MODULES = dummy_seclabel
PGFILEDESC = "dummy_seclabel - regression testing of the SECURITY LABEL statement"
+REGRESS = dummy_seclabel
+
ifdef USE_PGXS
PG_CONFIG = pg_config
PGXS := $(shell $(PG_CONFIG) --pgxs)
--- /dev/null
+--
+-- Test for facilities of security label
+--
+LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
+
+-- initial setups
+SET client_min_messages TO 'warning';
+
+DROP ROLE IF EXISTS dummy_seclabel_user1;
+DROP ROLE IF EXISTS dummy_seclabel_user2;
+
+DROP TABLE IF EXISTS dummy_seclabel_tbl1;
+DROP TABLE IF EXISTS dummy_seclabel_tbl2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl3;
+
+CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER dummy_seclabel_user2;
+
+CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
+CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
+CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
+CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN dummy_seclabel_domain AS text;
+
+ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
+ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
+
+RESET client_min_messages;
+
+--
+-- Test of SECURITY LABEL statement with a plugin
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
+SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
+SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
+
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
+
+--
+-- Test for shared database object
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
+SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
+SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
+
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
+
+RESET SESSION AUTHORIZATION;
+
+--
+-- Test for various types of object
+--
+RESET SESSION AUTHORIZATION;
+
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
+SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
+SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
+SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
+CREATE SCHEMA dummy_seclabel_test;
+SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
+
+SELECT objtype, objname, provider, label FROM pg_seclabels
+ ORDER BY objtype, objname;
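Review bot: The new provider test stops at the `pg_seclabels` query and never drops the objects it created, whereas the script it was split from dropped the function, domain, view, tables, users and schema and then re-ran the query expecting `(0 rows)`. That second query was the only visible check that dropping a labelled object also removes its label, so the move loses coverage for stale labels surviving a DROP. The two roles are shared objects, so they and their labels presumably stay behind when the test runs against an installed server. I would restore the cleanup block under the `dummy_seclabel_` names, followed by the leftover query, and add the matching empty result to the expected output, which has the same gap.

```sql
-- … unchanged: setup, SECURITY LABEL cases, first pg_seclabels query …

-- clean up objects
DROP FUNCTION dummy_seclabel_four();
DROP DOMAIN dummy_seclabel_domain;
DROP VIEW dummy_seclabel_view1;
DROP TABLE dummy_seclabel_tbl1;
DROP TABLE dummy_seclabel_tbl2;
DROP USER dummy_seclabel_user1;
DROP USER dummy_seclabel_user2;
DROP SCHEMA dummy_seclabel_test;

-- make sure we don't have any leftovers
SELECT objtype, objname, provider, label FROM pg_seclabels
    ORDER BY objtype, objname;
```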
--- /dev/null
+--
+-- Test for facilities of security label
+--
+LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
+-- initial setups
+SET client_min_messages TO 'warning';
+DROP ROLE IF EXISTS dummy_seclabel_user1;
+DROP ROLE IF EXISTS dummy_seclabel_user2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl1;
+DROP TABLE IF EXISTS dummy_seclabel_tbl2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl3;
+CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER dummy_seclabel_user2;
+CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
+CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
+CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
+CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN dummy_seclabel_domain AS text;
+ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
+ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
+RESET client_min_messages;
+--
+-- Test of SECURITY LABEL statement with a plugin
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+ERROR: column name must be qualified
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
+ERROR: '...invalid label...' is not a valid security label
+SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
+ERROR: security label provider "unknown_seclabel" is not loaded
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
+ERROR: must be owner of relation dummy_seclabel_tbl2
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
+ERROR: only superuser can set 'secret' label
+SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
+ERROR: relation "dummy_seclabel_tbl3" does not exist
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+ERROR: must be owner of relation dummy_seclabel_tbl1
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
+--
+-- Test for shared database object
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
+ERROR: '...invalid label...' is not a valid security label
+SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
+ERROR: security label provider "unknown_seclabel" is not loaded
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
+ERROR: only superuser can set 'secret' label
+SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
+ERROR: role "dummy_seclabel_user3" does not exist
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
+ERROR: must have CREATEROLE privilege
+RESET SESSION AUTHORIZATION;
+--
+-- Test for various types of object
+--
+RESET SESSION AUTHORIZATION;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
+SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
+SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
+SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
+CREATE SCHEMA dummy_seclabel_test;
+SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
+SELECT objtype, objname, provider, label FROM pg_seclabels
+ ORDER BY objtype, objname;
+ objtype | objname | provider | label
+----------+-----------------------+----------+--------------
+ column | dummy_seclabel_tbl1.a | dummy | unclassified
+ domain | dummy_seclabel_domain | dummy | classified
+ function | dummy_seclabel_four() | dummy | classified
+ role | dummy_seclabel_user1 | dummy | classified
+ role | dummy_seclabel_user2 | dummy | unclassified
+ schema | dummy_seclabel_test | dummy | unclassified
+ table | dummy_seclabel_tbl1 | dummy | top secret
+ table | dummy_seclabel_tbl2 | dummy | classified
+ view | dummy_seclabel_view1 | dummy | classified
+(9 rows)
+
$(MKDIR_P) $(patsubst $(srcdir)/%/,'$(DESTDIR)$(pkglibdir)/regress/%',$(sort $(dir $(regress_data_files))))
-# Get some extra C modules from contrib/spi and src/test/modules/dummy_seclabel...
+# Get some extra C modules from contrib/spi
-all: refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX)
+all: refint$(DLSUFFIX) autoinc$(DLSUFFIX)
refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX)
cp $< $@
autoinc$(DLSUFFIX): $(top_builddir)/contrib/spi/autoinc$(DLSUFFIX)
cp $< $@
-dummy_seclabel$(DLSUFFIX): $(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX)
- cp $< $@
-
$(top_builddir)/contrib/spi/refint$(DLSUFFIX): | submake-contrib-spi ;
$(top_builddir)/contrib/spi/autoinc$(DLSUFFIX): | submake-contrib-spi ;
-$(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX): | submake-dummy_seclabel ;
-
submake-contrib-spi:
$(MAKE) -C $(top_builddir)/contrib/spi
-submake-dummy_seclabel:
- $(MAKE) -C $(top_builddir)/src/test/modules/dummy_seclabel
-
-.PHONY: submake-contrib-spi submake-dummy_seclabel
+.PHONY: submake-contrib-spi
# Tablespace setup
clean distclean maintainer-clean: clean-lib
# things built by `all' target
- rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX)
+ rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX)
rm -f pg_regress_main.o pg_regress.o pg_regress$(X)
# things created by various check targets
rm -f $(output_files) $(input_files)
--- /dev/null
+--
+-- Test for facilities of security label
+--
+-- initial setups
+SET client_min_messages TO 'warning';
+DROP ROLE IF EXISTS seclabel_user1;
+DROP ROLE IF EXISTS seclabel_user2;
+DROP TABLE IF EXISTS seclabel_tbl1;
+DROP TABLE IF EXISTS seclabel_tbl2;
+DROP TABLE IF EXISTS seclabel_tbl3;
+CREATE USER seclabel_user1 WITH CREATEROLE;
+CREATE USER seclabel_user2;
+CREATE TABLE seclabel_tbl1 (a int, b text);
+CREATE TABLE seclabel_tbl2 (x int, y text);
+CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
+CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN seclabel_domain AS text;
+ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
+ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
+RESET client_min_messages;
+--
+-- Test of SECURITY LABEL statement without a plugin
+--
+SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+ERROR: security label provider "dummy" is not loaded
+SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
+ERROR: security label provider "dummy" is not loaded
+SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
+ERROR: no security label providers have been loaded
+-- clean up objects
+DROP FUNCTION seclabel_four();
+DROP DOMAIN seclabel_domain;
+DROP VIEW seclabel_view1;
+DROP TABLE seclabel_tbl1;
+DROP TABLE seclabel_tbl2;
+DROP USER seclabel_user1;
+DROP USER seclabel_user2;
+++ /dev/null
---
--- Test for facilities of security label
---
-
--- initial setups
-SET client_min_messages TO 'warning';
-
-DROP ROLE IF EXISTS seclabel_user1;
-DROP ROLE IF EXISTS seclabel_user2;
-
-DROP TABLE IF EXISTS seclabel_tbl1;
-DROP TABLE IF EXISTS seclabel_tbl2;
-DROP TABLE IF EXISTS seclabel_tbl3;
-
-CREATE USER seclabel_user1 WITH CREATEROLE;
-CREATE USER seclabel_user2;
-
-CREATE TABLE seclabel_tbl1 (a int, b text);
-CREATE TABLE seclabel_tbl2 (x int, y text);
-CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
-CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
-CREATE DOMAIN seclabel_domain AS text;
-
-ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
-ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
-
-RESET client_min_messages;
-
---
--- Test of SECURITY LABEL statement without a plugin
---
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
-
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
-
--- Load dummy external security provider
-LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
-
---
--- Test of SECURITY LABEL statement with a plugin
---
-SET SESSION AUTHORIZATION seclabel_user1;
-
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
-
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
-
---
--- Test for shared database object
---
-SET SESSION AUTHORIZATION seclabel_user1;
-
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
-SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
-
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
-
-RESET SESSION AUTHORIZATION;
-
---
--- Test for various types of object
---
-RESET SESSION AUTHORIZATION;
-
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
-SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
-SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
-SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
-CREATE SCHEMA seclabel_test;
-SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
-
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
-
--- clean up objects
-DROP FUNCTION seclabel_four();
-DROP DOMAIN seclabel_domain;
-DROP VIEW seclabel_view1;
-DROP TABLE seclabel_tbl1;
-DROP TABLE seclabel_tbl2;
-DROP USER seclabel_user1;
-DROP USER seclabel_user2;
-DROP SCHEMA seclabel_test;
-
--- make sure we don't have any leftovers
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
+++ /dev/null
---
--- Test for facilities of security label
---
--- initial setups
-SET client_min_messages TO 'warning';
-DROP ROLE IF EXISTS seclabel_user1;
-DROP ROLE IF EXISTS seclabel_user2;
-DROP TABLE IF EXISTS seclabel_tbl1;
-DROP TABLE IF EXISTS seclabel_tbl2;
-DROP TABLE IF EXISTS seclabel_tbl3;
-CREATE USER seclabel_user1 WITH CREATEROLE;
-CREATE USER seclabel_user2;
-CREATE TABLE seclabel_tbl1 (a int, b text);
-CREATE TABLE seclabel_tbl2 (x int, y text);
-CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
-CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
-CREATE DOMAIN seclabel_domain AS text;
-ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
-ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
-RESET client_min_messages;
---
--- Test of SECURITY LABEL statement without a plugin
---
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: security label provider "dummy" is not loaded
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
-ERROR: security label provider "dummy" is not loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
-ERROR: no security label providers have been loaded
--- Load dummy external security provider
-LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
---
--- Test of SECURITY LABEL statement with a plugin
---
-SET SESSION AUTHORIZATION seclabel_user1;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
-ERROR: column name must be qualified
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-ERROR: '...invalid label...' is not a valid security label
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: security label provider "unknown_seclabel" is not loaded
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
-ERROR: must be owner of relation seclabel_tbl2
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
-ERROR: only superuser can set 'secret' label
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
-ERROR: relation "seclabel_tbl3" does not exist
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
-ERROR: must be owner of relation seclabel_tbl1
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
---
--- Test for shared database object
---
-SET SESSION AUTHORIZATION seclabel_user1;
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-ERROR: '...invalid label...' is not a valid security label
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
-ERROR: security label provider "unknown_seclabel" is not loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
-ERROR: only superuser can set 'secret' label
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
-ERROR: role "seclabel_user3" does not exist
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
-ERROR: must have CREATEROLE privilege
-RESET SESSION AUTHORIZATION;
---
--- Test for various types of object
---
-RESET SESSION AUTHORIZATION;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
-SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
-SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
-SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
-CREATE SCHEMA seclabel_test;
-SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
- objtype | objname | provider | label
-----------+-----------------+----------+--------------
- column | seclabel_tbl1.a | dummy | unclassified
- domain | seclabel_domain | dummy | classified
- function | seclabel_four() | dummy | classified
- role | seclabel_user1 | dummy | classified
- role | seclabel_user2 | dummy | unclassified
- schema | seclabel_test | dummy | unclassified
- table | seclabel_tbl1 | dummy | top secret
- table | seclabel_tbl2 | dummy | classified
- view | seclabel_view1 | dummy | classified
-(9 rows)
-
--- clean up objects
-DROP FUNCTION seclabel_four();
-DROP DOMAIN seclabel_domain;
-DROP VIEW seclabel_view1;
-DROP TABLE seclabel_tbl1;
-DROP TABLE seclabel_tbl2;
-DROP USER seclabel_user1;
-DROP USER seclabel_user2;
-DROP SCHEMA seclabel_test;
--- make sure we don't have any leftovers
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
- objtype | objname | provider | label
----------+---------+----------+-------
-(0 rows)
-
--- /dev/null
+--
+-- Test for facilities of security label
+--
+
+-- initial setups
+SET client_min_messages TO 'warning';
+
+DROP ROLE IF EXISTS seclabel_user1;
+DROP ROLE IF EXISTS seclabel_user2;
+
+DROP TABLE IF EXISTS seclabel_tbl1;
+DROP TABLE IF EXISTS seclabel_tbl2;
+DROP TABLE IF EXISTS seclabel_tbl3;
+
+CREATE USER seclabel_user1 WITH CREATEROLE;
+CREATE USER seclabel_user2;
+
+CREATE TABLE seclabel_tbl1 (a int, b text);
+CREATE TABLE seclabel_tbl2 (x int, y text);
+CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
+CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN seclabel_domain AS text;
+
+ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
+ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
+
+RESET client_min_messages;
+
+--
+-- Test of SECURITY LABEL statement without a plugin
+--
+SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
+SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
+
+SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
+SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
+SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
+SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
+
+-- clean up objects
+DROP FUNCTION seclabel_four();
+DROP DOMAIN seclabel_domain;
+DROP VIEW seclabel_view1;
+DROP TABLE seclabel_tbl1;
+DROP TABLE seclabel_tbl2;
+DROP USER seclabel_user1;
+DROP USER seclabel_user2;
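Review bot: The bare `-- fail` annotations in the no-provider block do not say why each statement is expected to fail, unlike the `-- fail (not owner)` style used in the provider test. According to the expected output, the statements naming the nonexistent `seclabel_tbl3` and `seclabel_user3` are rejected for the missing provider, not the missing object, and that ordering is what the test pins. I would annotate them, e.g. `-- fail (no provider loaded)`, and regenerate the expected file, since the comments are echoed into it. The expected errors also assume the target server has no label provider preloaded, which is worth stating in the header comment.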