PostgreSQL Source Code  git master
rowsecurity.c File Reference
#include "postgres.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "access/table.h"
#include "catalog/pg_class.h"
#include "catalog/pg_inherits.h"
#include "catalog/pg_policy.h"
#include "catalog/pg_type.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
#include "nodes/nodeFuncs.h"
#include "nodes/pg_list.h"
#include "nodes/plannodes.h"
#include "parser/parsetree.h"
#include "rewrite/rewriteDefine.h"
#include "rewrite/rewriteHandler.h"
#include "rewrite/rewriteManip.h"
#include "rewrite/rowsecurity.h"
#include "utils/acl.h"
#include "utils/lsyscache.h"
#include "utils/rel.h"
#include "utils/rls.h"
#include "utils/syscache.h"
#include "tcop/utility.h"
Include dependency graph for rowsecurity.c:

Go to the source code of this file.

Macros

#define QUAL_FOR_WCO(policy)
 

Functions

static void get_policies_for_relation (Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
 
static void sort_policies_by_name (List *policies)
 
static int row_security_policy_cmp (const ListCell *a, const ListCell *b)
 
static void add_security_quals (int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
 
static void add_with_check_options (Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
 
static bool check_role_for_policy (ArrayType *policy_roles, Oid user_id)
 
void get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
 

Variables

row_security_policy_hook_type row_security_policy_hook_permissive = NULL
 
row_security_policy_hook_type row_security_policy_hook_restrictive = NULL
 

Macro Definition Documentation

◆ QUAL_FOR_WCO

#define QUAL_FOR_WCO (   policy)
Value:
( !force_using && \
(policy)->with_check_qual != NULL ? \
(policy)->with_check_qual : (policy)->qual )

Referenced by add_with_check_options().

Function Documentation

◆ add_security_quals()

static void add_security_quals ( int  rt_index,
List permissive_policies,
List restrictive_policies,
List **  securityQuals,
bool hasSubLinks 
)
static

Definition at line 561 of file rowsecurity.c.

References BoolGetDatum, ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), NIL, OR_EXPR, and RowSecurityPolicy::qual.

Referenced by get_row_security_policies().

566 {
567  ListCell *item;
568  List *permissive_quals = NIL;
569  Expr *rowsec_expr;
570 
571  /*
572  * First collect up the permissive quals. If we do not find any
573  * permissive policies then no rows are visible (this is handled below).
574  */
575  foreach(item, permissive_policies)
576  {
577  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
578 
579  if (policy->qual != NULL)
580  {
581  permissive_quals = lappend(permissive_quals,
582  copyObject(policy->qual));
583  *hasSubLinks |= policy->hassublinks;
584  }
585  }
586 
587  /*
588  * We must have permissive quals, always, or no rows are visible.
589  *
590  * If we do not, then we simply return a single 'false' qual which results
591  * in no rows being visible.
592  */
593  if (permissive_quals != NIL)
594  {
595  /*
596  * We now know that permissive policies exist, so we can now add
597  * security quals based on the USING clauses from the restrictive
598  * policies. Since these need to be combined together using AND, we
599  * can just add them one at a time.
600  */
601  foreach(item, restrictive_policies)
602  {
603  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
604  Expr *qual;
605 
606  if (policy->qual != NULL)
607  {
608  qual = copyObject(policy->qual);
609  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
610 
611  *securityQuals = list_append_unique(*securityQuals, qual);
612  *hasSubLinks |= policy->hassublinks;
613  }
614  }
615 
616  /*
617  * Then add a single security qual combining together the USING
618  * clauses from all the permissive policies using OR.
619  */
620  if (list_length(permissive_quals) == 1)
621  rowsec_expr = (Expr *) linitial(permissive_quals);
622  else
623  rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
624 
625  ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
626  *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
627  }
628  else
629 
630  /*
631  * A permissive policy must exist for rows to be visible at all.
632  * Therefore, if there were no permissive policies found, return a
633  * single always-false clause.
634  */
635  *securityQuals = lappend(*securityQuals,
636  makeConst(BOOLOID, -1, InvalidOid,
637  sizeof(bool), BoolGetDatum(false),
638  false, true));
639 }
#define NIL
Definition: pg_list.h:65
Definition: nodes.h:525
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:297
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:367
#define linitial(l)
Definition: pg_list.h:195
List * list_append_unique(List *list, void *datum)
Definition: list.c:1181
List * lappend(List *list, void *datum)
Definition: list.c:322
#define BoolGetDatum(X)
Definition: postgres.h:402
#define InvalidOid
Definition: postgres_ext.h:36
#define lfirst(lc)
Definition: pg_list.h:190
static int list_length(const List *l)
Definition: pg_list.h:169
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:607
#define copyObject(obj)
Definition: nodes.h:641
Definition: pg_list.h:50

◆ add_with_check_options()

static void add_with_check_options ( Relation  rel,
int  rt_index,
WCOKind  kind,
List permissive_policies,
List restrictive_policies,
List **  withCheckOptions,
bool hasSubLinks,
bool  force_using 
)
static

Definition at line 657 of file rowsecurity.c.

References BoolGetDatum, WithCheckOption::cascaded, ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, WithCheckOption::kind, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), makeNode, NIL, OR_EXPR, RowSecurityPolicy::policy_name, WithCheckOption::polname, pstrdup(), WithCheckOption::qual, QUAL_FOR_WCO, RelationGetRelationName, and WithCheckOption::relname.

Referenced by get_row_security_policies().

665 {
666  ListCell *item;
667  List *permissive_quals = NIL;
668 
669 #define QUAL_FOR_WCO(policy) \
670  ( !force_using && \
671  (policy)->with_check_qual != NULL ? \
672  (policy)->with_check_qual : (policy)->qual )
673 
674  /*
675  * First collect up the permissive policy clauses, similar to
676  * add_security_quals.
677  */
678  foreach(item, permissive_policies)
679  {
680  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
681  Expr *qual = QUAL_FOR_WCO(policy);
682 
683  if (qual != NULL)
684  {
685  permissive_quals = lappend(permissive_quals, copyObject(qual));
686  *hasSubLinks |= policy->hassublinks;
687  }
688  }
689 
690  /*
691  * There must be at least one permissive qual found or no rows are allowed
692  * to be added. This is the same as in add_security_quals.
693  *
694  * If there are no permissive_quals then we fall through and return a
695  * single 'false' WCO, preventing all new rows.
696  */
697  if (permissive_quals != NIL)
698  {
699  /*
700  * Add a single WithCheckOption for all the permissive policy clauses,
701  * combining them together using OR. This check has no policy name,
702  * since if the check fails it means that no policy granted permission
703  * to perform the update, rather than any particular policy being
704  * violated.
705  */
706  WithCheckOption *wco;
707 
708  wco = makeNode(WithCheckOption);
709  wco->kind = kind;
711  wco->polname = NULL;
712  wco->cascaded = false;
713 
714  if (list_length(permissive_quals) == 1)
715  wco->qual = (Node *) linitial(permissive_quals);
716  else
717  wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
718 
719  ChangeVarNodes(wco->qual, 1, rt_index, 0);
720 
721  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
722 
723  /*
724  * Now add WithCheckOptions for each of the restrictive policy clauses
725  * (which will be combined together using AND). We use a separate
726  * WithCheckOption for each restrictive policy to allow the policy
727  * name to be included in error reports if the policy is violated.
728  */
729  foreach(item, restrictive_policies)
730  {
731  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
732  Expr *qual = QUAL_FOR_WCO(policy);
733  WithCheckOption *wco;
734 
735  if (qual != NULL)
736  {
737  qual = copyObject(qual);
738  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
739 
740  wco = makeNode(WithCheckOption);
741  wco->kind = kind;
743  wco->polname = pstrdup(policy->policy_name);
744  wco->qual = (Node *) qual;
745  wco->cascaded = false;
746 
747  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
748  *hasSubLinks |= policy->hassublinks;
749  }
750  }
751  }
752  else
753  {
754  /*
755  * If there were no policy clauses to check new data, add a single
756  * always-false WCO (a default-deny policy).
757  */
758  WithCheckOption *wco;
759 
760  wco = makeNode(WithCheckOption);
761  wco->kind = kind;
763  wco->polname = NULL;
764  wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
765  sizeof(bool), BoolGetDatum(false),
766  false, true);
767  wco->cascaded = false;
768 
769  *withCheckOptions = lappend(*withCheckOptions, wco);
770  }
771 }
#define NIL
Definition: pg_list.h:65
char * pstrdup(const char *in)
Definition: mcxt.c:1186
Definition: nodes.h:525
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:297
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:367
#define QUAL_FOR_WCO(policy)
#define linitial(l)
Definition: pg_list.h:195
List * list_append_unique(List *list, void *datum)
Definition: list.c:1181
#define RelationGetRelationName(relation)
Definition: rel.h:453
List * lappend(List *list, void *datum)
Definition: list.c:322
#define BoolGetDatum(X)
Definition: postgres.h:402
#define InvalidOid
Definition: postgres_ext.h:36
#define makeNode(_type_)
Definition: nodes.h:573
#define lfirst(lc)
Definition: pg_list.h:190
static int list_length(const List *l)
Definition: pg_list.h:169
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:607
#define copyObject(obj)
Definition: nodes.h:641
Definition: pg_list.h:50

◆ check_role_for_policy()

static bool check_role_for_policy ( ArrayType policy_roles,
Oid  user_id 
)
static

Definition at line 778 of file rowsecurity.c.

References ACL_ID_PUBLIC, ARR_DATA_PTR, ARR_DIMS, has_privs_of_role(), and i.

Referenced by get_policies_for_relation().

779 {
780  int i;
781  Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
782 
783  /* Quick fall-thru for policies applied to all roles */
784  if (roles[0] == ACL_ID_PUBLIC)
785  return true;
786 
787  for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
788  {
789  if (has_privs_of_role(user_id, roles[i]))
790  return true;
791  }
792 
793  return false;
794 }
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4908
unsigned int Oid
Definition: postgres_ext.h:31
#define ARR_DIMS(a)
Definition: array.h:282
#define ARR_DATA_PTR(a)
Definition: array.h:310
int i
#define ACL_ID_PUBLIC
Definition: acl.h:46

◆ get_policies_for_relation()

static void get_policies_for_relation ( Relation  relation,
CmdType  cmd,
Oid  user_id,
List **  permissive_policies,
List **  restrictive_policies 
)
static

Definition at line 410 of file rowsecurity.c.

References ACL_DELETE_CHR, ACL_INSERT_CHR, ACL_SELECT_CHR, ACL_UPDATE_CHR, check_role_for_policy(), CMD_DELETE, CMD_INSERT, CMD_SELECT, CMD_UPDATE, elog, ERROR, lappend(), lfirst, NIL, RowSecurityPolicy::permissive, RowSecurityPolicy::polcmd, RowSecurityDesc::policies, RelationData::rd_rsdesc, RowSecurityPolicy::roles, row_security_policy_hook_permissive, row_security_policy_hook_restrictive, and sort_policies_by_name().

Referenced by get_row_security_policies().

413 {
414  ListCell *item;
415 
416  *permissive_policies = NIL;
417  *restrictive_policies = NIL;
418 
419  /* First find all internal policies for the relation. */
420  foreach(item, relation->rd_rsdesc->policies)
421  {
422  bool cmd_matches = false;
423  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
424 
425  /* Always add ALL policies, if they exist. */
426  if (policy->polcmd == '*')
427  cmd_matches = true;
428  else
429  {
430  /* Check whether the policy applies to the specified command type */
431  switch (cmd)
432  {
433  case CMD_SELECT:
434  if (policy->polcmd == ACL_SELECT_CHR)
435  cmd_matches = true;
436  break;
437  case CMD_INSERT:
438  if (policy->polcmd == ACL_INSERT_CHR)
439  cmd_matches = true;
440  break;
441  case CMD_UPDATE:
442  if (policy->polcmd == ACL_UPDATE_CHR)
443  cmd_matches = true;
444  break;
445  case CMD_DELETE:
446  if (policy->polcmd == ACL_DELETE_CHR)
447  cmd_matches = true;
448  break;
449  default:
450  elog(ERROR, "unrecognized policy command type %d",
451  (int) cmd);
452  break;
453  }
454  }
455 
456  /*
457  * Add this policy to the relevant list of policies if it applies to
458  * the specified role.
459  */
460  if (cmd_matches && check_role_for_policy(policy->roles, user_id))
461  {
462  if (policy->permissive)
463  *permissive_policies = lappend(*permissive_policies, policy);
464  else
465  *restrictive_policies = lappend(*restrictive_policies, policy);
466  }
467  }
468 
469  /*
470  * We sort restrictive policies by name so that any WCOs they generate are
471  * checked in a well-defined order.
472  */
473  sort_policies_by_name(*restrictive_policies);
474 
475  /*
476  * Then add any permissive or restrictive policies defined by extensions.
477  * These are simply appended to the lists of internal policies, if they
478  * apply to the specified role.
479  */
481  {
482  List *hook_policies =
483  (*row_security_policy_hook_restrictive) (cmd, relation);
484 
485  /*
486  * As with built-in restrictive policies, we sort any hook-provided
487  * restrictive policies by name also. Note that we also intentionally
488  * always check all built-in restrictive policies, in name order,
489  * before checking restrictive policies added by hooks, in name order.
490  */
491  sort_policies_by_name(hook_policies);
492 
493  foreach(item, hook_policies)
494  {
495  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
496 
497  if (check_role_for_policy(policy->roles, user_id))
498  *restrictive_policies = lappend(*restrictive_policies, policy);
499  }
500  }
501 
503  {
504  List *hook_policies =
505  (*row_security_policy_hook_permissive) (cmd, relation);
506 
507  foreach(item, hook_policies)
508  {
509  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
510 
511  if (check_role_for_policy(policy->roles, user_id))
512  *permissive_policies = lappend(*permissive_policies, policy);
513  }
514  }
515 }
#define NIL
Definition: pg_list.h:65
#define ACL_INSERT_CHR
Definition: acl.h:137
#define ACL_DELETE_CHR
Definition: acl.h:140
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:96
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:778
#define ERROR
Definition: elog.h:43
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:97
ArrayType * roles
Definition: rowsecurity.h:24
static void sort_policies_by_name(List *policies)
Definition: rowsecurity.c:526
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:91
List * lappend(List *list, void *datum)
Definition: list.c:322
#define ACL_SELECT_CHR
Definition: acl.h:138
#define lfirst(lc)
Definition: pg_list.h:190
#define ACL_UPDATE_CHR
Definition: acl.h:139
#define elog(elevel,...)
Definition: elog.h:226
Definition: pg_list.h:50

◆ get_row_security_policies()

void get_row_security_policies ( Query root,
RangeTblEntry rte,
int  rt_index,
List **  securityQuals,
List **  withCheckOptions,
bool hasRowSecurity,
bool hasSubLinks 
)

Definition at line 108 of file rowsecurity.c.

References ACL_SELECT, ACL_UPDATE, OnConflictExpr::action, add_security_quals(), add_with_check_options(), Assert, check_enable_rls(), RangeTblEntry::checkAsUser, CMD_DELETE, CMD_INSERT, CMD_SELECT, CMD_UPDATE, Query::commandType, get_policies_for_relation(), GetUserId(), NIL, NoLock, Query::onConflict, ONCONFLICT_UPDATE, RangeTblEntry::relid, RangeTblEntry::relkind, RangeTblEntry::requiredPerms, Query::resultRelation, RLS_NONE, RLS_NONE_ENV, setRuleCheckAsUser(), table_close(), table_open(), WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, and WCO_RLS_UPDATE_CHECK.

Referenced by fireRIRrules().

111 {
112  Oid user_id;
113  int rls_status;
114  Relation rel;
115  CmdType commandType;
116  List *permissive_policies;
117  List *restrictive_policies;
118 
119  /* Defaults for the return values */
120  *securityQuals = NIL;
121  *withCheckOptions = NIL;
122  *hasRowSecurity = false;
123  *hasSubLinks = false;
124 
125  /* If this is not a normal relation, just return immediately */
126  if (rte->relkind != RELKIND_RELATION &&
127  rte->relkind != RELKIND_PARTITIONED_TABLE)
128  return;
129 
130  /* Switch to checkAsUser if it's set */
131  user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
132 
133  /* Determine the state of RLS for this, pass checkAsUser explicitly */
134  rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
135 
136  /* If there is no RLS on this table at all, nothing to do */
137  if (rls_status == RLS_NONE)
138  return;
139 
140  /*
141  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
142  * with changes to the environment, so we mark it as hasRowSecurity to
143  * force a re-plan when the environment changes.
144  */
145  if (rls_status == RLS_NONE_ENV)
146  {
147  /*
148  * Indicate that this query may involve RLS and must therefore be
149  * replanned if the environment changes (GUCs, role), but we are not
150  * adding anything here.
151  */
152  *hasRowSecurity = true;
153 
154  return;
155  }
156 
157  /*
158  * RLS is enabled for this relation.
159  *
160  * Get the security policies that should be applied, based on the command
161  * type. Note that if this isn't the target relation, we actually want
162  * the relation's SELECT policies, regardless of the query command type,
163  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
164  * policies and t2's SELECT policies.
165  */
166  rel = table_open(rte->relid, NoLock);
167 
168  commandType = rt_index == root->resultRelation ?
169  root->commandType : CMD_SELECT;
170 
171  /*
172  * In some cases, we need to apply USING policies (which control the
173  * visibility of records) associated with multiple command types (see
174  * specific cases below).
175  *
176  * When considering the order in which to apply these USING policies, we
177  * prefer to apply higher privileged policies, those which allow the user
178  * to lock records (UPDATE and DELETE), first, followed by policies which
179  * don't (SELECT).
180  *
181  * Note that the optimizer is free to push down and reorder quals which
182  * use leakproof functions.
183  *
184  * In all cases, if there are no policy clauses allowing access to rows in
185  * the table for the specific type of operation, then a single
186  * always-false clause (a default-deny policy) will be added (see
187  * add_security_quals).
188  */
189 
190  /*
191  * For a SELECT, if UPDATE privileges are required (eg: the user has
192  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
193  * first.
194  *
195  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
196  * which the user does not have access to via the UPDATE USING policies,
197  * similar to how we require normal UPDATE rights for these queries.
198  */
199  if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
200  {
201  List *update_permissive_policies;
202  List *update_restrictive_policies;
203 
205  &update_permissive_policies,
206  &update_restrictive_policies);
207 
208  add_security_quals(rt_index,
209  update_permissive_policies,
210  update_restrictive_policies,
211  securityQuals,
212  hasSubLinks);
213  }
214 
215  /*
216  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
217  * policies. These security quals control access to existing table rows.
218  * Restrictive policies are combined together using AND, and permissive
219  * policies are combined together using OR.
220  */
221 
222  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
223  &restrictive_policies);
224 
225  if (commandType == CMD_SELECT ||
226  commandType == CMD_UPDATE ||
227  commandType == CMD_DELETE)
228  add_security_quals(rt_index,
229  permissive_policies,
230  restrictive_policies,
231  securityQuals,
232  hasSubLinks);
233 
234  /*
235  * Similar to above, during an UPDATE or DELETE, if SELECT rights are also
236  * required (eg: when a RETURNING clause exists, or the user has provided
237  * a WHERE clause which involves columns from the relation), we collect up
238  * CMD_SELECT policies and add them via add_security_quals first.
239  *
240  * This way, we filter out any records which are not visible through an
241  * ALL or SELECT USING policy.
242  */
243  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE) &&
244  rte->requiredPerms & ACL_SELECT)
245  {
246  List *select_permissive_policies;
247  List *select_restrictive_policies;
248 
250  &select_permissive_policies,
251  &select_restrictive_policies);
252 
253  add_security_quals(rt_index,
254  select_permissive_policies,
255  select_restrictive_policies,
256  securityQuals,
257  hasSubLinks);
258  }
259 
260  /*
261  * For INSERT and UPDATE, add withCheckOptions to verify that any new
262  * records added are consistent with the security policies. This will use
263  * each policy's WITH CHECK clause, or its USING clause if no explicit
264  * WITH CHECK clause is defined.
265  */
266  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
267  {
268  /* This should be the target relation */
269  Assert(rt_index == root->resultRelation);
270 
271  add_with_check_options(rel, rt_index,
272  commandType == CMD_INSERT ?
274  permissive_policies,
275  restrictive_policies,
276  withCheckOptions,
277  hasSubLinks,
278  false);
279 
280  /*
281  * Get and add ALL/SELECT policies, if SELECT rights are required for
282  * this relation (eg: when RETURNING is used). These are added as WCO
283  * policies rather than security quals to ensure that an error is
284  * raised if a policy is violated; otherwise, we might end up silently
285  * dropping rows to be added.
286  */
287  if (rte->requiredPerms & ACL_SELECT)
288  {
289  List *select_permissive_policies = NIL;
290  List *select_restrictive_policies = NIL;
291 
293  &select_permissive_policies,
294  &select_restrictive_policies);
295  add_with_check_options(rel, rt_index,
296  commandType == CMD_INSERT ?
298  select_permissive_policies,
299  select_restrictive_policies,
300  withCheckOptions,
301  hasSubLinks,
302  true);
303  }
304 
305  /*
306  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
307  * checks for the UPDATE which may be applied to the same RTE.
308  */
309  if (commandType == CMD_INSERT &&
310  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
311  {
312  List *conflict_permissive_policies;
313  List *conflict_restrictive_policies;
314  List *conflict_select_permissive_policies = NIL;
315  List *conflict_select_restrictive_policies = NIL;
316 
317  /* Get the policies that apply to the auxiliary UPDATE */
319  &conflict_permissive_policies,
320  &conflict_restrictive_policies);
321 
322  /*
323  * Enforce the USING clauses of the UPDATE policies using WCOs
324  * rather than security quals. This ensures that an error is
325  * raised if the conflicting row cannot be updated due to RLS,
326  * rather than the change being silently dropped.
327  */
328  add_with_check_options(rel, rt_index,
330  conflict_permissive_policies,
331  conflict_restrictive_policies,
332  withCheckOptions,
333  hasSubLinks,
334  true);
335 
336  /*
337  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
338  * to ensure they are considered when taking the UPDATE path of an
339  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
340  * for this relation, also as WCO policies, again, to avoid
341  * silently dropping data. See above.
342  */
343  if (rte->requiredPerms & ACL_SELECT)
344  {
346  &conflict_select_permissive_policies,
347  &conflict_select_restrictive_policies);
348  add_with_check_options(rel, rt_index,
350  conflict_select_permissive_policies,
351  conflict_select_restrictive_policies,
352  withCheckOptions,
353  hasSubLinks,
354  true);
355  }
356 
357  /* Enforce the WITH CHECK clauses of the UPDATE policies */
358  add_with_check_options(rel, rt_index,
360  conflict_permissive_policies,
361  conflict_restrictive_policies,
362  withCheckOptions,
363  hasSubLinks,
364  false);
365 
366  /*
367  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
368  * that the final updated row is visible when taking the UPDATE
369  * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
370  * are required for this relation.
371  */
372  if (rte->requiredPerms & ACL_SELECT)
373  add_with_check_options(rel, rt_index,
375  conflict_select_permissive_policies,
376  conflict_select_restrictive_policies,
377  withCheckOptions,
378  hasSubLinks,
379  true);
380  }
381  }
382 
383  table_close(rel, NoLock);
384 
385  /*
386  * Copy checkAsUser to the row security quals and WithCheckOption checks,
387  * in case they contain any subqueries referring to other relations.
388  */
389  setRuleCheckAsUser((Node *) *securityQuals, rte->checkAsUser);
390  setRuleCheckAsUser((Node *) *withCheckOptions, rte->checkAsUser);
391 
392  /*
393  * Mark this query as having row security, so plancache can invalidate it
394  * when necessary (eg: role changes)
395  */
396  *hasRowSecurity = true;
397 
398  return;
399 }
#define NIL
Definition: pg_list.h:65
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:133
void setRuleCheckAsUser(Node *node, Oid userid)
Oid GetUserId(void)
Definition: miscinit.c:380
OnConflictExpr * onConflict
Definition: parsenodes.h:144
int resultRelation
Definition: parsenodes.h:122
Definition: nodes.h:525
AclMode requiredPerms
Definition: parsenodes.h:1096
unsigned int Oid
Definition: postgres_ext.h:31
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:561
#define NoLock
Definition: lockdefs.h:34
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:657
OnConflictAction action
Definition: primnodes.h:1512
#define ACL_UPDATE
Definition: parsenodes.h:76
#define ACL_SELECT
Definition: parsenodes.h:75
CmdType commandType
Definition: parsenodes.h:112
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:52
#define Assert(condition)
Definition: c.h:732
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:39
Definition: rls.h:43
Definition: pg_list.h:50
CmdType
Definition: nodes.h:668
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:410

◆ row_security_policy_cmp()

static int row_security_policy_cmp ( const ListCell a,
const ListCell b 
)
static

Definition at line 535 of file rowsecurity.c.

References lfirst, and RowSecurityPolicy::policy_name.

Referenced by sort_policies_by_name().

536 {
537  const RowSecurityPolicy *pa = (const RowSecurityPolicy *) lfirst(a);
538  const RowSecurityPolicy *pb = (const RowSecurityPolicy *) lfirst(b);
539 
540  /* Guard against NULL policy names from extensions */
541  if (pa->policy_name == NULL)
542  return pb->policy_name == NULL ? 0 : 1;
543  if (pb->policy_name == NULL)
544  return -1;
545 
546  return strcmp(pa->policy_name, pb->policy_name);
547 }
#define lfirst(lc)
Definition: pg_list.h:190

◆ sort_policies_by_name()

static void sort_policies_by_name ( List policies)
static

Definition at line 526 of file rowsecurity.c.

References list_sort(), and row_security_policy_cmp().

Referenced by get_policies_for_relation().

527 {
529 }
static int row_security_policy_cmp(const ListCell *a, const ListCell *b)
Definition: rowsecurity.c:535
void list_sort(List *list, list_sort_comparator cmp)
Definition: list.c:1482

Variable Documentation

◆ row_security_policy_hook_permissive

row_security_policy_hook_type row_security_policy_hook_permissive = NULL

Definition at line 96 of file rowsecurity.c.

Referenced by _PG_fini(), _PG_init(), and get_policies_for_relation().

◆ row_security_policy_hook_restrictive

row_security_policy_hook_type row_security_policy_hook_restrictive = NULL

Definition at line 97 of file rowsecurity.c.

Referenced by _PG_fini(), _PG_init(), and get_policies_for_relation().