109 lines
3.9 KiB
Plaintext
109 lines
3.9 KiB
Plaintext
--
|
|
-- Test for facilities of security label
|
|
--
|
|
|
|
-- initial setups
|
|
SET client_min_messages TO 'warning';
|
|
|
|
DROP ROLE IF EXISTS seclabel_user1;
|
|
DROP ROLE IF EXISTS seclabel_user2;
|
|
|
|
DROP TABLE IF EXISTS seclabel_tbl1;
|
|
DROP TABLE IF EXISTS seclabel_tbl2;
|
|
DROP TABLE IF EXISTS seclabel_tbl3;
|
|
|
|
CREATE USER seclabel_user1 WITH CREATEROLE;
|
|
CREATE USER seclabel_user2;
|
|
|
|
CREATE TABLE seclabel_tbl1 (a int, b text);
|
|
CREATE TABLE seclabel_tbl2 (x int, y text);
|
|
CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
|
|
CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
|
|
CREATE DOMAIN seclabel_domain AS text;
|
|
|
|
ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
|
|
ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
|
|
|
|
RESET client_min_messages;
|
|
|
|
--
|
|
-- Test of SECURITY LABEL statement without a plugin
|
|
--
|
|
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
|
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
|
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
|
|
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
|
|
|
|
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
|
|
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
|
|
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
|
|
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
|
|
|
|
-- Load dummy external security provider
|
|
LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
|
|
|
|
--
|
|
-- Test of SECURITY LABEL statement with a plugin
|
|
--
|
|
SET SESSION AUTHORIZATION seclabel_user1;
|
|
|
|
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
|
|
SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
|
|
SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
|
|
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
|
|
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
|
|
SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
|
|
SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
|
|
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
|
|
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
|
|
|
|
SET SESSION AUTHORIZATION seclabel_user2;
|
|
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
|
|
SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
|
|
|
|
--
|
|
-- Test for shared database object
|
|
--
|
|
SET SESSION AUTHORIZATION seclabel_user1;
|
|
|
|
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
|
|
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
|
|
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
|
|
SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
|
|
SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
|
|
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
|
|
|
|
SET SESSION AUTHORIZATION seclabel_user2;
|
|
SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
|
|
|
|
RESET SESSION AUTHORIZATION;
|
|
|
|
--
|
|
-- Test for various types of object
|
|
--
|
|
RESET SESSION AUTHORIZATION;
|
|
|
|
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
|
|
SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
|
|
SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
|
|
SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
|
|
CREATE SCHEMA seclabel_test;
|
|
SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
|
|
|
|
SELECT objtype, objname, provider, label FROM pg_seclabels
|
|
ORDER BY objtype, objname;
|
|
|
|
-- clean up objects
|
|
DROP FUNCTION seclabel_four();
|
|
DROP DOMAIN seclabel_domain;
|
|
DROP VIEW seclabel_view1;
|
|
DROP TABLE seclabel_tbl1;
|
|
DROP TABLE seclabel_tbl2;
|
|
DROP USER seclabel_user1;
|
|
DROP USER seclabel_user2;
|
|
DROP SCHEMA seclabel_test;
|
|
|
|
-- make sure we don't have any leftovers
|
|
SELECT objtype, objname, provider, label FROM pg_seclabels
|
|
ORDER BY objtype, objname;
|