000001  /*
000002  ** 2003 January 11
000003  **
000004  ** The author disclaims copyright to this source code.  In place of
000005  ** a legal notice, here is a blessing:
000006  **
000007  **    May you do good and not evil.
000008  **    May you find forgiveness for yourself and forgive others.
000009  **    May you share freely, never taking more than you give.
000010  **
000011  *************************************************************************
000012  ** This file contains code used to implement the sqlite3_set_authorizer()
000013  ** API.  This facility is an optional feature of the library.  Embedded
000014  ** systems that do not need this facility may omit it by recompiling
000015  ** the library with -DSQLITE_OMIT_AUTHORIZATION=1
000016  */
000017  #include "sqliteInt.h"
000018  
000019  /*
000020  ** All of the code in this file may be omitted by defining a single
000021  ** macro.
000022  */
000023  #ifndef SQLITE_OMIT_AUTHORIZATION
000024  
000025  /*
000026  ** Set or clear the access authorization function.
000027  **
000028  ** The access authorization function is be called during the compilation
000029  ** phase to verify that the user has read and/or write access permission on
000030  ** various fields of the database.  The first argument to the auth function
000031  ** is a copy of the 3rd argument to this routine.  The second argument
000032  ** to the auth function is one of these constants:
000033  **
000034  **       SQLITE_CREATE_INDEX
000035  **       SQLITE_CREATE_TABLE
000036  **       SQLITE_CREATE_TEMP_INDEX
000037  **       SQLITE_CREATE_TEMP_TABLE
000038  **       SQLITE_CREATE_TEMP_TRIGGER
000039  **       SQLITE_CREATE_TEMP_VIEW
000040  **       SQLITE_CREATE_TRIGGER
000041  **       SQLITE_CREATE_VIEW
000042  **       SQLITE_DELETE
000043  **       SQLITE_DROP_INDEX
000044  **       SQLITE_DROP_TABLE
000045  **       SQLITE_DROP_TEMP_INDEX
000046  **       SQLITE_DROP_TEMP_TABLE
000047  **       SQLITE_DROP_TEMP_TRIGGER
000048  **       SQLITE_DROP_TEMP_VIEW
000049  **       SQLITE_DROP_TRIGGER
000050  **       SQLITE_DROP_VIEW
000051  **       SQLITE_INSERT
000052  **       SQLITE_PRAGMA
000053  **       SQLITE_READ
000054  **       SQLITE_SELECT
000055  **       SQLITE_TRANSACTION
000056  **       SQLITE_UPDATE
000057  **
000058  ** The third and fourth arguments to the auth function are the name of
000059  ** the table and the column that are being accessed.  The auth function
000060  ** should return either SQLITE_OK, SQLITE_DENY, or SQLITE_IGNORE.  If
000061  ** SQLITE_OK is returned, it means that access is allowed.  SQLITE_DENY
000062  ** means that the SQL statement will never-run - the sqlite3_exec() call
000063  ** will return with an error.  SQLITE_IGNORE means that the SQL statement
000064  ** should run but attempts to read the specified column will return NULL
000065  ** and attempts to write the column will be ignored.
000066  **
000067  ** Setting the auth function to NULL disables this hook.  The default
000068  ** setting of the auth function is NULL.
000069  */
000070  int sqlite3_set_authorizer(
000071    sqlite3 *db,
000072    int (*xAuth)(void*,int,const char*,const char*,const char*,const char*),
000073    void *pArg
000074  ){
000075  #ifdef SQLITE_ENABLE_API_ARMOR
000076    if( !sqlite3SafetyCheckOk(db) ) return SQLITE_MISUSE_BKPT;
000077  #endif
000078    sqlite3_mutex_enter(db->mutex);
000079    db->xAuth = (sqlite3_xauth)xAuth;
000080    db->pAuthArg = pArg;
000081    if( db->xAuth ) sqlite3ExpirePreparedStatements(db, 1);
000082    sqlite3_mutex_leave(db->mutex);
000083    return SQLITE_OK;
000084  }
000085  
000086  /*
000087  ** Write an error message into pParse->zErrMsg that explains that the
000088  ** user-supplied authorization function returned an illegal value.
000089  */
000090  static void sqliteAuthBadReturnCode(Parse *pParse){
000091    sqlite3ErrorMsg(pParse, "authorizer malfunction");
000092    pParse->rc = SQLITE_ERROR;
000093  }
000094  
000095  /*
000096  ** Invoke the authorization callback for permission to read column zCol from
000097  ** table zTab in database zDb. This function assumes that an authorization
000098  ** callback has been registered (i.e. that sqlite3.xAuth is not NULL).
000099  **
000100  ** If SQLITE_IGNORE is returned and pExpr is not NULL, then pExpr is changed
000101  ** to an SQL NULL expression. Otherwise, if pExpr is NULL, then SQLITE_IGNORE
000102  ** is treated as SQLITE_DENY. In this case an error is left in pParse.
000103  */
000104  int sqlite3AuthReadCol(
000105    Parse *pParse,                  /* The parser context */
000106    const char *zTab,               /* Table name */
000107    const char *zCol,               /* Column name */
000108    int iDb                         /* Index of containing database. */
000109  ){
000110    sqlite3 *db = pParse->db;          /* Database handle */
000111    char *zDb = db->aDb[iDb].zDbSName; /* Schema name of attached database */
000112    int rc;                            /* Auth callback return code */
000113  
000114    if( db->init.busy ) return SQLITE_OK;
000115    rc = db->xAuth(db->pAuthArg, SQLITE_READ, zTab,zCol,zDb,pParse->zAuthContext
000116  #ifdef SQLITE_USER_AUTHENTICATION
000117                   ,db->auth.zAuthUser
000118  #endif
000119                  );
000120    if( rc==SQLITE_DENY ){
000121      char *z = sqlite3_mprintf("%s.%s", zTab, zCol);
000122      if( db->nDb>2 || iDb!=0 ) z = sqlite3_mprintf("%s.%z", zDb, z);
000123      sqlite3ErrorMsg(pParse, "access to %z is prohibited", z);
000124      pParse->rc = SQLITE_AUTH;
000125    }else if( rc!=SQLITE_IGNORE && rc!=SQLITE_OK ){
000126      sqliteAuthBadReturnCode(pParse);
000127    }
000128    return rc;
000129  }
000130  
000131  /*
000132  ** The pExpr should be a TK_COLUMN expression.  The table referred to
000133  ** is in pTabList or else it is the NEW or OLD table of a trigger.  
000134  ** Check to see if it is OK to read this particular column.
000135  **
000136  ** If the auth function returns SQLITE_IGNORE, change the TK_COLUMN 
000137  ** instruction into a TK_NULL.  If the auth function returns SQLITE_DENY,
000138  ** then generate an error.
000139  */
000140  void sqlite3AuthRead(
000141    Parse *pParse,        /* The parser context */
000142    Expr *pExpr,          /* The expression to check authorization on */
000143    Schema *pSchema,      /* The schema of the expression */
000144    SrcList *pTabList     /* All table that pExpr might refer to */
000145  ){
000146    Table *pTab = 0;      /* The table being read */
000147    const char *zCol;     /* Name of the column of the table */
000148    int iSrc;             /* Index in pTabList->a[] of table being read */
000149    int iDb;              /* The index of the database the expression refers to */
000150    int iCol;             /* Index of column in table */
000151  
000152    assert( pExpr->op==TK_COLUMN || pExpr->op==TK_TRIGGER );
000153    assert( !IN_RENAME_OBJECT );
000154    assert( pParse->db->xAuth!=0 );
000155    iDb = sqlite3SchemaToIndex(pParse->db, pSchema);
000156    if( iDb<0 ){
000157      /* An attempt to read a column out of a subquery or other
000158      ** temporary table. */
000159      return;
000160    }
000161  
000162    if( pExpr->op==TK_TRIGGER ){
000163      pTab = pParse->pTriggerTab;
000164    }else{
000165      assert( pTabList );
000166      for(iSrc=0; iSrc<pTabList->nSrc; iSrc++){
000167        if( pExpr->iTable==pTabList->a[iSrc].iCursor ){
000168          pTab = pTabList->a[iSrc].pSTab;
000169          break;
000170        }
000171      }
000172    }
000173    iCol = pExpr->iColumn;
000174    if( pTab==0 ) return;
000175  
000176    if( iCol>=0 ){
000177      assert( iCol<pTab->nCol );
000178      zCol = pTab->aCol[iCol].zCnName;
000179    }else if( pTab->iPKey>=0 ){
000180      assert( pTab->iPKey<pTab->nCol );
000181      zCol = pTab->aCol[pTab->iPKey].zCnName;
000182    }else{
000183      zCol = "ROWID";
000184    }
000185    assert( iDb>=0 && iDb<pParse->db->nDb );
000186    if( SQLITE_IGNORE==sqlite3AuthReadCol(pParse, pTab->zName, zCol, iDb) ){
000187      pExpr->op = TK_NULL;
000188    }
000189  }
000190  
000191  /*
000192  ** Do an authorization check using the code and arguments given.  Return
000193  ** either SQLITE_OK (zero) or SQLITE_IGNORE or SQLITE_DENY.  If SQLITE_DENY
000194  ** is returned, then the error count and error message in pParse are
000195  ** modified appropriately.
000196  */
000197  int sqlite3AuthCheck(
000198    Parse *pParse,
000199    int code,
000200    const char *zArg1,
000201    const char *zArg2,
000202    const char *zArg3
000203  ){
000204    sqlite3 *db = pParse->db;
000205    int rc;
000206  
000207    /* Don't do any authorization checks if the database is initializing
000208    ** or if the parser is being invoked from within sqlite3_declare_vtab.
000209    */
000210    assert( !IN_RENAME_OBJECT || db->xAuth==0 );
000211    if( db->xAuth==0 || db->init.busy || IN_SPECIAL_PARSE ){
000212      return SQLITE_OK;
000213    }
000214  
000215    /* EVIDENCE-OF: R-43249-19882 The third through sixth parameters to the
000216    ** callback are either NULL pointers or zero-terminated strings that
000217    ** contain additional details about the action to be authorized.
000218    **
000219    ** The following testcase() macros show that any of the 3rd through 6th
000220    ** parameters can be either NULL or a string. */
000221    testcase( zArg1==0 );
000222    testcase( zArg2==0 );
000223    testcase( zArg3==0 );
000224    testcase( pParse->zAuthContext==0 );
000225  
000226    rc = db->xAuth(db->pAuthArg, code, zArg1, zArg2, zArg3, pParse->zAuthContext
000227  #ifdef SQLITE_USER_AUTHENTICATION
000228                   ,db->auth.zAuthUser
000229  #endif
000230                  );
000231    if( rc==SQLITE_DENY ){
000232      sqlite3ErrorMsg(pParse, "not authorized");
000233      pParse->rc = SQLITE_AUTH;
000234    }else if( rc!=SQLITE_OK && rc!=SQLITE_IGNORE ){
000235      rc = SQLITE_DENY;
000236      sqliteAuthBadReturnCode(pParse);
000237    }
000238    return rc;
000239  }
000240  
000241  /*
000242  ** Push an authorization context.  After this routine is called, the
000243  ** zArg3 argument to authorization callbacks will be zContext until
000244  ** popped.  Or if pParse==0, this routine is a no-op.
000245  */
000246  void sqlite3AuthContextPush(
000247    Parse *pParse,
000248    AuthContext *pContext, 
000249    const char *zContext
000250  ){
000251    assert( pParse );
000252    pContext->pParse = pParse;
000253    pContext->zAuthContext = pParse->zAuthContext;
000254    pParse->zAuthContext = zContext;
000255  }
000256  
000257  /*
000258  ** Pop an authorization context that was previously pushed
000259  ** by sqlite3AuthContextPush
000260  */
000261  void sqlite3AuthContextPop(AuthContext *pContext){
000262    if( pContext->pParse ){
000263      pContext->pParse->zAuthContext = pContext->zAuthContext;
000264      pContext->pParse = 0;
000265    }
000266  }
000267  
000268  #endif /* SQLITE_OMIT_AUTHORIZATION */