rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adjustments to regression tests for security_barrier views. 

Drop the role we create, so regression tests pass even when run more
than once against the same cluster, a problem noted by Tom Lane and
Jeff Janes.  Also, rename the temporary role so that it starts with
"regress_", to make it unlikely that we'll collide with an existing
role name while running "make installcheck", per further gripe from
Tom Lane.
This commit is contained in:
Robert Haas 2012-01-24 08:38:20 -05:00
parent c172b7b02e
commit 49562f5eb6
3 changed files with 96 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
src/test/regress/expected/select_views.out
View File

@ -1250,7 +1250,7 @@ SELECT * FROM toyemp WHERE name = 'sharon';
--
-- Test for Leaky view scenario
--
CREATE USER alice;
CREATE ROLE regress_alice;
CREATE FUNCTION f_leak (text)
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
AS 'BEGIN RAISE NOTICE ''f_leak => %'', $1; RETURN true; END';
@ -1272,9 +1272,9 @@ CREATE TABLE credit_usage (
usage int
);
INSERT INTO customer
VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'),
(102, 'bob', '+01-234-567-8901', 'beafsteak'),
(103, 'eve', '+49-8765-43210', 'hamburger');
VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'),
(102, 'regress_bob', '+01-234-567-8901', 'beafsteak'),
(103, 'regress_eve', '+49-8765-43210', 'hamburger');
INSERT INTO credit_card
VALUES (101, '1111-2222-3333-4444', 4000),
(102, '5555-6666-7777-8888', 3000),
@ -1312,7 +1312,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public;
--
-- Run leaky view scenarios
--
SET SESSION AUTHORIZATION alice;
SET SESSION AUTHORIZATION regress_alice;
--
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
-- prior to the security policy of the view.
@ -1321,9 +1321,9 @@ SELECT * FROM my_property_normal WHERE f_leak(passwd);
NOTICE: f_leak => passwd123
NOTICE: f_leak => beafsteak
NOTICE: f_leak => hamburger
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
@ -1335,9 +1335,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
SELECT * FROM my_property_secure WHERE f_leak(passwd);
NOTICE: f_leak => passwd123
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
EXPLAIN (COSTS OFF) SELECT * FROM my_property_secure WHERE f_leak(passwd);
@ -1358,9 +1358,9 @@ SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
NOTICE: f_leak => 1111-2222-3333-4444
NOTICE: f_leak => 5555-6666-7777-8888
NOTICE: f_leak => 9801-2345-6789-0123
cid | name | tel | passwd | cnum | climit
-----+-------+------------------+-----------+---------------------+--------
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
cid | name | tel | passwd | cnum | climit
-----+---------------+------------------+-----------+---------------------+--------
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
(1 row)
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
@ -1377,9 +1377,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
NOTICE: f_leak => 1111-2222-3333-4444
cid | name | tel | passwd | cnum | climit
-----+-------+------------------+-----------+---------------------+--------
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
cid | name | tel | passwd | cnum | climit
-----+---------------+------------------+-----------+---------------------+--------
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
(1 row)
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
@ -1402,11 +1402,11 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
SELECT * FROM my_credit_card_usage_normal
WHERE f_leak(cnum) AND ymd >= '2011-10-01' AND ymd < '2011-11-01';
NOTICE: f_leak => 1111-2222-3333-4444
cid | name | tel | passwd | cnum | climit | ymd | usage
-----+-------+------------------+-----------+---------------------+--------+------------+-------
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
cid | name | tel | passwd | cnum | climit | ymd | usage
-----+---------------+------------------+-----------+---------------------+--------+------------+-------
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
(3 rows)
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_normal
@ -1435,11 +1435,11 @@ NOTICE: f_leak => 1111-2222-3333-4444
NOTICE: f_leak => 1111-2222-3333-4444
NOTICE: f_leak => 1111-2222-3333-4444
NOTICE: f_leak => 1111-2222-3333-4444
cid | name | tel | passwd | cnum | climit | ymd | usage
-----+-------+------------------+-----------+---------------------+--------+------------+-------
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
cid | name | tel | passwd | cnum | climit | ymd | usage
-----+---------------+------------------+-----------+---------------------+--------+------------+-------
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
(3 rows)
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_secure
@ -1470,35 +1470,38 @@ EXECUTE p1;
NOTICE: f_leak => passwd123
NOTICE: f_leak => beafsteak
NOTICE: f_leak => hamburger
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
EXECUTE p2;
NOTICE: f_leak => passwd123
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
RESET SESSION AUTHORIZATION;
ALTER VIEW my_property_normal SET (security_barrier=true);
ALTER VIEW my_property_secure SET (security_barrier=false);
SET SESSION AUTHORIZATION alice;
SET SESSION AUTHORIZATION regress_alice;
EXECUTE p1; -- To be perform as a view with security-barrier
NOTICE: f_leak => passwd123
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
EXECUTE p2; -- To be perform as a view without security-barrier
NOTICE: f_leak => passwd123
NOTICE: f_leak => beafsteak
NOTICE: f_leak => hamburger
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
-- Cleanup.
RESET SESSION AUTHORIZATION;
DROP ROLE regress_alice;

83
src/test/regress/expected/select_views_1.out
View File

@ -1250,7 +1250,7 @@ SELECT * FROM toyemp WHERE name = 'sharon';
--
-- Test for Leaky view scenario
--
CREATE USER alice;
CREATE ROLE regress_alice;
CREATE FUNCTION f_leak (text)
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
AS 'BEGIN RAISE NOTICE ''f_leak => %'', $1; RETURN true; END';
@ -1272,9 +1272,9 @@ CREATE TABLE credit_usage (
usage int
);
INSERT INTO customer
VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'),
(102, 'bob', '+01-234-567-8901', 'beafsteak'),
(103, 'eve', '+49-8765-43210', 'hamburger');
VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'),
(102, 'regress_bob', '+01-234-567-8901', 'beafsteak'),
(103, 'regress_eve', '+49-8765-43210', 'hamburger');
INSERT INTO credit_card
VALUES (101, '1111-2222-3333-4444', 4000),
(102, '5555-6666-7777-8888', 3000),
@ -1312,7 +1312,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public;
--
-- Run leaky view scenarios
--
SET SESSION AUTHORIZATION alice;
SET SESSION AUTHORIZATION regress_alice;
--
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
-- prior to the security policy of the view.
@ -1321,9 +1321,9 @@ SELECT * FROM my_property_normal WHERE f_leak(passwd);
NOTICE: f_leak => passwd123
NOTICE: f_leak => beafsteak
NOTICE: f_leak => hamburger
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
@ -1335,9 +1335,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
SELECT * FROM my_property_secure WHERE f_leak(passwd);
NOTICE: f_leak => passwd123
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
EXPLAIN (COSTS OFF) SELECT * FROM my_property_secure WHERE f_leak(passwd);
@ -1358,9 +1358,9 @@ SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
NOTICE: f_leak => 1111-2222-3333-4444
NOTICE: f_leak => 5555-6666-7777-8888
NOTICE: f_leak => 9801-2345-6789-0123
cid | name | tel | passwd | cnum | climit
-----+-------+------------------+-----------+---------------------+--------
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
cid | name | tel | passwd | cnum | climit
-----+---------------+------------------+-----------+---------------------+--------
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
(1 row)
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
@ -1377,9 +1377,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
NOTICE: f_leak => 1111-2222-3333-4444
cid | name | tel | passwd | cnum | climit
-----+-------+------------------+-----------+---------------------+--------
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
cid | name | tel | passwd | cnum | climit
-----+---------------+------------------+-----------+---------------------+--------
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
(1 row)
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
@ -1402,11 +1402,11 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
SELECT * FROM my_credit_card_usage_normal
WHERE f_leak(cnum) AND ymd >= '2011-10-01' AND ymd < '2011-11-01';
NOTICE: f_leak => 1111-2222-3333-4444
cid | name | tel | passwd | cnum | climit | ymd | usage
-----+-------+------------------+-----------+---------------------+--------+------------+-------
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
cid | name | tel | passwd | cnum | climit | ymd | usage
-----+---------------+------------------+-----------+---------------------+--------+------------+-------
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
(3 rows)
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_normal
@ -1435,11 +1435,11 @@ NOTICE: f_leak => 1111-2222-3333-4444
NOTICE: f_leak => 1111-2222-3333-4444
NOTICE: f_leak => 1111-2222-3333-4444
NOTICE: f_leak => 1111-2222-3333-4444
cid | name | tel | passwd | cnum | climit | ymd | usage
-----+-------+------------------+-----------+---------------------+--------+------------+-------
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
cid | name | tel | passwd | cnum | climit | ymd | usage
-----+---------------+------------------+-----------+---------------------+--------+------------+-------
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
(3 rows)
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_secure
@ -1470,35 +1470,38 @@ EXECUTE p1;
NOTICE: f_leak => passwd123
NOTICE: f_leak => beafsteak
NOTICE: f_leak => hamburger
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
EXECUTE p2;
NOTICE: f_leak => passwd123
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
RESET SESSION AUTHORIZATION;
ALTER VIEW my_property_normal SET (security_barrier=true);
ALTER VIEW my_property_secure SET (security_barrier=false);
SET SESSION AUTHORIZATION alice;
SET SESSION AUTHORIZATION regress_alice;
EXECUTE p1; -- To be perform as a view with security-barrier
NOTICE: f_leak => passwd123
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
EXECUTE p2; -- To be perform as a view without security-barrier
NOTICE: f_leak => passwd123
NOTICE: f_leak => beafsteak
NOTICE: f_leak => hamburger
cid | name | tel | passwd
-----+-------+------------------+-----------
101 | alice | +81-12-3456-7890 | passwd123
cid | name | tel | passwd
-----+---------------+------------------+-----------
101 | regress_alice | +81-12-3456-7890 | passwd123
(1 row)
-- Cleanup.
RESET SESSION AUTHORIZATION;
DROP ROLE regress_alice;

16
src/test/regress/sql/select_views.sql
View File

@ -12,7 +12,7 @@ SELECT * FROM toyemp WHERE name = 'sharon';
--
-- Test for Leaky view scenario
--
CREATE USER alice;
CREATE ROLE regress_alice;
CREATE FUNCTION f_leak (text)
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
@ -38,9 +38,9 @@ CREATE TABLE credit_usage (
);
INSERT INTO customer
VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'),
(102, 'bob', '+01-234-567-8901', 'beafsteak'),
(103, 'eve', '+49-8765-43210', 'hamburger');
VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'),
(102, 'regress_bob', '+01-234-567-8901', 'beafsteak'),
(103, 'regress_eve', '+49-8765-43210', 'hamburger');
INSERT INTO credit_card
VALUES (101, '1111-2222-3333-4444', 4000),
(102, '5555-6666-7777-8888', 3000),
@ -83,7 +83,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public;
--
-- Run leaky view scenarios
--
SET SESSION AUTHORIZATION alice;
SET SESSION AUTHORIZATION regress_alice;
--
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
@ -131,6 +131,10 @@ EXECUTE p2;
RESET SESSION AUTHORIZATION;
ALTER VIEW my_property_normal SET (security_barrier=true);
ALTER VIEW my_property_secure SET (security_barrier=false);
SET SESSION AUTHORIZATION alice;
SET SESSION AUTHORIZATION regress_alice;
EXECUTE p1; -- To be perform as a view with security-barrier
EXECUTE p2; -- To be perform as a view without security-barrier
-- Cleanup.
RESET SESSION AUTHORIZATION;
DROP ROLE regress_alice;