pg-ext: add more SQL func wrappers (#8488)

fantix · elprans · commit fc57e890e76a · 2025-03-21T15:40:23.000-07:00
Adds wrappers for: * `has_database_privilege` * `has_any_column_privilege` (this fixes Metabase compatibility) If the same table name exists in more than one schema, the `has*_privilege()` functions that take an unqualified table name are not yet looking into `search_path` as they are expected to be, but rather choose a "random" one as the result. This is not a problem yet, because Gel user is "superuser" only, it has access to any of the tables with the same name, so the result is inaccurately correct. Also fixes the `pg_database` view. Refs #5307, #5319 Fixes #8457
diff --git a/edb/pgsql/metaschema.py b/edb/pgsql/metaschema.py
@@ -1227,7 +1227,7 @@ class GetDatabaseFrontendNameFunction(trampoline.VersionedFunction):
         THEN
             substring(db_name, position('_' in db_name) + 1)
         ELSE
-            'edgedb'
+            'main'
         END
     '''
 
@@ -7143,22 +7143,36 @@ def make_wrapper_view(name: str) -> trampoline.VersionedView:
             query="""
         SELECT
             oid,
-            edgedb_VER.get_current_database()::name as datname,
+            frontend_name.n as datname,
             datdba,
             encoding,
+            datlocprovider,
             datcollate,
             datctype,
             datistemplate,
             datallowconn,
+            dathasloginevt,
             datconnlimit,
             0::oid AS datlastsysoid,
             datfrozenxid,
             datminmxid,
             dattablespace,
+            datlocale,
+            daticurules,
+            datcollversion,
             datacl,
             tableoid, xmin, cmin, xmax, cmax, ctid
-        FROM pg_database
-        WHERE datname LIKE '%_edgedb'
+        FROM
+            pg_database,
+            LATERAL (
+                SELECT edgedb_VER.get_database_frontend_name(datname) AS n
+            ) frontend_name,
+            LATERAL (
+                SELECT edgedb_VER.get_database_metadata(frontend_name.n) AS j
+            ) metadata
+        WHERE
+            metadata.j->>'tenant_id' = edgedb_VER.get_backend_tenant_id()
+            AND NOT (metadata.j->'builtin')::bool
         """,
         ),
 
@@ -7692,6 +7706,65 @@ def construct_pg_view(
             views.append(v)
 
     util_functions = [
+        # WARNING: this `edgedbsql.to_regclass()` function is currently not
+        # accurately implemented to take application-level `search_path`
+        # into consideration. It is currently here to support the following
+        # `has_*privilege` functions (which are less sensitive to such issue).
+        # SO DO NOT USE `edgedbsql.to_regclass()` FOR ANYTHING ELSE.
+        trampoline.VersionedFunction(
+            name=('edgedbsql', 'to_regclass'),
+            args=(
+                ('name', 'text',),
+            ),
+            returns=('regclass',),
+            text="""
+                SELECT
+                    CASE
+                        WHEN array_length(parts, 1) = 1 THEN
+                            (
+                                SELECT oid::regclass
+                                FROM edgedbsql_VER.pg_class
+                                WHERE relname = parts[1]
+                                LIMIT 1  -- HACK: see comments above
+                            )
+                        WHEN array_length(parts, 1) = 2 THEN
+                            (
+                                SELECT pc.oid::regclass
+                                FROM edgedbsql_VER.pg_class pc
+                                JOIN edgedbsql_VER.pg_namespace pn
+                                ON pn.oid = pc.relnamespace
+                                WHERE relname = parts[2] AND nspname = parts[1]
+                            )
+                        ELSE
+                            NULL::regclass
+                    END
+                FROM parse_ident(name) parts
+            """
+        ),
+        trampoline.VersionedFunction(
+            name=('edgedbsql', 'has_database_privilege'),
+            args=(
+                ('database_name', 'text'),
+                ('privilege', 'text'),
+            ),
+            returns=('bool',),
+            text="""
+                SELECT has_database_privilege(oid, privilege)
+                FROM edgedbsql_VER.pg_database
+                WHERE datname = database_name
+            """
+        ),
+        trampoline.VersionedFunction(
+            name=('edgedbsql', 'has_database_privilege'),
+            args=(
+                ('database_oid', 'oid'),
+                ('privilege', 'text'),
+            ),
+            returns=('bool',),
+            text="""
+                SELECT has_database_privilege(database_oid, privilege)
+            """
+        ),
         trampoline.VersionedFunction(
             name=('edgedbsql', 'has_schema_privilege'),
             args=(
@@ -7728,20 +7801,19 @@ def construct_pg_view(
             ),
             returns=('bool',),
             text="""
-                SELECT has_table_privilege(oid, privilege)
-                FROM edgedbsql_VER.pg_class
-                WHERE relname = table_name;
+                SELECT has_table_privilege(
+                    edgedbsql_VER.to_regclass(table_name), privilege)
             """
         ),
         trampoline.VersionedFunction(
             name=('edgedbsql', 'has_table_privilege'),
             args=(
-                ('schema_oid', 'oid'),
+                ('table_oid', 'oid'),
                 ('privilege', 'text'),
             ),
             returns=('bool',),
             text="""
-                SELECT has_table_privilege(schema_oid, privilege)
+                SELECT has_table_privilege(table_oid, privilege)
             """
         ),
 
@@ -7766,9 +7838,8 @@ def construct_pg_view(
             ),
             returns=('bool',),
             text="""
-                SELECT has_column_privilege(oid, col, privilege)
-                FROM edgedbsql_VER.pg_class
-                WHERE relname = tbl;
+                SELECT has_column_privilege(
+                    edgedbsql_VER.to_regclass(tbl), col, privilege)
             """
         ),
         trampoline.VersionedFunction(
@@ -7795,9 +7866,32 @@ def construct_pg_view(
             returns=('bool',),
             text="""
                 SELECT has_column_privilege(pc.oid, attnum_internal, privilege)
-                FROM edgedbsql_VER.pg_class pc
-                JOIN edgedbsql_VER.pg_attribute_ext pa ON pa.attrelid = pc.oid
-                WHERE pc.relname = tbl AND pa.attname = col;
+                FROM edgedbsql_VER.pg_attribute_ext pa,
+                LATERAL (SELECT edgedbsql_VER.to_regclass(tbl) AS oid) pc
+                WHERE pa.attrelid = pc.oid AND pa.attname = col
+            """
+        ),
+        trampoline.VersionedFunction(
+            name=('edgedbsql', 'has_any_column_privilege'),
+            args=(
+                ('tbl', 'oid'),
+                ('privilege', 'text'),
+            ),
+            returns=('bool',),
+            text="""
+                SELECT has_any_column_privilege(tbl, privilege)
+            """
+        ),
+        trampoline.VersionedFunction(
+            name=('edgedbsql', 'has_any_column_privilege'),
+            args=(
+                ('tbl', 'text'),
+                ('privilege', 'text'),
+            ),
+            returns=('bool',),
+            text="""
+                SELECT has_any_column_privilege(
+                    edgedbsql_VER.to_regclass(tbl), privilege)
             """
         ),
         trampoline.VersionedFunction(
diff --git a/edb/pgsql/resolver/static.py b/edb/pgsql/resolver/static.py
@@ -383,9 +383,11 @@ def eval_FuncCall(
         # schema and table names need to be remapped. This is accomplished
         # with wrapper functions defined in metaschema.py.
         has_wrapper = {
+            'has_database_privilege',
             'has_schema_privilege',
             'has_table_privilege',
             'has_column_privilege',
+            'has_any_column_privilege',
         }
         if fn_name in has_wrapper:
             return pgast.FuncCall(name=(V('edgedbsql'), fn_name), args=fn_args)
diff --git a/tests/test_sql_query.py b/tests/test_sql_query.py
@@ -1622,6 +1622,40 @@ async def test_sql_query_be_state(self):
         finally:
             await con.aclose()
 
+    async def test_sql_query_privileges_01(self):
+
+        res = await self.squery_values(
+            '''
+            select has_database_privilege($1, 'CONNECT');
+            ''',
+            self.con.dbname,
+        )
+        self.assertEqual(res, [[True]])
+
+    async def test_sql_query_privileges_02(self):
+        res = await self.squery_values(
+            '''
+            select has_table_privilege('"Movie"', 'SELECT');
+            '''
+        )
+        self.assertEqual(res, [[True]])
+
+    async def test_sql_query_privileges_03(self):
+        res = await self.squery_values(
+            '''
+            select has_column_privilege('"Movie"', 'title', 'SELECT');
+            '''
+        )
+        self.assertEqual(res, [[True]])
+
+    async def test_sql_query_privileges_04(self):
+        res = await self.squery_values(
+            '''
+            select has_any_column_privilege('"Movie"', 'SELECT');
+            '''
+        )
+        self.assertEqual(res, [[True]])
+
     async def test_sql_query_client_encoding_1(self):
         self.assertEqual(
             self.scon.get_settings().client_encoding.lower(), "utf_8"
