PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
rowsecurity.c
Go to the documentation of this file.
1 /*
2  * rewrite/rowsecurity.c
3  * Routines to support policies for row level security (aka RLS).
4  *
5  * Policies in PostgreSQL provide a mechanism to limit what records are
6  * returned to a user and what records a user is permitted to add to a table.
7  *
8  * Policies can be defined for specific roles, specific commands, or provided
9  * by an extension. Row security can also be enabled for a table without any
10  * policies being explicitly defined, in which case a default-deny policy is
11  * applied.
12  *
13  * Any part of the system which is returning records back to the user, or
14  * which is accepting records from the user to add to a table, needs to
15  * consider the policies associated with the table (if any). For normal
16  * queries, this is handled by calling get_row_security_policies() during
17  * rewrite, for each RTE in the query. This returns the expressions defined
18  * by the table's policies as a list that is prepended to the securityQuals
19  * list for the RTE. For queries which modify the table, any WITH CHECK
20  * clauses from the table's policies are also returned and prepended to the
21  * list of WithCheckOptions for the Query to check each row that is being
22  * added to the table. Other parts of the system (eg: COPY) simply construct
23  * a normal query and use that, if RLS is to be applied.
24  *
25  * The check to see if RLS should be enabled is provided through
26  * check_enable_rls(), which returns an enum (defined in rowsecurity.h) to
27  * indicate if RLS should be enabled (RLS_ENABLED), or bypassed (RLS_NONE or
28  * RLS_NONE_ENV). RLS_NONE_ENV indicates that RLS should be bypassed
29  * in the current environment, but that may change if the row_security GUC or
30  * the current role changes.
31  *
32  * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
33  * Portions Copyright (c) 1994, Regents of the University of California
34  */
35 #include "postgres.h"
36 
37 #include "access/heapam.h"
38 #include "access/htup_details.h"
39 #include "access/sysattr.h"
40 #include "catalog/pg_class.h"
41 #include "catalog/pg_inherits_fn.h"
42 #include "catalog/pg_policy.h"
43 #include "catalog/pg_type.h"
44 #include "miscadmin.h"
45 #include "nodes/makefuncs.h"
46 #include "nodes/nodeFuncs.h"
47 #include "nodes/pg_list.h"
48 #include "nodes/plannodes.h"
49 #include "parser/parsetree.h"
50 #include "rewrite/rewriteHandler.h"
51 #include "rewrite/rewriteManip.h"
52 #include "rewrite/rowsecurity.h"
53 #include "utils/acl.h"
54 #include "utils/lsyscache.h"
55 #include "utils/rel.h"
56 #include "utils/rls.h"
57 #include "utils/syscache.h"
58 #include "tcop/utility.h"
59 
60 static void get_policies_for_relation(Relation relation,
61  CmdType cmd, Oid user_id,
62  List **permissive_policies,
63  List **restrictive_policies);
64 
65 static List *sort_policies_by_name(List *policies);
66 
67 static int row_security_policy_cmp(const void *a, const void *b);
68 
69 static void add_security_quals(int rt_index,
70  List *permissive_policies,
71  List *restrictive_policies,
72  List **securityQuals,
73  bool *hasSubLinks);
74 
75 static void add_with_check_options(Relation rel,
76  int rt_index,
77  WCOKind kind,
78  List *permissive_policies,
79  List *restrictive_policies,
80  List **withCheckOptions,
81  bool *hasSubLinks,
82  bool force_using);
83 
84 static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id);
85 
86 /*
87  * hooks to allow extensions to add their own security policies
88  *
89  * row_security_policy_hook_permissive can be used to add policies which
90  * are combined with the other permissive policies, using OR.
91  *
92  * row_security_policy_hook_restrictive can be used to add policies which
93  * are enforced, regardless of other policies (they are combined using AND).
94  */
97 
98 /*
99  * Get any row security quals and WithCheckOption checks that should be
100  * applied to the specified RTE.
101  *
102  * In addition, hasRowSecurity is set to true if row level security is enabled
103  * (even if this RTE doesn't have any row security quals), and hasSubLinks is
104  * set to true if any of the quals returned contain sublinks.
105  */
106 void
108  List **securityQuals, List **withCheckOptions,
109  bool *hasRowSecurity, bool *hasSubLinks)
110 {
111  Oid user_id;
112  int rls_status;
113  Relation rel;
114  CmdType commandType;
115  List *permissive_policies;
116  List *restrictive_policies;
117 
118  /* Defaults for the return values */
119  *securityQuals = NIL;
120  *withCheckOptions = NIL;
121  *hasRowSecurity = false;
122  *hasSubLinks = false;
123 
124  /* If this is not a normal relation, just return immediately */
125  if (rte->relkind != RELKIND_RELATION &&
127  return;
128 
129  /* Switch to checkAsUser if it's set */
130  user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
131 
132  /* Determine the state of RLS for this, pass checkAsUser explicitly */
133  rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
134 
135  /* If there is no RLS on this table at all, nothing to do */
136  if (rls_status == RLS_NONE)
137  return;
138 
139  /*
140  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
141  * with changes to the environment, so we mark it as hasRowSecurity to
142  * force a re-plan when the environment changes.
143  */
144  if (rls_status == RLS_NONE_ENV)
145  {
146  /*
147  * Indicate that this query may involve RLS and must therefore be
148  * replanned if the environment changes (GUCs, role), but we are not
149  * adding anything here.
150  */
151  *hasRowSecurity = true;
152 
153  return;
154  }
155 
156  /*
157  * RLS is enabled for this relation.
158  *
159  * Get the security policies that should be applied, based on the command
160  * type. Note that if this isn't the target relation, we actually want
161  * the relation's SELECT policies, regardless of the query command type,
162  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
163  * policies and t2's SELECT policies.
164  */
165  rel = heap_open(rte->relid, NoLock);
166 
167  commandType = rt_index == root->resultRelation ?
168  root->commandType : CMD_SELECT;
169 
170  /*
171  * In some cases, we need to apply USING policies (which control the
172  * visibility of records) associated with multiple command types (see
173  * specific cases below).
174  *
175  * When considering the order in which to apply these USING policies, we
176  * prefer to apply higher privileged policies, those which allow the user
177  * to lock records (UPDATE and DELETE), first, followed by policies which
178  * don't (SELECT).
179  *
180  * Note that the optimizer is free to push down and reorder quals which
181  * use leakproof functions.
182  *
183  * In all cases, if there are no policy clauses allowing access to rows in
184  * the table for the specific type of operation, then a single
185  * always-false clause (a default-deny policy) will be added (see
186  * add_security_quals).
187  */
188 
189  /*
190  * For a SELECT, if UPDATE privileges are required (eg: the user has
191  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
192  * first.
193  *
194  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
195  * which the user does not have access to via the UPDATE USING policies,
196  * similar to how we require normal UPDATE rights for these queries.
197  */
198  if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
199  {
200  List *update_permissive_policies;
201  List *update_restrictive_policies;
202 
204  &update_permissive_policies,
205  &update_restrictive_policies);
206 
207  add_security_quals(rt_index,
208  update_permissive_policies,
209  update_restrictive_policies,
210  securityQuals,
211  hasSubLinks);
212  }
213 
214  /*
215  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
216  * policies. These security quals control access to existing table rows.
217  * Restrictive policies are combined together using AND, and permissive
218  * policies are combined together using OR.
219  */
220 
221  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
222  &restrictive_policies);
223 
224  if (commandType == CMD_SELECT ||
225  commandType == CMD_UPDATE ||
226  commandType == CMD_DELETE)
227  add_security_quals(rt_index,
228  permissive_policies,
229  restrictive_policies,
230  securityQuals,
231  hasSubLinks);
232 
233  /*
234  * Similar to above, during an UPDATE or DELETE, if SELECT rights are also
235  * required (eg: when a RETURNING clause exists, or the user has provided
236  * a WHERE clause which involves columns from the relation), we collect up
237  * CMD_SELECT policies and add them via add_security_quals first.
238  *
239  * This way, we filter out any records which are not visible through an
240  * ALL or SELECT USING policy.
241  */
242  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE) &&
243  rte->requiredPerms & ACL_SELECT)
244  {
245  List *select_permissive_policies;
246  List *select_restrictive_policies;
247 
249  &select_permissive_policies,
250  &select_restrictive_policies);
251 
252  add_security_quals(rt_index,
253  select_permissive_policies,
254  select_restrictive_policies,
255  securityQuals,
256  hasSubLinks);
257  }
258 
259  /*
260  * For INSERT and UPDATE, add withCheckOptions to verify that any new
261  * records added are consistent with the security policies. This will use
262  * each policy's WITH CHECK clause, or its USING clause if no explicit
263  * WITH CHECK clause is defined.
264  */
265  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
266  {
267  /* This should be the target relation */
268  Assert(rt_index == root->resultRelation);
269 
270  add_with_check_options(rel, rt_index,
271  commandType == CMD_INSERT ?
273  permissive_policies,
274  restrictive_policies,
275  withCheckOptions,
276  hasSubLinks,
277  false);
278 
279  /*
280  * Get and add ALL/SELECT policies, if SELECT rights are required for
281  * this relation (eg: when RETURNING is used). These are added as WCO
282  * policies rather than security quals to ensure that an error is
283  * raised if a policy is violated; otherwise, we might end up silently
284  * dropping rows to be added.
285  */
286  if (rte->requiredPerms & ACL_SELECT)
287  {
288  List *select_permissive_policies = NIL;
289  List *select_restrictive_policies = NIL;
290 
292  &select_permissive_policies,
293  &select_restrictive_policies);
294  add_with_check_options(rel, rt_index,
295  commandType == CMD_INSERT ?
296  WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
297  select_permissive_policies,
298  select_restrictive_policies,
299  withCheckOptions,
300  hasSubLinks,
301  true);
302  }
303 
304  /*
305  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
306  * checks for the UPDATE which may be applied to the same RTE.
307  */
308  if (commandType == CMD_INSERT &&
309  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
310  {
311  List *conflict_permissive_policies;
312  List *conflict_restrictive_policies;
313 
314  /* Get the policies that apply to the auxiliary UPDATE */
316  &conflict_permissive_policies,
317  &conflict_restrictive_policies);
318 
319  /*
320  * Enforce the USING clauses of the UPDATE policies using WCOs
321  * rather than security quals. This ensures that an error is
322  * raised if the conflicting row cannot be updated due to RLS,
323  * rather than the change being silently dropped.
324  */
325  add_with_check_options(rel, rt_index,
327  conflict_permissive_policies,
328  conflict_restrictive_policies,
329  withCheckOptions,
330  hasSubLinks,
331  true);
332 
333  /*
334  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
335  * to ensure they are considered when taking the UPDATE path of an
336  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
337  * for this relation, also as WCO policies, again, to avoid
338  * silently dropping data. See above.
339  */
340  if (rte->requiredPerms & ACL_SELECT)
341  {
342  List *conflict_select_permissive_policies = NIL;
343  List *conflict_select_restrictive_policies = NIL;
344 
346  &conflict_select_permissive_policies,
347  &conflict_select_restrictive_policies);
348  add_with_check_options(rel, rt_index,
350  conflict_select_permissive_policies,
351  conflict_select_restrictive_policies,
352  withCheckOptions,
353  hasSubLinks,
354  true);
355  }
356 
357  /* Enforce the WITH CHECK clauses of the UPDATE policies */
358  add_with_check_options(rel, rt_index,
359  WCO_RLS_UPDATE_CHECK,
360  conflict_permissive_policies,
361  conflict_restrictive_policies,
362  withCheckOptions,
363  hasSubLinks,
364  false);
365  }
366  }
367 
368  heap_close(rel, NoLock);
369 
370  /*
371  * Mark this query as having row security, so plancache can invalidate it
372  * when necessary (eg: role changes)
373  */
374  *hasRowSecurity = true;
375 
376  return;
377 }
378 
379 /*
380  * get_policies_for_relation
381  *
382  * Returns lists of permissive and restrictive policies to be applied to the
383  * specified relation, based on the command type and role.
384  *
385  * This includes any policies added by extensions.
386  */
387 static void
389  List **permissive_policies,
390  List **restrictive_policies)
391 {
392  ListCell *item;
393 
394  *permissive_policies = NIL;
395  *restrictive_policies = NIL;
396 
397  /*
398  * First find all internal policies for the relation. CREATE POLICY does
399  * not currently support defining restrictive policies, so for now all
400  * internal policies are permissive.
401  */
402  foreach(item, relation->rd_rsdesc->policies)
403  {
404  bool cmd_matches = false;
405  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
406 
407  /* Always add ALL policies, if they exist. */
408  if (policy->polcmd == '*')
409  cmd_matches = true;
410  else
411  {
412  /* Check whether the policy applies to the specified command type */
413  switch (cmd)
414  {
415  case CMD_SELECT:
416  if (policy->polcmd == ACL_SELECT_CHR)
417  cmd_matches = true;
418  break;
419  case CMD_INSERT:
420  if (policy->polcmd == ACL_INSERT_CHR)
421  cmd_matches = true;
422  break;
423  case CMD_UPDATE:
424  if (policy->polcmd == ACL_UPDATE_CHR)
425  cmd_matches = true;
426  break;
427  case CMD_DELETE:
428  if (policy->polcmd == ACL_DELETE_CHR)
429  cmd_matches = true;
430  break;
431  default:
432  elog(ERROR, "unrecognized policy command type %d",
433  (int) cmd);
434  break;
435  }
436  }
437 
438  /*
439  * Add this policy to the list of permissive policies if it applies to
440  * the specified role.
441  */
442  if (cmd_matches && check_role_for_policy(policy->roles, user_id))
443  {
444  if (policy->permissive)
445  *permissive_policies = lappend(*permissive_policies, policy);
446  else
447  *restrictive_policies = lappend(*restrictive_policies, policy);
448  }
449  }
450 
451  /*
452  * We sort restrictive policies by name so that any WCOs they generate are
453  * checked in a well-defined order.
454  */
455  *restrictive_policies = sort_policies_by_name(*restrictive_policies);
456 
457  /*
458  * Then add any permissive or restrictive policies defined by extensions.
459  * These are simply appended to the lists of internal policies, if they
460  * apply to the specified role.
461  */
463  {
464  List *hook_policies =
465  (*row_security_policy_hook_restrictive) (cmd, relation);
466 
467  /*
468  * As with built-in restrictive policies, we sort any hook-provided
469  * restrictive policies by name also. Note that we also intentionally
470  * always check all built-in restrictive policies, in name order,
471  * before checking restrictive policies added by hooks, in name order.
472  */
473  hook_policies = sort_policies_by_name(hook_policies);
474 
475  foreach(item, hook_policies)
476  {
477  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
478 
479  if (check_role_for_policy(policy->roles, user_id))
480  *restrictive_policies = lappend(*restrictive_policies, policy);
481  }
482  }
483 
485  {
486  List *hook_policies =
487  (*row_security_policy_hook_permissive) (cmd, relation);
488 
489  foreach(item, hook_policies)
490  {
491  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
492 
493  if (check_role_for_policy(policy->roles, user_id))
494  *permissive_policies = lappend(*permissive_policies, policy);
495  }
496  }
497 }
498 
499 /*
500  * sort_policies_by_name
501  *
502  * This is only used for restrictive policies, ensuring that any
503  * WithCheckOptions they generate are applied in a well-defined order.
504  * This is not necessary for permissive policies, since they are all combined
505  * together using OR into a single WithCheckOption check.
506  */
507 static List *
509 {
510  int npol = list_length(policies);
511  RowSecurityPolicy *pols;
512  ListCell *item;
513  int ii = 0;
514 
515  if (npol <= 1)
516  return policies;
517 
518  pols = (RowSecurityPolicy *) palloc(sizeof(RowSecurityPolicy) * npol);
519 
520  foreach(item, policies)
521  {
522  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
523 
524  pols[ii++] = *policy;
525  }
526 
527  qsort(pols, npol, sizeof(RowSecurityPolicy), row_security_policy_cmp);
528 
529  policies = NIL;
530  for (ii = 0; ii < npol; ii++)
531  policies = lappend(policies, &pols[ii]);
532 
533  return policies;
534 }
535 
536 /*
537  * qsort comparator to sort RowSecurityPolicy entries by name
538  */
539 static int
540 row_security_policy_cmp(const void *a, const void *b)
541 {
542  const RowSecurityPolicy *pa = (const RowSecurityPolicy *) a;
543  const RowSecurityPolicy *pb = (const RowSecurityPolicy *) b;
544 
545  /* Guard against NULL policy names from extensions */
546  if (pa->policy_name == NULL)
547  return pb->policy_name == NULL ? 0 : 1;
548  if (pb->policy_name == NULL)
549  return -1;
550 
551  return strcmp(pa->policy_name, pb->policy_name);
552 }
553 
554 /*
555  * add_security_quals
556  *
557  * Add security quals to enforce the specified RLS policies, restricting
558  * access to existing data in a table. If there are no policies controlling
559  * access to the table, then all access is prohibited --- i.e., an implicit
560  * default-deny policy is used.
561  *
562  * New security quals are added to securityQuals, and hasSubLinks is set to
563  * true if any of the quals added contain sublink subqueries.
564  */
565 static void
566 add_security_quals(int rt_index,
567  List *permissive_policies,
568  List *restrictive_policies,
569  List **securityQuals,
570  bool *hasSubLinks)
571 {
572  ListCell *item;
573  List *permissive_quals = NIL;
574  Expr *rowsec_expr;
575 
576  /*
577  * First collect up the permissive quals. If we do not find any
578  * permissive policies then no rows are visible (this is handled below).
579  */
580  foreach(item, permissive_policies)
581  {
582  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
583 
584  if (policy->qual != NULL)
585  {
586  permissive_quals = lappend(permissive_quals,
587  copyObject(policy->qual));
588  *hasSubLinks |= policy->hassublinks;
589  }
590  }
591 
592  /*
593  * We must have permissive quals, always, or no rows are visible.
594  *
595  * If we do not, then we simply return a single 'false' qual which results
596  * in no rows being visible.
597  */
598  if (permissive_quals != NIL)
599  {
600  /*
601  * We now know that permissive policies exist, so we can now add
602  * security quals based on the USING clauses from the restrictive
603  * policies. Since these need to be combined together using AND, we
604  * can just add them one at a time.
605  */
606  foreach(item, restrictive_policies)
607  {
608  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
609  Expr *qual;
610 
611  if (policy->qual != NULL)
612  {
613  qual = copyObject(policy->qual);
614  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
615 
616  *securityQuals = list_append_unique(*securityQuals, qual);
617  *hasSubLinks |= policy->hassublinks;
618  }
619  }
620 
621  /*
622  * Then add a single security qual combining together the USING
623  * clauses from all the permissive policies using OR.
624  */
625  if (list_length(permissive_quals) == 1)
626  rowsec_expr = (Expr *) linitial(permissive_quals);
627  else
628  rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
629 
630  ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
631  *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
632  }
633  else
634 
635  /*
636  * A permissive policy must exist for rows to be visible at all.
637  * Therefore, if there were no permissive policies found, return a
638  * single always-false clause.
639  */
640  *securityQuals = lappend(*securityQuals,
642  sizeof(bool), BoolGetDatum(false),
643  false, true));
644 }
645 
646 /*
647  * add_with_check_options
648  *
649  * Add WithCheckOptions of the specified kind to check that new records
650  * added by an INSERT or UPDATE are consistent with the specified RLS
651  * policies. Normally new data must satisfy the WITH CHECK clauses from the
652  * policies. If a policy has no explicit WITH CHECK clause, its USING clause
653  * is used instead. In the special case of an UPDATE arising from an
654  * INSERT ... ON CONFLICT DO UPDATE, existing records are first checked using
655  * a WCO_RLS_CONFLICT_CHECK WithCheckOption, which always uses the USING
656  * clauses from RLS policies.
657  *
658  * New WCOs are added to withCheckOptions, and hasSubLinks is set to true if
659  * any of the check clauses added contain sublink subqueries.
660  */
661 static void
663  int rt_index,
664  WCOKind kind,
665  List *permissive_policies,
666  List *restrictive_policies,
667  List **withCheckOptions,
668  bool *hasSubLinks,
669  bool force_using)
670 {
671  ListCell *item;
672  List *permissive_quals = NIL;
673 
674 #define QUAL_FOR_WCO(policy) \
675  ( !force_using && \
676  (policy)->with_check_qual != NULL ? \
677  (policy)->with_check_qual : (policy)->qual )
678 
679  /*
680  * First collect up the permissive policy clauses, similar to
681  * add_security_quals.
682  */
683  foreach(item, permissive_policies)
684  {
685  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
686  Expr *qual = QUAL_FOR_WCO(policy);
687 
688  if (qual != NULL)
689  {
690  permissive_quals = lappend(permissive_quals, copyObject(qual));
691  *hasSubLinks |= policy->hassublinks;
692  }
693  }
694 
695  /*
696  * There must be at least one permissive qual found or no rows are allowed
697  * to be added. This is the same as in add_security_quals.
698  *
699  * If there are no permissive_quals then we fall through and return a
700  * single 'false' WCO, preventing all new rows.
701  */
702  if (permissive_quals != NIL)
703  {
704  /*
705  * Add a single WithCheckOption for all the permissive policy clauses,
706  * combining them together using OR. This check has no policy name,
707  * since if the check fails it means that no policy granted permission
708  * to perform the update, rather than any particular policy being
709  * violated.
710  */
711  WithCheckOption *wco;
712 
713  wco = makeNode(WithCheckOption);
714  wco->kind = kind;
716  wco->polname = NULL;
717  wco->cascaded = false;
718 
719  if (list_length(permissive_quals) == 1)
720  wco->qual = (Node *) linitial(permissive_quals);
721  else
722  wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
723 
724  ChangeVarNodes(wco->qual, 1, rt_index, 0);
725 
726  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
727 
728  /*
729  * Now add WithCheckOptions for each of the restrictive policy clauses
730  * (which will be combined together using AND). We use a separate
731  * WithCheckOption for each restrictive policy to allow the policy
732  * name to be included in error reports if the policy is violated.
733  */
734  foreach(item, restrictive_policies)
735  {
736  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
737  Expr *qual = QUAL_FOR_WCO(policy);
738  WithCheckOption *wco;
739 
740  if (qual != NULL)
741  {
742  qual = copyObject(qual);
743  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
744 
745  wco = makeNode(WithCheckOption);
746  wco->kind = kind;
748  wco->polname = pstrdup(policy->policy_name);
749  wco->qual = (Node *) qual;
750  wco->cascaded = false;
751 
752  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
753  *hasSubLinks |= policy->hassublinks;
754  }
755  }
756  }
757  else
758  {
759  /*
760  * If there were no policy clauses to check new data, add a single
761  * always-false WCO (a default-deny policy).
762  */
763  WithCheckOption *wco;
764 
765  wco = makeNode(WithCheckOption);
766  wco->kind = kind;
768  wco->polname = NULL;
769  wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
770  sizeof(bool), BoolGetDatum(false),
771  false, true);
772  wco->cascaded = false;
773 
774  *withCheckOptions = lappend(*withCheckOptions, wco);
775  }
776 }
777 
778 /*
779  * check_role_for_policy -
780  * determines if the policy should be applied for the current role
781  */
782 static bool
783 check_role_for_policy(ArrayType *policy_roles, Oid user_id)
784 {
785  int i;
786  Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
787 
788  /* Quick fall-thru for policies applied to all roles */
789  if (roles[0] == ACL_ID_PUBLIC)
790  return true;
791 
792  for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
793  {
794  if (has_privs_of_role(user_id, roles[i]))
795  return true;
796  }
797 
798  return false;
799 }
#define NIL
Definition: pg_list.h:69
#define ACL_INSERT_CHR
Definition: acl.h:138
Oid GetUserId(void)
Definition: miscinit.c:284
OnConflictExpr * onConflict
Definition: parsenodes.h:142
void get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
Definition: rowsecurity.c:107
char * pstrdup(const char *in)
Definition: mcxt.c:1076
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4828
int resultRelation
Definition: parsenodes.h:120
#define ACL_DELETE_CHR
Definition: acl.h:141
List *(* row_security_policy_hook_type)(CmdType cmdtype, Relation relation)
Definition: rowsecurity.h:37
Definition: nodes.h:509
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:95
AclMode requiredPerms
Definition: parsenodes.h:1053
#define heap_close(r, l)
Definition: heapam.h:97
unsigned int Oid
Definition: postgres_ext.h:31
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:296
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:783
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:366
#define QUAL_FOR_WCO(policy)
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:566
#define linitial(l)
Definition: pg_list.h:111
#define ERROR
Definition: elog.h:43
#define ARR_DIMS(a)
Definition: array.h:275
#define ARR_DATA_PTR(a)
Definition: array.h:303
#define NoLock
Definition: lockdefs.h:34
List * list_append_unique(List *list, void *datum)
Definition: list.c:962
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:96
#define RelationGetRelationName(relation)
Definition: rel.h:436
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:662
ArrayType * roles
Definition: rowsecurity.h:24
WCOKind
Definition: parsenodes.h:1111
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:122
static List * sort_policies_by_name(List *policies)
Definition: rowsecurity.c:508
List * lappend(List *list, void *datum)
Definition: list.c:128
OnConflictAction action
Definition: primnodes.h:1487
#define ACL_SELECT_CHR
Definition: acl.h:139
#define ACL_UPDATE
Definition: parsenodes.h:74
#define RELKIND_PARTITIONED_TABLE
Definition: pg_class.h:168
#define ACL_SELECT
Definition: parsenodes.h:73
Relation heap_open(Oid relationId, LOCKMODE lockmode)
Definition: heapam.c:1290
static int row_security_policy_cmp(const void *a, const void *b)
Definition: rowsecurity.c:540
#define BoolGetDatum(X)
Definition: postgres.h:408
#define InvalidOid
Definition: postgres_ext.h:36
CmdType commandType
Definition: parsenodes.h:110
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:53
#define makeNode(_type_)
Definition: nodes.h:557
#define Assert(condition)
Definition: c.h:664
#define lfirst(lc)
Definition: pg_list.h:106
static int list_length(const List *l)
Definition: pg_list.h:89
#define ACL_UPDATE_CHR
Definition: acl.h:140
#define BOOLOID
Definition: pg_type.h:288
void * palloc(Size size)
Definition: mcxt.c:848
int i
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:607
#define ACL_ID_PUBLIC
Definition: acl.h:47
#define elog
Definition: elog.h:219
#define qsort(a, b, c, d)
Definition: port.h:443
#define copyObject(obj)
Definition: nodes.h:622
#define RELKIND_RELATION
Definition: pg_class.h:160
Definition: rls.h:43
Definition: pg_list.h:45
CmdType
Definition: nodes.h:649
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:388