Again match pg_user_mappings to information_schema.user_mapping_options.

Commit 3eefc51 claimed to make
pg_user_mappings enforce the qualifications user_mapping_options had
been enforcing, but its removal of a longstanding restriction left them
distinct when the current user is the subject of a mapping yet has no
server privileges.  user_mapping_options emits no rows for such a
mapping, but pg_user_mappings includes full umoptions.  Change
pg_user_mappings to show null for umoptions.  Back-patch to 9.2, like
the above commit.

Reviewed by Tom Lane.  Reported by Jeff Janes.

Security: CVE-2017-7547

Author: nmisch

doc/src/sgml/catalogs.sgml

@@ -10050,17 +10050,37 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
       <entry><type>text[]</type></entry>
       <entry></entry>
       <entry>
-       User mapping specific options, as <quote>keyword=value</>
-       strings.  This column will show as null unless the current user
-       is the user being mapped, or the mapping is for
-       <literal>PUBLIC</literal> and the current user is the server
-       owner, or the current user is a superuser.  The intent is
-       to protect password information stored as user mapping option.
+       User mapping specific options, as <quote>keyword=value</> strings
       </entry>
      </row>
     </tbody>
    </tgroup>
   </table>
+
+  <para>
+   To protect password information stored as a user mapping option,
+   the <structfield>umoptions</structfield> column will read as null
+   unless one of the following applies:
+   <itemizedlist>
+    <listitem>
+     <para>
+      current user is the user being mapped, and owns the server or
+      holds <literal>USAGE</> privilege on it
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      current user is the server owner and mapping is for <literal>PUBLIC</>
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      current user is a superuser
+     </para>
+    </listitem>
+   </itemizedlist>
+  </para>
+
  </sect1>
 
 

src/backend/catalog/system_views.sql

@@ -826,7 +826,9 @@ CREATE VIEW pg_user_mappings AS
         ELSE
             A.rolname
         END AS usename,
-        CASE WHEN (U.umuser <> 0 AND A.rolname = current_user)
+        CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
+                     AND (pg_has_role(S.srvowner, 'USAGE')
+                          OR has_server_privilege(S.oid, 'USAGE')))
                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                     THEN U.umoptions

src/test/regress/expected/foreign_data.out

@@ -1179,10 +1179,11 @@ ERROR:  permission denied for foreign-data wrapper foo
 ALTER SERVER s9 VERSION '1.1';
 GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
 CREATE USER MAPPING FOR current_user SERVER s9;
+-- We use terse mode to avoid ordering issues in cascade detail output.
+\set VERBOSITY terse
 DROP SERVER s9 CASCADE;
 NOTICE:  drop cascades to 2 other objects
-DETAIL:  drop cascades to user mapping for public on server s9
-drop cascades to user mapping for regress_unprivileged_role on server s9
+\set VERBOSITY default
 RESET ROLE;
 CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
 GRANT USAGE ON FOREIGN SERVER s9 TO regress_unprivileged_role;
@@ -1198,57 +1199,62 @@ ERROR:  must be owner of foreign server s9
 SET ROLE regress_test_role;
 CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
 CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
-GRANT USAGE ON FOREIGN SERVER s10 TO regress_unprivileged_role;
--- owner of server can see option fields
+CREATE USER MAPPING FOR regress_unprivileged_role SERVER s10 OPTIONS (user 'secret');
+-- owner of server can see some option fields
 \deu+
                  List of user mappings
  Server |         User name         |    FDW Options    
 --------+---------------------------+-------------------
  s10    | public                    | ("user" 'secret')
+ s10    | regress_unprivileged_role | 
  s4     | regress_foreign_data_user | 
  s5     | regress_test_role         | (modified '1')
  s6     | regress_test_role         | 
  s8     | public                    | 
  s8     | regress_foreign_data_user | 
  s9     | regress_unprivileged_role | 
  t1     | public                    | (modified '1')
-(8 rows)
+(9 rows)
 
 RESET ROLE;
--- superuser can see option fields
+-- superuser can see all option fields
 \deu+
                   List of user mappings
  Server |         User name         |     FDW Options     
 --------+---------------------------+---------------------
  s10    | public                    | ("user" 'secret')
+ s10    | regress_unprivileged_role | ("user" 'secret')
  s4     | regress_foreign_data_user | 
  s5     | regress_test_role         | (modified '1')
  s6     | regress_test_role         | 
  s8     | public                    | 
  s8     | regress_foreign_data_user | (password 'public')
  s9     | regress_unprivileged_role | 
  t1     | public                    | (modified '1')
-(8 rows)
+(9 rows)
 
--- unprivileged user cannot see option fields
+-- unprivileged user cannot see any option field
 SET ROLE regress_unprivileged_role;
 \deu+
               List of user mappings
  Server |         User name         | FDW Options 
 --------+---------------------------+-------------
  s10    | public                    | 
+ s10    | regress_unprivileged_role | 
  s4     | regress_foreign_data_user | 
  s5     | regress_test_role         | 
  s6     | regress_test_role         | 
  s8     | public                    | 
  s8     | regress_foreign_data_user | 
  s9     | regress_unprivileged_role | 
  t1     | public                    | 
-(8 rows)
+(9 rows)
 
 RESET ROLE;
+\set VERBOSITY terse
 DROP SERVER s10 CASCADE;
-NOTICE:  drop cascades to user mapping for public on server s10
+NOTICE:  drop cascades to 2 other objects
+\set VERBOSITY default
 -- Triggers
 CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$
   BEGIN
@@ -1583,15 +1589,12 @@ Inherits: pt1
 Child tables: ct3,
               ft3
 
+\set VERBOSITY terse
 DROP FOREIGN TABLE ft2; -- ERROR
 ERROR:  cannot drop foreign table ft2 because other objects depend on it
-DETAIL:  table ct3 depends on foreign table ft2
-foreign table ft3 depends on foreign table ft2
-HINT:  Use DROP ... CASCADE to drop the dependent objects too.
 DROP FOREIGN TABLE ft2 CASCADE;
 NOTICE:  drop cascades to 2 other objects
-DETAIL:  drop cascades to table ct3
-drop cascades to foreign table ft3
+\set VERBOSITY default
 CREATE FOREIGN TABLE ft2 (
 	c1 integer NOT NULL,
 	c2 text,
@@ -1815,16 +1818,12 @@ owner of user mapping for regress_test_role on server s6
 DROP SERVER t1 CASCADE;
 NOTICE:  drop cascades to user mapping for public on server t1
 DROP USER MAPPING FOR regress_test_role SERVER s6;
--- This test causes some order dependent cascade detail output,
--- so switch to terse mode for it.
 \set VERBOSITY terse
 DROP FOREIGN DATA WRAPPER foo CASCADE;
 NOTICE:  drop cascades to 5 other objects
-\set VERBOSITY default
 DROP SERVER s8 CASCADE;
 NOTICE:  drop cascades to 2 other objects
-DETAIL:  drop cascades to user mapping for regress_foreign_data_user on server s8
-drop cascades to user mapping for public on server s8
+\set VERBOSITY default
 DROP ROLE regress_test_indirect;
 DROP ROLE regress_test_role;
 DROP ROLE regress_unprivileged_role;                        -- ERROR

src/test/regress/expected/rules.out

@@ -2151,7 +2151,7 @@ pg_user_mappings| SELECT u.oid AS umid,
             ELSE a.rolname
         END AS usename,
         CASE
-            WHEN (((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text)) OR ( SELECT pg_authid.rolsuper
+            WHEN (((u.umuser <> (0)::oid) AND (a.rolname = "current_user"()) AND (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text))) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text)) OR ( SELECT pg_authid.rolsuper
                FROM pg_authid
               WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions
             ELSE NULL::text[]

src/test/regress/sql/foreign_data.sql

@@ -481,7 +481,10 @@ CREATE SERVER s10 FOREIGN DATA WRAPPER foo;                     -- ERROR
 ALTER SERVER s9 VERSION '1.1';
 GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
 CREATE USER MAPPING FOR current_user SERVER s9;
+-- We use terse mode to avoid ordering issues in cascade detail output.
+\set VERBOSITY terse
 DROP SERVER s9 CASCADE;
+\set VERBOSITY default
 RESET ROLE;
 CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
 GRANT USAGE ON FOREIGN SERVER s9 TO regress_unprivileged_role;
@@ -495,17 +498,19 @@ DROP SERVER s9 CASCADE;                                         -- ERROR
 SET ROLE regress_test_role;
 CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
 CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
-GRANT USAGE ON FOREIGN SERVER s10 TO regress_unprivileged_role;
--- owner of server can see option fields
+CREATE USER MAPPING FOR regress_unprivileged_role SERVER s10 OPTIONS (user 'secret');
+-- owner of server can see some option fields
 \deu+
 RESET ROLE;
--- superuser can see option fields
+-- superuser can see all option fields
 \deu+
--- unprivileged user cannot see option fields
+-- unprivileged user cannot see any option field
 SET ROLE regress_unprivileged_role;
 \deu+
 RESET ROLE;
+\set VERBOSITY terse
 DROP SERVER s10 CASCADE;
+\set VERBOSITY default
 
 -- Triggers
 CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$
@@ -629,8 +634,10 @@ SELECT relname, conname, contype, conislocal, coninhcount, connoinherit
 -- child does not inherit NO INHERIT constraints
 \d+ pt1
 \d+ ft2
+\set VERBOSITY terse
 DROP FOREIGN TABLE ft2; -- ERROR
 DROP FOREIGN TABLE ft2 CASCADE;
+\set VERBOSITY default
 CREATE FOREIGN TABLE ft2 (
 	c1 integer NOT NULL,
 	c2 text,
@@ -704,12 +711,10 @@ DROP SCHEMA foreign_schema CASCADE;
 DROP ROLE regress_test_role;                                -- ERROR
 DROP SERVER t1 CASCADE;
 DROP USER MAPPING FOR regress_test_role SERVER s6;
--- This test causes some order dependent cascade detail output,
--- so switch to terse mode for it.
 \set VERBOSITY terse
 DROP FOREIGN DATA WRAPPER foo CASCADE;
-\set VERBOSITY default
 DROP SERVER s8 CASCADE;
+\set VERBOSITY default
 DROP ROLE regress_test_indirect;
 DROP ROLE regress_test_role;
 DROP ROLE regress_unprivileged_role;                        -- ERROR