fix: ban revoking public role

992c072c · Вартан Бабаян · ea296762 · 992c072c · 992c072c
Commit 992c072c authored 5 months ago by Вартан Бабаян
--- a/src/access_control.rs
+++ b/src/access_control.rs
@@ -479,6 +479,15 @@ fn access_check_grant_revoke(

            assert_eq!(object_id, granted_role.id, "user metadata id mismatch");

+            // Forbid revoking role "public" since it takes away permission to execute SQL queries
+            if access == PrivType::Revoke && granted_role.name == "public" {
+                return Err(BoxError::new(
+                    AccessDenied,
+                    format!("Revoking role '{}' is denied", granted_role.name),
+                )
+                .into());
+            }
+
            // Only the creator of the role or admin can grant or revoke it.
            // Everyone can grant 'PUBLIC' role.
            // Note that having a role means having execute privilege on it.

--- a/test/int/test_acl.py
+++ b/test/int/test_acl.py
@@ -840,3 +840,27 @@ def test_admin_set_password(cluster: Cluster):
        print(f"Expected error occurred: {err}")

    assert not is_connected
+
+
+def test_revoke_role_public(cluster: Cluster):
+    i1 = cluster.add_instance(wait_online=False)
+    i1.start()
+    i1.wait_online()
+
+    user = "billy"
+    password = "Password1#"
+
+    i1.sql('CREATE ROLE "reader";')
+    i1.sql(f"""CREATE USER "{user}" WITH PASSWORD '{password}' USING chap-sha1;""")
+    i1.sql(f"""GRANT "reader" TO "{user}";""")
+    with pytest.raises(
+        TarantoolError,
+        match="Revoking role 'public' is denied",
+    ):
+        i1.sql(f"""REVOKE "public" FROM "{user}";""")
+
+    i1.grant_privilege(user, "create", "table")
+    with i1.connect(timeout=5, user=user, password=password) as conn:
+        conn.sql(
+            "CREATE TABLE warehouse (id INTEGER PRIMARY KEY);",
+        )