authorPeter Eisentraut <peter_e@gmx.net>2002-05-18 13:48:01 +0000
committerPeter Eisentraut <peter_e@gmx.net>2002-05-18 13:48:01 +0000
commite8ac187c68fdfcda800132d6c3c2e6d45aaf563f (patch)
treeb98c604540812213053399613979d5048f0d2916 /src/backend
parent51fd22abdd9582e5b0edd545be93306a3edf0048 (diff)
Allow functions to be executed with the privileges of the function owner.
I took the opportunity to remove the pg_proc.proistrusted field.
Diffstat (limited to 'src/backend')
-rw-r--r--src/backend/catalog/pg_aggregate.c4
-rw-r--r--src/backend/catalog/pg_proc.c6
-rw-r--r--src/backend/commands/functioncmds.c5
-rw-r--r--src/backend/utils/adt/sets.c4
-rw-r--r--src/backend/utils/fmgr/fmgr.c86
5 files changed, 83 insertions, 22 deletions
diff --git a/src/backend/catalog/pg_aggregate.c b/src/backend/catalog/pg_aggregate.c
index 4c7dbba1288..3e586f0b523 100644
--- a/src/backend/catalog/pg_aggregate.c
+++ b/src/backend/catalog/pg_aggregate.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/catalog/pg_aggregate.c,v 1.45 2002/05/17 22:35:12 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/catalog/pg_aggregate.c,v 1.46 2002/05/18 13:47:59 petere Exp $
*
*-------------------------------------------------------------------------
*/
@@ -139,7 +139,7 @@ AggregateCreate(const char *aggName,
"aggregate_dummy", /* placeholder proc */
"-", /* probin */
true, /* isAgg */
- true, /* (obsolete "trusted") */
+ false, /* security invoker (currently not definable for agg) */
false, /* isImplicit */
false, /* isStrict (not needed for agg) */
PROVOLATILE_IMMUTABLE, /* volatility (not needed for agg) */
diff --git a/src/backend/catalog/pg_proc.c b/src/backend/catalog/pg_proc.c
index 50ea475f85a..6fa6a4bf6fe 100644
--- a/src/backend/catalog/pg_proc.c
+++ b/src/backend/catalog/pg_proc.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/catalog/pg_proc.c,v 1.71 2002/05/17 22:35:12 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/catalog/pg_proc.c,v 1.72 2002/05/18 13:47:59 petere Exp $
*
*-------------------------------------------------------------------------
*/
@@ -48,7 +48,7 @@ ProcedureCreate(const char *procedureName,
const char *prosrc,
const char *probin,
bool isAgg,
- bool trusted,
+ bool security_definer,
bool isImplicit,
bool isStrict,
char volatility,
@@ -220,7 +220,7 @@ ProcedureCreate(const char *procedureName,
values[i++] = Int32GetDatum(GetUserId()); /* proowner */
values[i++] = ObjectIdGetDatum(languageObjectId); /* prolang */
values[i++] = BoolGetDatum(isAgg); /* proisagg */
- values[i++] = BoolGetDatum(trusted); /* proistrusted */
+ values[i++] = BoolGetDatum(security_definer); /* prosecdef */
values[i++] = BoolGetDatum(isImplicit); /* proimplicit */
values[i++] = BoolGetDatum(isStrict); /* proisstrict */
values[i++] = BoolGetDatum(returnsSet); /* proretset */
diff --git a/src/backend/commands/functioncmds.c b/src/backend/commands/functioncmds.c
index e294b6f973e..06870b0d3d2 100644
--- a/src/backend/commands/functioncmds.c
+++ b/src/backend/commands/functioncmds.c
@@ -9,7 +9,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/commands/functioncmds.c,v 1.4 2002/05/17 18:32:52 petere Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/functioncmds.c,v 1.5 2002/05/18 13:47:59 petere Exp $
*
* DESCRIPTION
* These routines take the parse tree and pick out the
@@ -421,6 +421,7 @@ CreateFunction(CreateFunctionStmt *stmt)
outin_ratio = OUTIN_RATIO;
isImplicit = false;
isStrict = false;
+ security = false;
volatility = PROVOLATILE_VOLATILE;
/* override attributes from explicit list */
@@ -489,7 +490,7 @@ CreateFunction(CreateFunctionStmt *stmt)
prosrc_str, /* converted to text later */
probin_str, /* converted to text later */
false, /* not an aggregate */
- true, /* (obsolete "trusted") */
+ security,
isImplicit,
isStrict,
volatility,
diff --git a/src/backend/utils/adt/sets.c b/src/backend/utils/adt/sets.c
index a0403615527..298bdbdec82 100644
--- a/src/backend/utils/adt/sets.c
+++ b/src/backend/utils/adt/sets.c
@@ -10,7 +10,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/utils/adt/Attic/sets.c,v 1.43 2002/04/11 20:00:05 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/utils/adt/Attic/sets.c,v 1.44 2002/05/18 13:47:59 petere Exp $
*
*-------------------------------------------------------------------------
*/
@@ -61,7 +61,7 @@ SetDefine(char *querystr, Oid elemType)
querystr, /* prosrc */
fileName, /* probin */
false, /* not aggregate */
- true, /* trusted */
+ false, /* security invoker */
false, /* not implicit coercion */
false, /* isStrict (irrelevant, no args) */
PROVOLATILE_VOLATILE, /* assume unsafe */
diff --git a/src/backend/utils/fmgr/fmgr.c b/src/backend/utils/fmgr/fmgr.c
index 64988a2077b..275896053ac 100644
--- a/src/backend/utils/fmgr/fmgr.c
+++ b/src/backend/utils/fmgr/fmgr.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/utils/fmgr/fmgr.c,v 1.58 2002/03/05 05:33:20 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/utils/fmgr/fmgr.c,v 1.59 2002/05/18 13:47:59 petere Exp $
*
*-------------------------------------------------------------------------
*/
@@ -19,6 +19,7 @@
#include "catalog/pg_language.h"
#include "catalog/pg_proc.h"
#include "executor/functions.h"
+#include "miscadmin.h"
#include "utils/builtins.h"
#include "utils/fmgrtab.h"
#include "utils/lsyscache.h"
@@ -56,10 +57,12 @@ typedef struct
} Oldstyle_fnextra;
+static void fmgr_info_cxt_security(Oid functionId, FmgrInfo *finfo, MemoryContext mcxt,
+ bool ignore_security);
static void fmgr_info_C_lang(Oid functionId, FmgrInfo *finfo, HeapTuple procedureTuple);
static void fmgr_info_other_lang(Oid functionId, FmgrInfo *finfo, HeapTuple procedureTuple);
static Datum fmgr_oldstyle(PG_FUNCTION_ARGS);
-static Datum fmgr_untrusted(PG_FUNCTION_ARGS);
+static Datum fmgr_security_definer(PG_FUNCTION_ARGS);
/*
@@ -136,6 +139,18 @@ fmgr_info(Oid functionId, FmgrInfo *finfo)
void
fmgr_info_cxt(Oid functionId, FmgrInfo *finfo, MemoryContext mcxt)
{
+ fmgr_info_cxt_security(functionId, finfo, mcxt, false);
+}
+
+/*
+ * This one does the actual work. ignore_security is ordinarily false
+ * but is set to true by fmgr_security_definer to avoid infinite
+ * recursive lookups.
+ */
+static void
+fmgr_info_cxt_security(Oid functionId, FmgrInfo *finfo, MemoryContext mcxt,
+ bool ignore_security)
+{
const FmgrBuiltin *fbp;
HeapTuple procedureTuple;
Form_pg_proc procedureStruct;
@@ -177,10 +192,9 @@ fmgr_info_cxt(Oid functionId, FmgrInfo *finfo, MemoryContext mcxt)
finfo->fn_strict = procedureStruct->proisstrict;
finfo->fn_retset = procedureStruct->proretset;
- if (!procedureStruct->proistrusted)
+ if (procedureStruct->prosecdef && !ignore_security)
{
- /* This isn't really supported anymore... */
- finfo->fn_addr = fmgr_untrusted;
+ finfo->fn_addr = fmgr_security_definer;
finfo->fn_oid = functionId;
ReleaseSysCache(procedureTuple);
return;
@@ -620,17 +634,63 @@ fmgr_oldstyle(PG_FUNCTION_ARGS)
/*
- * Handler for all functions marked "untrusted"
+ * Support for security definer functions
+ */
+
+struct fmgr_security_definer_cache
+{
+ FmgrInfo flinfo;
+ Oid userid;
+};
+
+/*
+ * Function handler for security definer functions. We extract the
+ * OID of the actual function and do a fmgr lookup again. Then we
+ * look up the owner of the function and cache both the fmgr info and
+ * the owner ID. During the call we temporarily replace the flinfo
+ * with the cached/looked-up one, while keeping the outer fcinfo
+ * (which contains all the actual arguments, etc.) intact.
*/
static Datum
-fmgr_untrusted(PG_FUNCTION_ARGS)
+fmgr_security_definer(PG_FUNCTION_ARGS)
{
- /*
- * Currently these are unsupported. Someday we might do something
- * like forking a subprocess to execute 'em.
- */
- elog(ERROR, "Untrusted functions not supported");
- return 0; /* keep compiler happy */
+ Datum result;
+ FmgrInfo *save_flinfo;
+ struct fmgr_security_definer_cache *fcache;
+ Oid save_userid;
+ HeapTuple tuple;
+
+ if (!fcinfo->flinfo->fn_extra)
+ {
+ fcache = MemoryContextAlloc(fcinfo->flinfo->fn_mcxt, sizeof(*fcache));
+ memset(fcache, 0, sizeof(*fcache));
+
+ fmgr_info_cxt_security(fcinfo->flinfo->fn_oid, &fcache->flinfo,
+ fcinfo->flinfo->fn_mcxt, true);
+
+ tuple = SearchSysCache(PROCOID, ObjectIdGetDatum(fcinfo->flinfo->fn_oid), 0, 0, 0);
+ if (!HeapTupleIsValid(tuple))
+ elog(ERROR, "fmgr_security_definer: function %u: cache lookup failed",
+ fcinfo->flinfo->fn_oid);
+ fcache->userid = ((Form_pg_proc) GETSTRUCT(tuple))->proowner;
+ ReleaseSysCache(tuple);
+
+ fcinfo->flinfo->fn_extra = fcache;
+ }
+ else
+ fcache = fcinfo->flinfo->fn_extra;
+
+ save_flinfo = fcinfo->flinfo;
+ fcinfo->flinfo = &fcache->flinfo;
+
+ save_userid = GetUserId();
+ SetUserId(fcache->userid);
+ result = FunctionCallInvoke(fcinfo);
+ SetUserId(save_userid);
+
+ fcinfo->flinfo = save_flinfo;
+
+ return result;
}
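Review bot: The restore at `SetUserId(save_userid);` after `FunctionCallInvoke(fcinfo)` is skipped whenever the called function raises via elog(ERROR), since elog unwinds with longjmp rather than returning, so the backend would keep running as the function owner until something else (presumably transaction abort, which is outside this diff) resets the current user id; that guarantee should be verified and, since no try/catch mechanism is visible here, recorded above the call as `/* NOTE: an elog(ERROR) inside FunctionCallInvoke bypasses the SetUserId(save_userid) below; transaction abort must reset the user id to the session user. */`. The same applies to `fcinfo->flinfo = save_flinfo;`, which leaves the outer FmgrInfo pointing at the cached inner one on the error path, though that is harmless if the outer fcinfo is not reused after an error. Also worth noting that `fcache->userid` is read from pg_proc once and cached for the life of the FmgrInfo, so a later change of the function's owner would not be seen by an already-prepared call; a one-line comment on the cache struct stating that assumption would help the next reader.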