feat: restrict access to all tables by default

for #10

Author: bcho

fixture_test.go

@@ -23,6 +23,8 @@ import (
 	"k8s.io/klog/v2/ktesting"
 )
 
+var enabledTestTables = []string{"test", "test_view"}
+
 type TestContext struct {
 	server    *httptest.Server
 	db        *sqlx.DB
@@ -135,6 +137,7 @@ func createTestContextUsingInMemoryDB(t testing.TB) *TestContext {
 		Execer:  db,
 	}
 	serverOpts.AuthOptions.disableAuth = true
+	serverOpts.SecurityOptions.EnabledTableOrViews = enabledTestTables
 	server, err := NewServer(serverOpts)
 	if err != nil {
 		t.Fatal(err)
@@ -190,6 +193,7 @@ func createTestContextWithHMACTokenAuth(t testing.TB) *TestContext {
 		Execer:  db,
 	}
 	serverOpts.AuthOptions.TokenFilePath = testTokenFile
+	serverOpts.SecurityOptions.EnabledTableOrViews = enabledTestTables
 	server, err := NewServer(serverOpts)
 	if err != nil {
 		t.Fatal(err)
@@ -265,6 +269,7 @@ func createTestContextWithRSATokenAuth(t testing.TB) *TestContext {
 		Execer:  db,
 	}
 	serverOpts.AuthOptions.RSAPublicKeyFilePath = testTokenFile
+	serverOpts.SecurityOptions.EnabledTableOrViews = enabledTestTables
 	server, err := NewServer(serverOpts)
 	if err != nil {
 		t.Fatal(err)

integration_security_test.go

@@ -0,0 +1,30 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSecurityNegativeCases(t *testing.T) {
+	t.Run("Unauthorized", func(t *testing.T) {
+		tc := createTestContextWithHMACTokenAuth(t)
+		defer tc.CleanUp(t)
+
+		tc.authToken = "" // disable auth
+		client := tc.Client()
+		_, _, err := client.From("test").Select("id", "", false).Execute()
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "Unauthorized")
+	})
+
+	t.Run("TableAccessRestricted", func(t *testing.T) {
+		tc := createTestContextWithHMACTokenAuth(t)
+		defer tc.CleanUp(t)
+
+		client := tc.Client()
+		_, _, err := client.From(tableNameMigrations).Select("id", "", false).Execute()
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "Access Restricted")
+	})
+}

server.go

@@ -21,22 +21,27 @@ const (
 )
 
 type ServerOptions struct {
-	Logger      logr.Logger
-	Addr        string
-	AuthOptions ServerAuthOptions
-	Queryer     sqlx.QueryerContext
-	Execer      sqlx.ExecerContext
+	Logger          logr.Logger
+	Addr            string
+	AuthOptions     ServerAuthOptions
+	SecurityOptions ServerSecurityOptions
+	Queryer         sqlx.QueryerContext
+	Execer          sqlx.ExecerContext
 }
 
 func (opts *ServerOptions) bindCLIFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&opts.Addr, "http-addr", ":8080", "server listen addr")
 	opts.AuthOptions.bindCLIFlags(fs)
+	opts.SecurityOptions.bindCLIFlags(fs)
 }
 
 func (opts *ServerOptions) defaults() error {
 	if err := opts.AuthOptions.defaults(); err != nil {
 		return err
 	}
+	if err := opts.SecurityOptions.defaults(); err != nil {
+		return err
+	}
 
 	if opts.Logger.GetSink() == nil {
 		opts.Logger = logr.Discard()
@@ -82,17 +87,21 @@ func NewServer(opts *ServerOptions) (*dbServer, error) {
 
 	// TODO: allow specifying cors config from cli / table
 	serverMux.Use(cors.AllowAll().Handler)
-	authMiddleware := opts.AuthOptions.createAuthMiddleware(rv.responseError)
 
 	{
-		serverMux.With(authMiddleware).Group(func(r chi.Router) {
-			routePattern := fmt.Sprintf("/{%s:[^/]+}", routeVarTableOrView)
-			r.Get(routePattern, rv.handleQueryTableOrView)
-			r.Post(routePattern, rv.handleInsertTable)
-			r.Patch(routePattern, rv.handleUpdateTable)
-			r.Put(routePattern, rv.handleUpdateSingleEntity)
-			r.Delete(routePattern, rv.handleDeleteTable)
-		})
+		serverMux.
+			With(
+				opts.AuthOptions.createAuthMiddleware(rv.responseError),
+				opts.SecurityOptions.createTableOrViewAccessCheckMiddleware(rv.responseError, routeVarTableOrView),
+			).
+			Group(func(r chi.Router) {
+				routePattern := fmt.Sprintf("/{%s:[^/]+}", routeVarTableOrView)
+				r.Get(routePattern, rv.handleQueryTableOrView)
+				r.Post(routePattern, rv.handleInsertTable)
+				r.Patch(routePattern, rv.handleUpdateTable)
+				r.Put(routePattern, rv.handleUpdateSingleEntity)
+				r.Delete(routePattern, rv.handleDeleteTable)
+			})
 	}
 
 	rv.server.Handler = serverMux

server_errors.go

@@ -41,6 +41,11 @@ var (
 		Message:    "Unauthorized",
 		StatusCode: http.StatusUnauthorized,
 	}
+
+	ErrAccessRestricted = &ServerError{
+		Message:    "Access Restricted",
+		StatusCode: http.StatusForbidden,
+	}
 )
 
 func ErrUnsupportedOperator(op string) *ServerError {

server_security.go

@@ -0,0 +1,53 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/spf13/pflag"
+)
+
+// TODO: generally speaking, we need a fine-grained RBAC system.
+
+type ServerSecurityOptions struct {
+	// EnabledTableOrViews list of table or view names that are accessible (read & write).
+	EnabledTableOrViews []string
+}
+
+func (opts *ServerSecurityOptions) bindCLIFlags(fs *pflag.FlagSet) {
+	fs.StringSliceVar(
+		&opts.EnabledTableOrViews,
+		"--security-allow-table",
+		[]string{},
+		"list of table or view names that are accessible (read & write)",
+	)
+}
+
+func (opts *ServerSecurityOptions) defaults() error {
+	return nil
+}
+
+func (opts *ServerSecurityOptions) createTableOrViewAccessCheckMiddleware(
+	responseErr func(w http.ResponseWriter, err error),
+	routeVarTableOrView string,
+) func(http.Handler) http.Handler {
+	accesibleTableOrViews := make(map[string]struct{})
+	for _, t := range opts.EnabledTableOrViews {
+		accesibleTableOrViews[t] = struct{}{}
+	}
+	fmt.Println(accesibleTableOrViews)
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			target := chi.URLParam(req, routeVarTableOrView)
+
+			if _, ok := accesibleTableOrViews[target]; !ok {
+				responseErr(w, ErrAccessRestricted)
+				return
+			}
+
+			next.ServeHTTP(w, req)
+		})
+	}
+}