PostgreSQL Source Code  git master
rowsecurity.c File Reference
#include "postgres.h"
#include "access/heapam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "catalog/pg_class.h"
#include "catalog/pg_inherits_fn.h"
#include "catalog/pg_policy.h"
#include "catalog/pg_type.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
#include "nodes/nodeFuncs.h"
#include "nodes/pg_list.h"
#include "nodes/plannodes.h"
#include "parser/parsetree.h"
#include "rewrite/rewriteHandler.h"
#include "rewrite/rewriteManip.h"
#include "rewrite/rowsecurity.h"
#include "utils/acl.h"
#include "utils/lsyscache.h"
#include "utils/rel.h"
#include "utils/rls.h"
#include "utils/syscache.h"
#include "tcop/utility.h"
Include dependency graph for rowsecurity.c:

Go to the source code of this file.

Macros

#define QUAL_FOR_WCO(policy)
 

Functions

static void get_policies_for_relation (Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
 
static Listsort_policies_by_name (List *policies)
 
static int row_security_policy_cmp (const void *a, const void *b)
 
static void add_security_quals (int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
 
static void add_with_check_options (Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
 
static bool check_role_for_policy (ArrayType *policy_roles, Oid user_id)
 
void get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
 

Variables

row_security_policy_hook_type row_security_policy_hook_permissive = NULL
 
row_security_policy_hook_type row_security_policy_hook_restrictive = NULL
 

Macro Definition Documentation

◆ QUAL_FOR_WCO

#define QUAL_FOR_WCO (   policy)
Value:
( !force_using && \
(policy)->with_check_qual != NULL ? \
(policy)->with_check_qual : (policy)->qual )

Referenced by add_with_check_options().

Function Documentation

◆ add_security_quals()

static void add_security_quals ( int  rt_index,
List permissive_policies,
List restrictive_policies,
List **  securityQuals,
bool hasSubLinks 
)
static

Definition at line 576 of file rowsecurity.c.

References BoolGetDatum, BOOLOID, ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), NIL, OR_EXPR, and RowSecurityPolicy::qual.

Referenced by get_row_security_policies().

581 {
582  ListCell *item;
583  List *permissive_quals = NIL;
584  Expr *rowsec_expr;
585 
586  /*
587  * First collect up the permissive quals. If we do not find any
588  * permissive policies then no rows are visible (this is handled below).
589  */
590  foreach(item, permissive_policies)
591  {
592  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
593 
594  if (policy->qual != NULL)
595  {
596  permissive_quals = lappend(permissive_quals,
597  copyObject(policy->qual));
598  *hasSubLinks |= policy->hassublinks;
599  }
600  }
601 
602  /*
603  * We must have permissive quals, always, or no rows are visible.
604  *
605  * If we do not, then we simply return a single 'false' qual which results
606  * in no rows being visible.
607  */
608  if (permissive_quals != NIL)
609  {
610  /*
611  * We now know that permissive policies exist, so we can now add
612  * security quals based on the USING clauses from the restrictive
613  * policies. Since these need to be combined together using AND, we
614  * can just add them one at a time.
615  */
616  foreach(item, restrictive_policies)
617  {
618  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
619  Expr *qual;
620 
621  if (policy->qual != NULL)
622  {
623  qual = copyObject(policy->qual);
624  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
625 
626  *securityQuals = list_append_unique(*securityQuals, qual);
627  *hasSubLinks |= policy->hassublinks;
628  }
629  }
630 
631  /*
632  * Then add a single security qual combining together the USING
633  * clauses from all the permissive policies using OR.
634  */
635  if (list_length(permissive_quals) == 1)
636  rowsec_expr = (Expr *) linitial(permissive_quals);
637  else
638  rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
639 
640  ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
641  *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
642  }
643  else
644 
645  /*
646  * A permissive policy must exist for rows to be visible at all.
647  * Therefore, if there were no permissive policies found, return a
648  * single always-false clause.
649  */
650  *securityQuals = lappend(*securityQuals,
652  sizeof(bool), BoolGetDatum(false),
653  false, true));
654 }
#define NIL
Definition: pg_list.h:69
Definition: nodes.h:512
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:298
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:368
#define linitial(l)
Definition: pg_list.h:111
List * list_append_unique(List *list, void *datum)
Definition: list.c:962
List * lappend(List *list, void *datum)
Definition: list.c:128
#define BoolGetDatum(X)
Definition: postgres.h:408
#define InvalidOid
Definition: postgres_ext.h:36
#define lfirst(lc)
Definition: pg_list.h:106
static int list_length(const List *l)
Definition: pg_list.h:89
#define BOOLOID
Definition: pg_type.h:288
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:607
#define copyObject(obj)
Definition: nodes.h:625
Definition: pg_list.h:45

◆ add_with_check_options()

static void add_with_check_options ( Relation  rel,
int  rt_index,
WCOKind  kind,
List permissive_policies,
List restrictive_policies,
List **  withCheckOptions,
bool hasSubLinks,
bool  force_using 
)
static

Definition at line 672 of file rowsecurity.c.

References BoolGetDatum, BOOLOID, WithCheckOption::cascaded, ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, WithCheckOption::kind, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), makeNode, NIL, OR_EXPR, RowSecurityPolicy::policy_name, WithCheckOption::polname, pstrdup(), WithCheckOption::qual, QUAL_FOR_WCO, RelationGetRelationName, and WithCheckOption::relname.

Referenced by get_row_security_policies().

680 {
681  ListCell *item;
682  List *permissive_quals = NIL;
683 
684 #define QUAL_FOR_WCO(policy) \
685  ( !force_using && \
686  (policy)->with_check_qual != NULL ? \
687  (policy)->with_check_qual : (policy)->qual )
688 
689  /*
690  * First collect up the permissive policy clauses, similar to
691  * add_security_quals.
692  */
693  foreach(item, permissive_policies)
694  {
695  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
696  Expr *qual = QUAL_FOR_WCO(policy);
697 
698  if (qual != NULL)
699  {
700  permissive_quals = lappend(permissive_quals, copyObject(qual));
701  *hasSubLinks |= policy->hassublinks;
702  }
703  }
704 
705  /*
706  * There must be at least one permissive qual found or no rows are allowed
707  * to be added. This is the same as in add_security_quals.
708  *
709  * If there are no permissive_quals then we fall through and return a
710  * single 'false' WCO, preventing all new rows.
711  */
712  if (permissive_quals != NIL)
713  {
714  /*
715  * Add a single WithCheckOption for all the permissive policy clauses,
716  * combining them together using OR. This check has no policy name,
717  * since if the check fails it means that no policy granted permission
718  * to perform the update, rather than any particular policy being
719  * violated.
720  */
721  WithCheckOption *wco;
722 
723  wco = makeNode(WithCheckOption);
724  wco->kind = kind;
726  wco->polname = NULL;
727  wco->cascaded = false;
728 
729  if (list_length(permissive_quals) == 1)
730  wco->qual = (Node *) linitial(permissive_quals);
731  else
732  wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
733 
734  ChangeVarNodes(wco->qual, 1, rt_index, 0);
735 
736  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
737 
738  /*
739  * Now add WithCheckOptions for each of the restrictive policy clauses
740  * (which will be combined together using AND). We use a separate
741  * WithCheckOption for each restrictive policy to allow the policy
742  * name to be included in error reports if the policy is violated.
743  */
744  foreach(item, restrictive_policies)
745  {
746  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
747  Expr *qual = QUAL_FOR_WCO(policy);
748  WithCheckOption *wco;
749 
750  if (qual != NULL)
751  {
752  qual = copyObject(qual);
753  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
754 
755  wco = makeNode(WithCheckOption);
756  wco->kind = kind;
758  wco->polname = pstrdup(policy->policy_name);
759  wco->qual = (Node *) qual;
760  wco->cascaded = false;
761 
762  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
763  *hasSubLinks |= policy->hassublinks;
764  }
765  }
766  }
767  else
768  {
769  /*
770  * If there were no policy clauses to check new data, add a single
771  * always-false WCO (a default-deny policy).
772  */
773  WithCheckOption *wco;
774 
775  wco = makeNode(WithCheckOption);
776  wco->kind = kind;
778  wco->polname = NULL;
779  wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
780  sizeof(bool), BoolGetDatum(false),
781  false, true);
782  wco->cascaded = false;
783 
784  *withCheckOptions = lappend(*withCheckOptions, wco);
785  }
786 }
#define NIL
Definition: pg_list.h:69
char * pstrdup(const char *in)
Definition: mcxt.c:1063
Definition: nodes.h:512
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:298
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:368
#define QUAL_FOR_WCO(policy)
#define linitial(l)
Definition: pg_list.h:111
List * list_append_unique(List *list, void *datum)
Definition: list.c:962
#define RelationGetRelationName(relation)
Definition: rel.h:445
List * lappend(List *list, void *datum)
Definition: list.c:128
#define BoolGetDatum(X)
Definition: postgres.h:408
#define InvalidOid
Definition: postgres_ext.h:36
#define makeNode(_type_)
Definition: nodes.h:560
#define lfirst(lc)
Definition: pg_list.h:106
static int list_length(const List *l)
Definition: pg_list.h:89
#define BOOLOID
Definition: pg_type.h:288
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:607
#define copyObject(obj)
Definition: nodes.h:625
Definition: pg_list.h:45

◆ check_role_for_policy()

static bool check_role_for_policy ( ArrayType policy_roles,
Oid  user_id 
)
static

Definition at line 793 of file rowsecurity.c.

References ACL_ID_PUBLIC, ARR_DATA_PTR, ARR_DIMS, has_privs_of_role(), and i.

Referenced by get_policies_for_relation().

794 {
795  int i;
796  Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
797 
798  /* Quick fall-thru for policies applied to all roles */
799  if (roles[0] == ACL_ID_PUBLIC)
800  return true;
801 
802  for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
803  {
804  if (has_privs_of_role(user_id, roles[i]))
805  return true;
806  }
807 
808  return false;
809 }
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4833
unsigned int Oid
Definition: postgres_ext.h:31
#define ARR_DIMS(a)
Definition: array.h:279
#define ARR_DATA_PTR(a)
Definition: array.h:307
int i
#define ACL_ID_PUBLIC
Definition: acl.h:47

◆ get_policies_for_relation()

static void get_policies_for_relation ( Relation  relation,
CmdType  cmd,
Oid  user_id,
List **  permissive_policies,
List **  restrictive_policies 
)
static

Definition at line 402 of file rowsecurity.c.

References ACL_DELETE_CHR, ACL_INSERT_CHR, ACL_SELECT_CHR, ACL_UPDATE_CHR, check_role_for_policy(), CMD_DELETE, CMD_INSERT, CMD_SELECT, CMD_UPDATE, elog, ERROR, lappend(), lfirst, NIL, RowSecurityPolicy::permissive, RowSecurityPolicy::polcmd, RowSecurityDesc::policies, RelationData::rd_rsdesc, RowSecurityPolicy::roles, row_security_policy_hook_permissive, row_security_policy_hook_restrictive, and sort_policies_by_name().

Referenced by get_row_security_policies().

405 {
406  ListCell *item;
407 
408  *permissive_policies = NIL;
409  *restrictive_policies = NIL;
410 
411  /* First find all internal policies for the relation. */
412  foreach(item, relation->rd_rsdesc->policies)
413  {
414  bool cmd_matches = false;
415  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
416 
417  /* Always add ALL policies, if they exist. */
418  if (policy->polcmd == '*')
419  cmd_matches = true;
420  else
421  {
422  /* Check whether the policy applies to the specified command type */
423  switch (cmd)
424  {
425  case CMD_SELECT:
426  if (policy->polcmd == ACL_SELECT_CHR)
427  cmd_matches = true;
428  break;
429  case CMD_INSERT:
430  if (policy->polcmd == ACL_INSERT_CHR)
431  cmd_matches = true;
432  break;
433  case CMD_UPDATE:
434  if (policy->polcmd == ACL_UPDATE_CHR)
435  cmd_matches = true;
436  break;
437  case CMD_DELETE:
438  if (policy->polcmd == ACL_DELETE_CHR)
439  cmd_matches = true;
440  break;
441  default:
442  elog(ERROR, "unrecognized policy command type %d",
443  (int) cmd);
444  break;
445  }
446  }
447 
448  /*
449  * Add this policy to the relevant list of policies if it applies to
450  * the specified role.
451  */
452  if (cmd_matches && check_role_for_policy(policy->roles, user_id))
453  {
454  if (policy->permissive)
455  *permissive_policies = lappend(*permissive_policies, policy);
456  else
457  *restrictive_policies = lappend(*restrictive_policies, policy);
458  }
459  }
460 
461  /*
462  * We sort restrictive policies by name so that any WCOs they generate are
463  * checked in a well-defined order.
464  */
465  *restrictive_policies = sort_policies_by_name(*restrictive_policies);
466 
467  /*
468  * Then add any permissive or restrictive policies defined by extensions.
469  * These are simply appended to the lists of internal policies, if they
470  * apply to the specified role.
471  */
473  {
474  List *hook_policies =
475  (*row_security_policy_hook_restrictive) (cmd, relation);
476 
477  /*
478  * As with built-in restrictive policies, we sort any hook-provided
479  * restrictive policies by name also. Note that we also intentionally
480  * always check all built-in restrictive policies, in name order,
481  * before checking restrictive policies added by hooks, in name order.
482  */
483  hook_policies = sort_policies_by_name(hook_policies);
484 
485  foreach(item, hook_policies)
486  {
487  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
488 
489  if (check_role_for_policy(policy->roles, user_id))
490  *restrictive_policies = lappend(*restrictive_policies, policy);
491  }
492  }
493 
495  {
496  List *hook_policies =
497  (*row_security_policy_hook_permissive) (cmd, relation);
498 
499  foreach(item, hook_policies)
500  {
501  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
502 
503  if (check_role_for_policy(policy->roles, user_id))
504  *permissive_policies = lappend(*permissive_policies, policy);
505  }
506  }
507 }
#define NIL
Definition: pg_list.h:69
#define ACL_INSERT_CHR
Definition: acl.h:138
#define ACL_DELETE_CHR
Definition: acl.h:141
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:95
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:793
#define ERROR
Definition: elog.h:43
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:96
ArrayType * roles
Definition: rowsecurity.h:24
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:122
static List * sort_policies_by_name(List *policies)
Definition: rowsecurity.c:518
List * lappend(List *list, void *datum)
Definition: list.c:128
#define ACL_SELECT_CHR
Definition: acl.h:139
#define lfirst(lc)
Definition: pg_list.h:106
#define ACL_UPDATE_CHR
Definition: acl.h:140
#define elog
Definition: elog.h:219
Definition: pg_list.h:45

◆ get_row_security_policies()

void get_row_security_policies ( Query root,
RangeTblEntry rte,
int  rt_index,
List **  securityQuals,
List **  withCheckOptions,
bool hasRowSecurity,
bool hasSubLinks 
)

Definition at line 107 of file rowsecurity.c.

References ACL_SELECT, ACL_UPDATE, OnConflictExpr::action, add_security_quals(), add_with_check_options(), Assert, check_enable_rls(), RangeTblEntry::checkAsUser, CMD_DELETE, CMD_INSERT, CMD_SELECT, CMD_UPDATE, Query::commandType, get_policies_for_relation(), GetUserId(), heap_close, heap_open(), NIL, NoLock, Query::onConflict, ONCONFLICT_UPDATE, RangeTblEntry::relid, RangeTblEntry::relkind, RELKIND_PARTITIONED_TABLE, RELKIND_RELATION, RangeTblEntry::requiredPerms, Query::resultRelation, RLS_NONE, RLS_NONE_ENV, WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, and WCO_RLS_UPDATE_CHECK.

Referenced by fireRIRrules().

110 {
111  Oid user_id;
112  int rls_status;
113  Relation rel;
114  CmdType commandType;
115  List *permissive_policies;
116  List *restrictive_policies;
117 
118  /* Defaults for the return values */
119  *securityQuals = NIL;
120  *withCheckOptions = NIL;
121  *hasRowSecurity = false;
122  *hasSubLinks = false;
123 
124  /* If this is not a normal relation, just return immediately */
125  if (rte->relkind != RELKIND_RELATION &&
127  return;
128 
129  /* Switch to checkAsUser if it's set */
130  user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
131 
132  /* Determine the state of RLS for this, pass checkAsUser explicitly */
133  rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
134 
135  /* If there is no RLS on this table at all, nothing to do */
136  if (rls_status == RLS_NONE)
137  return;
138 
139  /*
140  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
141  * with changes to the environment, so we mark it as hasRowSecurity to
142  * force a re-plan when the environment changes.
143  */
144  if (rls_status == RLS_NONE_ENV)
145  {
146  /*
147  * Indicate that this query may involve RLS and must therefore be
148  * replanned if the environment changes (GUCs, role), but we are not
149  * adding anything here.
150  */
151  *hasRowSecurity = true;
152 
153  return;
154  }
155 
156  /*
157  * RLS is enabled for this relation.
158  *
159  * Get the security policies that should be applied, based on the command
160  * type. Note that if this isn't the target relation, we actually want
161  * the relation's SELECT policies, regardless of the query command type,
162  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
163  * policies and t2's SELECT policies.
164  */
165  rel = heap_open(rte->relid, NoLock);
166 
167  commandType = rt_index == root->resultRelation ?
168  root->commandType : CMD_SELECT;
169 
170  /*
171  * In some cases, we need to apply USING policies (which control the
172  * visibility of records) associated with multiple command types (see
173  * specific cases below).
174  *
175  * When considering the order in which to apply these USING policies, we
176  * prefer to apply higher privileged policies, those which allow the user
177  * to lock records (UPDATE and DELETE), first, followed by policies which
178  * don't (SELECT).
179  *
180  * Note that the optimizer is free to push down and reorder quals which
181  * use leakproof functions.
182  *
183  * In all cases, if there are no policy clauses allowing access to rows in
184  * the table for the specific type of operation, then a single
185  * always-false clause (a default-deny policy) will be added (see
186  * add_security_quals).
187  */
188 
189  /*
190  * For a SELECT, if UPDATE privileges are required (eg: the user has
191  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
192  * first.
193  *
194  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
195  * which the user does not have access to via the UPDATE USING policies,
196  * similar to how we require normal UPDATE rights for these queries.
197  */
198  if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
199  {
200  List *update_permissive_policies;
201  List *update_restrictive_policies;
202 
204  &update_permissive_policies,
205  &update_restrictive_policies);
206 
207  add_security_quals(rt_index,
208  update_permissive_policies,
209  update_restrictive_policies,
210  securityQuals,
211  hasSubLinks);
212  }
213 
214  /*
215  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
216  * policies. These security quals control access to existing table rows.
217  * Restrictive policies are combined together using AND, and permissive
218  * policies are combined together using OR.
219  */
220 
221  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
222  &restrictive_policies);
223 
224  if (commandType == CMD_SELECT ||
225  commandType == CMD_UPDATE ||
226  commandType == CMD_DELETE)
227  add_security_quals(rt_index,
228  permissive_policies,
229  restrictive_policies,
230  securityQuals,
231  hasSubLinks);
232 
233  /*
234  * Similar to above, during an UPDATE or DELETE, if SELECT rights are also
235  * required (eg: when a RETURNING clause exists, or the user has provided
236  * a WHERE clause which involves columns from the relation), we collect up
237  * CMD_SELECT policies and add them via add_security_quals first.
238  *
239  * This way, we filter out any records which are not visible through an
240  * ALL or SELECT USING policy.
241  */
242  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE) &&
243  rte->requiredPerms & ACL_SELECT)
244  {
245  List *select_permissive_policies;
246  List *select_restrictive_policies;
247 
249  &select_permissive_policies,
250  &select_restrictive_policies);
251 
252  add_security_quals(rt_index,
253  select_permissive_policies,
254  select_restrictive_policies,
255  securityQuals,
256  hasSubLinks);
257  }
258 
259  /*
260  * For INSERT and UPDATE, add withCheckOptions to verify that any new
261  * records added are consistent with the security policies. This will use
262  * each policy's WITH CHECK clause, or its USING clause if no explicit
263  * WITH CHECK clause is defined.
264  */
265  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
266  {
267  /* This should be the target relation */
268  Assert(rt_index == root->resultRelation);
269 
270  add_with_check_options(rel, rt_index,
271  commandType == CMD_INSERT ?
273  permissive_policies,
274  restrictive_policies,
275  withCheckOptions,
276  hasSubLinks,
277  false);
278 
279  /*
280  * Get and add ALL/SELECT policies, if SELECT rights are required for
281  * this relation (eg: when RETURNING is used). These are added as WCO
282  * policies rather than security quals to ensure that an error is
283  * raised if a policy is violated; otherwise, we might end up silently
284  * dropping rows to be added.
285  */
286  if (rte->requiredPerms & ACL_SELECT)
287  {
288  List *select_permissive_policies = NIL;
289  List *select_restrictive_policies = NIL;
290 
292  &select_permissive_policies,
293  &select_restrictive_policies);
294  add_with_check_options(rel, rt_index,
295  commandType == CMD_INSERT ?
297  select_permissive_policies,
298  select_restrictive_policies,
299  withCheckOptions,
300  hasSubLinks,
301  true);
302  }
303 
304  /*
305  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
306  * checks for the UPDATE which may be applied to the same RTE.
307  */
308  if (commandType == CMD_INSERT &&
309  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
310  {
311  List *conflict_permissive_policies;
312  List *conflict_restrictive_policies;
313  List *conflict_select_permissive_policies = NIL;
314  List *conflict_select_restrictive_policies = NIL;
315 
316  /* Get the policies that apply to the auxiliary UPDATE */
318  &conflict_permissive_policies,
319  &conflict_restrictive_policies);
320 
321  /*
322  * Enforce the USING clauses of the UPDATE policies using WCOs
323  * rather than security quals. This ensures that an error is
324  * raised if the conflicting row cannot be updated due to RLS,
325  * rather than the change being silently dropped.
326  */
327  add_with_check_options(rel, rt_index,
329  conflict_permissive_policies,
330  conflict_restrictive_policies,
331  withCheckOptions,
332  hasSubLinks,
333  true);
334 
335  /*
336  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
337  * to ensure they are considered when taking the UPDATE path of an
338  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
339  * for this relation, also as WCO policies, again, to avoid
340  * silently dropping data. See above.
341  */
342  if (rte->requiredPerms & ACL_SELECT)
343  {
345  &conflict_select_permissive_policies,
346  &conflict_select_restrictive_policies);
347  add_with_check_options(rel, rt_index,
349  conflict_select_permissive_policies,
350  conflict_select_restrictive_policies,
351  withCheckOptions,
352  hasSubLinks,
353  true);
354  }
355 
356  /* Enforce the WITH CHECK clauses of the UPDATE policies */
357  add_with_check_options(rel, rt_index,
359  conflict_permissive_policies,
360  conflict_restrictive_policies,
361  withCheckOptions,
362  hasSubLinks,
363  false);
364 
365  /*
366  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
367  * that the final updated row is visible when taking the UPDATE
368  * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
369  * are required for this relation.
370  */
371  if (rte->requiredPerms & ACL_SELECT)
372  add_with_check_options(rel, rt_index,
374  conflict_select_permissive_policies,
375  conflict_select_restrictive_policies,
376  withCheckOptions,
377  hasSubLinks,
378  true);
379  }
380  }
381 
382  heap_close(rel, NoLock);
383 
384  /*
385  * Mark this query as having row security, so plancache can invalidate it
386  * when necessary (eg: role changes)
387  */
388  *hasRowSecurity = true;
389 
390  return;
391 }
#define NIL
Definition: pg_list.h:69
Oid GetUserId(void)
Definition: miscinit.c:284
OnConflictExpr * onConflict
Definition: parsenodes.h:142
int resultRelation
Definition: parsenodes.h:120
AclMode requiredPerms
Definition: parsenodes.h:1059
#define heap_close(r, l)
Definition: heapam.h:97
unsigned int Oid
Definition: postgres_ext.h:31
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:576
#define NoLock
Definition: lockdefs.h:34
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:672
OnConflictAction action
Definition: primnodes.h:1494
#define ACL_UPDATE
Definition: parsenodes.h:74
#define RELKIND_PARTITIONED_TABLE
Definition: pg_class.h:168
#define ACL_SELECT
Definition: parsenodes.h:73
Relation heap_open(Oid relationId, LOCKMODE lockmode)
Definition: heapam.c:1290
CmdType commandType
Definition: parsenodes.h:110
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:53
#define Assert(condition)
Definition: c.h:680
#define RELKIND_RELATION
Definition: pg_class.h:160
Definition: rls.h:43
Definition: pg_list.h:45
CmdType
Definition: nodes.h:652
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:402

◆ row_security_policy_cmp()

static int row_security_policy_cmp ( const void *  a,
const void *  b 
)
static

Definition at line 550 of file rowsecurity.c.

References RowSecurityPolicy::policy_name.

Referenced by sort_policies_by_name().

551 {
552  const RowSecurityPolicy *pa = (const RowSecurityPolicy *) a;
553  const RowSecurityPolicy *pb = (const RowSecurityPolicy *) b;
554 
555  /* Guard against NULL policy names from extensions */
556  if (pa->policy_name == NULL)
557  return pb->policy_name == NULL ? 0 : 1;
558  if (pb->policy_name == NULL)
559  return -1;
560 
561  return strcmp(pa->policy_name, pb->policy_name);
562 }

◆ sort_policies_by_name()

static List * sort_policies_by_name ( List policies)
static

Definition at line 518 of file rowsecurity.c.

References lappend(), lfirst, list_length(), NIL, palloc(), qsort, and row_security_policy_cmp().

Referenced by get_policies_for_relation().

519 {
520  int npol = list_length(policies);
521  RowSecurityPolicy *pols;
522  ListCell *item;
523  int ii = 0;
524 
525  if (npol <= 1)
526  return policies;
527 
528  pols = (RowSecurityPolicy *) palloc(sizeof(RowSecurityPolicy) * npol);
529 
530  foreach(item, policies)
531  {
532  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
533 
534  pols[ii++] = *policy;
535  }
536 
537  qsort(pols, npol, sizeof(RowSecurityPolicy), row_security_policy_cmp);
538 
539  policies = NIL;
540  for (ii = 0; ii < npol; ii++)
541  policies = lappend(policies, &pols[ii]);
542 
543  return policies;
544 }
#define NIL
Definition: pg_list.h:69
List * lappend(List *list, void *datum)
Definition: list.c:128
static int row_security_policy_cmp(const void *a, const void *b)
Definition: rowsecurity.c:550
#define lfirst(lc)
Definition: pg_list.h:106
static int list_length(const List *l)
Definition: pg_list.h:89
void * palloc(Size size)
Definition: mcxt.c:835
#define qsort(a, b, c, d)
Definition: port.h:408

Variable Documentation

◆ row_security_policy_hook_permissive

row_security_policy_hook_type row_security_policy_hook_permissive = NULL

Definition at line 95 of file rowsecurity.c.

Referenced by _PG_fini(), _PG_init(), and get_policies_for_relation().

◆ row_security_policy_hook_restrictive

row_security_policy_hook_type row_security_policy_hook_restrictive = NULL

Definition at line 96 of file rowsecurity.c.

Referenced by _PG_fini(), _PG_init(), and get_policies_for_relation().