PostgreSQL Source Code git master
test_rls_hooks.c
Go to the documentation of this file.
1/*--------------------------------------------------------------------------
2 *
3 * test_rls_hooks.c
4 * Code for testing RLS hooks.
5 *
6 * Copyright (c) 2015-2025, PostgreSQL Global Development Group
7 *
8 * IDENTIFICATION
9 * src/test/modules/test_rls_hooks/test_rls_hooks.c
10 *
11 * -------------------------------------------------------------------------
12 */
13
14#include "postgres.h"
15
16#include "catalog/pg_type.h"
17#include "fmgr.h"
18#include "nodes/makefuncs.h"
19#include "parser/parse_clause.h"
20#include "parser/parse_collate.h"
21#include "parser/parse_node.h"
22#include "parser/parse_relation.h"
23#include "rewrite/rowsecurity.h"
24#include "test_rls_hooks.h"
25#include "utils/acl.h"
26#include "utils/rel.h"
27#include "utils/relcache.h"
28
29PG_MODULE_MAGIC;
30
31/* Install hooks */
32void
33_PG_init(void)
34{
35 /* Set our hooks */
36 row_security_policy_hook_permissive = test_rls_hooks_permissive;
37 row_security_policy_hook_restrictive = test_rls_hooks_restrictive;
38}
39
40/*
41 * Return permissive policies to be added
42 */
43List *
44test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
45{
46 List *policies = NIL;
47 RowSecurityPolicy *policy = palloc0(sizeof(RowSecurityPolicy));
48 Datum role;
49 FuncCall *n;
50 Node *e;
51 ColumnRef *c;
52 ParseState *qual_pstate;
53 ParseNamespaceItem *nsitem;
54
55 if (strcmp(RelationGetRelationName(relation), "rls_test_permissive") != 0 &&
56 strcmp(RelationGetRelationName(relation), "rls_test_both") != 0)
57 return NIL;
58
59 qual_pstate = make_parsestate(NULL);
60
61 nsitem = addRangeTableEntryForRelation(qual_pstate,
62 relation, AccessShareLock,
63 NULL, false, false);
64 addNSItemToQuery(qual_pstate, nsitem, false, true, true);
65
66 role = ObjectIdGetDatum(ACL_ID_PUBLIC);
67
68 policy->policy_name = pstrdup("extension policy");
69 policy->polcmd = '*';
70 policy->roles = construct_array_builtin(&role, 1, OIDOID);
71
72 /*
73 * policy->qual = (Expr *) makeConst(BOOLOID, -1, InvalidOid,
74 * sizeof(bool), BoolGetDatum(true), false, true);
75 */
76
77 n = makeFuncCall(list_make2(makeString("pg_catalog"),
78 makeString("current_user")),
79 NIL,
80 COERCE_EXPLICIT_CALL,
81 -1);
82
83 c = makeNode(ColumnRef);
84 c->fields = list_make1(makeString("username"));
85 c->location = 0;
86
87 e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
88
89 policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
90 EXPR_KIND_POLICY,
91 "POLICY");
92 /* Fix up collation information */
93 assign_expr_collations(qual_pstate, (Node *) policy->qual);
94
95 policy->with_check_qual = copyObject(policy->qual);
96 policy->hassublinks = false;
97
98 policies = list_make1(policy);
99
100 return policies;
101}
102
103/*
104 * Return restrictive policies to be added
105 *
106 * Note that a permissive policy must exist or the default-deny policy
107 * will be included and nothing will be visible. If no filtering should
108 * be done except for the restrictive policy, then a single "USING (true)"
109 * permissive policy can be used; see the regression tests.
110 */
111List *
112test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)
113{
114 List *policies = NIL;
115 RowSecurityPolicy *policy = palloc0(sizeof(RowSecurityPolicy));
116 Datum role;
117 FuncCall *n;
118 Node *e;
119 ColumnRef *c;
120 ParseState *qual_pstate;
121 ParseNamespaceItem *nsitem;
122
123 if (strcmp(RelationGetRelationName(relation), "rls_test_restrictive") != 0 &&
124 strcmp(RelationGetRelationName(relation), "rls_test_both") != 0)
125 return NIL;
126
127 qual_pstate = make_parsestate(NULL);
128
129 nsitem = addRangeTableEntryForRelation(qual_pstate,
130 relation, AccessShareLock,
131 NULL, false, false);
132 addNSItemToQuery(qual_pstate, nsitem, false, true, true);
133
134 role = ObjectIdGetDatum(ACL_ID_PUBLIC);
135
136 policy->policy_name = pstrdup("extension policy");
137 policy->polcmd = '*';
138 policy->roles = construct_array_builtin(&role, 1, OIDOID);
139
140 n = makeFuncCall(list_make2(makeString("pg_catalog"),
141 makeString("current_user")),
142 NIL,
143 COERCE_EXPLICIT_CALL,
144 -1);
145
146 c = makeNode(ColumnRef);
147 c->fields = list_make1(makeString("supervisor"));
148 c->location = 0;
149
150 e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
151
152 policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
153 EXPR_KIND_POLICY,
154 "POLICY");
155 /* Fix up collation information */
156 assign_expr_collations(qual_pstate, (Node *) policy->qual);
157
158 policy->with_check_qual = copyObject(policy->qual);
159 policy->hassublinks = false;
160
161 policies = list_make1(policy);
162
163 return policies;
164}
ACL_ID_PUBLIC
#define ACL_ID_PUBLIC
Definition: acl.h:46
construct_array_builtin
ArrayType * construct_array_builtin(Datum *elems, int nelems, Oid elmtype)
Definition: arrayfuncs.c:3381
AccessShareLock
#define AccessShareLock
Definition: lockdefs.h:36
makeSimpleA_Expr
A_Expr * makeSimpleA_Expr(A_Expr_Kind kind, char *name, Node *lexpr, Node *rexpr, int location)
Definition: makefuncs.c:48
makeFuncCall
FuncCall * makeFuncCall(List *name, List *args, CoercionForm funcformat, int location)
Definition: makefuncs.c:676
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1703
palloc0
void * palloc0(Size size)
Definition: mcxt.c:1351
copyObject
#define copyObject(obj)
Definition: nodes.h:230
CmdType
CmdType
Definition: nodes.h:269
makeNode
#define makeNode(_type_)
Definition: nodes.h:161
transformWhereClause
Node * transformWhereClause(ParseState *pstate, Node *clause, ParseExprKind exprKind, const char *constructName)
Definition: parse_clause.c:1854
parse_clause.h
assign_expr_collations
void assign_expr_collations(ParseState *pstate, Node *expr)
Definition: parse_collate.c:177
parse_collate.h
make_parsestate
ParseState * make_parsestate(ParseState *parentParseState)
Definition: parse_node.c:39
parse_node.h
EXPR_KIND_POLICY
@ EXPR_KIND_POLICY
Definition: parse_node.h:78
addRangeTableEntryForRelation
ParseNamespaceItem * addRangeTableEntryForRelation(ParseState *pstate, Relation rel, int lockmode, Alias *alias, bool inh, bool inFromCl)
Definition: parse_relation.c:1584
addNSItemToQuery
void addNSItemToQuery(ParseState *pstate, ParseNamespaceItem *nsitem, bool addToJoinList, bool addToRelNameSpace, bool addToVarNameSpace)
Definition: parse_relation.c:2710
parse_relation.h
AEXPR_OP
@ AEXPR_OP
Definition: parsenodes.h:324
NIL
#define NIL
Definition: pg_list.h:68
list_make1
#define list_make1(x1)
Definition: pg_list.h:212
list_make2
#define list_make2(x1, x2)
Definition: pg_list.h:214
pg_type.h
Datum
uintptr_t Datum
Definition: postgres.h:69
ObjectIdGetDatum
static Datum ObjectIdGetDatum(Oid X)
Definition: postgres.h:257
c
char * c
Definition: preproc-cursor.c:31
e
e
Definition: preproc-init.c:82
COERCE_EXPLICIT_CALL
@ COERCE_EXPLICIT_CALL
Definition: primnodes.h:751
RelationGetRelationName
#define RelationGetRelationName(relation)
Definition: rel.h:550
row_security_policy_hook_permissive
row_security_policy_hook_type row_security_policy_hook_permissive
Definition: rowsecurity.c:86
row_security_policy_hook_restrictive
row_security_policy_hook_type row_security_policy_hook_restrictive
Definition: rowsecurity.c:87
List
Definition: pg_list.h:54
Node
Definition: nodes.h:135
RowSecurityPolicy::roles
ArrayType * roles
Definition: rowsecurity.h:24
RowSecurityPolicy::with_check_qual
Expr * with_check_qual
Definition: rowsecurity.h:27
test_rls_hooks_restrictive
List * test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)
Definition: test_rls_hooks.c:112
_PG_init
void _PG_init(void)
Definition: test_rls_hooks.c:33
PG_MODULE_MAGIC
PG_MODULE_MAGIC
Definition: test_rls_hooks.c:29
test_rls_hooks_permissive
List * test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
Definition: test_rls_hooks.c:44
test_rls_hooks.h
makeString
String * makeString(char *str)
Definition: value.c:63