PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
rowsecurity.c File Reference
#include "postgres.h"
#include "access/heapam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "catalog/pg_class.h"
#include "catalog/pg_inherits_fn.h"
#include "catalog/pg_policy.h"
#include "catalog/pg_type.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
#include "nodes/nodeFuncs.h"
#include "nodes/pg_list.h"
#include "nodes/plannodes.h"
#include "parser/parsetree.h"
#include "rewrite/rewriteHandler.h"
#include "rewrite/rewriteManip.h"
#include "rewrite/rowsecurity.h"
#include "utils/acl.h"
#include "utils/lsyscache.h"
#include "utils/rel.h"
#include "utils/rls.h"
#include "utils/syscache.h"
#include "tcop/utility.h"
Include dependency graph for rowsecurity.c:

Go to the source code of this file.

Macros

#define QUAL_FOR_WCO(policy)
 

Functions

static void get_policies_for_relation (Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
 
static Listsort_policies_by_name (List *policies)
 
static int row_security_policy_cmp (const void *a, const void *b)
 
static void add_security_quals (int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
 
static void add_with_check_options (Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks)
 
static bool check_role_for_policy (ArrayType *policy_roles, Oid user_id)
 
void get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
 

Variables

row_security_policy_hook_type row_security_policy_hook_permissive = NULL
 
row_security_policy_hook_type row_security_policy_hook_restrictive = NULL
 

Macro Definition Documentation

#define QUAL_FOR_WCO (   policy)
Value:
( kind != WCO_RLS_CONFLICT_CHECK && \
(policy)->with_check_qual != NULL ? \
(policy)->with_check_qual : (policy)->qual )
#define NULL
Definition: c.h:226

Referenced by add_with_check_options().

Function Documentation

static void add_security_quals ( int  rt_index,
List permissive_policies,
List restrictive_policies,
List **  securityQuals,
bool hasSubLinks 
)
static

Definition at line 560 of file rowsecurity.c.

References BoolGetDatum, BOOLOID, ChangeVarNodes(), copyObject(), RowSecurityPolicy::hassublinks, InvalidOid, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), NIL, NULL, OR_EXPR, and RowSecurityPolicy::qual.

Referenced by get_row_security_policies().

565 {
566  ListCell *item;
567  List *permissive_quals = NIL;
568  Expr *rowsec_expr;
569 
570  /*
571  * First collect up the permissive quals. If we do not find any
572  * permissive policies then no rows are visible (this is handled below).
573  */
574  foreach(item, permissive_policies)
575  {
576  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
577 
578  if (policy->qual != NULL)
579  {
580  permissive_quals = lappend(permissive_quals,
581  copyObject(policy->qual));
582  *hasSubLinks |= policy->hassublinks;
583  }
584  }
585 
586  /*
587  * We must have permissive quals, always, or no rows are visible.
588  *
589  * If we do not, then we simply return a single 'false' qual which results
590  * in no rows being visible.
591  */
592  if (permissive_quals != NIL)
593  {
594  /*
595  * We now know that permissive policies exist, so we can now add
596  * security quals based on the USING clauses from the restrictive
597  * policies. Since these need to be combined together using AND, we
598  * can just add them one at a time.
599  */
600  foreach(item, restrictive_policies)
601  {
602  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
603  Expr *qual;
604 
605  if (policy->qual != NULL)
606  {
607  qual = copyObject(policy->qual);
608  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
609 
610  *securityQuals = list_append_unique(*securityQuals, qual);
611  *hasSubLinks |= policy->hassublinks;
612  }
613  }
614 
615  /*
616  * Then add a single security qual combining together the USING
617  * clauses from all the permissive policies using OR.
618  */
619  if (list_length(permissive_quals) == 1)
620  rowsec_expr = (Expr *) linitial(permissive_quals);
621  else
622  rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
623 
624  ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
625  *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
626  }
627  else
628 
629  /*
630  * A permissive policy must exist for rows to be visible at all.
631  * Therefore, if there were no permissive policies found, return a
632  * single always-false clause.
633  */
634  *securityQuals = lappend(*securityQuals,
636  sizeof(bool), BoolGetDatum(false),
637  false, true));
638 }
#define NIL
Definition: pg_list.h:69
Definition: nodes.h:508
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:296
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:366
void * copyObject(const void *from)
Definition: copyfuncs.c:4475
#define linitial(l)
Definition: pg_list.h:110
List * list_append_unique(List *list, void *datum)
Definition: list.c:962
List * lappend(List *list, void *datum)
Definition: list.c:128
#define BoolGetDatum(X)
Definition: postgres.h:410
#define InvalidOid
Definition: postgres_ext.h:36
#define NULL
Definition: c.h:226
#define lfirst(lc)
Definition: pg_list.h:106
static int list_length(const List *l)
Definition: pg_list.h:89
#define BOOLOID
Definition: pg_type.h:288
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:607
Definition: pg_list.h:45
static void add_with_check_options ( Relation  rel,
int  rt_index,
WCOKind  kind,
List permissive_policies,
List restrictive_policies,
List **  withCheckOptions,
bool hasSubLinks 
)
static

Definition at line 656 of file rowsecurity.c.

References BoolGetDatum, BOOLOID, WithCheckOption::cascaded, ChangeVarNodes(), copyObject(), RowSecurityPolicy::hassublinks, InvalidOid, WithCheckOption::kind, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), makeNode, NIL, NULL, OR_EXPR, RowSecurityPolicy::policy_name, WithCheckOption::polname, pstrdup(), WithCheckOption::qual, QUAL_FOR_WCO, RelationGetRelationName, and WithCheckOption::relname.

Referenced by get_row_security_policies().

663 {
664  ListCell *item;
665  List *permissive_quals = NIL;
666 
667 #define QUAL_FOR_WCO(policy) \
668  ( kind != WCO_RLS_CONFLICT_CHECK && \
669  (policy)->with_check_qual != NULL ? \
670  (policy)->with_check_qual : (policy)->qual )
671 
672  /*
673  * First collect up the permissive policy clauses, similar to
674  * add_security_quals.
675  */
676  foreach(item, permissive_policies)
677  {
678  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
679  Expr *qual = QUAL_FOR_WCO(policy);
680 
681  if (qual != NULL)
682  {
683  permissive_quals = lappend(permissive_quals, copyObject(qual));
684  *hasSubLinks |= policy->hassublinks;
685  }
686  }
687 
688  /*
689  * There must be at least one permissive qual found or no rows are allowed
690  * to be added. This is the same as in add_security_quals.
691  *
692  * If there are no permissive_quals then we fall through and return a
693  * single 'false' WCO, preventing all new rows.
694  */
695  if (permissive_quals != NIL)
696  {
697  /*
698  * Add a single WithCheckOption for all the permissive policy clauses,
699  * combining them together using OR. This check has no policy name,
700  * since if the check fails it means that no policy granted permission
701  * to perform the update, rather than any particular policy being
702  * violated.
703  */
704  WithCheckOption *wco;
705 
706  wco = makeNode(WithCheckOption);
707  wco->kind = kind;
709  wco->polname = NULL;
710  wco->cascaded = false;
711 
712  if (list_length(permissive_quals) == 1)
713  wco->qual = (Node *) linitial(permissive_quals);
714  else
715  wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
716 
717  ChangeVarNodes(wco->qual, 1, rt_index, 0);
718 
719  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
720 
721  /*
722  * Now add WithCheckOptions for each of the restrictive policy clauses
723  * (which will be combined together using AND). We use a separate
724  * WithCheckOption for each restrictive policy to allow the policy
725  * name to be included in error reports if the policy is violated.
726  */
727  foreach(item, restrictive_policies)
728  {
729  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
730  Expr *qual = QUAL_FOR_WCO(policy);
731  WithCheckOption *wco;
732 
733  if (qual != NULL)
734  {
735  qual = copyObject(qual);
736  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
737 
738  wco = makeNode(WithCheckOption);
739  wco->kind = kind;
741  wco->polname = pstrdup(policy->policy_name);
742  wco->qual = (Node *) qual;
743  wco->cascaded = false;
744 
745  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
746  *hasSubLinks |= policy->hassublinks;
747  }
748  }
749  }
750  else
751  {
752  /*
753  * If there were no policy clauses to check new data, add a single
754  * always-false WCO (a default-deny policy).
755  */
756  WithCheckOption *wco;
757 
758  wco = makeNode(WithCheckOption);
759  wco->kind = kind;
761  wco->polname = NULL;
762  wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
763  sizeof(bool), BoolGetDatum(false),
764  false, true);
765  wco->cascaded = false;
766 
767  *withCheckOptions = lappend(*withCheckOptions, wco);
768  }
769 }
#define NIL
Definition: pg_list.h:69
char * pstrdup(const char *in)
Definition: mcxt.c:1165
Definition: nodes.h:508
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:296
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:366
void * copyObject(const void *from)
Definition: copyfuncs.c:4475
#define QUAL_FOR_WCO(policy)
#define linitial(l)
Definition: pg_list.h:110
List * list_append_unique(List *list, void *datum)
Definition: list.c:962
#define RelationGetRelationName(relation)
Definition: rel.h:433
List * lappend(List *list, void *datum)
Definition: list.c:128
#define BoolGetDatum(X)
Definition: postgres.h:410
#define InvalidOid
Definition: postgres_ext.h:36
#define makeNode(_type_)
Definition: nodes.h:556
#define NULL
Definition: c.h:226
#define lfirst(lc)
Definition: pg_list.h:106
static int list_length(const List *l)
Definition: pg_list.h:89
#define BOOLOID
Definition: pg_type.h:288
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:607
Definition: pg_list.h:45
static bool check_role_for_policy ( ArrayType policy_roles,
Oid  user_id 
)
static

Definition at line 776 of file rowsecurity.c.

References ACL_ID_PUBLIC, ARR_DATA_PTR, ARR_DIMS, has_privs_of_role(), and i.

Referenced by get_policies_for_relation().

777 {
778  int i;
779  Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
780 
781  /* Quick fall-thru for policies applied to all roles */
782  if (roles[0] == ACL_ID_PUBLIC)
783  return true;
784 
785  for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
786  {
787  if (has_privs_of_role(user_id, roles[i]))
788  return true;
789  }
790 
791  return false;
792 }
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4831
unsigned int Oid
Definition: postgres_ext.h:31
#define ARR_DIMS(a)
Definition: array.h:275
#define ARR_DATA_PTR(a)
Definition: array.h:303
int i
#define ACL_ID_PUBLIC
Definition: acl.h:39
static void get_policies_for_relation ( Relation  relation,
CmdType  cmd,
Oid  user_id,
List **  permissive_policies,
List **  restrictive_policies 
)
static

Definition at line 382 of file rowsecurity.c.

References ACL_DELETE_CHR, ACL_INSERT_CHR, ACL_SELECT_CHR, ACL_UPDATE_CHR, check_role_for_policy(), CMD_DELETE, CMD_INSERT, CMD_SELECT, CMD_UPDATE, elog, ERROR, lappend(), lfirst, NIL, RowSecurityPolicy::permissive, RowSecurityPolicy::polcmd, RowSecurityDesc::policies, RelationData::rd_rsdesc, RowSecurityPolicy::roles, row_security_policy_hook_permissive, row_security_policy_hook_restrictive, and sort_policies_by_name().

Referenced by get_row_security_policies().

385 {
386  ListCell *item;
387 
388  *permissive_policies = NIL;
389  *restrictive_policies = NIL;
390 
391  /*
392  * First find all internal policies for the relation. CREATE POLICY does
393  * not currently support defining restrictive policies, so for now all
394  * internal policies are permissive.
395  */
396  foreach(item, relation->rd_rsdesc->policies)
397  {
398  bool cmd_matches = false;
399  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
400 
401  /* Always add ALL policies, if they exist. */
402  if (policy->polcmd == '*')
403  cmd_matches = true;
404  else
405  {
406  /* Check whether the policy applies to the specified command type */
407  switch (cmd)
408  {
409  case CMD_SELECT:
410  if (policy->polcmd == ACL_SELECT_CHR)
411  cmd_matches = true;
412  break;
413  case CMD_INSERT:
414  if (policy->polcmd == ACL_INSERT_CHR)
415  cmd_matches = true;
416  break;
417  case CMD_UPDATE:
418  if (policy->polcmd == ACL_UPDATE_CHR)
419  cmd_matches = true;
420  break;
421  case CMD_DELETE:
422  if (policy->polcmd == ACL_DELETE_CHR)
423  cmd_matches = true;
424  break;
425  default:
426  elog(ERROR, "unrecognized policy command type %d",
427  (int) cmd);
428  break;
429  }
430  }
431 
432  /*
433  * Add this policy to the list of permissive policies if it applies to
434  * the specified role.
435  */
436  if (cmd_matches && check_role_for_policy(policy->roles, user_id))
437  {
438  if (policy->permissive)
439  *permissive_policies = lappend(*permissive_policies, policy);
440  else
441  *restrictive_policies = lappend(*restrictive_policies, policy);
442  }
443  }
444 
445  /*
446  * We sort restrictive policies by name so that any WCOs they generate are
447  * checked in a well-defined order.
448  */
449  *restrictive_policies = sort_policies_by_name(*restrictive_policies);
450 
451  /*
452  * Then add any permissive or restrictive policies defined by extensions.
453  * These are simply appended to the lists of internal policies, if they
454  * apply to the specified role.
455  */
457  {
458  List *hook_policies =
459  (*row_security_policy_hook_restrictive) (cmd, relation);
460 
461  /*
462  * As with built-in restrictive policies, we sort any hook-provided
463  * restrictive policies by name also. Note that we also intentionally
464  * always check all built-in restrictive policies, in name order,
465  * before checking restrictive policies added by hooks, in name order.
466  */
467  hook_policies = sort_policies_by_name(hook_policies);
468 
469  foreach(item, hook_policies)
470  {
471  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
472 
473  if (check_role_for_policy(policy->roles, user_id))
474  *restrictive_policies = lappend(*restrictive_policies, policy);
475  }
476  }
477 
479  {
480  List *hook_policies =
481  (*row_security_policy_hook_permissive) (cmd, relation);
482 
483  foreach(item, hook_policies)
484  {
485  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
486 
487  if (check_role_for_policy(policy->roles, user_id))
488  *permissive_policies = lappend(*permissive_policies, policy);
489  }
490  }
491 }
#define NIL
Definition: pg_list.h:69
#define ACL_INSERT_CHR
Definition: acl.h:130
#define ACL_DELETE_CHR
Definition: acl.h:133
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:94
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:776
#define ERROR
Definition: elog.h:43
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:95
ArrayType * roles
Definition: rowsecurity.h:24
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:121
static List * sort_policies_by_name(List *policies)
Definition: rowsecurity.c:502
List * lappend(List *list, void *datum)
Definition: list.c:128
#define ACL_SELECT_CHR
Definition: acl.h:131
#define lfirst(lc)
Definition: pg_list.h:106
#define ACL_UPDATE_CHR
Definition: acl.h:132
#define elog
Definition: elog.h:219
Definition: pg_list.h:45
void get_row_security_policies ( Query root,
RangeTblEntry rte,
int  rt_index,
List **  securityQuals,
List **  withCheckOptions,
bool hasRowSecurity,
bool hasSubLinks 
)

Definition at line 106 of file rowsecurity.c.

References ACL_SELECT, ACL_UPDATE, OnConflictExpr::action, add_security_quals(), add_with_check_options(), Assert, check_enable_rls(), RangeTblEntry::checkAsUser, CMD_DELETE, CMD_INSERT, CMD_SELECT, CMD_UPDATE, Query::commandType, get_policies_for_relation(), GetUserId(), heap_close, heap_open(), NIL, NoLock, Query::onConflict, ONCONFLICT_UPDATE, RangeTblEntry::relid, RangeTblEntry::relkind, RELKIND_PARTITIONED_TABLE, RELKIND_RELATION, RangeTblEntry::requiredPerms, Query::resultRelation, RLS_NONE, RLS_NONE_ENV, WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, and WCO_RLS_UPDATE_CHECK.

Referenced by fireRIRrules().

109 {
110  Oid user_id;
111  int rls_status;
112  Relation rel;
113  CmdType commandType;
114  List *permissive_policies;
115  List *restrictive_policies;
116 
117  /* Defaults for the return values */
118  *securityQuals = NIL;
119  *withCheckOptions = NIL;
120  *hasRowSecurity = false;
121  *hasSubLinks = false;
122 
123  /* If this is not a normal relation, just return immediately */
124  if (rte->relkind != RELKIND_RELATION &&
126  return;
127 
128  /* Switch to checkAsUser if it's set */
129  user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
130 
131  /* Determine the state of RLS for this, pass checkAsUser explicitly */
132  rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
133 
134  /* If there is no RLS on this table at all, nothing to do */
135  if (rls_status == RLS_NONE)
136  return;
137 
138  /*
139  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
140  * with changes to the environment, so we mark it as hasRowSecurity to
141  * force a re-plan when the environment changes.
142  */
143  if (rls_status == RLS_NONE_ENV)
144  {
145  /*
146  * Indicate that this query may involve RLS and must therefore be
147  * replanned if the environment changes (GUCs, role), but we are not
148  * adding anything here.
149  */
150  *hasRowSecurity = true;
151 
152  return;
153  }
154 
155  /*
156  * RLS is enabled for this relation.
157  *
158  * Get the security policies that should be applied, based on the command
159  * type. Note that if this isn't the target relation, we actually want
160  * the relation's SELECT policies, regardless of the query command type,
161  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
162  * policies and t2's SELECT policies.
163  */
164  rel = heap_open(rte->relid, NoLock);
165 
166  commandType = rt_index == root->resultRelation ?
167  root->commandType : CMD_SELECT;
168 
169  /*
170  * In some cases, we need to apply USING policies (which control the
171  * visibility of records) associated with multiple command types (see
172  * specific cases below).
173  *
174  * When considering the order in which to apply these USING policies, we
175  * prefer to apply higher privileged policies, those which allow the user
176  * to lock records (UPDATE and DELETE), first, followed by policies which
177  * don't (SELECT).
178  *
179  * Note that the optimizer is free to push down and reorder quals which
180  * use leakproof functions.
181  *
182  * In all cases, if there are no policy clauses allowing access to rows in
183  * the table for the specific type of operation, then a single
184  * always-false clause (a default-deny policy) will be added (see
185  * add_security_quals).
186  */
187 
188  /*
189  * For a SELECT, if UPDATE privileges are required (eg: the user has
190  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
191  * first.
192  *
193  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
194  * which the user does not have access to via the UPDATE USING policies,
195  * similar to how we require normal UPDATE rights for these queries.
196  */
197  if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
198  {
199  List *update_permissive_policies;
200  List *update_restrictive_policies;
201 
203  &update_permissive_policies,
204  &update_restrictive_policies);
205 
206  add_security_quals(rt_index,
207  update_permissive_policies,
208  update_restrictive_policies,
209  securityQuals,
210  hasSubLinks);
211  }
212 
213  /*
214  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
215  * policies. These security quals control access to existing table rows.
216  * Restrictive policies are combined together using AND, and permissive
217  * policies are combined together using OR.
218  */
219 
220  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
221  &restrictive_policies);
222 
223  if (commandType == CMD_SELECT ||
224  commandType == CMD_UPDATE ||
225  commandType == CMD_DELETE)
226  add_security_quals(rt_index,
227  permissive_policies,
228  restrictive_policies,
229  securityQuals,
230  hasSubLinks);
231 
232  /*
233  * Similar to above, during an UPDATE or DELETE, if SELECT rights are also
234  * required (eg: when a RETURNING clause exists, or the user has provided
235  * a WHERE clause which involves columns from the relation), we collect up
236  * CMD_SELECT policies and add them via add_security_quals first.
237  *
238  * This way, we filter out any records which are not visible through an
239  * ALL or SELECT USING policy.
240  */
241  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE) &&
242  rte->requiredPerms & ACL_SELECT)
243  {
244  List *select_permissive_policies;
245  List *select_restrictive_policies;
246 
248  &select_permissive_policies,
249  &select_restrictive_policies);
250 
251  add_security_quals(rt_index,
252  select_permissive_policies,
253  select_restrictive_policies,
254  securityQuals,
255  hasSubLinks);
256  }
257 
258  /*
259  * For INSERT and UPDATE, add withCheckOptions to verify that any new
260  * records added are consistent with the security policies. This will use
261  * each policy's WITH CHECK clause, or its USING clause if no explicit
262  * WITH CHECK clause is defined.
263  */
264  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
265  {
266  /* This should be the target relation */
267  Assert(rt_index == root->resultRelation);
268 
269  add_with_check_options(rel, rt_index,
270  commandType == CMD_INSERT ?
272  permissive_policies,
273  restrictive_policies,
274  withCheckOptions,
275  hasSubLinks);
276 
277  /*
278  * Get and add ALL/SELECT policies, if SELECT rights are required for
279  * this relation (eg: when RETURNING is used). These are added as WCO
280  * policies rather than security quals to ensure that an error is
281  * raised if a policy is violated; otherwise, we might end up silently
282  * dropping rows to be added.
283  */
284  if (rte->requiredPerms & ACL_SELECT)
285  {
286  List *select_permissive_policies = NIL;
287  List *select_restrictive_policies = NIL;
288 
290  &select_permissive_policies,
291  &select_restrictive_policies);
292  add_with_check_options(rel, rt_index,
293  commandType == CMD_INSERT ?
295  select_permissive_policies,
296  select_restrictive_policies,
297  withCheckOptions,
298  hasSubLinks);
299  }
300 
301  /*
302  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
303  * checks for the UPDATE which may be applied to the same RTE.
304  */
305  if (commandType == CMD_INSERT &&
306  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
307  {
308  List *conflict_permissive_policies;
309  List *conflict_restrictive_policies;
310 
311  /* Get the policies that apply to the auxiliary UPDATE */
313  &conflict_permissive_policies,
314  &conflict_restrictive_policies);
315 
316  /*
317  * Enforce the USING clauses of the UPDATE policies using WCOs
318  * rather than security quals. This ensures that an error is
319  * raised if the conflicting row cannot be updated due to RLS,
320  * rather than the change being silently dropped.
321  */
322  add_with_check_options(rel, rt_index,
324  conflict_permissive_policies,
325  conflict_restrictive_policies,
326  withCheckOptions,
327  hasSubLinks);
328 
329  /*
330  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
331  * to ensure they are considered when taking the UPDATE path of an
332  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
333  * for this relation, also as WCO policies, again, to avoid
334  * silently dropping data. See above.
335  */
336  if (rte->requiredPerms & ACL_SELECT)
337  {
338  List *conflict_select_permissive_policies = NIL;
339  List *conflict_select_restrictive_policies = NIL;
340 
342  &conflict_select_permissive_policies,
343  &conflict_select_restrictive_policies);
344  add_with_check_options(rel, rt_index,
346  conflict_select_permissive_policies,
347  conflict_select_restrictive_policies,
348  withCheckOptions,
349  hasSubLinks);
350  }
351 
352  /* Enforce the WITH CHECK clauses of the UPDATE policies */
353  add_with_check_options(rel, rt_index,
355  conflict_permissive_policies,
356  conflict_restrictive_policies,
357  withCheckOptions,
358  hasSubLinks);
359  }
360  }
361 
362  heap_close(rel, NoLock);
363 
364  /*
365  * Mark this query as having row security, so plancache can invalidate it
366  * when necessary (eg: role changes)
367  */
368  *hasRowSecurity = true;
369 
370  return;
371 }
#define NIL
Definition: pg_list.h:69
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks)
Definition: rowsecurity.c:656
Oid GetUserId(void)
Definition: miscinit.c:282
OnConflictExpr * onConflict
Definition: parsenodes.h:133
int resultRelation
Definition: parsenodes.h:113
AclMode requiredPerms
Definition: parsenodes.h:965
#define heap_close(r, l)
Definition: heapam.h:97
unsigned int Oid
Definition: postgres_ext.h:31
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:560
#define NoLock
Definition: lockdefs.h:34
OnConflictAction action
Definition: primnodes.h:1449
#define ACL_UPDATE
Definition: parsenodes.h:67
#define RELKIND_PARTITIONED_TABLE
Definition: pg_class.h:168
#define ACL_SELECT
Definition: parsenodes.h:66
Relation heap_open(Oid relationId, LOCKMODE lockmode)
Definition: heapam.c:1287
CmdType commandType
Definition: parsenodes.h:103
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:53
#define Assert(condition)
Definition: c.h:671
#define RELKIND_RELATION
Definition: pg_class.h:160
Definition: rls.h:43
Definition: pg_list.h:45
CmdType
Definition: nodes.h:641
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:382
static int row_security_policy_cmp ( const void *  a,
const void *  b 
)
static

Definition at line 534 of file rowsecurity.c.

References NULL, and RowSecurityPolicy::policy_name.

Referenced by sort_policies_by_name().

535 {
536  const RowSecurityPolicy *pa = (const RowSecurityPolicy *) a;
537  const RowSecurityPolicy *pb = (const RowSecurityPolicy *) b;
538 
539  /* Guard against NULL policy names from extensions */
540  if (pa->policy_name == NULL)
541  return pb->policy_name == NULL ? 0 : 1;
542  if (pb->policy_name == NULL)
543  return -1;
544 
545  return strcmp(pa->policy_name, pb->policy_name);
546 }
#define NULL
Definition: c.h:226
static List * sort_policies_by_name ( List policies)
static

Definition at line 502 of file rowsecurity.c.

References lappend(), lfirst, list_length(), NIL, palloc(), qsort, and row_security_policy_cmp().

Referenced by get_policies_for_relation().

503 {
504  int npol = list_length(policies);
505  RowSecurityPolicy *pols;
506  ListCell *item;
507  int ii = 0;
508 
509  if (npol <= 1)
510  return policies;
511 
512  pols = (RowSecurityPolicy *) palloc(sizeof(RowSecurityPolicy) * npol);
513 
514  foreach(item, policies)
515  {
516  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
517 
518  pols[ii++] = *policy;
519  }
520 
521  qsort(pols, npol, sizeof(RowSecurityPolicy), row_security_policy_cmp);
522 
523  policies = NIL;
524  for (ii = 0; ii < npol; ii++)
525  policies = lappend(policies, &pols[ii]);
526 
527  return policies;
528 }
#define NIL
Definition: pg_list.h:69
List * lappend(List *list, void *datum)
Definition: list.c:128
static int row_security_policy_cmp(const void *a, const void *b)
Definition: rowsecurity.c:534
#define lfirst(lc)
Definition: pg_list.h:106
static int list_length(const List *l)
Definition: pg_list.h:89
void * palloc(Size size)
Definition: mcxt.c:891
#define qsort(a, b, c, d)
Definition: port.h:440

Variable Documentation

row_security_policy_hook_type row_security_policy_hook_permissive = NULL

Definition at line 94 of file rowsecurity.c.

Referenced by _PG_fini(), _PG_init(), and get_policies_for_relation().

row_security_policy_hook_type row_security_policy_hook_restrictive = NULL

Definition at line 95 of file rowsecurity.c.

Referenced by _PG_fini(), _PG_init(), and get_policies_for_relation().