engine: check authorization in engine instead of analyzer

jfontan · jfontan · commit a8b0c56a347d · 2018-11-06T14:19:37.000+01:00
This makes it more controllable and uses auth from engine. Previously
it had to be added to the rules with the builder.

Signed-off-by: Javi Fontan &lt;jfontan@gmail.com&gt;
diff --git a/auth/common_test.go b/auth/common_test.go
@@ -46,7 +46,7 @@ func authEngine(au auth.Auth) (string, *sqle.Engine, error) {
 
 	catalog.RegisterIndexDriver(pilosa.NewDriver(tmpDir))
 
-	a := analyzer.NewBuilder(catalog).WithAuth(au).Build()
+	a := analyzer.NewBuilder(catalog).Build()
 	config := &sqle.Config{Auth: au}
 
 	return tmpDir, sqle.New(catalog, a, config), nil
diff --git a/engine.go b/engine.go
@@ -72,9 +72,19 @@ func (e *Engine) Query(
 		return nil, nil, err
 	}
 
+	var perm = auth.ReadPerm
 	var typ = sql.QueryProcess
-	if _, ok := parsed.(*plan.CreateIndex); ok {
+	switch parsed.(type) {
+	case *plan.CreateIndex:
 		typ = sql.CreateIndexProcess
+		perm = auth.ReadPerm | auth.WritePerm
+	case *plan.InsertInto, *plan.DropIndex, *plan.UnlockTables, *plan.LockTables:
+		perm = auth.ReadPerm | auth.WritePerm
+	}
+
+	err = e.Auth.Allowed(ctx, perm)
+	if err != nil {
+		return nil, nil, err
 	}
 
 	ctx, err = e.Catalog.AddProcess(ctx, typ, query)
diff --git a/engine_test.go b/engine_test.go
@@ -1550,9 +1550,9 @@ func TestReadOnly(t *testing.T) {
 	catalog.AddDatabase(db)
 
 	au := auth.NewNativeSingle("user", "pass", auth.ReadPerm)
-
-	a := analyzer.NewBuilder(catalog).WithAuth(au).Build()
-	e := sqle.New(catalog, a, nil)
+	cfg := &sqle.Config{Auth: au}
+	a := analyzer.NewBuilder(catalog).Build()
+	e := sqle.New(catalog, a, cfg)
 
 	_, _, err := e.Query(newCtx(), `SELECT i FROM mytable`)
 	require.NoError(err)
diff --git a/sql/analyzer/analyzer.go b/sql/analyzer/analyzer.go
@@ -6,7 +6,6 @@ import (
 	opentracing "github.com/opentracing/opentracing-go"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/src-d/go-errors.v1"
-	"gopkg.in/src-d/go-mysql-server.v0/auth"
 	"gopkg.in/src-d/go-mysql-server.v0/sql"
 )
 
@@ -47,11 +46,6 @@ func (ab *Builder) WithParallelism(parallelism int) *Builder {
 	return ab
 }
 
-// WithAuth adds add authorization rule.
-func (ab *Builder) WithAuth(a auth.Auth) *Builder {
-	return ab.AddPostValidationRule(CheckAuthorizationRule, CheckAuthorization(a))
-}
-
 // AddPreAnalyzeRule adds a new rule to the analyze before the standard analyzer rules.
 func (ab *Builder) AddPreAnalyzeRule(name string, fn RuleFunc) *Builder {
 	ab.preAnalyzeRules = append(ab.preAnalyzeRules, Rule{name, fn})
diff --git a/sql/analyzer/check_auth.go b/sql/analyzer/check_auth.go
