PostgreSQL Source Code  git master
dumputils.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * Utility routines for SQL dumping
4  *
5  * Basically this is stuff that is useful in both pg_dump and pg_dumpall.
6  *
7  *
8  * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
9  * Portions Copyright (c) 1994, Regents of the University of California
10  *
11  * src/bin/pg_dump/dumputils.c
12  *
13  *-------------------------------------------------------------------------
14  */
15 #include "postgres_fe.h"
16 
17 #include <ctype.h>
18 
19 #include "dumputils.h"
20 #include "fe_utils/string_utils.h"
21 
22 
23 static bool parseAclItem(const char *item, const char *type,
24  const char *name, const char *subname, int remoteVersion,
25  PQExpBuffer grantee, PQExpBuffer grantor,
26  PQExpBuffer privs, PQExpBuffer privswgo);
27 static char *copyAclUserName(PQExpBuffer output, char *input);
28 static void AddAcl(PQExpBuffer aclbuf, const char *keyword,
29  const char *subname);
30 
31 
32 /*
33  * Build GRANT/REVOKE command(s) for an object.
34  *
35  * name: the object name, in the form to use in the commands (already quoted)
36  * subname: the sub-object name, if any (already quoted); NULL if none
37  * nspname: the namespace the object is in (NULL if none); not pre-quoted
38  * type: the object type (as seen in GRANT command: must be one of
39  * TABLE, SEQUENCE, FUNCTION, PROCEDURE, LANGUAGE, SCHEMA, DATABASE, TABLESPACE,
40  * FOREIGN DATA WRAPPER, SERVER, or LARGE OBJECT)
41  * acls: the ACL string fetched from the database
42  * racls: the ACL string of any initial-but-now-revoked privileges
43  * owner: username of object owner (will be passed through fmtId); can be
44  * NULL or empty string to indicate "no owner known"
45  * prefix: string to prefix to each generated command; typically empty
46  * remoteVersion: version of database
47  *
48  * Returns true if okay, false if could not parse the acl string.
49  * The resulting commands (if any) are appended to the contents of 'sql'.
50  *
51  * Note: when processing a default ACL, prefix is "ALTER DEFAULT PRIVILEGES "
52  * or something similar, and name is an empty string.
53  *
54  * Note: beware of passing a fmtId() result directly as 'name' or 'subname',
55  * since this routine uses fmtId() internally.
56  */
57 bool
58 buildACLCommands(const char *name, const char *subname, const char *nspname,
59  const char *type, const char *acls, const char *racls,
60  const char *owner, const char *prefix, int remoteVersion,
61  PQExpBuffer sql)
62 {
63  bool ok = true;
64  char **aclitems = NULL;
65  char **raclitems = NULL;
66  int naclitems = 0;
67  int nraclitems = 0;
68  int i;
69  PQExpBuffer grantee,
70  grantor,
71  privs,
72  privswgo;
73  PQExpBuffer firstsql,
74  secondsql;
75  bool found_owner_privs = false;
76 
77  if (strlen(acls) == 0 && strlen(racls) == 0)
78  return true; /* object has default permissions */
79 
80  /* treat empty-string owner same as NULL */
81  if (owner && *owner == '\0')
82  owner = NULL;
83 
84  if (strlen(acls) != 0)
85  {
86  if (!parsePGArray(acls, &aclitems, &naclitems))
87  {
88  if (aclitems)
89  free(aclitems);
90  return false;
91  }
92  }
93 
94  if (strlen(racls) != 0)
95  {
96  if (!parsePGArray(racls, &raclitems, &nraclitems))
97  {
98  if (aclitems)
99  free(aclitems);
100  if (raclitems)
101  free(raclitems);
102  return false;
103  }
104  }
105 
106  grantee = createPQExpBuffer();
107  grantor = createPQExpBuffer();
108  privs = createPQExpBuffer();
109  privswgo = createPQExpBuffer();
110 
111  /*
112  * At the end, these two will be pasted together to form the result.
113  *
114  * For older systems we use these to ensure that the owner privileges go
115  * before the other ones, as a GRANT could create the default entry for
116  * the object, which generally includes all rights for the owner. In more
117  * recent versions we normally handle this because the owner rights come
118  * first in the ACLs, but older versions might have them after the PUBLIC
119  * privileges.
120  *
121  * For 9.6 and later systems, much of this changes. With 9.6, we check
122  * the default privileges for the objects at dump time and create two sets
123  * of ACLs- "racls" which are the ACLs to REVOKE from the object (as the
124  * object may have initial privileges on it, along with any default ACLs
125  * which are not part of the current set of privileges), and regular
126  * "acls", which are the ACLs to GRANT to the object. We handle the
127  * REVOKEs first, followed by the GRANTs.
128  */
129  firstsql = createPQExpBuffer();
130  secondsql = createPQExpBuffer();
131 
132  /*
133  * For pre-9.6 systems, we always start with REVOKE ALL FROM PUBLIC, as we
134  * don't wish to make any assumptions about what the default ACLs are, and
135  * we do not collect them during the dump phase (and racls will always be
136  * the empty set, see above).
137  *
138  * For 9.6 and later, if any revoke ACLs have been provided, then include
139  * them in 'firstsql'.
140  *
141  * Revoke ACLs happen when an object starts out life with a set of
142  * privileges (eg: GRANT SELECT ON pg_class TO PUBLIC;) and the user has
143  * decided to revoke those rights. Since those objects come into being
144  * with those default privileges, we have to revoke them to match what the
145  * current state of affairs is. Note that we only started explicitly
146  * tracking such initial rights in 9.6, and prior to that all initial
147  * rights are actually handled by the simple 'REVOKE ALL .. FROM PUBLIC'
148  * case, for initdb-created objects. Prior to 9.6, we didn't handle
149  * extensions correctly, but we do now by tracking their initial
150  * privileges, in the same way we track initdb initial privileges, see
151  * pg_init_privs.
152  */
153  if (remoteVersion < 90600)
154  {
155  Assert(nraclitems == 0);
156 
157  appendPQExpBuffer(firstsql, "%sREVOKE ALL", prefix);
158  if (subname)
159  appendPQExpBuffer(firstsql, "(%s)", subname);
160  appendPQExpBuffer(firstsql, " ON %s ", type);
161  if (nspname && *nspname)
162  appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
163  appendPQExpBuffer(firstsql, "%s FROM PUBLIC;\n", name);
164  }
165  else
166  {
167  /* Scan individual REVOKE ACL items */
168  for (i = 0; i < nraclitems; i++)
169  {
170  if (!parseAclItem(raclitems[i], type, name, subname, remoteVersion,
171  grantee, grantor, privs, NULL))
172  {
173  ok = false;
174  break;
175  }
176 
177  if (privs->len > 0)
178  {
179  appendPQExpBuffer(firstsql, "%sREVOKE %s ON %s ",
180  prefix, privs->data, type);
181  if (nspname && *nspname)
182  appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
183  appendPQExpBuffer(firstsql, "%s FROM ", name);
184  if (grantee->len == 0)
185  appendPQExpBufferStr(firstsql, "PUBLIC;\n");
186  else if (strncmp(grantee->data, "group ",
187  strlen("group ")) == 0)
188  appendPQExpBuffer(firstsql, "GROUP %s;\n",
189  fmtId(grantee->data + strlen("group ")));
190  else
191  appendPQExpBuffer(firstsql, "%s;\n",
192  fmtId(grantee->data));
193  }
194  }
195  }
196 
197  /*
198  * We still need some hacking though to cover the case where new default
199  * public privileges are added in new versions: the REVOKE ALL will revoke
200  * them, leading to behavior different from what the old version had,
201  * which is generally not what's wanted. So add back default privs if the
202  * source database is too old to have had that particular priv.
203  */
204  if (remoteVersion < 80200 && strcmp(type, "DATABASE") == 0)
205  {
206  /* database CONNECT priv didn't exist before 8.2 */
207  appendPQExpBuffer(firstsql, "%sGRANT CONNECT ON %s %s TO PUBLIC;\n",
208  prefix, type, name);
209  }
210 
211  /* Scan individual ACL items */
212  for (i = 0; i < naclitems; i++)
213  {
214  if (!parseAclItem(aclitems[i], type, name, subname, remoteVersion,
215  grantee, grantor, privs, privswgo))
216  {
217  ok = false;
218  break;
219  }
220 
221  if (grantor->len == 0 && owner)
222  printfPQExpBuffer(grantor, "%s", owner);
223 
224  if (privs->len > 0 || privswgo->len > 0)
225  {
226  /*
227  * Prior to 9.6, we had to handle owner privileges in a special
228  * manner by first REVOKE'ing the rights and then GRANT'ing them
229  * after. With 9.6 and above, what we need to REVOKE and what we
230  * need to GRANT is figured out when we dump and stashed into
231  * "racls" and "acls", respectively. See above.
232  */
233  if (remoteVersion < 90600 && owner
234  && strcmp(grantee->data, owner) == 0
235  && strcmp(grantor->data, owner) == 0)
236  {
237  found_owner_privs = true;
238 
239  /*
240  * For the owner, the default privilege level is ALL WITH
241  * GRANT OPTION.
242  */
243  if (strcmp(privswgo->data, "ALL") != 0)
244  {
245  appendPQExpBuffer(firstsql, "%sREVOKE ALL", prefix);
246  if (subname)
247  appendPQExpBuffer(firstsql, "(%s)", subname);
248  appendPQExpBuffer(firstsql, " ON %s ", type);
249  if (nspname && *nspname)
250  appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
251  appendPQExpBuffer(firstsql, "%s FROM %s;\n",
252  name, fmtId(grantee->data));
253  if (privs->len > 0)
254  {
255  appendPQExpBuffer(firstsql,
256  "%sGRANT %s ON %s ",
257  prefix, privs->data, type);
258  if (nspname && *nspname)
259  appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
260  appendPQExpBuffer(firstsql,
261  "%s TO %s;\n",
262  name, fmtId(grantee->data));
263  }
264  if (privswgo->len > 0)
265  {
266  appendPQExpBuffer(firstsql,
267  "%sGRANT %s ON %s ",
268  prefix, privswgo->data, type);
269  if (nspname && *nspname)
270  appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
271  appendPQExpBuffer(firstsql,
272  "%s TO %s WITH GRANT OPTION;\n",
273  name, fmtId(grantee->data));
274  }
275  }
276  }
277  else
278  {
279  /*
280  * For systems prior to 9.6, we can assume we are starting
281  * from no privs at this point.
282  *
283  * For 9.6 and above, at this point we have issued REVOKE
284  * statements for all initial and default privileges which are
285  * no longer present on the object (as they were passed in as
286  * 'racls') and we can simply GRANT the rights which are in
287  * 'acls'.
288  */
289  if (grantor->len > 0
290  && (!owner || strcmp(owner, grantor->data) != 0))
291  appendPQExpBuffer(secondsql, "SET SESSION AUTHORIZATION %s;\n",
292  fmtId(grantor->data));
293 
294  if (privs->len > 0)
295  {
296  appendPQExpBuffer(secondsql, "%sGRANT %s ON %s ",
297  prefix, privs->data, type);
298  if (nspname && *nspname)
299  appendPQExpBuffer(secondsql, "%s.", fmtId(nspname));
300  appendPQExpBuffer(secondsql, "%s TO ", name);
301  if (grantee->len == 0)
302  appendPQExpBufferStr(secondsql, "PUBLIC;\n");
303  else if (strncmp(grantee->data, "group ",
304  strlen("group ")) == 0)
305  appendPQExpBuffer(secondsql, "GROUP %s;\n",
306  fmtId(grantee->data + strlen("group ")));
307  else
308  appendPQExpBuffer(secondsql, "%s;\n", fmtId(grantee->data));
309  }
310  if (privswgo->len > 0)
311  {
312  appendPQExpBuffer(secondsql, "%sGRANT %s ON %s ",
313  prefix, privswgo->data, type);
314  if (nspname && *nspname)
315  appendPQExpBuffer(secondsql, "%s.", fmtId(nspname));
316  appendPQExpBuffer(secondsql, "%s TO ", name);
317  if (grantee->len == 0)
318  appendPQExpBufferStr(secondsql, "PUBLIC");
319  else if (strncmp(grantee->data, "group ",
320  strlen("group ")) == 0)
321  appendPQExpBuffer(secondsql, "GROUP %s",
322  fmtId(grantee->data + strlen("group ")));
323  else
324  appendPQExpBufferStr(secondsql, fmtId(grantee->data));
325  appendPQExpBufferStr(secondsql, " WITH GRANT OPTION;\n");
326  }
327 
328  if (grantor->len > 0
329  && (!owner || strcmp(owner, grantor->data) != 0))
330  appendPQExpBufferStr(secondsql, "RESET SESSION AUTHORIZATION;\n");
331  }
332  }
333  }
334 
335  /*
336  * For systems prior to 9.6, if we didn't find any owner privs, the owner
337  * must have revoked 'em all.
338  *
339  * For 9.6 and above, we handle this through the 'racls'. See above.
340  */
341  if (remoteVersion < 90600 && !found_owner_privs && owner)
342  {
343  appendPQExpBuffer(firstsql, "%sREVOKE ALL", prefix);
344  if (subname)
345  appendPQExpBuffer(firstsql, "(%s)", subname);
346  appendPQExpBuffer(firstsql, " ON %s ", type);
347  if (nspname && *nspname)
348  appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
349  appendPQExpBuffer(firstsql, "%s FROM %s;\n",
350  name, fmtId(owner));
351  }
352 
353  destroyPQExpBuffer(grantee);
354  destroyPQExpBuffer(grantor);
355  destroyPQExpBuffer(privs);
356  destroyPQExpBuffer(privswgo);
357 
358  appendPQExpBuffer(sql, "%s%s", firstsql->data, secondsql->data);
359  destroyPQExpBuffer(firstsql);
360  destroyPQExpBuffer(secondsql);
361 
362  if (aclitems)
363  free(aclitems);
364 
365  if (raclitems)
366  free(raclitems);
367 
368  return ok;
369 }
370 
371 /*
372  * Build ALTER DEFAULT PRIVILEGES command(s) for single pg_default_acl entry.
373  *
374  * type: the object type (TABLES, FUNCTIONS, etc)
375  * nspname: schema name, or NULL for global default privileges
376  * acls: the ACL string fetched from the database
377  * owner: username of privileges owner (will be passed through fmtId)
378  * remoteVersion: version of database
379  *
380  * Returns true if okay, false if could not parse the acl string.
381  * The resulting commands (if any) are appended to the contents of 'sql'.
382  */
383 bool
384 buildDefaultACLCommands(const char *type, const char *nspname,
385  const char *acls, const char *racls,
386  const char *initacls, const char *initracls,
387  const char *owner,
388  int remoteVersion,
389  PQExpBuffer sql)
390 {
391  PQExpBuffer prefix;
392 
393  prefix = createPQExpBuffer();
394 
395  /*
396  * We incorporate the target role directly into the command, rather than
397  * playing around with SET ROLE or anything like that. This is so that a
398  * permissions error leads to nothing happening, rather than changing
399  * default privileges for the wrong user.
400  */
401  appendPQExpBuffer(prefix, "ALTER DEFAULT PRIVILEGES FOR ROLE %s ",
402  fmtId(owner));
403  if (nspname)
404  appendPQExpBuffer(prefix, "IN SCHEMA %s ", fmtId(nspname));
405 
406  if (strlen(initacls) != 0 || strlen(initracls) != 0)
407  {
408  appendPQExpBufferStr(sql, "SELECT pg_catalog.binary_upgrade_set_record_init_privs(true);\n");
409  if (!buildACLCommands("", NULL, NULL, type,
410  initacls, initracls, owner,
411  prefix->data, remoteVersion, sql))
412  {
413  destroyPQExpBuffer(prefix);
414  return false;
415  }
416  appendPQExpBufferStr(sql, "SELECT pg_catalog.binary_upgrade_set_record_init_privs(false);\n");
417  }
418 
419  if (!buildACLCommands("", NULL, NULL, type,
420  acls, racls, owner,
421  prefix->data, remoteVersion, sql))
422  {
423  destroyPQExpBuffer(prefix);
424  return false;
425  }
426 
427  destroyPQExpBuffer(prefix);
428 
429  return true;
430 }
431 
432 /*
433  * This will parse an aclitem string, having the general form
434  * username=privilegecodes/grantor
435  * or
436  * group groupname=privilegecodes/grantor
437  * (the "group" case occurs only with servers before 8.1).
438  *
439  * Returns true on success, false on parse error. On success, the components
440  * of the string are returned in the PQExpBuffer parameters.
441  *
442  * The returned grantee string will be the dequoted username or groupname
443  * (preceded with "group " in the latter case). Note that a grant to PUBLIC
444  * is represented by an empty grantee string. The returned grantor is the
445  * dequoted grantor name. Privilege characters are translated to GRANT/REVOKE
446  * comma-separated privileges lists. If "privswgo" is non-NULL, the result is
447  * separate lists for privileges with grant option ("privswgo") and without
448  * ("privs"). Otherwise, "privs" bears every relevant privilege, ignoring the
449  * grant option distinction.
450  *
451  * Note: for cross-version compatibility, it's important to use ALL to
452  * represent the privilege sets whenever appropriate.
453  */
454 static bool
455 parseAclItem(const char *item, const char *type,
456  const char *name, const char *subname, int remoteVersion,
457  PQExpBuffer grantee, PQExpBuffer grantor,
458  PQExpBuffer privs, PQExpBuffer privswgo)
459 {
460  char *buf;
461  bool all_with_go = true;
462  bool all_without_go = true;
463  char *eqpos;
464  char *slpos;
465  char *pos;
466 
467  buf = pg_strdup(item);
468 
469  /* user or group name is string up to = */
470  eqpos = copyAclUserName(grantee, buf);
471  if (*eqpos != '=')
472  {
473  pg_free(buf);
474  return false;
475  }
476 
477  /* grantor should appear after / */
478  slpos = strchr(eqpos + 1, '/');
479  if (slpos)
480  {
481  *slpos++ = '\0';
482  slpos = copyAclUserName(grantor, slpos);
483  if (*slpos != '\0')
484  {
485  pg_free(buf);
486  return false;
487  }
488  }
489  else
490  {
491  pg_free(buf);
492  return false;
493  }
494 
495  /* privilege codes */
496 #define CONVERT_PRIV(code, keywd) \
497 do { \
498  if ((pos = strchr(eqpos + 1, code))) \
499  { \
500  if (*(pos + 1) == '*' && privswgo != NULL) \
501  { \
502  AddAcl(privswgo, keywd, subname); \
503  all_without_go = false; \
504  } \
505  else \
506  { \
507  AddAcl(privs, keywd, subname); \
508  all_with_go = false; \
509  } \
510  } \
511  else \
512  all_with_go = all_without_go = false; \
513 } while (0)
514 
515  resetPQExpBuffer(privs);
516  resetPQExpBuffer(privswgo);
517 
518  if (strcmp(type, "TABLE") == 0 || strcmp(type, "SEQUENCE") == 0 ||
519  strcmp(type, "TABLES") == 0 || strcmp(type, "SEQUENCES") == 0)
520  {
521  CONVERT_PRIV('r', "SELECT");
522 
523  if (strcmp(type, "SEQUENCE") == 0 ||
524  strcmp(type, "SEQUENCES") == 0)
525  /* sequence only */
526  CONVERT_PRIV('U', "USAGE");
527  else
528  {
529  /* table only */
530  CONVERT_PRIV('a', "INSERT");
531  CONVERT_PRIV('x', "REFERENCES");
532  /* rest are not applicable to columns */
533  if (subname == NULL)
534  {
535  CONVERT_PRIV('d', "DELETE");
536  CONVERT_PRIV('t', "TRIGGER");
537  if (remoteVersion >= 80400)
538  CONVERT_PRIV('D', "TRUNCATE");
539  }
540  }
541 
542  /* UPDATE */
543  CONVERT_PRIV('w', "UPDATE");
544  }
545  else if (strcmp(type, "FUNCTION") == 0 ||
546  strcmp(type, "FUNCTIONS") == 0)
547  CONVERT_PRIV('X', "EXECUTE");
548  else if (strcmp(type, "PROCEDURE") == 0 ||
549  strcmp(type, "PROCEDURES") == 0)
550  CONVERT_PRIV('X', "EXECUTE");
551  else if (strcmp(type, "LANGUAGE") == 0)
552  CONVERT_PRIV('U', "USAGE");
553  else if (strcmp(type, "SCHEMA") == 0 ||
554  strcmp(type, "SCHEMAS") == 0)
555  {
556  CONVERT_PRIV('C', "CREATE");
557  CONVERT_PRIV('U', "USAGE");
558  }
559  else if (strcmp(type, "DATABASE") == 0)
560  {
561  CONVERT_PRIV('C', "CREATE");
562  CONVERT_PRIV('c', "CONNECT");
563  CONVERT_PRIV('T', "TEMPORARY");
564  }
565  else if (strcmp(type, "TABLESPACE") == 0)
566  CONVERT_PRIV('C', "CREATE");
567  else if (strcmp(type, "TYPE") == 0 ||
568  strcmp(type, "TYPES") == 0)
569  CONVERT_PRIV('U', "USAGE");
570  else if (strcmp(type, "FOREIGN DATA WRAPPER") == 0)
571  CONVERT_PRIV('U', "USAGE");
572  else if (strcmp(type, "FOREIGN SERVER") == 0)
573  CONVERT_PRIV('U', "USAGE");
574  else if (strcmp(type, "FOREIGN TABLE") == 0)
575  CONVERT_PRIV('r', "SELECT");
576  else if (strcmp(type, "LARGE OBJECT") == 0)
577  {
578  CONVERT_PRIV('r', "SELECT");
579  CONVERT_PRIV('w', "UPDATE");
580  }
581  else
582  abort();
583 
584 #undef CONVERT_PRIV
585 
586  if (all_with_go)
587  {
588  resetPQExpBuffer(privs);
589  printfPQExpBuffer(privswgo, "ALL");
590  if (subname)
591  appendPQExpBuffer(privswgo, "(%s)", subname);
592  }
593  else if (all_without_go)
594  {
595  resetPQExpBuffer(privswgo);
596  printfPQExpBuffer(privs, "ALL");
597  if (subname)
598  appendPQExpBuffer(privs, "(%s)", subname);
599  }
600 
601  pg_free(buf);
602 
603  return true;
604 }
605 
606 /*
607  * Transfer a user or group name starting at *input into the output buffer,
608  * dequoting if needed. Returns a pointer to just past the input name.
609  * The name is taken to end at an unquoted '=' or end of string.
610  */
611 static char *
613 {
614  resetPQExpBuffer(output);
615 
616  while (*input && *input != '=')
617  {
618  /*
619  * If user name isn't quoted, then just add it to the output buffer
620  */
621  if (*input != '"')
622  appendPQExpBufferChar(output, *input++);
623  else
624  {
625  /* Otherwise, it's a quoted username */
626  input++;
627  /* Loop until we come across an unescaped quote */
628  while (!(*input == '"' && *(input + 1) != '"'))
629  {
630  if (*input == '\0')
631  return input; /* really a syntax error... */
632 
633  /*
634  * Quoting convention is to escape " as "". Keep this code in
635  * sync with putid() in backend's acl.c.
636  */
637  if (*input == '"' && *(input + 1) == '"')
638  input++;
639  appendPQExpBufferChar(output, *input++);
640  }
641  input++;
642  }
643  }
644  return input;
645 }
646 
647 /*
648  * Append a privilege keyword to a keyword list, inserting comma if needed.
649  */
650 static void
651 AddAcl(PQExpBuffer aclbuf, const char *keyword, const char *subname)
652 {
653  if (aclbuf->len > 0)
654  appendPQExpBufferChar(aclbuf, ',');
655  appendPQExpBufferStr(aclbuf, keyword);
656  if (subname)
657  appendPQExpBuffer(aclbuf, "(%s)", subname);
658 }
659 
660 
661 /*
662  * buildShSecLabelQuery
663  *
664  * Build a query to retrieve security labels for a shared object.
665  * The object is identified by its OID plus the name of the catalog
666  * it can be found in (e.g., "pg_database" for database names).
667  * The query is appended to "sql". (We don't execute it here so as to
668  * keep this file free of assumptions about how to deal with SQL errors.)
669  */
670 void
671 buildShSecLabelQuery(const char *catalog_name, Oid objectId,
672  PQExpBuffer sql)
673 {
674  appendPQExpBuffer(sql,
675  "SELECT provider, label FROM pg_catalog.pg_shseclabel "
676  "WHERE classoid = 'pg_catalog.%s'::pg_catalog.regclass "
677  "AND objoid = '%u'", catalog_name, objectId);
678 }
679 
680 /*
681  * emitShSecLabels
682  *
683  * Construct SECURITY LABEL commands using the data retrieved by the query
684  * generated by buildShSecLabelQuery, and append them to "buffer".
685  * Here, the target object is identified by its type name (e.g. "DATABASE")
686  * and its name (not pre-quoted).
687  */
688 void
690  const char *objtype, const char *objname)
691 {
692  int i;
693 
694  for (i = 0; i < PQntuples(res); i++)
695  {
696  char *provider = PQgetvalue(res, i, 0);
697  char *label = PQgetvalue(res, i, 1);
698 
699  /* must use fmtId result before calling it again */
700  appendPQExpBuffer(buffer,
701  "SECURITY LABEL FOR %s ON %s",
702  fmtId(provider), objtype);
703  appendPQExpBuffer(buffer,
704  " %s IS ",
705  fmtId(objname));
706  appendStringLiteralConn(buffer, label, conn);
707  appendPQExpBufferStr(buffer, ";\n");
708  }
709 }
710 
711 /*
712  * buildACLQueries
713  *
714  * Build the subqueries to extract out the correct set of ACLs to be
715  * GRANT'd and REVOKE'd for the specific kind of object, accounting for any
716  * initial privileges (from pg_init_privs) and based on if we are in binary
717  * upgrade mode or not.
718  *
719  * Also builds subqueries to extract out the set of ACLs to go from the object
720  * default privileges to the privileges in pg_init_privs, if we are in binary
721  * upgrade mode, so that those privileges can be set up and recorded in the new
722  * cluster before the regular privileges are added on top of those.
723  */
724 void
725 buildACLQueries(PQExpBuffer acl_subquery, PQExpBuffer racl_subquery,
726  PQExpBuffer init_acl_subquery, PQExpBuffer init_racl_subquery,
727  const char *acl_column, const char *acl_owner,
728  const char *initprivs_expr,
729  const char *obj_kind, bool binary_upgrade)
730 {
731  /*
732  * To get the delta from what the permissions were at creation time
733  * (either initdb or CREATE EXTENSION) vs. what they are now, we have to
734  * look at two things:
735  *
736  * What privileges have been added, which we calculate by extracting all
737  * the current privileges (using the set of default privileges for the
738  * object type if current privileges are NULL) and then removing those
739  * which existed at creation time (again, using the set of default
740  * privileges for the object type if there were no creation time
741  * privileges).
742  *
743  * What privileges have been removed, which we calculate by extracting the
744  * privileges as they were at creation time (or the default privileges, as
745  * above), and then removing the current privileges (or the default
746  * privileges, if current privileges are NULL).
747  *
748  * As a good cross-check, both directions of these checks should result in
749  * the empty set if both the current ACL and the initial privs are NULL
750  * (meaning, in practice, that the default ACLs were there at init time
751  * and is what the current privileges are).
752  *
753  * We always perform this delta on all ACLs and expect that by the time
754  * these are run the initial privileges will be in place, even in a binary
755  * upgrade situation (see below).
756  *
757  * Finally, the order in which privileges are in the ACL string (the order
758  * they been GRANT'd in, which the backend maintains) must be preserved to
759  * ensure that GRANTs WITH GRANT OPTION and subsequent GRANTs based on
760  * those are dumped in the correct order.
761  */
762  printfPQExpBuffer(acl_subquery,
763  "(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM "
764  "(SELECT acl, row_n FROM "
765  "pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) "
766  "WITH ORDINALITY AS perm(acl,row_n) "
767  "WHERE NOT EXISTS ( "
768  "SELECT 1 FROM "
769  "pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) "
770  "AS init(init_acl) WHERE acl = init_acl)) as foo)",
771  acl_column,
772  obj_kind,
773  acl_owner,
774  initprivs_expr,
775  obj_kind,
776  acl_owner);
777 
778  printfPQExpBuffer(racl_subquery,
779  "(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM "
780  "(SELECT acl, row_n FROM "
781  "pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) "
782  "WITH ORDINALITY AS initp(acl,row_n) "
783  "WHERE NOT EXISTS ( "
784  "SELECT 1 FROM "
785  "pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) "
786  "AS permp(orig_acl) WHERE acl = orig_acl)) as foo)",
787  initprivs_expr,
788  obj_kind,
789  acl_owner,
790  acl_column,
791  obj_kind,
792  acl_owner);
793 
794  /*
795  * In binary upgrade mode we don't run the extension script but instead
796  * dump out the objects independently and then recreate them. To preserve
797  * the initial privileges which were set on extension objects, we need to
798  * grab the set of GRANT and REVOKE commands necessary to get from the
799  * default privileges of an object to the initial privileges as recorded
800  * in pg_init_privs.
801  *
802  * These will then be run ahead of the regular ACL commands, which were
803  * calculated using the queries above, inside of a block which sets a flag
804  * to indicate that the backend should record the results of these GRANT
805  * and REVOKE statements into pg_init_privs. This is how we preserve the
806  * contents of that catalog across binary upgrades.
807  */
808  if (binary_upgrade)
809  {
810  printfPQExpBuffer(init_acl_subquery,
811  "CASE WHEN privtype = 'e' THEN "
812  "(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM "
813  "(SELECT acl, row_n FROM pg_catalog.unnest(%s) "
814  "WITH ORDINALITY AS initp(acl,row_n) "
815  "WHERE NOT EXISTS ( "
816  "SELECT 1 FROM "
817  "pg_catalog.unnest(pg_catalog.acldefault(%s,%s)) "
818  "AS privm(orig_acl) WHERE acl = orig_acl)) as foo) END",
819  initprivs_expr,
820  obj_kind,
821  acl_owner);
822 
823  printfPQExpBuffer(init_racl_subquery,
824  "CASE WHEN privtype = 'e' THEN "
825  "(SELECT pg_catalog.array_agg(acl) FROM "
826  "(SELECT acl, row_n FROM "
827  "pg_catalog.unnest(pg_catalog.acldefault(%s,%s)) "
828  "WITH ORDINALITY AS privp(acl,row_n) "
829  "WHERE NOT EXISTS ( "
830  "SELECT 1 FROM pg_catalog.unnest(%s) "
831  "AS initp(init_acl) WHERE acl = init_acl)) as foo) END",
832  obj_kind,
833  acl_owner,
834  initprivs_expr);
835  }
836  else
837  {
838  printfPQExpBuffer(init_acl_subquery, "NULL");
839  printfPQExpBuffer(init_racl_subquery, "NULL");
840  }
841 }
842 
843 /*
844  * Detect whether the given GUC variable is of GUC_LIST_QUOTE type.
845  *
846  * It'd be better if we could inquire this directly from the backend; but even
847  * if there were a function for that, it could only tell us about variables
848  * currently known to guc.c, so that it'd be unsafe for extensions to declare
849  * GUC_LIST_QUOTE variables anyway. Lacking a solution for that, it doesn't
850  * seem worth the work to do more than have this list, which must be kept in
851  * sync with the variables actually marked GUC_LIST_QUOTE in guc.c.
852  */
853 bool
855 {
856  if (pg_strcasecmp(name, "local_preload_libraries") == 0 ||
857  pg_strcasecmp(name, "search_path") == 0 ||
858  pg_strcasecmp(name, "session_preload_libraries") == 0 ||
859  pg_strcasecmp(name, "shared_preload_libraries") == 0 ||
860  pg_strcasecmp(name, "temp_tablespaces") == 0 ||
861  pg_strcasecmp(name, "unix_socket_directories") == 0)
862  return true;
863  else
864  return false;
865 }
866 
867 /*
868  * SplitGUCList --- parse a string containing identifiers or file names
869  *
870  * This is used to split the value of a GUC_LIST_QUOTE GUC variable, without
871  * presuming whether the elements will be taken as identifiers or file names.
872  * See comparable code in src/backend/utils/adt/varlena.c.
873  *
874  * Inputs:
875  * rawstring: the input string; must be overwritable! On return, it's
876  * been modified to contain the separated identifiers.
877  * separator: the separator punctuation expected between identifiers
878  * (typically '.' or ','). Whitespace may also appear around
879  * identifiers.
880  * Outputs:
881  * namelist: receives a malloc'd, null-terminated array of pointers to
882  * identifiers within rawstring. Caller should free this
883  * even on error return.
884  *
885  * Returns true if okay, false if there is a syntax error in the string.
886  */
887 bool
888 SplitGUCList(char *rawstring, char separator,
889  char ***namelist)
890 {
891  char *nextp = rawstring;
892  bool done = false;
893  char **nextptr;
894 
895  /*
896  * Since we disallow empty identifiers, this is a conservative
897  * overestimate of the number of pointers we could need. Allow one for
898  * list terminator.
899  */
900  *namelist = nextptr = (char **)
901  pg_malloc((strlen(rawstring) / 2 + 2) * sizeof(char *));
902  *nextptr = NULL;
903 
904  while (isspace((unsigned char) *nextp))
905  nextp++; /* skip leading whitespace */
906 
907  if (*nextp == '\0')
908  return true; /* allow empty string */
909 
910  /* At the top of the loop, we are at start of a new identifier. */
911  do
912  {
913  char *curname;
914  char *endp;
915 
916  if (*nextp == '"')
917  {
918  /* Quoted name --- collapse quote-quote pairs */
919  curname = nextp + 1;
920  for (;;)
921  {
922  endp = strchr(nextp + 1, '"');
923  if (endp == NULL)
924  return false; /* mismatched quotes */
925  if (endp[1] != '"')
926  break; /* found end of quoted name */
927  /* Collapse adjacent quotes into one quote, and look again */
928  memmove(endp, endp + 1, strlen(endp));
929  nextp = endp;
930  }
931  /* endp now points at the terminating quote */
932  nextp = endp + 1;
933  }
934  else
935  {
936  /* Unquoted name --- extends to separator or whitespace */
937  curname = nextp;
938  while (*nextp && *nextp != separator &&
939  !isspace((unsigned char) *nextp))
940  nextp++;
941  endp = nextp;
942  if (curname == nextp)
943  return false; /* empty unquoted name not allowed */
944  }
945 
946  while (isspace((unsigned char) *nextp))
947  nextp++; /* skip trailing whitespace */
948 
949  if (*nextp == separator)
950  {
951  nextp++;
952  while (isspace((unsigned char) *nextp))
953  nextp++; /* skip leading whitespace for next */
954  /* we expect another name, so done remains false */
955  }
956  else if (*nextp == '\0')
957  done = true;
958  else
959  return false; /* invalid syntax */
960 
961  /* Now safe to overwrite separator with a null */
962  *endp = '\0';
963 
964  /*
965  * Finished isolating current name --- add it to output array
966  */
967  *nextptr++ = curname;
968 
969  /* Loop back if we didn't reach end of string */
970  } while (!done);
971 
972  *nextptr = NULL;
973  return true;
974 }
975 
976 /*
977  * Helper function for dumping "ALTER DATABASE/ROLE SET ..." commands.
978  *
979  * Parse the contents of configitem (a "name=value" string), wrap it in
980  * a complete ALTER command, and append it to buf.
981  *
982  * type is DATABASE or ROLE, and name is the name of the database or role.
983  * If we need an "IN" clause, type2 and name2 similarly define what to put
984  * there; otherwise they should be NULL.
985  * conn is used only to determine string-literal quoting conventions.
986  */
987 void
988 makeAlterConfigCommand(PGconn *conn, const char *configitem,
989  const char *type, const char *name,
990  const char *type2, const char *name2,
992 {
993  char *mine;
994  char *pos;
995 
996  /* Parse the configitem. If we can't find an "=", silently do nothing. */
997  mine = pg_strdup(configitem);
998  pos = strchr(mine, '=');
999  if (pos == NULL)
1000  {
1001  pg_free(mine);
1002  return;
1003  }
1004  *pos++ = '\0';
1005 
1006  /* Build the command, with suitable quoting for everything. */
1007  appendPQExpBuffer(buf, "ALTER %s %s ", type, fmtId(name));
1008  if (type2 != NULL && name2 != NULL)
1009  appendPQExpBuffer(buf, "IN %s %s ", type2, fmtId(name2));
1010  appendPQExpBuffer(buf, "SET %s TO ", fmtId(mine));
1011 
1012  /*
1013  * Variables that are marked GUC_LIST_QUOTE were already fully quoted by
1014  * flatten_set_variable_args() before they were put into the setconfig
1015  * array. However, because the quoting rules used there aren't exactly
1016  * like SQL's, we have to break the list value apart and then quote the
1017  * elements as string literals. (The elements may be double-quoted as-is,
1018  * but we can't just feed them to the SQL parser; it would do the wrong
1019  * thing with elements that are zero-length or longer than NAMEDATALEN.)
1020  *
1021  * Variables that are not so marked should just be emitted as simple
1022  * string literals. If the variable is not known to
1023  * variable_is_guc_list_quote(), we'll do that; this makes it unsafe to
1024  * use GUC_LIST_QUOTE for extension variables.
1025  */
1026  if (variable_is_guc_list_quote(mine))
1027  {
1028  char **namelist;
1029  char **nameptr;
1030 
1031  /* Parse string into list of identifiers */
1032  /* this shouldn't fail really */
1033  if (SplitGUCList(pos, ',', &namelist))
1034  {
1035  for (nameptr = namelist; *nameptr; nameptr++)
1036  {
1037  if (nameptr != namelist)
1038  appendPQExpBufferStr(buf, ", ");
1039  appendStringLiteralConn(buf, *nameptr, conn);
1040  }
1041  }
1042  pg_free(namelist);
1043  }
1044  else
1045  appendStringLiteralConn(buf, pos, conn);
1046 
1047  appendPQExpBufferStr(buf, ";\n");
1048 
1049  pg_free(mine);
1050 }
void printfPQExpBuffer(PQExpBuffer str, const char *fmt,...)
Definition: pqexpbuffer.c:237
char * PQgetvalue(const PGresult *res, int tup_num, int field_num)
Definition: fe-exec.c:3642
bool parsePGArray(const char *atext, char ***itemarray, int *nitems)
Definition: string_utils.c:657
void * pg_malloc(size_t size)
Definition: fe_memutils.c:47
static void AddAcl(PQExpBuffer aclbuf, const char *keyword, const char *subname)
Definition: dumputils.c:651
const char * fmtId(const char *rawid)
Definition: string_utils.c:64
static void output(uint64 loop_count)
void buildShSecLabelQuery(const char *catalog_name, Oid objectId, PQExpBuffer sql)
Definition: dumputils.c:671
bool variable_is_guc_list_quote(const char *name)
Definition: dumputils.c:854
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:369
bool buildDefaultACLCommands(const char *type, const char *nspname, const char *acls, const char *racls, const char *initacls, const char *initracls, const char *owner, int remoteVersion, PQExpBuffer sql)
Definition: dumputils.c:384
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
unsigned int Oid
Definition: postgres_ext.h:31
NameData subname
int PQntuples(const PGresult *res)
Definition: fe-exec.c:3248
static char * copyAclUserName(PQExpBuffer output, char *input)
Definition: dumputils.c:612
void destroyPQExpBuffer(PQExpBuffer str)
Definition: pqexpbuffer.c:116
void emitShSecLabels(PGconn *conn, PGresult *res, PQExpBuffer buffer, const char *objtype, const char *objname)
Definition: dumputils.c:689
PGconn * conn
Definition: streamutil.c:54
#define CONVERT_PRIV(code, keywd)
void appendPQExpBuffer(PQExpBuffer str, const char *fmt,...)
Definition: pqexpbuffer.c:267
static JitProviderCallbacks provider
Definition: jit.c:43
bool SplitGUCList(char *rawstring, char separator, char ***namelist)
Definition: dumputils.c:888
static char * buf
Definition: pg_test_fsync.c:68
char * pg_strdup(const char *in)
Definition: fe_memutils.c:85
void makeAlterConfigCommand(PGconn *conn, const char *configitem, const char *type, const char *name, const char *type2, const char *name2, PQExpBuffer buf)
Definition: dumputils.c:988
PQExpBuffer createPQExpBuffer(void)
Definition: pqexpbuffer.c:74
static char * label
void appendPQExpBufferChar(PQExpBuffer str, char ch)
Definition: pqexpbuffer.c:380
#define free(a)
Definition: header.h:65
#define Assert(condition)
Definition: c.h:804
void buildACLQueries(PQExpBuffer acl_subquery, PQExpBuffer racl_subquery, PQExpBuffer init_acl_subquery, PQExpBuffer init_racl_subquery, const char *acl_column, const char *acl_owner, const char *initprivs_expr, const char *obj_kind, bool binary_upgrade)
Definition: dumputils.c:725
bool buildACLCommands(const char *name, const char *subname, const char *nspname, const char *type, const char *acls, const char *racls, const char *owner, const char *prefix, int remoteVersion, PQExpBuffer sql)
Definition: dumputils.c:58
void pg_free(void *ptr)
Definition: fe_memutils.c:105
const char * name
Definition: encode.c:561
static int binary_upgrade
Definition: pg_dumpall.c:68
void appendStringLiteralConn(PQExpBuffer buf, const char *str, PGconn *conn)
Definition: string_utils.c:293
int i
static bool parseAclItem(const char *item, const char *type, const char *name, const char *subname, int remoteVersion, PQExpBuffer grantee, PQExpBuffer grantor, PQExpBuffer privs, PQExpBuffer privswgo)
Definition: dumputils.c:455
void resetPQExpBuffer(PQExpBuffer str)
Definition: pqexpbuffer.c:148