Skip to content

fix(security): enforce SQL authorization across transports#177

Merged
farhan-syah merged 7 commits into
mainfrom
fix/query-transport-parity
Jul 14, 2026
Merged

fix(security): enforce SQL authorization across transports#177
farhan-syah merged 7 commits into
mainfrom
fix/query-transport-parity

Conversation

@farhan-syah

@farhan-syah farhan-syah commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

Fixes GHSA-rgrf-mv99-jwgv by introducing one transport-neutral SQL authorization boundary for:

  • pgwire simple and prepared execution
  • HTTP JSON and NDJSON queries
  • WebSocket RPC and LIVE subscriptions
  • native materialized and lazy SQL execution

Security boundary

  • validates access to the selected database before DDL, planning, or metadata exposure
  • exhaustively authorizes every protected resource in the final task set, including joins, source/target DML, implicit tasks, clone reads, facets, cursors, EXPLAIN, and subscriptions
  • enforces collection ownership, explicit user/role grants, built-in roles, database-role isolation, and superuser-only _system.* access
  • runs before triggers, sequences, streams, replay, orchestration, staging, Calvin routing, clone probes, or Data Plane dispatch
  • maps denials consistently to HTTP 403, SQLSTATE 42501, WebSocket errors, and native protocol errors
  • emits one terminal authorization-denial audit event

Regression coverage

Adds end-to-end coverage for:

  • database-scoped API keys
  • denied reads and writes with no-mutation assertions
  • explicit collection grants
  • multi-resource joins
  • prepared Parse/Describe metadata protection
  • cursors, facets, EXPLAIN, and LIVE SELECT
  • WebSocket upgrade, replay, and subscription authorization
  • native materialized, lazy, and EXPLAIN authorization

Validation

Passed:

  • shared authorization unit tests
  • HTTP JSON/NDJSON authorization and baseline suites
  • WebSocket authorization, lifecycle, and baseline suites
  • native SQL authorization and protocol baseline suites
  • pgwire database, grant, tenant-scoping, prepared-query, and API-key scope suites
  • focused clone read/copy-up and DDL error-mapping tests
  • cargo fmt --all
  • cargo clippy --all-targets --all-features -- -D warnings
  • bash scripts/ci/check_calvin_determinism.sh
  • git diff --check

The separate cluster stage exposed existing Calvin explicit-transaction/OLLP failures unrelated to this authorization boundary; no cluster behavior was changed or included in this PR.

@farhan-syah farhan-syah marked this pull request as ready for review July 13, 2026 13:39
@farhan-syah farhan-syah marked this pull request as draft July 13, 2026 13:42
@farhan-syah farhan-syah changed the title test: cover SQL transport authorization parity fix(security): enforce SQL authorization across transports Jul 14, 2026
@farhan-syah farhan-syah marked this pull request as ready for review July 14, 2026 01:32
@farhan-syah farhan-syah merged commit 9ff09f7 into main Jul 14, 2026
1 check passed
@farhan-syah farhan-syah deleted the fix/query-transport-parity branch July 14, 2026 02:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant