MXS-1346: Add uses_function type rule

The uses_function type rule matches when any of the columns given as
values uses a function. With this, columns can be denied from being used
with a function.

server/modules/filter/dbfwfilter/dbfwfilter.c

@@ -113,6 +113,7 @@ typedef enum
     RT_UNDEFINED = 0x00, /*< Undefined rule */
     RT_COLUMN, /*<  Column name rule*/
     RT_FUNCTION, /*<  Function name rule*/
+    RT_USES_FUNCTION, /*<  Function usage rule*/
     RT_THROTTLE, /*< Query speed rule */
     RT_PERMISSION, /*< Simple denying rule */
     RT_WILDCARD, /*< Wildcard denial rule */
@@ -1191,6 +1192,7 @@ static void rule_free_all(RULE* rule)
         {
         case RT_COLUMN:
         case RT_FUNCTION:
+        case RT_USES_FUNCTION:
             strlink_free((STRLINK*) rule->data);
             break;
 
@@ -1418,6 +1420,29 @@ bool define_function_rule(void* scanner, char* columns)
     return list != NULL;
 }
 
+/**
+ * Define the current rule as a function usage rule
+ *
+ * @param scanner Current scanner
+ * @param columns List of column names
+ *
+ * @return True if rule creation was successful
+ */
+bool define_function_usage_rule(void* scanner, char* columns)
+{
+    struct parser_stack* rstack = dbfw_yyget_extra((yyscan_t) scanner);
+    ss_dassert(rstack);
+    STRLINK* list = NULL;
+
+    if ((list = strlink_push(rstack->rule->data, strip_backticks(columns))))
+    {
+        rstack->rule->type = RT_USES_FUNCTION;
+        rstack->rule->data = list;
+    }
+
+    return list != NULL;
+}
+
 /**
  * Define the topmost rule as a no_where_clause rule
  * @param scanner Current scanner
@@ -2116,6 +2141,33 @@ void match_function(RULE_BOOK *rulebook, GWBUF *queue, enum fw_actions mode,
     }
 }
 
+void match_function_usage(RULE *rule, GWBUF *queue, enum fw_actions mode,
+                          bool *matches, char **msg)
+{
+    const QC_FUNCTION_INFO* infos;
+    size_t n_infos;
+    qc_get_function_info(queue, &infos, &n_infos);
+
+    for (size_t i = 0; i < n_infos; ++i)
+    {
+        const char* tok = "TODO: Use the actual function values";
+
+        for (STRLINK* s = (STRLINK*)rule->data; s; s = s->next)
+        {
+            if (strcasecmp(tok, s->value) == 0)
+            {
+                char emsg[strlen(s->value) + 100];
+                sprintf(emsg, "Permission denied to column '%s' with function.", s->value);
+                MXS_NOTICE("rule '%s': query uses a function with forbidden column: %s",
+                           rule->name, s->value);
+                *msg = MXS_STRDUP_A(emsg);
+                *matches = true;
+                return;
+            }
+        }
+    }
+}
+
 void match_wildcard(RULE_BOOK *rulebook, GWBUF *queue, bool *matches, char **msg)
 {
     const QC_FIELD_INFO* infos;
@@ -2171,6 +2223,7 @@ bool rule_matches(FW_INSTANCE* my_instance,
             {
                 if ((rulebook->rule->type == RT_COLUMN) ||
                     (rulebook->rule->type == RT_FUNCTION) ||
+                    (rulebook->rule->type == RT_USES_FUNCTION) ||
                     (rulebook->rule->type == RT_WILDCARD) ||
                     (rulebook->rule->type == RT_CLAUSE))
                 {
@@ -2229,6 +2282,13 @@ bool rule_matches(FW_INSTANCE* my_instance,
             }
             break;
 
+        case RT_USES_FUNCTION:
+            if (is_sql)
+            {
+                match_function_usage(rulebook->rule, queue, my_instance->action, &matches, &msg);
+            }
+            break;
+
         case RT_WILDCARD:
             if (is_sql)
             {

server/modules/filter/dbfwfilter/dbfwfilter.h

@@ -44,6 +44,7 @@ void define_where_clause_rule(void* scanner);
 bool define_regex_rule(void* scanner, char* pattern);
 bool define_columns_rule(void* scanner, char* columns);
 bool define_function_rule(void* scanner, char* columns);
+bool define_function_usage_rule(void* scanner, char* columns);
 bool define_limit_queries_rule(void* scanner, int max, int timeperiod, int holdoff);
 bool add_at_times_rule(void* scanner, const char* range);
 void add_on_queries_rule(void* scanner, const char* sql);

server/modules/filter/dbfwfilter/ruleparser.y

@@ -37,7 +37,7 @@
 %token FWTOK_RULE <strval>FWTOK_RULENAME FWTOK_USERS <strval>FWTOK_USER FWTOK_RULES FWTOK_MATCH FWTOK_ANY FWTOK_ALL FWTOK_STRICT_ALL FWTOK_DENY
 %token FWTOK_WILDCARD FWTOK_COLUMNS FWTOK_REGEX FWTOK_LIMIT_QUERIES FWTOK_WHERE_CLAUSE FWTOK_AT_TIMES FWTOK_ON_QUERIES
 %token <strval>FWTOK_SQLOP FWTOK_COMMENT <intval>FWTOK_INT <floatval>FWTOK_FLOAT FWTOK_PIPE <strval>FWTOK_TIME
-%token <strval>FWTOK_BTSTR <strval>FWTOK_QUOTEDSTR <strval>FWTOK_STR FWTOK_FUNCTION <strval>FWTOK_CMP
+%token <strval>FWTOK_BTSTR <strval>FWTOK_QUOTEDSTR <strval>FWTOK_STR FWTOK_FUNCTION FWTOK_USES_FUNCTION <strval>FWTOK_CMP
 
 /** Non-terminal symbols */
 %type <strval>rulename
@@ -115,6 +115,7 @@ mandatory:
     | FWTOK_COLUMNS columnlist
     | FWTOK_FUNCTION functionlist
     | FWTOK_FUNCTION {if (!define_function_rule(scanner, "")){YYERROR;}}
+    | FWTOK_USES_FUNCTION functionusagelist
     ;
 
 columnlist:
@@ -135,6 +136,16 @@ functionvalue:
     | FWTOK_BTSTR  {if (!define_function_rule(scanner, $1)){YYERROR;}}
     ;
 
+functionusagevalue:
+    FWTOK_BTSTR {if (!define_function_usage_rule(scanner, $1)){YYERROR;}}
+    | FWTOK_STR {if (!define_function_usage_rule(scanner, $1)){YYERROR;}}
+
+functionusagelist:
+    functionusagevalue
+    | functionusagelist functionusagevalue
+    ;
+
+
 optional:
     FWTOK_AT_TIMES timelist
     | FWTOK_ON_QUERIES orlist

server/modules/filter/dbfwfilter/token.l

@@ -41,6 +41,7 @@ CMP         [=<>!]+
 deny|allow      return FWTOK_DENY; /** This should be removed at some point */
 rule            return FWTOK_RULE;
 function        return FWTOK_FUNCTION;
+uses_function   return FWTOK_USES_FUNCTION;
 no_where_clause return FWTOK_WHERE_CLAUSE;
 wildcard        return FWTOK_WILDCARD;
 columns         return FWTOK_COLUMNS;