Role and Permission provisioning for user #20
Conversation
MarcusGoldschmidt
changed the title
btipling
force-pushed
the
goldschmidt/provisioning
branch
from
40627a0 to
68b456a
Compare
| return nil, nil, fmt.Errorf("unexpected database id: %s", splitId[1]) | ||
| } | ||
|
|
||
| permission := splitId[2] |
There was a problem hiding this comment.
nit: maybe we want a helper function for extracting parts of an id
| } | ||
|
|
||
| dbName := splitId[1] | ||
| roleId := splitId[2] |
There was a problem hiding this comment.
nit: maybe helper function?
| return fmt.Errorf("invalid characters in dbName or user") | ||
| } | ||
|
|
||
| command := fmt.Sprintf( |
There was a problem hiding this comment.
nit: is this sprintf safe? should we escape? from the perspective of just this function, with encapsulation in mind where do not assume we know who called this function and with what arguments, we're concatenating unknown unescaped strings into a query against someone's prod database and we don't have any idea of what these strings are
There was a problem hiding this comment.
SQL Server’s limitation, no driver alows us to bind table names, permissions or db.
Like normal command SELECT * FROM user WHERE Id = @p1 we can't use this for grant
Ex: "GRANT @p1 ON DATABASE::[@p2] TO [@p3];"
| return fmt.Errorf("invalid characters in dbName or user") | ||
| } | ||
|
|
||
| command := fmt.Sprintf( |
| l := ctxzap.Extract(ctx) | ||
| l.Debug("getting database role", zap.String("id", id), zap.String("dbName", dbName)) | ||
|
|
||
| if strings.ContainsAny(dbName, "[]\"';") { |
Increase bato-sdl
Add database user provisioning
Provisioning for role and permission
if the user does not exist in the database, create with the current server principal