Move security_label test
Rather than have the core security_label regression test depend on the dummy_seclabel module, have that part of the test be executed by dummy_seclabel itself directly. This simplifies the testing rig a bit; in particular it should silence the problems from the MSVC buildfarm phylum, which haven't yet gotten taught how to install src/test/modules.
This commit is contained in:
Alvaro Herrera
parent
e09996ff8d
commit
df761e3cf7
|
|
@ -3,6 +3,8 @@
|
|||
MODULES = dummy_seclabel
|
||||
PGFILEDESC = "dummy_seclabel - regression testing of the SECURITY LABEL statement"
|
||||
|
||||
REGRESS = dummy_seclabel
|
||||
|
||||
ifdef USE_PGXS
|
||||
PG_CONFIG = pg_config
|
||||
PGXS := $(shell $(PG_CONFIG) --pgxs)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,79 @@
|
|||
--
|
||||
-- Test for facilities of security label
|
||||
--
|
||||
LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
|
||||
|
||||
-- initial setups
|
||||
SET client_min_messages TO 'warning';
|
||||
|
||||
DROP ROLE IF EXISTS dummy_seclabel_user1;
|
||||
DROP ROLE IF EXISTS dummy_seclabel_user2;
|
||||
|
||||
DROP TABLE IF EXISTS dummy_seclabel_tbl1;
|
||||
DROP TABLE IF EXISTS dummy_seclabel_tbl2;
|
||||
DROP TABLE IF EXISTS dummy_seclabel_tbl3;
|
||||
|
||||
CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
|
||||
CREATE USER dummy_seclabel_user2;
|
||||
|
||||
CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
|
||||
CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
|
||||
CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
|
||||
CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
|
||||
CREATE DOMAIN dummy_seclabel_domain AS text;
|
||||
|
||||
ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
|
||||
ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
|
||||
|
||||
RESET client_min_messages;
|
||||
|
||||
--
|
||||
-- Test of SECURITY LABEL statement with a plugin
|
||||
--
|
||||
SET SESSION AUTHORIZATION dummy_seclabel_user1;
|
||||
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
|
||||
SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
|
||||
SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
|
||||
|
||||
SET SESSION AUTHORIZATION dummy_seclabel_user2;
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
|
||||
|
||||
--
|
||||
-- Test for shared database object
|
||||
--
|
||||
SET SESSION AUTHORIZATION dummy_seclabel_user1;
|
||||
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
|
||||
SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
|
||||
|
||||
SET SESSION AUTHORIZATION dummy_seclabel_user2;
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
|
||||
|
||||
RESET SESSION AUTHORIZATION;
|
||||
|
||||
--
|
||||
-- Test for various types of object
|
||||
--
|
||||
RESET SESSION AUTHORIZATION;
|
||||
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
|
||||
SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
|
||||
SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
|
||||
CREATE SCHEMA dummy_seclabel_test;
|
||||
SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
|
||||
|
||||
SELECT objtype, objname, provider, label FROM pg_seclabels
|
||||
ORDER BY objtype, objname;
|
||||
|
|
@ -0,0 +1,87 @@
|
|||
--
|
||||
-- Test for facilities of security label
|
||||
--
|
||||
LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
|
||||
-- initial setups
|
||||
SET client_min_messages TO 'warning';
|
||||
DROP ROLE IF EXISTS dummy_seclabel_user1;
|
||||
DROP ROLE IF EXISTS dummy_seclabel_user2;
|
||||
DROP TABLE IF EXISTS dummy_seclabel_tbl1;
|
||||
DROP TABLE IF EXISTS dummy_seclabel_tbl2;
|
||||
DROP TABLE IF EXISTS dummy_seclabel_tbl3;
|
||||
CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
|
||||
CREATE USER dummy_seclabel_user2;
|
||||
CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
|
||||
CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
|
||||
CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
|
||||
CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
|
||||
CREATE DOMAIN dummy_seclabel_domain AS text;
|
||||
ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
|
||||
ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
|
||||
RESET client_min_messages;
|
||||
--
|
||||
-- Test of SECURITY LABEL statement with a plugin
|
||||
--
|
||||
SET SESSION AUTHORIZATION dummy_seclabel_user1;
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
|
||||
SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
ERROR: column name must be qualified
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
|
||||
ERROR: '...invalid label...' is not a valid security label
|
||||
SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
|
||||
ERROR: security label provider "unknown_seclabel" is not loaded
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
|
||||
ERROR: must be owner of relation dummy_seclabel_tbl2
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
|
||||
ERROR: only superuser can set 'secret' label
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
|
||||
ERROR: relation "dummy_seclabel_tbl3" does not exist
|
||||
SET SESSION AUTHORIZATION dummy_seclabel_user2;
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
ERROR: must be owner of relation dummy_seclabel_tbl1
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
|
||||
--
|
||||
-- Test for shared database object
|
||||
--
|
||||
SET SESSION AUTHORIZATION dummy_seclabel_user1;
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
|
||||
ERROR: '...invalid label...' is not a valid security label
|
||||
SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
|
||||
ERROR: security label provider "unknown_seclabel" is not loaded
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
|
||||
ERROR: only superuser can set 'secret' label
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
|
||||
ERROR: role "dummy_seclabel_user3" does not exist
|
||||
SET SESSION AUTHORIZATION dummy_seclabel_user2;
|
||||
SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
|
||||
ERROR: must have CREATEROLE privilege
|
||||
RESET SESSION AUTHORIZATION;
|
||||
--
|
||||
-- Test for various types of object
|
||||
--
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
|
||||
SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
|
||||
SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
|
||||
CREATE SCHEMA dummy_seclabel_test;
|
||||
SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
|
||||
SELECT objtype, objname, provider, label FROM pg_seclabels
|
||||
ORDER BY objtype, objname;
|
||||
objtype | objname | provider | label
|
||||
----------+-----------------------+----------+--------------
|
||||
column | dummy_seclabel_tbl1.a | dummy | unclassified
|
||||
domain | dummy_seclabel_domain | dummy | classified
|
||||
function | dummy_seclabel_four() | dummy | classified
|
||||
role | dummy_seclabel_user1 | dummy | classified
|
||||
role | dummy_seclabel_user2 | dummy | unclassified
|
||||
schema | dummy_seclabel_test | dummy | unclassified
|
||||
table | dummy_seclabel_tbl1 | dummy | top secret
|
||||
table | dummy_seclabel_tbl2 | dummy | classified
|
||||
view | dummy_seclabel_view1 | dummy | classified
|
||||
(9 rows)
|
||||
|
||||
|
|
@ -101,9 +101,9 @@ installdirs-tests: installdirs
|
|||
$(MKDIR_P) $(patsubst $(srcdir)/%/,'$(DESTDIR)$(pkglibdir)/regress/%',$(sort $(dir $(regress_data_files))))
|
||||
|
||||
|
||||
# Get some extra C modules from contrib/spi and src/test/modules/dummy_seclabel...
|
||||
# Get some extra C modules from contrib/spi
|
||||
|
||||
all: refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX)
|
||||
all: refint$(DLSUFFIX) autoinc$(DLSUFFIX)
|
||||
|
||||
refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX)
|
||||
cp $< $@
|
||||
|
|
@ -111,22 +111,14 @@ refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX)
|
|||
autoinc$(DLSUFFIX): $(top_builddir)/contrib/spi/autoinc$(DLSUFFIX)
|
||||
cp $< $@
|
||||
|
||||
dummy_seclabel$(DLSUFFIX): $(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX)
|
||||
cp $< $@
|
||||
|
||||
$(top_builddir)/contrib/spi/refint$(DLSUFFIX): | submake-contrib-spi ;
|
||||
|
||||
$(top_builddir)/contrib/spi/autoinc$(DLSUFFIX): | submake-contrib-spi ;
|
||||
|
||||
$(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX): | submake-dummy_seclabel ;
|
||||
|
||||
submake-contrib-spi:
|
||||
$(MAKE) -C $(top_builddir)/contrib/spi
|
||||
|
||||
submake-dummy_seclabel:
|
||||
$(MAKE) -C $(top_builddir)/src/test/modules/dummy_seclabel
|
||||
|
||||
.PHONY: submake-contrib-spi submake-dummy_seclabel
|
||||
.PHONY: submake-contrib-spi
|
||||
|
||||
# Tablespace setup
|
||||
|
||||
|
|
@ -179,7 +171,7 @@ bigcheck: all tablespace-setup
|
|||
|
||||
clean distclean maintainer-clean: clean-lib
|
||||
# things built by `all' target
|
||||
rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX)
|
||||
rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX)
|
||||
rm -f pg_regress_main.o pg_regress.o pg_regress$(X)
|
||||
# things created by various check targets
|
||||
rm -f $(output_files) $(input_files)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,47 @@
|
|||
--
|
||||
-- Test for facilities of security label
|
||||
--
|
||||
-- initial setups
|
||||
SET client_min_messages TO 'warning';
|
||||
DROP ROLE IF EXISTS seclabel_user1;
|
||||
DROP ROLE IF EXISTS seclabel_user2;
|
||||
DROP TABLE IF EXISTS seclabel_tbl1;
|
||||
DROP TABLE IF EXISTS seclabel_tbl2;
|
||||
DROP TABLE IF EXISTS seclabel_tbl3;
|
||||
CREATE USER seclabel_user1 WITH CREATEROLE;
|
||||
CREATE USER seclabel_user2;
|
||||
CREATE TABLE seclabel_tbl1 (a int, b text);
|
||||
CREATE TABLE seclabel_tbl2 (x int, y text);
|
||||
CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
|
||||
CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
|
||||
CREATE DOMAIN seclabel_domain AS text;
|
||||
ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
|
||||
ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
|
||||
RESET client_min_messages;
|
||||
--
|
||||
-- Test of SECURITY LABEL statement without a plugin
|
||||
--
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
ERROR: security label provider "dummy" is not loaded
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
|
||||
ERROR: security label provider "dummy" is not loaded
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
-- clean up objects
|
||||
DROP FUNCTION seclabel_four();
|
||||
DROP DOMAIN seclabel_domain;
|
||||
DROP VIEW seclabel_view1;
|
||||
DROP TABLE seclabel_tbl1;
|
||||
DROP TABLE seclabel_tbl2;
|
||||
DROP USER seclabel_user1;
|
||||
DROP USER seclabel_user2;
|
||||
|
|
@ -1,108 +0,0 @@
|
|||
--
|
||||
-- Test for facilities of security label
|
||||
--
|
||||
|
||||
-- initial setups
|
||||
SET client_min_messages TO 'warning';
|
||||
|
||||
DROP ROLE IF EXISTS seclabel_user1;
|
||||
DROP ROLE IF EXISTS seclabel_user2;
|
||||
|
||||
DROP TABLE IF EXISTS seclabel_tbl1;
|
||||
DROP TABLE IF EXISTS seclabel_tbl2;
|
||||
DROP TABLE IF EXISTS seclabel_tbl3;
|
||||
|
||||
CREATE USER seclabel_user1 WITH CREATEROLE;
|
||||
CREATE USER seclabel_user2;
|
||||
|
||||
CREATE TABLE seclabel_tbl1 (a int, b text);
|
||||
CREATE TABLE seclabel_tbl2 (x int, y text);
|
||||
CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
|
||||
CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
|
||||
CREATE DOMAIN seclabel_domain AS text;
|
||||
|
||||
ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
|
||||
ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
|
||||
|
||||
RESET client_min_messages;
|
||||
|
||||
--
|
||||
-- Test of SECURITY LABEL statement without a plugin
|
||||
--
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
|
||||
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
|
||||
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
|
||||
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
|
||||
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
|
||||
|
||||
-- Load dummy external security provider
|
||||
LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
|
||||
|
||||
--
|
||||
-- Test of SECURITY LABEL statement with a plugin
|
||||
--
|
||||
SET SESSION AUTHORIZATION seclabel_user1;
|
||||
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
|
||||
SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
|
||||
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
|
||||
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
|
||||
|
||||
SET SESSION AUTHORIZATION seclabel_user2;
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
|
||||
|
||||
--
|
||||
-- Test for shared database object
|
||||
--
|
||||
SET SESSION AUTHORIZATION seclabel_user1;
|
||||
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
|
||||
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
|
||||
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
|
||||
|
||||
SET SESSION AUTHORIZATION seclabel_user2;
|
||||
SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
|
||||
|
||||
RESET SESSION AUTHORIZATION;
|
||||
|
||||
--
|
||||
-- Test for various types of object
|
||||
--
|
||||
RESET SESSION AUTHORIZATION;
|
||||
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
|
||||
SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
|
||||
SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
|
||||
CREATE SCHEMA seclabel_test;
|
||||
SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
|
||||
|
||||
SELECT objtype, objname, provider, label FROM pg_seclabels
|
||||
ORDER BY objtype, objname;
|
||||
|
||||
-- clean up objects
|
||||
DROP FUNCTION seclabel_four();
|
||||
DROP DOMAIN seclabel_domain;
|
||||
DROP VIEW seclabel_view1;
|
||||
DROP TABLE seclabel_tbl1;
|
||||
DROP TABLE seclabel_tbl2;
|
||||
DROP USER seclabel_user1;
|
||||
DROP USER seclabel_user2;
|
||||
DROP SCHEMA seclabel_test;
|
||||
|
||||
-- make sure we don't have any leftovers
|
||||
SELECT objtype, objname, provider, label FROM pg_seclabels
|
||||
ORDER BY objtype, objname;
|
||||
|
|
@ -1,123 +0,0 @@
|
|||
--
|
||||
-- Test for facilities of security label
|
||||
--
|
||||
-- initial setups
|
||||
SET client_min_messages TO 'warning';
|
||||
DROP ROLE IF EXISTS seclabel_user1;
|
||||
DROP ROLE IF EXISTS seclabel_user2;
|
||||
DROP TABLE IF EXISTS seclabel_tbl1;
|
||||
DROP TABLE IF EXISTS seclabel_tbl2;
|
||||
DROP TABLE IF EXISTS seclabel_tbl3;
|
||||
CREATE USER seclabel_user1 WITH CREATEROLE;
|
||||
CREATE USER seclabel_user2;
|
||||
CREATE TABLE seclabel_tbl1 (a int, b text);
|
||||
CREATE TABLE seclabel_tbl2 (x int, y text);
|
||||
CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
|
||||
CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
|
||||
CREATE DOMAIN seclabel_domain AS text;
|
||||
ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
|
||||
ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
|
||||
RESET client_min_messages;
|
||||
--
|
||||
-- Test of SECURITY LABEL statement without a plugin
|
||||
--
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
ERROR: security label provider "dummy" is not loaded
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
|
||||
ERROR: security label provider "dummy" is not loaded
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
|
||||
ERROR: no security label providers have been loaded
|
||||
-- Load dummy external security provider
|
||||
LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
|
||||
--
|
||||
-- Test of SECURITY LABEL statement with a plugin
|
||||
--
|
||||
SET SESSION AUTHORIZATION seclabel_user1;
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
|
||||
SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
ERROR: column name must be qualified
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
|
||||
ERROR: '...invalid label...' is not a valid security label
|
||||
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
ERROR: security label provider "unknown_seclabel" is not loaded
|
||||
SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
|
||||
ERROR: must be owner of relation seclabel_tbl2
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
|
||||
ERROR: only superuser can set 'secret' label
|
||||
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
|
||||
ERROR: relation "seclabel_tbl3" does not exist
|
||||
SET SESSION AUTHORIZATION seclabel_user2;
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
ERROR: must be owner of relation seclabel_tbl1
|
||||
SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
|
||||
--
|
||||
-- Test for shared database object
|
||||
--
|
||||
SET SESSION AUTHORIZATION seclabel_user1;
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
|
||||
ERROR: '...invalid label...' is not a valid security label
|
||||
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
|
||||
ERROR: security label provider "unknown_seclabel" is not loaded
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
|
||||
ERROR: only superuser can set 'secret' label
|
||||
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
|
||||
ERROR: role "seclabel_user3" does not exist
|
||||
SET SESSION AUTHORIZATION seclabel_user2;
|
||||
SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
|
||||
ERROR: must have CREATEROLE privilege
|
||||
RESET SESSION AUTHORIZATION;
|
||||
--
|
||||
-- Test for various types of object
|
||||
--
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
|
||||
SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
|
||||
SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
|
||||
SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
|
||||
CREATE SCHEMA seclabel_test;
|
||||
SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
|
||||
SELECT objtype, objname, provider, label FROM pg_seclabels
|
||||
ORDER BY objtype, objname;
|
||||
objtype | objname | provider | label
|
||||
----------+-----------------+----------+--------------
|
||||
column | seclabel_tbl1.a | dummy | unclassified
|
||||
domain | seclabel_domain | dummy | classified
|
||||
function | seclabel_four() | dummy | classified
|
||||
role | seclabel_user1 | dummy | classified
|
||||
role | seclabel_user2 | dummy | unclassified
|
||||
schema | seclabel_test | dummy | unclassified
|
||||
table | seclabel_tbl1 | dummy | top secret
|
||||
table | seclabel_tbl2 | dummy | classified
|
||||
view | seclabel_view1 | dummy | classified
|
||||
(9 rows)
|
||||
|
||||
-- clean up objects
|
||||
DROP FUNCTION seclabel_four();
|
||||
DROP DOMAIN seclabel_domain;
|
||||
DROP VIEW seclabel_view1;
|
||||
DROP TABLE seclabel_tbl1;
|
||||
DROP TABLE seclabel_tbl2;
|
||||
DROP USER seclabel_user1;
|
||||
DROP USER seclabel_user2;
|
||||
DROP SCHEMA seclabel_test;
|
||||
-- make sure we don't have any leftovers
|
||||
SELECT objtype, objname, provider, label FROM pg_seclabels
|
||||
ORDER BY objtype, objname;
|
||||
objtype | objname | provider | label
|
||||
---------+---------+----------+-------
|
||||
(0 rows)
|
||||
|
||||
|
|
@ -0,0 +1,49 @@
|
|||
--
|
||||
-- Test for facilities of security label
|
||||
--
|
||||
|
||||
-- initial setups
|
||||
SET client_min_messages TO 'warning';
|
||||
|
||||
DROP ROLE IF EXISTS seclabel_user1;
|
||||
DROP ROLE IF EXISTS seclabel_user2;
|
||||
|
||||
DROP TABLE IF EXISTS seclabel_tbl1;
|
||||
DROP TABLE IF EXISTS seclabel_tbl2;
|
||||
DROP TABLE IF EXISTS seclabel_tbl3;
|
||||
|
||||
CREATE USER seclabel_user1 WITH CREATEROLE;
|
||||
CREATE USER seclabel_user2;
|
||||
|
||||
CREATE TABLE seclabel_tbl1 (a int, b text);
|
||||
CREATE TABLE seclabel_tbl2 (x int, y text);
|
||||
CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
|
||||
CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
|
||||
CREATE DOMAIN seclabel_domain AS text;
|
||||
|
||||
ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
|
||||
ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
|
||||
|
||||
RESET client_min_messages;
|
||||
|
||||
--
|
||||
-- Test of SECURITY LABEL statement without a plugin
|
||||
--
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
||||
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
|
||||
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
|
||||
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
|
||||
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
|
||||
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
|
||||
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
|
||||
|
||||
-- clean up objects
|
||||
DROP FUNCTION seclabel_four();
|
||||
DROP DOMAIN seclabel_domain;
|
||||
DROP VIEW seclabel_view1;
|
||||
DROP TABLE seclabel_tbl1;
|
||||
DROP TABLE seclabel_tbl2;
|
||||
DROP USER seclabel_user1;
|
||||
DROP USER seclabel_user2;
|
||||
Loading…
Reference in New Issue