schema/spacewalk/oracle/triggers/rhnPackageEvr.sql | 32 ++++++++++ schema/spacewalk/postgres/procs/no_operation_trig_fun.sql | 10 +++ schema/spacewalk/postgres/triggers/rhnPackageEvr.sql | 7 ++ schema/spacewalk/schema-source-sanity-check.pl | 1 schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/031-no_operation_trig_fun.sql.postgresql | 10 +++ schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/032-rhnPackageEvr-trigger.sql.oracle | 32 ++++++++++ schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/032-rhnPackageEvr-trigger.sql.postgresql | 7 ++ 7 files changed, 99 insertions(+)
New commits: commit 3acf583a6e74c24ebc0e3a7da63476508e5393b9 Author: Jan Pazdziora jpazdziora@redhat.com Date: Fri Apr 20 13:17:33 2012 +0200
Schema hardening: catch code which would update or delete rhnPackageEvr.
diff --git a/schema/spacewalk/oracle/triggers/rhnPackageEvr.sql b/schema/spacewalk/oracle/triggers/rhnPackageEvr.sql
new file mode 100644
index 0000000..bc59d37
--- /dev/null
+++ b/schema/spacewalk/oracle/triggers/rhnPackageEvr.sql
@@ -0,0 +1,32 @@
+--
+-- Copyright (c) 2012 Red Hat, Inc.
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+-- Red Hat trademarks are not licensed under GPLv2. No permission is
+-- granted to use or replicate Red Hat trademarks that are incorporated
+-- in this software or its documentation.
+--
+
+create or replace trigger
+rhn_pack_evr_no_updel_trig
+before update or delete on rhnPackageEvr
+declare
+ operation varchar(20);
+begin
+ if updating then
+ operation := 'UPDATE';
+ elsif deleting then
+ operation := 'DELETE';
+ else
+ raise_application_error(-20051, 'Unknown operation (no UPDATE and no DELETE)');
+ end if;
+ raise_application_error(-20050, 'Permission denied: ' || operation || ' is not allowed on RHNPACKAGEEVR');
+end;
+/
+show errors
diff --git a/schema/spacewalk/postgres/procs/no_operation_trig_fun.sql b/schema/spacewalk/postgres/procs/no_operation_trig_fun.sql
new file mode 100644
index 0000000..fc6453c
--- /dev/null
+++ b/schema/spacewalk/postgres/procs/no_operation_trig_fun.sql
@@ -0,0 +1,10 @@
+-- oracle equivalent source none
+
+create function no_operation_trig_fun()
+returns trigger as
+$$
+begin
+ raise exception 'Permission denied: % is not allowed on %', TG_OP, TG_RELNAME;
+end;
+$$ language plpgsql;
+
diff --git a/schema/spacewalk/postgres/triggers/rhnPackageEvr.sql b/schema/spacewalk/postgres/triggers/rhnPackageEvr.sql
new file mode 100644
index 0000000..fea41f1
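Review bot: The trigger is declared `before update or delete`, so `truncate table rhnPackageEvr` still empties the table without ever firing it, and any session with ALTER on the table can disable or drop the trigger; the "Permission denied" wording therefore overstates what this gives you. A header comment above `create or replace trigger` should make the scope explicit, e.g. `-- Bug catcher, not access control: rejects UPDATE/DELETE from application code. TRUNCATE and DISABLE TRIGGER are not covered.` The `else` branch raising -20051 cannot be reached with the declared events; it is harmless, but a comment such as `-- defensive only: unreachable with 'before update or delete'` would stop the next reader from hunting for the third event.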
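Review bot: `TG_RELNAME` in the `raise exception` line is the spelling the PostgreSQL documentation marks as deprecated; assuming the supported server is 8.3 or newer, the same value is available as `TG_TABLE_NAME`, so the line should read `raise exception 'Permission denied: % is not allowed on %', TG_OP, TG_TABLE_NAME;`. The function never reaches a `return`, which PL/pgSQL accepts because the exception always escapes, but that is non-obvious at a glance; a comment above `begin` such as `-- generic guard for tables whose rows must never be touched by the attached event; always raises, so no return is needed` documents the contract for anyone attaching it to a second table. Also worth stating in that comment that the trigger is statement-level unless the caller adds FOR EACH ROW, so it fires even when the statement matches no rows.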
--- /dev/null
+++ b/schema/spacewalk/postgres/triggers/rhnPackageEvr.sql
@@ -0,0 +1,7 @@
+-- oracle equivalent source sha1 f9833597e5035b2a9d3f8a1c399c736391f1a862
+
+create trigger
+rhn_pack_evr_no_updel_trig
+before insert or update on rhnPackageEvr
+execute procedure no_operation_trig_fun();
+
diff --git a/schema/spacewalk/schema-source-sanity-check.pl b/schema/spacewalk/schema-source-sanity-check.pl
index a52b2f3..b27cf46 100644
--- a/schema/spacewalk/schema-source-sanity-check.pl
+++ b/schema/spacewalk/schema-source-sanity-check.pl
@@ -131,6 +131,7 @@ sub check_file_content {
 |\s*\n
 |create(?:\s+or\s+replace)?\s+function\s+(\w+)(?s:.+?)\s+language\s+plpgsql;
 \s+create(\s+or\s+replace)?\s+trigger[^;]+\s+on\s+$name\b[^;]+execute\s+procedure\s+\1();
+ |create(\s+or\s+replace)?\s+trigger[^;]+\s+on\s+$name\b[^;]+execute\s+procedure\s+no_operation_trig_fun();
 |create(\s+or\s+replace)?\s+trigger[^;]+\s+on\s+$name\b(?s:.+?);\n/\n
 |show\s+errors;?\n
 )+$!ix) {
diff --git a/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/031-no_operation_trig_fun.sql.postgresql b/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/031-no_operation_trig_fun.sql.postgresql
new file mode 100644
index 0000000..fc6453c
--- /dev/null
+++ b/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/031-no_operation_trig_fun.sql.postgresql
@@ -0,0 +1,10 @@
+-- oracle equivalent source none
+
+create function no_operation_trig_fun()
+returns trigger as
+$$
+begin
+ raise exception 'Permission denied: % is not allowed on %', TG_OP, TG_RELNAME;
+end;
+$$ language plpgsql;
+
diff --git a/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/032-rhnPackageEvr-trigger.sql.oracle b/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/032-rhnPackageEvr-trigger.sql.oracle
new file mode 100644
index 0000000..bc59d37
--- /dev/null
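Review bot: `before insert or update on rhnPackageEvr` contradicts the commit message, the trigger name `rhn_pack_evr_no_updel_trig`, and the Oracle source this file claims to mirror, which is declared `before update or delete`. As written, the PostgreSQL schema rejects every INSERT into rhnPackageEvr, so new package versions cannot be recorded at all, while DELETE passes through unguarded; the line should read `before update or delete on rhnPackageEvr`. Note that the `-- oracle equivalent source sha1 …` header only ties this file to the Oracle text by hash, so schema-source-sanity-check.pl will accept this divergence; the equivalence claim is a bookkeeping link, not a semantic check, and reviewers should compare the event lists by eye. The identical text is duplicated in the 032 upgrade script and must be corrected there as well.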
+++ b/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/032-rhnPackageEvr-trigger.sql.oracle
@@ -0,0 +1,32 @@
+--
+-- Copyright (c) 2012 Red Hat, Inc.
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+-- Red Hat trademarks are not licensed under GPLv2. No permission is
+-- granted to use or replicate Red Hat trademarks that are incorporated
+-- in this software or its documentation.
+--
+
+create or replace trigger
+rhn_pack_evr_no_updel_trig
+before update or delete on rhnPackageEvr
+declare
+ operation varchar(20);
+begin
+ if updating then
+ operation := 'UPDATE';
+ elsif deleting then
+ operation := 'DELETE';
+ else
+ raise_application_error(-20051, 'Unknown operation (no UPDATE and no DELETE)');
+ end if;
+ raise_application_error(-20050, 'Permission denied: ' || operation || ' is not allowed on RHNPACKAGEEVR');
+end;
+/
+show errors
diff --git a/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/032-rhnPackageEvr-trigger.sql.postgresql b/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/032-rhnPackageEvr-trigger.sql.postgresql
new file mode 100644
index 0000000..fea41f1
--- /dev/null
+++ b/schema/spacewalk/upgrade/spacewalk-schema-1.7-to-spacewalk-schema-1.8/032-rhnPackageEvr-trigger.sql.postgresql
@@ -0,0 +1,7 @@
+-- oracle equivalent source sha1 f9833597e5035b2a9d3f8a1c399c736391f1a862
+
+create trigger
+rhn_pack_evr_no_updel_trig
+before insert or update on rhnPackageEvr
+execute procedure no_operation_trig_fun();
+
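Review bot: This upgrade script carries the same wrong event list as the main PostgreSQL trigger file, `before insert or update on rhnPackageEvr`, where the Oracle counterpart in the same 032 step and the commit message say update or delete. Because 1.7-to-1.8 runs against live installations, shipping it would make every later INSERT into rhnPackageEvr fail on PostgreSQL immediately after the upgrade while leaving DELETE unguarded; change the line to `before update or delete on rhnPackageEvr`. Since this file is byte-identical to schema/spacewalk/postgres/triggers/rhnPackageEvr.sql (same blob fea41f1), both copies need the same fix in one commit.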