Add tests for row-level security with prewhere

tests/integration/test_row_policy/test.py

@@ -107,6 +107,7 @@ def test_cannot_trick_row_policy_with_keyword_with():
     assert node.query("WITH 0 AS a SELECT a, b FROM mydb.filtered_table1") == TSV([[0, 0], [0, 1]])
     assert node.query("WITH 0 AS a SELECT a FROM mydb.filtered_table1") == TSV([[0], [0]])
     assert node.query("WITH 0 AS a SELECT b FROM mydb.filtered_table1") == TSV([[0], [1]])
+    assert node.query("WITH 0 AS a SELECT * FROM mydb.filtered_table1 PREWHERE a IN(0, 1) WHERE b IN(0, 1)") == TSV([[0], [1]])
 
 
 def test_policy_from_users_xml_affects_only_user_assigned():
@@ -121,6 +122,38 @@ def test_policy_from_users_xml_affects_only_user_assigned():
     assert node.query("SELECT * FROM mydb.local", user="another") == TSV([[1, 0], [1, 1]])
 
 
+def test_with_prewhere():
+    copy_policy_xml('normal_filters.xml')
+    assert node.query("SELECT * FROM mydb.filtered_table2 WHERE a > 1") == TSV([[4, 5, 2, 1]])
+    assert node.query("SELECT a FROM mydb.filtered_table2 WHERE a > 1") == TSV([[4]])
+    assert node.query("SELECT a, b FROM mydb.filtered_table2 WHERE a > 1") == TSV([[4, 5]])
+    assert node.query("SELECT b, c FROM mydb.filtered_table2 WHERE a > 1") == TSV([[5, 2]])
+    assert node.query("SELECT d FROM mydb.filtered_table2 WHERE a > 1") == TSV([[1]])
+
+    assert node.query("SELECT * FROM mydb.filtered_table2 PREWHERE a > 1") == TSV([[4, 5, 2, 1]])
+    assert node.query("SELECT a FROM mydb.filtered_table2 PREWHERE a > 1") == TSV([[4]])
+    assert node.query("SELECT a, b FROM mydb.filtered_table2 PREWHERE a > 1") == TSV([[4, 5]])
+    assert node.query("SELECT b, c FROM mydb.filtered_table2 PREWHERE a > 1") == TSV([[5, 2]])
+    assert node.query("SELECT d FROM mydb.filtered_table2 PREWHERE a > 1") == TSV([[1]])
+
+    assert node.query("SELECT * FROM mydb.filtered_table2 PREWHERE a < 4 WHERE b < 10") == TSV([[1, 2, 3, 4]])
+    assert node.query("SELECT a FROM mydb.filtered_table2 PREWHERE a < 4 WHERE b < 10") == TSV([[1]])
+    assert node.query("SELECT b FROM mydb.filtered_table2 PREWHERE a < 4 WHERE b < 10") == TSV([[2]])
+    assert node.query("SELECT a, b FROM mydb.filtered_table2 PREWHERE a < 4 WHERE b < 10") == TSV([[1, 2]])
+    assert node.query("SELECT a, c FROM mydb.filtered_table2 PREWHERE a < 4 WHERE b < 10") == TSV([[1, 3]])
+    assert node.query("SELECT b, d FROM mydb.filtered_table2 PREWHERE a < 4 WHERE b < 10") == TSV([[2, 4]])
+    assert node.query("SELECT c, d FROM mydb.filtered_table2 PREWHERE a < 4 WHERE b < 10") == TSV([[3, 4]])
+
+
+def test_with_throwif_in_prewhere():
+    copy_policy_xml('no_filters.xml')
+    assert 'expected' in node.query_and_get_error("SELECT throwIf(a = 0, 'expected') FROM mydb.filtered_table2 PREWHERE b < 10")
+
+    copy_policy_xml('normal_filters.xml')
+    assert node.query("SELECT throwIf(a = 0, 'pwned') FROM mydb.filtered_table2 PREWHERE b < 10") == TSV([
+        [4, 5, 2, 1], [1, 2, 3, 4]])
+
+
 def test_change_of_users_xml_changes_row_policies():
     copy_policy_xml('normal_filters.xml')
     assert node.query("SELECT * FROM mydb.filtered_table1") == TSV([[1, 0], [1, 1]])

tests/performance/prewhere_with_row_level_filter.xml

@@ -0,0 +1,16 @@
+<test>
+    <create_query>DROP TABLE IF EXISTS test_prl;</create_query>
+    <create_query>CREATE TABLE test_prl (n UInt64) ENGINE MergeTree ORDER BY n;</create_query>
+    <create_query>CREATE ROW POLICY OR REPLACE test_prl_policy ON test_prl AS PERMISSIVE FOR SELECT USING n % 7 TO ALL;</create_query>
+
+    <fill_query>INSERT INTO test_prl SELECT number FROM numbers(50000000);</fill_query>
+
+    <query>SELECT * FROM test_prl;</query>
+    <query>SELECT * FROM test_prl WHERE n % 3 AND n % 5;</query>
+    <query>SELECT * FROM test_prl PREWHERE n % 3 AND n % 5;</query>
+    <query>SELECT * FROM test_prl PREWHERE n % 3 WHERE n % 5;</query>
+    <query>SELECT * FROM test_prl PREWHERE n % 5 WHERE n % 3;</query>
+
+    <drop_query>DROP ROW POLICY IF EXISTS test_prl_policy ON test_prl;</drop_query>
+    <drop_query>DROP TABLE IF EXISTS test_prl;</drop_query>
+</test>