1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
--
-- Regression Test for DDL of Object Permission Checks
--
-- clean-up in case a prior regression run failed
SET client_min_messages TO 'warning';
DROP DATABASE IF EXISTS sepgsql_test_regression;
DROP USER IF EXISTS regress_sepgsql_test_user;
RESET client_min_messages;
-- confirm required permissions using audit messages
-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
SET sepgsql.debug_audit = true;
SET client_min_messages = LOG;
--
-- CREATE Permission checks
--
CREATE DATABASE sepgsql_test_regression;
CREATE USER regress_sepgsql_test_user;
CREATE SCHEMA regtest_schema;
GRANT ALL ON SCHEMA regtest_schema TO regress_sepgsql_test_user;
SET search_path = regtest_schema, public;
CREATE TABLE regtest_table (x serial primary key, y text);
ALTER TABLE regtest_table ADD COLUMN z int;
CREATE TABLE regtest_table_2 (a int);
CREATE TABLE regtest_ptable (a int) PARTITION BY RANGE (a);
CREATE TABLE regtest_ptable_ones PARTITION OF regtest_ptable FOR VALUES FROM ('0') TO ('10');
CREATE TABLE regtest_ptable_tens PARTITION OF regtest_ptable FOR VALUES FROM ('10') TO ('100');
ALTER TABLE regtest_ptable ADD COLUMN q int;
-- corresponding toast table should not have label and permission checks
ALTER TABLE regtest_table_2 ADD COLUMN b text;
-- VACUUM FULL internally create a new table and swap them later.
VACUUM FULL regtest_table;
VACUUM FULL regtest_ptable;
CREATE VIEW regtest_view AS SELECT * FROM regtest_table WHERE x < 100;
CREATE VIEW regtest_pview AS SELECT * FROM regtest_ptable WHERE a < 99;
CREATE SEQUENCE regtest_seq;
CREATE TYPE regtest_comptype AS (a int, b text);
CREATE FUNCTION regtest_func(text,int[]) RETURNS bool LANGUAGE plpgsql
AS 'BEGIN RAISE NOTICE ''regtest_func => %'', $1; RETURN true; END';
CREATE AGGREGATE regtest_agg (
sfunc1 = int4pl, basetype = int4, stype1 = int4, initcond1 = '0'
);
-- CREATE objects owned by others
SET SESSION AUTHORIZATION regress_sepgsql_test_user;
SET search_path = regtest_schema, public;
CREATE TABLE regtest_table_3 (x int, y serial);
CREATE TABLE regtest_ptable_3 (o int, p serial) PARTITION BY RANGE (o);
CREATE TABLE regtest_ptable_3_ones PARTITION OF regtest_ptable_3 FOR VALUES FROM ('0') to ('10');
CREATE TABLE regtest_ptable_3_tens PARTITION OF regtest_ptable_3 FOR VALUES FROM ('10') to ('100');
CREATE VIEW regtest_view_2 AS SELECT * FROM regtest_table_3 WHERE x < y;
CREATE VIEW regtest_pview_2 AS SELECT * FROM regtest_ptable_3 WHERE o < p;
CREATE FUNCTION regtest_func_2(int) RETURNS bool LANGUAGE plpgsql
AS 'BEGIN RETURN $1 * $1 < 100; END';
RESET SESSION AUTHORIZATION;
--
-- ALTER and CREATE/DROP extra attribute permissions
--
CREATE TABLE regtest_table_4 (x int primary key, y int, z int);
CREATE INDEX regtest_index_tbl4_y ON regtest_table_4(y);
CREATE INDEX regtest_index_tbl4_z ON regtest_table_4(z);
ALTER TABLE regtest_table_4 ALTER COLUMN y TYPE float;
DROP INDEX regtest_index_tbl4_y;
ALTER TABLE regtest_table_4
ADD CONSTRAINT regtest_tbl4_con EXCLUDE USING btree (z WITH =);
DROP TABLE regtest_table_4 CASCADE;
-- For partitioned tables
CREATE TABLE regtest_ptable_4 (x int, y int, z int) PARTITION BY RANGE (x);
CREATE TABLE regtest_ptable_4_ones PARTITION OF regtest_ptable_4 FOR VALUES FROM ('0') TO ('10');
CREATE INDEX regtest_pindex_tbl4_y ON regtest_ptable_4_ones(y);
CREATE INDEX regtest_pindex_tbl4_z ON regtest_ptable_4_ones(z);
ALTER TABLE regtest_ptable_4 ALTER COLUMN y TYPE float;
DROP INDEX regtest_pindex_tbl4_y;
ALTER TABLE regtest_ptable_4_ones
ADD CONSTRAINT regtest_ptbl4_con EXCLUDE USING btree (z WITH =);
DROP TABLE regtest_ptable_4 CASCADE;
--
-- DROP Permission checks (with clean-up)
--
DROP FUNCTION regtest_func(text,int[]);
DROP AGGREGATE regtest_agg(int);
DROP SEQUENCE regtest_seq;
DROP VIEW regtest_view;
ALTER TABLE regtest_table DROP COLUMN y;
ALTER TABLE regtest_ptable DROP COLUMN q CASCADE;
DROP TABLE regtest_table;
DROP TABLE regtest_ptable CASCADE;
DROP OWNED BY regress_sepgsql_test_user;
DROP DATABASE sepgsql_test_regression;
DROP USER regress_sepgsql_test_user;
DROP SCHEMA IF EXISTS regtest_schema CASCADE;
|
