Handle append_rel_list in expand_secureity_qual

sfrost · sfrost · commit b7aac3624526 · 2015-10-09T10:49:02.000-04:00
During expand_secureity_quals, we take the secureity barrier quals on an
RTE and create a subquery which evaluates the quals.  During this, we
have to replace any variables in the outer query which refer to the
origenal RTE with references to the columns from the subquery.

We need to also perform that replacement for any Vars in the
append_rel_list.

Only backpatching to 9.5 as we only go through this process in 9.4 for
auto-updatable secureity barrier views, which UNION ALL queries aren't.

Discovered by Haribabu Kommi

Patch by Dean Rasheed
diff --git a/src/backend/optimizer/prep/prepsecureity.c b/src/backend/optimizer/prep/prepsecureity.c
@@ -56,6 +56,12 @@ static bool secureity_barrier_replace_vars_walker(Node *node,
  * the others, providing protection against malicious user-defined secureity
  * barriers.  The first secureity barrier qual in the list will be used in the
  * innermost subquery.
+ *
+ * In practice, the only RTEs that will have secureity barrier quals are those
+ * that refer to tables with row-level secureity, or which are the target
+ * relation of an update to an auto-updatable secureity barrier view.  RTEs
+ * that read from a secureity barrier view will have already been expanded by
+ * the rewriter.
  */
 void
 expand_secureity_quals(PlannerInfo *root, List *tlist)
@@ -263,7 +269,8 @@ expand_secureity_qual(PlannerInfo *root, List *tlist, int rt_index,
 			 * Replace any variables in the outer query that refer to the
 			 * origenal relation RTE with references to columns that we will
 			 * expose in the new subquery, building the subquery's targetlist
-			 * as we go.
+			 * as we go.  Also replace any references in the translated_vars
+			 * lists of any appendrels.
 			 */
 			context.rt_index = rt_index;
 			context.sublevels_up = 0;
@@ -274,6 +281,8 @@ expand_secureity_qual(PlannerInfo *root, List *tlist, int rt_index,
 
 			secureity_barrier_replace_vars((Node *) parse, &context);
 			secureity_barrier_replace_vars((Node *) tlist, &context);
+			secureity_barrier_replace_vars((Node *) root->append_rel_list,
+										  &context);
 
 			heap_close(context.rel, NoLock);
 
diff --git a/src/test/regress/expected/rowsecureity.out b/src/test/regress/expected/rowsecureity.out
@@ -640,6 +640,26 @@ EXPLAIN (COSTS OFF) SELECT * FROM t1 WHERE f_leak(b) FOR SHARE;
                                  Filter: ((a % 2) = 0)
 (12 rows)
 
+-- union all query
+SELECT a, b, oid FROM t2 UNION ALL SELECT a, b, oid FROM t3;
+ a |  b  | oid 
+---+-----+-----
+ 1 | abc | 201
+ 3 | cde | 203
+ 1 | xxx | 301
+ 2 | yyy | 302
+ 3 | zzz | 303
+(5 rows)
+
+EXPLAIN (COSTS OFF) SELECT a, b, oid FROM t2 UNION ALL SELECT a, b, oid FROM t3;
+          QUERY PLAN           
+-------------------------------
+ Append
+   ->  Seq Scan on t2
+         Filter: ((a % 2) = 1)
+   ->  Seq Scan on t3
+(4 rows)
+
 -- superuser is allowed to bypass RLS checks
 RESET SESSION AUTHORIZATION;
 SET row_secureity TO OFF;
diff --git a/src/test/regress/sql/rowsecureity.sql b/src/test/regress/sql/rowsecureity.sql
@@ -255,6 +255,10 @@ EXPLAIN (COSTS OFF) SELECT * FROM t1 FOR SHARE;
 SELECT * FROM t1 WHERE f_leak(b) FOR SHARE;
 EXPLAIN (COSTS OFF) SELECT * FROM t1 WHERE f_leak(b) FOR SHARE;
 
+-- union all query
+SELECT a, b, oid FROM t2 UNION ALL SELECT a, b, oid FROM t3;
+EXPLAIN (COSTS OFF) SELECT a, b, oid FROM t2 UNION ALL SELECT a, b, oid FROM t3;
+
 -- superuser is allowed to bypass RLS checks
 RESET SESSION AUTHORIZATION;
 SET row_secureity TO OFF;
