Feature/validate role options (#101)

Be more rigorous about validating user flags. Only accept CREATE ROLE flags that doesn't have any params (i.e. not ADMIN or CONNECTION LIMIT). Check that both flag and NOflag are not used at the same time.

Feature/validate role options (#101)
7667847b · Oleksii Kliukin · GitHub · 969a06f5 · 7667847b · 7667847b
Commit 7667847b authored 7 years ago by Oleksii Kliukin Committed by GitHub 7 years ago
--- a/pkg/cluster/util.go
+++ b/pkg/cluster/util.go
@@ -21,25 +21,46 @@ func isValidUsername(username string) bool {
 	return userRegexp.MatchString(username)
 }
-func normalizeUserFlags(userFlags []string) (flags []string, err error) {
+func isValidFlag(flag string) bool {
+	for _, validFlag := range []string{constants.RoleFlagSuperuser, constants.RoleFlagLogin, constants.RoleFlagCreateDB,
+		constants.RoleFlagInherit, constants.RoleFlagReplication, constants.RoleFlagByPassRLS} {
+		if flag == validFlag || flag == "NO"+validFlag {
+			return true
+		}
+	}
+	return false
+}
+func invertFlag(flag string) string {
+	if flag[:2] == "NO" {
+		return flag[2:]
+	}
+	return "NO" + flag
+}
+func normalizeUserFlags(userFlags []string) ([]string, error) {
 	uniqueFlags := make(map[string]bool)
 	addLogin := true
 	for _, flag := range userFlags {
 		if !alphaNumericRegexp.MatchString(flag) {
-			err = fmt.Errorf("user flag '%v' is not alphanumeric", flag)
+			return nil, fmt.Errorf("user flag %q is not alphanumeric", flag)
-			return
 		}
 		flag = strings.ToUpper(flag)
 		if _, ok := uniqueFlags[flag]; !ok {
+			if !isValidFlag(flag) {
+				return nil, fmt.Errorf("user flag %q is not valid", flag)
+			}
+			invFlag := invertFlag(flag)
+			if uniqueFlags[invFlag] {
+				return nil, fmt.Errorf("conflicting user flags: %q and %q", flag, invFlag)
+			}
 			uniqueFlags[flag] = true
 		}
 	}
-	if uniqueFlags[constants.RoleFlagLogin] && uniqueFlags[constants.RoleFlagNoLogin] {
-		return nil, fmt.Errorf("conflicting or redundant flags: LOGIN and NOLOGIN")
-	}
-	flags = []string{}
+	flags := []string{}
 	for k := range uniqueFlags {
 		if k == constants.RoleFlagNoLogin || k == constants.RoleFlagLogin {
 			addLogin = false
@@ -55,7 +76,7 @@ func normalizeUserFlags(userFlags []string) (flags []string, err error) {
 		flags = append(flags, constants.RoleFlagLogin)
 	}
-	return
+	return flags, nil
 }
 func specPatch(spec interface{}) ([]byte, error) {

--- a/pkg/util/constants/roles.go
+++ b/pkg/util/constants/roles.go
@@ -12,4 +12,6 @@ const (
 	RoleFlagNoLogin        = "NOLOGIN"
 	RoleFlagCreateRole     = "CREATEROLE"
 	RoleFlagCreateDB       = "CREATEDB"
+	RoleFlagReplication    = "REPLICATION"
+	RoleFlagByPassRLS      = "BYPASSRLS"
 )