Restrict grant to/from any babelfish created role
lohia-shalini committed Jan 8, 2025
1 parent 42d44ff commit bc1f5a5
Showing 1 changed file with 13 additions and 5 deletions.
18 changes: 13 additions & 5 deletions contrib/babelfishpg_tds/src/backend/tds/tdsutils.c
Expand Up @@ -949,11 +949,13 @@ is_babelfish_role(const char *role)
Oid bbf_msdb_guest_oid;
Oid securityadmin;
Oid dbcreator;
Oid bbf_admin_oid;

sysadmin_oid = get_role_oid(BABELFISH_SYSADMIN, true); /* missing OK */
role_oid = get_role_oid(role, true); /* missing OK */
securityadmin = get_role_oid(BABELFISH_SECURITYADMIN, true); /* missing OK */
dbcreator = get_role_oid(BABELFISH_DBCREATOR, true); /* missing OK */
bbf_admin_oid = get_role_oid(BABELFISH_ROLE_ADMIN, true); /* missing OK */

if (!OidIsValid(sysadmin_oid) || !OidIsValid(role_oid)
|| !OidIsValid(securityadmin) || !OidIsValid(dbcreator))
Expand All @@ -973,7 +975,8 @@ is_babelfish_role(const char *role)
&& OidIsValid(bbf_msdb_guest_oid)
&& is_member_of_role(role_oid, bbf_master_guest_oid)
&& is_member_of_role(role_oid, bbf_tempdb_guest_oid)
&& is_member_of_role(role_oid, bbf_msdb_guest_oid))
&& is_member_of_role(role_oid, bbf_msdb_guest_oid)
&& is_member_of_role(bbf_admin_oid, role_oid))
return true;

return false;
Expand Down Expand Up @@ -1231,7 +1234,7 @@ handle_grant_role(GrantRoleStmt *grant_stmt)
if (get_bbf_role_admin_oid() == GetUserId())
return true;

/* Restrict roles to added as a member of BBF default server roles */
/* Restrict roles to added as a member of babelfish created roles */
foreach(item, grant_stmt->granted_roles)
{
AccessPriv *priv = (AccessPriv *) lfirst(item);
Expand All @@ -1242,20 +1245,25 @@ handle_grant_role(GrantRoleStmt *grant_stmt)
continue;

roleid = get_role_oid(rolename, false);
if (OidIsValid(roleid) && IS_DEFAULT_BBF_SERVER_ROLE(rolename))
if (OidIsValid(roleid) && is_babelfish_role(rolename))
{
pfree(rolename);
check_babelfish_alterrole_restictions(false);
}
}

/* Restrict grant to/from bbf_role_admin, securityadmin or dbcreator role */
/* Restrict grant to/from any babelfish created role */

foreach(item, grant_stmt->grantee_roles)
{
RoleSpec *rolespec = lfirst_node(RoleSpec, item);
Oid roleid;

roleid = get_rolespec_oid(rolespec, false);
if (OidIsValid(roleid) && IS_DEFAULT_BBF_SERVER_ROLE(rolespec->rolename))
if (OidIsValid(roleid) && is_babelfish_role(rolespec->rolename))
{
check_babelfish_alterrole_restictions(false);
}
}

return true;
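Review bot: `bbf_admin_oid` is looked up with missing-OK in is_babelfish_role but, in the lines shown, is never added to the `OidIsValid` checks, so the new `is_member_of_role(bbf_admin_oid, role_oid)` conjunct can be evaluated with an invalid OID. In that case the membership test would presumably be false, is_babelfish_role would return false on this path, and the GRANT restrictions that handle_grant_role now routes through it would silently not apply. I would make the missing case explicit by extending the guard to `|| !OidIsValid(securityadmin) || !OidIsValid(dbcreator) || !OidIsValid(bbf_admin_oid))`, with a comment stating which result is intended when bbf_role_admin is absent. Part of the function, including the statement that guard controls, is collapsed on this page, so this needs confirming against the full body. Separately, is_member_of_role treats a superuser member as belonging to every role, which deserves a comment on the new conjunct if bbf_role_admin can ever hold superuser.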