Move security_label test

Rather than have the core security_label regression test depend on the
dummy_seclabel module, have that part of the test be executed by
dummy_seclabel itself directly.  This simplifies the testing rig a bit;
in particular it should silence the problems from the MSVC buildfarm
phylum, which haven't yet gotten taught how to install src/test/modules.

diff --git a/src/test/modules/dummy_seclabel/Makefile b/src/test/modules/dummy_seclabel/Makefile
index 909ac9ace72d641458b5cf6b168ea00c30cdc7e7..41f50cc41ee62dbce936c8d037e01ea2de7475e8 100644 (file)
--- a/src/test/modules/dummy_seclabel/Makefile
+++ b/src/test/modules/dummy_seclabel/Makefile
@@ -3,6 +3,8 @@
 MODULES = dummy_seclabel
 PGFILEDESC = "dummy_seclabel - regression testing of the SECURITY LABEL statement"
 
+REGRESS = dummy_seclabel
+
 ifdef USE_PGXS
 PG_CONFIG = pg_config
 PGXS := $(shell $(PG_CONFIG) --pgxs)

diff --git a/src/test/modules/dummy_seclabel/input/dummy_seclabel.source b/src/test/modules/dummy_seclabel/input/dummy_seclabel.source
new file mode 100644 (file)
index 0000000..d39ce88
--- /dev/null
+++ b/src/test/modules/dummy_seclabel/input/dummy_seclabel.source
@@ -0,0 +1,79 @@
+--
+-- Test for facilities of security label
+--
+LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
+
+-- initial setups
+SET client_min_messages TO 'warning';
+
+DROP ROLE IF EXISTS dummy_seclabel_user1;
+DROP ROLE IF EXISTS dummy_seclabel_user2;
+
+DROP TABLE IF EXISTS dummy_seclabel_tbl1;
+DROP TABLE IF EXISTS dummy_seclabel_tbl2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl3;
+
+CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER dummy_seclabel_user2;
+
+CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
+CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
+CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
+CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN dummy_seclabel_domain AS text;
+
+ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
+ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
+
+RESET client_min_messages;
+
+--
+-- Test of SECURITY LABEL statement with a plugin
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';                   -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';              -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';        -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...';  -- fail
+SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';     -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';    -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';               -- fail (not superuser)
+SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
+
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified';         -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';                   -- OK
+
+--
+-- Test for shared database object
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified';                   -- OK
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...';  -- fail
+SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified';     -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified';  -- fail
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret';       -- fail (not superuser)
+SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
+
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
+
+RESET SESSION AUTHORIZATION;
+
+--
+-- Test for various types of object
+--
+RESET SESSION AUTHORIZATION;
+
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret';                   -- OK
+SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified';                   -- OK
+SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified';              -- OK
+SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified';                -- OK
+CREATE SCHEMA dummy_seclabel_test;
+SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified';                -- OK
+
+SELECT objtype, objname, provider, label FROM pg_seclabels
+       ORDER BY objtype, objname;

diff --git a/src/test/modules/dummy_seclabel/output/dummy_seclabel.source b/src/test/modules/dummy_seclabel/output/dummy_seclabel.source
new file mode 100644 (file)
index 0000000..8275764
--- /dev/null
+++ b/src/test/modules/dummy_seclabel/output/dummy_seclabel.source
@@ -0,0 +1,87 @@
+--
+-- Test for facilities of security label
+--
+LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
+-- initial setups
+SET client_min_messages TO 'warning';
+DROP ROLE IF EXISTS dummy_seclabel_user1;
+DROP ROLE IF EXISTS dummy_seclabel_user2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl1;
+DROP TABLE IF EXISTS dummy_seclabel_tbl2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl3;
+CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER dummy_seclabel_user2;
+CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
+CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
+CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
+CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN dummy_seclabel_domain AS text;
+ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
+ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
+RESET client_min_messages;
+--
+-- Test of SECURITY LABEL statement with a plugin
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';                   -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';              -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';        -- fail
+ERROR:  column name must be qualified
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...';  -- fail
+ERROR:  '...invalid label...' is not a valid security label
+SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';     -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';    -- fail
+ERROR:  security label provider "unknown_seclabel" is not loaded
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
+ERROR:  must be owner of relation dummy_seclabel_tbl2
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';               -- fail (not superuser)
+ERROR:  only superuser can set 'secret' label
+SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
+ERROR:  relation "dummy_seclabel_tbl3" does not exist
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified';         -- fail
+ERROR:  must be owner of relation dummy_seclabel_tbl1
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';                   -- OK
+--
+-- Test for shared database object
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified';                   -- OK
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...';  -- fail
+ERROR:  '...invalid label...' is not a valid security label
+SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified';     -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified';  -- fail
+ERROR:  security label provider "unknown_seclabel" is not loaded
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret';       -- fail (not superuser)
+ERROR:  only superuser can set 'secret' label
+SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
+ERROR:  role "dummy_seclabel_user3" does not exist
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
+ERROR:  must have CREATEROLE privilege
+RESET SESSION AUTHORIZATION;
+--
+-- Test for various types of object
+--
+RESET SESSION AUTHORIZATION;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret';                   -- OK
+SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified';                   -- OK
+SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified';              -- OK
+SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified';                -- OK
+CREATE SCHEMA dummy_seclabel_test;
+SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified';                -- OK
+SELECT objtype, objname, provider, label FROM pg_seclabels
+       ORDER BY objtype, objname;
+ objtype  |        objname        | provider |    label     
+----------+-----------------------+----------+--------------
+ column   | dummy_seclabel_tbl1.a | dummy    | unclassified
+ domain   | dummy_seclabel_domain | dummy    | classified
+ function | dummy_seclabel_four() | dummy    | classified
+ role     | dummy_seclabel_user1  | dummy    | classified
+ role     | dummy_seclabel_user2  | dummy    | unclassified
+ schema   | dummy_seclabel_test   | dummy    | unclassified
+ table    | dummy_seclabel_tbl1   | dummy    | top secret
+ table    | dummy_seclabel_tbl2   | dummy    | classified
+ view     | dummy_seclabel_view1  | dummy    | classified
+(9 rows)
+

diff --git a/src/test/regress/GNUmakefile b/src/test/regress/GNUmakefile
index 77fe8b620d46e657a5bf54655e0d611a6cab6143..1832eccbd9cdb9b5f1700313d7e0605775f7351f 100644 (file)
--- a/src/test/regress/GNUmakefile
+++ b/src/test/regress/GNUmakefile
@@ -101,9 +101,9 @@ installdirs-tests: installdirs
        $(MKDIR_P)  $(patsubst $(srcdir)/%/,'$(DESTDIR)$(pkglibdir)/regress/%',$(sort $(dir $(regress_data_files))))
 
 
-# Get some extra C modules from contrib/spi and src/test/modules/dummy_seclabel...
+# Get some extra C modules from contrib/spi
 
-all: refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX)
+all: refint$(DLSUFFIX) autoinc$(DLSUFFIX)
 
 refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX)
        cp $< $@
@@ -111,22 +111,14 @@ refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX)
 autoinc$(DLSUFFIX): $(top_builddir)/contrib/spi/autoinc$(DLSUFFIX)
        cp $< $@
 
-dummy_seclabel$(DLSUFFIX): $(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX)
-       cp $< $@
-
 $(top_builddir)/contrib/spi/refint$(DLSUFFIX): | submake-contrib-spi ;
 
 $(top_builddir)/contrib/spi/autoinc$(DLSUFFIX): | submake-contrib-spi ;
 
-$(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX): | submake-dummy_seclabel ;
-
 submake-contrib-spi:
        $(MAKE) -C $(top_builddir)/contrib/spi
 
-submake-dummy_seclabel:
-       $(MAKE) -C $(top_builddir)/src/test/modules/dummy_seclabel
-
-.PHONY: submake-contrib-spi submake-dummy_seclabel
+.PHONY: submake-contrib-spi
 
 # Tablespace setup
 
@@ -179,7 +171,7 @@ bigcheck: all tablespace-setup
 
 clean distclean maintainer-clean: clean-lib
 # things built by `all' target
-       rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX)
+       rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX)
        rm -f pg_regress_main.o pg_regress.o pg_regress$(X)
 # things created by various check targets
        rm -f $(output_files) $(input_files)

diff --git a/src/test/regress/expected/security_label.out b/src/test/regress/expected/security_label.out
new file mode 100644 (file)
index 0000000..10b062a
--- /dev/null
+++ b/src/test/regress/expected/security_label.out
@@ -0,0 +1,47 @@
+--
+-- Test for facilities of security label
+--
+-- initial setups
+SET client_min_messages TO 'warning';
+DROP ROLE IF EXISTS seclabel_user1;
+DROP ROLE IF EXISTS seclabel_user2;
+DROP TABLE IF EXISTS seclabel_tbl1;
+DROP TABLE IF EXISTS seclabel_tbl2;
+DROP TABLE IF EXISTS seclabel_tbl3;
+CREATE USER seclabel_user1 WITH CREATEROLE;
+CREATE USER seclabel_user2;
+CREATE TABLE seclabel_tbl1 (a int, b text);
+CREATE TABLE seclabel_tbl2 (x int, y text);
+CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
+CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN seclabel_domain AS text;
+ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
+ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
+RESET client_min_messages;
+--
+-- Test of SECURITY LABEL statement without a plugin
+--
+SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified';                 -- fail
+ERROR:  no security label providers have been loaded
+SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified';             -- fail
+ERROR:  security label provider "dummy" is not loaded
+SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...';                -- fail
+ERROR:  no security label providers have been loaded
+SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified';                       -- fail
+ERROR:  no security label providers have been loaded
+SECURITY LABEL ON ROLE seclabel_user1 IS 'classified';                 -- fail
+ERROR:  no security label providers have been loaded
+SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified';             -- fail
+ERROR:  security label provider "dummy" is not loaded
+SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...';                -- fail
+ERROR:  no security label providers have been loaded
+SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified';                       -- fail
+ERROR:  no security label providers have been loaded
+-- clean up objects
+DROP FUNCTION seclabel_four();
+DROP DOMAIN seclabel_domain;
+DROP VIEW seclabel_view1;
+DROP TABLE seclabel_tbl1;
+DROP TABLE seclabel_tbl2;
+DROP USER seclabel_user1;
+DROP USER seclabel_user2;

diff --git a/src/test/regress/input/security_label.source b/src/test/regress/input/security_label.source
deleted file mode 100644 (file)
index 287dd76..0000000
--- a/src/test/regress/input/security_label.source
+++ /dev/null
@@ -1,108 +0,0 @@
---
--- Test for facilities of security label
---
-
--- initial setups
-SET client_min_messages TO 'warning';
-
-DROP ROLE IF EXISTS seclabel_user1;
-DROP ROLE IF EXISTS seclabel_user2;
-
-DROP TABLE IF EXISTS seclabel_tbl1;
-DROP TABLE IF EXISTS seclabel_tbl2;
-DROP TABLE IF EXISTS seclabel_tbl3;
-
-CREATE USER seclabel_user1 WITH CREATEROLE;
-CREATE USER seclabel_user2;
-
-CREATE TABLE seclabel_tbl1 (a int, b text);
-CREATE TABLE seclabel_tbl2 (x int, y text);
-CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
-CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
-CREATE DOMAIN seclabel_domain AS text;
-
-ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
-ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
-
-RESET client_min_messages;
-
---
--- Test of SECURITY LABEL statement without a plugin
---
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified';                 -- fail
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified';             -- fail
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...';                -- fail
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified';                       -- fail
-
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified';                 -- fail
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified';             -- fail
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...';                -- fail
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified';                       -- fail
-
--- Load dummy external security provider
-LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
-
---
--- Test of SECURITY LABEL statement with a plugin
---
-SET SESSION AUTHORIZATION seclabel_user1;
-
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified';                 -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified';            -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified';      -- fail
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...';        -- fail
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified';   -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified';  -- fail
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified';       -- fail (not owner)
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret';             -- fail (not superuser)
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified';       -- fail (not found)
-
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified';               -- fail
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified';                 -- OK
-
---
--- Test for shared database object
---
-SET SESSION AUTHORIZATION seclabel_user1;
-
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified';                 -- OK
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...';        -- fail
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified';   -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified';        -- fail
-SECURITY LABEL ON ROLE seclabel_user1 IS 'secret';     -- fail (not superuser)
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified';       -- fail (not found)
-
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified';       -- fail (not privileged)
-
-RESET SESSION AUTHORIZATION;
-
---
--- Test for various types of object
---
-RESET SESSION AUTHORIZATION;
-
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret';                 -- OK
-SECURITY LABEL ON VIEW seclabel_view1 IS 'classified';                 -- OK
-SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified';            -- OK
-SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified';              -- OK
-CREATE SCHEMA seclabel_test;
-SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified';              -- OK
-
-SELECT objtype, objname, provider, label FROM pg_seclabels
-       ORDER BY objtype, objname;
-
--- clean up objects
-DROP FUNCTION seclabel_four();
-DROP DOMAIN seclabel_domain;
-DROP VIEW seclabel_view1;
-DROP TABLE seclabel_tbl1;
-DROP TABLE seclabel_tbl2;
-DROP USER seclabel_user1;
-DROP USER seclabel_user2;
-DROP SCHEMA seclabel_test;
-
--- make sure we don't have any leftovers
-SELECT objtype, objname, provider, label FROM pg_seclabels
-       ORDER BY objtype, objname;

diff --git a/src/test/regress/output/security_label.source b/src/test/regress/output/security_label.source
deleted file mode 100644 (file)
index 0e20244..0000000
--- a/src/test/regress/output/security_label.source
+++ /dev/null
@@ -1,123 +0,0 @@
---
--- Test for facilities of security label
---
--- initial setups
-SET client_min_messages TO 'warning';
-DROP ROLE IF EXISTS seclabel_user1;
-DROP ROLE IF EXISTS seclabel_user2;
-DROP TABLE IF EXISTS seclabel_tbl1;
-DROP TABLE IF EXISTS seclabel_tbl2;
-DROP TABLE IF EXISTS seclabel_tbl3;
-CREATE USER seclabel_user1 WITH CREATEROLE;
-CREATE USER seclabel_user2;
-CREATE TABLE seclabel_tbl1 (a int, b text);
-CREATE TABLE seclabel_tbl2 (x int, y text);
-CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
-CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
-CREATE DOMAIN seclabel_domain AS text;
-ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
-ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
-RESET client_min_messages;
---
--- Test of SECURITY LABEL statement without a plugin
---
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified';                 -- fail
-ERROR:  no security label providers have been loaded
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified';             -- fail
-ERROR:  security label provider "dummy" is not loaded
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...';                -- fail
-ERROR:  no security label providers have been loaded
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified';                       -- fail
-ERROR:  no security label providers have been loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified';                 -- fail
-ERROR:  no security label providers have been loaded
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified';             -- fail
-ERROR:  security label provider "dummy" is not loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...';                -- fail
-ERROR:  no security label providers have been loaded
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified';                       -- fail
-ERROR:  no security label providers have been loaded
--- Load dummy external security provider
-LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
---
--- Test of SECURITY LABEL statement with a plugin
---
-SET SESSION AUTHORIZATION seclabel_user1;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified';                 -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified';            -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified';      -- fail
-ERROR:  column name must be qualified
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...';        -- fail
-ERROR:  '...invalid label...' is not a valid security label
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified';   -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified';  -- fail
-ERROR:  security label provider "unknown_seclabel" is not loaded
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified';       -- fail (not owner)
-ERROR:  must be owner of relation seclabel_tbl2
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret';             -- fail (not superuser)
-ERROR:  only superuser can set 'secret' label
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified';       -- fail (not found)
-ERROR:  relation "seclabel_tbl3" does not exist
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified';               -- fail
-ERROR:  must be owner of relation seclabel_tbl1
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified';                 -- OK
---
--- Test for shared database object
---
-SET SESSION AUTHORIZATION seclabel_user1;
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified';                 -- OK
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...';        -- fail
-ERROR:  '...invalid label...' is not a valid security label
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified';   -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified';        -- fail
-ERROR:  security label provider "unknown_seclabel" is not loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS 'secret';     -- fail (not superuser)
-ERROR:  only superuser can set 'secret' label
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified';       -- fail (not found)
-ERROR:  role "seclabel_user3" does not exist
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified';       -- fail (not privileged)
-ERROR:  must have CREATEROLE privilege
-RESET SESSION AUTHORIZATION;
---
--- Test for various types of object
---
-RESET SESSION AUTHORIZATION;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret';                 -- OK
-SECURITY LABEL ON VIEW seclabel_view1 IS 'classified';                 -- OK
-SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified';            -- OK
-SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified';              -- OK
-CREATE SCHEMA seclabel_test;
-SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified';              -- OK
-SELECT objtype, objname, provider, label FROM pg_seclabels
-       ORDER BY objtype, objname;
- objtype  |     objname     | provider |    label     
-----------+-----------------+----------+--------------
- column   | seclabel_tbl1.a | dummy    | unclassified
- domain   | seclabel_domain | dummy    | classified
- function | seclabel_four() | dummy    | classified
- role     | seclabel_user1  | dummy    | classified
- role     | seclabel_user2  | dummy    | unclassified
- schema   | seclabel_test   | dummy    | unclassified
- table    | seclabel_tbl1   | dummy    | top secret
- table    | seclabel_tbl2   | dummy    | classified
- view     | seclabel_view1  | dummy    | classified
-(9 rows)
-
--- clean up objects
-DROP FUNCTION seclabel_four();
-DROP DOMAIN seclabel_domain;
-DROP VIEW seclabel_view1;
-DROP TABLE seclabel_tbl1;
-DROP TABLE seclabel_tbl2;
-DROP USER seclabel_user1;
-DROP USER seclabel_user2;
-DROP SCHEMA seclabel_test;
--- make sure we don't have any leftovers
-SELECT objtype, objname, provider, label FROM pg_seclabels
-       ORDER BY objtype, objname;
- objtype | objname | provider | label 
----------+---------+----------+-------
-(0 rows)
-

diff --git a/src/test/regress/sql/security_label.sql b/src/test/regress/sql/security_label.sql
new file mode 100644 (file)
index 0000000..7f54589
--- /dev/null
+++ b/src/test/regress/sql/security_label.sql
@@ -0,0 +1,49 @@
+--
+-- Test for facilities of security label
+--
+
+-- initial setups
+SET client_min_messages TO 'warning';
+
+DROP ROLE IF EXISTS seclabel_user1;
+DROP ROLE IF EXISTS seclabel_user2;
+
+DROP TABLE IF EXISTS seclabel_tbl1;
+DROP TABLE IF EXISTS seclabel_tbl2;
+DROP TABLE IF EXISTS seclabel_tbl3;
+
+CREATE USER seclabel_user1 WITH CREATEROLE;
+CREATE USER seclabel_user2;
+
+CREATE TABLE seclabel_tbl1 (a int, b text);
+CREATE TABLE seclabel_tbl2 (x int, y text);
+CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
+CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN seclabel_domain AS text;
+
+ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
+ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
+
+RESET client_min_messages;
+
+--
+-- Test of SECURITY LABEL statement without a plugin
+--
+SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified';                 -- fail
+SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified';             -- fail
+SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...';                -- fail
+SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified';                       -- fail
+
+SECURITY LABEL ON ROLE seclabel_user1 IS 'classified';                 -- fail
+SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified';             -- fail
+SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...';                -- fail
+SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified';                       -- fail
+
+-- clean up objects
+DROP FUNCTION seclabel_four();
+DROP DOMAIN seclabel_domain;
+DROP VIEW seclabel_view1;
+DROP TABLE seclabel_tbl1;
+DROP TABLE seclabel_tbl2;
+DROP USER seclabel_user1;
+DROP USER seclabel_user2;