From 8b329f7f3327c3acf12091ea40a6cc48768b50cf Mon Sep 17 00:00:00 2001
From: Johan Wikman <johan.wikman@mariadb.com>
Date: Thu, 21 Mar 2019 17:52:50 +0200
Subject: [PATCH] MXS-2403 Add 'check_subqueries' parameter

Only documentation and parameter handling.
---
 Documentation/Filters/Masking.md              | 23 +++++++++++++++++++
 .../filter/masking/maskingfilterconfig.cc     | 16 +++++++++++++
 .../filter/masking/maskingfilterconfig.hh     | 18 ++++++++++++++-
 3 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/Documentation/Filters/Masking.md b/Documentation/Filters/Masking.md
index babc139ec..2ad3d2d77 100644
--- a/Documentation/Filters/Masking.md
+++ b/Documentation/Filters/Masking.md
@@ -87,6 +87,15 @@ Please see the configuration parameter
 [check_unions](#check_unions)
 for how to change the default behaviour.
 
+From MaxScale 2.3.5 onwards, the masking filter will examine subqueries
+and if a subquery refers to columns that should be masked, the statement
+will be rejected.
+
+Please see the configuration parameter
+[check_subqueries](#check_subqueries)
+for how to change the default behaviour.
+
+
 ## Limitations
 
 The masking filter can _only_ be used for masking columns of the following
@@ -214,6 +223,20 @@ check_unions=false
 
 The default value is `true`.
 
+#### `check_subqueries`
+
+This optional parameter specifies how the masking filter should
+behave with respect to subqueries. If true, then a statement like
+```
+SELECT * FROM (SELECT a as b FROM t1) as t2;
+```
+will be rejected if `a` is a column that should be masked.
+```
+check_subqueries=false
+```
+
+The default value is `true`.
+
 ## Rules
 
 The masking rules are expressed as a JSON object.
diff --git a/server/modules/filter/masking/maskingfilterconfig.cc b/server/modules/filter/masking/maskingfilterconfig.cc
index ff78978be..3f6f2b81c 100644
--- a/server/modules/filter/masking/maskingfilterconfig.cc
+++ b/server/modules/filter/masking/maskingfilterconfig.cc
@@ -29,6 +29,7 @@ const char config_value_always[] = "always";
 const char config_name_prevent_function_usage[] = "prevent_function_usage";
 const char config_check_user_variables[] = "check_user_variables";
 const char config_check_unions[] = "check_unions";
+const char config_check_subqueries[] = "check_subqueries";
 
 const char config_value_true[] = "true";
 }
@@ -104,6 +105,15 @@ const char* MaskingFilterConfig::check_unions_name = config_check_unions;
 // static
 const char* MaskingFilterConfig::check_unions_default = config_value_true;
 
+/*
+ * PARAM check_subqueries
+ */
+// static
+const char* MaskingFilterConfig::check_subqueries_name = config_check_subqueries;
+
+// static
+const char* MaskingFilterConfig::check_subqueries_default = config_value_true;
+
 
 /*
  * MaskingFilterConfig
@@ -148,3 +158,9 @@ bool MaskingFilterConfig::get_check_unions(const MXS_CONFIG_PARAMETER* pParams)
 {
     return config_get_bool(pParams, check_unions_name);
 }
+
+// static
+bool MaskingFilterConfig::get_check_subqueries(const MXS_CONFIG_PARAMETER* pParams)
+{
+    return config_get_bool(pParams, check_subqueries_name);
+}
diff --git a/server/modules/filter/masking/maskingfilterconfig.hh b/server/modules/filter/masking/maskingfilterconfig.hh
index 71f5b09ed..20c3bb3a7 100644
--- a/server/modules/filter/masking/maskingfilterconfig.hh
+++ b/server/modules/filter/masking/maskingfilterconfig.hh
@@ -51,6 +51,9 @@ public:
     static const char* check_unions_name;
     static const char* check_unions_default;
 
+    static const char* check_subqueries_name;
+    static const char* check_subqueries_default;
+
     MaskingFilterConfig(const char* zName, const MXS_CONFIG_PARAMETER* pParams)
         : m_name(zName)
         , m_large_payload(get_large_payload(pParams))
@@ -59,6 +62,7 @@ public:
         , m_prevent_function_usage(get_prevent_function_usage(pParams))
         , m_check_user_variables(get_check_user_variables(pParams))
         , m_check_unions(get_check_unions(pParams))
+        , m_check_subqueries(get_check_subqueries(pParams))
     {
     }
 
@@ -101,6 +105,11 @@ public:
         return m_check_unions;
     }
 
+    bool check_subqueries() const
+    {
+        return m_check_subqueries;
+    }
+
     void set_large_payload(large_payload_t l)
     {
         m_large_payload = l;
@@ -130,9 +139,14 @@ public:
         m_check_unions = b;
     }
 
+    void set_check_subqueries(bool b)
+    {
+        m_check_subqueries = b;
+    }
+
     bool is_parsing_needed() const
     {
-        return prevent_function_usage() || check_user_variables() || check_unions();
+        return prevent_function_usage() || check_user_variables() || check_unions() || check_subqueries();
     }
 
     static large_payload_t      get_large_payload(const MXS_CONFIG_PARAMETER* pParams);
@@ -141,6 +155,7 @@ public:
     static bool                 get_prevent_function_usage(const MXS_CONFIG_PARAMETER* pParams);
     static bool                 get_check_user_variables(const MXS_CONFIG_PARAMETER* pParams);
     static bool                 get_check_unions(const MXS_CONFIG_PARAMETER* pParams);
+    static bool                 get_check_subqueries(const MXS_CONFIG_PARAMETER* pParams);
 
 private:
     std::string          m_name;
@@ -150,4 +165,5 @@ private:
     bool                 m_prevent_function_usage;
     bool                 m_check_user_variables;
     bool                 m_check_unions;
+    bool                 m_check_subqueries;
 };