PostgreSQL Source Code  git master
rowsecurity.c
Go to the documentation of this file.
1 /*
2  * rewrite/rowsecurity.c
3  * Routines to support policies for row-level security (aka RLS).
4  *
5  * Policies in PostgreSQL provide a mechanism to limit what records are
6  * returned to a user and what records a user is permitted to add to a table.
7  *
8  * Policies can be defined for specific roles, specific commands, or provided
9  * by an extension. Row security can also be enabled for a table without any
10  * policies being explicitly defined, in which case a default-deny policy is
11  * applied.
12  *
13  * Any part of the system which is returning records back to the user, or
14  * which is accepting records from the user to add to a table, needs to
15  * consider the policies associated with the table (if any). For normal
16  * queries, this is handled by calling get_row_security_policies() during
17  * rewrite, for each RTE in the query. This returns the expressions defined
18  * by the table's policies as a list that is prepended to the securityQuals
19  * list for the RTE. For queries which modify the table, any WITH CHECK
20  * clauses from the table's policies are also returned and prepended to the
21  * list of WithCheckOptions for the Query to check each row that is being
22  * added to the table. Other parts of the system (eg: COPY) simply construct
23  * a normal query and use that, if RLS is to be applied.
24  *
25  * The check to see if RLS should be enabled is provided through
26  * check_enable_rls(), which returns an enum (defined in rowsecurity.h) to
27  * indicate if RLS should be enabled (RLS_ENABLED), or bypassed (RLS_NONE or
28  * RLS_NONE_ENV). RLS_NONE_ENV indicates that RLS should be bypassed
29  * in the current environment, but that may change if the row_security GUC or
30  * the current role changes.
31  *
32  * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
33  * Portions Copyright (c) 1994, Regents of the University of California
34  */
35 #include "postgres.h"
36 
37 #include "access/htup_details.h"
38 #include "access/sysattr.h"
39 #include "access/table.h"
40 #include "catalog/pg_class.h"
41 #include "catalog/pg_inherits.h"
42 #include "catalog/pg_policy.h"
43 #include "catalog/pg_type.h"
44 #include "miscadmin.h"
45 #include "nodes/makefuncs.h"
46 #include "nodes/nodeFuncs.h"
47 #include "nodes/pg_list.h"
48 #include "nodes/plannodes.h"
49 #include "parser/parsetree.h"
50 #include "rewrite/rewriteDefine.h"
51 #include "rewrite/rewriteHandler.h"
52 #include "rewrite/rewriteManip.h"
53 #include "rewrite/rowsecurity.h"
54 #include "tcop/utility.h"
55 #include "utils/acl.h"
56 #include "utils/lsyscache.h"
57 #include "utils/rel.h"
58 #include "utils/rls.h"
59 #include "utils/syscache.h"
60 
61 static void get_policies_for_relation(Relation relation,
62  CmdType cmd, Oid user_id,
63  List **permissive_policies,
64  List **restrictive_policies);
65 
66 static void sort_policies_by_name(List *policies);
67 
68 static int row_security_policy_cmp(const ListCell *a, const ListCell *b);
69 
70 static void add_security_quals(int rt_index,
71  List *permissive_policies,
72  List *restrictive_policies,
73  List **securityQuals,
74  bool *hasSubLinks);
75 
76 static void add_with_check_options(Relation rel,
77  int rt_index,
78  WCOKind kind,
79  List *permissive_policies,
80  List *restrictive_policies,
81  List **withCheckOptions,
82  bool *hasSubLinks,
83  bool force_using);
84 
85 static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id);
86 
87 /*
88  * hooks to allow extensions to add their own security policies
89  *
90  * row_security_policy_hook_permissive can be used to add policies which
91  * are combined with the other permissive policies, using OR.
92  *
93  * row_security_policy_hook_restrictive can be used to add policies which
94  * are enforced, regardless of other policies (they are combined using AND).
95  */
98 
99 /*
100  * Get any row security quals and WithCheckOption checks that should be
101  * applied to the specified RTE.
102  *
103  * In addition, hasRowSecurity is set to true if row-level security is enabled
104  * (even if this RTE doesn't have any row security quals), and hasSubLinks is
105  * set to true if any of the quals returned contain sublinks.
106  */
107 void
109  List **securityQuals, List **withCheckOptions,
110  bool *hasRowSecurity, bool *hasSubLinks)
111 {
112  Oid user_id;
113  int rls_status;
114  Relation rel;
115  CmdType commandType;
116  List *permissive_policies;
117  List *restrictive_policies;
118 
119  /* Defaults for the return values */
120  *securityQuals = NIL;
121  *withCheckOptions = NIL;
122  *hasRowSecurity = false;
123  *hasSubLinks = false;
124 
125  /* If this is not a normal relation, just return immediately */
126  if (rte->relkind != RELKIND_RELATION &&
127  rte->relkind != RELKIND_PARTITIONED_TABLE)
128  return;
129 
130  /* Switch to checkAsUser if it's set */
131  user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
132 
133  /* Determine the state of RLS for this, pass checkAsUser explicitly */
134  rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
135 
136  /* If there is no RLS on this table at all, nothing to do */
137  if (rls_status == RLS_NONE)
138  return;
139 
140  /*
141  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
142  * with changes to the environment, so we mark it as hasRowSecurity to
143  * force a re-plan when the environment changes.
144  */
145  if (rls_status == RLS_NONE_ENV)
146  {
147  /*
148  * Indicate that this query may involve RLS and must therefore be
149  * replanned if the environment changes (GUCs, role), but we are not
150  * adding anything here.
151  */
152  *hasRowSecurity = true;
153 
154  return;
155  }
156 
157  /*
158  * RLS is enabled for this relation.
159  *
160  * Get the security policies that should be applied, based on the command
161  * type. Note that if this isn't the target relation, we actually want
162  * the relation's SELECT policies, regardless of the query command type,
163  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
164  * policies and t2's SELECT policies.
165  */
166  rel = table_open(rte->relid, NoLock);
167 
168  commandType = rt_index == root->resultRelation ?
169  root->commandType : CMD_SELECT;
170 
171  /*
172  * In some cases, we need to apply USING policies (which control the
173  * visibility of records) associated with multiple command types (see
174  * specific cases below).
175  *
176  * When considering the order in which to apply these USING policies, we
177  * prefer to apply higher privileged policies, those which allow the user
178  * to lock records (UPDATE and DELETE), first, followed by policies which
179  * don't (SELECT).
180  *
181  * Note that the optimizer is free to push down and reorder quals which
182  * use leakproof functions.
183  *
184  * In all cases, if there are no policy clauses allowing access to rows in
185  * the table for the specific type of operation, then a single
186  * always-false clause (a default-deny policy) will be added (see
187  * add_security_quals).
188  */
189 
190  /*
191  * For a SELECT, if UPDATE privileges are required (eg: the user has
192  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
193  * first.
194  *
195  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
196  * which the user does not have access to via the UPDATE USING policies,
197  * similar to how we require normal UPDATE rights for these queries.
198  */
199  if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
200  {
201  List *update_permissive_policies;
202  List *update_restrictive_policies;
203 
205  &update_permissive_policies,
206  &update_restrictive_policies);
207 
208  add_security_quals(rt_index,
209  update_permissive_policies,
210  update_restrictive_policies,
211  securityQuals,
212  hasSubLinks);
213  }
214 
215  /*
216  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
217  * policies. These security quals control access to existing table rows.
218  * Restrictive policies are combined together using AND, and permissive
219  * policies are combined together using OR.
220  */
221 
222  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
223  &restrictive_policies);
224 
225  if (commandType == CMD_SELECT ||
226  commandType == CMD_UPDATE ||
227  commandType == CMD_DELETE)
228  add_security_quals(rt_index,
229  permissive_policies,
230  restrictive_policies,
231  securityQuals,
232  hasSubLinks);
233 
234  /*
235  * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
236  * are also required (eg: when a RETURNING clause exists, or the user has
237  * provided a WHERE clause which involves columns from the relation), we
238  * collect up CMD_SELECT policies and add them via add_security_quals
239  * first.
240  *
241  * This way, we filter out any records which are not visible through an
242  * ALL or SELECT USING policy.
243  */
244  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE ||
245  commandType == CMD_MERGE) &&
246  rte->requiredPerms & ACL_SELECT)
247  {
248  List *select_permissive_policies;
249  List *select_restrictive_policies;
250 
252  &select_permissive_policies,
253  &select_restrictive_policies);
254 
255  add_security_quals(rt_index,
256  select_permissive_policies,
257  select_restrictive_policies,
258  securityQuals,
259  hasSubLinks);
260  }
261 
262  /*
263  * For INSERT and UPDATE, add withCheckOptions to verify that any new
264  * records added are consistent with the security policies. This will use
265  * each policy's WITH CHECK clause, or its USING clause if no explicit
266  * WITH CHECK clause is defined.
267  */
268  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
269  {
270  /* This should be the target relation */
271  Assert(rt_index == root->resultRelation);
272 
273  add_with_check_options(rel, rt_index,
274  commandType == CMD_INSERT ?
276  permissive_policies,
277  restrictive_policies,
278  withCheckOptions,
279  hasSubLinks,
280  false);
281 
282  /*
283  * Get and add ALL/SELECT policies, if SELECT rights are required for
284  * this relation (eg: when RETURNING is used). These are added as WCO
285  * policies rather than security quals to ensure that an error is
286  * raised if a policy is violated; otherwise, we might end up silently
287  * dropping rows to be added.
288  */
289  if (rte->requiredPerms & ACL_SELECT)
290  {
291  List *select_permissive_policies = NIL;
292  List *select_restrictive_policies = NIL;
293 
295  &select_permissive_policies,
296  &select_restrictive_policies);
297  add_with_check_options(rel, rt_index,
298  commandType == CMD_INSERT ?
300  select_permissive_policies,
301  select_restrictive_policies,
302  withCheckOptions,
303  hasSubLinks,
304  true);
305  }
306 
307  /*
308  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
309  * checks for the UPDATE which may be applied to the same RTE.
310  */
311  if (commandType == CMD_INSERT &&
312  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
313  {
314  List *conflict_permissive_policies;
315  List *conflict_restrictive_policies;
316  List *conflict_select_permissive_policies = NIL;
317  List *conflict_select_restrictive_policies = NIL;
318 
319  /* Get the policies that apply to the auxiliary UPDATE */
321  &conflict_permissive_policies,
322  &conflict_restrictive_policies);
323 
324  /*
325  * Enforce the USING clauses of the UPDATE policies using WCOs
326  * rather than security quals. This ensures that an error is
327  * raised if the conflicting row cannot be updated due to RLS,
328  * rather than the change being silently dropped.
329  */
330  add_with_check_options(rel, rt_index,
332  conflict_permissive_policies,
333  conflict_restrictive_policies,
334  withCheckOptions,
335  hasSubLinks,
336  true);
337 
338  /*
339  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
340  * to ensure they are considered when taking the UPDATE path of an
341  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
342  * for this relation, also as WCO policies, again, to avoid
343  * silently dropping data. See above.
344  */
345  if (rte->requiredPerms & ACL_SELECT)
346  {
348  &conflict_select_permissive_policies,
349  &conflict_select_restrictive_policies);
350  add_with_check_options(rel, rt_index,
352  conflict_select_permissive_policies,
353  conflict_select_restrictive_policies,
354  withCheckOptions,
355  hasSubLinks,
356  true);
357  }
358 
359  /* Enforce the WITH CHECK clauses of the UPDATE policies */
360  add_with_check_options(rel, rt_index,
362  conflict_permissive_policies,
363  conflict_restrictive_policies,
364  withCheckOptions,
365  hasSubLinks,
366  false);
367 
368  /*
369  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
370  * that the final updated row is visible when taking the UPDATE
371  * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
372  * are required for this relation.
373  */
374  if (rte->requiredPerms & ACL_SELECT)
375  add_with_check_options(rel, rt_index,
377  conflict_select_permissive_policies,
378  conflict_select_restrictive_policies,
379  withCheckOptions,
380  hasSubLinks,
381  true);
382  }
383  }
384 
385  /*
386  * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
387  * and set them up so that we can enforce the appropriate policy depending
388  * on the final action we take.
389  *
390  * We already fetched the SELECT policies above.
391  *
392  * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
393  * really want to apply them while scanning the relation since we don't
394  * know whether we will be doing an UPDATE or a DELETE at the end. We
395  * apply the respective policy once we decide the final action on the
396  * target tuple.
397  *
398  * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
399  * UPDATE/DELETE on the target row, we shall throw an error instead of
400  * silently ignoring the row. This is different than how normal
401  * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO UPDATE
402  * handling.
403  */
404  if (commandType == CMD_MERGE)
405  {
406  List *merge_permissive_policies;
407  List *merge_restrictive_policies;
408 
409  /*
410  * Fetch the UPDATE policies and set them up to execute on the
411  * existing target row before doing UPDATE.
412  */
414  &merge_permissive_policies,
415  &merge_restrictive_policies);
416 
417  /*
418  * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
419  * the existing target row.
420  */
421  add_with_check_options(rel, rt_index,
423  merge_permissive_policies,
424  merge_restrictive_policies,
425  withCheckOptions,
426  hasSubLinks,
427  true);
428 
429  /*
430  * Same with DELETE policies.
431  */
433  &merge_permissive_policies,
434  &merge_restrictive_policies);
435 
436  add_with_check_options(rel, rt_index,
438  merge_permissive_policies,
439  merge_restrictive_policies,
440  withCheckOptions,
441  hasSubLinks,
442  true);
443 
444  /*
445  * No special handling is required for INSERT policies. They will be
446  * checked and enforced during ExecInsert(). But we must add them to
447  * withCheckOptions.
448  */
450  &merge_permissive_policies,
451  &merge_restrictive_policies);
452 
453  add_with_check_options(rel, rt_index,
455  merge_permissive_policies,
456  merge_restrictive_policies,
457  withCheckOptions,
458  hasSubLinks,
459  false);
460 
461  /* Enforce the WITH CHECK clauses of the UPDATE policies */
462  add_with_check_options(rel, rt_index,
464  merge_permissive_policies,
465  merge_restrictive_policies,
466  withCheckOptions,
467  hasSubLinks,
468  false);
469  }
470 
471  table_close(rel, NoLock);
472 
473  /*
474  * Copy checkAsUser to the row security quals and WithCheckOption checks,
475  * in case they contain any subqueries referring to other relations.
476  */
477  setRuleCheckAsUser((Node *) *securityQuals, rte->checkAsUser);
478  setRuleCheckAsUser((Node *) *withCheckOptions, rte->checkAsUser);
479 
480  /*
481  * Mark this query as having row security, so plancache can invalidate it
482  * when necessary (eg: role changes)
483  */
484  *hasRowSecurity = true;
485 }
486 
487 /*
488  * get_policies_for_relation
489  *
490  * Returns lists of permissive and restrictive policies to be applied to the
491  * specified relation, based on the command type and role.
492  *
493  * This includes any policies added by extensions.
494  */
495 static void
497  List **permissive_policies,
498  List **restrictive_policies)
499 {
500  ListCell *item;
501 
502  *permissive_policies = NIL;
503  *restrictive_policies = NIL;
504 
505  /* First find all internal policies for the relation. */
506  foreach(item, relation->rd_rsdesc->policies)
507  {
508  bool cmd_matches = false;
509  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
510 
511  /* Always add ALL policies, if they exist. */
512  if (policy->polcmd == '*')
513  cmd_matches = true;
514  else
515  {
516  /* Check whether the policy applies to the specified command type */
517  switch (cmd)
518  {
519  case CMD_SELECT:
520  if (policy->polcmd == ACL_SELECT_CHR)
521  cmd_matches = true;
522  break;
523  case CMD_INSERT:
524  if (policy->polcmd == ACL_INSERT_CHR)
525  cmd_matches = true;
526  break;
527  case CMD_UPDATE:
528  if (policy->polcmd == ACL_UPDATE_CHR)
529  cmd_matches = true;
530  break;
531  case CMD_DELETE:
532  if (policy->polcmd == ACL_DELETE_CHR)
533  cmd_matches = true;
534  break;
535  case CMD_MERGE:
536 
537  /*
538  * We do not support a separate policy for MERGE command.
539  * Instead it derives from the policies defined for other
540  * commands.
541  */
542  break;
543  default:
544  elog(ERROR, "unrecognized policy command type %d",
545  (int) cmd);
546  break;
547  }
548  }
549 
550  /*
551  * Add this policy to the relevant list of policies if it applies to
552  * the specified role.
553  */
554  if (cmd_matches && check_role_for_policy(policy->roles, user_id))
555  {
556  if (policy->permissive)
557  *permissive_policies = lappend(*permissive_policies, policy);
558  else
559  *restrictive_policies = lappend(*restrictive_policies, policy);
560  }
561  }
562 
563  /*
564  * We sort restrictive policies by name so that any WCOs they generate are
565  * checked in a well-defined order.
566  */
567  sort_policies_by_name(*restrictive_policies);
568 
569  /*
570  * Then add any permissive or restrictive policies defined by extensions.
571  * These are simply appended to the lists of internal policies, if they
572  * apply to the specified role.
573  */
575  {
576  List *hook_policies =
577  (*row_security_policy_hook_restrictive) (cmd, relation);
578 
579  /*
580  * As with built-in restrictive policies, we sort any hook-provided
581  * restrictive policies by name also. Note that we also intentionally
582  * always check all built-in restrictive policies, in name order,
583  * before checking restrictive policies added by hooks, in name order.
584  */
585  sort_policies_by_name(hook_policies);
586 
587  foreach(item, hook_policies)
588  {
589  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
590 
591  if (check_role_for_policy(policy->roles, user_id))
592  *restrictive_policies = lappend(*restrictive_policies, policy);
593  }
594  }
595 
597  {
598  List *hook_policies =
599  (*row_security_policy_hook_permissive) (cmd, relation);
600 
601  foreach(item, hook_policies)
602  {
603  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
604 
605  if (check_role_for_policy(policy->roles, user_id))
606  *permissive_policies = lappend(*permissive_policies, policy);
607  }
608  }
609 }
610 
611 /*
612  * sort_policies_by_name
613  *
614  * This is only used for restrictive policies, ensuring that any
615  * WithCheckOptions they generate are applied in a well-defined order.
616  * This is not necessary for permissive policies, since they are all combined
617  * together using OR into a single WithCheckOption check.
618  */
619 static void
621 {
623 }
624 
625 /*
626  * list_sort comparator to sort RowSecurityPolicy entries by name
627  */
628 static int
630 {
631  const RowSecurityPolicy *pa = (const RowSecurityPolicy *) lfirst(a);
632  const RowSecurityPolicy *pb = (const RowSecurityPolicy *) lfirst(b);
633 
634  /* Guard against NULL policy names from extensions */
635  if (pa->policy_name == NULL)
636  return pb->policy_name == NULL ? 0 : 1;
637  if (pb->policy_name == NULL)
638  return -1;
639 
640  return strcmp(pa->policy_name, pb->policy_name);
641 }
642 
643 /*
644  * add_security_quals
645  *
646  * Add security quals to enforce the specified RLS policies, restricting
647  * access to existing data in a table. If there are no policies controlling
648  * access to the table, then all access is prohibited --- i.e., an implicit
649  * default-deny policy is used.
650  *
651  * New security quals are added to securityQuals, and hasSubLinks is set to
652  * true if any of the quals added contain sublink subqueries.
653  */
654 static void
655 add_security_quals(int rt_index,
656  List *permissive_policies,
657  List *restrictive_policies,
658  List **securityQuals,
659  bool *hasSubLinks)
660 {
661  ListCell *item;
662  List *permissive_quals = NIL;
663  Expr *rowsec_expr;
664 
665  /*
666  * First collect up the permissive quals. If we do not find any
667  * permissive policies then no rows are visible (this is handled below).
668  */
669  foreach(item, permissive_policies)
670  {
671  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
672 
673  if (policy->qual != NULL)
674  {
675  permissive_quals = lappend(permissive_quals,
676  copyObject(policy->qual));
677  *hasSubLinks |= policy->hassublinks;
678  }
679  }
680 
681  /*
682  * We must have permissive quals, always, or no rows are visible.
683  *
684  * If we do not, then we simply return a single 'false' qual which results
685  * in no rows being visible.
686  */
687  if (permissive_quals != NIL)
688  {
689  /*
690  * We now know that permissive policies exist, so we can now add
691  * security quals based on the USING clauses from the restrictive
692  * policies. Since these need to be combined together using AND, we
693  * can just add them one at a time.
694  */
695  foreach(item, restrictive_policies)
696  {
697  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
698  Expr *qual;
699 
700  if (policy->qual != NULL)
701  {
702  qual = copyObject(policy->qual);
703  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
704 
705  *securityQuals = list_append_unique(*securityQuals, qual);
706  *hasSubLinks |= policy->hassublinks;
707  }
708  }
709 
710  /*
711  * Then add a single security qual combining together the USING
712  * clauses from all the permissive policies using OR.
713  */
714  if (list_length(permissive_quals) == 1)
715  rowsec_expr = (Expr *) linitial(permissive_quals);
716  else
717  rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
718 
719  ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
720  *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
721  }
722  else
723 
724  /*
725  * A permissive policy must exist for rows to be visible at all.
726  * Therefore, if there were no permissive policies found, return a
727  * single always-false clause.
728  */
729  *securityQuals = lappend(*securityQuals,
730  makeConst(BOOLOID, -1, InvalidOid,
731  sizeof(bool), BoolGetDatum(false),
732  false, true));
733 }
734 
735 /*
736  * add_with_check_options
737  *
738  * Add WithCheckOptions of the specified kind to check that new records
739  * added by an INSERT or UPDATE are consistent with the specified RLS
740  * policies. Normally new data must satisfy the WITH CHECK clauses from the
741  * policies. If a policy has no explicit WITH CHECK clause, its USING clause
742  * is used instead. In the special case of an UPDATE arising from an
743  * INSERT ... ON CONFLICT DO UPDATE, existing records are first checked using
744  * a WCO_RLS_CONFLICT_CHECK WithCheckOption, which always uses the USING
745  * clauses from RLS policies.
746  *
747  * New WCOs are added to withCheckOptions, and hasSubLinks is set to true if
748  * any of the check clauses added contain sublink subqueries.
749  */
750 static void
752  int rt_index,
753  WCOKind kind,
754  List *permissive_policies,
755  List *restrictive_policies,
756  List **withCheckOptions,
757  bool *hasSubLinks,
758  bool force_using)
759 {
760  ListCell *item;
761  List *permissive_quals = NIL;
762 
763 #define QUAL_FOR_WCO(policy) \
764  ( !force_using && \
765  (policy)->with_check_qual != NULL ? \
766  (policy)->with_check_qual : (policy)->qual )
767 
768  /*
769  * First collect up the permissive policy clauses, similar to
770  * add_security_quals.
771  */
772  foreach(item, permissive_policies)
773  {
774  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
775  Expr *qual = QUAL_FOR_WCO(policy);
776 
777  if (qual != NULL)
778  {
779  permissive_quals = lappend(permissive_quals, copyObject(qual));
780  *hasSubLinks |= policy->hassublinks;
781  }
782  }
783 
784  /*
785  * There must be at least one permissive qual found or no rows are allowed
786  * to be added. This is the same as in add_security_quals.
787  *
788  * If there are no permissive_quals then we fall through and return a
789  * single 'false' WCO, preventing all new rows.
790  */
791  if (permissive_quals != NIL)
792  {
793  /*
794  * Add a single WithCheckOption for all the permissive policy clauses,
795  * combining them together using OR. This check has no policy name,
796  * since if the check fails it means that no policy granted permission
797  * to perform the update, rather than any particular policy being
798  * violated.
799  */
800  WithCheckOption *wco;
801 
802  wco = makeNode(WithCheckOption);
803  wco->kind = kind;
805  wco->polname = NULL;
806  wco->cascaded = false;
807 
808  if (list_length(permissive_quals) == 1)
809  wco->qual = (Node *) linitial(permissive_quals);
810  else
811  wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
812 
813  ChangeVarNodes(wco->qual, 1, rt_index, 0);
814 
815  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
816 
817  /*
818  * Now add WithCheckOptions for each of the restrictive policy clauses
819  * (which will be combined together using AND). We use a separate
820  * WithCheckOption for each restrictive policy to allow the policy
821  * name to be included in error reports if the policy is violated.
822  */
823  foreach(item, restrictive_policies)
824  {
825  RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
826  Expr *qual = QUAL_FOR_WCO(policy);
827  WithCheckOption *wco;
828 
829  if (qual != NULL)
830  {
831  qual = copyObject(qual);
832  ChangeVarNodes((Node *) qual, 1, rt_index, 0);
833 
834  wco = makeNode(WithCheckOption);
835  wco->kind = kind;
837  wco->polname = pstrdup(policy->policy_name);
838  wco->qual = (Node *) qual;
839  wco->cascaded = false;
840 
841  *withCheckOptions = list_append_unique(*withCheckOptions, wco);
842  *hasSubLinks |= policy->hassublinks;
843  }
844  }
845  }
846  else
847  {
848  /*
849  * If there were no policy clauses to check new data, add a single
850  * always-false WCO (a default-deny policy).
851  */
852  WithCheckOption *wco;
853 
854  wco = makeNode(WithCheckOption);
855  wco->kind = kind;
857  wco->polname = NULL;
858  wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
859  sizeof(bool), BoolGetDatum(false),
860  false, true);
861  wco->cascaded = false;
862 
863  *withCheckOptions = lappend(*withCheckOptions, wco);
864  }
865 }
866 
867 /*
868  * check_role_for_policy -
869  * determines if the policy should be applied for the current role
870  */
871 static bool
872 check_role_for_policy(ArrayType *policy_roles, Oid user_id)
873 {
874  int i;
875  Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
876 
877  /* Quick fall-thru for policies applied to all roles */
878  if (roles[0] == ACL_ID_PUBLIC)
879  return true;
880 
881  for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
882  {
883  if (has_privs_of_role(user_id, roles[i]))
884  return true;
885  }
886 
887  return false;
888 }
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4951
#define ACL_SELECT_CHR
Definition: acl.h:138
#define ACL_DELETE_CHR
Definition: acl.h:140
#define ACL_INSERT_CHR
Definition: acl.h:137
#define ACL_UPDATE_CHR
Definition: acl.h:139
#define ACL_ID_PUBLIC
Definition: acl.h:46
#define ARR_DATA_PTR(a)
Definition: array.h:315
#define ARR_DIMS(a)
Definition: array.h:287
#define ERROR
Definition: elog.h:33
#define elog(elevel,...)
Definition: elog.h:218
int b
Definition: isn.c:70
int a
Definition: isn.c:69
int i
Definition: isn.c:73
Assert(fmt[strlen(fmt) - 1] !='\n')
void list_sort(List *list, list_sort_comparator cmp)
Definition: list.c:1612
List * lappend(List *list, void *datum)
Definition: list.c:336
List * list_append_unique(List *list, void *datum)
Definition: list.c:1302
#define NoLock
Definition: lockdefs.h:34
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
Definition: makefuncs.c:300
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Definition: makefuncs.c:370
char * pstrdup(const char *in)
Definition: mcxt.c:1305
Oid GetUserId(void)
Definition: miscinit.c:492
#define copyObject(obj)
Definition: nodes.h:689
@ ONCONFLICT_UPDATE
Definition: nodes.h:873
CmdType
Definition: nodes.h:719
@ CMD_MERGE
Definition: nodes.h:725
@ CMD_INSERT
Definition: nodes.h:723
@ CMD_DELETE
Definition: nodes.h:724
@ CMD_UPDATE
Definition: nodes.h:722
@ CMD_SELECT
Definition: nodes.h:721
#define makeNode(_type_)
Definition: nodes.h:621
WCOKind
Definition: parsenodes.h:1225
@ WCO_RLS_MERGE_UPDATE_CHECK
Definition: parsenodes.h:1230
@ WCO_RLS_CONFLICT_CHECK
Definition: parsenodes.h:1229
@ WCO_RLS_INSERT_CHECK
Definition: parsenodes.h:1227
@ WCO_RLS_UPDATE_CHECK
Definition: parsenodes.h:1228
@ WCO_RLS_MERGE_DELETE_CHECK
Definition: parsenodes.h:1231
#define ACL_UPDATE
Definition: parsenodes.h:84
#define ACL_SELECT
Definition: parsenodes.h:83
#define lfirst(lc)
Definition: pg_list.h:169
static int list_length(const List *l)
Definition: pg_list.h:149
#define NIL
Definition: pg_list.h:65
#define linitial(l)
Definition: pg_list.h:174
#define BoolGetDatum(X)
Definition: postgres.h:446
#define InvalidOid
Definition: postgres_ext.h:36
unsigned int Oid
Definition: postgres_ext.h:31
@ OR_EXPR
Definition: primnodes.h:628
#define RelationGetRelationName(relation)
Definition: rel.h:523
void setRuleCheckAsUser(Node *node, Oid userid)
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
Definition: rewriteManip.c:610
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:52
@ RLS_NONE
Definition: rls.h:43
@ RLS_NONE_ENV
Definition: rls.h:44
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:96
void get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
Definition: rowsecurity.c:108
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
Definition: rowsecurity.c:872
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:97
#define QUAL_FOR_WCO(policy)
static void sort_policies_by_name(List *policies)
Definition: rowsecurity.c:620
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:751
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:496
static int row_security_policy_cmp(const ListCell *a, const ListCell *b)
Definition: rowsecurity.c:629
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:655
List *(* row_security_policy_hook_type)(CmdType cmdtype, Relation relation)
Definition: rowsecurity.h:37
Definition: pg_list.h:51
Definition: nodes.h:574
OnConflictAction action
Definition: primnodes.h:1841
OnConflictExpr * onConflict
Definition: parsenodes.h:159
int resultRelation
Definition: parsenodes.h:131
CmdType commandType
Definition: parsenodes.h:121
AclMode requiredPerms
Definition: parsenodes.h:1165
struct RowSecurityDesc * rd_rsdesc
Definition: rel.h:117
ArrayType * roles
Definition: rowsecurity.h:24
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:167
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:39