PostgreSQL Source Code  git master
Macros | Functions | Variables
rowsecurity.c File Reference
#include "postgres.h"
#include "access/table.h"
#include "catalog/pg_class.h"
#include "catalog/pg_type.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
#include "nodes/pg_list.h"
#include "parser/parse_relation.h"
#include "rewrite/rewriteDefine.h"
#include "rewrite/rewriteManip.h"
#include "rewrite/rowsecurity.h"
#include "utils/acl.h"
#include "utils/rel.h"
#include "utils/rls.h"
Include dependency graph for rowsecurity.c:

Go to the source code of this file.

Macros

#define QUAL_FOR_WCO(policy)
 

Functions

static void get_policies_for_relation (Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
 
static void sort_policies_by_name (List *policies)
 
static int row_security_policy_cmp (const ListCell *a, const ListCell *b)
 
static void add_security_quals (int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
 
static void add_with_check_options (Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
 
static bool check_role_for_policy (ArrayType *policy_roles, Oid user_id)
 
void get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
 

Variables

row_security_policy_hook_type row_security_policy_hook_permissive = NULL
 
row_security_policy_hook_type row_security_policy_hook_restrictive = NULL
 

Macro Definition Documentation

◆ QUAL_FOR_WCO

#define QUAL_FOR_WCO (   policy)
Value:
( !force_using && \
(policy)->with_check_qual != NULL ? \
(policy)->with_check_qual : (policy)->qual )

Function Documentation

◆ add_security_quals()

static void add_security_quals ( int  rt_index,
List permissive_policies,
List restrictive_policies,
List **  securityQuals,
bool hasSubLinks 
)
static

Definition at line 700 of file rowsecurity.c.

705 {
706  ListCell *item;
707  List *permissive_quals = NIL;
708  Expr *rowsec_expr;
709 
710  /*
711  * First collect up the permissive quals. If we do not find any
712  * permissive policies then no rows are visible (this is handled below).
713  */
714  foreach(item, permissive_policies)
715  {
716  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
717 
718  if (policy->qual != NULL)
719  {
720  permissive_quals = lappend(permissive_quals,
721  copyObject(policy->qual));
722  *hasSubLinks |= policy->hassublinks;
723  }
724  }
725 
726  /*
727  * We must have permissive quals, always, or no rows are visible.
728  *
729  * If we do not, then we simply return a single 'false' qual which results
730  * in no rows being visible.
731  */
732  if (permissive_quals != NIL)
733  {
734  /*
735  * We now know that permissive policies exist, so we can now add
736  * security quals based on the USING clauses from the restrictive
737  * policies. Since these need to be combined together using AND, we
738  * can just add them one at a time.
739  */
740  foreach(item, restrictive_policies)
741  {
742  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
743  Expr *qual;
744 
745  if (policy->qual != NULL)
746  {
747  qual = copyObject(policy->qual);
748  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
749 
750  *securityQuals = list_append_unique(*securityQuals, qual);
751  *hasSubLinks |= policy->hassublinks;
752  }
753  }
754 
755  /*
756  * Then add a single security qual combining together the USING
757  * clauses from all the permissive policies using OR.
758  */
759  if (list_length(permissive_quals) == 1)
760  rowsec_expr = (Expr *) linitial(permissive_quals);
761  else
762  rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
763 
764  ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
765  *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
766  }
767  else
768 
769  /*
770  * A permissive policy must exist for rows to be visible at all.
771  * Therefore, if there were no permissive policies found, return a
772  * single always-false clause.
773  */
774  *securityQuals = lappend(*securityQuals,
775  makeConst(BOOLOID, -1, InvalidOid,
776  sizeof(bool), BoolGetDatum(false),
777  false, true));
778 }
lappend
List * lappend(List *list, void *datum)
Definition: list.c:339
list_append_unique
List * list_append_unique(List *list, void *datum)
Definition: list.c:1343
makeConst
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:301
makeBoolExpr
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:371
copyObject
#define copyObject(obj)
Definition: nodes.h:224
lfirst
#define lfirst(lc)
Definition: pg_list.h:172
list_length
static int list_length(const List *l)
Definition: pg_list.h:152
NIL
#define NIL
Definition: pg_list.h:68
linitial
#define linitial(l)
Definition: pg_list.h:178
BoolGetDatum
static Datum BoolGetDatum(bool X)
Definition: postgres.h:102
InvalidOid
#define InvalidOid
Definition: postgres_ext.h:36
OR_EXPR
@ OR_EXPR
Definition: primnodes.h:901
ChangeVarNodes
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:674
List
Definition: pg_list.h:54
Node
Definition: nodes.h:129

References BoolGetDatum(), ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), NIL, OR_EXPR, and RowSecurityPolicy::qual.

Referenced by get_row_security_policies().

◆ add_with_check_options()

static void add_with_check_options ( Relation  rel,
int  rt_index,
WCOKind  kind,
List permissive_policies,
List restrictive_policies,
List **  withCheckOptions,
bool hasSubLinks,
bool  force_using 
)
static

Definition at line 796 of file rowsecurity.c.

804 {
805  ListCell *item;
806  List *permissive_quals = NIL;
807 
808 #define QUAL_FOR_WCO(policy) \
809  ( !force_using && \
810  (policy)->with_check_qual != NULL ? \
811  (policy)->with_check_qual : (policy)->qual )
812 
813  /*
814  * First collect up the permissive policy clauses, similar to
815  * add_security_quals.
816  */
817  foreach(item, permissive_policies)
818  {
819  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
820  Expr *qual = QUAL_FOR_WCO(policy);
821 
822  if (qual != NULL)
823  {
824  permissive_quals = lappend(permissive_quals, copyObject(qual));
825  *hasSubLinks |= policy->hassublinks;
826  }
827  }
828 
829  /*
830  * There must be at least one permissive qual found or no rows are allowed
831  * to be added. This is the same as in add_security_quals.
832  *
833  * If there are no permissive_quals then we fall through and return a
834  * single 'false' WCO, preventing all new rows.
835  */
836  if (permissive_quals != NIL)
837  {
838  /*
839  * Add a single WithCheckOption for all the permissive policy clauses,
840  * combining them together using OR. This check has no policy name,
841  * since if the check fails it means that no policy granted permission
842  * to perform the update, rather than any particular policy being
843  * violated.
844  */
845  WithCheckOption *wco;
846 
847  wco = makeNode(WithCheckOption);
848  wco->kind = kind;
849  wco->relname = pstrdup(RelationGetRelationName(rel));
850  wco->polname = NULL;
851  wco->cascaded = false;
852 
853  if (list_length(permissive_quals) == 1)
854  wco->qual = (Node *) linitial(permissive_quals);
855  else
856  wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
857 
858  ChangeVarNodes(wco->qual, 1, rt_index, 0);
859 
860  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
861 
862  /*
863  * Now add WithCheckOptions for each of the restrictive policy clauses
864  * (which will be combined together using AND). We use a separate
865  * WithCheckOption for each restrictive policy to allow the policy
866  * name to be included in error reports if the policy is violated.
867  */
868  foreach(item, restrictive_policies)
869  {
870  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
871  Expr *qual = QUAL_FOR_WCO(policy);
872 
873  if (qual != NULL)
874  {
875  qual = copyObject(qual);
876  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
877 
878  wco = makeNode(WithCheckOption);
879  wco->kind = kind;
880  wco->relname = pstrdup(RelationGetRelationName(rel));
881  wco->polname = pstrdup(policy->policy_name);
882  wco->qual = (Node *) qual;
883  wco->cascaded = false;
884 
885  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
886  *hasSubLinks |= policy->hassublinks;
887  }
888  }
889  }
890  else
891  {
892  /*
893  * If there were no policy clauses to check new data, add a single
894  * always-false WCO (a default-deny policy).
895  */
896  WithCheckOption *wco;
897 
898  wco = makeNode(WithCheckOption);
899  wco->kind = kind;
900  wco->relname = pstrdup(RelationGetRelationName(rel));
901  wco->polname = NULL;
902  wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
903  sizeof(bool), BoolGetDatum(false),
904  false, true);
905  wco->cascaded = false;
906 
907  *withCheckOptions = lappend(*withCheckOptions, wco);
908  }
909 }
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1695
makeNode
#define makeNode(_type_)
Definition: nodes.h:155
RelationGetRelationName
#define RelationGetRelationName(relation)
Definition: rel.h:539
QUAL_FOR_WCO
#define QUAL_FOR_WCO(policy)

References BoolGetDatum(), WithCheckOption::cascaded, ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, WithCheckOption::kind, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), makeNode, NIL, OR_EXPR, RowSecurityPolicy::policy_name, WithCheckOption::polname, pstrdup(), WithCheckOption::qual, QUAL_FOR_WCO, RelationGetRelationName, and WithCheckOption::relname.

Referenced by get_row_security_policies().

◆ check_role_for_policy()

static bool check_role_for_policy ( ArrayType policy_roles,
Oid  user_id 
)
static

Definition at line 916 of file rowsecurity.c.

917 {
918  int i;
919  Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
920 
921  /* Quick fall-thru for policies applied to all roles */
922  if (roles[0] == ACL_ID_PUBLIC)
923  return true;
924 
925  for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
926  {
927  if (has_privs_of_role(user_id, roles[i]))
928  return true;
929  }
930 
931  return false;
932 }
has_privs_of_role
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:5128
ACL_ID_PUBLIC
#define ACL_ID_PUBLIC
Definition: acl.h:46
ARR_DATA_PTR
#define ARR_DATA_PTR(a)
Definition: array.h:322
ARR_DIMS
#define ARR_DIMS(a)
Definition: array.h:294
i
int i
Definition: isn.c:73
Oid
unsigned int Oid
Definition: postgres_ext.h:31

References ACL_ID_PUBLIC, ARR_DATA_PTR, ARR_DIMS, has_privs_of_role(), and i.

Referenced by get_policies_for_relation().

◆ get_policies_for_relation()

static void get_policies_for_relation ( Relation  relation,
CmdType  cmd,
Oid  user_id,
List **  permissive_policies,
List **  restrictive_policies 
)
static

Definition at line 541 of file rowsecurity.c.

544 {
545  ListCell *item;
546 
547  *permissive_policies = NIL;
548  *restrictive_policies = NIL;
549 
550  /* First find all internal policies for the relation. */
551  foreach(item, relation->rd_rsdesc->policies)
552  {
553  bool cmd_matches = false;
554  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
555 
556  /* Always add ALL policies, if they exist. */
557  if (policy->polcmd == '*')
558  cmd_matches = true;
559  else
560  {
561  /* Check whether the policy applies to the specified command type */
562  switch (cmd)
563  {
564  case CMD_SELECT:
565  if (policy->polcmd == ACL_SELECT_CHR)
566  cmd_matches = true;
567  break;
568  case CMD_INSERT:
569  if (policy->polcmd == ACL_INSERT_CHR)
570  cmd_matches = true;
571  break;
572  case CMD_UPDATE:
573  if (policy->polcmd == ACL_UPDATE_CHR)
574  cmd_matches = true;
575  break;
576  case CMD_DELETE:
577  if (policy->polcmd == ACL_DELETE_CHR)
578  cmd_matches = true;
579  break;
580  case CMD_MERGE:
581 
582  /*
583  * We do not support a separate policy for MERGE command.
584  * Instead it derives from the policies defined for other
585  * commands.
586  */
587  break;
588  default:
589  elog(ERROR, "unrecognized policy command type %d",
590  (int) cmd);
591  break;
592  }
593  }
594 
595  /*
596  * Add this policy to the relevant list of policies if it applies to
597  * the specified role.
598  */
599  if (cmd_matches && check_role_for_policy(policy->roles, user_id))
600  {
601  if (policy->permissive)
602  *permissive_policies = lappend(*permissive_policies, policy);
603  else
604  *restrictive_policies = lappend(*restrictive_policies, policy);
605  }
606  }
607 
608  /*
609  * We sort restrictive policies by name so that any WCOs they generate are
610  * checked in a well-defined order.
611  */
612  sort_policies_by_name(*restrictive_policies);
613 
614  /*
615  * Then add any permissive or restrictive policies defined by extensions.
616  * These are simply appended to the lists of internal policies, if they
617  * apply to the specified role.
618  */
619  if (row_security_policy_hook_restrictive)
620  {
621  List *hook_policies =
622  (*row_security_policy_hook_restrictive) (cmd, relation);
623 
624  /*
625  * As with built-in restrictive policies, we sort any hook-provided
626  * restrictive policies by name also. Note that we also intentionally
627  * always check all built-in restrictive policies, in name order,
628  * before checking restrictive policies added by hooks, in name order.
629  */
630  sort_policies_by_name(hook_policies);
631 
632  foreach(item, hook_policies)
633  {
634  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
635 
636  if (check_role_for_policy(policy->roles, user_id))
637  *restrictive_policies = lappend(*restrictive_policies, policy);
638  }
639  }
640 
641  if (row_security_policy_hook_permissive)
642  {
643  List *hook_policies =
644  (*row_security_policy_hook_permissive) (cmd, relation);
645 
646  foreach(item, hook_policies)
647  {
648  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
649 
650  if (check_role_for_policy(policy->roles, user_id))
651  *permissive_policies = lappend(*permissive_policies, policy);
652  }
653  }
654 }
ACL_SELECT_CHR
#define ACL_SELECT_CHR
Definition: acl.h:138
ACL_DELETE_CHR
#define ACL_DELETE_CHR
Definition: acl.h:140
ACL_INSERT_CHR
#define ACL_INSERT_CHR
Definition: acl.h:137
ACL_UPDATE_CHR
#define ACL_UPDATE_CHR
Definition: acl.h:139
ERROR
#define ERROR
Definition: elog.h:39
elog
#define elog(elevel,...)
Definition: elog.h:224
CMD_MERGE
@ CMD_MERGE
Definition: nodes.h:269
CMD_INSERT
@ CMD_INSERT
Definition: nodes.h:267
CMD_DELETE
@ CMD_DELETE
Definition: nodes.h:268
CMD_UPDATE
@ CMD_UPDATE
Definition: nodes.h:266
CMD_SELECT
@ CMD_SELECT
Definition: nodes.h:265
row_security_policy_hook_permissive
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:86
check_role_for_policy
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:916
row_security_policy_hook_restrictive
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:87
sort_policies_by_name
static void sort_policies_by_name(List *policies)
Definition: rowsecurity.c:665
RelationData::rd_rsdesc
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:119
RowSecurityPolicy::roles
ArrayType * roles
Definition: rowsecurity.h:24

References ACL_DELETE_CHR, ACL_INSERT_CHR, ACL_SELECT_CHR, ACL_UPDATE_CHR, check_role_for_policy(), CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, elog, ERROR, lappend(), lfirst, NIL, RowSecurityPolicy::permissive, RowSecurityPolicy::polcmd, RowSecurityDesc::policies, RelationData::rd_rsdesc, RowSecurityPolicy::roles, row_security_policy_hook_permissive, row_security_policy_hook_restrictive, and sort_policies_by_name().

Referenced by get_row_security_policies().

◆ get_row_security_policies()

void get_row_security_policies ( Query root,
RangeTblEntry rte,
int  rt_index,
List **  securityQuals,
List **  withCheckOptions,
bool hasRowSecurity,
bool hasSubLinks 
)

Definition at line 98 of file rowsecurity.c.

101 {
102  Oid user_id;
103  int rls_status;
104  Relation rel;
105  CmdType commandType;
106  List *permissive_policies;
107  List *restrictive_policies;
108  RTEPermissionInfo *perminfo;
109 
110  /* Defaults for the return values */
111  *securityQuals = NIL;
112  *withCheckOptions = NIL;
113  *hasRowSecurity = false;
114  *hasSubLinks = false;
115 
116  Assert(rte->rtekind == RTE_RELATION);
117 
118  /* If this is not a normal relation, just return immediately */
119  if (rte->relkind != RELKIND_RELATION &&
120  rte->relkind != RELKIND_PARTITIONED_TABLE)
121  return;
122 
123  perminfo = getRTEPermissionInfo(root->rteperminfos, rte);
124 
125  /* Switch to checkAsUser if it's set */
126  user_id = OidIsValid(perminfo->checkAsUser) ?
127  perminfo->checkAsUser : GetUserId();
128 
129  /* Determine the state of RLS for this, pass checkAsUser explicitly */
130  rls_status = check_enable_rls(rte->relid, perminfo->checkAsUser, false);
131 
132  /* If there is no RLS on this table at all, nothing to do */
133  if (rls_status == RLS_NONE)
134  return;
135 
136  /*
137  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
138  * with changes to the environment, so we mark it as hasRowSecurity to
139  * force a re-plan when the environment changes.
140  */
141  if (rls_status == RLS_NONE_ENV)
142  {
143  /*
144  * Indicate that this query may involve RLS and must therefore be
145  * replanned if the environment changes (GUCs, role), but we are not
146  * adding anything here.
147  */
148  *hasRowSecurity = true;
149 
150  return;
151  }
152 
153  /*
154  * RLS is enabled for this relation.
155  *
156  * Get the security policies that should be applied, based on the command
157  * type. Note that if this isn't the target relation, we actually want
158  * the relation's SELECT policies, regardless of the query command type,
159  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
160  * policies and t2's SELECT policies.
161  */
162  rel = table_open(rte->relid, NoLock);
163 
164  commandType = rt_index == root->resultRelation ?
165  root->commandType : CMD_SELECT;
166 
167  /*
168  * In some cases, we need to apply USING policies (which control the
169  * visibility of records) associated with multiple command types (see
170  * specific cases below).
171  *
172  * When considering the order in which to apply these USING policies, we
173  * prefer to apply higher privileged policies, those which allow the user
174  * to lock records (UPDATE and DELETE), first, followed by policies which
175  * don't (SELECT).
176  *
177  * Note that the optimizer is free to push down and reorder quals which
178  * use leakproof functions.
179  *
180  * In all cases, if there are no policy clauses allowing access to rows in
181  * the table for the specific type of operation, then a single
182  * always-false clause (a default-deny policy) will be added (see
183  * add_security_quals).
184  */
185 
186  /*
187  * For a SELECT, if UPDATE privileges are required (eg: the user has
188  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
189  * first.
190  *
191  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
192  * which the user does not have access to via the UPDATE USING policies,
193  * similar to how we require normal UPDATE rights for these queries.
194  */
195  if (commandType == CMD_SELECT && perminfo->requiredPerms & ACL_UPDATE)
196  {
197  List *update_permissive_policies;
198  List *update_restrictive_policies;
199 
200  get_policies_for_relation(rel, CMD_UPDATE, user_id,
201  &update_permissive_policies,
202  &update_restrictive_policies);
203 
204  add_security_quals(rt_index,
205  update_permissive_policies,
206  update_restrictive_policies,
207  securityQuals,
208  hasSubLinks);
209  }
210 
211  /*
212  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
213  * policies. These security quals control access to existing table rows.
214  * Restrictive policies are combined together using AND, and permissive
215  * policies are combined together using OR.
216  */
217 
218  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
219  &restrictive_policies);
220 
221  if (commandType == CMD_SELECT ||
222  commandType == CMD_UPDATE ||
223  commandType == CMD_DELETE)
224  add_security_quals(rt_index,
225  permissive_policies,
226  restrictive_policies,
227  securityQuals,
228  hasSubLinks);
229 
230  /*
231  * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
232  * are also required (eg: when a RETURNING clause exists, or the user has
233  * provided a WHERE clause which involves columns from the relation), we
234  * collect up CMD_SELECT policies and add them via add_security_quals
235  * first.
236  *
237  * This way, we filter out any records which are not visible through an
238  * ALL or SELECT USING policy.
239  */
240  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE ||
241  commandType == CMD_MERGE) &&
242  perminfo->requiredPerms & ACL_SELECT)
243  {
244  List *select_permissive_policies;
245  List *select_restrictive_policies;
246 
247  get_policies_for_relation(rel, CMD_SELECT, user_id,
248  &select_permissive_policies,
249  &select_restrictive_policies);
250 
251  add_security_quals(rt_index,
252  select_permissive_policies,
253  select_restrictive_policies,
254  securityQuals,
255  hasSubLinks);
256  }
257 
258  /*
259  * For INSERT and UPDATE, add withCheckOptions to verify that any new
260  * records added are consistent with the security policies. This will use
261  * each policy's WITH CHECK clause, or its USING clause if no explicit
262  * WITH CHECK clause is defined.
263  */
264  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
265  {
266  /* This should be the target relation */
267  Assert(rt_index == root->resultRelation);
268 
269  add_with_check_options(rel, rt_index,
270  commandType == CMD_INSERT ?
271  WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
272  permissive_policies,
273  restrictive_policies,
274  withCheckOptions,
275  hasSubLinks,
276  false);
277 
278  /*
279  * Get and add ALL/SELECT policies, if SELECT rights are required for
280  * this relation (eg: when RETURNING is used). These are added as WCO
281  * policies rather than security quals to ensure that an error is
282  * raised if a policy is violated; otherwise, we might end up silently
283  * dropping rows to be added.
284  */
285  if (perminfo->requiredPerms & ACL_SELECT)
286  {
287  List *select_permissive_policies = NIL;
288  List *select_restrictive_policies = NIL;
289 
290  get_policies_for_relation(rel, CMD_SELECT, user_id,
291  &select_permissive_policies,
292  &select_restrictive_policies);
293  add_with_check_options(rel, rt_index,
294  commandType == CMD_INSERT ?
295  WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
296  select_permissive_policies,
297  select_restrictive_policies,
298  withCheckOptions,
299  hasSubLinks,
300  true);
301  }
302 
303  /*
304  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
305  * checks for the UPDATE which may be applied to the same RTE.
306  */
307  if (commandType == CMD_INSERT &&
308  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
309  {
310  List *conflict_permissive_policies;
311  List *conflict_restrictive_policies;
312  List *conflict_select_permissive_policies = NIL;
313  List *conflict_select_restrictive_policies = NIL;
314 
315  /* Get the policies that apply to the auxiliary UPDATE */
316  get_policies_for_relation(rel, CMD_UPDATE, user_id,
317  &conflict_permissive_policies,
318  &conflict_restrictive_policies);
319 
320  /*
321  * Enforce the USING clauses of the UPDATE policies using WCOs
322  * rather than security quals. This ensures that an error is
323  * raised if the conflicting row cannot be updated due to RLS,
324  * rather than the change being silently dropped.
325  */
326  add_with_check_options(rel, rt_index,
327  WCO_RLS_CONFLICT_CHECK,
328  conflict_permissive_policies,
329  conflict_restrictive_policies,
330  withCheckOptions,
331  hasSubLinks,
332  true);
333 
334  /*
335  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
336  * to ensure they are considered when taking the UPDATE path of an
337  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
338  * for this relation, also as WCO policies, again, to avoid
339  * silently dropping data. See above.
340  */
341  if (perminfo->requiredPerms & ACL_SELECT)
342  {
343  get_policies_for_relation(rel, CMD_SELECT, user_id,
344  &conflict_select_permissive_policies,
345  &conflict_select_restrictive_policies);
346  add_with_check_options(rel, rt_index,
347  WCO_RLS_CONFLICT_CHECK,
348  conflict_select_permissive_policies,
349  conflict_select_restrictive_policies,
350  withCheckOptions,
351  hasSubLinks,
352  true);
353  }
354 
355  /* Enforce the WITH CHECK clauses of the UPDATE policies */
356  add_with_check_options(rel, rt_index,
357  WCO_RLS_UPDATE_CHECK,
358  conflict_permissive_policies,
359  conflict_restrictive_policies,
360  withCheckOptions,
361  hasSubLinks,
362  false);
363 
364  /*
365  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
366  * that the final updated row is visible when taking the UPDATE
367  * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
368  * are required for this relation.
369  */
370  if (perminfo->requiredPerms & ACL_SELECT)
371  add_with_check_options(rel, rt_index,
372  WCO_RLS_UPDATE_CHECK,
373  conflict_select_permissive_policies,
374  conflict_select_restrictive_policies,
375  withCheckOptions,
376  hasSubLinks,
377  true);
378  }
379  }
380 
381  /*
382  * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
383  * and set them up so that we can enforce the appropriate policy depending
384  * on the final action we take.
385  *
386  * We already fetched the SELECT policies above, to check existing rows,
387  * but we must also check that new rows created by INSERT/UPDATE actions
388  * are visible, if SELECT rights are required. For INSERT actions, we only
389  * do this if RETURNING is specified, to be consistent with a plain INSERT
390  * command, which can only require SELECT rights when RETURNING is used.
391  *
392  * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
393  * really want to apply them while scanning the relation since we don't
394  * know whether we will be doing an UPDATE or a DELETE at the end. We
395  * apply the respective policy once we decide the final action on the
396  * target tuple.
397  *
398  * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
399  * UPDATE/DELETE on the target row, we shall throw an error instead of
400  * silently ignoring the row. This is different than how normal
401  * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO UPDATE
402  * handling.
403  */
404  if (commandType == CMD_MERGE)
405  {
406  List *merge_update_permissive_policies;
407  List *merge_update_restrictive_policies;
408  List *merge_delete_permissive_policies;
409  List *merge_delete_restrictive_policies;
410  List *merge_insert_permissive_policies;
411  List *merge_insert_restrictive_policies;
412  List *merge_select_permissive_policies = NIL;
413  List *merge_select_restrictive_policies = NIL;
414 
415  /*
416  * Fetch the UPDATE policies and set them up to execute on the
417  * existing target row before doing UPDATE.
418  */
419  get_policies_for_relation(rel, CMD_UPDATE, user_id,
420  &merge_update_permissive_policies,
421  &merge_update_restrictive_policies);
422 
423  /*
424  * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
425  * the existing target row.
426  */
427  add_with_check_options(rel, rt_index,
428  WCO_RLS_MERGE_UPDATE_CHECK,
429  merge_update_permissive_policies,
430  merge_update_restrictive_policies,
431  withCheckOptions,
432  hasSubLinks,
433  true);
434 
435  /* Enforce the WITH CHECK clauses of the UPDATE policies */
436  add_with_check_options(rel, rt_index,
437  WCO_RLS_UPDATE_CHECK,
438  merge_update_permissive_policies,
439  merge_update_restrictive_policies,
440  withCheckOptions,
441  hasSubLinks,
442  false);
443 
444  /*
445  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
446  * that the updated row is visible when executing an UPDATE action, if
447  * SELECT rights are required for this relation.
448  */
449  if (perminfo->requiredPerms & ACL_SELECT)
450  {
451  get_policies_for_relation(rel, CMD_SELECT, user_id,
452  &merge_select_permissive_policies,
453  &merge_select_restrictive_policies);
454  add_with_check_options(rel, rt_index,
455  WCO_RLS_UPDATE_CHECK,
456  merge_select_permissive_policies,
457  merge_select_restrictive_policies,
458  withCheckOptions,
459  hasSubLinks,
460  true);
461  }
462 
463  /*
464  * Fetch the DELETE policies and set them up to execute on the
465  * existing target row before doing DELETE.
466  */
467  get_policies_for_relation(rel, CMD_DELETE, user_id,
468  &merge_delete_permissive_policies,
469  &merge_delete_restrictive_policies);
470 
471  /*
472  * WCO_RLS_MERGE_DELETE_CHECK is used to check DELETE USING quals on
473  * the existing target row.
474  */
475  add_with_check_options(rel, rt_index,
476  WCO_RLS_MERGE_DELETE_CHECK,
477  merge_delete_permissive_policies,
478  merge_delete_restrictive_policies,
479  withCheckOptions,
480  hasSubLinks,
481  true);
482 
483  /*
484  * No special handling is required for INSERT policies. They will be
485  * checked and enforced during ExecInsert(). But we must add them to
486  * withCheckOptions.
487  */
488  get_policies_for_relation(rel, CMD_INSERT, user_id,
489  &merge_insert_permissive_policies,
490  &merge_insert_restrictive_policies);
491 
492  add_with_check_options(rel, rt_index,
493  WCO_RLS_INSERT_CHECK,
494  merge_insert_permissive_policies,
495  merge_insert_restrictive_policies,
496  withCheckOptions,
497  hasSubLinks,
498  false);
499 
500  /*
501  * Add ALL/SELECT policies as WCO_RLS_INSERT_CHECK WCOs, to ensure
502  * that the inserted row is visible when executing an INSERT action,
503  * if RETURNING is specified and SELECT rights are required for this
504  * relation.
505  */
506  if (perminfo->requiredPerms & ACL_SELECT && root->returningList)
507  add_with_check_options(rel, rt_index,
508  WCO_RLS_INSERT_CHECK,
509  merge_select_permissive_policies,
510  merge_select_restrictive_policies,
511  withCheckOptions,
512  hasSubLinks,
513  true);
514  }
515 
516  table_close(rel, NoLock);
517 
518  /*
519  * Copy checkAsUser to the row security quals and WithCheckOption checks,
520  * in case they contain any subqueries referring to other relations.
521  */
522  setRuleCheckAsUser((Node *) *securityQuals, perminfo->checkAsUser);
523  setRuleCheckAsUser((Node *) *withCheckOptions, perminfo->checkAsUser);
524 
525  /*
526  * Mark this query as having row security, so plancache can invalidate it
527  * when necessary (eg: role changes)
528  */
529  *hasRowSecurity = true;
530 }
Assert
#define Assert(condition)
Definition: c.h:858
OidIsValid
#define OidIsValid(objectId)
Definition: c.h:775
NoLock
#define NoLock
Definition: lockdefs.h:34
GetUserId
Oid GetUserId(void)
Definition: miscinit.c:514
ONCONFLICT_UPDATE
@ ONCONFLICT_UPDATE
Definition: nodes.h:419
CmdType
CmdType
Definition: nodes.h:263
getRTEPermissionInfo
RTEPermissionInfo * getRTEPermissionInfo(List *rteperminfos, RangeTblEntry *rte)
Definition: parse_relation.c:3903
WCO_RLS_MERGE_UPDATE_CHECK
@ WCO_RLS_MERGE_UPDATE_CHECK
Definition: parsenodes.h:1367
WCO_RLS_CONFLICT_CHECK
@ WCO_RLS_CONFLICT_CHECK
Definition: parsenodes.h:1366
WCO_RLS_INSERT_CHECK
@ WCO_RLS_INSERT_CHECK
Definition: parsenodes.h:1364
WCO_RLS_UPDATE_CHECK
@ WCO_RLS_UPDATE_CHECK
Definition: parsenodes.h:1365
WCO_RLS_MERGE_DELETE_CHECK
@ WCO_RLS_MERGE_DELETE_CHECK
Definition: parsenodes.h:1368
ACL_UPDATE
#define ACL_UPDATE
Definition: parsenodes.h:78
RTE_RELATION
@ RTE_RELATION
Definition: parsenodes.h:1028
ACL_SELECT
#define ACL_SELECT
Definition: parsenodes.h:77
root
tree ctl root
Definition: radixtree.h:1880
setRuleCheckAsUser
void setRuleCheckAsUser(Node *node, Oid userid)
Definition: rewriteDefine.c:631
check_enable_rls
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:52
RLS_NONE
@ RLS_NONE
Definition: rls.h:43
RLS_NONE_ENV
@ RLS_NONE_ENV
Definition: rls.h:44
add_with_check_options
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:796
get_policies_for_relation
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:541
add_security_quals
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:700
RTEPermissionInfo::requiredPerms
AclMode requiredPerms
Definition: parsenodes.h:1295
RangeTblEntry::rtekind
RTEKind rtekind
Definition: parsenodes.h:1057
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40

References ACL_SELECT, ACL_UPDATE, add_security_quals(), add_with_check_options(), Assert, check_enable_rls(), RTEPermissionInfo::checkAsUser, CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, get_policies_for_relation(), getRTEPermissionInfo(), GetUserId(), NIL, NoLock, OidIsValid, ONCONFLICT_UPDATE, RangeTblEntry::relid, RTEPermissionInfo::requiredPerms, RLS_NONE, RLS_NONE_ENV, root, RTE_RELATION, RangeTblEntry::rtekind, setRuleCheckAsUser(), table_close(), table_open(), WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, WCO_RLS_MERGE_DELETE_CHECK, WCO_RLS_MERGE_UPDATE_CHECK, and WCO_RLS_UPDATE_CHECK.

Referenced by fireRIRrules().

◆ row_security_policy_cmp()

static int row_security_policy_cmp ( const ListCell a,
const ListCell b 
)
static

Definition at line 674 of file rowsecurity.c.

675 {
676  const RowSecurityPolicy *pa = (const RowSecurityPolicy *) lfirst(a);
677  const RowSecurityPolicy *pb = (const RowSecurityPolicy *) lfirst(b);
678 
679  /* Guard against NULL policy names from extensions */
680  if (pa->policy_name == NULL)
681  return pb->policy_name == NULL ? 0 : 1;
682  if (pb->policy_name == NULL)
683  return -1;
684 
685  return strcmp(pa->policy_name, pb->policy_name);
686 }
b
int b
Definition: isn.c:70
a
int a
Definition: isn.c:69

References a, b, lfirst, and RowSecurityPolicy::policy_name.

Referenced by sort_policies_by_name().

◆ sort_policies_by_name()

static void sort_policies_by_name ( List policies)
static

Definition at line 665 of file rowsecurity.c.

666 {
667  list_sort(policies, row_security_policy_cmp);
668 }
list_sort
void list_sort(List *list, list_sort_comparator cmp)
Definition: list.c:1674
row_security_policy_cmp
static int row_security_policy_cmp(const ListCell *a, const ListCell *b)
Definition: rowsecurity.c:674

References list_sort(), and row_security_policy_cmp().

Referenced by get_policies_for_relation().

Variable Documentation

◆ row_security_policy_hook_permissive

row_security_policy_hook_type row_security_policy_hook_permissive = NULL

Definition at line 86 of file rowsecurity.c.

Referenced by _PG_init(), and get_policies_for_relation().

◆ row_security_policy_hook_restrictive

row_security_policy_hook_type row_security_policy_hook_restrictive = NULL

Definition at line 87 of file rowsecurity.c.

Referenced by _PG_init(), and get_policies_for_relation().