#include "nodes/parsenodes.h"
#include "utils/array.h"
#include "utils/relcache.h"

Include dependency graph for rowsecurity.h:

This graph shows which files directly or indirectly include this file:

Data Structures
struct	RowSecurityPolicy

struct	RowSecurityDesc

Typedefs
typedef struct RowSecurityPolicy	RowSecurityPolicy

typedef struct RowSecurityDesc	RowSecurityDesc

typedef List (	row_security_policy_hook_type) (CmdType cmdtype, Relation relation)

Functions
void	get_row_security_policies (Query root, RangeTblEntry rte, int rt_index, List securityQuals, List withCheckOptions, bool hasRowSecurity, bool hasSubLinks)

Variables
PGDLLIMPORT row_security_policy_hook_type	row_security_policy_hook_permissive

PGDLLIMPORT row_security_policy_hook_type	row_security_policy_hook_restrictive

Typedef Documentation

◆ row_security_policy_hook_type

typedef List*(* row_security_policy_hook_type) (CmdType cmdtype, Relation relation)

Definition at line 37 of file rowsecurity.h.

◆ RowSecurityDesc

typedef struct RowSecurityDesc RowSecurityDesc

◆ RowSecurityPolicy

typedef struct RowSecurityPolicy RowSecurityPolicy

Function Documentation

◆ get_row_security_policies()

void get_row_security_policies	(	Query *	root,
		RangeTblEntry *	rte,
		int	rt_index,
		List **	securityQuals,
		List **	withCheckOptions,
		bool *	hasRowSecurity,
		bool *	hasSubLinks
	)

Definition at line 109 of file rowsecurity.c.

 {
     Oid         user_id;
     int         rls_status;
     Relation    rel;
     CmdType     commandType;
     List       *permissive_policies;
     List       *restrictive_policies;
     RTEPermissionInfo *perminfo;
  
     /* Defaults for the return values */
     *securityQuals = NIL;
     *withCheckOptions = NIL;
     *hasRowSecurity = false;
     *hasSubLinks = false;
  
     Assert(rte->rtekind == RTE_RELATION);
  
     /* If this is not a normal relation, just return immediately */
     if (rte->relkind != RELKIND_RELATION &&
         rte->relkind != RELKIND_PARTITIONED_TABLE)
         return;
  
     perminfo = getRTEPermissionInfo(root->rteperminfos, rte);
  
     /* Switch to checkAsUser if it's set */
     user_id = OidIsValid(perminfo->checkAsUser) ?
         perminfo->checkAsUser : GetUserId();
  
     /* Determine the state of RLS for this, pass checkAsUser explicitly */
     rls_status = check_enable_rls(rte->relid, perminfo->checkAsUser, false);
  
     /* If there is no RLS on this table at all, nothing to do */
     if (rls_status == RLS_NONE)
         return;
  
     /*
      * RLS_NONE_ENV means we are not doing any RLS now, but that may change
      * with changes to the environment, so we mark it as hasRowSecurity to
      * force a re-plan when the environment changes.
      */
     if (rls_status == RLS_NONE_ENV)
     {
         /*
          * Indicate that this query may involve RLS and must therefore be
          * replanned if the environment changes (GUCs, role), but we are not
          * adding anything here.
          */
         *hasRowSecurity = true;
  
         return;
     }
  
     /*
      * RLS is enabled for this relation.
      *
      * Get the security policies that should be applied, based on the command
      * type.  Note that if this isn't the target relation, we actually want
      * the relation's SELECT policies, regardless of the query command type,
      * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
      * policies and t2's SELECT policies.
      */
     rel = table_open(rte->relid, NoLock);
  
     commandType = rt_index == root->resultRelation ?
         root->commandType : CMD_SELECT;
  
     /*
      * In some cases, we need to apply USING policies (which control the
      * visibility of records) associated with multiple command types (see
      * specific cases below).
      *
      * When considering the order in which to apply these USING policies, we
      * prefer to apply higher privileged policies, those which allow the user
      * to lock records (UPDATE and DELETE), first, followed by policies which
      * don't (SELECT).
      *
      * Note that the optimizer is free to push down and reorder quals which
      * use leakproof functions.
      *
      * In all cases, if there are no policy clauses allowing access to rows in
      * the table for the specific type of operation, then a single
      * always-false clause (a default-deny policy) will be added (see
      * add_security_quals).
      */
  
     /*
      * For a SELECT, if UPDATE privileges are required (eg: the user has
      * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
      * first.
      *
      * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
      * which the user does not have access to via the UPDATE USING policies,
      * similar to how we require normal UPDATE rights for these queries.
      */
     if (commandType == CMD_SELECT && perminfo->requiredPerms & ACL_UPDATE)
     {
         List       *update_permissive_policies;
         List       *update_restrictive_policies;
  
         get_policies_for_relation(rel, CMD_UPDATE, user_id,
                                   &update_permissive_policies,
                                   &update_restrictive_policies);
  
         add_security_quals(rt_index,
                            update_permissive_policies,
                            update_restrictive_policies,
                            securityQuals,
                            hasSubLinks);
     }
  
     /*
      * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
      * policies.  These security quals control access to existing table rows.
      * Restrictive policies are combined together using AND, and permissive
      * policies are combined together using OR.
      */
  
     get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
                               &restrictive_policies);
  
     if (commandType == CMD_SELECT ||
         commandType == CMD_UPDATE ||
         commandType == CMD_DELETE)
         add_security_quals(rt_index,
                            permissive_policies,
                            restrictive_policies,
                            securityQuals,
                            hasSubLinks);
  
     /*
      * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
      * are also required (eg: when a RETURNING clause exists, or the user has
      * provided a WHERE clause which involves columns from the relation), we
      * collect up CMD_SELECT policies and add them via add_security_quals
      * first.
      *
      * This way, we filter out any records which are not visible through an
      * ALL or SELECT USING policy.
      */
     if ((commandType == CMD_UPDATE || commandType == CMD_DELETE ||
          commandType == CMD_MERGE) &&
         perminfo->requiredPerms & ACL_SELECT)
     {
         List       *select_permissive_policies;
         List       *select_restrictive_policies;
  
         get_policies_for_relation(rel, CMD_SELECT, user_id,
                                   &select_permissive_policies,
                                   &select_restrictive_policies);
  
         add_security_quals(rt_index,
                            select_permissive_policies,
                            select_restrictive_policies,
                            securityQuals,
                            hasSubLinks);
     }
  
     /*
      * For INSERT and UPDATE, add withCheckOptions to verify that any new
      * records added are consistent with the security policies.  This will use
      * each policy's WITH CHECK clause, or its USING clause if no explicit
      * WITH CHECK clause is defined.
      */
     if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
     {
         /* This should be the target relation */
         Assert(rt_index == root->resultRelation);
  
         add_with_check_options(rel, rt_index,
                                commandType == CMD_INSERT ?
                                WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
                                permissive_policies,
                                restrictive_policies,
                                withCheckOptions,
                                hasSubLinks,
                                false);
  
         /*
          * Get and add ALL/SELECT policies, if SELECT rights are required for
          * this relation (eg: when RETURNING is used).  These are added as WCO
          * policies rather than security quals to ensure that an error is
          * raised if a policy is violated; otherwise, we might end up silently
          * dropping rows to be added.
          */
         if (perminfo->requiredPerms & ACL_SELECT)
         {
             List       *select_permissive_policies = NIL;
             List       *select_restrictive_policies = NIL;
  
             get_policies_for_relation(rel, CMD_SELECT, user_id,
                                       &select_permissive_policies,
                                       &select_restrictive_policies);
             add_with_check_options(rel, rt_index,
                                    commandType == CMD_INSERT ?
                                    WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
                                    select_permissive_policies,
                                    select_restrictive_policies,
                                    withCheckOptions,
                                    hasSubLinks,
                                    true);
         }
  
         /*
          * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
          * checks for the UPDATE which may be applied to the same RTE.
          */
         if (commandType == CMD_INSERT &&
             root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
         {
             List       *conflict_permissive_policies;
             List       *conflict_restrictive_policies;
             List       *conflict_select_permissive_policies = NIL;
             List       *conflict_select_restrictive_policies = NIL;
  
             /* Get the policies that apply to the auxiliary UPDATE */
             get_policies_for_relation(rel, CMD_UPDATE, user_id,
                                       &conflict_permissive_policies,
                                       &conflict_restrictive_policies);
  
             /*
              * Enforce the USING clauses of the UPDATE policies using WCOs
              * rather than security quals.  This ensures that an error is
              * raised if the conflicting row cannot be updated due to RLS,
              * rather than the change being silently dropped.
              */
             add_with_check_options(rel, rt_index,
                                    WCO_RLS_CONFLICT_CHECK,
                                    conflict_permissive_policies,
                                    conflict_restrictive_policies,
                                    withCheckOptions,
                                    hasSubLinks,
                                    true);
  
             /*
              * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
              * to ensure they are considered when taking the UPDATE path of an
              * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
              * for this relation, also as WCO policies, again, to avoid
              * silently dropping data.  See above.
              */
             if (perminfo->requiredPerms & ACL_SELECT)
             {
                 get_policies_for_relation(rel, CMD_SELECT, user_id,
                                           &conflict_select_permissive_policies,
                                           &conflict_select_restrictive_policies);
                 add_with_check_options(rel, rt_index,
                                        WCO_RLS_CONFLICT_CHECK,
                                        conflict_select_permissive_policies,
                                        conflict_select_restrictive_policies,
                                        withCheckOptions,
                                        hasSubLinks,
                                        true);
             }
  
             /* Enforce the WITH CHECK clauses of the UPDATE policies */
             add_with_check_options(rel, rt_index,
                                    WCO_RLS_UPDATE_CHECK,
                                    conflict_permissive_policies,
                                    conflict_restrictive_policies,
                                    withCheckOptions,
                                    hasSubLinks,
                                    false);
  
             /*
              * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
              * that the final updated row is visible when taking the UPDATE
              * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
              * are required for this relation.
              */
             if (perminfo->requiredPerms & ACL_SELECT)
                 add_with_check_options(rel, rt_index,
                                        WCO_RLS_UPDATE_CHECK,
                                        conflict_select_permissive_policies,
                                        conflict_select_restrictive_policies,
                                        withCheckOptions,
                                        hasSubLinks,
                                        true);
         }
     }
  
     /*
      * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
      * and set them up so that we can enforce the appropriate policy depending
      * on the final action we take.
      *
      * We already fetched the SELECT policies above.
      *
      * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
      * really want to apply them while scanning the relation since we don't
      * know whether we will be doing an UPDATE or a DELETE at the end. We
      * apply the respective policy once we decide the final action on the
      * target tuple.
      *
      * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
      * UPDATE/DELETE on the target row, we shall throw an error instead of
      * silently ignoring the row. This is different than how normal
      * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO UPDATE
      * handling.
      */
     if (commandType == CMD_MERGE)
     {
         List       *merge_permissive_policies;
         List       *merge_restrictive_policies;
  
         /*
          * Fetch the UPDATE policies and set them up to execute on the
          * existing target row before doing UPDATE.
          */
         get_policies_for_relation(rel, CMD_UPDATE, user_id,
                                   &merge_permissive_policies,
                                   &merge_restrictive_policies);
  
         /*
          * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
          * the existing target row.
          */
         add_with_check_options(rel, rt_index,
                                WCO_RLS_MERGE_UPDATE_CHECK,
                                merge_permissive_policies,
                                merge_restrictive_policies,
                                withCheckOptions,
                                hasSubLinks,
                                true);
  
         /*
          * Same with DELETE policies.
          */
         get_policies_for_relation(rel, CMD_DELETE, user_id,
                                   &merge_permissive_policies,
                                   &merge_restrictive_policies);
  
         add_with_check_options(rel, rt_index,
                                WCO_RLS_MERGE_DELETE_CHECK,
                                merge_permissive_policies,
                                merge_restrictive_policies,
                                withCheckOptions,
                                hasSubLinks,
                                true);
  
         /*
          * No special handling is required for INSERT policies. They will be
          * checked and enforced during ExecInsert(). But we must add them to
          * withCheckOptions.
          */
         get_policies_for_relation(rel, CMD_INSERT, user_id,
                                   &merge_permissive_policies,
                                   &merge_restrictive_policies);
  
         add_with_check_options(rel, rt_index,
                                WCO_RLS_INSERT_CHECK,
                                merge_permissive_policies,
                                merge_restrictive_policies,
                                withCheckOptions,
                                hasSubLinks,
                                false);
  
         /* Enforce the WITH CHECK clauses of the UPDATE policies */
         add_with_check_options(rel, rt_index,
                                WCO_RLS_UPDATE_CHECK,
                                merge_permissive_policies,
                                merge_restrictive_policies,
                                withCheckOptions,
                                hasSubLinks,
                                false);
     }
  
     table_close(rel, NoLock);
  
     /*
      * Copy checkAsUser to the row security quals and WithCheckOption checks,
      * in case they contain any subqueries referring to other relations.
      */
     setRuleCheckAsUser((Node *) *securityQuals, perminfo->checkAsUser);
     setRuleCheckAsUser((Node *) *withCheckOptions, perminfo->checkAsUser);
  
     /*
      * Mark this query as having row security, so plancache can invalidate it
      * when necessary (eg: role changes)
      */
     *hasRowSecurity = true;
 }