Veil2
Postgres extension for VPD implementations
|
Provides callable veil2 functions. These are written in C for performance and to ensure that they cannot be easily subverted. More...
#include "postgres.h"
#include "funcapi.h"
#include "catalog/pg_type.h"
#include "access/xact.h"
#include "executor/spi.h"
#include "utils/builtins.h"
#include "veil2.h"
Data Structures | |
struct | ContextPrivs |
struct | SessionPrivs |
Macros | |
#define | CONTEXT_PRIVS_INCREMENT 16 |
#define | CONTEXT_PRIVS_SIZE(elems) |
Functions | |
static void | findContext (int *p_idx, int scope_type, int scope) |
static bool | checkContext (int *p_idx, int scope_type, int scope, int priv) |
static void | freeContextPrivs (ContextPrivs *cp) |
static void | clear_session_privs () |
static SessionPrivs * | extendSessionPrivs (SessionPrivs *session_privs) |
static void | add_scope_privs (int scope_type, int scope, Bitmap *privs) |
static bool | fetch_scope_privs (HeapTuple tuple, TupleDesc tupdesc, void *p_result) |
static void | do_load_session_privs () |
static void | load_privs () |
static bool | error_if_no_session () |
static bool | fetch_2ints (HeapTuple tuple, TupleDesc tupdesc, void *p_result) |
static void | create_temp_tables () |
static void | truncate_temp_tables (bool clear_context) |
Datum | veil2_session_ready (FunctionCallInfo fcinfo) |
static void | do_reset_session (bool clear_context) |
Datum | veil2_reset_session (FunctionCallInfo fcinfo) |
Datum | veil2_reset_session_privs (FunctionCallInfo fcinfo) |
Datum | veil2_true (FunctionCallInfo fcinfo) |
static bool | checkSessionReady () |
Datum | veil2_i_have_global_priv (FunctionCallInfo fcinfo) |
Datum | veil2_i_have_personal_priv (FunctionCallInfo fcinfo) |
Datum | veil2_i_have_priv_in_scope (FunctionCallInfo fcinfo) |
Datum | veil2_i_have_priv_in_scope_or_global (FunctionCallInfo fcinfo) |
Datum | veil2_i_have_priv_in_superior_scope (FunctionCallInfo fcinfo) |
Datum | veil2_i_have_priv_in_scope_or_superior (FunctionCallInfo fcinfo) |
Datum | veil2_i_have_priv_in_scope_or_superior_or_global (FunctionCallInfo fcinfo) |
Datum | veil2_result_counts (FunctionCallInfo fcinfo) |
static text * | textfromstr (char *in) |
Datum | veil2_docpath (FunctionCallInfo fcinfo) |
Datum | veil2_datapath (FunctionCallInfo fcinfo) |
Variables | |
static bool | session_ready = ((bool) 0) |
static int | result_counts [] = {0, 0} |
static SessionPrivs * | session_privs = ((void *) 0) |
static bool | session_privs_loaded = ((bool) 0) |
Provides callable veil2 functions. These are written in C for performance and to ensure that they cannot be easily subverted.
Definition in file veil2.c.
#define CONTEXT_PRIVS_INCREMENT 16 |
How many ContextPrivs entries a SessionPrivs structure will be created with/extended by.
#define CONTEXT_PRIVS_SIZE | ( | elems | ) |
Provide the size that we want our SessionPrivs structure to be.
elems | the number of ContextPrivs entries already in place. This will be increased by CONTEXT_PRIVS_INCREMENT. |
|
static |
Add a ContextPrivs entry to session_privs, from the parameters.
scope_type | The scope_type for the new entry |
scope | The scope for the new entry |
privs | The privileges Bitmap for the new entry |
Definition at line 283 of file veil2.c.
|
static |
Wrapper for findContext() that finds the context and checks for a privilege in a single operation.
p_idx | Pointer to a cached index value for the entry in the session_privs->active_contexts that the search should start from. This allows the caller to cache the last returned index in the hope that they will be looking for the same entry next time. If no cached value exists, the caller should provide -1. The index of the found ContextPrivs entry will be returned through this, or -1 if no context can be found. |
scope_type | The scope_type_id of the ContextPrivs entry we are looking for. |
scope | The scope_id of the ContextPrivs entry we are looking for. |
priv | The privilege to test for. |
Definition at line 183 of file veil2.c.
|
static |
Check whether a session has been properly initialized. If not, and we are supposed to fail in such a situation, fail with an appropriate error message. Otherwise return true if the session is ready to go.
Definition at line 644 of file veil2.c.
|
static |
Clear all ContextPrivs entries in session_privs.
Definition at line 212 of file veil2.c.
|
static |
|
static |
|
static |
Does the database donkey-work for veil2_reset_session().
clear_context | Whether veil2_session_context should be cleared as well as the privileges temp tables. |
Definition at line 509 of file veil2.c.
|
static |
Predicate to indicate whether to raise an error if a privilege test function has been called prior to a session being established. If not, the privilege testing function should return false. The determination of whether to error or return false is based on the value of the veil2.system_parameter 'error on uninitialized session' at the time that the database session is established.
Definition at line 387 of file veil2.c.
|
static |
|
static |
This is a Fetch_fn() for dealing with tuples containing 2 integers. Its job is to populate the p_result parameter with 2 integers from a Postgres SPI query.
tuple | The ::HeapTuple returned from a Postgres SPI query. This will contain a tuple of 2 integers. |
tupdesc | The ::TupleDesc returned from the same Postgres SPI query |
p_result | Pointer to a tuple_2ints struct into which the 2 integers from the SPI query will be placed. |
bool
false, indicating to veil2_query() that no more rows are expected.
|
static |
A Fetch_fn for veil2_query() that retrieves the details for a ContextPrivs entry and adds it to session_privs using add_scope_privs().
tuple | The ::HeapTuple returned from a Postgres SPI query. This will contain a tuple of 2 integers. |
tupdesc | The ::TupleDesc returned from the same Postgres SPI query |
p_result | This should be null. |
Definition at line 318 of file veil2.c.
|
static |
Locate a particular ContextPriv entry in session_privs.
p_idx | Pointer to a cached index value for the entry in the session_privs->active_contexts that the search should start from. This allows the caller to cache the last returned index in the hope that they will be looking for the same entry next time. If no cached value exists, the caller should provide -1. The index of the found ContextPrivs entry will be returned through this, or -1 if no context can be found. |
scope_type | The scope_type_id of the ContextPrivs entry we are looking for. |
scope | The scope_id of the ContextPrivs entry we are looking for. |
|
static |
Free a ContextPrivs entry. This just means freeing the privileges Bitmap and zeroing the pointer for it.
cp | The ContextPrivs entry to be cleared out. |
|
static |
|
static |
|
static |
Truncate the veil2_session_privileges and veil2_session_context temporary tables (actually we use deletion rather than truncation as it seems faster).
clear_context | Whether veil2_session_context should be cleared as well as the privileges temp tables. |
Definition at line 470 of file veil2.c.
Datum veil2_datapath | ( | FunctionCallInfo | fcinfo | ) |
Datum veil2_docpath | ( | FunctionCallInfo | fcinfo | ) |
Datum veil2_i_have_global_priv | ( | FunctionCallInfo | fcinfo | ) |
veil2.i_have_global_priv(priv) returns bool
Predicate to determine whether the current session user has a given privilege, priv, with global scope.
privilege_id | Integer giving privilege to test for |
Definition at line 669 of file veil2.c.
Datum veil2_i_have_personal_priv | ( | FunctionCallInfo | fcinfo | ) |
veil2.i_have_personal_priv(priv, accessor_id) returns bool
Predicate to determine whether the current session user has a given privilege, priv, in their personal scope (ie for data pertaining to themselves).
privilege_id | Integer giving privilege to test for |
accessor_id | Integer id for a party from the record being checked. |
Definition at line 699 of file veil2.c.
Datum veil2_i_have_priv_in_scope | ( | FunctionCallInfo | fcinfo | ) |
veil2.i_have_priv_in_scope(priv, scope_type_id, scope_id) returns bool
Predicate to determine whether the current session user has a given privilege, priv, in a specific scope (scope_type_id, scope_id).
privilege_id | Integer giving privilege to test for |
scope_type_id | Integer id of the scope type to be checked |
scope_id | Integer id of the scope to be checked |
Definition at line 731 of file veil2.c.
Datum veil2_i_have_priv_in_scope_or_global | ( | FunctionCallInfo | fcinfo | ) |
veil2.i_have_priv_in_scope_or_global(priv, scope_type_id, scope_id) returns bool
Predicate to determine whether the current session user has a given privilege, priv, in a specific scope (scope_type_id, scope_id), or in global scope.
privilege_id | Integer giving privilege to test for |
scope_type_id | Integer id of the scope type to be checked |
scope_id | Integer id of the scope to be checked |
Definition at line 764 of file veil2.c.
Datum veil2_i_have_priv_in_scope_or_superior | ( | FunctionCallInfo | fcinfo | ) |
veil2.i_have_priv_in_scope_or_superior(priv, scope_type_id, scope_id) returns bool
Predicate to determine whether the current session user has a given privilege, priv, in the supplied scope (scope_type_id, scope_id) or a superior one.
privilege_id | Integer giving privilege to test for |
scope_type_id | Integer id of the scope type to be checked |
scope_id | Integer id of the scope to be checked |
Definition at line 857 of file veil2.c.
Datum veil2_i_have_priv_in_scope_or_superior_or_global | ( | FunctionCallInfo | fcinfo | ) |
veil2.i_have_priv_in_scope_or_superior_or_global(priv, scope_type_id, scope_id) returns bool
Predicate to determine whether the current session user has a given privilege, priv, in global scope, in the supplied scope (scope_type_id, scope_id), or in a superior one.
privilege_id | Integer giving privilege to test for |
scope_type_id | Integer id of the scope type to be checked |
scope_id | Integer id of the scope to be checked |
Definition at line 924 of file veil2.c.
Datum veil2_i_have_priv_in_superior_scope | ( | FunctionCallInfo | fcinfo | ) |
veil2.i_have_priv_in_superior_scope(priv, scope_type_id, scope_id) returns bool
Predicate to determine whether the current session user has a given privilege, priv, in a scope superior to the one supplied (scope_type_id, scope_id).
privilege_id | Integer giving privilege to test for |
scope_type_id | Integer id of the scope type to be checked |
scope_id | Integer id of the scope to be checked |
Definition at line 801 of file veil2.c.
Datum veil2_reset_session | ( | FunctionCallInfo | fcinfo | ) |
veil2.reset_session() returns void
Resets a postgres session prior to the recording of session privilege information. This ensures that the Veil2 temporary tables, on which our security depends, exist and have not been tampered with. Unless this function succeeds, the privilege testing functions veil2_i_have_global_priv(), veil2_i_have_personal_priv(), veil2_i_have_priv_in_scope() and veil2_i_have_priv_in_superior_scope() will always return false.
Definition at line 588 of file veil2.c.
Datum veil2_reset_session_privs | ( | FunctionCallInfo | fcinfo | ) |
Datum veil2_result_counts | ( | FunctionCallInfo | fcinfo | ) |
Datum veil2_session_ready | ( | FunctionCallInfo | fcinfo | ) |
veil2_session_ready() returns bool
Predicate to indicate whether the current session has been properly initialized by veil2_reset_session(). It tests the static variable session_ready.
bool
true if this session has been set up.
Datum veil2_true | ( | FunctionCallInfo | fcinfo | ) |
|
static |
|
static |
The SessionPrivs object for this session.
|
static |
Whether we have loaded our session's ContextPrivs into session memory.
|
static |
Used to record whether the current session's temporary tables have been properly initialised using veil2_reset_session(). If not, the privilege testing functions veil2_i_have_global_priv(), veil2_i_have_personal_priv(), veil2_i_have_priv_in_scope() and veil2_i_have_priv_in_superior_scope() will always return false. If you need to implement your own pl/pgsql base privilege testing function, it should call veil2_session_ready() to ensure that privileges have been correctly set up.
The primary reason for this variable to exist is to ensure that a user cannot trick the privileges functions by creating their own session_privileges table.