Age Owner Branch data TLA Line data Source code
1 : : /*-------------------------------------------------------------------------
2 : : *
3 : : * user.c
4 : : * Commands for manipulating roles (formerly called users).
5 : : *
6 : : * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
7 : : * Portions Copyright (c) 1994, Regents of the University of California
8 : : *
9 : : * src/backend/commands/user.c
10 : : *
11 : : *-------------------------------------------------------------------------
12 : : */
13 : : #include "postgres.h"
14 : :
15 : : #include "access/genam.h"
16 : : #include "access/htup_details.h"
17 : : #include "access/table.h"
18 : : #include "access/xact.h"
19 : : #include "catalog/binary_upgrade.h"
20 : : #include "catalog/catalog.h"
21 : : #include "catalog/dependency.h"
22 : : #include "catalog/indexing.h"
23 : : #include "catalog/objectaccess.h"
24 : : #include "catalog/pg_auth_members.h"
25 : : #include "catalog/pg_authid.h"
26 : : #include "catalog/pg_database.h"
27 : : #include "catalog/pg_db_role_setting.h"
28 : : #include "commands/comment.h"
29 : : #include "commands/dbcommands.h"
30 : : #include "commands/defrem.h"
31 : : #include "commands/seclabel.h"
32 : : #include "commands/user.h"
33 : : #include "lib/qunique.h"
34 : : #include "libpq/crypt.h"
35 : : #include "miscadmin.h"
36 : : #include "storage/lmgr.h"
37 : : #include "utils/acl.h"
38 : : #include "utils/builtins.h"
39 : : #include "utils/catcache.h"
40 : : #include "utils/fmgroids.h"
41 : : #include "utils/syscache.h"
42 : : #include "utils/varlena.h"
43 : :
44 : : /*
45 : : * Removing a role grant - or the admin option on it - might recurse to
46 : : * dependent grants. We use these values to reason about what would need to
47 : : * be done in such cases.
48 : : *
49 : : * RRG_NOOP indicates a grant that would not need to be altered by the
50 : : * operation.
51 : : *
52 : : * RRG_REMOVE_ADMIN_OPTION indicates a grant that would need to have
53 : : * admin_option set to false by the operation.
54 : : *
55 : : * Similarly, RRG_REMOVE_INHERIT_OPTION and RRG_REMOVE_SET_OPTION indicate
56 : : * grants that would need to have the corresponding options set to false.
57 : : *
58 : : * RRG_DELETE_GRANT indicates a grant that would need to be removed entirely
59 : : * by the operation.
60 : : */
61 : : typedef enum
62 : : {
63 : : RRG_NOOP,
64 : : RRG_REMOVE_ADMIN_OPTION,
65 : : RRG_REMOVE_INHERIT_OPTION,
66 : : RRG_REMOVE_SET_OPTION,
67 : : RRG_DELETE_GRANT,
68 : : } RevokeRoleGrantAction;
69 : :
70 : : /* Potentially set by pg_upgrade_support functions */
71 : : Oid binary_upgrade_next_pg_authid_oid = InvalidOid;
72 : :
73 : : typedef struct
74 : : {
75 : : unsigned specified;
76 : : bool admin;
77 : : bool inherit;
78 : : bool set;
79 : : } GrantRoleOptions;
80 : :
81 : : #define GRANT_ROLE_SPECIFIED_ADMIN 0x0001
82 : : #define GRANT_ROLE_SPECIFIED_INHERIT 0x0002
83 : : #define GRANT_ROLE_SPECIFIED_SET 0x0004
84 : :
85 : : /* GUC parameters */
86 : : int Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256;
87 : : char *createrole_self_grant = "";
88 : : static bool createrole_self_grant_enabled = false;
89 : : static GrantRoleOptions createrole_self_grant_options;
90 : :
91 : : /* Hook to check passwords in CreateRole() and AlterRole() */
92 : : check_password_hook_type check_password_hook = NULL;
93 : :
94 : : static void AddRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
95 : : List *memberSpecs, List *memberIds,
96 : : Oid grantorId, GrantRoleOptions *popt);
97 : : static void DelRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
98 : : List *memberSpecs, List *memberIds,
99 : : Oid grantorId, GrantRoleOptions *popt,
100 : : DropBehavior behavior);
101 : : static void check_role_membership_authorization(Oid currentUserId, Oid roleid,
102 : : bool is_grant);
103 : : static Oid check_role_grantor(Oid currentUserId, Oid roleid, Oid grantorId,
104 : : bool is_grant);
105 : : static RevokeRoleGrantAction *initialize_revoke_actions(CatCList *memlist);
106 : : static bool plan_single_revoke(CatCList *memlist,
107 : : RevokeRoleGrantAction *actions,
108 : : Oid member, Oid grantor,
109 : : GrantRoleOptions *popt,
110 : : DropBehavior behavior);
111 : : static void plan_member_revoke(CatCList *memlist,
112 : : RevokeRoleGrantAction *actions, Oid member);
113 : : static void plan_recursive_revoke(CatCList *memlist,
114 : : RevokeRoleGrantAction *actions,
115 : : int index,
116 : : bool revoke_admin_option_only,
117 : : DropBehavior behavior);
118 : : static void InitGrantRoleOptions(GrantRoleOptions *popt);
119 : :
120 : :
121 : : /* Check if current user has createrole privileges */
122 : : static bool
3910 alvherre@alvh.no-ip. 123 :CBC 1106 : have_createrole_privilege(void)
124 : : {
125 : 1106 : return has_createrole_privilege(GetUserId());
126 : : }
127 : :
128 : :
129 : : /*
130 : : * CREATE ROLE
131 : : */
132 : : Oid
3287 peter_e@gmx.net 133 : 908 : CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
134 : : {
135 : : Relation pg_authid_rel;
136 : : TupleDesc pg_authid_dsc;
137 : : HeapTuple tuple;
1148 peter@eisentraut.org 138 : 908 : Datum new_record[Natts_pg_authid] = {0};
139 : 908 : bool new_record_nulls[Natts_pg_authid] = {0};
975 rhaas@postgresql.org 140 : 908 : Oid currentUserId = GetUserId();
141 : : Oid roleid;
142 : : ListCell *item;
143 : : ListCell *option;
7266 bruce@momjian.us 144 : 908 : char *password = NULL; /* user password */
3910 alvherre@alvh.no-ip. 145 : 908 : bool issuper = false; /* Make the user a superuser? */
146 : 908 : bool inherit = true; /* Auto inherit privileges? */
2999 tgl@sss.pgh.pa.us 147 : 908 : bool createrole = false; /* Can this user create roles? */
148 : 908 : bool createdb = false; /* Can the user create databases? */
149 : 908 : bool canlogin = false; /* Can this user login? */
3910 alvherre@alvh.no-ip. 150 : 908 : bool isreplication = false; /* Is this a replication role? */
2999 tgl@sss.pgh.pa.us 151 : 908 : bool bypassrls = false; /* Is this a row security enabled role? */
7266 bruce@momjian.us 152 : 908 : int connlimit = -1; /* maximum connections allowed */
153 : 908 : List *addroleto = NIL; /* roles to make this a member of */
2999 tgl@sss.pgh.pa.us 154 : 908 : List *rolemembers = NIL; /* roles to be members of this role */
155 : 908 : List *adminmembers = NIL; /* roles to be admins of this role */
156 : 908 : char *validUntil = NULL; /* time the login is valid until */
157 : : Datum validUntil_datum; /* same, as timestamptz Datum */
158 : : bool validUntil_null;
8788 bruce@momjian.us 159 : 908 : DefElem *dpassword = NULL;
7374 tgl@sss.pgh.pa.us 160 : 908 : DefElem *dissuper = NULL;
7347 161 : 908 : DefElem *dinherit = NULL;
7375 162 : 908 : DefElem *dcreaterole = NULL;
7374 163 : 908 : DefElem *dcreatedb = NULL;
7375 164 : 908 : DefElem *dcanlogin = NULL;
5263 bruce@momjian.us 165 : 908 : DefElem *disreplication = NULL;
7342 tgl@sss.pgh.pa.us 166 : 908 : DefElem *dconnlimit = NULL;
7375 167 : 908 : DefElem *daddroleto = NULL;
168 : 908 : DefElem *drolemembers = NULL;
169 : 908 : DefElem *dadminmembers = NULL;
8788 bruce@momjian.us 170 : 908 : DefElem *dvalidUntil = NULL;
4005 sfrost@snowman.net 171 : 908 : DefElem *dbypassRLS = NULL;
172 : : GrantRoleOptions popt;
173 : :
174 : : /* The defaults can vary depending on the original statement type */
7347 tgl@sss.pgh.pa.us 175 [ + + + - ]: 908 : switch (stmt->stmt_type)
176 : : {
177 : 669 : case ROLESTMT_ROLE:
178 : 669 : break;
179 : 227 : case ROLESTMT_USER:
3910 alvherre@alvh.no-ip. 180 : 227 : canlogin = true;
181 : : /* may eventually want inherit to default to false here */
7347 tgl@sss.pgh.pa.us 182 : 227 : break;
183 : 12 : case ROLESTMT_GROUP:
184 : 12 : break;
185 : : }
186 : :
187 : : /* Extract options from the statement node tree */
8824 188 [ + + + + : 1487 : foreach(option, stmt->options)
+ + ]
189 : : {
8717 bruce@momjian.us 190 : 579 : DefElem *defel = (DefElem *) lfirst(option);
191 : :
3043 heikki.linnakangas@i 192 [ + + ]: 579 : if (strcmp(defel->defname, "password") == 0)
193 : : {
8788 bruce@momjian.us 194 [ - + ]: 61 : if (dpassword)
1514 dean.a.rasheed@gmail 195 :UBC 0 : errorConflictingDefElem(defel, pstate);
8788 bruce@momjian.us 196 :CBC 61 : dpassword = defel;
197 : : }
8717 198 [ + + ]: 518 : else if (strcmp(defel->defname, "sysid") == 0)
199 : : {
7347 tgl@sss.pgh.pa.us 200 [ + - ]: 3 : ereport(NOTICE,
201 : : (errmsg("SYSID can no longer be specified")));
202 : : }
7374 203 [ + + ]: 515 : else if (strcmp(defel->defname, "superuser") == 0)
204 : : {
205 [ - + ]: 95 : if (dissuper)
1514 dean.a.rasheed@gmail 206 :UBC 0 : errorConflictingDefElem(defel, pstate);
7374 tgl@sss.pgh.pa.us 207 :CBC 95 : dissuper = defel;
208 : : }
7347 209 [ + + ]: 420 : else if (strcmp(defel->defname, "inherit") == 0)
210 : : {
211 [ - + ]: 31 : if (dinherit)
1514 dean.a.rasheed@gmail 212 :UBC 0 : errorConflictingDefElem(defel, pstate);
7347 tgl@sss.pgh.pa.us 213 :CBC 31 : dinherit = defel;
214 : : }
7375 215 [ + + ]: 389 : else if (strcmp(defel->defname, "createrole") == 0)
216 : : {
217 [ - + ]: 44 : if (dcreaterole)
1514 dean.a.rasheed@gmail 218 :UBC 0 : errorConflictingDefElem(defel, pstate);
7375 tgl@sss.pgh.pa.us 219 :CBC 44 : dcreaterole = defel;
220 : : }
8717 bruce@momjian.us 221 [ + + ]: 345 : else if (strcmp(defel->defname, "createdb") == 0)
222 : : {
8788 223 [ - + ]: 34 : if (dcreatedb)
1514 dean.a.rasheed@gmail 224 :UBC 0 : errorConflictingDefElem(defel, pstate);
8788 bruce@momjian.us 225 :CBC 34 : dcreatedb = defel;
226 : : }
7375 tgl@sss.pgh.pa.us 227 [ + + ]: 311 : else if (strcmp(defel->defname, "canlogin") == 0)
228 : : {
229 [ - + ]: 146 : if (dcanlogin)
1514 dean.a.rasheed@gmail 230 :UBC 0 : errorConflictingDefElem(defel, pstate);
7375 tgl@sss.pgh.pa.us 231 :CBC 146 : dcanlogin = defel;
232 : : }
5365 magnus@hagander.net 233 [ + + ]: 165 : else if (strcmp(defel->defname, "isreplication") == 0)
234 : : {
235 [ - + ]: 44 : if (disreplication)
1514 dean.a.rasheed@gmail 236 :UBC 0 : errorConflictingDefElem(defel, pstate);
5365 magnus@hagander.net 237 :CBC 44 : disreplication = defel;
238 : : }
7342 tgl@sss.pgh.pa.us 239 [ + + ]: 121 : else if (strcmp(defel->defname, "connectionlimit") == 0)
240 : : {
241 [ - + ]: 6 : if (dconnlimit)
1514 dean.a.rasheed@gmail 242 :UBC 0 : errorConflictingDefElem(defel, pstate);
7342 tgl@sss.pgh.pa.us 243 :CBC 6 : dconnlimit = defel;
244 : : }
7375 245 [ + + ]: 115 : else if (strcmp(defel->defname, "addroleto") == 0)
246 : : {
247 [ - + ]: 49 : if (daddroleto)
1514 dean.a.rasheed@gmail 248 :UBC 0 : errorConflictingDefElem(defel, pstate);
7375 tgl@sss.pgh.pa.us 249 :CBC 49 : daddroleto = defel;
250 : : }
251 [ + + ]: 66 : else if (strcmp(defel->defname, "rolemembers") == 0)
252 : : {
253 [ - + ]: 14 : if (drolemembers)
1514 dean.a.rasheed@gmail 254 :UBC 0 : errorConflictingDefElem(defel, pstate);
7375 tgl@sss.pgh.pa.us 255 :CBC 14 : drolemembers = defel;
256 : : }
257 [ + + ]: 52 : else if (strcmp(defel->defname, "adminmembers") == 0)
258 : : {
259 [ - + ]: 11 : if (dadminmembers)
1514 dean.a.rasheed@gmail 260 :UBC 0 : errorConflictingDefElem(defel, pstate);
7375 tgl@sss.pgh.pa.us 261 :CBC 11 : dadminmembers = defel;
262 : : }
8717 bruce@momjian.us 263 [ + + ]: 41 : else if (strcmp(defel->defname, "validUntil") == 0)
264 : : {
8788 265 [ - + ]: 1 : if (dvalidUntil)
1514 dean.a.rasheed@gmail 266 :UBC 0 : errorConflictingDefElem(defel, pstate);
8788 bruce@momjian.us 267 :CBC 1 : dvalidUntil = defel;
268 : : }
4005 sfrost@snowman.net 269 [ + - ]: 40 : else if (strcmp(defel->defname, "bypassrls") == 0)
270 : : {
271 [ - + ]: 40 : if (dbypassRLS)
1514 dean.a.rasheed@gmail 272 :UBC 0 : errorConflictingDefElem(defel, pstate);
4005 sfrost@snowman.net 273 :CBC 40 : dbypassRLS = defel;
274 : : }
275 : : else
8086 tgl@sss.pgh.pa.us 276 [ # # ]:UBC 0 : elog(ERROR, "option \"%s\" not recognized",
277 : : defel->defname);
278 : : }
279 : :
7197 peter_e@gmx.net 280 [ + + + + ]:CBC 908 : if (dpassword && dpassword->arg)
7374 tgl@sss.pgh.pa.us 281 : 55 : password = strVal(dpassword->arg);
282 [ + + ]: 908 : if (dissuper)
1331 peter@eisentraut.org 283 : 95 : issuper = boolVal(dissuper->arg);
7347 tgl@sss.pgh.pa.us 284 [ + + ]: 908 : if (dinherit)
1331 peter@eisentraut.org 285 : 31 : inherit = boolVal(dinherit->arg);
7375 tgl@sss.pgh.pa.us 286 [ + + ]: 908 : if (dcreaterole)
1331 peter@eisentraut.org 287 : 44 : createrole = boolVal(dcreaterole->arg);
7374 tgl@sss.pgh.pa.us 288 [ + + ]: 908 : if (dcreatedb)
1331 peter@eisentraut.org 289 : 34 : createdb = boolVal(dcreatedb->arg);
7375 tgl@sss.pgh.pa.us 290 [ + + ]: 908 : if (dcanlogin)
1331 peter@eisentraut.org 291 : 146 : canlogin = boolVal(dcanlogin->arg);
5365 magnus@hagander.net 292 [ + + ]: 908 : if (disreplication)
1331 peter@eisentraut.org 293 : 44 : isreplication = boolVal(disreplication->arg);
7342 tgl@sss.pgh.pa.us 294 [ + + ]: 908 : if (dconnlimit)
295 : : {
296 : 6 : connlimit = intVal(dconnlimit->arg);
6063 heikki.linnakangas@i 297 [ - + ]: 6 : if (connlimit < -1)
6063 heikki.linnakangas@i 298 [ # # ]:UBC 0 : ereport(ERROR,
299 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
300 : : errmsg("invalid connection limit: %d", connlimit)));
301 : : }
7375 tgl@sss.pgh.pa.us 302 [ + + ]:CBC 908 : if (daddroleto)
303 : 49 : addroleto = (List *) daddroleto->arg;
304 [ + + ]: 908 : if (drolemembers)
305 : 14 : rolemembers = (List *) drolemembers->arg;
306 [ + + ]: 908 : if (dadminmembers)
307 : 11 : adminmembers = (List *) dadminmembers->arg;
7374 308 [ + + ]: 908 : if (dvalidUntil)
309 : 1 : validUntil = strVal(dvalidUntil->arg);
3910 alvherre@alvh.no-ip. 310 [ + + ]: 908 : if (dbypassRLS)
1331 peter@eisentraut.org 311 : 40 : bypassrls = boolVal(dbypassRLS->arg);
312 : :
313 : : /* Check some permissions first */
956 rhaas@postgresql.org 314 [ + + ]: 908 : if (!superuser_arg(currentUserId))
315 : : {
316 [ - + ]: 111 : if (!has_createrole_privilege(currentUserId))
956 rhaas@postgresql.org 317 [ # # ]:UBC 0 : ereport(ERROR,
318 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
319 : : errmsg("permission denied to create role"),
320 : : errdetail("Only roles with the %s attribute may create roles.",
321 : : "CREATEROLE")));
956 rhaas@postgresql.org 322 [ + + ]:CBC 111 : if (issuper)
3910 alvherre@alvh.no-ip. 323 [ + - ]: 3 : ereport(ERROR,
324 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
325 : : errmsg("permission denied to create role"),
326 : : errdetail("Only roles with the %s attribute may create roles with the %s attribute.",
327 : : "SUPERUSER", "SUPERUSER")));
956 rhaas@postgresql.org 328 [ + + + + ]: 108 : if (createdb && !have_createdb_privilege())
3910 alvherre@alvh.no-ip. 329 [ + - ]: 3 : ereport(ERROR,
330 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
331 : : errmsg("permission denied to create role"),
332 : : errdetail("Only roles with the %s attribute may create roles with the %s attribute.",
333 : : "CREATEDB", "CREATEDB")));
956 rhaas@postgresql.org 334 [ + + + + ]: 105 : if (isreplication && !has_rolreplication(currentUserId))
3910 alvherre@alvh.no-ip. 335 [ + - ]: 6 : ereport(ERROR,
336 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
337 : : errmsg("permission denied to create role"),
338 : : errdetail("Only roles with the %s attribute may create roles with the %s attribute.",
339 : : "REPLICATION", "REPLICATION")));
956 rhaas@postgresql.org 340 [ + + + + ]: 99 : if (bypassrls && !has_bypassrls_privilege(currentUserId))
3910 alvherre@alvh.no-ip. 341 [ + - ]: 3 : ereport(ERROR,
342 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
343 : : errmsg("permission denied to create role"),
344 : : errdetail("Only roles with the %s attribute may create roles with the %s attribute.",
345 : : "BYPASSRLS", "BYPASSRLS")));
346 : : }
347 : :
348 : : /*
349 : : * Check that the user is not trying to create a role in the reserved
350 : : * "pg_" namespace.
351 : : */
3438 sfrost@snowman.net 352 [ + + ]: 893 : if (IsReservedName(stmt->role))
353 [ + - ]: 4 : ereport(ERROR,
354 : : (errcode(ERRCODE_RESERVED_NAME),
355 : : errmsg("role name \"%s\" is reserved",
356 : : stmt->role),
357 : : errdetail("Role names starting with \"pg_\" are reserved.")));
358 : :
359 : : /*
360 : : * If built with appropriate switch, whine when regression-testing
361 : : * conventions for role names are violated.
362 : : */
363 : : #ifdef ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS
364 : : if (strncmp(stmt->role, "regress_", 8) != 0)
365 : : elog(WARNING, "roles created by regression test cases should have names starting with \"regress_\"");
366 : : #endif
367 : :
368 : : /*
369 : : * Check the pg_authid relation to be certain the role doesn't already
370 : : * exist.
371 : : */
2420 andres@anarazel.de 372 : 889 : pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
7375 tgl@sss.pgh.pa.us 373 : 889 : pg_authid_dsc = RelationGetDescr(pg_authid_rel);
374 : :
5511 rhaas@postgresql.org 375 [ + + ]: 889 : if (OidIsValid(get_role_oid(stmt->role, true)))
8086 tgl@sss.pgh.pa.us 376 [ + - ]: 3 : ereport(ERROR,
377 : : (errcode(ERRCODE_DUPLICATE_OBJECT),
378 : : errmsg("role \"%s\" already exists",
379 : : stmt->role)));
380 : :
381 : : /* Convert validuntil to internal form */
5771 382 [ + + ]: 886 : if (validUntil)
383 : : {
384 : 1 : validUntil_datum = DirectFunctionCall3(timestamptz_in,
385 : : CStringGetDatum(validUntil),
386 : : ObjectIdGetDatum(InvalidOid),
387 : : Int32GetDatum(-1));
388 : 1 : validUntil_null = false;
389 : : }
390 : : else
391 : : {
392 : 885 : validUntil_datum = (Datum) 0;
393 : 885 : validUntil_null = true;
394 : : }
395 : :
396 : : /*
397 : : * Call the password checking hook if there is one defined
398 : : */
399 [ + + - + ]: 886 : if (check_password_hook && password)
5771 tgl@sss.pgh.pa.us 400 :UBC 0 : (*check_password_hook) (stmt->role,
401 : : password,
402 : : get_password_type(password),
403 : : validUntil_datum,
404 : : validUntil_null);
405 : :
406 : : /*
407 : : * Build a tuple to insert
408 : : */
7375 tgl@sss.pgh.pa.us 409 :CBC 886 : new_record[Anum_pg_authid_rolname - 1] =
410 : 886 : DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
3910 alvherre@alvh.no-ip. 411 : 886 : new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
412 : 886 : new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
413 : 886 : new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
414 : 886 : new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
415 : 886 : new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(canlogin);
416 : 886 : new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(isreplication);
7342 tgl@sss.pgh.pa.us 417 : 886 : new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
418 : :
8824 419 [ + + ]: 886 : if (password)
420 : : {
421 : : char *shadow_pass;
1334 michael@paquier.xyz 422 : 55 : const char *logdetail = NULL;
423 : :
424 : : /*
425 : : * Don't allow an empty password. Libpq treats an empty password the
426 : : * same as no password at all, and won't even try to authenticate. But
427 : : * other clients might, so allowing it would be confusing. By clearing
428 : : * the password when an empty string is specified, the account is
429 : : * consistently locked for all clients.
430 : : *
431 : : * Note that this only covers passwords stored in the database itself.
432 : : * There are also checks in the authentication code, to forbid an
433 : : * empty password from being used with authentication methods that
434 : : * fetch the password from an external system, like LDAP or PAM.
435 : : */
2952 heikki.linnakangas@i 436 [ + + - + ]: 107 : if (password[0] == '\0' ||
437 : 52 : plain_crypt_verify(stmt->role, password, "", &logdetail) == STATUS_OK)
438 : : {
439 [ + - ]: 3 : ereport(NOTICE,
440 : : (errmsg("empty string is not a valid password, clearing password")));
441 : 3 : new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
442 : : }
443 : : else
444 : : {
445 : : /* Encrypt the password to the requested format. */
446 : 52 : shadow_pass = encrypt_password(Password_encryption, stmt->role,
447 : : password);
448 : 49 : new_record[Anum_pg_authid_rolpassword - 1] =
449 : 49 : CStringGetTextDatum(shadow_pass);
450 : : }
451 : : }
452 : : else
6152 tgl@sss.pgh.pa.us 453 : 831 : new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
454 : :
5771 455 : 883 : new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
456 : 883 : new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
457 : :
3910 alvherre@alvh.no-ip. 458 : 883 : new_record[Anum_pg_authid_rolbypassrls - 1] = BoolGetDatum(bypassrls);
459 : :
460 : : /*
461 : : * pg_largeobject_metadata contains pg_authid.oid's, so we use the
462 : : * binary-upgrade override.
463 : : */
4030 bruce@momjian.us 464 [ - + ]: 883 : if (IsBinaryUpgrade)
465 : : {
4030 bruce@momjian.us 466 [ # # ]:UBC 0 : if (!OidIsValid(binary_upgrade_next_pg_authid_oid))
467 [ # # ]: 0 : ereport(ERROR,
468 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
469 : : errmsg("pg_authid OID value not set when in binary upgrade mode")));
470 : :
2482 andres@anarazel.de 471 : 0 : roleid = binary_upgrade_next_pg_authid_oid;
5356 bruce@momjian.us 472 : 0 : binary_upgrade_next_pg_authid_oid = InvalidOid;
473 : : }
474 : : else
475 : : {
2482 andres@anarazel.de 476 :CBC 883 : roleid = GetNewOidWithIndex(pg_authid_rel, AuthIdOidIndexId,
477 : : Anum_pg_authid_oid);
478 : : }
479 : :
480 : 883 : new_record[Anum_pg_authid_oid - 1] = ObjectIdGetDatum(roleid);
481 : :
482 : 883 : tuple = heap_form_tuple(pg_authid_dsc, new_record, new_record_nulls);
483 : :
484 : : /*
485 : : * Insert new record in the pg_authid table
486 : : */
487 : 883 : CatalogTupleInsert(pg_authid_rel, tuple);
488 : :
489 : : /*
490 : : * Advance command counter so we can see new record; else tests in
491 : : * AddRoleMems may fail.
492 : : */
197 tgl@sss.pgh.pa.us 493 : 883 : CommandCounterIncrement();
494 : :
495 : : /* Default grant. */
1108 rhaas@postgresql.org 496 : 883 : InitGrantRoleOptions(&popt);
497 : :
498 : : /*
499 : : * Add the new role to the specified existing roles.
500 : : */
1960 rhodiumtoad@postgres 501 [ + + ]: 883 : if (addroleto)
502 : : {
503 : 49 : RoleSpec *thisrole = makeNode(RoleSpec);
504 : 49 : List *thisrole_list = list_make1(thisrole);
505 : 49 : List *thisrole_oidlist = list_make1_oid(roleid);
506 : :
507 : 49 : thisrole->roletype = ROLESPEC_CSTRING;
508 : 49 : thisrole->rolename = stmt->role;
509 : 49 : thisrole->location = -1;
510 : :
511 [ + - + + : 62 : foreach(item, addroleto)
+ + ]
512 : : {
513 : 49 : RoleSpec *oldrole = lfirst(item);
514 : 49 : HeapTuple oldroletup = get_rolespec_tuple(oldrole);
515 : 49 : Form_pg_authid oldroleform = (Form_pg_authid) GETSTRUCT(oldroletup);
516 : 49 : Oid oldroleid = oldroleform->oid;
517 : 49 : char *oldrolename = NameStr(oldroleform->rolname);
518 : :
519 : : /* can only add this role to roles for which you have rights */
975 rhaas@postgresql.org 520 : 49 : check_role_membership_authorization(currentUserId, oldroleid, true);
521 : 13 : AddRoleMems(currentUserId, oldrolename, oldroleid,
522 : : thisrole_list,
523 : : thisrole_oidlist,
524 : : InvalidOid, &popt);
525 : :
1960 rhodiumtoad@postgres 526 : 13 : ReleaseSysCache(oldroletup);
527 : : }
528 : : }
529 : :
530 : : /*
531 : : * If the current user isn't a superuser, make them an admin of the new
532 : : * role so that they can administer the new object they just created.
533 : : * Superusers will be able to do that anyway.
534 : : *
535 : : * The grantor of record for this implicit grant is the bootstrap
536 : : * superuser, which means that the CREATEROLE user cannot revoke the
537 : : * grant. They can however grant the created role back to themselves with
538 : : * different options, since they enjoy ADMIN OPTION on it.
539 : : */
970 rhaas@postgresql.org 540 [ + + ]: 847 : if (!superuser())
541 : : {
542 : 60 : RoleSpec *current_role = makeNode(RoleSpec);
543 : : GrantRoleOptions poptself;
544 : : List *memberSpecs;
545 : 60 : List *memberIds = list_make1_oid(currentUserId);
546 : :
547 : 60 : current_role->roletype = ROLESPEC_CURRENT_ROLE;
548 : 60 : current_role->location = -1;
549 : 60 : memberSpecs = list_make1(current_role);
550 : :
551 : 60 : poptself.specified = GRANT_ROLE_SPECIFIED_ADMIN
552 : : | GRANT_ROLE_SPECIFIED_INHERIT
553 : : | GRANT_ROLE_SPECIFIED_SET;
554 : 60 : poptself.admin = true;
555 : 60 : poptself.inherit = false;
556 : 60 : poptself.set = false;
557 : :
558 : 60 : AddRoleMems(BOOTSTRAP_SUPERUSERID, stmt->role, roleid,
559 : : memberSpecs, memberIds,
560 : : BOOTSTRAP_SUPERUSERID, &poptself);
561 : :
562 : : /*
563 : : * We must make the implicit grant visible to the code below, else the
564 : : * additional grants will fail.
565 : : */
566 : 60 : CommandCounterIncrement();
567 : :
568 : : /*
569 : : * Because of the implicit grant above, a CREATEROLE user who creates
570 : : * a role has the ability to grant that role back to themselves with
571 : : * the INHERIT or SET options, if they wish to inherit the role's
572 : : * privileges or be able to SET ROLE to it. The createrole_self_grant
573 : : * GUC can be used to make this happen automatically. This has no
574 : : * security implications since the same user is able to make the same
575 : : * grant using an explicit GRANT statement; it's just convenient.
576 : : */
577 [ + + ]: 60 : if (createrole_self_grant_enabled)
578 : 3 : AddRoleMems(currentUserId, stmt->role, roleid,
579 : : memberSpecs, memberIds,
580 : : currentUserId, &createrole_self_grant_options);
581 : : }
582 : :
583 : : /*
584 : : * Add the specified members to this new role. adminmembers get the admin
585 : : * option, rolemembers don't.
586 : : *
587 : : * NB: No permissions check is required here. If you have enough rights to
588 : : * create a role, you can add any members you like.
589 : : */
975 590 : 847 : AddRoleMems(currentUserId, stmt->role, roleid,
591 : : rolemembers, roleSpecsToIds(rolemembers),
592 : : InvalidOid, &popt);
1108 593 : 844 : popt.specified |= GRANT_ROLE_SPECIFIED_ADMIN;
594 : 844 : popt.admin = true;
975 595 : 844 : AddRoleMems(currentUserId, stmt->role, roleid,
596 : : adminmembers, roleSpecsToIds(adminmembers),
597 : : InvalidOid, &popt);
598 : :
599 : : /* Post creation hook for new role */
4567 600 [ + + ]: 841 : InvokeObjectPostCreateHook(AuthIdRelationId, roleid, 0);
601 : :
602 : : /*
603 : : * Close pg_authid, but keep lock till commit.
604 : : */
2420 andres@anarazel.de 605 : 841 : table_close(pg_authid_rel, NoLock);
606 : :
4634 rhaas@postgresql.org 607 : 841 : return roleid;
608 : : }
609 : :
610 : :
611 : : /*
612 : : * ALTER ROLE
613 : : *
614 : : * Note: the rolemembers option accepted here is intended to support the
615 : : * backwards-compatible ALTER GROUP syntax. Although it will work to say
616 : : * "ALTER ROLE role ROLE rolenames", we don't document it.
617 : : */
618 : : Oid
1514 dean.a.rasheed@gmail 619 : 227 : AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
620 : : {
1148 peter@eisentraut.org 621 : 227 : Datum new_record[Natts_pg_authid] = {0};
622 : 227 : bool new_record_nulls[Natts_pg_authid] = {0};
623 : 227 : bool new_record_repl[Natts_pg_authid] = {0};
624 : : Relation pg_authid_rel;
625 : : TupleDesc pg_authid_dsc;
626 : : HeapTuple tuple,
627 : : new_tuple;
628 : : Form_pg_authid authform;
629 : : ListCell *option;
630 : : char *rolename;
7266 bruce@momjian.us 631 : 227 : char *password = NULL; /* user password */
632 : 227 : int connlimit = -1; /* maximum connections allowed */
2999 tgl@sss.pgh.pa.us 633 : 227 : char *validUntil = NULL; /* time the login is valid until */
634 : : Datum validUntil_datum; /* same, as timestamptz Datum */
635 : : bool validUntil_null;
8824 636 : 227 : DefElem *dpassword = NULL;
7374 637 : 227 : DefElem *dissuper = NULL;
7347 638 : 227 : DefElem *dinherit = NULL;
7375 639 : 227 : DefElem *dcreaterole = NULL;
7374 640 : 227 : DefElem *dcreatedb = NULL;
7375 641 : 227 : DefElem *dcanlogin = NULL;
5263 bruce@momjian.us 642 : 227 : DefElem *disreplication = NULL;
7342 tgl@sss.pgh.pa.us 643 : 227 : DefElem *dconnlimit = NULL;
7375 644 : 227 : DefElem *drolemembers = NULL;
7374 645 : 227 : DefElem *dvalidUntil = NULL;
4005 sfrost@snowman.net 646 : 227 : DefElem *dbypassRLS = NULL;
647 : : Oid roleid;
975 rhaas@postgresql.org 648 : 227 : Oid currentUserId = GetUserId();
649 : : GrantRoleOptions popt;
650 : :
3438 sfrost@snowman.net 651 : 227 : check_rolespec_name(stmt->role,
1074 alvherre@alvh.no-ip. 652 : 227 : _("Cannot alter reserved roles."));
653 : :
654 : : /* Extract options from the statement node tree */
8717 bruce@momjian.us 655 [ + - + + : 574 : foreach(option, stmt->options)
+ + ]
656 : : {
657 : 347 : DefElem *defel = (DefElem *) lfirst(option);
658 : :
3043 heikki.linnakangas@i 659 [ + + ]: 347 : if (strcmp(defel->defname, "password") == 0)
660 : : {
8824 tgl@sss.pgh.pa.us 661 [ - + ]: 45 : if (dpassword)
1514 dean.a.rasheed@gmail 662 :UBC 0 : errorConflictingDefElem(defel, pstate);
8824 tgl@sss.pgh.pa.us 663 :CBC 45 : dpassword = defel;
664 : : }
7374 665 [ + + ]: 302 : else if (strcmp(defel->defname, "superuser") == 0)
666 : : {
667 [ - + ]: 49 : if (dissuper)
1514 dean.a.rasheed@gmail 668 :UBC 0 : errorConflictingDefElem(defel, pstate);
7374 tgl@sss.pgh.pa.us 669 :CBC 49 : dissuper = defel;
670 : : }
7347 671 [ + + ]: 253 : else if (strcmp(defel->defname, "inherit") == 0)
672 : : {
673 [ - + ]: 33 : if (dinherit)
1514 dean.a.rasheed@gmail 674 :UBC 0 : errorConflictingDefElem(defel, pstate);
7347 tgl@sss.pgh.pa.us 675 :CBC 33 : dinherit = defel;
676 : : }
7375 677 [ + + ]: 220 : else if (strcmp(defel->defname, "createrole") == 0)
678 : : {
679 [ - + ]: 24 : if (dcreaterole)
1514 dean.a.rasheed@gmail 680 :UBC 0 : errorConflictingDefElem(defel, pstate);
7375 tgl@sss.pgh.pa.us 681 :CBC 24 : dcreaterole = defel;
682 : : }
7374 683 [ + + ]: 196 : else if (strcmp(defel->defname, "createdb") == 0)
684 : : {
685 [ - + ]: 33 : if (dcreatedb)
1514 dean.a.rasheed@gmail 686 :UBC 0 : errorConflictingDefElem(defel, pstate);
7374 tgl@sss.pgh.pa.us 687 :CBC 33 : dcreatedb = defel;
688 : : }
689 [ + + ]: 163 : else if (strcmp(defel->defname, "canlogin") == 0)
690 : : {
691 [ - + ]: 36 : if (dcanlogin)
1514 dean.a.rasheed@gmail 692 :UBC 0 : errorConflictingDefElem(defel, pstate);
7374 tgl@sss.pgh.pa.us 693 :CBC 36 : dcanlogin = defel;
694 : : }
5365 magnus@hagander.net 695 [ + + ]: 127 : else if (strcmp(defel->defname, "isreplication") == 0)
696 : : {
697 [ - + ]: 67 : if (disreplication)
1514 dean.a.rasheed@gmail 698 :UBC 0 : errorConflictingDefElem(defel, pstate);
5365 magnus@hagander.net 699 :CBC 67 : disreplication = defel;
700 : : }
7342 tgl@sss.pgh.pa.us 701 [ + + ]: 60 : else if (strcmp(defel->defname, "connectionlimit") == 0)
702 : : {
703 [ - + ]: 6 : if (dconnlimit)
1514 dean.a.rasheed@gmail 704 :UBC 0 : errorConflictingDefElem(defel, pstate);
7342 tgl@sss.pgh.pa.us 705 :CBC 6 : dconnlimit = defel;
706 : : }
7375 707 [ + + ]: 54 : else if (strcmp(defel->defname, "rolemembers") == 0 &&
708 [ + - ]: 21 : stmt->action != 0)
709 : : {
710 [ - + ]: 21 : if (drolemembers)
1514 dean.a.rasheed@gmail 711 :UBC 0 : errorConflictingDefElem(defel, pstate);
7375 tgl@sss.pgh.pa.us 712 :CBC 21 : drolemembers = defel;
713 : : }
7374 714 [ - + ]: 33 : else if (strcmp(defel->defname, "validUntil") == 0)
715 : : {
7374 tgl@sss.pgh.pa.us 716 [ # # ]:UBC 0 : if (dvalidUntil)
1514 dean.a.rasheed@gmail 717 : 0 : errorConflictingDefElem(defel, pstate);
7374 tgl@sss.pgh.pa.us 718 : 0 : dvalidUntil = defel;
719 : : }
4005 sfrost@snowman.net 720 [ + - ]:CBC 33 : else if (strcmp(defel->defname, "bypassrls") == 0)
721 : : {
722 [ - + ]: 33 : if (dbypassRLS)
1514 dean.a.rasheed@gmail 723 :UBC 0 : errorConflictingDefElem(defel, pstate);
4005 sfrost@snowman.net 724 :CBC 33 : dbypassRLS = defel;
725 : : }
726 : : else
8086 tgl@sss.pgh.pa.us 727 [ # # ]:UBC 0 : elog(ERROR, "option \"%s\" not recognized",
728 : : defel->defname);
729 : : }
730 : :
7197 peter_e@gmx.net 731 [ + + + - ]:CBC 227 : if (dpassword && dpassword->arg)
7374 tgl@sss.pgh.pa.us 732 : 45 : password = strVal(dpassword->arg);
7342 733 [ + + ]: 227 : if (dconnlimit)
734 : : {
735 : 6 : connlimit = intVal(dconnlimit->arg);
6063 heikki.linnakangas@i 736 [ - + ]: 6 : if (connlimit < -1)
6063 heikki.linnakangas@i 737 [ # # ]:UBC 0 : ereport(ERROR,
738 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
739 : : errmsg("invalid connection limit: %d", connlimit)));
740 : : }
7374 tgl@sss.pgh.pa.us 741 [ - + ]:CBC 227 : if (dvalidUntil)
7374 tgl@sss.pgh.pa.us 742 :UBC 0 : validUntil = strVal(dvalidUntil->arg);
743 : :
744 : : /*
745 : : * Scan the pg_authid relation to be certain the user exists.
746 : : */
2420 andres@anarazel.de 747 :CBC 227 : pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
7375 tgl@sss.pgh.pa.us 748 : 227 : pg_authid_dsc = RelationGetDescr(pg_authid_rel);
749 : :
3834 alvherre@alvh.no-ip. 750 : 227 : tuple = get_rolespec_tuple(stmt->role);
751 : 219 : authform = (Form_pg_authid) GETSTRUCT(tuple);
752 : 219 : rolename = pstrdup(NameStr(authform->rolname));
2482 andres@anarazel.de 753 : 219 : roleid = authform->oid;
754 : :
755 : : /* To mess with a superuser in any way you gotta be superuser. */
904 peter@eisentraut.org 756 [ + + - + ]: 219 : if (!superuser() && authform->rolsuper)
956 rhaas@postgresql.org 757 [ # # ]:UBC 0 : ereport(ERROR,
758 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
759 : : errmsg("permission denied to alter role"),
760 : : errdetail("Only roles with the %s attribute may alter roles with the %s attribute.",
761 : : "SUPERUSER", "SUPERUSER")));
904 peter@eisentraut.org 762 [ + + + + ]:CBC 219 : if (!superuser() && dissuper)
763 [ + - ]: 9 : ereport(ERROR,
764 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
765 : : errmsg("permission denied to alter role"),
766 : : errdetail("Only roles with the %s attribute may change the %s attribute.",
767 : : "SUPERUSER", "SUPERUSER")));
768 : :
769 : : /*
770 : : * Most changes to a role require that you both have CREATEROLE privileges
771 : : * and also ADMIN OPTION on the role.
772 : : */
970 rhaas@postgresql.org 773 [ + + ]: 210 : if (!have_createrole_privilege() ||
774 [ + + ]: 192 : !is_admin_of_role(GetUserId(), roleid))
775 : : {
776 : : /* things an unprivileged user certainly can't do */
1331 peter@eisentraut.org 777 [ + + + - : 21 : if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit ||
+ - + - +
- + - ]
956 rhaas@postgresql.org 778 [ + - - + ]: 18 : dvalidUntil || disreplication || dbypassRLS)
7374 tgl@sss.pgh.pa.us 779 [ + - ]: 3 : ereport(ERROR,
780 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
781 : : errmsg("permission denied to alter role"),
782 : : errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may alter this role.",
783 : : "CREATEROLE", "ADMIN", rolename)));
784 : :
785 : : /* an unprivileged user can change their own password */
975 rhaas@postgresql.org 786 [ + + + - ]: 18 : if (dpassword && roleid != currentUserId)
1111 787 [ + - ]: 3 : ereport(ERROR,
788 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
789 : : errmsg("permission denied to alter role"),
790 : : errdetail("To change another role's password, the current user must have the %s attribute and the %s option on the role.",
791 : : "CREATEROLE", "ADMIN")));
792 : : }
956 793 [ + + ]: 189 : else if (!superuser())
794 : : {
795 : : /*
796 : : * Even if you have both CREATEROLE and ADMIN OPTION on a role, you
797 : : * can only change the CREATEDB, REPLICATION, or BYPASSRLS attributes
798 : : * if they are set for your own role (or you are the superuser).
799 : : */
800 [ + + + + ]: 30 : if (dcreatedb && !have_createdb_privilege())
801 [ + - ]: 3 : ereport(ERROR,
802 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
803 : : errmsg("permission denied to alter role"),
804 : : errdetail("Only roles with the %s attribute may change the %s attribute.",
805 : : "CREATEDB", "CREATEDB")));
806 [ + + + + ]: 27 : if (disreplication && !has_rolreplication(currentUserId))
807 [ + - ]: 3 : ereport(ERROR,
808 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
809 : : errmsg("permission denied to alter role"),
810 : : errdetail("Only roles with the %s attribute may change the %s attribute.",
811 : : "REPLICATION", "REPLICATION")));
812 [ + + + + ]: 24 : if (dbypassRLS && !has_bypassrls_privilege(currentUserId))
813 [ + - ]: 3 : ereport(ERROR,
814 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
815 : : errmsg("permission denied to alter role"),
816 : : errdetail("Only roles with the %s attribute may change the %s attribute.",
817 : : "BYPASSRLS", "BYPASSRLS")));
818 : : }
819 : :
820 : : /* To add or drop members, you need ADMIN OPTION. */
970 821 [ + + + + ]: 195 : if (drolemembers && !is_admin_of_role(currentUserId, roleid))
822 [ + - ]: 6 : ereport(ERROR,
823 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
824 : : errmsg("permission denied to alter role"),
825 : : errdetail("Only roles with the %s option on role \"%s\" may add or drop members.",
826 : : "ADMIN", rolename)));
827 : :
828 : : /* Convert validuntil to internal form */
1331 peter@eisentraut.org 829 [ - + ]: 189 : if (dvalidUntil)
830 : : {
5771 tgl@sss.pgh.pa.us 831 :UBC 0 : validUntil_datum = DirectFunctionCall3(timestamptz_in,
832 : : CStringGetDatum(validUntil),
833 : : ObjectIdGetDatum(InvalidOid),
834 : : Int32GetDatum(-1));
835 : 0 : validUntil_null = false;
836 : : }
837 : : else
838 : : {
839 : : /* fetch existing setting in case hook needs it */
5771 tgl@sss.pgh.pa.us 840 :CBC 189 : validUntil_datum = SysCacheGetAttr(AUTHNAME, tuple,
841 : : Anum_pg_authid_rolvaliduntil,
842 : : &validUntil_null);
843 : : }
844 : :
845 : : /*
846 : : * Call the password checking hook if there is one defined
847 : : */
848 [ + + + - ]: 189 : if (check_password_hook && password)
3759 bruce@momjian.us 849 : 7 : (*check_password_hook) (rolename,
850 : : password,
851 : : get_password_type(password),
852 : : validUntil_datum,
853 : : validUntil_null);
854 : :
855 : : /*
856 : : * Build an updated tuple, perusing the information just obtained
857 : : */
858 : :
859 : : /*
860 : : * issuper/createrole/etc
861 : : */
1331 peter@eisentraut.org 862 [ + + ]: 185 : if (dissuper)
863 : : {
841 tgl@sss.pgh.pa.us 864 : 40 : bool should_be_super = boolVal(dissuper->arg);
865 : :
1138 rhaas@postgresql.org 866 [ + + - + ]: 40 : if (!should_be_super && roleid == BOOTSTRAP_SUPERUSERID)
1138 rhaas@postgresql.org 867 [ # # ]:UBC 0 : ereport(ERROR,
868 : : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
869 : : errmsg("permission denied to alter role"),
870 : : errdetail("The bootstrap superuser must have the %s attribute.",
871 : : "SUPERUSER")));
872 : :
1138 rhaas@postgresql.org 873 :CBC 40 : new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(should_be_super);
3910 alvherre@alvh.no-ip. 874 : 40 : new_record_repl[Anum_pg_authid_rolsuper - 1] = true;
875 : : }
876 : :
1331 peter@eisentraut.org 877 [ + + ]: 185 : if (dinherit)
878 : : {
879 : 30 : new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(boolVal(dinherit->arg));
3910 alvherre@alvh.no-ip. 880 : 30 : new_record_repl[Anum_pg_authid_rolinherit - 1] = true;
881 : : }
882 : :
1331 peter@eisentraut.org 883 [ + + ]: 185 : if (dcreaterole)
884 : : {
885 : 24 : new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(boolVal(dcreaterole->arg));
3910 alvherre@alvh.no-ip. 886 : 24 : new_record_repl[Anum_pg_authid_rolcreaterole - 1] = true;
887 : : }
888 : :
1331 peter@eisentraut.org 889 [ + + ]: 185 : if (dcreatedb)
890 : : {
891 : 30 : new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(boolVal(dcreatedb->arg));
3910 alvherre@alvh.no-ip. 892 : 30 : new_record_repl[Anum_pg_authid_rolcreatedb - 1] = true;
893 : : }
894 : :
1331 peter@eisentraut.org 895 [ + + ]: 185 : if (dcanlogin)
896 : : {
897 : 33 : new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(boolVal(dcanlogin->arg));
3910 alvherre@alvh.no-ip. 898 : 33 : new_record_repl[Anum_pg_authid_rolcanlogin - 1] = true;
899 : : }
900 : :
1331 peter@eisentraut.org 901 [ + + ]: 185 : if (disreplication)
902 : : {
903 : 56 : new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(boolVal(disreplication->arg));
3910 alvherre@alvh.no-ip. 904 : 56 : new_record_repl[Anum_pg_authid_rolreplication - 1] = true;
905 : : }
906 : :
7342 tgl@sss.pgh.pa.us 907 [ + + ]: 185 : if (dconnlimit)
908 : : {
909 : 3 : new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
6152 910 : 3 : new_record_repl[Anum_pg_authid_rolconnlimit - 1] = true;
911 : : }
912 : :
913 : : /* password */
8824 914 [ + + ]: 185 : if (password)
915 : : {
916 : : char *shadow_pass;
1334 michael@paquier.xyz 917 : 38 : const char *logdetail = NULL;
918 : :
919 : : /* Like in CREATE USER, don't allow an empty password. */
2952 heikki.linnakangas@i 920 [ + - + + ]: 76 : if (password[0] == '\0' ||
921 : 38 : plain_crypt_verify(rolename, password, "", &logdetail) == STATUS_OK)
922 : : {
923 [ + - ]: 6 : ereport(NOTICE,
924 : : (errmsg("empty string is not a valid password, clearing password")));
925 : 6 : new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
926 : : }
927 : : else
928 : : {
929 : : /* Encrypt the password to the requested format. */
930 : 32 : shadow_pass = encrypt_password(Password_encryption, rolename,
931 : : password);
932 : 29 : new_record[Anum_pg_authid_rolpassword - 1] =
933 : 29 : CStringGetTextDatum(shadow_pass);
934 : : }
6152 tgl@sss.pgh.pa.us 935 : 35 : new_record_repl[Anum_pg_authid_rolpassword - 1] = true;
936 : : }
937 : :
938 : : /* unset password */
7197 peter_e@gmx.net 939 [ + + - + ]: 182 : if (dpassword && dpassword->arg == NULL)
940 : : {
6152 tgl@sss.pgh.pa.us 941 :UBC 0 : new_record_repl[Anum_pg_authid_rolpassword - 1] = true;
942 : 0 : new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
943 : : }
944 : :
945 : : /* valid until */
5771 tgl@sss.pgh.pa.us 946 :CBC 182 : new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
947 : 182 : new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
948 : 182 : new_record_repl[Anum_pg_authid_rolvaliduntil - 1] = true;
949 : :
1331 peter@eisentraut.org 950 [ + + ]: 182 : if (dbypassRLS)
951 : : {
952 : 30 : new_record[Anum_pg_authid_rolbypassrls - 1] = BoolGetDatum(boolVal(dbypassRLS->arg));
3910 alvherre@alvh.no-ip. 953 : 30 : new_record_repl[Anum_pg_authid_rolbypassrls - 1] = true;
954 : : }
955 : :
6152 tgl@sss.pgh.pa.us 956 : 182 : new_tuple = heap_modify_tuple(tuple, pg_authid_dsc, new_record,
957 : : new_record_nulls, new_record_repl);
3140 alvherre@alvh.no-ip. 958 : 182 : CatalogTupleUpdate(pg_authid_rel, &tuple->t_self, new_tuple);
959 : :
4556 rhaas@postgresql.org 960 [ - + ]: 182 : InvokeObjectPostAlterHook(AuthIdRelationId, roleid, 0);
961 : :
9060 tgl@sss.pgh.pa.us 962 : 182 : ReleaseSysCache(tuple);
963 : 182 : heap_freetuple(new_tuple);
964 : :
1108 rhaas@postgresql.org 965 : 182 : InitGrantRoleOptions(&popt);
966 : :
967 : : /*
968 : : * Advance command counter so we can see new record; else tests in
969 : : * AddRoleMems may fail.
970 : : */
1331 peter@eisentraut.org 971 [ + + ]: 182 : if (drolemembers)
972 : : {
1213 tgl@sss.pgh.pa.us 973 : 15 : List *rolemembers = (List *) drolemembers->arg;
974 : :
7374 975 : 15 : CommandCounterIncrement();
976 : :
1213 977 [ + + ]: 15 : if (stmt->action == +1) /* add members to role */
975 rhaas@postgresql.org 978 : 9 : AddRoleMems(currentUserId, rolename, roleid,
979 : : rolemembers, roleSpecsToIds(rolemembers),
980 : : InvalidOid, &popt);
1331 peter@eisentraut.org 981 [ + - ]: 6 : else if (stmt->action == -1) /* drop members from role */
975 rhaas@postgresql.org 982 : 6 : DelRoleMems(currentUserId, rolename, roleid,
983 : : rolemembers, roleSpecsToIds(rolemembers),
984 : : InvalidOid, &popt, DROP_RESTRICT);
985 : : }
986 : :
987 : : /*
988 : : * Close pg_authid, but keep lock till commit.
989 : : */
2420 andres@anarazel.de 990 : 182 : table_close(pg_authid_rel, NoLock);
991 : :
4634 rhaas@postgresql.org 992 : 182 : return roleid;
993 : : }
994 : :
995 : :
996 : : /*
997 : : * ALTER ROLE ... SET
998 : : */
999 : : Oid
7375 tgl@sss.pgh.pa.us 1000 : 46 : AlterRoleSet(AlterRoleSetStmt *stmt)
1001 : : {
1002 : : HeapTuple roletuple;
1003 : : Form_pg_authid roleform;
5813 alvherre@alvh.no-ip. 1004 : 46 : Oid databaseid = InvalidOid;
4483 bruce@momjian.us 1005 : 46 : Oid roleid = InvalidOid;
1006 : :
4584 peter_e@gmx.net 1007 [ + + ]: 46 : if (stmt->role)
1008 : : {
3438 sfrost@snowman.net 1009 : 42 : check_rolespec_name(stmt->role,
1074 alvherre@alvh.no-ip. 1010 : 42 : _("Cannot alter reserved roles."));
1011 : :
3834 1012 : 42 : roletuple = get_rolespec_tuple(stmt->role);
2482 andres@anarazel.de 1013 : 38 : roleform = (Form_pg_authid) GETSTRUCT(roletuple);
1014 : 38 : roleid = roleform->oid;
1015 : :
1016 : : /*
1017 : : * Obtain a lock on the role and make sure it didn't go away in the
1018 : : * meantime.
1019 : : */
1020 : 38 : shdepLockAndCheckObject(AuthIdRelationId, roleid);
1021 : :
1022 : : /*
1023 : : * To mess with a superuser you gotta be superuser; otherwise you need
1024 : : * CREATEROLE plus admin option on the target role; unless you're just
1025 : : * trying to change your own settings
1026 : : */
1027 [ + + ]: 38 : if (roleform->rolsuper)
1028 : : {
4584 peter_e@gmx.net 1029 [ - + ]: 15 : if (!superuser())
4584 peter_e@gmx.net 1030 [ # # ]:UBC 0 : ereport(ERROR,
1031 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1032 : : errmsg("permission denied to alter role"),
1033 : : errdetail("Only roles with the %s attribute may alter roles with the %s attribute.",
1034 : : "SUPERUSER", "SUPERUSER")));
1035 : : }
1036 : : else
1037 : : {
970 rhaas@postgresql.org 1038 [ + + ]:CBC 23 : if ((!have_createrole_privilege() ||
841 tgl@sss.pgh.pa.us 1039 [ - + ]: 18 : !is_admin_of_role(GetUserId(), roleid))
970 rhaas@postgresql.org 1040 [ - + ]: 5 : && roleid != GetUserId())
4584 peter_e@gmx.net 1041 [ # # ]:UBC 0 : ereport(ERROR,
1042 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1043 : : errmsg("permission denied to alter role"),
1044 : : errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may alter this role.",
1045 : : "CREATEROLE", "ADMIN", NameStr(roleform->rolname))));
1046 : : }
1047 : :
4584 peter_e@gmx.net 1048 :CBC 38 : ReleaseSysCache(roletuple);
1049 : : }
1050 : :
1051 : : /* look up and lock the database, if specified */
5813 alvherre@alvh.no-ip. 1052 [ + + ]: 42 : if (stmt->database != NULL)
1053 : : {
5511 rhaas@postgresql.org 1054 : 2 : databaseid = get_database_oid(stmt->database, false);
5813 alvherre@alvh.no-ip. 1055 : 2 : shdepLockAndCheckObject(DatabaseRelationId, databaseid);
1056 : :
4584 peter_e@gmx.net 1057 [ - + ]: 2 : if (!stmt->role)
1058 : : {
1059 : : /*
1060 : : * If no role is specified, then this is effectively the same as
1061 : : * ALTER DATABASE ... SET, so use the same permission check.
1062 : : */
1028 peter@eisentraut.org 1063 [ # # ]:UBC 0 : if (!object_ownercheck(DatabaseRelationId, databaseid, GetUserId()))
2835 peter_e@gmx.net 1064 : 0 : aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_DATABASE,
4584 1065 : 0 : stmt->database);
1066 : : }
1067 : : }
1068 : :
4584 peter_e@gmx.net 1069 [ + + + - ]:CBC 42 : if (!stmt->role && !stmt->database)
1070 : : {
1071 : : /* Must be superuser to alter settings globally. */
1072 [ - + ]: 4 : if (!superuser())
4584 peter_e@gmx.net 1073 [ # # ]:UBC 0 : ereport(ERROR,
1074 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1075 : : errmsg("permission denied to alter setting"),
1076 : : errdetail("Only roles with the %s attribute may alter settings globally.",
1077 : : "SUPERUSER")));
1078 : : }
1079 : :
4584 peter_e@gmx.net 1080 :CBC 42 : AlterSetting(databaseid, roleid, stmt->setstmt);
1081 : :
4634 rhaas@postgresql.org 1082 : 41 : return roleid;
1083 : : }
1084 : :
1085 : :
1086 : : /*
1087 : : * DROP ROLE
1088 : : */
1089 : : void
7375 tgl@sss.pgh.pa.us 1090 : 860 : DropRole(DropRoleStmt *stmt)
1091 : : {
1092 : : Relation pg_authid_rel,
1093 : : pg_auth_members_rel;
1094 : : ListCell *item;
586 michael@paquier.xyz 1095 : 860 : List *role_oids = NIL;
1096 : :
3910 alvherre@alvh.no-ip. 1097 [ - + ]: 860 : if (!have_createrole_privilege())
8086 tgl@sss.pgh.pa.us 1098 [ # # ]:UBC 0 : ereport(ERROR,
1099 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1100 : : errmsg("permission denied to drop role"),
1101 : : errdetail("Only roles with the %s attribute and the %s option on the target roles may drop roles.",
1102 : : "CREATEROLE", "ADMIN")));
1103 : :
1104 : : /*
1105 : : * Scan the pg_authid relation to find the Oid of the role(s) to be
1106 : : * deleted and perform preliminary permissions and sanity checks.
1107 : : */
2420 andres@anarazel.de 1108 :CBC 860 : pg_authid_rel = table_open(AuthIdRelationId, RowExclusiveLock);
1109 : 860 : pg_auth_members_rel = table_open(AuthMemRelationId, RowExclusiveLock);
1110 : :
7375 tgl@sss.pgh.pa.us 1111 [ + - + + : 1721 : foreach(item, stmt->roles)
+ + ]
1112 : : {
3834 alvherre@alvh.no-ip. 1113 : 915 : RoleSpec *rolspec = lfirst(item);
1114 : : char *role;
1115 : : HeapTuple tuple,
1116 : : tmp_tuple;
1117 : : Form_pg_authid roleform;
1118 : : ScanKeyData scankey;
1119 : : SysScanDesc sscan;
1120 : : Oid roleid;
1121 : :
1122 [ - + ]: 915 : if (rolspec->roletype != ROLESPEC_CSTRING)
3834 alvherre@alvh.no-ip. 1123 [ # # ]:UBC 0 : ereport(ERROR,
1124 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1125 : : errmsg("cannot use special role specifier in DROP ROLE")));
3834 alvherre@alvh.no-ip. 1126 :CBC 915 : role = rolspec->rolename;
1127 : :
5683 rhaas@postgresql.org 1128 : 915 : tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
9278 bruce@momjian.us 1129 [ + + ]: 915 : if (!HeapTupleIsValid(tuple))
1130 : : {
7154 andrew@dunslane.net 1131 [ + + ]: 150 : if (!stmt->missing_ok)
1132 : : {
1133 [ + - ]: 45 : ereport(ERROR,
1134 : : (errcode(ERRCODE_UNDEFINED_OBJECT),
1135 : : errmsg("role \"%s\" does not exist", role)));
1136 : : }
1137 : : else
1138 : : {
1139 [ + + ]: 105 : ereport(NOTICE,
1140 : : (errmsg("role \"%s\" does not exist, skipping",
1141 : : role)));
1142 : : }
1143 : :
1144 : 105 : continue;
1145 : : }
1146 : :
2482 andres@anarazel.de 1147 : 765 : roleform = (Form_pg_authid) GETSTRUCT(tuple);
1148 : 765 : roleid = roleform->oid;
1149 : :
7375 tgl@sss.pgh.pa.us 1150 [ + + ]: 765 : if (roleid == GetUserId())
8086 1151 [ + - ]: 3 : ereport(ERROR,
1152 : : (errcode(ERRCODE_OBJECT_IN_USE),
1153 : : errmsg("current user cannot be dropped")));
7348 1154 [ - + ]: 762 : if (roleid == GetOuterUserId())
7348 tgl@sss.pgh.pa.us 1155 [ # # ]:UBC 0 : ereport(ERROR,
1156 : : (errcode(ERRCODE_OBJECT_IN_USE),
1157 : : errmsg("current user cannot be dropped")));
7375 tgl@sss.pgh.pa.us 1158 [ - + ]:CBC 762 : if (roleid == GetSessionUserId())
8086 tgl@sss.pgh.pa.us 1159 [ # # ]:UBC 0 : ereport(ERROR,
1160 : : (errcode(ERRCODE_OBJECT_IN_USE),
1161 : : errmsg("session user cannot be dropped")));
1162 : :
1163 : : /*
1164 : : * For safety's sake, we allow createrole holders to drop ordinary
1165 : : * roles but not superuser roles, and only if they also have ADMIN
1166 : : * OPTION.
1167 : : */
2482 andres@anarazel.de 1168 [ + + + + ]:CBC 762 : if (roleform->rolsuper && !superuser())
7374 tgl@sss.pgh.pa.us 1169 [ + - ]: 3 : ereport(ERROR,
1170 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1171 : : errmsg("permission denied to drop role"),
1172 : : errdetail("Only roles with the %s attribute may drop roles with the %s attribute.",
1173 : : "SUPERUSER", "SUPERUSER")));
970 rhaas@postgresql.org 1174 [ + + ]: 759 : if (!is_admin_of_role(GetUserId(), roleid))
1175 [ + - ]: 3 : ereport(ERROR,
1176 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1177 : : errmsg("permission denied to drop role"),
1178 : : errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.",
1179 : : "CREATEROLE", "ADMIN", NameStr(roleform->rolname))));
1180 : :
1181 : : /* DROP hook for the role being removed */
4567 1182 [ + + ]: 756 : InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
1183 : :
1184 : : /* Don't leak the syscache tuple */
1115 1185 : 756 : ReleaseSysCache(tuple);
1186 : :
1187 : : /*
1188 : : * Lock the role, so nobody can add dependencies to her while we drop
1189 : : * her. We keep the lock until the end of transaction.
1190 : : */
7366 tgl@sss.pgh.pa.us 1191 : 756 : LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock);
1192 : :
1193 : : /*
1194 : : * If there is a pg_auth_members entry that has one of the roles to be
1195 : : * dropped as the roleid or member, it should be silently removed, but
1196 : : * if there is a pg_auth_members entry that has one of the roles to be
1197 : : * dropped as the grantor, the operation should fail.
1198 : : *
1199 : : * It's possible, however, that a single pg_auth_members entry could
1200 : : * fall into multiple categories - e.g. the user could do "GRANT foo
1201 : : * TO bar GRANTED BY baz" and then "DROP ROLE baz, bar". We want such
1202 : : * an operation to succeed regardless of the order in which the
1203 : : * to-be-dropped roles are passed to DROP ROLE.
1204 : : *
1205 : : * To make that work, we remove all pg_auth_members entries that can
1206 : : * be silently removed in this loop, and then below we'll make a
1207 : : * second pass over the list of roles to be removed and check for any
1208 : : * remaining dependencies.
1209 : : */
7374 1210 : 756 : ScanKeyInit(&scankey,
1211 : : Anum_pg_auth_members_roleid,
1212 : : BTEqualStrategyNumber, F_OIDEQ,
1213 : : ObjectIdGetDatum(roleid));
1214 : :
1215 : 756 : sscan = systable_beginscan(pg_auth_members_rel, AuthMemRoleMemIndexId,
1216 : : true, NULL, 1, &scankey);
1217 : :
1218 [ + + ]: 880 : while (HeapTupleIsValid(tmp_tuple = systable_getnext(sscan)))
1219 : : {
1220 : : Form_pg_auth_members authmem_form;
1221 : :
1115 rhaas@postgresql.org 1222 : 124 : authmem_form = (Form_pg_auth_members) GETSTRUCT(tmp_tuple);
1223 : 124 : deleteSharedDependencyRecordsFor(AuthMemRelationId,
1224 : : authmem_form->oid, 0);
3139 tgl@sss.pgh.pa.us 1225 : 124 : CatalogTupleDelete(pg_auth_members_rel, &tmp_tuple->t_self);
1226 : : }
1227 : :
7374 1228 : 756 : systable_endscan(sscan);
1229 : :
1230 : 756 : ScanKeyInit(&scankey,
1231 : : Anum_pg_auth_members_member,
1232 : : BTEqualStrategyNumber, F_OIDEQ,
1233 : : ObjectIdGetDatum(roleid));
1234 : :
1235 : 756 : sscan = systable_beginscan(pg_auth_members_rel, AuthMemMemRoleIndexId,
1236 : : true, NULL, 1, &scankey);
1237 : :
1238 [ + + ]: 876 : while (HeapTupleIsValid(tmp_tuple = systable_getnext(sscan)))
1239 : : {
1240 : : Form_pg_auth_members authmem_form;
1241 : :
1115 rhaas@postgresql.org 1242 : 120 : authmem_form = (Form_pg_auth_members) GETSTRUCT(tmp_tuple);
1243 : 120 : deleteSharedDependencyRecordsFor(AuthMemRelationId,
1244 : : authmem_form->oid, 0);
3139 tgl@sss.pgh.pa.us 1245 : 120 : CatalogTupleDelete(pg_auth_members_rel, &tmp_tuple->t_self);
1246 : : }
1247 : :
7374 1248 : 756 : systable_endscan(sscan);
1249 : :
1250 : : /*
1251 : : * Advance command counter so that later iterations of this loop will
1252 : : * see the changes already made. This is essential if, for example,
1253 : : * we are trying to drop both a role and one of its direct members ---
1254 : : * we'll get an error if we try to delete the linking pg_auth_members
1255 : : * tuple twice. (We do not need a CCI between the two delete loops
1256 : : * above, because it's not allowed for a role to directly contain
1257 : : * itself.)
1258 : : */
1259 : 756 : CommandCounterIncrement();
1260 : :
1261 : : /* Looks tentatively OK, add it to the list if not there yet. */
586 michael@paquier.xyz 1262 : 756 : role_oids = list_append_unique_oid(role_oids, roleid);
1263 : : }
1264 : :
1265 : : /*
1266 : : * Second pass over the roles to be removed.
1267 : : */
1268 [ + + + + : 1497 : foreach(item, role_oids)
+ + ]
1269 : : {
1270 : 753 : Oid roleid = lfirst_oid(item);
1271 : : HeapTuple tuple;
1272 : : Form_pg_authid roleform;
1273 : : char *detail;
1274 : : char *detail_log;
1275 : :
1276 : : /*
1277 : : * Re-find the pg_authid tuple.
1278 : : *
1279 : : * Since we've taken a lock on the role OID, it shouldn't be possible
1280 : : * for the tuple to have been deleted -- or for that matter updated --
1281 : : * unless the user is manually modifying the system catalogs.
1282 : : */
1115 rhaas@postgresql.org 1283 : 753 : tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
1284 [ - + ]: 753 : if (!HeapTupleIsValid(tuple))
1115 rhaas@postgresql.org 1285 [ # # ]:UBC 0 : elog(ERROR, "could not find tuple for role %u", roleid);
1115 rhaas@postgresql.org 1286 :CBC 753 : roleform = (Form_pg_authid) GETSTRUCT(tuple);
1287 : :
1288 : : /*
1289 : : * Check for pg_shdepend entries depending on this role.
1290 : : *
1291 : : * This needs to happen after we've completed removing any
1292 : : * pg_auth_members entries that can be removed silently, in order to
1293 : : * avoid spurious failures. See notes above for more details.
1294 : : */
1295 [ + + ]: 753 : if (checkSharedDependencies(AuthIdRelationId, roleid,
1296 : : &detail, &detail_log))
1297 [ + - ]: 62 : ereport(ERROR,
1298 : : (errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
1299 : : errmsg("role \"%s\" cannot be dropped because some objects depend on it",
1300 : : NameStr(roleform->rolname)),
1301 : : errdetail_internal("%s", detail),
1302 : : errdetail_log("%s", detail_log)));
1303 : :
1304 : : /*
1305 : : * Remove the role from the pg_authid table
1306 : : */
1307 : 691 : CatalogTupleDelete(pg_authid_rel, &tuple->t_self);
1308 : :
1309 : 691 : ReleaseSysCache(tuple);
1310 : :
1311 : : /*
1312 : : * Remove any comments or security labels on this role.
1313 : : */
1314 : 691 : DeleteSharedComments(roleid, AuthIdRelationId);
1315 : 691 : DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
1316 : :
1317 : : /*
1318 : : * Remove settings for this role.
1319 : : */
1320 : 691 : DropSetting(InvalidOid, roleid);
1321 : : }
1322 : :
1323 : : /*
1324 : : * Now we can clean up; but keep locks until commit.
1325 : : */
2420 andres@anarazel.de 1326 : 744 : table_close(pg_auth_members_rel, NoLock);
1327 : 744 : table_close(pg_authid_rel, NoLock);
10138 scrappy@hub.org 1328 : 744 : }
1329 : :
1330 : : /*
1331 : : * Rename role
1332 : : */
1333 : : ObjectAddress
7375 tgl@sss.pgh.pa.us 1334 : 16 : RenameRole(const char *oldname, const char *newname)
1335 : : {
1336 : : HeapTuple oldtuple,
1337 : : newtuple;
1338 : : TupleDesc dsc;
1339 : : Relation rel;
1340 : : Datum datum;
1341 : : bool isnull;
1342 : : Datum repl_val[Natts_pg_authid];
1343 : : bool repl_null[Natts_pg_authid];
1344 : : bool repl_repl[Natts_pg_authid];
1345 : : int i;
1346 : : Oid roleid;
1347 : : ObjectAddress address;
1348 : : Form_pg_authid authform;
1349 : :
2420 andres@anarazel.de 1350 : 16 : rel = table_open(AuthIdRelationId, RowExclusiveLock);
7793 bruce@momjian.us 1351 : 16 : dsc = RelationGetDescr(rel);
1352 : :
5683 rhaas@postgresql.org 1353 : 16 : oldtuple = SearchSysCache1(AUTHNAME, CStringGetDatum(oldname));
7793 bruce@momjian.us 1354 [ - + ]: 16 : if (!HeapTupleIsValid(oldtuple))
8107 peter_e@gmx.net 1355 [ # # ]:UBC 0 : ereport(ERROR,
1356 : : (errcode(ERRCODE_UNDEFINED_OBJECT),
1357 : : errmsg("role \"%s\" does not exist", oldname)));
1358 : :
1359 : : /*
1360 : : * XXX Client applications probably store the session user somewhere, so
1361 : : * renaming it could cause confusion. On the other hand, there may not be
1362 : : * an actual problem besides a little confusion, so think about this and
1363 : : * decide. Same for SET ROLE ... we don't restrict renaming the current
1364 : : * effective userid, though.
1365 : : */
1366 : :
3438 sfrost@snowman.net 1367 :CBC 16 : authform = (Form_pg_authid) GETSTRUCT(oldtuple);
2482 andres@anarazel.de 1368 : 16 : roleid = authform->oid;
1369 : :
7375 tgl@sss.pgh.pa.us 1370 [ - + ]: 16 : if (roleid == GetSessionUserId())
8107 peter_e@gmx.net 1371 [ # # ]:UBC 0 : ereport(ERROR,
1372 : : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1373 : : errmsg("session user cannot be renamed")));
7348 tgl@sss.pgh.pa.us 1374 [ - + ]:CBC 16 : if (roleid == GetOuterUserId())
7348 tgl@sss.pgh.pa.us 1375 [ # # ]:UBC 0 : ereport(ERROR,
1376 : : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1377 : : errmsg("current user cannot be renamed")));
1378 : :
1379 : : /*
1380 : : * Check that the user is not trying to rename a system role and not
1381 : : * trying to rename a role into the reserved "pg_" namespace.
1382 : : */
3438 sfrost@snowman.net 1383 [ - + ]:CBC 16 : if (IsReservedName(NameStr(authform->rolname)))
3438 sfrost@snowman.net 1384 [ # # ]:UBC 0 : ereport(ERROR,
1385 : : (errcode(ERRCODE_RESERVED_NAME),
1386 : : errmsg("role name \"%s\" is reserved",
1387 : : NameStr(authform->rolname)),
1388 : : errdetail("Role names starting with \"pg_\" are reserved.")));
1389 : :
3438 sfrost@snowman.net 1390 [ - + ]:CBC 16 : if (IsReservedName(newname))
3438 sfrost@snowman.net 1391 [ # # ]:UBC 0 : ereport(ERROR,
1392 : : (errcode(ERRCODE_RESERVED_NAME),
1393 : : errmsg("role name \"%s\" is reserved",
1394 : : newname),
1395 : : errdetail("Role names starting with \"pg_\" are reserved.")));
1396 : :
1397 : : /*
1398 : : * If built with appropriate switch, whine when regression-testing
1399 : : * conventions for role names are violated.
1400 : : */
1401 : : #ifdef ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS
1402 : : if (strncmp(newname, "regress_", 8) != 0)
1403 : : elog(WARNING, "roles created by regression test cases should have names starting with \"regress_\"");
1404 : : #endif
1405 : :
1406 : : /* make sure the new name doesn't exist */
5683 rhaas@postgresql.org 1407 [ - + ]:CBC 16 : if (SearchSysCacheExists1(AUTHNAME, CStringGetDatum(newname)))
8107 peter_e@gmx.net 1408 [ # # ]:UBC 0 : ereport(ERROR,
1409 : : (errcode(ERRCODE_DUPLICATE_OBJECT),
1410 : : errmsg("role \"%s\" already exists", newname)));
1411 : :
1412 : : /*
1413 : : * Only superusers can mess with superusers. Otherwise, a user with
1414 : : * CREATEROLE can rename a role for which they have ADMIN OPTION.
1415 : : */
905 peter@eisentraut.org 1416 [ + + ]:CBC 16 : if (authform->rolsuper)
1417 : : {
7374 tgl@sss.pgh.pa.us 1418 [ - + ]: 3 : if (!superuser())
7374 tgl@sss.pgh.pa.us 1419 [ # # ]:UBC 0 : ereport(ERROR,
1420 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1421 : : errmsg("permission denied to rename role"),
1422 : : errdetail("Only roles with the %s attribute may rename roles with the %s attribute.",
1423 : : "SUPERUSER", "SUPERUSER")));
1424 : : }
1425 : : else
1426 : : {
970 rhaas@postgresql.org 1427 [ + - ]:CBC 13 : if (!have_createrole_privilege() ||
1428 [ + + ]: 13 : !is_admin_of_role(GetUserId(), roleid))
7374 tgl@sss.pgh.pa.us 1429 [ + - ]: 3 : ereport(ERROR,
1430 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1431 : : errmsg("permission denied to rename role"),
1432 : : errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may rename this role.",
1433 : : "CREATEROLE", "ADMIN", NameStr(authform->rolname))));
1434 : : }
1435 : :
1436 : : /* OK, construct the modified tuple */
7375 1437 [ + + ]: 169 : for (i = 0; i < Natts_pg_authid; i++)
6152 1438 : 156 : repl_repl[i] = false;
1439 : :
1440 : 13 : repl_repl[Anum_pg_authid_rolname - 1] = true;
7375 1441 : 13 : repl_val[Anum_pg_authid_rolname - 1] = DirectFunctionCall1(namein,
1442 : : CStringGetDatum(newname));
6152 1443 : 13 : repl_null[Anum_pg_authid_rolname - 1] = false;
1444 : :
7375 1445 : 13 : datum = heap_getattr(oldtuple, Anum_pg_authid_rolpassword, dsc, &isnull);
1446 : :
3139 heikki.linnakangas@i 1447 [ + + + - ]: 13 : if (!isnull && get_password_type(TextDatumGetCString(datum)) == PASSWORD_TYPE_MD5)
1448 : : {
1449 : : /* MD5 uses the username as salt, so just clear it on a rename */
6152 tgl@sss.pgh.pa.us 1450 : 3 : repl_repl[Anum_pg_authid_rolpassword - 1] = true;
1451 : 3 : repl_null[Anum_pg_authid_rolpassword - 1] = true;
1452 : :
7793 bruce@momjian.us 1453 [ + - ]: 3 : ereport(NOTICE,
1454 : : (errmsg("MD5 password cleared because of role rename")));
1455 : : }
1456 : :
6152 tgl@sss.pgh.pa.us 1457 : 13 : newtuple = heap_modify_tuple(oldtuple, dsc, repl_val, repl_null, repl_repl);
3140 alvherre@alvh.no-ip. 1458 : 13 : CatalogTupleUpdate(rel, &oldtuple->t_self, newtuple);
1459 : :
4556 rhaas@postgresql.org 1460 [ - + ]: 13 : InvokeObjectPostAlterHook(AuthIdRelationId, roleid, 0);
1461 : :
3840 alvherre@alvh.no-ip. 1462 : 13 : ObjectAddressSet(address, AuthIdRelationId, roleid);
1463 : :
7793 bruce@momjian.us 1464 : 13 : ReleaseSysCache(oldtuple);
1465 : :
1466 : : /*
1467 : : * Close pg_authid, but keep lock till commit.
1468 : : */
2420 andres@anarazel.de 1469 : 13 : table_close(rel, NoLock);
1470 : :
3840 alvherre@alvh.no-ip. 1471 : 13 : return address;
1472 : : }
1473 : :
1474 : : /*
1475 : : * GrantRoleStmt
1476 : : *
1477 : : * Grant/Revoke roles to/from roles
1478 : : */
1479 : : void
1108 rhaas@postgresql.org 1480 : 465 : GrantRole(ParseState *pstate, GrantRoleStmt *stmt)
1481 : : {
1482 : : Relation pg_authid_rel;
1483 : : Oid grantor;
1484 : : List *grantee_ids;
1485 : : ListCell *item;
1486 : : GrantRoleOptions popt;
975 1487 : 465 : Oid currentUserId = GetUserId();
1488 : :
1489 : : /* Parse options list. */
1108 1490 : 465 : InitGrantRoleOptions(&popt);
1491 [ + + + + : 647 : foreach(item, stmt->opt)
+ + ]
1492 : : {
841 tgl@sss.pgh.pa.us 1493 : 182 : DefElem *opt = (DefElem *) lfirst(item);
1108 rhaas@postgresql.org 1494 : 182 : char *optval = defGetString(opt);
1495 : :
1496 [ + + ]: 182 : if (strcmp(opt->defname, "admin") == 0)
1497 : : {
1498 : 94 : popt.specified |= GRANT_ROLE_SPECIFIED_ADMIN;
1499 : :
1500 [ + - ]: 94 : if (parse_bool(optval, &popt.admin))
1501 : 94 : continue;
1502 : : }
1503 [ + + ]: 88 : else if (strcmp(opt->defname, "inherit") == 0)
1504 : : {
1505 : 47 : popt.specified |= GRANT_ROLE_SPECIFIED_INHERIT;
1506 [ + - ]: 47 : if (parse_bool(optval, &popt.inherit))
1507 : 47 : continue;
1508 : : }
1023 1509 [ + - ]: 41 : else if (strcmp(opt->defname, "set") == 0)
1510 : : {
1511 : 41 : popt.specified |= GRANT_ROLE_SPECIFIED_SET;
1512 [ + - ]: 41 : if (parse_bool(optval, &popt.set))
1513 : 41 : continue;
1514 : : }
1515 : : else
1108 rhaas@postgresql.org 1516 [ # # ]:UBC 0 : ereport(ERROR,
1517 : : errcode(ERRCODE_SYNTAX_ERROR),
1518 : : errmsg("unrecognized role option \"%s\"", opt->defname),
1519 : : parser_errposition(pstate, opt->location));
1520 : :
1521 [ # # ]: 0 : ereport(ERROR,
1522 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1523 : : errmsg("unrecognized value for role option \"%s\": \"%s\"",
1524 : : opt->defname, optval),
1525 : : parser_errposition(pstate, opt->location)));
1526 : : }
1527 : :
1528 : : /* Lookup OID of grantor, if specified. */
7375 tgl@sss.pgh.pa.us 1529 [ + + ]:CBC 465 : if (stmt->grantor)
3834 alvherre@alvh.no-ip. 1530 : 60 : grantor = get_rolespec_oid(stmt->grantor, false);
1531 : : else
1111 rhaas@postgresql.org 1532 : 405 : grantor = InvalidOid;
1533 : :
3834 alvherre@alvh.no-ip. 1534 : 462 : grantee_ids = roleSpecsToIds(stmt->grantee_roles);
1535 : :
1536 : : /* AccessShareLock is enough since we aren't modifying pg_authid */
2420 andres@anarazel.de 1537 : 462 : pg_authid_rel = table_open(AuthIdRelationId, AccessShareLock);
1538 : :
1539 : : /*
1540 : : * Step through all of the granted roles and add, update, or remove
1541 : : * entries in pg_auth_members as appropriate. If stmt->is_grant is true,
1542 : : * we are adding new grants or, if they already exist, updating options on
1543 : : * those grants. If stmt->is_grant is false, we are revoking grants or
1544 : : * removing options from them.
1545 : : */
7375 tgl@sss.pgh.pa.us 1546 [ + - + + : 865 : foreach(item, stmt->granted_roles)
+ + ]
1547 : : {
6071 1548 : 463 : AccessPriv *priv = (AccessPriv *) lfirst(item);
1549 : 463 : char *rolename = priv->priv_name;
1550 : : Oid roleid;
1551 : :
1552 : : /* Must reject priv(columns) and ALL PRIVILEGES(columns) */
1553 [ + - - + ]: 463 : if (rolename == NULL || priv->cols != NIL)
6071 tgl@sss.pgh.pa.us 1554 [ # # ]:UBC 0 : ereport(ERROR,
1555 : : (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1556 : : errmsg("column names cannot be included in GRANT/REVOKE ROLE")));
1557 : :
5511 rhaas@postgresql.org 1558 :CBC 463 : roleid = get_role_oid(rolename, false);
975 1559 : 463 : check_role_membership_authorization(currentUserId,
1560 : 463 : roleid, stmt->is_grant);
7375 tgl@sss.pgh.pa.us 1561 [ + + ]: 418 : if (stmt->is_grant)
975 rhaas@postgresql.org 1562 : 343 : AddRoleMems(currentUserId, rolename, roleid,
1563 : : stmt->grantee_roles, grantee_ids,
1564 : : grantor, &popt);
1565 : : else
1566 : 75 : DelRoleMems(currentUserId, rolename, roleid,
1567 : : stmt->grantee_roles, grantee_ids,
1568 : : grantor, &popt, stmt->behavior);
1569 : : }
1570 : :
1571 : : /*
1572 : : * Close pg_authid, but keep lock till commit.
1573 : : */
2420 andres@anarazel.de 1574 : 402 : table_close(pg_authid_rel, NoLock);
7375 tgl@sss.pgh.pa.us 1575 : 402 : }
1576 : :
1577 : : /*
1578 : : * DropOwnedObjects
1579 : : *
1580 : : * Drop the objects owned by a given list of roles.
1581 : : */
1582 : : void
6912 bruce@momjian.us 1583 : 77 : DropOwnedObjects(DropOwnedStmt *stmt)
1584 : : {
3834 alvherre@alvh.no-ip. 1585 : 77 : List *role_ids = roleSpecsToIds(stmt->roles);
1586 : : ListCell *cell;
1587 : :
1588 : : /* Check privileges */
7228 bruce@momjian.us 1589 [ + - + + : 163 : foreach(cell, role_ids)
+ + ]
1590 : : {
1591 : 92 : Oid roleid = lfirst_oid(cell);
1592 : :
7229 alvherre@alvh.no-ip. 1593 [ + + ]: 92 : if (!has_privs_of_role(GetUserId(), roleid))
1594 [ + - ]: 6 : ereport(ERROR,
1595 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1596 : : errmsg("permission denied to drop objects"),
1597 : : errdetail("Only roles with privileges of role \"%s\" may drop objects owned by it.",
1598 : : GetUserNameFromId(roleid, false))));
1599 : : }
1600 : :
1601 : : /* Ok, do it */
1602 : 71 : shdepDropOwned(role_ids, stmt->behavior);
1603 : 68 : }
1604 : :
1605 : : /*
1606 : : * ReassignOwnedObjects
1607 : : *
1608 : : * Give the objects owned by a given list of roles away to another user.
1609 : : */
1610 : : void
6912 bruce@momjian.us 1611 : 26 : ReassignOwnedObjects(ReassignOwnedStmt *stmt)
1612 : : {
3834 alvherre@alvh.no-ip. 1613 : 26 : List *role_ids = roleSpecsToIds(stmt->roles);
1614 : : ListCell *cell;
1615 : : Oid newrole;
1616 : :
1617 : : /* Check privileges */
7228 bruce@momjian.us 1618 [ + - + + : 46 : foreach(cell, role_ids)
+ + ]
1619 : : {
1620 : 26 : Oid roleid = lfirst_oid(cell);
1621 : :
7229 alvherre@alvh.no-ip. 1622 [ + + ]: 26 : if (!has_privs_of_role(GetUserId(), roleid))
1623 [ + - ]: 6 : ereport(ERROR,
1624 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1625 : : errmsg("permission denied to reassign objects"),
1626 : : errdetail("Only roles with privileges of role \"%s\" may reassign objects owned by it.",
1627 : : GetUserNameFromId(roleid, false))));
1628 : : }
1629 : :
1630 : : /* Must have privileges on the receiving side too */
3834 1631 : 20 : newrole = get_rolespec_oid(stmt->newrole, false);
1632 : :
7229 1633 [ + + ]: 20 : if (!has_privs_of_role(GetUserId(), newrole))
7228 bruce@momjian.us 1634 [ + - ]: 3 : ereport(ERROR,
1635 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1636 : : errmsg("permission denied to reassign objects"),
1637 : : errdetail("Only roles with privileges of role \"%s\" may reassign objects to it.",
1638 : : GetUserNameFromId(newrole, false))));
1639 : :
1640 : : /* Ok, do it */
7229 alvherre@alvh.no-ip. 1641 : 17 : shdepReassignOwned(role_ids, newrole);
1642 : 17 : }
1643 : :
1644 : : /*
1645 : : * roleSpecsToIds
1646 : : *
1647 : : * Given a list of RoleSpecs, generate a list of role OIDs in the same order.
1648 : : *
1649 : : * ROLESPEC_PUBLIC is not allowed.
1650 : : */
1651 : : List *
3834 1652 : 2286 : roleSpecsToIds(List *memberNames)
1653 : : {
7375 tgl@sss.pgh.pa.us 1654 : 2286 : List *result = NIL;
1655 : : ListCell *l;
1656 : :
1657 [ + + + + : 2950 : foreach(l, memberNames)
+ + ]
1658 : : {
3071 1659 : 664 : RoleSpec *rolespec = lfirst_node(RoleSpec, l);
1660 : : Oid roleid;
1661 : :
3834 alvherre@alvh.no-ip. 1662 : 664 : roleid = get_rolespec_oid(rolespec, false);
7375 tgl@sss.pgh.pa.us 1663 : 664 : result = lappend_oid(result, roleid);
1664 : : }
1665 : 2286 : return result;
1666 : : }
1667 : :
1668 : : /*
1669 : : * AddRoleMems -- Add given members to the specified role
1670 : : *
1671 : : * currentUserId: OID of role performing the operation
1672 : : * rolename: name of role to add to (used only for error messages)
1673 : : * roleid: OID of role to add to
1674 : : * memberSpecs: list of RoleSpec of roles to add (used only for error messages)
1675 : : * memberIds: OIDs of roles to add
1676 : : * grantorId: OID that should be recorded as having granted the membership
1677 : : * (InvalidOid if not set explicitly)
1678 : : * popt: information about grant options
1679 : : */
1680 : : static void
975 rhaas@postgresql.org 1681 : 2119 : AddRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
1682 : : List *memberSpecs, List *memberIds,
1683 : : Oid grantorId, GrantRoleOptions *popt)
1684 : : {
1685 : : Relation pg_authmem_rel;
1686 : : TupleDesc pg_authmem_dsc;
1687 : : ListCell *specitem;
1688 : : ListCell *iditem;
1689 : :
3834 alvherre@alvh.no-ip. 1690 [ - + ]: 2119 : Assert(list_length(memberSpecs) == list_length(memberIds));
1691 : :
1692 : : /* Validate grantor (and resolve implicit grantor if not specified). */
1111 rhaas@postgresql.org 1693 : 2119 : grantorId = check_role_grantor(currentUserId, roleid, grantorId, true);
1694 : :
2420 andres@anarazel.de 1695 : 2116 : pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
7375 tgl@sss.pgh.pa.us 1696 : 2116 : pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
1697 : :
1698 : : /*
1699 : : * Only allow changes to this role by one backend at a time, so that we
1700 : : * can check integrity constraints like the lack of circular ADMIN OPTION
1701 : : * grants without fear of race conditions.
1702 : : */
1111 rhaas@postgresql.org 1703 : 2116 : LockSharedObject(AuthIdRelationId, roleid, 0,
1704 : : ShareUpdateExclusiveLock);
1705 : :
1706 : : /* Preliminary sanity checks. */
3834 alvherre@alvh.no-ip. 1707 [ + + + + : 2601 : forboth(specitem, memberSpecs, iditem, memberIds)
+ + + + +
+ + - +
+ ]
1708 : : {
1960 rhodiumtoad@postgres 1709 : 494 : RoleSpec *memberRole = lfirst_node(RoleSpec, specitem);
7375 tgl@sss.pgh.pa.us 1710 : 494 : Oid memberid = lfirst_oid(iditem);
1711 : :
1712 : : /*
1713 : : * pg_database_owner is never a role member. Lifting this restriction
1714 : : * would require a policy decision about membership loops. One could
1715 : : * prevent loops, which would include making "ALTER DATABASE x OWNER
1716 : : * TO proposed_datdba" fail if is_member_of_role(pg_database_owner,
1717 : : * proposed_datdba). Hence, gaining a membership could reduce what a
1718 : : * role could do. Alternately, one could allow these memberships to
1719 : : * complete loops. A role could then have actual WITH ADMIN OPTION on
1720 : : * itself, prompting a decision about is_admin_of_role() treatment of
1721 : : * the case.
1722 : : *
1723 : : * Lifting this restriction also has policy implications for ownership
1724 : : * of shared objects (databases and tablespaces). We allow such
1725 : : * ownership, but we might find cause to ban it in the future.
1726 : : * Designing such a ban would more troublesome if the design had to
1727 : : * address pg_database_owner being a member of role FOO that owns a
1728 : : * shared object. (The effect of such ownership is that any owner of
1729 : : * another database can act as the owner of affected shared objects.)
1730 : : */
1610 noah@leadboat.com 1731 [ + + ]: 494 : if (memberid == ROLE_PG_DATABASE_OWNER)
1625 1732 [ + - ]: 3 : ereport(ERROR,
1733 : : errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1734 : : errmsg("role \"%s\" cannot be a member of any role",
1735 : : get_rolespec_name(memberRole)));
1736 : :
1737 : : /*
1738 : : * Refuse creation of membership loops, including the trivial case
1739 : : * where a role is made a member of itself. We do this by checking to
1740 : : * see if the target role is already a member of the proposed member
1741 : : * role. We have to ignore possible superuserness, however, else we
1742 : : * could never grant membership in a superuser-privileged role.
1743 : : */
7246 tgl@sss.pgh.pa.us 1744 [ + + ]: 491 : if (is_member_of_role_nosuper(roleid, memberid))
7374 1745 [ + - ]: 6 : ereport(ERROR,
1746 : : (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1747 : : errmsg("role \"%s\" is a member of role \"%s\"",
1748 : : rolename, get_rolespec_name(memberRole))));
1749 : : }
1750 : :
1751 : : /*
1752 : : * Disallow attempts to grant ADMIN OPTION back to a user who granted it
1753 : : * to you, similar to what check_circularity does for ACLs. We want the
1754 : : * chains of grants to remain acyclic, so that it's always possible to use
1755 : : * REVOKE .. CASCADE to clean up all grants that depend on the one being
1756 : : * revoked.
1757 : : *
1758 : : * NB: This check might look redundant with the check for membership loops
1759 : : * above, but it isn't. That's checking for role-member loop (e.g. A is a
1760 : : * member of B and B is a member of A) while this is checking for a
1761 : : * member-grantor loop (e.g. A gave ADMIN OPTION on X to B and now B, who
1762 : : * has no other source of ADMIN OPTION on X, tries to give ADMIN OPTION on
1763 : : * X back to A).
1764 : : */
1108 rhaas@postgresql.org 1765 [ + + + + ]: 2107 : if (popt->admin && grantorId != BOOTSTRAP_SUPERUSERID)
1766 : : {
1767 : : CatCList *memlist;
1768 : : RevokeRoleGrantAction *actions;
1769 : : int i;
1770 : :
1771 : : /* Get the list of members for this role. */
1111 1772 : 72 : memlist = SearchSysCacheList1(AUTHMEMROLEMEM,
1773 : : ObjectIdGetDatum(roleid));
1774 : :
1775 : : /*
1776 : : * Figure out what would happen if we removed all existing grants to
1777 : : * every role to which we've been asked to make a new grant.
1778 : : */
1779 : 72 : actions = initialize_revoke_actions(memlist);
1780 [ + + + + : 114 : foreach(iditem, memberIds)
+ + ]
1781 : : {
1782 : 42 : Oid memberid = lfirst_oid(iditem);
1783 : :
1784 [ - + ]: 42 : if (memberid == BOOTSTRAP_SUPERUSERID)
1111 rhaas@postgresql.org 1785 [ # # ]:UBC 0 : ereport(ERROR,
1786 : : (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1787 : : errmsg("%s option cannot be granted back to your own grantor",
1788 : : "ADMIN")));
1111 rhaas@postgresql.org 1789 :CBC 42 : plan_member_revoke(memlist, actions, memberid);
1790 : : }
1791 : :
1792 : : /*
1793 : : * If the result would be that the grantor role would no longer have
1794 : : * the ability to perform the grant, then the proposed grant would
1795 : : * create a circularity.
1796 : : */
1797 [ + + ]: 87 : for (i = 0; i < memlist->n_members; ++i)
1798 : : {
1799 : : HeapTuple authmem_tuple;
1800 : : Form_pg_auth_members authmem_form;
1801 : :
1802 : 84 : authmem_tuple = &memlist->members[i]->tuple;
1803 : 84 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
1804 : :
1805 [ + + ]: 84 : if (actions[i] == RRG_NOOP &&
1806 [ + + ]: 78 : authmem_form->member == grantorId &&
1807 [ + - ]: 69 : authmem_form->admin_option)
1808 : 69 : break;
1809 : : }
1810 [ + + ]: 72 : if (i >= memlist->n_members)
1811 [ + - ]: 3 : ereport(ERROR,
1812 : : (errcode(ERRCODE_INVALID_GRANT_OPERATION),
1813 : : errmsg("%s option cannot be granted back to your own grantor",
1814 : : "ADMIN")));
1815 : :
1816 : 69 : ReleaseSysCacheList(memlist);
1817 : : }
1818 : :
1819 : : /* Now perform the catalog updates. */
1820 [ + + + + : 2586 : forboth(specitem, memberSpecs, iditem, memberIds)
+ + + + +
+ + - +
+ ]
1821 : : {
1822 : 482 : RoleSpec *memberRole = lfirst_node(RoleSpec, specitem);
1823 : 482 : Oid memberid = lfirst_oid(iditem);
1824 : : HeapTuple authmem_tuple;
1825 : : HeapTuple tuple;
1826 : 482 : Datum new_record[Natts_pg_auth_members] = {0};
1827 : 482 : bool new_record_nulls[Natts_pg_auth_members] = {0};
1828 : 482 : bool new_record_repl[Natts_pg_auth_members] = {0};
1829 : :
1830 : : /* Common initialization for possible insert or update */
1108 1831 : 482 : new_record[Anum_pg_auth_members_roleid - 1] =
1832 : 482 : ObjectIdGetDatum(roleid);
1833 : 482 : new_record[Anum_pg_auth_members_member - 1] =
1834 : 482 : ObjectIdGetDatum(memberid);
1835 : 482 : new_record[Anum_pg_auth_members_grantor - 1] =
1836 : 482 : ObjectIdGetDatum(grantorId);
1837 : :
1838 : : /* Find any existing tuple */
1111 1839 : 482 : authmem_tuple = SearchSysCache3(AUTHMEMROLEMEM,
1840 : : ObjectIdGetDatum(roleid),
1841 : : ObjectIdGetDatum(memberid),
1842 : : ObjectIdGetDatum(grantorId));
1843 : :
1844 : : /*
1845 : : * If we found a tuple, update it with new option values, unless there
1846 : : * are no changes, in which case issue a WARNING.
1847 : : *
1848 : : * If we didn't find a tuple, just insert one.
1849 : : */
1108 1850 [ + + ]: 482 : if (HeapTupleIsValid(authmem_tuple))
1851 : : {
1852 : : Form_pg_auth_members authmem_form;
1853 : 17 : bool at_least_one_change = false;
1854 : :
1115 1855 : 17 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
1856 : :
1108 1857 [ - + ]: 17 : if ((popt->specified & GRANT_ROLE_SPECIFIED_ADMIN) != 0
1108 rhaas@postgresql.org 1858 [ # # ]:UBC 0 : && authmem_form->admin_option != popt->admin)
1859 : : {
1860 : 0 : new_record[Anum_pg_auth_members_admin_option - 1] =
1861 : 0 : BoolGetDatum(popt->admin);
1862 : 0 : new_record_repl[Anum_pg_auth_members_admin_option - 1] =
1863 : : true;
1864 : 0 : at_least_one_change = true;
1865 : : }
1866 : :
1108 rhaas@postgresql.org 1867 [ + + ]:CBC 17 : if ((popt->specified & GRANT_ROLE_SPECIFIED_INHERIT) != 0
1868 [ + - ]: 8 : && authmem_form->inherit_option != popt->inherit)
1869 : : {
1870 : 8 : new_record[Anum_pg_auth_members_inherit_option - 1] =
1871 : 8 : BoolGetDatum(popt->inherit);
1872 : 8 : new_record_repl[Anum_pg_auth_members_inherit_option - 1] =
1873 : : true;
1874 : 8 : at_least_one_change = true;
1875 : : }
1876 : :
1023 1877 [ + + ]: 17 : if ((popt->specified & GRANT_ROLE_SPECIFIED_SET) != 0
1878 [ + - ]: 5 : && authmem_form->set_option != popt->set)
1879 : : {
1880 : 5 : new_record[Anum_pg_auth_members_set_option - 1] =
1881 : 5 : BoolGetDatum(popt->set);
1882 : 5 : new_record_repl[Anum_pg_auth_members_set_option - 1] =
1883 : : true;
1884 : 5 : at_least_one_change = true;
1885 : : }
1886 : :
1108 1887 [ + + ]: 17 : if (!at_least_one_change)
1888 : : {
1115 1889 [ + - ]: 9 : ereport(NOTICE,
1890 : : (errmsg("role \"%s\" has already been granted membership in role \"%s\" by role \"%s\"",
1891 : : get_rolespec_name(memberRole), rolename,
1892 : : GetUserNameFromId(grantorId, false))));
1893 : 9 : ReleaseSysCache(authmem_tuple);
1894 : 9 : continue;
1895 : : }
1896 : :
6152 tgl@sss.pgh.pa.us 1897 : 8 : tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
1898 : : new_record,
1899 : : new_record_nulls, new_record_repl);
3140 alvherre@alvh.no-ip. 1900 : 8 : CatalogTupleUpdate(pg_authmem_rel, &tuple->t_self, tuple);
1901 : :
7375 tgl@sss.pgh.pa.us 1902 : 8 : ReleaseSysCache(authmem_tuple);
1903 : : }
1904 : : else
1905 : : {
1906 : : Oid objectId;
197 1907 : 465 : Oid *newmembers = (Oid *) palloc(3 * sizeof(Oid));
1908 : : int nnewmembers;
1909 : :
1910 : : /*
1911 : : * The values for these options can be taken directly from 'popt'.
1912 : : * Either they were specified, or the defaults as set by
1913 : : * InitGrantRoleOptions are correct.
1914 : : */
1108 rhaas@postgresql.org 1915 : 465 : new_record[Anum_pg_auth_members_admin_option - 1] =
1916 : 465 : BoolGetDatum(popt->admin);
1023 1917 : 465 : new_record[Anum_pg_auth_members_set_option - 1] =
1918 : 465 : BoolGetDatum(popt->set);
1919 : :
1920 : : /*
1921 : : * If the user specified a value for the inherit option, use
1922 : : * whatever was specified. Otherwise, set the default value based
1923 : : * on the role-level property.
1924 : : */
1108 1925 [ + + ]: 465 : if ((popt->specified & GRANT_ROLE_SPECIFIED_INHERIT) != 0)
1926 : 97 : new_record[Anum_pg_auth_members_inherit_option - 1] =
29 peter@eisentraut.org 1927 :GNC 97 : BoolGetDatum(popt->inherit);
1928 : : else
1929 : : {
1930 : : HeapTuple mrtup;
1931 : : Form_pg_authid mrform;
1932 : :
779 michael@paquier.xyz 1933 :CBC 368 : mrtup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(memberid));
1108 rhaas@postgresql.org 1934 [ - + ]: 368 : if (!HeapTupleIsValid(mrtup))
1108 rhaas@postgresql.org 1935 [ # # ]:UBC 0 : elog(ERROR, "cache lookup failed for role %u", memberid);
1108 rhaas@postgresql.org 1936 :CBC 368 : mrform = (Form_pg_authid) GETSTRUCT(mrtup);
1937 : 368 : new_record[Anum_pg_auth_members_inherit_option - 1] =
29 peter@eisentraut.org 1938 :GNC 368 : BoolGetDatum(mrform->rolinherit);
1108 rhaas@postgresql.org 1939 :CBC 368 : ReleaseSysCache(mrtup);
1940 : : }
1941 : :
1942 : : /* get an OID for the new row and insert it */
999 michael@paquier.xyz 1943 : 465 : objectId = GetNewOidWithIndex(pg_authmem_rel, AuthMemOidIndexId,
1944 : : Anum_pg_auth_members_oid);
29 peter@eisentraut.org 1945 :GNC 465 : new_record[Anum_pg_auth_members_oid - 1] = ObjectIdGetDatum(objectId);
6152 tgl@sss.pgh.pa.us 1946 :CBC 465 : tuple = heap_form_tuple(pg_authmem_dsc,
1947 : : new_record, new_record_nulls);
3140 alvherre@alvh.no-ip. 1948 : 465 : CatalogTupleInsert(pg_authmem_rel, tuple);
1949 : :
1950 : : /*
1951 : : * Record dependencies on the roleid, member, and grantor, as if a
1952 : : * pg_auth_members entry were an object ACL.
1953 : : * updateAclDependencies() requires an input array that is
1954 : : * palloc'd (it will free it), sorted, and de-duped.
1955 : : */
197 tgl@sss.pgh.pa.us 1956 : 465 : newmembers[0] = roleid;
1957 : 465 : newmembers[1] = memberid;
1958 : 465 : newmembers[2] = grantorId;
1959 : 465 : qsort(newmembers, 3, sizeof(Oid), oid_cmp);
1960 : 465 : nnewmembers = qunique(newmembers, 3, sizeof(Oid), oid_cmp);
1961 : :
1115 rhaas@postgresql.org 1962 : 465 : updateAclDependencies(AuthMemRelationId, objectId,
1963 : : 0, InvalidOid,
1964 : : 0, NULL,
1965 : : nnewmembers, newmembers);
1966 : : }
1967 : :
1968 : : /* CCI after each change, in case there are duplicates in list */
7374 tgl@sss.pgh.pa.us 1969 : 473 : CommandCounterIncrement();
1970 : : }
1971 : :
1972 : : /*
1973 : : * Close pg_authmem, but keep lock till commit.
1974 : : */
2420 andres@anarazel.de 1975 : 2104 : table_close(pg_authmem_rel, NoLock);
9396 bruce@momjian.us 1976 : 2104 : }
1977 : :
1978 : : /*
1979 : : * DelRoleMems -- Remove given members from the specified role
1980 : : *
1981 : : * rolename: name of role to del from (used only for error messages)
1982 : : * roleid: OID of role to del from
1983 : : * memberSpecs: list of RoleSpec of roles to del (used only for error messages)
1984 : : * memberIds: OIDs of roles to del
1985 : : * grantorId: who is revoking the membership
1986 : : * popt: information about grant options
1987 : : * behavior: RESTRICT or CASCADE behavior for recursive removal
1988 : : */
1989 : : static void
975 rhaas@postgresql.org 1990 : 81 : DelRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
1991 : : List *memberSpecs, List *memberIds,
1992 : : Oid grantorId, GrantRoleOptions *popt, DropBehavior behavior)
1993 : : {
1994 : : Relation pg_authmem_rel;
1995 : : TupleDesc pg_authmem_dsc;
1996 : : ListCell *specitem;
1997 : : ListCell *iditem;
1998 : : CatCList *memlist;
1999 : : RevokeRoleGrantAction *actions;
2000 : : int i;
2001 : :
3834 alvherre@alvh.no-ip. 2002 [ - + ]: 81 : Assert(list_length(memberSpecs) == list_length(memberIds));
2003 : :
2004 : : /* Validate grantor (and resolve implicit grantor if not specified). */
1111 rhaas@postgresql.org 2005 : 81 : grantorId = check_role_grantor(currentUserId, roleid, grantorId, false);
2006 : :
2420 andres@anarazel.de 2007 : 81 : pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
7375 tgl@sss.pgh.pa.us 2008 : 81 : pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
2009 : :
2010 : : /*
2011 : : * Only allow changes to this role by one backend at a time, so that we
2012 : : * can check for things like dependent privileges without fear of race
2013 : : * conditions.
2014 : : */
1111 rhaas@postgresql.org 2015 : 81 : LockSharedObject(AuthIdRelationId, roleid, 0,
2016 : : ShareUpdateExclusiveLock);
2017 : :
2018 : 81 : memlist = SearchSysCacheList1(AUTHMEMROLEMEM, ObjectIdGetDatum(roleid));
2019 : 81 : actions = initialize_revoke_actions(memlist);
2020 : :
2021 : : /*
2022 : : * We may need to recurse to dependent privileges if DROP_CASCADE was
2023 : : * specified, or refuse to perform the operation if dependent privileges
2024 : : * exist and DROP_RESTRICT was specified. plan_single_revoke() will figure
2025 : : * out what to do with each catalog tuple.
2026 : : */
3834 alvherre@alvh.no-ip. 2027 [ + - + + : 156 : forboth(specitem, memberSpecs, iditem, memberIds)
+ - + + +
+ + - +
+ ]
2028 : : {
2029 : 81 : RoleSpec *memberRole = lfirst(specitem);
7375 tgl@sss.pgh.pa.us 2030 : 81 : Oid memberid = lfirst_oid(iditem);
2031 : :
1111 rhaas@postgresql.org 2032 [ + + ]: 81 : if (!plan_single_revoke(memlist, actions, memberid, grantorId,
2033 : : popt, behavior))
2034 : : {
7375 tgl@sss.pgh.pa.us 2035 [ + - ]: 3 : ereport(WARNING,
2036 : : (errmsg("role \"%s\" has not been granted membership in role \"%s\" by role \"%s\"",
2037 : : get_rolespec_name(memberRole), rolename,
2038 : : GetUserNameFromId(grantorId, false))));
2039 : 3 : continue;
2040 : : }
2041 : : }
2042 : :
2043 : : /*
2044 : : * We now know what to do with each catalog tuple: it should either be
2045 : : * left alone, deleted, or just have the admin_option flag cleared.
2046 : : * Perform the appropriate action in each case.
2047 : : */
1111 rhaas@postgresql.org 2048 [ + + ]: 218 : for (i = 0; i < memlist->n_members; ++i)
2049 : : {
2050 : : HeapTuple authmem_tuple;
2051 : : Form_pg_auth_members authmem_form;
2052 : :
2053 [ + + ]: 143 : if (actions[i] == RRG_NOOP)
2054 : 62 : continue;
2055 : :
2056 : 81 : authmem_tuple = &memlist->members[i]->tuple;
1115 2057 : 81 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
2058 : :
1111 2059 [ + + ]: 81 : if (actions[i] == RRG_DELETE_GRANT)
2060 : : {
2061 : : /*
2062 : : * Remove the entry altogether, after first removing its
2063 : : * dependencies
2064 : : */
1115 2065 : 57 : deleteSharedDependencyRecordsFor(AuthMemRelationId,
2066 : : authmem_form->oid, 0);
3139 tgl@sss.pgh.pa.us 2067 : 57 : CatalogTupleDelete(pg_authmem_rel, &authmem_tuple->t_self);
2068 : : }
2069 : : else
2070 : : {
2071 : : /* Just turn off the specified option */
2072 : : HeapTuple tuple;
1148 peter@eisentraut.org 2073 : 24 : Datum new_record[Natts_pg_auth_members] = {0};
2074 : 24 : bool new_record_nulls[Natts_pg_auth_members] = {0};
2075 : 24 : bool new_record_repl[Natts_pg_auth_members] = {0};
2076 : :
2077 : : /* Build a tuple to update with */
1108 rhaas@postgresql.org 2078 [ + + ]: 24 : if (actions[i] == RRG_REMOVE_ADMIN_OPTION)
2079 : : {
2080 : 15 : new_record[Anum_pg_auth_members_admin_option - 1] =
2081 : 15 : BoolGetDatum(false);
2082 : 15 : new_record_repl[Anum_pg_auth_members_admin_option - 1] =
2083 : : true;
2084 : : }
2085 [ + + ]: 9 : else if (actions[i] == RRG_REMOVE_INHERIT_OPTION)
2086 : : {
2087 : 6 : new_record[Anum_pg_auth_members_inherit_option - 1] =
2088 : 6 : BoolGetDatum(false);
2089 : 6 : new_record_repl[Anum_pg_auth_members_inherit_option - 1] =
2090 : : true;
2091 : : }
1023 2092 [ + - ]: 3 : else if (actions[i] == RRG_REMOVE_SET_OPTION)
2093 : : {
2094 : 3 : new_record[Anum_pg_auth_members_set_option - 1] =
2095 : 3 : BoolGetDatum(false);
2096 : 3 : new_record_repl[Anum_pg_auth_members_set_option - 1] =
2097 : : true;
2098 : : }
2099 : : else
1108 rhaas@postgresql.org 2100 [ # # ]:UBC 0 : elog(ERROR, "unknown role revoke action");
2101 : :
6152 tgl@sss.pgh.pa.us 2102 :CBC 24 : tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
2103 : : new_record,
2104 : : new_record_nulls, new_record_repl);
3140 alvherre@alvh.no-ip. 2105 : 24 : CatalogTupleUpdate(pg_authmem_rel, &tuple->t_self, tuple);
2106 : : }
2107 : : }
2108 : :
1111 rhaas@postgresql.org 2109 : 75 : ReleaseSysCacheList(memlist);
2110 : :
2111 : : /*
2112 : : * Close pg_authmem, but keep lock till commit.
2113 : : */
2420 andres@anarazel.de 2114 : 75 : table_close(pg_authmem_rel, NoLock);
8107 peter_e@gmx.net 2115 : 75 : }
2116 : :
2117 : : /*
2118 : : * Check that currentUserId has permission to modify the membership list for
2119 : : * roleid. Throw an error if not.
2120 : : */
2121 : : static void
975 rhaas@postgresql.org 2122 : 512 : check_role_membership_authorization(Oid currentUserId, Oid roleid,
2123 : : bool is_grant)
2124 : : {
2125 : : /*
2126 : : * The charter of pg_database_owner is to have exactly one, implicit,
2127 : : * situation-dependent member. There's no technical need for this
2128 : : * restriction. (One could lift it and take the further step of making
2129 : : * object_ownercheck(DatabaseRelationId, ...) equivalent to
2130 : : * has_privs_of_role(roleid, ROLE_PG_DATABASE_OWNER), in which case
2131 : : * explicit, situation-independent members could act as the owner of any
2132 : : * database.)
2133 : : */
2134 [ + + + + ]: 512 : if (is_grant && roleid == ROLE_PG_DATABASE_OWNER)
2135 [ + - ]: 6 : ereport(ERROR,
2136 : : errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2137 : : errmsg("role \"%s\" cannot have explicit members",
2138 : : GetUserNameFromId(roleid, false)));
2139 : :
2140 : : /* To mess with a superuser role, you gotta be superuser. */
2141 [ + + ]: 506 : if (superuser_arg(roleid))
2142 : : {
2143 [ + + ]: 8 : if (!superuser_arg(currentUserId))
2144 : : {
904 peter@eisentraut.org 2145 [ + - ]: 3 : if (is_grant)
2146 [ + - ]: 3 : ereport(ERROR,
2147 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2148 : : errmsg("permission denied to grant role \"%s\"",
2149 : : GetUserNameFromId(roleid, false)),
2150 : : errdetail("Only roles with the %s attribute may grant roles with the %s attribute.",
2151 : : "SUPERUSER", "SUPERUSER")));
2152 : : else
904 peter@eisentraut.org 2153 [ # # ]:UBC 0 : ereport(ERROR,
2154 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2155 : : errmsg("permission denied to revoke role \"%s\"",
2156 : : GetUserNameFromId(roleid, false)),
2157 : : errdetail("Only roles with the %s attribute may revoke roles with the %s attribute.",
2158 : : "SUPERUSER", "SUPERUSER")));
2159 : : }
2160 : : }
2161 : : else
2162 : : {
2163 : : /*
2164 : : * Otherwise, must have admin option on the role to be changed.
2165 : : */
970 rhaas@postgresql.org 2166 [ + + ]:CBC 498 : if (!is_admin_of_role(currentUserId, roleid))
2167 : : {
904 peter@eisentraut.org 2168 [ + - ]: 72 : if (is_grant)
2169 [ + - ]: 72 : ereport(ERROR,
2170 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2171 : : errmsg("permission denied to grant role \"%s\"",
2172 : : GetUserNameFromId(roleid, false)),
2173 : : errdetail("Only roles with the %s option on role \"%s\" may grant this role.",
2174 : : "ADMIN", GetUserNameFromId(roleid, false))));
2175 : : else
904 peter@eisentraut.org 2176 [ # # ]:UBC 0 : ereport(ERROR,
2177 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2178 : : errmsg("permission denied to revoke role \"%s\"",
2179 : : GetUserNameFromId(roleid, false)),
2180 : : errdetail("Only roles with the %s option on role \"%s\" may revoke this role.",
2181 : : "ADMIN", GetUserNameFromId(roleid, false))));
2182 : : }
2183 : : }
975 rhaas@postgresql.org 2184 :CBC 431 : }
2185 : :
2186 : : /*
2187 : : * Sanity-check, or infer, the grantor for a GRANT or REVOKE statement
2188 : : * targeting a role.
2189 : : *
2190 : : * The grantor must always be either a role with ADMIN OPTION on the role in
2191 : : * which membership is being granted, or the bootstrap superuser. This is
2192 : : * similar to the restriction enforced by select_best_grantor, except that
2193 : : * roles don't have owners, so we regard the bootstrap superuser as the
2194 : : * implicit owner.
2195 : : *
2196 : : * If the grantor was not explicitly specified by the user, grantorId should
2197 : : * be passed as InvalidOid, and this function will infer the user to be
2198 : : * recorded as the grantor. In many cases, this will be the current user, but
2199 : : * things get more complicated when the current user doesn't possess ADMIN
2200 : : * OPTION on the role but rather relies on having SUPERUSER privileges, or
2201 : : * on inheriting the privileges of a role which does have ADMIN OPTION. See
2202 : : * below for details.
2203 : : *
2204 : : * If the grantor was specified by the user, then it must be a user that
2205 : : * can legally be recorded as the grantor, as per the rule stated above.
2206 : : * This is an integrity constraint, not a permissions check, and thus even
2207 : : * superusers are subject to this restriction. However, there is also a
2208 : : * permissions check: to specify a role as the grantor, the current user
2209 : : * must possess the privileges of that role. Superusers will always pass
2210 : : * this check, but for non-superusers it may lead to an error.
2211 : : *
2212 : : * The return value is the OID to be regarded as the grantor when executing
2213 : : * the operation.
2214 : : */
2215 : : static Oid
1111 2216 : 2200 : check_role_grantor(Oid currentUserId, Oid roleid, Oid grantorId, bool is_grant)
2217 : : {
2218 : : /* If the grantor ID was not specified, pick one to use. */
2219 [ + + ]: 2200 : if (!OidIsValid(grantorId))
2220 : : {
2221 : : /*
2222 : : * Grants where the grantor is recorded as the bootstrap superuser do
2223 : : * not depend on any other existing grants, so always default to this
2224 : : * interpretation when possible.
2225 : : */
970 2226 [ + + ]: 2080 : if (superuser_arg(currentUserId))
1111 2227 : 1912 : return BOOTSTRAP_SUPERUSERID;
2228 : :
2229 : : /*
2230 : : * Otherwise, the grantor must either have ADMIN OPTION on the role or
2231 : : * inherit the privileges of a role which does. In the former case,
2232 : : * record the grantor as the current user; in the latter, pick one of
2233 : : * the roles that is "most directly" inherited by the current role
2234 : : * (i.e. fewest "hops").
2235 : : *
2236 : : * (We shouldn't fail to find a best grantor, because we've already
2237 : : * established that the current user has permission to perform the
2238 : : * operation.)
2239 : : */
2240 : 168 : grantorId = select_best_admin(currentUserId, roleid);
2241 [ - + ]: 168 : if (!OidIsValid(grantorId))
1111 rhaas@postgresql.org 2242 [ # # ]:UBC 0 : elog(ERROR, "no possible grantors");
1111 rhaas@postgresql.org 2243 :CBC 168 : return grantorId;
2244 : : }
2245 : :
2246 : : /*
2247 : : * If an explicit grantor is specified, it must be a role whose privileges
2248 : : * the current user possesses.
2249 : : *
2250 : : * It should also be a role that has ADMIN OPTION on the target role, but
2251 : : * we check this condition only in case of GRANT. For REVOKE, no matching
2252 : : * grant should exist anyway, but if it somehow does, let the user get rid
2253 : : * of it.
2254 : : */
2255 [ + + ]: 120 : if (is_grant)
2256 : : {
2257 [ - + ]: 108 : if (!has_privs_of_role(currentUserId, grantorId))
1111 rhaas@postgresql.org 2258 [ # # ]:UBC 0 : ereport(ERROR,
2259 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2260 : : errmsg("permission denied to grant privileges as role \"%s\"",
2261 : : GetUserNameFromId(grantorId, false)),
2262 : : errdetail("Only roles with privileges of role \"%s\" may grant privileges as this role.",
2263 : : GetUserNameFromId(grantorId, false))));
2264 : :
1111 rhaas@postgresql.org 2265 [ + + + + ]:CBC 153 : if (grantorId != BOOTSTRAP_SUPERUSERID &&
2266 : 45 : select_best_admin(grantorId, roleid) != grantorId)
2267 [ + - ]: 3 : ereport(ERROR,
2268 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2269 : : errmsg("permission denied to grant privileges as role \"%s\"",
2270 : : GetUserNameFromId(grantorId, false)),
2271 : : errdetail("The grantor must have the %s option on role \"%s\".",
2272 : : "ADMIN", GetUserNameFromId(roleid, false))));
2273 : : }
2274 : : else
2275 : : {
2276 [ - + ]: 12 : if (!has_privs_of_role(currentUserId, grantorId))
1111 rhaas@postgresql.org 2277 [ # # ]:UBC 0 : ereport(ERROR,
2278 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2279 : : errmsg("permission denied to revoke privileges granted by role \"%s\"",
2280 : : GetUserNameFromId(grantorId, false)),
2281 : : errdetail("Only roles with privileges of role \"%s\" may revoke privileges granted by this role.",
2282 : : GetUserNameFromId(grantorId, false))));
2283 : : }
2284 : :
2285 : : /*
2286 : : * If a grantor was specified explicitly, always attribute the grant to
2287 : : * that role (unless we error out above).
2288 : : */
1111 rhaas@postgresql.org 2289 :CBC 117 : return grantorId;
2290 : : }
2291 : :
2292 : : /*
2293 : : * Initialize an array of RevokeRoleGrantAction objects.
2294 : : *
2295 : : * 'memlist' should be a list of all grants for the target role.
2296 : : *
2297 : : * This constructs an array indicating that no actions are to be performed;
2298 : : * that is, every element is initially RRG_NOOP.
2299 : : */
2300 : : static RevokeRoleGrantAction *
2301 : 153 : initialize_revoke_actions(CatCList *memlist)
2302 : : {
2303 : : RevokeRoleGrantAction *result;
2304 : : int i;
2305 : :
2306 [ - + ]: 153 : if (memlist->n_members == 0)
1111 rhaas@postgresql.org 2307 :UBC 0 : return NULL;
2308 : :
1111 rhaas@postgresql.org 2309 :CBC 153 : result = palloc(sizeof(RevokeRoleGrantAction) * memlist->n_members);
2310 [ + + ]: 416 : for (i = 0; i < memlist->n_members; i++)
2311 : 263 : result[i] = RRG_NOOP;
2312 : 153 : return result;
2313 : : }
2314 : :
2315 : : /*
2316 : : * Figure out what we would need to do in order to revoke a grant, or just the
2317 : : * admin option on a grant, given that there might be dependent privileges.
2318 : : *
2319 : : * 'memlist' should be a list of all grants for the target role.
2320 : : *
2321 : : * Whatever actions prove to be necessary will be signalled by updating
2322 : : * 'actions'.
2323 : : *
2324 : : * If behavior is DROP_RESTRICT, an error will occur if there are dependent
2325 : : * role membership grants; if DROP_CASCADE, those grants will be scheduled
2326 : : * for deletion.
2327 : : *
2328 : : * The return value is true if the matching grant was found in the list,
2329 : : * and false if not.
2330 : : */
2331 : : static bool
2332 : 81 : plan_single_revoke(CatCList *memlist, RevokeRoleGrantAction *actions,
2333 : : Oid member, Oid grantor, GrantRoleOptions *popt,
2334 : : DropBehavior behavior)
2335 : : {
2336 : : int i;
2337 : :
2338 : : /*
2339 : : * If popt.specified == 0, we're revoking the grant entirely; otherwise,
2340 : : * we expect just one bit to be set, and we're revoking the corresponding
2341 : : * option. As of this writing, there's no syntax that would allow for an
2342 : : * attempt to revoke multiple options at once, and the logic below
2343 : : * wouldn't work properly if such syntax were added, so assert that our
2344 : : * caller isn't trying to do that.
2345 : : */
1108 2346 [ - + ]: 81 : Assert(pg_popcount32(popt->specified) <= 1);
2347 : :
1111 2348 [ + + ]: 140 : for (i = 0; i < memlist->n_members; ++i)
2349 : : {
2350 : : HeapTuple authmem_tuple;
2351 : : Form_pg_auth_members authmem_form;
2352 : :
2353 : 137 : authmem_tuple = &memlist->members[i]->tuple;
2354 : 137 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
2355 : :
2356 [ + + ]: 137 : if (authmem_form->member == member &&
2357 [ + + ]: 87 : authmem_form->grantor == grantor)
2358 : : {
1108 2359 [ + + ]: 78 : if ((popt->specified & GRANT_ROLE_SPECIFIED_INHERIT) != 0)
2360 : : {
2361 : : /*
2362 : : * Revoking the INHERIT option doesn't change anything for
2363 : : * dependent privileges, so we don't need to recurse.
2364 : : */
2365 : 6 : actions[i] = RRG_REMOVE_INHERIT_OPTION;
2366 : : }
1023 2367 [ + + ]: 72 : else if ((popt->specified & GRANT_ROLE_SPECIFIED_SET) != 0)
2368 : : {
2369 : : /* Here too, no need to recurse. */
2370 : 3 : actions[i] = RRG_REMOVE_SET_OPTION;
2371 : : }
2372 : : else
2373 : : {
2374 : : bool revoke_admin_option_only;
2375 : :
2376 : : /*
2377 : : * Revoking the grant entirely, or ADMIN option on a grant,
2378 : : * implicates dependent privileges, so we may need to recurse.
2379 : : */
1108 2380 : 69 : revoke_admin_option_only =
2381 : 69 : (popt->specified & GRANT_ROLE_SPECIFIED_ADMIN) != 0;
2382 : 69 : plan_recursive_revoke(memlist, actions, i,
2383 : : revoke_admin_option_only, behavior);
2384 : : }
1111 2385 : 72 : return true;
2386 : : }
2387 : : }
2388 : :
2389 : 3 : return false;
2390 : : }
2391 : :
2392 : : /*
2393 : : * Figure out what we would need to do in order to revoke all grants to
2394 : : * a given member, given that there might be dependent privileges.
2395 : : *
2396 : : * 'memlist' should be a list of all grants for the target role.
2397 : : *
2398 : : * Whatever actions prove to be necessary will be signalled by updating
2399 : : * 'actions'.
2400 : : */
2401 : : static void
2402 : 42 : plan_member_revoke(CatCList *memlist, RevokeRoleGrantAction *actions,
2403 : : Oid member)
2404 : : {
2405 : : int i;
2406 : :
2407 [ + + ]: 93 : for (i = 0; i < memlist->n_members; ++i)
2408 : : {
2409 : : HeapTuple authmem_tuple;
2410 : : Form_pg_auth_members authmem_form;
2411 : :
2412 : 51 : authmem_tuple = &memlist->members[i]->tuple;
2413 : 51 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
2414 : :
2415 [ + + ]: 51 : if (authmem_form->member == member)
2416 : 3 : plan_recursive_revoke(memlist, actions, i, false, DROP_CASCADE);
2417 : : }
2418 : 42 : }
2419 : :
2420 : : /*
2421 : : * Workhorse for figuring out recursive revocation of role grants.
2422 : : *
2423 : : * This is similar to what recursive_revoke() does for ACLs.
2424 : : */
2425 : : static void
2426 : 84 : plan_recursive_revoke(CatCList *memlist, RevokeRoleGrantAction *actions,
2427 : : int index,
2428 : : bool revoke_admin_option_only, DropBehavior behavior)
2429 : : {
2430 : 84 : bool would_still_have_admin_option = false;
2431 : : HeapTuple authmem_tuple;
2432 : : Form_pg_auth_members authmem_form;
2433 : : int i;
2434 : :
2435 : : /* If it's already been done, we can just return. */
2436 [ - + ]: 84 : if (actions[index] == RRG_DELETE_GRANT)
1111 rhaas@postgresql.org 2437 :UBC 0 : return;
1111 rhaas@postgresql.org 2438 [ - + - - ]:CBC 84 : if (actions[index] == RRG_REMOVE_ADMIN_OPTION &&
2439 : : revoke_admin_option_only)
1111 rhaas@postgresql.org 2440 :UBC 0 : return;
2441 : :
2442 : : /* Locate tuple data. */
1111 rhaas@postgresql.org 2443 :CBC 84 : authmem_tuple = &memlist->members[index]->tuple;
2444 : 84 : authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
2445 : :
2446 : : /*
2447 : : * If the existing tuple does not have admin_option set, then we do not
2448 : : * need to recurse. If we're just supposed to clear that bit we don't need
2449 : : * to do anything at all; if we're supposed to remove the grant, we need
2450 : : * to do something, but only to the tuple, and not any others.
2451 : : */
2452 [ + + ]: 84 : if (!revoke_admin_option_only)
2453 : : {
2454 : 66 : actions[index] = RRG_DELETE_GRANT;
2455 [ + + ]: 66 : if (!authmem_form->admin_option)
2456 : 45 : return;
2457 : : }
2458 : : else
2459 : : {
2460 [ - + ]: 18 : if (!authmem_form->admin_option)
1111 rhaas@postgresql.org 2461 :UBC 0 : return;
1111 rhaas@postgresql.org 2462 :CBC 18 : actions[index] = RRG_REMOVE_ADMIN_OPTION;
2463 : : }
2464 : :
2465 : : /* Determine whether the member would still have ADMIN OPTION. */
2466 [ + + ]: 114 : for (i = 0; i < memlist->n_members; ++i)
2467 : : {
2468 : : HeapTuple am_cascade_tuple;
2469 : : Form_pg_auth_members am_cascade_form;
2470 : :
2471 : 75 : am_cascade_tuple = &memlist->members[i]->tuple;
2472 : 75 : am_cascade_form = (Form_pg_auth_members) GETSTRUCT(am_cascade_tuple);
2473 : :
2474 [ + + ]: 75 : if (am_cascade_form->member == authmem_form->member &&
2475 [ + - - + ]: 39 : am_cascade_form->admin_option && actions[i] == RRG_NOOP)
2476 : : {
1111 rhaas@postgresql.org 2477 :UBC 0 : would_still_have_admin_option = true;
2478 : 0 : break;
2479 : : }
2480 : : }
2481 : :
2482 : : /* If the member would still have ADMIN OPTION, we need not recurse. */
1111 rhaas@postgresql.org 2483 [ - + ]:CBC 39 : if (would_still_have_admin_option)
1111 rhaas@postgresql.org 2484 :UBC 0 : return;
2485 : :
2486 : : /*
2487 : : * Recurse to grants that are not yet slated for deletion which have this
2488 : : * member as the grantor.
2489 : : */
1111 rhaas@postgresql.org 2490 [ + + ]:CBC 108 : for (i = 0; i < memlist->n_members; ++i)
2491 : : {
2492 : : HeapTuple am_cascade_tuple;
2493 : : Form_pg_auth_members am_cascade_form;
2494 : :
2495 : 75 : am_cascade_tuple = &memlist->members[i]->tuple;
2496 : 75 : am_cascade_form = (Form_pg_auth_members) GETSTRUCT(am_cascade_tuple);
2497 : :
2498 [ + + ]: 75 : if (am_cascade_form->grantor == authmem_form->member &&
2499 [ + - ]: 18 : actions[i] != RRG_DELETE_GRANT)
2500 : : {
2501 [ + + ]: 18 : if (behavior == DROP_RESTRICT)
2502 [ + - ]: 6 : ereport(ERROR,
2503 : : (errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
2504 : : errmsg("dependent privileges exist"),
2505 : : errhint("Use CASCADE to revoke them too.")));
2506 : :
2507 : 12 : plan_recursive_revoke(memlist, actions, i, false, behavior);
2508 : : }
2509 : : }
2510 : : }
2511 : :
2512 : : /*
2513 : : * Initialize a GrantRoleOptions object with default values.
2514 : : */
2515 : : static void
1108 2516 : 1530 : InitGrantRoleOptions(GrantRoleOptions *popt)
2517 : : {
2518 : 1530 : popt->specified = 0;
2519 : 1530 : popt->admin = false;
2520 : 1530 : popt->inherit = false;
1023 2521 : 1530 : popt->set = true;
1108 2522 : 1530 : }
2523 : :
2524 : : /*
2525 : : * GUC check_hook for createrole_self_grant
2526 : : */
2527 : : bool
970 2528 : 1070 : check_createrole_self_grant(char **newval, void **extra, GucSource source)
2529 : : {
2530 : : char *rawstring;
2531 : : List *elemlist;
2532 : : ListCell *l;
2533 : 1070 : unsigned options = 0;
2534 : : unsigned *result;
2535 : :
2536 : : /* Need a modifiable copy of string */
2537 : 1070 : rawstring = pstrdup(*newval);
2538 : :
2539 [ - + ]: 1070 : if (!SplitIdentifierString(rawstring, ',', &elemlist))
2540 : : {
2541 : : /* syntax error in list */
970 rhaas@postgresql.org 2542 :UBC 0 : GUC_check_errdetail("List syntax is invalid.");
2543 : 0 : pfree(rawstring);
2544 : 0 : list_free(elemlist);
2545 : 0 : return false;
2546 : : }
2547 : :
970 rhaas@postgresql.org 2548 [ + + + + :CBC 1076 : foreach(l, elemlist)
+ + ]
2549 : : {
2550 : 6 : char *tok = (char *) lfirst(l);
2551 : :
2552 [ + + ]: 6 : if (pg_strcasecmp(tok, "SET") == 0)
2553 : 3 : options |= GRANT_ROLE_SPECIFIED_SET;
2554 [ + - ]: 3 : else if (pg_strcasecmp(tok, "INHERIT") == 0)
2555 : 3 : options |= GRANT_ROLE_SPECIFIED_INHERIT;
2556 : : else
2557 : : {
970 rhaas@postgresql.org 2558 :UBC 0 : GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
2559 : 0 : pfree(rawstring);
2560 : 0 : list_free(elemlist);
2561 : 0 : return false;
2562 : : }
2563 : : }
2564 : :
970 rhaas@postgresql.org 2565 :CBC 1070 : pfree(rawstring);
2566 : 1070 : list_free(elemlist);
2567 : :
2568 : 1070 : result = (unsigned *) guc_malloc(LOG, sizeof(unsigned));
163 dgustafsson@postgres 2569 [ - + ]: 1070 : if (!result)
163 dgustafsson@postgres 2570 :UBC 0 : return false;
970 rhaas@postgresql.org 2571 :CBC 1070 : *result = options;
2572 : 1070 : *extra = result;
2573 : :
2574 : 1070 : return true;
2575 : : }
2576 : :
2577 : : /*
2578 : : * GUC assign_hook for createrole_self_grant
2579 : : */
2580 : : void
2581 : 1070 : assign_createrole_self_grant(const char *newval, void *extra)
2582 : : {
841 tgl@sss.pgh.pa.us 2583 : 1070 : unsigned options = *(unsigned *) extra;
2584 : :
970 rhaas@postgresql.org 2585 : 1070 : createrole_self_grant_enabled = (options != 0);
2586 : 1070 : createrole_self_grant_options.specified = GRANT_ROLE_SPECIFIED_ADMIN
2587 : : | GRANT_ROLE_SPECIFIED_INHERIT
2588 : : | GRANT_ROLE_SPECIFIED_SET;
2589 : 1070 : createrole_self_grant_options.admin = false;
2590 : 1070 : createrole_self_grant_options.inherit =
2591 : 1070 : (options & GRANT_ROLE_SPECIFIED_INHERIT) != 0;
2592 : 1070 : createrole_self_grant_options.set =
2593 : 1070 : (options & GRANT_ROLE_SPECIFIED_SET) != 0;
2594 : 1070 : }
|
