feat(#3): Add security enforcement for MySQL

nixys · May 22, 2024 · 0fcae67 · 0fcae67
1 parent f89170e
commit 0fcae67
Show file tree

Hide file tree

Showing 5 changed files with 228 additions and 168 deletions.
diff --git a/ctx/context.go b/ctx/context.go
@@ -51,18 +51,8 @@ type progressCtx struct {
 }
 
 type SecurityCtx struct {
-	Policy     securityPolicyCtx
-	Exceptions securityExceptionsCtx
-}
-
-type securityPolicyCtx struct {
-	Tables  misc.SecurityPolicyTablesType
-	Columns misc.SecurityPolicyColumnsType
-}
-
-type securityExceptionsCtx struct {
-	Tables  map[string]any
-	Columns map[string]any
+	TablePolicy     misc.SecurityPolicyTablesType
+	TableExceptions map[string]any
 }
 
 // Init initiates application custom context
@@ -143,6 +133,10 @@ func AppCtxInit() (any, error) {
 
 	c.Rules.Tables = make(map[string]relfilter.TableRules)
 
+	if misc.SecurityPolicyColumnsTypeFromString(conf.Security.Policy.Columns) == misc.SecurityPolicyColumnsRandomize {
+		c.Rules.RandomizeTypes = relfilter.RandomizeTypesDefault
+	}
+
 	for t, f := range conf.Filters {
 
 		c.Rules.Tables[t] = relfilter.TableRules{
@@ -160,6 +154,28 @@ func AppCtxInit() (any, error) {
 		}
 	}
 
+	c.Rules.Defaults = relfilter.TableRules{
+		Columns: func() map[string]relfilter.ColumnRule {
+			cc := make(map[string]relfilter.ColumnRule)
+			for c, cf := range conf.Security.Defaults.Columns {
+				cc[c] = relfilter.ColumnRule{
+					Type:   misc.ValueTypeFromString(cf.Type),
+					Value:  cf.Value,
+					Unique: cf.Unique,
+				}
+			}
+			return cc
+		}(),
+	}
+
+	c.Rules.ExceptionColumns = func() map[string]any {
+		v := make(map[string]any)
+		for _, e := range conf.Security.Exceptions.Columns {
+			v[e] = nil
+		}
+		return v
+	}()
+
 	// Progress settings
 	c.Progress.Humanize = conf.Progress.Humanize
 
@@ -172,26 +188,14 @@ func AppCtxInit() (any, error) {
 	}
 
 	c.Security = SecurityCtx{
-		Policy: securityPolicyCtx{
-			Tables:  misc.SecurityPolicyTablesTypeFromString(conf.Security.Policy.Tables),
-			Columns: misc.SecurityPolicyColumnsTypeFromString(conf.Security.Policy.Columns),
-		},
-		Exceptions: securityExceptionsCtx{
-			Tables: func() map[string]any {
-				v := make(map[string]any)
-				for _, e := range conf.Security.Exceptions.Tables {
-					v[e] = nil
-				}
-				return v
-			}(),
-			Columns: func() map[string]any {
-				v := make(map[string]any)
-				for _, e := range conf.Security.Exceptions.Columns {
-					v[e] = nil
-				}
-				return v
-			}(),
-		},
+		TablePolicy: misc.SecurityPolicyTablesTypeFromString(conf.Security.Policy.Tables),
+		TableExceptions: func() map[string]any {
+			v := make(map[string]any)
+			for _, e := range conf.Security.Exceptions.Tables {
+				v[e] = nil
+			}
+			return v
+		}(),
 	}
 
 	return c, nil

diff --git a/modules/anonymizers/mysql/dh.go b/modules/anonymizers/mysql/dh.go
@@ -243,17 +243,17 @@ func rowDataGen(filter *relfilter.Filter) []byte {
 func securityPolicyCheck(uctx *userCtx, tname string) bool {
 
 	// Continue if security policy is `skip`
-	if uctx.security.policy.tables != misc.SecurityPolicyTablesSkip {
+	if uctx.security.tablePolicy != misc.SecurityPolicyTablesSkip {
 		return true
 	}
 
 	// Check rules for specified table name
-	if _, b := uctx.filter.TableNameLookup(tname); b == true {
+	if tr := uctx.filter.TableRulesLookup(tname); tr != nil {
 		return true
 	}
 
 	// Check specified table name in exceptions
-	if _, b := uctx.security.exceptions.tables[tname]; b == true {
+	if _, b := uctx.security.tableExceptions[tname]; b == true {
 		return true
 	}
 

diff --git a/modules/anonymizers/mysql/mysql.go b/modules/anonymizers/mysql/mysql.go
@@ -17,18 +17,8 @@ type InitSettings struct {
 }
 
 type SecuritySettings struct {
-	Policy     SecurityPolicySettings
-	Exceptions SecurityExceptionsSettings
-}
-
-type SecurityPolicySettings struct {
-	Tables  misc.SecurityPolicyTablesType
-	Columns misc.SecurityPolicyColumnsType
-}
-
-type SecurityExceptionsSettings struct {
-	Tables  map[string]any
-	Columns map[string]any
+	TablePolicy     misc.SecurityPolicyTablesType
+	TableExceptions map[string]any
 }
 
 type userCtx struct {
@@ -48,18 +38,8 @@ type securityCtx struct {
 	tmpBuf []byte
 	isSkip bool
 
-	policy     securityPolicyCtx
-	exceptions securityExceptionsCtx
-}
-
-type securityPolicyCtx struct {
-	tables  misc.SecurityPolicyTablesType
-	columns misc.SecurityPolicyColumnsType
-}
-
-type securityExceptionsCtx struct {
-	tables  map[string]any
-	columns map[string]any
+	tablePolicy     misc.SecurityPolicyTablesType
+	tableExceptions map[string]any
 }
 
 var typeKeys = map[string]relfilter.ColumnType{
@@ -112,14 +92,8 @@ func userCtxInit(s InitSettings) *userCtx {
 	return &userCtx{
 		filter: relfilter.Init(s.Rules),
 		security: securityCtx{
-			policy: securityPolicyCtx{
-				tables:  s.Security.Policy.Tables,
-				columns: s.Security.Policy.Columns,
-			},
-			exceptions: securityExceptionsCtx{
-				tables:  s.Security.Exceptions.Tables,
-				columns: s.Security.Exceptions.Columns,
-			},
+			tablePolicy:     s.Security.TablePolicy,
+			tableExceptions: s.Security.TableExceptions,
 		},
 	}
 }