postgresql/contrib/sepgsql/sql/ddl.sql

--
-- Regression Test for DDL of Object Permission Checks
--

-- clean-up in case a prior regression run failed
SET client_min_messages TO 'warning';
DROP DATABASE IF EXISTS sepgsql_test_regression;
DROP USER IF EXISTS regress_sepgsql_test_user;
RESET client_min_messages;

-- confirm required permissions using audit messages
-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
SET sepgsql.debug_audit = true;
SET client_min_messages = LOG;

--
-- CREATE Permission checks
--
CREATE DATABASE sepgsql_test_regression;

CREATE USER regress_sepgsql_test_user;

CREATE SCHEMA regtest_schema;

GRANT ALL ON SCHEMA regtest_schema TO regress_sepgsql_test_user;

SET search_path = regtest_schema, public;

CREATE TABLE regtest_table (x serial primary key, y text);

ALTER TABLE regtest_table ADD COLUMN z int;

CREATE TABLE regtest_table_2 (a int) WITH OIDS;

-- corresponding toast table should not have label and permission checks
ALTER TABLE regtest_table_2 ADD COLUMN b text;

-- VACUUM FULL internally create a new table and swap them later.
VACUUM FULL regtest_table;

CREATE VIEW regtest_view AS SELECT * FROM regtest_table WHERE x < 100;

CREATE SEQUENCE regtest_seq;

CREATE TYPE regtest_comptype AS (a int, b text);

CREATE FUNCTION regtest_func(text,int[]) RETURNS bool LANGUAGE plpgsql
	   AS 'BEGIN RAISE NOTICE ''regtest_func => %'', $1; RETURN true; END';

CREATE AGGREGATE regtest_agg (
           sfunc1 = int4pl, basetype = int4, stype1 = int4, initcond1 = '0'
);

-- CREATE objects owned by others
SET SESSION AUTHORIZATION regress_sepgsql_test_user;

SET search_path = regtest_schema, public;

CREATE TABLE regtest_table_3 (x int, y serial);

CREATE VIEW regtest_view_2 AS SELECT * FROM regtest_table_3 WHERE x < y;

CREATE FUNCTION regtest_func_2(int) RETURNS bool LANGUAGE plpgsql
           AS 'BEGIN RETURN $1 * $1 < 100; END';

RESET SESSION AUTHORIZATION;

--
-- ALTER and CREATE/DROP extra attribute permissions
--
CREATE TABLE regtest_table_4 (x int primary key, y int, z int);
CREATE INDEX regtest_index_tbl4_y ON regtest_table_4(y);
CREATE INDEX regtest_index_tbl4_z ON regtest_table_4(z);
ALTER TABLE regtest_table_4 ALTER COLUMN y TYPE float;
DROP INDEX regtest_index_tbl4_y;
ALTER TABLE regtest_table_4
      ADD CONSTRAINT regtest_tbl4_con EXCLUDE USING btree (z WITH =);
DROP TABLE regtest_table_4 CASCADE;

--
-- DROP Permission checks (with clean-up)
--

DROP FUNCTION regtest_func(text,int[]);
DROP AGGREGATE regtest_agg(int);

DROP SEQUENCE regtest_seq;
DROP VIEW regtest_view;

ALTER TABLE regtest_table DROP COLUMN y;
ALTER TABLE regtest_table_2 SET WITHOUT OIDS;

DROP TABLE regtest_table;

DROP OWNED BY regress_sepgsql_test_user;

DROP DATABASE sepgsql_test_regression;
DROP USER regress_sepgsql_test_user;
DROP SCHEMA IF EXISTS regtest_schema CASCADE;
sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`--`
sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00			`-- Regression Test for DDL of Object Permission Checks`
sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`--`

sepgsql: Support for new post-ALTER access hook. KaiGai Kohei 2013-03-27 13:10:14 +01:00			`-- clean-up in case a prior regression run failed`
			`SET client_min_messages TO 'warning';`
Establish conventions about global object names used in regression tests. To ensure that "make installcheck" can be used safely against an existing installation, we need to be careful about what global object names (database, role, and tablespace names) we use; otherwise we might accidentally clobber important objects. There's been a weak consensus that test databases should have names including "regression", and that test role names should start with "regress_", but we didn't have any particular rule about tablespace names; and neither of the other rules was followed with any consistency either. This commit moves us a long way towards having a hard-and-fast rule that regression test databases must have names including "regression", and that test role and tablespace names must start with "regress_". It's not completely there because I did not touch some test cases in rolenames.sql that test creation of special role names like "session_user". That will require some rethinking of exactly what we want to test, whereas the intent of this patch is just to hit all the cases in which the needed renamings are cosmetic. There is no enforcement mechanism in this patch either, but if we don't add one we can expect that the tests will soon be violating the convention again. Again, that's not such a cosmetic change and it will require discussion. (But I did use a quick-hack enforcement patch to find these cases.) Discussion: <16638.1468620817@sss.pgh.pa.us> 2016-07-18 00:42:31 +02:00			`DROP DATABASE IF EXISTS sepgsql_test_regression;`
			`DROP USER IF EXISTS regress_sepgsql_test_user;`
sepgsql: Support for new post-ALTER access hook. KaiGai Kohei 2013-03-27 13:10:14 +01:00			`RESET client_min_messages;`

sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`-- confirm required permissions using audit messages`
Fix sepgsql regression tests. The regression tests for sepgsql were broken by changes in the base distro as-shipped policies. Specifically, definition of unconfined_t in the system default policy was changed to bypass multi-category rules, which the regression test depended on. Fix that by defining a custom privileged domain (sepgsql_regtest_superuser_t) and using it instead of system's unconfined_t domain. The new sepgsql_regtest_superuser_t domain performs almost like the current unconfined_t, but restricted by multi-category policy as the traditional unconfined_t was. The custom policy module is a self defined domain, and so should not be affected by related future system policy changes. However, it still uses the unconfined_u:unconfined_r pair for selinux-user and role. Those definitions have not been changed for several years and seem less risky to rely on than the unconfined_t domain. Additionally, if we define custom user/role, they would need to be manually defined at the operating system level, adding more complexity to an already non-standard and complex regression test. Back-patch to 9.3. The regression tests will need more work before working correctly on 9.2. Starting with 9.2, sepgsql has had dependencies on libselinux versions that are only available on newer distros with the changed set of policies (e.g. RHEL 7.x). On 9.1 sepgsql works fine with the older distros with original policy set (e.g. RHEL 6.x), and on which the existing regression tests work fine. We might want eventually change 9.1 sepgsql regression tests to be more independent from the underlying OS policies, however more work will be needed to make that happen and it is not clear that it is worth the effort. Kohei KaiGai with review by Adam Brightwell and me, commentary by Stephen, Alvaro, Tom, Robert, and others. 2015-08-30 20:09:05 +02:00			`-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0`
sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`SET sepgsql.debug_audit = true;`
			`SET client_min_messages = LOG;`

sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00			`--`
			`-- CREATE Permission checks`
			`--`
Establish conventions about global object names used in regression tests. To ensure that "make installcheck" can be used safely against an existing installation, we need to be careful about what global object names (database, role, and tablespace names) we use; otherwise we might accidentally clobber important objects. There's been a weak consensus that test databases should have names including "regression", and that test role names should start with "regress_", but we didn't have any particular rule about tablespace names; and neither of the other rules was followed with any consistency either. This commit moves us a long way towards having a hard-and-fast rule that regression test databases must have names including "regression", and that test role and tablespace names must start with "regress_". It's not completely there because I did not touch some test cases in rolenames.sql that test creation of special role names like "session_user". That will require some rethinking of exactly what we want to test, whereas the intent of this patch is just to hit all the cases in which the needed renamings are cosmetic. There is no enforcement mechanism in this patch either, but if we don't add one we can expect that the tests will soon be violating the convention again. Again, that's not such a cosmetic change and it will require discussion. (But I did use a quick-hack enforcement patch to find these cases.) Discussion: <16638.1468620817@sss.pgh.pa.us> 2016-07-18 00:42:31 +02:00			`CREATE DATABASE sepgsql_test_regression;`
sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00
Establish conventions about global object names used in regression tests. To ensure that "make installcheck" can be used safely against an existing installation, we need to be careful about what global object names (database, role, and tablespace names) we use; otherwise we might accidentally clobber important objects. There's been a weak consensus that test databases should have names including "regression", and that test role names should start with "regress_", but we didn't have any particular rule about tablespace names; and neither of the other rules was followed with any consistency either. This commit moves us a long way towards having a hard-and-fast rule that regression test databases must have names including "regression", and that test role and tablespace names must start with "regress_". It's not completely there because I did not touch some test cases in rolenames.sql that test creation of special role names like "session_user". That will require some rethinking of exactly what we want to test, whereas the intent of this patch is just to hit all the cases in which the needed renamings are cosmetic. There is no enforcement mechanism in this patch either, but if we don't add one we can expect that the tests will soon be violating the convention again. Again, that's not such a cosmetic change and it will require discussion. (But I did use a quick-hack enforcement patch to find these cases.) Discussion: <16638.1468620817@sss.pgh.pa.us> 2016-07-18 00:42:31 +02:00			`CREATE USER regress_sepgsql_test_user;`
sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00
sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`CREATE SCHEMA regtest_schema;`

Establish conventions about global object names used in regression tests. To ensure that "make installcheck" can be used safely against an existing installation, we need to be careful about what global object names (database, role, and tablespace names) we use; otherwise we might accidentally clobber important objects. There's been a weak consensus that test databases should have names including "regression", and that test role names should start with "regress_", but we didn't have any particular rule about tablespace names; and neither of the other rules was followed with any consistency either. This commit moves us a long way towards having a hard-and-fast rule that regression test databases must have names including "regression", and that test role and tablespace names must start with "regress_". It's not completely there because I did not touch some test cases in rolenames.sql that test creation of special role names like "session_user". That will require some rethinking of exactly what we want to test, whereas the intent of this patch is just to hit all the cases in which the needed renamings are cosmetic. There is no enforcement mechanism in this patch either, but if we don't add one we can expect that the tests will soon be violating the convention again. Again, that's not such a cosmetic change and it will require discussion. (But I did use a quick-hack enforcement patch to find these cases.) Discussion: <16638.1468620817@sss.pgh.pa.us> 2016-07-18 00:42:31 +02:00			`GRANT ALL ON SCHEMA regtest_schema TO regress_sepgsql_test_user;`
sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00
sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`SET search_path = regtest_schema, public;`

			`CREATE TABLE regtest_table (x serial primary key, y text);`

			`ALTER TABLE regtest_table ADD COLUMN z int;`

			`CREATE TABLE regtest_table_2 (a int) WITH OIDS;`

			`-- corresponding toast table should not have label and permission checks`
			`ALTER TABLE regtest_table_2 ADD COLUMN b text;`

			`-- VACUUM FULL internally create a new table and swap them later.`
			`VACUUM FULL regtest_table;`

			`CREATE VIEW regtest_view AS SELECT * FROM regtest_table WHERE x < 100;`

			`CREATE SEQUENCE regtest_seq;`

			`CREATE TYPE regtest_comptype AS (a int, b text);`

			`CREATE FUNCTION regtest_func(text,int[]) RETURNS bool LANGUAGE plpgsql`
			`AS 'BEGIN RAISE NOTICE ''regtest_func => %'', $1; RETURN true; END';`

			`CREATE AGGREGATE regtest_agg (`
			`sfunc1 = int4pl, basetype = int4, stype1 = int4, initcond1 = '0'`
			`);`

sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00			`-- CREATE objects owned by others`
Establish conventions about global object names used in regression tests. To ensure that "make installcheck" can be used safely against an existing installation, we need to be careful about what global object names (database, role, and tablespace names) we use; otherwise we might accidentally clobber important objects. There's been a weak consensus that test databases should have names including "regression", and that test role names should start with "regress_", but we didn't have any particular rule about tablespace names; and neither of the other rules was followed with any consistency either. This commit moves us a long way towards having a hard-and-fast rule that regression test databases must have names including "regression", and that test role and tablespace names must start with "regress_". It's not completely there because I did not touch some test cases in rolenames.sql that test creation of special role names like "session_user". That will require some rethinking of exactly what we want to test, whereas the intent of this patch is just to hit all the cases in which the needed renamings are cosmetic. There is no enforcement mechanism in this patch either, but if we don't add one we can expect that the tests will soon be violating the convention again. Again, that's not such a cosmetic change and it will require discussion. (But I did use a quick-hack enforcement patch to find these cases.) Discussion: <16638.1468620817@sss.pgh.pa.us> 2016-07-18 00:42:31 +02:00			`SET SESSION AUTHORIZATION regress_sepgsql_test_user;`
sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00
			`SET search_path = regtest_schema, public;`

			`CREATE TABLE regtest_table_3 (x int, y serial);`

			`CREATE VIEW regtest_view_2 AS SELECT * FROM regtest_table_3 WHERE x < y;`

			`CREATE FUNCTION regtest_func_2(int) RETURNS bool LANGUAGE plpgsql`
			`AS 'BEGIN RETURN $1 * $1 < 100; END';`

			`RESET SESSION AUTHORIZATION;`

Add context info to OAT_POST_CREATE security hook ... and have sepgsql use it to determine whether to check permissions during certain operations. Indexes that are being created as a result of REINDEX, for instance, do not need to have their permissions checked; they were already checked when the index was created. Author: KaiGai Kohei, slightly revised by me 2012-10-23 23:07:26 +02:00			`--`
			`-- ALTER and CREATE/DROP extra attribute permissions`
			`--`
			`CREATE TABLE regtest_table_4 (x int primary key, y int, z int);`
			`CREATE INDEX regtest_index_tbl4_y ON regtest_table_4(y);`
			`CREATE INDEX regtest_index_tbl4_z ON regtest_table_4(z);`
			`ALTER TABLE regtest_table_4 ALTER COLUMN y TYPE float;`
			`DROP INDEX regtest_index_tbl4_y;`
			`ALTER TABLE regtest_table_4`
			`ADD CONSTRAINT regtest_tbl4_con EXCLUDE USING btree (z WITH =);`
			`DROP TABLE regtest_table_4 CASCADE;`

sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`--`
sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00			`-- DROP Permission checks (with clean-up)`
sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`--`

sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00			`DROP FUNCTION regtest_func(text,int[]);`
			`DROP AGGREGATE regtest_agg(int);`

			`DROP SEQUENCE regtest_seq;`
			`DROP VIEW regtest_view;`

			`ALTER TABLE regtest_table DROP COLUMN y;`
			`ALTER TABLE regtest_table_2 SET WITHOUT OIDS;`

			`DROP TABLE regtest_table;`

Establish conventions about global object names used in regression tests. To ensure that "make installcheck" can be used safely against an existing installation, we need to be careful about what global object names (database, role, and tablespace names) we use; otherwise we might accidentally clobber important objects. There's been a weak consensus that test databases should have names including "regression", and that test role names should start with "regress_", but we didn't have any particular rule about tablespace names; and neither of the other rules was followed with any consistency either. This commit moves us a long way towards having a hard-and-fast rule that regression test databases must have names including "regression", and that test role and tablespace names must start with "regress_". It's not completely there because I did not touch some test cases in rolenames.sql that test creation of special role names like "session_user". That will require some rethinking of exactly what we want to test, whereas the intent of this patch is just to hit all the cases in which the needed renamings are cosmetic. There is no enforcement mechanism in this patch either, but if we don't add one we can expect that the tests will soon be violating the convention again. Again, that's not such a cosmetic change and it will require discussion. (But I did use a quick-hack enforcement patch to find these cases.) Discussion: <16638.1468620817@sss.pgh.pa.us> 2016-07-18 00:42:31 +02:00			`DROP OWNED BY regress_sepgsql_test_user;`
sepgsql DROP support. KaiGai Kohei 2012-03-09 21:18:45 +01:00
Establish conventions about global object names used in regression tests. To ensure that "make installcheck" can be used safely against an existing installation, we need to be careful about what global object names (database, role, and tablespace names) we use; otherwise we might accidentally clobber important objects. There's been a weak consensus that test databases should have names including "regression", and that test role names should start with "regress_", but we didn't have any particular rule about tablespace names; and neither of the other rules was followed with any consistency either. This commit moves us a long way towards having a hard-and-fast rule that regression test databases must have names including "regression", and that test role and tablespace names must start with "regress_". It's not completely there because I did not touch some test cases in rolenames.sql that test creation of special role names like "session_user". That will require some rethinking of exactly what we want to test, whereas the intent of this patch is just to hit all the cases in which the needed renamings are cosmetic. There is no enforcement mechanism in this patch either, but if we don't add one we can expect that the tests will soon be violating the convention again. Again, that's not such a cosmetic change and it will require discussion. (But I did use a quick-hack enforcement patch to find these cases.) Discussion: <16638.1468620817@sss.pgh.pa.us> 2016-07-18 00:42:31 +02:00			`DROP DATABASE sepgsql_test_regression;`
			`DROP USER regress_sepgsql_test_user;`
sepgsql: Check CREATE permissions for some object types. KaiGai Kohei, reviewed by Dimitri Fontaine and me. 2011-12-21 15:12:43 +01:00			`DROP SCHEMA IF EXISTS regtest_schema CASCADE;`