Fix filter pushdowns in the presence of rls (#2653)

joshua-spacetime · web-flow · commit f69113f53608 · 2025-04-21T19:33:22.000Z
diff --git a/crates/core/src/sql/execute.rs b/crates/core/src/sql/execute.rs
@@ -550,6 +550,112 @@ pub(crate) mod tests {
             &auth_for_b,
             [product![id_for_b]],
         );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "a"
+            "select * from users where identity = :sender",
+            &auth_for_a,
+            [product![id_for_a]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "b"
+            "select * from users where identity = :sender",
+            &auth_for_b,
+            [product![id_for_b]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "a"
+            &format!("select * from users where identity = 0x{}", id_for_a.to_hex()),
+            &auth_for_a,
+            [product![id_for_a]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "b"
+            &format!("select * from users where identity = 0x{}", id_for_b.to_hex()),
+            &auth_for_b,
+            [product![id_for_b]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "a"
+            &format!(
+                "select * from users where identity = :sender and identity = 0x{}",
+                id_for_a.to_hex()
+            ),
+            &auth_for_a,
+            [product![id_for_a]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "b"
+            &format!(
+                "select * from users where identity = :sender and identity = 0x{}",
+                id_for_b.to_hex()
+            ),
+            &auth_for_b,
+            [product![id_for_b]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "a"
+            &format!(
+                "select * from users where identity = :sender or identity = 0x{}",
+                id_for_b.to_hex()
+            ),
+            &auth_for_a,
+            [product![id_for_a]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "b"
+            &format!(
+                "select * from users where identity = :sender or identity = 0x{}",
+                id_for_a.to_hex()
+            ),
+            &auth_for_b,
+            [product![id_for_b]],
+        );
+        assert_query_results(
+            &db,
+            // Should not return any rows.
+            // Querying as sender "a", but filtering on sender "b".
+            &format!("select * from users where identity = 0x{}", id_for_b.to_hex()),
+            &auth_for_a,
+            [],
+        );
+        assert_query_results(
+            &db,
+            // Should not return any rows.
+            // Querying as sender "b", but filtering on sender "a".
+            &format!("select * from users where identity = 0x{}", id_for_a.to_hex()),
+            &auth_for_b,
+            [],
+        );
+        assert_query_results(
+            &db,
+            // Should not return any rows.
+            // Querying as sender "a", but filtering on sender "b".
+            &format!(
+                "select * from users where identity = :sender and identity = 0x{}",
+                id_for_b.to_hex()
+            ),
+            &auth_for_a,
+            [],
+        );
+        assert_query_results(
+            &db,
+            // Should not return any rows.
+            // Querying as sender "b", but filtering on sender "a".
+            &format!(
+                "select * from users where identity = :sender and identity = 0x{}",
+                id_for_a.to_hex()
+            ),
+            &auth_for_b,
+            [],
+        );
         assert_query_results(
             &db,
             // Should only return the orders for sender "a"
@@ -564,6 +670,34 @@ pub(crate) mod tests {
             &auth_for_b,
             [product![2u64, id_for_b], product![4u64, id_for_b]],
         );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "a"
+            "select s.* from users u join sales s on u.identity = s.customer",
+            &auth_for_a,
+            [product![1u64, id_for_a], product![3u64, id_for_a]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "b"
+            "select s.* from users u join sales s on u.identity = s.customer",
+            &auth_for_b,
+            [product![2u64, id_for_b], product![4u64, id_for_b]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "a"
+            "select s.* from users u join sales s on u.identity = s.customer where u.identity = :sender",
+            &auth_for_a,
+            [product![1u64, id_for_a], product![3u64, id_for_a]],
+        );
+        assert_query_results(
+            &db,
+            // Should only return the orders for sender "b"
+            "select s.* from users u join sales s on u.identity = s.customer where u.identity = :sender",
+            &auth_for_b,
+            [product![2u64, id_for_b], product![4u64, id_for_b]],
+        );
 
         Ok(())
     }
diff --git a/crates/physical-plan/src/rules.rs b/crates/physical-plan/src/rules.rs
@@ -267,9 +267,14 @@ impl RewriteRule for PushConstEq {
     type Info = Label;
 
     fn matches(plan: &PhysicalPlan) -> Option<Self::Info> {
+        // Is this plan a table scan followed by a sequence of filters?
+        // If so, it's already in a normalized state, so no need to push.
+        let is_filter = |plan: &PhysicalPlan| {
+            !plan.any(&|plan| !matches!(plan, PhysicalPlan::TableScan(..) | PhysicalPlan::Filter(..)))
+        };
         if let PhysicalPlan::Filter(input, PhysicalExpr::BinOp(_, expr, value)) = plan {
             if let (PhysicalExpr::Field(TupleField { label, .. }), PhysicalExpr::Value(_)) = (&**expr, &**value) {
-                return (input.has_table_scan(Some(label)) && !input.is_table_scan(None)).then_some(*label);
+                return (input.has_table_scan(Some(label)) && !is_filter(input)).then_some(*label);
             }
         }
         None
@@ -328,12 +333,17 @@ impl RewriteRule for PushConstAnd {
     type Info = Label;
 
     fn matches(plan: &PhysicalPlan) -> Option<Self::Info> {
+        // Is this plan a table scan followed by a sequence of filters?
+        // If so, it's already in a normalized state, so no need to push.
+        let is_filter = |plan: &PhysicalPlan| {
+            !plan.any(&|plan| !matches!(plan, PhysicalPlan::TableScan(..) | PhysicalPlan::Filter(..)))
+        };
         if let PhysicalPlan::Filter(input, PhysicalExpr::LogOp(LogOp::And, exprs)) = plan {
             return exprs.iter().find_map(|expr| {
                 if let PhysicalExpr::BinOp(_, expr, value) = expr {
                     if let (PhysicalExpr::Field(TupleField { label, .. }), PhysicalExpr::Value(_)) = (&**expr, &**value)
                     {
-                        return (input.has_table_scan(Some(label)) && !input.is_table_scan(None)).then_some(*label);
+                        return (input.has_table_scan(Some(label)) && !is_filter(input)).then_some(*label);
                     }
                 }
                 None
