File Coverage

blib/lib/JsonSQL/Validator.pm

Criterion	Covered	Total	%
statement	100	103	97.0
branch	27	30	90.0
condition	8	11	72.7
subroutine	15	15	100.0
pod	4	4	100.0
total	154	163	94.4

line	stmt	bran	cond	sub	pod	time	code
1							# ABSTRACT: JSON schema validation module. Returns a JsonSQL::Validator object for validating a JSON string against a pre-defined schema.
2
3
4	3			3		240247	use strict;
	3					11
	3					89
5	3			3		17	use warnings;
	3					6
	3					90
6	3			3		61	use 5.014;
	3					12
7
8							package JsonSQL::Validator;
9
10							our $VERSION = '0.41'; # VERSION
11
12	3			3		1002	use JSON::Validator;
	3					462712
	3					134
13	3			3		827	use JSON::Parse qw( assert_valid_json parse_json );
	3					2413
	3					167
14	3			3		20	use List::Util qw( any );
	3					5
	3					141
15
16	3			3		775	use JsonSQL::Schemas::Schema;
	3					7
	3					73
17	3			3		14	use JsonSQL::Error;
	3					5
	3					2025
18							#use Data::Dumper;
19
20
21
22							sub new {
23	14			14	1	2601	my ( $class, $jsonSchema, $ruleSets ) = @_;
24
25	14					33	my $self = {};
26
27							# Load the specified JSON schema.
28	14					70	my $schema = JsonSQL::Schemas::Schema->load_schema($jsonSchema);
29	14	50				24	if ( eval { $schema->is_error } ) {
	14					206
30	0					0	return JsonSQL::Error->new("validate", "Error loading JSON schema object '$jsonSchema': $schema->{message}.");
31							} else {
32	14					465	my $validator = JSON::Validator->new;
33	14					121	$validator->schema($schema);
34	14					145577	$self->{jsonValidator} = $validator;
35							}
36
37	14	50	33			100	if (defined $ruleSets && 'ARRAY' eq ref ($ruleSets) ) {
38	14					33	$self->{ruleSets} = $ruleSets;
39							} else {
40	0					0	$self->{ruleSets} = [];
41							}
42
43	14					34	bless $self, $class;
44	14					52	return $self;
45							}
46
47
48							sub validate_schema {
49	16			16	1	2696	my ( $self, $json ) = @_;
50
51							# Parse and validate the JSON string.
52	16					27	eval {
53							# Check if string is valid JSON before continuing.
54	16					115	assert_valid_json($json);
55							};
56
57	16	100				64	if ( $@ ) {
58	1					10	return JsonSQL::Error->new("validate", "Input is invalid JSON at: $@");
59							} else {
60	15					150	my $perldata = parse_json($json);
61	15					68	my @errors = $self->{jsonValidator}->validate($perldata);
62
63	15	100				20673	if ( @errors ) {
64	2					5	my $err = "JSON failed schema validation at: \n";
65	2					6	for my $error ( @errors ) {
66	2					9	$err .= "\t $error->{message} at $error->{path} \n";
67							}
68	2					12	return JsonSQL::Error->new("validate", $err);
69							} else {
70	13					38	return $perldata;
71							}
72							}
73							}
74
75
76
77							sub _getRuleSets {
78	24			24		49	my ( $self, $schemaString ) = @_;
79
80	24		100			67	my $schema = $schemaString \|\| '';
81	24					38	my @matchingRuleSets;
82
83	24					32	for my $ruleSet ( @{ $self->{ruleSets} } ) {
	24					59
84	24	100	100			92	if ( $ruleSet->{schema} eq $schema \|\| $ruleSet->{schema} eq '#anySchema' ) {
85	21					50	push(@matchingRuleSets, $ruleSet);
86							}
87							}
88
89	24					54	return \@matchingRuleSets;
90							}
91
92
93							sub _getTableRules {
94	21			21		40	my ( $tableString, $ruleSet ) = @_;
95
96	21					30	my @matchingTableRules;
97	21					28	for my $tableRule ( keys %{ $ruleSet } ) {
	21					51
98	50	100	66			156	if ( $tableRule eq '#anyTable' ) {
		100
99	13					27	push(@matchingTableRules, $tableRule);
100							} elsif ( defined $tableString && $tableRule eq $tableString ) {
101	6					15	push(@matchingTableRules, $ruleSet->{$tableRule});
102							}
103							}
104
105	21					44	return \@matchingTableRules;
106							}
107
108
109							sub check_table_allowed {
110	24			24	1	1682	my ( $self, $tableObj ) = @_;
111
112	24					38	my @table_rules;
113							my @table_violations;
114	24					57	my $ruleSets = $self->_getRuleSets($tableObj->{schema});
115
116	24	100				35	if ( @{ $ruleSets } ) {
	24					51
117	21					26	for my $ruleSet ( @{ $ruleSets } ) {
	21					38
118							# For a given rule set, the default is to be restrictive.
119	21					28	my $table_allowed = 0;
120	21					47	my $tableRules = _getTableRules($tableObj->{table}, $ruleSet);
121
122	21					33	for my $tableRule ( @{ $tableRules } ) {
	21					42
123							# If there is a rule defined for the table, the table is marked as "allowed"...
124	19					27	$table_allowed = 1;
125
126							# Check to be sure the table rule is an array of allowed columns.
127							# The table rule '#anyTable' is a special case that turns off restrictions for all tables in the schema.
128	19	100				68	unless ( $tableRule eq '#anyTable' ) {
129	6	50				17	if ( 'ARRAY' eq ref ($tableRule) ) {
130	6					15	push(@table_rules, $tableRule);
131							} else {
132	0					0	push(@table_violations, "Bad syntax in rule set $ruleSet->{schema}. Table rules must be arrays of allowed columns.");
133							}
134							}
135							}
136
137	21	100				55	unless ( $table_allowed ) {
138	2					8	push(@table_violations, "Table $tableObj->{table} is not allowed by rule set $ruleSet->{schema}");
139							}
140							}
141							} else {
142							# If no rule sets are defined, the default is to be restrictive.
143	3					6	push(@table_violations, "No access rules have been defined. Default is to be restrictive.");
144							}
145
146							# If any violation is found, the access control test fails.
147							# If cases where there are multiple rule sets for a schema, this ensures that the most restrictive set is used.
148	24	100				54	if ( @table_violations ) {
149	5					7	my $err = "Table failed access control test.\n\t";
150	5					14	$err .= join("\n\t", @table_violations);
151	5					16	return JsonSQL::Error->new("access_control", $err);
152							} else {
153							# Otherwise, return the @table_rules so they can be used for additional checks.
154	19					54	return \@table_rules;
155							}
156							}
157
158
159							sub check_field_allowed {
160	31			31	1	536	my ( $self, $table_rules, $field ) = @_;
161
162	31					44	my @column_violations;
163	31					38	for my $tableRule ( @{ $table_rules } ) {
	31					55
164							# Check allowed column list for the table.
165	9	100		5		67	unless ( any { $_ eq $field \|\| $_ eq '#anyColumn' } @{ $tableRule } ) {
	5	100				42
	9					35
166	5					21	push(@column_violations, "Field $field is not allowed by the table rule set.");
167							}
168							}
169
170	31	100				69	if ( @column_violations ) {
171	5					7	my $err = "Field failed access control test.\n\t";
172	5					14	$err .= join("\n\t", @column_violations);
173	5					19	return JsonSQL::Error->new("access_control", $err);
174							} else {
175	26					66	return 1;
176							}
177							}
178
179
180							1;
181
182							__END__
183
184							=pod
185
186							=encoding UTF-8
187
188							=head1 NAME
189
190							JsonSQL::Validator - JSON schema validation module. Returns a JsonSQL::Validator object for validating a JSON string against a pre-defined schema.
191
192							=head1 VERSION
193
194							version 0.41
195
196							=head1 SYNOPSIS
197
198							This is a supporting module used by JsonSQL::Query modules.
199
200							To use this:
201
202							my $validator = JsonSQL::Validator->new(<json_schema_name>, <whitelisting_rule_set>);
203							my $perldata = $validator->validate_schema(<json_string>);
204							if ( eval { $perldata->is_error } ) {
205							return "$perldata->{message}";
206							} else {
207							...
208							}
209
210							To use the whitelisting module:
211
212							my $table_rules = $validator->check_table_allowed({ schema => <schemaname>, table => <tablename> });
213							if ( eval { $table_rules->is_error } ) {
214							return "Use of table failed access check: $table_rules->{message}";
215							} else {
216							my $allowedField = $validator->check_field_allowed($table_rules, <fieldname>);
217							if ( eval { $allowedField->is_error } ) {
218							return "Use of field in table failed access check: $allowedField->{message}";
219							} else {
220							...
221							}
222							}
223
224							For more information on the whitelisting module, and how to construct rule sets, see documentation below.
225
226							=head1 METHODS
227
228							=head2 Constructor new($jsonSchema, $ruleSets) -> JsonSQL::Validator
229
230							Loads the specified $jsonSchema and creates a JSON::Validator instance with it. A reference to the validator and to the provided
231							whitelisting rule sets is saved in the object before it is returned. If an error occurs during schema loading, a JsonSQL::Error object
232							is returned.
233
234							$jsonSchema => The JSON schema to load. Must be present in JsonSQL::Schemas as a subclass of JsonSQL::Schemas::Schema.
235							$ruleSets => An array of whitelisting rules to be applied when a JsonSQL query object is being constructed (see below).
236
237							=head2 ObjectMethod validate_schema($json) -> \%hash
238
239							Parses the provided JSON string into a Perl data structure, and then uses the stored JSON::Validator to validate it
240							against the specified schema (a JsonSQL::Schemas::<schema>). If the process fails at any step, it will return a JsonSQL::Error object
241							with an appropriate error message. If successful, a Perl data structure (depends on the schema, but usually a hashref)
242							representing the SQL query is returned.
243
244							$json => The JSON string to validate. Must be valid JSON.
245
246							=head2 PrivateMethod _getRuleSets($schemaString) -> \@array
247
248							Searches the @ruleSets array for the specified $schemaString and returns all matching rule sets.
249
250							$schemaString => Name of schema to match for identifying rulesets.
251
252							Matches a rule set if ( $schemaString eq $ruleSet->{schema} \|\| $ruleSet->{schema} eq '#anySchema' ).
253
254							=head2 PrivateMethod _getTableRules($tableString, $ruleSet) -> \@array
255
256							Looks at each table rule in the \@ruleSet array and returns it if it matches the specified $tableString.
257
258							$tableString => Name of table to match for identifying table rules.
259							$ruleSet => The @\ruleSet array to search for table matches.
260
261							Matches table rules of the form ( $ruleSet->{$tableString} \|\| $ruleSet->{'#anyTable'} ).
262
263							=head2 ObjectMethod check_table_allowed($tableObj) -> \@array
264
265							Determines whether access to a table is allowed by the current stored rule set. If yes, a set of table rules applicable to the table is
266							returned to use for column verification. If no, a JsonSQL::Error object is returned.
267
268							$tableObj => Name of table to match for identifying table rules.
269							Takes the form { schema => <schemaname>, table => <tablename> }
270
271							=head2 ObjectMethod check_field_allowed($table_rules, $field) -> 1 \|\| JsonSQL::Error
272
273							Determines whether access to a column is allowed by the supplied table rules. If yes, a true value is returned. If no,
274							a JsonSQL::Error object is returned.
275
276							$table_rules => Array of table rules as returned by check_table_allowed.
277							$field => The name of the field to check.
278
279							=head1 Whitelisting Module
280
281							To provide some basic whitelisting support for table and column identifiers, a set of whitelisting rules is saved in the
282							JsonSQL::Validator object when it is being created. The rules take the form of an \@arrayref as follows:
283
284							[
285							{
286							schema => 'schemaName' \|\| '#anySchema',
287							<'#anyTable' \|\| allowedTableName1 => [ '#anyColumn' \|\| allowedFieldName1, allowedFieldName2, ... ]>,
288							<... additional table rules ...>
289							},
290							< ... additional rule sets ... >
291							]
292
293							Rule sets are generally grouped by schema. If you are not using schemas (or you are using a DB that doesn't support them), you will have
294							to provide a rule set with the schema property set to '#anySchema'. Whitelisting security is enabled and restrictive by default, so
295							at least one rule set will have to be defined in order to create JsonSQL query objects. If you want to disable whitelisting security
296							(not recommended), use this rule set,
297
298							[ { schema = '#anySchema', '#anyTable' } ]
299
300							The above allows access to all tables in any schema. Column restrictions are not meaningful without table restrictions, so table rules
301							have to be defined if you want column restrictions. You can have more than one rule set per schema, but in this case the most
302							restrictive rule set will be the one that takes precedent. This behavior can be used as an effective way to disable access to specific
303							schemas. For example,
304
305							[
306							{ schema => '#anySchema', '#anyTable' },
307							{ schema => 'forbiddenSchema' }
308							]
309
310							will first allow access to all tables in any schema, and then restrict access to any table in 'forbiddenSchema'. Table verification and
311							column verification take place in separate steps. During table verification, rule sets are selected based on the schema property. The
312							remaining keys in each rule set %hash correspond to tables that the query object is allowed access to.
313
314							If there is a key in the rule set with the special name '#anyTable', access to any table in that rule set (schema) will be allowed.
315							For other keys (table names), the value needs to be set to an array of column names. During column verification, this list will be
316							used to determine whether the query object has access to particular columns in the table.
317
318							As with schemas, access to a table can be governed by more than one 'table rule'. In this case, the most restrictive rule is the one
319							that takes precedent. For example,
320
321							[
322							{ schema => 'allowedSchema', '#anyTable', 'allowedTable' => [ 'allowedColumnA', 'allowedColumnB' ] }
323							]
324
325							will allow access to all columns of all tables in the schema 'allowedSchema', but for the table 'allowedTable', only access to
326							columns 'allowedColumnA' and 'allowedColumnB' is allowed. Similarly,
327
328							[
329							{ schema => 'allowedSchema', '#anyTable', 'forbiddenTable' => [] }
330							]
331
332							will allow access to all columns of all tables in the schema 'allowedSchema', but block access to the table 'forbiddenTable'.
333							(Technically, it is only blocking access to the columns in that table, but this is effectively the same thing for most SQL operations).
334
335							If the column list contains the special string '#anyColumn' access to all columns in the table will be allowed. So,
336
337							[
338							{ schema => 'allowedSchema', 'allowedTable1' => [ '#anyColumn' ], 'allowedTable2' => [ 'allowedColumn1' ] }
339							]
340
341							will allow access to any column in 'allowedTable1' and only column 'allowedColumn1' of 'allowedTable2'. Access to all other tables
342							in 'allowedSchema' will be blocked.
343
344							This module is designed to err on the side of caution, and in so doing will always take the more restrictive course of action in the
345							case of ambiguity. As such, many SQL queries will probably fail validation if you don't use fully-qualified table and column identifiers,
346							which is generally recommended as good practice when writing SQL queries anyway. However, if you are writing simple queries and find this
347							to be annoying, you can turn off whitelisting and rely only on database-level security.
348
349							It is important to note that while this module aims to reduce the attack surface, it is NOT a replacement for database-level security. But
350							when combined with good database-level security (ex: per-user schemas and Kerberos), it provides for reasonably safe SQL query generation
351							using data from untrusted sources (ex: web browsers).
352
353							=head1 AUTHOR
354
355							Chris Hoefler <bhoefler@draper.com>
356
357							=head1 COPYRIGHT AND LICENSE
358
359							This software is copyright (c) 2017 by Chris Hoefler.
360
361							This is free software; you can redistribute it and/or modify it under
362							the same terms as the Perl 5 programming language system itself.
363
364							=cut