From 49562f5eb66f31940dd7b64555bbd81bae952387 Mon Sep 17 00:00:00 2001 From: Robert Haas Date: Tue, 24 Jan 2012 08:38:20 -0500 Subject: [PATCH] Adjustments to regression tests for security_barrier views. Drop the role we create, so regression tests pass even when run more than once against the same cluster, a problem noted by Tom Lane and Jeff Janes. Also, rename the temporary role so that it starts with "regress_", to make it unlikely that we'll collide with an existing role name while running "make installcheck", per further gripe from Tom Lane. --- src/test/regress/expected/select_views.out | 83 ++++++++++---------- src/test/regress/expected/select_views_1.out | 83 ++++++++++---------- src/test/regress/sql/select_views.sql | 16 ++-- 3 files changed, 96 insertions(+), 86 deletions(-) diff --git a/src/test/regress/expected/select_views.out b/src/test/regress/expected/select_views.out index 89dfcb1790..8c2cfc8499 100644 --- a/src/test/regress/expected/select_views.out +++ b/src/test/regress/expected/select_views.out @@ -1250,7 +1250,7 @@ SELECT * FROM toyemp WHERE name = 'sharon'; -- -- Test for Leaky view scenario -- -CREATE USER alice; +CREATE ROLE regress_alice; CREATE FUNCTION f_leak (text) RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001 AS 'BEGIN RAISE NOTICE ''f_leak => %'', $1; RETURN true; END'; @@ -1272,9 +1272,9 @@ CREATE TABLE credit_usage ( usage int ); INSERT INTO customer - VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'), - (102, 'bob', '+01-234-567-8901', 'beafsteak'), - (103, 'eve', '+49-8765-43210', 'hamburger'); + VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'), + (102, 'regress_bob', '+01-234-567-8901', 'beafsteak'), + (103, 'regress_eve', '+49-8765-43210', 'hamburger'); INSERT INTO credit_card VALUES (101, '1111-2222-3333-4444', 4000), (102, '5555-6666-7777-8888', 3000), @@ -1312,7 +1312,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public; -- -- Run leaky view scenarios -- -SET SESSION AUTHORIZATION alice; +SET SESSION AUTHORIZATION regress_alice; -- -- scenario: if a qualifier with tiny-cost is given, it shall be launched -- prior to the security policy of the view. @@ -1321,9 +1321,9 @@ SELECT * FROM my_property_normal WHERE f_leak(passwd); NOTICE: f_leak => passwd123 NOTICE: f_leak => beafsteak NOTICE: f_leak => hamburger - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd); @@ -1335,9 +1335,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd); SELECT * FROM my_property_secure WHERE f_leak(passwd); NOTICE: f_leak => passwd123 - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) EXPLAIN (COSTS OFF) SELECT * FROM my_property_secure WHERE f_leak(passwd); @@ -1358,9 +1358,9 @@ SELECT * FROM my_credit_card_normal WHERE f_leak(cnum); NOTICE: f_leak => 1111-2222-3333-4444 NOTICE: f_leak => 5555-6666-7777-8888 NOTICE: f_leak => 9801-2345-6789-0123 - cid | name | tel | passwd | cnum | climit ------+-------+------------------+-----------+---------------------+-------- - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 + cid | name | tel | passwd | cnum | climit +-----+---------------+------------------+-----------+---------------------+-------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 (1 row) EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum); @@ -1377,9 +1377,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum); SELECT * FROM my_credit_card_secure WHERE f_leak(cnum); NOTICE: f_leak => 1111-2222-3333-4444 - cid | name | tel | passwd | cnum | climit ------+-------+------------------+-----------+---------------------+-------- - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 + cid | name | tel | passwd | cnum | climit +-----+---------------+------------------+-----------+---------------------+-------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 (1 row) EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum); @@ -1402,11 +1402,11 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum); SELECT * FROM my_credit_card_usage_normal WHERE f_leak(cnum) AND ymd >= '2011-10-01' AND ymd < '2011-11-01'; NOTICE: f_leak => 1111-2222-3333-4444 - cid | name | tel | passwd | cnum | climit | ymd | usage ------+-------+------------------+-----------+---------------------+--------+------------+------- - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90 - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110 - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200 + cid | name | tel | passwd | cnum | climit | ymd | usage +-----+---------------+------------------+-----------+---------------------+--------+------------+------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90 + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110 + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200 (3 rows) EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_normal @@ -1435,11 +1435,11 @@ NOTICE: f_leak => 1111-2222-3333-4444 NOTICE: f_leak => 1111-2222-3333-4444 NOTICE: f_leak => 1111-2222-3333-4444 NOTICE: f_leak => 1111-2222-3333-4444 - cid | name | tel | passwd | cnum | climit | ymd | usage ------+-------+------------------+-----------+---------------------+--------+------------+------- - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90 - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110 - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200 + cid | name | tel | passwd | cnum | climit | ymd | usage +-----+---------------+------------------+-----------+---------------------+--------+------------+------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90 + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110 + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200 (3 rows) EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_secure @@ -1470,35 +1470,38 @@ EXECUTE p1; NOTICE: f_leak => passwd123 NOTICE: f_leak => beafsteak NOTICE: f_leak => hamburger - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) EXECUTE p2; NOTICE: f_leak => passwd123 - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) RESET SESSION AUTHORIZATION; ALTER VIEW my_property_normal SET (security_barrier=true); ALTER VIEW my_property_secure SET (security_barrier=false); -SET SESSION AUTHORIZATION alice; +SET SESSION AUTHORIZATION regress_alice; EXECUTE p1; -- To be perform as a view with security-barrier NOTICE: f_leak => passwd123 - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) EXECUTE p2; -- To be perform as a view without security-barrier NOTICE: f_leak => passwd123 NOTICE: f_leak => beafsteak NOTICE: f_leak => hamburger - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) +-- Cleanup. +RESET SESSION AUTHORIZATION; +DROP ROLE regress_alice; diff --git a/src/test/regress/expected/select_views_1.out b/src/test/regress/expected/select_views_1.out index c6f75af6ca..0343f39645 100644 --- a/src/test/regress/expected/select_views_1.out +++ b/src/test/regress/expected/select_views_1.out @@ -1250,7 +1250,7 @@ SELECT * FROM toyemp WHERE name = 'sharon'; -- -- Test for Leaky view scenario -- -CREATE USER alice; +CREATE ROLE regress_alice; CREATE FUNCTION f_leak (text) RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001 AS 'BEGIN RAISE NOTICE ''f_leak => %'', $1; RETURN true; END'; @@ -1272,9 +1272,9 @@ CREATE TABLE credit_usage ( usage int ); INSERT INTO customer - VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'), - (102, 'bob', '+01-234-567-8901', 'beafsteak'), - (103, 'eve', '+49-8765-43210', 'hamburger'); + VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'), + (102, 'regress_bob', '+01-234-567-8901', 'beafsteak'), + (103, 'regress_eve', '+49-8765-43210', 'hamburger'); INSERT INTO credit_card VALUES (101, '1111-2222-3333-4444', 4000), (102, '5555-6666-7777-8888', 3000), @@ -1312,7 +1312,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public; -- -- Run leaky view scenarios -- -SET SESSION AUTHORIZATION alice; +SET SESSION AUTHORIZATION regress_alice; -- -- scenario: if a qualifier with tiny-cost is given, it shall be launched -- prior to the security policy of the view. @@ -1321,9 +1321,9 @@ SELECT * FROM my_property_normal WHERE f_leak(passwd); NOTICE: f_leak => passwd123 NOTICE: f_leak => beafsteak NOTICE: f_leak => hamburger - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd); @@ -1335,9 +1335,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd); SELECT * FROM my_property_secure WHERE f_leak(passwd); NOTICE: f_leak => passwd123 - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) EXPLAIN (COSTS OFF) SELECT * FROM my_property_secure WHERE f_leak(passwd); @@ -1358,9 +1358,9 @@ SELECT * FROM my_credit_card_normal WHERE f_leak(cnum); NOTICE: f_leak => 1111-2222-3333-4444 NOTICE: f_leak => 5555-6666-7777-8888 NOTICE: f_leak => 9801-2345-6789-0123 - cid | name | tel | passwd | cnum | climit ------+-------+------------------+-----------+---------------------+-------- - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 + cid | name | tel | passwd | cnum | climit +-----+---------------+------------------+-----------+---------------------+-------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 (1 row) EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum); @@ -1377,9 +1377,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum); SELECT * FROM my_credit_card_secure WHERE f_leak(cnum); NOTICE: f_leak => 1111-2222-3333-4444 - cid | name | tel | passwd | cnum | climit ------+-------+------------------+-----------+---------------------+-------- - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 + cid | name | tel | passwd | cnum | climit +-----+---------------+------------------+-----------+---------------------+-------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 (1 row) EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum); @@ -1402,11 +1402,11 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum); SELECT * FROM my_credit_card_usage_normal WHERE f_leak(cnum) AND ymd >= '2011-10-01' AND ymd < '2011-11-01'; NOTICE: f_leak => 1111-2222-3333-4444 - cid | name | tel | passwd | cnum | climit | ymd | usage ------+-------+------------------+-----------+---------------------+--------+------------+------- - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90 - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110 - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200 + cid | name | tel | passwd | cnum | climit | ymd | usage +-----+---------------+------------------+-----------+---------------------+--------+------------+------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90 + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110 + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200 (3 rows) EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_normal @@ -1435,11 +1435,11 @@ NOTICE: f_leak => 1111-2222-3333-4444 NOTICE: f_leak => 1111-2222-3333-4444 NOTICE: f_leak => 1111-2222-3333-4444 NOTICE: f_leak => 1111-2222-3333-4444 - cid | name | tel | passwd | cnum | climit | ymd | usage ------+-------+------------------+-----------+---------------------+--------+------------+------- - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90 - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110 - 101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200 + cid | name | tel | passwd | cnum | climit | ymd | usage +-----+---------------+------------------+-----------+---------------------+--------+------------+------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90 + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110 + 101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200 (3 rows) EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_secure @@ -1470,35 +1470,38 @@ EXECUTE p1; NOTICE: f_leak => passwd123 NOTICE: f_leak => beafsteak NOTICE: f_leak => hamburger - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) EXECUTE p2; NOTICE: f_leak => passwd123 - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) RESET SESSION AUTHORIZATION; ALTER VIEW my_property_normal SET (security_barrier=true); ALTER VIEW my_property_secure SET (security_barrier=false); -SET SESSION AUTHORIZATION alice; +SET SESSION AUTHORIZATION regress_alice; EXECUTE p1; -- To be perform as a view with security-barrier NOTICE: f_leak => passwd123 - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) EXECUTE p2; -- To be perform as a view without security-barrier NOTICE: f_leak => passwd123 NOTICE: f_leak => beafsteak NOTICE: f_leak => hamburger - cid | name | tel | passwd ------+-------+------------------+----------- - 101 | alice | +81-12-3456-7890 | passwd123 + cid | name | tel | passwd +-----+---------------+------------------+----------- + 101 | regress_alice | +81-12-3456-7890 | passwd123 (1 row) +-- Cleanup. +RESET SESSION AUTHORIZATION; +DROP ROLE regress_alice; diff --git a/src/test/regress/sql/select_views.sql b/src/test/regress/sql/select_views.sql index 4b2dac93fb..e626b9b94a 100644 --- a/src/test/regress/sql/select_views.sql +++ b/src/test/regress/sql/select_views.sql @@ -12,7 +12,7 @@ SELECT * FROM toyemp WHERE name = 'sharon'; -- -- Test for Leaky view scenario -- -CREATE USER alice; +CREATE ROLE regress_alice; CREATE FUNCTION f_leak (text) RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001 @@ -38,9 +38,9 @@ CREATE TABLE credit_usage ( ); INSERT INTO customer - VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'), - (102, 'bob', '+01-234-567-8901', 'beafsteak'), - (103, 'eve', '+49-8765-43210', 'hamburger'); + VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'), + (102, 'regress_bob', '+01-234-567-8901', 'beafsteak'), + (103, 'regress_eve', '+49-8765-43210', 'hamburger'); INSERT INTO credit_card VALUES (101, '1111-2222-3333-4444', 4000), (102, '5555-6666-7777-8888', 3000), @@ -83,7 +83,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public; -- -- Run leaky view scenarios -- -SET SESSION AUTHORIZATION alice; +SET SESSION AUTHORIZATION regress_alice; -- -- scenario: if a qualifier with tiny-cost is given, it shall be launched @@ -131,6 +131,10 @@ EXECUTE p2; RESET SESSION AUTHORIZATION; ALTER VIEW my_property_normal SET (security_barrier=true); ALTER VIEW my_property_secure SET (security_barrier=false); -SET SESSION AUTHORIZATION alice; +SET SESSION AUTHORIZATION regress_alice; EXECUTE p1; -- To be perform as a view with security-barrier EXECUTE p2; -- To be perform as a view without security-barrier + +-- Cleanup. +RESET SESSION AUTHORIZATION; +DROP ROLE regress_alice; -- 2.40.0