Match pg_user_mappings limits to information_schema.user_mapping_options.

Both views replace the umoptions field with NULL when the user does not meet qualifications to see it. They used different qualifications, and pg_user_mappings documented qualifications did not match its implemented qualifications. Make its documentation and implementation match those of user_mapping_options. One might argue for stronger qualifications, but these have long, documented tenure. pg_user_mappings has always exhibited this problem, so back-patch to 9.2 (all supported versions). Michael Paquier and Feike Steenbergen. Reviewed by Jeff Janes. Reported by Andrew Wheelwright. Security: CVE-2017-7486
author: Noah Misch <noah@leadboat.com> 2017-05-08 07:24:24 -0700
committer: Noah Misch <noah@leadboat.com> 2017-05-08 07:24:27 -0700
commit: db2158108674812abe883f7e0bd14eb2024ea8f3 (patch)
tree: 5737d3a4176a7ca93757962b29075c0e331fade0
parent: 96d7454920e28447a1127497bba624cdf0f315c1 (diff)
download: postgresql-db2158108674812abe883f7e0bd14eb2024ea8f3.tar.gz
5 files changed, 82 insertions, 8 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index ba2e4463ea..23cb262753 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -9990,8 +9990,11 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
       <entry></entry>
       <entry>
        User mapping specific options, as <quote>keyword=value</>
-       strings, if the current user is the owner of the foreign
-       server, else null
+       strings.  This column will show as null unless the current user
+       is the user being mapped, or the mapping is for
+       <literal>PUBLIC</literal> and the current user is the server
+       owner, or the current user is a superuser.  The intent is
+       to protect password information stored as user mapping option.
       </entry>
      </row>
     </tbody>
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index c0bd6fa96b..9f59f9d17b 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -775,11 +775,11 @@ CREATE VIEW pg_user_mappings AS
         ELSE
             A.rolname
         END AS usename,
-        CASE WHEN pg_has_role(S.srvowner, 'USAGE') OR has_server_privilege(S.oid, 'USAGE') THEN
-            U.umoptions
-        ELSE
-            NULL
-        END AS umoptions
+        CASE WHEN (U.umuser <> 0 AND A.rolname = current_user)
+                    OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
+                    OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
+                    THEN U.umoptions
+                 ELSE NULL END AS umoptions
     FROM pg_user_mapping U
          LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN
         pg_foreign_server S ON (U.umserver = S.oid);
diff --git a/src/test/regress/expected/foreign_data.out b/src/test/regress/expected/foreign_data.out
index 660840cd90..03d11d908a 100644
--- a/src/test/regress/expected/foreign_data.out
+++ b/src/test/regress/expected/foreign_data.out
@@ -1194,7 +1194,61 @@ WARNING:  no privileges were granted for "s9"
 CREATE USER MAPPING FOR current_user SERVER s9;
 DROP SERVER s9 CASCADE;                                         -- ERROR
 ERROR:  must be owner of foreign server s9
+-- Check visibility of user mapping data
+SET ROLE regress_test_role;
+CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
+CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
+GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
+-- owner of server can see option fields
+\deu+
+             List of user mappings
+ Server |     User name     |    FDW Options    
+--------+-------------------+-------------------
+ s10    | public            | ("user" 'secret')
+ s4     | foreign_data_user | 
+ s5     | regress_test_role | (modified '1')
+ s6     | regress_test_role | 
+ s8     | foreign_data_user | 
+ s8     | public            | 
+ s9     | unprivileged_role | 
+ t1     | public            | (modified '1')
+(8 rows)
+
+RESET ROLE;
+-- superuser can see option fields
+\deu+
+              List of user mappings
+ Server |     User name     |     FDW Options     
+--------+-------------------+---------------------
+ s10    | public            | ("user" 'secret')
+ s4     | foreign_data_user | 
+ s5     | regress_test_role | (modified '1')
+ s6     | regress_test_role | 
+ s8     | foreign_data_user | (password 'public')
+ s8     | public            | 
+ s9     | unprivileged_role | 
+ t1     | public            | (modified '1')
+(8 rows)
+
+-- unprivileged user cannot see option fields
+SET ROLE unprivileged_role;
+\deu+
+          List of user mappings
+ Server |     User name     | FDW Options 
+--------+-------------------+-------------
+ s10    | public            | 
+ s4     | foreign_data_user | 
+ s5     | regress_test_role | 
+ s6     | regress_test_role | 
+ s8     | foreign_data_user | 
+ s8     | public            | 
+ s9     | unprivileged_role | 
+ t1     | public            | 
+(8 rows)
+
 RESET ROLE;
+DROP SERVER s10 CASCADE;
+NOTICE:  drop cascades to user mapping for public on server s10
 -- Triggers
 CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$
   BEGIN
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index 899ab445db..e5bd422a30 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -2102,7 +2102,9 @@ pg_user_mappings| SELECT u.oid AS umid,
             ELSE a.rolname
         END AS usename,
         CASE
-            WHEN (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text)) THEN u.umoptions
+            WHEN (((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text)) OR ( SELECT pg_authid.rolsuper
+               FROM pg_authid
+              WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions
             ELSE NULL::text[]
         END AS umoptions
    FROM ((pg_user_mapping u
diff --git a/src/test/regress/sql/foreign_data.sql b/src/test/regress/sql/foreign_data.sql
index 384e155fcb..b78ae2d040 100644
--- a/src/test/regress/sql/foreign_data.sql
+++ b/src/test/regress/sql/foreign_data.sql
@@ -490,7 +490,22 @@ ALTER SERVER s9 VERSION '1.2';                                  -- ERROR
 GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;          -- WARNING
 CREATE USER MAPPING FOR current_user SERVER s9;
 DROP SERVER s9 CASCADE;                                         -- ERROR
+
+-- Check visibility of user mapping data
+SET ROLE regress_test_role;
+CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
+CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
+GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
+-- owner of server can see option fields
+\deu+
+RESET ROLE;
+-- superuser can see option fields
+\deu+
+-- unprivileged user cannot see option fields
+SET ROLE unprivileged_role;
+\deu+
 RESET ROLE;
+DROP SERVER s10 CASCADE;
 
 -- Triggers
 CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$
author	Noah Misch <noah@leadboat.com>	2017-05-08 07:24:24 -0700
committer	Noah Misch <noah@leadboat.com>	2017-05-08 07:24:27 -0700
commit	db2158108674812abe883f7e0bd14eb2024ea8f3 (patch)
tree	5737d3a4176a7ca93757962b29075c0e331fade0
parent	96d7454920e28447a1127497bba624cdf0f315c1 (diff)
download	postgresql-db2158108674812abe883f7e0bd14eb2024ea8f3.tar.gz