Line data Source code
1 : /*--------------------------------------------------------------------------
2 : *
3 : * test_rls_hooks.c
4 : * Code for testing RLS hooks.
5 : *
6 : * Copyright (c) 2015-2026, PostgreSQL Global Development Group
7 : *
8 : * IDENTIFICATION
9 : * src/test/modules/test_rls_hooks/test_rls_hooks.c
10 : *
11 : * -------------------------------------------------------------------------
12 : */
13 :
14 : #include "postgres.h"
15 :
16 : #include "catalog/pg_type.h"
17 : #include "fmgr.h"
18 : #include "nodes/makefuncs.h"
19 : #include "parser/parse_clause.h"
20 : #include "parser/parse_collate.h"
21 : #include "parser/parse_node.h"
22 : #include "parser/parse_relation.h"
23 : #include "rewrite/rowsecurity.h"
24 : #include "test_rls_hooks.h"
25 : #include "utils/acl.h"
26 : #include "utils/rel.h"
27 : #include "utils/relcache.h"
28 :
29 0 : PG_MODULE_MAGIC;
30 :
31 : /* Install hooks */
32 : void
33 0 : _PG_init(void)
34 : {
35 : /* Set our hooks */
36 0 : row_security_policy_hook_permissive = test_rls_hooks_permissive;
37 0 : row_security_policy_hook_restrictive = test_rls_hooks_restrictive;
38 0 : }
39 :
40 : /*
41 : * Return permissive policies to be added
42 : */
43 : List *
44 0 : test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
45 : {
46 0 : List *policies = NIL;
47 0 : RowSecurityPolicy *policy = palloc0_object(RowSecurityPolicy);
48 0 : Datum role;
49 0 : FuncCall *n;
50 0 : Node *e;
51 0 : ColumnRef *c;
52 0 : ParseState *qual_pstate;
53 0 : ParseNamespaceItem *nsitem;
54 :
55 0 : if (strcmp(RelationGetRelationName(relation), "rls_test_permissive") != 0 &&
56 0 : strcmp(RelationGetRelationName(relation), "rls_test_both") != 0)
57 0 : return NIL;
58 :
59 0 : qual_pstate = make_parsestate(NULL);
60 :
61 0 : nsitem = addRangeTableEntryForRelation(qual_pstate,
62 0 : relation, AccessShareLock,
63 : NULL, false, false);
64 0 : addNSItemToQuery(qual_pstate, nsitem, false, true, true);
65 :
66 0 : role = ObjectIdGetDatum(ACL_ID_PUBLIC);
67 :
68 0 : policy->policy_name = pstrdup("extension policy");
69 0 : policy->polcmd = '*';
70 0 : policy->roles = construct_array_builtin(&role, 1, OIDOID);
71 :
72 : /*
73 : * policy->qual = (Expr *) makeConst(BOOLOID, -1, InvalidOid,
74 : * sizeof(bool), BoolGetDatum(true), false, true);
75 : */
76 :
77 0 : n = makeFuncCall(list_make2(makeString("pg_catalog"),
78 : makeString("current_user")),
79 : NIL,
80 : COERCE_EXPLICIT_CALL,
81 : -1);
82 :
83 0 : c = makeNode(ColumnRef);
84 0 : c->fields = list_make1(makeString("username"));
85 0 : c->location = 0;
86 :
87 0 : e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
88 :
89 0 : policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
90 : EXPR_KIND_POLICY,
91 : "POLICY");
92 : /* Fix up collation information */
93 0 : assign_expr_collations(qual_pstate, (Node *) policy->qual);
94 :
95 0 : policy->with_check_qual = copyObject(policy->qual);
96 0 : policy->hassublinks = false;
97 :
98 0 : policies = list_make1(policy);
99 :
100 0 : return policies;
101 0 : }
102 :
103 : /*
104 : * Return restrictive policies to be added
105 : *
106 : * Note that a permissive policy must exist or the default-deny policy
107 : * will be included and nothing will be visible. If no filtering should
108 : * be done except for the restrictive policy, then a single "USING (true)"
109 : * permissive policy can be used; see the regression tests.
110 : */
111 : List *
112 0 : test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)
113 : {
114 0 : List *policies = NIL;
115 0 : RowSecurityPolicy *policy = palloc0_object(RowSecurityPolicy);
116 0 : Datum role;
117 0 : FuncCall *n;
118 0 : Node *e;
119 0 : ColumnRef *c;
120 0 : ParseState *qual_pstate;
121 0 : ParseNamespaceItem *nsitem;
122 :
123 0 : if (strcmp(RelationGetRelationName(relation), "rls_test_restrictive") != 0 &&
124 0 : strcmp(RelationGetRelationName(relation), "rls_test_both") != 0)
125 0 : return NIL;
126 :
127 0 : qual_pstate = make_parsestate(NULL);
128 :
129 0 : nsitem = addRangeTableEntryForRelation(qual_pstate,
130 0 : relation, AccessShareLock,
131 : NULL, false, false);
132 0 : addNSItemToQuery(qual_pstate, nsitem, false, true, true);
133 :
134 0 : role = ObjectIdGetDatum(ACL_ID_PUBLIC);
135 :
136 0 : policy->policy_name = pstrdup("extension policy");
137 0 : policy->polcmd = '*';
138 0 : policy->roles = construct_array_builtin(&role, 1, OIDOID);
139 :
140 0 : n = makeFuncCall(list_make2(makeString("pg_catalog"),
141 : makeString("current_user")),
142 : NIL,
143 : COERCE_EXPLICIT_CALL,
144 : -1);
145 :
146 0 : c = makeNode(ColumnRef);
147 0 : c->fields = list_make1(makeString("supervisor"));
148 0 : c->location = 0;
149 :
150 0 : e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
151 :
152 0 : policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
153 : EXPR_KIND_POLICY,
154 : "POLICY");
155 : /* Fix up collation information */
156 0 : assign_expr_collations(qual_pstate, (Node *) policy->qual);
157 :
158 0 : policy->with_check_qual = copyObject(policy->qual);
159 0 : policy->hassublinks = false;
160 :
161 0 : policies = list_make1(policy);
162 :
163 0 : return policies;
164 0 : }
|
