1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::Database::QueryAnalyzers::RestrictAllowedSchemas,
query_analyzers: false, feature_category: :database do
let(:analyzer) { described_class }
context 'properly analyzes queries' do
using RSpec::Parameterized::TableSyntax
where do
examples = {
"for SELECT on projects" => {
sql: "SELECT 1 FROM projects",
expected_allowed_gitlab_schemas: {
no_schema: :dml_not_allowed,
gitlab_main: :success,
gitlab_main_clusterwide: :success,
gitlab_main_cell: :success,
gitlab_ci: :dml_access_denied # cross-schema access
}
},
"for SELECT on namespaces" => {
sql: "SELECT 1 FROM namespaces",
expected_allowed_gitlab_schemas: {
no_schema: :dml_not_allowed,
gitlab_main: :success,
gitlab_main_clusterwide: :success,
gitlab_main_cell: :success,
gitlab_ci: :dml_access_denied # cross-schema access
}
},
"for INSERT on projects" => {
sql: "INSERT INTO projects VALUES (1)",
expected_allowed_gitlab_schemas: {
no_schema: :dml_not_allowed,
gitlab_main: :success,
gitlab_main_clusterwide: :success,
gitlab_main_cell: :success,
gitlab_ci: :dml_access_denied # cross-schema access
}
},
"for INSERT on namespaces" => {
sql: "INSERT INTO namespaces VALUES (1)",
expected_allowed_gitlab_schemas: {
no_schema: :dml_not_allowed,
gitlab_main: :success,
gitlab_main_clusterwide: :success,
gitlab_main_cell: :success,
gitlab_ci: :dml_access_denied # cross-schema access
}
},
"for CREATE INDEX" => {
sql: "CREATE INDEX index_projects_on_hidden ON projects (hidden)",
expected_allowed_gitlab_schemas: {
no_schema: :success,
gitlab_main: :ddl_not_allowed,
gitlab_ci: :ddl_not_allowed
}
},
"for CREATE SCHEMA" => {
sql: "CREATE SCHEMA __test_schema",
expected_allowed_gitlab_schemas: {
no_schema: :success,
# TODO: This is currently not properly detected
gitlab_main: :success,
gitlab_ci: :success
}
},
"for CREATE FUNCTION" => {
sql: "CREATE FUNCTION add(integer, integer) RETURNS integer AS 'select $1 + $2;' LANGUAGE SQL",
expected_allowed_gitlab_schemas: {
no_schema: :success,
gitlab_main: :ddl_not_allowed,
gitlab_ci: :ddl_not_allowed
}
},
"for CREATE TRIGGER" => {
sql: "CREATE TRIGGER check_projects BEFORE UPDATE ON projects FOR EACH ROW EXECUTE PROCEDURE check_projects_update()",
expected_allowed_gitlab_schemas: {
no_schema: :success,
gitlab_main: :ddl_not_allowed,
gitlab_ci: :ddl_not_allowed
}
}
}
# Expands all examples into individual tests
examples.flat_map do |name, configuration|
configuration[:expected_allowed_gitlab_schemas].map do |allowed_gitlab_schema, expectation|
[
"#{name} for allowed_gitlab_schema=#{allowed_gitlab_schema}",
{
sql: configuration[:sql],
allowed_gitlab_schema: allowed_gitlab_schema, # nil, gitlab_main
expectation: expectation # success, dml_access_denied, ...
}
]
end
end.to_h
end
with_them do
subject do
process_sql(sql) do
analyzer.allowed_gitlab_schemas = [allowed_gitlab_schema] unless allowed_gitlab_schema == :no_schema
end
end
it do
case expectation
when :success
expect { subject }.not_to raise_error
when :ddl_not_allowed
expect { subject }.to raise_error(described_class::DDLNotAllowedError)
when :dml_not_allowed
expect { subject }.to raise_error(described_class::DMLNotAllowedError)
when :dml_access_denied
expect { subject }.to raise_error(described_class::DMLAccessDeniedError)
else
raise "invalid expectation: #{expectation}"
end
end
end
end
describe '.require_ddl_mode!' do
subject { described_class.require_ddl_mode! }
it "when not configured does not raise exception" do
expect { subject }.not_to raise_error
end
it "when no schemas are configured does not raise exception (DDL mode)" do
with_analyzer do
expect { subject }.not_to raise_error
end
end
it "with schemas configured does raise exception (DML mode)" do
with_analyzer do
analyzer.allowed_gitlab_schemas = %i[gitlab_main]
expect { subject }.to raise_error(described_class::DMLNotAllowedError)
end
end
end
describe '.require_dml_mode!' do
subject { described_class.require_dml_mode! }
it "when not configured does not raise exception" do
expect { subject }.not_to raise_error
end
it "when no schemas are configured does raise exception (DDL mode)" do
with_analyzer do
expect { subject }.to raise_error(described_class::DDLNotAllowedError)
end
end
it "with schemas configured does raise exception (DML mode)" do
with_analyzer do
analyzer.allowed_gitlab_schemas = %i[gitlab_main]
expect { subject }.not_to raise_error
end
end
end
def with_analyzer
Gitlab::Database::QueryAnalyzer.instance.within([analyzer]) do
yield
end
end
def process_sql(sql, model = ActiveRecord::Base)
with_analyzer do
yield if block_given?
# Skip load balancer and retrieve connection assigned to model
Gitlab::Database::QueryAnalyzer.instance.send(:process_sql, sql, model.retrieve_connection, 'load')
end
end
end
|
