PostgreSQL Source Code  git master
rowsecurity.c
Go to the documentation of this file.
1 /*
2  * rewrite/rowsecurity.c
3  * Routines to support policies for row-level security (aka RLS).
4  *
5  * Policies in PostgreSQL provide a mechanism to limit what records are
6  * returned to a user and what records a user is permitted to add to a table.
7  *
8  * Policies can be defined for specific roles, specific commands, or provided
9  * by an extension. Row security can also be enabled for a table without any
10  * policies being explicitly defined, in which case a default-deny policy is
11  * applied.
12  *
13  * Any part of the system which is returning records back to the user, or
14  * which is accepting records from the user to add to a table, needs to
15  * consider the policies associated with the table (if any). For normal
16  * queries, this is handled by calling get_row_security_policies() during
17  * rewrite, for each RTE in the query. This returns the expressions defined
18  * by the table's policies as a list that is prepended to the securityQuals
19  * list for the RTE. For queries which modify the table, any WITH CHECK
20  * clauses from the table's policies are also returned and prepended to the
21  * list of WithCheckOptions for the Query to check each row that is being
22  * added to the table. Other parts of the system (eg: COPY) simply construct
23  * a normal query and use that, if RLS is to be applied.
24  *
25  * The check to see if RLS should be enabled is provided through
26  * check_enable_rls(), which returns an enum (defined in rowsecurity.h) to
27  * indicate if RLS should be enabled (RLS_ENABLED), or bypassed (RLS_NONE or
28  * RLS_NONE_ENV). RLS_NONE_ENV indicates that RLS should be bypassed
29  * in the current environment, but that may change if the row_security GUC or
30  * the current role changes.
31  *
32  * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
33  * Portions Copyright (c) 1994, Regents of the University of California
34  */
35 #include "postgres.h"
36 
37 #include "access/htup_details.h"
38 #include "access/sysattr.h"
39 #include "access/table.h"
40 #include "catalog/pg_class.h"
41 #include "catalog/pg_inherits.h"
42 #include "catalog/pg_policy.h"
43 #include "catalog/pg_type.h"
44 #include "miscadmin.h"
45 #include "nodes/makefuncs.h"
46 #include "nodes/nodeFuncs.h"
47 #include "nodes/pg_list.h"
48 #include "nodes/plannodes.h"
49 #include "parser/parsetree.h"
50 #include "parser/parse_relation.h"
51 #include "rewrite/rewriteDefine.h"
52 #include "rewrite/rewriteHandler.h"
53 #include "rewrite/rewriteManip.h"
54 #include "rewrite/rowsecurity.h"
55 #include "tcop/utility.h"
56 #include "utils/acl.h"
57 #include "utils/lsyscache.h"
58 #include "utils/rel.h"
59 #include "utils/rls.h"
60 #include "utils/syscache.h"
61 
62 static void get_policies_for_relation(Relation relation,
63  CmdType cmd, Oid user_id,
64  List **permissive_policies,
65  List **restrictive_policies);
66 
67 static void sort_policies_by_name(List *policies);
68 
69 static int row_security_policy_cmp(const ListCell *a, const ListCell *b);
70 
71 static void add_security_quals(int rt_index,
72  List *permissive_policies,
73  List *restrictive_policies,
74  List **securityQuals,
75  bool *hasSubLinks);
76 
77 static void add_with_check_options(Relation rel,
78  int rt_index,
79  WCOKind kind,
80  List *permissive_policies,
81  List *restrictive_policies,
82  List **withCheckOptions,
83  bool *hasSubLinks,
84  bool force_using);
85 
86 static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id);
87 
88 /*
89  * hooks to allow extensions to add their own security policies
90  *
91  * row_security_policy_hook_permissive can be used to add policies which
92  * are combined with the other permissive policies, using OR.
93  *
94  * row_security_policy_hook_restrictive can be used to add policies which
95  * are enforced, regardless of other policies (they are combined using AND).
96  */
99 
100 /*
101  * Get any row security quals and WithCheckOption checks that should be
102  * applied to the specified RTE.
103  *
104  * In addition, hasRowSecurity is set to true if row-level security is enabled
105  * (even if this RTE doesn't have any row security quals), and hasSubLinks is
106  * set to true if any of the quals returned contain sublinks.
107  */
108 void
110  List **securityQuals, List **withCheckOptions,
111  bool *hasRowSecurity, bool *hasSubLinks)
112 {
113  Oid user_id;
114  int rls_status;
115  Relation rel;
116  CmdType commandType;
117  List *permissive_policies;
118  List *restrictive_policies;
119  RTEPermissionInfo *perminfo;
120 
121  /* Defaults for the return values */
122  *securityQuals = NIL;
123  *withCheckOptions = NIL;
124  *hasRowSecurity = false;
125  *hasSubLinks = false;
126 
127  Assert(rte->rtekind == RTE_RELATION);
128 
129  /* If this is not a normal relation, just return immediately */
130  if (rte->relkind != RELKIND_RELATION &&
131  rte->relkind != RELKIND_PARTITIONED_TABLE)
132  return;
133 
134  perminfo = getRTEPermissionInfo(root->rteperminfos, rte);
135 
136  /* Switch to checkAsUser if it's set */
137  user_id = OidIsValid(perminfo->checkAsUser) ?
138  perminfo->checkAsUser : GetUserId();
139 
140  /* Determine the state of RLS for this, pass checkAsUser explicitly */
141  rls_status = check_enable_rls(rte->relid, perminfo->checkAsUser, false);
142 
143  /* If there is no RLS on this table at all, nothing to do */
144  if (rls_status == RLS_NONE)
145  return;
146 
147  /*
148  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
149  * with changes to the environment, so we mark it as hasRowSecurity to
150  * force a re-plan when the environment changes.
151  */
152  if (rls_status == RLS_NONE_ENV)
153  {
154  /*
155  * Indicate that this query may involve RLS and must therefore be
156  * replanned if the environment changes (GUCs, role), but we are not
157  * adding anything here.
158  */
159  *hasRowSecurity = true;
160 
161  return;
162  }
163 
164  /*
165  * RLS is enabled for this relation.
166  *
167  * Get the security policies that should be applied, based on the command
168  * type. Note that if this isn't the target relation, we actually want
169  * the relation's SELECT policies, regardless of the query command type,
170  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
171  * policies and t2's SELECT policies.
172  */
173  rel = table_open(rte->relid, NoLock);
174 
175  commandType = rt_index == root->resultRelation ?
176  root->commandType : CMD_SELECT;
177 
178  /*
179  * In some cases, we need to apply USING policies (which control the
180  * visibility of records) associated with multiple command types (see
181  * specific cases below).
182  *
183  * When considering the order in which to apply these USING policies, we
184  * prefer to apply higher privileged policies, those which allow the user
185  * to lock records (UPDATE and DELETE), first, followed by policies which
186  * don't (SELECT).
187  *
188  * Note that the optimizer is free to push down and reorder quals which
189  * use leakproof functions.
190  *
191  * In all cases, if there are no policy clauses allowing access to rows in
192  * the table for the specific type of operation, then a single
193  * always-false clause (a default-deny policy) will be added (see
194  * add_security_quals).
195  */
196 
197  /*
198  * For a SELECT, if UPDATE privileges are required (eg: the user has
199  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
200  * first.
201  *
202  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
203  * which the user does not have access to via the UPDATE USING policies,
204  * similar to how we require normal UPDATE rights for these queries.
205  */
206  if (commandType == CMD_SELECT && perminfo->requiredPerms & ACL_UPDATE)
207  {
208  List *update_permissive_policies;
209  List *update_restrictive_policies;
210 
212  &update_permissive_policies,
213  &update_restrictive_policies);
214 
215  add_security_quals(rt_index,
216  update_permissive_policies,
217  update_restrictive_policies,
218  securityQuals,
219  hasSubLinks);
220  }
221 
222  /*
223  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
224  * policies. These security quals control access to existing table rows.
225  * Restrictive policies are combined together using AND, and permissive
226  * policies are combined together using OR.
227  */
228 
229  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
230  &restrictive_policies);
231 
232  if (commandType == CMD_SELECT ||
233  commandType == CMD_UPDATE ||
234  commandType == CMD_DELETE)
235  add_security_quals(rt_index,
236  permissive_policies,
237  restrictive_policies,
238  securityQuals,
239  hasSubLinks);
240 
241  /*
242  * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
243  * are also required (eg: when a RETURNING clause exists, or the user has
244  * provided a WHERE clause which involves columns from the relation), we
245  * collect up CMD_SELECT policies and add them via add_security_quals
246  * first.
247  *
248  * This way, we filter out any records which are not visible through an
249  * ALL or SELECT USING policy.
250  */
251  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE ||
252  commandType == CMD_MERGE) &&
253  perminfo->requiredPerms & ACL_SELECT)
254  {
255  List *select_permissive_policies;
256  List *select_restrictive_policies;
257 
259  &select_permissive_policies,
260  &select_restrictive_policies);
261 
262  add_security_quals(rt_index,
263  select_permissive_policies,
264  select_restrictive_policies,
265  securityQuals,
266  hasSubLinks);
267  }
268 
269  /*
270  * For INSERT and UPDATE, add withCheckOptions to verify that any new
271  * records added are consistent with the security policies. This will use
272  * each policy's WITH CHECK clause, or its USING clause if no explicit
273  * WITH CHECK clause is defined.
274  */
275  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
276  {
277  /* This should be the target relation */
278  Assert(rt_index == root->resultRelation);
279 
280  add_with_check_options(rel, rt_index,
281  commandType == CMD_INSERT ?
283  permissive_policies,
284  restrictive_policies,
285  withCheckOptions,
286  hasSubLinks,
287  false);
288 
289  /*
290  * Get and add ALL/SELECT policies, if SELECT rights are required for
291  * this relation (eg: when RETURNING is used). These are added as WCO
292  * policies rather than security quals to ensure that an error is
293  * raised if a policy is violated; otherwise, we might end up silently
294  * dropping rows to be added.
295  */
296  if (perminfo->requiredPerms & ACL_SELECT)
297  {
298  List *select_permissive_policies = NIL;
299  List *select_restrictive_policies = NIL;
300 
302  &select_permissive_policies,
303  &select_restrictive_policies);
304  add_with_check_options(rel, rt_index,
305  commandType == CMD_INSERT ?
307  select_permissive_policies,
308  select_restrictive_policies,
309  withCheckOptions,
310  hasSubLinks,
311  true);
312  }
313 
314  /*
315  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
316  * checks for the UPDATE which may be applied to the same RTE.
317  */
318  if (commandType == CMD_INSERT &&
319  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
320  {
321  List *conflict_permissive_policies;
322  List *conflict_restrictive_policies;
323  List *conflict_select_permissive_policies = NIL;
324  List *conflict_select_restrictive_policies = NIL;
325 
326  /* Get the policies that apply to the auxiliary UPDATE */
328  &conflict_permissive_policies,
329  &conflict_restrictive_policies);
330 
331  /*
332  * Enforce the USING clauses of the UPDATE policies using WCOs
333  * rather than security quals. This ensures that an error is
334  * raised if the conflicting row cannot be updated due to RLS,
335  * rather than the change being silently dropped.
336  */
337  add_with_check_options(rel, rt_index,
339  conflict_permissive_policies,
340  conflict_restrictive_policies,
341  withCheckOptions,
342  hasSubLinks,
343  true);
344 
345  /*
346  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
347  * to ensure they are considered when taking the UPDATE path of an
348  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
349  * for this relation, also as WCO policies, again, to avoid
350  * silently dropping data. See above.
351  */
352  if (perminfo->requiredPerms & ACL_SELECT)
353  {
355  &conflict_select_permissive_policies,
356  &conflict_select_restrictive_policies);
357  add_with_check_options(rel, rt_index,
359  conflict_select_permissive_policies,
360  conflict_select_restrictive_policies,
361  withCheckOptions,
362  hasSubLinks,
363  true);
364  }
365 
366  /* Enforce the WITH CHECK clauses of the UPDATE policies */
367  add_with_check_options(rel, rt_index,
369  conflict_permissive_policies,
370  conflict_restrictive_policies,
371  withCheckOptions,
372  hasSubLinks,
373  false);
374 
375  /*
376  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
377  * that the final updated row is visible when taking the UPDATE
378  * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
379  * are required for this relation.
380  */
381  if (perminfo->requiredPerms & ACL_SELECT)
382  add_with_check_options(rel, rt_index,
384  conflict_select_permissive_policies,
385  conflict_select_restrictive_policies,
386  withCheckOptions,
387  hasSubLinks,
388  true);
389  }
390  }
391 
392  /*
393  * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
394  * and set them up so that we can enforce the appropriate policy depending
395  * on the final action we take.
396  *
397  * We already fetched the SELECT policies above.
398  *
399  * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
400  * really want to apply them while scanning the relation since we don't
401  * know whether we will be doing an UPDATE or a DELETE at the end. We
402  * apply the respective policy once we decide the final action on the
403  * target tuple.
404  *
405  * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
406  * UPDATE/DELETE on the target row, we shall throw an error instead of
407  * silently ignoring the row. This is different than how normal
408  * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO UPDATE
409  * handling.
410  */
411  if (commandType == CMD_MERGE)
412  {
413  List *merge_permissive_policies;
414  List *merge_restrictive_policies;
415 
416  /*
417  * Fetch the UPDATE policies and set them up to execute on the
418  * existing target row before doing UPDATE.
419  */
421  &merge_permissive_policies,
422  &merge_restrictive_policies);
423 
424  /*
425  * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
426  * the existing target row.
427  */
428  add_with_check_options(rel, rt_index,
430  merge_permissive_policies,
431  merge_restrictive_policies,
432  withCheckOptions,
433  hasSubLinks,
434  true);
435 
436  /*
437  * Same with DELETE policies.
438  */
440  &merge_permissive_policies,
441  &merge_restrictive_policies);
442 
443  add_with_check_options(rel, rt_index,
445  merge_permissive_policies,
446  merge_restrictive_policies,
447  withCheckOptions,
448  hasSubLinks,
449  true);
450 
451  /*
452  * No special handling is required for INSERT policies. They will be
453  * checked and enforced during ExecInsert(). But we must add them to
454  * withCheckOptions.
455  */
457  &merge_permissive_policies,
458  &merge_restrictive_policies);
459 
460  add_with_check_options(rel, rt_index,
462  merge_permissive_policies,
463  merge_restrictive_policies,
464  withCheckOptions,
465  hasSubLinks,
466  false);
467 
468  /* Enforce the WITH CHECK clauses of the UPDATE policies */
469  add_with_check_options(rel, rt_index,
471  merge_permissive_policies,
472  merge_restrictive_policies,
473  withCheckOptions,
474  hasSubLinks,
475  false);
476  }
477 
478  table_close(rel, NoLock);
479 
480  /*
481  * Copy checkAsUser to the row security quals and WithCheckOption checks,
482  * in case they contain any subqueries referring to other relations.
483  */
484  setRuleCheckAsUser((Node *) *securityQuals, perminfo->checkAsUser);
485  setRuleCheckAsUser((Node *) *withCheckOptions, perminfo->checkAsUser);
486 
487  /*
488  * Mark this query as having row security, so plancache can invalidate it
489  * when necessary (eg: role changes)
490  */
491  *hasRowSecurity = true;
492 }
493 
494 /*
495  * get_policies_for_relation
496  *
497  * Returns lists of permissive and restrictive policies to be applied to the
498  * specified relation, based on the command type and role.
499  *
500  * This includes any policies added by extensions.
501  */
502 static void
504  List **permissive_policies,
505  List **restrictive_policies)
506 {
507  ListCell *item;
508 
509  *permissive_policies = NIL;
510  *restrictive_policies = NIL;
511 
512  /* First find all internal policies for the relation. */
513  foreach(item, relation->rd_rsdesc->policies)
514  {
515  bool cmd_matches = false;
516  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
517 
518  /* Always add ALL policies, if they exist. */
519  if (policy->polcmd == '*')
520  cmd_matches = true;
521  else
522  {
523  /* Check whether the policy applies to the specified command type */
524  switch (cmd)
525  {
526  case CMD_SELECT:
527  if (policy->polcmd == ACL_SELECT_CHR)
528  cmd_matches = true;
529  break;
530  case CMD_INSERT:
531  if (policy->polcmd == ACL_INSERT_CHR)
532  cmd_matches = true;
533  break;
534  case CMD_UPDATE:
535  if (policy->polcmd == ACL_UPDATE_CHR)
536  cmd_matches = true;
537  break;
538  case CMD_DELETE:
539  if (policy->polcmd == ACL_DELETE_CHR)
540  cmd_matches = true;
541  break;
542  case CMD_MERGE:
543 
544  /*
545  * We do not support a separate policy for MERGE command.
546  * Instead it derives from the policies defined for other
547  * commands.
548  */
549  break;
550  default:
551  elog(ERROR, "unrecognized policy command type %d",
552  (int) cmd);
553  break;
554  }
555  }
556 
557  /*
558  * Add this policy to the relevant list of policies if it applies to
559  * the specified role.
560  */
561  if (cmd_matches && check_role_for_policy(policy->roles, user_id))
562  {
563  if (policy->permissive)
564  *permissive_policies = lappend(*permissive_policies, policy);
565  else
566  *restrictive_policies = lappend(*restrictive_policies, policy);
567  }
568  }
569 
570  /*
571  * We sort restrictive policies by name so that any WCOs they generate are
572  * checked in a well-defined order.
573  */
574  sort_policies_by_name(*restrictive_policies);
575 
576  /*
577  * Then add any permissive or restrictive policies defined by extensions.
578  * These are simply appended to the lists of internal policies, if they
579  * apply to the specified role.
580  */
582  {
583  List *hook_policies =
584  (*row_security_policy_hook_restrictive) (cmd, relation);
585 
586  /*
587  * As with built-in restrictive policies, we sort any hook-provided
588  * restrictive policies by name also. Note that we also intentionally
589  * always check all built-in restrictive policies, in name order,
590  * before checking restrictive policies added by hooks, in name order.
591  */
592  sort_policies_by_name(hook_policies);
593 
594  foreach(item, hook_policies)
595  {
596  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
597 
598  if (check_role_for_policy(policy->roles, user_id))
599  *restrictive_policies = lappend(*restrictive_policies, policy);
600  }
601  }
602 
604  {
605  List *hook_policies =
606  (*row_security_policy_hook_permissive) (cmd, relation);
607 
608  foreach(item, hook_policies)
609  {
610  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
611 
612  if (check_role_for_policy(policy->roles, user_id))
613  *permissive_policies = lappend(*permissive_policies, policy);
614  }
615  }
616 }
617 
618 /*
619  * sort_policies_by_name
620  *
621  * This is only used for restrictive policies, ensuring that any
622  * WithCheckOptions they generate are applied in a well-defined order.
623  * This is not necessary for permissive policies, since they are all combined
624  * together using OR into a single WithCheckOption check.
625  */
626 static void
628 {
630 }
631 
632 /*
633  * list_sort comparator to sort RowSecurityPolicy entries by name
634  */
635 static int
637 {
638  const RowSecurityPolicy *pa = (const RowSecurityPolicy *) lfirst(a);
639  const RowSecurityPolicy *pb = (const RowSecurityPolicy *) lfirst(b);
640 
641  /* Guard against NULL policy names from extensions */
642  if (pa->policy_name == NULL)
643  return pb->policy_name == NULL ? 0 : 1;
644  if (pb->policy_name == NULL)
645  return -1;
646 
647  return strcmp(pa->policy_name, pb->policy_name);
648 }
649 
650 /*
651  * add_security_quals
652  *
653  * Add security quals to enforce the specified RLS policies, restricting
654  * access to existing data in a table. If there are no policies controlling
655  * access to the table, then all access is prohibited --- i.e., an implicit
656  * default-deny policy is used.
657  *
658  * New security quals are added to securityQuals, and hasSubLinks is set to
659  * true if any of the quals added contain sublink subqueries.
660  */
661 static void
662 add_security_quals(int rt_index,
663  List *permissive_policies,
664  List *restrictive_policies,
665  List **securityQuals,
666  bool *hasSubLinks)
667 {
668  ListCell *item;
669  List *permissive_quals = NIL;
670  Expr *rowsec_expr;
671 
672  /*
673  * First collect up the permissive quals. If we do not find any
674  * permissive policies then no rows are visible (this is handled below).
675  */
676  foreach(item, permissive_policies)
677  {
678  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
679 
680  if (policy->qual != NULL)
681  {
682  permissive_quals = lappend(permissive_quals,
683  copyObject(policy->qual));
684  *hasSubLinks |= policy->hassublinks;
685  }
686  }
687 
688  /*
689  * We must have permissive quals, always, or no rows are visible.
690  *
691  * If we do not, then we simply return a single 'false' qual which results
692  * in no rows being visible.
693  */
694  if (permissive_quals != NIL)
695  {
696  /*
697  * We now know that permissive policies exist, so we can now add
698  * security quals based on the USING clauses from the restrictive
699  * policies. Since these need to be combined together using AND, we
700  * can just add them one at a time.
701  */
702  foreach(item, restrictive_policies)
703  {
704  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
705  Expr *qual;
706 
707  if (policy->qual != NULL)
708  {
709  qual = copyObject(policy->qual);
710  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
711 
712  *securityQuals = list_append_unique(*securityQuals, qual);
713  *hasSubLinks |= policy->hassublinks;
714  }
715  }
716 
717  /*
718  * Then add a single security qual combining together the USING
719  * clauses from all the permissive policies using OR.
720  */
721  if (list_length(permissive_quals) == 1)
722  rowsec_expr = (Expr *) linitial(permissive_quals);
723  else
724  rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
725 
726  ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
727  *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
728  }
729  else
730 
731  /*
732  * A permissive policy must exist for rows to be visible at all.
733  * Therefore, if there were no permissive policies found, return a
734  * single always-false clause.
735  */
736  *securityQuals = lappend(*securityQuals,
737  makeConst(BOOLOID, -1, InvalidOid,
738  sizeof(bool), BoolGetDatum(false),
739  false, true));
740 }
741 
742 /*
743  * add_with_check_options
744  *
745  * Add WithCheckOptions of the specified kind to check that new records
746  * added by an INSERT or UPDATE are consistent with the specified RLS
747  * policies. Normally new data must satisfy the WITH CHECK clauses from the
748  * policies. If a policy has no explicit WITH CHECK clause, its USING clause
749  * is used instead. In the special case of an UPDATE arising from an
750  * INSERT ... ON CONFLICT DO UPDATE, existing records are first checked using
751  * a WCO_RLS_CONFLICT_CHECK WithCheckOption, which always uses the USING
752  * clauses from RLS policies.
753  *
754  * New WCOs are added to withCheckOptions, and hasSubLinks is set to true if
755  * any of the check clauses added contain sublink subqueries.
756  */
757 static void
759  int rt_index,
760  WCOKind kind,
761  List *permissive_policies,
762  List *restrictive_policies,
763  List **withCheckOptions,
764  bool *hasSubLinks,
765  bool force_using)
766 {
767  ListCell *item;
768  List *permissive_quals = NIL;
769 
770 #define QUAL_FOR_WCO(policy) \
771  ( !force_using && \
772  (policy)->with_check_qual != NULL ? \
773  (policy)->with_check_qual : (policy)->qual )
774 
775  /*
776  * First collect up the permissive policy clauses, similar to
777  * add_security_quals.
778  */
779  foreach(item, permissive_policies)
780  {
781  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
782  Expr *qual = QUAL_FOR_WCO(policy);
783 
784  if (qual != NULL)
785  {
786  permissive_quals = lappend(permissive_quals, copyObject(qual));
787  *hasSubLinks |= policy->hassublinks;
788  }
789  }
790 
791  /*
792  * There must be at least one permissive qual found or no rows are allowed
793  * to be added. This is the same as in add_security_quals.
794  *
795  * If there are no permissive_quals then we fall through and return a
796  * single 'false' WCO, preventing all new rows.
797  */
798  if (permissive_quals != NIL)
799  {
800  /*
801  * Add a single WithCheckOption for all the permissive policy clauses,
802  * combining them together using OR. This check has no policy name,
803  * since if the check fails it means that no policy granted permission
804  * to perform the update, rather than any particular policy being
805  * violated.
806  */
807  WithCheckOption *wco;
808 
809  wco = makeNode(WithCheckOption);
810  wco->kind = kind;
812  wco->polname = NULL;
813  wco->cascaded = false;
814 
815  if (list_length(permissive_quals) == 1)
816  wco->qual = (Node *) linitial(permissive_quals);
817  else
818  wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
819 
820  ChangeVarNodes(wco->qual, 1, rt_index, 0);
821 
822  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
823 
824  /*
825  * Now add WithCheckOptions for each of the restrictive policy clauses
826  * (which will be combined together using AND). We use a separate
827  * WithCheckOption for each restrictive policy to allow the policy
828  * name to be included in error reports if the policy is violated.
829  */
830  foreach(item, restrictive_policies)
831  {
832  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
833  Expr *qual = QUAL_FOR_WCO(policy);
834 
835  if (qual != NULL)
836  {
837  qual = copyObject(qual);
838  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
839 
840  wco = makeNode(WithCheckOption);
841  wco->kind = kind;
843  wco->polname = pstrdup(policy->policy_name);
844  wco->qual = (Node *) qual;
845  wco->cascaded = false;
846 
847  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
848  *hasSubLinks |= policy->hassublinks;
849  }
850  }
851  }
852  else
853  {
854  /*
855  * If there were no policy clauses to check new data, add a single
856  * always-false WCO (a default-deny policy).
857  */
858  WithCheckOption *wco;
859 
860  wco = makeNode(WithCheckOption);
861  wco->kind = kind;
863  wco->polname = NULL;
864  wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
865  sizeof(bool), BoolGetDatum(false),
866  false, true);
867  wco->cascaded = false;
868 
869  *withCheckOptions = lappend(*withCheckOptions, wco);
870  }
871 }
872 
873 /*
874  * check_role_for_policy -
875  * determines if the policy should be applied for the current role
876  */
877 static bool
878 check_role_for_policy(ArrayType *policy_roles, Oid user_id)
879 {
880  int i;
881  Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
882 
883  /* Quick fall-thru for policies applied to all roles */
884  if (roles[0] == ACL_ID_PUBLIC)
885  return true;
886 
887  for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
888  {
889  if (has_privs_of_role(user_id, roles[i]))
890  return true;
891  }
892 
893  return false;
894 }
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4969
#define ACL_SELECT_CHR
Definition: acl.h:138
#define ACL_DELETE_CHR
Definition: acl.h:140
#define ACL_INSERT_CHR
Definition: acl.h:137
#define ACL_UPDATE_CHR
Definition: acl.h:139
#define ACL_ID_PUBLIC
Definition: acl.h:46
#define ARR_DATA_PTR(a)
Definition: array.h:315
#define ARR_DIMS(a)
Definition: array.h:287
#define OidIsValid(objectId)
Definition: c.h:759
#define ERROR
Definition: elog.h:39
int b
Definition: isn.c:70
int a
Definition: isn.c:69
int i
Definition: isn.c:73
Assert(fmt[strlen(fmt) - 1] !='\n')
void list_sort(List *list, list_sort_comparator cmp)
Definition: list.c:1673
List * lappend(List *list, void *datum)
Definition: list.c:338
List * list_append_unique(List *list, void *datum)
Definition: list.c:1342
#define NoLock
Definition: lockdefs.h:34
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:301
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:371
char * pstrdup(const char *in)
Definition: mcxt.c:1624
Oid GetUserId(void)
Definition: miscinit.c:502
#define copyObject(obj)
Definition: nodes.h:244
@ ONCONFLICT_UPDATE
Definition: nodes.h:428
CmdType
Definition: nodes.h:274
@ CMD_MERGE
Definition: nodes.h:280
@ CMD_INSERT
Definition: nodes.h:278
@ CMD_DELETE
Definition: nodes.h:279
@ CMD_UPDATE
Definition: nodes.h:277
@ CMD_SELECT
Definition: nodes.h:276
#define makeNode(_type_)
Definition: nodes.h:176
RTEPermissionInfo * getRTEPermissionInfo(List *rteperminfos, RangeTblEntry *rte)
WCOKind
Definition: parsenodes.h:1312
@ WCO_RLS_MERGE_UPDATE_CHECK
Definition: parsenodes.h:1317
@ WCO_RLS_CONFLICT_CHECK
Definition: parsenodes.h:1316
@ WCO_RLS_INSERT_CHECK
Definition: parsenodes.h:1314
@ WCO_RLS_UPDATE_CHECK
Definition: parsenodes.h:1315
@ WCO_RLS_MERGE_DELETE_CHECK
Definition: parsenodes.h:1318
#define ACL_UPDATE
Definition: parsenodes.h:85
@ RTE_RELATION
Definition: parsenodes.h:1013
#define ACL_SELECT
Definition: parsenodes.h:84
#define lfirst(lc)
Definition: pg_list.h:172
static int list_length(const List *l)
Definition: pg_list.h:152
#define NIL
Definition: pg_list.h:68
#define linitial(l)
Definition: pg_list.h:178
static Datum BoolGetDatum(bool X)
Definition: postgres.h:102
#define InvalidOid
Definition: postgres_ext.h:36
unsigned int Oid
Definition: postgres_ext.h:31
@ OR_EXPR
Definition: primnodes.h:855
#define RelationGetRelationName(relation)
Definition: rel.h:535
void setRuleCheckAsUser(Node *node, Oid userid)
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:670
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:52
@ RLS_NONE
Definition: rls.h:43
@ RLS_NONE_ENV
Definition: rls.h:44
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:97
void get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
Definition: rowsecurity.c:109
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:878
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:98
#define QUAL_FOR_WCO(policy)
static void sort_policies_by_name(List *policies)
Definition: rowsecurity.c:627
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:758
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:503
static int row_security_policy_cmp(const ListCell *a, const ListCell *b)
Definition: rowsecurity.c:636
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:662
List *(* row_security_policy_hook_type)(CmdType cmdtype, Relation relation)
Definition: rowsecurity.h:37
Definition: pg_list.h:54
Definition: nodes.h:129
OnConflictAction action
Definition: primnodes.h:1856
OnConflictExpr * onConflict
Definition: parsenodes.h:194
CmdType commandType
Definition: parsenodes.h:128
AclMode requiredPerms
Definition: parsenodes.h:1245
RTEKind rtekind
Definition: parsenodes.h:1032
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:118
ArrayType * roles
Definition: rowsecurity.h:24
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40