/*
* row_security_active
*
* check_enable_rls wrapped as a SQL callable function except
* RLS_NONE_ENV and RLS_NONE are the same for this purpose.
*/
Datum
row_security_active(PG_FUNCTION_ARGS)
{
/* By OID */
Oid tableoid = PG_GETARG_OID(0);
int rls_status;
rls_status = check_enable_rls(tableoid, InvalidOid, true);
PG_RETURN_BOOL(rls_status == RLS_ENABLED);
}
Datum
row_security_active_name(PG_FUNCTION_ARGS)
{
/* By qualified name */
text *tablename = PG_GETARG_TEXT_P(0);
RangeVar *tablerel;
Oid tableoid;
int rls_status;
/* Look up table name. Can't lock it - we might not have privileges. */
tablerel = makeRangeVarFromNameList(textToQualifiedNameList(tablename));
tableoid = RangeVarGetRelid(tablerel, NoLock, false);
rls_status = check_enable_rls(tableoid, InvalidOid, true);
PG_RETURN_BOOL(rls_status == RLS_ENABLED);
}
/*
* Get any row security quals and check quals that should be applied to the
* specified RTE.
*
* In addition, hasRowSecurity is set to true if row level security is enabled
* (even if this RTE doesn't have any row security quals), and hasSubLinks is
* set to true if any of the quals returned contain sublinks.
*/
void
get_row_security_policies(Query *root, CmdType commandType, RangeTblEntry *rte,
int rt_index, List **securityQuals,
List **withCheckOptions, bool *hasRowSecurity,
bool *hasSubLinks)
{
Expr *rowsec_expr = NULL;
Expr *rowsec_with_check_expr = NULL;
Expr *hook_expr_restrictive = NULL;
Expr *hook_with_check_expr_restrictive = NULL;
Expr *hook_expr_permissive = NULL;
Expr *hook_with_check_expr_permissive = NULL;
List *rowsec_policies;
List *hook_policies_restrictive = NIL;
List *hook_policies_permissive = NIL;
Relation rel;
Oid user_id;
int rls_status;
bool defaultDeny = false;
/* Defaults for the return values */
*securityQuals = NIL;
*withCheckOptions = NIL;
*hasRowSecurity = false;
*hasSubLinks = false;
/* If this is not a normal relation, just return immediately */
if (rte->relkind != RELKIND_RELATION)
return;
/* Switch to checkAsUser if it's set */
user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
/* Determine the state of RLS for this, pass checkAsUser explicitly */
rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
/* If there is no RLS on this table at all, nothing to do */
if (rls_status == RLS_NONE)
return;
/*
* RLS_NONE_ENV means we are not doing any RLS now, but that may change
* with changes to the environment, so we mark it as hasRowSecurity to
* force a re-plan when the environment changes.
*/
if (rls_status == RLS_NONE_ENV)
{
/*
* Indicate that this query may involve RLS and must therefore be
* replanned if the environment changes (GUCs, role), but we are not
* adding anything here.
*/
*hasRowSecurity = true;
return;
}
/* Grab the built-in policies which should be applied to this relation. */
rel = heap_open(rte->relid, NoLock);
rowsec_policies = pull_row_security_policies(commandType, rel,
user_id);
/*
* Check if this is only the default-deny policy.
*
* Normally, if the table has row security enabled but there are no
* policies, we use a default-deny policy and not allow anything. However,
* when an extension uses the hook to add their own policies, we don't
* want to include the default deny policy or there won't be any way for a
* user to use an extension exclusively for the policies to be used.
*/
if (((RowSecurityPolicy *) linitial(rowsec_policies))->policy_id
== InvalidOid)
defaultDeny = true;
/* Now that we have our policies, build the expressions from them. */
process_policies(root, rowsec_policies, rt_index, &rowsec_expr,
&rowsec_with_check_expr, hasSubLinks, OR_EXPR);
/*
* Also, allow extensions to add their own policies.
*
* extensions can add either permissive or restrictive policies.
*
* Note that, as with the internal policies, if multiple policies are
* returned then they will be combined into a single expression with all
* of them OR'd (for permissive) or AND'd (for restrictive) together.
*
* If only a USING policy is returned by the extension then it will be
* used for WITH CHECK as well, similar to how internal policies are
* handled.
*
* The only caveat to this is that if there are NO internal policies
* defined, there ARE policies returned by the extension, and RLS is
* enabled on the table, then we will ignore the internally-generated
* default-deny policy and use only the policies returned by the
* extension.
*/
if (row_security_policy_hook_restrictive)
{
hook_policies_restrictive = (*row_security_policy_hook_restrictive) (commandType, rel);
/* Build the expression from any policies returned. */
if (hook_policies_restrictive != NIL)
process_policies(root, hook_policies_restrictive, rt_index,
&hook_expr_restrictive,
&hook_with_check_expr_restrictive,
hasSubLinks,
AND_EXPR);
}
if (row_security_policy_hook_permissive)
{
hook_policies_permissive = (*row_security_policy_hook_permissive) (commandType, rel);
/* Build the expression from any policies returned. */
if (hook_policies_permissive != NIL)
process_policies(root, hook_policies_permissive, rt_index,
&hook_expr_permissive,
&hook_with_check_expr_permissive, hasSubLinks,
OR_EXPR);
}
/*
* If the only built-in policy is the default-deny one, and hook policies
* exist, then use the hook policies only and do not apply the
* default-deny policy. Otherwise, we will apply both sets below.
*/
if (defaultDeny &&
(hook_policies_restrictive != NIL || hook_policies_permissive != NIL))
{
rowsec_expr = NULL;
rowsec_with_check_expr = NULL;
}
/*
* For INSERT or UPDATE, we need to add the WITH CHECK quals to Query's
* withCheckOptions to verify that any new records pass the WITH CHECK
* policy (this will be a copy of the USING policy, if no explicit WITH
* CHECK policy exists).
*/
if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
{
/*
* WITH CHECK OPTIONS wants a WCO node which wraps each Expr, so
* create them as necessary.
*/
/*
* Handle any restrictive policies first.
*
* They can simply be added.
*/
if (hook_with_check_expr_restrictive)
{
WithCheckOption *wco;
wco = (WithCheckOption *) makeNode(WithCheckOption);
wco->kind = commandType == CMD_INSERT ? WCO_RLS_INSERT_CHECK :
WCO_RLS_UPDATE_CHECK;
wco->relname = pstrdup(RelationGetRelationName(rel));
wco->qual = (Node *) hook_with_check_expr_restrictive;
wco->cascaded = false;
*withCheckOptions = lappend(*withCheckOptions, wco);
}
/*
* Handle built-in policies, if there are no permissive policies from
* the hook.
*/
if (rowsec_with_check_expr && !hook_with_check_expr_permissive)
{
WithCheckOption *wco;
wco = (WithCheckOption *) makeNode(WithCheckOption);
wco->kind = commandType == CMD_INSERT ? WCO_RLS_INSERT_CHECK :
WCO_RLS_UPDATE_CHECK;
wco->relname = pstrdup(RelationGetRelationName(rel));
wco->qual = (Node *) rowsec_with_check_expr;
wco->cascaded = false;
*withCheckOptions = lappend(*withCheckOptions, wco);
}
/* Handle the hook policies, if there are no built-in ones. */
else if (!rowsec_with_check_expr && hook_with_check_expr_permissive)
{
WithCheckOption *wco;
wco = (WithCheckOption *) makeNode(WithCheckOption);
wco->kind = commandType == CMD_INSERT ? WCO_RLS_INSERT_CHECK :
WCO_RLS_UPDATE_CHECK;
wco->relname = pstrdup(RelationGetRelationName(rel));
wco->qual = (Node *) hook_with_check_expr_permissive;
wco->cascaded = false;
*withCheckOptions = lappend(*withCheckOptions, wco);
}
/* Handle the case where there are both. */
else if (rowsec_with_check_expr && hook_with_check_expr_permissive)
{
WithCheckOption *wco;
List *combined_quals = NIL;
Expr *combined_qual_eval;
combined_quals = lcons(copyObject(rowsec_with_check_expr),
combined_quals);
combined_quals = lcons(copyObject(hook_with_check_expr_permissive),
combined_quals);
combined_qual_eval = makeBoolExpr(OR_EXPR, combined_quals, -1);
wco = (WithCheckOption *) makeNode(WithCheckOption);
wco->kind = commandType == CMD_INSERT ? WCO_RLS_INSERT_CHECK :
WCO_RLS_UPDATE_CHECK;
wco->relname = pstrdup(RelationGetRelationName(rel));
wco->qual = (Node *) combined_qual_eval;
wco->cascaded = false;
*withCheckOptions = lappend(*withCheckOptions, wco);
}
/*
* ON CONFLICT DO UPDATE has an RTE that is subject to both INSERT and
* UPDATE RLS enforcement. Those are enforced (as a special, distinct
* kind of WCO) on the target tuple.
*
* Make a second, recursive pass over the RTE for this, gathering
* UPDATE-applicable RLS checks/WCOs, and gathering and converting
* UPDATE-applicable security quals into WCO_RLS_CONFLICT_CHECK RLS
* checks/WCOs. Finally, these distinct kinds of RLS checks/WCOs are
* concatenated with our own INSERT-applicable list.
*/
if (root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE &&
commandType == CMD_INSERT)
{
List *conflictSecurityQuals = NIL;
List *conflictWCOs = NIL;
ListCell *item;
bool conflictHasRowSecurity = false;
bool conflictHasSublinks = false;
/* Assume that RTE is target resultRelation */
get_row_security_policies(root, CMD_UPDATE, rte, rt_index,
&conflictSecurityQuals, &conflictWCOs,
&conflictHasRowSecurity,
&conflictHasSublinks);
if (conflictHasRowSecurity)
*hasRowSecurity = true;
if (conflictHasSublinks)
*hasSubLinks = true;
/*
* Append WITH CHECK OPTIONs/RLS checks, which should not conflict
* between this INSERT and the auxiliary UPDATE
*/
*withCheckOptions = list_concat(*withCheckOptions,
conflictWCOs);
foreach(item, conflictSecurityQuals)
{
Expr *conflict_rowsec_expr = (Expr *) lfirst(item);
WithCheckOption *wco;
wco = (WithCheckOption *) makeNode(WithCheckOption);
wco->kind = WCO_RLS_CONFLICT_CHECK;
wco->relname = pstrdup(RelationGetRelationName(rel));
wco->qual = (Node *) copyObject(conflict_rowsec_expr);
wco->cascaded = false;
*withCheckOptions = lappend(*withCheckOptions, wco);
}
}
/*
* BuildIndexValueDescription
*
* Construct a string describing the contents of an index entry, in the
* form "(key_name, ...)=(key_value, ...)". This is currently used
* for building unique-constraint and exclusion-constraint error messages.
*
* Note that if the user does not have permissions to view all of the
* columns involved then a NULL is returned. Returning a partial key seems
* unlikely to be useful and we have no way to know which of the columns the
* user provided (unlike in ExecBuildSlotValueDescription).
*
* The passed-in values/nulls arrays are the "raw" input to the index AM,
* e.g. results of FormIndexDatum --- this is not necessarily what is stored
* in the index, but it's what the user perceives to be stored.
*/
char *
BuildIndexValueDescription(Relation indexRelation,
Datum *values, bool *isnull)
{
StringInfoData buf;
Form_pg_index idxrec;
HeapTuple ht_idx;
int natts = indexRelation->rd_rel->relnatts;
int i;
int keyno;
Oid indexrelid = RelationGetRelid(indexRelation);
Oid indrelid;
AclResult aclresult;
/*
* Check permissions- if the user does not have access to view all of the
* key columns then return NULL to avoid leaking data.
*
* First check if RLS is enabled for the relation. If so, return NULL to
* avoid leaking data.
*
* Next we need to check table-level SELECT access and then, if there is
* no access there, check column-level permissions.
*/
/*
* Fetch the pg_index tuple by the Oid of the index
*/
ht_idx = SearchSysCache1(INDEXRELID, ObjectIdGetDatum(indexrelid));
if (!HeapTupleIsValid(ht_idx))
elog(ERROR, "cache lookup failed for index %u", indexrelid);
idxrec = (Form_pg_index) GETSTRUCT(ht_idx);
indrelid = idxrec->indrelid;
Assert(indexrelid == idxrec->indexrelid);
/* RLS check- if RLS is enabled then we don't return anything. */
if (check_enable_rls(indrelid, GetUserId(), true) == RLS_ENABLED)
{
ReleaseSysCache(ht_idx);
return NULL;
}
/* Table-level SELECT is enough, if the user has it */
aclresult = pg_class_aclcheck(indrelid, GetUserId(), ACL_SELECT);
if (aclresult != ACLCHECK_OK)
{
/*
* No table-level access, so step through the columns in the index and
* make sure the user has SELECT rights on all of them.
*/
for (keyno = 0; keyno < idxrec->indnatts; keyno++)
{
AttrNumber attnum = idxrec->indkey.values[keyno];
/*
* Note that if attnum == InvalidAttrNumber, then this is an index
* based on an expression and we return no detail rather than try
* to figure out what column(s) the expression includes and if the
* user has SELECT rights on them.
*/
if (attnum == InvalidAttrNumber ||
pg_attribute_aclcheck(indrelid, attnum, GetUserId(),
ACL_SELECT) != ACLCHECK_OK)
{
/* No access, so clean up and return */
ReleaseSysCache(ht_idx);
return NULL;
}
}
}
ReleaseSysCache(ht_idx);
initStringInfo(&buf);
appendStringInfo(&buf, "(%s)=(",
pg_get_indexdef_columns(indexrelid, true));
for (i = 0; i < natts; i++)
{
char *val;
if (isnull[i])
val = "null";
else
{
Oid foutoid;
bool typisvarlena;
/*
* The provided data is not necessarily of the type stored in the
* index; rather it is of the index opclass's input type. So look
* at rd_opcintype not the index tupdesc.
*
* Note: this is a bit shaky for opclasses that have pseudotype
* input types such as ANYARRAY or RECORD. Currently, the
* typoutput functions associated with the pseudotypes will work
* okay, but we might have to try harder in future.
*/
getTypeOutputInfo(indexRelation->rd_opcintype[i],
&foutoid, &typisvarlena);
val = OidOutputFunctionCall(foutoid, values[i]);
}
if (i > 0)
appendStringInfoString(&buf, ", ");
appendStringInfoString(&buf, val);
}
appendStringInfoChar(&buf, ')');
return buf.data;
}
/*
* intorel_startup --- executor startup
*/
static void
intorel_startup(DestReceiver *self, int operation, TupleDesc typeinfo)
{
DR_intorel *myState = (DR_intorel *) self;
IntoClause *into = myState->into;
bool is_matview;
char relkind;
CreateStmt *create;
Oid intoRelationId;
Relation intoRelationDesc;
RangeTblEntry *rte;
Datum toast_options;
ListCell *lc;
int attnum;
static char *validnsps[] = HEAP_RELOPT_NAMESPACES;
Assert(into != NULL); /* else somebody forgot to set it */
/* This code supports both CREATE TABLE AS and CREATE MATERIALIZED VIEW */
is_matview = (into->viewQuery != NULL);
relkind = is_matview ? RELKIND_MATVIEW : RELKIND_RELATION;
/*
* Create the target relation by faking up a CREATE TABLE parsetree and
* passing it to DefineRelation.
*/
create = makeNode(CreateStmt);
create->relation = into->rel;
create->tableElts = NIL; /* will fill below */
create->inhRelations = NIL;
create->ofTypename = NULL;
create->constraints = NIL;
create->options = into->options;
create->oncommit = into->onCommit;
create->tablespacename = into->tableSpaceName;
create->if_not_exists = false;
/*
* Build column definitions using "pre-cooked" type and collation info. If
* a column name list was specified in CREATE TABLE AS, override the
* column names derived from the query. (Too few column names are OK, too
* many are not.)
*/
lc = list_head(into->colNames);
for (attnum = 0; attnum < typeinfo->natts; attnum++)
{
Form_pg_attribute attribute = typeinfo->attrs[attnum];
ColumnDef *col = makeNode(ColumnDef);
TypeName *coltype = makeNode(TypeName);
if (lc)
{
col->colname = strVal(lfirst(lc));
lc = lnext(lc);
}
else
col->colname = NameStr(attribute->attname);
col->typeName = coltype;
col->inhcount = 0;
col->is_local = true;
col->is_not_null = false;
col->is_from_type = false;
col->storage = 0;
col->raw_default = NULL;
col->cooked_default = NULL;
col->collClause = NULL;
col->collOid = attribute->attcollation;
col->constraints = NIL;
col->fdwoptions = NIL;
col->location = -1;
coltype->names = NIL;
coltype->typeOid = attribute->atttypid;
coltype->setof = false;
coltype->pct_type = false;
coltype->typmods = NIL;
coltype->typemod = attribute->atttypmod;
coltype->arrayBounds = NIL;
coltype->location = -1;
/*
* It's possible that the column is of a collatable type but the
* collation could not be resolved, so double-check. (We must check
* this here because DefineRelation would adopt the type's default
* collation rather than complaining.)
*/
if (!OidIsValid(col->collOid) &&
type_is_collatable(coltype->typeOid))
ereport(ERROR,
(errcode(ERRCODE_INDETERMINATE_COLLATION),
errmsg("no collation was derived for column \"%s\" with collatable type %s",
col->colname, format_type_be(coltype->typeOid)),
errhint("Use the COLLATE clause to set the collation explicitly.")));
create->tableElts = lappend(create->tableElts, col);
}
if (lc != NULL)
ereport(ERROR,
(errcode(ERRCODE_SYNTAX_ERROR),
errmsg("too many column names were specified")));
/*
* Actually create the target table
*/
intoRelationId = DefineRelation(create, relkind, InvalidOid);
/*
* If necessary, create a TOAST table for the target table. Note that
* NewRelationCreateToastTable ends with CommandCounterIncrement(), so
* that the TOAST table will be visible for insertion.
*/
CommandCounterIncrement();
/* parse and validate reloptions for the toast table */
toast_options = transformRelOptions((Datum) 0,
create->options,
"toast",
validnsps,
true, false);
(void) heap_reloptions(RELKIND_TOASTVALUE, toast_options, true);
NewRelationCreateToastTable(intoRelationId, toast_options);
/* Create the "view" part of a materialized view. */
if (is_matview)
{
/* StoreViewQuery scribbles on tree, so make a copy */
Query *query = (Query *) copyObject(into->viewQuery);
StoreViewQuery(intoRelationId, query, false);
CommandCounterIncrement();
}
/*
* Finally we can open the target table
*/
intoRelationDesc = heap_open(intoRelationId, AccessExclusiveLock);
/*
* Check INSERT permission on the constructed table.
*
* XXX: It would arguably make sense to skip this check if into->skipData
* is true.
*/
rte = makeNode(RangeTblEntry);
rte->rtekind = RTE_RELATION;
rte->relid = intoRelationId;
rte->relkind = relkind;
rte->requiredPerms = ACL_INSERT;
for (attnum = 1; attnum <= intoRelationDesc->rd_att->natts; attnum++)
rte->modifiedCols = bms_add_member(rte->modifiedCols,
attnum - FirstLowInvalidHeapAttributeNumber);
ExecCheckRTPerms(list_make1(rte), true);
/*
* Make sure the constructed table does not have RLS enabled.
*
* check_enable_rls() will ereport(ERROR) itself if the user has requested
* something invalid, and otherwise will return RLS_ENABLED if RLS should
* be enabled here. We don't actually support that currently, so throw
* our own ereport(ERROR) if that happens.
*/
if (check_enable_rls(intoRelationId, InvalidOid, false) == RLS_ENABLED)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
(errmsg("policies not yet implemented for this command"))));
/*
* Tentatively mark the target as populated, if it's a matview and we're
* going to fill it; otherwise, no change needed.
*/
if (is_matview && !into->skipData)
SetMatViewPopulatedState(intoRelationDesc, true);
/*
* Fill private fields of myState for use by later routines
*/
myState->rel = intoRelationDesc;
myState->output_cid = GetCurrentCommandId(true);
/* and remember the new relation's OID for ExecCreateTableAs */
CreateAsRelid = RelationGetRelid(myState->rel);
/*
* We can skip WAL-logging the insertions, unless PITR or streaming
* replication is in use. We can skip the FSM in any case.
*/
myState->hi_options = HEAP_INSERT_SKIP_FSM |
(XLogIsNeeded() ? 0 : HEAP_INSERT_SKIP_WAL);
myState->bistate = GetBulkInsertState();
/* Not using WAL requires smgr_targblock be initially invalid */
Assert(RelationGetTargetBlock(intoRelationDesc) == InvalidBlockNumber);
}
