From df761e3cf79db09d602610ee61e51cb378288382 Mon Sep 17 00:00:00 2001
From: Alvaro Herrera
Date: Mon, 1 Dec 2014 16:12:43 -0300
Subject: [PATCH] Move security_label test

Rather than have the core security_label regression test depend on the dummy_seclabel module, have that part of the test be executed by dummy_seclabel itself directly.

This simplifies the testing rig a bit; in particular it should silence the problems from the MSVC buildfarm phylum, which haven't yet gotten taught how to install src/test/modules.
---
 src/test/modules/dummy_seclabel/Makefile | 2 +
 .../input/dummy_seclabel.source | 79 +++++++++++
 .../output/dummy_seclabel.source | 87 +++++++++++++
 src/test/regress/GNUmakefile | 16 +--
 src/test/regress/expected/security_label.out | 47 +++++++
 src/test/regress/input/security_label.source | 108 ---------------
 src/test/regress/output/security_label.source | 123 ------------------
 src/test/regress/sql/security_label.sql | 49 +++++++
 8 files changed, 268 insertions(+), 243 deletions(-)
 create mode 100644 src/test/modules/dummy_seclabel/input/dummy_seclabel.source
 create mode 100644 src/test/modules/dummy_seclabel/output/dummy_seclabel.source
 create mode 100644 src/test/regress/expected/security_label.out
 delete mode 100644 src/test/regress/input/security_label.source
 delete mode 100644 src/test/regress/output/security_label.source
 create mode 100644 src/test/regress/sql/security_label.sql

diff --git a/src/test/modules/dummy_seclabel/Makefile b/src/test/modules/dummy_seclabel/Makefile
index 909ac9ace7..41f50cc41e 100644
--- a/src/test/modules/dummy_seclabel/Makefile
+++ b/src/test/modules/dummy_seclabel/Makefile
@@ -3,6 +3,8 @@ MODULES = dummy_seclabel
 PGFILEDESC = "dummy_seclabel - regression testing of the SECURITY LABEL statement"
+REGRESS = dummy_seclabel
+
 ifdef USE_PGXS
 PG_CONFIG = pg_config
 PGXS := $(shell $(PG_CONFIG) --pgxs)
diff --git a/src/test/modules/dummy_seclabel/input/dummy_seclabel.source b/src/test/modules/dummy_seclabel/input/dummy_seclabel.source
new file mode 100644
index 0000000000..d39ce88aee
--- /dev/null
+++ b/src/test/modules/dummy_seclabel/input/dummy_seclabel.source
@@ -0,0 +1,79 @@
+--
+-- Test for facilities of security label
+--
+LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
+
+-- initial setups
+SET client_min_messages TO 'warning';
+
+DROP ROLE IF EXISTS dummy_seclabel_user1;
+DROP ROLE IF EXISTS dummy_seclabel_user2;
+
+DROP TABLE IF EXISTS dummy_seclabel_tbl1;
+DROP TABLE IF EXISTS dummy_seclabel_tbl2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl3;
+
+CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER dummy_seclabel_user2;
+
+CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
+CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
+CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
+CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN dummy_seclabel_domain AS text;
+
+ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
+ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
+
+RESET client_min_messages;
+
+--
+-- Test of SECURITY LABEL statement with a plugin
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
+SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
+SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
+
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
+
+--
+-- Test for shared database object
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
+SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
+SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
+
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
+
+RESET SESSION AUTHORIZATION;
+
+--
+-- Test for various types of object
+--
+RESET SESSION AUTHORIZATION;
+
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
+SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
+SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
+SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
+CREATE SCHEMA dummy_seclabel_test;
+SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
+
+SELECT objtype, objname, provider, label FROM pg_seclabels
+ ORDER BY objtype, objname;
diff --git a/src/test/modules/dummy_seclabel/output/dummy_seclabel.source b/src/test/modules/dummy_seclabel/output/dummy_seclabel.source
new file mode 100644
index 0000000000..8275764cb9
--- /dev/null
+++ b/src/test/modules/dummy_seclabel/output/dummy_seclabel.source
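Review bot: The new module test never drops what it creates and the old test's leftover check did not survive the move: after the final `SELECT ... FROM pg_seclabels` there is no drop of dummy_seclabel_test, the tables, view, function, domain or the two roles, and no second pg_seclabels query. That second query (the `-- make sure we don't have any leftovers` block deleted from src/test/regress/input/security_label.source) was the only place verifying that dropping an object also removes its label rows, which is the property a real label provider depends on, so the coverage should come back with the file. It also matters for re-runs: a second run under installcheck reaches `DROP ROLE IF EXISTS dummy_seclabel_user1` while that role still owns dummy_seclabel_tbl1 from the previous run, and that is an ERROR that the `client_min_messages` setting does not suppress. Presumably output/dummy_seclabel.source would then gain the `(0 rows)` listing that the deleted expected file had.
```sql
-- … unchanged: setup and SECURITY LABEL cases …
SELECT objtype, objname, provider, label FROM pg_seclabels
    ORDER BY objtype, objname;

-- clean up objects
DROP FUNCTION dummy_seclabel_four();
DROP DOMAIN dummy_seclabel_domain;
DROP VIEW dummy_seclabel_view1;
DROP TABLE dummy_seclabel_tbl1;
DROP TABLE dummy_seclabel_tbl2;
DROP USER dummy_seclabel_user1;
DROP USER dummy_seclabel_user2;
DROP SCHEMA dummy_seclabel_test;

-- make sure we don't have any leftovers
SELECT objtype, objname, provider, label FROM pg_seclabels
    ORDER BY objtype, objname;
```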
@@ -0,0 +1,87 @@
+--
+-- Test for facilities of security label
+--
+LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
+-- initial setups
+SET client_min_messages TO 'warning';
+DROP ROLE IF EXISTS dummy_seclabel_user1;
+DROP ROLE IF EXISTS dummy_seclabel_user2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl1;
+DROP TABLE IF EXISTS dummy_seclabel_tbl2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl3;
+CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER dummy_seclabel_user2;
+CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
+CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
+CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
+CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN dummy_seclabel_domain AS text;
+ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
+ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
+RESET client_min_messages;
+--
+-- Test of SECURITY LABEL statement with a plugin
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+ERROR: column name must be qualified
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
+ERROR: '...invalid label...' is not a valid security label
+SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
+ERROR: security label provider "unknown_seclabel" is not loaded
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
+ERROR: must be owner of relation dummy_seclabel_tbl2
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
+ERROR: only superuser can set 'secret' label
+SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
+ERROR: relation "dummy_seclabel_tbl3" does not exist
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+ERROR: must be owner of relation dummy_seclabel_tbl1
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
+--
+-- Test for shared database object
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
+ERROR: '...invalid label...' is not a valid security label
+SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
+ERROR: security label provider "unknown_seclabel" is not loaded
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
+ERROR: only superuser can set 'secret' label
+SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
+ERROR: role "dummy_seclabel_user3" does not exist
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
+ERROR: must have CREATEROLE privilege
+RESET SESSION AUTHORIZATION;
+--
+-- Test for various types of object
+--
+RESET SESSION AUTHORIZATION;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
+SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
+SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
+SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
+CREATE SCHEMA dummy_seclabel_test;
+SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
+SELECT objtype, objname, provider, label FROM pg_seclabels
+ ORDER BY objtype, objname;
+ objtype | objname | provider | label
+----------+-----------------------+----------+--------------
+ column | dummy_seclabel_tbl1.a | dummy | unclassified
+ domain | dummy_seclabel_domain | dummy | classified
+ function | dummy_seclabel_four() | dummy | classified
+ role | dummy_seclabel_user1 | dummy | classified
+ role | dummy_seclabel_user2 | dummy | unclassified
+ schema | dummy_seclabel_test | dummy | unclassified
+ table | dummy_seclabel_tbl1 | dummy | top secret
+ table | dummy_seclabel_tbl2 | dummy | classified
+ view | dummy_seclabel_view1 | dummy | classified
+(9 rows)
+
diff --git a/src/test/regress/GNUmakefile b/src/test/regress/GNUmakefile
index 77fe8b620d..1832eccbd9 100644
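Review bot: The label state is asserted only once, in the final pg_seclabels listing, and by then the superuser has overwritten dummy_seclabel_tbl1 with 'top secret' and user2 has overwritten dummy_seclabel_tbl2 with 'classified', so none of the table-level `-- fail (not owner)` / `-- fail (not superuser)` cases is shown to have left the previous label untouched; the listing would be identical if, say, the rejected `IS 'secret'` had been applied before the error was raised. A `SELECT objtype, objname, provider, label FROM pg_seclabels ORDER BY objtype, objname;` placed after the user1/user2 table section (before the shared-object section), expecting `unclassified` for dummy_seclabel_tbl1 and `classified` for dummy_seclabel_tbl2, would pin that the denied statements are side-effect free. The query itself belongs in input/dummy_seclabel.source; this file would carry the corresponding expected rows.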
--- a/src/test/regress/GNUmakefile +++ b/src/test/regress/GNUmakefile @@ -101,9 +101,9 @@ installdirs-tests: installdirs $(MKDIR_P) $(patsubst $(srcdir)/%/,'$(DESTDIR)$(pkglibdir)/regress/%',$(sort $(dir $(regress_data_files)))) -# Get some extra C modules from contrib/spi and src/test/modules/dummy_seclabel... +# Get some extra C modules from contrib/spi -all: refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX) +all: refint$(DLSUFFIX) autoinc$(DLSUFFIX) refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX) cp $< $@ @@ -111,22 +111,14 @@ refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX) autoinc$(DLSUFFIX): $(top_builddir)/contrib/spi/autoinc$(DLSUFFIX) cp $< $@ -dummy_seclabel$(DLSUFFIX): $(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX) - cp $< $@ - $(top_builddir)/contrib/spi/refint$(DLSUFFIX): | submake-contrib-spi ; $(top_builddir)/contrib/spi/autoinc$(DLSUFFIX): | submake-contrib-spi ; -$(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX): | submake-dummy_seclabel ; - submake-contrib-spi: $(MAKE) -C $(top_builddir)/contrib/spi -submake-dummy_seclabel: - $(MAKE) -C $(top_builddir)/src/test/modules/dummy_seclabel - -.PHONY: submake-contrib-spi submake-dummy_seclabel +.PHONY: submake-contrib-spi # Tablespace setup @@ -179,7 +171,7 @@ bigcheck: all tablespace-setup clean distclean maintainer-clean: clean-lib # things built by `all' target - rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX) + rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX) rm -f pg_regress_main.o pg_regress.o pg_regress$(X) # things created by various check targets rm -f $(output_files) $(input_files) diff --git a/src/test/regress/expected/security_label.out b/src/test/regress/expected/security_label.out new file mode 100644 index 0000000000..10b062a355 --- /dev/null +++ b/src/test/regress/expected/security_label.out 
@@ -0,0 +1,47 @@
+--
+-- Test for facilities of security label
+--
+-- initial setups
+SET client_min_messages TO 'warning';
+DROP ROLE IF EXISTS seclabel_user1;
+DROP ROLE IF EXISTS seclabel_user2;
+DROP TABLE IF EXISTS seclabel_tbl1;
+DROP TABLE IF EXISTS seclabel_tbl2;
+DROP TABLE IF EXISTS seclabel_tbl3;
+CREATE USER seclabel_user1 WITH CREATEROLE;
+CREATE USER seclabel_user2;
+CREATE TABLE seclabel_tbl1 (a int, b text);
+CREATE TABLE seclabel_tbl2 (x int, y text);
+CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
+CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN seclabel_domain AS text;
+ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
+ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
+RESET client_min_messages;
+--
+-- Test of SECURITY LABEL statement without a plugin
+--
+SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+ERROR: security label provider "dummy" is not loaded
+SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
+ERROR: security label provider "dummy" is not loaded
+SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
+ERROR: no security label providers have been loaded
+-- clean up objects
+DROP FUNCTION seclabel_four();
+DROP DOMAIN seclabel_domain;
+DROP VIEW seclabel_view1;
+DROP TABLE seclabel_tbl1;
+DROP TABLE seclabel_tbl2;
+DROP USER seclabel_user1;
+DROP USER seclabel_user2;
diff --git a/src/test/regress/input/security_label.source b/src/test/regress/input/security_label.source
deleted file mode 100644
index 287dd76ead..0000000000
--- a/src/test/regress/input/security_label.source
+++ /dev/null
@@ -1,108 +0,0 @@
---
--- Test for facilities of security label
---
-
--- initial setups
-SET client_min_messages TO 'warning';
-
-DROP ROLE IF EXISTS seclabel_user1;
-DROP ROLE IF EXISTS seclabel_user2;
-
-DROP TABLE IF EXISTS seclabel_tbl1;
-DROP TABLE IF EXISTS seclabel_tbl2;
-DROP TABLE IF EXISTS seclabel_tbl3;
-
-CREATE USER seclabel_user1 WITH CREATEROLE;
-CREATE USER seclabel_user2;
-
-CREATE TABLE seclabel_tbl1 (a int, b text);
-CREATE TABLE seclabel_tbl2 (x int, y text);
-CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
-CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
-CREATE DOMAIN seclabel_domain AS text;
-
-ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
-ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
-
-RESET client_min_messages;
-
---
--- Test of SECURITY LABEL statement without a plugin
---
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
-
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
-
--- Load dummy external security provider
-LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
-
---
--- Test of SECURITY LABEL statement with a plugin
---
-SET SESSION AUTHORIZATION seclabel_user1;
-
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
-
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
-
---
--- Test for shared database object
---
-SET SESSION AUTHORIZATION seclabel_user1;
-
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
-SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
-
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
-
-RESET SESSION AUTHORIZATION;
-
---
--- Test for various types of object
---
-RESET SESSION AUTHORIZATION;
-
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
-SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
-SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
-SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
-CREATE SCHEMA seclabel_test;
-SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
-
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
-
--- clean up objects
-DROP FUNCTION seclabel_four();
-DROP DOMAIN seclabel_domain;
-DROP VIEW seclabel_view1;
-DROP TABLE seclabel_tbl1;
-DROP TABLE seclabel_tbl2;
-DROP USER seclabel_user1;
-DROP USER seclabel_user2;
-DROP SCHEMA seclabel_test;
-
--- make sure we don't have any leftovers
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
diff --git a/src/test/regress/output/security_label.source b/src/test/regress/output/security_label.source
deleted file mode 100644
index 0e202446ab..0000000000
--- a/src/test/regress/output/security_label.source
+++ /dev/null
@@ -1,123 +0,0 @@
---
--- Test for facilities of security label
---
--- initial setups
-SET client_min_messages TO 'warning';
-DROP ROLE IF EXISTS seclabel_user1;
-DROP ROLE IF EXISTS seclabel_user2;
-DROP TABLE IF EXISTS seclabel_tbl1;
-DROP TABLE IF EXISTS seclabel_tbl2;
-DROP TABLE IF EXISTS seclabel_tbl3;
-CREATE USER seclabel_user1 WITH CREATEROLE;
-CREATE USER seclabel_user2;
-CREATE TABLE seclabel_tbl1 (a int, b text);
-CREATE TABLE seclabel_tbl2 (x int, y text);
-CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
-CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
-CREATE DOMAIN seclabel_domain AS text;
-ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
-ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
-RESET client_min_messages;
---
--- Test of SECURITY LABEL statement without a plugin
---
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: security label provider "dummy" is not loaded
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
-ERROR: security label provider "dummy" is not loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
-ERROR: no security label providers have been loaded
--- Load dummy external security provider
-LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
---
--- Test of SECURITY LABEL statement with a plugin
---
-SET SESSION AUTHORIZATION seclabel_user1;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
-ERROR: column name must be qualified
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-ERROR: '...invalid label...' is not a valid security label
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: security label provider "unknown_seclabel" is not loaded
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
-ERROR: must be owner of relation seclabel_tbl2
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
-ERROR: only superuser can set 'secret' label
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
-ERROR: relation "seclabel_tbl3" does not exist
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
-ERROR: must be owner of relation seclabel_tbl1
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
---
--- Test for shared database object
---
-SET SESSION AUTHORIZATION seclabel_user1;
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-ERROR: '...invalid label...' is not a valid security label
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
-ERROR: security label provider "unknown_seclabel" is not loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
-ERROR: only superuser can set 'secret' label
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
-ERROR: role "seclabel_user3" does not exist
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
-ERROR: must have CREATEROLE privilege
-RESET SESSION AUTHORIZATION;
---
--- Test for various types of object
---
-RESET SESSION AUTHORIZATION;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
-SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
-SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
-SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
-CREATE SCHEMA seclabel_test;
-SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
- objtype | objname | provider | label
-----------+-----------------+----------+--------------
- column | seclabel_tbl1.a | dummy | unclassified
- domain | seclabel_domain | dummy | classified
- function | seclabel_four() | dummy | classified
- role | seclabel_user1 | dummy | classified
- role | seclabel_user2 | dummy | unclassified
- schema | seclabel_test | dummy | unclassified
- table | seclabel_tbl1 | dummy | top secret
- table | seclabel_tbl2 | dummy | classified
- view | seclabel_view1 | dummy | classified
-(9 rows)
-
--- clean up objects
-DROP FUNCTION seclabel_four();
-DROP DOMAIN seclabel_domain;
-DROP VIEW seclabel_view1;
-DROP TABLE seclabel_tbl1;
-DROP TABLE seclabel_tbl2;
-DROP USER seclabel_user1;
-DROP USER seclabel_user2;
-DROP SCHEMA seclabel_test;
--- make sure we don't have any leftovers
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
- objtype | objname | provider | label
----------+---------+----------+-------
-(0 rows)
-
diff --git a/src/test/regress/sql/security_label.sql b/src/test/regress/sql/security_label.sql
new file mode 100644
index 0000000000..7f545896ef
--- /dev/null
+++ b/src/test/regress/sql/security_label.sql
@@ -0,0 +1,49 @@
+--
+-- Test for facilities of security label
+--
+
+-- initial setups
+SET client_min_messages TO 'warning';
+
+DROP ROLE IF EXISTS seclabel_user1;
+DROP ROLE IF EXISTS seclabel_user2;
+
+DROP TABLE IF EXISTS seclabel_tbl1;
+DROP TABLE IF EXISTS seclabel_tbl2;
+DROP TABLE IF EXISTS seclabel_tbl3;
+
+CREATE USER seclabel_user1 WITH CREATEROLE;
+CREATE USER seclabel_user2;
+
+CREATE TABLE seclabel_tbl1 (a int, b text);
+CREATE TABLE seclabel_tbl2 (x int, y text);
+CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
+CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN seclabel_domain AS text;
+
+ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
+ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
+
+RESET client_min_messages;
+
+--
+-- Test of SECURITY LABEL statement without a plugin
+--
+SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
+SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
+
+SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
+SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
+SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
+SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
+
+-- clean up objects
+DROP FUNCTION seclabel_four();
+DROP DOMAIN seclabel_domain;
+DROP VIEW seclabel_view1;
+DROP TABLE seclabel_tbl1;
+DROP TABLE seclabel_tbl2;
+DROP USER seclabel_user1;
+DROP USER seclabel_user2;
-- 
2.40.0
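Review bot: The file header no longer says what this trimmed test covers, and the setup keeps fixtures that nothing in the file uses any more: seclabel_view1, seclabel_four() and seclabel_domain are created and dropped but no SECURITY LABEL statement targets them, and seclabel_user1 is created `WITH CREATEROLE` although the only test that needed that privilege (the `-- fail (not privileged)` role case) moved to src/test/modules/dummy_seclabel. I would replace the header with `-- Test for facilities of security label` / `-- Only the no-provider path is exercised here; the provider-backed cases` / `-- live in src/test/modules/dummy_seclabel.` so the next reader does not look for the missing half, and either drop the unused view/function/domain setup and the CREATEROLE grant or leave a one-line comment saying they are kept deliberately. The eight `-- fail` markers would also read better stating the expected reason, e.g. `-- fail (no provider loaded)` and `-- fail (provider "dummy" not loaded)`, mirroring the `(not owner)` style used in the module test.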