Merge 'select statement: verify EXECUTE permissions only for non native functions' from Eliran Sinvani

Commit 62458b8e4f introduced the enforcement of EXECUTE permissions of functions in cql select. However, according to the reference in #12869, the permissions should be enforced only on UDFs and UDAs. The code does not distinguish between the two so the permissions are also unintenionally enforced also on native function. This commit introduce the distinction and only enforces the permissions on non native functions. Fixes #16526 Manually verified (before and after change) with the reproducer supplied in #16526 and also with some the `min` and `max` native functions. Also added test that checks for regression on native functions execution and verified that it fails on authorization before the fix and passes after the fix. Closes scylladb/scylladb#16556 * github.com:scylladb/scylladb: test.py: Add test for native functions permissions select statement: verify EXECUTE permissions only for non native functions
2023-12-26 18:14:21 +02:00
parent 3968fc11bf a336550041
commit fc71c34597
2 changed files with 21 additions and 1 deletions
--- a/cql3/statements/select_statement.cc
+++ b/cql3/statements/select_statement.cc
@@ -226,7 +226,8 @@ future<> select_statement::check_access(query_processor& qp, const service::clie
    }
    if (!_selection->is_trivial()) {
        std::vector<::shared_ptr<functions::function>> used_functions = _selection->used_functions();
-        for (const auto& used_function : used_functions) {
+        auto not_native = [] (::shared_ptr<functions::function> func) { return !func->is_native(); };
+        for (const auto& used_function : used_functions | std::ranges::views::filter(not_native)) {
            sstring encoded_signature = auth::encode_signature(used_function->name().name, used_function->arg_types());
            co_await state.has_function_access(used_function->name().keyspace, encoded_signature, auth::permission::EXECUTE);
        }
--- a/test/cql-pytest/test_permissions.py
+++ b/test/cql-pytest/test_permissions.py
@@ -534,3 +534,22 @@ def test_create_on_existing_table(cql):
                    user_session.execute(f"CREATE TABLE IF NOT EXISTS {table}(a int primary key)")
                    ensure_updated_permissions()
                    ensure_all_table_permissions_unauthorized(user_session)
+
+# Test that native functions permissions are always implicitly granted.
+# every user with SELECT permission for a table should be able to use
+# the native functions (non UDF/UDA functions)
+# ref: https://github.com/scylladb/scylladb/issues/16526
+def test_native_functions_always_exeutable(cql):
+    schema = "a int primary key"
+    with new_test_keyspace(cql,"WITH REPLICATION = { 'class': 'NetworkTopologyStrategy', 'replication_factor': 1 }") as keyspace:
+        with new_test_table(cql,keyspace,schema) as table:
+            cql.execute(f'INSERT INTO {table}(a) VALUES(15)')
+            cql.execute(f'INSERT INTO {table}(a) VALUES(3)')
+            cql.execute(f'INSERT INTO {table}(a) VALUES(84)')
+            with new_user(cql) as username:
+                grant(cql, 'SELECT', table, username)
+                with new_session(cql,username) as user_session:
+                    assert list(user_session.execute(f"SELECT count(*) FROM {table}")) == [(3,)]
+                    assert list(user_session.execute(f"SELECT max(a) FROM {table}")) == [(84,)]
+                    assert list(user_session.execute(f"SELECT min(a) FROM {table}")) == [(3,)]
+                    assert list(user_session.execute(f"SELECT sum(a) FROM {table}")) == [(102,)]