From 4214f8f658163df0c1715d11daec027e267ba660 Mon Sep 17 00:00:00 2001 From: Eric Long Date: Fri, 11 Oct 2019 12:23:34 -0400 Subject: [PATCH] 0003920: In PostgreSQL trigger function should be SECURITY DEFINER --- .../postgresql/PostgreSqlTriggerTemplate.java | 17 ++++++++++++----- .../symmetric/common/ParameterConstants.java | 1 + .../main/resources/symmetric-default.properties | 8 ++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/symmetric-client/src/main/java/org/jumpmind/symmetric/db/postgresql/PostgreSqlTriggerTemplate.java b/symmetric-client/src/main/java/org/jumpmind/symmetric/db/postgresql/PostgreSqlTriggerTemplate.java index a4e2351f5e..d882fe7ed9 100644 --- a/symmetric-client/src/main/java/org/jumpmind/symmetric/db/postgresql/PostgreSqlTriggerTemplate.java +++ b/symmetric-client/src/main/java/org/jumpmind/symmetric/db/postgresql/PostgreSqlTriggerTemplate.java @@ -94,7 +94,7 @@ public PostgreSqlTriggerTemplate(ISymmetricDialect symmetricDialect) { " $(custom_on_insert_text) \n" + " return null; \n" + " end; \n" + -" $function$ language plpgsql; " ); +" $function$ language plpgsql" + getSecurityClause() + ";"); sqlTemplates.put("insertReloadTriggerTemplate" , "create or replace function $(schemaName)f$(triggerName)() returns trigger as $function$ \n" + @@ -118,7 +118,7 @@ public PostgreSqlTriggerTemplate(ISymmetricDialect symmetricDialect) { " $(custom_on_insert_text) \n" + " return null; \n" + " end; \n" + -" $function$ language plpgsql; " ); +" $function$ language plpgsql" + getSecurityClause() + ";"); sqlTemplates.put("insertPostTriggerTemplate" , @@ -155,7 +155,7 @@ public PostgreSqlTriggerTemplate(ISymmetricDialect symmetricDialect) { " $(custom_on_update_text) \n" + " return null; \n" + " end; \n" + -" $function$ language plpgsql; " ); +" $function$ language plpgsql" + getSecurityClause() + ";"); sqlTemplates.put("updateReloadTriggerTemplate" , "create or replace function $(schemaName)f$(triggerName)() returns trigger as $function$ \n" + @@ -185,7 +185,7 @@ public PostgreSqlTriggerTemplate(ISymmetricDialect symmetricDialect) { " $(custom_on_update_text) \n" + " return null; \n" + " end; \n" + -" $function$ language plpgsql; " ); +" $function$ language plpgsql" + getSecurityClause() + ";"); sqlTemplates.put("updatePostTriggerTemplate" , "create trigger $(triggerName) after update on $(schemaName)$(tableName) \n" + @@ -214,7 +214,7 @@ public PostgreSqlTriggerTemplate(ISymmetricDialect symmetricDialect) { " $(custom_on_delete_text) \n" + " return null; \n" + " end; \n" + -" $function$ language plpgsql; " ); +" $function$ language plpgsql" + getSecurityClause() + ";"); sqlTemplates.put("deletePostTriggerTemplate" , "create trigger $(triggerName) after delete on $(schemaName)$(tableName) \n" + @@ -237,5 +237,12 @@ protected String getCreateTimeExpression(ISymmetricDialect symmetricDialect) { return String.format("CURRENT_TIMESTAMP AT TIME ZONE '%s'", timezone); } } + + protected String getSecurityClause() { + if (symmetricDialect.getParameterService().is(ParameterConstants.POSTGRES_SECURITY_DEFINER, false)) { + return " security definer"; + } + return ""; + } } \ No newline at end of file diff --git a/symmetric-core/src/main/java/org/jumpmind/symmetric/common/ParameterConstants.java b/symmetric-core/src/main/java/org/jumpmind/symmetric/common/ParameterConstants.java index fdf64976b5..aeba62eec6 100644 --- a/symmetric-core/src/main/java/org/jumpmind/symmetric/common/ParameterConstants.java +++ b/symmetric-core/src/main/java/org/jumpmind/symmetric/common/ParameterConstants.java @@ -510,6 +510,7 @@ private ParameterConstants() { public final static String REDSHIFT_BULK_LOAD_S3_SECRET_KEY = "redshift.bulk.load.s3.secret.key"; public final static String REDSHIFT_BULK_LOAD_S3_ENDPOINT = "redshift.bulk.load.s3.endpoint"; + public final static String POSTGRES_SECURITY_DEFINER = "postgres.security.definer"; public static Map getParameterMetaData() { return parameterMetaData; diff --git a/symmetric-core/src/main/resources/symmetric-default.properties b/symmetric-core/src/main/resources/symmetric-default.properties index 8b67c826eb..d4ca025aa2 100644 --- a/symmetric-core/src/main/resources/symmetric-default.properties +++ b/symmetric-core/src/main/resources/symmetric-default.properties @@ -2646,3 +2646,11 @@ cloud.bulk.load.azure.sas.token= # Tags: other # Type: boolean snapshot.file.include.hostname=false + +# Postgres triggers default to "security invoker" with permissions based on caller. +# Enable this parameter to use "security definer" with permissions based on owner. +# +# DatabaseOverridable: false +# Tags: postgres +# Type: boolean +postgres.security.definer=false