Add object TRUNCATE hook

All operations with acl permissions checks should have a corresponding hook
so that, for example, mandatory access control (MAC) may be enforced by an
extension. The command TRUNCATE is missing this hook, so add it. Patch by
Yuli Khodorkovskiy with some editorialization by me. Based on the discussion
not back-patched. A separate patch will exercise the hook in the sepgsql
extension.

Author: Yuli Khodorkovskiy
Reviewed-by: Joe Conway
Discussion: https://postgr.es/m/CAFL5wJcomybj1Xdw7qWmPJRpGuFukKgNrDb6uVBaCMgYS9dkaA%40mail.gmail.com

diff --git a/src/backend/catalog/objectaccess.c b/src/backend/catalog/objectaccess.c
index b1619b859f2d6fce3308e199bc8d85facee637f3..d51d01fe6512ea8603afd3017ae3cbf98703cd0a 100644 (file)
--- a/src/backend/catalog/objectaccess.c
+++ b/src/backend/catalog/objectaccess.c
@@ -11,6 +11,7 @@
 #include "postgres.h"
 
 #include "catalog/objectaccess.h"
+#include "catalog/pg_class.h"
 #include "catalog/pg_namespace.h"
 #include "catalog/pg_proc.h"
 
@@ -64,6 +65,22 @@ RunObjectDropHook(Oid classId, Oid objectId, int subId,
                           (void *) &drop_arg);
 }
 
+/*
+ * RunObjectTruncateHook
+ *
+ * It is the entrypoint of OAT_TRUNCATE event
+ */
+void
+RunObjectTruncateHook(Oid objectId)
+{
+   /* caller should check, but just in case... */
+   Assert(object_access_hook != NULL);
+
+   (*object_access_hook) (OAT_TRUNCATE,
+                          RelationRelationId, objectId, 0,
+                          NULL);
+}
+
 /*
  * RunObjectPostAlterHook
  *

diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
index 45aae5955d0a7075abf7ffe301b180b55f17a97e..5440eb90153d10b5081408194d19988df3a66b16 100644 (file)
--- a/src/backend/commands/tablecmds.c
+++ b/src/backend/commands/tablecmds.c
@@ -1937,6 +1937,8 @@ truncate_check_rel(Oid relid, Form_pg_class reltuple)
                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                 errmsg("permission denied: \"%s\" is a system catalog",
                        relname)));
+
+   InvokeObjectTruncateHook(relid);
 }
 
 /*

diff --git a/src/include/catalog/objectaccess.h b/src/include/catalog/objectaccess.h
index 0170f1f1e410e08346e71826383c8edc043b4072..9824adf531f9874bc17eb2ea69c8db0fb0763df5 100644 (file)
--- a/src/include/catalog/objectaccess.h
+++ b/src/include/catalog/objectaccess.h
@@ -37,6 +37,10 @@
  * creation or altering, because OAT_POST_CREATE or OAT_POST_ALTER are
  * sufficient for extensions to track these kind of checks.
  *
+ * OAT_TRUNCATE should be invoked just before truncation of objects. This
+ * event is equivalent to truncate permission on a relation under the
+ * default access control mechanism.
+ *
  * Other types may be added in the future.
  */
 typedef enum ObjectAccessType
@@ -45,7 +49,8 @@ typedef enum ObjectAccessType
    OAT_DROP,
    OAT_POST_ALTER,
    OAT_NAMESPACE_SEARCH,
-   OAT_FUNCTION_EXECUTE
+   OAT_FUNCTION_EXECUTE,
+   OAT_TRUNCATE
 } ObjectAccessType;
 
 /*
@@ -131,6 +136,7 @@ extern void RunObjectPostCreateHook(Oid classId, Oid objectId, int subId,
                                    bool is_internal);
 extern void RunObjectDropHook(Oid classId, Oid objectId, int subId,
                              int dropflags);
+extern void RunObjectTruncateHook(Oid objectId);
 extern void RunObjectPostAlterHook(Oid classId, Oid objectId, int subId,
                                   Oid auxiliaryId, bool is_internal);
 extern bool RunNamespaceSearchHook(Oid objectId, bool ereport_on_violation);
@@ -160,6 +166,12 @@ extern void RunFunctionExecuteHook(Oid objectId);
                              (dropflags));                         \
    } while(0)
 
+#define InvokeObjectTruncateHook(objectId)                         \
+   do {                                                            \
+       if (object_access_hook)                                     \
+           RunObjectTruncateHook(objectId);                        \
+   } while(0)
+
 #define InvokeObjectPostAlterHook(classId,objectId,subId)          \
    InvokeObjectPostAlterHookArg((classId),(objectId),(subId),      \
                                 InvalidOid,false)