Only allow roles on which the session user as admin_option to alter

the target role.
aiven · Jan 18, 2024 · 3da9d2b · 3da9d2b
1 parent 797926e
commit 3da9d2b
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/sql/aiven_extras.sql b/sql/aiven_extras.sql
@@ -507,6 +507,8 @@ RETURNS VOID LANGUAGE plpgsql
 SECURITY DEFINER
 SET search_path = pg_catalog, aiven_extras
 AS $$
+DECLARE
+   is_allowed bool := true;
 BEGIN
     IF COALESCE(
         (SELECT rolsuper
@@ -517,7 +519,22 @@ BEGIN
         FALSE
     ) THEN
         RAISE EXCEPTION 'Configuring superuser roles not allowed: %', arg_role;
-    ELSIF arg_parameter NOT IN (
+    END IF;
+    WITH RECURSIVE tree AS (
+    -- Start with the possibly admin_role
+    SELECT member AS base_role, roleid, admin_option, member FROM pg_auth_members
+    UNION ALL
+    -- Recurse down, keeping admin_option from up if it exists
+    SELECT base_role, pg_auth_members.roleid, tree.admin_option OR pg_auth_members.admin_option AS admin_option, pg_auth_members.member FROM pg_auth_members JOIN tree ON pg_auth_members.member = tree.roleid
+    )
+    SELECT EXISTS (
+    SELECT 1 FROM tree WHERE base_role = session_user::regrole::oid AND admin_option AND roleid = arg_role::regrole
+   ) INTO is_allowed;
+    IF NOT is_allowed THEN
+        RAISE EXCEPTION 'Configuring roles on which we don''t have ADMIN membership is not allowed';
+    END IF;
+
+    IF arg_parameter NOT IN (
         'log',
         'log_catalog',
         'log_max_string_length',