1 /*
2 * rewrite/rowsecurity.c
3 * Routines to support policies for row level security (aka RLS).
4 *
5 * Policies in PostgreSQL provide a mechanism to limit what records are
6 * returned to a user and what records a user is permitted to add to a table.
7 *
8 * Policies can be defined for specific roles, specific commands, or provided
9 * by an extension. Row security can also be enabled for a table without any
10 * policies being explicitly defined, in which case a default-deny policy is
11 * applied.
12 *
13 * Any part of the system which is returning records back to the user, or
14 * which is accepting records from the user to add to a table, needs to
15 * consider the policies associated with the table (if any). For normal
16 * queries, this is handled by calling get_row_security_policies() during
17 * rewrite, for each RTE in the query. This returns the expressions defined
18 * by the table's policies as a list that is prepended to the securityQuals
19 * list for the RTE. For queries which modify the table, any WITH CHECK
20 * clauses from the table's policies are also returned and prepended to the
21 * list of WithCheckOptions for the Query to check each row that is being
22 * added to the table. Other parts of the system (eg: COPY) simply construct
23 * a normal query and use that, if RLS is to be applied.
24 *
25 * The check to see if RLS should be enabled is provided through
26 * check_enable_rls(), which returns an enum (defined in rowsecurity.h) to
27 * indicate if RLS should be enabled (RLS_ENABLED), or bypassed (RLS_NONE or
28 * RLS_NONE_ENV). RLS_NONE_ENV indicates that RLS should be bypassed
29 * in the current environment, but that may change if the row_security GUC or
30 * the current role changes.
31 *
32 * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
33 * Portions Copyright (c) 1994, Regents of the University of California
34 */
35 #include "postgres.h"
36
37 #include "access/heapam.h"
38 #include "access/htup_details.h"
39 #include "access/sysattr.h"
40 #include "catalog/pg_class.h"
41 #include "catalog/pg_inherits_fn.h"
42 #include "catalog/pg_policy.h"
43 #include "catalog/pg_type.h"
44 #include "miscadmin.h"
45 #include "nodes/makefuncs.h"
46 #include "nodes/nodeFuncs.h"
47 #include "nodes/pg_list.h"
48 #include "nodes/plannodes.h"
49 #include "parser/parsetree.h"
50 #include "rewrite/rewriteDefine.h"
51 #include "rewrite/rewriteHandler.h"
52 #include "rewrite/rewriteManip.h"
53 #include "rewrite/rowsecurity.h"
54 #include "utils/acl.h"
55 #include "utils/lsyscache.h"
56 #include "utils/rel.h"
57 #include "utils/rls.h"
58 #include "utils/syscache.h"
59 #include "tcop/utility.h"
60
61 static void get_policies_for_relation(Relation relation,
62 CmdType cmd, Oid user_id,
63 List **permissive_policies,
64 List **restrictive_policies);
65
66 static List *sort_policies_by_name(List *policies);
67
68 static int row_security_policy_cmp(const void *a, const void *b);
69
70 static void add_security_quals(int rt_index,
71 List *permissive_policies,
72 List *restrictive_policies,
73 List **securityQuals,
74 bool *hasSubLinks);
75
76 static void add_with_check_options(Relation rel,
77 int rt_index,
78 WCOKind kind,
79 List *permissive_policies,
80 List *restrictive_policies,
81 List **withCheckOptions,
82 bool *hasSubLinks,
83 bool force_using);
84
85 static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id);
86
87 /*
88 * hooks to allow extensions to add their own security policies
89 *
90 * row_security_policy_hook_permissive can be used to add policies which
91 * are included in the "OR"d set of policies.
92 *
93 * row_security_policy_hook_restrictive can be used to add policies which
94 * are enforced, regardless of other policies (they are "AND"d).
95 */
96 row_security_policy_hook_type row_security_policy_hook_permissive = NULL;
97 row_security_policy_hook_type row_security_policy_hook_restrictive = NULL;
98
99 /*
100 * Get any row security quals and WithCheckOption checks that should be
101 * applied to the specified RTE.
102 *
103 * In addition, hasRowSecurity is set to true if row level security is enabled
104 * (even if this RTE doesn't have any row security quals), and hasSubLinks is
105 * set to true if any of the quals returned contain sublinks.
106 */
107 void
get_row_security_policies(Query * root,RangeTblEntry * rte,int rt_index,List ** securityQuals,List ** withCheckOptions,bool * hasRowSecurity,bool * hasSubLinks)108 get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index,
109 List **securityQuals, List **withCheckOptions,
110 bool *hasRowSecurity, bool *hasSubLinks)
111 {
112 Oid user_id;
113 int rls_status;
114 Relation rel;
115 CmdType commandType;
116 List *permissive_policies;
117 List *restrictive_policies;
118
119 /* Defaults for the return values */
120 *securityQuals = NIL;
121 *withCheckOptions = NIL;
122 *hasRowSecurity = false;
123 *hasSubLinks = false;
124
125 /* If this is not a normal relation, just return immediately */
126 if (rte->relkind != RELKIND_RELATION)
127 return;
128
129 /* Switch to checkAsUser if it's set */
130 user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
131
132 /* Determine the state of RLS for this, pass checkAsUser explicitly */
133 rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
134
135 /* If there is no RLS on this table at all, nothing to do */
136 if (rls_status == RLS_NONE)
137 return;
138
139 /*
140 * RLS_NONE_ENV means we are not doing any RLS now, but that may change
141 * with changes to the environment, so we mark it as hasRowSecurity to
142 * force a re-plan when the environment changes.
143 */
144 if (rls_status == RLS_NONE_ENV)
145 {
146 /*
147 * Indicate that this query may involve RLS and must therefore be
148 * replanned if the environment changes (GUCs, role), but we are not
149 * adding anything here.
150 */
151 *hasRowSecurity = true;
152
153 return;
154 }
155
156 /*
157 * RLS is enabled for this relation.
158 *
159 * Get the security policies that should be applied, based on the command
160 * type. Note that if this isn't the target relation, we actually want
161 * the relation's SELECT policies, regardless of the query command type,
162 * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
163 * policies and t2's SELECT policies.
164 */
165 rel = heap_open(rte->relid, NoLock);
166
167 commandType = rt_index == root->resultRelation ?
168 root->commandType : CMD_SELECT;
169
170 /*
171 * In some cases, we need to apply USING policies (which control the
172 * visibility of records) associated with multiple command types (see
173 * specific cases below).
174 *
175 * When considering the order in which to apply these USING policies, we
176 * prefer to apply higher privileged policies, those which allow the user
177 * to lock records (UPDATE and DELETE), first, followed by policies which
178 * don't (SELECT).
179 *
180 * Note that the optimizer is free to push down and reorder quals which
181 * use leakproof functions.
182 *
183 * In all cases, if there are no policy clauses allowing access to rows in
184 * the table for the specific type of operation, then a single
185 * always-false clause (a default-deny policy) will be added (see
186 * add_security_quals).
187 */
188
189 /*
190 * For a SELECT, if UPDATE privileges are required (eg: the user has
191 * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
192 * first.
193 *
194 * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
195 * which the user does not have access to via the UPDATE USING policies,
196 * similar to how we require normal UPDATE rights for these queries.
197 */
198 if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
199 {
200 List *update_permissive_policies;
201 List *update_restrictive_policies;
202
203 get_policies_for_relation(rel, CMD_UPDATE, user_id,
204 &update_permissive_policies,
205 &update_restrictive_policies);
206
207 add_security_quals(rt_index,
208 update_permissive_policies,
209 update_restrictive_policies,
210 securityQuals,
211 hasSubLinks);
212 }
213
214 /*
215 * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
216 * policies. These security quals control access to existing table rows.
217 * Restrictive policies are "AND"d together, and permissive policies are
218 * "OR"d together.
219 */
220
221 get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
222 &restrictive_policies);
223
224 if (commandType == CMD_SELECT ||
225 commandType == CMD_UPDATE ||
226 commandType == CMD_DELETE)
227 add_security_quals(rt_index,
228 permissive_policies,
229 restrictive_policies,
230 securityQuals,
231 hasSubLinks);
232
233 /*
234 * Similar to above, during an UPDATE or DELETE, if SELECT rights are also
235 * required (eg: when a RETURNING clause exists, or the user has provided
236 * a WHERE clause which involves columns from the relation), we collect up
237 * CMD_SELECT policies and add them via add_security_quals first.
238 *
239 * This way, we filter out any records which are not visible through an
240 * ALL or SELECT USING policy.
241 */
242 if ((commandType == CMD_UPDATE || commandType == CMD_DELETE) &&
243 rte->requiredPerms & ACL_SELECT)
244 {
245 List *select_permissive_policies;
246 List *select_restrictive_policies;
247
248 get_policies_for_relation(rel, CMD_SELECT, user_id,
249 &select_permissive_policies,
250 &select_restrictive_policies);
251
252 add_security_quals(rt_index,
253 select_permissive_policies,
254 select_restrictive_policies,
255 securityQuals,
256 hasSubLinks);
257 }
258
259 /*
260 * For INSERT and UPDATE, add withCheckOptions to verify that any new
261 * records added are consistent with the security policies. This will use
262 * each policy's WITH CHECK clause, or its USING clause if no explicit
263 * WITH CHECK clause is defined.
264 */
265 if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
266 {
267 /* This should be the target relation */
268 Assert(rt_index == root->resultRelation);
269
270 add_with_check_options(rel, rt_index,
271 commandType == CMD_INSERT ?
272 WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
273 permissive_policies,
274 restrictive_policies,
275 withCheckOptions,
276 hasSubLinks,
277 false);
278
279 /*
280 * Get and add ALL/SELECT policies, if SELECT rights are required for
281 * this relation (eg: when RETURNING is used). These are added as WCO
282 * policies rather than security quals to ensure that an error is
283 * raised if a policy is violated; otherwise, we might end up silently
284 * dropping rows to be added.
285 */
286 if (rte->requiredPerms & ACL_SELECT)
287 {
288 List *select_permissive_policies = NIL;
289 List *select_restrictive_policies = NIL;
290
291 get_policies_for_relation(rel, CMD_SELECT, user_id,
292 &select_permissive_policies,
293 &select_restrictive_policies);
294 add_with_check_options(rel, rt_index,
295 commandType == CMD_INSERT ?
296 WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
297 select_permissive_policies,
298 select_restrictive_policies,
299 withCheckOptions,
300 hasSubLinks,
301 true);
302 }
303
304 /*
305 * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
306 * checks for the UPDATE which may be applied to the same RTE.
307 */
308 if (commandType == CMD_INSERT &&
309 root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
310 {
311 List *conflict_permissive_policies;
312 List *conflict_restrictive_policies;
313 List *conflict_select_permissive_policies = NIL;
314 List *conflict_select_restrictive_policies = NIL;
315
316 /* Get the policies that apply to the auxiliary UPDATE */
317 get_policies_for_relation(rel, CMD_UPDATE, user_id,
318 &conflict_permissive_policies,
319 &conflict_restrictive_policies);
320
321 /*
322 * Enforce the USING clauses of the UPDATE policies using WCOs
323 * rather than security quals. This ensures that an error is
324 * raised if the conflicting row cannot be updated due to RLS,
325 * rather than the change being silently dropped.
326 */
327 add_with_check_options(rel, rt_index,
328 WCO_RLS_CONFLICT_CHECK,
329 conflict_permissive_policies,
330 conflict_restrictive_policies,
331 withCheckOptions,
332 hasSubLinks,
333 true);
334
335 /*
336 * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
337 * to ensure they are considered when taking the UPDATE path of an
338 * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
339 * for this relation, also as WCO policies, again, to avoid
340 * silently dropping data. See above.
341 */
342 if (rte->requiredPerms & ACL_SELECT)
343 {
344 get_policies_for_relation(rel, CMD_SELECT, user_id,
345 &conflict_select_permissive_policies,
346 &conflict_select_restrictive_policies);
347 add_with_check_options(rel, rt_index,
348 WCO_RLS_CONFLICT_CHECK,
349 conflict_select_permissive_policies,
350 conflict_select_restrictive_policies,
351 withCheckOptions,
352 hasSubLinks,
353 true);
354 }
355
356 /* Enforce the WITH CHECK clauses of the UPDATE policies */
357 add_with_check_options(rel, rt_index,
358 WCO_RLS_UPDATE_CHECK,
359 conflict_permissive_policies,
360 conflict_restrictive_policies,
361 withCheckOptions,
362 hasSubLinks,
363 false);
364
365 /*
366 * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
367 * that the final updated row is visible when taking the UPDATE
368 * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
369 * are required for this relation.
370 */
371 if (rte->requiredPerms & ACL_SELECT)
372 add_with_check_options(rel, rt_index,
373 WCO_RLS_UPDATE_CHECK,
374 conflict_select_permissive_policies,
375 conflict_select_restrictive_policies,
376 withCheckOptions,
377 hasSubLinks,
378 true);
379 }
380 }
381
382 heap_close(rel, NoLock);
383
384 /*
385 * Copy checkAsUser to the row security quals and WithCheckOption checks,
386 * in case they contain any subqueries referring to other relations.
387 */
388 setRuleCheckAsUser((Node *) *securityQuals, rte->checkAsUser);
389 setRuleCheckAsUser((Node *) *withCheckOptions, rte->checkAsUser);
390
391 /*
392 * Mark this query as having row security, so plancache can invalidate it
393 * when necessary (eg: role changes)
394 */
395 *hasRowSecurity = true;
396
397 return;
398 }
399
400 /*
401 * get_policies_for_relation
402 *
403 * Returns lists of permissive and restrictive policies to be applied to the
404 * specified relation, based on the command type and role.
405 *
406 * This includes any policies added by extensions.
407 */
408 static void
get_policies_for_relation(Relation relation,CmdType cmd,Oid user_id,List ** permissive_policies,List ** restrictive_policies)409 get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id,
410 List **permissive_policies,
411 List **restrictive_policies)
412 {
413 ListCell *item;
414
415 *permissive_policies = NIL;
416 *restrictive_policies = NIL;
417
418 /*
419 * First find all internal policies for the relation. CREATE POLICY does
420 * not currently support defining restrictive policies, so for now all
421 * internal policies are permissive.
422 */
423 foreach(item, relation->rd_rsdesc->policies)
424 {
425 bool cmd_matches = false;
426 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
427
428 /* Always add ALL policies, if they exist. */
429 if (policy->polcmd == '*')
430 cmd_matches = true;
431 else
432 {
433 /* Check whether the policy applies to the specified command type */
434 switch (cmd)
435 {
436 case CMD_SELECT:
437 if (policy->polcmd == ACL_SELECT_CHR)
438 cmd_matches = true;
439 break;
440 case CMD_INSERT:
441 if (policy->polcmd == ACL_INSERT_CHR)
442 cmd_matches = true;
443 break;
444 case CMD_UPDATE:
445 if (policy->polcmd == ACL_UPDATE_CHR)
446 cmd_matches = true;
447 break;
448 case CMD_DELETE:
449 if (policy->polcmd == ACL_DELETE_CHR)
450 cmd_matches = true;
451 break;
452 default:
453 elog(ERROR, "unrecognized policy command type %d",
454 (int) cmd);
455 break;
456 }
457 }
458
459 /*
460 * Add this policy to the list of permissive policies if it applies to
461 * the specified role.
462 */
463 if (cmd_matches && check_role_for_policy(policy->roles, user_id))
464 *permissive_policies = lappend(*permissive_policies, policy);
465 }
466
467 /*
468 * Then add any permissive or restrictive policies defined by extensions.
469 * These are simply appended to the lists of internal policies, if they
470 * apply to the specified role.
471 */
472 if (row_security_policy_hook_restrictive)
473 {
474 List *hook_policies =
475 (*row_security_policy_hook_restrictive) (cmd, relation);
476
477 /*
478 * We sort restrictive policies by name so that any WCOs they generate
479 * are checked in a well-defined order.
480 */
481 hook_policies = sort_policies_by_name(hook_policies);
482
483 foreach(item, hook_policies)
484 {
485 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
486
487 if (check_role_for_policy(policy->roles, user_id))
488 *restrictive_policies = lappend(*restrictive_policies, policy);
489 }
490 }
491
492 if (row_security_policy_hook_permissive)
493 {
494 List *hook_policies =
495 (*row_security_policy_hook_permissive) (cmd, relation);
496
497 foreach(item, hook_policies)
498 {
499 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
500
501 if (check_role_for_policy(policy->roles, user_id))
502 *permissive_policies = lappend(*permissive_policies, policy);
503 }
504 }
505 }
506
507 /*
508 * sort_policies_by_name
509 *
510 * This is only used for restrictive policies, ensuring that any
511 * WithCheckOptions they generate are applied in a well-defined order.
512 * This is not necessary for permissive policies, since they are all "OR"d
513 * together into a single WithCheckOption check.
514 */
515 static List *
sort_policies_by_name(List * policies)516 sort_policies_by_name(List *policies)
517 {
518 int npol = list_length(policies);
519 RowSecurityPolicy *pols;
520 ListCell *item;
521 int ii = 0;
522
523 if (npol <= 1)
524 return policies;
525
526 pols = (RowSecurityPolicy *) palloc(sizeof(RowSecurityPolicy) * npol);
527
528 foreach(item, policies)
529 {
530 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
531
532 pols[ii++] = *policy;
533 }
534
535 qsort(pols, npol, sizeof(RowSecurityPolicy), row_security_policy_cmp);
536
537 policies = NIL;
538 for (ii = 0; ii < npol; ii++)
539 policies = lappend(policies, &pols[ii]);
540
541 return policies;
542 }
543
544 /*
545 * qsort comparator to sort RowSecurityPolicy entries by name
546 */
547 static int
row_security_policy_cmp(const void * a,const void * b)548 row_security_policy_cmp(const void *a, const void *b)
549 {
550 const RowSecurityPolicy *pa = (const RowSecurityPolicy *) a;
551 const RowSecurityPolicy *pb = (const RowSecurityPolicy *) b;
552
553 /* Guard against NULL policy names from extensions */
554 if (pa->policy_name == NULL)
555 return pb->policy_name == NULL ? 0 : 1;
556 if (pb->policy_name == NULL)
557 return -1;
558
559 return strcmp(pa->policy_name, pb->policy_name);
560 }
561
562 /*
563 * add_security_quals
564 *
565 * Add security quals to enforce the specified RLS policies, restricting
566 * access to existing data in a table. If there are no policies controlling
567 * access to the table, then all access is prohibited --- i.e., an implicit
568 * default-deny policy is used.
569 *
570 * New security quals are added to securityQuals, and hasSubLinks is set to
571 * true if any of the quals added contain sublink subqueries.
572 */
573 static void
add_security_quals(int rt_index,List * permissive_policies,List * restrictive_policies,List ** securityQuals,bool * hasSubLinks)574 add_security_quals(int rt_index,
575 List *permissive_policies,
576 List *restrictive_policies,
577 List **securityQuals,
578 bool *hasSubLinks)
579 {
580 ListCell *item;
581 List *permissive_quals = NIL;
582 Expr *rowsec_expr;
583
584 /*
585 * First collect up the permissive quals. If we do not find any
586 * permissive policies then no rows are visible (this is handled below).
587 */
588 foreach(item, permissive_policies)
589 {
590 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
591
592 if (policy->qual != NULL)
593 {
594 permissive_quals = lappend(permissive_quals,
595 copyObject(policy->qual));
596 *hasSubLinks |= policy->hassublinks;
597 }
598 }
599
600 /*
601 * We must have permissive quals, always, or no rows are visible.
602 *
603 * If we do not, then we simply return a single 'false' qual which results
604 * in no rows being visible.
605 */
606 if (permissive_quals != NIL)
607 {
608 /*
609 * We now know that permissive policies exist, so we can now add
610 * security quals based on the USING clauses from the restrictive
611 * policies. Since these need to be "AND"d together, we can just add
612 * them one at a time.
613 */
614 foreach(item, restrictive_policies)
615 {
616 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
617 Expr *qual;
618
619 if (policy->qual != NULL)
620 {
621 qual = copyObject(policy->qual);
622 ChangeVarNodes((Node *) qual, 1, rt_index, 0);
623
624 *securityQuals = list_append_unique(*securityQuals, qual);
625 *hasSubLinks |= policy->hassublinks;
626 }
627 }
628
629 /*
630 * Then add a single security qual "OR"ing together the USING clauses
631 * from all the permissive policies.
632 */
633 if (list_length(permissive_quals) == 1)
634 rowsec_expr = (Expr *) linitial(permissive_quals);
635 else
636 rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
637
638 ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
639 *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
640 }
641 else
642
643 /*
644 * A permissive policy must exist for rows to be visible at all.
645 * Therefore, if there were no permissive policies found, return a
646 * single always-false clause.
647 */
648 *securityQuals = lappend(*securityQuals,
649 makeConst(BOOLOID, -1, InvalidOid,
650 sizeof(bool), BoolGetDatum(false),
651 false, true));
652 }
653
654 /*
655 * add_with_check_options
656 *
657 * Add WithCheckOptions of the specified kind to check that new records
658 * added by an INSERT or UPDATE are consistent with the specified RLS
659 * policies. Normally new data must satisfy the WITH CHECK clauses from the
660 * policies. If a policy has no explicit WITH CHECK clause, its USING clause
661 * is used instead. In the special case of an UPDATE arising from an
662 * INSERT ... ON CONFLICT DO UPDATE, existing records are first checked using
663 * a WCO_RLS_CONFLICT_CHECK WithCheckOption, which always uses the USING
664 * clauses from RLS policies.
665 *
666 * New WCOs are added to withCheckOptions, and hasSubLinks is set to true if
667 * any of the check clauses added contain sublink subqueries.
668 */
669 static void
add_with_check_options(Relation rel,int rt_index,WCOKind kind,List * permissive_policies,List * restrictive_policies,List ** withCheckOptions,bool * hasSubLinks,bool force_using)670 add_with_check_options(Relation rel,
671 int rt_index,
672 WCOKind kind,
673 List *permissive_policies,
674 List *restrictive_policies,
675 List **withCheckOptions,
676 bool *hasSubLinks,
677 bool force_using)
678 {
679 ListCell *item;
680 List *permissive_quals = NIL;
681
682 #define QUAL_FOR_WCO(policy) \
683 ( !force_using && \
684 (policy)->with_check_qual != NULL ? \
685 (policy)->with_check_qual : (policy)->qual )
686
687 /*
688 * First collect up the permissive policy clauses, similar to
689 * add_security_quals.
690 */
691 foreach(item, permissive_policies)
692 {
693 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
694 Expr *qual = QUAL_FOR_WCO(policy);
695
696 if (qual != NULL)
697 {
698 permissive_quals = lappend(permissive_quals, copyObject(qual));
699 *hasSubLinks |= policy->hassublinks;
700 }
701 }
702
703 /*
704 * There must be at least one permissive qual found or no rows are allowed
705 * to be added. This is the same as in add_security_quals.
706 *
707 * If there are no permissive_quals then we fall through and return a
708 * single 'false' WCO, preventing all new rows.
709 */
710 if (permissive_quals != NIL)
711 {
712 /*
713 * Add a single WithCheckOption for all the permissive policy clauses
714 * "OR"d together. This check has no policy name, since if the check
715 * fails it means that no policy granted permission to perform the
716 * update, rather than any particular policy being violated.
717 */
718 WithCheckOption *wco;
719
720 wco = (WithCheckOption *) makeNode(WithCheckOption);
721 wco->kind = kind;
722 wco->relname = pstrdup(RelationGetRelationName(rel));
723 wco->polname = NULL;
724 wco->cascaded = false;
725
726 if (list_length(permissive_quals) == 1)
727 wco->qual = (Node *) linitial(permissive_quals);
728 else
729 wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
730
731 ChangeVarNodes(wco->qual, 1, rt_index, 0);
732
733 *withCheckOptions = list_append_unique(*withCheckOptions, wco);
734
735 /*
736 * Now add WithCheckOptions for each of the restrictive policy clauses
737 * (which will be "AND"d together). We use a separate WithCheckOption
738 * for each restrictive policy to allow the policy name to be included
739 * in error reports if the policy is violated.
740 */
741 foreach(item, restrictive_policies)
742 {
743 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
744 Expr *qual = QUAL_FOR_WCO(policy);
745 WithCheckOption *wco;
746
747 if (qual != NULL)
748 {
749 qual = copyObject(qual);
750 ChangeVarNodes((Node *) qual, 1, rt_index, 0);
751
752 wco = (WithCheckOption *) makeNode(WithCheckOption);
753 wco->kind = kind;
754 wco->relname = pstrdup(RelationGetRelationName(rel));
755 wco->polname = pstrdup(policy->policy_name);
756 wco->qual = (Node *) qual;
757 wco->cascaded = false;
758
759 *withCheckOptions = list_append_unique(*withCheckOptions, wco);
760 *hasSubLinks |= policy->hassublinks;
761 }
762 }
763 }
764 else
765 {
766 /*
767 * If there were no policy clauses to check new data, add a single
768 * always-false WCO (a default-deny policy).
769 */
770 WithCheckOption *wco;
771
772 wco = (WithCheckOption *) makeNode(WithCheckOption);
773 wco->kind = kind;
774 wco->relname = pstrdup(RelationGetRelationName(rel));
775 wco->polname = NULL;
776 wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
777 sizeof(bool), BoolGetDatum(false),
778 false, true);
779 wco->cascaded = false;
780
781 *withCheckOptions = lappend(*withCheckOptions, wco);
782 }
783 }
784
785 /*
786 * check_role_for_policy -
787 * determines if the policy should be applied for the current role
788 */
789 static bool
check_role_for_policy(ArrayType * policy_roles,Oid user_id)790 check_role_for_policy(ArrayType *policy_roles, Oid user_id)
791 {
792 int i;
793 Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
794
795 /* Quick fall-thru for policies applied to all roles */
796 if (roles[0] == ACL_ID_PUBLIC)
797 return true;
798
799 for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
800 {
801 if (has_privs_of_role(user_id, roles[i]))
802 return true;
803 }
804
805 return false;
806 }
807