mirror of
https://github.com/MariaDB/server.git
synced 2025-08-23 03:54:27 +03:00
b54b7c6552
The problem is that the patch for Bug 33464 didn't update the results of the test cases which caused the problem. Dropping a stored routine also revoke privileges for all users on the stored routine and errors about missing grants are converted into warnings. Before Bug 33464 such errors could be incorrectly returned to the user, which would later trigger a assertion due to multiple errors being set. mysql-test/suite/funcs_1/r/innodb_storedproc_06.result: Update test case result, grants were already dropped. mysql-test/suite/funcs_1/r/memory_storedproc_06.result: Update test case result, grants were already dropped. mysql-test/suite/funcs_1/r/myisam_storedproc_06.result: Update test case result, grants were already dropped. mysql-test/suite/funcs_1/r/ndb_storedproc_06.result: Update test case result, grants were already dropped. mysql-test/suite/funcs_1/storedproc/storedproc_06.inc: Add comment regarding bug revealed by test case. mysql-test/suite/funcs_1/t/disabled.def: Re-enable test cases, bug has been fixed.
470 lines
14 KiB
PHP
470 lines
14 KiB
PHP
#### suite/funcs_1/storedproc/storedproc_06.inc
|
|
#
|
|
--source suite/funcs_1/storedproc/load_sp_tb.inc
|
|
|
|
# ==============================================================================
|
|
# (numbering from requirement document TP v1.0, Last updated: 25 Jan 2005 01:00)
|
|
#
|
|
# 3.1.6 Privilege checks:
|
|
#
|
|
# 1. Ensure that no user may create a stored procedure without the
|
|
# GRANT CREATE ROUTINE privilege.
|
|
# 2. Ensure that root always has the GRANT CREATE ROUTINE privilege.
|
|
# 3. Ensure that a user with the GRANT CREATE ROUTINE privilege can always
|
|
# create both a procedure and a function, on any appropriate database.
|
|
# 4. Ensure that the default security provision of a stored procedure is
|
|
# SQL SECURITY DEFINER.
|
|
# 5. Ensure that a stored procedure defined with SQL SECURITY DEFINER can be
|
|
# called/executed by any user, using only the privileges (including
|
|
# database access privileges) associated with the user who created
|
|
# the stored procedure.
|
|
# 6. Ensure that a stored procedure defined with SQL SECURITY INVOKER can be
|
|
# called/executed by any user, using only the privileges (including
|
|
# database access privileges) associated with the user executing
|
|
# the stored procedure.
|
|
#
|
|
# ==============================================================================
|
|
let $message= Section 3.1.6 - Privilege Checks:;
|
|
--source include/show_msg80.inc
|
|
|
|
|
|
connection default;
|
|
USE db_storedproc_1;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
# ------------------------------------------------------------------------------
|
|
let $message= Testcase 3.1.6.1:
|
|
-----------------
|
|
Ensure that no user may create a stored procedure without the GRANT CREATE
|
|
ROUTINE privilege.;
|
|
--source include/show_msg80.inc
|
|
|
|
create user 'user_1'@'localhost';
|
|
|
|
grant all on db_storedproc_1.* to 'user_1'@'localhost';
|
|
revoke create routine on db_storedproc_1.* from 'user_1'@'localhost';
|
|
flush privileges;
|
|
|
|
--disable_warnings
|
|
DROP PROCEDURE IF EXISTS sp1;
|
|
--enable_warnings
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user1a, localhost, user_1, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
USE db_storedproc_1;
|
|
|
|
delimiter //;
|
|
--error ER_DBACCESS_DENIED_ERROR
|
|
CREATE PROCEDURE sp1(v1 char(20))
|
|
BEGIN
|
|
SELECT * from db_storedproc_1.t6 where t6.f2= 'xyz';
|
|
END//
|
|
delimiter ;//
|
|
|
|
disconnect user1a;
|
|
|
|
# add privilege again and check
|
|
connection default;
|
|
USE db_storedproc_1;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
GRANT CREATE ROUTINE ON db_storedproc_1.* TO 'user_1'@'localhost';
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user1b, localhost, user_1, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
USE db_storedproc_1;
|
|
|
|
delimiter //;
|
|
CREATE PROCEDURE sp1(v1 char(20))
|
|
BEGIN
|
|
SELECT * from db_storedproc_1.t6 where t6.f2= 'xyz';
|
|
END//
|
|
delimiter ;//
|
|
disconnect user1b;
|
|
|
|
# cleanup
|
|
connection default;
|
|
USE db_storedproc_1;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
DROP USER 'user_1'@'localhost';
|
|
DROP PROCEDURE sp1;
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
let $message= Testcase 3.1.6.2:
|
|
-----------------
|
|
Ensure that root always has the GRANT CREATE ROUTINE privilege.
|
|
(checked by other testscases);
|
|
--source include/show_msg80.inc
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
let $message= Testcase 3.1.6.3:
|
|
-----------------
|
|
Ensure that a user with the GRANT CREATE ROUTINE privilege can always create
|
|
both a procedure and a function, on any appropriate database.
|
|
--source include/show_msg80.inc
|
|
|
|
|
|
create user 'user_1'@'localhost';
|
|
|
|
grant create routine on db_storedproc_1.* to 'user_1'@'localhost';
|
|
flush privileges;
|
|
|
|
# disconnect default;
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user2, localhost, user_1, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
--disable_warnings
|
|
DROP PROCEDURE IF EXISTS sp3;
|
|
DROP FUNCTION IF EXISTS fn1;
|
|
--enable_warnings
|
|
|
|
delimiter //;
|
|
CREATE PROCEDURE sp3(v1 char(20))
|
|
BEGIN
|
|
SELECT * from db_storedproc_1.t6 where t6.f2= 'xyz';
|
|
END//
|
|
delimiter ;//
|
|
|
|
delimiter //;
|
|
CREATE FUNCTION fn1(v1 int) returns int
|
|
BEGIN
|
|
return v1;
|
|
END//
|
|
delimiter ;//
|
|
|
|
disconnect user2;
|
|
|
|
# cleanup
|
|
connection default;
|
|
USE db_storedproc_1;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
drop user 'user_1'@'localhost';
|
|
DROP PROCEDURE sp3;
|
|
# This drop function shouldn't generated a warning as the
|
|
# privileges should have been removed when the user was
|
|
# dropped. Reported as Bug#36544 DROP USER does not remove
|
|
# stored function privileges
|
|
DROP FUNCTION fn1;
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
let $message= Testcase 3.1.6.4:
|
|
-----------------
|
|
Ensure that the default security provision of a stored procedure is SQL SECURITY
|
|
DEFINER.;
|
|
--source include/show_msg80.inc
|
|
|
|
CREATE USER 'user_1'@'localhost';
|
|
|
|
grant update on db_storedproc_1.t6 to 'user_1'@'localhost';
|
|
grant execute on db_storedproc_1.* to 'user_1'@'localhost';
|
|
flush privileges;
|
|
|
|
USE db_storedproc_1;
|
|
|
|
--disable_warnings
|
|
DROP PROCEDURE IF EXISTS sp4;
|
|
--enable_warnings
|
|
|
|
delimiter //;
|
|
CREATE PROCEDURE sp4(v1 char(20))
|
|
BEGIN
|
|
SELECT * from db_storedproc_1.t6 where t6.f2= 'xyz';
|
|
END//
|
|
delimiter ;//
|
|
|
|
#disconnect default;
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user3, localhost, user_1, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
USE db_storedproc_1;
|
|
CALL sp4('a');
|
|
|
|
--vertical_results
|
|
SELECT SPECIFIC_NAME, ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE,
|
|
ROUTINE_BODY, ROUTINE_DEFINITION, IS_DETERMINISTIC,
|
|
SQL_DATA_ACCESS, SECURITY_TYPE, SQL_MODE, ROUTINE_COMMENT
|
|
FROM information_schema.routines
|
|
WHERE routine_schema LIKE 'db_sto%';
|
|
--horizontal_results
|
|
|
|
disconnect user3;
|
|
|
|
# cleanup
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
DROP PROCEDURE sp4;
|
|
DROP USER 'user_1'@'localhost';
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
let $message= Testcase 3.1.6.5:
|
|
-----------------
|
|
Ensure that a stored procedure defined with SQL SECURITY DEFINER can be
|
|
called/executed by any user, using only the privileges (including database
|
|
access privileges) associated with the user who created the stored procedure.;
|
|
--source include/show_msg80.inc
|
|
|
|
USE db_storedproc_1;
|
|
CREATE TABLE t3165 ( c1 char(20), c2 char(20), c3 date);
|
|
INSERT INTO t3165 VALUES ('inserted', 'outside of SP', NULL);
|
|
|
|
# creates procedures
|
|
create user 'user_1'@'localhost';
|
|
|
|
#executes procedure
|
|
create user 'user_2'@'localhost';
|
|
|
|
grant create routine on db_storedproc_1.* to 'user_1'@'localhost';
|
|
grant SELECT on db_storedproc_1.* to 'user_2'@'localhost';
|
|
grant execute on db_storedproc_1.* to 'user_2'@'localhost';
|
|
flush privileges;
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user5_1, localhost, user_1, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
delimiter //;
|
|
CREATE PROCEDURE sp5_s_i () sql security definer
|
|
BEGIN
|
|
SELECT * from db_storedproc_1.t3165;
|
|
insert into db_storedproc_1.t3165 values ('inserted', 'from sp5_s_i', 1000);
|
|
END//
|
|
|
|
CREATE PROCEDURE sp5_sel () sql security definer
|
|
BEGIN
|
|
SELECT * from db_storedproc_1.t3165;
|
|
END//
|
|
|
|
CREATE PROCEDURE sp5_ins () sql security definer
|
|
BEGIN
|
|
insert into db_storedproc_1.t3165 values ('inserted', 'from sp5_ins', 1000);
|
|
END//
|
|
delimiter ;//
|
|
|
|
disconnect user5_1;
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user5_2, localhost, user_2, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_s_i();
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_ins();
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_sel();
|
|
|
|
# now 'add' INSERT to DEFINER
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_sel();
|
|
grant insert on db_storedproc_1.* to 'user_1'@'localhost';
|
|
flush privileges;
|
|
|
|
connection user5_2;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_s_i();
|
|
CALL sp5_ins();
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_sel();
|
|
|
|
# now 'add' SELECT to DEFINER
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_sel();
|
|
grant SELECT on db_storedproc_1.* to 'user_1'@'localhost';
|
|
#grant execute on db_storedproc_1.* to 'user_2'@'localhost';
|
|
flush privileges;
|
|
|
|
connection user5_2;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
CALL sp5_s_i();
|
|
CALL sp5_ins();
|
|
CALL sp5_sel();
|
|
|
|
# now revoke INSERT FROM DEFINER
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
REVOKE INSERT on db_storedproc_1.* from 'user_1'@'localhost';
|
|
flush privileges;
|
|
|
|
connection user5_2;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_s_i();
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_ins();
|
|
CALL sp5_sel();
|
|
|
|
# now revoke SELECT FROM DEFINER
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
REVOKE SELECT on db_storedproc_1.* from 'user_1'@'localhost';
|
|
flush privileges;
|
|
|
|
connection user5_2;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_s_i();
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_ins();
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp5_sel();
|
|
|
|
# cleanup
|
|
disconnect user5_2;
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
DROP PROCEDURE sp5_s_i;
|
|
DROP PROCEDURE sp5_sel;
|
|
DROP PROCEDURE sp5_ins;
|
|
DROP TABLE t3165;
|
|
DROP USER 'user_1'@'localhost';
|
|
DROP USER 'user_2'@'localhost';
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
let $message= Testcase 3.1.6.6:
|
|
-----------------
|
|
Ensure that a stored procedure defined with SQL SECURITY INVOKER can be
|
|
called/executed by any user, using only the privileges (including database
|
|
access privileges) associated with the user executing the stored procedure.;
|
|
--source include/show_msg80.inc
|
|
|
|
USE db_storedproc_1;
|
|
CREATE TABLE t3166 ( c1 char(30) );
|
|
INSERT INTO db_storedproc_1.t3166 VALUES ('inserted outside SP');
|
|
|
|
# DEFINER
|
|
create user 'user_1'@'localhost';
|
|
|
|
# INVOKER
|
|
create user 'user_2'@'localhost';
|
|
|
|
GRANT CREATE ROUTINE ON db_storedproc_1.* TO 'user_1'@'localhost';
|
|
GRANT SELECT ON db_storedproc_1.* TO 'user_2'@'localhost';
|
|
GRANT EXECUTE ON db_storedproc_1.* TO 'user_2'@'localhost';
|
|
FLUSH PRIVILEGES;
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user6_1, localhost, user_1, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
delimiter //;
|
|
CREATE PROCEDURE sp3166_s_i () SQL SECURITY INVOKER
|
|
BEGIN
|
|
SELECT * from db_storedproc_1.t3166;
|
|
insert into db_storedproc_1.t3166 values ('inserted from sp3166_s_i');
|
|
END//
|
|
|
|
CREATE PROCEDURE sp3166_sel () SQL SECURITY INVOKER
|
|
BEGIN
|
|
SELECT * from db_storedproc_1.t3166;
|
|
END//
|
|
|
|
CREATE PROCEDURE sp3166_ins () SQL SECURITY INVOKER
|
|
BEGIN
|
|
insert into db_storedproc_1.t3166 values ('inserted from sp3166_ins');
|
|
END//
|
|
delimiter ;//
|
|
|
|
disconnect user6_1;
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user6_2, localhost, user_2, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp3166_s_i();
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp3166_ins();
|
|
CALL sp3166_sel();
|
|
|
|
# now 'add' INSERT to INVOKER
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
CALL sp3166_sel();
|
|
GRANT INSERT ON db_storedproc_1.* TO 'user_2'@'localhost';
|
|
FLUSH PRIVILEGES;
|
|
disconnect user6_2;
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user6_3, localhost, user_2, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
CALL sp3166_s_i();
|
|
CALL sp3166_ins();
|
|
CALL sp3166_sel();
|
|
disconnect user6_3;
|
|
|
|
# now 'remove' SELECT from INVOKER
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
CALL sp3166_sel();
|
|
REVOKE SELECT ON db_storedproc_1.* FROM 'user_2'@'localhost';
|
|
FLUSH PRIVILEGES;
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user6_4, localhost, user_2, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp3166_s_i();
|
|
CALL sp3166_ins();
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
CALL sp3166_sel();
|
|
disconnect user6_4;
|
|
|
|
# now 'remove' EXECUTE FROM INVOKER
|
|
connection default;
|
|
CALL sp3166_s_i();
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
REVOKE EXECUTE on db_storedproc_1.* FROM 'user_2'@'localhost';
|
|
FLUSH PRIVILEGES;
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
connect (user6_5, localhost, user_2, , db_storedproc_1);
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
--error ER_PROCACCESS_DENIED_ERROR
|
|
CALL sp3166_s_i();
|
|
--error ER_PROCACCESS_DENIED_ERROR
|
|
CALL sp3166_ins();
|
|
--error ER_PROCACCESS_DENIED_ERROR
|
|
CALL sp3166_sel();
|
|
disconnect user6_5;
|
|
|
|
# cleanup
|
|
connection default;
|
|
--source suite/funcs_1/include/show_connection.inc
|
|
|
|
DROP PROCEDURE sp3166_s_i;
|
|
DROP PROCEDURE sp3166_sel;
|
|
DROP PROCEDURE sp3166_ins;
|
|
DROP TABLE t3166;
|
|
DROP USER 'user_1'@'localhost';
|
|
DROP USER 'user_2'@'localhost';
|
|
|
|
|
|
# ==============================================================================
|
|
# USE the same .inc to cleanup before and after the test
|
|
--source suite/funcs_1/storedproc/cleanup_sp_tb.inc
|
|
|
|
# ==============================================================================
|
|
--echo
|
|
--echo . +++ END OF SCRIPT +++
|
|
--echo --------------------------------------------------------------------------------
|
|
# ==============================================================================
|