168 lines
5.3 KiB
C
168 lines
5.3 KiB
C
/*-------------------------------------------------------------------------
|
|
*
|
|
* rls.c
|
|
* RLS-related utility functions.
|
|
*
|
|
* Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
*
|
|
*
|
|
* IDENTIFICATION
|
|
* src/backend/utils/misc/rls.c
|
|
*
|
|
*-------------------------------------------------------------------------
|
|
*/
|
|
#include "postgres.h"
|
|
|
|
#include "access/htup.h"
|
|
#include "access/htup_details.h"
|
|
#include "access/transam.h"
|
|
#include "catalog/namespace.h"
|
|
#include "catalog/pg_class.h"
|
|
#include "miscadmin.h"
|
|
#include "utils/acl.h"
|
|
#include "utils/builtins.h"
|
|
#include "utils/lsyscache.h"
|
|
#include "utils/rls.h"
|
|
#include "utils/syscache.h"
|
|
#include "utils/varlena.h"
|
|
|
|
|
|
/*
|
|
* check_enable_rls
|
|
*
|
|
* Determine, based on the relation, row_security setting, and current role,
|
|
* if RLS is applicable to this query. RLS_NONE_ENV indicates that, while
|
|
* RLS is not to be added for this query, a change in the environment may change
|
|
* that. RLS_NONE means that RLS is not on the relation at all and therefore
|
|
* we don't need to worry about it. RLS_ENABLED means RLS should be implemented
|
|
* for the table and the plan cache needs to be invalidated if the environment
|
|
* changes.
|
|
*
|
|
* Handle checking as another role via checkAsUser (for views, etc). Pass
|
|
* InvalidOid to check the current user.
|
|
*
|
|
* If noError is set to 'true' then we just return RLS_ENABLED instead of doing
|
|
* an ereport() if the user has attempted to bypass RLS and they are not
|
|
* allowed to. This allows users to check if RLS is enabled without having to
|
|
* deal with the actual error case (eg: error cases which are trying to decide
|
|
* if the user should get data from the relation back as part of the error).
|
|
*/
|
|
int
|
|
check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
|
|
{
|
|
Oid user_id = OidIsValid(checkAsUser) ? checkAsUser : GetUserId();
|
|
HeapTuple tuple;
|
|
Form_pg_class classform;
|
|
bool relrowsecurity;
|
|
bool relforcerowsecurity;
|
|
bool amowner;
|
|
|
|
/* Nothing to do for built-in relations */
|
|
if (relid < (Oid) FirstNormalObjectId)
|
|
return RLS_NONE;
|
|
|
|
/* Fetch relation's relrowsecurity and relforcerowsecurity flags */
|
|
tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relid));
|
|
if (!HeapTupleIsValid(tuple))
|
|
return RLS_NONE;
|
|
classform = (Form_pg_class) GETSTRUCT(tuple);
|
|
|
|
relrowsecurity = classform->relrowsecurity;
|
|
relforcerowsecurity = classform->relforcerowsecurity;
|
|
|
|
ReleaseSysCache(tuple);
|
|
|
|
/* Nothing to do if the relation does not have RLS */
|
|
if (!relrowsecurity)
|
|
return RLS_NONE;
|
|
|
|
/*
|
|
* BYPASSRLS users always bypass RLS. Note that superusers are always
|
|
* considered to have BYPASSRLS.
|
|
*
|
|
* Return RLS_NONE_ENV to indicate that this decision depends on the
|
|
* environment (in this case, the user_id).
|
|
*/
|
|
if (has_bypassrls_privilege(user_id))
|
|
return RLS_NONE_ENV;
|
|
|
|
/*
|
|
* Table owners generally bypass RLS, except if the table has been set (by
|
|
* an owner) to FORCE ROW SECURITY, and this is not a referential
|
|
* integrity check.
|
|
*
|
|
* Return RLS_NONE_ENV to indicate that this decision depends on the
|
|
* environment (in this case, the user_id).
|
|
*/
|
|
amowner = object_ownercheck(RelationRelationId, relid, user_id);
|
|
if (amowner)
|
|
{
|
|
/*
|
|
* If FORCE ROW LEVEL SECURITY has been set on the relation then we
|
|
* should return RLS_ENABLED to indicate that RLS should be applied.
|
|
* If not, or if we are in an InNoForceRLSOperation context, we return
|
|
* RLS_NONE_ENV.
|
|
*
|
|
* InNoForceRLSOperation indicates that we should not apply RLS even
|
|
* if the table has FORCE RLS set - IF the current user is the owner.
|
|
* This is specifically to ensure that referential integrity checks
|
|
* are able to still run correctly.
|
|
*
|
|
* This is intentionally only done after we have checked that the user
|
|
* is the table owner, which should always be the case for referential
|
|
* integrity checks.
|
|
*/
|
|
if (!relforcerowsecurity || InNoForceRLSOperation())
|
|
return RLS_NONE_ENV;
|
|
}
|
|
|
|
/*
|
|
* We should apply RLS. However, the user may turn off the row_security
|
|
* GUC to get a forced error instead.
|
|
*/
|
|
if (!row_security && !noError)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
|
errmsg("query would be affected by row-level security policy for table \"%s\"",
|
|
get_rel_name(relid)),
|
|
amowner ? errhint("To disable the policy for the table's owner, use ALTER TABLE NO FORCE ROW LEVEL SECURITY.") : 0));
|
|
|
|
/* RLS should be fully enabled for this relation. */
|
|
return RLS_ENABLED;
|
|
}
|
|
|
|
/*
|
|
* row_security_active
|
|
*
|
|
* check_enable_rls wrapped as a SQL callable function except
|
|
* RLS_NONE_ENV and RLS_NONE are the same for this purpose.
|
|
*/
|
|
Datum
|
|
row_security_active(PG_FUNCTION_ARGS)
|
|
{
|
|
/* By OID */
|
|
Oid tableoid = PG_GETARG_OID(0);
|
|
int rls_status;
|
|
|
|
rls_status = check_enable_rls(tableoid, InvalidOid, true);
|
|
PG_RETURN_BOOL(rls_status == RLS_ENABLED);
|
|
}
|
|
|
|
Datum
|
|
row_security_active_name(PG_FUNCTION_ARGS)
|
|
{
|
|
/* By qualified name */
|
|
text *tablename = PG_GETARG_TEXT_PP(0);
|
|
RangeVar *tablerel;
|
|
Oid tableoid;
|
|
int rls_status;
|
|
|
|
/* Look up table name. Can't lock it - we might not have privileges. */
|
|
tablerel = makeRangeVarFromNameList(textToQualifiedNameList(tablename));
|
|
tableoid = RangeVarGetRelid(tablerel, NoLock, false);
|
|
|
|
rls_status = check_enable_rls(tableoid, InvalidOid, true);
|
|
PG_RETURN_BOOL(rls_status == RLS_ENABLED);
|
|
}
|