From e05613d5c4b1dba4fa7fddd71a3b4e00b14819e9 Mon Sep 17 00:00:00 2001
From: javi
Date: Mon, 27 Jul 2015 10:25:44 +0200
Subject: [PATCH 01/10] added tests for usertables to check private tables are not returned
---
 test/CDB_UserTablesTest.sql | 6 ++++++
 test/CDB_UserTablesTest_expect | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/test/CDB_UserTablesTest.sql b/test/CDB_UserTablesTest.sql
index 25e1029..836a748 100644
--- a/test/CDB_UserTablesTest.sql
+++ b/test/CDB_UserTablesTest.sql
@@ -8,6 +8,12 @@ SELECT 'all',CDB_UserTables('all') ORDER BY 2;
 SELECT 'public',CDB_UserTables('public') ORDER BY 2;
 SELECT 'private',CDB_UserTables('private') ORDER BY 2;
 SELECT '--unsupported--',CDB_UserTables('--unsupported--') ORDER BY 2;
+-- now tests with public user
+\c contrib_regression publicuser
+SELECT 'all_publicuser',CDB_UserTables('all') ORDER BY 2;
+SELECT 'public_publicuser',CDB_UserTables('public') ORDER BY 2;
+SELECT 'private_publicuser',CDB_UserTables('private') ORDER BY 2;
+\c contrib_regression postgres
 DROP TABLE pub;
 DROP TABLE prv;
 DROP ROLE publicuser;
diff --git a/test/CDB_UserTablesTest_expect b/test/CDB_UserTablesTest_expect
index 0eb6786..73f01a4 100644
--- a/test/CDB_UserTablesTest_expect
+++ b/test/CDB_UserTablesTest_expect
@@ -9,6 +9,10 @@ all|prv
 all|pub
 public|pub
 private|prv
+You are now connected to database "contrib_regression" as user "publicuser"
+all_publicuser|pub
+public_publicuser|pub
+You are now connected to database "contrib_regression" as user "postgres"
 DROP TABLE
 DROP TABLE
 DROP ROLE
From df36e83cb552bb8cb287a12b53a562730003807f Mon Sep 17 00:00:00 2001
From: javi
Date: Mon, 27 Jul 2015 10:31:55 +0200
Subject: [PATCH 02/10] revoke permissions to list private tables to public user
---
 scripts-available/CDB_UserTables.sql | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/scripts-available/CDB_UserTables.sql b/scripts-available/CDB_UserTables.sql
index 9f636a5..bfa5165 100644
--- a/scripts-available/CDB_UserTables.sql +++ b/scripts-available/CDB_UserTables.sql @@ -17,9 +17,8 @@ WHERE c.relkind = 'r' AND c.relname NOT IN ('cdb_tablemetadata', 'spatial_ref_sys') AND n.nspname NOT IN ('pg_catalog', 'information_schema', 'topology') AND CASE WHEN perm = 'public' THEN has_table_privilege('publicuser', c.oid, 'SELECT') - WHEN perm = 'private' THEN (has_table_privilege(c.relowner, c.oid, 'SELECT') OR has_table_privilege(current_user, c.oid, 'SELECT')) - AND NOT has_table_privilege('publicuser', c.oid, 'SELECT') - WHEN perm = 'all' THEN has_table_privilege(c.relowner, c.oid, 'SELECT') OR has_table_privilege('publicuser', c.oid, 'SELECT') + WHEN perm = 'private' THEN has_table_privilege(current_user, c.oid, 'SELECT') AND NOT has_table_privilege('publicuser', c.oid, 'SELECT') + WHEN perm = 'all' THEN has_table_privilege(current_user, c.oid, 'SELECT') OR has_table_privilege('publicuser', c.oid, 'SELECT') ELSE false END; $$ LANGUAGE 'sql'; From 5d6c2111bf9e4f4e1029114d629a5f157d6d4fe6 Mon Sep 17 00:00:00 2001 From: javi Date: Mon, 27 Jul 2015 10:37:07 +0200 Subject: [PATCH 03/10] updates tests --- test/CDB_UserTablesTest.sql | 2 +- test/CDB_UserTablesTest_expect | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/CDB_UserTablesTest.sql b/test/CDB_UserTablesTest.sql index 836a748..97821e7 100644 --- a/test/CDB_UserTablesTest.sql +++ b/test/CDB_UserTablesTest.sql @@ -1,4 +1,4 @@ -CREATE ROLE publicuser; +CREATE ROLE publicuser LOGIN; CREATE TABLE pub(a int); CREATE TABLE prv(a int); GRANT SELECT ON TABLE pub TO publicuser; diff --git a/test/CDB_UserTablesTest_expect b/test/CDB_UserTablesTest_expect index 73f01a4..2325bab 100644 --- a/test/CDB_UserTablesTest_expect +++ b/test/CDB_UserTablesTest_expect 
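Review bot: Both rewritten branches of the `CASE` in CDB_UserTables.sql (`perm = 'private'` and `perm = 'all'`) now key on `current_user`, so the filter is only as strong as the function's execution context, and nothing in the visible lines pins that context. The `CREATE FUNCTION` header is outside the hunk; if the function is, or is later made, `SECURITY DEFINER`, `current_user` resolves to the owning role and the listing is once more evaluated with the owner's privileges instead of the caller's. I would add a comment above the `CASE`, `-- must stay SECURITY INVOKER: current_user has to be the calling role`, and document that 'private' now means "readable by the caller and not by publicuser" rather than anything owner-based. Note also that `has_table_privilege` checks only the table-level grant, so a table in a schema where the caller lacks `USAGE` can still appear in the result.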
@@ -9,10 +9,10 @@ all|prv
 all|pub
 public|pub
 private|prv
-You are now connected to database "contrib_regression" as user "publicuser"
+You are now connected to database "contrib_regression" as user "publicuser".
 all_publicuser|pub
 public_publicuser|pub
-You are now connected to database "contrib_regression" as user "postgres"
+You are now connected to database "contrib_regression" as user "postgres".
 DROP TABLE
 DROP TABLE
 DROP ROLE
From 1b3db28a741582fc0b6d367bcffd8f0850e92acb Mon Sep 17 00:00:00 2001
From: javi
Date: Mon, 27 Jul 2015 10:51:20 +0200
Subject: [PATCH 04/10] added tests for organization
---
 test/organization/test.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/test/organization/test.sh b/test/organization/test.sh
index c713afa..c1a65f3 100644
--- a/test/organization/test.sh
+++ b/test/organization/test.sh
@@ -346,6 +346,23 @@ function test_cdb_querytables_does_not_return_functions_as_part_of_the_resultset sql postgres "select * from CDB_QueryTables('select * from cdb_testmember_1.foo, cdb_testmember_2.bar, plainto_tsquery(''foo'')');" should "{cdb_testmember_1.foo,cdb_testmember_2.bar}" } +function test_cdb_usertables_should_work_with_orgusers() { + sql "CREATE ROLE publicuser LOGIN" + sql "GRANT USAGE ON SCHEMA cartodb TO publicuser;" + ${CMD} -d ${DATABASE} -f scripts-available/CDB_UserTables.sql + sql cdb_testmember_1 "CREATE TABLE test_perms_pub (a int)" + sql cdb_testmember_1 "CREATE TABLE test_perms_priv (a int)" + sql cdb_testmember_1 "GRANT SELECT ON TABLE test_perms_pub TO publicuser" + sql publicuser "SELECT count(*) FROM CDB_UserTables('all')" should 1 + sql publicuser "SELECT count(*) FROM CDB_UserTables('public')" should 1 + sql publicuser "SELECT count(*) FROM CDB_UserTables('private')" should 0 + # the following tests are for https://github.com/CartoDB/cartodb-postgresql/issues/98 + #sql cdb_testmember_2 "SELECT count(*) FROM CDB_UserTables('all')" should 1 + #sql cdb_testmember_2 "SELECT count(*) FROM CDB_UserTables('public')" should 1 + #sql cdb_testmember_2 "SELECT count(*) FROM CDB_UserTables('private')" should 0 +} + + #################################################### TESTS END HERE #################################################### From 12260b9fc3537a029b95ea26864af2778b9b9d64 Mon Sep 17 00:00:00 2001 From: javi Date: Mon, 27 Jul 2015 10:54:43 +0200 Subject: [PATCH 05/10] test cleanup --- test/organization/test.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/organization/test.sh b/test/organization/test.sh index c1a65f3..3ada56b 100644 --- a/test/organization/test.sh +++ b/test/organization/test.sh 
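Review bot: The three `publicuser` assertions in `test_cdb_usertables_should_work_with_orgusers` compare only `count(*)`, so the `'all'` and `'public'` cases would still pass if the function returned `test_perms_priv` instead of `test_perms_pub`, which is exactly the leak this series is meant to prevent. Asserting the table name pins the behaviour, e.g. `sql publicuser "SELECT * FROM CDB_UserTables('all')" should "test_perms_pub"`, assuming `should` compares the raw output as it appears to in the CDB_QueryTables test just above. The count-based form also depends on no other table in the test database being readable by publicuser, which the hunk does not establish.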
@@ -360,6 +360,9 @@ function test_cdb_usertables_should_work_with_orgusers() {
 #sql cdb_testmember_2 "SELECT count(*) FROM CDB_UserTables('all')" should 1
 #sql cdb_testmember_2 "SELECT count(*) FROM CDB_UserTables('public')" should 1
 #sql cdb_testmember_2 "SELECT count(*) FROM CDB_UserTables('private')" should 0
+
+ sql cdb_testmember_1 "DROP TABLE test_perms_pub"
+ sql cdb_testmember_1 "DROP TABLE test_perms_priv"
 }
 
 
From c71faf21e27cddc25a24a4bf0d80b287c0b795d7 Mon Sep 17 00:00:00 2001
From: javi
Date: Mon, 27 Jul 2015 10:57:38 +0200
Subject: [PATCH 06/10] do not create publicuser since a previous tests is doing it
---
 test/organization/test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/organization/test.sh b/test/organization/test.sh
index 3ada56b..bc70ef1 100644
--- a/test/organization/test.sh
+++ b/test/organization/test.sh
@@ -347,7 +347,7 @@ function test_cdb_querytables_does_not_return_functions_as_part_of_the_resultset
 }
 
 function test_cdb_usertables_should_work_with_orgusers() {
- sql "CREATE ROLE publicuser LOGIN"
+ #sql "CREATE ROLE publicuser LOGIN"
 sql "GRANT USAGE ON SCHEMA cartodb TO publicuser;"
 ${CMD} -d ${DATABASE} -f scripts-available/CDB_UserTables.sql
 sql cdb_testmember_1 "CREATE TABLE test_perms_pub (a int)"
From 53e6b38c325c4daabfcb485abaffd97a97ef39c4 Mon Sep 17 00:00:00 2001
From: javi
Date: Mon, 27 Jul 2015 11:03:21 +0200
Subject: [PATCH 07/10] enabling user again (no sense)
---
 test/organization/test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/organization/test.sh b/test/organization/test.sh
index bc70ef1..1dbabeb 100644
--- a/test/organization/test.sh
+++ b/test/organization/test.sh
@@ -347,7 +347,7 @@ function test_cdb_querytables_does_not_return_functions_as_part_of_the_resultset
 }
 
 function test_cdb_usertables_should_work_with_orgusers() {
- #sql "CREATE ROLE publicuser LOGIN"
+ sql "CREATE ROLE publicuser"
 sql "GRANT USAGE ON SCHEMA cartodb TO publicuser;"
 ${CMD} -d ${DATABASE} -f scripts-available/CDB_UserTables.sql
 sql cdb_testmember_1 "CREATE TABLE test_perms_pub (a int)"
From 68fdd9ce33afa98d8296e595b2f0b08cb56debae Mon Sep 17 00:00:00 2001
From: javi
Date: Mon, 27 Jul 2015 11:07:46 +0200
Subject: [PATCH 08/10] just add login permissions to public user
---
 test/organization/test.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/organization/test.sh b/test/organization/test.sh
index 1dbabeb..431c2ba 100644
--- a/test/organization/test.sh
+++ b/test/organization/test.sh
@@ -347,7 +347,7 @@ function test_cdb_querytables_does_not_return_functions_as_part_of_the_resultset
 }
 
 function test_cdb_usertables_should_work_with_orgusers() {
- sql "CREATE ROLE publicuser"
+ sql "ALTER USER publicuser LOGIN"
 sql "GRANT USAGE ON SCHEMA cartodb TO publicuser;"
 ${CMD} -d ${DATABASE} -f scripts-available/CDB_UserTables.sql
 sql cdb_testmember_1 "CREATE TABLE test_perms_pub (a int)"
@@ -363,6 +363,7 @@ function test_cdb_usertables_should_work_with_orgusers() {
 
 sql cdb_testmember_1 "DROP TABLE test_perms_pub"
 sql cdb_testmember_1 "DROP TABLE test_perms_priv"
+ sql "ALTER USER publicuser NOLOGIN"
 }
 
 
From 92b5d1f8f4c91c65cbccf10494e1789ea8aa07e8 Mon Sep 17 00:00:00 2001
From: javi
Date: Mon, 27 Jul 2015 11:15:14 +0200
Subject: [PATCH 09/10] creating in setup
---
 test/organization/test.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/organization/test.sh b/test/organization/test.sh
index 431c2ba..75e5b5c 100644
--- a/test/organization/test.sh
+++ b/test/organization/test.sh
@@ -142,6 +142,8 @@ function setup() { log_info "############################# SETUP #############################" create_role_and_schema cdb_testmember_1 create_role_and_schema cdb_testmember_2 + sql "CREATE ROLE publicuser LOGIN;" + sql "GRANT CONNECT ON DATABASE \"${DATABASE}\" TO publicuser;" create_table cdb_testmember_1 foo sql cdb_testmember_1 'INSERT INTO cdb_testmember_1.foo VALUES (1), (2), (3), (4), (5);' @@ -171,6 +173,7 @@ function tear_down() { sql 'DROP ROLE cdb_testmember_1;' sql 'DROP ROLE cdb_testmember_2;' + sql 'DROP ROLE publicuser;' ${CMD} -c "DROP DATABASE ${DATABASE}" } @@ -347,7 +350,6 @@ function test_cdb_querytables_does_not_return_functions_as_part_of_the_resultset } function test_cdb_usertables_should_work_with_orgusers() { - sql "ALTER USER publicuser LOGIN" sql "GRANT USAGE ON SCHEMA cartodb TO publicuser;" ${CMD} -d ${DATABASE} -f scripts-available/CDB_UserTables.sql sql cdb_testmember_1 "CREATE TABLE test_perms_pub (a int)" @@ -363,7 +365,6 @@ function test_cdb_usertables_should_work_with_orgusers() { sql cdb_testmember_1 "DROP TABLE test_perms_pub" sql cdb_testmember_1 "DROP TABLE test_perms_priv" - sql "ALTER USER publicuser NOLOGIN" } From 400248cd5d1f48def6269b7a14898d4d9b160357 Mon Sep 17 00:00:00 2001 From: javi Date: Mon, 27 Jul 2015 11:20:55 +0200 Subject: [PATCH 10/10] remove connection permissions to public user --- test/organization/test.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/test/organization/test.sh b/test/organization/test.sh index 75e5b5c..40d1a41 100644 --- a/test/organization/test.sh +++ b/test/organization/test.sh @@ -170,6 +170,7 @@ function tear_down() { sql "REVOKE CONNECT ON DATABASE \"${DATABASE}\" FROM cdb_testmember_1;" sql "REVOKE CONNECT ON DATABASE \"${DATABASE}\" FROM cdb_testmember_2;" + sql "REVOKE CONNECT ON DATABASE \"${DATABASE}\" FROM publicuser;" sql 'DROP ROLE cdb_testmember_1;' sql 'DROP ROLE cdb_testmember_2;'
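Review bot: `DROP ROLE publicuser` in `tear_down` is likely to fail, because `test_cdb_usertables_should_work_with_orgusers` grants `USAGE ON SCHEMA cartodb` to publicuser and nothing visible revokes it before the role is dropped; PostgreSQL refuses to drop a role that still holds privileges on an object. The last patch in the series adds the matching `REVOKE CONNECT ON DATABASE`, but the schema grant is left in place. Add `sql "REVOKE USAGE ON SCHEMA cartodb FROM publicuser;"` at the end of the test, or in `tear_down` before the drop. Both `setup` and `tear_down` extend beyond the hunks shown, so cleanup outside the visible lines would make this moot. `CREATE ROLE publicuser LOGIN` in `setup` also creates a login role with no password, which is only appropriate on a disposable test cluster.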