Acasă Explorează Ajutor
Autentificare
chiappa
/
irdb
oglindă de https://git.snix.ch/chiappa/irdb.git
1
0
Bifurcare 0
Fisiere Probleme 0
Arbore: 57ab1ba034
Ramuri Etichete
irdb
/
api
/
db
/
migrations
/
20260505100000_add_users_local_subject_invariant.php

20260505100000_add_users_local_subject_invariant.php 2.8 KB
Istoric Crud

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. use App\Infrastructure\Db\Migrations\BaseMigration;
    6. 

  6. 

  7. /**
    8. 

  8.  * Defense-in-depth for SEC_REVIEW F12: enforce at the DB layer that a
    9. 

  9.  * row with `is_local = 1` always has `subject IS NULL`. SPEC §6 / §8
    10. 

  10.  * documents this invariant — local-admin rows have no OIDC subject —
    11. 

  11.  * and `UserRepository::upsertLocal` honours it in code, but a
    12. 

  12.  * compromised IdP that pushed an OIDC user with the local admin's
    13. 

  13.  * `display_name` plus a later "data fix" flipping `is_local=1` would
    14. 

  14.  * otherwise let `findLocal()` bind the local-admin password to that
    15. 

  15.  * hijacked OIDC identity.
    16. 

  16.  *
    17. 

  17.  * Implementation:
    18. 

  18.  *  - MySQL 8: a CHECK constraint added via ALTER TABLE.
    19. 

  19.  *  - SQLite: a pair of BEFORE INSERT and BEFORE UPDATE triggers that
    20. 

  20.  *    RAISE(ABORT) when the predicate is violated. SQLite cannot ALTER
    21. 

  21.  *    TABLE ADD CHECK without a full table rebuild, and triggers give
    22. 

  22.  *    equivalent runtime enforcement.
    23. 

  23.  *
    24. 

  24.  * If a deployment already has a row violating the invariant
    25. 

  25.  * (is_local=1 AND subject IS NOT NULL), this migration will fail. That
    26. 

  26.  * is the desired signal: the operator must inspect and consolidate
    27. 

  27.  * before applying the constraint.
    28. 

  28.  */
    29. 

  29. final class AddUsersLocalSubjectInvariant extends BaseMigration
    30. 

  30. {
    31. 

  31.     private const CONSTRAINT_NAME = 'chk_users_local_subject_null';
    32. 

  32.     private const TRIGGER_INSERT = 'trg_users_local_subject_null_insert';
    33. 

  33.     private const TRIGGER_UPDATE = 'trg_users_local_subject_null_update';
    34. 

  34. 

  35.     public function up(): void
    36. 

  36.     {
    37. 

  37.         if ($this->isMysql()) {
    38. 

  38.             $this->execute(
    39. 

  39.                 'ALTER TABLE users ADD CONSTRAINT ' . self::CONSTRAINT_NAME . ' '
    40. 

  40.                 . 'CHECK (NOT (is_local = 1 AND subject IS NOT NULL))'
    41. 

  41.             );
    42. 

  42. 

  43.             return;
    44. 

  44.         }
    45. 

  45. 

  46.         $this->execute(<<<'SQL'
    47. 

  47.             CREATE TRIGGER trg_users_local_subject_null_insert
    48. 

  48.             BEFORE INSERT ON users
    49. 

  49.             FOR EACH ROW
    50. 

  50.             WHEN NEW.is_local = 1 AND NEW.subject IS NOT NULL
    51. 

  51.             BEGIN
    52. 

  52.                 SELECT RAISE(ABORT, 'local user must have null subject');
    53. 

  53.             END
    54. 

  54.         SQL);
    55. 

  55. 

  56.         $this->execute(<<<'SQL'
    57. 

  57.             CREATE TRIGGER trg_users_local_subject_null_update
    58. 

  58.             BEFORE UPDATE ON users
    59. 

  59.             FOR EACH ROW
    60. 

  60.             WHEN NEW.is_local = 1 AND NEW.subject IS NOT NULL
    61. 

  61.             BEGIN
    62. 

  62.                 SELECT RAISE(ABORT, 'local user must have null subject');
    63. 

  63.             END
    64. 

  64.         SQL);
    65. 

  65.     }
    66. 

  66. 

  67.     public function down(): void
    68. 

  68.     {
    69. 

  69.         if ($this->isMysql()) {
    70. 

  70.             $this->execute(
    71. 

  71.                 'ALTER TABLE users DROP CONSTRAINT ' . self::CONSTRAINT_NAME
    72. 

  72.             );
    73. 

  73. 

  74.             return;
    75. 

  75.         }
    76. 

  76. 

  77.         $this->execute('DROP TRIGGER IF EXISTS ' . self::TRIGGER_INSERT);
    78. 

  78.         $this->execute('DROP TRIGGER IF EXISTS ' . self::TRIGGER_UPDATE);
    79. 

  79.     }
    80. 

  80. }
    81.