MXS-2396 Add check_user_variables configuration parameter

The masking filter should check for things like

    set @ssn = (SELECT ssn FROM users WHERE id = 1);

so that

    select @ssn;

is not possible.

Documentation/Filters/Masking.md

@@ -71,6 +71,14 @@ Please see the configuration parameter
 [prevent_function_usage](#prevent_function_usage)
 for how to change the default behaviour.
 
+From MaxScale 2.3.5 onwards, the masking filter will check the
+definition of user variables and reject statements that define a user
+variable using a statement that refers to columns that should be masked.
+
+Please see the configuration parameter
+[check_user_variables](#check_user_variables)
+for how to change the default behaviour.
+
 ## Limitations
 
 The masking filter can _only_ be used for masking columns of the following
@@ -170,6 +178,20 @@ prevent_function_usage=false
 ```
 The default value is `true`.
 
+#### `check_user_variables`
+
+This optional parameter specifies how the masking filter should
+behave with respect to user variables. If true, then a statement like
+```
+set @a = (select ssn from customer where id = 1);
+```
+will be rejected if `ssn` is a column that should be masked.
+```
+check_user_variables=false
+```
+
+The default value is `true`.
+
 ## Rules
 
 The masking rules are expressed as a JSON object.

server/modules/filter/masking/maskingfilter.cc

@@ -90,13 +90,10 @@ extern "C" MXS_MODULE* MXS_CREATE_MODULE()
         "V1.0.0",
         RCAP_TYPE_CONTIGUOUS_INPUT | RCAP_TYPE_CONTIGUOUS_OUTPUT,
         &MaskingFilter::s_object,
-        NULL,                                                                               /* Process init.
-                                                                                             * */
-        NULL,                                                                               /* Process finish.
-                                                                                             * */
-        NULL,                                                                               /* Thread init. */
-        NULL,                                                                               /* Thread finish.
-                                                                                             * */
+        NULL, /* Process init. */
+        NULL, /* Process finish. */
+        NULL, /* Thread init. */
+        NULL, /* Thread finish. */
         {
             {
                 Config::rules_name,
@@ -124,6 +121,12 @@ extern "C" MXS_MODULE* MXS_CREATE_MODULE()
                 Config::prevent_function_usage_default,
                 MXS_MODULE_OPT_NONE,
             },
+            {
+                Config::check_user_variables_name,
+                MXS_MODULE_PARAM_BOOL,
+                Config::check_user_variables_default,
+                MXS_MODULE_OPT_NONE,
+            },
             {MXS_END_MODULE_PARAMS}
         }
     };

server/modules/filter/masking/maskingfilterconfig.cc

@@ -27,6 +27,7 @@ const char config_value_never[] = "never";
 const char config_value_always[] = "always";
 
 const char config_name_prevent_function_usage[] = "prevent_function_usage";
+const char config_check_user_variables[] = "check_user_variables";
 
 const char config_value_true[] = "true";
 }
@@ -84,6 +85,14 @@ const char* MaskingFilterConfig::prevent_function_usage_name = config_name_preve
 // static
 const char* MaskingFilterConfig::prevent_function_usage_default = config_value_true;
 
+/*
+ * PARAM check_user_variables
+ */
+const char* MaskingFilterConfig::check_user_variables_name = config_check_user_variables;
+
+// static
+const char* MaskingFilterConfig::check_user_variables_default = config_value_true;
+
 /*
  * MaskingFilterConfig
  */
@@ -115,3 +124,9 @@ bool MaskingFilterConfig::get_prevent_function_usage(const MXS_CONFIG_PARAMETER*
 {
     return config_get_bool(pParams, prevent_function_usage_name);
 }
+
+// static
+bool MaskingFilterConfig::get_check_user_variables(const MXS_CONFIG_PARAMETER* pParams)
+{
+    return config_get_bool(pParams, check_user_variables_name);
+}

server/modules/filter/masking/maskingfilterconfig.hh

@@ -45,12 +45,16 @@ public:
     static const char* prevent_function_usage_name;
     static const char* prevent_function_usage_default;
 
+    static const char* check_user_variables_name;
+    static const char* check_user_variables_default;
+
     MaskingFilterConfig(const char* zName, const MXS_CONFIG_PARAMETER* pParams)
         : m_name(zName)
         , m_large_payload(get_large_payload(pParams))
         , m_rules(get_rules(pParams))
         , m_warn_type_mismatch(get_warn_type_mismatch(pParams))
         , m_prevent_function_usage(get_prevent_function_usage(pParams))
+        , m_check_user_variables(get_check_user_variables(pParams))
     {
     }
     ~MaskingFilterConfig()
@@ -82,6 +86,11 @@ public:
         return m_prevent_function_usage;
     }
 
+    bool check_user_variables() const
+    {
+        return m_check_user_variables;
+    }
+
     void set_large_payload(large_payload_t l)
     {
         m_large_payload = l;
@@ -101,10 +110,21 @@ public:
         m_prevent_function_usage = b;
     }
 
+    void set_check_user_variables(bool b)
+    {
+        m_check_user_variables = b;
+    }
+
+    bool is_parsing_needed() const
+    {
+        return prevent_function_usage() || check_user_variables();
+    }
+
     static large_payload_t      get_large_payload(const MXS_CONFIG_PARAMETER* pParams);
     static std::string          get_rules(const MXS_CONFIG_PARAMETER* pParams);
     static warn_type_mismatch_t get_warn_type_mismatch(const MXS_CONFIG_PARAMETER* pParams);
     static bool                 get_prevent_function_usage(const MXS_CONFIG_PARAMETER* pParams);
+    static bool                 get_check_user_variables(const MXS_CONFIG_PARAMETER* pParams);
 
 private:
     std::string          m_name;
@@ -112,4 +132,5 @@ private:
     std::string          m_rules;
     warn_type_mismatch_t m_warn_type_mismatch;
     bool                 m_prevent_function_usage;
+    bool                 m_check_user_variables;
 };