fix: run custom scripts on non privileged extensions #147
Conversation
|
@soedirgo If this is the case, then please separate custom scripts to its own test suite, separate from privileged extensions. To avoid further confusion. Also to ensure this behavior covered, we need more tests:
|
| // Prevent recursively running custom scripts | ||
| static bool running_custom_script = false; |
There was a problem hiding this comment.
I find this recursive custom scripts behavior mysterious. When can this happen? Can we cover it by tests so it can be fully understood?
I can help by adding the tests on another PR too, if it requires some other extension it's fine (I've added tests requiring plpgsql_check and pgmq before). Just let me know how can I reproduce.
There was a problem hiding this comment.
The pathological behavior we're trying to avoid is an infinite loop caused by a create extension triggering a custom script that then runs a create extension, which in turn triggers a custom script, etc.
Can't really put the infinite loop as a test case, but preventing nested custom scripts can be done with 2 extensions: have custom scripts for both where one does a create extension for the other, and have the other one do a side effect (e.g. create a table with some sentinel name) and we assert not to happen.
| bool already_switched_to_superuser = false; | ||
|
|
||
| switch_to_superuser(supautils_superuser, &already_switched_to_superuser); | ||
| switch_to_superuser(supautils_superuser, &already_switched_to_superuser); |
There was a problem hiding this comment.
Ditto. I find these already_switched_to_superuser flags mysterious. When can this happen? Is it tested? If not, please mention how can a test be added to cover this behavior.
There was a problem hiding this comment.
The mechanism we use to switch to and from superuser (switch_to_superuser(), switch_to_original_role()) can't be done in a nested manner, unless we use a stack. (Nor does it need to be, for our use case this is sufficient)
The reason is if we do switch_to_superuser() twice, the first one will make the current user id the superuser oid, and the second one will set the prev_role_oid (utils.c) to also be the superuser oid (because that's now the current user id). Then when switch_to_original_role is called, it sets the current user id to the prev_role_oid, which is now the superuser oid. Now the user gets access to a superuser.
To avoid this we just prevent switch_to_superuser() to be called twice without switch_to_original_role() in between. That's what the flag is for; don't run switch_to_superuser() if we already are one. This is tested here by asserting the original role is restored when running a statement that triggers switch_to_superuser() at least twice during its execution.
Also deprecate `supautils.privileged_extensions_custom_scripts_path`
to `extensions_parameter_overrides.{h,c}`
soedirgo
force-pushed
the
fix/run-custom-scripts-on-non-privileged-extensions
branch
from
1c56d66 to
ee5f371
Compare
Pull Request Test Coverage Report for Build 15216870438Details
💛 - Coveralls |
|
Addressed the comments and added the tests, the one for |
What kind of change does this PR introduce?
Fixes #146
What is the current behavior?
Extension custom scripts are only run for
privileged_extensionsWhat is the new behavior?
Support extension custom scripts for all extensions
Additional context
More info on the linked issue