You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

263 lines
8.8 KiB

  1. # Copyright (C) 2015 Akretion (<http://www.akretion.com>)
  2. # Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
  3. # @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
  4. # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
  5. import re
  6. import uuid
  7. from io import StringIO
  8. import base64
  9. from psycopg2 import ProgrammingError
  10. from odoo import _, api, fields, models
  11. from odoo.exceptions import UserError
  12. class SQLRequestMixin(models.AbstractModel):
  13. _name = 'sql.request.mixin'
  14. _clean_query_enabled = True
  15. _check_prohibited_words_enabled = True
  16. _check_execution_enabled = True
  17. _sql_request_groups_relation = False
  18. _sql_request_users_relation = False
  19. STATE_SELECTION = [
  20. ('draft', 'Draft'),
  21. ('sql_valid', 'SQL Valid'),
  22. ]
  23. PROHIBITED_WORDS = [
  24. 'delete',
  25. 'drop',
  26. 'insert',
  27. 'alter',
  28. 'truncate',
  29. 'execute',
  30. 'create',
  31. 'update',
  32. 'ir_config_parameter',
  33. ]
  34. # Default Section
  35. @api.model
  36. def _default_group_ids(self):
  37. ir_model_obj = self.env['ir.model.data']
  38. return [ir_model_obj.xmlid_to_res_id(
  39. 'sql_request_abstract.group_sql_request_user')]
  40. @api.model
  41. def _default_user_ids(self):
  42. return []
  43. # Columns Section
  44. name = fields.Char('Name', required=True)
  45. query = fields.Text(
  46. string='Query', required=True, help="You can't use the following words"
  47. ": DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE.")
  48. state = fields.Selection(
  49. string='State', selection=STATE_SELECTION, default='draft',
  50. help="State of the Request:\n"
  51. " * 'Draft': Not tested\n"
  52. " * 'SQL Valid': SQL Request has been checked and is valid")
  53. group_ids = fields.Many2many(
  54. comodel_name='res.groups', string='Allowed Groups',
  55. relation=_sql_request_groups_relation,
  56. column1='sql_id', column2='group_id',
  57. default=_default_group_ids)
  58. user_ids = fields.Many2many(
  59. comodel_name='res.users', string='Allowed Users',
  60. relation=_sql_request_users_relation,
  61. column1='sql_id', column2='user_id',
  62. default=_default_user_ids)
  63. # Action Section
  64. @api.multi
  65. def button_validate_sql_expression(self):
  66. for item in self:
  67. if item._clean_query_enabled:
  68. item._clean_query()
  69. if item._check_prohibited_words_enabled:
  70. item._check_prohibited_words()
  71. if item._check_execution_enabled:
  72. item._check_execution()
  73. item.state = 'sql_valid'
  74. @api.multi
  75. def button_set_draft(self):
  76. self.write({'state': 'draft'})
  77. # API Section
  78. @api.multi
  79. def _execute_sql_request(
  80. self, params=None, mode='fetchall', rollback=True,
  81. view_name=False, copy_options="CSV HEADER DELIMITER ';'"):
  82. """Execute a SQL request on the current database.
  83. ??? This function checks before if the user has the
  84. right to execute the request.
  85. :param params: (dict) of keys / values that will be replaced in
  86. the sql query, before executing it.
  87. :param mode: (str) result type expected. Available settings :
  88. * 'view': create a view with the select query. Extra param
  89. required 'view_name'.
  90. * 'materialized_view': create a MATERIALIZED VIEW with the
  91. select query. Extra parameter required 'view_name'.
  92. * 'fetchall': execute the select request, and return the
  93. result of 'cr.fetchall()'.
  94. * 'fetchone' : execute the select request, and return the
  95. result of 'cr.fetchone()'
  96. :param rollback: (boolean) mention if a rollback should be played after
  97. the execution of the query. Please keep this feature enabled
  98. for security reason, except if necessary.
  99. (Ignored if @mode in ('view', 'materialized_view'))
  100. :param view_name: (str) name of the view.
  101. (Ignored if @mode not in ('view', 'materialized_view'))
  102. :param copy_options: (str) mentions extra options for
  103. "COPY request STDOUT WITH xxx" request.
  104. (Ignored if @mode != 'stdout')
  105. ..note:: The following exceptions could be raised:
  106. psycopg2.ProgrammingError: Error in the SQL Request.
  107. odoo.exceptions.UserError:
  108. * 'mode' is not implemented.
  109. * materialized view is not supported by the Postgresql Server.
  110. """
  111. self.ensure_one()
  112. res = False
  113. # Check if the request is in a valid state
  114. if self.state == 'draft':
  115. raise UserError(_(
  116. "It is not allowed to execute a not checked request."))
  117. # Disable rollback if a creation of a view is asked
  118. if mode in ('view', 'materialized_view'):
  119. rollback = False
  120. # pylint: disable=sql-injection
  121. if params:
  122. query = self.query % params
  123. else:
  124. query = self.query
  125. query = query
  126. if mode in ('fetchone', 'fetchall'):
  127. pass
  128. elif mode == 'stdout':
  129. query = "COPY (%s) TO STDOUT WITH %s" % (query, copy_options)
  130. elif mode in 'view':
  131. query = "CREATE VIEW %s AS (%s);" % (query, view_name)
  132. elif mode in 'materialized_view':
  133. self._check_materialized_view_available()
  134. query = "CREATE MATERIALIZED VIEW %s AS (%s);" % (query, view_name)
  135. else:
  136. raise UserError(_("Unimplemented mode : '%s'" % mode))
  137. if rollback:
  138. rollback_name = self._create_savepoint()
  139. try:
  140. if mode == 'stdout':
  141. output = StringIO.StringIO()
  142. self.env.cr.copy_expert(query, output)
  143. output.getvalue()
  144. res = base64.b64encode(output.getvalue())
  145. output.close()
  146. else:
  147. self.env.cr.execute(query)
  148. if mode == 'fetchall':
  149. res = self.env.cr.fetchall()
  150. elif mode == 'fetchone':
  151. res = self.env.cr.fetchone()
  152. finally:
  153. self._rollback_savepoint(rollback_name)
  154. return res
  155. # Private Section
  156. @api.model
  157. def _create_savepoint(self):
  158. rollback_name = '%s_%s' % (
  159. self._name.replace('.', '_'), uuid.uuid1().hex)
  160. # pylint: disable=sql-injection
  161. req = "SAVEPOINT %s" % (rollback_name)
  162. self.env.cr.execute(req)
  163. return rollback_name
  164. @api.model
  165. def _rollback_savepoint(self, rollback_name):
  166. # pylint: disable=sql-injection
  167. req = "ROLLBACK TO SAVEPOINT %s" % (rollback_name)
  168. self.env.cr.execute(req)
  169. @api.model
  170. def _check_materialized_view_available(self):
  171. self.env.cr.execute("SHOW server_version;")
  172. res = self.env.cr.fetchone()[0].split('.')
  173. minor_version = float('.'.join(res[:2]))
  174. if minor_version < 9.3:
  175. raise UserError(_(
  176. "Materialized View requires PostgreSQL 9.3 or greater but"
  177. " PostgreSQL %s is currently installed.") % (minor_version))
  178. @api.multi
  179. def _clean_query(self):
  180. self.ensure_one()
  181. query = self.query.strip()
  182. while query[-1] == ';':
  183. query = query[:-1]
  184. self.query = query
  185. @api.multi
  186. def _check_prohibited_words(self):
  187. """Check if the query contains prohibited words, to avoid maliscious
  188. SQL requests"""
  189. self.ensure_one()
  190. query = self.query.lower()
  191. for word in self.PROHIBITED_WORDS:
  192. expr = r'\b%s\b' % word
  193. is_not_safe = re.search(expr, query)
  194. if is_not_safe:
  195. raise UserError(_(
  196. "The query is not allowed because it contains unsafe word"
  197. " '%s'") % (word))
  198. @api.multi
  199. def _check_execution(self):
  200. """Ensure that the query is valid, trying to execute it. A rollback
  201. is done after."""
  202. self.ensure_one()
  203. query = self._prepare_request_check_execution()
  204. rollback_name = self._create_savepoint()
  205. res = False
  206. try:
  207. self.env.cr.execute(query)
  208. res = self._hook_executed_request()
  209. except ProgrammingError as e:
  210. raise UserError(
  211. _("The SQL query is not valid:\n\n %s") % e)
  212. finally:
  213. self._rollback_savepoint(rollback_name)
  214. return res
  215. @api.multi
  216. def _prepare_request_check_execution(self):
  217. """Overload me to replace some part of the query, if it contains
  218. parameters"""
  219. self.ensure_one()
  220. return self.query
  221. def _hook_executed_request(self):
  222. """Overload me to insert custom code, when the SQL request has
  223. been executed, before the rollback.
  224. """
  225. self.ensure_one()
  226. return False