box: check permissions on constraint functions on creation

Function execution permissions should only be checked on constraint creation. So when the function is used to check a tuple access rights don't have to be checked on each call for the current user. Closes #7873 NO_DOC=bugfix (cherry picked from commit 6b8f2c5f)

box: check permissions on constraint functions on creation
2cde4c66 · Magomed Kostoev · Aleksandr Lyapunov · 18e54fe7 · 2cde4c66 · 2cde4c66
Commit 2cde4c66 authored 1 year ago by Magomed Kostoev Committed by Aleksandr Lyapunov 1 year ago
--- a/changelogs/unreleased/gh-7873-func-priv-check.md
+++ b/changelogs/unreleased/gh-7873-func-priv-check.md
+## bugfix/box
+
+* Fixed the privilege check when using spaces with functional indexes and
+  constraints (gh-7873).
--- a/src/box/tuple_constraint_func.c
+++ b/src/box/tuple_constraint_func.c
@@ -97,7 +97,8 @@ tuple_constraint_call_func(const struct tuple_constraint *constr,
 					constr->space->format);
 	port_c_add_str(&in_port, constr->def.name, constr->def.name_len);

-	int rc = func_call(constr->func_cache_holder.func, &in_port, &out_port);
+	int rc = func_call_no_access_check(constr->func_cache_holder.func,
+					   &in_port, &out_port);
 	port_destroy(&in_port);
 	if (rc == 0) {
 		uint32_t ret_size;
@@ -189,7 +190,7 @@ tuple_constraint_func_init(struct tuple_constraint *constr,
 		assert(constr->check == tuple_constraint_noop_check);
 		return 0;
 	}
-	if (func == NULL ||
+	if (func == NULL || func_access_check(func) != 0 ||
 	    tuple_constraint_func_verify(constr, func, is_field) != 0) {
 		constr->space = NULL;
 		return -1;

--- a/test/box-luatest/gh_7873_func_perm_check_test.lua
+++ b/test/box-luatest/gh_7873_func_perm_check_test.lua
@@ -66,6 +66,68 @@ local function test_func_indexes()
    box.schema.func.drop(fname)
 end

+local function test_constraints()
+    local prefix = 'test_constraints_'
+    local uname = prefix .. 'user'
+    local fname = prefix .. 'func'
+    local s_test = box.schema.space.create(prefix .. 's_test')
+    local err = "Execute access to function '" .. fname .. "'"
+                .. " is denied for user '" .. uname .. "'"
+
+    -- Fill spaces to invoke format/constraint check.
+    s_test:create_index('pk')
+    for i = 1, 10 do s_test:insert({i}) end
+
+    -- Create a function by 'admin'.
+    box.schema.func.create(fname, {
+        body = 'function(a, b) return true end',
+        is_deterministic = true,
+        is_sandboxed = true
+    })
+
+    -- Set the function as tuple and field constraint.
+    s_test:alter({constraint = fname})
+    s_test:format({{'id', 'unsigned', constraint = fname}})
+
+    -- Create a restricted user.
+    box.session.su('admin')
+    box.schema.user.create(uname)
+    box.schema.user.grant(uname, 'read,write,alter,create,drop', 'universe')
+
+    -- Switch to the restricted user.
+    box.session.su(uname)
+
+    ----------------------------------------------------------------------------
+    -- The restricted user should be able to use the space with a constraint
+    -- that was set by 'admin'.
+
+    s_test:insert({42})
+
+    ----------------------------------------------------------------------------
+    -- The restricted user should not be able to specify the function that was
+    -- created by 'admin' as a constraint without 'execute' permission.
+
+    -- Attempt to set admin's function as a tuple constraint.
+    t.assert_error_msg_equals(err, s_test.alter, s_test, {constraint = fname})
+
+    -- Attempt to set admin's function as a field constraint.
+    t.assert_error_msg_equals(err, s_test.format, s_test, {
+        {'id', 'unsigned', constraint = fname}
+    })
+
+    ----------------------------------------------------------------------------
+    -- Cleanup.
+
+    box.session.su('admin')
+    s_test:drop()
+    box.schema.user.drop(uname)
+    box.schema.func.drop(fname)
+end
+
 g.test_func_indexes = function(cg)
    cg.server:exec(test_func_indexes)
 end
+
+g.test_constraints = function(cg)
+    cg.server:exec(test_constraints)
+end