Class CsvRulesManager

java.lang.Object
org.kawanfw.sql.api.server.firewall.DefaultSqlFirewallManager
org.kawanfw.sql.api.server.firewall.CsvRulesManager
All Implemented Interfaces:
SqlFirewallManager

public class CsvRulesManager
extends DefaultSqlFirewallManager
implements SqlFirewallManager
Firewall manager that checks each SQL request against the content of a CSV File. The CSV file is loaded in memory at AceQL server startup.

The name of the CSV file that will be used by a database is: <database>_rules_manager.csv, where database is the name of the database declared in the aceql.properties files.
The file must be located in the same directory as the aceql.properties file used when starting the AceQL server.

The CSV file contains the rules for accessing the tables, with semicolon for separator:
  • First line contains the element names: username;table;delete;insert;select;update;optional comments
  • Subsequent lines contain the rules, with the values for each element:
    • username: AceQL username of the connected client.
    • table: the table name to access. Name must not include dots and prefixes.
    • delete: true if the username has the right to delete rows of the table, else false.
    • insert: true if the username has the right to insert rows in the table, else false.
    • select: true if the username has the right to select rows of the table, else false.
    • update: true if the username has the right to update rows of the table, else false.
    • Optional comments for the rule.

Note that:
  • public value may be used for the username column and means any username. At execution time: if a rule with public returns true for a CSV column, the rule supersedes other declared rules declared for specific users for the same CSV column.
  • all value is allowed for table column and means any table. At execution time: If a rule with all returns true for a CSV column, the rule supersedes other specific rules declared for specific tables for the same CSV column.

See an example of CSV file: sampledb_rules_manager.csv

Since:
4.1
Author:
Nicolas de Pomereu
  • Constructor Details

    • CsvRulesManager

      public CsvRulesManager()
  • Method Details

    • allowSqlRunAfterAnalysis

      public boolean allowSqlRunAfterAnalysis​(String username, String database, Connection connection, String ipAddress, String sql, boolean isPreparedStatement, List<Object> parameterValues) throws IOException, SQLException
      Allows the execution of the statement if an allowing rules exists in the:  <database>_rules_manager.csv file.
      Specified by:
      allowSqlRunAfterAnalysis in interface SqlFirewallManager
      Overrides:
      allowSqlRunAfterAnalysis in class DefaultSqlFirewallManager
      Parameters:
      username - the client username to check the rule for.
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      ipAddress - the IP address of the client user
      sql - the SQL statement
      isPreparedStatement - Says if the statement is a prepared statement
      parameterValues - the parameter values of a prepared statement in the natural order, empty list for a (non prepared) statement
      Returns:
      true. No analysis is done so all SQL statements are authorized.
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs
    • runIfStatementRefused

      public void runIfStatementRefused​(String username, String database, Connection connection, String ipAddress, boolean isMetadataQuery, String sql, List<Object> parameterValues) throws IOException, SQLException
      Logs the info using DefaultDatabaseConfigurator.getLogger() Logger.
      Specified by:
      runIfStatementRefused in interface SqlFirewallManager
      Overrides:
      runIfStatementRefused in class DefaultSqlFirewallManager
      Parameters:
      username - the discarded client username
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      ipAddress - the IP address of the client user
      isMetadataQuery - Says if the client request was an AceQL specific Metadata Query API
      sql - the SQL statement
      parameterValues - the parameter values of a prepared statement in the natural order, empty list for a (non prepared) statement
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs