# Using views for security

In this Notebook we shall explore two approaches to using views for security.

In the first, simple value-matching is applied; in the second, the data revealed is determined by the connected user.

You will be trying, in the next Notebook, to 'hack' (overcome!) the security offered by these two approaches.

In [2]:
%load_ext sql

## 1 Value-based security

We need to create a user who will be used to access a view which we created in the first Notebook, `patient_doctor`.

Let us call that user `a_patient`, with password '`anybody`'. `a_patient` will need SELECT privilege on `patient_doctor`.

We can then use `a_patient` to connect from a Python script, which will take input from an arbitrary user (you!), and use that input to SELECT data from `patient_doctor`.

So, the steps are:
 - connect as `dbadmin`, to create the user
 - reconnect, as `patient_admin`, to GRANT the SELECT privilege on `patient_doctor` to `a_patient`
 - construct a Python script to obtain the patient name for whom data is required.

In [3]:
# connect as user dbadmin
%sql postgresql://dbadmin:secret@localhost:5432/tm351test

'Connected: dbadmin@tm351test'

In [4]:
%%sql

-- create the new user

DROP USER IF EXISTS a_patient;

CREATE USER a_patient WITH PASSWORD 'anybody';


Done.
Done.


[]

In [5]:
# reconnect as patient_admin
%sql postgresql://patient_admin:patients@localhost:5432/tm351test

'Connected: patient_admin@tm351test'

In [6]:
%%sql

-- GRANT the SELECT privilege to a_patient

GRANT SELECT ON patient_doctor TO a_patient;

Done.


[]

It would be sensible at this point to check that `a_patient` can indeed connect to PostgreSQL and retrieve all the data from `patient_doctor`.

The view is already hiding a lot of data: `a_patient` should not, for example, be able to select information from `patients`.

In [7]:
%sql postgresql://a_patient:anybody@localhost:5432/tm351test

'Connected: a_patient@tm351test'

In [8]:
%%sql

SELECT * FROM patient_doctor;


14 rows affected.


patient_name,doctor_name
Thornton,Gibson
Tennent,Paxton
James,Paxton
Kay,Gibson
Harris,Gibson
Ming,Nolan
Maher,Nolan
Monroe,Rampton
Harris,Rampton
Hunt,Rampton


In [10]:
%%sql
SELECT * from patients;

(psycopg2.ProgrammingError) permission denied for relation patients
 [SQL: 'SELECT * from patients;']


The failure of the second query confirms that `a_patient` can see data from `patients` only through the view `patient_doctor`.

The next cell constructs, in a trivial script, both a connection and a query.  

Note that construction of the query is enclosed in double quotes, as single quotes enclose the text value of the variable patient in the SQL query.  

Note also the user of `lower`. For completeness, this ought also to be applied to the input value, but, in order to keep things simple for the next Notebook, we have omitted that facet.

Run the script, and check that it works.

In [12]:
from sqlalchemy import create_engine
from pandas import read_sql_query as psql
patient = input ("Enter your name (all lower case): ")
connect = 'postgresql://a_patient:anybody@localhost:5432/tm351test'
engine = create_engine(connect)
query = "SELECT * from patient_doctor WHERE lower(patient_name)= '"+patient+"'"
psql (query, engine)

Enter your name (in lower case): dixon


Unnamed: 0,patient_name,doctor_name
0,Dixon,Gibson


This simple example could readily be extended to allow for a (patient-defined) pairing of patient name and password (which would have to have been stored in the database). However, this would complicate Notebook 23.3, in which you will attempt to exploit a well-known security vulnerability in this kind of interface to a database. Thus, we shall stop with this simple mechanism.

## 2 Using the value of current_user in the definition of a view

A more sophisticated approach to security can be based on the value of `current_user`, the username of the connected user, to define which rows of a table appear in a view.

This adds two levels of security: first, the current user must be connected correctly, and secondly, the view - on which they must have SELECT privilege - will be evaluated containing data only for the current user.

The steps here are:
- connect as `doctor_admin`
- create a view that contains the names of patients of the connected user
- create a script that builds the connection and query to connect as one of the doctors, and retrieve all data from the new view.

In [13]:
# connect as doctor_admin

%sql postgresql://doctor_admin:doctors@localhost:5432/tm351test

'Connected: doctor_admin@tm351test'

In [14]:
%%sql

-- Create a view containing the names of the patients of "current_user"
-- Grant select privilege on this new view to all doctor users (by using the ROLE, doctor)

DROP VIEW IF EXISTS my_patients;

CREATE VIEW my_patients AS
SELECT patient_name FROM patient_doctor
WHERE lower(doctor_name) = current_user;

GRANT SELECT ON my_patients to doctor;


Done.
Done.
Done.


[]

In [15]:
%%sql 

-- Check that NO data is returned for the current user (doctor_admin), 
-- and that the correct data IS returned for any of the doctors

SELECT * from my_patients;

0 rows affected.


patient_name


In [16]:
# connect as a doctor;
%sql postgresql://gibson:Nosbig@localhost:5432/tm351test

'Connected: gibson@tm351test'

In [17]:
%%sql 

-- Check that the correct data is returned for this doctor

SELECT * from my_patients;

5 rows affected.


patient_name
Thornton
Kay
Harris
Dixon
Boswell


Create the script.  
Note that the two libraries should already be imported.

In [21]:
# from sqlalchemy import create_engine
# from pandas import read_sql_query as psql
user = input ("Enter your username (lower case): ")
pwd = input ("and your password: ")
connect = 'postgresql://'+user+':'+pwd+'@localhost:5432/tm351test'
# print (connect)
engine = create_engine(connect)
psql ('SELECT * from my_patients', engine)


Enter your username (lower case): paxton
and your password: Notxap


Unnamed: 0,patient_name
0,Tennent
1,James
2,Bell
3,Reed


In Notebook 23.3 you will try to 'hack' each of these scripts, simply by inputting malicious values for name or password.

## What next?

If you are working through this Notebook as part of an inline exercise, return to the module materials now.

If you are working through this set of Notebooks as a whole, move on to `23.3 SQL injection hacks`.