Loading...
Searching...
No Matches
#include "postgres.h"#include "access/table.h"#include "catalog/pg_class.h"#include "catalog/pg_type.h"#include "miscadmin.h"#include "nodes/makefuncs.h"#include "nodes/pg_list.h"#include "parser/parse_relation.h"#include "rewrite/rewriteDefine.h"#include "rewrite/rewriteManip.h"#include "rewrite/rowsecurity.h"#include "utils/acl.h"#include "utils/rel.h"#include "utils/rls.h"
Include dependency graph for rowsecurity.c:
Go to the source code of this file.
Macros | |
| #define | QUAL_FOR_WCO(policy) |
Functions | |
| static void | get_policies_for_relation (Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies) |
| static void | sort_policies_by_name (List *policies) |
| static int | row_security_policy_cmp (const ListCell *a, const ListCell *b) |
| static void | add_security_quals (int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks) |
| static void | add_with_check_options (Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using) |
| static bool | check_role_for_policy (ArrayType *policy_roles, Oid user_id) |
| void | get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks) |
Variables | |
| row_security_policy_hook_type | row_security_policy_hook_permissive = NULL |
| row_security_policy_hook_type | row_security_policy_hook_restrictive = NULL |
Macro Definition Documentation
◆ QUAL_FOR_WCO
Value:
( !force_using && \
Function Documentation
◆ add_security_quals()
|
static |
Definition at line 715 of file rowsecurity.c.
720{
721 ListCell *item;
724
725 /*
726 * First collect up the permissive quals. If we do not find any
727 * permissive policies then no rows are visible (this is handled below).
728 */
730 {
732
734 {
738 }
739 }
740
741 /*
742 * We must have permissive quals, always, or no rows are visible.
743 *
744 * If we do not, then we simply return a single 'false' qual which results
745 * in no rows being visible.
746 */
748 {
749 /*
750 * We now know that permissive policies exist, so we can now add
751 * security quals based on the USING clauses from the restrictive
752 * policies. Since these need to be combined together using AND, we
753 * can just add them one at a time.
754 */
756 {
758 Expr *qual;
759
761 {
764
767 }
768 }
769
770 /*
771 * Then add a single security qual combining together the USING
772 * clauses from all the permissive policies using OR.
773 */
776 else
778
781 }
782 else
783
784 /*
785 * A permissive policy must exist for rows to be visible at all.
786 * Therefore, if there were no permissive policies found, return a
787 * single always-false clause.
788 */
792 false, true));
793}
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition makefuncs.c:420
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition makefuncs.c:350
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition rewriteManip.c:733
Definition primnodes.h:190
Definition pg_list.h:54
Definition nodes.h:135
Definition rowsecurity.h:21
Definition pg_list.h:46
References BoolGetDatum(), ChangeVarNodes(), copyObject, fb(), InvalidOid, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), NIL, and OR_EXPR.
Referenced by get_row_security_policies().
◆ add_with_check_options()
|
static |
Definition at line 811 of file rowsecurity.c.
819{
820 ListCell *item;
822
823#define QUAL_FOR_WCO(policy) \
824 ( !force_using && \
825 (policy)->with_check_qual != NULL ? \
826 (policy)->with_check_qual : (policy)->qual )
827
828 /*
829 * First collect up the permissive policy clauses, similar to
830 * add_security_quals.
831 */
833 {
836
838 {
841 }
842 }
843
844 /*
845 * There must be at least one permissive qual found or no rows are allowed
846 * to be added. This is the same as in add_security_quals.
847 *
848 * If there are no permissive_quals then we fall through and return a
849 * single 'false' WCO, preventing all new rows.
850 */
852 {
853 /*
854 * Add a single WithCheckOption for all the permissive policy clauses,
855 * combining them together using OR. This check has no policy name,
856 * since if the check fails it means that no policy granted permission
857 * to perform the update, rather than any particular policy being
858 * violated.
859 */
861
863 wco->kind = kind;
867
870 else
872
874
876
877 /*
878 * Now add WithCheckOptions for each of the restrictive policy clauses
879 * (which will be combined together using AND). We use a separate
880 * WithCheckOption for each restrictive policy to allow the policy
881 * name to be included in error reports if the policy is violated.
882 */
884 {
887
889 {
890 qual = copyObject(qual);
892
894 wco->kind = kind;
899
902 }
903 }
904 }
905 else
906 {
907 /*
908 * If there were no policy clauses to check new data, add a single
909 * always-false WCO (a default-deny policy).
910 */
912
914 wco->kind = kind;
919 false, true);
921
923 }
924}
#define QUAL_FOR_WCO(policy)
Definition parsenodes.h:1427
References BoolGetDatum(), ChangeVarNodes(), copyObject, fb(), InvalidOid, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), makeNode, NIL, OR_EXPR, pstrdup(), QUAL_FOR_WCO, and RelationGetRelationName.
Referenced by get_row_security_policies().
◆ check_role_for_policy()
Definition at line 931 of file rowsecurity.c.
932{
935
936 /* Quick fall-thru for policies applied to all roles */
938 return true;
939
941 {
943 return true;
944 }
945
946 return false;
947}
References ACL_ID_PUBLIC, ARR_DATA_PTR, ARR_DIMS, fb(), has_privs_of_role(), and i.
Referenced by get_policies_for_relation().
◆ get_policies_for_relation()
|
static |
Definition at line 556 of file rowsecurity.c.
559{
560 ListCell *item;
561
564
565 /* First find all internal policies for the relation. */
567 {
570
571 /* Always add ALL policies, if they exist. */
574 else
575 {
576 /* Check whether the policy applies to the specified command type */
577 switch (cmd)
578 {
582 break;
586 break;
590 break;
594 break;
596
597 /*
598 * We do not support a separate policy for MERGE command.
599 * Instead it derives from the policies defined for other
600 * commands.
601 */
602 break;
603 default:
605 (int) cmd);
606 break;
607 }
608 }
609
610 /*
611 * Add this policy to the relevant list of policies if it applies to
612 * the specified role.
613 */
615 {
618 else
620 }
621 }
622
623 /*
624 * We sort restrictive policies by name so that any WCOs they generate are
625 * checked in a well-defined order.
626 */
628
629 /*
630 * Then add any permissive or restrictive policies defined by extensions.
631 * These are simply appended to the lists of internal policies, if they
632 * apply to the specified role.
633 */
635 {
637 (*row_security_policy_hook_restrictive) (cmd, relation);
638
639 /*
640 * As with built-in restrictive policies, we sort any hook-provided
641 * restrictive policies by name also. Note that we also intentionally
642 * always check all built-in restrictive policies, in name order,
643 * before checking restrictive policies added by hooks, in name order.
644 */
646
648 {
650
653 }
654 }
655
657 {
659 (*row_security_policy_hook_permissive) (cmd, relation);
660
662 {
664
667 }
668 }
669}
row_security_policy_hook_type row_security_policy_hook_permissive
Definition rowsecurity.c:86
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition rowsecurity.c:931
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition rowsecurity.c:87
References ACL_DELETE_CHR, ACL_INSERT_CHR, ACL_SELECT_CHR, ACL_UPDATE_CHR, check_role_for_policy(), CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, elog, ERROR, fb(), lappend(), lfirst, NIL, RowSecurityDesc::policies, RelationData::rd_rsdesc, row_security_policy_hook_permissive, row_security_policy_hook_restrictive, and sort_policies_by_name().
Referenced by get_row_security_policies().
◆ get_row_security_policies()
| void get_row_security_policies | ( | Query * | root, |
| RangeTblEntry * | rte, | ||
| int | rt_index, | ||
| List ** | securityQuals, | ||
| List ** | withCheckOptions, | ||
| bool * | hasRowSecurity, | ||
| bool * | hasSubLinks | ||
| ) |
Definition at line 98 of file rowsecurity.c.
101{
102 Oid user_id;
104 Relation rel;
105 CmdType commandType;
109
110 /* Defaults for the return values */
113 *hasRowSecurity = false;
115
117
118 /* If this is not a normal relation, just return immediately */
121 return;
122
124
125 /* Switch to checkAsUser if it's set */
128
129 /* Determine the state of RLS for this, pass checkAsUser explicitly */
131
132 /* If there is no RLS on this table at all, nothing to do */
134 return;
135
136 /*
137 * RLS_NONE_ENV means we are not doing any RLS now, but that may change
138 * with changes to the environment, so we mark it as hasRowSecurity to
139 * force a re-plan when the environment changes.
140 */
142 {
143 /*
144 * Indicate that this query may involve RLS and must therefore be
145 * replanned if the environment changes (GUCs, role), but we are not
146 * adding anything here.
147 */
148 *hasRowSecurity = true;
149
150 return;
151 }
152
153 /*
154 * RLS is enabled for this relation.
155 *
156 * Get the security policies that should be applied, based on the command
157 * type. Note that if this isn't the target relation, we actually want
158 * the relation's SELECT policies, regardless of the query command type,
159 * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
160 * policies and t2's SELECT policies.
161 */
163
164 commandType = rt_index == root->resultRelation ?
166
167 /*
168 * In some cases, we need to apply USING policies (which control the
169 * visibility of records) associated with multiple command types (see
170 * specific cases below).
171 *
172 * When considering the order in which to apply these USING policies, we
173 * prefer to apply higher privileged policies, those which allow the user
174 * to lock records (UPDATE and DELETE), first, followed by policies which
175 * don't (SELECT).
176 *
177 * Note that the optimizer is free to push down and reorder quals which
178 * use leakproof functions.
179 *
180 * In all cases, if there are no policy clauses allowing access to rows in
181 * the table for the specific type of operation, then a single
182 * always-false clause (a default-deny policy) will be added (see
183 * add_security_quals).
184 */
185
186 /*
187 * For a SELECT, if UPDATE privileges are required (eg: the user has
188 * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
189 * first.
190 *
191 * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
192 * which the user does not have access to via the UPDATE USING policies,
193 * similar to how we require normal UPDATE rights for these queries.
194 */
196 {
199
202 &update_restrictive_policies);
203
204 add_security_quals(rt_index,
207 securityQuals,
208 hasSubLinks);
209 }
210
211 /*
212 * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
213 * policies. These security quals control access to existing table rows.
214 * Restrictive policies are combined together using AND, and permissive
215 * policies are combined together using OR.
216 */
217
219 &restrictive_policies);
220
222 commandType == CMD_UPDATE ||
223 commandType == CMD_DELETE)
224 add_security_quals(rt_index,
225 permissive_policies,
226 restrictive_policies,
227 securityQuals,
228 hasSubLinks);
229
230 /*
231 * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
232 * are also required (eg: when a RETURNING clause exists, or the user has
233 * provided a WHERE clause which involves columns from the relation), we
234 * collect up CMD_SELECT policies and add them via add_security_quals
235 * first.
236 *
237 * This way, we filter out any records which are not visible through an
238 * ALL or SELECT USING policy.
239 */
241 commandType == CMD_MERGE) &&
243 {
246
249 &select_restrictive_policies);
250
251 add_security_quals(rt_index,
254 securityQuals,
255 hasSubLinks);
256 }
257
258 /*
259 * For INSERT and UPDATE, add withCheckOptions to verify that any new
260 * records added are consistent with the security policies. This will use
261 * each policy's WITH CHECK clause, or its USING clause if no explicit
262 * WITH CHECK clause is defined.
263 */
265 {
266 /* This should be the target relation */
268
269 add_with_check_options(rel, rt_index,
270 commandType == CMD_INSERT ?
272 permissive_policies,
273 restrictive_policies,
274 withCheckOptions,
275 hasSubLinks,
276 false);
277
278 /*
279 * Get and add ALL/SELECT policies, if SELECT rights are required for
280 * this relation (eg: when RETURNING is used). These are added as WCO
281 * policies rather than security quals to ensure that an error is
282 * raised if a policy is violated; otherwise, we might end up silently
283 * dropping rows to be added.
284 */
286 {
289
292 &select_restrictive_policies);
293 add_with_check_options(rel, rt_index,
294 commandType == CMD_INSERT ?
298 withCheckOptions,
299 hasSubLinks,
300 true);
301 }
302
303 /*
304 * For INSERT ... ON CONFLICT DO SELECT/UPDATE we need additional
305 * policy checks for the SELECT/UPDATE which may be applied to the
306 * same RTE.
307 */
311 {
316
318 {
319 /*
320 * Get the policies that apply to the auxiliary UPDATE or
321 * SELECT FOR UPDATE/SHARE.
322 */
326
327 /*
328 * Enforce the USING clauses of the UPDATE policies using WCOs
329 * rather than security quals. This ensures that an error is
330 * raised if the conflicting row cannot be updated/locked due
331 * to RLS, rather than the change being silently dropped.
332 */
333 add_with_check_options(rel, rt_index,
337 withCheckOptions,
338 hasSubLinks,
339 true);
340 }
341
342 /*
343 * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
344 * to ensure they are considered when taking the SELECT/UPDATE
345 * path of an INSERT .. ON CONFLICT, if SELECT rights are required
346 * for this relation, also as WCO policies, again, to avoid
347 * silently dropping data. See above.
348 */
350 {
354 add_with_check_options(rel, rt_index,
358 withCheckOptions,
359 hasSubLinks,
360 true);
361 }
362
363 /*
364 * For INSERT .. ON CONFLICT DO UPDATE, add additional policies to
365 * be checked when the auxiliary UPDATE is executed.
366 */
368 {
369 /* Enforce the WITH CHECK clauses of the UPDATE policies */
370 add_with_check_options(rel, rt_index,
371 WCO_RLS_UPDATE_CHECK,
374 withCheckOptions,
375 hasSubLinks,
376 false);
377
378 /*
379 * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to
380 * ensure that the final updated row is visible when taking
381 * the UPDATE path of an INSERT .. ON CONFLICT, if SELECT
382 * rights are required for this relation.
383 */
385 add_with_check_options(rel, rt_index,
386 WCO_RLS_UPDATE_CHECK,
389 withCheckOptions,
390 hasSubLinks,
391 true);
392 }
393 }
394 }
395
396 /*
397 * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
398 * and set them up so that we can enforce the appropriate policy depending
399 * on the final action we take.
400 *
401 * We already fetched the SELECT policies above, to check existing rows,
402 * but we must also check that new rows created by INSERT/UPDATE actions
403 * are visible, if SELECT rights are required. For INSERT actions, we only
404 * do this if RETURNING is specified, to be consistent with a plain INSERT
405 * command, which can only require SELECT rights when RETURNING is used.
406 *
407 * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
408 * really want to apply them while scanning the relation since we don't
409 * know whether we will be doing an UPDATE or a DELETE at the end. We
410 * apply the respective policy once we decide the final action on the
411 * target tuple.
412 *
413 * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
414 * UPDATE/DELETE on the target row, we shall throw an error instead of
415 * silently ignoring the row. This is different than how normal
416 * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO
417 * SELECT/UPDATE handling.
418 */
420 {
429
430 /*
431 * Fetch the UPDATE policies and set them up to execute on the
432 * existing target row before doing UPDATE.
433 */
437
438 /*
439 * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
440 * the existing target row.
441 */
442 add_with_check_options(rel, rt_index,
446 withCheckOptions,
447 hasSubLinks,
448 true);
449
450 /* Enforce the WITH CHECK clauses of the UPDATE policies */
451 add_with_check_options(rel, rt_index,
452 WCO_RLS_UPDATE_CHECK,
455 withCheckOptions,
456 hasSubLinks,
457 false);
458
459 /*
460 * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
461 * that the updated row is visible when executing an UPDATE action, if
462 * SELECT rights are required for this relation.
463 */
465 {
469 add_with_check_options(rel, rt_index,
470 WCO_RLS_UPDATE_CHECK,
473 withCheckOptions,
474 hasSubLinks,
475 true);
476 }
477
478 /*
479 * Fetch the DELETE policies and set them up to execute on the
480 * existing target row before doing DELETE.
481 */
485
486 /*
487 * WCO_RLS_MERGE_DELETE_CHECK is used to check DELETE USING quals on
488 * the existing target row.
489 */
490 add_with_check_options(rel, rt_index,
494 withCheckOptions,
495 hasSubLinks,
496 true);
497
498 /*
499 * No special handling is required for INSERT policies. They will be
500 * checked and enforced during ExecInsert(). But we must add them to
501 * withCheckOptions.
502 */
506
507 add_with_check_options(rel, rt_index,
508 WCO_RLS_INSERT_CHECK,
511 withCheckOptions,
512 hasSubLinks,
513 false);
514
515 /*
516 * Add ALL/SELECT policies as WCO_RLS_INSERT_CHECK WCOs, to ensure
517 * that the inserted row is visible when executing an INSERT action,
518 * if RETURNING is specified and SELECT rights are required for this
519 * relation.
520 */
522 add_with_check_options(rel, rt_index,
523 WCO_RLS_INSERT_CHECK,
526 withCheckOptions,
527 hasSubLinks,
528 true);
529 }
530
532
533 /*
534 * Copy checkAsUser to the row security quals and WithCheckOption checks,
535 * in case they contain any subqueries referring to other relations.
536 */
539
540 /*
541 * Mark this query as having row security, so plancache can invalidate it
542 * when necessary (eg: role changes)
543 */
544 *hasRowSecurity = true;
545}
RTEPermissionInfo * getRTEPermissionInfo(List *rteperminfos, RangeTblEntry *rte)
Definition parse_relation.c:3950
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition rowsecurity.c:811
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition rowsecurity.c:556
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition rowsecurity.c:715
Definition parsenodes.h:1344
Definition rel.h:56
References ACL_SELECT, ACL_UPDATE, add_security_quals(), add_with_check_options(), Assert, check_enable_rls(), CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, fb(), get_policies_for_relation(), getRTEPermissionInfo(), GetUserId(), NIL, NoLock, OidIsValid, ONCONFLICT_SELECT, ONCONFLICT_UPDATE, RLS_NONE, RLS_NONE_ENV, root, RTE_RELATION, setRuleCheckAsUser(), table_close(), table_open(), WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, WCO_RLS_MERGE_DELETE_CHECK, WCO_RLS_MERGE_UPDATE_CHECK, and WCO_RLS_UPDATE_CHECK.
Referenced by fireRIRrules().
◆ row_security_policy_cmp()
Definition at line 689 of file rowsecurity.c.
690{
693
694 /* Guard against NULL policy names from extensions */
698 return -1;
699
701}
References a, b, fb(), lfirst, and RowSecurityPolicy::policy_name.
Referenced by sort_policies_by_name().
◆ sort_policies_by_name()
Definition at line 680 of file rowsecurity.c.
681{
683}
static int row_security_policy_cmp(const ListCell *a, const ListCell *b)
Definition rowsecurity.c:689
References list_sort(), and row_security_policy_cmp().
Referenced by get_policies_for_relation().
Variable Documentation
◆ row_security_policy_hook_permissive
| row_security_policy_hook_type row_security_policy_hook_permissive = NULL |
Definition at line 86 of file rowsecurity.c.
Referenced by _PG_init(), and get_policies_for_relation().
◆ row_security_policy_hook_restrictive
| row_security_policy_hook_type row_security_policy_hook_restrictive = NULL |
Definition at line 87 of file rowsecurity.c.
Referenced by _PG_init(), and get_policies_for_relation().
