Crate postguard

Expand description

Test Postgres-compatible statements against a set of CORS-like rules.

§Why

Postgres has a rich ROLE system for managing privileges around data in a database. But those privileges are often too permissive by default, and are difficult to restrict with by statement or function name.

postguard provides a Guard statement analyzer for protecting databases from malicious or invalid queries. This Guard can be used in any Rust application that has access to statements (perhaps from untrusted sources) before they are run. Under the hood, postguard uses the libpg_query library to parse queries down to a syntax tree before checking the entire tree for disallowed nodes.

§Usage

use postguard::{AllowedFunctions, AllowedStatements, Command, Guard};

// If AllowedFunctions and AllowedStatements both are set to their 'All' variants
// then no parsing is done and all statements pass the guard
#[test]
fn it_does_nothing_by_default() {
    Guard::new(AllowedStatements::All, AllowedFunctions::All)
        .guard("create table test (id serial primary key)")
        .expect("all statements are permitted by default");
}

// Statements are checked against the list of allowed statements when a 'List' variant
// is provided. Statement-checking is done recursively, so nested disallowed statements
// are also caught by the guard
#[test]
fn it_restricts_statements() {
    let statement_guard = Guard::new(AllowedStatements::List(vec![Command::Select]));

    statement_guard
        .guard("create table test (id serial primary key)")
        .expect_err("privileged statements are restricted");

    statement_guard
        .guard("select * from items")
        .expect("select statements are permitted");

    statement_guard
        .guard("insert into items default values")
        .expect_err("commands in top-level queries are restricted");

    statement_guard
        .guard("
            with cte as (
                insert into items default values
                returning id
            )
            select * from cte
        ")
        .expect_err("disallowed commands in nested queries or expressions are restricted");
}

// Functions are also guarded by name. To disallow all functions, leave the 'List' empty.
#[test]
fn it_restricts_functions() {
    let statement_guard = Guard::new(
        AllowedStatements::List(vec![Command::Select]),
        AllowedFunctions::List(vec!["uuid_generate_v4".to_string()])
    );

    statement_guard
        .guard("select pg_sleep(1)")
        .expect_err("built-in functions and stored procs are restricted");

    statement_guard
        .guard("select uuid_generate_v4() as id")
        .expect("allowed functions are permitted");
}

Structs§

Guard: CORS-like statement analyzer for guarding queryable methods

Enums§

AllowedFunctions: Configurations for Allowed Functions (by name)
AllowedStatements: Configurations for Allowed Statements
Command: Possible Commands to filter statements by. These commands are intentionally restricted to basic CRUD operations only.
Error: Errors related to statement rejection or parsing failures

Crate postguardCopy item path

§Why

§Usage

Structs§

Enums§

Crate postguard