Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: allow nosuperuser attribute to be set on roles #87

Merged
merged 7 commits into from
May 31, 2024
Merged

fix: allow nosuperuser attribute to be set on roles #87

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
93d3b27
fix: allow nosuperuser attribute to be set on roles
sweatybridge May 31, 2024
09e2299
chore: update unit test for privileged role
sweatybridge May 31, 2024
ffa699b
chore: verify nosuperuser attribute can be set
sweatybridge May 31, 2024
6b591b3
chore: update ci push trigger to only run on master
sweatybridge May 31, 2024
858d6c3
chore: update test comment
sweatybridge May 31, 2024
8388d41
chore: update test
soedirgo May 31, 2024
a2776be
fix: don't allow alter role nosuperuser
soedirgo May 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
name: CI

on: [push, pull_request]
on:
pull_request:
push:
branches:
- master

jobs:
test:
Expand Down
3 changes: 2 additions & 1 deletion src/supautils.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
#include <access/xact.h>
#include <catalog/namespace.h>
#include <catalog/pg_authid.h>
#include <commands/defrem.h>
#include <executor/spi.h>
#include <fmgr.h>
#include <miscadmin.h>
Expand Down Expand Up @@ -434,7 +435,7 @@ supautils_hook(PROCESS_UTILITY_PARAMS)
hasrolemembers = true;

// Setting the superuser attribute is not allowed.
if (strcmp(defel->defname, "superuser") == 0) {
if (strcmp(defel->defname, "superuser") == 0 && defGetBoolean(defel)) {
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("permission denied to create role"),
Expand Down
10 changes: 9 additions & 1 deletion test/expected/privileged_role.out
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,11 +176,19 @@ alter role authenticator nologin;
ERROR: "authenticator" is a reserved role, only superusers can modify it
\echo

-- privileged_role cannot manage [no]superuser attribute
-- privileged_role can create nosuperuser
create role r nosuperuser;
drop role r;
\echo

-- privileged_role cannot create superuser or alter [no]superuser
create role r superuser;
ERROR: permission denied to create role
DETAIL: Only roles with the SUPERUSER attribute may create roles with the SUPERUSER attribute.
create role r;
alter role r nosuperuser;
ERROR: permission denied to alter role
DETAIL: Only roles with the SUPERUSER attribute may alter roles with the SUPERUSER attribute.
alter role r superuser;
ERROR: permission denied to alter role
DETAIL: Only roles with the SUPERUSER attribute may alter roles with the SUPERUSER attribute.
Expand Down
9 changes: 8 additions & 1 deletion test/sql/privileged_role.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,9 +132,16 @@ alter role authenticator rename to authorized;
alter role authenticator nologin;
\echo

-- privileged_role cannot manage [no]superuser attribute
-- privileged_role can create nosuperuser
create role r nosuperuser;

drop role r;
\echo

-- privileged_role cannot create superuser or alter [no]superuser
create role r superuser;
create role r;
alter role r nosuperuser;
alter role r superuser;
alter role postgres nosuperuser;

Expand Down
Loading