| blob | 5ae77f7636709a045240528dedbdaf1aba184520 |
1 /*-------------------------------------------------------------------------
2 *
3 * Utility routines for SQL dumping
4 *
5 * Basically this is stuff that is useful in both pg_dump and pg_dumpall.
6 *
7 *
8 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
9 * Portions Copyright (c) 1994, Regents of the University of California
10 *
11 * src/bin/pg_dump/dumputils.c
12 *
13 *-------------------------------------------------------------------------
14 */
17 #include <ctype.h>
32 /*
33 * Build GRANT/REVOKE command(s) for an object.
34 *
35 * name: the object name, in the form to use in the commands (already quoted)
36 * subname: the sub-object name, if any (already quoted); NULL if none
37 * nspname: the namespace the object is in (NULL if none); not pre-quoted
38 * type: the object type (as seen in GRANT command: must be one of
39 * TABLE, SEQUENCE, FUNCTION, PROCEDURE, LANGUAGE, SCHEMA, DATABASE, TABLESPACE,
40 * FOREIGN DATA WRAPPER, SERVER, PARAMETER or LARGE OBJECT)
41 * acls: the ACL string fetched from the database
42 * baseacls: the initial ACL string for this object
43 * owner: username of object owner (will be passed through fmtId); can be
44 * NULL or empty string to indicate "no owner known"
45 * prefix: string to prefix to each generated command; typically empty
46 * remoteVersion: version of database
47 *
48 * Returns true if okay, false if could not parse the acl string.
49 * The resulting commands (if any) are appended to the contents of 'sql'.
50 *
51 * baseacls is typically the result of acldefault() for the object's type
52 * and owner. However, if there is a pg_init_privs entry for the object,
53 * it should instead be the initprivs ACLs. When acls is itself a
54 * pg_init_privs entry, baseacls is what to dump that relative to; then
55 * it can be either an acldefault() value or an empty ACL "{}".
56 *
57 * Note: when processing a default ACL, prefix is "ALTER DEFAULT PRIVILEGES "
58 * or something similar, and name is an empty string.
59 *
60 * Note: beware of passing a fmtId() result directly as 'name' or 'subname',
61 * since this routine uses fmtId() internally.
62 */
63 bool
67 PQExpBuffer sql)
68 {
79 PQExpBuffer grantee,
80 grantor,
81 privs,
82 privswgo;
83 PQExpBuffer firstsql,
84 secondsql;
86 /*
87 * If the acl was NULL (initial default state), we need do nothing. Note
88 * that this is distinguishable from all-privileges-revoked, which will
89 * look like an empty array ("{}").
90 */
94 /* treat empty-string owner same as NULL */
98 /* Parse the acls array */
100 {
103 }
105 /* Parse the baseacls too */
107 {
111 }
113 /*
114 * Compare the actual ACL with the base ACL, extracting the privileges
115 * that need to be granted (i.e., are in the actual ACL but not the base
116 * ACL) and the ones that need to be revoked (the reverse). We use plain
117 * string comparisons to check for matches. In principle that could be
118 * fooled by extraneous issues such as whitespace, but since all these
119 * strings are the work of aclitemout(), it should be OK in practice.
120 * Besides, a false mismatch will just cause the output to be a little
121 * more verbose than it really needed to be.
122 */
125 {
129 {
131 {
134 }
135 }
138 }
141 {
145 {
147 {
150 }
151 }
154 }
156 /* Prepare working buffers */
162 /*
163 * At the end, these two will be pasted together to form the result.
164 */
168 /*
169 * Build REVOKE statements for ACLs listed in revokeitems[].
170 */
172 {
176 {
179 }
182 {
192 else
195 }
196 }
198 /*
199 * At this point we have issued REVOKE statements for all initial and
200 * default privileges that are no longer present on the object, so we are
201 * almost ready to GRANT the privileges listed in grantitems[].
202 *
203 * We still need some hacking though to cover the case where new default
204 * public privileges are added in new versions: the REVOKE ALL will revoke
205 * them, leading to behavior different from what the old version had,
206 * which is generally not what's wanted. So add back default privs if the
207 * source database is too old to have had that particular priv. (As of
208 * right now, no such cases exist in supported versions.)
209 */
211 /*
212 * Scan individual ACL items to be granted.
213 *
214 * The order in which privileges appear in the ACL string (the order they
215 * have been GRANT'd in, which the backend maintains) must be preserved to
216 * ensure that GRANTs WITH GRANT OPTION and subsequent GRANTs based on
217 * those are dumped in the correct order. However, some old server
218 * versions will show grants to PUBLIC before the owner's own grants; for
219 * consistency's sake, force the owner's grants to be output first.
220 */
222 {
225 {
226 /*
227 * If the grantor isn't the owner, we'll need to use SET SESSION
228 * AUTHORIZATION to become the grantor. Issue the SET/RESET only
229 * if there's something useful to do.
230 */
232 {
233 PQExpBuffer thissql;
235 /* Set owner as grantor if that's not explicit in the ACL */
239 /* Make sure owner's own grants are output before others */
244 else
253 {
263 else
265 }
267 {
277 else
280 }
285 }
286 }
287 else
288 {
289 /* parseAclItem failed, give up */
292 }
293 }
310 }
312 /*
313 * Build ALTER DEFAULT PRIVILEGES command(s) for a single pg_default_acl entry.
314 *
315 * type: the object type (TABLES, FUNCTIONS, etc)
316 * nspname: schema name, or NULL for global default privileges
317 * acls: the ACL string fetched from the database
318 * acldefault: the appropriate default ACL for the object type and owner
319 * owner: username of privileges owner (will be passed through fmtId)
320 * remoteVersion: version of database
321 *
322 * Returns true if okay, false if could not parse the acl string.
323 * The resulting commands (if any) are appended to the contents of 'sql'.
324 */
325 bool
330 PQExpBuffer sql)
331 {
332 PQExpBuffer prefix;
336 /*
337 * We incorporate the target role directly into the command, rather than
338 * playing around with SET ROLE or anything like that. This is so that a
339 * permissions error leads to nothing happening, rather than changing
340 * default privileges for the wrong user.
341 */
347 /*
348 * There's no such thing as initprivs for a default ACL, so the base ACL
349 * is always just the object-type-specific default.
350 */
354 {
357 }
362 }
364 /*
365 * This will parse an aclitem string, having the general form
366 * username=privilegecodes/grantor
367 *
368 * Returns true on success, false on parse error. On success, the components
369 * of the string are returned in the PQExpBuffer parameters.
370 *
371 * The returned grantee string will be the dequoted username, or an empty
372 * string in the case of a grant to PUBLIC. The returned grantor is the
373 * dequoted grantor name. Privilege characters are translated to GRANT/REVOKE
374 * comma-separated privileges lists. If "privswgo" is non-NULL, the result is
375 * separate lists for privileges with grant option ("privswgo") and without
376 * ("privs"). Otherwise, "privs" bears every relevant privilege, ignoring the
377 * grant option distinction.
378 *
379 * Note: for cross-version compatibility, it's important to use ALL to
380 * represent the privilege sets whenever appropriate.
381 */
382 static bool
387 {
397 /* user or group name is string up to = */
400 {
403 }
405 /* grantor should appear after / */
408 {
412 {
415 }
416 }
417 else
418 {
421 }
423 /* privilege codes */
424 #define CONVERT_PRIV(code, keywd) \
425 do { \
426 if ((pos = strchr(eqpos + 1, code))) \
427 { \
429 { \
430 AddAcl(privswgo, keywd, subname); \
431 all_without_go = false; \
432 } \
433 else \
434 { \
435 AddAcl(privs, keywd, subname); \
436 all_with_go = false; \
437 } \
438 } \
439 else \
440 all_with_go = all_without_go = false; \
441 } while (0)
448 {
453 /* sequence only */
455 else
456 {
457 /* table only */
460 /* rest are not applicable to columns */
462 {
467 }
468 }
470 /* UPDATE */
472 }
483 {
486 }
488 {
492 }
505 {
508 }
510 {
513 }
514 else
517 #undef CONVERT_PRIV
520 {
525 }
527 {
532 }
537 }
539 /*
540 * Transfer the role name at *input into the output buffer, adding
541 * quoting according to the same rules as putid() in backend's acl.c.
542 */
543 void
545 {
550 {
551 /* This test had better match what putid() does */
553 {
556 }
557 }
561 {
562 /* A double quote character in a username is encoded as "" */
566 }
569 }
571 /*
572 * Transfer a user or group name starting at *input into the output buffer,
573 * dequoting if needed. Returns a pointer to just past the input name.
574 * The name is taken to end at an unquoted '=' or end of string.
575 * Note: unlike quoteAclUserName(), this first clears the output buffer.
576 */
579 {
583 {
584 /*
585 * If user name isn't quoted, then just add it to the output buffer
586 */
589 else
590 {
591 /* Otherwise, it's a quoted username */
592 input++;
593 /* Loop until we come across an unescaped quote */
595 {
599 /*
600 * Quoting convention is to escape " as "". Keep this code in
601 * sync with putid() in backend's acl.c.
602 */
604 input++;
606 }
607 input++;
608 }
609 }
611 }
613 /*
614 * Append a privilege keyword to a keyword list, inserting comma if needed.
615 */
616 static void
618 {
624 }
627 /*
628 * buildShSecLabelQuery
629 *
630 * Build a query to retrieve security labels for a shared object.
631 * The object is identified by its OID plus the name of the catalog
632 * it can be found in (e.g., "pg_database" for database names).
633 * The query is appended to "sql". (We don't execute it here so as to
634 * keep this file free of assumptions about how to deal with SQL errors.)
635 */
636 void
638 PQExpBuffer sql)
639 {
641 "SELECT provider, label FROM pg_catalog.pg_shseclabel "
642 "WHERE classoid = 'pg_catalog.%s'::pg_catalog.regclass "
644 }
646 /*
647 * emitShSecLabels
648 *
649 * Construct SECURITY LABEL commands using the data retrieved by the query
650 * generated by buildShSecLabelQuery, and append them to "buffer".
651 * Here, the target object is identified by its type name (e.g. "DATABASE")
652 * and its name (not pre-quoted).
653 */
654 void
657 {
661 {
665 /* must use fmtId result before calling it again */
674 }
675 }
678 /*
679 * Detect whether the given GUC variable is of GUC_LIST_QUOTE type.
680 *
681 * It'd be better if we could inquire this directly from the backend; but even
682 * if there were a function for that, it could only tell us about variables
683 * currently known to guc.c, so that it'd be unsafe for extensions to declare
684 * GUC_LIST_QUOTE variables anyway. Lacking a solution for that, it doesn't
685 * seem worth the work to do more than have this list, which must be kept in
686 * sync with the variables actually marked GUC_LIST_QUOTE in guc_tables.c.
687 */
688 bool
690 {
698 else
700 }
702 /*
703 * SplitGUCList --- parse a string containing identifiers or file names
704 *
705 * This is used to split the value of a GUC_LIST_QUOTE GUC variable, without
706 * presuming whether the elements will be taken as identifiers or file names.
707 * See comparable code in src/backend/utils/adt/varlena.c.
708 *
709 * Inputs:
710 * rawstring: the input string; must be overwritable! On return, it's
711 * been modified to contain the separated identifiers.
712 * separator: the separator punctuation expected between identifiers
713 * (typically '.' or ','). Whitespace may also appear around
714 * identifiers.
715 * Outputs:
716 * namelist: receives a malloc'd, null-terminated array of pointers to
717 * identifiers within rawstring. Caller should free this
718 * even on error return.
719 *
720 * Returns true if okay, false if there is a syntax error in the string.
721 */
722 bool
725 {
730 /*
731 * Since we disallow empty identifiers, this is a conservative
732 * overestimate of the number of pointers we could need. Allow one for
733 * list terminator.
734 */
745 /* At the top of the loop, we are at start of a new identifier. */
746 do
747 {
752 {
753 /* Quoted name --- collapse quote-quote pairs */
756 {
762 /* Collapse adjacent quotes into one quote, and look again */
765 }
766 /* endp now points at the terminating quote */
768 }
769 else
770 {
771 /* Unquoted name --- extends to separator or whitespace */
775 nextp++;
779 }
785 {
786 nextp++;
789 /* we expect another name, so done remains false */
790 }
793 else
796 /* Now safe to overwrite separator with a null */
799 /*
800 * Finished isolating current name --- add it to output array
801 */
804 /* Loop back if we didn't reach end of string */
809 }
811 /*
812 * Helper function for dumping "ALTER DATABASE/ROLE SET ..." commands.
813 *
814 * Parse the contents of configitem (a "name=value" string), wrap it in
815 * a complete ALTER command, and append it to buf.
816 *
817 * type is DATABASE or ROLE, and name is the name of the database or role.
818 * If we need an "IN" clause, type2 and name2 similarly define what to put
819 * there; otherwise they should be NULL.
820 * conn is used only to determine string-literal quoting conventions.
821 */
822 void
826 PQExpBuffer buf)
827 {
831 /* Parse the configitem. If we can't find an "=", silently do nothing. */
835 {
838 }
841 /* Build the command, with suitable quoting for everything. */
847 /*
848 * Variables that are marked GUC_LIST_QUOTE were already fully quoted by
849 * flatten_set_variable_args() before they were put into the setconfig
850 * array. However, because the quoting rules used there aren't exactly
851 * like SQL's, we have to break the list value apart and then quote the
852 * elements as string literals. (The elements may be double-quoted as-is,
853 * but we can't just feed them to the SQL parser; it would do the wrong
854 * thing with elements that are zero-length or longer than NAMEDATALEN.)
855 *
856 * Variables that are not so marked should just be emitted as simple
857 * string literals. If the variable is not known to
858 * variable_is_guc_list_quote(), we'll do that; this makes it unsafe to
859 * use GUC_LIST_QUOTE for extension variables.
860 */
862 {
866 /* Parse string into list of identifiers */
867 /* this shouldn't fail really */
869 {
871 {
875 }
876 }
878 }
879 else
885 }