You can download the full code from gethub.com CBAC Simple
This example depends on the HR Demo schema being loaded. We will be building on this example over the next several months to present a full blown application that includes many of the secure coding features I have been talking about.
We need to do better. I keep walking into customers, where I keep hearing: “It’s harder to do.” “We have deadlines to make.” “We will address that sql injection flaw after we go production; because we are behind schedule.” Now guys, I get it! I have been down in the trenches for about thirty years coding, designing, and administering some sensitive information systems. (They are all sensitive in my view.) We really need to get on top of this, now.
First lets go back and see where we started this discussion. In part 1 and part 2, I introduced you to the better Architecture of using multiple schemas then we discussed definers rights and invokers rights.
Secure Coding Part 1
Secure Coding Part 2
Lets start: the first part of the code we are going to be doing some clean up. This way we can run the code again and again without getting error messages.
1 -- clean up before we start.
3 procedure Drop_User(pUser in varchar2) is
4 User_Doesnt_Exist exception;
5 pragma Exception_Init(User_Doesnt_Exist, -01918);
7 execute immediate 'drop user '||pUser||' cascade';
8 exception when User_Doesnt_Exist then null;
9 end Drop_User;
17 Role_Doesnt_Exist exception;
18 pragma exception_init(Role_Doesnt_Exist, -01919);
20 execute immediate 'drop role hr_emp_select_role';
21 execute immediate 'drop role hr_backup_role';
22 execute immediate 'drop role api_admin_role';
23 exception when Role_Doesnt_Exist then null;
25 -- done cleaning up.
Now lets get the two schemas we will be using in this example.
Line 3: we are creating a HR_API schema that will hold all the code to access data objects in the HR schema.
Line 5: we are creating the USR1 user that will make calls to code in the HR_API schema. (In a future post, I’ll be adding in HR_CODE schema that will hold the business logic. But for now, we are keeping it simple to demo CBAC.
1 -- this is going to be my api schema that will
2 -- have access to the hr objects.
3 create user hr_api identified by x;
4 -- this will be my executing user.
5 create user usr1 identified by x;
Now lets get to the roles we are going to need.
Line 3 we are creating the role HR_EMP_SELECT_ROLE. This role will have select on hr.employees. We will be granting this role to the api package that accesses the hr.employees table.
Line 6 we are creating the HR_BACKUP_ROLE. This role will be granted create any table, and then the role will be granted to the api package that does the backup. I really don’t like granting create any table, but for this purpose it is required to create a table in a different schema.
Line 8 is the API_ADMIN_ROLE. This role will have the create procedure privilege and will be assigned to the HR_API schema.
1 -- the hr_emp_select_role will have select in hr.ermployees.
2 create role hr_emp_select_role;
3 -- the hr_backup_role has create any table privilege. I really don't
4 -- like that, but that is what the role needs to create a table in
5 -- a diffrent schema.
6 create role hr_backup_role;
7 -- the api_admin_role has create procedure privilege.
8 create role api_admin_role;
.Now lets get into the grants we will need.
Lines 4 – 6 we are granting create session to usr1. At this time, this is the only privilege this user will need. Once we have the API package compiled, we will grant execute on that package to usr1
Lines 10 – 12 we are granting create procedure to the API_ADMIN_ROLE. This will be needed for HR_API to create a package in it’s schema.
Lines 16 – 18 we are granting select on hr.employees to the HR_EMP_SELECT_ROLE. This role will be granted to the HR_API schema with delegate option. I’ll discuss more about that later.
Lines 20 – 21 we are granting select on hr.employees to the HR_API schema. I really don’t like this, but it’s needed in order to compile the package.
Lines 26 – 28 we are granting create session to the HR_API schema. This will be needed to so HR_API can connect and create the required objects with only the permissions needed.
Line 32 we are granting create any table to the HR_BACKUP_ROLE. I really don’t like granting create any. This role will be granted to the API package that does some dynamic sql. I really need to think about tightening this down a bit. But for this iteration, we are going to use this to create a backup table in the hr schema.
Lines 36 – 39 here we are granting the HR_EMP_SELECT_ROLE and HR_BACKUP_ROLE to the HR_API schema with delegate option. This is important, you need to use either the DELEGATE OPTION or the ADMIN OPTION in order to be able to grant the roles to the HR_API packages.
Lines 41 – 43 and finally on our grants, we are granting the API_ADMIN_ROLE to the HR_API schema so HR_API can create the required packages.
1 -- the user usr1 will only need create session. after we've created
2 -- the package in the hr_api schema, we will grant execute on the
3 -- package to usr1.
5 create session
6 to usr1;
8 -- the api_admin_role will need the create procedure privilege.
9 -- this will be granted to hr_api.
11 create procedure
12 to api_admin_role;
14 -- this will give the hr_emp_select role the privilege
15 -- it needs to execute.
17 select on hr.employees
18 to hr_emp_select_role;
20 -- this will be needed to compile the code in the api schema.
23 on hr.employees to hr_api;
25 -- we are going to revoke create session after we are done.
27 create session
28 to hr_api;
30 -- the hr_bacup_role is used to demenstrate
31 -- using dynamic sql.
32 grant create any table to hr_backup_role;
34 -- hr_api needs the roles with delegate option (or admin option)
35 -- to be able to grant the role to a package.
39 to hr_api with delegate option;
43 to hr_api;
The final step to setup our users and roles is to alter the user HR_API so there are no default roles. This is going to be done, because in the next installment we will be looking at creating password protected roles.
1 -- during normal operating, the hr_api schema does not
2 -- need any privileges.
3 alter user hr_api
4 default role none;
Now lets get into building our HR_API schema. It starts simple enough,
Line 1 connect to hr_api
Line 4 We set the roles we will need to create the api package, and the roles that will be granted to the api package.
1 -- connect as hr_api
2 conn hr_api/x@orcl
4 SET role hr_emp_select_role, api_admin_role, hr_backup_role;
Lines 1 – 8 we are creating a simple package that does two things. One get the phone number of a person based on first and last name. The second package is used to make a backup of the hr.employees table.
Line 12 Now that we have the package specification, we can grant the role HR_EMP_SELECT_ROLE and HR_BACKUP_ROLE to the hr_api.pgk_emp_select package.
1 create or replace package hr_api.pkg_emp_select
2 authid current_user AS
3 PROCEDURE pGetPhone(pFname IN VARCHAR2,
4 pLname IN VARCHAR2,
5 pPhone OUT VARCHAR2);
6 PROCEDURE pBackupEmp;
10 -- we are going to grant the hr_emp_select_role
11 -- to pkg_emp_select
12 GRANT hr_emp_select_role, hr_backup_role to package pkg_emp_select;
Lines 3 – 24 don’t do anything very interesting, this procedure will get a phone number based on first and last name. My exception handler is really quite simple and does not do much. We’ll address that in a later post, because as you know, returning errors to the user is not the best practice from a infosec point of view.
Lines 30 – 39 is using dynamic sql to create a backup of the hr.employees table. We granted HR_BACKUP_ROLE to the package, this way, the package can create a table in the hr schema. I’m going to have to rethink this example, I don’t like it all that much because granting CREATE ANY TABLE is not really a good practice.
1 CREATE OR REPLACE PACKAGE BODY hr_api.pkg_emp_select AS
3 PROCEDURE pGetPhone(pFname IN VARCHAR2,
4 pLname IN VARCHAR2,
5 pPhone OUT VARCHAR2) IS
6 x INTEGER;
9 SELECT phone_number
10 INTO pPhone
11 FROM hr.employees
12 WHERE first_name = pFname
13 AND last_name = pLname;
14 EXCEPTION WHEN no_data_found then
15 pPhone := 'xxx';
16 WHEN too_many_rows THEN
17 pPhone := 'yyy';
18 WHEN others THEN
19 -- we can add in the help desk error handler later, again this
20 -- is just to demo granting roles to packages.
21 sys.dbms_output.put_line('pGetPhone raised an exception ' || sqlerrm);
24 END pGetPhone;
26 -- this is a very simple procedure, create a backup table using execute
27 -- immediate. (dynamic sql) the only way this procedure is going to work
28 -- is if the package has create any table privilege to be able to
29 -- create a table in another schema.
30 PROCEDURE pBackupEmp IS
31 -- This is the date string 20170805
32 dt VARCHAR2(8);
34 dt := to_char(sysdate,'rrrrmmdd');
35 execute immediate 'create table hr.employees' ||dt|| ' as select * from hr.employees';
36 sys.dbms_output.put_line('create table success');
37 exception when others then
38 sys.dbms_output.put_line('create table error ' || sqlerrm);
39 END pBackupEmp;
40 end pkg_emp_select;
Now that we have all that, lets’ test it.
1 conn usr1/x@orcl
2 set serveroutput on
4 -- to hold the phone number, because we can't reference
5 -- hr.employees we can not use phone_number%type.
6 lPhone VARCHAR2(20);
8 sys.dbms_output.put_line('testing cbac select on emp');
9 hr_api.pkg_emp_select.pGetPhone(pFname => 'Jose Manuel',
10 pLname => 'Urman',
11 pPhone => lPhone);
16 -- if you run this twice on the same day you are going to get
17 -- a ORA-00955 error. this is because the package creates
18 -- a backup of the hr.employees table by appending the date
19 -- to the table name. So, if you are going to run it twice
20 -- you need to drop or rename the backup table.
22 sys.dbms_output.put_line('testing dynamic sql');
25 exception when others then
26 sys.dbms_output.put_line('daaaa ' || sqlerrm);