PostgreSQL Source Code: src/backend/rewrite/rowsecurity.c Source File (original) (raw)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

36

50

53 List **permissive_policies,

54 List **restrictive_policies);

55

57

59

61 List *permissive_policies,

62 List *restrictive_policies,

63 List **securityQuals,

64 bool *hasSubLinks);

65

67 int rt_index,

69 List *permissive_policies,

70 List *restrictive_policies,

71 List **withCheckOptions,

72 bool *hasSubLinks,

73 bool force_using);

74

76

77

78

79

80

81

82

83

84

85

88

89

90

91

92

93

94

95

96

97void

99 List **securityQuals, List **withCheckOptions,

100 bool *hasRowSecurity, bool *hasSubLinks)

101{

102 Oid user_id;

103 int rls_status;

106 List *permissive_policies;

107 List *restrictive_policies;

109

110

111 *securityQuals = NIL;

112 *withCheckOptions = NIL;

113 *hasRowSecurity = false;

114 *hasSubLinks = false;

115

117

118

119 if (rte->relkind != RELKIND_RELATION &&

120 rte->relkind != RELKIND_PARTITIONED_TABLE)

121 return;

122

124

125

128

129

131

132

134 return;

135

136

137

138

139

140

142 {

143

144

145

146

147

148 *hasRowSecurity = true;

149

150 return;

151 }

152

153

154

155

156

157

158

159

160

161

163

164 commandType = rt_index == root->resultRelation ?

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

196 {

197 List *update_permissive_policies;

198 List *update_restrictive_policies;

199

201 &update_permissive_policies,

202 &update_restrictive_policies);

203

205 update_permissive_policies,

206 update_restrictive_policies,

207 securityQuals,

208 hasSubLinks);

209 }

210

211

212

213

214

215

216

217

219 &restrictive_policies);

220

225 permissive_policies,

226 restrictive_policies,

227 securityQuals,

228 hasSubLinks);

229

230

231

232

233

234

235

236

237

238

239

243 {

244 List *select_permissive_policies;

245 List *select_restrictive_policies;

246

248 &select_permissive_policies,

249 &select_restrictive_policies);

250

252 select_permissive_policies,

253 select_restrictive_policies,

254 securityQuals,

255 hasSubLinks);

256 }

257

258

259

260

261

262

263

265 {

266

267 Assert(rt_index == root->resultRelation);

268

272 permissive_policies,

273 restrictive_policies,

274 withCheckOptions,

275 hasSubLinks,

276 false);

277

278

279

280

281

282

283

284

286 {

287 List *select_permissive_policies = NIL;

288 List *select_restrictive_policies = NIL;

289

291 &select_permissive_policies,

292 &select_restrictive_policies);

296 select_permissive_policies,

297 select_restrictive_policies,

298 withCheckOptions,

299 hasSubLinks,

300 true);

301 }

302

303

304

305

306

309 {

310 List *conflict_permissive_policies;

311 List *conflict_restrictive_policies;

312 List *conflict_select_permissive_policies = NIL;

313 List *conflict_select_restrictive_policies = NIL;

314

315

317 &conflict_permissive_policies,

318 &conflict_restrictive_policies);

319

320

321

322

323

324

325

328 conflict_permissive_policies,

329 conflict_restrictive_policies,

330 withCheckOptions,

331 hasSubLinks,

332 true);

333

334

335

336

337

338

339

340

342 {

344 &conflict_select_permissive_policies,

345 &conflict_select_restrictive_policies);

348 conflict_select_permissive_policies,

349 conflict_select_restrictive_policies,

350 withCheckOptions,

351 hasSubLinks,

352 true);

353 }

354

355

358 conflict_permissive_policies,

359 conflict_restrictive_policies,

360 withCheckOptions,

361 hasSubLinks,

362 false);

363

364

365

366

367

368

369

373 conflict_select_permissive_policies,

374 conflict_select_restrictive_policies,

375 withCheckOptions,

376 hasSubLinks,

377 true);

378 }

379 }

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

405 {

406 List *merge_update_permissive_policies;

407 List *merge_update_restrictive_policies;

408 List *merge_delete_permissive_policies;

409 List *merge_delete_restrictive_policies;

410 List *merge_insert_permissive_policies;

411 List *merge_insert_restrictive_policies;

412 List *merge_select_permissive_policies = NIL;

413 List *merge_select_restrictive_policies = NIL;

414

415

416

417

418

420 &merge_update_permissive_policies,

421 &merge_update_restrictive_policies);

422

423

424

425

426

429 merge_update_permissive_policies,

430 merge_update_restrictive_policies,

431 withCheckOptions,

432 hasSubLinks,

433 true);

434

435

438 merge_update_permissive_policies,

439 merge_update_restrictive_policies,

440 withCheckOptions,

441 hasSubLinks,

442 false);

443

444

445

446

447

448

450 {

452 &merge_select_permissive_policies,

453 &merge_select_restrictive_policies);

456 merge_select_permissive_policies,

457 merge_select_restrictive_policies,

458 withCheckOptions,

459 hasSubLinks,

460 true);

461 }

462

463

464

465

466

468 &merge_delete_permissive_policies,

469 &merge_delete_restrictive_policies);

470

471

472

473

474

477 merge_delete_permissive_policies,

478 merge_delete_restrictive_policies,

479 withCheckOptions,

480 hasSubLinks,

481 true);

482

483

484

485

486

487

489 &merge_insert_permissive_policies,

490 &merge_insert_restrictive_policies);

491

494 merge_insert_permissive_policies,

495 merge_insert_restrictive_policies,

496 withCheckOptions,

497 hasSubLinks,

498 false);

499

500

501

502

503

504

505

509 merge_select_permissive_policies,

510 merge_select_restrictive_policies,

511 withCheckOptions,

512 hasSubLinks,

513 true);

514 }

515

517

518

519

520

521

524

525

526

527

528

529 *hasRowSecurity = true;

530}

531

532

533

534

535

536

537

538

539

540static void

542 List **permissive_policies,

543 List **restrictive_policies)

544{

546

547 *permissive_policies = NIL;

548 *restrictive_policies = NIL;

549

550

552 {

553 bool cmd_matches = false;

555

556

557 if (policy->polcmd == '*')

558 cmd_matches = true;

559 else

560 {

561

562 switch (cmd)

563 {

566 cmd_matches = true;

567 break;

570 cmd_matches = true;

571 break;

574 cmd_matches = true;

575 break;

578 cmd_matches = true;

579 break;

581

582

583

584

585

586

587 break;

588 default:

589 elog(ERROR, "unrecognized policy command type %d",

590 (int) cmd);

591 break;

592 }

593 }

594

595

596

597

598

600 {

602 *permissive_policies = lappend(*permissive_policies, policy);

603 else

604 *restrictive_policies = lappend(*restrictive_policies, policy);

605 }

606 }

607

608

609

610

611

613

614

615

616

617

618

620 {

621 List *hook_policies =

622 (*row_security_policy_hook_restrictive) (cmd, relation);

623

624

625

626

627

628

629

631

632 foreach(item, hook_policies)

633 {

635

637 *restrictive_policies = lappend(*restrictive_policies, policy);

638 }

639 }

640

642 {

643 List *hook_policies =

644 (*row_security_policy_hook_permissive) (cmd, relation);

645

646 foreach(item, hook_policies)

647 {

649

651 *permissive_policies = lappend(*permissive_policies, policy);

652 }

653 }

654}

655

656

657

658

659

660

661

662

663

664static void

666{

668}

669

670

671

672

673static int

675{

678

679

683 return -1;

684

686}

687

688

689

690

691

692

693

694

695

696

697

698

699static void

701 List *permissive_policies,

702 List *restrictive_policies,

703 List **securityQuals,

704 bool *hasSubLinks)

705{

707 List *permissive_quals = NIL;

708 Expr *rowsec_expr;

709

710

711

712

713

714 foreach(item, permissive_policies)

715 {

717

718 if (policy->qual != NULL)

719 {

720 permissive_quals = lappend(permissive_quals,

723 }

724 }

725

726

727

728

729

730

731

732 if (permissive_quals != NIL)

733 {

734

735

736

737

738

739

740 foreach(item, restrictive_policies)

741 {

744

745 if (policy->qual != NULL)

746 {

749

752 }

753 }

754

755

756

757

758

760 rowsec_expr = (Expr *) linitial(permissive_quals);

761 else

763

766 }

767 else

768

769

770

771

772

773

774 *securityQuals = lappend(*securityQuals,

777 false, true));

778}

779

780

781

782

783

784

785

786

787

788

789

790

791

792

793

794

795static void

797 int rt_index,

799 List *permissive_policies,

800 List *restrictive_policies,

801 List **withCheckOptions,

802 bool *hasSubLinks,

803 bool force_using)

804{

806 List *permissive_quals = NIL;

807

808#define QUAL_FOR_WCO(policy) \

809 ( !force_using && \

810 (policy)->with_check_qual != NULL ? \

811 (policy)->with_check_qual : (policy)->qual )

812

813

814

815

816

817 foreach(item, permissive_policies)

818 {

821

822 if (qual != NULL)

823 {

826 }

827 }

828

829

830

831

832

833

834

835

836 if (permissive_quals != NIL)

837 {

838

839

840

841

842

843

844

846

848 wco->kind = kind;

852

855 else

857

859

861

862

863

864

865

866

867

868 foreach(item, restrictive_policies)

869 {

872

873 if (qual != NULL)

874 {

877

879 wco->kind = kind;

884

887 }

888 }

889 }

890 else

891 {

892

893

894

895

897

899 wco->kind = kind;

904 false, true);

906

907 *withCheckOptions = lappend(*withCheckOptions, wco);

908 }

909}

910

911

912

913

914

915static bool

917{

918 int i;

920

921

923 return true;

924

925 for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)

926 {

928 return true;

929 }

930

931 return false;

932}

bool has_privs_of_role(Oid member, Oid role)

#define OidIsValid(objectId)

Assert(PointerIsAligned(start, uint64))

List * lappend(List *list, void *datum)

void list_sort(List *list, list_sort_comparator cmp)

List * list_append_unique(List *list, void *datum)

Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)

Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)

char * pstrdup(const char *in)

RTEPermissionInfo * getRTEPermissionInfo(List *rteperminfos, RangeTblEntry *rte)

@ WCO_RLS_MERGE_UPDATE_CHECK

@ WCO_RLS_MERGE_DELETE_CHECK

static int list_length(const List *l)

static Datum BoolGetDatum(bool X)

#define RelationGetRelationName(relation)

void setRuleCheckAsUser(Node *node, Oid userid)

void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)

int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)

row_security_policy_hook_type row_security_policy_hook_permissive

void get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)

static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)

row_security_policy_hook_type row_security_policy_hook_restrictive

#define QUAL_FOR_WCO(policy)

static void sort_policies_by_name(List *policies)

static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)

static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)

static int row_security_policy_cmp(const ListCell *a, const ListCell *b)

static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)

List *(* row_security_policy_hook_type)(CmdType cmdtype, Relation relation)

struct RowSecurityDesc * rd_rsdesc

void table_close(Relation relation, LOCKMODE lockmode)

Relation table_open(Oid relationId, LOCKMODE lockmode)