000001  /*
000002  ** 2003 January 11
000003  **
000004  ** The author disclaims copyright to this source code.  In place of
000005  ** a legal notice, here is a blessing:
000006  **
000007  **    May you do good and not evil.
000008  **    May you find forgiveness for yourself and forgive others.
000009  **    May you share freely, never taking more than you give.
000010  **
000011  *************************************************************************
000012  ** This file contains code used to implement the sqlite3_set_authorizer()
000013  ** API.  This facility is an optional feature of the library.  Embedded
000014  ** systems that do not need this facility may omit it by recompiling
000015  ** the library with -DSQLITE_OMIT_AUTHORIZATION=1
000016  */
000017  #include "sqliteInt.h"
000018  
000019  /*
000020  ** All of the code in this file may be omitted by defining a single
000021  ** macro.
000022  */
000023  #ifndef SQLITE_OMIT_AUTHORIZATION
000024  
000025  /*
000026  ** Set or clear the access authorization function.
000027  **
000028  ** The access authorization function is be called during the compilation
000029  ** phase to verify that the user has read and/or write access permission on
000030  ** various fields of the database.  The first argument to the auth function
000031  ** is a copy of the 3rd argument to this routine.  The second argument
000032  ** to the auth function is one of these constants:
000033  **
000034  **       SQLITE_CREATE_INDEX
000035  **       SQLITE_CREATE_TABLE
000036  **       SQLITE_CREATE_TEMP_INDEX
000037  **       SQLITE_CREATE_TEMP_TABLE
000038  **       SQLITE_CREATE_TEMP_TRIGGER
000039  **       SQLITE_CREATE_TEMP_VIEW
000040  **       SQLITE_CREATE_TRIGGER
000041  **       SQLITE_CREATE_VIEW
000042  **       SQLITE_DELETE
000043  **       SQLITE_DROP_INDEX
000044  **       SQLITE_DROP_TABLE
000045  **       SQLITE_DROP_TEMP_INDEX
000046  **       SQLITE_DROP_TEMP_TABLE
000047  **       SQLITE_DROP_TEMP_TRIGGER
000048  **       SQLITE_DROP_TEMP_VIEW
000049  **       SQLITE_DROP_TRIGGER
000050  **       SQLITE_DROP_VIEW
000051  **       SQLITE_INSERT
000052  **       SQLITE_PRAGMA
000053  **       SQLITE_READ
000054  **       SQLITE_SELECT
000055  **       SQLITE_TRANSACTION
000056  **       SQLITE_UPDATE
000057  **
000058  ** The third and fourth arguments to the auth function are the name of
000059  ** the table and the column that are being accessed.  The auth function
000060  ** should return either SQLITE_OK, SQLITE_DENY, or SQLITE_IGNORE.  If
000061  ** SQLITE_OK is returned, it means that access is allowed.  SQLITE_DENY
000062  ** means that the SQL statement will never-run - the sqlite3_exec() call
000063  ** will return with an error.  SQLITE_IGNORE means that the SQL statement
000064  ** should run but attempts to read the specified column will return NULL
000065  ** and attempts to write the column will be ignored.
000066  **
000067  ** Setting the auth function to NULL disables this hook.  The default
000068  ** setting of the auth function is NULL.
000069  */
000070  int sqlite3_set_authorizer(
000071    sqlite3 *db,
000072    int (*xAuth)(void*,int,const char*,const char*,const char*,const char*),
000073    void *pArg
000074  ){
000075  #ifdef SQLITE_ENABLE_API_ARMOR
000076    if( !sqlite3SafetyCheckOk(db) ) return SQLITE_MISUSE_BKPT;
000077  #endif
000078    sqlite3_mutex_enter(db->mutex);
000079    db->xAuth = (sqlite3_xauth)xAuth;
000080    db->pAuthArg = pArg;
000081    sqlite3ExpirePreparedStatements(db);
000082    sqlite3_mutex_leave(db->mutex);
000083    return SQLITE_OK;
000084  }
000085  
000086  /*
000087  ** Write an error message into pParse->zErrMsg that explains that the
000088  ** user-supplied authorization function returned an illegal value.
000089  */
000090  static void sqliteAuthBadReturnCode(Parse *pParse){
000091    sqlite3ErrorMsg(pParse, "authorizer malfunction");
000092    pParse->rc = SQLITE_ERROR;
000093  }
000094  
000095  /*
000096  ** Invoke the authorization callback for permission to read column zCol from
000097  ** table zTab in database zDb. This function assumes that an authorization
000098  ** callback has been registered (i.e. that sqlite3.xAuth is not NULL).
000099  **
000100  ** If SQLITE_IGNORE is returned and pExpr is not NULL, then pExpr is changed
000101  ** to an SQL NULL expression. Otherwise, if pExpr is NULL, then SQLITE_IGNORE
000102  ** is treated as SQLITE_DENY. In this case an error is left in pParse.
000103  */
000104  int sqlite3AuthReadCol(
000105    Parse *pParse,                  /* The parser context */
000106    const char *zTab,               /* Table name */
000107    const char *zCol,               /* Column name */
000108    int iDb                         /* Index of containing database. */
000109  ){
000110    sqlite3 *db = pParse->db;          /* Database handle */
000111    char *zDb = db->aDb[iDb].zDbSName; /* Schema name of attached database */
000112    int rc;                            /* Auth callback return code */
000113  
000114    if( db->init.busy ) return SQLITE_OK;
000115    rc = db->xAuth(db->pAuthArg, SQLITE_READ, zTab,zCol,zDb,pParse->zAuthContext
000116  #ifdef SQLITE_USER_AUTHENTICATION
000117                   ,db->auth.zAuthUser
000118  #endif
000119                  );
000120    if( rc==SQLITE_DENY ){
000121      char *z = sqlite3_mprintf("%s.%s", zTab, zCol);
000122      if( db->nDb>2 || iDb!=0 ) z = sqlite3_mprintf("%s.%z", zDb, z);
000123      sqlite3ErrorMsg(pParse, "access to %z is prohibited", z);
000124      pParse->rc = SQLITE_AUTH;
000125    }else if( rc!=SQLITE_IGNORE && rc!=SQLITE_OK ){
000126      sqliteAuthBadReturnCode(pParse);
000127    }
000128    return rc;
000129  }
000130  
000131  /*
000132  ** The pExpr should be a TK_COLUMN expression.  The table referred to
000133  ** is in pTabList or else it is the NEW or OLD table of a trigger.  
000134  ** Check to see if it is OK to read this particular column.
000135  **
000136  ** If the auth function returns SQLITE_IGNORE, change the TK_COLUMN 
000137  ** instruction into a TK_NULL.  If the auth function returns SQLITE_DENY,
000138  ** then generate an error.
000139  */
000140  void sqlite3AuthRead(
000141    Parse *pParse,        /* The parser context */
000142    Expr *pExpr,          /* The expression to check authorization on */
000143    Schema *pSchema,      /* The schema of the expression */
000144    SrcList *pTabList     /* All table that pExpr might refer to */
000145  ){
000146    sqlite3 *db = pParse->db;
000147    Table *pTab = 0;      /* The table being read */
000148    const char *zCol;     /* Name of the column of the table */
000149    int iSrc;             /* Index in pTabList->a[] of table being read */
000150    int iDb;              /* The index of the database the expression refers to */
000151    int iCol;             /* Index of column in table */
000152  
000153    if( db->xAuth==0 ) return;
000154    iDb = sqlite3SchemaToIndex(pParse->db, pSchema);
000155    if( iDb<0 ){
000156      /* An attempt to read a column out of a subquery or other
000157      ** temporary table. */
000158      return;
000159    }
000160  
000161    assert( pExpr->op==TK_COLUMN || pExpr->op==TK_TRIGGER );
000162    if( pExpr->op==TK_TRIGGER ){
000163      pTab = pParse->pTriggerTab;
000164    }else{
000165      assert( pTabList );
000166      for(iSrc=0; ALWAYS(iSrc<pTabList->nSrc); iSrc++){
000167        if( pExpr->iTable==pTabList->a[iSrc].iCursor ){
000168          pTab = pTabList->a[iSrc].pTab;
000169          break;
000170        }
000171      }
000172    }
000173    iCol = pExpr->iColumn;
000174    if( NEVER(pTab==0) ) return;
000175  
000176    if( iCol>=0 ){
000177      assert( iCol<pTab->nCol );
000178      zCol = pTab->aCol[iCol].zName;
000179    }else if( pTab->iPKey>=0 ){
000180      assert( pTab->iPKey<pTab->nCol );
000181      zCol = pTab->aCol[pTab->iPKey].zName;
000182    }else{
000183      zCol = "ROWID";
000184    }
000185    assert( iDb>=0 && iDb<db->nDb );
000186    if( SQLITE_IGNORE==sqlite3AuthReadCol(pParse, pTab->zName, zCol, iDb) ){
000187      pExpr->op = TK_NULL;
000188    }
000189  }
000190  
000191  /*
000192  ** Do an authorization check using the code and arguments given.  Return
000193  ** either SQLITE_OK (zero) or SQLITE_IGNORE or SQLITE_DENY.  If SQLITE_DENY
000194  ** is returned, then the error count and error message in pParse are
000195  ** modified appropriately.
000196  */
000197  int sqlite3AuthCheck(
000198    Parse *pParse,
000199    int code,
000200    const char *zArg1,
000201    const char *zArg2,
000202    const char *zArg3
000203  ){
000204    sqlite3 *db = pParse->db;
000205    int rc;
000206  
000207    /* Don't do any authorization checks if the database is initialising
000208    ** or if the parser is being invoked from within sqlite3_declare_vtab.
000209    */
000210    if( db->init.busy || IN_DECLARE_VTAB ){
000211      return SQLITE_OK;
000212    }
000213  
000214    if( db->xAuth==0 ){
000215      return SQLITE_OK;
000216    }
000217  
000218    /* EVIDENCE-OF: R-43249-19882 The third through sixth parameters to the
000219    ** callback are either NULL pointers or zero-terminated strings that
000220    ** contain additional details about the action to be authorized.
000221    **
000222    ** The following testcase() macros show that any of the 3rd through 6th
000223    ** parameters can be either NULL or a string. */
000224    testcase( zArg1==0 );
000225    testcase( zArg2==0 );
000226    testcase( zArg3==0 );
000227    testcase( pParse->zAuthContext==0 );
000228  
000229    rc = db->xAuth(db->pAuthArg, code, zArg1, zArg2, zArg3, pParse->zAuthContext
000230  #ifdef SQLITE_USER_AUTHENTICATION
000231                   ,db->auth.zAuthUser
000232  #endif
000233                  );
000234    if( rc==SQLITE_DENY ){
000235      sqlite3ErrorMsg(pParse, "not authorized");
000236      pParse->rc = SQLITE_AUTH;
000237    }else if( rc!=SQLITE_OK && rc!=SQLITE_IGNORE ){
000238      rc = SQLITE_DENY;
000239      sqliteAuthBadReturnCode(pParse);
000240    }
000241    return rc;
000242  }
000243  
000244  /*
000245  ** Push an authorization context.  After this routine is called, the
000246  ** zArg3 argument to authorization callbacks will be zContext until
000247  ** popped.  Or if pParse==0, this routine is a no-op.
000248  */
000249  void sqlite3AuthContextPush(
000250    Parse *pParse,
000251    AuthContext *pContext, 
000252    const char *zContext
000253  ){
000254    assert( pParse );
000255    pContext->pParse = pParse;
000256    pContext->zAuthContext = pParse->zAuthContext;
000257    pParse->zAuthContext = zContext;
000258  }
000259  
000260  /*
000261  ** Pop an authorization context that was previously pushed
000262  ** by sqlite3AuthContextPush
000263  */
000264  void sqlite3AuthContextPop(AuthContext *pContext){
000265    if( pContext->pParse ){
000266      pContext->pParse->zAuthContext = pContext->zAuthContext;
000267      pContext->pParse = 0;
000268    }
000269  }
000270  
000271  #endif /* SQLITE_OMIT_AUTHORIZATION */