Merge pull request #418 from diffix/cristian/misc

Reject unsupported column types during AID labeling.

Author: cristianberneanu

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## Version 1.0.3
+  - Reject unsupported column types during AID labeling.
+
 ## Version 1.0.2
   - Allow casts between `int4` and `int8`.
   - Allow more metadata discovery queries.

docs/admin_guide.md

@@ -79,6 +79,8 @@ CALL diffix.mark_personal('transactions', 'sender_acct', 'receiver_acct');
 ```
 labels the table `transactions` as personal, and labels the `sender_acct` and `receiver_acct` columns as AID columns.
 
+The currently supported types for AID columns are: `integer`, `bigint`, `text` and `varchar`.
+
 The procedure `diffix.unmark_table(table_name)` clears the labels for the table and all its AID columns.
 
 ## Settings

src/auth.c

@@ -2,6 +2,7 @@
 
 #include "catalog/pg_inherits.h"
 #include "catalog/pg_namespace.h"
+#include "catalog/pg_type.h"
 #include "fmgr.h"
 #include "miscadmin.h"
 #include "utils/acl.h"
@@ -144,26 +145,38 @@ bool is_aid_column(Oid relation_oid, AttrNumber attnum)
       "Anonymization label `%s` not supported on objects of type `%s`", \
       seclabel, getObjectTypeDescription(object))
 
-static void verify_pg_features(Oid relation_id)
+static void verify_pg_features(Oid relation_oid)
 {
-  if (has_subclass(relation_id) || has_superclass(relation_id))
+  if (has_subclass(relation_oid) || has_superclass(relation_oid))
     FAILWITH("Anonymization over tables using inheritance is not supported.");
 }
 
+static bool is_aid_type_supported(Oid relation_oid, AttrNumber attnum)
+{
+  switch (get_atttype(relation_oid, attnum))
+  {
+  case INT4OID:
+  case INT8OID:
+  case TEXTOID:
+  case VARCHAROID:
+    return true;
+  default:
+    return false;
+  }
+}
+
 static void object_relabel(const ObjectAddress *object, const char *seclabel)
 {
   if (!superuser())
-    FAILWITH_CODE(ERRCODE_INSUFFICIENT_PRIVILEGE, "only a superuser can set anonymization labels");
+    FAILWITH_CODE(ERRCODE_INSUFFICIENT_PRIVILEGE, "Only a superuser can set anonymization labels");
 
   if (seclabel == NULL)
     return;
 
   if (is_personal_label(seclabel) || is_public_label(seclabel))
   {
     if (is_personal_label(seclabel))
-    {
       verify_pg_features(object->objectId);
-    }
 
     if (object->classId == RelationRelationId && object->objectSubId == 0)
       return;
@@ -173,7 +186,13 @@ static void object_relabel(const ObjectAddress *object, const char *seclabel)
   else if (is_aid_label(seclabel))
   {
     if (object->classId == RelationRelationId && object->objectSubId != 0)
+    {
+      if (!is_aid_type_supported(object->objectId, object->objectSubId))
+        FAILWITH_CODE(ERRCODE_FEATURE_NOT_SUPPORTED,
+                      "AID label can not be set on target column because the type is unsupported");
       return;
+    }
+
     FAIL_ON_INVALID_OBJECT_TYPE(seclabel, object);
   }
   else if (is_anonymized_trusted_label(seclabel) || is_anonymized_untrusted_label(seclabel) || is_direct_label(seclabel))

test/expected/admin.out

@@ -37,6 +37,9 @@ SET pg_diffix.strict = true;
 SET pg_diffix.top_count_max = 3;
 NOTICE:  [PG_DIFFIX] Bounds must differ by at least 1. Set other bound to make it valid.
 SET pg_diffix.top_count_max = 4;
+-- Reject unsupported column types during AID labeling
+SECURITY LABEL FOR pg_diffix ON COLUMN test_customers.discount IS 'aid';
+ERROR:  [PG_DIFFIX] AID label can not be set on target column because the type is unsupported
 -- Restriction on users with access level below `direct`
 SET ROLE diffix_test;
 SET pg_diffix.session_access_level = 'anonymized_trusted';

test/sql/admin.sql

@@ -20,6 +20,9 @@ SET pg_diffix.strict = true;
 SET pg_diffix.top_count_max = 3;
 SET pg_diffix.top_count_max = 4;
 
+-- Reject unsupported column types during AID labeling
+SECURITY LABEL FOR pg_diffix ON COLUMN test_customers.discount IS 'aid';
+
 -- Restriction on users with access level below `direct`
 SET ROLE diffix_test;
 SET pg_diffix.session_access_level = 'anonymized_trusted';