admin / Syanpse-Vanguard
public
Syanpse-Vanguard / synapse-vanguard-v3 / sv / query / guard.py
1086 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | """Query-time RBAC guard. RBAC constrains not just which endpoint is reachable but what a query may do. The Auditor (READ_ONLY_VIEWER) is strictly read-only.""" from __future__ import annotations import re from sv.auth.rbac import Permission, Role, can from sv.auth.session import User _MUTATING = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|COPY)\b", re.IGNORECASE) def guard_search(user: User) -> None: if not can(user.role, Permission.LOG_READ): raise PermissionError(f"role {user.role.value} may not read logs") def assert_read_only_sql(user: User, sql: str) -> None: """Defense in depth for any path that would run raw SQL (e.g. NL->SQL). A non-write role submitting a mutating statement is rejected before execution.""" if _MUTATING.search(sql) and not can(user.role, Permission.RULE_WRITE): raise PermissionError("read-only role may not execute mutating SQL") if user.role is Role.READ_ONLY_VIEWER and _MUTATING.search(sql): raise PermissionError("auditor role is strictly read-only") |