Merge pull request #294 from Mytherin/enableexternalaccess

Disable attaching new Postgres databases when enable external access is disabled
duckdb · Feb 4, 2025 · 79fcce4 · 79fcce4
2 parents ecabb61 + 12aa961
commit 79fcce4
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 31 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -118,7 +118,8 @@ if(NOT EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/postgres)
 
   # Download the PostgreSQL source code
   message(STATUS "Downloading PostgreSQL source code")
-  file(DOWNLOAD
+  file(
+    DOWNLOAD
     "https://github.com/postgres/postgres/archive/refs/tags/REL_15_2.tar.gz"
     ${CMAKE_CURRENT_SOURCE_DIR}/pg.tar.gz
     SHOW_PROGRESS
@@ -132,13 +133,12 @@ if(NOT EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/postgres)
 
   # Extract the PostgreSQL source code
   message(STATUS "Extracting PostgreSQL source code")
-  file(ARCHIVE_EXTRACT INPUT ${CMAKE_CURRENT_SOURCE_DIR}/pg.tar.gz
-       DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/postgres_tmp)
+  file(ARCHIVE_EXTRACT INPUT ${CMAKE_CURRENT_SOURCE_DIR}/pg.tar.gz DESTINATION
+       ${CMAKE_CURRENT_SOURCE_DIR}/postgres_tmp)
 
   # Move out of root directory
   file(RENAME ${CMAKE_CURRENT_SOURCE_DIR}/postgres_tmp/postgres-REL_15_2
-            ${CMAKE_CURRENT_SOURCE_DIR}/postgres
-  )
+       ${CMAKE_CURRENT_SOURCE_DIR}/postgres)
 
   # Remove the tmp directory
   file(REMOVE_RECURSE ${CMAKE_CURRENT_SOURCE_DIR}/postgres_tmp)
@@ -157,46 +157,32 @@ if(NOT EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/postgres)
 
     # Check if configuration was successful
     if(NOT PG_MKVCBUILD_RESULT EQUAL 0)
-        file(REMOVE_RECURSE postgres)
-        message(FATAL_ERROR "Failed to configure PostgreSQL source code for windows")
+      file(REMOVE_RECURSE postgres)
+      message(
+        FATAL_ERROR "Failed to configure PostgreSQL source code for windows")
     endif()
   else()
     # On other platforms, use the configure script to configure the source code
     set(ENV{CC} gcc)
     set(ENV{CXX} g++)
     execute_process(
-      COMMAND ./configure
-        --without-llvm
-        --without-icu
-        --without-tcl
-        --without-perl
-        --without-python
-        --without-gssapi
-        --without-pam
-        --without-bsd-auth
-        --without-ldap
-        --without-bonjour
-        --without-selinux
-        --without-systemd
-        --without-readline
-        --without-libxml
-        --without-libxslt
-        --without-zlib
-        --without-lz4
-        --without-openssl
+      COMMAND
+        ./configure --without-llvm --without-icu --without-tcl --without-perl
+        --without-python --without-gssapi --without-pam --without-bsd-auth
+        --without-ldap --without-bonjour --without-selinux --without-systemd
+        --without-readline --without-libxml --without-libxslt --without-zlib
+        --without-lz4 --without-openssl
       RESULT_VARIABLE PG_CONFIGURE_RESULT
-      WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/postgres
-    )
+      WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/postgres)
     # Check if configuration was successful
     if(NOT PG_CONFIGURE_RESULT EQUAL 0)
       file(REMOVE_RECURSE postgres)
       message(FATAL_ERROR "Failed to configure PostgreSQL source code")
-    endif ()
+    endif()
   endif()
   message(STATUS "Finished setting up PostgreSQL source code!")
 endif()
 
-
 set(PARAMETERS "-no-warnings")
 build_loadable_extension(${TARGET_NAME} ${PARAMETERS} ${ALL_OBJECT_FILES}
                          ${LIBPG_SOURCES_FULLPATH})

diff --git a/src/include/storage/postgres_catalog.hpp b/src/include/storage/postgres_catalog.hpp
@@ -20,7 +20,8 @@ class PostgresSchemaEntry;
 
 class PostgresCatalog : public Catalog {
 public:
-	explicit PostgresCatalog(AttachedDatabase &db_p, string connection_string, string attach_path, AccessMode access_mode, string schema_to_load);
+	explicit PostgresCatalog(AttachedDatabase &db_p, string connection_string, string attach_path,
+	                         AccessMode access_mode, string schema_to_load);
 	~PostgresCatalog();
 
 	string connection_string;

diff --git a/src/postgres_storage.cpp b/src/postgres_storage.cpp
@@ -10,6 +10,10 @@ namespace duckdb {
 static unique_ptr<Catalog> PostgresAttach(StorageExtensionInfo *storage_info, ClientContext &context,
                                           AttachedDatabase &db, const string &name, AttachInfo &info,
                                           AccessMode access_mode) {
+	auto &config = DBConfig::GetConfig(context);
+	if (!config.options.enable_external_access) {
+		throw PermissionException("Attaching Postgres databases is disabled through configuration");
+	}
 	string attach_path = info.path;
 
 	string secret_name;

diff --git a/test/sql/storage/attach_external_access.test b/test/sql/storage/attach_external_access.test
@@ -0,0 +1,15 @@
+# name: test/sql/storage/attach_external_access.test
+# description: Test that we cannot attach new databases if external access is disabled
+# group: [storage]
+
+require postgres_scanner
+
+require-env POSTGRES_TEST_DATABASE_AVAILABLE
+
+statement ok
+SET enable_external_access=false
+
+statement error
+ATTACH 'dbname=postgresscanner' AS simple (TYPE POSTGRES)
+----
+disabled through configuration