Adjustments to regression tests for security_barrier views.
Drop the role we create, so regression tests pass even when run more than once against the same cluster, a problem noted by Tom Lane and Jeff Janes. Also, rename the temporary role so that it starts with "regress_", to make it unlikely that we'll collide with an existing role name while running "make installcheck", per further gripe from Tom Lane.
@@ -1250,7 +1250,7 @@ SELECT * FROM toyemp WHERE name = 'sharon';
|
|||||||
--
|
--
|
||||||
-- Test for Leaky view scenario
|
-- Test for Leaky view scenario
|
||||||
--
|
--
|
||||||
CREATE USER alice;
|
CREATE ROLE regress_alice;
|
||||||
CREATE FUNCTION f_leak (text)
|
CREATE FUNCTION f_leak (text)
|
||||||
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
|
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
|
||||||
AS 'BEGIN RAISE NOTICE ''f_leak => %'', $1; RETURN true; END';
|
AS 'BEGIN RAISE NOTICE ''f_leak => %'', $1; RETURN true; END';
|
||||||
@@ -1272,9 +1272,9 @@ CREATE TABLE credit_usage (
|
|||||||
usage int
|
usage int
|
||||||
);
|
);
|
||||||
INSERT INTO customer
|
INSERT INTO customer
|
||||||
VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'),
|
VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'),
|
||||||
(102, 'bob', '+01-234-567-8901', 'beafsteak'),
|
(102, 'regress_bob', '+01-234-567-8901', 'beafsteak'),
|
||||||
(103, 'eve', '+49-8765-43210', 'hamburger');
|
(103, 'regress_eve', '+49-8765-43210', 'hamburger');
|
||||||
INSERT INTO credit_card
|
INSERT INTO credit_card
|
||||||
VALUES (101, '1111-2222-3333-4444', 4000),
|
VALUES (101, '1111-2222-3333-4444', 4000),
|
||||||
(102, '5555-6666-7777-8888', 3000),
|
(102, '5555-6666-7777-8888', 3000),
|
||||||
@@ -1312,7 +1312,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public;
|
|||||||
--
|
--
|
||||||
-- Run leaky view scenarios
|
-- Run leaky view scenarios
|
||||||
--
|
--
|
||||||
SET SESSION AUTHORIZATION alice;
|
SET SESSION AUTHORIZATION regress_alice;
|
||||||
--
|
--
|
||||||
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
|
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
|
||||||
-- prior to the security policy of the view.
|
-- prior to the security policy of the view.
|
||||||
@@ -1322,8 +1322,8 @@ NOTICE: f_leak => passwd123
|
|||||||
NOTICE: f_leak => beafsteak
|
NOTICE: f_leak => beafsteak
|
||||||
NOTICE: f_leak => hamburger
|
NOTICE: f_leak => hamburger
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
|
EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
|
||||||
@@ -1336,8 +1336,8 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
|
|||||||
SELECT * FROM my_property_secure WHERE f_leak(passwd);
|
SELECT * FROM my_property_secure WHERE f_leak(passwd);
|
||||||
NOTICE: f_leak => passwd123
|
NOTICE: f_leak => passwd123
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_property_secure WHERE f_leak(passwd);
|
EXPLAIN (COSTS OFF) SELECT * FROM my_property_secure WHERE f_leak(passwd);
|
||||||
@@ -1359,8 +1359,8 @@ NOTICE: f_leak => 1111-2222-3333-4444
|
|||||||
NOTICE: f_leak => 5555-6666-7777-8888
|
NOTICE: f_leak => 5555-6666-7777-8888
|
||||||
NOTICE: f_leak => 9801-2345-6789-0123
|
NOTICE: f_leak => 9801-2345-6789-0123
|
||||||
cid | name | tel | passwd | cnum | climit
|
cid | name | tel | passwd | cnum | climit
|
||||||
-----+-------+------------------+-----------+---------------------+--------
|
-----+---------------+------------------+-----------+---------------------+--------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
|
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
|
||||||
@@ -1378,8 +1378,8 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
|
|||||||
SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
|
SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
|
||||||
NOTICE: f_leak => 1111-2222-3333-4444
|
NOTICE: f_leak => 1111-2222-3333-4444
|
||||||
cid | name | tel | passwd | cnum | climit
|
cid | name | tel | passwd | cnum | climit
|
||||||
-----+-------+------------------+-----------+---------------------+--------
|
-----+---------------+------------------+-----------+---------------------+--------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
|
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
|
||||||
@@ -1403,10 +1403,10 @@ SELECT * FROM my_credit_card_usage_normal
|
|||||||
WHERE f_leak(cnum) AND ymd >= '2011-10-01' AND ymd < '2011-11-01';
|
WHERE f_leak(cnum) AND ymd >= '2011-10-01' AND ymd < '2011-11-01';
|
||||||
NOTICE: f_leak => 1111-2222-3333-4444
|
NOTICE: f_leak => 1111-2222-3333-4444
|
||||||
cid | name | tel | passwd | cnum | climit | ymd | usage
|
cid | name | tel | passwd | cnum | climit | ymd | usage
|
||||||
-----+-------+------------------+-----------+---------------------+--------+------------+-------
|
-----+---------------+------------------+-----------+---------------------+--------+------------+-------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
|
||||||
(3 rows)
|
(3 rows)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_normal
|
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_normal
|
||||||
@@ -1436,10 +1436,10 @@ NOTICE: f_leak => 1111-2222-3333-4444
|
|||||||
NOTICE: f_leak => 1111-2222-3333-4444
|
NOTICE: f_leak => 1111-2222-3333-4444
|
||||||
NOTICE: f_leak => 1111-2222-3333-4444
|
NOTICE: f_leak => 1111-2222-3333-4444
|
||||||
cid | name | tel | passwd | cnum | climit | ymd | usage
|
cid | name | tel | passwd | cnum | climit | ymd | usage
|
||||||
-----+-------+------------------+-----------+---------------------+--------+------------+-------
|
-----+---------------+------------------+-----------+---------------------+--------+------------+-------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
|
||||||
(3 rows)
|
(3 rows)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_secure
|
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_secure
|
||||||
@@ -1471,26 +1471,26 @@ NOTICE: f_leak => passwd123
|
|||||||
NOTICE: f_leak => beafsteak
|
NOTICE: f_leak => beafsteak
|
||||||
NOTICE: f_leak => hamburger
|
NOTICE: f_leak => hamburger
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXECUTE p2;
|
EXECUTE p2;
|
||||||
NOTICE: f_leak => passwd123
|
NOTICE: f_leak => passwd123
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
RESET SESSION AUTHORIZATION;
|
RESET SESSION AUTHORIZATION;
|
||||||
ALTER VIEW my_property_normal SET (security_barrier=true);
|
ALTER VIEW my_property_normal SET (security_barrier=true);
|
||||||
ALTER VIEW my_property_secure SET (security_barrier=false);
|
ALTER VIEW my_property_secure SET (security_barrier=false);
|
||||||
SET SESSION AUTHORIZATION alice;
|
SET SESSION AUTHORIZATION regress_alice;
|
||||||
EXECUTE p1; -- To be perform as a view with security-barrier
|
EXECUTE p1; -- To be perform as a view with security-barrier
|
||||||
NOTICE: f_leak => passwd123
|
NOTICE: f_leak => passwd123
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXECUTE p2; -- To be perform as a view without security-barrier
|
EXECUTE p2; -- To be perform as a view without security-barrier
|
||||||
@@ -1498,7 +1498,10 @@ NOTICE: f_leak => passwd123
|
|||||||
NOTICE: f_leak => beafsteak
|
NOTICE: f_leak => beafsteak
|
||||||
NOTICE: f_leak => hamburger
|
NOTICE: f_leak => hamburger
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
|
-- Cleanup.
|
||||||
|
RESET SESSION AUTHORIZATION;
|
||||||
|
DROP ROLE regress_alice;
|
||||||
|
@@ -1250,7 +1250,7 @@ SELECT * FROM toyemp WHERE name = 'sharon';
|
|||||||
--
|
--
|
||||||
-- Test for Leaky view scenario
|
-- Test for Leaky view scenario
|
||||||
--
|
--
|
||||||
CREATE USER alice;
|
CREATE ROLE regress_alice;
|
||||||
CREATE FUNCTION f_leak (text)
|
CREATE FUNCTION f_leak (text)
|
||||||
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
|
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
|
||||||
AS 'BEGIN RAISE NOTICE ''f_leak => %'', $1; RETURN true; END';
|
AS 'BEGIN RAISE NOTICE ''f_leak => %'', $1; RETURN true; END';
|
||||||
@@ -1272,9 +1272,9 @@ CREATE TABLE credit_usage (
|
|||||||
usage int
|
usage int
|
||||||
);
|
);
|
||||||
INSERT INTO customer
|
INSERT INTO customer
|
||||||
VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'),
|
VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'),
|
||||||
(102, 'bob', '+01-234-567-8901', 'beafsteak'),
|
(102, 'regress_bob', '+01-234-567-8901', 'beafsteak'),
|
||||||
(103, 'eve', '+49-8765-43210', 'hamburger');
|
(103, 'regress_eve', '+49-8765-43210', 'hamburger');
|
||||||
INSERT INTO credit_card
|
INSERT INTO credit_card
|
||||||
VALUES (101, '1111-2222-3333-4444', 4000),
|
VALUES (101, '1111-2222-3333-4444', 4000),
|
||||||
(102, '5555-6666-7777-8888', 3000),
|
(102, '5555-6666-7777-8888', 3000),
|
||||||
@@ -1312,7 +1312,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public;
|
|||||||
--
|
--
|
||||||
-- Run leaky view scenarios
|
-- Run leaky view scenarios
|
||||||
--
|
--
|
||||||
SET SESSION AUTHORIZATION alice;
|
SET SESSION AUTHORIZATION regress_alice;
|
||||||
--
|
--
|
||||||
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
|
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
|
||||||
-- prior to the security policy of the view.
|
-- prior to the security policy of the view.
|
||||||
@@ -1322,8 +1322,8 @@ NOTICE: f_leak => passwd123
|
|||||||
NOTICE: f_leak => beafsteak
|
NOTICE: f_leak => beafsteak
|
||||||
NOTICE: f_leak => hamburger
|
NOTICE: f_leak => hamburger
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
|
EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
|
||||||
@@ -1336,8 +1336,8 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_property_normal WHERE f_leak(passwd);
|
|||||||
SELECT * FROM my_property_secure WHERE f_leak(passwd);
|
SELECT * FROM my_property_secure WHERE f_leak(passwd);
|
||||||
NOTICE: f_leak => passwd123
|
NOTICE: f_leak => passwd123
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_property_secure WHERE f_leak(passwd);
|
EXPLAIN (COSTS OFF) SELECT * FROM my_property_secure WHERE f_leak(passwd);
|
||||||
@@ -1359,8 +1359,8 @@ NOTICE: f_leak => 1111-2222-3333-4444
|
|||||||
NOTICE: f_leak => 5555-6666-7777-8888
|
NOTICE: f_leak => 5555-6666-7777-8888
|
||||||
NOTICE: f_leak => 9801-2345-6789-0123
|
NOTICE: f_leak => 9801-2345-6789-0123
|
||||||
cid | name | tel | passwd | cnum | climit
|
cid | name | tel | passwd | cnum | climit
|
||||||
-----+-------+------------------+-----------+---------------------+--------
|
-----+---------------+------------------+-----------+---------------------+--------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
|
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
|
||||||
@@ -1378,8 +1378,8 @@ EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_normal WHERE f_leak(cnum);
|
|||||||
SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
|
SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
|
||||||
NOTICE: f_leak => 1111-2222-3333-4444
|
NOTICE: f_leak => 1111-2222-3333-4444
|
||||||
cid | name | tel | passwd | cnum | climit
|
cid | name | tel | passwd | cnum | climit
|
||||||
-----+-------+------------------+-----------+---------------------+--------
|
-----+---------------+------------------+-----------+---------------------+--------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
|
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_secure WHERE f_leak(cnum);
|
||||||
@@ -1403,10 +1403,10 @@ SELECT * FROM my_credit_card_usage_normal
|
|||||||
WHERE f_leak(cnum) AND ymd >= '2011-10-01' AND ymd < '2011-11-01';
|
WHERE f_leak(cnum) AND ymd >= '2011-10-01' AND ymd < '2011-11-01';
|
||||||
NOTICE: f_leak => 1111-2222-3333-4444
|
NOTICE: f_leak => 1111-2222-3333-4444
|
||||||
cid | name | tel | passwd | cnum | climit | ymd | usage
|
cid | name | tel | passwd | cnum | climit | ymd | usage
|
||||||
-----+-------+------------------+-----------+---------------------+--------+------------+-------
|
-----+---------------+------------------+-----------+---------------------+--------+------------+-------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
|
||||||
(3 rows)
|
(3 rows)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_normal
|
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_normal
|
||||||
@@ -1436,10 +1436,10 @@ NOTICE: f_leak => 1111-2222-3333-4444
|
|||||||
NOTICE: f_leak => 1111-2222-3333-4444
|
NOTICE: f_leak => 1111-2222-3333-4444
|
||||||
NOTICE: f_leak => 1111-2222-3333-4444
|
NOTICE: f_leak => 1111-2222-3333-4444
|
||||||
cid | name | tel | passwd | cnum | climit | ymd | usage
|
cid | name | tel | passwd | cnum | climit | ymd | usage
|
||||||
-----+-------+------------------+-----------+---------------------+--------+------------+-------
|
-----+---------------+------------------+-----------+---------------------+--------+------------+-------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-05-2011 | 90
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-18-2011 | 110
|
||||||
101 | alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
|
101 | regress_alice | +81-12-3456-7890 | passwd123 | 1111-2222-3333-4444 | 4000 | 10-21-2011 | 200
|
||||||
(3 rows)
|
(3 rows)
|
||||||
|
|
||||||
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_secure
|
EXPLAIN (COSTS OFF) SELECT * FROM my_credit_card_usage_secure
|
||||||
@@ -1471,26 +1471,26 @@ NOTICE: f_leak => passwd123
|
|||||||
NOTICE: f_leak => beafsteak
|
NOTICE: f_leak => beafsteak
|
||||||
NOTICE: f_leak => hamburger
|
NOTICE: f_leak => hamburger
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXECUTE p2;
|
EXECUTE p2;
|
||||||
NOTICE: f_leak => passwd123
|
NOTICE: f_leak => passwd123
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
RESET SESSION AUTHORIZATION;
|
RESET SESSION AUTHORIZATION;
|
||||||
ALTER VIEW my_property_normal SET (security_barrier=true);
|
ALTER VIEW my_property_normal SET (security_barrier=true);
|
||||||
ALTER VIEW my_property_secure SET (security_barrier=false);
|
ALTER VIEW my_property_secure SET (security_barrier=false);
|
||||||
SET SESSION AUTHORIZATION alice;
|
SET SESSION AUTHORIZATION regress_alice;
|
||||||
EXECUTE p1; -- To be perform as a view with security-barrier
|
EXECUTE p1; -- To be perform as a view with security-barrier
|
||||||
NOTICE: f_leak => passwd123
|
NOTICE: f_leak => passwd123
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
EXECUTE p2; -- To be perform as a view without security-barrier
|
EXECUTE p2; -- To be perform as a view without security-barrier
|
||||||
@@ -1498,7 +1498,10 @@ NOTICE: f_leak => passwd123
|
|||||||
NOTICE: f_leak => beafsteak
|
NOTICE: f_leak => beafsteak
|
||||||
NOTICE: f_leak => hamburger
|
NOTICE: f_leak => hamburger
|
||||||
cid | name | tel | passwd
|
cid | name | tel | passwd
|
||||||
-----+-------+------------------+-----------
|
-----+---------------+------------------+-----------
|
||||||
101 | alice | +81-12-3456-7890 | passwd123
|
101 | regress_alice | +81-12-3456-7890 | passwd123
|
||||||
(1 row)
|
(1 row)
|
||||||
|
|
||||||
|
-- Cleanup.
|
||||||
|
RESET SESSION AUTHORIZATION;
|
||||||
|
DROP ROLE regress_alice;
|
||||||
|
@@ -12,7 +12,7 @@ SELECT * FROM toyemp WHERE name = 'sharon';
|
|||||||
--
|
--
|
||||||
-- Test for Leaky view scenario
|
-- Test for Leaky view scenario
|
||||||
--
|
--
|
||||||
CREATE USER alice;
|
CREATE ROLE regress_alice;
|
||||||
|
|
||||||
CREATE FUNCTION f_leak (text)
|
CREATE FUNCTION f_leak (text)
|
||||||
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
|
RETURNS bool LANGUAGE 'plpgsql' COST 0.0000001
|
||||||
@@ -38,9 +38,9 @@ CREATE TABLE credit_usage (
|
|||||||
);
|
);
|
||||||
|
|
||||||
INSERT INTO customer
|
INSERT INTO customer
|
||||||
VALUES (101, 'alice', '+81-12-3456-7890', 'passwd123'),
|
VALUES (101, 'regress_alice', '+81-12-3456-7890', 'passwd123'),
|
||||||
(102, 'bob', '+01-234-567-8901', 'beafsteak'),
|
(102, 'regress_bob', '+01-234-567-8901', 'beafsteak'),
|
||||||
(103, 'eve', '+49-8765-43210', 'hamburger');
|
(103, 'regress_eve', '+49-8765-43210', 'hamburger');
|
||||||
INSERT INTO credit_card
|
INSERT INTO credit_card
|
||||||
VALUES (101, '1111-2222-3333-4444', 4000),
|
VALUES (101, '1111-2222-3333-4444', 4000),
|
||||||
(102, '5555-6666-7777-8888', 3000),
|
(102, '5555-6666-7777-8888', 3000),
|
||||||
@@ -83,7 +83,7 @@ GRANT SELECT ON my_credit_card_usage_secure TO public;
|
|||||||
--
|
--
|
||||||
-- Run leaky view scenarios
|
-- Run leaky view scenarios
|
||||||
--
|
--
|
||||||
SET SESSION AUTHORIZATION alice;
|
SET SESSION AUTHORIZATION regress_alice;
|
||||||
|
|
||||||
--
|
--
|
||||||
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
|
-- scenario: if a qualifier with tiny-cost is given, it shall be launched
|
||||||
@@ -131,6 +131,10 @@ EXECUTE p2;
|
|||||||
RESET SESSION AUTHORIZATION;
|
RESET SESSION AUTHORIZATION;
|
||||||
ALTER VIEW my_property_normal SET (security_barrier=true);
|
ALTER VIEW my_property_normal SET (security_barrier=true);
|
||||||
ALTER VIEW my_property_secure SET (security_barrier=false);
|
ALTER VIEW my_property_secure SET (security_barrier=false);
|
||||||
SET SESSION AUTHORIZATION alice;
|
SET SESSION AUTHORIZATION regress_alice;
|
||||||
EXECUTE p1; -- To be perform as a view with security-barrier
|
EXECUTE p1; -- To be perform as a view with security-barrier
|
||||||
EXECUTE p2; -- To be perform as a view without security-barrier
|
EXECUTE p2; -- To be perform as a view without security-barrier
|
||||||
|
|
||||||
|
-- Cleanup.
|
||||||
|
RESET SESSION AUTHORIZATION;
|
||||||
|
DROP ROLE regress_alice;
|
||||||
|
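Review bot: The `DROP ROLE regress_alice;` added under `-- Cleanup.` runs only when the script reaches its final statements, so a run that is cut short (cancelled session, backend crash) still leaves the role in the cluster, and the next run's `CREATE ROLE regress_alice;` fails and changes the output. If the suite should tolerate that, a guarded pre-drop ahead of the `CREATE ROLE` would cover it: `SET client_min_messages TO 'warning'; DROP ROLE IF EXISTS regress_alice; RESET client_min_messages;`. A one-line comment at the `CREATE ROLE` would also help, noting that unlike the old `CREATE USER alice` the role is created without LOGIN and is entered only through `SET SESSION AUTHORIZATION`, which matters when `make installcheck` runs against a shared cluster. The statements between the hunks are not visible here, so the view definitions that tie the `customer.name` values to the role name could not be checked against the rename.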