Reestructure the permission database and make permissions by role work.

Author: asfernandes

src/etc/scripts/java-security.sql

@@ -1,43 +1,53 @@
-create sequence seq_permission_group start with 2;
+create sequence seq_permission_group;
 
 create table permission_group (
-	id bigint not null constraint permission_group_pk primary key,
+	id bigint not null constraint pergro_pk primary key,
 	name varchar(255) not null
 );
 
 create table permission (
-	permission_group bigint not null constraint permission_pg_fk references permission_group,
-	user_name varchar(31) not null,
+	permission_group bigint not null constraint per_fk01 references permission_group,
 	class_name varchar(255) not null,
 	arg1 varchar(255),
 	arg2 varchar(255)
 );
 
-create table database_permission_group (
-	database_pattern varchar(255) not null,
-	permission_group bigint not null constraint database_permission_group_pg_fk references permission_group
+create table permission_group_grant (
+	permission_group bigint not null constraint pergrogra_fk01 references permission_group,
+	database_pattern varchar(1024) not null,
+	grantee_type varchar(4) not null constraint pergrogra_ck01 check (grantee_type in ('USER', 'ROLE')),
+	grantee_pattern varchar(512) not null
 );
 
--- Common permission group
-insert into permission_group (id, name)
-	values (1, 'COMMON');
-
--- Public permissions
-insert into permission (permission_group, user_name, class_name, arg1, arg2)
-	values (1, 'PUBLIC', 'java.util.PropertyPermission', 'file.separator', 'read');
-insert into permission (permission_group, user_name, class_name, arg1, arg2)
-	values (1, 'PUBLIC', 'java.util.PropertyPermission', 'java.version', 'read');
-insert into permission (permission_group, user_name, class_name, arg1, arg2)
-	values (1, 'PUBLIC', 'java.util.PropertyPermission', 'java.vendor', 'read');
-insert into permission (permission_group, user_name, class_name, arg1, arg2)
-	values (1, 'PUBLIC', 'java.util.PropertyPermission', 'java.vendor.url', 'read');
-insert into permission (permission_group, user_name, class_name, arg1, arg2)
-	values (1, 'PUBLIC', 'java.util.PropertyPermission', 'line.separator', 'read');
-insert into permission (permission_group, user_name, class_name, arg1, arg2)
-	values (1, 'PUBLIC', 'java.util.PropertyPermission', 'os.*', 'read');
-insert into permission (permission_group, user_name, class_name, arg1, arg2)
-	values (1, 'PUBLIC', 'java.util.PropertyPermission', 'path.separator', 'read');
-
--- Common permissions
-insert into database_permission_group (database_pattern, permission_group)
-	values ('%', 1);
+set term !;
+
+execute block
+as
+	declare pergro_id type of column permission_group.id;
+begin
+	-- Common permissions, by default granted to all users.
+
+	insert into permission_group (id, name)
+		values (next value for seq_permission_group, 'COMMON')
+		returning id into pergro_id;
+
+	insert into permission (permission_group, class_name, arg1, arg2)
+		values (:pergro_id, 'java.util.PropertyPermission', 'file.separator', 'read');
+	insert into permission (permission_group, class_name, arg1, arg2)
+		values (:pergro_id, 'java.util.PropertyPermission', 'java.version', 'read');
+	insert into permission (permission_group, class_name, arg1, arg2)
+		values (:pergro_id, 'java.util.PropertyPermission', 'java.vendor', 'read');
+	insert into permission (permission_group, class_name, arg1, arg2)
+		values (:pergro_id, 'java.util.PropertyPermission', 'java.vendor.url', 'read');
+	insert into permission (permission_group, class_name, arg1, arg2)
+		values (:pergro_id, 'java.util.PropertyPermission', 'line.separator', 'read');
+	insert into permission (permission_group, class_name, arg1, arg2)
+		values (:pergro_id, 'java.util.PropertyPermission', 'os.*', 'read');
+	insert into permission (permission_group, class_name, arg1, arg2)
+		values (:pergro_id, 'java.util.PropertyPermission', 'path.separator', 'read');
+
+	insert into permission_group_grant (permission_group, database_pattern, grantee_type, grantee_pattern)
+		values (:pergro_id, '%', 'USER', '%');
+end!
+
+set term ;!

src/fbjava/src/main/java/org/firebirdsql/fbjava/impl/DbPolicy.java

@@ -33,11 +33,14 @@
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.sql.Statement;
 import java.util.HashMap;
 import java.util.HashSet;
 
 import javax.security.auth.Subject;
 
+import org.firebirdsql.fbjava.impl.FbClientLibrary.IExternalContext;
+import org.firebirdsql.fbjava.impl.FbClientLibrary.IStatus;
 import org.firebirdsql.gds.ISCConstants;
 import org.firebirdsql.gds.TransactionParameterBuffer;
 import org.firebirdsql.jdbc.FBConnection;
@@ -82,13 +85,16 @@ static void databaseOpened() throws SQLException
 
 				stmt = securityDb.prepareStatement(
 					"select p.class_name, p.arg1, p.arg2\n" +
-					"  from database_permission_group dpg\n" +
+					"  from permission_group_grant pgg\n" +
 					"  join permission_group pg\n" +
-					"    on pg.id = dpg.permission_group\n" +
+					"    on pg.id = pgg.permission_group\n" +
 					"  join permission p\n" +
 					"    on p.permission_group = pg.id\n" +
-					"  where cast(? as varchar(1024)) similar to dpg.database_pattern escape '\\' and\n" +
-					"  p.user_name in (?, 'PUBLIC')");
+					"  where cast(? as varchar(1024)) similar to pgg.database_pattern escape '\\' and\n" +
+					"        ((pgg.grantee_type = 'USER' and\n" +
+					"          cast(? as varchar(512)) similar to pgg.grantee_pattern escape '\\') or\n" +
+					"         (pgg.grantee_type = 'ROLE' and\n" +
+					"          cast(? as varchar(512)) similar to pgg.grantee_pattern escape '\\'))");
 			}
 		}
 	}
@@ -106,19 +112,41 @@ static void databaseClosed() throws SQLException
 		}
 	}
 
-	static synchronized Subject getUserSubject(String databaseName, String userName)
+	static synchronized Subject getUserSubject(IStatus status, IExternalContext context, DbClassLoader classLoader)
+		throws Exception
 	{
+		String databaseName = classLoader.databaseName;
+		String userName = context.getUserName();
+		String key = databaseName + "\0" + userName;
+
 		synchronized (userSubjects)
 		{
-			Subject subj = userSubjects.get(userName);
+			Subject subj = userSubjects.get(key);
 			if (subj != null)
 				return subj;
 
+			String roleName;
+
+			try (InternalContext internalContext = InternalContext.get(status, context))
+			{
+				try (Connection conn = internalContext.getConnection())
+				{
+					try (Statement stmt = conn.createStatement())
+					{
+						try (ResultSet rs = stmt.executeQuery("select current_role from rdb$database"))
+						{
+							rs.next();
+							roleName = rs.getString(1);
+						}
+					}
+				}
+			}
+
 			final HashSet<Principal> principals = new HashSet<Principal>();
-			principals.add(new DbPrincipal(databaseName, userName));
+			principals.add(new DbPrincipal(databaseName, roleName, userName));
 			subj = new Subject(true, principals, new HashSet<Object>(), new HashSet<Object>());
 
-			userSubjects.put(userName, subj);
+			userSubjects.put(key, subj);
 
 			return subj;
 		}
@@ -143,7 +171,11 @@ public PermissionCollection run()
 				for (Principal principal : domain.getPrincipals())
 				{
 					if (principal instanceof DbPrincipal)
-						loadPermissions(((DbPrincipal) principal).getDatabaseName(), principal.getName(), permissions);
+					{
+						DbPrincipal dbPrincipal = (DbPrincipal) principal;
+						loadPermissions(dbPrincipal.getDatabaseName(), dbPrincipal.getRoleName(), dbPrincipal.getName(),
+							permissions);
+					}
 				}
 
 				return permissions;
@@ -168,7 +200,8 @@ public Boolean run()
 		});
 	}
 
-	private void loadPermissions(String databaseName, String userName, PermissionCollection permissions)
+	private void loadPermissions(String databaseName, String roleName, String userName,
+		PermissionCollection permissions)
 	{
 		//// TODO: cache
 		synchronized (stmt)
@@ -177,8 +210,9 @@ private void loadPermissions(String databaseName, String userName, PermissionCol
 			{
 				stmt.setString(1, databaseName);
 				stmt.setString(2, userName);
-				ResultSet rs = stmt.executeQuery();
-				try
+				stmt.setString(3, roleName);
+
+				try (ResultSet rs = stmt.executeQuery())
 				{
 					while (rs.next())
 					{
@@ -210,10 +244,6 @@ else if (arg1 != null)
 						}
 					}
 				}
-				finally
-				{
-					rs.close();
-				}
 			}
 			catch (SQLException e)
 			{

src/fbjava/src/main/java/org/firebirdsql/fbjava/impl/DbPrincipal.java

@@ -29,42 +29,50 @@
 final class DbPrincipal implements Principal
 {
 	private String databaseName;
-	private String name;
+	private String roleName;
+	private String userName;
 
-	public DbPrincipal(String databaseName, String name)
+	public DbPrincipal(String databaseName, String roleName, String userName)
 	{
 		this.databaseName = databaseName;
-		this.name = name;
+		this.roleName = roleName;
+		this.userName = userName;
 	}
 
 	@Override
 	public String getName()
 	{
-		return name;
+		return userName;
 	}
 
 	@Override
 	public boolean equals(Object another)
 	{
 		return (another instanceof DbPrincipal) &&
 			databaseName.equals(((DbPrincipal) another).databaseName) &&
-			name.equals(((DbPrincipal) another).name);
+			roleName.equals(((DbPrincipal) another).roleName) &&
+			userName.equals(((DbPrincipal) another).userName);
 	}
 
 	@Override
 	public int hashCode()
 	{
-		return name.hashCode();
+		return userName.hashCode();
 	}
 
 	@Override
 	public String toString()
 	{
-		return databaseName + "::" + name;
+		return databaseName + "::" + userName;
 	}
 
 	String getDatabaseName()
 	{
 		return databaseName;
 	}
+
+	public String getRoleName()
+	{
+		return roleName;
+	}
 }

src/fbjava/src/main/java/org/firebirdsql/fbjava/impl/ExternalEngine.java

@@ -1152,7 +1152,7 @@ private Routine getRoutine(IStatus status, IExternalContext context, IRoutineMet
 			String className = entryPoint.substring(0, methodStart - 1).trim();
 			String methodName = entryPoint.substring(methodStart, paramsStart).trim();
 
-			Class<?> clazz = runInClassLoader(context.getUserName(), className, methodName,
+			Class<?> clazz = runInClassLoader(status, context, className, methodName,
 				() -> Class.forName(className, true, sharedData.classLoader));
 
 			Routine routine = new Routine(this);
@@ -1379,15 +1379,15 @@ private char peekChar(String s, int[] pos) throws FbException
 		return s.charAt(pos[0]);
 	}
 
-	<T> T runInClassLoader(String userName, String className, String methodName, CallableThrowable<T> callable)
-		throws Throwable
+	<T> T runInClassLoader(IStatus status, IExternalContext context, String className, String methodName,
+		CallableThrowable<T> callable) throws Throwable
 	{
 		ClassLoader oldClassLoader = Thread.currentThread().getContextClassLoader();
 		try
 		{
 			Thread.currentThread().setContextClassLoader(sharedData.classLoader);
 
-			Subject subj = DbPolicy.getUserSubject(sharedData.classLoader.databaseName, userName);
+			Subject subj = DbPolicy.getUserSubject(status, context, sharedData.classLoader);
 
 			ProtectionDomain[] protectionDomains = {new ProtectionDomain(sharedData.classLoader.codeSource,
 				sharedData.classLoader.codeSourcePermission, sharedData.classLoader,

src/fbjava/src/main/java/org/firebirdsql/fbjava/impl/ExternalFunction.java

@@ -65,7 +65,7 @@ public void execute(IStatus status, IExternalContext context, Pointer inMsg, Poi
 			try (InternalContext internalContext = InternalContext.get(status, context))
 			{
 				Object[] in = routine.getFromMessage(status, context, routine.inputParameters, inMsg);
-				Object[] out = {routine.run(context, in)};
+				Object[] out = {routine.run(status, context, in)};
 
 				routine.putInMessage(status, context, routine.outputParameters, out, 0, outMsg);
 			}

src/fbjava/src/main/java/org/firebirdsql/fbjava/impl/ExternalProcedure.java

@@ -79,7 +79,7 @@ public IExternalResultSet open(IStatus status, IExternalContext context, Pointer
 				for (int i = inCount; i < inOut.length; ++i)
 					inOut[i] = Array.newInstance(routine.outputParameters.get(i - inCount).javaClass, 1);
 
-				ExternalResultSet rs = (ExternalResultSet) routine.run(context, inOut);
+				ExternalResultSet rs = (ExternalResultSet) routine.run(status, context, inOut);
 
 				if (rs == null)
 				{
@@ -91,8 +91,6 @@ public IExternalResultSet open(IStatus status, IExternalContext context, Pointer
 				}
 				else
 				{
-					String userName = context.getUserName();
-
 					//// FIXME: Stack trace filtering is not working fully correct here.
 
 					class ExtResultSet implements IExternalResultSetIntf
@@ -104,7 +102,7 @@ public void dispose()
 						{
 							try
 							{
-								routine.engine.runInClassLoader(userName,
+								routine.engine.runInClassLoader(status, context,
 									routine.method.getDeclaringClass().getName(), routine.method.getName(),
 									() -> {
 										rs.close();
@@ -126,7 +124,7 @@ public boolean fetch(IStatus status) throws FbException
 
 							try
 							{
-								return routine.engine.runInClassLoader(userName,
+								return routine.engine.runInClassLoader(status, context,
 									routine.method.getDeclaringClass().getName(), routine.method.getName(),
 									() -> {
 										if (rs.fetch())

src/fbjava/src/main/java/org/firebirdsql/fbjava/impl/Routine.java

@@ -112,9 +112,9 @@ void putInMessage(IStatus status, IExternalContext context, List<Parameter> para
 		}
 	}
 
-	Object run(IExternalContext context, Object[] args) throws Throwable
+	Object run(IStatus status, IExternalContext context, Object[] args) throws Throwable
 	{
-		return engine.runInClassLoader(context.getUserName(), method.getDeclaringClass().getName(), method.getName(),
+		return engine.runInClassLoader(status, context, method.getDeclaringClass().getName(), method.getName(),
 			() -> {
 				try
 				{