--- /dev/null
+/*\r
+\r
+ Derby - Class org.apache.derby.iapi.sql.dictionary.StatementColumnPermission\r
+\r
+ Licensed to the Apache Software Foundation (ASF) under one or more\r
+ contributor license agreements. See the NOTICE file distributed with\r
+ this work for additional information regarding copyright ownership.\r
+ The ASF licenses this file to you under the Apache License, Version 2.0\r
+ (the "License"); you may not use this file except in compliance with\r
+ the License. You may obtain a copy of the License at\r
+\r
+ http://www.apache.org/licenses/LICENSE-2.0\r
+\r
+ Unless required by applicable law or agreed to in writing, software\r
+ distributed under the License is distributed on an "AS IS" BASIS,\r
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ See the License for the specific language governing permissions and\r
+ limitations under the License.\r
+\r
+ */\r
+\r
+package org.apache.derby.iapi.sql.dictionary;\r
+\r
+import org.apache.derby.iapi.error.StandardException;\r
+import org.apache.derby.catalog.UUID;\r
+import org.apache.derby.iapi.sql.conn.Authorizer;\r
+import org.apache.derby.iapi.reference.SQLState;\r
+import org.apache.derby.iapi.services.io.FormatableBitSet;\r
+import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;\r
+\r
+/**\r
+ * This class describes a column permission used (required) by a statement.\r
+ */\r
+\r
+public class StatementColumnPermission extends StatementTablePermission\r
+{\r
+ private FormatableBitSet columns;\r
+\r
+ /**\r
+ * Constructor for StatementColumnPermission. Creates an instance of column permission requested\r
+ * for the given access.\r
+ * \r
+ * @param tableUUID UUID of the table\r
+ * @param privType Access privilege requested\r
+ * @param columns List of columns\r
+ *\r
+ */\r
+ public StatementColumnPermission(UUID tableUUID, int privType, FormatableBitSet columns)\r
+ {\r
+ super( tableUUID, privType);\r
+ this.columns = columns;\r
+ }\r
+\r
+ /**\r
+ * Return list of columns that need access\r
+ *\r
+ * @return FormatableBitSet of columns\r
+ */\r
+ public FormatableBitSet getColumns()\r
+ {\r
+ return columns;\r
+ }\r
+\r
+ /**\r
+ * Method to check if another instance of column access descriptor matches this.\r
+ * Used to ensure only one access descriptor for a table/columns of given privilege is created.\r
+ *\r
+ * @param obj Another instance of StatementPermission\r
+ *\r
+ * @return true if match\r
+ */\r
+ public boolean equals( Object obj)\r
+ {\r
+ if( obj instanceof StatementColumnPermission)\r
+ {\r
+ StatementColumnPermission other = (StatementColumnPermission) obj;\r
+ if( ! columns.equals( other.columns))\r
+ return false;\r
+ return super.equals( obj);\r
+ }\r
+ return false;\r
+ }\r
+ \r
+ /**\r
+ * @see StatementPermission#check\r
+ */\r
+ public void check( LanguageConnectionContext lcc,\r
+ String authorizationId,\r
+ boolean forGrant)\r
+ throws StandardException\r
+ {\r
+ DataDictionary dd = lcc.getDataDictionary();\r
+\r
+ if( hasPermissionOnTable(dd, authorizationId, forGrant))\r
+ return;\r
+ FormatableBitSet permittedColumns = null;\r
+ if( ! forGrant)\r
+ {\r
+ permittedColumns = addPermittedColumns( dd,\r
+ false /* non-grantable permissions */,\r
+ Authorizer.PUBLIC_AUTHORIZATION_ID,\r
+ permittedColumns);\r
+ permittedColumns = addPermittedColumns( dd,\r
+ false /* non-grantable permissions */,\r
+ authorizationId,\r
+ permittedColumns);\r
+ }\r
+ permittedColumns = addPermittedColumns( dd,\r
+ true /* grantable permissions */,\r
+ Authorizer.PUBLIC_AUTHORIZATION_ID,\r
+ permittedColumns);\r
+ permittedColumns = addPermittedColumns( dd,\r
+ true /* grantable permissions */,\r
+ authorizationId,\r
+ permittedColumns);\r
+ \r
+ for( int i = columns.anySetBit(); i >= 0; i = columns.anySetBit( i))\r
+ {\r
+ if( permittedColumns != null && permittedColumns.get(i))\r
+ continue;\r
+\r
+ // No permission on this column.\r
+ TableDescriptor td = getTableDescriptor( dd);\r
+ ColumnDescriptor cd = td.getColumnDescriptor( i + 1);\r
+ if( cd == null)\r
+ throw StandardException.newException( SQLState.AUTH_INTERNAL_BAD_UUID, "column");\r
+ throw StandardException.newException( forGrant ? SQLState.AUTH_NO_COLUMN_PERMISSION_FOR_GRANT\r
+ : SQLState.AUTH_NO_COLUMN_PERMISSION,\r
+ authorizationId,\r
+ getPrivName(),\r
+ cd.getColumnName(),\r
+ td.getSchemaName(),\r
+ td.getName());\r
+ }\r
+ } // end of check\r
+\r
+ /**\r
+ * Add one user's set of permitted columns to a list of permitted columns.\r
+ */\r
+ private FormatableBitSet addPermittedColumns( DataDictionary dd,\r
+ boolean forGrant,\r
+ String authorizationId,\r
+ FormatableBitSet permittedColumns)\r
+ throws StandardException\r
+ {\r
+ if( permittedColumns != null && permittedColumns.getNumBitsSet() == permittedColumns.size())\r
+ return permittedColumns;\r
+ ColPermsDescriptor perms = dd.getColumnPermissions( tableUUID, privType, false, authorizationId);\r
+ if( perms != null)\r
+ {\r
+ if( permittedColumns == null)\r
+ return perms.getColumns();\r
+ permittedColumns.or( perms.getColumns());\r
+ }\r
+ return permittedColumns;\r
+ } // end of addPermittedColumns\r
+\r
+ /**\r
+ * @see StatementPermission#getPermissionDescriptor\r
+ */\r
+ public PermissionsDescriptor getPermissionDescriptor(String authid, DataDictionary dd)\r
+ throws StandardException\r
+ {\r
+ //If table permission found for authorizationid, then simply return that\r
+ if (oneAuthHasPermissionOnTable( dd, authid, false))\r
+ return dd.getTablePermissions(tableUUID, authid);\r
+ //If table permission found for PUBLIC, then simply return that\r
+ if (oneAuthHasPermissionOnTable( dd, Authorizer.PUBLIC_AUTHORIZATION_ID, false))\r
+ return dd.getTablePermissions(tableUUID, Authorizer.PUBLIC_AUTHORIZATION_ID);\r
+ \r
+ //If table level permission not found, then we have to find permissions \r
+ //at column level. Look for column level permission for the passed \r
+ //authorizer. If found any of the required column level permissions,\r
+ //return the permission descriptor for it.\r
+ ColPermsDescriptor colsPermsDesc = dd.getColumnPermissions(tableUUID, privType, false, authid);\r
+ if( colsPermsDesc != null)\r
+ {\r
+ if( colsPermsDesc.getColumns() != null){\r
+ FormatableBitSet permittedColumns = colsPermsDesc.getColumns();\r
+ for( int i = columns.anySetBit(); i >= 0; i = columns.anySetBit( i))\r
+ {\r
+ if(permittedColumns.get(i))\r
+ return colsPermsDesc;\r
+ }\r
+ }\r
+ }\r
+ return null;\r
+ }\r
+ \r
+ /**\r
+ * This method gets called in execution phase after it is established that \r
+ * all the required privileges exist for the given sql. This method gets \r
+ * called by create view/trigger/constraint to record their dependency on \r
+ * various privileges.\r
+ * Special code is required to track column level privileges.\r
+ * It is possible that some column level privileges are available to the\r
+ * passed authorizer id but the rest required column level privileges\r
+ * are available at PUBLIC level. In this method, we check if all the\r
+ * required column level privileges are found for the passed authorizer.\r
+ * If yes, then simply return null, indicating that no dependency is \r
+ * required at PUBLIC level, because all the required privileges were found\r
+ * at the user level. But if some column level privileges are not\r
+ * available at user level, then they have to exist at the PUBLIC\r
+ * level when this method gets called. \r
+ */\r
+ public PermissionsDescriptor getPUBLIClevelColPermsDescriptor(String authid, DataDictionary dd)\r
+ throws StandardException\r
+ {\r
+ ColPermsDescriptor colsPermsDesc = dd.getColumnPermissions(tableUUID, privType, false, authid);\r
+ FormatableBitSet permittedColumns = colsPermsDesc.getColumns();\r
+ boolean allColumnsCoveredByUserLevelPrivilege = true;\r
+ for( int i = columns.anySetBit(); i >= 0 && allColumnsCoveredByUserLevelPrivilege; i = columns.anySetBit( i))\r
+ {\r
+ if(permittedColumns.get(i))\r
+ continue;\r
+ else\r
+ allColumnsCoveredByUserLevelPrivilege = false;\r
+ }\r
+ if (allColumnsCoveredByUserLevelPrivilege)\r
+ return null;\r
+ else\r
+ return (dd.getColumnPermissions(tableUUID, privType, false, Authorizer.PUBLIC_AUTHORIZATION_ID)); \r
+ }\r
+}\r