) ([]string, error) {
|
||||||
uniqueFlags := make(map[string]bool)
|
uniqueFlags := make(map[string]bool)
|
||||||
addLogin := true
|
addLogin := true
|
||||||
|
|
||||||
for _, flag := range userFlags {
|
for _, flag := range userFlags {
|
||||||
if !alphaNumericRegexp.MatchString(flag) {
|
if !alphaNumericRegexp.MatchString(flag) {
|
||||||
err = fmt.Errorf("user flag '%v' is not alphanumeric", flag)
|
return nil, fmt.Errorf("user flag %q is not alphanumeric", flag)
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
|
||||||
flag = strings.ToUpper(flag)
|
flag = strings.ToUpper(flag)
|
||||||
if _, ok := uniqueFlags[flag]; !ok {
|
if _, ok := uniqueFlags[flag]; !ok {
|
||||||
|
if !isValidFlag(flag) {
|
||||||
|
return nil, fmt.Errorf("user flag %q is not valid", flag)
|
||||||
|
}
|
||||||
|
invFlag := invertFlag(flag)
|
||||||
|
if uniqueFlags[invFlag] {
|
||||||
|
return nil, fmt.Errorf("conflicting user flags: %q and %q", flag, invFlag)
|
||||||
|
}
|
||||||
uniqueFlags[flag] = true
|
uniqueFlags[flag] = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if uniqueFlags[constants.RoleFlagLogin] && uniqueFlags[constants.RoleFlagNoLogin] {
|
|
||||||
return nil, fmt.Errorf("conflicting or redundant flags: LOGIN and NOLOGIN")
|
|
||||||
}
|
|
||||||
|
|
||||||
flags = []string{}
|
flags := []string{}
|
||||||
for k := range uniqueFlags {
|
for k := range uniqueFlags {
|
||||||
if k == constants.RoleFlagNoLogin || k == constants.RoleFlagLogin {
|
if k == constants.RoleFlagNoLogin || k == constants.RoleFlagLogin {
|
||||||
addLogin = false
|
addLogin = false
|
||||||
|
|
@ -55,7 +76,7 @@ func normalizeUserFlags(userFlags []string) (flags []string, err error) {
|
||||||
flags = append(flags, constants.RoleFlagLogin)
|
flags = append(flags, constants.RoleFlagLogin)
|
||||||
}
|
}
|
||||||
|
|
||||||
return
|
return flags, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func specPatch(spec interface{}) ([]byte, error) {
|
func specPatch(spec interface{}) ([]byte, error) {
|
||||||
|
|
|
||||||
|
|
@ -12,4 +12,6 @@ const (
|
||||||
RoleFlagNoLogin = "NOLOGIN"
|
RoleFlagNoLogin = "NOLOGIN"
|
||||||
RoleFlagCreateRole = "CREATEROLE"
|
RoleFlagCreateRole = "CREATEROLE"
|
||||||
RoleFlagCreateDB = "CREATEDB"
|
RoleFlagCreateDB = "CREATEDB"
|
||||||
|
RoleFlagReplication = "REPLICATION"
|
||||||
|
RoleFlagByPassRLS = "BYPASSRLS"
|
||||||
)
|
)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue