
Access current user with an SQL function #1399

Merged
merged 4 commits into from
Jan 27, 2021
Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -25,6 +25,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Send entire families to ospd-openvas using VT_GROUP [#1384](https://github.com/greenbone/gvmd/pull/1384)
- The internal list of current Local Security Checks for the 'Closed CVEs' feature was updated [#1381](https://github.com/greenbone/gvmd/pull/1381)
- Limit "whole-only" config families to "growing" and "every nvt" [#1386](https://github.com/greenbone/gvmd/pull/1386)
- Access current user with an SQL function [#1399](https://github.com/greenbone/gvmd/pull/1399)

### Fixed
- Use GMP version with leading zero for feed dirs [#1287](https://github.com/greenbone/gvmd/pull/1287)
94 changes: 24 additions & 70 deletions src/manage_pg.c
Expand Up @@ -49,7 +49,9 @@
void
manage_session_init (const char *uuid)
{
sql ("SET SESSION \"gvmd.user.uuid\" = '%s';", uuid);
sql ("SET SESSION \"gvmd.user.id\" = %llu;",
sql_int64_0 ("SELECT id FROM users WHERE uuid = '%s';",
uuid));
sql ("SET SESSION \"gvmd.tz_override\" = '';");
}

Expand Down Expand Up @@ -146,10 +148,7 @@ sql_rename_column (const char *old_table, const char *new_table,
" WHERE overrides.result_nvt = results.result_nvt" \
" AND ((overrides.owner IS NULL)" \
" OR (overrides.owner" \
" = (SELECT id FROM users" \
" WHERE users.uuid" \
" = (SELECT current_setting" \
" ('gvmd.user.uuid')))))" \
" = gvmd_user ()))" \
" AND ((overrides.end_time = 0)" \
" OR (overrides.end_time >= m_now ()))" \
" AND (overrides.task = results.task" \
Expand Down Expand Up @@ -601,8 +600,7 @@ manage_create_sql_functions ()
" user_zone :="
" coalesce ((SELECT current_setting ('gvmd.tz_override')),"
" (SELECT timezone FROM users"
" WHERE uuid"
" = (SELECT current_setting ('gvmd.user.uuid'))));"
" WHERE id = gvmd_user ()));"
" RETURN iso_time (seconds, user_zone);"
" END;"
"$$ LANGUAGE plpgsql;");
Expand Down Expand Up @@ -740,33 +738,17 @@ manage_create_sql_functions ()
" || ' WHERE id = $2)))))"
" AND subject_location = " G_STRINGIFY (LOCATION_TABLE)
" AND ((subject_type = ''user''"
" AND subject"
" = (SELECT id FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" (''gvmd.user.uuid''))))"
" AND subject = gvmd_user ())"
" OR (subject_type = ''group''"
" AND subject"
" IN (SELECT DISTINCT \"group\""
" FROM group_users"
" WHERE"
" \"user\""
" = (SELECT id"
" FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" (''gvmd.user.uuid'')))))"
" WHERE \"user\" = gvmd_user ()))"
" OR (subject_type = ''role''"
" AND subject"
" IN (SELECT DISTINCT role"
" FROM role_users"
" WHERE"
" \"user\""
" = (SELECT id"
" FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" (''gvmd.user.uuid'')))))))'"
" WHERE \"user\" = gvmd_user ()))))'"
" USING arg_type, arg_id"
" INTO owns;"
" RETURN owns;"
Expand Down Expand Up @@ -797,11 +779,7 @@ manage_create_sql_functions ()
" WHERE results.id = arg_id"
" AND results.report = reports.id"
" AND ((reports.owner IS NULL)"
" OR (reports.owner"
" = (SELECT id FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" ('gvmd.user.uuid'))))))"
" OR (reports.owner = gvmd_user ())))"
" THEN RETURN true;"
" ELSE RETURN false;"
" END CASE;"
Expand All @@ -811,11 +789,7 @@ manage_create_sql_functions ()
" WHERE id = arg_id"
" AND hidden < 2"
" AND ((owner IS NULL)"
" OR (owner"
" = (SELECT id FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" ('gvmd.user.uuid'))))))"
" OR (owner = gvmd_user ())))"
" THEN RETURN true;"
" ELSE RETURN false;"
" END CASE;"
Expand All @@ -825,10 +799,7 @@ manage_create_sql_functions ()
" FROM ' || quote_ident_split ($1 || 's') || '"
" WHERE id = $2"
" AND ((owner IS NULL)"
" OR (owner = (SELECT id FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" (''gvmd.user.uuid''))))))'"
" OR (owner = gvmd_user ())))'"
" USING arg_type, arg_id"
" INTO owns;"
" RETURN owns;"
Expand Down Expand Up @@ -873,9 +844,7 @@ manage_create_sql_functions ()
" task_uuid = null;"
" END CASE;"
" is_get = substr (arg_permission, 0, 4) = 'get';"
" user_id = (SELECT id FROM users"
" WHERE uuid = (SELECT current_setting"
" ('gvmd.user.uuid')));"
" user_id = gvmd_user ();"
" ret = (SELECT count(*) FROM permissions"
" WHERE resource_uuid = coalesce (task_uuid, arg_uuid)"
" AND subject_location = " G_STRINGIFY (LOCATION_TABLE)
Expand Down Expand Up @@ -908,6 +877,11 @@ manage_create_sql_functions ()
"$$ LANGUAGE SQL"
" STABLE;");

sql ("CREATE OR REPLACE FUNCTION gvmd_user ()"
" RETURNS integer AS $$"
" SELECT current_setting ('gvmd.user.id')::integer;"
"$$ LANGUAGE SQL;");

sql ("CREATE OR REPLACE FUNCTION common_cve (text, text)"
" RETURNS boolean AS $$"
/* Check if two CVE lists contain a common CVE. */
Expand Down Expand Up @@ -986,10 +960,7 @@ manage_create_sql_functions ()
" SELECT CAST (value AS integer) = 1 FROM settings"
" WHERE name = 'Dynamic Severity'"
" AND ((owner IS NULL)"
" OR (owner = (SELECT id FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" ('gvmd.user.uuid')))))"
" OR (owner = gvmd_user ()))"
" ORDER BY coalesce (owner, 0) DESC LIMIT 1;"
"$$ LANGUAGE SQL;");

Expand All @@ -1016,11 +987,7 @@ manage_create_sql_functions ()
" AS (SELECT max(severity) AS max"
" FROM report_counts"
" WHERE report = $1"
" AND (\"user\""
" = (SELECT id FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" ('gvmd.user.uuid'))))"
" AND \"user\" = gvmd_user ()"
" AND override = $2"
" AND min_qod = $3"
" AND (end_time = 0 or end_time >= m_now ()))"
Expand Down Expand Up @@ -1088,10 +1055,7 @@ manage_create_sql_functions ()
" SELECT value FROM settings"
" WHERE name = 'Severity Class'"
" AND ((owner IS NULL)"
" OR (owner = (SELECT id FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" ('gvmd.user.uuid')))))"
" OR (owner = gvmd_user ()))"
" ORDER BY coalesce (owner, 0) DESC LIMIT 1;"
"$$ LANGUAGE SQL;");

Expand All @@ -1106,11 +1070,7 @@ manage_create_sql_functions ()
" AS (SELECT sum (count) AS total"
" FROM report_counts"
" WHERE report = $1"
" AND (\"user\""
" = (SELECT id FROM users"
" WHERE users.uuid"
" = (SELECT current_setting"
" ('gvmd.user.uuid'))))"
" AND \"user\" = gvmd_user ()"
" AND override = $2"
" AND min_qod = $3"
" AND (end_time = 0"
Expand Down Expand Up @@ -1239,7 +1199,7 @@ manage_create_sql_functions ()
" AND scan_run_status = %u)"
" THEN RETURN ''::text;"
/* Get trend only for authenticated users. */
" WHEN (SELECT current_setting ('gvmd.user.uuid') = '')"
" WHEN gvmd_user () = 0"
" THEN RETURN ''::text;"
/* Skip running and container tasks. */
" WHEN (SELECT run_status = %u OR target = 0"
Expand Down Expand Up @@ -1620,10 +1580,7 @@ manage_create_sql_functions ()
" AND ($4 IS NULL OR results.host = $4)"
" AND (results.severity != " G_STRINGIFY (SEVERITY_ERROR) ")"
" AND (SELECT has_permission FROM permissions_get_tasks"
" WHERE \"user\" = (SELECT id FROM users"
" WHERE uuid"
" = (SELECT current_setting"
" ('gvmd.user.uuid')))"
" WHERE \"user\" = gvmd_user ()"
" AND task = results.task)"
"$$ LANGUAGE SQL;");

Expand All @@ -1640,10 +1597,7 @@ manage_create_sql_functions ()
" AND ($4 IS NULL OR results.host = $4)"
" AND (results.severity != " G_STRINGIFY (SEVERITY_ERROR) ")"
" AND (SELECT has_permission FROM permissions_get_tasks"
" WHERE \"user\" = (SELECT id FROM users"
" WHERE uuid"
" = (SELECT current_setting"
" ('gvmd.user.uuid')))"
" WHERE \"user\" = gvmd_user ()"
" AND task = results.task))"
"$$ LANGUAGE SQL;");
}
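Review bot: In manage_session_init the new `SET SESSION "gvmd.user.id" = %llu` formats the value of sql_int64_0, which is declared `long long int` in src/sql.c, with an unsigned conversion; the specifier should match the type, `sql ("SET SESSION \"gvmd.user.id\" = %lld;", sql_int64_0 ("SELECT id FROM users WHERE uuid = '%s';", uuid));`. That same statement, like the existing one above it, interpolates uuid into SQL without escaping, which is only safe as long as every caller passes a uuid taken from the users table rather than from client input, so routing it through the file's existing SQL quoting helper would remove that dependency on the caller. Because sql_int64_0 returns 0 when no row matches, a uuid that is no longer in users silently becomes id 0, which the `WHEN gvmd_user () = 0` branch of the trend function and the `= 0` default in init_manage_open_db (src/manage_sql.c) treat as "no authenticated user"; that is a reasonable outcome but relies on users.id never being 0, so a comment such as `/* 0 means no user; sql_int64_0 also yields 0 for an unknown uuid. */` next to the SET would make it explicit. Finally, the new `gvmd_user ()` is created without a volatility marker and therefore defaults to VOLATILE although it only reads a session setting; declaring it `" STABLE;"` like the function created just above it lets the planner evaluate it once per statement instead of once per row in the permission and ownership checks that now call it.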
8 changes: 2 additions & 6 deletions src/manage_sql.c
Expand Up @@ -15117,7 +15117,7 @@ init_manage_open_db (const db_conn_info_t *database)
}

/* Ensure the user session variables always exists. */
sql ("SET SESSION \"gvmd.user.uuid\" = '';");
sql ("SET SESSION \"gvmd.user.id\" = 0;");
sql ("SET SESSION \"gvmd.tz_override\" = '';");

/* Attach the SCAP and CERT databases. */
Expand Down Expand Up @@ -52468,11 +52468,7 @@ user_resources_in_use (user_t user,
" AND (opts.host IS NULL OR results.host = opts.host)" \
" AND (results.severity != " G_STRINGIFY (SEVERITY_ERROR) ")" \
" AND (SELECT has_permission FROM permissions_get_tasks" \
" WHERE \"user\"" \
" = (SELECT id FROM users" \
" WHERE uuid" \
" = (SELECT current_setting" \
" ('gvmd.user.uuid')))" \
" WHERE \"user\" = gvmd_user ()" \
" AND task = results.task)"

/**
5 changes: 1 addition & 4 deletions src/manage_sql_tickets.c
Expand Up @@ -111,10 +111,7 @@ ticket_status_integer (const char *status)
" WHERE ticket = tickets.id" \
" LIMIT 1)" \
" AND result_new_severities.user" \
" = (SELECT users.id" \
" FROM users" \
" WHERE users.uuid" \
" = (SELECT current_setting ('gvmd.user.uuid')))" \
" = gvmd_user ()" \
" AND result_new_severities.dynamic = 0" \
" LIMIT 1)" \
" ELSE severity" \
2 changes: 1 addition & 1 deletion src/sql.c
Expand Up @@ -498,7 +498,7 @@ sql_int64 (long long int* ret, char* sql, ...)
* @param[in] sql Format string for SQL query.
* @param[in] ... Arguments for format string.
*
* @return 0 success, 1 too few rows, -1 error.
* @return Column value. 0 if no row.
*/
long long int
sql_int64_0 (char* sql, ...)
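Review bot: The new `@return` line for sql_int64_0 documents the no-row case but drops the error case that the previous text (`-1 error`) covered, and the function body is outside the hunk, so a reader cannot tell what a failed query yields. If the wrapper also returns 0 when the underlying query fails, the line should say so, e.g. `@return Column value. 0 if no row or on error.`; callers such as manage_session_init in src/manage_pg.c store this value as the session user id and cannot distinguish the two cases, which is worth stating here.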