NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit632cd9f

committed

Create new ParseExprKind for use by policy expressions.

Policy USING and WITH CHECK expressions were using EXPR_KIND_WHERE forparse analysis, which results in inappropriate ERROR messages whenthe expression contains unsupported constructs such as aggregates.Create a new ParseExprKind called EXPR_KIND_POLICY and tailor therelated messages to fit.Reported by Noah Misch. Reviewed by Dean Rasheed, Alvaro Herrera,and Robert Haas. Back-patch to 9.5 where RLS was introduced.

1 parentf04ce31 commit632cd9fCopy full SHA for 632cd9f

File tree

7 files changed

+39

-7

lines changed

src
- backend
  - commands
    - policy.c
  - parser
    - parse_agg.c
    - parse_expr.c
- include/parser
  - parse_node.h
- test
  - modules/test_rls_hooks
    - test_rls_hooks.c
  - regress
    - expected
      - rowsecurity.out
    - sql
      - rowsecurity.sql

7 files changed

+39

-7

lines changed

`‎src/backend/commands/policy.c`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -534,12 +534,12 @@ CreatePolicy(CreatePolicyStmt *stmt)`
`534`	`534`
`535`	`535`	`qual=transformWhereClause(qual_pstate,`
`536`	`536`	`copyObject(stmt->qual),`
`537`		`-EXPR_KIND_WHERE,`
	`537`	`+EXPR_KIND_POLICY,`
`538`	`538`	`"POLICY");`
`539`	`539`
`540`	`540`	`with_check_qual=transformWhereClause(with_check_pstate,`
`541`	`541`	`copyObject(stmt->with_check),`
`542`		`-EXPR_KIND_WHERE,`
	`542`	`+EXPR_KIND_POLICY,`
`543`	`543`	`"POLICY");`
`544`	`544`
`545`	`545`	`/* Fix up collation information */`
`@@ -707,7 +707,7 @@ AlterPolicy(AlterPolicyStmt *stmt)`
`707`	`707`	`addRTEtoQuery(qual_pstate,rte, false, true, true);`
`708`	`708`
`709`	`709`	`qual=transformWhereClause(qual_pstate,copyObject(stmt->qual),`
`710`		`-EXPR_KIND_WHERE,`
	`710`	`+EXPR_KIND_POLICY,`
`711`	`711`	`"POLICY");`
`712`	`712`
`713`	`713`	`/* Fix up collation information */`
`@@ -730,7 +730,7 @@ AlterPolicy(AlterPolicyStmt *stmt)`
`730`	`730`
`731`	`731`	`with_check_qual=transformWhereClause(with_check_pstate,`
`732`	`732`	`copyObject(stmt->with_check),`
`733`		`-EXPR_KIND_WHERE,`
	`733`	`+EXPR_KIND_POLICY,`
`734`	`734`	`"POLICY");`
`735`	`735`
`736`	`736`	`/* Fix up collation information */`

`‎src/backend/parser/parse_agg.c`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -372,6 +372,13 @@ check_agglevels_and_constraints(ParseState pstate, Node expr)`
`372`	`372`	`break;`
`373`	`373`	`caseEXPR_KIND_WHERE:`
`374`	`374`	`errkind= true;`
	`375`	`+break;`
	`376`	`+caseEXPR_KIND_POLICY:`
	`377`	`+if (isAgg)`
	`378`	`+err=_("aggregate functions are not allowed in policy expressions");`
	`379`	`+else`
	`380`	`+err=_("grouping operations are not allowed in policy expressions");`
	`381`	`+`
`375`	`382`	`break;`
`376`	`383`	`caseEXPR_KIND_HAVING:`
`377`	`384`	`/* okay */`
`@@ -770,6 +777,9 @@ transformWindowFuncCall(ParseState pstate, WindowFunc wfunc,`
`770`	`777`	`caseEXPR_KIND_WHERE:`
`771`	`778`	`errkind= true;`
`772`	`779`	`break;`
	`780`	`+caseEXPR_KIND_POLICY:`
	`781`	`+err=_("window functions are not allowed in policy expressions");`
	`782`	`+break;`
`773`	`783`	`caseEXPR_KIND_HAVING:`
`774`	`784`	`errkind= true;`
`775`	`785`	`break;`

`‎src/backend/parser/parse_expr.c`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1672,6 +1672,7 @@ transformSubLink(ParseState pstate, SubLink sublink)`
`1672`	`1672`	`caseEXPR_KIND_FROM_SUBSELECT:`
`1673`	`1673`	`caseEXPR_KIND_FROM_FUNCTION:`
`1674`	`1674`	`caseEXPR_KIND_WHERE:`
	`1675`	`+caseEXPR_KIND_POLICY:`
`1675`	`1676`	`caseEXPR_KIND_HAVING:`
`1676`	`1677`	`caseEXPR_KIND_FILTER:`
`1677`	`1678`	`caseEXPR_KIND_WINDOW_PARTITION:`
`@@ -3173,6 +3174,8 @@ ParseExprKindName(ParseExprKind exprKind)`
`3173`	`3174`	`return"function in FROM";`
`3174`	`3175`	`caseEXPR_KIND_WHERE:`
`3175`	`3176`	`return"WHERE";`
	`3177`	`+caseEXPR_KIND_POLICY:`
	`3178`	`+return"POLICY";`
`3176`	`3179`	`caseEXPR_KIND_HAVING:`
`3177`	`3180`	`return"HAVING";`
`3178`	`3181`	`caseEXPR_KIND_FILTER:`

`‎src/include/parser/parse_node.h`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,8 @@ typedef enum ParseExprKind`
`63`	`63`	`EXPR_KIND_INDEX_PREDICATE,/* index predicate */`
`64`	`64`	`EXPR_KIND_ALTER_COL_TRANSFORM,/* transform expr in ALTER COLUMN TYPE */`
`65`	`65`	`EXPR_KIND_EXECUTE_PARAMETER,/* parameter value in EXECUTE */`
`66`		`-EXPR_KIND_TRIGGER_WHEN/* WHEN condition in CREATE TRIGGER */`
	`66`	`+EXPR_KIND_TRIGGER_WHEN,/* WHEN condition in CREATE TRIGGER */`
	`67`	`+EXPR_KIND_POLICY/* USING or WITH CHECK expr in policy */`
`67`	`68`	`}ParseExprKind;`
`68`	`69`
`69`	`70`

`‎src/test/modules/test_rls_hooks/test_rls_hooks.c`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)`
`106`	`106`	`e= (Node)makeSimpleA_Expr(AEXPR_OP,"=", (Node)n, (Node*)c,0);`
`107`	`107`
`108`	`108`	`policy->qual= (Expr*)transformWhereClause(qual_pstate,copyObject(e),`
`109`		`-EXPR_KIND_WHERE,`
	`109`	`+EXPR_KIND_POLICY,`
`110`	`110`	`"POLICY");`
`111`	`111`
`112`	`112`	`policy->with_check_qual=copyObject(policy->qual);`
`@@ -160,7 +160,7 @@ test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)`
`160`	`160`	`e= (Node)makeSimpleA_Expr(AEXPR_OP,"=", (Node)n, (Node*)c,0);`
`161`	`161`
`162`	`162`	`policy->qual= (Expr*)transformWhereClause(qual_pstate,copyObject(e),`
`163`		`-EXPR_KIND_WHERE,`
	`163`	`+EXPR_KIND_POLICY,`
`164`	`164`	`"POLICY");`
`165`	`165`
`166`	`166`	`policy->with_check_qual=copyObject(policy->qual);`

`‎src/test/regress/expected/rowsecurity.out`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3024,6 +3024,15 @@ CREATE RULE "_RETURN" AS ON SELECT TO t DO INSTEAD`
`3024`	`3024`	`SELECT * FROM generate_series(1,5) t0(c); -- succeeds`
`3025`	`3025`	`ROLLBACK;`
`3026`	`3026`	`--`
	`3027`	`+-- Policy expression handling`
	`3028`	`+--`
	`3029`	`+BEGIN;`
	`3030`	`+SET row_security = FORCE;`
	`3031`	`+CREATE TABLE t (c) AS VALUES ('bar'::text);`
	`3032`	`+CREATE POLICY p ON t USING (max(c)); -- fails: aggregate functions are not allowed in policy expressions`
	`3033`	`+ERROR: aggregate functions are not allowed in policy expressions`
	`3034`	`+ROLLBACK;`
	`3035`	`+--`
`3027`	`3036`	`-- Clean up objects`
`3028`	`3037`	`--`
`3029`	`3038`	`RESET SESSION AUTHORIZATION;`

`‎src/test/regress/sql/rowsecurity.sql`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1289,6 +1289,15 @@ CREATE RULE "_RETURN" AS ON SELECT TO t DO INSTEAD`
`1289`	`1289`	`SELECT*FROM generate_series(1,5) t0(c);-- succeeds`
`1290`	`1290`	`ROLLBACK;`
`1291`	`1291`
	`1292`	`+--`
	`1293`	`+-- Policy expression handling`
	`1294`	`+--`
	`1295`	`+BEGIN;`
	`1296`	`+SET row_security= FORCE;`
	`1297`	`+CREATETABLEt (c)ASVALUES ('bar'::text);`
	`1298`	`+CREATE POLICY pON t USING (max(c));-- fails: aggregate functions are not allowed in policy expressions`
	`1299`	`+ROLLBACK;`
	`1300`	`+`
`1292`	`1301`	`--`
`1293`	`1302`	`-- Clean up objects`
`1294`	`1303`	`--`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit632cd9f

File tree

7 files changed

7 files changed

`‎src/backend/commands/policy.c`

`‎src/backend/parser/parse_agg.c`

`‎src/backend/parser/parse_expr.c`

`‎src/include/parser/parse_node.h`

`‎src/test/modules/test_rls_hooks/test_rls_hooks.c`

`‎src/test/regress/expected/rowsecurity.out`

`‎src/test/regress/sql/rowsecurity.sql`

0 commit comments