PostgreSQL Source Code git master
rowsecurity.c File Reference
#include "postgres.h"
#include "access/table.h"
#include "catalog/pg_class.h"
#include "catalog/pg_type.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
#include "nodes/pg_list.h"
#include "parser/parse_relation.h"
#include "rewrite/rewriteDefine.h"
#include "rewrite/rewriteManip.h"
#include "rewrite/rowsecurity.h"
#include "utils/acl.h"
#include "utils/rel.h"
#include "utils/rls.h"
Include dependency graph for rowsecurity.c:

Go to the source code of this file.

Macros

#define QUAL_FOR_WCO(policy)
 

Functions

static void get_policies_for_relation (Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
 
static void sort_policies_by_name (List *policies)
 
static int row_security_policy_cmp (const ListCell *a, const ListCell *b)
 
static void add_security_quals (int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
 
static void add_with_check_options (Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
 
static bool check_role_for_policy (ArrayType *policy_roles, Oid user_id)
 
void get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
 

Variables

row_security_policy_hook_type row_security_policy_hook_permissive = NULL
 
row_security_policy_hook_type row_security_policy_hook_restrictive = NULL
 

Macro Definition Documentation

◆ QUAL_FOR_WCO

#define QUAL_FOR_WCO (   policy)
Value:
( !force_using && \
(policy)->with_check_qual != NULL ? \
(policy)->with_check_qual : (policy)->qual )

Function Documentation

◆ add_security_quals()

static void add_security_quals ( int  rt_index,
List permissive_policies,
List restrictive_policies,
List **  securityQuals,
bool *  hasSubLinks 
)
static

Definition at line 700 of file rowsecurity.c.

705{
706 ListCell *item;
707 List *permissive_quals = NIL;
708 Expr *rowsec_expr;
709
710 /*
711 * First collect up the permissive quals. If we do not find any
712 * permissive policies then no rows are visible (this is handled below).
713 */
714 foreach(item, permissive_policies)
715 {
716 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
717
718 if (policy->qual != NULL)
719 {
720 permissive_quals = lappend(permissive_quals,
721 copyObject(policy->qual));
722 *hasSubLinks |= policy->hassublinks;
723 }
724 }
725
726 /*
727 * We must have permissive quals, always, or no rows are visible.
728 *
729 * If we do not, then we simply return a single 'false' qual which results
730 * in no rows being visible.
731 */
732 if (permissive_quals != NIL)
733 {
734 /*
735 * We now know that permissive policies exist, so we can now add
736 * security quals based on the USING clauses from the restrictive
737 * policies. Since these need to be combined together using AND, we
738 * can just add them one at a time.
739 */
740 foreach(item, restrictive_policies)
741 {
742 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
743 Expr *qual;
744
745 if (policy->qual != NULL)
746 {
747 qual = copyObject(policy->qual);
748 ChangeVarNodes((Node *) qual, 1, rt_index, 0);
749
750 *securityQuals = list_append_unique(*securityQuals, qual);
751 *hasSubLinks |= policy->hassublinks;
752 }
753 }
754
755 /*
756 * Then add a single security qual combining together the USING
757 * clauses from all the permissive policies using OR.
758 */
759 if (list_length(permissive_quals) == 1)
760 rowsec_expr = (Expr *) linitial(permissive_quals);
761 else
762 rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
763
764 ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
765 *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
766 }
767 else
768
769 /*
770 * A permissive policy must exist for rows to be visible at all.
771 * Therefore, if there were no permissive policies found, return a
772 * single always-false clause.
773 */
774 *securityQuals = lappend(*securityQuals,
775 makeConst(BOOLOID, -1, InvalidOid,
776 sizeof(bool), BoolGetDatum(false),
777 false, true));
778}
List * lappend(List *list, void *datum)
Definition: list.c:339
List * list_append_unique(List *list, void *datum)
Definition: list.c:1343
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:373
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:303
#define copyObject(obj)
Definition: nodes.h:224
#define lfirst(lc)
Definition: pg_list.h:172
static int list_length(const List *l)
Definition: pg_list.h:152
#define NIL
Definition: pg_list.h:68
#define linitial(l)
Definition: pg_list.h:178
static Datum BoolGetDatum(bool X)
Definition: postgres.h:107
#define InvalidOid
Definition: postgres_ext.h:37
@ OR_EXPR
Definition: primnodes.h:947
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:668
Definition: pg_list.h:54
Definition: nodes.h:129

References BoolGetDatum(), ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), NIL, OR_EXPR, and RowSecurityPolicy::qual.

Referenced by get_row_security_policies().

◆ add_with_check_options()

static void add_with_check_options ( Relation  rel,
int  rt_index,
WCOKind  kind,
List permissive_policies,
List restrictive_policies,
List **  withCheckOptions,
bool *  hasSubLinks,
bool  force_using 
)
static

Definition at line 796 of file rowsecurity.c.

804{
805 ListCell *item;
806 List *permissive_quals = NIL;
807
808#define QUAL_FOR_WCO(policy) \
809 ( !force_using && \
810 (policy)->with_check_qual != NULL ? \
811 (policy)->with_check_qual : (policy)->qual )
812
813 /*
814 * First collect up the permissive policy clauses, similar to
815 * add_security_quals.
816 */
817 foreach(item, permissive_policies)
818 {
819 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
820 Expr *qual = QUAL_FOR_WCO(policy);
821
822 if (qual != NULL)
823 {
824 permissive_quals = lappend(permissive_quals, copyObject(qual));
825 *hasSubLinks |= policy->hassublinks;
826 }
827 }
828
829 /*
830 * There must be at least one permissive qual found or no rows are allowed
831 * to be added. This is the same as in add_security_quals.
832 *
833 * If there are no permissive_quals then we fall through and return a
834 * single 'false' WCO, preventing all new rows.
835 */
836 if (permissive_quals != NIL)
837 {
838 /*
839 * Add a single WithCheckOption for all the permissive policy clauses,
840 * combining them together using OR. This check has no policy name,
841 * since if the check fails it means that no policy granted permission
842 * to perform the update, rather than any particular policy being
843 * violated.
844 */
845 WithCheckOption *wco;
846
848 wco->kind = kind;
850 wco->polname = NULL;
851 wco->cascaded = false;
852
853 if (list_length(permissive_quals) == 1)
854 wco->qual = (Node *) linitial(permissive_quals);
855 else
856 wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
857
858 ChangeVarNodes(wco->qual, 1, rt_index, 0);
859
860 *withCheckOptions = list_append_unique(*withCheckOptions, wco);
861
862 /*
863 * Now add WithCheckOptions for each of the restrictive policy clauses
864 * (which will be combined together using AND). We use a separate
865 * WithCheckOption for each restrictive policy to allow the policy
866 * name to be included in error reports if the policy is violated.
867 */
868 foreach(item, restrictive_policies)
869 {
870 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
871 Expr *qual = QUAL_FOR_WCO(policy);
872
873 if (qual != NULL)
874 {
875 qual = copyObject(qual);
876 ChangeVarNodes((Node *) qual, 1, rt_index, 0);
877
879 wco->kind = kind;
881 wco->polname = pstrdup(policy->policy_name);
882 wco->qual = (Node *) qual;
883 wco->cascaded = false;
884
885 *withCheckOptions = list_append_unique(*withCheckOptions, wco);
886 *hasSubLinks |= policy->hassublinks;
887 }
888 }
889 }
890 else
891 {
892 /*
893 * If there were no policy clauses to check new data, add a single
894 * always-false WCO (a default-deny policy).
895 */
896 WithCheckOption *wco;
897
899 wco->kind = kind;
901 wco->polname = NULL;
902 wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
903 sizeof(bool), BoolGetDatum(false),
904 false, true);
905 wco->cascaded = false;
906
907 *withCheckOptions = lappend(*withCheckOptions, wco);
908 }
909}
char * pstrdup(const char *in)
Definition: mcxt.c:1696
#define makeNode(_type_)
Definition: nodes.h:155
#define RelationGetRelationName(relation)
Definition: rel.h:539
#define QUAL_FOR_WCO(policy)

References BoolGetDatum(), WithCheckOption::cascaded, ChangeVarNodes(), copyObject, RowSecurityPolicy::hassublinks, InvalidOid, WithCheckOption::kind, lappend(), lfirst, linitial, list_append_unique(), list_length(), makeBoolExpr(), makeConst(), makeNode, NIL, OR_EXPR, RowSecurityPolicy::policy_name, WithCheckOption::polname, pstrdup(), WithCheckOption::qual, QUAL_FOR_WCO, RelationGetRelationName, and WithCheckOption::relname.

Referenced by get_row_security_policies().

◆ check_role_for_policy()

static bool check_role_for_policy ( ArrayType policy_roles,
Oid  user_id 
)
static

Definition at line 916 of file rowsecurity.c.

917{
918 int i;
919 Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
920
921 /* Quick fall-thru for policies applied to all roles */
922 if (roles[0] == ACL_ID_PUBLIC)
923 return true;
924
925 for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
926 {
927 if (has_privs_of_role(user_id, roles[i]))
928 return true;
929 }
930
931 return false;
932}
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:5268
#define ACL_ID_PUBLIC
Definition: acl.h:46
#define ARR_DATA_PTR(a)
Definition: array.h:322
#define ARR_DIMS(a)
Definition: array.h:294
int i
Definition: isn.c:72
unsigned int Oid
Definition: postgres_ext.h:32

References ACL_ID_PUBLIC, ARR_DATA_PTR, ARR_DIMS, has_privs_of_role(), and i.

Referenced by get_policies_for_relation().

◆ get_policies_for_relation()

static void get_policies_for_relation ( Relation  relation,
CmdType  cmd,
Oid  user_id,
List **  permissive_policies,
List **  restrictive_policies 
)
static

Definition at line 541 of file rowsecurity.c.

544{
545 ListCell *item;
546
547 *permissive_policies = NIL;
548 *restrictive_policies = NIL;
549
550 /* First find all internal policies for the relation. */
551 foreach(item, relation->rd_rsdesc->policies)
552 {
553 bool cmd_matches = false;
554 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
555
556 /* Always add ALL policies, if they exist. */
557 if (policy->polcmd == '*')
558 cmd_matches = true;
559 else
560 {
561 /* Check whether the policy applies to the specified command type */
562 switch (cmd)
563 {
564 case CMD_SELECT:
565 if (policy->polcmd == ACL_SELECT_CHR)
566 cmd_matches = true;
567 break;
568 case CMD_INSERT:
569 if (policy->polcmd == ACL_INSERT_CHR)
570 cmd_matches = true;
571 break;
572 case CMD_UPDATE:
573 if (policy->polcmd == ACL_UPDATE_CHR)
574 cmd_matches = true;
575 break;
576 case CMD_DELETE:
577 if (policy->polcmd == ACL_DELETE_CHR)
578 cmd_matches = true;
579 break;
580 case CMD_MERGE:
581
582 /*
583 * We do not support a separate policy for MERGE command.
584 * Instead it derives from the policies defined for other
585 * commands.
586 */
587 break;
588 default:
589 elog(ERROR, "unrecognized policy command type %d",
590 (int) cmd);
591 break;
592 }
593 }
594
595 /*
596 * Add this policy to the relevant list of policies if it applies to
597 * the specified role.
598 */
599 if (cmd_matches && check_role_for_policy(policy->roles, user_id))
600 {
601 if (policy->permissive)
602 *permissive_policies = lappend(*permissive_policies, policy);
603 else
604 *restrictive_policies = lappend(*restrictive_policies, policy);
605 }
606 }
607
608 /*
609 * We sort restrictive policies by name so that any WCOs they generate are
610 * checked in a well-defined order.
611 */
612 sort_policies_by_name(*restrictive_policies);
613
614 /*
615 * Then add any permissive or restrictive policies defined by extensions.
616 * These are simply appended to the lists of internal policies, if they
617 * apply to the specified role.
618 */
620 {
621 List *hook_policies =
622 (*row_security_policy_hook_restrictive) (cmd, relation);
623
624 /*
625 * As with built-in restrictive policies, we sort any hook-provided
626 * restrictive policies by name also. Note that we also intentionally
627 * always check all built-in restrictive policies, in name order,
628 * before checking restrictive policies added by hooks, in name order.
629 */
630 sort_policies_by_name(hook_policies);
631
632 foreach(item, hook_policies)
633 {
634 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
635
636 if (check_role_for_policy(policy->roles, user_id))
637 *restrictive_policies = lappend(*restrictive_policies, policy);
638 }
639 }
640
642 {
643 List *hook_policies =
644 (*row_security_policy_hook_permissive) (cmd, relation);
645
646 foreach(item, hook_policies)
647 {
648 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
649
650 if (check_role_for_policy(policy->roles, user_id))
651 *permissive_policies = lappend(*permissive_policies, policy);
652 }
653 }
654}
#define ACL_SELECT_CHR
Definition: acl.h:138
#define ACL_DELETE_CHR
Definition: acl.h:140
#define ACL_INSERT_CHR
Definition: acl.h:137
#define ACL_UPDATE_CHR
Definition: acl.h:139
#define ERROR
Definition: elog.h:39
#define elog(elevel,...)
Definition: elog.h:225
@ CMD_MERGE
Definition: nodes.h:269
@ CMD_INSERT
Definition: nodes.h:267
@ CMD_DELETE
Definition: nodes.h:268
@ CMD_UPDATE
Definition: nodes.h:266
@ CMD_SELECT
Definition: nodes.h:265
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:86
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:916
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:87
static void sort_policies_by_name(List *policies)
Definition: rowsecurity.c:665
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:119
ArrayType * roles
Definition: rowsecurity.h:24

References ACL_DELETE_CHR, ACL_INSERT_CHR, ACL_SELECT_CHR, ACL_UPDATE_CHR, check_role_for_policy(), CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, elog, ERROR, lappend(), lfirst, NIL, RowSecurityPolicy::permissive, RowSecurityPolicy::polcmd, RowSecurityDesc::policies, RelationData::rd_rsdesc, RowSecurityPolicy::roles, row_security_policy_hook_permissive, row_security_policy_hook_restrictive, and sort_policies_by_name().

Referenced by get_row_security_policies().

◆ get_row_security_policies()

void get_row_security_policies ( Query root,
RangeTblEntry rte,
int  rt_index,
List **  securityQuals,
List **  withCheckOptions,
bool *  hasRowSecurity,
bool *  hasSubLinks 
)

Definition at line 98 of file rowsecurity.c.

101{
102 Oid user_id;
103 int rls_status;
104 Relation rel;
105 CmdType commandType;
106 List *permissive_policies;
107 List *restrictive_policies;
108 RTEPermissionInfo *perminfo;
109
110 /* Defaults for the return values */
111 *securityQuals = NIL;
112 *withCheckOptions = NIL;
113 *hasRowSecurity = false;
114 *hasSubLinks = false;
115
116 Assert(rte->rtekind == RTE_RELATION);
117
118 /* If this is not a normal relation, just return immediately */
119 if (rte->relkind != RELKIND_RELATION &&
120 rte->relkind != RELKIND_PARTITIONED_TABLE)
121 return;
122
123 perminfo = getRTEPermissionInfo(root->rteperminfos, rte);
124
125 /* Switch to checkAsUser if it's set */
126 user_id = OidIsValid(perminfo->checkAsUser) ?
127 perminfo->checkAsUser : GetUserId();
128
129 /* Determine the state of RLS for this, pass checkAsUser explicitly */
130 rls_status = check_enable_rls(rte->relid, perminfo->checkAsUser, false);
131
132 /* If there is no RLS on this table at all, nothing to do */
133 if (rls_status == RLS_NONE)
134 return;
135
136 /*
137 * RLS_NONE_ENV means we are not doing any RLS now, but that may change
138 * with changes to the environment, so we mark it as hasRowSecurity to
139 * force a re-plan when the environment changes.
140 */
141 if (rls_status == RLS_NONE_ENV)
142 {
143 /*
144 * Indicate that this query may involve RLS and must therefore be
145 * replanned if the environment changes (GUCs, role), but we are not
146 * adding anything here.
147 */
148 *hasRowSecurity = true;
149
150 return;
151 }
152
153 /*
154 * RLS is enabled for this relation.
155 *
156 * Get the security policies that should be applied, based on the command
157 * type. Note that if this isn't the target relation, we actually want
158 * the relation's SELECT policies, regardless of the query command type,
159 * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
160 * policies and t2's SELECT policies.
161 */
162 rel = table_open(rte->relid, NoLock);
163
164 commandType = rt_index == root->resultRelation ?
165 root->commandType : CMD_SELECT;
166
167 /*
168 * In some cases, we need to apply USING policies (which control the
169 * visibility of records) associated with multiple command types (see
170 * specific cases below).
171 *
172 * When considering the order in which to apply these USING policies, we
173 * prefer to apply higher privileged policies, those which allow the user
174 * to lock records (UPDATE and DELETE), first, followed by policies which
175 * don't (SELECT).
176 *
177 * Note that the optimizer is free to push down and reorder quals which
178 * use leakproof functions.
179 *
180 * In all cases, if there are no policy clauses allowing access to rows in
181 * the table for the specific type of operation, then a single
182 * always-false clause (a default-deny policy) will be added (see
183 * add_security_quals).
184 */
185
186 /*
187 * For a SELECT, if UPDATE privileges are required (eg: the user has
188 * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
189 * first.
190 *
191 * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
192 * which the user does not have access to via the UPDATE USING policies,
193 * similar to how we require normal UPDATE rights for these queries.
194 */
195 if (commandType == CMD_SELECT && perminfo->requiredPerms & ACL_UPDATE)
196 {
197 List *update_permissive_policies;
198 List *update_restrictive_policies;
199
201 &update_permissive_policies,
202 &update_restrictive_policies);
203
204 add_security_quals(rt_index,
205 update_permissive_policies,
206 update_restrictive_policies,
207 securityQuals,
208 hasSubLinks);
209 }
210
211 /*
212 * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
213 * policies. These security quals control access to existing table rows.
214 * Restrictive policies are combined together using AND, and permissive
215 * policies are combined together using OR.
216 */
217
218 get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
219 &restrictive_policies);
220
221 if (commandType == CMD_SELECT ||
222 commandType == CMD_UPDATE ||
223 commandType == CMD_DELETE)
224 add_security_quals(rt_index,
225 permissive_policies,
226 restrictive_policies,
227 securityQuals,
228 hasSubLinks);
229
230 /*
231 * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
232 * are also required (eg: when a RETURNING clause exists, or the user has
233 * provided a WHERE clause which involves columns from the relation), we
234 * collect up CMD_SELECT policies and add them via add_security_quals
235 * first.
236 *
237 * This way, we filter out any records which are not visible through an
238 * ALL or SELECT USING policy.
239 */
240 if ((commandType == CMD_UPDATE || commandType == CMD_DELETE ||
241 commandType == CMD_MERGE) &&
242 perminfo->requiredPerms & ACL_SELECT)
243 {
244 List *select_permissive_policies;
245 List *select_restrictive_policies;
246
248 &select_permissive_policies,
249 &select_restrictive_policies);
250
251 add_security_quals(rt_index,
252 select_permissive_policies,
253 select_restrictive_policies,
254 securityQuals,
255 hasSubLinks);
256 }
257
258 /*
259 * For INSERT and UPDATE, add withCheckOptions to verify that any new
260 * records added are consistent with the security policies. This will use
261 * each policy's WITH CHECK clause, or its USING clause if no explicit
262 * WITH CHECK clause is defined.
263 */
264 if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
265 {
266 /* This should be the target relation */
267 Assert(rt_index == root->resultRelation);
268
269 add_with_check_options(rel, rt_index,
270 commandType == CMD_INSERT ?
272 permissive_policies,
273 restrictive_policies,
274 withCheckOptions,
275 hasSubLinks,
276 false);
277
278 /*
279 * Get and add ALL/SELECT policies, if SELECT rights are required for
280 * this relation (eg: when RETURNING is used). These are added as WCO
281 * policies rather than security quals to ensure that an error is
282 * raised if a policy is violated; otherwise, we might end up silently
283 * dropping rows to be added.
284 */
285 if (perminfo->requiredPerms & ACL_SELECT)
286 {
287 List *select_permissive_policies = NIL;
288 List *select_restrictive_policies = NIL;
289
291 &select_permissive_policies,
292 &select_restrictive_policies);
293 add_with_check_options(rel, rt_index,
294 commandType == CMD_INSERT ?
296 select_permissive_policies,
297 select_restrictive_policies,
298 withCheckOptions,
299 hasSubLinks,
300 true);
301 }
302
303 /*
304 * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
305 * checks for the UPDATE which may be applied to the same RTE.
306 */
307 if (commandType == CMD_INSERT &&
308 root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
309 {
310 List *conflict_permissive_policies;
311 List *conflict_restrictive_policies;
312 List *conflict_select_permissive_policies = NIL;
313 List *conflict_select_restrictive_policies = NIL;
314
315 /* Get the policies that apply to the auxiliary UPDATE */
317 &conflict_permissive_policies,
318 &conflict_restrictive_policies);
319
320 /*
321 * Enforce the USING clauses of the UPDATE policies using WCOs
322 * rather than security quals. This ensures that an error is
323 * raised if the conflicting row cannot be updated due to RLS,
324 * rather than the change being silently dropped.
325 */
326 add_with_check_options(rel, rt_index,
328 conflict_permissive_policies,
329 conflict_restrictive_policies,
330 withCheckOptions,
331 hasSubLinks,
332 true);
333
334 /*
335 * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
336 * to ensure they are considered when taking the UPDATE path of an
337 * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
338 * for this relation, also as WCO policies, again, to avoid
339 * silently dropping data. See above.
340 */
341 if (perminfo->requiredPerms & ACL_SELECT)
342 {
344 &conflict_select_permissive_policies,
345 &conflict_select_restrictive_policies);
346 add_with_check_options(rel, rt_index,
348 conflict_select_permissive_policies,
349 conflict_select_restrictive_policies,
350 withCheckOptions,
351 hasSubLinks,
352 true);
353 }
354
355 /* Enforce the WITH CHECK clauses of the UPDATE policies */
356 add_with_check_options(rel, rt_index,
358 conflict_permissive_policies,
359 conflict_restrictive_policies,
360 withCheckOptions,
361 hasSubLinks,
362 false);
363
364 /*
365 * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
366 * that the final updated row is visible when taking the UPDATE
367 * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
368 * are required for this relation.
369 */
370 if (perminfo->requiredPerms & ACL_SELECT)
371 add_with_check_options(rel, rt_index,
373 conflict_select_permissive_policies,
374 conflict_select_restrictive_policies,
375 withCheckOptions,
376 hasSubLinks,
377 true);
378 }
379 }
380
381 /*
382 * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
383 * and set them up so that we can enforce the appropriate policy depending
384 * on the final action we take.
385 *
386 * We already fetched the SELECT policies above, to check existing rows,
387 * but we must also check that new rows created by INSERT/UPDATE actions
388 * are visible, if SELECT rights are required. For INSERT actions, we only
389 * do this if RETURNING is specified, to be consistent with a plain INSERT
390 * command, which can only require SELECT rights when RETURNING is used.
391 *
392 * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
393 * really want to apply them while scanning the relation since we don't
394 * know whether we will be doing an UPDATE or a DELETE at the end. We
395 * apply the respective policy once we decide the final action on the
396 * target tuple.
397 *
398 * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
399 * UPDATE/DELETE on the target row, we shall throw an error instead of
400 * silently ignoring the row. This is different than how normal
401 * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO UPDATE
402 * handling.
403 */
404 if (commandType == CMD_MERGE)
405 {
406 List *merge_update_permissive_policies;
407 List *merge_update_restrictive_policies;
408 List *merge_delete_permissive_policies;
409 List *merge_delete_restrictive_policies;
410 List *merge_insert_permissive_policies;
411 List *merge_insert_restrictive_policies;
412 List *merge_select_permissive_policies = NIL;
413 List *merge_select_restrictive_policies = NIL;
414
415 /*
416 * Fetch the UPDATE policies and set them up to execute on the
417 * existing target row before doing UPDATE.
418 */
420 &merge_update_permissive_policies,
421 &merge_update_restrictive_policies);
422
423 /*
424 * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
425 * the existing target row.
426 */
427 add_with_check_options(rel, rt_index,
429 merge_update_permissive_policies,
430 merge_update_restrictive_policies,
431 withCheckOptions,
432 hasSubLinks,
433 true);
434
435 /* Enforce the WITH CHECK clauses of the UPDATE policies */
436 add_with_check_options(rel, rt_index,
438 merge_update_permissive_policies,
439 merge_update_restrictive_policies,
440 withCheckOptions,
441 hasSubLinks,
442 false);
443
444 /*
445 * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
446 * that the updated row is visible when executing an UPDATE action, if
447 * SELECT rights are required for this relation.
448 */
449 if (perminfo->requiredPerms & ACL_SELECT)
450 {
452 &merge_select_permissive_policies,
453 &merge_select_restrictive_policies);
454 add_with_check_options(rel, rt_index,
456 merge_select_permissive_policies,
457 merge_select_restrictive_policies,
458 withCheckOptions,
459 hasSubLinks,
460 true);
461 }
462
463 /*
464 * Fetch the DELETE policies and set them up to execute on the
465 * existing target row before doing DELETE.
466 */
468 &merge_delete_permissive_policies,
469 &merge_delete_restrictive_policies);
470
471 /*
472 * WCO_RLS_MERGE_DELETE_CHECK is used to check DELETE USING quals on
473 * the existing target row.
474 */
475 add_with_check_options(rel, rt_index,
477 merge_delete_permissive_policies,
478 merge_delete_restrictive_policies,
479 withCheckOptions,
480 hasSubLinks,
481 true);
482
483 /*
484 * No special handling is required for INSERT policies. They will be
485 * checked and enforced during ExecInsert(). But we must add them to
486 * withCheckOptions.
487 */
489 &merge_insert_permissive_policies,
490 &merge_insert_restrictive_policies);
491
492 add_with_check_options(rel, rt_index,
494 merge_insert_permissive_policies,
495 merge_insert_restrictive_policies,
496 withCheckOptions,
497 hasSubLinks,
498 false);
499
500 /*
501 * Add ALL/SELECT policies as WCO_RLS_INSERT_CHECK WCOs, to ensure
502 * that the inserted row is visible when executing an INSERT action,
503 * if RETURNING is specified and SELECT rights are required for this
504 * relation.
505 */
506 if (perminfo->requiredPerms & ACL_SELECT && root->returningList)
507 add_with_check_options(rel, rt_index,
509 merge_select_permissive_policies,
510 merge_select_restrictive_policies,
511 withCheckOptions,
512 hasSubLinks,
513 true);
514 }
515
516 table_close(rel, NoLock);
517
518 /*
519 * Copy checkAsUser to the row security quals and WithCheckOption checks,
520 * in case they contain any subqueries referring to other relations.
521 */
522 setRuleCheckAsUser((Node *) *securityQuals, perminfo->checkAsUser);
523 setRuleCheckAsUser((Node *) *withCheckOptions, perminfo->checkAsUser);
524
525 /*
526 * Mark this query as having row security, so plancache can invalidate it
527 * when necessary (eg: role changes)
528 */
529 *hasRowSecurity = true;
530}
#define Assert(condition)
Definition: c.h:815
#define OidIsValid(objectId)
Definition: c.h:732
#define NoLock
Definition: lockdefs.h:34
Oid GetUserId(void)
Definition: miscinit.c:517
@ ONCONFLICT_UPDATE
Definition: nodes.h:420
CmdType
Definition: nodes.h:263
RTEPermissionInfo * getRTEPermissionInfo(List *rteperminfos, RangeTblEntry *rte)
@ WCO_RLS_MERGE_UPDATE_CHECK
Definition: parsenodes.h:1372
@ WCO_RLS_CONFLICT_CHECK
Definition: parsenodes.h:1371
@ WCO_RLS_INSERT_CHECK
Definition: parsenodes.h:1369
@ WCO_RLS_UPDATE_CHECK
Definition: parsenodes.h:1370
@ WCO_RLS_MERGE_DELETE_CHECK
Definition: parsenodes.h:1373
#define ACL_UPDATE
Definition: parsenodes.h:78
@ RTE_RELATION
Definition: parsenodes.h:1026
#define ACL_SELECT
Definition: parsenodes.h:77
tree ctl root
Definition: radixtree.h:1857
void setRuleCheckAsUser(Node *node, Oid userid)
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:52
@ RLS_NONE
Definition: rls.h:43
@ RLS_NONE_ENV
Definition: rls.h:44
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:796
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:541
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:700
AclMode requiredPerms
Definition: parsenodes.h:1300
RTEKind rtekind
Definition: parsenodes.h:1056
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40

References ACL_SELECT, ACL_UPDATE, add_security_quals(), add_with_check_options(), Assert, check_enable_rls(), RTEPermissionInfo::checkAsUser, CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, get_policies_for_relation(), getRTEPermissionInfo(), GetUserId(), NIL, NoLock, OidIsValid, ONCONFLICT_UPDATE, RangeTblEntry::relid, RTEPermissionInfo::requiredPerms, RLS_NONE, RLS_NONE_ENV, root, RTE_RELATION, RangeTblEntry::rtekind, setRuleCheckAsUser(), table_close(), table_open(), WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, WCO_RLS_MERGE_DELETE_CHECK, WCO_RLS_MERGE_UPDATE_CHECK, and WCO_RLS_UPDATE_CHECK.

Referenced by fireRIRrules().

◆ row_security_policy_cmp()

static int row_security_policy_cmp ( const ListCell a,
const ListCell b 
)
static

Definition at line 674 of file rowsecurity.c.

675{
676 const RowSecurityPolicy *pa = (const RowSecurityPolicy *) lfirst(a);
677 const RowSecurityPolicy *pb = (const RowSecurityPolicy *) lfirst(b);
678
679 /* Guard against NULL policy names from extensions */
680 if (pa->policy_name == NULL)
681 return pb->policy_name == NULL ? 0 : 1;
682 if (pb->policy_name == NULL)
683 return -1;
684
685 return strcmp(pa->policy_name, pb->policy_name);
686}
int b
Definition: isn.c:69
int a
Definition: isn.c:68

References a, b, lfirst, and RowSecurityPolicy::policy_name.

Referenced by sort_policies_by_name().

◆ sort_policies_by_name()

static void sort_policies_by_name ( List policies)
static

Definition at line 665 of file rowsecurity.c.

666{
668}
void list_sort(List *list, list_sort_comparator cmp)
Definition: list.c:1674
static int row_security_policy_cmp(const ListCell *a, const ListCell *b)
Definition: rowsecurity.c:674

References list_sort(), and row_security_policy_cmp().

Referenced by get_policies_for_relation().

Variable Documentation

◆ row_security_policy_hook_permissive

row_security_policy_hook_type row_security_policy_hook_permissive = NULL

Definition at line 86 of file rowsecurity.c.

Referenced by _PG_init(), and get_policies_for_relation().

◆ row_security_policy_hook_restrictive

row_security_policy_hook_type row_security_policy_hook_restrictive = NULL

Definition at line 87 of file rowsecurity.c.

Referenced by _PG_init(), and get_policies_for_relation().