PostgreSQL Source Code  git master
Macros | Functions | Variables
rowsecurity.c File Reference
#include "postgres.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "access/table.h"
#include "catalog/pg_class.h"
#include "catalog/pg_inherits.h"
#include "catalog/pg_policy.h"
#include "catalog/pg_type.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
#include "nodes/nodeFuncs.h"
#include "nodes/pg_list.h"
#include "nodes/plannodes.h"
#include "parser/parsetree.h"
#include "parser/parse_relation.h"
#include "rewrite/rewriteDefine.h"
#include "rewrite/rewriteHandler.h"
#include "rewrite/rewriteManip.h"
#include "rewrite/rowsecurity.h"
#include "tcop/utility.h"
#include "utils/acl.h"
#include "utils/lsyscache.h"
#include "utils/rel.h"
#include "utils/rls.h"
#include "utils/syscache.h"
Include dependency graph for rowsecurity.c:

Go to the source code of this file.

Macros

#define QUAL_FOR_WCO(policy)
 

Functions

static void get_policies_for_relation (Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
 
static void sort_policies_by_name (List *policies)
 
static int row_security_policy_cmp (const ListCell *a, const ListCell *b)
 
static void add_security_quals (int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
 
static void add_with_check_options (Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
 
static bool check_role_for_policy (ArrayType *policy_roles, Oid user_id)
 
void get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
 

Variables

row_security_policy_hook_type row_security_policy_hook_permissive = NULL
 
row_security_policy_hook_type row_security_policy_hook_restrictive = NULL
 

Macro Definition Documentation

◆ QUAL_FOR_WCO

#define QUAL_FOR_WCO (   policy)
Value:
( !force_using && \
(policy)->with_check_qual != NULL ? \
(policy)->with_check_qual : (policy)->qual )

Function Documentation

◆ add_security_quals()

static void add_security_quals ( int  rt_index,
List permissive_policies,
List restrictive_policies,
List **  securityQuals,
bool hasSubLinks 
)
static

Definition at line 697 of file rowsecurity.c.

702 {
703  ListCell *item;
704  List *permissive_quals = NIL;
705  Expr *rowsec_expr;
706 
707  /*
708  * First collect up the permissive quals. If we do not find any
709  * permissive policies then no rows are visible (this is handled below).
710  */
711  foreach(item, permissive_policies)
712  {
713  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
714 
715  if (policy->qual != NULL)
716  {
717  permissive_quals = lappend(permissive_quals,
718  copyObject(policy->qual));
719  *hasSubLinks |= policy->hassublinks;
720  }
721  }
722 
723  /*
724  * We must have permissive quals, always, or no rows are visible.
725  *
726  * If we do not, then we simply return a single 'false' qual which results
727  * in no rows being visible.
728  */
729  if (permissive_quals != NIL)
730  {
731  /*
732  * We now know that permissive policies exist, so we can now add
733  * security quals based on the USING clauses from the restrictive
734  * policies. Since these need to be combined together using AND, we
735  * can just add them one at a time.
736  */
737  foreach(item, restrictive_policies)
738  {
739  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
740  Expr *qual;
741 
742  if (policy->qual != NULL)
743  {
744  qual = copyObject(policy->qual);
745  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
746 
747  *securityQuals = list_append_unique(*securityQuals, qual);
748  *hasSubLinks |= policy->hassublinks;
749  }
750  }
751 
752  /*
753  * Then add a single security qual combining together the USING
754  * clauses from all the permissive policies using OR.
755  */
756  if (list_length(permissive_quals) == 1)
757  rowsec_expr = (Expr *) linitial(permissive_quals);
758  else
759  rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
760 
761  ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
762  *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
763  }
764  else
765 
766  /*
767  * A permissive policy must exist for rows to be visible at all.
768  * Therefore, if there were no permissive policies found, return a
769  * single always-false clause.
770  */
771  *securityQuals = lappend(*securityQuals,
772  makeConst(BOOLOID, -1, InvalidOid,
773  sizeof(bool), BoolGetDatum(false),
774  false, true));
775 }
lappend
List * lappend(List *list, void *datum)
Definition: list.c:338
list_append_unique
List * list_append_unique(List *list, void *datum)
Definition: list.c:1342
makeConst
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:302
makeBoolExpr
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:372
copyObject
#define copyObject(obj)
Definition: nodes.h:244
lfirst
#define lfirst(lc)
Definition: pg_list.h:172
list_length
static int list_length(const List *l)
Definition: pg_list.h:152
NIL
#define NIL
Definition: pg_list.h:68
linitial
#define linitial(l)
Definition: pg_list.h:178
BoolGetDatum
static Datum BoolGetDatum(bool X)
Definition: postgres.h:102
InvalidOid
#define InvalidOid
Definition: postgres_ext.h:36
OR_EXPR
@ OR_EXPR
Definition: primnodes.h:858
ChangeVarNodes
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:670
List
Definition: pg_list.h:54
Node
Definition: nodes.h:129

References BoolGetDatum(), ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), NIL, OR_EXPR, and RowSecurityPolicy::qual.

Referenced by get_row_security_policies().

◆ add_with_check_options()

static void add_with_check_options ( Relation  rel,
int  rt_index,
WCOKind  kind,
List permissive_policies,
List restrictive_policies,
List **  withCheckOptions,
bool hasSubLinks,
bool  force_using 
)
static

Definition at line 793 of file rowsecurity.c.

801 {
802  ListCell *item;
803  List *permissive_quals = NIL;
804 
805 #define QUAL_FOR_WCO(policy) \
806  ( !force_using && \
807  (policy)->with_check_qual != NULL ? \
808  (policy)->with_check_qual : (policy)->qual )
809 
810  /*
811  * First collect up the permissive policy clauses, similar to
812  * add_security_quals.
813  */
814  foreach(item, permissive_policies)
815  {
816  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
817  Expr *qual = QUAL_FOR_WCO(policy);
818 
819  if (qual != NULL)
820  {
821  permissive_quals = lappend(permissive_quals, copyObject(qual));
822  *hasSubLinks |= policy->hassublinks;
823  }
824  }
825 
826  /*
827  * There must be at least one permissive qual found or no rows are allowed
828  * to be added. This is the same as in add_security_quals.
829  *
830  * If there are no permissive_quals then we fall through and return a
831  * single 'false' WCO, preventing all new rows.
832  */
833  if (permissive_quals != NIL)
834  {
835  /*
836  * Add a single WithCheckOption for all the permissive policy clauses,
837  * combining them together using OR. This check has no policy name,
838  * since if the check fails it means that no policy granted permission
839  * to perform the update, rather than any particular policy being
840  * violated.
841  */
842  WithCheckOption *wco;
843 
844  wco = makeNode(WithCheckOption);
845  wco->kind = kind;
846  wco->relname = pstrdup(RelationGetRelationName(rel));
847  wco->polname = NULL;
848  wco->cascaded = false;
849 
850  if (list_length(permissive_quals) == 1)
851  wco->qual = (Node *) linitial(permissive_quals);
852  else
853  wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
854 
855  ChangeVarNodes(wco->qual, 1, rt_index, 0);
856 
857  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
858 
859  /*
860  * Now add WithCheckOptions for each of the restrictive policy clauses
861  * (which will be combined together using AND). We use a separate
862  * WithCheckOption for each restrictive policy to allow the policy
863  * name to be included in error reports if the policy is violated.
864  */
865  foreach(item, restrictive_policies)
866  {
867  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
868  Expr *qual = QUAL_FOR_WCO(policy);
869 
870  if (qual != NULL)
871  {
872  qual = copyObject(qual);
873  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
874 
875  wco = makeNode(WithCheckOption);
876  wco->kind = kind;
877  wco->relname = pstrdup(RelationGetRelationName(rel));
878  wco->polname = pstrdup(policy->policy_name);
879  wco->qual = (Node *) qual;
880  wco->cascaded = false;
881 
882  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
883  *hasSubLinks |= policy->hassublinks;
884  }
885  }
886  }
887  else
888  {
889  /*
890  * If there were no policy clauses to check new data, add a single
891  * always-false WCO (a default-deny policy).
892  */
893  WithCheckOption *wco;
894 
895  wco = makeNode(WithCheckOption);
896  wco->kind = kind;
897  wco->relname = pstrdup(RelationGetRelationName(rel));
898  wco->polname = NULL;
899  wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
900  sizeof(bool), BoolGetDatum(false),
901  false, true);
902  wco->cascaded = false;
903 
904  *withCheckOptions = lappend(*withCheckOptions, wco);
905  }
906 }
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1644
makeNode
#define makeNode(_type_)
Definition: nodes.h:176
RelationGetRelationName
#define RelationGetRelationName(relation)
Definition: rel.h:538
QUAL_FOR_WCO
#define QUAL_FOR_WCO(policy)

References BoolGetDatum(), WithCheckOption::cascaded, ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, WithCheckOption::kind, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), makeNode, NIL, OR_EXPR, RowSecurityPolicy::policy_name, WithCheckOption::polname, pstrdup(), WithCheckOption::qual, QUAL_FOR_WCO, RelationGetRelationName, and WithCheckOption::relname.

Referenced by get_row_security_policies().

◆ check_role_for_policy()

static bool check_role_for_policy ( ArrayType policy_roles,
Oid  user_id 
)
static

Definition at line 913 of file rowsecurity.c.

914 {
915  int i;
916  Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
917 
918  /* Quick fall-thru for policies applied to all roles */
919  if (roles[0] == ACL_ID_PUBLIC)
920  return true;
921 
922  for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
923  {
924  if (has_privs_of_role(user_id, roles[i]))
925  return true;
926  }
927 
928  return false;
929 }
has_privs_of_role
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4961
ACL_ID_PUBLIC
#define ACL_ID_PUBLIC
Definition: acl.h:46
ARR_DATA_PTR
#define ARR_DATA_PTR(a)
Definition: array.h:315
ARR_DIMS
#define ARR_DIMS(a)
Definition: array.h:287
i
int i
Definition: isn.c:73
Oid
unsigned int Oid
Definition: postgres_ext.h:31

References ACL_ID_PUBLIC, ARR_DATA_PTR, ARR_DIMS, has_privs_of_role(), and i.

Referenced by get_policies_for_relation().

◆ get_policies_for_relation()

static void get_policies_for_relation ( Relation  relation,
CmdType  cmd,
Oid  user_id,
List **  permissive_policies,
List **  restrictive_policies 
)
static

Definition at line 538 of file rowsecurity.c.

541 {
542  ListCell *item;
543 
544  *permissive_policies = NIL;
545  *restrictive_policies = NIL;
546 
547  /* First find all internal policies for the relation. */
548  foreach(item, relation->rd_rsdesc->policies)
549  {
550  bool cmd_matches = false;
551  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
552 
553  /* Always add ALL policies, if they exist. */
554  if (policy->polcmd == '*')
555  cmd_matches = true;
556  else
557  {
558  /* Check whether the policy applies to the specified command type */
559  switch (cmd)
560  {
561  case CMD_SELECT:
562  if (policy->polcmd == ACL_SELECT_CHR)
563  cmd_matches = true;
564  break;
565  case CMD_INSERT:
566  if (policy->polcmd == ACL_INSERT_CHR)
567  cmd_matches = true;
568  break;
569  case CMD_UPDATE:
570  if (policy->polcmd == ACL_UPDATE_CHR)
571  cmd_matches = true;
572  break;
573  case CMD_DELETE:
574  if (policy->polcmd == ACL_DELETE_CHR)
575  cmd_matches = true;
576  break;
577  case CMD_MERGE:
578 
579  /*
580  * We do not support a separate policy for MERGE command.
581  * Instead it derives from the policies defined for other
582  * commands.
583  */
584  break;
585  default:
586  elog(ERROR, "unrecognized policy command type %d",
587  (int) cmd);
588  break;
589  }
590  }
591 
592  /*
593  * Add this policy to the relevant list of policies if it applies to
594  * the specified role.
595  */
596  if (cmd_matches && check_role_for_policy(policy->roles, user_id))
597  {
598  if (policy->permissive)
599  *permissive_policies = lappend(*permissive_policies, policy);
600  else
601  *restrictive_policies = lappend(*restrictive_policies, policy);
602  }
603  }
604 
605  /*
606  * We sort restrictive policies by name so that any WCOs they generate are
607  * checked in a well-defined order.
608  */
609  sort_policies_by_name(*restrictive_policies);
610 
611  /*
612  * Then add any permissive or restrictive policies defined by extensions.
613  * These are simply appended to the lists of internal policies, if they
614  * apply to the specified role.
615  */
616  if (row_security_policy_hook_restrictive)
617  {
618  List *hook_policies =
619  (*row_security_policy_hook_restrictive) (cmd, relation);
620 
621  /*
622  * As with built-in restrictive policies, we sort any hook-provided
623  * restrictive policies by name also. Note that we also intentionally
624  * always check all built-in restrictive policies, in name order,
625  * before checking restrictive policies added by hooks, in name order.
626  */
627  sort_policies_by_name(hook_policies);
628 
629  foreach(item, hook_policies)
630  {
631  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
632 
633  if (check_role_for_policy(policy->roles, user_id))
634  *restrictive_policies = lappend(*restrictive_policies, policy);
635  }
636  }
637 
638  if (row_security_policy_hook_permissive)
639  {
640  List *hook_policies =
641  (*row_security_policy_hook_permissive) (cmd, relation);
642 
643  foreach(item, hook_policies)
644  {
645  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
646 
647  if (check_role_for_policy(policy->roles, user_id))
648  *permissive_policies = lappend(*permissive_policies, policy);
649  }
650  }
651 }
ACL_SELECT_CHR
#define ACL_SELECT_CHR
Definition: acl.h:138
ACL_DELETE_CHR
#define ACL_DELETE_CHR
Definition: acl.h:140
ACL_INSERT_CHR
#define ACL_INSERT_CHR
Definition: acl.h:137
ACL_UPDATE_CHR
#define ACL_UPDATE_CHR
Definition: acl.h:139
ERROR
#define ERROR
Definition: elog.h:39
CMD_MERGE
@ CMD_MERGE
Definition: nodes.h:280
CMD_INSERT
@ CMD_INSERT
Definition: nodes.h:278
CMD_DELETE
@ CMD_DELETE
Definition: nodes.h:279
CMD_UPDATE
@ CMD_UPDATE
Definition: nodes.h:277
CMD_SELECT
@ CMD_SELECT
Definition: nodes.h:276
row_security_policy_hook_permissive
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:97
check_role_for_policy
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:913
row_security_policy_hook_restrictive
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:98
sort_policies_by_name
static void sort_policies_by_name(List *policies)
Definition: rowsecurity.c:662
RelationData::rd_rsdesc
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:119
RowSecurityPolicy::roles
ArrayType * roles
Definition: rowsecurity.h:24

References ACL_DELETE_CHR, ACL_INSERT_CHR, ACL_SELECT_CHR, ACL_UPDATE_CHR, check_role_for_policy(), CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, elog(), ERROR, lappend(), lfirst, NIL, RowSecurityPolicy::permissive, RowSecurityPolicy::polcmd, RowSecurityDesc::policies, RelationData::rd_rsdesc, RowSecurityPolicy::roles, row_security_policy_hook_permissive, row_security_policy_hook_restrictive, and sort_policies_by_name().

Referenced by get_row_security_policies().

◆ get_row_security_policies()

void get_row_security_policies ( Query root,
RangeTblEntry rte,
int  rt_index,
List **  securityQuals,
List **  withCheckOptions,
bool hasRowSecurity,
bool hasSubLinks 
)

Definition at line 109 of file rowsecurity.c.

112 {
113  Oid user_id;
114  int rls_status;
115  Relation rel;
116  CmdType commandType;
117  List *permissive_policies;
118  List *restrictive_policies;
119  RTEPermissionInfo *perminfo;
120 
121  /* Defaults for the return values */
122  *securityQuals = NIL;
123  *withCheckOptions = NIL;
124  *hasRowSecurity = false;
125  *hasSubLinks = false;
126 
127  Assert(rte->rtekind == RTE_RELATION);
128 
129  /* If this is not a normal relation, just return immediately */
130  if (rte->relkind != RELKIND_RELATION &&
131  rte->relkind != RELKIND_PARTITIONED_TABLE)
132  return;
133 
134  perminfo = getRTEPermissionInfo(root->rteperminfos, rte);
135 
136  /* Switch to checkAsUser if it's set */
137  user_id = OidIsValid(perminfo->checkAsUser) ?
138  perminfo->checkAsUser : GetUserId();
139 
140  /* Determine the state of RLS for this, pass checkAsUser explicitly */
141  rls_status = check_enable_rls(rte->relid, perminfo->checkAsUser, false);
142 
143  /* If there is no RLS on this table at all, nothing to do */
144  if (rls_status == RLS_NONE)
145  return;
146 
147  /*
148  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
149  * with changes to the environment, so we mark it as hasRowSecurity to
150  * force a re-plan when the environment changes.
151  */
152  if (rls_status == RLS_NONE_ENV)
153  {
154  /*
155  * Indicate that this query may involve RLS and must therefore be
156  * replanned if the environment changes (GUCs, role), but we are not
157  * adding anything here.
158  */
159  *hasRowSecurity = true;
160 
161  return;
162  }
163 
164  /*
165  * RLS is enabled for this relation.
166  *
167  * Get the security policies that should be applied, based on the command
168  * type. Note that if this isn't the target relation, we actually want
169  * the relation's SELECT policies, regardless of the query command type,
170  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
171  * policies and t2's SELECT policies.
172  */
173  rel = table_open(rte->relid, NoLock);
174 
175  commandType = rt_index == root->resultRelation ?
176  root->commandType : CMD_SELECT;
177 
178  /*
179  * In some cases, we need to apply USING policies (which control the
180  * visibility of records) associated with multiple command types (see
181  * specific cases below).
182  *
183  * When considering the order in which to apply these USING policies, we
184  * prefer to apply higher privileged policies, those which allow the user
185  * to lock records (UPDATE and DELETE), first, followed by policies which
186  * don't (SELECT).
187  *
188  * Note that the optimizer is free to push down and reorder quals which
189  * use leakproof functions.
190  *
191  * In all cases, if there are no policy clauses allowing access to rows in
192  * the table for the specific type of operation, then a single
193  * always-false clause (a default-deny policy) will be added (see
194  * add_security_quals).
195  */
196 
197  /*
198  * For a SELECT, if UPDATE privileges are required (eg: the user has
199  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
200  * first.
201  *
202  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
203  * which the user does not have access to via the UPDATE USING policies,
204  * similar to how we require normal UPDATE rights for these queries.
205  */
206  if (commandType == CMD_SELECT && perminfo->requiredPerms & ACL_UPDATE)
207  {
208  List *update_permissive_policies;
209  List *update_restrictive_policies;
210 
211  get_policies_for_relation(rel, CMD_UPDATE, user_id,
212  &update_permissive_policies,
213  &update_restrictive_policies);
214 
215  add_security_quals(rt_index,
216  update_permissive_policies,
217  update_restrictive_policies,
218  securityQuals,
219  hasSubLinks);
220  }
221 
222  /*
223  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
224  * policies. These security quals control access to existing table rows.
225  * Restrictive policies are combined together using AND, and permissive
226  * policies are combined together using OR.
227  */
228 
229  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
230  &restrictive_policies);
231 
232  if (commandType == CMD_SELECT ||
233  commandType == CMD_UPDATE ||
234  commandType == CMD_DELETE)
235  add_security_quals(rt_index,
236  permissive_policies,
237  restrictive_policies,
238  securityQuals,
239  hasSubLinks);
240 
241  /*
242  * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
243  * are also required (eg: when a RETURNING clause exists, or the user has
244  * provided a WHERE clause which involves columns from the relation), we
245  * collect up CMD_SELECT policies and add them via add_security_quals
246  * first.
247  *
248  * This way, we filter out any records which are not visible through an
249  * ALL or SELECT USING policy.
250  */
251  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE ||
252  commandType == CMD_MERGE) &&
253  perminfo->requiredPerms & ACL_SELECT)
254  {
255  List *select_permissive_policies;
256  List *select_restrictive_policies;
257 
258  get_policies_for_relation(rel, CMD_SELECT, user_id,
259  &select_permissive_policies,
260  &select_restrictive_policies);
261 
262  add_security_quals(rt_index,
263  select_permissive_policies,
264  select_restrictive_policies,
265  securityQuals,
266  hasSubLinks);
267  }
268 
269  /*
270  * For INSERT and UPDATE, add withCheckOptions to verify that any new
271  * records added are consistent with the security policies. This will use
272  * each policy's WITH CHECK clause, or its USING clause if no explicit
273  * WITH CHECK clause is defined.
274  */
275  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
276  {
277  /* This should be the target relation */
278  Assert(rt_index == root->resultRelation);
279 
280  add_with_check_options(rel, rt_index,
281  commandType == CMD_INSERT ?
282  WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
283  permissive_policies,
284  restrictive_policies,
285  withCheckOptions,
286  hasSubLinks,
287  false);
288 
289  /*
290  * Get and add ALL/SELECT policies, if SELECT rights are required for
291  * this relation (eg: when RETURNING is used). These are added as WCO
292  * policies rather than security quals to ensure that an error is
293  * raised if a policy is violated; otherwise, we might end up silently
294  * dropping rows to be added.
295  */
296  if (perminfo->requiredPerms & ACL_SELECT)
297  {
298  List *select_permissive_policies = NIL;
299  List *select_restrictive_policies = NIL;
300 
301  get_policies_for_relation(rel, CMD_SELECT, user_id,
302  &select_permissive_policies,
303  &select_restrictive_policies);
304  add_with_check_options(rel, rt_index,
305  commandType == CMD_INSERT ?
306  WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
307  select_permissive_policies,
308  select_restrictive_policies,
309  withCheckOptions,
310  hasSubLinks,
311  true);
312  }
313 
314  /*
315  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
316  * checks for the UPDATE which may be applied to the same RTE.
317  */
318  if (commandType == CMD_INSERT &&
319  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
320  {
321  List *conflict_permissive_policies;
322  List *conflict_restrictive_policies;
323  List *conflict_select_permissive_policies = NIL;
324  List *conflict_select_restrictive_policies = NIL;
325 
326  /* Get the policies that apply to the auxiliary UPDATE */
327  get_policies_for_relation(rel, CMD_UPDATE, user_id,
328  &conflict_permissive_policies,
329  &conflict_restrictive_policies);
330 
331  /*
332  * Enforce the USING clauses of the UPDATE policies using WCOs
333  * rather than security quals. This ensures that an error is
334  * raised if the conflicting row cannot be updated due to RLS,
335  * rather than the change being silently dropped.
336  */
337  add_with_check_options(rel, rt_index,
338  WCO_RLS_CONFLICT_CHECK,
339  conflict_permissive_policies,
340  conflict_restrictive_policies,
341  withCheckOptions,
342  hasSubLinks,
343  true);
344 
345  /*
346  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
347  * to ensure they are considered when taking the UPDATE path of an
348  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
349  * for this relation, also as WCO policies, again, to avoid
350  * silently dropping data. See above.
351  */
352  if (perminfo->requiredPerms & ACL_SELECT)
353  {
354  get_policies_for_relation(rel, CMD_SELECT, user_id,
355  &conflict_select_permissive_policies,
356  &conflict_select_restrictive_policies);
357  add_with_check_options(rel, rt_index,
358  WCO_RLS_CONFLICT_CHECK,
359  conflict_select_permissive_policies,
360  conflict_select_restrictive_policies,
361  withCheckOptions,
362  hasSubLinks,
363  true);
364  }
365 
366  /* Enforce the WITH CHECK clauses of the UPDATE policies */
367  add_with_check_options(rel, rt_index,
368  WCO_RLS_UPDATE_CHECK,
369  conflict_permissive_policies,
370  conflict_restrictive_policies,
371  withCheckOptions,
372  hasSubLinks,
373  false);
374 
375  /*
376  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
377  * that the final updated row is visible when taking the UPDATE
378  * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
379  * are required for this relation.
380  */
381  if (perminfo->requiredPerms & ACL_SELECT)
382  add_with_check_options(rel, rt_index,
383  WCO_RLS_UPDATE_CHECK,
384  conflict_select_permissive_policies,
385  conflict_select_restrictive_policies,
386  withCheckOptions,
387  hasSubLinks,
388  true);
389  }
390  }
391 
392  /*
393  * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
394  * and set them up so that we can enforce the appropriate policy depending
395  * on the final action we take.
396  *
397  * We already fetched the SELECT policies above, to check existing rows,
398  * but we must also check that new rows created by UPDATE actions are
399  * visible, if SELECT rights are required for this relation. We don't do
400  * this for INSERT actions, since an INSERT command would only do this
401  * check if it had a RETURNING list, and MERGE does not support RETURNING.
402  *
403  * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
404  * really want to apply them while scanning the relation since we don't
405  * know whether we will be doing an UPDATE or a DELETE at the end. We
406  * apply the respective policy once we decide the final action on the
407  * target tuple.
408  *
409  * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
410  * UPDATE/DELETE on the target row, we shall throw an error instead of
411  * silently ignoring the row. This is different than how normal
412  * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO UPDATE
413  * handling.
414  */
415  if (commandType == CMD_MERGE)
416  {
417  List *merge_update_permissive_policies;
418  List *merge_update_restrictive_policies;
419  List *merge_delete_permissive_policies;
420  List *merge_delete_restrictive_policies;
421  List *merge_insert_permissive_policies;
422  List *merge_insert_restrictive_policies;
423 
424  /*
425  * Fetch the UPDATE policies and set them up to execute on the
426  * existing target row before doing UPDATE.
427  */
428  get_policies_for_relation(rel, CMD_UPDATE, user_id,
429  &merge_update_permissive_policies,
430  &merge_update_restrictive_policies);
431 
432  /*
433  * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
434  * the existing target row.
435  */
436  add_with_check_options(rel, rt_index,
437  WCO_RLS_MERGE_UPDATE_CHECK,
438  merge_update_permissive_policies,
439  merge_update_restrictive_policies,
440  withCheckOptions,
441  hasSubLinks,
442  true);
443 
444  /* Enforce the WITH CHECK clauses of the UPDATE policies */
445  add_with_check_options(rel, rt_index,
446  WCO_RLS_UPDATE_CHECK,
447  merge_update_permissive_policies,
448  merge_update_restrictive_policies,
449  withCheckOptions,
450  hasSubLinks,
451  false);
452 
453  /*
454  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
455  * that the updated row is visible when executing an UPDATE action, if
456  * SELECT rights are required for this relation.
457  */
458  if (perminfo->requiredPerms & ACL_SELECT)
459  {
460  List *merge_select_permissive_policies;
461  List *merge_select_restrictive_policies;
462 
463  get_policies_for_relation(rel, CMD_SELECT, user_id,
464  &merge_select_permissive_policies,
465  &merge_select_restrictive_policies);
466  add_with_check_options(rel, rt_index,
467  WCO_RLS_UPDATE_CHECK,
468  merge_select_permissive_policies,
469  merge_select_restrictive_policies,
470  withCheckOptions,
471  hasSubLinks,
472  true);
473  }
474 
475  /*
476  * Fetch the DELETE policies and set them up to execute on the
477  * existing target row before doing DELETE.
478  */
479  get_policies_for_relation(rel, CMD_DELETE, user_id,
480  &merge_delete_permissive_policies,
481  &merge_delete_restrictive_policies);
482 
483  /*
484  * WCO_RLS_MERGE_DELETE_CHECK is used to check DELETE USING quals on
485  * the existing target row.
486  */
487  add_with_check_options(rel, rt_index,
488  WCO_RLS_MERGE_DELETE_CHECK,
489  merge_delete_permissive_policies,
490  merge_delete_restrictive_policies,
491  withCheckOptions,
492  hasSubLinks,
493  true);
494 
495  /*
496  * No special handling is required for INSERT policies. They will be
497  * checked and enforced during ExecInsert(). But we must add them to
498  * withCheckOptions.
499  */
500  get_policies_for_relation(rel, CMD_INSERT, user_id,
501  &merge_insert_permissive_policies,
502  &merge_insert_restrictive_policies);
503 
504  add_with_check_options(rel, rt_index,
505  WCO_RLS_INSERT_CHECK,
506  merge_insert_permissive_policies,
507  merge_insert_restrictive_policies,
508  withCheckOptions,
509  hasSubLinks,
510  false);
511  }
512 
513  table_close(rel, NoLock);
514 
515  /*
516  * Copy checkAsUser to the row security quals and WithCheckOption checks,
517  * in case they contain any subqueries referring to other relations.
518  */
519  setRuleCheckAsUser((Node *) *securityQuals, perminfo->checkAsUser);
520  setRuleCheckAsUser((Node *) *withCheckOptions, perminfo->checkAsUser);
521 
522  /*
523  * Mark this query as having row security, so plancache can invalidate it
524  * when necessary (eg: role changes)
525  */
526  *hasRowSecurity = true;
527 }
OidIsValid
#define OidIsValid(objectId)
Definition: c.h:764
Assert
Assert(fmt[strlen(fmt) - 1] !='\n')
NoLock
#define NoLock
Definition: lockdefs.h:34
GetUserId
Oid GetUserId(void)
Definition: miscinit.c:509
ONCONFLICT_UPDATE
@ ONCONFLICT_UPDATE
Definition: nodes.h:430
CmdType
CmdType
Definition: nodes.h:274
getRTEPermissionInfo
RTEPermissionInfo * getRTEPermissionInfo(List *rteperminfos, RangeTblEntry *rte)
Definition: parse_relation.c:3900
WCO_RLS_MERGE_UPDATE_CHECK
@ WCO_RLS_MERGE_UPDATE_CHECK
Definition: parsenodes.h:1317
WCO_RLS_CONFLICT_CHECK
@ WCO_RLS_CONFLICT_CHECK
Definition: parsenodes.h:1316
WCO_RLS_INSERT_CHECK
@ WCO_RLS_INSERT_CHECK
Definition: parsenodes.h:1314
WCO_RLS_UPDATE_CHECK
@ WCO_RLS_UPDATE_CHECK
Definition: parsenodes.h:1315
WCO_RLS_MERGE_DELETE_CHECK
@ WCO_RLS_MERGE_DELETE_CHECK
Definition: parsenodes.h:1318
ACL_UPDATE
#define ACL_UPDATE
Definition: parsenodes.h:85
RTE_RELATION
@ RTE_RELATION
Definition: parsenodes.h:1013
ACL_SELECT
#define ACL_SELECT
Definition: parsenodes.h:84
setRuleCheckAsUser
void setRuleCheckAsUser(Node *node, Oid userid)
Definition: rewriteDefine.c:638
check_enable_rls
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:52
RLS_NONE
@ RLS_NONE
Definition: rls.h:43
RLS_NONE_ENV
@ RLS_NONE_ENV
Definition: rls.h:44
add_with_check_options
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:793
get_policies_for_relation
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:538
add_security_quals
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:697
OnConflictExpr::action
OnConflictAction action
Definition: primnodes.h:2029
Query::onConflict
OnConflictExpr * onConflict
Definition: parsenodes.h:193
Query::commandType
CmdType commandType
Definition: parsenodes.h:127
RTEPermissionInfo::requiredPerms
AclMode requiredPerms
Definition: parsenodes.h:1245
RangeTblEntry::rtekind
RTEKind rtekind
Definition: parsenodes.h:1032
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40

References ACL_SELECT, ACL_UPDATE, OnConflictExpr::action, add_security_quals(), add_with_check_options(), Assert(), check_enable_rls(), RTEPermissionInfo::checkAsUser, CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, Query::commandType, get_policies_for_relation(), getRTEPermissionInfo(), GetUserId(), NIL, NoLock, OidIsValid, Query::onConflict, ONCONFLICT_UPDATE, RangeTblEntry::relid, RangeTblEntry::relkind, RTEPermissionInfo::requiredPerms, RLS_NONE, RLS_NONE_ENV, RTE_RELATION, RangeTblEntry::rtekind, setRuleCheckAsUser(), table_close(), table_open(), WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, WCO_RLS_MERGE_DELETE_CHECK, WCO_RLS_MERGE_UPDATE_CHECK, and WCO_RLS_UPDATE_CHECK.

Referenced by fireRIRrules().

◆ row_security_policy_cmp()

static int row_security_policy_cmp ( const ListCell a,
const ListCell b 
)
static

Definition at line 671 of file rowsecurity.c.

672 {
673  const RowSecurityPolicy *pa = (const RowSecurityPolicy *) lfirst(a);
674  const RowSecurityPolicy *pb = (const RowSecurityPolicy *) lfirst(b);
675 
676  /* Guard against NULL policy names from extensions */
677  if (pa->policy_name == NULL)
678  return pb->policy_name == NULL ? 0 : 1;
679  if (pb->policy_name == NULL)
680  return -1;
681 
682  return strcmp(pa->policy_name, pb->policy_name);
683 }
b
int b
Definition: isn.c:70
a
int a
Definition: isn.c:69

References a, b, lfirst, and RowSecurityPolicy::policy_name.

Referenced by sort_policies_by_name().

◆ sort_policies_by_name()

static void sort_policies_by_name ( List policies)
static

Definition at line 662 of file rowsecurity.c.

663 {
664  list_sort(policies, row_security_policy_cmp);
665 }
list_sort
void list_sort(List *list, list_sort_comparator cmp)
Definition: list.c:1673
row_security_policy_cmp
static int row_security_policy_cmp(const ListCell *a, const ListCell *b)
Definition: rowsecurity.c:671

References list_sort(), and row_security_policy_cmp().

Referenced by get_policies_for_relation().

Variable Documentation

◆ row_security_policy_hook_permissive

row_security_policy_hook_type row_security_policy_hook_permissive = NULL

Definition at line 97 of file rowsecurity.c.

Referenced by _PG_init(), and get_policies_for_relation().

◆ row_security_policy_hook_restrictive

row_security_policy_hook_type row_security_policy_hook_restrictive = NULL

Definition at line 98 of file rowsecurity.c.

Referenced by _PG_init(), and get_policies_for_relation().