Catalyst / admin/Syanpse-Vanguard 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Syanpse-Vanguard

public
Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Syanpse-Vanguard / synapse-vanguard-v3 / sv / query / guard.py 1086 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
"""Query-time RBAC guard. RBAC constrains not just which endpoint is reachable
but what a query may do. The Auditor (READ_ONLY_VIEWER) is strictly read-only."""
from __future__ import annotations

import re

from sv.auth.rbac import Permission, Role, can
from sv.auth.session import User

_MUTATING = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|COPY)\b",
                       re.IGNORECASE)


def guard_search(user: User) -> None:
    if not can(user.role, Permission.LOG_READ):
        raise PermissionError(f"role {user.role.value} may not read logs")


def assert_read_only_sql(user: User, sql: str) -> None:
    """Defense in depth for any path that would run raw SQL (e.g. NL->SQL). A
    non-write role submitting a mutating statement is rejected before execution."""
    if _MUTATING.search(sql) and not can(user.role, Permission.RULE_WRITE):
        raise PermissionError("read-only role may not execute mutating SQL")
    if user.role is Role.READ_ONLY_VIEWER and _MUTATING.search(sql):
        raise PermissionError("auditor role is strictly read-only")